wolfSSL SSL/TLS library, support up to TLS1.3
Dependents: CyaSSL-Twitter-OAuth4Tw Example-client-tls-cert TwitterReader TweetTest ... more
src/tls13.c@17:a5f916481144, 2020-06-05 (annotated)
- Committer:
- wolfSSL
- Date:
- Fri Jun 05 00:11:07 2020 +0000
- Revision:
- 17:a5f916481144
- Parent:
- 16:8e0d178b1d1e
wolfSSL 4.4.0
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
wolfSSL | 15:117db924cf7c | 1 | /* tls13.c |
wolfSSL | 15:117db924cf7c | 2 | * |
wolfSSL | 16:8e0d178b1d1e | 3 | * Copyright (C) 2006-2020 wolfSSL Inc. |
wolfSSL | 15:117db924cf7c | 4 | * |
wolfSSL | 15:117db924cf7c | 5 | * This file is part of wolfSSL. |
wolfSSL | 15:117db924cf7c | 6 | * |
wolfSSL | 15:117db924cf7c | 7 | * wolfSSL is free software; you can redistribute it and/or modify |
wolfSSL | 15:117db924cf7c | 8 | * it under the terms of the GNU General Public License as published by |
wolfSSL | 15:117db924cf7c | 9 | * the Free Software Foundation; either version 2 of the License, or |
wolfSSL | 15:117db924cf7c | 10 | * (at your option) any later version. |
wolfSSL | 15:117db924cf7c | 11 | * |
wolfSSL | 15:117db924cf7c | 12 | * wolfSSL is distributed in the hope that it will be useful, |
wolfSSL | 15:117db924cf7c | 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
wolfSSL | 15:117db924cf7c | 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
wolfSSL | 15:117db924cf7c | 15 | * GNU General Public License for more details. |
wolfSSL | 15:117db924cf7c | 16 | * |
wolfSSL | 15:117db924cf7c | 17 | * You should have received a copy of the GNU General Public License |
wolfSSL | 15:117db924cf7c | 18 | * along with this program; if not, write to the Free Software |
wolfSSL | 15:117db924cf7c | 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
wolfSSL | 15:117db924cf7c | 20 | */ |
wolfSSL | 15:117db924cf7c | 21 | |
wolfSSL | 15:117db924cf7c | 22 | |
wolfSSL | 15:117db924cf7c | 23 | /* |
wolfSSL | 15:117db924cf7c | 24 | * BUILD_GCM |
wolfSSL | 15:117db924cf7c | 25 | * Enables AES-GCM ciphersuites. |
wolfSSL | 15:117db924cf7c | 26 | * HAVE_AESCCM |
wolfSSL | 15:117db924cf7c | 27 | * Enables AES-CCM ciphersuites. |
wolfSSL | 15:117db924cf7c | 28 | * HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 29 | * Enables session tickets - required for TLS 1.3 resumption. |
wolfSSL | 15:117db924cf7c | 30 | * NO_PSK |
wolfSSL | 15:117db924cf7c | 31 | * Do not enable Pre-Shared Keys. |
wolfSSL | 15:117db924cf7c | 32 | * TLS13_SUPPORTS_EXPORTERS |
wolfSSL | 16:8e0d178b1d1e | 33 | * Guard to compile out any code for exporter keys. |
wolfSSL | 15:117db924cf7c | 34 | * Feature not supported yet. |
wolfSSL | 15:117db924cf7c | 35 | * WOLFSSL_ASYNC_CRYPT |
wolfSSL | 16:8e0d178b1d1e | 36 | * Enables the use of asynchronous cryptographic operations. |
wolfSSL | 15:117db924cf7c | 37 | * This is available for ciphers and certificates. |
wolfSSL | 15:117db924cf7c | 38 | * HAVE_CHACHA && HAVE_POLY1305 |
wolfSSL | 15:117db924cf7c | 39 | * Enables use of CHACHA20-POLY1305 ciphersuites. |
wolfSSL | 15:117db924cf7c | 40 | * WOLFSSL_DEBUG_TLS |
wolfSSL | 16:8e0d178b1d1e | 41 | * Writes out details of TLS 1.3 protocol including handshake message buffers |
wolfSSL | 15:117db924cf7c | 42 | * and key generation input and output. |
wolfSSL | 15:117db924cf7c | 43 | * WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 44 | * Allow 0-RTT Handshake using Early Data extensions and handshake message |
wolfSSL | 16:8e0d178b1d1e | 45 | * WOLFSSL_EARLY_DATA_GROUP |
wolfSSL | 16:8e0d178b1d1e | 46 | * Group EarlyData message with ClientHello when sending |
wolfSSL | 15:117db924cf7c | 47 | * WOLFSSL_NO_SERVER_GROUPS_EXT |
wolfSSL | 15:117db924cf7c | 48 | * Do not send the server's groups in an extension when the server's top |
wolfSSL | 15:117db924cf7c | 49 | * preference is not in client's list. |
wolfSSL | 15:117db924cf7c | 50 | * WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 51 | * Allow TLS v1.3 code to perform post-handshake authentication of the |
wolfSSL | 15:117db924cf7c | 52 | * client. |
wolfSSL | 15:117db924cf7c | 53 | * WOLFSSL_SEND_HRR_COOKIE |
wolfSSL | 15:117db924cf7c | 54 | * Send a cookie in hello_retry_request message to enable stateless tracking |
wolfSSL | 15:117db924cf7c | 55 | * of ClientHello replies. |
wolfSSL | 15:117db924cf7c | 56 | * WOLFSSL_TLS13 |
wolfSSL | 15:117db924cf7c | 57 | * Enable TLS 1.3 protocol implementation. |
wolfSSL | 15:117db924cf7c | 58 | * WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 59 | * Conform with Draft 18 of the TLS v1.3 specification. |
wolfSSL | 15:117db924cf7c | 60 | * WOLFSSL_TLS13_DRAFT_22 |
wolfSSL | 15:117db924cf7c | 61 | * Conform with Draft 22 of the TLS v1.3 specification. |
wolfSSL | 15:117db924cf7c | 62 | * WOLFSSL_TLS13_DRAFT_23 |
wolfSSL | 15:117db924cf7c | 63 | * Conform with Draft 23 of the TLS v1.3 specification. |
wolfSSL | 15:117db924cf7c | 64 | * WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
wolfSSL | 16:8e0d178b1d1e | 65 | * Enable middlebox compatibility in the TLS 1.3 handshake. |
wolfSSL | 15:117db924cf7c | 66 | * This includes sending ChangeCipherSpec before encrypted messages and |
wolfSSL | 15:117db924cf7c | 67 | * including a session id. |
wolfSSL | 15:117db924cf7c | 68 | * WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 69 | * Allow generation of SHA-512 digests in handshake - no ciphersuite |
wolfSSL | 15:117db924cf7c | 70 | * requires SHA-512 at this time. |
wolfSSL | 15:117db924cf7c | 71 | * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 15:117db924cf7c | 72 | * Allow a NewSessionTicket message to be sent by server before Client's |
wolfSSL | 15:117db924cf7c | 73 | * Finished message. |
wolfSSL | 15:117db924cf7c | 74 | * See TLS v1.3 specification, Section 4.6.1, Paragraph 4 (Note). |
wolfSSL | 15:117db924cf7c | 75 | */ |
wolfSSL | 15:117db924cf7c | 76 | |
wolfSSL | 15:117db924cf7c | 77 | #ifdef HAVE_CONFIG_H |
wolfSSL | 15:117db924cf7c | 78 | #include <config.h> |
wolfSSL | 15:117db924cf7c | 79 | #endif |
wolfSSL | 15:117db924cf7c | 80 | |
wolfSSL | 15:117db924cf7c | 81 | #include <wolfssl/wolfcrypt/settings.h> |
wolfSSL | 15:117db924cf7c | 82 | |
wolfSSL | 15:117db924cf7c | 83 | #ifdef WOLFSSL_TLS13 |
wolfSSL | 15:117db924cf7c | 84 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 85 | #include <wolfssl/wolfcrypt/wc_port.h> |
wolfSSL | 15:117db924cf7c | 86 | #endif |
wolfSSL | 15:117db924cf7c | 87 | |
wolfSSL | 15:117db924cf7c | 88 | #ifndef WOLFCRYPT_ONLY |
wolfSSL | 15:117db924cf7c | 89 | |
wolfSSL | 15:117db924cf7c | 90 | #ifdef HAVE_ERRNO_H |
wolfSSL | 15:117db924cf7c | 91 | #include <errno.h> |
wolfSSL | 15:117db924cf7c | 92 | #endif |
wolfSSL | 15:117db924cf7c | 93 | |
wolfSSL | 15:117db924cf7c | 94 | #include <wolfssl/internal.h> |
wolfSSL | 15:117db924cf7c | 95 | #include <wolfssl/error-ssl.h> |
wolfSSL | 15:117db924cf7c | 96 | #include <wolfssl/wolfcrypt/asn.h> |
wolfSSL | 15:117db924cf7c | 97 | #include <wolfssl/wolfcrypt/dh.h> |
wolfSSL | 15:117db924cf7c | 98 | #ifdef NO_INLINE |
wolfSSL | 15:117db924cf7c | 99 | #include <wolfssl/wolfcrypt/misc.h> |
wolfSSL | 15:117db924cf7c | 100 | #else |
wolfSSL | 15:117db924cf7c | 101 | #define WOLFSSL_MISC_INCLUDED |
wolfSSL | 15:117db924cf7c | 102 | #include <wolfcrypt/src/misc.c> |
wolfSSL | 15:117db924cf7c | 103 | #endif |
wolfSSL | 15:117db924cf7c | 104 | |
wolfSSL | 15:117db924cf7c | 105 | #ifdef HAVE_NTRU |
wolfSSL | 15:117db924cf7c | 106 | #include "libntruencrypt/ntru_crypto.h" |
wolfSSL | 15:117db924cf7c | 107 | #endif |
wolfSSL | 15:117db924cf7c | 108 | |
wolfSSL | 15:117db924cf7c | 109 | #ifdef __sun |
wolfSSL | 15:117db924cf7c | 110 | #include <sys/filio.h> |
wolfSSL | 15:117db924cf7c | 111 | #endif |
wolfSSL | 15:117db924cf7c | 112 | |
wolfSSL | 15:117db924cf7c | 113 | #ifndef TRUE |
wolfSSL | 15:117db924cf7c | 114 | #define TRUE 1 |
wolfSSL | 15:117db924cf7c | 115 | #endif |
wolfSSL | 15:117db924cf7c | 116 | #ifndef FALSE |
wolfSSL | 15:117db924cf7c | 117 | #define FALSE 0 |
wolfSSL | 15:117db924cf7c | 118 | #endif |
wolfSSL | 15:117db924cf7c | 119 | |
wolfSSL | 15:117db924cf7c | 120 | #ifndef HAVE_HKDF |
wolfSSL | 15:117db924cf7c | 121 | #error The build option HAVE_HKDF is required for TLS 1.3 |
wolfSSL | 15:117db924cf7c | 122 | #endif |
wolfSSL | 15:117db924cf7c | 123 | |
wolfSSL | 16:8e0d178b1d1e | 124 | #ifndef HAVE_TLS_EXTENSIONS |
wolfSSL | 16:8e0d178b1d1e | 125 | #ifndef _MSC_VER |
wolfSSL | 16:8e0d178b1d1e | 126 | #error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3" |
wolfSSL | 16:8e0d178b1d1e | 127 | #else |
wolfSSL | 16:8e0d178b1d1e | 128 | #pragma message("error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3") |
wolfSSL | 16:8e0d178b1d1e | 129 | #endif |
wolfSSL | 16:8e0d178b1d1e | 130 | #endif |
wolfSSL | 16:8e0d178b1d1e | 131 | |
wolfSSL | 15:117db924cf7c | 132 | |
wolfSSL | 15:117db924cf7c | 133 | /* Set ret to error value and jump to label. |
wolfSSL | 15:117db924cf7c | 134 | * |
wolfSSL | 15:117db924cf7c | 135 | * err The error value to set. |
wolfSSL | 15:117db924cf7c | 136 | * eLabel The label to jump to. |
wolfSSL | 15:117db924cf7c | 137 | */ |
wolfSSL | 15:117db924cf7c | 138 | #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; } |
wolfSSL | 15:117db924cf7c | 139 | |
wolfSSL | 15:117db924cf7c | 140 | |
wolfSSL | 15:117db924cf7c | 141 | /* Extract data using HMAC, salt and input. |
wolfSSL | 15:117db924cf7c | 142 | * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF) |
wolfSSL | 15:117db924cf7c | 143 | * |
wolfSSL | 15:117db924cf7c | 144 | * prk The generated pseudorandom key. |
wolfSSL | 15:117db924cf7c | 145 | * salt The salt. |
wolfSSL | 15:117db924cf7c | 146 | * saltLen The length of the salt. |
wolfSSL | 15:117db924cf7c | 147 | * ikm The input keying material. |
wolfSSL | 15:117db924cf7c | 148 | * ikmLen The length of the input keying material. |
wolfSSL | 15:117db924cf7c | 149 | * mac The type of digest to use. |
wolfSSL | 15:117db924cf7c | 150 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 151 | */ |
wolfSSL | 15:117db924cf7c | 152 | static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen, |
wolfSSL | 15:117db924cf7c | 153 | byte* ikm, int ikmLen, int mac) |
wolfSSL | 15:117db924cf7c | 154 | { |
wolfSSL | 15:117db924cf7c | 155 | int ret; |
wolfSSL | 15:117db924cf7c | 156 | int hash = 0; |
wolfSSL | 15:117db924cf7c | 157 | int len = 0; |
wolfSSL | 15:117db924cf7c | 158 | |
wolfSSL | 15:117db924cf7c | 159 | switch (mac) { |
wolfSSL | 15:117db924cf7c | 160 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 161 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 162 | hash = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 163 | len = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 164 | break; |
wolfSSL | 15:117db924cf7c | 165 | #endif |
wolfSSL | 15:117db924cf7c | 166 | |
wolfSSL | 15:117db924cf7c | 167 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 168 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 169 | hash = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 170 | len = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 171 | break; |
wolfSSL | 15:117db924cf7c | 172 | #endif |
wolfSSL | 15:117db924cf7c | 173 | |
wolfSSL | 15:117db924cf7c | 174 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 175 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 176 | hash = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 177 | len = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 178 | break; |
wolfSSL | 15:117db924cf7c | 179 | #endif |
wolfSSL | 15:117db924cf7c | 180 | } |
wolfSSL | 15:117db924cf7c | 181 | |
wolfSSL | 15:117db924cf7c | 182 | /* When length is 0 then use zeroed data of digest length. */ |
wolfSSL | 15:117db924cf7c | 183 | if (ikmLen == 0) { |
wolfSSL | 15:117db924cf7c | 184 | ikmLen = len; |
wolfSSL | 15:117db924cf7c | 185 | XMEMSET(ikm, 0, len); |
wolfSSL | 15:117db924cf7c | 186 | } |
wolfSSL | 15:117db924cf7c | 187 | |
wolfSSL | 15:117db924cf7c | 188 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 189 | WOLFSSL_MSG(" Salt"); |
wolfSSL | 15:117db924cf7c | 190 | WOLFSSL_BUFFER(salt, saltLen); |
wolfSSL | 15:117db924cf7c | 191 | WOLFSSL_MSG(" IKM"); |
wolfSSL | 15:117db924cf7c | 192 | WOLFSSL_BUFFER(ikm, ikmLen); |
wolfSSL | 15:117db924cf7c | 193 | #endif |
wolfSSL | 15:117db924cf7c | 194 | |
wolfSSL | 15:117db924cf7c | 195 | ret = wc_HKDF_Extract(hash, salt, saltLen, ikm, ikmLen, prk); |
wolfSSL | 15:117db924cf7c | 196 | |
wolfSSL | 15:117db924cf7c | 197 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 198 | WOLFSSL_MSG(" PRK"); |
wolfSSL | 15:117db924cf7c | 199 | WOLFSSL_BUFFER(prk, len); |
wolfSSL | 15:117db924cf7c | 200 | #endif |
wolfSSL | 15:117db924cf7c | 201 | |
wolfSSL | 15:117db924cf7c | 202 | return ret; |
wolfSSL | 15:117db924cf7c | 203 | } |
wolfSSL | 15:117db924cf7c | 204 | |
wolfSSL | 15:117db924cf7c | 205 | /* Expand data using HMAC, salt and label and info. |
wolfSSL | 15:117db924cf7c | 206 | * TLS v1.3 defines this function. |
wolfSSL | 15:117db924cf7c | 207 | * |
wolfSSL | 15:117db924cf7c | 208 | * okm The generated pseudorandom key - output key material. |
wolfSSL | 15:117db924cf7c | 209 | * okmLen The length of generated pseudorandom key - output key material. |
wolfSSL | 15:117db924cf7c | 210 | * prk The salt - pseudo-random key. |
wolfSSL | 15:117db924cf7c | 211 | * prkLen The length of the salt - pseudo-random key. |
wolfSSL | 15:117db924cf7c | 212 | * protocol The TLS protocol label. |
wolfSSL | 15:117db924cf7c | 213 | * protocolLen The length of the TLS protocol label. |
wolfSSL | 15:117db924cf7c | 214 | * info The information to expand. |
wolfSSL | 15:117db924cf7c | 215 | * infoLen The length of the information. |
wolfSSL | 15:117db924cf7c | 216 | * digest The type of digest to use. |
wolfSSL | 15:117db924cf7c | 217 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 218 | */ |
wolfSSL | 15:117db924cf7c | 219 | static int HKDF_Expand_Label(byte* okm, word32 okmLen, |
wolfSSL | 15:117db924cf7c | 220 | const byte* prk, word32 prkLen, |
wolfSSL | 15:117db924cf7c | 221 | const byte* protocol, word32 protocolLen, |
wolfSSL | 15:117db924cf7c | 222 | const byte* label, word32 labelLen, |
wolfSSL | 15:117db924cf7c | 223 | const byte* info, word32 infoLen, |
wolfSSL | 15:117db924cf7c | 224 | int digest) |
wolfSSL | 15:117db924cf7c | 225 | { |
wolfSSL | 15:117db924cf7c | 226 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 227 | int idx = 0; |
wolfSSL | 15:117db924cf7c | 228 | byte data[MAX_HKDF_LABEL_SZ]; |
wolfSSL | 15:117db924cf7c | 229 | |
wolfSSL | 15:117db924cf7c | 230 | /* Output length. */ |
wolfSSL | 15:117db924cf7c | 231 | data[idx++] = (byte)(okmLen >> 8); |
wolfSSL | 15:117db924cf7c | 232 | data[idx++] = (byte)okmLen; |
wolfSSL | 15:117db924cf7c | 233 | /* Length of protocol | label. */ |
wolfSSL | 15:117db924cf7c | 234 | data[idx++] = (byte)(protocolLen + labelLen); |
wolfSSL | 15:117db924cf7c | 235 | /* Protocol */ |
wolfSSL | 15:117db924cf7c | 236 | XMEMCPY(&data[idx], protocol, protocolLen); |
wolfSSL | 15:117db924cf7c | 237 | idx += protocolLen; |
wolfSSL | 15:117db924cf7c | 238 | /* Label */ |
wolfSSL | 15:117db924cf7c | 239 | XMEMCPY(&data[idx], label, labelLen); |
wolfSSL | 15:117db924cf7c | 240 | idx += labelLen; |
wolfSSL | 15:117db924cf7c | 241 | /* Length of hash of messages */ |
wolfSSL | 15:117db924cf7c | 242 | data[idx++] = (byte)infoLen; |
wolfSSL | 15:117db924cf7c | 243 | /* Hash of messages */ |
wolfSSL | 15:117db924cf7c | 244 | XMEMCPY(&data[idx], info, infoLen); |
wolfSSL | 15:117db924cf7c | 245 | idx += infoLen; |
wolfSSL | 15:117db924cf7c | 246 | |
wolfSSL | 15:117db924cf7c | 247 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 248 | WOLFSSL_MSG(" PRK"); |
wolfSSL | 15:117db924cf7c | 249 | WOLFSSL_BUFFER(prk, prkLen); |
wolfSSL | 15:117db924cf7c | 250 | WOLFSSL_MSG(" Info"); |
wolfSSL | 15:117db924cf7c | 251 | WOLFSSL_BUFFER(data, idx); |
wolfSSL | 15:117db924cf7c | 252 | #endif |
wolfSSL | 15:117db924cf7c | 253 | |
wolfSSL | 15:117db924cf7c | 254 | ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen); |
wolfSSL | 15:117db924cf7c | 255 | |
wolfSSL | 15:117db924cf7c | 256 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 257 | WOLFSSL_MSG(" OKM"); |
wolfSSL | 15:117db924cf7c | 258 | WOLFSSL_BUFFER(okm, okmLen); |
wolfSSL | 15:117db924cf7c | 259 | #endif |
wolfSSL | 15:117db924cf7c | 260 | |
wolfSSL | 15:117db924cf7c | 261 | ForceZero(data, idx); |
wolfSSL | 15:117db924cf7c | 262 | |
wolfSSL | 15:117db924cf7c | 263 | return ret; |
wolfSSL | 15:117db924cf7c | 264 | } |
wolfSSL | 15:117db924cf7c | 265 | |
wolfSSL | 15:117db924cf7c | 266 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 267 | /* Size of the TLS v1.3 label use when deriving keys. */ |
wolfSSL | 15:117db924cf7c | 268 | #define TLS13_PROTOCOL_LABEL_SZ 9 |
wolfSSL | 15:117db924cf7c | 269 | /* The protocol label for TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 270 | static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "TLS 1.3, "; |
wolfSSL | 15:117db924cf7c | 271 | #else |
wolfSSL | 15:117db924cf7c | 272 | /* Size of the TLS v1.3 label use when deriving keys. */ |
wolfSSL | 15:117db924cf7c | 273 | #define TLS13_PROTOCOL_LABEL_SZ 6 |
wolfSSL | 15:117db924cf7c | 274 | /* The protocol label for TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 275 | static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 "; |
wolfSSL | 15:117db924cf7c | 276 | #endif |
wolfSSL | 15:117db924cf7c | 277 | |
wolfSSL | 15:117db924cf7c | 278 | #if !defined(WOLFSSL_TLS13_DRAFT_18) || defined(HAVE_SESSION_TICKET) || \ |
wolfSSL | 15:117db924cf7c | 279 | !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 280 | /* Derive a key from a message. |
wolfSSL | 15:117db924cf7c | 281 | * |
wolfSSL | 15:117db924cf7c | 282 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 283 | * output The buffer to hold the derived key. |
wolfSSL | 15:117db924cf7c | 284 | * outputLen The length of the derived key. |
wolfSSL | 15:117db924cf7c | 285 | * secret The secret used to derive the key (HMAC secret). |
wolfSSL | 15:117db924cf7c | 286 | * label The label used to distinguish the context. |
wolfSSL | 15:117db924cf7c | 287 | * labelLen The length of the label. |
wolfSSL | 15:117db924cf7c | 288 | * msg The message data to derive key from. |
wolfSSL | 15:117db924cf7c | 289 | * msgLen The length of the message data to derive key from. |
wolfSSL | 15:117db924cf7c | 290 | * hashAlgo The hash algorithm to use in the HMAC. |
wolfSSL | 15:117db924cf7c | 291 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 292 | */ |
wolfSSL | 15:117db924cf7c | 293 | static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen, |
wolfSSL | 15:117db924cf7c | 294 | const byte* secret, const byte* label, word32 labelLen, |
wolfSSL | 15:117db924cf7c | 295 | byte* msg, int msgLen, int hashAlgo) |
wolfSSL | 15:117db924cf7c | 296 | { |
wolfSSL | 15:117db924cf7c | 297 | byte hash[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 298 | Digest digest; |
wolfSSL | 15:117db924cf7c | 299 | word32 hashSz = 0; |
wolfSSL | 15:117db924cf7c | 300 | const byte* protocol; |
wolfSSL | 15:117db924cf7c | 301 | word32 protocolLen; |
wolfSSL | 15:117db924cf7c | 302 | int digestAlg = -1; |
wolfSSL | 15:117db924cf7c | 303 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 304 | |
wolfSSL | 15:117db924cf7c | 305 | switch (hashAlgo) { |
wolfSSL | 15:117db924cf7c | 306 | #ifndef NO_WOLFSSL_SHA256 |
wolfSSL | 15:117db924cf7c | 307 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 308 | ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 309 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 310 | ret = wc_Sha256Update(&digest.sha256, msg, msgLen); |
wolfSSL | 15:117db924cf7c | 311 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 312 | ret = wc_Sha256Final(&digest.sha256, hash); |
wolfSSL | 15:117db924cf7c | 313 | wc_Sha256Free(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 314 | } |
wolfSSL | 15:117db924cf7c | 315 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 316 | digestAlg = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 317 | break; |
wolfSSL | 15:117db924cf7c | 318 | #endif |
wolfSSL | 15:117db924cf7c | 319 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 320 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 321 | ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 322 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 323 | ret = wc_Sha384Update(&digest.sha384, msg, msgLen); |
wolfSSL | 15:117db924cf7c | 324 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 325 | ret = wc_Sha384Final(&digest.sha384, hash); |
wolfSSL | 15:117db924cf7c | 326 | wc_Sha384Free(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 327 | } |
wolfSSL | 15:117db924cf7c | 328 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 329 | digestAlg = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 330 | break; |
wolfSSL | 15:117db924cf7c | 331 | #endif |
wolfSSL | 15:117db924cf7c | 332 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 333 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 334 | ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, INVALID_DEVID); |
wolfSSL | 15:117db924cf7c | 335 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 336 | ret = wc_Sha512Update(&digest.sha512, msg, msgLen); |
wolfSSL | 15:117db924cf7c | 337 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 338 | ret = wc_Sha512Final(&digest.sha512, hash); |
wolfSSL | 15:117db924cf7c | 339 | wc_Sha512Free(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 340 | } |
wolfSSL | 15:117db924cf7c | 341 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 342 | digestAlg = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 343 | break; |
wolfSSL | 15:117db924cf7c | 344 | #endif |
wolfSSL | 15:117db924cf7c | 345 | default: |
wolfSSL | 15:117db924cf7c | 346 | digestAlg = -1; |
wolfSSL | 15:117db924cf7c | 347 | break; |
wolfSSL | 15:117db924cf7c | 348 | } |
wolfSSL | 15:117db924cf7c | 349 | |
wolfSSL | 15:117db924cf7c | 350 | if (digestAlg < 0) |
wolfSSL | 15:117db924cf7c | 351 | return HASH_TYPE_E; |
wolfSSL | 15:117db924cf7c | 352 | |
wolfSSL | 15:117db924cf7c | 353 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 354 | return ret; |
wolfSSL | 15:117db924cf7c | 355 | |
wolfSSL | 15:117db924cf7c | 356 | switch (ssl->version.minor) { |
wolfSSL | 15:117db924cf7c | 357 | case TLSv1_3_MINOR: |
wolfSSL | 15:117db924cf7c | 358 | protocol = tls13ProtocolLabel; |
wolfSSL | 15:117db924cf7c | 359 | protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
wolfSSL | 15:117db924cf7c | 360 | break; |
wolfSSL | 15:117db924cf7c | 361 | |
wolfSSL | 15:117db924cf7c | 362 | default: |
wolfSSL | 15:117db924cf7c | 363 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 364 | } |
wolfSSL | 15:117db924cf7c | 365 | if (outputLen == -1) |
wolfSSL | 15:117db924cf7c | 366 | outputLen = hashSz; |
wolfSSL | 15:117db924cf7c | 367 | |
wolfSSL | 15:117db924cf7c | 368 | return HKDF_Expand_Label(output, outputLen, secret, hashSz, |
wolfSSL | 15:117db924cf7c | 369 | protocol, protocolLen, label, labelLen, |
wolfSSL | 15:117db924cf7c | 370 | hash, hashSz, digestAlg); |
wolfSSL | 15:117db924cf7c | 371 | } |
wolfSSL | 15:117db924cf7c | 372 | #endif |
wolfSSL | 15:117db924cf7c | 373 | |
wolfSSL | 15:117db924cf7c | 374 | /* Derive a key. |
wolfSSL | 15:117db924cf7c | 375 | * |
wolfSSL | 15:117db924cf7c | 376 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 377 | * output The buffer to hold the derived key. |
wolfSSL | 15:117db924cf7c | 378 | * outputLen The length of the derived key. |
wolfSSL | 15:117db924cf7c | 379 | * secret The secret used to derive the key (HMAC secret). |
wolfSSL | 15:117db924cf7c | 380 | * label The label used to distinguish the context. |
wolfSSL | 15:117db924cf7c | 381 | * labelLen The length of the label. |
wolfSSL | 15:117db924cf7c | 382 | * hashAlgo The hash algorithm to use in the HMAC. |
wolfSSL | 15:117db924cf7c | 383 | * includeMsgs Whether to include a hash of the handshake messages so far. |
wolfSSL | 15:117db924cf7c | 384 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 385 | */ |
wolfSSL | 15:117db924cf7c | 386 | static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen, |
wolfSSL | 15:117db924cf7c | 387 | const byte* secret, const byte* label, word32 labelLen, |
wolfSSL | 15:117db924cf7c | 388 | int hashAlgo, int includeMsgs) |
wolfSSL | 15:117db924cf7c | 389 | { |
wolfSSL | 15:117db924cf7c | 390 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 391 | byte hash[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 392 | word32 hashSz = 0; |
wolfSSL | 15:117db924cf7c | 393 | word32 hashOutSz = 0; |
wolfSSL | 15:117db924cf7c | 394 | const byte* protocol; |
wolfSSL | 15:117db924cf7c | 395 | word32 protocolLen; |
wolfSSL | 15:117db924cf7c | 396 | int digestAlg = 0; |
wolfSSL | 15:117db924cf7c | 397 | |
wolfSSL | 15:117db924cf7c | 398 | switch (hashAlgo) { |
wolfSSL | 15:117db924cf7c | 399 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 400 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 401 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 402 | digestAlg = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 403 | if (includeMsgs) |
wolfSSL | 15:117db924cf7c | 404 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
wolfSSL | 15:117db924cf7c | 405 | break; |
wolfSSL | 15:117db924cf7c | 406 | #endif |
wolfSSL | 15:117db924cf7c | 407 | |
wolfSSL | 15:117db924cf7c | 408 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 409 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 410 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 411 | digestAlg = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 412 | if (includeMsgs) |
wolfSSL | 15:117db924cf7c | 413 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
wolfSSL | 15:117db924cf7c | 414 | break; |
wolfSSL | 15:117db924cf7c | 415 | #endif |
wolfSSL | 15:117db924cf7c | 416 | |
wolfSSL | 15:117db924cf7c | 417 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 418 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 419 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 420 | digestAlg = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 421 | if (includeMsgs) |
wolfSSL | 15:117db924cf7c | 422 | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash); |
wolfSSL | 15:117db924cf7c | 423 | break; |
wolfSSL | 15:117db924cf7c | 424 | #endif |
wolfSSL | 15:117db924cf7c | 425 | } |
wolfSSL | 15:117db924cf7c | 426 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 427 | return ret; |
wolfSSL | 15:117db924cf7c | 428 | |
wolfSSL | 15:117db924cf7c | 429 | /* Only one protocol version defined at this time. */ |
wolfSSL | 15:117db924cf7c | 430 | protocol = tls13ProtocolLabel; |
wolfSSL | 15:117db924cf7c | 431 | protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
wolfSSL | 15:117db924cf7c | 432 | |
wolfSSL | 15:117db924cf7c | 433 | if (outputLen == -1) |
wolfSSL | 15:117db924cf7c | 434 | outputLen = hashSz; |
wolfSSL | 15:117db924cf7c | 435 | if (includeMsgs) |
wolfSSL | 15:117db924cf7c | 436 | hashOutSz = hashSz; |
wolfSSL | 15:117db924cf7c | 437 | |
wolfSSL | 15:117db924cf7c | 438 | return HKDF_Expand_Label(output, outputLen, secret, hashSz, |
wolfSSL | 15:117db924cf7c | 439 | protocol, protocolLen, label, labelLen, |
wolfSSL | 15:117db924cf7c | 440 | hash, hashOutSz, digestAlg); |
wolfSSL | 15:117db924cf7c | 441 | } |
wolfSSL | 15:117db924cf7c | 442 | |
wolfSSL | 15:117db924cf7c | 443 | #ifndef NO_PSK |
wolfSSL | 15:117db924cf7c | 444 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 445 | /* The length of the binder key label. */ |
wolfSSL | 15:117db924cf7c | 446 | #define BINDER_KEY_LABEL_SZ 23 |
wolfSSL | 15:117db924cf7c | 447 | /* The binder key label. */ |
wolfSSL | 15:117db924cf7c | 448 | static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 449 | "external psk binder key"; |
wolfSSL | 15:117db924cf7c | 450 | #else |
wolfSSL | 15:117db924cf7c | 451 | /* The length of the binder key label. */ |
wolfSSL | 15:117db924cf7c | 452 | #define BINDER_KEY_LABEL_SZ 10 |
wolfSSL | 15:117db924cf7c | 453 | /* The binder key label. */ |
wolfSSL | 15:117db924cf7c | 454 | static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 455 | "ext binder"; |
wolfSSL | 15:117db924cf7c | 456 | #endif |
wolfSSL | 15:117db924cf7c | 457 | /* Derive the binder key. |
wolfSSL | 15:117db924cf7c | 458 | * |
wolfSSL | 15:117db924cf7c | 459 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 460 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 461 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 462 | */ |
wolfSSL | 15:117db924cf7c | 463 | static int DeriveBinderKey(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 464 | { |
wolfSSL | 15:117db924cf7c | 465 | WOLFSSL_MSG("Derive Binder Key"); |
wolfSSL | 15:117db924cf7c | 466 | return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 15:117db924cf7c | 467 | binderKeyLabel, BINDER_KEY_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 468 | NULL, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 469 | } |
wolfSSL | 15:117db924cf7c | 470 | #endif /* !NO_PSK */ |
wolfSSL | 15:117db924cf7c | 471 | |
wolfSSL | 15:117db924cf7c | 472 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 473 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 474 | /* The length of the binder key resume label. */ |
wolfSSL | 15:117db924cf7c | 475 | #define BINDER_KEY_RESUME_LABEL_SZ 25 |
wolfSSL | 15:117db924cf7c | 476 | /* The binder key resume label. */ |
wolfSSL | 15:117db924cf7c | 477 | static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 478 | "resumption psk binder key"; |
wolfSSL | 15:117db924cf7c | 479 | #else |
wolfSSL | 15:117db924cf7c | 480 | /* The length of the binder key resume label. */ |
wolfSSL | 15:117db924cf7c | 481 | #define BINDER_KEY_RESUME_LABEL_SZ 10 |
wolfSSL | 15:117db924cf7c | 482 | /* The binder key resume label. */ |
wolfSSL | 15:117db924cf7c | 483 | static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 484 | "res binder"; |
wolfSSL | 15:117db924cf7c | 485 | #endif |
wolfSSL | 15:117db924cf7c | 486 | /* Derive the binder resumption key. |
wolfSSL | 15:117db924cf7c | 487 | * |
wolfSSL | 15:117db924cf7c | 488 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 489 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 490 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 491 | */ |
wolfSSL | 15:117db924cf7c | 492 | static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 493 | { |
wolfSSL | 15:117db924cf7c | 494 | WOLFSSL_MSG("Derive Binder Key - Resumption"); |
wolfSSL | 15:117db924cf7c | 495 | return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 15:117db924cf7c | 496 | binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 497 | NULL, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 498 | } |
wolfSSL | 15:117db924cf7c | 499 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 500 | |
wolfSSL | 15:117db924cf7c | 501 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 502 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 503 | /* The length of the early traffic label. */ |
wolfSSL | 15:117db924cf7c | 504 | #define EARLY_TRAFFIC_LABEL_SZ 27 |
wolfSSL | 15:117db924cf7c | 505 | /* The early traffic label. */ |
wolfSSL | 15:117db924cf7c | 506 | static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 507 | "client early traffic secret"; |
wolfSSL | 15:117db924cf7c | 508 | #else |
wolfSSL | 15:117db924cf7c | 509 | /* The length of the early traffic label. */ |
wolfSSL | 15:117db924cf7c | 510 | #define EARLY_TRAFFIC_LABEL_SZ 11 |
wolfSSL | 15:117db924cf7c | 511 | /* The early traffic label. */ |
wolfSSL | 15:117db924cf7c | 512 | static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 513 | "c e traffic"; |
wolfSSL | 15:117db924cf7c | 514 | #endif |
wolfSSL | 15:117db924cf7c | 515 | /* Derive the early traffic key. |
wolfSSL | 15:117db924cf7c | 516 | * |
wolfSSL | 15:117db924cf7c | 517 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 518 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 519 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 520 | */ |
wolfSSL | 15:117db924cf7c | 521 | static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 522 | { |
wolfSSL | 16:8e0d178b1d1e | 523 | int ret; |
wolfSSL | 15:117db924cf7c | 524 | WOLFSSL_MSG("Derive Early Traffic Secret"); |
wolfSSL | 16:8e0d178b1d1e | 525 | ret = DeriveKey(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 16:8e0d178b1d1e | 526 | earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ, |
wolfSSL | 16:8e0d178b1d1e | 527 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 16:8e0d178b1d1e | 528 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 16:8e0d178b1d1e | 529 | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 530 | ret = ssl->tls13SecretCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key, |
wolfSSL | 16:8e0d178b1d1e | 531 | ssl->specs.hash_size, ssl->tls13SecretCtx); |
wolfSSL | 16:8e0d178b1d1e | 532 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 533 | return TLS13_SECRET_CB_E; |
wolfSSL | 16:8e0d178b1d1e | 534 | } |
wolfSSL | 16:8e0d178b1d1e | 535 | } |
wolfSSL | 16:8e0d178b1d1e | 536 | #endif /* HAVE_SECRET_CALLBACK */ |
wolfSSL | 16:8e0d178b1d1e | 537 | return ret; |
wolfSSL | 15:117db924cf7c | 538 | } |
wolfSSL | 15:117db924cf7c | 539 | |
wolfSSL | 15:117db924cf7c | 540 | #ifdef TLS13_SUPPORTS_EXPORTERS |
wolfSSL | 15:117db924cf7c | 541 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 542 | /* The length of the early exporter label. */ |
wolfSSL | 15:117db924cf7c | 543 | #define EARLY_EXPORTER_LABEL_SZ 28 |
wolfSSL | 15:117db924cf7c | 544 | /* The early exporter label. */ |
wolfSSL | 15:117db924cf7c | 545 | static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 546 | "early exporter master secret"; |
wolfSSL | 15:117db924cf7c | 547 | #else |
wolfSSL | 15:117db924cf7c | 548 | /* The length of the early exporter label. */ |
wolfSSL | 15:117db924cf7c | 549 | #define EARLY_EXPORTER_LABEL_SZ 12 |
wolfSSL | 15:117db924cf7c | 550 | /* The early exporter label. */ |
wolfSSL | 15:117db924cf7c | 551 | static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 552 | "e exp master"; |
wolfSSL | 15:117db924cf7c | 553 | #endif |
wolfSSL | 15:117db924cf7c | 554 | /* Derive the early exporter key. |
wolfSSL | 15:117db924cf7c | 555 | * |
wolfSSL | 15:117db924cf7c | 556 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 557 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 558 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 559 | */ |
wolfSSL | 15:117db924cf7c | 560 | static int DeriveEarlyExporterSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 561 | { |
wolfSSL | 16:8e0d178b1d1e | 562 | int ret; |
wolfSSL | 15:117db924cf7c | 563 | WOLFSSL_MSG("Derive Early Exporter Secret"); |
wolfSSL | 16:8e0d178b1d1e | 564 | ret = DeriveKey(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 16:8e0d178b1d1e | 565 | earlyExporterLabel, EARLY_EXPORTER_LABEL_SZ, |
wolfSSL | 16:8e0d178b1d1e | 566 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 16:8e0d178b1d1e | 567 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 16:8e0d178b1d1e | 568 | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 569 | ret = ssl->tls13SecretCb(ssl, EARLY_EXPORTER_SECRET, key |
wolfSSL | 16:8e0d178b1d1e | 570 | ssl->specs.hash_size, ssl->tls13SecretCtx); |
wolfSSL | 16:8e0d178b1d1e | 571 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 572 | return TLS13_SECRET_CB_E; |
wolfSSL | 16:8e0d178b1d1e | 573 | } |
wolfSSL | 16:8e0d178b1d1e | 574 | } |
wolfSSL | 16:8e0d178b1d1e | 575 | #endif /* HAVE_SECRET_CALLBACK */ |
wolfSSL | 16:8e0d178b1d1e | 576 | return ret; |
wolfSSL | 15:117db924cf7c | 577 | } |
wolfSSL | 15:117db924cf7c | 578 | #endif |
wolfSSL | 15:117db924cf7c | 579 | #endif |
wolfSSL | 15:117db924cf7c | 580 | |
wolfSSL | 15:117db924cf7c | 581 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 16:8e0d178b1d1e | 582 | /* The length of the client handshake label. */ |
wolfSSL | 15:117db924cf7c | 583 | #define CLIENT_HANDSHAKE_LABEL_SZ 31 |
wolfSSL | 16:8e0d178b1d1e | 584 | /* The client handshake label. */ |
wolfSSL | 15:117db924cf7c | 585 | static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 586 | "client handshake traffic secret"; |
wolfSSL | 15:117db924cf7c | 587 | #else |
wolfSSL | 16:8e0d178b1d1e | 588 | /* The length of the client handshake label. */ |
wolfSSL | 15:117db924cf7c | 589 | #define CLIENT_HANDSHAKE_LABEL_SZ 12 |
wolfSSL | 16:8e0d178b1d1e | 590 | /* The client handshake label. */ |
wolfSSL | 15:117db924cf7c | 591 | static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 592 | "c hs traffic"; |
wolfSSL | 15:117db924cf7c | 593 | #endif |
wolfSSL | 15:117db924cf7c | 594 | /* Derive the client handshake key. |
wolfSSL | 15:117db924cf7c | 595 | * |
wolfSSL | 15:117db924cf7c | 596 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 597 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 598 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 599 | */ |
wolfSSL | 15:117db924cf7c | 600 | static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 601 | { |
wolfSSL | 16:8e0d178b1d1e | 602 | int ret; |
wolfSSL | 15:117db924cf7c | 603 | WOLFSSL_MSG("Derive Client Handshake Secret"); |
wolfSSL | 16:8e0d178b1d1e | 604 | ret = DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret, |
wolfSSL | 16:8e0d178b1d1e | 605 | clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ, |
wolfSSL | 16:8e0d178b1d1e | 606 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 16:8e0d178b1d1e | 607 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 16:8e0d178b1d1e | 608 | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 609 | ret = ssl->tls13SecretCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key, |
wolfSSL | 16:8e0d178b1d1e | 610 | ssl->specs.hash_size, ssl->tls13SecretCtx); |
wolfSSL | 16:8e0d178b1d1e | 611 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 612 | return TLS13_SECRET_CB_E; |
wolfSSL | 16:8e0d178b1d1e | 613 | } |
wolfSSL | 16:8e0d178b1d1e | 614 | } |
wolfSSL | 16:8e0d178b1d1e | 615 | #endif /* HAVE_SECRET_CALLBACK */ |
wolfSSL | 16:8e0d178b1d1e | 616 | return ret; |
wolfSSL | 15:117db924cf7c | 617 | } |
wolfSSL | 15:117db924cf7c | 618 | |
wolfSSL | 15:117db924cf7c | 619 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 620 | /* The length of the server handshake label. */ |
wolfSSL | 15:117db924cf7c | 621 | #define SERVER_HANDSHAKE_LABEL_SZ 31 |
wolfSSL | 15:117db924cf7c | 622 | /* The server handshake label. */ |
wolfSSL | 15:117db924cf7c | 623 | static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 624 | "server handshake traffic secret"; |
wolfSSL | 15:117db924cf7c | 625 | #else |
wolfSSL | 15:117db924cf7c | 626 | /* The length of the server handshake label. */ |
wolfSSL | 15:117db924cf7c | 627 | #define SERVER_HANDSHAKE_LABEL_SZ 12 |
wolfSSL | 15:117db924cf7c | 628 | /* The server handshake label. */ |
wolfSSL | 15:117db924cf7c | 629 | static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 630 | "s hs traffic"; |
wolfSSL | 15:117db924cf7c | 631 | #endif |
wolfSSL | 15:117db924cf7c | 632 | /* Derive the server handshake key. |
wolfSSL | 15:117db924cf7c | 633 | * |
wolfSSL | 15:117db924cf7c | 634 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 635 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 636 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 637 | */ |
wolfSSL | 15:117db924cf7c | 638 | static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 639 | { |
wolfSSL | 16:8e0d178b1d1e | 640 | int ret; |
wolfSSL | 15:117db924cf7c | 641 | WOLFSSL_MSG("Derive Server Handshake Secret"); |
wolfSSL | 16:8e0d178b1d1e | 642 | ret = DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret, |
wolfSSL | 16:8e0d178b1d1e | 643 | serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ, |
wolfSSL | 16:8e0d178b1d1e | 644 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 16:8e0d178b1d1e | 645 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 16:8e0d178b1d1e | 646 | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 647 | ret = ssl->tls13SecretCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key, |
wolfSSL | 16:8e0d178b1d1e | 648 | ssl->specs.hash_size, ssl->tls13SecretCtx); |
wolfSSL | 16:8e0d178b1d1e | 649 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 650 | return TLS13_SECRET_CB_E; |
wolfSSL | 16:8e0d178b1d1e | 651 | } |
wolfSSL | 16:8e0d178b1d1e | 652 | } |
wolfSSL | 16:8e0d178b1d1e | 653 | #endif /* HAVE_SECRET_CALLBACK */ |
wolfSSL | 16:8e0d178b1d1e | 654 | return ret; |
wolfSSL | 15:117db924cf7c | 655 | } |
wolfSSL | 15:117db924cf7c | 656 | |
wolfSSL | 15:117db924cf7c | 657 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 658 | /* The length of the client application traffic label. */ |
wolfSSL | 15:117db924cf7c | 659 | #define CLIENT_APP_LABEL_SZ 33 |
wolfSSL | 15:117db924cf7c | 660 | /* The client application traffic label. */ |
wolfSSL | 15:117db924cf7c | 661 | static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 662 | "client application traffic secret"; |
wolfSSL | 15:117db924cf7c | 663 | #else |
wolfSSL | 15:117db924cf7c | 664 | /* The length of the client application traffic label. */ |
wolfSSL | 15:117db924cf7c | 665 | #define CLIENT_APP_LABEL_SZ 12 |
wolfSSL | 15:117db924cf7c | 666 | /* The client application traffic label. */ |
wolfSSL | 15:117db924cf7c | 667 | static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 668 | "c ap traffic"; |
wolfSSL | 15:117db924cf7c | 669 | #endif |
wolfSSL | 15:117db924cf7c | 670 | /* Derive the client application traffic key. |
wolfSSL | 15:117db924cf7c | 671 | * |
wolfSSL | 15:117db924cf7c | 672 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 673 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 674 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 675 | */ |
wolfSSL | 15:117db924cf7c | 676 | static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 677 | { |
wolfSSL | 16:8e0d178b1d1e | 678 | int ret; |
wolfSSL | 15:117db924cf7c | 679 | WOLFSSL_MSG("Derive Client Traffic Secret"); |
wolfSSL | 16:8e0d178b1d1e | 680 | ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
wolfSSL | 16:8e0d178b1d1e | 681 | clientAppLabel, CLIENT_APP_LABEL_SZ, |
wolfSSL | 16:8e0d178b1d1e | 682 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 16:8e0d178b1d1e | 683 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 16:8e0d178b1d1e | 684 | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 685 | ret = ssl->tls13SecretCb(ssl, CLIENT_TRAFFIC_SECRET, key, |
wolfSSL | 16:8e0d178b1d1e | 686 | ssl->specs.hash_size, ssl->tls13SecretCtx); |
wolfSSL | 16:8e0d178b1d1e | 687 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 688 | return TLS13_SECRET_CB_E; |
wolfSSL | 16:8e0d178b1d1e | 689 | } |
wolfSSL | 16:8e0d178b1d1e | 690 | } |
wolfSSL | 16:8e0d178b1d1e | 691 | #endif /* HAVE_SECRET_CALLBACK */ |
wolfSSL | 16:8e0d178b1d1e | 692 | return ret; |
wolfSSL | 15:117db924cf7c | 693 | } |
wolfSSL | 15:117db924cf7c | 694 | |
wolfSSL | 15:117db924cf7c | 695 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 696 | /* The length of the server application traffic label. */ |
wolfSSL | 15:117db924cf7c | 697 | #define SERVER_APP_LABEL_SZ 33 |
wolfSSL | 15:117db924cf7c | 698 | /* The server application traffic label. */ |
wolfSSL | 15:117db924cf7c | 699 | static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 700 | "server application traffic secret"; |
wolfSSL | 15:117db924cf7c | 701 | #else |
wolfSSL | 15:117db924cf7c | 702 | /* The length of the server application traffic label. */ |
wolfSSL | 15:117db924cf7c | 703 | #define SERVER_APP_LABEL_SZ 12 |
wolfSSL | 15:117db924cf7c | 704 | /* The server application traffic label. */ |
wolfSSL | 15:117db924cf7c | 705 | static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 706 | "s ap traffic"; |
wolfSSL | 15:117db924cf7c | 707 | #endif |
wolfSSL | 15:117db924cf7c | 708 | /* Derive the server application traffic key. |
wolfSSL | 15:117db924cf7c | 709 | * |
wolfSSL | 15:117db924cf7c | 710 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 711 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 712 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 713 | */ |
wolfSSL | 15:117db924cf7c | 714 | static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 715 | { |
wolfSSL | 16:8e0d178b1d1e | 716 | int ret; |
wolfSSL | 15:117db924cf7c | 717 | WOLFSSL_MSG("Derive Server Traffic Secret"); |
wolfSSL | 16:8e0d178b1d1e | 718 | ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
wolfSSL | 16:8e0d178b1d1e | 719 | serverAppLabel, SERVER_APP_LABEL_SZ, |
wolfSSL | 16:8e0d178b1d1e | 720 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 16:8e0d178b1d1e | 721 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 16:8e0d178b1d1e | 722 | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 723 | ret = ssl->tls13SecretCb(ssl, SERVER_TRAFFIC_SECRET, key, |
wolfSSL | 16:8e0d178b1d1e | 724 | ssl->specs.hash_size, ssl->tls13SecretCtx); |
wolfSSL | 16:8e0d178b1d1e | 725 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 726 | return TLS13_SECRET_CB_E; |
wolfSSL | 16:8e0d178b1d1e | 727 | } |
wolfSSL | 16:8e0d178b1d1e | 728 | } |
wolfSSL | 16:8e0d178b1d1e | 729 | #endif /* HAVE_SECRET_CALLBACK */ |
wolfSSL | 16:8e0d178b1d1e | 730 | return ret; |
wolfSSL | 15:117db924cf7c | 731 | } |
wolfSSL | 15:117db924cf7c | 732 | |
wolfSSL | 15:117db924cf7c | 733 | #ifdef TLS13_SUPPORTS_EXPORTERS |
wolfSSL | 15:117db924cf7c | 734 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 735 | /* The length of the exporter master secret label. */ |
wolfSSL | 15:117db924cf7c | 736 | #define EXPORTER_MASTER_LABEL_SZ 22 |
wolfSSL | 15:117db924cf7c | 737 | /* The exporter master secret label. */ |
wolfSSL | 15:117db924cf7c | 738 | static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 739 | "exporter master secret"; |
wolfSSL | 15:117db924cf7c | 740 | #else |
wolfSSL | 15:117db924cf7c | 741 | /* The length of the exporter master secret label. */ |
wolfSSL | 15:117db924cf7c | 742 | #define EXPORTER_MASTER_LABEL_SZ 10 |
wolfSSL | 15:117db924cf7c | 743 | /* The exporter master secret label. */ |
wolfSSL | 15:117db924cf7c | 744 | static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 745 | "exp master"; |
wolfSSL | 15:117db924cf7c | 746 | #endif |
wolfSSL | 15:117db924cf7c | 747 | /* Derive the exporter secret. |
wolfSSL | 15:117db924cf7c | 748 | * |
wolfSSL | 15:117db924cf7c | 749 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 750 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 751 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 752 | */ |
wolfSSL | 15:117db924cf7c | 753 | static int DeriveExporterSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 754 | { |
wolfSSL | 16:8e0d178b1d1e | 755 | int ret; |
wolfSSL | 15:117db924cf7c | 756 | WOLFSSL_MSG("Derive Exporter Secret"); |
wolfSSL | 16:8e0d178b1d1e | 757 | ret = DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
wolfSSL | 16:8e0d178b1d1e | 758 | exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ, |
wolfSSL | 16:8e0d178b1d1e | 759 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 16:8e0d178b1d1e | 760 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 16:8e0d178b1d1e | 761 | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 762 | ret = ssl->tls13SecretCb(ssl, EXPORTER_SECRET, key, |
wolfSSL | 16:8e0d178b1d1e | 763 | ssl->specs.hash_size, ssl->tls13SecretCtx); |
wolfSSL | 16:8e0d178b1d1e | 764 | if (ret != 0) { |
wolfSSL | 16:8e0d178b1d1e | 765 | return TLS13_SECRET_CB_E; |
wolfSSL | 16:8e0d178b1d1e | 766 | } |
wolfSSL | 16:8e0d178b1d1e | 767 | } |
wolfSSL | 16:8e0d178b1d1e | 768 | #endif /* HAVE_SECRET_CALLBACK */ |
wolfSSL | 16:8e0d178b1d1e | 769 | return ret; |
wolfSSL | 15:117db924cf7c | 770 | } |
wolfSSL | 15:117db924cf7c | 771 | #endif |
wolfSSL | 15:117db924cf7c | 772 | |
wolfSSL | 15:117db924cf7c | 773 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 774 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 775 | /* The length of the resumption master secret label. */ |
wolfSSL | 15:117db924cf7c | 776 | #define RESUME_MASTER_LABEL_SZ 24 |
wolfSSL | 15:117db924cf7c | 777 | /* The resumption master secret label. */ |
wolfSSL | 15:117db924cf7c | 778 | static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 779 | "resumption master secret"; |
wolfSSL | 15:117db924cf7c | 780 | #else |
wolfSSL | 15:117db924cf7c | 781 | /* The length of the resumption master secret label. */ |
wolfSSL | 15:117db924cf7c | 782 | #define RESUME_MASTER_LABEL_SZ 10 |
wolfSSL | 15:117db924cf7c | 783 | /* The resumption master secret label. */ |
wolfSSL | 15:117db924cf7c | 784 | static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 785 | "res master"; |
wolfSSL | 15:117db924cf7c | 786 | #endif |
wolfSSL | 15:117db924cf7c | 787 | /* Derive the resumption secret. |
wolfSSL | 15:117db924cf7c | 788 | * |
wolfSSL | 15:117db924cf7c | 789 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 790 | * key The derived key. |
wolfSSL | 15:117db924cf7c | 791 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 792 | */ |
wolfSSL | 15:117db924cf7c | 793 | static int DeriveResumptionSecret(WOLFSSL* ssl, byte* key) |
wolfSSL | 15:117db924cf7c | 794 | { |
wolfSSL | 15:117db924cf7c | 795 | WOLFSSL_MSG("Derive Resumption Secret"); |
wolfSSL | 15:117db924cf7c | 796 | return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
wolfSSL | 15:117db924cf7c | 797 | resumeMasterLabel, RESUME_MASTER_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 798 | ssl->specs.mac_algorithm, 1); |
wolfSSL | 15:117db924cf7c | 799 | } |
wolfSSL | 15:117db924cf7c | 800 | #endif |
wolfSSL | 15:117db924cf7c | 801 | |
wolfSSL | 15:117db924cf7c | 802 | /* Length of the finished label. */ |
wolfSSL | 15:117db924cf7c | 803 | #define FINISHED_LABEL_SZ 8 |
wolfSSL | 15:117db924cf7c | 804 | /* Finished label for generating finished key. */ |
wolfSSL | 15:117db924cf7c | 805 | static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished"; |
wolfSSL | 15:117db924cf7c | 806 | /* Derive the finished secret. |
wolfSSL | 15:117db924cf7c | 807 | * |
wolfSSL | 15:117db924cf7c | 808 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 809 | * key The key to use with the HMAC. |
wolfSSL | 15:117db924cf7c | 810 | * secret The derived secret. |
wolfSSL | 15:117db924cf7c | 811 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 812 | */ |
wolfSSL | 15:117db924cf7c | 813 | static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret) |
wolfSSL | 15:117db924cf7c | 814 | { |
wolfSSL | 15:117db924cf7c | 815 | WOLFSSL_MSG("Derive Finished Secret"); |
wolfSSL | 15:117db924cf7c | 816 | return DeriveKey(ssl, secret, -1, key, finishedLabel, FINISHED_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 817 | ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 818 | } |
wolfSSL | 15:117db924cf7c | 819 | |
wolfSSL | 15:117db924cf7c | 820 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 821 | /* The length of the application traffic label. */ |
wolfSSL | 15:117db924cf7c | 822 | #define APP_TRAFFIC_LABEL_SZ 26 |
wolfSSL | 15:117db924cf7c | 823 | /* The application traffic label. */ |
wolfSSL | 15:117db924cf7c | 824 | static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 825 | "application traffic secret"; |
wolfSSL | 15:117db924cf7c | 826 | #else |
wolfSSL | 15:117db924cf7c | 827 | /* The length of the application traffic label. */ |
wolfSSL | 15:117db924cf7c | 828 | #define APP_TRAFFIC_LABEL_SZ 11 |
wolfSSL | 15:117db924cf7c | 829 | /* The application traffic label. */ |
wolfSSL | 15:117db924cf7c | 830 | static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 831 | "traffic upd"; |
wolfSSL | 15:117db924cf7c | 832 | #endif |
wolfSSL | 15:117db924cf7c | 833 | /* Update the traffic secret. |
wolfSSL | 15:117db924cf7c | 834 | * |
wolfSSL | 15:117db924cf7c | 835 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 836 | * secret The previous secret and derived secret. |
wolfSSL | 15:117db924cf7c | 837 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 838 | */ |
wolfSSL | 15:117db924cf7c | 839 | static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret) |
wolfSSL | 15:117db924cf7c | 840 | { |
wolfSSL | 15:117db924cf7c | 841 | WOLFSSL_MSG("Derive New Application Traffic Secret"); |
wolfSSL | 15:117db924cf7c | 842 | return DeriveKey(ssl, secret, -1, secret, |
wolfSSL | 15:117db924cf7c | 843 | appTrafficLabel, APP_TRAFFIC_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 844 | ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 845 | } |
wolfSSL | 15:117db924cf7c | 846 | |
wolfSSL | 15:117db924cf7c | 847 | /* Derive the early secret using HKDF Extract. |
wolfSSL | 15:117db924cf7c | 848 | * |
wolfSSL | 15:117db924cf7c | 849 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 850 | */ |
wolfSSL | 15:117db924cf7c | 851 | static int DeriveEarlySecret(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 852 | { |
wolfSSL | 15:117db924cf7c | 853 | WOLFSSL_MSG("Derive Early Secret"); |
wolfSSL | 15:117db924cf7c | 854 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 855 | return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0, |
wolfSSL | 15:117db924cf7c | 856 | ssl->arrays->psk_key, ssl->arrays->psk_keySz, |
wolfSSL | 15:117db924cf7c | 857 | ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 858 | #else |
wolfSSL | 15:117db924cf7c | 859 | return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0, |
wolfSSL | 15:117db924cf7c | 860 | ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 861 | #endif |
wolfSSL | 15:117db924cf7c | 862 | } |
wolfSSL | 15:117db924cf7c | 863 | |
wolfSSL | 15:117db924cf7c | 864 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 865 | /* The length of the derived label. */ |
wolfSSL | 15:117db924cf7c | 866 | #define DERIVED_LABEL_SZ 7 |
wolfSSL | 15:117db924cf7c | 867 | /* The derived label. */ |
wolfSSL | 15:117db924cf7c | 868 | static const byte derivedLabel[DERIVED_LABEL_SZ + 1] = |
wolfSSL | 15:117db924cf7c | 869 | "derived"; |
wolfSSL | 15:117db924cf7c | 870 | #endif |
wolfSSL | 15:117db924cf7c | 871 | /* Derive the handshake secret using HKDF Extract. |
wolfSSL | 15:117db924cf7c | 872 | * |
wolfSSL | 15:117db924cf7c | 873 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 874 | */ |
wolfSSL | 15:117db924cf7c | 875 | static int DeriveHandshakeSecret(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 876 | { |
wolfSSL | 15:117db924cf7c | 877 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 878 | WOLFSSL_MSG("Derive Handshake Secret"); |
wolfSSL | 15:117db924cf7c | 879 | return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret, |
wolfSSL | 15:117db924cf7c | 880 | ssl->arrays->secret, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 881 | ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, |
wolfSSL | 15:117db924cf7c | 882 | ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 883 | #else |
wolfSSL | 15:117db924cf7c | 884 | byte key[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 885 | int ret; |
wolfSSL | 15:117db924cf7c | 886 | |
wolfSSL | 15:117db924cf7c | 887 | WOLFSSL_MSG("Derive Handshake Secret"); |
wolfSSL | 15:117db924cf7c | 888 | |
wolfSSL | 15:117db924cf7c | 889 | ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, |
wolfSSL | 15:117db924cf7c | 890 | derivedLabel, DERIVED_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 891 | NULL, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 892 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 893 | return ret; |
wolfSSL | 15:117db924cf7c | 894 | |
wolfSSL | 15:117db924cf7c | 895 | return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret, |
wolfSSL | 15:117db924cf7c | 896 | key, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 897 | ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, |
wolfSSL | 15:117db924cf7c | 898 | ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 899 | #endif |
wolfSSL | 15:117db924cf7c | 900 | } |
wolfSSL | 15:117db924cf7c | 901 | |
wolfSSL | 15:117db924cf7c | 902 | /* Derive the master secret using HKDF Extract. |
wolfSSL | 15:117db924cf7c | 903 | * |
wolfSSL | 15:117db924cf7c | 904 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 905 | */ |
wolfSSL | 15:117db924cf7c | 906 | static int DeriveMasterSecret(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 907 | { |
wolfSSL | 15:117db924cf7c | 908 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 909 | WOLFSSL_MSG("Derive Master Secret"); |
wolfSSL | 15:117db924cf7c | 910 | return Tls13_HKDF_Extract(ssl->arrays->masterSecret, |
wolfSSL | 15:117db924cf7c | 911 | ssl->arrays->preMasterSecret, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 912 | ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 913 | #else |
wolfSSL | 15:117db924cf7c | 914 | byte key[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 915 | int ret; |
wolfSSL | 15:117db924cf7c | 916 | |
wolfSSL | 15:117db924cf7c | 917 | WOLFSSL_MSG("Derive Master Secret"); |
wolfSSL | 15:117db924cf7c | 918 | |
wolfSSL | 15:117db924cf7c | 919 | ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret, |
wolfSSL | 15:117db924cf7c | 920 | derivedLabel, DERIVED_LABEL_SZ, |
wolfSSL | 15:117db924cf7c | 921 | NULL, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 922 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 923 | return ret; |
wolfSSL | 15:117db924cf7c | 924 | |
wolfSSL | 15:117db924cf7c | 925 | return Tls13_HKDF_Extract(ssl->arrays->masterSecret, |
wolfSSL | 15:117db924cf7c | 926 | key, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 927 | ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm); |
wolfSSL | 15:117db924cf7c | 928 | #endif |
wolfSSL | 15:117db924cf7c | 929 | } |
wolfSSL | 15:117db924cf7c | 930 | |
wolfSSL | 15:117db924cf7c | 931 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 932 | #if defined(HAVE_SESSION_TICKET) |
wolfSSL | 15:117db924cf7c | 933 | /* Length of the resumption label. */ |
wolfSSL | 15:117db924cf7c | 934 | #define RESUMPTION_LABEL_SZ 10 |
wolfSSL | 16:8e0d178b1d1e | 935 | /* Resumption label for generating PSK associated with the ticket. */ |
wolfSSL | 15:117db924cf7c | 936 | static const byte resumptionLabel[RESUMPTION_LABEL_SZ+1] = "resumption"; |
wolfSSL | 16:8e0d178b1d1e | 937 | /* Derive the PSK associated with the ticket. |
wolfSSL | 15:117db924cf7c | 938 | * |
wolfSSL | 15:117db924cf7c | 939 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 940 | * nonce The nonce to derive with. |
wolfSSL | 15:117db924cf7c | 941 | * nonceLen The length of the nonce to derive with. |
wolfSSL | 15:117db924cf7c | 942 | * secret The derived secret. |
wolfSSL | 15:117db924cf7c | 943 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 944 | */ |
wolfSSL | 15:117db924cf7c | 945 | static int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, |
wolfSSL | 15:117db924cf7c | 946 | byte* secret) |
wolfSSL | 15:117db924cf7c | 947 | { |
wolfSSL | 15:117db924cf7c | 948 | int digestAlg; |
wolfSSL | 15:117db924cf7c | 949 | /* Only one protocol version defined at this time. */ |
wolfSSL | 15:117db924cf7c | 950 | const byte* protocol = tls13ProtocolLabel; |
wolfSSL | 15:117db924cf7c | 951 | word32 protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
wolfSSL | 15:117db924cf7c | 952 | |
wolfSSL | 15:117db924cf7c | 953 | WOLFSSL_MSG("Derive Resumption PSK"); |
wolfSSL | 15:117db924cf7c | 954 | |
wolfSSL | 15:117db924cf7c | 955 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 956 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 957 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 958 | digestAlg = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 959 | break; |
wolfSSL | 15:117db924cf7c | 960 | #endif |
wolfSSL | 15:117db924cf7c | 961 | |
wolfSSL | 15:117db924cf7c | 962 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 963 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 964 | digestAlg = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 965 | break; |
wolfSSL | 15:117db924cf7c | 966 | #endif |
wolfSSL | 15:117db924cf7c | 967 | |
wolfSSL | 15:117db924cf7c | 968 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 969 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 970 | digestAlg = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 971 | break; |
wolfSSL | 15:117db924cf7c | 972 | #endif |
wolfSSL | 15:117db924cf7c | 973 | |
wolfSSL | 15:117db924cf7c | 974 | default: |
wolfSSL | 15:117db924cf7c | 975 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 976 | } |
wolfSSL | 15:117db924cf7c | 977 | |
wolfSSL | 15:117db924cf7c | 978 | return HKDF_Expand_Label(secret, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 979 | ssl->session.masterSecret, ssl->specs.hash_size, |
wolfSSL | 15:117db924cf7c | 980 | protocol, protocolLen, resumptionLabel, |
wolfSSL | 15:117db924cf7c | 981 | RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg); |
wolfSSL | 15:117db924cf7c | 982 | } |
wolfSSL | 15:117db924cf7c | 983 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 984 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 985 | |
wolfSSL | 15:117db924cf7c | 986 | |
wolfSSL | 15:117db924cf7c | 987 | /* Calculate the HMAC of message data to this point. |
wolfSSL | 15:117db924cf7c | 988 | * |
wolfSSL | 15:117db924cf7c | 989 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 990 | * key The HMAC key. |
wolfSSL | 15:117db924cf7c | 991 | * hash The hash result - verify data. |
wolfSSL | 15:117db924cf7c | 992 | * returns length of verify data generated. |
wolfSSL | 15:117db924cf7c | 993 | */ |
wolfSSL | 15:117db924cf7c | 994 | static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash, |
wolfSSL | 15:117db924cf7c | 995 | word32* pHashSz) |
wolfSSL | 15:117db924cf7c | 996 | { |
wolfSSL | 15:117db924cf7c | 997 | Hmac verifyHmac; |
wolfSSL | 15:117db924cf7c | 998 | int hashType = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 999 | int hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 1000 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 1001 | |
wolfSSL | 15:117db924cf7c | 1002 | /* Get the hash of the previous handshake messages. */ |
wolfSSL | 15:117db924cf7c | 1003 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 1004 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1005 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 1006 | hashType = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 1007 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 1008 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
wolfSSL | 15:117db924cf7c | 1009 | break; |
wolfSSL | 15:117db924cf7c | 1010 | #endif /* !NO_SHA256 */ |
wolfSSL | 15:117db924cf7c | 1011 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1012 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 1013 | hashType = WC_SHA384; |
wolfSSL | 15:117db924cf7c | 1014 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 1015 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
wolfSSL | 15:117db924cf7c | 1016 | break; |
wolfSSL | 15:117db924cf7c | 1017 | #endif /* WOLFSSL_SHA384 */ |
wolfSSL | 15:117db924cf7c | 1018 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 1019 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 1020 | hashType = WC_SHA512; |
wolfSSL | 15:117db924cf7c | 1021 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 1022 | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash); |
wolfSSL | 15:117db924cf7c | 1023 | break; |
wolfSSL | 15:117db924cf7c | 1024 | #endif /* WOLFSSL_TLS13_SHA512 */ |
wolfSSL | 15:117db924cf7c | 1025 | } |
wolfSSL | 15:117db924cf7c | 1026 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1027 | return ret; |
wolfSSL | 15:117db924cf7c | 1028 | |
wolfSSL | 15:117db924cf7c | 1029 | /* Calculate the verify data. */ |
wolfSSL | 15:117db924cf7c | 1030 | ret = wc_HmacInit(&verifyHmac, ssl->heap, ssl->devId); |
wolfSSL | 15:117db924cf7c | 1031 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 1032 | ret = wc_HmacSetKey(&verifyHmac, hashType, key, ssl->specs.hash_size); |
wolfSSL | 15:117db924cf7c | 1033 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 1034 | ret = wc_HmacUpdate(&verifyHmac, hash, hashSz); |
wolfSSL | 15:117db924cf7c | 1035 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 1036 | ret = wc_HmacFinal(&verifyHmac, hash); |
wolfSSL | 15:117db924cf7c | 1037 | wc_HmacFree(&verifyHmac); |
wolfSSL | 15:117db924cf7c | 1038 | } |
wolfSSL | 15:117db924cf7c | 1039 | |
wolfSSL | 15:117db924cf7c | 1040 | if (pHashSz) |
wolfSSL | 15:117db924cf7c | 1041 | *pHashSz = hashSz; |
wolfSSL | 15:117db924cf7c | 1042 | |
wolfSSL | 15:117db924cf7c | 1043 | return ret; |
wolfSSL | 15:117db924cf7c | 1044 | } |
wolfSSL | 15:117db924cf7c | 1045 | |
wolfSSL | 15:117db924cf7c | 1046 | /* The length of the label to use when deriving keys. */ |
wolfSSL | 15:117db924cf7c | 1047 | #define WRITE_KEY_LABEL_SZ 3 |
wolfSSL | 15:117db924cf7c | 1048 | /* The length of the label to use when deriving IVs. */ |
wolfSSL | 15:117db924cf7c | 1049 | #define WRITE_IV_LABEL_SZ 2 |
wolfSSL | 15:117db924cf7c | 1050 | /* The label to use when deriving keys. */ |
wolfSSL | 15:117db924cf7c | 1051 | static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key"; |
wolfSSL | 15:117db924cf7c | 1052 | /* The label to use when deriving IVs. */ |
wolfSSL | 15:117db924cf7c | 1053 | static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1] = "iv"; |
wolfSSL | 15:117db924cf7c | 1054 | |
wolfSSL | 15:117db924cf7c | 1055 | /* Derive the keys and IVs for TLS v1.3. |
wolfSSL | 15:117db924cf7c | 1056 | * |
wolfSSL | 15:117db924cf7c | 1057 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1058 | * sercret early_data_key when deriving the key and IV for encrypting early |
wolfSSL | 15:117db924cf7c | 1059 | * data application data and end_of_early_data messages. |
wolfSSL | 15:117db924cf7c | 1060 | * handshake_key when deriving keys and IVs for encrypting handshake |
wolfSSL | 15:117db924cf7c | 1061 | * messages. |
wolfSSL | 15:117db924cf7c | 1062 | * traffic_key when deriving first keys and IVs for encrypting |
wolfSSL | 15:117db924cf7c | 1063 | * traffic messages. |
wolfSSL | 15:117db924cf7c | 1064 | * update_traffic_key when deriving next keys and IVs for encrypting |
wolfSSL | 15:117db924cf7c | 1065 | * traffic messages. |
wolfSSL | 15:117db924cf7c | 1066 | * side ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived. |
wolfSSL | 15:117db924cf7c | 1067 | * DECRYPT_SIDE_ONLY when only decryption secret needs to be derived. |
wolfSSL | 15:117db924cf7c | 1068 | * ENCRYPT_AND_DECRYPT_SIDE when both secret needs to be derived. |
wolfSSL | 15:117db924cf7c | 1069 | * store 1 indicates to derive the keys and IVs from derived secret and |
wolfSSL | 15:117db924cf7c | 1070 | * store ready for provisioning. |
wolfSSL | 15:117db924cf7c | 1071 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1072 | */ |
wolfSSL | 15:117db924cf7c | 1073 | static int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store) |
wolfSSL | 15:117db924cf7c | 1074 | { |
wolfSSL | 15:117db924cf7c | 1075 | int ret = BAD_FUNC_ARG; /* Assume failure */ |
wolfSSL | 15:117db924cf7c | 1076 | int i = 0; |
wolfSSL | 15:117db924cf7c | 1077 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 1078 | byte* key_dig; |
wolfSSL | 15:117db924cf7c | 1079 | #else |
wolfSSL | 15:117db924cf7c | 1080 | byte key_dig[MAX_PRF_DIG]; |
wolfSSL | 15:117db924cf7c | 1081 | #endif |
wolfSSL | 15:117db924cf7c | 1082 | int provision; |
wolfSSL | 15:117db924cf7c | 1083 | |
wolfSSL | 15:117db924cf7c | 1084 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 1085 | key_dig = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST); |
wolfSSL | 15:117db924cf7c | 1086 | if (key_dig == NULL) |
wolfSSL | 15:117db924cf7c | 1087 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 1088 | #endif |
wolfSSL | 15:117db924cf7c | 1089 | |
wolfSSL | 15:117db924cf7c | 1090 | if (side == ENCRYPT_AND_DECRYPT_SIDE) { |
wolfSSL | 15:117db924cf7c | 1091 | provision = PROVISION_CLIENT_SERVER; |
wolfSSL | 15:117db924cf7c | 1092 | } |
wolfSSL | 15:117db924cf7c | 1093 | else { |
wolfSSL | 15:117db924cf7c | 1094 | provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^ |
wolfSSL | 15:117db924cf7c | 1095 | (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT : |
wolfSSL | 15:117db924cf7c | 1096 | PROVISION_SERVER; |
wolfSSL | 15:117db924cf7c | 1097 | } |
wolfSSL | 15:117db924cf7c | 1098 | |
wolfSSL | 15:117db924cf7c | 1099 | /* Derive the appropriate secret to use in the HKDF. */ |
wolfSSL | 15:117db924cf7c | 1100 | switch (secret) { |
wolfSSL | 15:117db924cf7c | 1101 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 1102 | case early_data_key: |
wolfSSL | 16:8e0d178b1d1e | 1103 | ret = DeriveEarlyTrafficSecret(ssl, ssl->clientSecret); |
wolfSSL | 15:117db924cf7c | 1104 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1105 | goto end; |
wolfSSL | 15:117db924cf7c | 1106 | break; |
wolfSSL | 15:117db924cf7c | 1107 | #endif |
wolfSSL | 15:117db924cf7c | 1108 | |
wolfSSL | 15:117db924cf7c | 1109 | case handshake_key: |
wolfSSL | 15:117db924cf7c | 1110 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 15:117db924cf7c | 1111 | ret = DeriveClientHandshakeSecret(ssl, |
wolfSSL | 16:8e0d178b1d1e | 1112 | ssl->clientSecret); |
wolfSSL | 15:117db924cf7c | 1113 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1114 | goto end; |
wolfSSL | 15:117db924cf7c | 1115 | } |
wolfSSL | 15:117db924cf7c | 1116 | if (provision & PROVISION_SERVER) { |
wolfSSL | 15:117db924cf7c | 1117 | ret = DeriveServerHandshakeSecret(ssl, |
wolfSSL | 16:8e0d178b1d1e | 1118 | ssl->serverSecret); |
wolfSSL | 15:117db924cf7c | 1119 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1120 | goto end; |
wolfSSL | 15:117db924cf7c | 1121 | } |
wolfSSL | 15:117db924cf7c | 1122 | break; |
wolfSSL | 15:117db924cf7c | 1123 | |
wolfSSL | 15:117db924cf7c | 1124 | case traffic_key: |
wolfSSL | 15:117db924cf7c | 1125 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 16:8e0d178b1d1e | 1126 | ret = DeriveClientTrafficSecret(ssl, ssl->clientSecret); |
wolfSSL | 15:117db924cf7c | 1127 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1128 | goto end; |
wolfSSL | 15:117db924cf7c | 1129 | } |
wolfSSL | 15:117db924cf7c | 1130 | if (provision & PROVISION_SERVER) { |
wolfSSL | 16:8e0d178b1d1e | 1131 | ret = DeriveServerTrafficSecret(ssl, ssl->serverSecret); |
wolfSSL | 15:117db924cf7c | 1132 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1133 | goto end; |
wolfSSL | 15:117db924cf7c | 1134 | } |
wolfSSL | 15:117db924cf7c | 1135 | break; |
wolfSSL | 15:117db924cf7c | 1136 | |
wolfSSL | 15:117db924cf7c | 1137 | case update_traffic_key: |
wolfSSL | 15:117db924cf7c | 1138 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 16:8e0d178b1d1e | 1139 | ret = DeriveTrafficSecret(ssl, ssl->clientSecret); |
wolfSSL | 15:117db924cf7c | 1140 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1141 | goto end; |
wolfSSL | 15:117db924cf7c | 1142 | } |
wolfSSL | 15:117db924cf7c | 1143 | if (provision & PROVISION_SERVER) { |
wolfSSL | 16:8e0d178b1d1e | 1144 | ret = DeriveTrafficSecret(ssl, ssl->serverSecret); |
wolfSSL | 15:117db924cf7c | 1145 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1146 | goto end; |
wolfSSL | 15:117db924cf7c | 1147 | } |
wolfSSL | 15:117db924cf7c | 1148 | break; |
wolfSSL | 15:117db924cf7c | 1149 | } |
wolfSSL | 15:117db924cf7c | 1150 | |
wolfSSL | 15:117db924cf7c | 1151 | if (!store) |
wolfSSL | 15:117db924cf7c | 1152 | goto end; |
wolfSSL | 15:117db924cf7c | 1153 | |
wolfSSL | 15:117db924cf7c | 1154 | /* Key data = client key | server key | client IV | server IV */ |
wolfSSL | 15:117db924cf7c | 1155 | |
wolfSSL | 15:117db924cf7c | 1156 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 15:117db924cf7c | 1157 | /* Derive the client key. */ |
wolfSSL | 15:117db924cf7c | 1158 | WOLFSSL_MSG("Derive Client Key"); |
wolfSSL | 15:117db924cf7c | 1159 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size, |
wolfSSL | 16:8e0d178b1d1e | 1160 | ssl->clientSecret, writeKeyLabel, |
wolfSSL | 15:117db924cf7c | 1161 | WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 1162 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1163 | goto end; |
wolfSSL | 15:117db924cf7c | 1164 | i += ssl->specs.key_size; |
wolfSSL | 15:117db924cf7c | 1165 | } |
wolfSSL | 15:117db924cf7c | 1166 | |
wolfSSL | 15:117db924cf7c | 1167 | if (provision & PROVISION_SERVER) { |
wolfSSL | 15:117db924cf7c | 1168 | /* Derive the server key. */ |
wolfSSL | 15:117db924cf7c | 1169 | WOLFSSL_MSG("Derive Server Key"); |
wolfSSL | 15:117db924cf7c | 1170 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size, |
wolfSSL | 16:8e0d178b1d1e | 1171 | ssl->serverSecret, writeKeyLabel, |
wolfSSL | 15:117db924cf7c | 1172 | WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 1173 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1174 | goto end; |
wolfSSL | 15:117db924cf7c | 1175 | i += ssl->specs.key_size; |
wolfSSL | 15:117db924cf7c | 1176 | } |
wolfSSL | 15:117db924cf7c | 1177 | |
wolfSSL | 15:117db924cf7c | 1178 | if (provision & PROVISION_CLIENT) { |
wolfSSL | 15:117db924cf7c | 1179 | /* Derive the client IV. */ |
wolfSSL | 15:117db924cf7c | 1180 | WOLFSSL_MSG("Derive Client IV"); |
wolfSSL | 15:117db924cf7c | 1181 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size, |
wolfSSL | 16:8e0d178b1d1e | 1182 | ssl->clientSecret, writeIVLabel, |
wolfSSL | 15:117db924cf7c | 1183 | WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 1184 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1185 | goto end; |
wolfSSL | 15:117db924cf7c | 1186 | i += ssl->specs.iv_size; |
wolfSSL | 15:117db924cf7c | 1187 | } |
wolfSSL | 15:117db924cf7c | 1188 | |
wolfSSL | 15:117db924cf7c | 1189 | if (provision & PROVISION_SERVER) { |
wolfSSL | 15:117db924cf7c | 1190 | /* Derive the server IV. */ |
wolfSSL | 15:117db924cf7c | 1191 | WOLFSSL_MSG("Derive Server IV"); |
wolfSSL | 15:117db924cf7c | 1192 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size, |
wolfSSL | 16:8e0d178b1d1e | 1193 | ssl->serverSecret, writeIVLabel, |
wolfSSL | 15:117db924cf7c | 1194 | WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0); |
wolfSSL | 15:117db924cf7c | 1195 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1196 | goto end; |
wolfSSL | 15:117db924cf7c | 1197 | } |
wolfSSL | 15:117db924cf7c | 1198 | |
wolfSSL | 15:117db924cf7c | 1199 | /* Store keys and IVs but don't activate them. */ |
wolfSSL | 15:117db924cf7c | 1200 | ret = StoreKeys(ssl, key_dig, provision); |
wolfSSL | 15:117db924cf7c | 1201 | |
wolfSSL | 15:117db924cf7c | 1202 | end: |
wolfSSL | 15:117db924cf7c | 1203 | #ifdef WOLFSSL_SMALL_STACK |
wolfSSL | 15:117db924cf7c | 1204 | XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST); |
wolfSSL | 15:117db924cf7c | 1205 | #endif |
wolfSSL | 15:117db924cf7c | 1206 | |
wolfSSL | 15:117db924cf7c | 1207 | return ret; |
wolfSSL | 15:117db924cf7c | 1208 | } |
wolfSSL | 15:117db924cf7c | 1209 | |
wolfSSL | 15:117db924cf7c | 1210 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 1211 | #if defined(USER_TICKS) |
wolfSSL | 15:117db924cf7c | 1212 | #if 0 |
wolfSSL | 15:117db924cf7c | 1213 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1214 | { |
wolfSSL | 15:117db924cf7c | 1215 | /* |
wolfSSL | 15:117db924cf7c | 1216 | write your own clock tick function if don't want gettimeofday() |
wolfSSL | 15:117db924cf7c | 1217 | needs millisecond accuracy but doesn't have to correlated to EPOCH |
wolfSSL | 15:117db924cf7c | 1218 | */ |
wolfSSL | 15:117db924cf7c | 1219 | } |
wolfSSL | 15:117db924cf7c | 1220 | #endif |
wolfSSL | 15:117db924cf7c | 1221 | |
wolfSSL | 15:117db924cf7c | 1222 | #elif defined(TIME_OVERRIDES) |
wolfSSL | 15:117db924cf7c | 1223 | #ifndef HAVE_TIME_T_TYPE |
wolfSSL | 15:117db924cf7c | 1224 | typedef long time_t; |
wolfSSL | 15:117db924cf7c | 1225 | #endif |
wolfSSL | 15:117db924cf7c | 1226 | extern time_t XTIME(time_t * timer); |
wolfSSL | 15:117db924cf7c | 1227 | |
wolfSSL | 15:117db924cf7c | 1228 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1229 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1230 | * sending. |
wolfSSL | 15:117db924cf7c | 1231 | * |
wolfSSL | 15:117db924cf7c | 1232 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1233 | */ |
wolfSSL | 15:117db924cf7c | 1234 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1235 | { |
wolfSSL | 15:117db924cf7c | 1236 | return (word32) XTIME(0) * 1000; |
wolfSSL | 15:117db924cf7c | 1237 | } |
wolfSSL | 16:8e0d178b1d1e | 1238 | |
wolfSSL | 16:8e0d178b1d1e | 1239 | #elif defined(XTIME_MS) |
wolfSSL | 16:8e0d178b1d1e | 1240 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 16:8e0d178b1d1e | 1241 | { |
wolfSSL | 16:8e0d178b1d1e | 1242 | return (word32)XTIME_MS(0); |
wolfSSL | 16:8e0d178b1d1e | 1243 | } |
wolfSSL | 16:8e0d178b1d1e | 1244 | |
wolfSSL | 15:117db924cf7c | 1245 | #elif defined(USE_WINDOWS_API) |
wolfSSL | 15:117db924cf7c | 1246 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1247 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1248 | * sending. |
wolfSSL | 15:117db924cf7c | 1249 | * |
wolfSSL | 15:117db924cf7c | 1250 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1251 | */ |
wolfSSL | 15:117db924cf7c | 1252 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1253 | { |
wolfSSL | 15:117db924cf7c | 1254 | static int init = 0; |
wolfSSL | 15:117db924cf7c | 1255 | static LARGE_INTEGER freq; |
wolfSSL | 15:117db924cf7c | 1256 | LARGE_INTEGER count; |
wolfSSL | 15:117db924cf7c | 1257 | |
wolfSSL | 15:117db924cf7c | 1258 | if (!init) { |
wolfSSL | 15:117db924cf7c | 1259 | QueryPerformanceFrequency(&freq); |
wolfSSL | 15:117db924cf7c | 1260 | init = 1; |
wolfSSL | 15:117db924cf7c | 1261 | } |
wolfSSL | 15:117db924cf7c | 1262 | |
wolfSSL | 15:117db924cf7c | 1263 | QueryPerformanceCounter(&count); |
wolfSSL | 15:117db924cf7c | 1264 | |
wolfSSL | 15:117db924cf7c | 1265 | return (word32)(count.QuadPart / (freq.QuadPart / 1000)); |
wolfSSL | 15:117db924cf7c | 1266 | } |
wolfSSL | 15:117db924cf7c | 1267 | |
wolfSSL | 15:117db924cf7c | 1268 | #elif defined(HAVE_RTP_SYS) |
wolfSSL | 15:117db924cf7c | 1269 | #include "rtptime.h" |
wolfSSL | 15:117db924cf7c | 1270 | |
wolfSSL | 15:117db924cf7c | 1271 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1272 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1273 | * sending. |
wolfSSL | 15:117db924cf7c | 1274 | * |
wolfSSL | 15:117db924cf7c | 1275 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1276 | */ |
wolfSSL | 15:117db924cf7c | 1277 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1278 | { |
wolfSSL | 15:117db924cf7c | 1279 | return (word32)rtp_get_system_sec() * 1000; |
wolfSSL | 15:117db924cf7c | 1280 | } |
wolfSSL | 16:8e0d178b1d1e | 1281 | #elif defined(WOLFSSL_DEOS) |
wolfSSL | 16:8e0d178b1d1e | 1282 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 16:8e0d178b1d1e | 1283 | { |
wolfSSL | 16:8e0d178b1d1e | 1284 | const uint32_t systemTickTimeInHz = 1000000 / systemTickInMicroseconds(); |
wolfSSL | 16:8e0d178b1d1e | 1285 | uint32_t *systemTickPtr = systemTickPointer(); |
wolfSSL | 16:8e0d178b1d1e | 1286 | |
wolfSSL | 16:8e0d178b1d1e | 1287 | return (word32) (*systemTickPtr/systemTickTimeInHz) * 1000; |
wolfSSL | 16:8e0d178b1d1e | 1288 | } |
wolfSSL | 15:117db924cf7c | 1289 | #elif defined(MICRIUM) |
wolfSSL | 15:117db924cf7c | 1290 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1291 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1292 | * sending. |
wolfSSL | 15:117db924cf7c | 1293 | * |
wolfSSL | 15:117db924cf7c | 1294 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1295 | */ |
wolfSSL | 15:117db924cf7c | 1296 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1297 | { |
wolfSSL | 15:117db924cf7c | 1298 | OS_TICK ticks = 0; |
wolfSSL | 15:117db924cf7c | 1299 | OS_ERR err; |
wolfSSL | 15:117db924cf7c | 1300 | |
wolfSSL | 15:117db924cf7c | 1301 | ticks = OSTimeGet(&err); |
wolfSSL | 15:117db924cf7c | 1302 | |
wolfSSL | 15:117db924cf7c | 1303 | return (word32) (ticks / OSCfg_TickRate_Hz) * 1000; |
wolfSSL | 15:117db924cf7c | 1304 | } |
wolfSSL | 15:117db924cf7c | 1305 | #elif defined(MICROCHIP_TCPIP_V5) |
wolfSSL | 15:117db924cf7c | 1306 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1307 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1308 | * sending. |
wolfSSL | 15:117db924cf7c | 1309 | * |
wolfSSL | 15:117db924cf7c | 1310 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1311 | */ |
wolfSSL | 15:117db924cf7c | 1312 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1313 | { |
wolfSSL | 15:117db924cf7c | 1314 | return (word32) (TickGet() / (TICKS_PER_SECOND / 1000)); |
wolfSSL | 15:117db924cf7c | 1315 | } |
wolfSSL | 15:117db924cf7c | 1316 | #elif defined(MICROCHIP_TCPIP) |
wolfSSL | 15:117db924cf7c | 1317 | #if defined(MICROCHIP_MPLAB_HARMONY) |
wolfSSL | 15:117db924cf7c | 1318 | #include <system/tmr/sys_tmr.h> |
wolfSSL | 15:117db924cf7c | 1319 | |
wolfSSL | 15:117db924cf7c | 1320 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1321 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1322 | * sending. |
wolfSSL | 15:117db924cf7c | 1323 | * |
wolfSSL | 15:117db924cf7c | 1324 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1325 | */ |
wolfSSL | 15:117db924cf7c | 1326 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1327 | { |
wolfSSL | 15:117db924cf7c | 1328 | return (word32)(SYS_TMR_TickCountGet() / |
wolfSSL | 15:117db924cf7c | 1329 | (SYS_TMR_TickCounterFrequencyGet() / 1000)); |
wolfSSL | 15:117db924cf7c | 1330 | } |
wolfSSL | 15:117db924cf7c | 1331 | #else |
wolfSSL | 15:117db924cf7c | 1332 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1333 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1334 | * sending. |
wolfSSL | 15:117db924cf7c | 1335 | * |
wolfSSL | 15:117db924cf7c | 1336 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1337 | */ |
wolfSSL | 15:117db924cf7c | 1338 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1339 | { |
wolfSSL | 15:117db924cf7c | 1340 | return (word32)(SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000)); |
wolfSSL | 15:117db924cf7c | 1341 | } |
wolfSSL | 15:117db924cf7c | 1342 | |
wolfSSL | 15:117db924cf7c | 1343 | #endif |
wolfSSL | 15:117db924cf7c | 1344 | |
wolfSSL | 15:117db924cf7c | 1345 | #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
wolfSSL | 15:117db924cf7c | 1346 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1347 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1348 | * sending. |
wolfSSL | 15:117db924cf7c | 1349 | * |
wolfSSL | 15:117db924cf7c | 1350 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1351 | */ |
wolfSSL | 15:117db924cf7c | 1352 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1353 | { |
wolfSSL | 15:117db924cf7c | 1354 | TIME_STRUCT mqxTime; |
wolfSSL | 15:117db924cf7c | 1355 | |
wolfSSL | 15:117db924cf7c | 1356 | _time_get_elapsed(&mqxTime); |
wolfSSL | 15:117db924cf7c | 1357 | |
wolfSSL | 15:117db924cf7c | 1358 | return (word32) mqxTime.SECONDS * 1000; |
wolfSSL | 15:117db924cf7c | 1359 | } |
wolfSSL | 15:117db924cf7c | 1360 | #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS) |
wolfSSL | 15:117db924cf7c | 1361 | #include "include/task.h" |
wolfSSL | 15:117db924cf7c | 1362 | |
wolfSSL | 15:117db924cf7c | 1363 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1364 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1365 | * sending. |
wolfSSL | 15:117db924cf7c | 1366 | * |
wolfSSL | 15:117db924cf7c | 1367 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1368 | */ |
wolfSSL | 15:117db924cf7c | 1369 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1370 | { |
wolfSSL | 15:117db924cf7c | 1371 | return (unsigned int)(((float)xTaskGetTickCount()) / |
wolfSSL | 15:117db924cf7c | 1372 | (configTICK_RATE_HZ / 1000)); |
wolfSSL | 15:117db924cf7c | 1373 | } |
wolfSSL | 15:117db924cf7c | 1374 | #elif defined(FREESCALE_KSDK_BM) |
wolfSSL | 15:117db924cf7c | 1375 | #include "lwip/sys.h" /* lwIP */ |
wolfSSL | 15:117db924cf7c | 1376 | |
wolfSSL | 15:117db924cf7c | 1377 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1378 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1379 | * sending. |
wolfSSL | 15:117db924cf7c | 1380 | * |
wolfSSL | 15:117db924cf7c | 1381 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1382 | */ |
wolfSSL | 15:117db924cf7c | 1383 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1384 | { |
wolfSSL | 15:117db924cf7c | 1385 | return sys_now(); |
wolfSSL | 15:117db924cf7c | 1386 | } |
wolfSSL | 15:117db924cf7c | 1387 | #elif defined(WOLFSSL_TIRTOS) |
wolfSSL | 15:117db924cf7c | 1388 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1389 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1390 | * sending. |
wolfSSL | 15:117db924cf7c | 1391 | * |
wolfSSL | 15:117db924cf7c | 1392 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1393 | */ |
wolfSSL | 15:117db924cf7c | 1394 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1395 | { |
wolfSSL | 15:117db924cf7c | 1396 | return (word32) Seconds_get() * 1000; |
wolfSSL | 15:117db924cf7c | 1397 | } |
wolfSSL | 15:117db924cf7c | 1398 | #elif defined(WOLFSSL_UTASKER) |
wolfSSL | 15:117db924cf7c | 1399 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1400 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1401 | * sending. |
wolfSSL | 15:117db924cf7c | 1402 | * |
wolfSSL | 15:117db924cf7c | 1403 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1404 | */ |
wolfSSL | 15:117db924cf7c | 1405 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1406 | { |
wolfSSL | 15:117db924cf7c | 1407 | return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000)); |
wolfSSL | 15:117db924cf7c | 1408 | } |
wolfSSL | 15:117db924cf7c | 1409 | #else |
wolfSSL | 15:117db924cf7c | 1410 | /* The time in milliseconds. |
wolfSSL | 15:117db924cf7c | 1411 | * Used for tickets to represent difference between when first seen and when |
wolfSSL | 15:117db924cf7c | 1412 | * sending. |
wolfSSL | 15:117db924cf7c | 1413 | * |
wolfSSL | 15:117db924cf7c | 1414 | * returns the time in milliseconds as a 32-bit value. |
wolfSSL | 15:117db924cf7c | 1415 | */ |
wolfSSL | 15:117db924cf7c | 1416 | word32 TimeNowInMilliseconds(void) |
wolfSSL | 15:117db924cf7c | 1417 | { |
wolfSSL | 15:117db924cf7c | 1418 | struct timeval now; |
wolfSSL | 15:117db924cf7c | 1419 | |
wolfSSL | 15:117db924cf7c | 1420 | if (gettimeofday(&now, 0) < 0) |
wolfSSL | 15:117db924cf7c | 1421 | return GETTIME_ERROR; |
wolfSSL | 15:117db924cf7c | 1422 | /* Convert to milliseconds number. */ |
wolfSSL | 15:117db924cf7c | 1423 | return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000); |
wolfSSL | 15:117db924cf7c | 1424 | } |
wolfSSL | 15:117db924cf7c | 1425 | #endif |
wolfSSL | 15:117db924cf7c | 1426 | #endif /* HAVE_SESSION_TICKET || !NO_PSK */ |
wolfSSL | 15:117db924cf7c | 1427 | |
wolfSSL | 15:117db924cf7c | 1428 | |
wolfSSL | 15:117db924cf7c | 1429 | #if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_SESSION_TICKET) || \ |
wolfSSL | 15:117db924cf7c | 1430 | !defined(NO_PSK)) |
wolfSSL | 15:117db924cf7c | 1431 | /* Add input to all handshake hashes. |
wolfSSL | 15:117db924cf7c | 1432 | * |
wolfSSL | 15:117db924cf7c | 1433 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1434 | * input The data to hash. |
wolfSSL | 15:117db924cf7c | 1435 | * sz The size of the data to hash. |
wolfSSL | 15:117db924cf7c | 1436 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1437 | */ |
wolfSSL | 15:117db924cf7c | 1438 | static int HashInputRaw(WOLFSSL* ssl, const byte* input, int sz) |
wolfSSL | 15:117db924cf7c | 1439 | { |
wolfSSL | 15:117db924cf7c | 1440 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 1441 | |
wolfSSL | 15:117db924cf7c | 1442 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 1443 | ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, input, sz); |
wolfSSL | 15:117db924cf7c | 1444 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1445 | return ret; |
wolfSSL | 15:117db924cf7c | 1446 | #endif |
wolfSSL | 15:117db924cf7c | 1447 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 1448 | ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, input, sz); |
wolfSSL | 15:117db924cf7c | 1449 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1450 | return ret; |
wolfSSL | 15:117db924cf7c | 1451 | #endif |
wolfSSL | 15:117db924cf7c | 1452 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 1453 | ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, input, sz); |
wolfSSL | 15:117db924cf7c | 1454 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1455 | return ret; |
wolfSSL | 15:117db924cf7c | 1456 | #endif |
wolfSSL | 15:117db924cf7c | 1457 | |
wolfSSL | 15:117db924cf7c | 1458 | return ret; |
wolfSSL | 15:117db924cf7c | 1459 | } |
wolfSSL | 15:117db924cf7c | 1460 | #endif |
wolfSSL | 15:117db924cf7c | 1461 | |
wolfSSL | 15:117db924cf7c | 1462 | /* Extract the handshake header information. |
wolfSSL | 15:117db924cf7c | 1463 | * |
wolfSSL | 15:117db924cf7c | 1464 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1465 | * input The buffer holding the message data. |
wolfSSL | 15:117db924cf7c | 1466 | * inOutIdx On entry, the index into the buffer of the handshake data. |
wolfSSL | 16:8e0d178b1d1e | 1467 | * On exit, the start of the handshake data. |
wolfSSL | 15:117db924cf7c | 1468 | * type Type of handshake message. |
wolfSSL | 15:117db924cf7c | 1469 | * size The length of the handshake message data. |
wolfSSL | 15:117db924cf7c | 1470 | * totalSz The total size of data in the buffer. |
wolfSSL | 15:117db924cf7c | 1471 | * returns BUFFER_E if there is not enough input data and 0 on success. |
wolfSSL | 15:117db924cf7c | 1472 | */ |
wolfSSL | 15:117db924cf7c | 1473 | static int GetHandshakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 1474 | byte* type, word32* size, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 1475 | { |
wolfSSL | 15:117db924cf7c | 1476 | const byte* ptr = input + *inOutIdx; |
wolfSSL | 15:117db924cf7c | 1477 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 1478 | |
wolfSSL | 15:117db924cf7c | 1479 | *inOutIdx += HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1480 | if (*inOutIdx > totalSz) |
wolfSSL | 15:117db924cf7c | 1481 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 1482 | |
wolfSSL | 15:117db924cf7c | 1483 | *type = ptr[0]; |
wolfSSL | 15:117db924cf7c | 1484 | c24to32(&ptr[1], size); |
wolfSSL | 15:117db924cf7c | 1485 | |
wolfSSL | 15:117db924cf7c | 1486 | return 0; |
wolfSSL | 15:117db924cf7c | 1487 | } |
wolfSSL | 15:117db924cf7c | 1488 | |
wolfSSL | 15:117db924cf7c | 1489 | /* Add record layer header to message. |
wolfSSL | 15:117db924cf7c | 1490 | * |
wolfSSL | 15:117db924cf7c | 1491 | * output The buffer to write the record layer header into. |
wolfSSL | 15:117db924cf7c | 1492 | * length The length of the record data. |
wolfSSL | 15:117db924cf7c | 1493 | * type The type of record message. |
wolfSSL | 15:117db924cf7c | 1494 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1495 | */ |
wolfSSL | 15:117db924cf7c | 1496 | static void AddTls13RecordHeader(byte* output, word32 length, byte type, |
wolfSSL | 15:117db924cf7c | 1497 | WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 1498 | { |
wolfSSL | 15:117db924cf7c | 1499 | RecordLayerHeader* rl; |
wolfSSL | 15:117db924cf7c | 1500 | |
wolfSSL | 15:117db924cf7c | 1501 | rl = (RecordLayerHeader*)output; |
wolfSSL | 15:117db924cf7c | 1502 | rl->type = type; |
wolfSSL | 15:117db924cf7c | 1503 | rl->pvMajor = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 1504 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 1505 | rl->pvMinor = TLSv1_MINOR; |
wolfSSL | 15:117db924cf7c | 1506 | #else |
wolfSSL | 16:8e0d178b1d1e | 1507 | /* NOTE: May be TLSv1_MINOR when sending first ClientHello. */ |
wolfSSL | 15:117db924cf7c | 1508 | rl->pvMinor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 1509 | #endif |
wolfSSL | 15:117db924cf7c | 1510 | c16toa((word16)length, rl->length); |
wolfSSL | 15:117db924cf7c | 1511 | } |
wolfSSL | 15:117db924cf7c | 1512 | |
wolfSSL | 15:117db924cf7c | 1513 | /* Add handshake header to message. |
wolfSSL | 15:117db924cf7c | 1514 | * |
wolfSSL | 16:8e0d178b1d1e | 1515 | * output The buffer to write the handshake header into. |
wolfSSL | 15:117db924cf7c | 1516 | * length The length of the handshake data. |
wolfSSL | 15:117db924cf7c | 1517 | * fragOffset The offset of the fragment data. (DTLS) |
wolfSSL | 15:117db924cf7c | 1518 | * fragLength The length of the fragment data. (DTLS) |
wolfSSL | 15:117db924cf7c | 1519 | * type The type of handshake message. |
wolfSSL | 15:117db924cf7c | 1520 | * ssl The SSL/TLS object. (DTLS) |
wolfSSL | 15:117db924cf7c | 1521 | */ |
wolfSSL | 15:117db924cf7c | 1522 | static void AddTls13HandShakeHeader(byte* output, word32 length, |
wolfSSL | 15:117db924cf7c | 1523 | word32 fragOffset, word32 fragLength, |
wolfSSL | 15:117db924cf7c | 1524 | byte type, WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 1525 | { |
wolfSSL | 15:117db924cf7c | 1526 | HandShakeHeader* hs; |
wolfSSL | 15:117db924cf7c | 1527 | (void)fragOffset; |
wolfSSL | 15:117db924cf7c | 1528 | (void)fragLength; |
wolfSSL | 15:117db924cf7c | 1529 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 1530 | |
wolfSSL | 15:117db924cf7c | 1531 | /* handshake header */ |
wolfSSL | 15:117db924cf7c | 1532 | hs = (HandShakeHeader*)output; |
wolfSSL | 15:117db924cf7c | 1533 | hs->type = type; |
wolfSSL | 15:117db924cf7c | 1534 | c32to24(length, hs->length); |
wolfSSL | 15:117db924cf7c | 1535 | } |
wolfSSL | 15:117db924cf7c | 1536 | |
wolfSSL | 15:117db924cf7c | 1537 | |
wolfSSL | 15:117db924cf7c | 1538 | /* Add both record layer and handshake header to message. |
wolfSSL | 15:117db924cf7c | 1539 | * |
wolfSSL | 15:117db924cf7c | 1540 | * output The buffer to write the headers into. |
wolfSSL | 15:117db924cf7c | 1541 | * length The length of the handshake data. |
wolfSSL | 15:117db924cf7c | 1542 | * type The type of record layer message. |
wolfSSL | 15:117db924cf7c | 1543 | * ssl The SSL/TLS object. (DTLS) |
wolfSSL | 15:117db924cf7c | 1544 | */ |
wolfSSL | 15:117db924cf7c | 1545 | static void AddTls13Headers(byte* output, word32 length, byte type, |
wolfSSL | 15:117db924cf7c | 1546 | WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 1547 | { |
wolfSSL | 15:117db924cf7c | 1548 | word32 lengthAdj = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1549 | word32 outputAdj = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1550 | |
wolfSSL | 15:117db924cf7c | 1551 | AddTls13RecordHeader(output, length + lengthAdj, handshake, ssl); |
wolfSSL | 15:117db924cf7c | 1552 | AddTls13HandShakeHeader(output + outputAdj, length, 0, length, type, ssl); |
wolfSSL | 15:117db924cf7c | 1553 | } |
wolfSSL | 15:117db924cf7c | 1554 | |
wolfSSL | 15:117db924cf7c | 1555 | |
wolfSSL | 15:117db924cf7c | 1556 | #ifndef NO_CERTS |
wolfSSL | 16:8e0d178b1d1e | 1557 | /* Add both record layer and fragment handshake header to message. |
wolfSSL | 15:117db924cf7c | 1558 | * |
wolfSSL | 15:117db924cf7c | 1559 | * output The buffer to write the headers into. |
wolfSSL | 15:117db924cf7c | 1560 | * fragOffset The offset of the fragment data. (DTLS) |
wolfSSL | 15:117db924cf7c | 1561 | * fragLength The length of the fragment data. (DTLS) |
wolfSSL | 15:117db924cf7c | 1562 | * length The length of the handshake data. |
wolfSSL | 15:117db924cf7c | 1563 | * type The type of record layer message. |
wolfSSL | 15:117db924cf7c | 1564 | * ssl The SSL/TLS object. (DTLS) |
wolfSSL | 15:117db924cf7c | 1565 | */ |
wolfSSL | 15:117db924cf7c | 1566 | static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset, |
wolfSSL | 15:117db924cf7c | 1567 | word32 length, byte type, WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 1568 | { |
wolfSSL | 15:117db924cf7c | 1569 | word32 lengthAdj = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1570 | word32 outputAdj = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 1571 | (void)fragSz; |
wolfSSL | 15:117db924cf7c | 1572 | |
wolfSSL | 15:117db924cf7c | 1573 | AddTls13RecordHeader(output, fragSz + lengthAdj, handshake, ssl); |
wolfSSL | 15:117db924cf7c | 1574 | AddTls13HandShakeHeader(output + outputAdj, length, fragOffset, fragSz, |
wolfSSL | 15:117db924cf7c | 1575 | type, ssl); |
wolfSSL | 15:117db924cf7c | 1576 | } |
wolfSSL | 15:117db924cf7c | 1577 | #endif /* NO_CERTS */ |
wolfSSL | 15:117db924cf7c | 1578 | |
wolfSSL | 15:117db924cf7c | 1579 | /* Write the sequence number into the buffer. |
wolfSSL | 15:117db924cf7c | 1580 | * No DTLS v1.3 support. |
wolfSSL | 15:117db924cf7c | 1581 | * |
wolfSSL | 15:117db924cf7c | 1582 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1583 | * verifyOrder Which set of sequence numbers to use. |
wolfSSL | 15:117db924cf7c | 1584 | * out The buffer to write into. |
wolfSSL | 15:117db924cf7c | 1585 | */ |
wolfSSL | 15:117db924cf7c | 1586 | static WC_INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out) |
wolfSSL | 15:117db924cf7c | 1587 | { |
wolfSSL | 15:117db924cf7c | 1588 | word32 seq[2] = {0, 0}; |
wolfSSL | 15:117db924cf7c | 1589 | |
wolfSSL | 15:117db924cf7c | 1590 | if (verifyOrder) { |
wolfSSL | 15:117db924cf7c | 1591 | seq[0] = ssl->keys.peer_sequence_number_hi; |
wolfSSL | 15:117db924cf7c | 1592 | seq[1] = ssl->keys.peer_sequence_number_lo++; |
wolfSSL | 15:117db924cf7c | 1593 | /* handle rollover */ |
wolfSSL | 15:117db924cf7c | 1594 | if (seq[1] > ssl->keys.peer_sequence_number_lo) |
wolfSSL | 15:117db924cf7c | 1595 | ssl->keys.peer_sequence_number_hi++; |
wolfSSL | 15:117db924cf7c | 1596 | } |
wolfSSL | 15:117db924cf7c | 1597 | else { |
wolfSSL | 15:117db924cf7c | 1598 | seq[0] = ssl->keys.sequence_number_hi; |
wolfSSL | 15:117db924cf7c | 1599 | seq[1] = ssl->keys.sequence_number_lo++; |
wolfSSL | 15:117db924cf7c | 1600 | /* handle rollover */ |
wolfSSL | 15:117db924cf7c | 1601 | if (seq[1] > ssl->keys.sequence_number_lo) |
wolfSSL | 15:117db924cf7c | 1602 | ssl->keys.sequence_number_hi++; |
wolfSSL | 15:117db924cf7c | 1603 | } |
wolfSSL | 15:117db924cf7c | 1604 | |
wolfSSL | 15:117db924cf7c | 1605 | c32toa(seq[0], out); |
wolfSSL | 15:117db924cf7c | 1606 | c32toa(seq[1], out + OPAQUE32_LEN); |
wolfSSL | 15:117db924cf7c | 1607 | } |
wolfSSL | 15:117db924cf7c | 1608 | |
wolfSSL | 15:117db924cf7c | 1609 | /* Build the nonce for TLS v1.3 encryption and decryption. |
wolfSSL | 15:117db924cf7c | 1610 | * |
wolfSSL | 15:117db924cf7c | 1611 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1612 | * nonce The nonce data to use when encrypting or decrypting. |
wolfSSL | 15:117db924cf7c | 1613 | * iv The derived IV. |
wolfSSL | 15:117db924cf7c | 1614 | * order The side on which the message is to be or was sent. |
wolfSSL | 15:117db924cf7c | 1615 | */ |
wolfSSL | 15:117db924cf7c | 1616 | static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv, |
wolfSSL | 15:117db924cf7c | 1617 | int order) |
wolfSSL | 15:117db924cf7c | 1618 | { |
wolfSSL | 15:117db924cf7c | 1619 | int i; |
wolfSSL | 15:117db924cf7c | 1620 | |
wolfSSL | 15:117db924cf7c | 1621 | /* The nonce is the IV with the sequence XORed into the last bytes. */ |
wolfSSL | 15:117db924cf7c | 1622 | WriteSEQ(ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ); |
wolfSSL | 15:117db924cf7c | 1623 | for (i = 0; i < AEAD_NONCE_SZ - SEQ_SZ; i++) |
wolfSSL | 15:117db924cf7c | 1624 | nonce[i] = iv[i]; |
wolfSSL | 15:117db924cf7c | 1625 | for (; i < AEAD_NONCE_SZ; i++) |
wolfSSL | 15:117db924cf7c | 1626 | nonce[i] ^= iv[i]; |
wolfSSL | 15:117db924cf7c | 1627 | } |
wolfSSL | 15:117db924cf7c | 1628 | |
wolfSSL | 15:117db924cf7c | 1629 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
wolfSSL | 15:117db924cf7c | 1630 | /* Encrypt with ChaCha20 and create authenication tag with Poly1305. |
wolfSSL | 15:117db924cf7c | 1631 | * |
wolfSSL | 15:117db924cf7c | 1632 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1633 | * output The buffer to write encrypted data and authentication tag into. |
wolfSSL | 15:117db924cf7c | 1634 | * May be the same pointer as input. |
wolfSSL | 15:117db924cf7c | 1635 | * input The data to encrypt. |
wolfSSL | 15:117db924cf7c | 1636 | * sz The number of bytes to encrypt. |
wolfSSL | 15:117db924cf7c | 1637 | * nonce The nonce to use with ChaCha20. |
wolfSSL | 15:117db924cf7c | 1638 | * aad The additional authentication data. |
wolfSSL | 15:117db924cf7c | 1639 | * aadSz The size of the addition authentication data. |
wolfSSL | 15:117db924cf7c | 1640 | * tag The authentication tag buffer. |
wolfSSL | 15:117db924cf7c | 1641 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1642 | */ |
wolfSSL | 15:117db924cf7c | 1643 | static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output, |
wolfSSL | 15:117db924cf7c | 1644 | const byte* input, word16 sz, byte* nonce, |
wolfSSL | 15:117db924cf7c | 1645 | const byte* aad, word16 aadSz, byte* tag) |
wolfSSL | 15:117db924cf7c | 1646 | { |
wolfSSL | 15:117db924cf7c | 1647 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 1648 | byte poly[CHACHA20_256_KEY_SIZE]; |
wolfSSL | 15:117db924cf7c | 1649 | |
wolfSSL | 15:117db924cf7c | 1650 | /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */ |
wolfSSL | 15:117db924cf7c | 1651 | XMEMSET(poly, 0, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1652 | |
wolfSSL | 15:117db924cf7c | 1653 | /* Set the nonce for ChaCha and get Poly1305 key. */ |
wolfSSL | 15:117db924cf7c | 1654 | ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0); |
wolfSSL | 15:117db924cf7c | 1655 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1656 | return ret; |
wolfSSL | 15:117db924cf7c | 1657 | /* Create Poly1305 key using ChaCha20 keystream. */ |
wolfSSL | 15:117db924cf7c | 1658 | ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1659 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1660 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 1661 | ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 1); |
wolfSSL | 16:8e0d178b1d1e | 1662 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 1663 | return ret; |
wolfSSL | 15:117db924cf7c | 1664 | /* Encrypt the plain text. */ |
wolfSSL | 15:117db924cf7c | 1665 | ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz); |
wolfSSL | 15:117db924cf7c | 1666 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 1667 | ForceZero(poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1668 | return ret; |
wolfSSL | 15:117db924cf7c | 1669 | } |
wolfSSL | 15:117db924cf7c | 1670 | |
wolfSSL | 15:117db924cf7c | 1671 | /* Set key for Poly1305. */ |
wolfSSL | 15:117db924cf7c | 1672 | ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1673 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ |
wolfSSL | 15:117db924cf7c | 1674 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1675 | return ret; |
wolfSSL | 15:117db924cf7c | 1676 | /* Add authentication code of encrypted data to end. */ |
wolfSSL | 15:117db924cf7c | 1677 | ret = wc_Poly1305_MAC(ssl->auth.poly1305, (byte*)aad, aadSz, output, sz, |
wolfSSL | 15:117db924cf7c | 1678 | tag, POLY1305_AUTH_SZ); |
wolfSSL | 15:117db924cf7c | 1679 | |
wolfSSL | 15:117db924cf7c | 1680 | return ret; |
wolfSSL | 15:117db924cf7c | 1681 | } |
wolfSSL | 15:117db924cf7c | 1682 | #endif |
wolfSSL | 15:117db924cf7c | 1683 | |
wolfSSL | 16:8e0d178b1d1e | 1684 | #ifdef HAVE_NULL_CIPHER |
wolfSSL | 16:8e0d178b1d1e | 1685 | /* Create authenication tag and copy data over input. |
wolfSSL | 16:8e0d178b1d1e | 1686 | * |
wolfSSL | 16:8e0d178b1d1e | 1687 | * ssl The SSL/TLS object. |
wolfSSL | 16:8e0d178b1d1e | 1688 | * output The buffer to copy data into. |
wolfSSL | 16:8e0d178b1d1e | 1689 | * May be the same pointer as input. |
wolfSSL | 16:8e0d178b1d1e | 1690 | * input The data. |
wolfSSL | 16:8e0d178b1d1e | 1691 | * sz The number of bytes of data. |
wolfSSL | 16:8e0d178b1d1e | 1692 | * nonce The nonce to use with authentication. |
wolfSSL | 16:8e0d178b1d1e | 1693 | * aad The additional authentication data. |
wolfSSL | 16:8e0d178b1d1e | 1694 | * aadSz The size of the addition authentication data. |
wolfSSL | 16:8e0d178b1d1e | 1695 | * tag The authentication tag buffer. |
wolfSSL | 16:8e0d178b1d1e | 1696 | * returns 0 on success, otherwise failure. |
wolfSSL | 16:8e0d178b1d1e | 1697 | */ |
wolfSSL | 16:8e0d178b1d1e | 1698 | static int Tls13IntegrityOnly_Encrypt(WOLFSSL* ssl, byte* output, |
wolfSSL | 16:8e0d178b1d1e | 1699 | const byte* input, word16 sz, |
wolfSSL | 16:8e0d178b1d1e | 1700 | const byte* nonce, |
wolfSSL | 16:8e0d178b1d1e | 1701 | const byte* aad, word16 aadSz, byte* tag) |
wolfSSL | 16:8e0d178b1d1e | 1702 | { |
wolfSSL | 16:8e0d178b1d1e | 1703 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 1704 | |
wolfSSL | 16:8e0d178b1d1e | 1705 | /* HMAC: nonce | aad | input */ |
wolfSSL | 16:8e0d178b1d1e | 1706 | ret = wc_HmacUpdate(ssl->encrypt.hmac, nonce, HMAC_NONCE_SZ); |
wolfSSL | 16:8e0d178b1d1e | 1707 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 1708 | ret = wc_HmacUpdate(ssl->encrypt.hmac, aad, aadSz); |
wolfSSL | 16:8e0d178b1d1e | 1709 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 1710 | ret = wc_HmacUpdate(ssl->encrypt.hmac, input, sz); |
wolfSSL | 16:8e0d178b1d1e | 1711 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 1712 | ret = wc_HmacFinal(ssl->encrypt.hmac, tag); |
wolfSSL | 16:8e0d178b1d1e | 1713 | /* Copy the input to output if not the same buffer */ |
wolfSSL | 16:8e0d178b1d1e | 1714 | if (ret == 0 && output != input) |
wolfSSL | 16:8e0d178b1d1e | 1715 | XMEMCPY(output, input, sz); |
wolfSSL | 16:8e0d178b1d1e | 1716 | |
wolfSSL | 16:8e0d178b1d1e | 1717 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 1718 | } |
wolfSSL | 16:8e0d178b1d1e | 1719 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1720 | |
wolfSSL | 15:117db924cf7c | 1721 | /* Encrypt data for TLS v1.3. |
wolfSSL | 15:117db924cf7c | 1722 | * |
wolfSSL | 15:117db924cf7c | 1723 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1724 | * output The buffer to write encrypted data and authentication tag into. |
wolfSSL | 15:117db924cf7c | 1725 | * May be the same pointer as input. |
wolfSSL | 15:117db924cf7c | 1726 | * input The record header and data to encrypt. |
wolfSSL | 15:117db924cf7c | 1727 | * sz The number of bytes to encrypt. |
wolfSSL | 15:117db924cf7c | 1728 | * aad The additional authentication data. |
wolfSSL | 15:117db924cf7c | 1729 | * aadSz The size of the addition authentication data. |
wolfSSL | 15:117db924cf7c | 1730 | * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto |
wolfSSL | 15:117db924cf7c | 1731 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1732 | */ |
wolfSSL | 15:117db924cf7c | 1733 | static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input, |
wolfSSL | 15:117db924cf7c | 1734 | word16 sz, const byte* aad, word16 aadSz, int asyncOkay) |
wolfSSL | 15:117db924cf7c | 1735 | { |
wolfSSL | 15:117db924cf7c | 1736 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 1737 | word16 dataSz = sz - ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 1738 | word16 macSz = ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 1739 | word32 nonceSz = 0; |
wolfSSL | 15:117db924cf7c | 1740 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1741 | WC_ASYNC_DEV* asyncDev = NULL; |
wolfSSL | 15:117db924cf7c | 1742 | word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN; |
wolfSSL | 15:117db924cf7c | 1743 | #endif |
wolfSSL | 15:117db924cf7c | 1744 | |
wolfSSL | 15:117db924cf7c | 1745 | WOLFSSL_ENTER("EncryptTls13"); |
wolfSSL | 15:117db924cf7c | 1746 | |
wolfSSL | 15:117db924cf7c | 1747 | (void)output; |
wolfSSL | 15:117db924cf7c | 1748 | (void)input; |
wolfSSL | 15:117db924cf7c | 1749 | (void)sz; |
wolfSSL | 15:117db924cf7c | 1750 | (void)dataSz; |
wolfSSL | 15:117db924cf7c | 1751 | (void)macSz; |
wolfSSL | 15:117db924cf7c | 1752 | (void)asyncOkay; |
wolfSSL | 15:117db924cf7c | 1753 | (void)nonceSz; |
wolfSSL | 15:117db924cf7c | 1754 | |
wolfSSL | 15:117db924cf7c | 1755 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1756 | if (ssl->error == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 1757 | ssl->error = 0; /* clear async */ |
wolfSSL | 15:117db924cf7c | 1758 | } |
wolfSSL | 15:117db924cf7c | 1759 | #endif |
wolfSSL | 15:117db924cf7c | 1760 | |
wolfSSL | 15:117db924cf7c | 1761 | switch (ssl->encrypt.state) { |
wolfSSL | 15:117db924cf7c | 1762 | case CIPHER_STATE_BEGIN: |
wolfSSL | 15:117db924cf7c | 1763 | { |
wolfSSL | 15:117db924cf7c | 1764 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 1765 | WOLFSSL_MSG("Data to encrypt"); |
wolfSSL | 15:117db924cf7c | 1766 | WOLFSSL_BUFFER(input, dataSz); |
wolfSSL | 15:117db924cf7c | 1767 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \ |
wolfSSL | 15:117db924cf7c | 1768 | !defined(WOLFSSL_TLS13_DRAFT_23) |
wolfSSL | 15:117db924cf7c | 1769 | WOLFSSL_MSG("Additional Authentication Data"); |
wolfSSL | 15:117db924cf7c | 1770 | WOLFSSL_BUFFER(aad, aadSz); |
wolfSSL | 15:117db924cf7c | 1771 | #endif |
wolfSSL | 15:117db924cf7c | 1772 | #endif |
wolfSSL | 15:117db924cf7c | 1773 | |
wolfSSL | 16:8e0d178b1d1e | 1774 | #ifdef CIPHER_NONCE |
wolfSSL | 15:117db924cf7c | 1775 | if (ssl->encrypt.nonce == NULL) |
wolfSSL | 15:117db924cf7c | 1776 | ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ, |
wolfSSL | 15:117db924cf7c | 1777 | ssl->heap, DYNAMIC_TYPE_AES_BUFFER); |
wolfSSL | 15:117db924cf7c | 1778 | if (ssl->encrypt.nonce == NULL) |
wolfSSL | 15:117db924cf7c | 1779 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 1780 | |
wolfSSL | 15:117db924cf7c | 1781 | BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV, |
wolfSSL | 15:117db924cf7c | 1782 | CUR_ORDER); |
wolfSSL | 16:8e0d178b1d1e | 1783 | #endif |
wolfSSL | 15:117db924cf7c | 1784 | |
wolfSSL | 15:117db924cf7c | 1785 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 1786 | ssl->encrypt.state = CIPHER_STATE_DO; |
wolfSSL | 15:117db924cf7c | 1787 | } |
wolfSSL | 15:117db924cf7c | 1788 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 1789 | |
wolfSSL | 15:117db924cf7c | 1790 | case CIPHER_STATE_DO: |
wolfSSL | 15:117db924cf7c | 1791 | { |
wolfSSL | 15:117db924cf7c | 1792 | switch (ssl->specs.bulk_cipher_algorithm) { |
wolfSSL | 15:117db924cf7c | 1793 | #ifdef BUILD_AESGCM |
wolfSSL | 15:117db924cf7c | 1794 | case wolfssl_aes_gcm: |
wolfSSL | 15:117db924cf7c | 1795 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1796 | /* initialize event */ |
wolfSSL | 15:117db924cf7c | 1797 | asyncDev = &ssl->encrypt.aes->asyncDev; |
wolfSSL | 15:117db924cf7c | 1798 | ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags); |
wolfSSL | 15:117db924cf7c | 1799 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1800 | break; |
wolfSSL | 15:117db924cf7c | 1801 | #endif |
wolfSSL | 15:117db924cf7c | 1802 | |
wolfSSL | 15:117db924cf7c | 1803 | nonceSz = AESGCM_NONCE_SZ; |
wolfSSL | 16:8e0d178b1d1e | 1804 | #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ |
wolfSSL | 16:8e0d178b1d1e | 1805 | (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))) |
wolfSSL | 15:117db924cf7c | 1806 | ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input, |
wolfSSL | 15:117db924cf7c | 1807 | dataSz, ssl->encrypt.nonce, nonceSz, |
wolfSSL | 15:117db924cf7c | 1808 | output + dataSz, macSz, aad, aadSz); |
wolfSSL | 16:8e0d178b1d1e | 1809 | #else |
wolfSSL | 16:8e0d178b1d1e | 1810 | ret = wc_AesGcmSetExtIV(ssl->encrypt.aes, |
wolfSSL | 16:8e0d178b1d1e | 1811 | ssl->encrypt.nonce, nonceSz); |
wolfSSL | 16:8e0d178b1d1e | 1812 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 1813 | ret = wc_AesGcmEncrypt_ex(ssl->encrypt.aes, output, |
wolfSSL | 16:8e0d178b1d1e | 1814 | input, dataSz, ssl->encrypt.nonce, nonceSz, |
wolfSSL | 16:8e0d178b1d1e | 1815 | output + dataSz, macSz, aad, aadSz); |
wolfSSL | 16:8e0d178b1d1e | 1816 | } |
wolfSSL | 16:8e0d178b1d1e | 1817 | #endif |
wolfSSL | 15:117db924cf7c | 1818 | break; |
wolfSSL | 15:117db924cf7c | 1819 | #endif |
wolfSSL | 15:117db924cf7c | 1820 | |
wolfSSL | 15:117db924cf7c | 1821 | #ifdef HAVE_AESCCM |
wolfSSL | 15:117db924cf7c | 1822 | case wolfssl_aes_ccm: |
wolfSSL | 15:117db924cf7c | 1823 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1824 | /* initialize event */ |
wolfSSL | 15:117db924cf7c | 1825 | asyncDev = &ssl->encrypt.aes->asyncDev; |
wolfSSL | 15:117db924cf7c | 1826 | ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags); |
wolfSSL | 15:117db924cf7c | 1827 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1828 | break; |
wolfSSL | 15:117db924cf7c | 1829 | #endif |
wolfSSL | 15:117db924cf7c | 1830 | |
wolfSSL | 15:117db924cf7c | 1831 | nonceSz = AESCCM_NONCE_SZ; |
wolfSSL | 16:8e0d178b1d1e | 1832 | #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ |
wolfSSL | 16:8e0d178b1d1e | 1833 | (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))) |
wolfSSL | 15:117db924cf7c | 1834 | ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input, |
wolfSSL | 15:117db924cf7c | 1835 | dataSz, ssl->encrypt.nonce, nonceSz, |
wolfSSL | 15:117db924cf7c | 1836 | output + dataSz, macSz, aad, aadSz); |
wolfSSL | 16:8e0d178b1d1e | 1837 | #else |
wolfSSL | 16:8e0d178b1d1e | 1838 | ret = wc_AesCcmSetNonce(ssl->encrypt.aes, |
wolfSSL | 16:8e0d178b1d1e | 1839 | ssl->encrypt.nonce, nonceSz); |
wolfSSL | 16:8e0d178b1d1e | 1840 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 1841 | ret = wc_AesCcmEncrypt_ex(ssl->encrypt.aes, output, |
wolfSSL | 16:8e0d178b1d1e | 1842 | input, dataSz, ssl->encrypt.nonce, nonceSz, |
wolfSSL | 16:8e0d178b1d1e | 1843 | output + dataSz, macSz, aad, aadSz); |
wolfSSL | 16:8e0d178b1d1e | 1844 | } |
wolfSSL | 16:8e0d178b1d1e | 1845 | #endif |
wolfSSL | 15:117db924cf7c | 1846 | break; |
wolfSSL | 15:117db924cf7c | 1847 | #endif |
wolfSSL | 15:117db924cf7c | 1848 | |
wolfSSL | 15:117db924cf7c | 1849 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
wolfSSL | 15:117db924cf7c | 1850 | case wolfssl_chacha: |
wolfSSL | 15:117db924cf7c | 1851 | ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz, |
wolfSSL | 15:117db924cf7c | 1852 | ssl->encrypt.nonce, aad, aadSz, output + dataSz); |
wolfSSL | 15:117db924cf7c | 1853 | break; |
wolfSSL | 15:117db924cf7c | 1854 | #endif |
wolfSSL | 15:117db924cf7c | 1855 | |
wolfSSL | 16:8e0d178b1d1e | 1856 | #ifdef HAVE_NULL_CIPHER |
wolfSSL | 16:8e0d178b1d1e | 1857 | case wolfssl_cipher_null: |
wolfSSL | 16:8e0d178b1d1e | 1858 | ret = Tls13IntegrityOnly_Encrypt(ssl, output, input, dataSz, |
wolfSSL | 16:8e0d178b1d1e | 1859 | ssl->encrypt.nonce, aad, aadSz, output + dataSz); |
wolfSSL | 16:8e0d178b1d1e | 1860 | break; |
wolfSSL | 16:8e0d178b1d1e | 1861 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1862 | |
wolfSSL | 15:117db924cf7c | 1863 | default: |
wolfSSL | 15:117db924cf7c | 1864 | WOLFSSL_MSG("wolfSSL Encrypt programming error"); |
wolfSSL | 15:117db924cf7c | 1865 | return ENCRYPT_ERROR; |
wolfSSL | 15:117db924cf7c | 1866 | } |
wolfSSL | 15:117db924cf7c | 1867 | |
wolfSSL | 15:117db924cf7c | 1868 | /* Advance state */ |
wolfSSL | 15:117db924cf7c | 1869 | ssl->encrypt.state = CIPHER_STATE_END; |
wolfSSL | 15:117db924cf7c | 1870 | |
wolfSSL | 15:117db924cf7c | 1871 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 1872 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 1873 | /* if async is not okay, then block */ |
wolfSSL | 15:117db924cf7c | 1874 | if (!asyncOkay) { |
wolfSSL | 15:117db924cf7c | 1875 | ret = wc_AsyncWait(ret, asyncDev, event_flags); |
wolfSSL | 15:117db924cf7c | 1876 | } |
wolfSSL | 15:117db924cf7c | 1877 | else { |
wolfSSL | 15:117db924cf7c | 1878 | /* If pending, then leave and return will resume below */ |
wolfSSL | 15:117db924cf7c | 1879 | return wolfSSL_AsyncPush(ssl, asyncDev); |
wolfSSL | 15:117db924cf7c | 1880 | } |
wolfSSL | 15:117db924cf7c | 1881 | } |
wolfSSL | 15:117db924cf7c | 1882 | #endif |
wolfSSL | 15:117db924cf7c | 1883 | } |
wolfSSL | 15:117db924cf7c | 1884 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 1885 | |
wolfSSL | 15:117db924cf7c | 1886 | case CIPHER_STATE_END: |
wolfSSL | 15:117db924cf7c | 1887 | { |
wolfSSL | 16:8e0d178b1d1e | 1888 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 16:8e0d178b1d1e | 1889 | #ifdef CIPHER_NONCE |
wolfSSL | 15:117db924cf7c | 1890 | WOLFSSL_MSG("Nonce"); |
wolfSSL | 15:117db924cf7c | 1891 | WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size); |
wolfSSL | 16:8e0d178b1d1e | 1892 | #endif |
wolfSSL | 15:117db924cf7c | 1893 | WOLFSSL_MSG("Encrypted data"); |
wolfSSL | 15:117db924cf7c | 1894 | WOLFSSL_BUFFER(output, dataSz); |
wolfSSL | 15:117db924cf7c | 1895 | WOLFSSL_MSG("Authentication Tag"); |
wolfSSL | 15:117db924cf7c | 1896 | WOLFSSL_BUFFER(output + dataSz, macSz); |
wolfSSL | 16:8e0d178b1d1e | 1897 | #endif |
wolfSSL | 16:8e0d178b1d1e | 1898 | |
wolfSSL | 16:8e0d178b1d1e | 1899 | #ifdef CIPHER_NONCE |
wolfSSL | 15:117db924cf7c | 1900 | ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ); |
wolfSSL | 16:8e0d178b1d1e | 1901 | #endif |
wolfSSL | 15:117db924cf7c | 1902 | |
wolfSSL | 15:117db924cf7c | 1903 | break; |
wolfSSL | 15:117db924cf7c | 1904 | } |
wolfSSL | 15:117db924cf7c | 1905 | } |
wolfSSL | 15:117db924cf7c | 1906 | |
wolfSSL | 15:117db924cf7c | 1907 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 1908 | ssl->encrypt.state = CIPHER_STATE_BEGIN; |
wolfSSL | 15:117db924cf7c | 1909 | |
wolfSSL | 15:117db924cf7c | 1910 | return ret; |
wolfSSL | 15:117db924cf7c | 1911 | } |
wolfSSL | 15:117db924cf7c | 1912 | |
wolfSSL | 15:117db924cf7c | 1913 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
wolfSSL | 15:117db924cf7c | 1914 | /* Decrypt with ChaCha20 and check authenication tag with Poly1305. |
wolfSSL | 15:117db924cf7c | 1915 | * |
wolfSSL | 15:117db924cf7c | 1916 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 1917 | * output The buffer to write decrypted data into. |
wolfSSL | 15:117db924cf7c | 1918 | * May be the same pointer as input. |
wolfSSL | 15:117db924cf7c | 1919 | * input The data to decrypt. |
wolfSSL | 15:117db924cf7c | 1920 | * sz The number of bytes to decrypt. |
wolfSSL | 15:117db924cf7c | 1921 | * nonce The nonce to use with ChaCha20. |
wolfSSL | 15:117db924cf7c | 1922 | * aad The additional authentication data. |
wolfSSL | 15:117db924cf7c | 1923 | * aadSz The size of the addition authentication data. |
wolfSSL | 15:117db924cf7c | 1924 | * tagIn The authentication tag data from packet. |
wolfSSL | 15:117db924cf7c | 1925 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 1926 | */ |
wolfSSL | 15:117db924cf7c | 1927 | static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output, |
wolfSSL | 15:117db924cf7c | 1928 | const byte* input, word16 sz, byte* nonce, |
wolfSSL | 15:117db924cf7c | 1929 | const byte* aad, word16 aadSz, |
wolfSSL | 15:117db924cf7c | 1930 | const byte* tagIn) |
wolfSSL | 15:117db924cf7c | 1931 | { |
wolfSSL | 15:117db924cf7c | 1932 | int ret; |
wolfSSL | 15:117db924cf7c | 1933 | byte tag[POLY1305_AUTH_SZ]; |
wolfSSL | 15:117db924cf7c | 1934 | byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */ |
wolfSSL | 15:117db924cf7c | 1935 | |
wolfSSL | 15:117db924cf7c | 1936 | /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */ |
wolfSSL | 15:117db924cf7c | 1937 | XMEMSET(poly, 0, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1938 | |
wolfSSL | 15:117db924cf7c | 1939 | /* Set nonce and get Poly1305 key. */ |
wolfSSL | 15:117db924cf7c | 1940 | ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0); |
wolfSSL | 15:117db924cf7c | 1941 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1942 | return ret; |
wolfSSL | 15:117db924cf7c | 1943 | /* Use ChaCha20 keystream to get Poly1305 key for tag. */ |
wolfSSL | 15:117db924cf7c | 1944 | ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1945 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1946 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 1947 | ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 1); |
wolfSSL | 16:8e0d178b1d1e | 1948 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 1949 | return ret; |
wolfSSL | 15:117db924cf7c | 1950 | |
wolfSSL | 15:117db924cf7c | 1951 | /* Set key for Poly1305. */ |
wolfSSL | 15:117db924cf7c | 1952 | ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly)); |
wolfSSL | 15:117db924cf7c | 1953 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ |
wolfSSL | 15:117db924cf7c | 1954 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 1955 | return ret; |
wolfSSL | 15:117db924cf7c | 1956 | /* Generate authentication tag for encrypted data. */ |
wolfSSL | 15:117db924cf7c | 1957 | if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, (byte*)aad, aadSz, |
wolfSSL | 15:117db924cf7c | 1958 | (byte*)input, sz, tag, sizeof(tag))) != 0) { |
wolfSSL | 15:117db924cf7c | 1959 | return ret; |
wolfSSL | 15:117db924cf7c | 1960 | } |
wolfSSL | 15:117db924cf7c | 1961 | |
wolfSSL | 15:117db924cf7c | 1962 | /* Check tag sent along with packet. */ |
wolfSSL | 15:117db924cf7c | 1963 | if (ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) { |
wolfSSL | 15:117db924cf7c | 1964 | WOLFSSL_MSG("MAC did not match"); |
wolfSSL | 15:117db924cf7c | 1965 | return VERIFY_MAC_ERROR; |
wolfSSL | 15:117db924cf7c | 1966 | } |
wolfSSL | 15:117db924cf7c | 1967 | |
wolfSSL | 15:117db924cf7c | 1968 | /* If the tag was good decrypt message. */ |
wolfSSL | 15:117db924cf7c | 1969 | ret = wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz); |
wolfSSL | 15:117db924cf7c | 1970 | |
wolfSSL | 15:117db924cf7c | 1971 | return ret; |
wolfSSL | 15:117db924cf7c | 1972 | } |
wolfSSL | 15:117db924cf7c | 1973 | #endif |
wolfSSL | 15:117db924cf7c | 1974 | |
wolfSSL | 16:8e0d178b1d1e | 1975 | #ifdef HAVE_NULL_CIPHER |
wolfSSL | 16:8e0d178b1d1e | 1976 | /* Check HMAC tag and copy over input. |
wolfSSL | 16:8e0d178b1d1e | 1977 | * |
wolfSSL | 16:8e0d178b1d1e | 1978 | * ssl The SSL/TLS object. |
wolfSSL | 16:8e0d178b1d1e | 1979 | * output The buffer to copy data into. |
wolfSSL | 16:8e0d178b1d1e | 1980 | * May be the same pointer as input. |
wolfSSL | 16:8e0d178b1d1e | 1981 | * input The data. |
wolfSSL | 16:8e0d178b1d1e | 1982 | * sz The number of bytes of data. |
wolfSSL | 16:8e0d178b1d1e | 1983 | * nonce The nonce to use with authentication. |
wolfSSL | 16:8e0d178b1d1e | 1984 | * aad The additional authentication data. |
wolfSSL | 16:8e0d178b1d1e | 1985 | * aadSz The size of the addition authentication data. |
wolfSSL | 16:8e0d178b1d1e | 1986 | * tagIn The authentication tag data from packet. |
wolfSSL | 16:8e0d178b1d1e | 1987 | * returns 0 on success, otherwise failure. |
wolfSSL | 16:8e0d178b1d1e | 1988 | */ |
wolfSSL | 16:8e0d178b1d1e | 1989 | static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output, |
wolfSSL | 16:8e0d178b1d1e | 1990 | const byte* input, word16 sz, |
wolfSSL | 16:8e0d178b1d1e | 1991 | const byte* nonce, |
wolfSSL | 16:8e0d178b1d1e | 1992 | const byte* aad, word16 aadSz, |
wolfSSL | 16:8e0d178b1d1e | 1993 | const byte* tagIn) |
wolfSSL | 16:8e0d178b1d1e | 1994 | { |
wolfSSL | 16:8e0d178b1d1e | 1995 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 1996 | byte hmac[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 16:8e0d178b1d1e | 1997 | |
wolfSSL | 16:8e0d178b1d1e | 1998 | /* HMAC: nonce | aad | input */ |
wolfSSL | 16:8e0d178b1d1e | 1999 | ret = wc_HmacUpdate(ssl->decrypt.hmac, nonce, HMAC_NONCE_SZ); |
wolfSSL | 16:8e0d178b1d1e | 2000 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 2001 | ret = wc_HmacUpdate(ssl->decrypt.hmac, aad, aadSz); |
wolfSSL | 16:8e0d178b1d1e | 2002 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 2003 | ret = wc_HmacUpdate(ssl->decrypt.hmac, input, sz); |
wolfSSL | 16:8e0d178b1d1e | 2004 | if (ret == 0) |
wolfSSL | 16:8e0d178b1d1e | 2005 | ret = wc_HmacFinal(ssl->decrypt.hmac, hmac); |
wolfSSL | 16:8e0d178b1d1e | 2006 | /* Check authentication tag matches */ |
wolfSSL | 16:8e0d178b1d1e | 2007 | if (ret == 0 && ConstantCompare(tagIn, hmac, ssl->specs.hash_size) != 0) |
wolfSSL | 16:8e0d178b1d1e | 2008 | ret = DECRYPT_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 2009 | /* Copy the input to output if not the same buffer */ |
wolfSSL | 16:8e0d178b1d1e | 2010 | if (ret == 0 && output != input) |
wolfSSL | 16:8e0d178b1d1e | 2011 | XMEMCPY(output, input, sz); |
wolfSSL | 16:8e0d178b1d1e | 2012 | |
wolfSSL | 16:8e0d178b1d1e | 2013 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 2014 | } |
wolfSSL | 16:8e0d178b1d1e | 2015 | #endif |
wolfSSL | 16:8e0d178b1d1e | 2016 | |
wolfSSL | 15:117db924cf7c | 2017 | /* Decrypt data for TLS v1.3. |
wolfSSL | 15:117db924cf7c | 2018 | * |
wolfSSL | 15:117db924cf7c | 2019 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2020 | * output The buffer to write decrypted data into. |
wolfSSL | 15:117db924cf7c | 2021 | * May be the same pointer as input. |
wolfSSL | 15:117db924cf7c | 2022 | * input The data to decrypt and authentication tag. |
wolfSSL | 15:117db924cf7c | 2023 | * sz The length of the encrypted data plus authentication tag. |
wolfSSL | 15:117db924cf7c | 2024 | * aad The additional authentication data. |
wolfSSL | 15:117db924cf7c | 2025 | * aadSz The size of the addition authentication data. |
wolfSSL | 15:117db924cf7c | 2026 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 2027 | */ |
wolfSSL | 15:117db924cf7c | 2028 | int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, |
wolfSSL | 15:117db924cf7c | 2029 | const byte* aad, word16 aadSz) |
wolfSSL | 15:117db924cf7c | 2030 | { |
wolfSSL | 15:117db924cf7c | 2031 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 2032 | word16 dataSz = sz - ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 2033 | word16 macSz = ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 2034 | word32 nonceSz = 0; |
wolfSSL | 15:117db924cf7c | 2035 | |
wolfSSL | 15:117db924cf7c | 2036 | WOLFSSL_ENTER("DecryptTls13"); |
wolfSSL | 15:117db924cf7c | 2037 | |
wolfSSL | 15:117db924cf7c | 2038 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2039 | ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state); |
wolfSSL | 15:117db924cf7c | 2040 | if (ret != WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2041 | /* check for still pending */ |
wolfSSL | 15:117db924cf7c | 2042 | if (ret == WC_PENDING_E) |
wolfSSL | 15:117db924cf7c | 2043 | return ret; |
wolfSSL | 15:117db924cf7c | 2044 | |
wolfSSL | 15:117db924cf7c | 2045 | ssl->error = 0; /* clear async */ |
wolfSSL | 15:117db924cf7c | 2046 | |
wolfSSL | 15:117db924cf7c | 2047 | /* let failures through so CIPHER_STATE_END logic is run */ |
wolfSSL | 15:117db924cf7c | 2048 | } |
wolfSSL | 15:117db924cf7c | 2049 | else |
wolfSSL | 15:117db924cf7c | 2050 | #endif |
wolfSSL | 15:117db924cf7c | 2051 | { |
wolfSSL | 15:117db924cf7c | 2052 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 2053 | ret = 0; |
wolfSSL | 15:117db924cf7c | 2054 | ssl->decrypt.state = CIPHER_STATE_BEGIN; |
wolfSSL | 15:117db924cf7c | 2055 | } |
wolfSSL | 15:117db924cf7c | 2056 | |
wolfSSL | 15:117db924cf7c | 2057 | (void)output; |
wolfSSL | 15:117db924cf7c | 2058 | (void)input; |
wolfSSL | 15:117db924cf7c | 2059 | (void)sz; |
wolfSSL | 15:117db924cf7c | 2060 | (void)dataSz; |
wolfSSL | 15:117db924cf7c | 2061 | (void)macSz; |
wolfSSL | 15:117db924cf7c | 2062 | (void)nonceSz; |
wolfSSL | 15:117db924cf7c | 2063 | |
wolfSSL | 15:117db924cf7c | 2064 | switch (ssl->decrypt.state) { |
wolfSSL | 15:117db924cf7c | 2065 | case CIPHER_STATE_BEGIN: |
wolfSSL | 15:117db924cf7c | 2066 | { |
wolfSSL | 15:117db924cf7c | 2067 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 2068 | WOLFSSL_MSG("Data to decrypt"); |
wolfSSL | 15:117db924cf7c | 2069 | WOLFSSL_BUFFER(input, dataSz); |
wolfSSL | 15:117db924cf7c | 2070 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && !defined(WOLFSSL_TLS13_DRAFT_22) && \ |
wolfSSL | 15:117db924cf7c | 2071 | !defined(WOLFSSL_TLS13_DRAFT_23) |
wolfSSL | 15:117db924cf7c | 2072 | WOLFSSL_MSG("Additional Authentication Data"); |
wolfSSL | 15:117db924cf7c | 2073 | WOLFSSL_BUFFER(aad, aadSz); |
wolfSSL | 15:117db924cf7c | 2074 | #endif |
wolfSSL | 15:117db924cf7c | 2075 | WOLFSSL_MSG("Authentication tag"); |
wolfSSL | 15:117db924cf7c | 2076 | WOLFSSL_BUFFER(input + dataSz, macSz); |
wolfSSL | 15:117db924cf7c | 2077 | #endif |
wolfSSL | 15:117db924cf7c | 2078 | |
wolfSSL | 16:8e0d178b1d1e | 2079 | #ifdef CIPHER_NONCE |
wolfSSL | 15:117db924cf7c | 2080 | if (ssl->decrypt.nonce == NULL) |
wolfSSL | 15:117db924cf7c | 2081 | ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ, |
wolfSSL | 15:117db924cf7c | 2082 | ssl->heap, DYNAMIC_TYPE_AES_BUFFER); |
wolfSSL | 15:117db924cf7c | 2083 | if (ssl->decrypt.nonce == NULL) |
wolfSSL | 15:117db924cf7c | 2084 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 2085 | |
wolfSSL | 15:117db924cf7c | 2086 | BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, |
wolfSSL | 15:117db924cf7c | 2087 | PEER_ORDER); |
wolfSSL | 16:8e0d178b1d1e | 2088 | #endif |
wolfSSL | 15:117db924cf7c | 2089 | |
wolfSSL | 15:117db924cf7c | 2090 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 2091 | ssl->decrypt.state = CIPHER_STATE_DO; |
wolfSSL | 15:117db924cf7c | 2092 | } |
wolfSSL | 15:117db924cf7c | 2093 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 2094 | |
wolfSSL | 15:117db924cf7c | 2095 | case CIPHER_STATE_DO: |
wolfSSL | 15:117db924cf7c | 2096 | { |
wolfSSL | 15:117db924cf7c | 2097 | switch (ssl->specs.bulk_cipher_algorithm) { |
wolfSSL | 15:117db924cf7c | 2098 | #ifdef BUILD_AESGCM |
wolfSSL | 15:117db924cf7c | 2099 | case wolfssl_aes_gcm: |
wolfSSL | 15:117db924cf7c | 2100 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2101 | /* initialize event */ |
wolfSSL | 15:117db924cf7c | 2102 | ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev, |
wolfSSL | 15:117db924cf7c | 2103 | WC_ASYNC_FLAG_CALL_AGAIN); |
wolfSSL | 15:117db924cf7c | 2104 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2105 | break; |
wolfSSL | 15:117db924cf7c | 2106 | #endif |
wolfSSL | 15:117db924cf7c | 2107 | |
wolfSSL | 15:117db924cf7c | 2108 | nonceSz = AESGCM_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 2109 | ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input, |
wolfSSL | 15:117db924cf7c | 2110 | dataSz, ssl->decrypt.nonce, nonceSz, |
wolfSSL | 15:117db924cf7c | 2111 | input + dataSz, macSz, aad, aadSz); |
wolfSSL | 15:117db924cf7c | 2112 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2113 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2114 | ret = wolfSSL_AsyncPush(ssl, |
wolfSSL | 15:117db924cf7c | 2115 | &ssl->decrypt.aes->asyncDev); |
wolfSSL | 15:117db924cf7c | 2116 | } |
wolfSSL | 15:117db924cf7c | 2117 | #endif |
wolfSSL | 15:117db924cf7c | 2118 | break; |
wolfSSL | 15:117db924cf7c | 2119 | #endif |
wolfSSL | 15:117db924cf7c | 2120 | |
wolfSSL | 15:117db924cf7c | 2121 | #ifdef HAVE_AESCCM |
wolfSSL | 15:117db924cf7c | 2122 | case wolfssl_aes_ccm: |
wolfSSL | 15:117db924cf7c | 2123 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2124 | /* initialize event */ |
wolfSSL | 15:117db924cf7c | 2125 | ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev, |
wolfSSL | 15:117db924cf7c | 2126 | WC_ASYNC_FLAG_CALL_AGAIN); |
wolfSSL | 15:117db924cf7c | 2127 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2128 | break; |
wolfSSL | 15:117db924cf7c | 2129 | #endif |
wolfSSL | 15:117db924cf7c | 2130 | |
wolfSSL | 15:117db924cf7c | 2131 | nonceSz = AESCCM_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 2132 | ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input, |
wolfSSL | 15:117db924cf7c | 2133 | dataSz, ssl->decrypt.nonce, nonceSz, |
wolfSSL | 15:117db924cf7c | 2134 | input + dataSz, macSz, aad, aadSz); |
wolfSSL | 15:117db924cf7c | 2135 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2136 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2137 | ret = wolfSSL_AsyncPush(ssl, |
wolfSSL | 15:117db924cf7c | 2138 | &ssl->decrypt.aes->asyncDev); |
wolfSSL | 15:117db924cf7c | 2139 | } |
wolfSSL | 15:117db924cf7c | 2140 | #endif |
wolfSSL | 15:117db924cf7c | 2141 | break; |
wolfSSL | 15:117db924cf7c | 2142 | #endif |
wolfSSL | 15:117db924cf7c | 2143 | |
wolfSSL | 15:117db924cf7c | 2144 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
wolfSSL | 15:117db924cf7c | 2145 | case wolfssl_chacha: |
wolfSSL | 15:117db924cf7c | 2146 | ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz, |
wolfSSL | 15:117db924cf7c | 2147 | ssl->decrypt.nonce, aad, aadSz, input + dataSz); |
wolfSSL | 15:117db924cf7c | 2148 | break; |
wolfSSL | 15:117db924cf7c | 2149 | #endif |
wolfSSL | 15:117db924cf7c | 2150 | |
wolfSSL | 16:8e0d178b1d1e | 2151 | #ifdef HAVE_NULL_CIPHER |
wolfSSL | 16:8e0d178b1d1e | 2152 | case wolfssl_cipher_null: |
wolfSSL | 16:8e0d178b1d1e | 2153 | ret = Tls13IntegrityOnly_Decrypt(ssl, output, input, dataSz, |
wolfSSL | 16:8e0d178b1d1e | 2154 | ssl->decrypt.nonce, aad, aadSz, input + dataSz); |
wolfSSL | 16:8e0d178b1d1e | 2155 | break; |
wolfSSL | 16:8e0d178b1d1e | 2156 | #endif |
wolfSSL | 15:117db924cf7c | 2157 | default: |
wolfSSL | 15:117db924cf7c | 2158 | WOLFSSL_MSG("wolfSSL Decrypt programming error"); |
wolfSSL | 15:117db924cf7c | 2159 | return DECRYPT_ERROR; |
wolfSSL | 15:117db924cf7c | 2160 | } |
wolfSSL | 15:117db924cf7c | 2161 | |
wolfSSL | 15:117db924cf7c | 2162 | /* Advance state */ |
wolfSSL | 15:117db924cf7c | 2163 | ssl->decrypt.state = CIPHER_STATE_END; |
wolfSSL | 15:117db924cf7c | 2164 | |
wolfSSL | 15:117db924cf7c | 2165 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2166 | /* If pending, leave now */ |
wolfSSL | 15:117db924cf7c | 2167 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2168 | return ret; |
wolfSSL | 15:117db924cf7c | 2169 | } |
wolfSSL | 15:117db924cf7c | 2170 | #endif |
wolfSSL | 15:117db924cf7c | 2171 | } |
wolfSSL | 15:117db924cf7c | 2172 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 2173 | |
wolfSSL | 15:117db924cf7c | 2174 | case CIPHER_STATE_END: |
wolfSSL | 15:117db924cf7c | 2175 | { |
wolfSSL | 15:117db924cf7c | 2176 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 16:8e0d178b1d1e | 2177 | #ifdef CIPHER_NONCE |
wolfSSL | 16:8e0d178b1d1e | 2178 | WOLFSSL_MSG("Nonce"); |
wolfSSL | 16:8e0d178b1d1e | 2179 | WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size); |
wolfSSL | 16:8e0d178b1d1e | 2180 | #endif |
wolfSSL | 16:8e0d178b1d1e | 2181 | WOLFSSL_MSG("Decrypted data"); |
wolfSSL | 16:8e0d178b1d1e | 2182 | WOLFSSL_BUFFER(output, dataSz); |
wolfSSL | 15:117db924cf7c | 2183 | #endif |
wolfSSL | 15:117db924cf7c | 2184 | |
wolfSSL | 16:8e0d178b1d1e | 2185 | #ifdef CIPHER_NONCE |
wolfSSL | 15:117db924cf7c | 2186 | ForceZero(ssl->decrypt.nonce, AEAD_NONCE_SZ); |
wolfSSL | 16:8e0d178b1d1e | 2187 | #endif |
wolfSSL | 15:117db924cf7c | 2188 | |
wolfSSL | 15:117db924cf7c | 2189 | break; |
wolfSSL | 15:117db924cf7c | 2190 | } |
wolfSSL | 15:117db924cf7c | 2191 | } |
wolfSSL | 15:117db924cf7c | 2192 | |
wolfSSL | 15:117db924cf7c | 2193 | #ifndef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 2194 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 2195 | SendAlert(ssl, alert_fatal, bad_record_mac); |
wolfSSL | 15:117db924cf7c | 2196 | ret = VERIFY_MAC_ERROR; |
wolfSSL | 15:117db924cf7c | 2197 | } |
wolfSSL | 15:117db924cf7c | 2198 | #endif |
wolfSSL | 15:117db924cf7c | 2199 | |
wolfSSL | 15:117db924cf7c | 2200 | return ret; |
wolfSSL | 15:117db924cf7c | 2201 | } |
wolfSSL | 15:117db924cf7c | 2202 | |
wolfSSL | 15:117db924cf7c | 2203 | /* Persistable BuildTls13Message arguments */ |
wolfSSL | 15:117db924cf7c | 2204 | typedef struct BuildMsg13Args { |
wolfSSL | 15:117db924cf7c | 2205 | word32 sz; |
wolfSSL | 15:117db924cf7c | 2206 | word32 idx; |
wolfSSL | 15:117db924cf7c | 2207 | word32 headerSz; |
wolfSSL | 15:117db924cf7c | 2208 | word16 size; |
wolfSSL | 15:117db924cf7c | 2209 | } BuildMsg13Args; |
wolfSSL | 15:117db924cf7c | 2210 | |
wolfSSL | 15:117db924cf7c | 2211 | static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs) |
wolfSSL | 15:117db924cf7c | 2212 | { |
wolfSSL | 15:117db924cf7c | 2213 | BuildMsg13Args* args = (BuildMsg13Args*)pArgs; |
wolfSSL | 15:117db924cf7c | 2214 | |
wolfSSL | 15:117db924cf7c | 2215 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 2216 | (void)args; |
wolfSSL | 15:117db924cf7c | 2217 | |
wolfSSL | 15:117db924cf7c | 2218 | /* no allocations in BuildTls13Message */ |
wolfSSL | 15:117db924cf7c | 2219 | } |
wolfSSL | 15:117db924cf7c | 2220 | |
wolfSSL | 15:117db924cf7c | 2221 | /* Build SSL Message, encrypted. |
wolfSSL | 15:117db924cf7c | 2222 | * TLS v1.3 encryption is AEAD only. |
wolfSSL | 15:117db924cf7c | 2223 | * |
wolfSSL | 15:117db924cf7c | 2224 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2225 | * output The buffer to write record message to. |
wolfSSL | 15:117db924cf7c | 2226 | * outSz Size of the buffer being written into. |
wolfSSL | 15:117db924cf7c | 2227 | * input The record data to encrypt (excluding record header). |
wolfSSL | 15:117db924cf7c | 2228 | * inSz The size of the record data. |
wolfSSL | 15:117db924cf7c | 2229 | * type The recorder header content type. |
wolfSSL | 15:117db924cf7c | 2230 | * hashOutput Whether to hash the unencrypted record data. |
wolfSSL | 15:117db924cf7c | 2231 | * sizeOnly Only want the size of the record message. |
wolfSSL | 15:117db924cf7c | 2232 | * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto |
wolfSSL | 15:117db924cf7c | 2233 | * returns the size of the encrypted record message or negative value on error. |
wolfSSL | 15:117db924cf7c | 2234 | */ |
wolfSSL | 15:117db924cf7c | 2235 | int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input, |
wolfSSL | 15:117db924cf7c | 2236 | int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay) |
wolfSSL | 15:117db924cf7c | 2237 | { |
wolfSSL | 15:117db924cf7c | 2238 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 2239 | BuildMsg13Args* args; |
wolfSSL | 15:117db924cf7c | 2240 | BuildMsg13Args lcl_args; |
wolfSSL | 15:117db924cf7c | 2241 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2242 | args = (BuildMsg13Args*)ssl->async.args; |
wolfSSL | 15:117db924cf7c | 2243 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; |
wolfSSL | 15:117db924cf7c | 2244 | (void)sizeof(args_test); |
wolfSSL | 15:117db924cf7c | 2245 | #endif |
wolfSSL | 15:117db924cf7c | 2246 | |
wolfSSL | 15:117db924cf7c | 2247 | WOLFSSL_ENTER("BuildTls13Message"); |
wolfSSL | 15:117db924cf7c | 2248 | |
wolfSSL | 15:117db924cf7c | 2249 | ret = WC_NOT_PENDING_E; |
wolfSSL | 15:117db924cf7c | 2250 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2251 | if (asyncOkay) { |
wolfSSL | 15:117db924cf7c | 2252 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState); |
wolfSSL | 15:117db924cf7c | 2253 | if (ret != WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2254 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 2255 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 2256 | goto exit_buildmsg; |
wolfSSL | 15:117db924cf7c | 2257 | } |
wolfSSL | 15:117db924cf7c | 2258 | } |
wolfSSL | 15:117db924cf7c | 2259 | else |
wolfSSL | 15:117db924cf7c | 2260 | #endif |
wolfSSL | 15:117db924cf7c | 2261 | { |
wolfSSL | 15:117db924cf7c | 2262 | args = &lcl_args; |
wolfSSL | 15:117db924cf7c | 2263 | } |
wolfSSL | 15:117db924cf7c | 2264 | |
wolfSSL | 15:117db924cf7c | 2265 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 2266 | if (ret == WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2267 | ret = 0; |
wolfSSL | 15:117db924cf7c | 2268 | ssl->options.buildMsgState = BUILD_MSG_BEGIN; |
wolfSSL | 15:117db924cf7c | 2269 | XMEMSET(args, 0, sizeof(BuildMsg13Args)); |
wolfSSL | 15:117db924cf7c | 2270 | |
wolfSSL | 15:117db924cf7c | 2271 | args->sz = RECORD_HEADER_SZ + inSz; |
wolfSSL | 15:117db924cf7c | 2272 | args->idx = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 2273 | args->headerSz = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 2274 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2275 | ssl->async.freeArgs = FreeBuildMsg13Args; |
wolfSSL | 15:117db924cf7c | 2276 | #endif |
wolfSSL | 15:117db924cf7c | 2277 | } |
wolfSSL | 15:117db924cf7c | 2278 | |
wolfSSL | 15:117db924cf7c | 2279 | switch (ssl->options.buildMsgState) { |
wolfSSL | 15:117db924cf7c | 2280 | case BUILD_MSG_BEGIN: |
wolfSSL | 15:117db924cf7c | 2281 | { |
wolfSSL | 15:117db924cf7c | 2282 | /* catch mistaken sizeOnly parameter */ |
wolfSSL | 15:117db924cf7c | 2283 | if (sizeOnly) { |
wolfSSL | 15:117db924cf7c | 2284 | if (output || input) { |
wolfSSL | 15:117db924cf7c | 2285 | WOLFSSL_MSG("BuildTls13Message with sizeOnly " |
wolfSSL | 15:117db924cf7c | 2286 | "doesn't need input or output"); |
wolfSSL | 15:117db924cf7c | 2287 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2288 | } |
wolfSSL | 15:117db924cf7c | 2289 | } |
wolfSSL | 15:117db924cf7c | 2290 | else if (output == NULL || input == NULL) { |
wolfSSL | 15:117db924cf7c | 2291 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2292 | } |
wolfSSL | 15:117db924cf7c | 2293 | |
wolfSSL | 15:117db924cf7c | 2294 | /* Record layer content type at the end of record data. */ |
wolfSSL | 15:117db924cf7c | 2295 | args->sz++; |
wolfSSL | 15:117db924cf7c | 2296 | /* Authentication data at the end. */ |
wolfSSL | 15:117db924cf7c | 2297 | args->sz += ssl->specs.aead_mac_size; |
wolfSSL | 15:117db924cf7c | 2298 | |
wolfSSL | 15:117db924cf7c | 2299 | if (sizeOnly) |
wolfSSL | 15:117db924cf7c | 2300 | return args->sz; |
wolfSSL | 15:117db924cf7c | 2301 | |
wolfSSL | 15:117db924cf7c | 2302 | if (args->sz > (word32)outSz) { |
wolfSSL | 15:117db924cf7c | 2303 | WOLFSSL_MSG("Oops, want to write past output buffer size"); |
wolfSSL | 15:117db924cf7c | 2304 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 2305 | } |
wolfSSL | 15:117db924cf7c | 2306 | |
wolfSSL | 15:117db924cf7c | 2307 | /* Record data length. */ |
wolfSSL | 15:117db924cf7c | 2308 | args->size = (word16)(args->sz - args->headerSz); |
wolfSSL | 15:117db924cf7c | 2309 | /* Write/update the record header with the new size. |
wolfSSL | 15:117db924cf7c | 2310 | * Always have the content type as application data for encrypted |
wolfSSL | 15:117db924cf7c | 2311 | * messages in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 2312 | */ |
wolfSSL | 15:117db924cf7c | 2313 | AddTls13RecordHeader(output, args->size, application_data, ssl); |
wolfSSL | 15:117db924cf7c | 2314 | |
wolfSSL | 15:117db924cf7c | 2315 | /* TLS v1.3 can do in place encryption. */ |
wolfSSL | 15:117db924cf7c | 2316 | if (input != output + args->idx) |
wolfSSL | 15:117db924cf7c | 2317 | XMEMCPY(output + args->idx, input, inSz); |
wolfSSL | 15:117db924cf7c | 2318 | args->idx += inSz; |
wolfSSL | 15:117db924cf7c | 2319 | |
wolfSSL | 15:117db924cf7c | 2320 | ssl->options.buildMsgState = BUILD_MSG_HASH; |
wolfSSL | 15:117db924cf7c | 2321 | } |
wolfSSL | 15:117db924cf7c | 2322 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 2323 | |
wolfSSL | 15:117db924cf7c | 2324 | case BUILD_MSG_HASH: |
wolfSSL | 15:117db924cf7c | 2325 | { |
wolfSSL | 15:117db924cf7c | 2326 | if (hashOutput) { |
wolfSSL | 15:117db924cf7c | 2327 | ret = HashOutput(ssl, output, args->headerSz + inSz, 0); |
wolfSSL | 15:117db924cf7c | 2328 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2329 | goto exit_buildmsg; |
wolfSSL | 15:117db924cf7c | 2330 | } |
wolfSSL | 15:117db924cf7c | 2331 | |
wolfSSL | 16:8e0d178b1d1e | 2332 | /* The real record content type goes at the end of the data. */ |
wolfSSL | 16:8e0d178b1d1e | 2333 | output[args->idx++] = (byte)type; |
wolfSSL | 16:8e0d178b1d1e | 2334 | |
wolfSSL | 15:117db924cf7c | 2335 | ssl->options.buildMsgState = BUILD_MSG_ENCRYPT; |
wolfSSL | 15:117db924cf7c | 2336 | } |
wolfSSL | 15:117db924cf7c | 2337 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 2338 | |
wolfSSL | 15:117db924cf7c | 2339 | case BUILD_MSG_ENCRYPT: |
wolfSSL | 15:117db924cf7c | 2340 | { |
wolfSSL | 15:117db924cf7c | 2341 | #ifdef ATOMIC_USER |
wolfSSL | 15:117db924cf7c | 2342 | if (ssl->ctx->MacEncryptCb) { |
wolfSSL | 15:117db924cf7c | 2343 | /* User Record Layer Callback handling */ |
wolfSSL | 15:117db924cf7c | 2344 | byte* mac = output + args->idx; |
wolfSSL | 15:117db924cf7c | 2345 | output += args->headerSz; |
wolfSSL | 15:117db924cf7c | 2346 | |
wolfSSL | 15:117db924cf7c | 2347 | ret = ssl->ctx->MacEncryptCb(ssl, mac, output, inSz, type, 0, |
wolfSSL | 15:117db924cf7c | 2348 | output, output, args->size, ssl->MacEncryptCtx); |
wolfSSL | 15:117db924cf7c | 2349 | } |
wolfSSL | 15:117db924cf7c | 2350 | else |
wolfSSL | 15:117db924cf7c | 2351 | #endif |
wolfSSL | 15:117db924cf7c | 2352 | { |
wolfSSL | 15:117db924cf7c | 2353 | #if defined(WOLFSSL_TLS13_DRAFT_18) || defined(WOLFSSL_TLS13_DRAFT_22) || \ |
wolfSSL | 15:117db924cf7c | 2354 | defined(WOLFSSL_TLS13_DRAFT_23) |
wolfSSL | 15:117db924cf7c | 2355 | output += args->headerSz; |
wolfSSL | 15:117db924cf7c | 2356 | ret = EncryptTls13(ssl, output, output, args->size, NULL, 0, |
wolfSSL | 15:117db924cf7c | 2357 | asyncOkay); |
wolfSSL | 15:117db924cf7c | 2358 | #else |
wolfSSL | 15:117db924cf7c | 2359 | const byte* aad = output; |
wolfSSL | 15:117db924cf7c | 2360 | output += args->headerSz; |
wolfSSL | 15:117db924cf7c | 2361 | ret = EncryptTls13(ssl, output, output, args->size, aad, |
wolfSSL | 15:117db924cf7c | 2362 | RECORD_HEADER_SZ, asyncOkay); |
wolfSSL | 15:117db924cf7c | 2363 | #endif |
wolfSSL | 15:117db924cf7c | 2364 | } |
wolfSSL | 15:117db924cf7c | 2365 | break; |
wolfSSL | 15:117db924cf7c | 2366 | } |
wolfSSL | 15:117db924cf7c | 2367 | } |
wolfSSL | 15:117db924cf7c | 2368 | |
wolfSSL | 15:117db924cf7c | 2369 | exit_buildmsg: |
wolfSSL | 15:117db924cf7c | 2370 | |
wolfSSL | 15:117db924cf7c | 2371 | WOLFSSL_LEAVE("BuildTls13Message", ret); |
wolfSSL | 15:117db924cf7c | 2372 | |
wolfSSL | 15:117db924cf7c | 2373 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 2374 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 2375 | return ret; |
wolfSSL | 15:117db924cf7c | 2376 | } |
wolfSSL | 15:117db924cf7c | 2377 | #endif |
wolfSSL | 15:117db924cf7c | 2378 | |
wolfSSL | 15:117db924cf7c | 2379 | /* make sure build message state is reset */ |
wolfSSL | 15:117db924cf7c | 2380 | ssl->options.buildMsgState = BUILD_MSG_BEGIN; |
wolfSSL | 15:117db924cf7c | 2381 | |
wolfSSL | 15:117db924cf7c | 2382 | /* return sz on success */ |
wolfSSL | 15:117db924cf7c | 2383 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 2384 | ret = args->sz; |
wolfSSL | 15:117db924cf7c | 2385 | |
wolfSSL | 15:117db924cf7c | 2386 | /* Final cleanup */ |
wolfSSL | 15:117db924cf7c | 2387 | FreeBuildMsg13Args(ssl, args); |
wolfSSL | 16:8e0d178b1d1e | 2388 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 16:8e0d178b1d1e | 2389 | ssl->async.freeArgs = NULL; |
wolfSSL | 16:8e0d178b1d1e | 2390 | #endif |
wolfSSL | 15:117db924cf7c | 2391 | |
wolfSSL | 15:117db924cf7c | 2392 | return ret; |
wolfSSL | 15:117db924cf7c | 2393 | } |
wolfSSL | 15:117db924cf7c | 2394 | |
wolfSSL | 15:117db924cf7c | 2395 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 2396 | /* Find the cipher suite in the suites set in the SSL. |
wolfSSL | 15:117db924cf7c | 2397 | * |
wolfSSL | 15:117db924cf7c | 2398 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2399 | * suite Cipher suite to look for. |
wolfSSL | 15:117db924cf7c | 2400 | * returns 1 when suite is found in SSL/TLS object's list and 0 otherwise. |
wolfSSL | 15:117db924cf7c | 2401 | */ |
wolfSSL | 16:8e0d178b1d1e | 2402 | static int FindSuiteSSL(WOLFSSL* ssl, byte* suite) |
wolfSSL | 15:117db924cf7c | 2403 | { |
wolfSSL | 16:8e0d178b1d1e | 2404 | word16 i; |
wolfSSL | 15:117db924cf7c | 2405 | |
wolfSSL | 15:117db924cf7c | 2406 | for (i = 0; i < ssl->suites->suiteSz; i += 2) { |
wolfSSL | 15:117db924cf7c | 2407 | if (ssl->suites->suites[i+0] == suite[0] && |
wolfSSL | 15:117db924cf7c | 2408 | ssl->suites->suites[i+1] == suite[1]) { |
wolfSSL | 15:117db924cf7c | 2409 | return 1; |
wolfSSL | 15:117db924cf7c | 2410 | } |
wolfSSL | 15:117db924cf7c | 2411 | } |
wolfSSL | 15:117db924cf7c | 2412 | |
wolfSSL | 15:117db924cf7c | 2413 | return 0; |
wolfSSL | 15:117db924cf7c | 2414 | } |
wolfSSL | 15:117db924cf7c | 2415 | #endif |
wolfSSL | 15:117db924cf7c | 2416 | |
wolfSSL | 15:117db924cf7c | 2417 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2418 | #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) |
wolfSSL | 15:117db924cf7c | 2419 | /* Create Cookie extension using the hash of the first ClientHello. |
wolfSSL | 15:117db924cf7c | 2420 | * |
wolfSSL | 15:117db924cf7c | 2421 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2422 | * hash The hash data. |
wolfSSL | 15:117db924cf7c | 2423 | * hashSz The size of the hash data in bytes. |
wolfSSL | 15:117db924cf7c | 2424 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 2425 | */ |
wolfSSL | 15:117db924cf7c | 2426 | static int CreateCookie(WOLFSSL* ssl, byte* hash, byte hashSz) |
wolfSSL | 15:117db924cf7c | 2427 | { |
wolfSSL | 15:117db924cf7c | 2428 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 2429 | byte mac[WC_MAX_DIGEST_SIZE] = {0}; |
wolfSSL | 15:117db924cf7c | 2430 | Hmac cookieHmac; |
wolfSSL | 16:8e0d178b1d1e | 2431 | byte cookieType = 0; |
wolfSSL | 16:8e0d178b1d1e | 2432 | byte macSz = 0; |
wolfSSL | 15:117db924cf7c | 2433 | |
wolfSSL | 15:117db924cf7c | 2434 | #if !defined(NO_SHA) && defined(NO_SHA256) |
wolfSSL | 15:117db924cf7c | 2435 | cookieType = SHA; |
wolfSSL | 15:117db924cf7c | 2436 | macSz = WC_SHA_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 2437 | #endif /* NO_SHA */ |
wolfSSL | 15:117db924cf7c | 2438 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 2439 | cookieType = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 2440 | macSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 2441 | #endif /* NO_SHA256 */ |
wolfSSL | 16:8e0d178b1d1e | 2442 | XMEMSET(&cookieHmac, 0, sizeof(Hmac)); |
wolfSSL | 15:117db924cf7c | 2443 | |
wolfSSL | 15:117db924cf7c | 2444 | ret = wc_HmacSetKey(&cookieHmac, cookieType, |
wolfSSL | 15:117db924cf7c | 2445 | ssl->buffers.tls13CookieSecret.buffer, |
wolfSSL | 15:117db924cf7c | 2446 | ssl->buffers.tls13CookieSecret.length); |
wolfSSL | 15:117db924cf7c | 2447 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2448 | return ret; |
wolfSSL | 15:117db924cf7c | 2449 | if ((ret = wc_HmacUpdate(&cookieHmac, hash, hashSz)) != 0) |
wolfSSL | 15:117db924cf7c | 2450 | return ret; |
wolfSSL | 15:117db924cf7c | 2451 | if ((ret = wc_HmacFinal(&cookieHmac, mac)) != 0) |
wolfSSL | 15:117db924cf7c | 2452 | return ret; |
wolfSSL | 15:117db924cf7c | 2453 | |
wolfSSL | 15:117db924cf7c | 2454 | /* The cookie data is the hash and the integrity check. */ |
wolfSSL | 15:117db924cf7c | 2455 | return TLSX_Cookie_Use(ssl, hash, hashSz, mac, macSz, 1); |
wolfSSL | 15:117db924cf7c | 2456 | } |
wolfSSL | 15:117db924cf7c | 2457 | #endif |
wolfSSL | 15:117db924cf7c | 2458 | |
wolfSSL | 16:8e0d178b1d1e | 2459 | /* Restart the handshake hash with a hash of the previous messages. |
wolfSSL | 15:117db924cf7c | 2460 | * |
wolfSSL | 15:117db924cf7c | 2461 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2462 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 2463 | */ |
wolfSSL | 15:117db924cf7c | 2464 | static int RestartHandshakeHash(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 2465 | { |
wolfSSL | 15:117db924cf7c | 2466 | int ret; |
wolfSSL | 15:117db924cf7c | 2467 | Hashes hashes; |
wolfSSL | 16:8e0d178b1d1e | 2468 | byte header[HANDSHAKE_HEADER_SZ] = {0}; |
wolfSSL | 15:117db924cf7c | 2469 | byte* hash = NULL; |
wolfSSL | 15:117db924cf7c | 2470 | byte hashSz = 0; |
wolfSSL | 15:117db924cf7c | 2471 | |
wolfSSL | 15:117db924cf7c | 2472 | ret = BuildCertHashes(ssl, &hashes); |
wolfSSL | 15:117db924cf7c | 2473 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2474 | return ret; |
wolfSSL | 15:117db924cf7c | 2475 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 2476 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 2477 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 2478 | hash = hashes.sha256; |
wolfSSL | 15:117db924cf7c | 2479 | break; |
wolfSSL | 15:117db924cf7c | 2480 | #endif |
wolfSSL | 15:117db924cf7c | 2481 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 2482 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 2483 | hash = hashes.sha384; |
wolfSSL | 15:117db924cf7c | 2484 | break; |
wolfSSL | 15:117db924cf7c | 2485 | #endif |
wolfSSL | 15:117db924cf7c | 2486 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 2487 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 2488 | hash = hashes.sha512; |
wolfSSL | 15:117db924cf7c | 2489 | break; |
wolfSSL | 15:117db924cf7c | 2490 | #endif |
wolfSSL | 15:117db924cf7c | 2491 | } |
wolfSSL | 15:117db924cf7c | 2492 | hashSz = ssl->specs.hash_size; |
wolfSSL | 16:8e0d178b1d1e | 2493 | |
wolfSSL | 16:8e0d178b1d1e | 2494 | /* check hash */ |
wolfSSL | 16:8e0d178b1d1e | 2495 | if (hash == NULL && hashSz > 0) |
wolfSSL | 16:8e0d178b1d1e | 2496 | return BAD_FUNC_ARG; |
wolfSSL | 16:8e0d178b1d1e | 2497 | |
wolfSSL | 15:117db924cf7c | 2498 | AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl); |
wolfSSL | 15:117db924cf7c | 2499 | |
wolfSSL | 15:117db924cf7c | 2500 | WOLFSSL_MSG("Restart Hash"); |
wolfSSL | 15:117db924cf7c | 2501 | WOLFSSL_BUFFER(hash, hashSz); |
wolfSSL | 15:117db924cf7c | 2502 | |
wolfSSL | 15:117db924cf7c | 2503 | #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) |
wolfSSL | 15:117db924cf7c | 2504 | if (ssl->options.sendCookie) { |
wolfSSL | 15:117db924cf7c | 2505 | byte cookie[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2]; |
wolfSSL | 15:117db924cf7c | 2506 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 2507 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 2508 | |
wolfSSL | 15:117db924cf7c | 2509 | /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */ |
wolfSSL | 15:117db924cf7c | 2510 | cookie[idx++] = hashSz; |
wolfSSL | 16:8e0d178b1d1e | 2511 | if (hash) |
wolfSSL | 16:8e0d178b1d1e | 2512 | XMEMCPY(cookie + idx, hash, hashSz); |
wolfSSL | 15:117db924cf7c | 2513 | idx += hashSz; |
wolfSSL | 15:117db924cf7c | 2514 | cookie[idx++] = ssl->options.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 2515 | cookie[idx++] = ssl->options.cipherSuite; |
wolfSSL | 15:117db924cf7c | 2516 | if ((ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE)) != NULL) { |
wolfSSL | 15:117db924cf7c | 2517 | KeyShareEntry* kse = (KeyShareEntry*)ext->data; |
wolfSSL | 15:117db924cf7c | 2518 | c16toa(kse->group, cookie + idx); |
wolfSSL | 15:117db924cf7c | 2519 | idx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2520 | } |
wolfSSL | 15:117db924cf7c | 2521 | return CreateCookie(ssl, cookie, idx); |
wolfSSL | 15:117db924cf7c | 2522 | } |
wolfSSL | 15:117db924cf7c | 2523 | #endif |
wolfSSL | 15:117db924cf7c | 2524 | |
wolfSSL | 15:117db924cf7c | 2525 | ret = InitHandshakeHashes(ssl); |
wolfSSL | 15:117db924cf7c | 2526 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2527 | return ret; |
wolfSSL | 15:117db924cf7c | 2528 | ret = HashOutputRaw(ssl, header, sizeof(header)); |
wolfSSL | 15:117db924cf7c | 2529 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2530 | return ret; |
wolfSSL | 15:117db924cf7c | 2531 | return HashOutputRaw(ssl, hash, hashSz); |
wolfSSL | 15:117db924cf7c | 2532 | } |
wolfSSL | 15:117db924cf7c | 2533 | |
wolfSSL | 15:117db924cf7c | 2534 | /* The value in the random field of a ServerHello to indicate |
wolfSSL | 15:117db924cf7c | 2535 | * HelloRetryRequest. |
wolfSSL | 15:117db924cf7c | 2536 | */ |
wolfSSL | 15:117db924cf7c | 2537 | static byte helloRetryRequestRandom[] = { |
wolfSSL | 15:117db924cf7c | 2538 | 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, |
wolfSSL | 15:117db924cf7c | 2539 | 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, |
wolfSSL | 15:117db924cf7c | 2540 | 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, |
wolfSSL | 15:117db924cf7c | 2541 | 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C |
wolfSSL | 15:117db924cf7c | 2542 | }; |
wolfSSL | 15:117db924cf7c | 2543 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 2544 | |
wolfSSL | 15:117db924cf7c | 2545 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 2546 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 2547 | /* Setup pre-shared key based on the details in the extension data. |
wolfSSL | 15:117db924cf7c | 2548 | * |
wolfSSL | 15:117db924cf7c | 2549 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2550 | * psk Pre-shared key extension data. |
wolfSSL | 15:117db924cf7c | 2551 | * returns 0 on success, PSK_KEY_ERROR when the client PSK callback fails and |
wolfSSL | 15:117db924cf7c | 2552 | * other negative value on failure. |
wolfSSL | 15:117db924cf7c | 2553 | */ |
wolfSSL | 15:117db924cf7c | 2554 | static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk) |
wolfSSL | 15:117db924cf7c | 2555 | { |
wolfSSL | 15:117db924cf7c | 2556 | int ret; |
wolfSSL | 15:117db924cf7c | 2557 | byte suite[2]; |
wolfSSL | 15:117db924cf7c | 2558 | |
wolfSSL | 16:8e0d178b1d1e | 2559 | if (psk == NULL) |
wolfSSL | 16:8e0d178b1d1e | 2560 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 2561 | |
wolfSSL | 15:117db924cf7c | 2562 | suite[0] = psk->cipherSuite0; |
wolfSSL | 15:117db924cf7c | 2563 | suite[1] = psk->cipherSuite; |
wolfSSL | 16:8e0d178b1d1e | 2564 | if (!FindSuiteSSL(ssl, suite)) |
wolfSSL | 15:117db924cf7c | 2565 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 2566 | |
wolfSSL | 15:117db924cf7c | 2567 | ssl->options.cipherSuite0 = psk->cipherSuite0; |
wolfSSL | 15:117db924cf7c | 2568 | ssl->options.cipherSuite = psk->cipherSuite; |
wolfSSL | 15:117db924cf7c | 2569 | if ((ret = SetCipherSpecs(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 2570 | return ret; |
wolfSSL | 15:117db924cf7c | 2571 | |
wolfSSL | 15:117db924cf7c | 2572 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 2573 | if (psk->resumption) { |
wolfSSL | 15:117db924cf7c | 2574 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 2575 | if (ssl->session.maxEarlyDataSz == 0) |
wolfSSL | 15:117db924cf7c | 2576 | ssl->earlyData = no_early_data; |
wolfSSL | 15:117db924cf7c | 2577 | #endif |
wolfSSL | 15:117db924cf7c | 2578 | /* Resumption PSK is master secret. */ |
wolfSSL | 15:117db924cf7c | 2579 | ssl->arrays->psk_keySz = ssl->specs.hash_size; |
wolfSSL | 15:117db924cf7c | 2580 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2581 | XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret, |
wolfSSL | 15:117db924cf7c | 2582 | ssl->arrays->psk_keySz); |
wolfSSL | 15:117db924cf7c | 2583 | #else |
wolfSSL | 15:117db924cf7c | 2584 | if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data, |
wolfSSL | 15:117db924cf7c | 2585 | ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) { |
wolfSSL | 15:117db924cf7c | 2586 | return ret; |
wolfSSL | 15:117db924cf7c | 2587 | } |
wolfSSL | 15:117db924cf7c | 2588 | #endif |
wolfSSL | 15:117db924cf7c | 2589 | } |
wolfSSL | 15:117db924cf7c | 2590 | #endif |
wolfSSL | 15:117db924cf7c | 2591 | #ifndef NO_PSK |
wolfSSL | 15:117db924cf7c | 2592 | if (!psk->resumption) { |
wolfSSL | 16:8e0d178b1d1e | 2593 | #ifndef WOLFSSL_PSK_ONE_ID |
wolfSSL | 16:8e0d178b1d1e | 2594 | const char* cipherName = NULL; |
wolfSSL | 16:8e0d178b1d1e | 2595 | byte cipherSuite0 = TLS13_BYTE, cipherSuite = WOLFSSL_DEF_PSK_CIPHER; |
wolfSSL | 16:8e0d178b1d1e | 2596 | |
wolfSSL | 15:117db924cf7c | 2597 | /* Get the pre-shared key. */ |
wolfSSL | 16:8e0d178b1d1e | 2598 | if (ssl->options.client_psk_tls13_cb != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 2599 | ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb(ssl, |
wolfSSL | 16:8e0d178b1d1e | 2600 | (char *)psk->identity, ssl->arrays->client_identity, |
wolfSSL | 16:8e0d178b1d1e | 2601 | MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN, |
wolfSSL | 16:8e0d178b1d1e | 2602 | &cipherName); |
wolfSSL | 16:8e0d178b1d1e | 2603 | if (GetCipherSuiteFromName(cipherName, &cipherSuite0, |
wolfSSL | 16:8e0d178b1d1e | 2604 | &cipherSuite) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 2605 | return PSK_KEY_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 2606 | } |
wolfSSL | 16:8e0d178b1d1e | 2607 | } |
wolfSSL | 16:8e0d178b1d1e | 2608 | else { |
wolfSSL | 16:8e0d178b1d1e | 2609 | ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, |
wolfSSL | 16:8e0d178b1d1e | 2610 | (char *)psk->identity, ssl->arrays->client_identity, |
wolfSSL | 16:8e0d178b1d1e | 2611 | MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); |
wolfSSL | 16:8e0d178b1d1e | 2612 | } |
wolfSSL | 15:117db924cf7c | 2613 | if (ssl->arrays->psk_keySz == 0 || |
wolfSSL | 16:8e0d178b1d1e | 2614 | ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { |
wolfSSL | 15:117db924cf7c | 2615 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 2616 | } |
wolfSSL | 16:8e0d178b1d1e | 2617 | |
wolfSSL | 16:8e0d178b1d1e | 2618 | if (psk->cipherSuite0 != cipherSuite0 || |
wolfSSL | 16:8e0d178b1d1e | 2619 | psk->cipherSuite != cipherSuite) { |
wolfSSL | 15:117db924cf7c | 2620 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 2621 | } |
wolfSSL | 16:8e0d178b1d1e | 2622 | #else |
wolfSSL | 16:8e0d178b1d1e | 2623 | /* PSK information loaded during setting of default TLS extensions. */ |
wolfSSL | 16:8e0d178b1d1e | 2624 | #endif |
wolfSSL | 16:8e0d178b1d1e | 2625 | } |
wolfSSL | 16:8e0d178b1d1e | 2626 | #endif |
wolfSSL | 16:8e0d178b1d1e | 2627 | |
wolfSSL | 16:8e0d178b1d1e | 2628 | if (ssl->options.noPskDheKe) |
wolfSSL | 16:8e0d178b1d1e | 2629 | ssl->arrays->preMasterSz = 0; |
wolfSSL | 15:117db924cf7c | 2630 | |
wolfSSL | 15:117db924cf7c | 2631 | /* Derive the early secret using the PSK. */ |
wolfSSL | 15:117db924cf7c | 2632 | return DeriveEarlySecret(ssl); |
wolfSSL | 15:117db924cf7c | 2633 | } |
wolfSSL | 15:117db924cf7c | 2634 | |
wolfSSL | 15:117db924cf7c | 2635 | /* Derive and write the binders into the ClientHello in space left when |
wolfSSL | 15:117db924cf7c | 2636 | * writing the Pre-Shared Key extension. |
wolfSSL | 15:117db924cf7c | 2637 | * |
wolfSSL | 15:117db924cf7c | 2638 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2639 | * output The buffer containing the ClientHello. |
wolfSSL | 15:117db924cf7c | 2640 | * idx The index at the end of the completed ClientHello. |
wolfSSL | 15:117db924cf7c | 2641 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 2642 | */ |
wolfSSL | 15:117db924cf7c | 2643 | static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx) |
wolfSSL | 15:117db924cf7c | 2644 | { |
wolfSSL | 15:117db924cf7c | 2645 | int ret; |
wolfSSL | 15:117db924cf7c | 2646 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 2647 | PreSharedKey* current; |
wolfSSL | 15:117db924cf7c | 2648 | byte binderKey[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 2649 | word16 len; |
wolfSSL | 15:117db924cf7c | 2650 | |
wolfSSL | 15:117db924cf7c | 2651 | WOLFSSL_ENTER("WritePSKBinders"); |
wolfSSL | 15:117db924cf7c | 2652 | |
wolfSSL | 15:117db924cf7c | 2653 | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
wolfSSL | 15:117db924cf7c | 2654 | if (ext == NULL) |
wolfSSL | 15:117db924cf7c | 2655 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 2656 | |
wolfSSL | 15:117db924cf7c | 2657 | /* Get the size of the binders to determine where to write binders. */ |
wolfSSL | 16:8e0d178b1d1e | 2658 | ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data, |
wolfSSL | 16:8e0d178b1d1e | 2659 | client_hello, &len); |
wolfSSL | 16:8e0d178b1d1e | 2660 | if (ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 2661 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 2662 | idx -= len; |
wolfSSL | 15:117db924cf7c | 2663 | |
wolfSSL | 15:117db924cf7c | 2664 | /* Hash truncated ClientHello - up to binders. */ |
wolfSSL | 15:117db924cf7c | 2665 | ret = HashOutput(ssl, output, idx, 0); |
wolfSSL | 15:117db924cf7c | 2666 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2667 | return ret; |
wolfSSL | 15:117db924cf7c | 2668 | |
wolfSSL | 15:117db924cf7c | 2669 | current = (PreSharedKey*)ext->data; |
wolfSSL | 15:117db924cf7c | 2670 | /* Calculate the binder for each identity based on previous handshake data. |
wolfSSL | 15:117db924cf7c | 2671 | */ |
wolfSSL | 15:117db924cf7c | 2672 | while (current != NULL) { |
wolfSSL | 15:117db924cf7c | 2673 | if ((ret = SetupPskKey(ssl, current)) != 0) |
wolfSSL | 15:117db924cf7c | 2674 | return ret; |
wolfSSL | 15:117db924cf7c | 2675 | |
wolfSSL | 15:117db924cf7c | 2676 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 2677 | if (current->resumption) |
wolfSSL | 15:117db924cf7c | 2678 | ret = DeriveBinderKeyResume(ssl, binderKey); |
wolfSSL | 15:117db924cf7c | 2679 | #endif |
wolfSSL | 15:117db924cf7c | 2680 | #ifndef NO_PSK |
wolfSSL | 15:117db924cf7c | 2681 | if (!current->resumption) |
wolfSSL | 15:117db924cf7c | 2682 | ret = DeriveBinderKey(ssl, binderKey); |
wolfSSL | 15:117db924cf7c | 2683 | #endif |
wolfSSL | 15:117db924cf7c | 2684 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2685 | return ret; |
wolfSSL | 15:117db924cf7c | 2686 | |
wolfSSL | 15:117db924cf7c | 2687 | /* Derive the Finished message secret. */ |
wolfSSL | 15:117db924cf7c | 2688 | ret = DeriveFinishedSecret(ssl, binderKey, |
wolfSSL | 15:117db924cf7c | 2689 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 2690 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2691 | return ret; |
wolfSSL | 15:117db924cf7c | 2692 | |
wolfSSL | 15:117db924cf7c | 2693 | /* Build the HMAC of the handshake message data = binder. */ |
wolfSSL | 15:117db924cf7c | 2694 | ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, |
wolfSSL | 15:117db924cf7c | 2695 | current->binder, ¤t->binderLen); |
wolfSSL | 15:117db924cf7c | 2696 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2697 | return ret; |
wolfSSL | 15:117db924cf7c | 2698 | |
wolfSSL | 15:117db924cf7c | 2699 | current = current->next; |
wolfSSL | 15:117db924cf7c | 2700 | } |
wolfSSL | 15:117db924cf7c | 2701 | |
wolfSSL | 15:117db924cf7c | 2702 | /* Data entered into extension, now write to message. */ |
wolfSSL | 16:8e0d178b1d1e | 2703 | ret = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx, |
wolfSSL | 16:8e0d178b1d1e | 2704 | client_hello, &len); |
wolfSSL | 16:8e0d178b1d1e | 2705 | if (ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 2706 | return ret; |
wolfSSL | 15:117db924cf7c | 2707 | |
wolfSSL | 15:117db924cf7c | 2708 | /* Hash binders to complete the hash of the ClientHello. */ |
wolfSSL | 15:117db924cf7c | 2709 | ret = HashOutputRaw(ssl, output + idx, len); |
wolfSSL | 15:117db924cf7c | 2710 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 2711 | return ret; |
wolfSSL | 15:117db924cf7c | 2712 | |
wolfSSL | 15:117db924cf7c | 2713 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 2714 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 2715 | if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data)) != 0) |
wolfSSL | 15:117db924cf7c | 2716 | return ret; |
wolfSSL | 15:117db924cf7c | 2717 | |
wolfSSL | 15:117db924cf7c | 2718 | /* Derive early data encryption key. */ |
wolfSSL | 15:117db924cf7c | 2719 | ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1); |
wolfSSL | 15:117db924cf7c | 2720 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2721 | return ret; |
wolfSSL | 15:117db924cf7c | 2722 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 2723 | return ret; |
wolfSSL | 15:117db924cf7c | 2724 | } |
wolfSSL | 15:117db924cf7c | 2725 | #endif |
wolfSSL | 15:117db924cf7c | 2726 | |
wolfSSL | 15:117db924cf7c | 2727 | WOLFSSL_LEAVE("WritePSKBinders", ret); |
wolfSSL | 15:117db924cf7c | 2728 | |
wolfSSL | 15:117db924cf7c | 2729 | return ret; |
wolfSSL | 15:117db924cf7c | 2730 | } |
wolfSSL | 15:117db924cf7c | 2731 | #endif |
wolfSSL | 15:117db924cf7c | 2732 | |
wolfSSL | 15:117db924cf7c | 2733 | /* handle generation of TLS 1.3 client_hello (1) */ |
wolfSSL | 15:117db924cf7c | 2734 | /* Send a ClientHello message to the server. |
wolfSSL | 15:117db924cf7c | 2735 | * Include the information required to start a handshake with servers using |
wolfSSL | 15:117db924cf7c | 2736 | * protocol versions less than TLS v1.3. |
wolfSSL | 15:117db924cf7c | 2737 | * Only a client will send this message. |
wolfSSL | 15:117db924cf7c | 2738 | * |
wolfSSL | 15:117db924cf7c | 2739 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2740 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 2741 | */ |
wolfSSL | 15:117db924cf7c | 2742 | int SendTls13ClientHello(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 2743 | { |
wolfSSL | 15:117db924cf7c | 2744 | byte* output; |
wolfSSL | 15:117db924cf7c | 2745 | word16 length; |
wolfSSL | 15:117db924cf7c | 2746 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 2747 | int sendSz; |
wolfSSL | 15:117db924cf7c | 2748 | int ret; |
wolfSSL | 15:117db924cf7c | 2749 | |
wolfSSL | 15:117db924cf7c | 2750 | WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND); |
wolfSSL | 15:117db924cf7c | 2751 | WOLFSSL_ENTER("SendTls13ClientHello"); |
wolfSSL | 15:117db924cf7c | 2752 | |
wolfSSL | 15:117db924cf7c | 2753 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 2754 | if (ssl->options.resuming && |
wolfSSL | 15:117db924cf7c | 2755 | (ssl->session.version.major != ssl->version.major || |
wolfSSL | 15:117db924cf7c | 2756 | ssl->session.version.minor != ssl->version.minor)) { |
wolfSSL | 15:117db924cf7c | 2757 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 2758 | if (ssl->session.version.major == ssl->version.major && |
wolfSSL | 15:117db924cf7c | 2759 | ssl->session.version.minor < ssl->version.minor) { |
wolfSSL | 15:117db924cf7c | 2760 | /* Cannot resume with a different protocol version. */ |
wolfSSL | 15:117db924cf7c | 2761 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 2762 | ssl->version.major = ssl->session.version.major; |
wolfSSL | 15:117db924cf7c | 2763 | ssl->version.minor = ssl->session.version.minor; |
wolfSSL | 15:117db924cf7c | 2764 | return SendClientHello(ssl); |
wolfSSL | 15:117db924cf7c | 2765 | } |
wolfSSL | 15:117db924cf7c | 2766 | else |
wolfSSL | 15:117db924cf7c | 2767 | #endif |
wolfSSL | 15:117db924cf7c | 2768 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 2769 | } |
wolfSSL | 15:117db924cf7c | 2770 | #endif |
wolfSSL | 15:117db924cf7c | 2771 | |
wolfSSL | 15:117db924cf7c | 2772 | if (ssl->suites == NULL) { |
wolfSSL | 15:117db924cf7c | 2773 | WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello"); |
wolfSSL | 15:117db924cf7c | 2774 | return SUITES_ERROR; |
wolfSSL | 15:117db924cf7c | 2775 | } |
wolfSSL | 15:117db924cf7c | 2776 | |
wolfSSL | 15:117db924cf7c | 2777 | /* Version | Random | Session Id | Cipher Suites | Compression */ |
wolfSSL | 15:117db924cf7c | 2778 | length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->suites->suiteSz + |
wolfSSL | 15:117db924cf7c | 2779 | SUITE_LEN + COMP_LEN + ENUM_LEN; |
wolfSSL | 15:117db924cf7c | 2780 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2781 | #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 2782 | length += ID_LEN; |
wolfSSL | 15:117db924cf7c | 2783 | #else |
wolfSSL | 15:117db924cf7c | 2784 | if (ssl->session.sessionIDSz > 0) |
wolfSSL | 15:117db924cf7c | 2785 | length += ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 2786 | #endif |
wolfSSL | 15:117db924cf7c | 2787 | #endif |
wolfSSL | 15:117db924cf7c | 2788 | |
wolfSSL | 15:117db924cf7c | 2789 | /* Auto populate extensions supported unless user defined. */ |
wolfSSL | 15:117db924cf7c | 2790 | if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0) |
wolfSSL | 15:117db924cf7c | 2791 | return ret; |
wolfSSL | 15:117db924cf7c | 2792 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 2793 | #ifndef NO_PSK |
wolfSSL | 16:8e0d178b1d1e | 2794 | if (!ssl->options.resuming && |
wolfSSL | 16:8e0d178b1d1e | 2795 | ssl->options.client_psk_tls13_cb == NULL && |
wolfSSL | 16:8e0d178b1d1e | 2796 | ssl->options.client_psk_cb == NULL) |
wolfSSL | 15:117db924cf7c | 2797 | #else |
wolfSSL | 15:117db924cf7c | 2798 | if (!ssl->options.resuming) |
wolfSSL | 15:117db924cf7c | 2799 | #endif |
wolfSSL | 15:117db924cf7c | 2800 | ssl->earlyData = no_early_data; |
wolfSSL | 15:117db924cf7c | 2801 | if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) |
wolfSSL | 15:117db924cf7c | 2802 | ssl->earlyData = no_early_data; |
wolfSSL | 15:117db924cf7c | 2803 | if (ssl->earlyData == no_early_data) |
wolfSSL | 15:117db924cf7c | 2804 | TLSX_Remove(&ssl->extensions, TLSX_EARLY_DATA, ssl->heap); |
wolfSSL | 15:117db924cf7c | 2805 | if (ssl->earlyData != no_early_data && |
wolfSSL | 15:117db924cf7c | 2806 | (ret = TLSX_EarlyData_Use(ssl, 0)) < 0) { |
wolfSSL | 15:117db924cf7c | 2807 | return ret; |
wolfSSL | 15:117db924cf7c | 2808 | } |
wolfSSL | 15:117db924cf7c | 2809 | #endif |
wolfSSL | 15:117db924cf7c | 2810 | /* Include length of TLS extensions. */ |
wolfSSL | 15:117db924cf7c | 2811 | ret = TLSX_GetRequestSize(ssl, client_hello, &length); |
wolfSSL | 15:117db924cf7c | 2812 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2813 | return ret; |
wolfSSL | 15:117db924cf7c | 2814 | |
wolfSSL | 15:117db924cf7c | 2815 | /* Total message size. */ |
wolfSSL | 15:117db924cf7c | 2816 | sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 2817 | |
wolfSSL | 15:117db924cf7c | 2818 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 2819 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 2820 | return ret; |
wolfSSL | 15:117db924cf7c | 2821 | |
wolfSSL | 15:117db924cf7c | 2822 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 2823 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 2824 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 2825 | |
wolfSSL | 15:117db924cf7c | 2826 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 2827 | AddTls13Headers(output, length, client_hello, ssl); |
wolfSSL | 15:117db924cf7c | 2828 | |
wolfSSL | 15:117db924cf7c | 2829 | /* Protocol version - negotiation now in extension: supported_versions. */ |
wolfSSL | 15:117db924cf7c | 2830 | output[idx++] = SSLv3_MAJOR; |
wolfSSL | 15:117db924cf7c | 2831 | output[idx++] = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 2832 | /* Keep for downgrade. */ |
wolfSSL | 15:117db924cf7c | 2833 | ssl->chVersion = ssl->version; |
wolfSSL | 15:117db924cf7c | 2834 | |
wolfSSL | 15:117db924cf7c | 2835 | /* Client Random */ |
wolfSSL | 15:117db924cf7c | 2836 | if (ssl->options.connectState == CONNECT_BEGIN) { |
wolfSSL | 15:117db924cf7c | 2837 | ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 2838 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2839 | return ret; |
wolfSSL | 15:117db924cf7c | 2840 | |
wolfSSL | 15:117db924cf7c | 2841 | /* Store random for possible second ClientHello. */ |
wolfSSL | 15:117db924cf7c | 2842 | XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 2843 | } |
wolfSSL | 15:117db924cf7c | 2844 | else |
wolfSSL | 15:117db924cf7c | 2845 | XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 2846 | idx += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 2847 | |
wolfSSL | 15:117db924cf7c | 2848 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2849 | /* TLS v1.3 does not use session id - 0 length. */ |
wolfSSL | 15:117db924cf7c | 2850 | output[idx++] = 0; |
wolfSSL | 15:117db924cf7c | 2851 | #else |
wolfSSL | 15:117db924cf7c | 2852 | if (ssl->session.sessionIDSz > 0) { |
wolfSSL | 15:117db924cf7c | 2853 | /* Session resumption for old versions of protocol. */ |
wolfSSL | 15:117db924cf7c | 2854 | output[idx++] = ID_LEN; |
wolfSSL | 15:117db924cf7c | 2855 | XMEMCPY(output + idx, ssl->session.sessionID, ssl->session.sessionIDSz); |
wolfSSL | 15:117db924cf7c | 2856 | idx += ID_LEN; |
wolfSSL | 15:117db924cf7c | 2857 | } |
wolfSSL | 15:117db924cf7c | 2858 | else { |
wolfSSL | 15:117db924cf7c | 2859 | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
wolfSSL | 15:117db924cf7c | 2860 | output[idx++] = ID_LEN; |
wolfSSL | 15:117db924cf7c | 2861 | XMEMCPY(output + idx, ssl->arrays->clientRandom, ID_LEN); |
wolfSSL | 15:117db924cf7c | 2862 | idx += ID_LEN; |
wolfSSL | 15:117db924cf7c | 2863 | #else |
wolfSSL | 15:117db924cf7c | 2864 | /* TLS v1.3 does not use session id - 0 length. */ |
wolfSSL | 15:117db924cf7c | 2865 | output[idx++] = 0; |
wolfSSL | 15:117db924cf7c | 2866 | #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */ |
wolfSSL | 15:117db924cf7c | 2867 | } |
wolfSSL | 15:117db924cf7c | 2868 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 2869 | |
wolfSSL | 15:117db924cf7c | 2870 | /* Cipher suites */ |
wolfSSL | 15:117db924cf7c | 2871 | c16toa(ssl->suites->suiteSz, output + idx); |
wolfSSL | 15:117db924cf7c | 2872 | idx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2873 | XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz); |
wolfSSL | 15:117db924cf7c | 2874 | idx += ssl->suites->suiteSz; |
wolfSSL | 15:117db924cf7c | 2875 | |
wolfSSL | 15:117db924cf7c | 2876 | /* Compression not supported in TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 2877 | output[idx++] = COMP_LEN; |
wolfSSL | 15:117db924cf7c | 2878 | output[idx++] = NO_COMPRESSION; |
wolfSSL | 15:117db924cf7c | 2879 | |
wolfSSL | 15:117db924cf7c | 2880 | /* Write out extensions for a request. */ |
wolfSSL | 15:117db924cf7c | 2881 | length = 0; |
wolfSSL | 15:117db924cf7c | 2882 | ret = TLSX_WriteRequest(ssl, output + idx, client_hello, &length); |
wolfSSL | 15:117db924cf7c | 2883 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2884 | return ret; |
wolfSSL | 15:117db924cf7c | 2885 | idx += length; |
wolfSSL | 15:117db924cf7c | 2886 | |
wolfSSL | 15:117db924cf7c | 2887 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 2888 | /* Resumption has a specific set of extensions and binder is calculated |
wolfSSL | 15:117db924cf7c | 2889 | * for each identity. |
wolfSSL | 15:117db924cf7c | 2890 | */ |
wolfSSL | 15:117db924cf7c | 2891 | if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY)) |
wolfSSL | 15:117db924cf7c | 2892 | ret = WritePSKBinders(ssl, output, idx); |
wolfSSL | 15:117db924cf7c | 2893 | else |
wolfSSL | 15:117db924cf7c | 2894 | #endif |
wolfSSL | 15:117db924cf7c | 2895 | ret = HashOutput(ssl, output, idx, 0); |
wolfSSL | 15:117db924cf7c | 2896 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2897 | return ret; |
wolfSSL | 15:117db924cf7c | 2898 | |
wolfSSL | 15:117db924cf7c | 2899 | ssl->options.clientState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 2900 | |
wolfSSL | 15:117db924cf7c | 2901 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 2902 | if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); |
wolfSSL | 15:117db924cf7c | 2903 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 2904 | AddPacketInfo(ssl, "ClientHello", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 2905 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 2906 | } |
wolfSSL | 15:117db924cf7c | 2907 | #endif |
wolfSSL | 15:117db924cf7c | 2908 | |
wolfSSL | 15:117db924cf7c | 2909 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 2910 | |
wolfSSL | 16:8e0d178b1d1e | 2911 | #ifdef WOLFSSL_EARLY_DATA_GROUP |
wolfSSL | 16:8e0d178b1d1e | 2912 | if (ssl->earlyData == no_early_data) |
wolfSSL | 16:8e0d178b1d1e | 2913 | #endif |
wolfSSL | 16:8e0d178b1d1e | 2914 | ret = SendBuffered(ssl); |
wolfSSL | 16:8e0d178b1d1e | 2915 | |
wolfSSL | 15:117db924cf7c | 2916 | |
wolfSSL | 15:117db924cf7c | 2917 | WOLFSSL_LEAVE("SendTls13ClientHello", ret); |
wolfSSL | 15:117db924cf7c | 2918 | WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND); |
wolfSSL | 15:117db924cf7c | 2919 | |
wolfSSL | 15:117db924cf7c | 2920 | return ret; |
wolfSSL | 15:117db924cf7c | 2921 | } |
wolfSSL | 15:117db924cf7c | 2922 | |
wolfSSL | 15:117db924cf7c | 2923 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 2924 | /* handle rocessing of TLS 1.3 hello_retry_request (6) */ |
wolfSSL | 15:117db924cf7c | 2925 | /* Parse and handle a HelloRetryRequest message. |
wolfSSL | 15:117db924cf7c | 2926 | * Only a client will receive this message. |
wolfSSL | 15:117db924cf7c | 2927 | * |
wolfSSL | 15:117db924cf7c | 2928 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2929 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 2930 | * inOutIdx On entry, the index into the message buffer of |
wolfSSL | 15:117db924cf7c | 2931 | * HelloRetryRequest. |
wolfSSL | 15:117db924cf7c | 2932 | * On exit, the index of byte after the HelloRetryRequest message. |
wolfSSL | 15:117db924cf7c | 2933 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 2934 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 2935 | */ |
wolfSSL | 15:117db924cf7c | 2936 | static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 2937 | word32* inOutIdx, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 2938 | { |
wolfSSL | 15:117db924cf7c | 2939 | int ret; |
wolfSSL | 15:117db924cf7c | 2940 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 2941 | word32 i = begin; |
wolfSSL | 15:117db924cf7c | 2942 | word16 totalExtSz; |
wolfSSL | 15:117db924cf7c | 2943 | ProtocolVersion pv; |
wolfSSL | 15:117db924cf7c | 2944 | |
wolfSSL | 15:117db924cf7c | 2945 | WOLFSSL_ENTER("DoTls13HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 2946 | |
wolfSSL | 15:117db924cf7c | 2947 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 2948 | if (ssl->hsInfoOn) AddPacketName(ssl, "HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 2949 | if (ssl->toInfoOn) AddLateName("HelloRetryRequest", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 2950 | #endif |
wolfSSL | 15:117db924cf7c | 2951 | |
wolfSSL | 15:117db924cf7c | 2952 | /* Version info and length field of extension data. */ |
wolfSSL | 15:117db924cf7c | 2953 | if (totalSz < i - begin + OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 2954 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2955 | |
wolfSSL | 15:117db924cf7c | 2956 | /* Protocol version. */ |
wolfSSL | 15:117db924cf7c | 2957 | XMEMCPY(&pv, input + i, OPAQUE16_LEN); |
wolfSSL | 15:117db924cf7c | 2958 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2959 | ret = CheckVersion(ssl, pv); |
wolfSSL | 15:117db924cf7c | 2960 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 2961 | return ret; |
wolfSSL | 15:117db924cf7c | 2962 | |
wolfSSL | 15:117db924cf7c | 2963 | /* Length of extension data. */ |
wolfSSL | 15:117db924cf7c | 2964 | ato16(&input[i], &totalExtSz); |
wolfSSL | 15:117db924cf7c | 2965 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 2966 | if (totalExtSz == 0) { |
wolfSSL | 15:117db924cf7c | 2967 | WOLFSSL_MSG("HelloRetryRequest must contain extensions"); |
wolfSSL | 15:117db924cf7c | 2968 | return MISSING_HANDSHAKE_DATA; |
wolfSSL | 15:117db924cf7c | 2969 | } |
wolfSSL | 15:117db924cf7c | 2970 | |
wolfSSL | 15:117db924cf7c | 2971 | /* Extension data. */ |
wolfSSL | 15:117db924cf7c | 2972 | if (i - begin + totalExtSz > totalSz) |
wolfSSL | 15:117db924cf7c | 2973 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 2974 | if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz, |
wolfSSL | 15:117db924cf7c | 2975 | hello_retry_request, NULL)) != 0) |
wolfSSL | 15:117db924cf7c | 2976 | return ret; |
wolfSSL | 15:117db924cf7c | 2977 | /* The KeyShare extension parsing fails when not valid. */ |
wolfSSL | 15:117db924cf7c | 2978 | |
wolfSSL | 15:117db924cf7c | 2979 | /* Move index to byte after message. */ |
wolfSSL | 15:117db924cf7c | 2980 | *inOutIdx = i + totalExtSz; |
wolfSSL | 15:117db924cf7c | 2981 | |
wolfSSL | 15:117db924cf7c | 2982 | ssl->options.tls1_3 = 1; |
wolfSSL | 15:117db924cf7c | 2983 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
wolfSSL | 15:117db924cf7c | 2984 | |
wolfSSL | 15:117db924cf7c | 2985 | WOLFSSL_LEAVE("DoTls13HelloRetryRequest", ret); |
wolfSSL | 15:117db924cf7c | 2986 | |
wolfSSL | 15:117db924cf7c | 2987 | return ret; |
wolfSSL | 15:117db924cf7c | 2988 | } |
wolfSSL | 15:117db924cf7c | 2989 | #endif |
wolfSSL | 15:117db924cf7c | 2990 | |
wolfSSL | 15:117db924cf7c | 2991 | |
wolfSSL | 15:117db924cf7c | 2992 | /* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */ |
wolfSSL | 15:117db924cf7c | 2993 | /* Handle the ServerHello message from the server. |
wolfSSL | 15:117db924cf7c | 2994 | * Only a client will receive this message. |
wolfSSL | 15:117db924cf7c | 2995 | * |
wolfSSL | 15:117db924cf7c | 2996 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 2997 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 2998 | * inOutIdx On entry, the index into the message buffer of ServerHello. |
wolfSSL | 15:117db924cf7c | 2999 | * On exit, the index of byte after the ServerHello message. |
wolfSSL | 15:117db924cf7c | 3000 | * helloSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 3001 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 3002 | */ |
wolfSSL | 15:117db924cf7c | 3003 | int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 3004 | word32 helloSz, byte* extMsgType) |
wolfSSL | 15:117db924cf7c | 3005 | { |
wolfSSL | 15:117db924cf7c | 3006 | ProtocolVersion pv; |
wolfSSL | 15:117db924cf7c | 3007 | word32 i = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 3008 | word32 begin = i; |
wolfSSL | 15:117db924cf7c | 3009 | int ret; |
wolfSSL | 15:117db924cf7c | 3010 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3011 | byte sessIdSz; |
wolfSSL | 15:117db924cf7c | 3012 | const byte* sessId; |
wolfSSL | 15:117db924cf7c | 3013 | byte b; |
wolfSSL | 16:8e0d178b1d1e | 3014 | int foundVersion; |
wolfSSL | 15:117db924cf7c | 3015 | #endif |
wolfSSL | 15:117db924cf7c | 3016 | word16 totalExtSz; |
wolfSSL | 15:117db924cf7c | 3017 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 3018 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 3019 | PreSharedKey* psk = NULL; |
wolfSSL | 15:117db924cf7c | 3020 | #endif |
wolfSSL | 15:117db924cf7c | 3021 | |
wolfSSL | 15:117db924cf7c | 3022 | WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO); |
wolfSSL | 15:117db924cf7c | 3023 | WOLFSSL_ENTER("DoTls13ServerHello"); |
wolfSSL | 15:117db924cf7c | 3024 | |
wolfSSL | 15:117db924cf7c | 3025 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 3026 | if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello"); |
wolfSSL | 15:117db924cf7c | 3027 | if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 3028 | #endif |
wolfSSL | 15:117db924cf7c | 3029 | |
wolfSSL | 15:117db924cf7c | 3030 | /* Protocol version length check. */ |
wolfSSL | 15:117db924cf7c | 3031 | if (OPAQUE16_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3032 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3033 | |
wolfSSL | 15:117db924cf7c | 3034 | /* Protocol version */ |
wolfSSL | 15:117db924cf7c | 3035 | XMEMCPY(&pv, input + i, OPAQUE16_LEN); |
wolfSSL | 15:117db924cf7c | 3036 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3037 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3038 | ret = CheckVersion(ssl, pv); |
wolfSSL | 15:117db924cf7c | 3039 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3040 | return ret; |
wolfSSL | 15:117db924cf7c | 3041 | if (!IsAtLeastTLSv1_3(pv) && pv.major != TLS_DRAFT_MAJOR) { |
wolfSSL | 15:117db924cf7c | 3042 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 3043 | if (ssl->options.downgrade) { |
wolfSSL | 15:117db924cf7c | 3044 | ssl->version = pv; |
wolfSSL | 15:117db924cf7c | 3045 | return DoServerHello(ssl, input, inOutIdx, helloSz); |
wolfSSL | 15:117db924cf7c | 3046 | } |
wolfSSL | 15:117db924cf7c | 3047 | #endif |
wolfSSL | 15:117db924cf7c | 3048 | |
wolfSSL | 15:117db924cf7c | 3049 | WOLFSSL_MSG("Client using higher version, fatal error"); |
wolfSSL | 15:117db924cf7c | 3050 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 3051 | } |
wolfSSL | 15:117db924cf7c | 3052 | #else |
wolfSSL | 15:117db924cf7c | 3053 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 3054 | if (pv.major == ssl->version.major && pv.minor < TLSv1_2_MINOR && |
wolfSSL | 15:117db924cf7c | 3055 | ssl->options.downgrade) { |
wolfSSL | 15:117db924cf7c | 3056 | /* Force client hello version 1.2 to work for static RSA. */ |
wolfSSL | 15:117db924cf7c | 3057 | ssl->chVersion.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 3058 | ssl->version.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 3059 | return DoServerHello(ssl, input, inOutIdx, helloSz); |
wolfSSL | 15:117db924cf7c | 3060 | } |
wolfSSL | 15:117db924cf7c | 3061 | #endif |
wolfSSL | 15:117db924cf7c | 3062 | if (pv.major != ssl->version.major || pv.minor != TLSv1_2_MINOR) |
wolfSSL | 15:117db924cf7c | 3063 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 3064 | #endif |
wolfSSL | 15:117db924cf7c | 3065 | |
wolfSSL | 15:117db924cf7c | 3066 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3067 | /* Random length check */ |
wolfSSL | 15:117db924cf7c | 3068 | if ((i - begin) + RAN_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3069 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3070 | #else |
wolfSSL | 15:117db924cf7c | 3071 | /* Random and session id length check */ |
wolfSSL | 15:117db924cf7c | 3072 | if ((i - begin) + RAN_LEN + ENUM_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3073 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3074 | |
wolfSSL | 15:117db924cf7c | 3075 | if (XMEMCMP(input + i, helloRetryRequestRandom, RAN_LEN) == 0) |
wolfSSL | 15:117db924cf7c | 3076 | *extMsgType = hello_retry_request; |
wolfSSL | 15:117db924cf7c | 3077 | #endif |
wolfSSL | 15:117db924cf7c | 3078 | |
wolfSSL | 15:117db924cf7c | 3079 | /* Server random - keep for debugging. */ |
wolfSSL | 15:117db924cf7c | 3080 | XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 3081 | i += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 3082 | |
wolfSSL | 15:117db924cf7c | 3083 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3084 | /* Session id */ |
wolfSSL | 15:117db924cf7c | 3085 | sessIdSz = input[i++]; |
wolfSSL | 15:117db924cf7c | 3086 | if ((i - begin) + sessIdSz > helloSz) |
wolfSSL | 15:117db924cf7c | 3087 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3088 | sessId = input + i; |
wolfSSL | 15:117db924cf7c | 3089 | i += sessIdSz; |
wolfSSL | 15:117db924cf7c | 3090 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 3091 | ssl->options.haveSessionId = 1; |
wolfSSL | 15:117db924cf7c | 3092 | |
wolfSSL | 15:117db924cf7c | 3093 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3094 | /* Ciphersuite check */ |
wolfSSL | 15:117db924cf7c | 3095 | if ((i - begin) + OPAQUE16_LEN + OPAQUE16_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3096 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3097 | #else |
wolfSSL | 15:117db924cf7c | 3098 | /* Ciphersuite and compression check */ |
wolfSSL | 15:117db924cf7c | 3099 | if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3100 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3101 | #endif |
wolfSSL | 15:117db924cf7c | 3102 | |
wolfSSL | 15:117db924cf7c | 3103 | /* Set the cipher suite from the message. */ |
wolfSSL | 15:117db924cf7c | 3104 | ssl->options.cipherSuite0 = input[i++]; |
wolfSSL | 15:117db924cf7c | 3105 | ssl->options.cipherSuite = input[i++]; |
wolfSSL | 15:117db924cf7c | 3106 | |
wolfSSL | 15:117db924cf7c | 3107 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3108 | /* Compression */ |
wolfSSL | 15:117db924cf7c | 3109 | b = input[i++]; |
wolfSSL | 15:117db924cf7c | 3110 | if (b != 0) { |
wolfSSL | 15:117db924cf7c | 3111 | WOLFSSL_MSG("Must be no compression types in list"); |
wolfSSL | 15:117db924cf7c | 3112 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3113 | } |
wolfSSL | 15:117db924cf7c | 3114 | #endif |
wolfSSL | 15:117db924cf7c | 3115 | |
wolfSSL | 15:117db924cf7c | 3116 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3117 | if ((i - begin) + OPAQUE16_LEN > helloSz) { |
wolfSSL | 15:117db924cf7c | 3118 | if (!ssl->options.downgrade) |
wolfSSL | 15:117db924cf7c | 3119 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3120 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 3121 | ssl->version.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 3122 | #endif |
wolfSSL | 15:117db924cf7c | 3123 | ssl->options.haveEMS = 0; |
wolfSSL | 15:117db924cf7c | 3124 | } |
wolfSSL | 15:117db924cf7c | 3125 | if ((i - begin) < helloSz) |
wolfSSL | 15:117db924cf7c | 3126 | #endif |
wolfSSL | 15:117db924cf7c | 3127 | { |
wolfSSL | 15:117db924cf7c | 3128 | /* Get extension length and length check. */ |
wolfSSL | 15:117db924cf7c | 3129 | if ((i - begin) + OPAQUE16_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 3130 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3131 | ato16(&input[i], &totalExtSz); |
wolfSSL | 15:117db924cf7c | 3132 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3133 | if ((i - begin) + totalExtSz > helloSz) |
wolfSSL | 15:117db924cf7c | 3134 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3135 | |
wolfSSL | 15:117db924cf7c | 3136 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 16:8e0d178b1d1e | 3137 | /* Need to negotiate version first. */ |
wolfSSL | 16:8e0d178b1d1e | 3138 | if ((ret = TLSX_ParseVersion(ssl, (byte*)input + i, totalExtSz, |
wolfSSL | 16:8e0d178b1d1e | 3139 | *extMsgType, &foundVersion))) { |
wolfSSL | 16:8e0d178b1d1e | 3140 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 3141 | } |
wolfSSL | 16:8e0d178b1d1e | 3142 | if (!foundVersion) { |
wolfSSL | 16:8e0d178b1d1e | 3143 | if (!ssl->options.downgrade) { |
wolfSSL | 16:8e0d178b1d1e | 3144 | WOLFSSL_MSG("Server trying to downgrade to version less than " |
wolfSSL | 16:8e0d178b1d1e | 3145 | "TLS v1.3"); |
wolfSSL | 16:8e0d178b1d1e | 3146 | return VERSION_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 3147 | } |
wolfSSL | 16:8e0d178b1d1e | 3148 | |
wolfSSL | 16:8e0d178b1d1e | 3149 | if (pv.minor < ssl->options.minDowngrade) |
wolfSSL | 16:8e0d178b1d1e | 3150 | return VERSION_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 3151 | ssl->version.minor = pv.minor; |
wolfSSL | 16:8e0d178b1d1e | 3152 | } |
wolfSSL | 16:8e0d178b1d1e | 3153 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3154 | |
wolfSSL | 15:117db924cf7c | 3155 | /* Parse and handle extensions. */ |
wolfSSL | 15:117db924cf7c | 3156 | ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, *extMsgType, |
wolfSSL | 15:117db924cf7c | 3157 | NULL); |
wolfSSL | 15:117db924cf7c | 3158 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3159 | return ret; |
wolfSSL | 15:117db924cf7c | 3160 | |
wolfSSL | 15:117db924cf7c | 3161 | i += totalExtSz; |
wolfSSL | 15:117db924cf7c | 3162 | } |
wolfSSL | 15:117db924cf7c | 3163 | *inOutIdx = i; |
wolfSSL | 15:117db924cf7c | 3164 | |
wolfSSL | 15:117db924cf7c | 3165 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 3166 | |
wolfSSL | 15:117db924cf7c | 3167 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 15:117db924cf7c | 3168 | if (ssl->sessionSecretCb != NULL) { |
wolfSSL | 15:117db924cf7c | 3169 | int secretSz = SECRET_LEN; |
wolfSSL | 15:117db924cf7c | 3170 | ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret, |
wolfSSL | 15:117db924cf7c | 3171 | &secretSz, ssl->sessionSecretCtx); |
wolfSSL | 16:8e0d178b1d1e | 3172 | if (ret != 0 || secretSz != SECRET_LEN) { |
wolfSSL | 15:117db924cf7c | 3173 | return SESSION_SECRET_CB_E; |
wolfSSL | 16:8e0d178b1d1e | 3174 | } |
wolfSSL | 15:117db924cf7c | 3175 | } |
wolfSSL | 15:117db924cf7c | 3176 | #endif /* HAVE_SECRET_CALLBACK */ |
wolfSSL | 15:117db924cf7c | 3177 | |
wolfSSL | 15:117db924cf7c | 3178 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3179 | /* Version only negotiated in extensions for TLS v1.3. |
wolfSSL | 15:117db924cf7c | 3180 | * Only now do we know how to deal with session id. |
wolfSSL | 15:117db924cf7c | 3181 | */ |
wolfSSL | 15:117db924cf7c | 3182 | if (!IsAtLeastTLSv1_3(ssl->version)) { |
wolfSSL | 15:117db924cf7c | 3183 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 3184 | ssl->arrays->sessionIDSz = sessIdSz; |
wolfSSL | 15:117db924cf7c | 3185 | |
wolfSSL | 15:117db924cf7c | 3186 | if (ssl->arrays->sessionIDSz > ID_LEN) { |
wolfSSL | 15:117db924cf7c | 3187 | WOLFSSL_MSG("Invalid session ID size"); |
wolfSSL | 15:117db924cf7c | 3188 | ssl->arrays->sessionIDSz = 0; |
wolfSSL | 15:117db924cf7c | 3189 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3190 | } |
wolfSSL | 15:117db924cf7c | 3191 | else if (ssl->arrays->sessionIDSz) { |
wolfSSL | 15:117db924cf7c | 3192 | XMEMCPY(ssl->arrays->sessionID, sessId, ssl->arrays->sessionIDSz); |
wolfSSL | 15:117db924cf7c | 3193 | ssl->options.haveSessionId = 1; |
wolfSSL | 15:117db924cf7c | 3194 | } |
wolfSSL | 15:117db924cf7c | 3195 | |
wolfSSL | 15:117db924cf7c | 3196 | /* Force client hello version 1.2 to work for static RSA. */ |
wolfSSL | 15:117db924cf7c | 3197 | ssl->chVersion.minor = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 3198 | /* Complete TLS v1.2 processing of ServerHello. */ |
wolfSSL | 15:117db924cf7c | 3199 | ret = CompleteServerHello(ssl); |
wolfSSL | 15:117db924cf7c | 3200 | #else |
wolfSSL | 15:117db924cf7c | 3201 | WOLFSSL_MSG("Client using higher version, fatal error"); |
wolfSSL | 15:117db924cf7c | 3202 | ret = VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 3203 | #endif |
wolfSSL | 15:117db924cf7c | 3204 | |
wolfSSL | 15:117db924cf7c | 3205 | WOLFSSL_LEAVE("DoTls13ServerHello", ret); |
wolfSSL | 15:117db924cf7c | 3206 | |
wolfSSL | 15:117db924cf7c | 3207 | return ret; |
wolfSSL | 15:117db924cf7c | 3208 | } |
wolfSSL | 15:117db924cf7c | 3209 | |
wolfSSL | 15:117db924cf7c | 3210 | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
wolfSSL | 15:117db924cf7c | 3211 | if (sessIdSz == 0) |
wolfSSL | 15:117db924cf7c | 3212 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3213 | if (ssl->session.sessionIDSz != 0) { |
wolfSSL | 15:117db924cf7c | 3214 | if (ssl->session.sessionIDSz != sessIdSz || |
wolfSSL | 15:117db924cf7c | 3215 | XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0) { |
wolfSSL | 15:117db924cf7c | 3216 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3217 | } |
wolfSSL | 15:117db924cf7c | 3218 | } |
wolfSSL | 15:117db924cf7c | 3219 | else if (XMEMCMP(ssl->arrays->clientRandom, sessId, sessIdSz) != 0) |
wolfSSL | 15:117db924cf7c | 3220 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3221 | #else |
wolfSSL | 15:117db924cf7c | 3222 | if (sessIdSz != ssl->session.sessionIDSz || (sessIdSz > 0 && |
wolfSSL | 15:117db924cf7c | 3223 | XMEMCMP(ssl->session.sessionID, sessId, sessIdSz) != 0)) { |
wolfSSL | 15:117db924cf7c | 3224 | WOLFSSL_MSG("Server sent different session id"); |
wolfSSL | 15:117db924cf7c | 3225 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3226 | } |
wolfSSL | 15:117db924cf7c | 3227 | #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */ |
wolfSSL | 15:117db924cf7c | 3228 | #endif |
wolfSSL | 15:117db924cf7c | 3229 | |
wolfSSL | 15:117db924cf7c | 3230 | ret = SetCipherSpecs(ssl); |
wolfSSL | 15:117db924cf7c | 3231 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3232 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 3233 | #ifdef HAVE_NULL_CIPHER |
wolfSSL | 16:8e0d178b1d1e | 3234 | if (ssl->options.cipherSuite0 == ECC_BYTE && |
wolfSSL | 16:8e0d178b1d1e | 3235 | (ssl->options.cipherSuite == TLS_SHA256_SHA256 || |
wolfSSL | 16:8e0d178b1d1e | 3236 | ssl->options.cipherSuite == TLS_SHA384_SHA384)) { |
wolfSSL | 16:8e0d178b1d1e | 3237 | ; |
wolfSSL | 16:8e0d178b1d1e | 3238 | } |
wolfSSL | 16:8e0d178b1d1e | 3239 | else |
wolfSSL | 16:8e0d178b1d1e | 3240 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3241 | /* Check that the negotiated ciphersuite matches protocol version. */ |
wolfSSL | 16:8e0d178b1d1e | 3242 | if (ssl->options.cipherSuite0 != TLS13_BYTE) { |
wolfSSL | 16:8e0d178b1d1e | 3243 | WOLFSSL_MSG("Server sent non-TLS13 cipher suite in TLS 1.3 packet"); |
wolfSSL | 16:8e0d178b1d1e | 3244 | return INVALID_PARAMETER; |
wolfSSL | 16:8e0d178b1d1e | 3245 | } |
wolfSSL | 15:117db924cf7c | 3246 | |
wolfSSL | 15:117db924cf7c | 3247 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 3248 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3249 | if (*extMsgType == server_hello) |
wolfSSL | 15:117db924cf7c | 3250 | #endif |
wolfSSL | 15:117db924cf7c | 3251 | { |
wolfSSL | 15:117db924cf7c | 3252 | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
wolfSSL | 15:117db924cf7c | 3253 | if (ext != NULL) |
wolfSSL | 15:117db924cf7c | 3254 | psk = (PreSharedKey*)ext->data; |
wolfSSL | 15:117db924cf7c | 3255 | while (psk != NULL && !psk->chosen) |
wolfSSL | 15:117db924cf7c | 3256 | psk = psk->next; |
wolfSSL | 15:117db924cf7c | 3257 | if (psk == NULL) { |
wolfSSL | 15:117db924cf7c | 3258 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 3259 | ssl->arrays->psk_keySz = 0; |
wolfSSL | 15:117db924cf7c | 3260 | XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN); |
wolfSSL | 15:117db924cf7c | 3261 | } |
wolfSSL | 15:117db924cf7c | 3262 | else if ((ret = SetupPskKey(ssl, psk)) != 0) |
wolfSSL | 15:117db924cf7c | 3263 | return ret; |
wolfSSL | 15:117db924cf7c | 3264 | } |
wolfSSL | 15:117db924cf7c | 3265 | #endif |
wolfSSL | 15:117db924cf7c | 3266 | |
wolfSSL | 15:117db924cf7c | 3267 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3268 | ssl->keys.encryptionOn = 1; |
wolfSSL | 15:117db924cf7c | 3269 | #else |
wolfSSL | 15:117db924cf7c | 3270 | if (*extMsgType == server_hello) { |
wolfSSL | 15:117db924cf7c | 3271 | ssl->keys.encryptionOn = 1; |
wolfSSL | 15:117db924cf7c | 3272 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 3273 | } |
wolfSSL | 15:117db924cf7c | 3274 | else { |
wolfSSL | 15:117db924cf7c | 3275 | ssl->options.tls1_3 = 1; |
wolfSSL | 15:117db924cf7c | 3276 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
wolfSSL | 15:117db924cf7c | 3277 | |
wolfSSL | 15:117db924cf7c | 3278 | ret = RestartHandshakeHash(ssl); |
wolfSSL | 15:117db924cf7c | 3279 | } |
wolfSSL | 15:117db924cf7c | 3280 | #endif |
wolfSSL | 15:117db924cf7c | 3281 | |
wolfSSL | 15:117db924cf7c | 3282 | WOLFSSL_LEAVE("DoTls13ServerHello", ret); |
wolfSSL | 15:117db924cf7c | 3283 | WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO); |
wolfSSL | 15:117db924cf7c | 3284 | |
wolfSSL | 15:117db924cf7c | 3285 | return ret; |
wolfSSL | 15:117db924cf7c | 3286 | } |
wolfSSL | 15:117db924cf7c | 3287 | |
wolfSSL | 15:117db924cf7c | 3288 | /* handle processing TLS 1.3 encrypted_extensions (8) */ |
wolfSSL | 15:117db924cf7c | 3289 | /* Parse and handle an EncryptedExtensions message. |
wolfSSL | 15:117db924cf7c | 3290 | * Only a client will receive this message. |
wolfSSL | 15:117db924cf7c | 3291 | * |
wolfSSL | 15:117db924cf7c | 3292 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3293 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 3294 | * inOutIdx On entry, the index into the message buffer of |
wolfSSL | 15:117db924cf7c | 3295 | * EncryptedExtensions. |
wolfSSL | 15:117db924cf7c | 3296 | * On exit, the index of byte after the EncryptedExtensions |
wolfSSL | 15:117db924cf7c | 3297 | * message. |
wolfSSL | 15:117db924cf7c | 3298 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 3299 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 3300 | */ |
wolfSSL | 15:117db924cf7c | 3301 | static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 3302 | word32* inOutIdx, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 3303 | { |
wolfSSL | 15:117db924cf7c | 3304 | int ret; |
wolfSSL | 15:117db924cf7c | 3305 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 3306 | word32 i = begin; |
wolfSSL | 15:117db924cf7c | 3307 | word16 totalExtSz; |
wolfSSL | 15:117db924cf7c | 3308 | |
wolfSSL | 15:117db924cf7c | 3309 | WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_DO); |
wolfSSL | 15:117db924cf7c | 3310 | WOLFSSL_ENTER("DoTls13EncryptedExtensions"); |
wolfSSL | 15:117db924cf7c | 3311 | |
wolfSSL | 15:117db924cf7c | 3312 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 3313 | if (ssl->hsInfoOn) AddPacketName(ssl, "EncryptedExtensions"); |
wolfSSL | 15:117db924cf7c | 3314 | if (ssl->toInfoOn) AddLateName("EncryptedExtensions", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 3315 | #endif |
wolfSSL | 15:117db924cf7c | 3316 | |
wolfSSL | 15:117db924cf7c | 3317 | /* Length field of extension data. */ |
wolfSSL | 15:117db924cf7c | 3318 | if (totalSz < i - begin + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3319 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3320 | ato16(&input[i], &totalExtSz); |
wolfSSL | 15:117db924cf7c | 3321 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3322 | |
wolfSSL | 15:117db924cf7c | 3323 | /* Extension data. */ |
wolfSSL | 15:117db924cf7c | 3324 | if (i - begin + totalExtSz > totalSz) |
wolfSSL | 15:117db924cf7c | 3325 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3326 | if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz, |
wolfSSL | 15:117db924cf7c | 3327 | encrypted_extensions, NULL))) |
wolfSSL | 15:117db924cf7c | 3328 | return ret; |
wolfSSL | 15:117db924cf7c | 3329 | |
wolfSSL | 15:117db924cf7c | 3330 | /* Move index to byte after message. */ |
wolfSSL | 15:117db924cf7c | 3331 | *inOutIdx = i + totalExtSz; |
wolfSSL | 15:117db924cf7c | 3332 | |
wolfSSL | 15:117db924cf7c | 3333 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 3334 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 3335 | |
wolfSSL | 15:117db924cf7c | 3336 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3337 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 3338 | TLSX* ext = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA); |
wolfSSL | 15:117db924cf7c | 3339 | if (ext == NULL || !ext->val) |
wolfSSL | 15:117db924cf7c | 3340 | ssl->earlyData = no_early_data; |
wolfSSL | 15:117db924cf7c | 3341 | } |
wolfSSL | 15:117db924cf7c | 3342 | #endif |
wolfSSL | 15:117db924cf7c | 3343 | |
wolfSSL | 15:117db924cf7c | 3344 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3345 | if (ssl->earlyData == no_early_data) { |
wolfSSL | 15:117db924cf7c | 3346 | ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY); |
wolfSSL | 15:117db924cf7c | 3347 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3348 | return ret; |
wolfSSL | 15:117db924cf7c | 3349 | } |
wolfSSL | 15:117db924cf7c | 3350 | #endif |
wolfSSL | 15:117db924cf7c | 3351 | |
wolfSSL | 15:117db924cf7c | 3352 | ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE; |
wolfSSL | 15:117db924cf7c | 3353 | |
wolfSSL | 15:117db924cf7c | 3354 | WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret); |
wolfSSL | 15:117db924cf7c | 3355 | WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_DO); |
wolfSSL | 15:117db924cf7c | 3356 | |
wolfSSL | 15:117db924cf7c | 3357 | return ret; |
wolfSSL | 15:117db924cf7c | 3358 | } |
wolfSSL | 15:117db924cf7c | 3359 | |
wolfSSL | 15:117db924cf7c | 3360 | /* handle processing TLS v1.3 certificate_request (13) */ |
wolfSSL | 15:117db924cf7c | 3361 | /* Handle a TLS v1.3 CertificateRequest message. |
wolfSSL | 15:117db924cf7c | 3362 | * This message is always encrypted. |
wolfSSL | 15:117db924cf7c | 3363 | * Only a client will receive this message. |
wolfSSL | 15:117db924cf7c | 3364 | * |
wolfSSL | 15:117db924cf7c | 3365 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3366 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 3367 | * inOutIdx On entry, the index into the message buffer of CertificateRequest. |
wolfSSL | 15:117db924cf7c | 3368 | * On exit, the index of byte after the CertificateRequest message. |
wolfSSL | 15:117db924cf7c | 3369 | * size The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 3370 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 3371 | */ |
wolfSSL | 15:117db924cf7c | 3372 | static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 3373 | word32* inOutIdx, word32 size) |
wolfSSL | 15:117db924cf7c | 3374 | { |
wolfSSL | 15:117db924cf7c | 3375 | word16 len; |
wolfSSL | 15:117db924cf7c | 3376 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 3377 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 3378 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3379 | Suites peerSuites; |
wolfSSL | 15:117db924cf7c | 3380 | #endif |
wolfSSL | 15:117db924cf7c | 3381 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 3382 | CertReqCtx* certReqCtx; |
wolfSSL | 15:117db924cf7c | 3383 | #endif |
wolfSSL | 15:117db924cf7c | 3384 | |
wolfSSL | 15:117db924cf7c | 3385 | WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO); |
wolfSSL | 15:117db924cf7c | 3386 | WOLFSSL_ENTER("DoTls13CertificateRequest"); |
wolfSSL | 15:117db924cf7c | 3387 | |
wolfSSL | 16:8e0d178b1d1e | 3388 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 16:8e0d178b1d1e | 3389 | XMEMSET(&peerSuites, 0, sizeof(Suites)); |
wolfSSL | 16:8e0d178b1d1e | 3390 | #endif |
wolfSSL | 15:117db924cf7c | 3391 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 3392 | if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateRequest"); |
wolfSSL | 15:117db924cf7c | 3393 | if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 3394 | #endif |
wolfSSL | 15:117db924cf7c | 3395 | |
wolfSSL | 15:117db924cf7c | 3396 | if ((*inOutIdx - begin) + OPAQUE8_LEN > size) |
wolfSSL | 15:117db924cf7c | 3397 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3398 | |
wolfSSL | 15:117db924cf7c | 3399 | /* Length of the request context. */ |
wolfSSL | 15:117db924cf7c | 3400 | len = input[(*inOutIdx)++]; |
wolfSSL | 15:117db924cf7c | 3401 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3402 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3403 | if (ssl->options.connectState < FINISHED_DONE && len > 0) |
wolfSSL | 15:117db924cf7c | 3404 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3405 | |
wolfSSL | 15:117db924cf7c | 3406 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 3407 | /* CertReqCtx has one byte at end for context value. |
wolfSSL | 15:117db924cf7c | 3408 | * Increase size to handle other implementations sending more than one byte. |
wolfSSL | 15:117db924cf7c | 3409 | * That is, allocate extra space, over one byte, to hold the context value. |
wolfSSL | 15:117db924cf7c | 3410 | */ |
wolfSSL | 15:117db924cf7c | 3411 | certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + len - 1, ssl->heap, |
wolfSSL | 15:117db924cf7c | 3412 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 3413 | if (certReqCtx == NULL) |
wolfSSL | 15:117db924cf7c | 3414 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 3415 | certReqCtx->next = ssl->certReqCtx; |
wolfSSL | 15:117db924cf7c | 3416 | certReqCtx->len = len; |
wolfSSL | 15:117db924cf7c | 3417 | XMEMCPY(&certReqCtx->ctx, input + *inOutIdx, len); |
wolfSSL | 15:117db924cf7c | 3418 | ssl->certReqCtx = certReqCtx; |
wolfSSL | 15:117db924cf7c | 3419 | #endif |
wolfSSL | 15:117db924cf7c | 3420 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 3421 | |
wolfSSL | 15:117db924cf7c | 3422 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3423 | /* Signature and hash algorithms. */ |
wolfSSL | 15:117db924cf7c | 3424 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3425 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3426 | ato16(input + *inOutIdx, &len); |
wolfSSL | 15:117db924cf7c | 3427 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3428 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3429 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 3430 | if (PickHashSigAlgo(ssl, input + *inOutIdx, len) != 0 && |
wolfSSL | 16:8e0d178b1d1e | 3431 | ssl->buffers.certificate && ssl->buffers.certificate->buffer && |
wolfSSL | 16:8e0d178b1d1e | 3432 | ssl->buffers.key && ssl->buffers.key->buffer) { |
wolfSSL | 16:8e0d178b1d1e | 3433 | return INVALID_PARAMETER; |
wolfSSL | 16:8e0d178b1d1e | 3434 | } |
wolfSSL | 15:117db924cf7c | 3435 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 3436 | |
wolfSSL | 15:117db924cf7c | 3437 | /* Length of certificate authority data. */ |
wolfSSL | 15:117db924cf7c | 3438 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3439 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3440 | ato16(input + *inOutIdx, &len); |
wolfSSL | 15:117db924cf7c | 3441 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3442 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3443 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3444 | |
wolfSSL | 15:117db924cf7c | 3445 | /* Certificate authorities. */ |
wolfSSL | 15:117db924cf7c | 3446 | while (len) { |
wolfSSL | 15:117db924cf7c | 3447 | word16 dnSz; |
wolfSSL | 15:117db924cf7c | 3448 | |
wolfSSL | 15:117db924cf7c | 3449 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3450 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3451 | |
wolfSSL | 15:117db924cf7c | 3452 | ato16(input + *inOutIdx, &dnSz); |
wolfSSL | 15:117db924cf7c | 3453 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3454 | |
wolfSSL | 15:117db924cf7c | 3455 | if ((*inOutIdx - begin) + dnSz > size) |
wolfSSL | 15:117db924cf7c | 3456 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3457 | |
wolfSSL | 15:117db924cf7c | 3458 | *inOutIdx += dnSz; |
wolfSSL | 15:117db924cf7c | 3459 | len -= OPAQUE16_LEN + dnSz; |
wolfSSL | 15:117db924cf7c | 3460 | } |
wolfSSL | 15:117db924cf7c | 3461 | |
wolfSSL | 15:117db924cf7c | 3462 | /* Certificate extensions */ |
wolfSSL | 15:117db924cf7c | 3463 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3464 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3465 | ato16(input + *inOutIdx, &len); |
wolfSSL | 15:117db924cf7c | 3466 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3467 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3468 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3469 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 3470 | #else |
wolfSSL | 15:117db924cf7c | 3471 | /* TODO: Add support for more extensions: |
wolfSSL | 15:117db924cf7c | 3472 | * signed_certificate_timestamp, certificate_authorities, oid_filters. |
wolfSSL | 15:117db924cf7c | 3473 | */ |
wolfSSL | 15:117db924cf7c | 3474 | /* Certificate extensions */ |
wolfSSL | 15:117db924cf7c | 3475 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
wolfSSL | 15:117db924cf7c | 3476 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3477 | ato16(input + *inOutIdx, &len); |
wolfSSL | 15:117db924cf7c | 3478 | *inOutIdx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 3479 | if ((*inOutIdx - begin) + len > size) |
wolfSSL | 15:117db924cf7c | 3480 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 3481 | if (len == 0) |
wolfSSL | 15:117db924cf7c | 3482 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 3483 | if ((ret = TLSX_Parse(ssl, (byte *)(input + *inOutIdx), len, |
wolfSSL | 15:117db924cf7c | 3484 | certificate_request, &peerSuites))) { |
wolfSSL | 15:117db924cf7c | 3485 | return ret; |
wolfSSL | 15:117db924cf7c | 3486 | } |
wolfSSL | 15:117db924cf7c | 3487 | *inOutIdx += len; |
wolfSSL | 15:117db924cf7c | 3488 | #endif |
wolfSSL | 15:117db924cf7c | 3489 | |
wolfSSL | 15:117db924cf7c | 3490 | if (ssl->buffers.certificate && ssl->buffers.certificate->buffer && |
wolfSSL | 16:8e0d178b1d1e | 3491 | ((ssl->buffers.key && ssl->buffers.key->buffer) |
wolfSSL | 16:8e0d178b1d1e | 3492 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 16:8e0d178b1d1e | 3493 | || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) |
wolfSSL | 16:8e0d178b1d1e | 3494 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3495 | )) { |
wolfSSL | 16:8e0d178b1d1e | 3496 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 16:8e0d178b1d1e | 3497 | if (PickHashSigAlgo(ssl, peerSuites.hashSigAlgo, |
wolfSSL | 16:8e0d178b1d1e | 3498 | peerSuites.hashSigAlgoSz) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 3499 | return INVALID_PARAMETER; |
wolfSSL | 16:8e0d178b1d1e | 3500 | } |
wolfSSL | 16:8e0d178b1d1e | 3501 | #endif |
wolfSSL | 15:117db924cf7c | 3502 | ssl->options.sendVerify = SEND_CERT; |
wolfSSL | 16:8e0d178b1d1e | 3503 | } |
wolfSSL | 16:8e0d178b1d1e | 3504 | else { |
wolfSSL | 15:117db924cf7c | 3505 | ssl->options.sendVerify = SEND_BLANK_CERT; |
wolfSSL | 16:8e0d178b1d1e | 3506 | } |
wolfSSL | 15:117db924cf7c | 3507 | |
wolfSSL | 15:117db924cf7c | 3508 | /* This message is always encrypted so add encryption padding. */ |
wolfSSL | 15:117db924cf7c | 3509 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 3510 | |
wolfSSL | 15:117db924cf7c | 3511 | WOLFSSL_LEAVE("DoTls13CertificateRequest", ret); |
wolfSSL | 15:117db924cf7c | 3512 | WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO); |
wolfSSL | 15:117db924cf7c | 3513 | |
wolfSSL | 15:117db924cf7c | 3514 | return ret; |
wolfSSL | 15:117db924cf7c | 3515 | } |
wolfSSL | 15:117db924cf7c | 3516 | |
wolfSSL | 15:117db924cf7c | 3517 | #endif /* !NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 3518 | |
wolfSSL | 15:117db924cf7c | 3519 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 3520 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 3521 | /* Refine list of supported cipher suites to those common to server and client. |
wolfSSL | 15:117db924cf7c | 3522 | * |
wolfSSL | 15:117db924cf7c | 3523 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3524 | * peerSuites The peer's advertised list of supported cipher suites. |
wolfSSL | 15:117db924cf7c | 3525 | */ |
wolfSSL | 15:117db924cf7c | 3526 | static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites) |
wolfSSL | 15:117db924cf7c | 3527 | { |
wolfSSL | 15:117db924cf7c | 3528 | byte suites[WOLFSSL_MAX_SUITE_SZ]; |
wolfSSL | 15:117db924cf7c | 3529 | int suiteSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 3530 | word16 i, j; |
wolfSSL | 16:8e0d178b1d1e | 3531 | |
wolfSSL | 16:8e0d178b1d1e | 3532 | XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ); |
wolfSSL | 15:117db924cf7c | 3533 | |
wolfSSL | 15:117db924cf7c | 3534 | for (i = 0; i < ssl->suites->suiteSz; i += 2) { |
wolfSSL | 15:117db924cf7c | 3535 | for (j = 0; j < peerSuites->suiteSz; j += 2) { |
wolfSSL | 15:117db924cf7c | 3536 | if (ssl->suites->suites[i+0] == peerSuites->suites[j+0] && |
wolfSSL | 15:117db924cf7c | 3537 | ssl->suites->suites[i+1] == peerSuites->suites[j+1]) { |
wolfSSL | 15:117db924cf7c | 3538 | suites[suiteSz++] = peerSuites->suites[j+0]; |
wolfSSL | 15:117db924cf7c | 3539 | suites[suiteSz++] = peerSuites->suites[j+1]; |
wolfSSL | 15:117db924cf7c | 3540 | } |
wolfSSL | 15:117db924cf7c | 3541 | } |
wolfSSL | 15:117db924cf7c | 3542 | } |
wolfSSL | 15:117db924cf7c | 3543 | |
wolfSSL | 15:117db924cf7c | 3544 | ssl->suites->suiteSz = suiteSz; |
wolfSSL | 15:117db924cf7c | 3545 | XMEMCPY(ssl->suites->suites, &suites, sizeof(suites)); |
wolfSSL | 15:117db924cf7c | 3546 | } |
wolfSSL | 15:117db924cf7c | 3547 | |
wolfSSL | 15:117db924cf7c | 3548 | /* Handle any Pre-Shared Key (PSK) extension. |
wolfSSL | 15:117db924cf7c | 3549 | * Must do this in ClientHello as it requires a hash of the truncated message. |
wolfSSL | 15:117db924cf7c | 3550 | * Don't know size of binders until Pre-Shared Key extension has been parsed. |
wolfSSL | 15:117db924cf7c | 3551 | * |
wolfSSL | 15:117db924cf7c | 3552 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3553 | * input The ClientHello message. |
wolfSSL | 15:117db924cf7c | 3554 | * helloSz The size of the ClientHello message (including binders if present). |
wolfSSL | 15:117db924cf7c | 3555 | * usingPSK Indicates handshake is using Pre-Shared Keys. |
wolfSSL | 15:117db924cf7c | 3556 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 3557 | */ |
wolfSSL | 15:117db924cf7c | 3558 | static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz, |
wolfSSL | 15:117db924cf7c | 3559 | int* usingPSK) |
wolfSSL | 15:117db924cf7c | 3560 | { |
wolfSSL | 15:117db924cf7c | 3561 | int ret; |
wolfSSL | 15:117db924cf7c | 3562 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 3563 | word16 bindersLen; |
wolfSSL | 15:117db924cf7c | 3564 | PreSharedKey* current; |
wolfSSL | 15:117db924cf7c | 3565 | byte binderKey[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 3566 | byte binder[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 3567 | word32 binderLen; |
wolfSSL | 15:117db924cf7c | 3568 | word16 modes; |
wolfSSL | 15:117db924cf7c | 3569 | byte suite[2]; |
wolfSSL | 15:117db924cf7c | 3570 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3571 | int pskCnt = 0; |
wolfSSL | 15:117db924cf7c | 3572 | TLSX* extEarlyData; |
wolfSSL | 15:117db924cf7c | 3573 | #endif |
wolfSSL | 16:8e0d178b1d1e | 3574 | #ifndef NO_PSK |
wolfSSL | 16:8e0d178b1d1e | 3575 | const char* cipherName = NULL; |
wolfSSL | 16:8e0d178b1d1e | 3576 | byte cipherSuite0 = TLS13_BYTE; |
wolfSSL | 16:8e0d178b1d1e | 3577 | byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER; |
wolfSSL | 16:8e0d178b1d1e | 3578 | #endif |
wolfSSL | 15:117db924cf7c | 3579 | |
wolfSSL | 15:117db924cf7c | 3580 | WOLFSSL_ENTER("DoPreSharedKeys"); |
wolfSSL | 15:117db924cf7c | 3581 | |
wolfSSL | 15:117db924cf7c | 3582 | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
wolfSSL | 15:117db924cf7c | 3583 | if (ext == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 3584 | /* Hash data up to binders for deriving binders in PSK extension. */ |
wolfSSL | 16:8e0d178b1d1e | 3585 | ret = HashInput(ssl, input, helloSz); |
wolfSSL | 16:8e0d178b1d1e | 3586 | return ret; |
wolfSSL | 15:117db924cf7c | 3587 | } |
wolfSSL | 15:117db924cf7c | 3588 | |
wolfSSL | 15:117db924cf7c | 3589 | /* Extensions pushed on stack/list and PSK must be last. */ |
wolfSSL | 15:117db924cf7c | 3590 | if (ssl->extensions != ext) |
wolfSSL | 15:117db924cf7c | 3591 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 3592 | |
wolfSSL | 15:117db924cf7c | 3593 | /* Assume we are going to resume with a pre-shared key. */ |
wolfSSL | 15:117db924cf7c | 3594 | ssl->options.resuming = 1; |
wolfSSL | 15:117db924cf7c | 3595 | |
wolfSSL | 15:117db924cf7c | 3596 | /* Find the pre-shared key extension and calculate hash of truncated |
wolfSSL | 15:117db924cf7c | 3597 | * ClientHello for binders. |
wolfSSL | 15:117db924cf7c | 3598 | */ |
wolfSSL | 16:8e0d178b1d1e | 3599 | ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data, |
wolfSSL | 16:8e0d178b1d1e | 3600 | client_hello, &bindersLen); |
wolfSSL | 16:8e0d178b1d1e | 3601 | if (ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 3602 | return ret; |
wolfSSL | 15:117db924cf7c | 3603 | |
wolfSSL | 15:117db924cf7c | 3604 | /* Hash data up to binders for deriving binders in PSK extension. */ |
wolfSSL | 15:117db924cf7c | 3605 | ret = HashInput(ssl, input, helloSz - bindersLen); |
wolfSSL | 15:117db924cf7c | 3606 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3607 | return ret; |
wolfSSL | 15:117db924cf7c | 3608 | |
wolfSSL | 15:117db924cf7c | 3609 | /* Look through all client's pre-shared keys for a match. */ |
wolfSSL | 15:117db924cf7c | 3610 | current = (PreSharedKey*)ext->data; |
wolfSSL | 15:117db924cf7c | 3611 | while (current != NULL) { |
wolfSSL | 15:117db924cf7c | 3612 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3613 | pskCnt++; |
wolfSSL | 15:117db924cf7c | 3614 | #endif |
wolfSSL | 15:117db924cf7c | 3615 | |
wolfSSL | 15:117db924cf7c | 3616 | #ifndef NO_PSK |
wolfSSL | 16:8e0d178b1d1e | 3617 | if (current->identityLen > MAX_PSK_ID_LEN) { |
wolfSSL | 16:8e0d178b1d1e | 3618 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 3619 | } |
wolfSSL | 15:117db924cf7c | 3620 | XMEMCPY(ssl->arrays->client_identity, current->identity, |
wolfSSL | 15:117db924cf7c | 3621 | current->identityLen); |
wolfSSL | 15:117db924cf7c | 3622 | ssl->arrays->client_identity[current->identityLen] = '\0'; |
wolfSSL | 15:117db924cf7c | 3623 | #endif |
wolfSSL | 15:117db924cf7c | 3624 | |
wolfSSL | 15:117db924cf7c | 3625 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 3626 | /* Decode the identity. */ |
wolfSSL | 15:117db924cf7c | 3627 | if ((ret = DoClientTicket(ssl, current->identity, current->identityLen)) |
wolfSSL | 15:117db924cf7c | 3628 | == WOLFSSL_TICKET_RET_OK) { |
wolfSSL | 15:117db924cf7c | 3629 | word32 now; |
wolfSSL | 15:117db924cf7c | 3630 | int diff; |
wolfSSL | 15:117db924cf7c | 3631 | |
wolfSSL | 15:117db924cf7c | 3632 | now = TimeNowInMilliseconds(); |
wolfSSL | 15:117db924cf7c | 3633 | if (now == (word32)GETTIME_ERROR) |
wolfSSL | 15:117db924cf7c | 3634 | return now; |
wolfSSL | 15:117db924cf7c | 3635 | diff = now - ssl->session.ticketSeen; |
wolfSSL | 15:117db924cf7c | 3636 | diff -= current->ticketAge - ssl->session.ticketAdd; |
wolfSSL | 15:117db924cf7c | 3637 | /* Check session and ticket age timeout. |
wolfSSL | 15:117db924cf7c | 3638 | * Allow +/- 1000 milliseconds on ticket age. |
wolfSSL | 15:117db924cf7c | 3639 | */ |
wolfSSL | 15:117db924cf7c | 3640 | if (diff > (int)ssl->timeout * 1000 || diff < -1000 || |
wolfSSL | 15:117db924cf7c | 3641 | diff - MAX_TICKET_AGE_SECS * 1000 > 1000) { |
wolfSSL | 15:117db924cf7c | 3642 | /* Invalid difference, fallback to full handshake. */ |
wolfSSL | 15:117db924cf7c | 3643 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 3644 | break; |
wolfSSL | 15:117db924cf7c | 3645 | } |
wolfSSL | 15:117db924cf7c | 3646 | |
wolfSSL | 15:117db924cf7c | 3647 | /* Check whether resumption is possible based on suites in SSL and |
wolfSSL | 15:117db924cf7c | 3648 | * ciphersuite in ticket. |
wolfSSL | 15:117db924cf7c | 3649 | */ |
wolfSSL | 15:117db924cf7c | 3650 | suite[0] = ssl->session.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 3651 | suite[1] = ssl->session.cipherSuite; |
wolfSSL | 16:8e0d178b1d1e | 3652 | if (!FindSuiteSSL(ssl, suite)) { |
wolfSSL | 15:117db924cf7c | 3653 | current = current->next; |
wolfSSL | 15:117db924cf7c | 3654 | continue; |
wolfSSL | 15:117db924cf7c | 3655 | } |
wolfSSL | 15:117db924cf7c | 3656 | |
wolfSSL | 15:117db924cf7c | 3657 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3658 | ssl->options.maxEarlyDataSz = ssl->session.maxEarlyDataSz; |
wolfSSL | 15:117db924cf7c | 3659 | #endif |
wolfSSL | 15:117db924cf7c | 3660 | /* Use the same cipher suite as before and set up for use. */ |
wolfSSL | 15:117db924cf7c | 3661 | ssl->options.cipherSuite0 = ssl->session.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 3662 | ssl->options.cipherSuite = ssl->session.cipherSuite; |
wolfSSL | 15:117db924cf7c | 3663 | ret = SetCipherSpecs(ssl); |
wolfSSL | 15:117db924cf7c | 3664 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3665 | return ret; |
wolfSSL | 15:117db924cf7c | 3666 | |
wolfSSL | 15:117db924cf7c | 3667 | /* Resumption PSK is resumption master secret. */ |
wolfSSL | 15:117db924cf7c | 3668 | ssl->arrays->psk_keySz = ssl->specs.hash_size; |
wolfSSL | 15:117db924cf7c | 3669 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3670 | XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret, |
wolfSSL | 15:117db924cf7c | 3671 | ssl->arrays->psk_keySz); |
wolfSSL | 15:117db924cf7c | 3672 | #else |
wolfSSL | 15:117db924cf7c | 3673 | if ((ret = DeriveResumptionPSK(ssl, ssl->session.ticketNonce.data, |
wolfSSL | 15:117db924cf7c | 3674 | ssl->session.ticketNonce.len, ssl->arrays->psk_key)) != 0) { |
wolfSSL | 15:117db924cf7c | 3675 | return ret; |
wolfSSL | 15:117db924cf7c | 3676 | } |
wolfSSL | 15:117db924cf7c | 3677 | #endif |
wolfSSL | 15:117db924cf7c | 3678 | |
wolfSSL | 15:117db924cf7c | 3679 | /* Derive the early secret using the PSK. */ |
wolfSSL | 15:117db924cf7c | 3680 | ret = DeriveEarlySecret(ssl); |
wolfSSL | 15:117db924cf7c | 3681 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3682 | return ret; |
wolfSSL | 15:117db924cf7c | 3683 | /* Derive the binder key to use to with HMAC. */ |
wolfSSL | 15:117db924cf7c | 3684 | ret = DeriveBinderKeyResume(ssl, binderKey); |
wolfSSL | 15:117db924cf7c | 3685 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3686 | return ret; |
wolfSSL | 15:117db924cf7c | 3687 | } |
wolfSSL | 15:117db924cf7c | 3688 | else |
wolfSSL | 15:117db924cf7c | 3689 | #endif |
wolfSSL | 15:117db924cf7c | 3690 | #ifndef NO_PSK |
wolfSSL | 16:8e0d178b1d1e | 3691 | if ((ssl->options.server_psk_tls13_cb != NULL && |
wolfSSL | 16:8e0d178b1d1e | 3692 | (ssl->arrays->psk_keySz = ssl->options.server_psk_tls13_cb(ssl, |
wolfSSL | 15:117db924cf7c | 3693 | ssl->arrays->client_identity, ssl->arrays->psk_key, |
wolfSSL | 16:8e0d178b1d1e | 3694 | MAX_PSK_KEY_LEN, &cipherName)) != 0 && |
wolfSSL | 16:8e0d178b1d1e | 3695 | GetCipherSuiteFromName(cipherName, &cipherSuite0, |
wolfSSL | 16:8e0d178b1d1e | 3696 | &cipherSuite) == 0) || |
wolfSSL | 16:8e0d178b1d1e | 3697 | (ssl->options.server_psk_cb != NULL && |
wolfSSL | 16:8e0d178b1d1e | 3698 | (ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, |
wolfSSL | 16:8e0d178b1d1e | 3699 | ssl->arrays->client_identity, ssl->arrays->psk_key, |
wolfSSL | 16:8e0d178b1d1e | 3700 | MAX_PSK_KEY_LEN)) != 0)) { |
wolfSSL | 15:117db924cf7c | 3701 | if (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) |
wolfSSL | 15:117db924cf7c | 3702 | return PSK_KEY_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 3703 | |
wolfSSL | 16:8e0d178b1d1e | 3704 | /* Check whether PSK ciphersuite is in SSL. */ |
wolfSSL | 16:8e0d178b1d1e | 3705 | suite[0] = cipherSuite0; |
wolfSSL | 16:8e0d178b1d1e | 3706 | suite[1] = cipherSuite; |
wolfSSL | 16:8e0d178b1d1e | 3707 | if (!FindSuiteSSL(ssl, suite)) { |
wolfSSL | 15:117db924cf7c | 3708 | current = current->next; |
wolfSSL | 15:117db924cf7c | 3709 | continue; |
wolfSSL | 15:117db924cf7c | 3710 | } |
wolfSSL | 15:117db924cf7c | 3711 | |
wolfSSL | 15:117db924cf7c | 3712 | /* Default to ciphersuite if cb doesn't specify. */ |
wolfSSL | 15:117db924cf7c | 3713 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 3714 | |
wolfSSL | 15:117db924cf7c | 3715 | /* PSK age is always zero. */ |
wolfSSL | 15:117db924cf7c | 3716 | if (current->ticketAge != ssl->session.ticketAdd) |
wolfSSL | 15:117db924cf7c | 3717 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 3718 | |
wolfSSL | 16:8e0d178b1d1e | 3719 | /* Set PSK ciphersuite into SSL. */ |
wolfSSL | 16:8e0d178b1d1e | 3720 | ssl->options.cipherSuite0 = cipherSuite0; |
wolfSSL | 16:8e0d178b1d1e | 3721 | ssl->options.cipherSuite = cipherSuite; |
wolfSSL | 15:117db924cf7c | 3722 | ret = SetCipherSpecs(ssl); |
wolfSSL | 15:117db924cf7c | 3723 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3724 | return ret; |
wolfSSL | 15:117db924cf7c | 3725 | |
wolfSSL | 15:117db924cf7c | 3726 | /* Derive the early secret using the PSK. */ |
wolfSSL | 15:117db924cf7c | 3727 | ret = DeriveEarlySecret(ssl); |
wolfSSL | 15:117db924cf7c | 3728 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3729 | return ret; |
wolfSSL | 15:117db924cf7c | 3730 | /* Derive the binder key to use to with HMAC. */ |
wolfSSL | 15:117db924cf7c | 3731 | ret = DeriveBinderKey(ssl, binderKey); |
wolfSSL | 15:117db924cf7c | 3732 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3733 | return ret; |
wolfSSL | 15:117db924cf7c | 3734 | } |
wolfSSL | 15:117db924cf7c | 3735 | else |
wolfSSL | 15:117db924cf7c | 3736 | #endif |
wolfSSL | 15:117db924cf7c | 3737 | { |
wolfSSL | 15:117db924cf7c | 3738 | current = current->next; |
wolfSSL | 15:117db924cf7c | 3739 | continue; |
wolfSSL | 15:117db924cf7c | 3740 | } |
wolfSSL | 15:117db924cf7c | 3741 | |
wolfSSL | 15:117db924cf7c | 3742 | ssl->options.sendVerify = 0; |
wolfSSL | 15:117db924cf7c | 3743 | |
wolfSSL | 15:117db924cf7c | 3744 | /* Derive the Finished message secret. */ |
wolfSSL | 15:117db924cf7c | 3745 | ret = DeriveFinishedSecret(ssl, binderKey, |
wolfSSL | 15:117db924cf7c | 3746 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 3747 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3748 | return ret; |
wolfSSL | 15:117db924cf7c | 3749 | |
wolfSSL | 15:117db924cf7c | 3750 | /* Derive the binder and compare with the one in the extension. */ |
wolfSSL | 15:117db924cf7c | 3751 | ret = BuildTls13HandshakeHmac(ssl, |
wolfSSL | 15:117db924cf7c | 3752 | ssl->keys.client_write_MAC_secret, binder, &binderLen); |
wolfSSL | 15:117db924cf7c | 3753 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3754 | return ret; |
wolfSSL | 15:117db924cf7c | 3755 | if (binderLen != current->binderLen || |
wolfSSL | 15:117db924cf7c | 3756 | XMEMCMP(binder, current->binder, binderLen) != 0) { |
wolfSSL | 15:117db924cf7c | 3757 | return BAD_BINDER; |
wolfSSL | 15:117db924cf7c | 3758 | } |
wolfSSL | 15:117db924cf7c | 3759 | |
wolfSSL | 15:117db924cf7c | 3760 | /* This PSK works, no need to try any more. */ |
wolfSSL | 15:117db924cf7c | 3761 | current->chosen = 1; |
wolfSSL | 15:117db924cf7c | 3762 | ext->resp = 1; |
wolfSSL | 15:117db924cf7c | 3763 | break; |
wolfSSL | 15:117db924cf7c | 3764 | } |
wolfSSL | 15:117db924cf7c | 3765 | |
wolfSSL | 16:8e0d178b1d1e | 3766 | /* Hash the rest of the ClientHello. */ |
wolfSSL | 16:8e0d178b1d1e | 3767 | ret = HashInputRaw(ssl, input + helloSz - bindersLen, bindersLen); |
wolfSSL | 16:8e0d178b1d1e | 3768 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 3769 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 3770 | |
wolfSSL | 15:117db924cf7c | 3771 | if (current == NULL) { |
wolfSSL | 15:117db924cf7c | 3772 | #ifdef WOLFSSL_PSK_ID_PROTECTION |
wolfSSL | 15:117db924cf7c | 3773 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 3774 | if (ssl->buffers.certChainCnt != 0) |
wolfSSL | 15:117db924cf7c | 3775 | return 0; |
wolfSSL | 15:117db924cf7c | 3776 | #endif |
wolfSSL | 15:117db924cf7c | 3777 | return BAD_BINDER; |
wolfSSL | 15:117db924cf7c | 3778 | #else |
wolfSSL | 15:117db924cf7c | 3779 | return 0; |
wolfSSL | 15:117db924cf7c | 3780 | #endif |
wolfSSL | 15:117db924cf7c | 3781 | } |
wolfSSL | 15:117db924cf7c | 3782 | |
wolfSSL | 15:117db924cf7c | 3783 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 3784 | extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA); |
wolfSSL | 15:117db924cf7c | 3785 | if (extEarlyData != NULL) { |
wolfSSL | 15:117db924cf7c | 3786 | if (ssl->earlyData != no_early_data && current == ext->data) { |
wolfSSL | 15:117db924cf7c | 3787 | extEarlyData->resp = 1; |
wolfSSL | 15:117db924cf7c | 3788 | |
wolfSSL | 15:117db924cf7c | 3789 | /* Derive early data decryption key. */ |
wolfSSL | 15:117db924cf7c | 3790 | ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY, 1); |
wolfSSL | 15:117db924cf7c | 3791 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3792 | return ret; |
wolfSSL | 15:117db924cf7c | 3793 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 3794 | return ret; |
wolfSSL | 15:117db924cf7c | 3795 | |
wolfSSL | 15:117db924cf7c | 3796 | ssl->earlyData = process_early_data; |
wolfSSL | 15:117db924cf7c | 3797 | } |
wolfSSL | 15:117db924cf7c | 3798 | else |
wolfSSL | 15:117db924cf7c | 3799 | extEarlyData->resp = 0; |
wolfSSL | 15:117db924cf7c | 3800 | } |
wolfSSL | 15:117db924cf7c | 3801 | #endif |
wolfSSL | 15:117db924cf7c | 3802 | |
wolfSSL | 15:117db924cf7c | 3803 | /* Get the PSK key exchange modes the client wants to negotiate. */ |
wolfSSL | 15:117db924cf7c | 3804 | ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES); |
wolfSSL | 15:117db924cf7c | 3805 | if (ext == NULL) |
wolfSSL | 15:117db924cf7c | 3806 | return MISSING_HANDSHAKE_DATA; |
wolfSSL | 15:117db924cf7c | 3807 | modes = ext->val; |
wolfSSL | 15:117db924cf7c | 3808 | |
wolfSSL | 15:117db924cf7c | 3809 | ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
wolfSSL | 15:117db924cf7c | 3810 | /* Use (EC)DHE for forward-security if possible. */ |
wolfSSL | 15:117db924cf7c | 3811 | if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe && |
wolfSSL | 15:117db924cf7c | 3812 | ext != NULL) { |
wolfSSL | 15:117db924cf7c | 3813 | /* Only use named group used in last session. */ |
wolfSSL | 15:117db924cf7c | 3814 | ssl->namedGroup = ssl->session.namedGroup; |
wolfSSL | 15:117db924cf7c | 3815 | |
wolfSSL | 15:117db924cf7c | 3816 | /* Pick key share and Generate a new key if not present. */ |
wolfSSL | 15:117db924cf7c | 3817 | ret = TLSX_KeyShare_Establish(ssl); |
wolfSSL | 15:117db924cf7c | 3818 | if (ret == KEY_SHARE_ERROR) { |
wolfSSL | 15:117db924cf7c | 3819 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
wolfSSL | 15:117db924cf7c | 3820 | ret = 0; |
wolfSSL | 15:117db924cf7c | 3821 | } |
wolfSSL | 15:117db924cf7c | 3822 | else if (ret < 0) |
wolfSSL | 15:117db924cf7c | 3823 | return ret; |
wolfSSL | 15:117db924cf7c | 3824 | |
wolfSSL | 15:117db924cf7c | 3825 | /* Send new public key to client. */ |
wolfSSL | 15:117db924cf7c | 3826 | ext->resp = 1; |
wolfSSL | 15:117db924cf7c | 3827 | } |
wolfSSL | 15:117db924cf7c | 3828 | else { |
wolfSSL | 15:117db924cf7c | 3829 | if ((modes & (1 << PSK_KE)) == 0) |
wolfSSL | 15:117db924cf7c | 3830 | return PSK_KEY_ERROR; |
wolfSSL | 15:117db924cf7c | 3831 | ssl->options.noPskDheKe = 1; |
wolfSSL | 16:8e0d178b1d1e | 3832 | ssl->arrays->preMasterSz = 0; |
wolfSSL | 15:117db924cf7c | 3833 | } |
wolfSSL | 15:117db924cf7c | 3834 | |
wolfSSL | 15:117db924cf7c | 3835 | *usingPSK = 1; |
wolfSSL | 15:117db924cf7c | 3836 | |
wolfSSL | 15:117db924cf7c | 3837 | WOLFSSL_LEAVE("DoPreSharedKeys", ret); |
wolfSSL | 15:117db924cf7c | 3838 | |
wolfSSL | 15:117db924cf7c | 3839 | return ret; |
wolfSSL | 15:117db924cf7c | 3840 | } |
wolfSSL | 15:117db924cf7c | 3841 | #endif |
wolfSSL | 15:117db924cf7c | 3842 | |
wolfSSL | 15:117db924cf7c | 3843 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE) |
wolfSSL | 15:117db924cf7c | 3844 | /* Check that the Cookie data's integrity. |
wolfSSL | 15:117db924cf7c | 3845 | * |
wolfSSL | 15:117db924cf7c | 3846 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3847 | * cookie The cookie data - hash and MAC. |
wolfSSL | 15:117db924cf7c | 3848 | * cookieSz The length of the cookie data in bytes. |
wolfSSL | 15:117db924cf7c | 3849 | * returns Length of the hash on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 3850 | */ |
wolfSSL | 15:117db924cf7c | 3851 | static int CheckCookie(WOLFSSL* ssl, byte* cookie, byte cookieSz) |
wolfSSL | 15:117db924cf7c | 3852 | { |
wolfSSL | 15:117db924cf7c | 3853 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 3854 | byte mac[WC_MAX_DIGEST_SIZE] = {0}; |
wolfSSL | 15:117db924cf7c | 3855 | Hmac cookieHmac; |
wolfSSL | 16:8e0d178b1d1e | 3856 | byte cookieType = 0; |
wolfSSL | 16:8e0d178b1d1e | 3857 | byte macSz = 0; |
wolfSSL | 15:117db924cf7c | 3858 | |
wolfSSL | 15:117db924cf7c | 3859 | #if !defined(NO_SHA) && defined(NO_SHA256) |
wolfSSL | 15:117db924cf7c | 3860 | cookieType = SHA; |
wolfSSL | 15:117db924cf7c | 3861 | macSz = WC_SHA_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 3862 | #endif /* NO_SHA */ |
wolfSSL | 15:117db924cf7c | 3863 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 3864 | cookieType = WC_SHA256; |
wolfSSL | 15:117db924cf7c | 3865 | macSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 3866 | #endif /* NO_SHA256 */ |
wolfSSL | 15:117db924cf7c | 3867 | |
wolfSSL | 15:117db924cf7c | 3868 | if (cookieSz < ssl->specs.hash_size + macSz) |
wolfSSL | 15:117db924cf7c | 3869 | return HRR_COOKIE_ERROR; |
wolfSSL | 15:117db924cf7c | 3870 | cookieSz -= macSz; |
wolfSSL | 16:8e0d178b1d1e | 3871 | XMEMSET(&cookieHmac, 0, sizeof(Hmac)); |
wolfSSL | 15:117db924cf7c | 3872 | |
wolfSSL | 15:117db924cf7c | 3873 | ret = wc_HmacSetKey(&cookieHmac, cookieType, |
wolfSSL | 15:117db924cf7c | 3874 | ssl->buffers.tls13CookieSecret.buffer, |
wolfSSL | 15:117db924cf7c | 3875 | ssl->buffers.tls13CookieSecret.length); |
wolfSSL | 15:117db924cf7c | 3876 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 3877 | return ret; |
wolfSSL | 15:117db924cf7c | 3878 | if ((ret = wc_HmacUpdate(&cookieHmac, cookie, cookieSz)) != 0) |
wolfSSL | 15:117db924cf7c | 3879 | return ret; |
wolfSSL | 15:117db924cf7c | 3880 | if ((ret = wc_HmacFinal(&cookieHmac, mac)) != 0) |
wolfSSL | 15:117db924cf7c | 3881 | return ret; |
wolfSSL | 15:117db924cf7c | 3882 | |
wolfSSL | 15:117db924cf7c | 3883 | if (ConstantCompare(cookie + cookieSz, mac, macSz) != 0) |
wolfSSL | 15:117db924cf7c | 3884 | return HRR_COOKIE_ERROR; |
wolfSSL | 15:117db924cf7c | 3885 | return cookieSz; |
wolfSSL | 15:117db924cf7c | 3886 | } |
wolfSSL | 15:117db924cf7c | 3887 | |
wolfSSL | 15:117db924cf7c | 3888 | /* Length of the KeyShare Extension */ |
wolfSSL | 15:117db924cf7c | 3889 | #define HRR_KEY_SHARE_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3890 | /* Length of the Supported Vresions Extension */ |
wolfSSL | 15:117db924cf7c | 3891 | #define HRR_VERSIONS_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3892 | /* Length of the Cookie Extension excluding cookie data */ |
wolfSSL | 15:117db924cf7c | 3893 | #define HRR_COOKIE_HDR_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3894 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3895 | /* PV | CipherSuite | Ext Len */ |
wolfSSL | 15:117db924cf7c | 3896 | #define HRR_BODY_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3897 | /* HH | PV | CipherSuite | Ext Len | Key Share | Cookie */ |
wolfSSL | 15:117db924cf7c | 3898 | #define MAX_HRR_SZ (HANDSHAKE_HEADER_SZ + \ |
wolfSSL | 15:117db924cf7c | 3899 | HRR_BODY_SZ + \ |
wolfSSL | 15:117db924cf7c | 3900 | HRR_KEY_SHARE_SZ + \ |
wolfSSL | 15:117db924cf7c | 3901 | HRR_COOKIE_HDR_SZ) |
wolfSSL | 15:117db924cf7c | 3902 | #else |
wolfSSL | 15:117db924cf7c | 3903 | /* PV | Random | Session Id | CipherSuite | Compression | Ext Len */ |
wolfSSL | 15:117db924cf7c | 3904 | #define HRR_BODY_SZ (VERSION_SZ + RAN_LEN + ENUM_LEN + ID_LEN + \ |
wolfSSL | 15:117db924cf7c | 3905 | SUITE_LEN + COMP_LEN + OPAQUE16_LEN) |
wolfSSL | 15:117db924cf7c | 3906 | /* HH | PV | CipherSuite | Ext Len | Key Share | Supported Version | Cookie */ |
wolfSSL | 15:117db924cf7c | 3907 | #define MAX_HRR_SZ (HANDSHAKE_HEADER_SZ + \ |
wolfSSL | 15:117db924cf7c | 3908 | HRR_BODY_SZ + \ |
wolfSSL | 15:117db924cf7c | 3909 | HRR_KEY_SHARE_SZ + \ |
wolfSSL | 15:117db924cf7c | 3910 | HRR_VERSIONS_SZ + \ |
wolfSSL | 15:117db924cf7c | 3911 | HRR_COOKIE_HDR_SZ) |
wolfSSL | 15:117db924cf7c | 3912 | #endif |
wolfSSL | 15:117db924cf7c | 3913 | |
wolfSSL | 16:8e0d178b1d1e | 3914 | /* Restart the handshake hash from the cookie value. |
wolfSSL | 15:117db924cf7c | 3915 | * |
wolfSSL | 15:117db924cf7c | 3916 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 3917 | * cookie Cookie data from client. |
wolfSSL | 15:117db924cf7c | 3918 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 3919 | */ |
wolfSSL | 15:117db924cf7c | 3920 | static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie) |
wolfSSL | 15:117db924cf7c | 3921 | { |
wolfSSL | 16:8e0d178b1d1e | 3922 | byte header[HANDSHAKE_HEADER_SZ] = {0}; |
wolfSSL | 16:8e0d178b1d1e | 3923 | byte hrr[MAX_HRR_SZ] = {0}; |
wolfSSL | 15:117db924cf7c | 3924 | int hrrIdx; |
wolfSSL | 15:117db924cf7c | 3925 | word32 idx; |
wolfSSL | 15:117db924cf7c | 3926 | byte hashSz; |
wolfSSL | 15:117db924cf7c | 3927 | byte* cookieData; |
wolfSSL | 15:117db924cf7c | 3928 | byte cookieDataSz; |
wolfSSL | 15:117db924cf7c | 3929 | word16 length; |
wolfSSL | 15:117db924cf7c | 3930 | int keyShareExt = 0; |
wolfSSL | 15:117db924cf7c | 3931 | int ret; |
wolfSSL | 15:117db924cf7c | 3932 | |
wolfSSL | 15:117db924cf7c | 3933 | cookieDataSz = ret = CheckCookie(ssl, &cookie->data, cookie->len); |
wolfSSL | 15:117db924cf7c | 3934 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 3935 | return ret; |
wolfSSL | 15:117db924cf7c | 3936 | hashSz = cookie->data; |
wolfSSL | 15:117db924cf7c | 3937 | cookieData = &cookie->data; |
wolfSSL | 15:117db924cf7c | 3938 | idx = OPAQUE8_LEN; |
wolfSSL | 15:117db924cf7c | 3939 | |
wolfSSL | 15:117db924cf7c | 3940 | /* Restart handshake hash with synthetic message hash. */ |
wolfSSL | 15:117db924cf7c | 3941 | AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl); |
wolfSSL | 15:117db924cf7c | 3942 | if ((ret = InitHandshakeHashes(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 3943 | return ret; |
wolfSSL | 15:117db924cf7c | 3944 | if ((ret = HashOutputRaw(ssl, header, sizeof(header))) != 0) |
wolfSSL | 15:117db924cf7c | 3945 | return ret; |
wolfSSL | 15:117db924cf7c | 3946 | if ((ret = HashOutputRaw(ssl, cookieData + idx, hashSz)) != 0) |
wolfSSL | 15:117db924cf7c | 3947 | return ret; |
wolfSSL | 15:117db924cf7c | 3948 | |
wolfSSL | 15:117db924cf7c | 3949 | /* Reconstruct the HelloRetryMessage for handshake hash. */ |
wolfSSL | 15:117db924cf7c | 3950 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3951 | length = HRR_BODY_SZ + HRR_COOKIE_HDR_SZ + cookie->len; |
wolfSSL | 15:117db924cf7c | 3952 | #else |
wolfSSL | 15:117db924cf7c | 3953 | length = HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz + |
wolfSSL | 15:117db924cf7c | 3954 | HRR_COOKIE_HDR_SZ + cookie->len; |
wolfSSL | 15:117db924cf7c | 3955 | length += HRR_VERSIONS_SZ; |
wolfSSL | 15:117db924cf7c | 3956 | #endif |
wolfSSL | 15:117db924cf7c | 3957 | if (cookieDataSz > hashSz + OPAQUE16_LEN) { |
wolfSSL | 15:117db924cf7c | 3958 | keyShareExt = 1; |
wolfSSL | 15:117db924cf7c | 3959 | length += HRR_KEY_SHARE_SZ; |
wolfSSL | 15:117db924cf7c | 3960 | } |
wolfSSL | 15:117db924cf7c | 3961 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 3962 | AddTls13HandShakeHeader(hrr, length, 0, 0, hello_retry_request, ssl); |
wolfSSL | 15:117db924cf7c | 3963 | |
wolfSSL | 15:117db924cf7c | 3964 | idx += hashSz; |
wolfSSL | 15:117db924cf7c | 3965 | hrrIdx = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 3966 | /* The negotiated protocol version. */ |
wolfSSL | 15:117db924cf7c | 3967 | hrr[hrrIdx++] = TLS_DRAFT_MAJOR; |
wolfSSL | 15:117db924cf7c | 3968 | hrr[hrrIdx++] = TLS_DRAFT_MINOR; |
wolfSSL | 15:117db924cf7c | 3969 | /* Cipher Suite */ |
wolfSSL | 15:117db924cf7c | 3970 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 3971 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 3972 | |
wolfSSL | 15:117db924cf7c | 3973 | /* Extensions' length */ |
wolfSSL | 15:117db924cf7c | 3974 | length -= HRR_BODY_SZ; |
wolfSSL | 15:117db924cf7c | 3975 | c16toa(length, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 3976 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 3977 | #else |
wolfSSL | 15:117db924cf7c | 3978 | AddTls13HandShakeHeader(hrr, length, 0, 0, server_hello, ssl); |
wolfSSL | 15:117db924cf7c | 3979 | |
wolfSSL | 15:117db924cf7c | 3980 | idx += hashSz; |
wolfSSL | 15:117db924cf7c | 3981 | hrrIdx = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 3982 | |
wolfSSL | 15:117db924cf7c | 3983 | /* The negotiated protocol version. */ |
wolfSSL | 15:117db924cf7c | 3984 | hrr[hrrIdx++] = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 3985 | hrr[hrrIdx++] = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 3986 | |
wolfSSL | 15:117db924cf7c | 3987 | /* HelloRetryRequest message has fixed value for random. */ |
wolfSSL | 15:117db924cf7c | 3988 | XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 3989 | hrrIdx += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 3990 | |
wolfSSL | 15:117db924cf7c | 3991 | hrr[hrrIdx++] = ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 3992 | if (ssl->session.sessionIDSz > 0) { |
wolfSSL | 15:117db924cf7c | 3993 | XMEMCPY(hrr + hrrIdx, ssl->session.sessionID, ssl->session.sessionIDSz); |
wolfSSL | 15:117db924cf7c | 3994 | hrrIdx += ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 3995 | } |
wolfSSL | 15:117db924cf7c | 3996 | |
wolfSSL | 15:117db924cf7c | 3997 | /* Cipher Suite */ |
wolfSSL | 15:117db924cf7c | 3998 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 3999 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 4000 | |
wolfSSL | 15:117db924cf7c | 4001 | /* Compression not supported in TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 4002 | hrr[hrrIdx++] = 0; |
wolfSSL | 15:117db924cf7c | 4003 | |
wolfSSL | 15:117db924cf7c | 4004 | /* Extensions' length */ |
wolfSSL | 15:117db924cf7c | 4005 | length -= HRR_BODY_SZ - ID_LEN + ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 4006 | c16toa(length, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 4007 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 4008 | |
wolfSSL | 15:117db924cf7c | 4009 | #endif |
wolfSSL | 15:117db924cf7c | 4010 | /* Optional KeyShare Extension */ |
wolfSSL | 15:117db924cf7c | 4011 | if (keyShareExt) { |
wolfSSL | 15:117db924cf7c | 4012 | c16toa(TLSX_KEY_SHARE, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 4013 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 4014 | c16toa(OPAQUE16_LEN, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 4015 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 4016 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 4017 | hrr[hrrIdx++] = cookieData[idx++]; |
wolfSSL | 15:117db924cf7c | 4018 | } |
wolfSSL | 15:117db924cf7c | 4019 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4020 | c16toa(TLSX_SUPPORTED_VERSIONS, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 4021 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 4022 | c16toa(OPAQUE16_LEN, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 4023 | hrrIdx += 2; |
wolfSSL | 16:8e0d178b1d1e | 4024 | #ifdef WOLFSSL_TLS13_DRAFT |
wolfSSL | 16:8e0d178b1d1e | 4025 | hrr[hrrIdx++] = TLS_DRAFT_MAJOR; |
wolfSSL | 16:8e0d178b1d1e | 4026 | hrr[hrrIdx++] = TLS_DRAFT_MINOR; |
wolfSSL | 16:8e0d178b1d1e | 4027 | #else |
wolfSSL | 15:117db924cf7c | 4028 | hrr[hrrIdx++] = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 4029 | hrr[hrrIdx++] = ssl->version.minor; |
wolfSSL | 15:117db924cf7c | 4030 | #endif |
wolfSSL | 15:117db924cf7c | 4031 | #endif |
wolfSSL | 15:117db924cf7c | 4032 | /* Mandatory Cookie Extension */ |
wolfSSL | 15:117db924cf7c | 4033 | c16toa(TLSX_COOKIE, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 4034 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 4035 | c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 4036 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 4037 | c16toa(cookie->len, hrr + hrrIdx); |
wolfSSL | 15:117db924cf7c | 4038 | hrrIdx += 2; |
wolfSSL | 15:117db924cf7c | 4039 | |
wolfSSL | 15:117db924cf7c | 4040 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 4041 | WOLFSSL_MSG("Reconstucted HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 4042 | WOLFSSL_BUFFER(hrr, hrrIdx); |
wolfSSL | 15:117db924cf7c | 4043 | WOLFSSL_MSG("Cookie"); |
wolfSSL | 15:117db924cf7c | 4044 | WOLFSSL_BUFFER(cookieData, cookie->len); |
wolfSSL | 15:117db924cf7c | 4045 | #endif |
wolfSSL | 15:117db924cf7c | 4046 | |
wolfSSL | 15:117db924cf7c | 4047 | if ((ret = HashOutputRaw(ssl, hrr, hrrIdx)) != 0) |
wolfSSL | 15:117db924cf7c | 4048 | return ret; |
wolfSSL | 15:117db924cf7c | 4049 | return HashOutputRaw(ssl, cookieData, cookie->len); |
wolfSSL | 15:117db924cf7c | 4050 | } |
wolfSSL | 15:117db924cf7c | 4051 | #endif |
wolfSSL | 15:117db924cf7c | 4052 | |
wolfSSL | 16:8e0d178b1d1e | 4053 | /* Do SupportedVersion extension for TLS v1.3+ otherwise it is not. |
wolfSSL | 16:8e0d178b1d1e | 4054 | * |
wolfSSL | 16:8e0d178b1d1e | 4055 | * ssl The SSL/TLS object. |
wolfSSL | 16:8e0d178b1d1e | 4056 | * input The message buffer. |
wolfSSL | 16:8e0d178b1d1e | 4057 | * i The index into the message buffer of ClientHello. |
wolfSSL | 16:8e0d178b1d1e | 4058 | * helloSz The length of the current handshake message. |
wolfSSL | 16:8e0d178b1d1e | 4059 | * returns 0 on success and otherwise failure. |
wolfSSL | 16:8e0d178b1d1e | 4060 | */ |
wolfSSL | 16:8e0d178b1d1e | 4061 | static int DoTls13SupportedVersions(WOLFSSL* ssl, const byte* input, word32 i, |
wolfSSL | 16:8e0d178b1d1e | 4062 | word32 helloSz, int* wantDowngrade) |
wolfSSL | 16:8e0d178b1d1e | 4063 | { |
wolfSSL | 16:8e0d178b1d1e | 4064 | int ret; |
wolfSSL | 16:8e0d178b1d1e | 4065 | byte b; |
wolfSSL | 16:8e0d178b1d1e | 4066 | word16 suiteSz; |
wolfSSL | 16:8e0d178b1d1e | 4067 | word16 totalExtSz; |
wolfSSL | 16:8e0d178b1d1e | 4068 | int foundVersion = 0; |
wolfSSL | 16:8e0d178b1d1e | 4069 | |
wolfSSL | 16:8e0d178b1d1e | 4070 | /* Client random */ |
wolfSSL | 16:8e0d178b1d1e | 4071 | i += RAN_LEN; |
wolfSSL | 16:8e0d178b1d1e | 4072 | /* Session id - not used in TLS v1.3 */ |
wolfSSL | 16:8e0d178b1d1e | 4073 | b = input[i++]; |
wolfSSL | 16:8e0d178b1d1e | 4074 | if (i + b > helloSz) { |
wolfSSL | 16:8e0d178b1d1e | 4075 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4076 | } |
wolfSSL | 16:8e0d178b1d1e | 4077 | i += b; |
wolfSSL | 16:8e0d178b1d1e | 4078 | /* Cipher suites */ |
wolfSSL | 16:8e0d178b1d1e | 4079 | if (i + OPAQUE16_LEN > helloSz) |
wolfSSL | 16:8e0d178b1d1e | 4080 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4081 | ato16(input + i, &suiteSz); |
wolfSSL | 16:8e0d178b1d1e | 4082 | i += OPAQUE16_LEN; |
wolfSSL | 16:8e0d178b1d1e | 4083 | if (i + suiteSz + 1 > helloSz) |
wolfSSL | 16:8e0d178b1d1e | 4084 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4085 | i += suiteSz; |
wolfSSL | 16:8e0d178b1d1e | 4086 | /* Compression */ |
wolfSSL | 16:8e0d178b1d1e | 4087 | b = input[i++]; |
wolfSSL | 16:8e0d178b1d1e | 4088 | if (i + b > helloSz) |
wolfSSL | 16:8e0d178b1d1e | 4089 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4090 | i += b; |
wolfSSL | 16:8e0d178b1d1e | 4091 | |
wolfSSL | 16:8e0d178b1d1e | 4092 | /* TLS 1.3 must have extensions */ |
wolfSSL | 16:8e0d178b1d1e | 4093 | if (i < helloSz) { |
wolfSSL | 16:8e0d178b1d1e | 4094 | if (i + OPAQUE16_LEN > helloSz) |
wolfSSL | 16:8e0d178b1d1e | 4095 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4096 | ato16(&input[i], &totalExtSz); |
wolfSSL | 16:8e0d178b1d1e | 4097 | i += OPAQUE16_LEN; |
wolfSSL | 16:8e0d178b1d1e | 4098 | if (totalExtSz != helloSz - i) |
wolfSSL | 16:8e0d178b1d1e | 4099 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4100 | |
wolfSSL | 16:8e0d178b1d1e | 4101 | /* Need to negotiate version first. */ |
wolfSSL | 16:8e0d178b1d1e | 4102 | if ((ret = TLSX_ParseVersion(ssl, (byte*)input + i, totalExtSz, |
wolfSSL | 16:8e0d178b1d1e | 4103 | client_hello, &foundVersion))) { |
wolfSSL | 16:8e0d178b1d1e | 4104 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4105 | } |
wolfSSL | 16:8e0d178b1d1e | 4106 | } |
wolfSSL | 16:8e0d178b1d1e | 4107 | *wantDowngrade = !foundVersion || !IsAtLeastTLSv1_3(ssl->version); |
wolfSSL | 16:8e0d178b1d1e | 4108 | |
wolfSSL | 16:8e0d178b1d1e | 4109 | return 0; |
wolfSSL | 16:8e0d178b1d1e | 4110 | } |
wolfSSL | 16:8e0d178b1d1e | 4111 | |
wolfSSL | 15:117db924cf7c | 4112 | /* Handle a ClientHello handshake message. |
wolfSSL | 15:117db924cf7c | 4113 | * If the protocol version in the message is not TLS v1.3 or higher, use |
wolfSSL | 15:117db924cf7c | 4114 | * DoClientHello() |
wolfSSL | 15:117db924cf7c | 4115 | * Only a server will receive this message. |
wolfSSL | 15:117db924cf7c | 4116 | * |
wolfSSL | 15:117db924cf7c | 4117 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4118 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 4119 | * inOutIdx On entry, the index into the message buffer of ClientHello. |
wolfSSL | 15:117db924cf7c | 4120 | * On exit, the index of byte after the ClientHello message and |
wolfSSL | 15:117db924cf7c | 4121 | * padding. |
wolfSSL | 15:117db924cf7c | 4122 | * helloSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 4123 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 4124 | */ |
wolfSSL | 15:117db924cf7c | 4125 | int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 4126 | word32 helloSz) |
wolfSSL | 15:117db924cf7c | 4127 | { |
wolfSSL | 15:117db924cf7c | 4128 | int ret = VERSION_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4129 | byte b = 0; |
wolfSSL | 15:117db924cf7c | 4130 | ProtocolVersion pv; |
wolfSSL | 15:117db924cf7c | 4131 | Suites clSuites; |
wolfSSL | 15:117db924cf7c | 4132 | word32 i = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 4133 | word32 begin = i; |
wolfSSL | 15:117db924cf7c | 4134 | word16 totalExtSz = 0; |
wolfSSL | 15:117db924cf7c | 4135 | int usingPSK = 0; |
wolfSSL | 16:8e0d178b1d1e | 4136 | byte sessIdSz = 0; |
wolfSSL | 16:8e0d178b1d1e | 4137 | int wantDowngrade = 0; |
wolfSSL | 15:117db924cf7c | 4138 | |
wolfSSL | 15:117db924cf7c | 4139 | WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO); |
wolfSSL | 15:117db924cf7c | 4140 | WOLFSSL_ENTER("DoTls13ClientHello"); |
wolfSSL | 15:117db924cf7c | 4141 | |
wolfSSL | 16:8e0d178b1d1e | 4142 | XMEMSET(&pv, 0, sizeof(ProtocolVersion)); |
wolfSSL | 16:8e0d178b1d1e | 4143 | XMEMSET(&clSuites, 0, sizeof(Suites)); |
wolfSSL | 16:8e0d178b1d1e | 4144 | |
wolfSSL | 15:117db924cf7c | 4145 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 4146 | if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); |
wolfSSL | 15:117db924cf7c | 4147 | if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 4148 | #endif |
wolfSSL | 15:117db924cf7c | 4149 | |
wolfSSL | 15:117db924cf7c | 4150 | /* protocol version, random and session id length check */ |
wolfSSL | 15:117db924cf7c | 4151 | if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 4152 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 4153 | |
wolfSSL | 15:117db924cf7c | 4154 | /* Protocol version */ |
wolfSSL | 15:117db924cf7c | 4155 | XMEMCPY(&pv, input + i, OPAQUE16_LEN); |
wolfSSL | 15:117db924cf7c | 4156 | ssl->chVersion = pv; /* store */ |
wolfSSL | 15:117db924cf7c | 4157 | i += OPAQUE16_LEN; |
wolfSSL | 16:8e0d178b1d1e | 4158 | if (pv.major < SSLv3_MAJOR) { |
wolfSSL | 16:8e0d178b1d1e | 4159 | WOLFSSL_MSG("Legacy version field contains unsupported value"); |
wolfSSL | 16:8e0d178b1d1e | 4160 | #ifdef WOLFSSL_MYSQL_COMPATIBLE |
wolfSSL | 16:8e0d178b1d1e | 4161 | SendAlert(ssl, alert_fatal, wc_protocol_version); |
wolfSSL | 16:8e0d178b1d1e | 4162 | #else |
wolfSSL | 16:8e0d178b1d1e | 4163 | SendAlert(ssl, alert_fatal, protocol_version); |
wolfSSL | 16:8e0d178b1d1e | 4164 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4165 | return INVALID_PARAMETER; |
wolfSSL | 16:8e0d178b1d1e | 4166 | } |
wolfSSL | 15:117db924cf7c | 4167 | /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */ |
wolfSSL | 16:8e0d178b1d1e | 4168 | if (pv.major > SSLv3_MAJOR || (pv.major == SSLv3_MAJOR && |
wolfSSL | 16:8e0d178b1d1e | 4169 | pv.minor >= TLSv1_3_MINOR)) { |
wolfSSL | 16:8e0d178b1d1e | 4170 | pv.major = SSLv3_MAJOR; |
wolfSSL | 15:117db924cf7c | 4171 | pv.minor = TLSv1_2_MINOR; |
wolfSSL | 16:8e0d178b1d1e | 4172 | wantDowngrade = 1; |
wolfSSL | 16:8e0d178b1d1e | 4173 | ssl->version.minor = pv.minor; |
wolfSSL | 16:8e0d178b1d1e | 4174 | } |
wolfSSL | 16:8e0d178b1d1e | 4175 | /* Legacy version must be [ SSLv3_MAJOR, TLSv1_2_MINOR ] for TLS v1.3 */ |
wolfSSL | 16:8e0d178b1d1e | 4176 | else if (pv.major == SSLv3_MAJOR && pv.minor < TLSv1_2_MINOR) { |
wolfSSL | 16:8e0d178b1d1e | 4177 | wantDowngrade = 1; |
wolfSSL | 16:8e0d178b1d1e | 4178 | ssl->version.minor = pv.minor; |
wolfSSL | 16:8e0d178b1d1e | 4179 | } |
wolfSSL | 16:8e0d178b1d1e | 4180 | else { |
wolfSSL | 16:8e0d178b1d1e | 4181 | ret = DoTls13SupportedVersions(ssl, input + begin, i - begin, helloSz, |
wolfSSL | 16:8e0d178b1d1e | 4182 | &wantDowngrade); |
wolfSSL | 16:8e0d178b1d1e | 4183 | if (ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 4184 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4185 | } |
wolfSSL | 16:8e0d178b1d1e | 4186 | if (wantDowngrade) { |
wolfSSL | 15:117db924cf7c | 4187 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 16:8e0d178b1d1e | 4188 | if (!ssl->options.downgrade) { |
wolfSSL | 16:8e0d178b1d1e | 4189 | WOLFSSL_MSG("Client trying to connect with lesser version than " |
wolfSSL | 16:8e0d178b1d1e | 4190 | "TLS v1.3"); |
wolfSSL | 16:8e0d178b1d1e | 4191 | return VERSION_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4192 | } |
wolfSSL | 16:8e0d178b1d1e | 4193 | |
wolfSSL | 16:8e0d178b1d1e | 4194 | if (pv.minor < ssl->options.minDowngrade) |
wolfSSL | 16:8e0d178b1d1e | 4195 | return VERSION_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4196 | |
wolfSSL | 16:8e0d178b1d1e | 4197 | if ((ret = HashInput(ssl, input + begin, helloSz)) != 0) |
wolfSSL | 16:8e0d178b1d1e | 4198 | return ret; |
wolfSSL | 15:117db924cf7c | 4199 | return DoClientHello(ssl, input, inOutIdx, helloSz); |
wolfSSL | 16:8e0d178b1d1e | 4200 | #else |
wolfSSL | 16:8e0d178b1d1e | 4201 | WOLFSSL_MSG("Client trying to connect with lesser version than " |
wolfSSL | 16:8e0d178b1d1e | 4202 | "TLS v1.3"); |
wolfSSL | 16:8e0d178b1d1e | 4203 | return VERSION_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4204 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4205 | } |
wolfSSL | 15:117db924cf7c | 4206 | |
wolfSSL | 15:117db924cf7c | 4207 | /* Client random */ |
wolfSSL | 15:117db924cf7c | 4208 | XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 4209 | i += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 4210 | |
wolfSSL | 15:117db924cf7c | 4211 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 4212 | WOLFSSL_MSG("client random"); |
wolfSSL | 15:117db924cf7c | 4213 | WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 4214 | #endif |
wolfSSL | 15:117db924cf7c | 4215 | |
wolfSSL | 15:117db924cf7c | 4216 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4217 | /* Session id - empty in TLS v1.3 */ |
wolfSSL | 15:117db924cf7c | 4218 | sessIdSz = input[i++]; |
wolfSSL | 15:117db924cf7c | 4219 | if (sessIdSz > 0 && !ssl->options.downgrade) { |
wolfSSL | 15:117db924cf7c | 4220 | WOLFSSL_MSG("Client sent session id - not supported"); |
wolfSSL | 15:117db924cf7c | 4221 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 4222 | } |
wolfSSL | 15:117db924cf7c | 4223 | #else |
wolfSSL | 15:117db924cf7c | 4224 | sessIdSz = input[i++]; |
wolfSSL | 15:117db924cf7c | 4225 | if (sessIdSz != ID_LEN && sessIdSz != 0) |
wolfSSL | 15:117db924cf7c | 4226 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 4227 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4228 | |
wolfSSL | 16:8e0d178b1d1e | 4229 | if (sessIdSz + i > helloSz) { |
wolfSSL | 16:8e0d178b1d1e | 4230 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4231 | } |
wolfSSL | 16:8e0d178b1d1e | 4232 | |
wolfSSL | 15:117db924cf7c | 4233 | ssl->session.sessionIDSz = sessIdSz; |
wolfSSL | 15:117db924cf7c | 4234 | if (sessIdSz == ID_LEN) { |
wolfSSL | 15:117db924cf7c | 4235 | XMEMCPY(ssl->session.sessionID, input + i, sessIdSz); |
wolfSSL | 15:117db924cf7c | 4236 | i += ID_LEN; |
wolfSSL | 15:117db924cf7c | 4237 | } |
wolfSSL | 15:117db924cf7c | 4238 | |
wolfSSL | 15:117db924cf7c | 4239 | /* Cipher suites */ |
wolfSSL | 15:117db924cf7c | 4240 | if ((i - begin) + OPAQUE16_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 4241 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 4242 | ato16(&input[i], &clSuites.suiteSz); |
wolfSSL | 15:117db924cf7c | 4243 | i += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 4244 | /* suites and compression length check */ |
wolfSSL | 15:117db924cf7c | 4245 | if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) |
wolfSSL | 15:117db924cf7c | 4246 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 4247 | if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) |
wolfSSL | 15:117db924cf7c | 4248 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 4249 | XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz); |
wolfSSL | 15:117db924cf7c | 4250 | i += clSuites.suiteSz; |
wolfSSL | 15:117db924cf7c | 4251 | clSuites.hashSigAlgoSz = 0; |
wolfSSL | 15:117db924cf7c | 4252 | |
wolfSSL | 16:8e0d178b1d1e | 4253 | #ifdef HAVE_SERVER_RENEGOTIATION_INFO |
wolfSSL | 16:8e0d178b1d1e | 4254 | ret = FindSuite(&clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV); |
wolfSSL | 16:8e0d178b1d1e | 4255 | if (ret == SUITES_ERROR) |
wolfSSL | 16:8e0d178b1d1e | 4256 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4257 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 4258 | TLSX* extension; |
wolfSSL | 16:8e0d178b1d1e | 4259 | |
wolfSSL | 16:8e0d178b1d1e | 4260 | /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */ |
wolfSSL | 16:8e0d178b1d1e | 4261 | ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap); |
wolfSSL | 16:8e0d178b1d1e | 4262 | if (ret != WOLFSSL_SUCCESS) |
wolfSSL | 16:8e0d178b1d1e | 4263 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4264 | |
wolfSSL | 16:8e0d178b1d1e | 4265 | extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO); |
wolfSSL | 16:8e0d178b1d1e | 4266 | if (extension) { |
wolfSSL | 16:8e0d178b1d1e | 4267 | ssl->secure_renegotiation = (SecureRenegotiation*)extension->data; |
wolfSSL | 16:8e0d178b1d1e | 4268 | ssl->secure_renegotiation->enabled = 1; |
wolfSSL | 16:8e0d178b1d1e | 4269 | } |
wolfSSL | 16:8e0d178b1d1e | 4270 | } |
wolfSSL | 16:8e0d178b1d1e | 4271 | #endif /* HAVE_SERVER_RENEGOTIATION_INFO */ |
wolfSSL | 16:8e0d178b1d1e | 4272 | |
wolfSSL | 15:117db924cf7c | 4273 | /* Compression */ |
wolfSSL | 15:117db924cf7c | 4274 | b = input[i++]; |
wolfSSL | 15:117db924cf7c | 4275 | if ((i - begin) + b > helloSz) |
wolfSSL | 15:117db924cf7c | 4276 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 4277 | if (b != COMP_LEN) { |
wolfSSL | 15:117db924cf7c | 4278 | WOLFSSL_MSG("Must be one compression type in list"); |
wolfSSL | 15:117db924cf7c | 4279 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 4280 | } |
wolfSSL | 15:117db924cf7c | 4281 | b = input[i++]; |
wolfSSL | 15:117db924cf7c | 4282 | if (b != NO_COMPRESSION) { |
wolfSSL | 15:117db924cf7c | 4283 | WOLFSSL_MSG("Must be no compression type in list"); |
wolfSSL | 15:117db924cf7c | 4284 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 4285 | } |
wolfSSL | 15:117db924cf7c | 4286 | |
wolfSSL | 16:8e0d178b1d1e | 4287 | /* Extensions */ |
wolfSSL | 16:8e0d178b1d1e | 4288 | if ((i - begin) == helloSz) |
wolfSSL | 16:8e0d178b1d1e | 4289 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4290 | if ((i - begin) + OPAQUE16_LEN > helloSz) |
wolfSSL | 16:8e0d178b1d1e | 4291 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4292 | |
wolfSSL | 16:8e0d178b1d1e | 4293 | ato16(&input[i], &totalExtSz); |
wolfSSL | 16:8e0d178b1d1e | 4294 | i += OPAQUE16_LEN; |
wolfSSL | 16:8e0d178b1d1e | 4295 | if ((i - begin) + totalExtSz > helloSz) |
wolfSSL | 16:8e0d178b1d1e | 4296 | return BUFFER_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4297 | |
wolfSSL | 16:8e0d178b1d1e | 4298 | /* Auto populate extensions supported unless user defined. */ |
wolfSSL | 16:8e0d178b1d1e | 4299 | if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0) |
wolfSSL | 16:8e0d178b1d1e | 4300 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4301 | |
wolfSSL | 16:8e0d178b1d1e | 4302 | /* Parse extensions */ |
wolfSSL | 16:8e0d178b1d1e | 4303 | if ((ret = TLSX_Parse(ssl, (byte*)input + i, totalExtSz, client_hello, |
wolfSSL | 15:117db924cf7c | 4304 | &clSuites))) { |
wolfSSL | 16:8e0d178b1d1e | 4305 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4306 | } |
wolfSSL | 15:117db924cf7c | 4307 | |
wolfSSL | 15:117db924cf7c | 4308 | #if defined(OPENSSL_ALL) || defined(HAVE_STUNNEL) || defined(WOLFSSL_NGINX) || \ |
wolfSSL | 15:117db924cf7c | 4309 | defined(WOLFSSL_HAPROXY) |
wolfSSL | 15:117db924cf7c | 4310 | if ((ret = SNI_Callback(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 4311 | return ret; |
wolfSSL | 15:117db924cf7c | 4312 | ssl->options.side = WOLFSSL_SERVER_END; |
wolfSSL | 15:117db924cf7c | 4313 | #endif /* OPENSSL_ALL || HAVE_STUNNEL || WOLFSSL_NGINX || WOLFSSL_HAPROXY */ |
wolfSSL | 15:117db924cf7c | 4314 | |
wolfSSL | 15:117db924cf7c | 4315 | i += totalExtSz; |
wolfSSL | 15:117db924cf7c | 4316 | *inOutIdx = i; |
wolfSSL | 15:117db924cf7c | 4317 | |
wolfSSL | 15:117db924cf7c | 4318 | ssl->options.sendVerify = SEND_CERT; |
wolfSSL | 15:117db924cf7c | 4319 | |
wolfSSL | 15:117db924cf7c | 4320 | ssl->options.clientState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 4321 | ssl->options.haveSessionId = 1; |
wolfSSL | 15:117db924cf7c | 4322 | |
wolfSSL | 15:117db924cf7c | 4323 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE) |
wolfSSL | 16:8e0d178b1d1e | 4324 | if (ssl->options.sendCookie && |
wolfSSL | 15:117db924cf7c | 4325 | ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 16:8e0d178b1d1e | 4326 | TLSX* ext; |
wolfSSL | 16:8e0d178b1d1e | 4327 | |
wolfSSL | 16:8e0d178b1d1e | 4328 | if ((ext = TLSX_Find(ssl->extensions, TLSX_COOKIE)) == NULL) |
wolfSSL | 16:8e0d178b1d1e | 4329 | return HRR_COOKIE_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4330 | /* Ensure the cookie came from client and isn't the one in the |
wolfSSL | 16:8e0d178b1d1e | 4331 | * response - HelloRetryRequest. |
wolfSSL | 16:8e0d178b1d1e | 4332 | */ |
wolfSSL | 16:8e0d178b1d1e | 4333 | if (ext->resp == 1) |
wolfSSL | 16:8e0d178b1d1e | 4334 | return HRR_COOKIE_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 4335 | ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data); |
wolfSSL | 16:8e0d178b1d1e | 4336 | if (ret != 0) |
wolfSSL | 16:8e0d178b1d1e | 4337 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4338 | } |
wolfSSL | 16:8e0d178b1d1e | 4339 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4340 | |
wolfSSL | 16:8e0d178b1d1e | 4341 | #if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \ |
wolfSSL | 16:8e0d178b1d1e | 4342 | defined(HAVE_TLS_EXTENSIONS) |
wolfSSL | 16:8e0d178b1d1e | 4343 | if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY) != NULL) { |
wolfSSL | 15:117db924cf7c | 4344 | /* Refine list for PSK processing. */ |
wolfSSL | 15:117db924cf7c | 4345 | RefineSuites(ssl, &clSuites); |
wolfSSL | 15:117db924cf7c | 4346 | |
wolfSSL | 15:117db924cf7c | 4347 | /* Process the Pre-Shared Key extension if present. */ |
wolfSSL | 15:117db924cf7c | 4348 | ret = DoPreSharedKeys(ssl, input + begin, helloSz, &usingPSK); |
wolfSSL | 15:117db924cf7c | 4349 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4350 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4351 | } |
wolfSSL | 16:8e0d178b1d1e | 4352 | else |
wolfSSL | 16:8e0d178b1d1e | 4353 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4354 | { |
wolfSSL | 16:8e0d178b1d1e | 4355 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 16:8e0d178b1d1e | 4356 | ssl->earlyData = no_early_data; |
wolfSSL | 16:8e0d178b1d1e | 4357 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4358 | if ((ret = HashInput(ssl, input + begin, helloSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4359 | return ret; |
wolfSSL | 16:8e0d178b1d1e | 4360 | |
wolfSSL | 16:8e0d178b1d1e | 4361 | } |
wolfSSL | 16:8e0d178b1d1e | 4362 | |
wolfSSL | 16:8e0d178b1d1e | 4363 | if (!usingPSK) { |
wolfSSL | 16:8e0d178b1d1e | 4364 | if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 4365 | WOLFSSL_MSG("Client did not send a KeyShare extension"); |
wolfSSL | 16:8e0d178b1d1e | 4366 | SendAlert(ssl, alert_fatal, missing_extension); |
wolfSSL | 16:8e0d178b1d1e | 4367 | return INCOMPLETE_DATA; |
wolfSSL | 16:8e0d178b1d1e | 4368 | } |
wolfSSL | 16:8e0d178b1d1e | 4369 | if (TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS) == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 4370 | WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension"); |
wolfSSL | 16:8e0d178b1d1e | 4371 | SendAlert(ssl, alert_fatal, missing_extension); |
wolfSSL | 16:8e0d178b1d1e | 4372 | return INCOMPLETE_DATA; |
wolfSSL | 16:8e0d178b1d1e | 4373 | } |
wolfSSL | 16:8e0d178b1d1e | 4374 | |
wolfSSL | 16:8e0d178b1d1e | 4375 | if ((ret = MatchSuite(ssl, &clSuites)) < 0) { |
wolfSSL | 16:8e0d178b1d1e | 4376 | WOLFSSL_MSG("Unsupported cipher suite, ClientHello"); |
wolfSSL | 16:8e0d178b1d1e | 4377 | SendAlert(ssl, alert_fatal, handshake_failure); |
wolfSSL | 15:117db924cf7c | 4378 | return ret; |
wolfSSL | 15:117db924cf7c | 4379 | } |
wolfSSL | 16:8e0d178b1d1e | 4380 | |
wolfSSL | 16:8e0d178b1d1e | 4381 | #ifdef HAVE_NULL_CIPHER |
wolfSSL | 16:8e0d178b1d1e | 4382 | if (ssl->options.cipherSuite0 == ECC_BYTE && |
wolfSSL | 16:8e0d178b1d1e | 4383 | (ssl->options.cipherSuite == TLS_SHA256_SHA256 || |
wolfSSL | 16:8e0d178b1d1e | 4384 | ssl->options.cipherSuite == TLS_SHA384_SHA384)) { |
wolfSSL | 16:8e0d178b1d1e | 4385 | ; |
wolfSSL | 15:117db924cf7c | 4386 | } |
wolfSSL | 16:8e0d178b1d1e | 4387 | else |
wolfSSL | 16:8e0d178b1d1e | 4388 | #endif |
wolfSSL | 15:117db924cf7c | 4389 | /* Check that the negotiated ciphersuite matches protocol version. */ |
wolfSSL | 16:8e0d178b1d1e | 4390 | if (ssl->options.cipherSuite0 != TLS13_BYTE) { |
wolfSSL | 16:8e0d178b1d1e | 4391 | WOLFSSL_MSG("Negotiated ciphersuite from lesser version than " |
wolfSSL | 16:8e0d178b1d1e | 4392 | "TLS v1.3"); |
wolfSSL | 16:8e0d178b1d1e | 4393 | SendAlert(ssl, alert_fatal, handshake_failure); |
wolfSSL | 16:8e0d178b1d1e | 4394 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 4395 | } |
wolfSSL | 15:117db924cf7c | 4396 | |
wolfSSL | 15:117db924cf7c | 4397 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 4398 | if (ssl->options.resuming) { |
wolfSSL | 15:117db924cf7c | 4399 | ssl->options.resuming = 0; |
wolfSSL | 15:117db924cf7c | 4400 | XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size); |
wolfSSL | 15:117db924cf7c | 4401 | } |
wolfSSL | 15:117db924cf7c | 4402 | #endif |
wolfSSL | 15:117db924cf7c | 4403 | |
wolfSSL | 16:8e0d178b1d1e | 4404 | /* Derive early secret for handshake secret. */ |
wolfSSL | 16:8e0d178b1d1e | 4405 | if ((ret = DeriveEarlySecret(ssl)) != 0) |
wolfSSL | 16:8e0d178b1d1e | 4406 | return ret; |
wolfSSL | 15:117db924cf7c | 4407 | } |
wolfSSL | 15:117db924cf7c | 4408 | |
wolfSSL | 15:117db924cf7c | 4409 | WOLFSSL_LEAVE("DoTls13ClientHello", ret); |
wolfSSL | 15:117db924cf7c | 4410 | WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO); |
wolfSSL | 15:117db924cf7c | 4411 | |
wolfSSL | 15:117db924cf7c | 4412 | return ret; |
wolfSSL | 15:117db924cf7c | 4413 | } |
wolfSSL | 15:117db924cf7c | 4414 | |
wolfSSL | 15:117db924cf7c | 4415 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4416 | /* handle generation of TLS 1.3 hello_retry_request (6) */ |
wolfSSL | 15:117db924cf7c | 4417 | /* Send the HelloRetryRequest message to indicate the negotiated protocol |
wolfSSL | 15:117db924cf7c | 4418 | * version and security parameters the server is willing to use. |
wolfSSL | 15:117db924cf7c | 4419 | * Only a server will send this message. |
wolfSSL | 15:117db924cf7c | 4420 | * |
wolfSSL | 15:117db924cf7c | 4421 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4422 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4423 | */ |
wolfSSL | 15:117db924cf7c | 4424 | int SendTls13HelloRetryRequest(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 4425 | { |
wolfSSL | 15:117db924cf7c | 4426 | int ret; |
wolfSSL | 15:117db924cf7c | 4427 | byte* output; |
wolfSSL | 15:117db924cf7c | 4428 | word32 length; |
wolfSSL | 15:117db924cf7c | 4429 | word16 len; |
wolfSSL | 15:117db924cf7c | 4430 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4431 | int sendSz; |
wolfSSL | 15:117db924cf7c | 4432 | |
wolfSSL | 15:117db924cf7c | 4433 | WOLFSSL_ENTER("SendTls13HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 4434 | |
wolfSSL | 15:117db924cf7c | 4435 | /* Get the length of the extensions that will be written. */ |
wolfSSL | 15:117db924cf7c | 4436 | len = 0; |
wolfSSL | 15:117db924cf7c | 4437 | ret = TLSX_GetResponseSize(ssl, hello_retry_request, &len); |
wolfSSL | 15:117db924cf7c | 4438 | /* There must be extensions sent to indicate what client needs to do. */ |
wolfSSL | 15:117db924cf7c | 4439 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4440 | return MISSING_HANDSHAKE_DATA; |
wolfSSL | 15:117db924cf7c | 4441 | |
wolfSSL | 15:117db924cf7c | 4442 | /* Protocol version + Extensions */ |
wolfSSL | 15:117db924cf7c | 4443 | length = OPAQUE16_LEN + len; |
wolfSSL | 15:117db924cf7c | 4444 | sendSz = idx + length; |
wolfSSL | 15:117db924cf7c | 4445 | |
wolfSSL | 15:117db924cf7c | 4446 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4447 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4448 | return ret; |
wolfSSL | 15:117db924cf7c | 4449 | |
wolfSSL | 15:117db924cf7c | 4450 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4451 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4452 | ssl->buffers.outputBuffer.length; |
wolfSSL | 16:8e0d178b1d1e | 4453 | /* Add record and handshake headers. */ |
wolfSSL | 15:117db924cf7c | 4454 | AddTls13Headers(output, length, hello_retry_request, ssl); |
wolfSSL | 15:117db924cf7c | 4455 | |
wolfSSL | 15:117db924cf7c | 4456 | /* The negotiated protocol version. */ |
wolfSSL | 15:117db924cf7c | 4457 | output[idx++] = TLS_DRAFT_MAJOR; |
wolfSSL | 15:117db924cf7c | 4458 | output[idx++] = TLS_DRAFT_MINOR; |
wolfSSL | 15:117db924cf7c | 4459 | |
wolfSSL | 15:117db924cf7c | 4460 | /* Add TLS extensions. */ |
wolfSSL | 15:117db924cf7c | 4461 | ret = TLSX_WriteResponse(ssl, output + idx, hello_retry_request, NULL); |
wolfSSL | 15:117db924cf7c | 4462 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4463 | return ret; |
wolfSSL | 15:117db924cf7c | 4464 | idx += len; |
wolfSSL | 15:117db924cf7c | 4465 | |
wolfSSL | 15:117db924cf7c | 4466 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 4467 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 4468 | AddPacketName(ssl, "HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 4469 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 4470 | AddPacketInfo(ssl, "HelloRetryRequest", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 4471 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 4472 | } |
wolfSSL | 15:117db924cf7c | 4473 | #endif |
wolfSSL | 15:117db924cf7c | 4474 | if ((ret = HashOutput(ssl, output, idx, 0)) != 0) |
wolfSSL | 15:117db924cf7c | 4475 | return ret; |
wolfSSL | 15:117db924cf7c | 4476 | |
wolfSSL | 15:117db924cf7c | 4477 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 4478 | |
wolfSSL | 15:117db924cf7c | 4479 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 4480 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 4481 | |
wolfSSL | 15:117db924cf7c | 4482 | WOLFSSL_LEAVE("SendTls13HelloRetryRequest", ret); |
wolfSSL | 15:117db924cf7c | 4483 | |
wolfSSL | 15:117db924cf7c | 4484 | return ret; |
wolfSSL | 15:117db924cf7c | 4485 | } |
wolfSSL | 15:117db924cf7c | 4486 | #endif /* WOLFSSL_TLS13_DRAFT_18 */ |
wolfSSL | 15:117db924cf7c | 4487 | |
wolfSSL | 15:117db924cf7c | 4488 | /* Send TLS v1.3 ServerHello message to client. |
wolfSSL | 15:117db924cf7c | 4489 | * Only a server will send this message. |
wolfSSL | 15:117db924cf7c | 4490 | * |
wolfSSL | 15:117db924cf7c | 4491 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4492 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4493 | */ |
wolfSSL | 15:117db924cf7c | 4494 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4495 | static |
wolfSSL | 15:117db924cf7c | 4496 | #endif |
wolfSSL | 15:117db924cf7c | 4497 | /* handle generation of TLS 1.3 server_hello (2) */ |
wolfSSL | 15:117db924cf7c | 4498 | int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType) |
wolfSSL | 15:117db924cf7c | 4499 | { |
wolfSSL | 15:117db924cf7c | 4500 | int ret; |
wolfSSL | 15:117db924cf7c | 4501 | byte* output; |
wolfSSL | 15:117db924cf7c | 4502 | word16 length; |
wolfSSL | 15:117db924cf7c | 4503 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4504 | int sendSz; |
wolfSSL | 15:117db924cf7c | 4505 | |
wolfSSL | 15:117db924cf7c | 4506 | WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND); |
wolfSSL | 15:117db924cf7c | 4507 | WOLFSSL_ENTER("SendTls13ServerHello"); |
wolfSSL | 15:117db924cf7c | 4508 | |
wolfSSL | 15:117db924cf7c | 4509 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4510 | if (extMsgType == hello_retry_request) { |
wolfSSL | 16:8e0d178b1d1e | 4511 | WOLFSSL_MSG("wolfSSL Doing HelloRetryRequest"); |
wolfSSL | 15:117db924cf7c | 4512 | if ((ret = RestartHandshakeHash(ssl)) < 0) |
wolfSSL | 15:117db924cf7c | 4513 | return ret; |
wolfSSL | 15:117db924cf7c | 4514 | } |
wolfSSL | 15:117db924cf7c | 4515 | #endif |
wolfSSL | 15:117db924cf7c | 4516 | |
wolfSSL | 15:117db924cf7c | 4517 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4518 | /* Protocol version, server random, cipher suite and extensions. */ |
wolfSSL | 15:117db924cf7c | 4519 | length = VERSION_SZ + RAN_LEN + SUITE_LEN; |
wolfSSL | 15:117db924cf7c | 4520 | ret = TLSX_GetResponseSize(ssl, server_hello, &length); |
wolfSSL | 15:117db924cf7c | 4521 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4522 | return ret; |
wolfSSL | 15:117db924cf7c | 4523 | #else |
wolfSSL | 15:117db924cf7c | 4524 | /* Protocol version, server random, session id, cipher suite, compression |
wolfSSL | 15:117db924cf7c | 4525 | * and extensions. |
wolfSSL | 15:117db924cf7c | 4526 | */ |
wolfSSL | 15:117db924cf7c | 4527 | length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session.sessionIDSz + |
wolfSSL | 15:117db924cf7c | 4528 | SUITE_LEN + COMP_LEN; |
wolfSSL | 15:117db924cf7c | 4529 | ret = TLSX_GetResponseSize(ssl, extMsgType, &length); |
wolfSSL | 15:117db924cf7c | 4530 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4531 | return ret; |
wolfSSL | 15:117db924cf7c | 4532 | #endif |
wolfSSL | 15:117db924cf7c | 4533 | sendSz = idx + length; |
wolfSSL | 15:117db924cf7c | 4534 | |
wolfSSL | 15:117db924cf7c | 4535 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4536 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4537 | return ret; |
wolfSSL | 15:117db924cf7c | 4538 | |
wolfSSL | 15:117db924cf7c | 4539 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4540 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4541 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 4542 | |
wolfSSL | 15:117db924cf7c | 4543 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 4544 | AddTls13Headers(output, length, server_hello, ssl); |
wolfSSL | 15:117db924cf7c | 4545 | |
wolfSSL | 15:117db924cf7c | 4546 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4547 | /* The negotiated protocol version. */ |
wolfSSL | 15:117db924cf7c | 4548 | output[idx++] = TLS_DRAFT_MAJOR; |
wolfSSL | 15:117db924cf7c | 4549 | output[idx++] = TLS_DRAFT_MINOR; |
wolfSSL | 15:117db924cf7c | 4550 | #else |
wolfSSL | 15:117db924cf7c | 4551 | /* The protocol version must be TLS v1.2 for middleboxes. */ |
wolfSSL | 15:117db924cf7c | 4552 | output[idx++] = ssl->version.major; |
wolfSSL | 15:117db924cf7c | 4553 | output[idx++] = TLSv1_2_MINOR; |
wolfSSL | 15:117db924cf7c | 4554 | #endif |
wolfSSL | 15:117db924cf7c | 4555 | |
wolfSSL | 15:117db924cf7c | 4556 | if (extMsgType == server_hello) { |
wolfSSL | 15:117db924cf7c | 4557 | /* Generate server random. */ |
wolfSSL | 15:117db924cf7c | 4558 | if ((ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN)) != 0) |
wolfSSL | 15:117db924cf7c | 4559 | return ret; |
wolfSSL | 15:117db924cf7c | 4560 | } |
wolfSSL | 15:117db924cf7c | 4561 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4562 | else { |
wolfSSL | 15:117db924cf7c | 4563 | /* HelloRetryRequest message has fixed value for random. */ |
wolfSSL | 15:117db924cf7c | 4564 | XMEMCPY(output + idx, helloRetryRequestRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 4565 | } |
wolfSSL | 15:117db924cf7c | 4566 | #endif |
wolfSSL | 15:117db924cf7c | 4567 | /* Store in SSL for debugging. */ |
wolfSSL | 15:117db924cf7c | 4568 | XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 4569 | idx += RAN_LEN; |
wolfSSL | 15:117db924cf7c | 4570 | |
wolfSSL | 15:117db924cf7c | 4571 | #ifdef WOLFSSL_DEBUG_TLS |
wolfSSL | 15:117db924cf7c | 4572 | WOLFSSL_MSG("Server random"); |
wolfSSL | 15:117db924cf7c | 4573 | WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN); |
wolfSSL | 15:117db924cf7c | 4574 | #endif |
wolfSSL | 15:117db924cf7c | 4575 | |
wolfSSL | 15:117db924cf7c | 4576 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4577 | output[idx++] = ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 4578 | if (ssl->session.sessionIDSz > 0) { |
wolfSSL | 15:117db924cf7c | 4579 | XMEMCPY(output + idx, ssl->session.sessionID, ssl->session.sessionIDSz); |
wolfSSL | 15:117db924cf7c | 4580 | idx += ssl->session.sessionIDSz; |
wolfSSL | 15:117db924cf7c | 4581 | } |
wolfSSL | 15:117db924cf7c | 4582 | #endif |
wolfSSL | 15:117db924cf7c | 4583 | |
wolfSSL | 15:117db924cf7c | 4584 | /* Chosen cipher suite */ |
wolfSSL | 15:117db924cf7c | 4585 | output[idx++] = ssl->options.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 4586 | output[idx++] = ssl->options.cipherSuite; |
wolfSSL | 15:117db924cf7c | 4587 | |
wolfSSL | 15:117db924cf7c | 4588 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4589 | /* Compression not supported in TLS v1.3. */ |
wolfSSL | 15:117db924cf7c | 4590 | output[idx++] = 0; |
wolfSSL | 15:117db924cf7c | 4591 | #endif |
wolfSSL | 15:117db924cf7c | 4592 | |
wolfSSL | 15:117db924cf7c | 4593 | /* Extensions */ |
wolfSSL | 15:117db924cf7c | 4594 | ret = TLSX_WriteResponse(ssl, output + idx, extMsgType, NULL); |
wolfSSL | 15:117db924cf7c | 4595 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4596 | return ret; |
wolfSSL | 15:117db924cf7c | 4597 | |
wolfSSL | 15:117db924cf7c | 4598 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 4599 | |
wolfSSL | 15:117db924cf7c | 4600 | if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0) |
wolfSSL | 15:117db924cf7c | 4601 | return ret; |
wolfSSL | 15:117db924cf7c | 4602 | |
wolfSSL | 15:117db924cf7c | 4603 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 4604 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 4605 | AddPacketName(ssl, "ServerHello"); |
wolfSSL | 15:117db924cf7c | 4606 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 4607 | AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 4608 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 4609 | } |
wolfSSL | 15:117db924cf7c | 4610 | #endif |
wolfSSL | 15:117db924cf7c | 4611 | |
wolfSSL | 15:117db924cf7c | 4612 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4613 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 4614 | #else |
wolfSSL | 15:117db924cf7c | 4615 | if (extMsgType == server_hello) |
wolfSSL | 15:117db924cf7c | 4616 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 4617 | #endif |
wolfSSL | 15:117db924cf7c | 4618 | |
wolfSSL | 16:8e0d178b1d1e | 4619 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4620 | if (!ssl->options.groupMessages) |
wolfSSL | 16:8e0d178b1d1e | 4621 | #else |
wolfSSL | 16:8e0d178b1d1e | 4622 | if (!ssl->options.groupMessages || extMsgType != server_hello) |
wolfSSL | 16:8e0d178b1d1e | 4623 | #endif |
wolfSSL | 15:117db924cf7c | 4624 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 4625 | |
wolfSSL | 15:117db924cf7c | 4626 | WOLFSSL_LEAVE("SendTls13ServerHello", ret); |
wolfSSL | 15:117db924cf7c | 4627 | WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND); |
wolfSSL | 15:117db924cf7c | 4628 | |
wolfSSL | 15:117db924cf7c | 4629 | return ret; |
wolfSSL | 15:117db924cf7c | 4630 | } |
wolfSSL | 15:117db924cf7c | 4631 | |
wolfSSL | 15:117db924cf7c | 4632 | /* handle generation of TLS 1.3 encrypted_extensions (8) */ |
wolfSSL | 15:117db924cf7c | 4633 | /* Send the rest of the extensions encrypted under the handshake key. |
wolfSSL | 15:117db924cf7c | 4634 | * This message is always encrypted in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 4635 | * Only a server will send this message. |
wolfSSL | 15:117db924cf7c | 4636 | * |
wolfSSL | 15:117db924cf7c | 4637 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4638 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4639 | */ |
wolfSSL | 15:117db924cf7c | 4640 | static int SendTls13EncryptedExtensions(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 4641 | { |
wolfSSL | 15:117db924cf7c | 4642 | int ret; |
wolfSSL | 15:117db924cf7c | 4643 | byte* output; |
wolfSSL | 15:117db924cf7c | 4644 | word16 length = 0; |
wolfSSL | 15:117db924cf7c | 4645 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4646 | int sendSz; |
wolfSSL | 15:117db924cf7c | 4647 | |
wolfSSL | 15:117db924cf7c | 4648 | WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND); |
wolfSSL | 15:117db924cf7c | 4649 | WOLFSSL_ENTER("SendTls13EncryptedExtensions"); |
wolfSSL | 15:117db924cf7c | 4650 | |
wolfSSL | 15:117db924cf7c | 4651 | ssl->keys.encryptionOn = 1; |
wolfSSL | 15:117db924cf7c | 4652 | |
wolfSSL | 15:117db924cf7c | 4653 | #ifndef WOLFSSL_NO_SERVER_GROUPS_EXT |
wolfSSL | 15:117db924cf7c | 4654 | if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 4655 | return ret; |
wolfSSL | 15:117db924cf7c | 4656 | #endif |
wolfSSL | 15:117db924cf7c | 4657 | |
wolfSSL | 15:117db924cf7c | 4658 | /* Derive the handshake secret now that we are at first message to be |
wolfSSL | 15:117db924cf7c | 4659 | * encrypted under the keys. |
wolfSSL | 15:117db924cf7c | 4660 | */ |
wolfSSL | 15:117db924cf7c | 4661 | if ((ret = DeriveHandshakeSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 4662 | return ret; |
wolfSSL | 15:117db924cf7c | 4663 | if ((ret = DeriveTls13Keys(ssl, handshake_key, |
wolfSSL | 15:117db924cf7c | 4664 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) |
wolfSSL | 15:117db924cf7c | 4665 | return ret; |
wolfSSL | 15:117db924cf7c | 4666 | |
wolfSSL | 15:117db924cf7c | 4667 | /* Setup encrypt/decrypt keys for following messages. */ |
wolfSSL | 15:117db924cf7c | 4668 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 4669 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 4670 | return ret; |
wolfSSL | 15:117db924cf7c | 4671 | if (ssl->earlyData != process_early_data) { |
wolfSSL | 15:117db924cf7c | 4672 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 4673 | return ret; |
wolfSSL | 15:117db924cf7c | 4674 | } |
wolfSSL | 15:117db924cf7c | 4675 | #else |
wolfSSL | 15:117db924cf7c | 4676 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0) |
wolfSSL | 15:117db924cf7c | 4677 | return ret; |
wolfSSL | 15:117db924cf7c | 4678 | #endif |
wolfSSL | 15:117db924cf7c | 4679 | |
wolfSSL | 15:117db924cf7c | 4680 | ret = TLSX_GetResponseSize(ssl, encrypted_extensions, &length); |
wolfSSL | 15:117db924cf7c | 4681 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4682 | return ret; |
wolfSSL | 15:117db924cf7c | 4683 | |
wolfSSL | 15:117db924cf7c | 4684 | sendSz = idx + length; |
wolfSSL | 15:117db924cf7c | 4685 | /* Encryption always on. */ |
wolfSSL | 15:117db924cf7c | 4686 | sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 4687 | |
wolfSSL | 15:117db924cf7c | 4688 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4689 | ret = CheckAvailableSize(ssl, sendSz); |
wolfSSL | 15:117db924cf7c | 4690 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4691 | return ret; |
wolfSSL | 15:117db924cf7c | 4692 | |
wolfSSL | 15:117db924cf7c | 4693 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4694 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4695 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 4696 | |
wolfSSL | 15:117db924cf7c | 4697 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 4698 | AddTls13Headers(output, length, encrypted_extensions, ssl); |
wolfSSL | 15:117db924cf7c | 4699 | |
wolfSSL | 15:117db924cf7c | 4700 | ret = TLSX_WriteResponse(ssl, output + idx, encrypted_extensions, NULL); |
wolfSSL | 15:117db924cf7c | 4701 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4702 | return ret; |
wolfSSL | 15:117db924cf7c | 4703 | idx += length; |
wolfSSL | 15:117db924cf7c | 4704 | |
wolfSSL | 15:117db924cf7c | 4705 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 4706 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 4707 | AddPacketName(ssl, "EncryptedExtensions"); |
wolfSSL | 15:117db924cf7c | 4708 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 4709 | AddPacketInfo(ssl, "EncryptedExtensions", handshake, output, |
wolfSSL | 15:117db924cf7c | 4710 | sendSz, WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 4711 | } |
wolfSSL | 15:117db924cf7c | 4712 | #endif |
wolfSSL | 15:117db924cf7c | 4713 | |
wolfSSL | 15:117db924cf7c | 4714 | /* This handshake message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 4715 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 4716 | idx - RECORD_HEADER_SZ, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 4717 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 4718 | return sendSz; |
wolfSSL | 15:117db924cf7c | 4719 | |
wolfSSL | 15:117db924cf7c | 4720 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 4721 | |
wolfSSL | 15:117db924cf7c | 4722 | ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE; |
wolfSSL | 15:117db924cf7c | 4723 | |
wolfSSL | 15:117db924cf7c | 4724 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 4725 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 4726 | |
wolfSSL | 15:117db924cf7c | 4727 | WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret); |
wolfSSL | 15:117db924cf7c | 4728 | WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND); |
wolfSSL | 15:117db924cf7c | 4729 | |
wolfSSL | 15:117db924cf7c | 4730 | return ret; |
wolfSSL | 15:117db924cf7c | 4731 | } |
wolfSSL | 15:117db924cf7c | 4732 | |
wolfSSL | 15:117db924cf7c | 4733 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 4734 | /* handle generation TLS v1.3 certificate_request (13) */ |
wolfSSL | 15:117db924cf7c | 4735 | /* Send the TLS v1.3 CertificateRequest message. |
wolfSSL | 15:117db924cf7c | 4736 | * This message is always encrypted in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 4737 | * Only a server will send this message. |
wolfSSL | 15:117db924cf7c | 4738 | * |
wolfSSL | 15:117db924cf7c | 4739 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4740 | * reqCtx Request context. |
wolfSSL | 15:117db924cf7c | 4741 | * reqCtxLen Length of context. 0 when sending as part of handshake. |
wolfSSL | 15:117db924cf7c | 4742 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 4743 | */ |
wolfSSL | 15:117db924cf7c | 4744 | static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx, |
wolfSSL | 15:117db924cf7c | 4745 | int reqCtxLen) |
wolfSSL | 15:117db924cf7c | 4746 | { |
wolfSSL | 15:117db924cf7c | 4747 | byte* output; |
wolfSSL | 15:117db924cf7c | 4748 | int ret; |
wolfSSL | 15:117db924cf7c | 4749 | int sendSz; |
wolfSSL | 15:117db924cf7c | 4750 | word32 i; |
wolfSSL | 15:117db924cf7c | 4751 | word16 reqSz; |
wolfSSL | 15:117db924cf7c | 4752 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4753 | TLSX* ext; |
wolfSSL | 15:117db924cf7c | 4754 | #endif |
wolfSSL | 15:117db924cf7c | 4755 | |
wolfSSL | 15:117db924cf7c | 4756 | WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND); |
wolfSSL | 15:117db924cf7c | 4757 | WOLFSSL_ENTER("SendTls13CertificateRequest"); |
wolfSSL | 15:117db924cf7c | 4758 | |
wolfSSL | 15:117db924cf7c | 4759 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 4760 | InitSuitesHashSigAlgo(ssl->suites, 1, 1, 0, 1, ssl->buffers.keySz); |
wolfSSL | 15:117db924cf7c | 4761 | |
wolfSSL | 15:117db924cf7c | 4762 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 4763 | i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4764 | reqSz = OPAQUE8_LEN + reqCtxLen + REQ_HEADER_SZ + REQ_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4765 | reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz; |
wolfSSL | 15:117db924cf7c | 4766 | |
wolfSSL | 15:117db924cf7c | 4767 | sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz; |
wolfSSL | 15:117db924cf7c | 4768 | /* Always encrypted and make room for padding. */ |
wolfSSL | 15:117db924cf7c | 4769 | sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 4770 | |
wolfSSL | 15:117db924cf7c | 4771 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4772 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4773 | return ret; |
wolfSSL | 15:117db924cf7c | 4774 | |
wolfSSL | 15:117db924cf7c | 4775 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4776 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4777 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 4778 | |
wolfSSL | 15:117db924cf7c | 4779 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 4780 | AddTls13Headers(output, reqSz, certificate_request, ssl); |
wolfSSL | 15:117db924cf7c | 4781 | |
wolfSSL | 15:117db924cf7c | 4782 | /* Certificate request context. */ |
wolfSSL | 15:117db924cf7c | 4783 | output[i++] = reqCtxLen; |
wolfSSL | 15:117db924cf7c | 4784 | if (reqCtxLen != 0) { |
wolfSSL | 15:117db924cf7c | 4785 | XMEMCPY(output + i, reqCtx, reqCtxLen); |
wolfSSL | 15:117db924cf7c | 4786 | i += reqCtxLen; |
wolfSSL | 15:117db924cf7c | 4787 | } |
wolfSSL | 15:117db924cf7c | 4788 | |
wolfSSL | 15:117db924cf7c | 4789 | /* supported hash/sig */ |
wolfSSL | 15:117db924cf7c | 4790 | c16toa(ssl->suites->hashSigAlgoSz, &output[i]); |
wolfSSL | 15:117db924cf7c | 4791 | i += LENGTH_SZ; |
wolfSSL | 15:117db924cf7c | 4792 | |
wolfSSL | 15:117db924cf7c | 4793 | XMEMCPY(&output[i], ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz); |
wolfSSL | 15:117db924cf7c | 4794 | i += ssl->suites->hashSigAlgoSz; |
wolfSSL | 15:117db924cf7c | 4795 | |
wolfSSL | 15:117db924cf7c | 4796 | /* Certificate authorities not supported yet - empty buffer. */ |
wolfSSL | 15:117db924cf7c | 4797 | c16toa(0, &output[i]); |
wolfSSL | 15:117db924cf7c | 4798 | i += REQ_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4799 | |
wolfSSL | 15:117db924cf7c | 4800 | /* Certificate extensions. */ |
wolfSSL | 15:117db924cf7c | 4801 | c16toa(0, &output[i]); /* auth's */ |
wolfSSL | 15:117db924cf7c | 4802 | i += REQ_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4803 | #else |
wolfSSL | 15:117db924cf7c | 4804 | ext = TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS); |
wolfSSL | 15:117db924cf7c | 4805 | if (ext == NULL) |
wolfSSL | 15:117db924cf7c | 4806 | return EXT_MISSING; |
wolfSSL | 15:117db924cf7c | 4807 | ext->resp = 0; |
wolfSSL | 15:117db924cf7c | 4808 | |
wolfSSL | 15:117db924cf7c | 4809 | i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 4810 | reqSz = (word16)(OPAQUE8_LEN + reqCtxLen); |
wolfSSL | 15:117db924cf7c | 4811 | ret = TLSX_GetRequestSize(ssl, certificate_request, &reqSz); |
wolfSSL | 15:117db924cf7c | 4812 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4813 | return ret; |
wolfSSL | 15:117db924cf7c | 4814 | |
wolfSSL | 15:117db924cf7c | 4815 | sendSz = i + reqSz; |
wolfSSL | 15:117db924cf7c | 4816 | /* Always encrypted and make room for padding. */ |
wolfSSL | 15:117db924cf7c | 4817 | sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 4818 | |
wolfSSL | 15:117db924cf7c | 4819 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 4820 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 4821 | return ret; |
wolfSSL | 15:117db924cf7c | 4822 | |
wolfSSL | 15:117db924cf7c | 4823 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 4824 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 4825 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 4826 | |
wolfSSL | 15:117db924cf7c | 4827 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 4828 | AddTls13Headers(output, reqSz, certificate_request, ssl); |
wolfSSL | 15:117db924cf7c | 4829 | |
wolfSSL | 15:117db924cf7c | 4830 | /* Certificate request context. */ |
wolfSSL | 15:117db924cf7c | 4831 | output[i++] = (byte)reqCtxLen; |
wolfSSL | 15:117db924cf7c | 4832 | if (reqCtxLen != 0) { |
wolfSSL | 15:117db924cf7c | 4833 | XMEMCPY(output + i, reqCtx, reqCtxLen); |
wolfSSL | 15:117db924cf7c | 4834 | i += reqCtxLen; |
wolfSSL | 15:117db924cf7c | 4835 | } |
wolfSSL | 15:117db924cf7c | 4836 | |
wolfSSL | 15:117db924cf7c | 4837 | /* Certificate extensions. */ |
wolfSSL | 15:117db924cf7c | 4838 | reqSz = 0; |
wolfSSL | 15:117db924cf7c | 4839 | ret = TLSX_WriteRequest(ssl, output + i, certificate_request, &reqSz); |
wolfSSL | 15:117db924cf7c | 4840 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 4841 | return ret; |
wolfSSL | 15:117db924cf7c | 4842 | i += reqSz; |
wolfSSL | 15:117db924cf7c | 4843 | #endif |
wolfSSL | 15:117db924cf7c | 4844 | |
wolfSSL | 15:117db924cf7c | 4845 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 4846 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 4847 | i - RECORD_HEADER_SZ, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 4848 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 4849 | return sendSz; |
wolfSSL | 15:117db924cf7c | 4850 | |
wolfSSL | 15:117db924cf7c | 4851 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 4852 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 4853 | AddPacketName(ssl, "CertificateRequest"); |
wolfSSL | 15:117db924cf7c | 4854 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 4855 | AddPacketInfo(ssl, "CertificateRequest", handshake, output, |
wolfSSL | 15:117db924cf7c | 4856 | sendSz, WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 4857 | } |
wolfSSL | 15:117db924cf7c | 4858 | #endif |
wolfSSL | 15:117db924cf7c | 4859 | |
wolfSSL | 15:117db924cf7c | 4860 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 4861 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 4862 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 4863 | |
wolfSSL | 15:117db924cf7c | 4864 | WOLFSSL_LEAVE("SendTls13CertificateRequest", ret); |
wolfSSL | 15:117db924cf7c | 4865 | WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND); |
wolfSSL | 15:117db924cf7c | 4866 | |
wolfSSL | 15:117db924cf7c | 4867 | return ret; |
wolfSSL | 15:117db924cf7c | 4868 | } |
wolfSSL | 15:117db924cf7c | 4869 | #endif /* NO_CERTS */ |
wolfSSL | 15:117db924cf7c | 4870 | #endif /* NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 4871 | |
wolfSSL | 15:117db924cf7c | 4872 | #ifndef NO_CERTS |
wolfSSL | 16:8e0d178b1d1e | 4873 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ |
wolfSSL | 16:8e0d178b1d1e | 4874 | defined(HAVE_ED448) |
wolfSSL | 15:117db924cf7c | 4875 | /* Encode the signature algorithm into buffer. |
wolfSSL | 15:117db924cf7c | 4876 | * |
wolfSSL | 15:117db924cf7c | 4877 | * hashalgo The hash algorithm. |
wolfSSL | 15:117db924cf7c | 4878 | * hsType The signature type. |
wolfSSL | 15:117db924cf7c | 4879 | * output The buffer to encode into. |
wolfSSL | 15:117db924cf7c | 4880 | */ |
wolfSSL | 15:117db924cf7c | 4881 | static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output) |
wolfSSL | 15:117db924cf7c | 4882 | { |
wolfSSL | 15:117db924cf7c | 4883 | switch (hsType) { |
wolfSSL | 15:117db924cf7c | 4884 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 4885 | case ecc_dsa_sa_algo: |
wolfSSL | 15:117db924cf7c | 4886 | output[0] = hashAlgo; |
wolfSSL | 15:117db924cf7c | 4887 | output[1] = ecc_dsa_sa_algo; |
wolfSSL | 15:117db924cf7c | 4888 | break; |
wolfSSL | 15:117db924cf7c | 4889 | #endif |
wolfSSL | 15:117db924cf7c | 4890 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 4891 | /* ED25519: 0x0807 */ |
wolfSSL | 15:117db924cf7c | 4892 | case ed25519_sa_algo: |
wolfSSL | 15:117db924cf7c | 4893 | output[0] = ED25519_SA_MAJOR; |
wolfSSL | 15:117db924cf7c | 4894 | output[1] = ED25519_SA_MINOR; |
wolfSSL | 15:117db924cf7c | 4895 | (void)hashAlgo; |
wolfSSL | 15:117db924cf7c | 4896 | break; |
wolfSSL | 15:117db924cf7c | 4897 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4898 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 4899 | /* ED448: 0x0808 */ |
wolfSSL | 16:8e0d178b1d1e | 4900 | case ed448_sa_algo: |
wolfSSL | 16:8e0d178b1d1e | 4901 | output[0] = ED448_SA_MAJOR; |
wolfSSL | 16:8e0d178b1d1e | 4902 | output[1] = ED448_SA_MINOR; |
wolfSSL | 16:8e0d178b1d1e | 4903 | (void)hashAlgo; |
wolfSSL | 16:8e0d178b1d1e | 4904 | break; |
wolfSSL | 16:8e0d178b1d1e | 4905 | #endif |
wolfSSL | 15:117db924cf7c | 4906 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 4907 | /* PSS signatures: 0x080[4-6] */ |
wolfSSL | 15:117db924cf7c | 4908 | case rsa_pss_sa_algo: |
wolfSSL | 15:117db924cf7c | 4909 | output[0] = rsa_pss_sa_algo; |
wolfSSL | 15:117db924cf7c | 4910 | output[1] = hashAlgo; |
wolfSSL | 15:117db924cf7c | 4911 | break; |
wolfSSL | 15:117db924cf7c | 4912 | #endif |
wolfSSL | 15:117db924cf7c | 4913 | } |
wolfSSL | 15:117db924cf7c | 4914 | } |
wolfSSL | 15:117db924cf7c | 4915 | |
wolfSSL | 15:117db924cf7c | 4916 | /* Decode the signature algorithm. |
wolfSSL | 15:117db924cf7c | 4917 | * |
wolfSSL | 15:117db924cf7c | 4918 | * input The encoded signature algorithm. |
wolfSSL | 15:117db924cf7c | 4919 | * hashalgo The hash algorithm. |
wolfSSL | 16:8e0d178b1d1e | 4920 | * hsType The signature type. |
wolfSSL | 16:8e0d178b1d1e | 4921 | * returns INVALID_PARAMETER if not recognized and 0 otherwise. |
wolfSSL | 15:117db924cf7c | 4922 | */ |
wolfSSL | 16:8e0d178b1d1e | 4923 | static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo, |
wolfSSL | 16:8e0d178b1d1e | 4924 | byte* hsType) |
wolfSSL | 15:117db924cf7c | 4925 | { |
wolfSSL | 16:8e0d178b1d1e | 4926 | int ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 4927 | |
wolfSSL | 15:117db924cf7c | 4928 | switch (input[0]) { |
wolfSSL | 15:117db924cf7c | 4929 | case NEW_SA_MAJOR: |
wolfSSL | 15:117db924cf7c | 4930 | /* PSS signatures: 0x080[4-6] */ |
wolfSSL | 16:8e0d178b1d1e | 4931 | if (input[1] >= sha256_mac && input[1] <= sha512_mac) { |
wolfSSL | 15:117db924cf7c | 4932 | *hsType = input[0]; |
wolfSSL | 15:117db924cf7c | 4933 | *hashAlgo = input[1]; |
wolfSSL | 15:117db924cf7c | 4934 | } |
wolfSSL | 15:117db924cf7c | 4935 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 4936 | /* ED25519: 0x0807 */ |
wolfSSL | 16:8e0d178b1d1e | 4937 | else if (input[1] == ED25519_SA_MINOR) { |
wolfSSL | 15:117db924cf7c | 4938 | *hsType = ed25519_sa_algo; |
wolfSSL | 15:117db924cf7c | 4939 | /* Hash performed as part of sign/verify operation. */ |
wolfSSL | 15:117db924cf7c | 4940 | *hashAlgo = sha512_mac; |
wolfSSL | 15:117db924cf7c | 4941 | } |
wolfSSL | 15:117db924cf7c | 4942 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4943 | #ifdef HAVE_ED448 |
wolfSSL | 15:117db924cf7c | 4944 | /* ED448: 0x0808 */ |
wolfSSL | 16:8e0d178b1d1e | 4945 | else if (input[1] == ED448_SA_MINOR) { |
wolfSSL | 16:8e0d178b1d1e | 4946 | *hsType = ed448_sa_algo; |
wolfSSL | 16:8e0d178b1d1e | 4947 | /* Hash performed as part of sign/verify operation. */ |
wolfSSL | 16:8e0d178b1d1e | 4948 | *hashAlgo = sha512_mac; |
wolfSSL | 16:8e0d178b1d1e | 4949 | } |
wolfSSL | 16:8e0d178b1d1e | 4950 | #endif |
wolfSSL | 16:8e0d178b1d1e | 4951 | else |
wolfSSL | 16:8e0d178b1d1e | 4952 | ret = INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 4953 | break; |
wolfSSL | 15:117db924cf7c | 4954 | default: |
wolfSSL | 15:117db924cf7c | 4955 | *hashAlgo = input[0]; |
wolfSSL | 15:117db924cf7c | 4956 | *hsType = input[1]; |
wolfSSL | 15:117db924cf7c | 4957 | break; |
wolfSSL | 15:117db924cf7c | 4958 | } |
wolfSSL | 16:8e0d178b1d1e | 4959 | |
wolfSSL | 16:8e0d178b1d1e | 4960 | return ret; |
wolfSSL | 15:117db924cf7c | 4961 | } |
wolfSSL | 15:117db924cf7c | 4962 | |
wolfSSL | 15:117db924cf7c | 4963 | /* Get the hash of the messages so far. |
wolfSSL | 15:117db924cf7c | 4964 | * |
wolfSSL | 15:117db924cf7c | 4965 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 4966 | * hash The buffer to write the hash to. |
wolfSSL | 15:117db924cf7c | 4967 | * returns the length of the hash. |
wolfSSL | 15:117db924cf7c | 4968 | */ |
wolfSSL | 15:117db924cf7c | 4969 | static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash) |
wolfSSL | 15:117db924cf7c | 4970 | { |
wolfSSL | 15:117db924cf7c | 4971 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 4972 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 4973 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 4974 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 4975 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
wolfSSL | 15:117db924cf7c | 4976 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4977 | ret = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4978 | break; |
wolfSSL | 15:117db924cf7c | 4979 | #endif /* !NO_SHA256 */ |
wolfSSL | 15:117db924cf7c | 4980 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 4981 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 4982 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
wolfSSL | 15:117db924cf7c | 4983 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4984 | ret = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4985 | break; |
wolfSSL | 15:117db924cf7c | 4986 | #endif /* WOLFSSL_SHA384 */ |
wolfSSL | 15:117db924cf7c | 4987 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 4988 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 4989 | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash); |
wolfSSL | 15:117db924cf7c | 4990 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 4991 | ret = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 4992 | break; |
wolfSSL | 15:117db924cf7c | 4993 | #endif /* WOLFSSL_TLS13_SHA512 */ |
wolfSSL | 15:117db924cf7c | 4994 | } |
wolfSSL | 15:117db924cf7c | 4995 | return ret; |
wolfSSL | 15:117db924cf7c | 4996 | } |
wolfSSL | 15:117db924cf7c | 4997 | |
wolfSSL | 15:117db924cf7c | 4998 | /* The length of the certificate verification label - client and server. */ |
wolfSSL | 15:117db924cf7c | 4999 | #define CERT_VFY_LABEL_SZ 34 |
wolfSSL | 15:117db924cf7c | 5000 | /* The server certificate verification label. */ |
wolfSSL | 15:117db924cf7c | 5001 | static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] = |
wolfSSL | 15:117db924cf7c | 5002 | "TLS 1.3, server CertificateVerify"; |
wolfSSL | 15:117db924cf7c | 5003 | /* The client certificate verification label. */ |
wolfSSL | 15:117db924cf7c | 5004 | static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] = |
wolfSSL | 15:117db924cf7c | 5005 | "TLS 1.3, client CertificateVerify"; |
wolfSSL | 15:117db924cf7c | 5006 | |
wolfSSL | 15:117db924cf7c | 5007 | /* The number of prefix bytes for signature data. */ |
wolfSSL | 15:117db924cf7c | 5008 | #define SIGNING_DATA_PREFIX_SZ 64 |
wolfSSL | 15:117db924cf7c | 5009 | /* The prefix byte in the signature data. */ |
wolfSSL | 15:117db924cf7c | 5010 | #define SIGNING_DATA_PREFIX_BYTE 0x20 |
wolfSSL | 15:117db924cf7c | 5011 | /* Maximum length of the signature data. */ |
wolfSSL | 15:117db924cf7c | 5012 | #define MAX_SIG_DATA_SZ (SIGNING_DATA_PREFIX_SZ + \ |
wolfSSL | 15:117db924cf7c | 5013 | CERT_VFY_LABEL_SZ + \ |
wolfSSL | 15:117db924cf7c | 5014 | WC_MAX_DIGEST_SIZE) |
wolfSSL | 15:117db924cf7c | 5015 | |
wolfSSL | 15:117db924cf7c | 5016 | /* Create the signature data for TLS v1.3 certificate verification. |
wolfSSL | 15:117db924cf7c | 5017 | * |
wolfSSL | 15:117db924cf7c | 5018 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5019 | * sigData The signature data. |
wolfSSL | 15:117db924cf7c | 5020 | * sigDataSz The length of the signature data. |
wolfSSL | 15:117db924cf7c | 5021 | * check Indicates this is a check not create. |
wolfSSL | 15:117db924cf7c | 5022 | */ |
wolfSSL | 15:117db924cf7c | 5023 | static int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz, |
wolfSSL | 15:117db924cf7c | 5024 | int check) |
wolfSSL | 15:117db924cf7c | 5025 | { |
wolfSSL | 15:117db924cf7c | 5026 | word16 idx; |
wolfSSL | 15:117db924cf7c | 5027 | int side = ssl->options.side; |
wolfSSL | 15:117db924cf7c | 5028 | int ret; |
wolfSSL | 15:117db924cf7c | 5029 | |
wolfSSL | 15:117db924cf7c | 5030 | /* Signature Data = Prefix | Label | Handshake Hash */ |
wolfSSL | 15:117db924cf7c | 5031 | XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ); |
wolfSSL | 15:117db924cf7c | 5032 | idx = SIGNING_DATA_PREFIX_SZ; |
wolfSSL | 15:117db924cf7c | 5033 | |
wolfSSL | 15:117db924cf7c | 5034 | if ((side == WOLFSSL_SERVER_END && check) || |
wolfSSL | 15:117db924cf7c | 5035 | (side == WOLFSSL_CLIENT_END && !check)) { |
wolfSSL | 15:117db924cf7c | 5036 | XMEMCPY(&sigData[idx], clientCertVfyLabel, CERT_VFY_LABEL_SZ); |
wolfSSL | 15:117db924cf7c | 5037 | } |
wolfSSL | 15:117db924cf7c | 5038 | if ((side == WOLFSSL_CLIENT_END && check) || |
wolfSSL | 15:117db924cf7c | 5039 | (side == WOLFSSL_SERVER_END && !check)) { |
wolfSSL | 15:117db924cf7c | 5040 | XMEMCPY(&sigData[idx], serverCertVfyLabel, CERT_VFY_LABEL_SZ); |
wolfSSL | 15:117db924cf7c | 5041 | } |
wolfSSL | 15:117db924cf7c | 5042 | idx += CERT_VFY_LABEL_SZ; |
wolfSSL | 15:117db924cf7c | 5043 | |
wolfSSL | 15:117db924cf7c | 5044 | ret = GetMsgHash(ssl, &sigData[idx]); |
wolfSSL | 15:117db924cf7c | 5045 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5046 | return ret; |
wolfSSL | 15:117db924cf7c | 5047 | |
wolfSSL | 15:117db924cf7c | 5048 | *sigDataSz = (word16)(idx + ret); |
wolfSSL | 15:117db924cf7c | 5049 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5050 | |
wolfSSL | 15:117db924cf7c | 5051 | return ret; |
wolfSSL | 15:117db924cf7c | 5052 | } |
wolfSSL | 15:117db924cf7c | 5053 | |
wolfSSL | 15:117db924cf7c | 5054 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5055 | /* Encode the PKCS #1.5 RSA signature. |
wolfSSL | 15:117db924cf7c | 5056 | * |
wolfSSL | 15:117db924cf7c | 5057 | * sig The buffer to place the encoded signature into. |
wolfSSL | 15:117db924cf7c | 5058 | * sigData The data to be signed. |
wolfSSL | 15:117db924cf7c | 5059 | * sigDataSz The size of the data to be signed. |
wolfSSL | 15:117db924cf7c | 5060 | * hashAlgo The hash algorithm to use when signing. |
wolfSSL | 15:117db924cf7c | 5061 | * returns the length of the encoded signature or negative on error. |
wolfSSL | 15:117db924cf7c | 5062 | */ |
wolfSSL | 15:117db924cf7c | 5063 | static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz, |
wolfSSL | 15:117db924cf7c | 5064 | int sigAlgo, int hashAlgo) |
wolfSSL | 15:117db924cf7c | 5065 | { |
wolfSSL | 15:117db924cf7c | 5066 | Digest digest; |
wolfSSL | 15:117db924cf7c | 5067 | int hashSz = 0; |
wolfSSL | 15:117db924cf7c | 5068 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 5069 | byte* hash; |
wolfSSL | 15:117db924cf7c | 5070 | |
wolfSSL | 15:117db924cf7c | 5071 | (void)sigAlgo; |
wolfSSL | 15:117db924cf7c | 5072 | |
wolfSSL | 15:117db924cf7c | 5073 | hash = sig; |
wolfSSL | 15:117db924cf7c | 5074 | |
wolfSSL | 15:117db924cf7c | 5075 | /* Digest the signature data. */ |
wolfSSL | 15:117db924cf7c | 5076 | switch (hashAlgo) { |
wolfSSL | 15:117db924cf7c | 5077 | #ifndef NO_WOLFSSL_SHA256 |
wolfSSL | 15:117db924cf7c | 5078 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 5079 | ret = wc_InitSha256(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 5080 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 5081 | ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 5082 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 5083 | ret = wc_Sha256Final(&digest.sha256, hash); |
wolfSSL | 15:117db924cf7c | 5084 | wc_Sha256Free(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 5085 | } |
wolfSSL | 15:117db924cf7c | 5086 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 5087 | break; |
wolfSSL | 15:117db924cf7c | 5088 | #endif |
wolfSSL | 15:117db924cf7c | 5089 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 5090 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 5091 | ret = wc_InitSha384(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 5092 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 5093 | ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 5094 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 5095 | ret = wc_Sha384Final(&digest.sha384, hash); |
wolfSSL | 15:117db924cf7c | 5096 | wc_Sha384Free(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 5097 | } |
wolfSSL | 15:117db924cf7c | 5098 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 5099 | break; |
wolfSSL | 15:117db924cf7c | 5100 | #endif |
wolfSSL | 15:117db924cf7c | 5101 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 5102 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 5103 | ret = wc_InitSha512(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 5104 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 5105 | ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 5106 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 5107 | ret = wc_Sha512Final(&digest.sha512, hash); |
wolfSSL | 15:117db924cf7c | 5108 | wc_Sha512Free(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 5109 | } |
wolfSSL | 15:117db924cf7c | 5110 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 5111 | break; |
wolfSSL | 15:117db924cf7c | 5112 | #endif |
wolfSSL | 15:117db924cf7c | 5113 | } |
wolfSSL | 15:117db924cf7c | 5114 | |
wolfSSL | 15:117db924cf7c | 5115 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5116 | return ret; |
wolfSSL | 15:117db924cf7c | 5117 | |
wolfSSL | 15:117db924cf7c | 5118 | return hashSz; |
wolfSSL | 15:117db924cf7c | 5119 | } |
wolfSSL | 15:117db924cf7c | 5120 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5121 | |
wolfSSL | 15:117db924cf7c | 5122 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5123 | /* Encode the ECC signature. |
wolfSSL | 15:117db924cf7c | 5124 | * |
wolfSSL | 15:117db924cf7c | 5125 | * sigData The data to be signed. |
wolfSSL | 15:117db924cf7c | 5126 | * sigDataSz The size of the data to be signed. |
wolfSSL | 15:117db924cf7c | 5127 | * hashAlgo The hash algorithm to use when signing. |
wolfSSL | 15:117db924cf7c | 5128 | * returns the length of the encoded signature or negative on error. |
wolfSSL | 15:117db924cf7c | 5129 | */ |
wolfSSL | 15:117db924cf7c | 5130 | static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo) |
wolfSSL | 15:117db924cf7c | 5131 | { |
wolfSSL | 15:117db924cf7c | 5132 | Digest digest; |
wolfSSL | 15:117db924cf7c | 5133 | int hashSz = 0; |
wolfSSL | 15:117db924cf7c | 5134 | int ret = BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 5135 | |
wolfSSL | 15:117db924cf7c | 5136 | /* Digest the signature data. */ |
wolfSSL | 15:117db924cf7c | 5137 | switch (hashAlgo) { |
wolfSSL | 15:117db924cf7c | 5138 | #ifndef NO_WOLFSSL_SHA256 |
wolfSSL | 15:117db924cf7c | 5139 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 5140 | ret = wc_InitSha256(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 5141 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 5142 | ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 5143 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 5144 | ret = wc_Sha256Final(&digest.sha256, sigData); |
wolfSSL | 15:117db924cf7c | 5145 | wc_Sha256Free(&digest.sha256); |
wolfSSL | 15:117db924cf7c | 5146 | } |
wolfSSL | 15:117db924cf7c | 5147 | hashSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 5148 | break; |
wolfSSL | 15:117db924cf7c | 5149 | #endif |
wolfSSL | 15:117db924cf7c | 5150 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 5151 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 5152 | ret = wc_InitSha384(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 5153 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 5154 | ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 5155 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 5156 | ret = wc_Sha384Final(&digest.sha384, sigData); |
wolfSSL | 15:117db924cf7c | 5157 | wc_Sha384Free(&digest.sha384); |
wolfSSL | 15:117db924cf7c | 5158 | } |
wolfSSL | 15:117db924cf7c | 5159 | hashSz = WC_SHA384_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 5160 | break; |
wolfSSL | 15:117db924cf7c | 5161 | #endif |
wolfSSL | 15:117db924cf7c | 5162 | #ifdef WOLFSSL_SHA512 |
wolfSSL | 15:117db924cf7c | 5163 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 5164 | ret = wc_InitSha512(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 5165 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 5166 | ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz); |
wolfSSL | 15:117db924cf7c | 5167 | if (ret == 0) |
wolfSSL | 15:117db924cf7c | 5168 | ret = wc_Sha512Final(&digest.sha512, sigData); |
wolfSSL | 15:117db924cf7c | 5169 | wc_Sha512Free(&digest.sha512); |
wolfSSL | 15:117db924cf7c | 5170 | } |
wolfSSL | 15:117db924cf7c | 5171 | hashSz = WC_SHA512_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 5172 | break; |
wolfSSL | 15:117db924cf7c | 5173 | #endif |
wolfSSL | 15:117db924cf7c | 5174 | } |
wolfSSL | 15:117db924cf7c | 5175 | |
wolfSSL | 15:117db924cf7c | 5176 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5177 | return ret; |
wolfSSL | 15:117db924cf7c | 5178 | |
wolfSSL | 15:117db924cf7c | 5179 | return hashSz; |
wolfSSL | 15:117db924cf7c | 5180 | } |
wolfSSL | 15:117db924cf7c | 5181 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5182 | |
wolfSSL | 15:117db924cf7c | 5183 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5184 | /* Check that the decrypted signature matches the encoded signature |
wolfSSL | 15:117db924cf7c | 5185 | * based on the digest of the signature data. |
wolfSSL | 15:117db924cf7c | 5186 | * |
wolfSSL | 15:117db924cf7c | 5187 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5188 | * sigAlgo The signature algorithm used to generate signature. |
wolfSSL | 15:117db924cf7c | 5189 | * hashAlgo The hash algorithm used to generate signature. |
wolfSSL | 15:117db924cf7c | 5190 | * decSig The decrypted signature. |
wolfSSL | 15:117db924cf7c | 5191 | * decSigSz The size of the decrypted signature. |
wolfSSL | 15:117db924cf7c | 5192 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 5193 | */ |
wolfSSL | 15:117db924cf7c | 5194 | static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo, |
wolfSSL | 15:117db924cf7c | 5195 | byte* decSig, word32 decSigSz) |
wolfSSL | 15:117db924cf7c | 5196 | { |
wolfSSL | 15:117db924cf7c | 5197 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 5198 | byte sigData[MAX_SIG_DATA_SZ]; |
wolfSSL | 15:117db924cf7c | 5199 | word16 sigDataSz; |
wolfSSL | 15:117db924cf7c | 5200 | word32 sigSz; |
wolfSSL | 15:117db924cf7c | 5201 | |
wolfSSL | 15:117db924cf7c | 5202 | ret = CreateSigData(ssl, sigData, &sigDataSz, 1); |
wolfSSL | 15:117db924cf7c | 5203 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5204 | return ret; |
wolfSSL | 15:117db924cf7c | 5205 | |
wolfSSL | 15:117db924cf7c | 5206 | if (sigAlgo == rsa_pss_sa_algo) { |
wolfSSL | 15:117db924cf7c | 5207 | enum wc_HashType hashType = WC_HASH_TYPE_NONE; |
wolfSSL | 15:117db924cf7c | 5208 | |
wolfSSL | 15:117db924cf7c | 5209 | ret = ConvertHashPss(hashAlgo, &hashType, NULL); |
wolfSSL | 15:117db924cf7c | 5210 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5211 | return ret; |
wolfSSL | 15:117db924cf7c | 5212 | |
wolfSSL | 15:117db924cf7c | 5213 | /* PSS signature can be done in-place */ |
wolfSSL | 15:117db924cf7c | 5214 | ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz, |
wolfSSL | 15:117db924cf7c | 5215 | sigAlgo, hashAlgo); |
wolfSSL | 15:117db924cf7c | 5216 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5217 | return ret; |
wolfSSL | 15:117db924cf7c | 5218 | sigSz = ret; |
wolfSSL | 15:117db924cf7c | 5219 | |
wolfSSL | 15:117db924cf7c | 5220 | ret = wc_RsaPSS_CheckPadding(sigData, sigSz, decSig, decSigSz, |
wolfSSL | 15:117db924cf7c | 5221 | hashType); |
wolfSSL | 15:117db924cf7c | 5222 | } |
wolfSSL | 15:117db924cf7c | 5223 | |
wolfSSL | 15:117db924cf7c | 5224 | return ret; |
wolfSSL | 15:117db924cf7c | 5225 | } |
wolfSSL | 15:117db924cf7c | 5226 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5227 | #endif /* !NO_RSA || HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5228 | |
wolfSSL | 15:117db924cf7c | 5229 | /* Get the next certificate from the list for writing into the TLS v1.3 |
wolfSSL | 15:117db924cf7c | 5230 | * Certificate message. |
wolfSSL | 15:117db924cf7c | 5231 | * |
wolfSSL | 15:117db924cf7c | 5232 | * data The certificate list. |
wolfSSL | 15:117db924cf7c | 5233 | * length The length of the certificate data in the list. |
wolfSSL | 15:117db924cf7c | 5234 | * idx The index of the next certificate. |
wolfSSL | 15:117db924cf7c | 5235 | * returns the length of the certificate data. 0 indicates no more certificates |
wolfSSL | 15:117db924cf7c | 5236 | * in the list. |
wolfSSL | 15:117db924cf7c | 5237 | */ |
wolfSSL | 15:117db924cf7c | 5238 | static word32 NextCert(byte* data, word32 length, word32* idx) |
wolfSSL | 15:117db924cf7c | 5239 | { |
wolfSSL | 15:117db924cf7c | 5240 | word32 len; |
wolfSSL | 15:117db924cf7c | 5241 | |
wolfSSL | 15:117db924cf7c | 5242 | /* Is index at end of list. */ |
wolfSSL | 15:117db924cf7c | 5243 | if (*idx == length) |
wolfSSL | 15:117db924cf7c | 5244 | return 0; |
wolfSSL | 15:117db924cf7c | 5245 | |
wolfSSL | 15:117db924cf7c | 5246 | /* Length of the current ASN.1 encoded certificate. */ |
wolfSSL | 15:117db924cf7c | 5247 | c24to32(data + *idx, &len); |
wolfSSL | 15:117db924cf7c | 5248 | /* Include the length field. */ |
wolfSSL | 15:117db924cf7c | 5249 | len += 3; |
wolfSSL | 15:117db924cf7c | 5250 | |
wolfSSL | 15:117db924cf7c | 5251 | /* Move index to next certificate and return the current certificate's |
wolfSSL | 15:117db924cf7c | 5252 | * length. |
wolfSSL | 15:117db924cf7c | 5253 | */ |
wolfSSL | 15:117db924cf7c | 5254 | *idx += len; |
wolfSSL | 15:117db924cf7c | 5255 | return len; |
wolfSSL | 15:117db924cf7c | 5256 | } |
wolfSSL | 15:117db924cf7c | 5257 | |
wolfSSL | 15:117db924cf7c | 5258 | /* Add certificate data and empty extension to output up to the fragment size. |
wolfSSL | 15:117db924cf7c | 5259 | * |
wolfSSL | 15:117db924cf7c | 5260 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5261 | * cert The certificate data to write out. |
wolfSSL | 15:117db924cf7c | 5262 | * len The length of the certificate data. |
wolfSSL | 15:117db924cf7c | 5263 | * extSz Length of the extension data with the certificate. |
wolfSSL | 15:117db924cf7c | 5264 | * idx The start of the certificate data to write out. |
wolfSSL | 15:117db924cf7c | 5265 | * fragSz The maximum size of this fragment. |
wolfSSL | 15:117db924cf7c | 5266 | * output The buffer to write to. |
wolfSSL | 15:117db924cf7c | 5267 | * returns the number of bytes written. |
wolfSSL | 15:117db924cf7c | 5268 | */ |
wolfSSL | 15:117db924cf7c | 5269 | static word32 AddCertExt(WOLFSSL* ssl, byte* cert, word32 len, word16 extSz, |
wolfSSL | 15:117db924cf7c | 5270 | word32 idx, word32 fragSz, byte* output) |
wolfSSL | 15:117db924cf7c | 5271 | { |
wolfSSL | 15:117db924cf7c | 5272 | word32 i = 0; |
wolfSSL | 15:117db924cf7c | 5273 | word32 copySz = min(len - idx, fragSz); |
wolfSSL | 15:117db924cf7c | 5274 | |
wolfSSL | 15:117db924cf7c | 5275 | if (idx < len) { |
wolfSSL | 15:117db924cf7c | 5276 | XMEMCPY(output, cert + idx, copySz); |
wolfSSL | 15:117db924cf7c | 5277 | i = copySz; |
wolfSSL | 15:117db924cf7c | 5278 | if (copySz == fragSz) |
wolfSSL | 15:117db924cf7c | 5279 | return i; |
wolfSSL | 15:117db924cf7c | 5280 | } |
wolfSSL | 15:117db924cf7c | 5281 | copySz = len + extSz - idx - i; |
wolfSSL | 15:117db924cf7c | 5282 | |
wolfSSL | 15:117db924cf7c | 5283 | if (extSz == OPAQUE16_LEN) { |
wolfSSL | 15:117db924cf7c | 5284 | if (copySz <= fragSz) { |
wolfSSL | 15:117db924cf7c | 5285 | /* Empty extension */ |
wolfSSL | 15:117db924cf7c | 5286 | output[i++] = 0; |
wolfSSL | 15:117db924cf7c | 5287 | output[i++] = 0; |
wolfSSL | 15:117db924cf7c | 5288 | } |
wolfSSL | 15:117db924cf7c | 5289 | } |
wolfSSL | 15:117db924cf7c | 5290 | else { |
wolfSSL | 15:117db924cf7c | 5291 | byte* certExts = ssl->buffers.certExts->buffer + idx + i - len; |
wolfSSL | 15:117db924cf7c | 5292 | /* Put out as much of the extensions' data as will fit in fragment. */ |
wolfSSL | 15:117db924cf7c | 5293 | if (copySz > fragSz - i) |
wolfSSL | 15:117db924cf7c | 5294 | copySz = fragSz - i; |
wolfSSL | 15:117db924cf7c | 5295 | XMEMCPY(output + i, certExts, copySz); |
wolfSSL | 15:117db924cf7c | 5296 | i += copySz; |
wolfSSL | 15:117db924cf7c | 5297 | } |
wolfSSL | 15:117db924cf7c | 5298 | |
wolfSSL | 15:117db924cf7c | 5299 | return i; |
wolfSSL | 15:117db924cf7c | 5300 | } |
wolfSSL | 15:117db924cf7c | 5301 | |
wolfSSL | 15:117db924cf7c | 5302 | /* handle generation TLS v1.3 certificate (11) */ |
wolfSSL | 15:117db924cf7c | 5303 | /* Send the certificate for this end and any CAs that help with validation. |
wolfSSL | 15:117db924cf7c | 5304 | * This message is always encrypted in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 5305 | * |
wolfSSL | 15:117db924cf7c | 5306 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5307 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 5308 | */ |
wolfSSL | 15:117db924cf7c | 5309 | static int SendTls13Certificate(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 5310 | { |
wolfSSL | 15:117db924cf7c | 5311 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 5312 | word32 certSz, certChainSz, headerSz, listSz, payloadSz; |
wolfSSL | 15:117db924cf7c | 5313 | word16 extSz = 0; |
wolfSSL | 15:117db924cf7c | 5314 | word32 length, maxFragment; |
wolfSSL | 15:117db924cf7c | 5315 | word32 len = 0; |
wolfSSL | 15:117db924cf7c | 5316 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 5317 | word32 offset = OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 5318 | byte* p = NULL; |
wolfSSL | 15:117db924cf7c | 5319 | byte certReqCtxLen = 0; |
wolfSSL | 15:117db924cf7c | 5320 | byte* certReqCtx = NULL; |
wolfSSL | 15:117db924cf7c | 5321 | |
wolfSSL | 15:117db924cf7c | 5322 | WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND); |
wolfSSL | 15:117db924cf7c | 5323 | WOLFSSL_ENTER("SendTls13Certificate"); |
wolfSSL | 15:117db924cf7c | 5324 | |
wolfSSL | 15:117db924cf7c | 5325 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 5326 | if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) { |
wolfSSL | 15:117db924cf7c | 5327 | certReqCtxLen = ssl->certReqCtx->len; |
wolfSSL | 15:117db924cf7c | 5328 | certReqCtx = &ssl->certReqCtx->ctx; |
wolfSSL | 15:117db924cf7c | 5329 | } |
wolfSSL | 15:117db924cf7c | 5330 | #endif |
wolfSSL | 15:117db924cf7c | 5331 | |
wolfSSL | 15:117db924cf7c | 5332 | if (ssl->options.sendVerify == SEND_BLANK_CERT) { |
wolfSSL | 15:117db924cf7c | 5333 | certSz = 0; |
wolfSSL | 15:117db924cf7c | 5334 | certChainSz = 0; |
wolfSSL | 15:117db924cf7c | 5335 | headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5336 | length = headerSz; |
wolfSSL | 15:117db924cf7c | 5337 | listSz = 0; |
wolfSSL | 15:117db924cf7c | 5338 | } |
wolfSSL | 15:117db924cf7c | 5339 | else { |
wolfSSL | 15:117db924cf7c | 5340 | if (!ssl->buffers.certificate) { |
wolfSSL | 15:117db924cf7c | 5341 | WOLFSSL_MSG("Send Cert missing certificate buffer"); |
wolfSSL | 15:117db924cf7c | 5342 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 5343 | } |
wolfSSL | 15:117db924cf7c | 5344 | /* Certificate Data */ |
wolfSSL | 15:117db924cf7c | 5345 | certSz = ssl->buffers.certificate->length; |
wolfSSL | 15:117db924cf7c | 5346 | /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */ |
wolfSSL | 15:117db924cf7c | 5347 | headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ + |
wolfSSL | 15:117db924cf7c | 5348 | CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5349 | |
wolfSSL | 15:117db924cf7c | 5350 | ret = TLSX_GetResponseSize(ssl, certificate, &extSz); |
wolfSSL | 15:117db924cf7c | 5351 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5352 | return ret; |
wolfSSL | 15:117db924cf7c | 5353 | |
wolfSSL | 15:117db924cf7c | 5354 | /* Create extensions' data if none already present. */ |
wolfSSL | 15:117db924cf7c | 5355 | if (extSz > OPAQUE16_LEN && ssl->buffers.certExts == NULL) { |
wolfSSL | 15:117db924cf7c | 5356 | ret = AllocDer(&ssl->buffers.certExts, extSz, CERT_TYPE, ssl->heap); |
wolfSSL | 15:117db924cf7c | 5357 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5358 | return ret; |
wolfSSL | 15:117db924cf7c | 5359 | |
wolfSSL | 16:8e0d178b1d1e | 5360 | extSz = 0; |
wolfSSL | 15:117db924cf7c | 5361 | ret = TLSX_WriteResponse(ssl, ssl->buffers.certExts->buffer, |
wolfSSL | 15:117db924cf7c | 5362 | certificate, &extSz); |
wolfSSL | 15:117db924cf7c | 5363 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5364 | return ret; |
wolfSSL | 15:117db924cf7c | 5365 | } |
wolfSSL | 15:117db924cf7c | 5366 | |
wolfSSL | 15:117db924cf7c | 5367 | /* Length of message data with one certificate and extensions. */ |
wolfSSL | 15:117db924cf7c | 5368 | length = headerSz + certSz + extSz; |
wolfSSL | 15:117db924cf7c | 5369 | /* Length of list data with one certificate and extensions. */ |
wolfSSL | 15:117db924cf7c | 5370 | listSz = CERT_HEADER_SZ + certSz + extSz; |
wolfSSL | 15:117db924cf7c | 5371 | |
wolfSSL | 15:117db924cf7c | 5372 | /* Send rest of chain if sending cert (chain has leading size/s). */ |
wolfSSL | 15:117db924cf7c | 5373 | if (certSz > 0 && ssl->buffers.certChainCnt > 0) { |
wolfSSL | 15:117db924cf7c | 5374 | p = ssl->buffers.certChain->buffer; |
wolfSSL | 15:117db924cf7c | 5375 | /* Chain length including extensions. */ |
wolfSSL | 15:117db924cf7c | 5376 | certChainSz = ssl->buffers.certChain->length + |
wolfSSL | 15:117db924cf7c | 5377 | OPAQUE16_LEN * ssl->buffers.certChainCnt; |
wolfSSL | 15:117db924cf7c | 5378 | length += certChainSz; |
wolfSSL | 15:117db924cf7c | 5379 | listSz += certChainSz; |
wolfSSL | 15:117db924cf7c | 5380 | } |
wolfSSL | 15:117db924cf7c | 5381 | else |
wolfSSL | 15:117db924cf7c | 5382 | certChainSz = 0; |
wolfSSL | 15:117db924cf7c | 5383 | } |
wolfSSL | 15:117db924cf7c | 5384 | |
wolfSSL | 15:117db924cf7c | 5385 | payloadSz = length; |
wolfSSL | 15:117db924cf7c | 5386 | |
wolfSSL | 15:117db924cf7c | 5387 | if (ssl->fragOffset != 0) |
wolfSSL | 15:117db924cf7c | 5388 | length -= (ssl->fragOffset + headerSz); |
wolfSSL | 15:117db924cf7c | 5389 | |
wolfSSL | 15:117db924cf7c | 5390 | maxFragment = wolfSSL_GetMaxRecordSize(ssl, MAX_RECORD_SIZE); |
wolfSSL | 15:117db924cf7c | 5391 | |
wolfSSL | 15:117db924cf7c | 5392 | while (length > 0 && ret == 0) { |
wolfSSL | 15:117db924cf7c | 5393 | byte* output = NULL; |
wolfSSL | 15:117db924cf7c | 5394 | word32 fragSz = 0; |
wolfSSL | 15:117db924cf7c | 5395 | word32 i = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5396 | int sendSz = RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5397 | |
wolfSSL | 15:117db924cf7c | 5398 | if (ssl->fragOffset == 0) { |
wolfSSL | 15:117db924cf7c | 5399 | if (headerSz + certSz + extSz + certChainSz <= |
wolfSSL | 15:117db924cf7c | 5400 | maxFragment - HANDSHAKE_HEADER_SZ) { |
wolfSSL | 15:117db924cf7c | 5401 | fragSz = headerSz + certSz + extSz + certChainSz; |
wolfSSL | 15:117db924cf7c | 5402 | } |
wolfSSL | 15:117db924cf7c | 5403 | else |
wolfSSL | 15:117db924cf7c | 5404 | fragSz = maxFragment - HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5405 | |
wolfSSL | 15:117db924cf7c | 5406 | sendSz += fragSz + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5407 | i += HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5408 | } |
wolfSSL | 15:117db924cf7c | 5409 | else { |
wolfSSL | 15:117db924cf7c | 5410 | fragSz = min(length, maxFragment); |
wolfSSL | 15:117db924cf7c | 5411 | sendSz += fragSz; |
wolfSSL | 15:117db924cf7c | 5412 | } |
wolfSSL | 15:117db924cf7c | 5413 | |
wolfSSL | 15:117db924cf7c | 5414 | sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 5415 | |
wolfSSL | 15:117db924cf7c | 5416 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 5417 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 5418 | return ret; |
wolfSSL | 15:117db924cf7c | 5419 | |
wolfSSL | 15:117db924cf7c | 5420 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 5421 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 5422 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 5423 | |
wolfSSL | 15:117db924cf7c | 5424 | if (ssl->fragOffset == 0) { |
wolfSSL | 15:117db924cf7c | 5425 | AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl); |
wolfSSL | 15:117db924cf7c | 5426 | |
wolfSSL | 15:117db924cf7c | 5427 | /* Request context. */ |
wolfSSL | 15:117db924cf7c | 5428 | output[i++] = certReqCtxLen; |
wolfSSL | 15:117db924cf7c | 5429 | if (certReqCtxLen > 0) { |
wolfSSL | 15:117db924cf7c | 5430 | XMEMCPY(output + i, certReqCtx, certReqCtxLen); |
wolfSSL | 15:117db924cf7c | 5431 | i += certReqCtxLen; |
wolfSSL | 15:117db924cf7c | 5432 | } |
wolfSSL | 15:117db924cf7c | 5433 | length -= OPAQUE8_LEN + certReqCtxLen; |
wolfSSL | 15:117db924cf7c | 5434 | fragSz -= OPAQUE8_LEN + certReqCtxLen; |
wolfSSL | 15:117db924cf7c | 5435 | /* Certificate list length. */ |
wolfSSL | 15:117db924cf7c | 5436 | c32to24(listSz, output + i); |
wolfSSL | 15:117db924cf7c | 5437 | i += CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5438 | length -= CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5439 | fragSz -= CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5440 | /* Leaf certificate data length. */ |
wolfSSL | 15:117db924cf7c | 5441 | if (certSz > 0) { |
wolfSSL | 15:117db924cf7c | 5442 | c32to24(certSz, output + i); |
wolfSSL | 15:117db924cf7c | 5443 | i += CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5444 | length -= CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5445 | fragSz -= CERT_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5446 | } |
wolfSSL | 15:117db924cf7c | 5447 | } |
wolfSSL | 15:117db924cf7c | 5448 | else |
wolfSSL | 15:117db924cf7c | 5449 | AddTls13RecordHeader(output, fragSz, handshake, ssl); |
wolfSSL | 15:117db924cf7c | 5450 | |
wolfSSL | 15:117db924cf7c | 5451 | if (certSz > 0 && ssl->fragOffset < certSz + extSz) { |
wolfSSL | 15:117db924cf7c | 5452 | /* Put in the leaf certificate with extensions. */ |
wolfSSL | 15:117db924cf7c | 5453 | word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer, |
wolfSSL | 15:117db924cf7c | 5454 | certSz, extSz, ssl->fragOffset, fragSz, output + i); |
wolfSSL | 15:117db924cf7c | 5455 | i += copySz; |
wolfSSL | 15:117db924cf7c | 5456 | ssl->fragOffset += copySz; |
wolfSSL | 15:117db924cf7c | 5457 | length -= copySz; |
wolfSSL | 15:117db924cf7c | 5458 | fragSz -= copySz; |
wolfSSL | 15:117db924cf7c | 5459 | if (ssl->fragOffset == certSz + extSz) |
wolfSSL | 15:117db924cf7c | 5460 | FreeDer(&ssl->buffers.certExts); |
wolfSSL | 15:117db924cf7c | 5461 | } |
wolfSSL | 15:117db924cf7c | 5462 | if (certChainSz > 0 && fragSz > 0) { |
wolfSSL | 15:117db924cf7c | 5463 | /* Put in the CA certificates with empty extensions. */ |
wolfSSL | 15:117db924cf7c | 5464 | while (fragSz > 0) { |
wolfSSL | 15:117db924cf7c | 5465 | word32 l; |
wolfSSL | 15:117db924cf7c | 5466 | |
wolfSSL | 15:117db924cf7c | 5467 | if (offset == len + OPAQUE16_LEN) { |
wolfSSL | 15:117db924cf7c | 5468 | /* Find next CA certificate to write out. */ |
wolfSSL | 15:117db924cf7c | 5469 | offset = 0; |
wolfSSL | 15:117db924cf7c | 5470 | /* Point to the start of current cert in chain buffer. */ |
wolfSSL | 15:117db924cf7c | 5471 | p = ssl->buffers.certChain->buffer + idx; |
wolfSSL | 15:117db924cf7c | 5472 | len = NextCert(ssl->buffers.certChain->buffer, |
wolfSSL | 15:117db924cf7c | 5473 | ssl->buffers.certChain->length, &idx); |
wolfSSL | 15:117db924cf7c | 5474 | if (len == 0) |
wolfSSL | 15:117db924cf7c | 5475 | break; |
wolfSSL | 15:117db924cf7c | 5476 | } |
wolfSSL | 15:117db924cf7c | 5477 | |
wolfSSL | 15:117db924cf7c | 5478 | /* Write out certificate and empty extension. */ |
wolfSSL | 15:117db924cf7c | 5479 | l = AddCertExt(ssl, p, len, OPAQUE16_LEN, offset, fragSz, |
wolfSSL | 15:117db924cf7c | 5480 | output + i); |
wolfSSL | 15:117db924cf7c | 5481 | i += l; |
wolfSSL | 15:117db924cf7c | 5482 | ssl->fragOffset += l; |
wolfSSL | 15:117db924cf7c | 5483 | length -= l; |
wolfSSL | 15:117db924cf7c | 5484 | fragSz -= l; |
wolfSSL | 15:117db924cf7c | 5485 | offset += l; |
wolfSSL | 15:117db924cf7c | 5486 | } |
wolfSSL | 15:117db924cf7c | 5487 | } |
wolfSSL | 15:117db924cf7c | 5488 | |
wolfSSL | 15:117db924cf7c | 5489 | if ((int)i - RECORD_HEADER_SZ < 0) { |
wolfSSL | 15:117db924cf7c | 5490 | WOLFSSL_MSG("Send Cert bad inputSz"); |
wolfSSL | 15:117db924cf7c | 5491 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 5492 | } |
wolfSSL | 15:117db924cf7c | 5493 | |
wolfSSL | 15:117db924cf7c | 5494 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 5495 | sendSz = BuildTls13Message(ssl, output, sendSz, |
wolfSSL | 15:117db924cf7c | 5496 | output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 5497 | i - RECORD_HEADER_SZ, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 5498 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 5499 | return sendSz; |
wolfSSL | 15:117db924cf7c | 5500 | |
wolfSSL | 15:117db924cf7c | 5501 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5502 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 5503 | AddPacketName(ssl, "Certificate"); |
wolfSSL | 15:117db924cf7c | 5504 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 5505 | AddPacketInfo(ssl, "Certificate", handshake, output, |
wolfSSL | 15:117db924cf7c | 5506 | sendSz, WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 5507 | } |
wolfSSL | 15:117db924cf7c | 5508 | #endif |
wolfSSL | 15:117db924cf7c | 5509 | |
wolfSSL | 15:117db924cf7c | 5510 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 5511 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 5512 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 5513 | } |
wolfSSL | 15:117db924cf7c | 5514 | |
wolfSSL | 15:117db924cf7c | 5515 | if (ret != WANT_WRITE) { |
wolfSSL | 15:117db924cf7c | 5516 | /* Clean up the fragment offset. */ |
wolfSSL | 15:117db924cf7c | 5517 | ssl->fragOffset = 0; |
wolfSSL | 15:117db924cf7c | 5518 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 5519 | ssl->options.serverState = SERVER_CERT_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5520 | } |
wolfSSL | 15:117db924cf7c | 5521 | |
wolfSSL | 15:117db924cf7c | 5522 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 5523 | if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) { |
wolfSSL | 15:117db924cf7c | 5524 | CertReqCtx* ctx = ssl->certReqCtx; |
wolfSSL | 15:117db924cf7c | 5525 | ssl->certReqCtx = ssl->certReqCtx->next; |
wolfSSL | 15:117db924cf7c | 5526 | XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 5527 | } |
wolfSSL | 15:117db924cf7c | 5528 | #endif |
wolfSSL | 15:117db924cf7c | 5529 | |
wolfSSL | 15:117db924cf7c | 5530 | WOLFSSL_LEAVE("SendTls13Certificate", ret); |
wolfSSL | 15:117db924cf7c | 5531 | WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND); |
wolfSSL | 15:117db924cf7c | 5532 | |
wolfSSL | 15:117db924cf7c | 5533 | return ret; |
wolfSSL | 15:117db924cf7c | 5534 | } |
wolfSSL | 15:117db924cf7c | 5535 | |
wolfSSL | 15:117db924cf7c | 5536 | typedef struct Scv13Args { |
wolfSSL | 15:117db924cf7c | 5537 | byte* output; /* not allocated */ |
wolfSSL | 15:117db924cf7c | 5538 | byte* verify; /* not allocated */ |
wolfSSL | 15:117db924cf7c | 5539 | word32 idx; |
wolfSSL | 15:117db924cf7c | 5540 | word32 sigLen; |
wolfSSL | 15:117db924cf7c | 5541 | int sendSz; |
wolfSSL | 15:117db924cf7c | 5542 | word16 length; |
wolfSSL | 15:117db924cf7c | 5543 | |
wolfSSL | 15:117db924cf7c | 5544 | byte sigAlgo; |
wolfSSL | 15:117db924cf7c | 5545 | byte* sigData; |
wolfSSL | 15:117db924cf7c | 5546 | word16 sigDataSz; |
wolfSSL | 15:117db924cf7c | 5547 | } Scv13Args; |
wolfSSL | 15:117db924cf7c | 5548 | |
wolfSSL | 15:117db924cf7c | 5549 | static void FreeScv13Args(WOLFSSL* ssl, void* pArgs) |
wolfSSL | 15:117db924cf7c | 5550 | { |
wolfSSL | 15:117db924cf7c | 5551 | Scv13Args* args = (Scv13Args*)pArgs; |
wolfSSL | 15:117db924cf7c | 5552 | |
wolfSSL | 15:117db924cf7c | 5553 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 5554 | |
wolfSSL | 15:117db924cf7c | 5555 | if (args->sigData) { |
wolfSSL | 15:117db924cf7c | 5556 | XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5557 | args->sigData = NULL; |
wolfSSL | 15:117db924cf7c | 5558 | } |
wolfSSL | 15:117db924cf7c | 5559 | } |
wolfSSL | 15:117db924cf7c | 5560 | |
wolfSSL | 15:117db924cf7c | 5561 | /* handle generation TLS v1.3 certificate_verify (15) */ |
wolfSSL | 15:117db924cf7c | 5562 | /* Send the TLS v1.3 CertificateVerify message. |
wolfSSL | 15:117db924cf7c | 5563 | * A hash of all the message so far is used. |
wolfSSL | 15:117db924cf7c | 5564 | * The signed data is: |
wolfSSL | 15:117db924cf7c | 5565 | * 0x20 * 64 | context string | 0x00 | hash of messages |
wolfSSL | 15:117db924cf7c | 5566 | * This message is always encrypted in TLS v1.3. |
wolfSSL | 15:117db924cf7c | 5567 | * |
wolfSSL | 15:117db924cf7c | 5568 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5569 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 5570 | */ |
wolfSSL | 15:117db924cf7c | 5571 | static int SendTls13CertificateVerify(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 5572 | { |
wolfSSL | 15:117db924cf7c | 5573 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 5574 | buffer* sig = &ssl->buffers.sig; |
wolfSSL | 15:117db924cf7c | 5575 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5576 | Scv13Args* args = (Scv13Args*)ssl->async.args; |
wolfSSL | 15:117db924cf7c | 5577 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; |
wolfSSL | 15:117db924cf7c | 5578 | (void)sizeof(args_test); |
wolfSSL | 15:117db924cf7c | 5579 | #else |
wolfSSL | 15:117db924cf7c | 5580 | Scv13Args args[1]; |
wolfSSL | 15:117db924cf7c | 5581 | #endif |
wolfSSL | 15:117db924cf7c | 5582 | |
wolfSSL | 15:117db924cf7c | 5583 | WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND); |
wolfSSL | 15:117db924cf7c | 5584 | WOLFSSL_ENTER("SendTls13CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 5585 | |
wolfSSL | 15:117db924cf7c | 5586 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5587 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); |
wolfSSL | 15:117db924cf7c | 5588 | if (ret != WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 5589 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 5590 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5591 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5592 | } |
wolfSSL | 15:117db924cf7c | 5593 | else |
wolfSSL | 15:117db924cf7c | 5594 | #endif |
wolfSSL | 15:117db924cf7c | 5595 | { |
wolfSSL | 15:117db924cf7c | 5596 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 5597 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5598 | ssl->options.asyncState = TLS_ASYNC_BEGIN; |
wolfSSL | 15:117db924cf7c | 5599 | XMEMSET(args, 0, sizeof(Scv13Args)); |
wolfSSL | 15:117db924cf7c | 5600 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5601 | ssl->async.freeArgs = FreeScv13Args; |
wolfSSL | 15:117db924cf7c | 5602 | #endif |
wolfSSL | 15:117db924cf7c | 5603 | } |
wolfSSL | 15:117db924cf7c | 5604 | |
wolfSSL | 15:117db924cf7c | 5605 | switch(ssl->options.asyncState) |
wolfSSL | 15:117db924cf7c | 5606 | { |
wolfSSL | 15:117db924cf7c | 5607 | case TLS_ASYNC_BEGIN: |
wolfSSL | 15:117db924cf7c | 5608 | { |
wolfSSL | 15:117db924cf7c | 5609 | if (ssl->options.sendVerify == SEND_BLANK_CERT) { |
wolfSSL | 15:117db924cf7c | 5610 | return 0; /* sent blank cert, can't verify */ |
wolfSSL | 15:117db924cf7c | 5611 | } |
wolfSSL | 15:117db924cf7c | 5612 | |
wolfSSL | 16:8e0d178b1d1e | 5613 | args->sendSz = MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 5614 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 5615 | args->sendSz += MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 5616 | |
wolfSSL | 15:117db924cf7c | 5617 | /* check for available size */ |
wolfSSL | 15:117db924cf7c | 5618 | if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { |
wolfSSL | 15:117db924cf7c | 5619 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5620 | } |
wolfSSL | 15:117db924cf7c | 5621 | |
wolfSSL | 15:117db924cf7c | 5622 | /* get output buffer */ |
wolfSSL | 15:117db924cf7c | 5623 | args->output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 5624 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 5625 | |
wolfSSL | 15:117db924cf7c | 5626 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5627 | ssl->options.asyncState = TLS_ASYNC_BUILD; |
wolfSSL | 15:117db924cf7c | 5628 | } /* case TLS_ASYNC_BEGIN */ |
wolfSSL | 15:117db924cf7c | 5629 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5630 | |
wolfSSL | 15:117db924cf7c | 5631 | case TLS_ASYNC_BUILD: |
wolfSSL | 15:117db924cf7c | 5632 | { |
wolfSSL | 15:117db924cf7c | 5633 | /* idx is used to track verify pointer offset to output */ |
wolfSSL | 15:117db924cf7c | 5634 | args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 5635 | args->verify = |
wolfSSL | 15:117db924cf7c | 5636 | &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ]; |
wolfSSL | 15:117db924cf7c | 5637 | |
wolfSSL | 15:117db924cf7c | 5638 | if (ssl->buffers.key == NULL) { |
wolfSSL | 15:117db924cf7c | 5639 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5640 | if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) |
wolfSSL | 15:117db924cf7c | 5641 | args->length = GetPrivateKeySigSize(ssl); |
wolfSSL | 15:117db924cf7c | 5642 | else |
wolfSSL | 15:117db924cf7c | 5643 | #endif |
wolfSSL | 15:117db924cf7c | 5644 | ERROR_OUT(NO_PRIVATE_KEY, exit_scv); |
wolfSSL | 15:117db924cf7c | 5645 | } |
wolfSSL | 15:117db924cf7c | 5646 | else { |
wolfSSL | 15:117db924cf7c | 5647 | ret = DecodePrivateKey(ssl, &args->length); |
wolfSSL | 15:117db924cf7c | 5648 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5649 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5650 | } |
wolfSSL | 15:117db924cf7c | 5651 | |
wolfSSL | 15:117db924cf7c | 5652 | if (args->length <= 0) { |
wolfSSL | 15:117db924cf7c | 5653 | ERROR_OUT(NO_PRIVATE_KEY, exit_scv); |
wolfSSL | 15:117db924cf7c | 5654 | } |
wolfSSL | 15:117db924cf7c | 5655 | |
wolfSSL | 15:117db924cf7c | 5656 | /* Add signature algorithm. */ |
wolfSSL | 15:117db924cf7c | 5657 | if (ssl->hsType == DYNAMIC_TYPE_RSA) |
wolfSSL | 15:117db924cf7c | 5658 | args->sigAlgo = rsa_pss_sa_algo; |
wolfSSL | 15:117db924cf7c | 5659 | else if (ssl->hsType == DYNAMIC_TYPE_ECC) |
wolfSSL | 15:117db924cf7c | 5660 | args->sigAlgo = ecc_dsa_sa_algo; |
wolfSSL | 15:117db924cf7c | 5661 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5662 | else if (ssl->hsType == DYNAMIC_TYPE_ED25519) |
wolfSSL | 15:117db924cf7c | 5663 | args->sigAlgo = ed25519_sa_algo; |
wolfSSL | 15:117db924cf7c | 5664 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5665 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 5666 | else if (ssl->hsType == DYNAMIC_TYPE_ED448) |
wolfSSL | 16:8e0d178b1d1e | 5667 | args->sigAlgo = ed448_sa_algo; |
wolfSSL | 16:8e0d178b1d1e | 5668 | #endif |
wolfSSL | 15:117db924cf7c | 5669 | EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, args->verify); |
wolfSSL | 15:117db924cf7c | 5670 | |
wolfSSL | 16:8e0d178b1d1e | 5671 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
wolfSSL | 16:8e0d178b1d1e | 5672 | int sigLen = MAX_SIG_DATA_SZ; |
wolfSSL | 16:8e0d178b1d1e | 5673 | if (args->length > MAX_SIG_DATA_SZ) |
wolfSSL | 16:8e0d178b1d1e | 5674 | sigLen = args->length; |
wolfSSL | 16:8e0d178b1d1e | 5675 | args->sigData = (byte*)XMALLOC(sigLen, ssl->heap, |
wolfSSL | 16:8e0d178b1d1e | 5676 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 16:8e0d178b1d1e | 5677 | } |
wolfSSL | 16:8e0d178b1d1e | 5678 | else { |
wolfSSL | 16:8e0d178b1d1e | 5679 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap, |
wolfSSL | 16:8e0d178b1d1e | 5680 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 16:8e0d178b1d1e | 5681 | } |
wolfSSL | 16:8e0d178b1d1e | 5682 | if (args->sigData == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 5683 | ERROR_OUT(MEMORY_E, exit_scv); |
wolfSSL | 16:8e0d178b1d1e | 5684 | } |
wolfSSL | 16:8e0d178b1d1e | 5685 | |
wolfSSL | 15:117db924cf7c | 5686 | /* Create the data to be signed. */ |
wolfSSL | 15:117db924cf7c | 5687 | ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0); |
wolfSSL | 15:117db924cf7c | 5688 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 5689 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5690 | |
wolfSSL | 15:117db924cf7c | 5691 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5692 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
wolfSSL | 15:117db924cf7c | 5693 | /* build encoded signature buffer */ |
wolfSSL | 16:8e0d178b1d1e | 5694 | sig->length = WC_MAX_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 5695 | sig->buffer = (byte*)XMALLOC(sig->length, ssl->heap, |
wolfSSL | 16:8e0d178b1d1e | 5696 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5697 | if (sig->buffer == NULL) { |
wolfSSL | 15:117db924cf7c | 5698 | ERROR_OUT(MEMORY_E, exit_scv); |
wolfSSL | 15:117db924cf7c | 5699 | } |
wolfSSL | 15:117db924cf7c | 5700 | |
wolfSSL | 15:117db924cf7c | 5701 | ret = CreateRSAEncodedSig(sig->buffer, args->sigData, |
wolfSSL | 15:117db924cf7c | 5702 | args->sigDataSz, args->sigAlgo, ssl->suites->hashAlgo); |
wolfSSL | 15:117db924cf7c | 5703 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5704 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5705 | sig->length = ret; |
wolfSSL | 15:117db924cf7c | 5706 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5707 | |
wolfSSL | 15:117db924cf7c | 5708 | /* Maximum size of RSA Signature. */ |
wolfSSL | 15:117db924cf7c | 5709 | args->sigLen = args->length; |
wolfSSL | 15:117db924cf7c | 5710 | } |
wolfSSL | 15:117db924cf7c | 5711 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5712 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5713 | if (ssl->hsType == DYNAMIC_TYPE_ECC) { |
wolfSSL | 15:117db924cf7c | 5714 | sig->length = args->sendSz - args->idx - HASH_SIG_SIZE - |
wolfSSL | 15:117db924cf7c | 5715 | VERIFY_HEADER; |
wolfSSL | 15:117db924cf7c | 5716 | ret = CreateECCEncodedSig(args->sigData, |
wolfSSL | 15:117db924cf7c | 5717 | args->sigDataSz, ssl->suites->hashAlgo); |
wolfSSL | 15:117db924cf7c | 5718 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 5719 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5720 | args->sigDataSz = (word16)ret; |
wolfSSL | 15:117db924cf7c | 5721 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5722 | } |
wolfSSL | 15:117db924cf7c | 5723 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5724 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5725 | if (ssl->hsType == DYNAMIC_TYPE_ED25519) { |
wolfSSL | 15:117db924cf7c | 5726 | ret = Ed25519CheckPubKey(ssl); |
wolfSSL | 15:117db924cf7c | 5727 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 5728 | ERROR_OUT(ret, exit_scv); |
wolfSSL | 15:117db924cf7c | 5729 | } |
wolfSSL | 15:117db924cf7c | 5730 | sig->length = ED25519_SIG_SIZE; |
wolfSSL | 15:117db924cf7c | 5731 | } |
wolfSSL | 16:8e0d178b1d1e | 5732 | #endif /* HAVE_ED25519 */ |
wolfSSL | 16:8e0d178b1d1e | 5733 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 5734 | if (ssl->hsType == DYNAMIC_TYPE_ED448) { |
wolfSSL | 16:8e0d178b1d1e | 5735 | ret = Ed448CheckPubKey(ssl); |
wolfSSL | 16:8e0d178b1d1e | 5736 | if (ret < 0) { |
wolfSSL | 16:8e0d178b1d1e | 5737 | ERROR_OUT(ret, exit_scv); |
wolfSSL | 16:8e0d178b1d1e | 5738 | } |
wolfSSL | 16:8e0d178b1d1e | 5739 | sig->length = ED448_SIG_SIZE; |
wolfSSL | 16:8e0d178b1d1e | 5740 | } |
wolfSSL | 16:8e0d178b1d1e | 5741 | #endif /* HAVE_ED448 */ |
wolfSSL | 15:117db924cf7c | 5742 | |
wolfSSL | 15:117db924cf7c | 5743 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5744 | ssl->options.asyncState = TLS_ASYNC_DO; |
wolfSSL | 15:117db924cf7c | 5745 | } /* case TLS_ASYNC_BUILD */ |
wolfSSL | 15:117db924cf7c | 5746 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5747 | |
wolfSSL | 15:117db924cf7c | 5748 | case TLS_ASYNC_DO: |
wolfSSL | 15:117db924cf7c | 5749 | { |
wolfSSL | 15:117db924cf7c | 5750 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 5751 | if (ssl->hsType == DYNAMIC_TYPE_ECC) { |
wolfSSL | 16:8e0d178b1d1e | 5752 | |
wolfSSL | 15:117db924cf7c | 5753 | ret = EccSign(ssl, args->sigData, args->sigDataSz, |
wolfSSL | 15:117db924cf7c | 5754 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, |
wolfSSL | 16:8e0d178b1d1e | 5755 | (word32*)&sig->length, (ecc_key*)ssl->hsKey, |
wolfSSL | 15:117db924cf7c | 5756 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5757 | ssl->buffers.key |
wolfSSL | 15:117db924cf7c | 5758 | #else |
wolfSSL | 15:117db924cf7c | 5759 | NULL |
wolfSSL | 15:117db924cf7c | 5760 | #endif |
wolfSSL | 15:117db924cf7c | 5761 | ); |
wolfSSL | 15:117db924cf7c | 5762 | args->length = (word16)sig->length; |
wolfSSL | 15:117db924cf7c | 5763 | } |
wolfSSL | 15:117db924cf7c | 5764 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 5765 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 5766 | if (ssl->hsType == DYNAMIC_TYPE_ED25519) { |
wolfSSL | 15:117db924cf7c | 5767 | ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz, |
wolfSSL | 15:117db924cf7c | 5768 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, |
wolfSSL | 16:8e0d178b1d1e | 5769 | (word32*)&sig->length, (ed25519_key*)ssl->hsKey, |
wolfSSL | 15:117db924cf7c | 5770 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5771 | ssl->buffers.key |
wolfSSL | 15:117db924cf7c | 5772 | #else |
wolfSSL | 15:117db924cf7c | 5773 | NULL |
wolfSSL | 15:117db924cf7c | 5774 | #endif |
wolfSSL | 15:117db924cf7c | 5775 | ); |
wolfSSL | 16:8e0d178b1d1e | 5776 | args->length = (word16)sig->length; |
wolfSSL | 16:8e0d178b1d1e | 5777 | } |
wolfSSL | 16:8e0d178b1d1e | 5778 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5779 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 5780 | if (ssl->hsType == DYNAMIC_TYPE_ED448) { |
wolfSSL | 16:8e0d178b1d1e | 5781 | ret = Ed448Sign(ssl, args->sigData, args->sigDataSz, |
wolfSSL | 16:8e0d178b1d1e | 5782 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, |
wolfSSL | 16:8e0d178b1d1e | 5783 | (word32*)&sig->length, (ed448_key*)ssl->hsKey, |
wolfSSL | 16:8e0d178b1d1e | 5784 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 16:8e0d178b1d1e | 5785 | ssl->buffers.key |
wolfSSL | 16:8e0d178b1d1e | 5786 | #else |
wolfSSL | 16:8e0d178b1d1e | 5787 | NULL |
wolfSSL | 16:8e0d178b1d1e | 5788 | #endif |
wolfSSL | 16:8e0d178b1d1e | 5789 | ); |
wolfSSL | 16:8e0d178b1d1e | 5790 | args->length = (word16)sig->length; |
wolfSSL | 15:117db924cf7c | 5791 | } |
wolfSSL | 15:117db924cf7c | 5792 | #endif |
wolfSSL | 15:117db924cf7c | 5793 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5794 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
wolfSSL | 16:8e0d178b1d1e | 5795 | ret = RsaSign(ssl, sig->buffer, (word32)sig->length, |
wolfSSL | 15:117db924cf7c | 5796 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, &args->sigLen, |
wolfSSL | 15:117db924cf7c | 5797 | args->sigAlgo, ssl->suites->hashAlgo, |
wolfSSL | 15:117db924cf7c | 5798 | (RsaKey*)ssl->hsKey, |
wolfSSL | 15:117db924cf7c | 5799 | ssl->buffers.key |
wolfSSL | 15:117db924cf7c | 5800 | ); |
wolfSSL | 16:8e0d178b1d1e | 5801 | if (ret == 0) { |
wolfSSL | 16:8e0d178b1d1e | 5802 | args->length = (word16)args->sigLen; |
wolfSSL | 16:8e0d178b1d1e | 5803 | |
wolfSSL | 16:8e0d178b1d1e | 5804 | XMEMCPY(args->sigData, |
wolfSSL | 16:8e0d178b1d1e | 5805 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, |
wolfSSL | 16:8e0d178b1d1e | 5806 | args->sigLen); |
wolfSSL | 16:8e0d178b1d1e | 5807 | } |
wolfSSL | 15:117db924cf7c | 5808 | } |
wolfSSL | 15:117db924cf7c | 5809 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5810 | |
wolfSSL | 15:117db924cf7c | 5811 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 5812 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 5813 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5814 | } |
wolfSSL | 15:117db924cf7c | 5815 | |
wolfSSL | 15:117db924cf7c | 5816 | /* Add signature length. */ |
wolfSSL | 15:117db924cf7c | 5817 | c16toa(args->length, args->verify + HASH_SIG_SIZE); |
wolfSSL | 15:117db924cf7c | 5818 | |
wolfSSL | 15:117db924cf7c | 5819 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5820 | ssl->options.asyncState = TLS_ASYNC_VERIFY; |
wolfSSL | 15:117db924cf7c | 5821 | } /* case TLS_ASYNC_DO */ |
wolfSSL | 15:117db924cf7c | 5822 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5823 | |
wolfSSL | 15:117db924cf7c | 5824 | case TLS_ASYNC_VERIFY: |
wolfSSL | 15:117db924cf7c | 5825 | { |
wolfSSL | 15:117db924cf7c | 5826 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 5827 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
wolfSSL | 15:117db924cf7c | 5828 | /* check for signature faults */ |
wolfSSL | 16:8e0d178b1d1e | 5829 | ret = VerifyRsaSign(ssl, args->sigData, args->sigLen, |
wolfSSL | 16:8e0d178b1d1e | 5830 | sig->buffer, (word32)sig->length, args->sigAlgo, |
wolfSSL | 15:117db924cf7c | 5831 | ssl->suites->hashAlgo, (RsaKey*)ssl->hsKey, |
wolfSSL | 15:117db924cf7c | 5832 | ssl->buffers.key |
wolfSSL | 15:117db924cf7c | 5833 | ); |
wolfSSL | 15:117db924cf7c | 5834 | } |
wolfSSL | 15:117db924cf7c | 5835 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 5836 | |
wolfSSL | 15:117db924cf7c | 5837 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 5838 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 5839 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5840 | } |
wolfSSL | 15:117db924cf7c | 5841 | |
wolfSSL | 15:117db924cf7c | 5842 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5843 | ssl->options.asyncState = TLS_ASYNC_FINALIZE; |
wolfSSL | 15:117db924cf7c | 5844 | } /* case TLS_ASYNC_VERIFY */ |
wolfSSL | 15:117db924cf7c | 5845 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5846 | |
wolfSSL | 15:117db924cf7c | 5847 | case TLS_ASYNC_FINALIZE: |
wolfSSL | 15:117db924cf7c | 5848 | { |
wolfSSL | 15:117db924cf7c | 5849 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 5850 | AddTls13Headers(args->output, args->length + HASH_SIG_SIZE + |
wolfSSL | 15:117db924cf7c | 5851 | VERIFY_HEADER, certificate_verify, ssl); |
wolfSSL | 15:117db924cf7c | 5852 | |
wolfSSL | 15:117db924cf7c | 5853 | args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + |
wolfSSL | 15:117db924cf7c | 5854 | args->length + HASH_SIG_SIZE + VERIFY_HEADER; |
wolfSSL | 15:117db924cf7c | 5855 | |
wolfSSL | 15:117db924cf7c | 5856 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 5857 | ssl->options.asyncState = TLS_ASYNC_END; |
wolfSSL | 15:117db924cf7c | 5858 | } /* case TLS_ASYNC_FINALIZE */ |
wolfSSL | 15:117db924cf7c | 5859 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 5860 | |
wolfSSL | 15:117db924cf7c | 5861 | case TLS_ASYNC_END: |
wolfSSL | 15:117db924cf7c | 5862 | { |
wolfSSL | 15:117db924cf7c | 5863 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 5864 | ret = BuildTls13Message(ssl, args->output, |
wolfSSL | 15:117db924cf7c | 5865 | MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA, |
wolfSSL | 15:117db924cf7c | 5866 | args->output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 5867 | args->sendSz - RECORD_HEADER_SZ, handshake, |
wolfSSL | 15:117db924cf7c | 5868 | 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 5869 | |
wolfSSL | 15:117db924cf7c | 5870 | if (ret < 0) { |
wolfSSL | 15:117db924cf7c | 5871 | goto exit_scv; |
wolfSSL | 15:117db924cf7c | 5872 | } |
wolfSSL | 15:117db924cf7c | 5873 | else { |
wolfSSL | 15:117db924cf7c | 5874 | args->sendSz = ret; |
wolfSSL | 15:117db924cf7c | 5875 | ret = 0; |
wolfSSL | 15:117db924cf7c | 5876 | } |
wolfSSL | 15:117db924cf7c | 5877 | |
wolfSSL | 15:117db924cf7c | 5878 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 5879 | if (ssl->hsInfoOn) |
wolfSSL | 15:117db924cf7c | 5880 | AddPacketName(ssl, "CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 5881 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 5882 | AddPacketInfo(ssl, "CertificateVerify", handshake, |
wolfSSL | 15:117db924cf7c | 5883 | args->output, args->sendSz, WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 5884 | } |
wolfSSL | 15:117db924cf7c | 5885 | #endif |
wolfSSL | 15:117db924cf7c | 5886 | |
wolfSSL | 15:117db924cf7c | 5887 | ssl->buffers.outputBuffer.length += args->sendSz; |
wolfSSL | 15:117db924cf7c | 5888 | |
wolfSSL | 15:117db924cf7c | 5889 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 5890 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 5891 | break; |
wolfSSL | 15:117db924cf7c | 5892 | } |
wolfSSL | 15:117db924cf7c | 5893 | default: |
wolfSSL | 15:117db924cf7c | 5894 | ret = INPUT_CASE_ERROR; |
wolfSSL | 15:117db924cf7c | 5895 | } /* switch(ssl->options.asyncState) */ |
wolfSSL | 15:117db924cf7c | 5896 | |
wolfSSL | 15:117db924cf7c | 5897 | exit_scv: |
wolfSSL | 15:117db924cf7c | 5898 | |
wolfSSL | 15:117db924cf7c | 5899 | WOLFSSL_LEAVE("SendTls13CertificateVerify", ret); |
wolfSSL | 15:117db924cf7c | 5900 | WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND); |
wolfSSL | 15:117db924cf7c | 5901 | |
wolfSSL | 15:117db924cf7c | 5902 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 5903 | /* Handle async operation */ |
wolfSSL | 15:117db924cf7c | 5904 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 5905 | return ret; |
wolfSSL | 15:117db924cf7c | 5906 | } |
wolfSSL | 15:117db924cf7c | 5907 | #endif /* WOLFSSL_ASYNC_CRYPT */ |
wolfSSL | 15:117db924cf7c | 5908 | |
wolfSSL | 15:117db924cf7c | 5909 | /* Final cleanup */ |
wolfSSL | 15:117db924cf7c | 5910 | FreeScv13Args(ssl, args); |
wolfSSL | 15:117db924cf7c | 5911 | FreeKeyExchange(ssl); |
wolfSSL | 15:117db924cf7c | 5912 | |
wolfSSL | 15:117db924cf7c | 5913 | return ret; |
wolfSSL | 15:117db924cf7c | 5914 | } |
wolfSSL | 15:117db924cf7c | 5915 | |
wolfSSL | 15:117db924cf7c | 5916 | /* handle processing TLS v1.3 certificate (11) */ |
wolfSSL | 15:117db924cf7c | 5917 | /* Parse and handle a TLS v1.3 Certificate message. |
wolfSSL | 15:117db924cf7c | 5918 | * |
wolfSSL | 15:117db924cf7c | 5919 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5920 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 5921 | * inOutIdx On entry, the index into the message buffer of Certificate. |
wolfSSL | 15:117db924cf7c | 5922 | * On exit, the index of byte after the Certificate message. |
wolfSSL | 15:117db924cf7c | 5923 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 5924 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 5925 | */ |
wolfSSL | 15:117db924cf7c | 5926 | static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 5927 | word32 totalSz) |
wolfSSL | 15:117db924cf7c | 5928 | { |
wolfSSL | 15:117db924cf7c | 5929 | int ret; |
wolfSSL | 15:117db924cf7c | 5930 | |
wolfSSL | 15:117db924cf7c | 5931 | WOLFSSL_START(WC_FUNC_CERTIFICATE_DO); |
wolfSSL | 15:117db924cf7c | 5932 | WOLFSSL_ENTER("DoTls13Certificate"); |
wolfSSL | 15:117db924cf7c | 5933 | |
wolfSSL | 15:117db924cf7c | 5934 | ret = ProcessPeerCerts(ssl, input, inOutIdx, totalSz); |
wolfSSL | 15:117db924cf7c | 5935 | if (ret == 0) { |
wolfSSL | 15:117db924cf7c | 5936 | #if !defined(NO_WOLFSSL_CLIENT) |
wolfSSL | 15:117db924cf7c | 5937 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 5938 | ssl->options.serverState = SERVER_CERT_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5939 | #endif |
wolfSSL | 15:117db924cf7c | 5940 | #if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) |
wolfSSL | 15:117db924cf7c | 5941 | if (ssl->options.side == WOLFSSL_SERVER_END && |
wolfSSL | 15:117db924cf7c | 5942 | ssl->options.handShakeState == HANDSHAKE_DONE) { |
wolfSSL | 15:117db924cf7c | 5943 | /* reset handshake states */ |
wolfSSL | 15:117db924cf7c | 5944 | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5945 | ssl->options.acceptState = TICKET_SENT; |
wolfSSL | 15:117db924cf7c | 5946 | ssl->options.handShakeState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 5947 | } |
wolfSSL | 15:117db924cf7c | 5948 | #endif |
wolfSSL | 15:117db924cf7c | 5949 | } |
wolfSSL | 15:117db924cf7c | 5950 | |
wolfSSL | 15:117db924cf7c | 5951 | WOLFSSL_LEAVE("DoTls13Certificate", ret); |
wolfSSL | 15:117db924cf7c | 5952 | WOLFSSL_END(WC_FUNC_CERTIFICATE_DO); |
wolfSSL | 15:117db924cf7c | 5953 | |
wolfSSL | 15:117db924cf7c | 5954 | return ret; |
wolfSSL | 15:117db924cf7c | 5955 | } |
wolfSSL | 15:117db924cf7c | 5956 | |
wolfSSL | 16:8e0d178b1d1e | 5957 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ |
wolfSSL | 16:8e0d178b1d1e | 5958 | defined(HAVE_ED448) |
wolfSSL | 15:117db924cf7c | 5959 | |
wolfSSL | 15:117db924cf7c | 5960 | typedef struct Dcv13Args { |
wolfSSL | 15:117db924cf7c | 5961 | byte* output; /* not allocated */ |
wolfSSL | 15:117db924cf7c | 5962 | word32 sendSz; |
wolfSSL | 15:117db924cf7c | 5963 | word16 sz; |
wolfSSL | 15:117db924cf7c | 5964 | word32 sigSz; |
wolfSSL | 15:117db924cf7c | 5965 | word32 idx; |
wolfSSL | 15:117db924cf7c | 5966 | word32 begin; |
wolfSSL | 15:117db924cf7c | 5967 | byte hashAlgo; |
wolfSSL | 15:117db924cf7c | 5968 | byte sigAlgo; |
wolfSSL | 15:117db924cf7c | 5969 | |
wolfSSL | 15:117db924cf7c | 5970 | byte* sigData; |
wolfSSL | 15:117db924cf7c | 5971 | word16 sigDataSz; |
wolfSSL | 15:117db924cf7c | 5972 | } Dcv13Args; |
wolfSSL | 15:117db924cf7c | 5973 | |
wolfSSL | 15:117db924cf7c | 5974 | static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs) |
wolfSSL | 15:117db924cf7c | 5975 | { |
wolfSSL | 15:117db924cf7c | 5976 | Dcv13Args* args = (Dcv13Args*)pArgs; |
wolfSSL | 15:117db924cf7c | 5977 | |
wolfSSL | 15:117db924cf7c | 5978 | if (args->sigData != NULL) { |
wolfSSL | 15:117db924cf7c | 5979 | XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 5980 | args->sigData = NULL; |
wolfSSL | 15:117db924cf7c | 5981 | } |
wolfSSL | 15:117db924cf7c | 5982 | |
wolfSSL | 15:117db924cf7c | 5983 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 5984 | } |
wolfSSL | 15:117db924cf7c | 5985 | |
wolfSSL | 15:117db924cf7c | 5986 | /* handle processing TLS v1.3 certificate_verify (15) */ |
wolfSSL | 15:117db924cf7c | 5987 | /* Parse and handle a TLS v1.3 CertificateVerify message. |
wolfSSL | 15:117db924cf7c | 5988 | * |
wolfSSL | 15:117db924cf7c | 5989 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 5990 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 5991 | * inOutIdx On entry, the index into the message buffer of |
wolfSSL | 15:117db924cf7c | 5992 | * CertificateVerify. |
wolfSSL | 15:117db924cf7c | 5993 | * On exit, the index of byte after the CertificateVerify message. |
wolfSSL | 15:117db924cf7c | 5994 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 5995 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 5996 | */ |
wolfSSL | 15:117db924cf7c | 5997 | static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input, |
wolfSSL | 15:117db924cf7c | 5998 | word32* inOutIdx, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 5999 | { |
wolfSSL | 15:117db924cf7c | 6000 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 6001 | buffer* sig = &ssl->buffers.sig; |
wolfSSL | 15:117db924cf7c | 6002 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 6003 | Dcv13Args* args = (Dcv13Args*)ssl->async.args; |
wolfSSL | 15:117db924cf7c | 6004 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; |
wolfSSL | 15:117db924cf7c | 6005 | (void)sizeof(args_test); |
wolfSSL | 15:117db924cf7c | 6006 | #else |
wolfSSL | 15:117db924cf7c | 6007 | Dcv13Args args[1]; |
wolfSSL | 15:117db924cf7c | 6008 | #endif |
wolfSSL | 15:117db924cf7c | 6009 | |
wolfSSL | 15:117db924cf7c | 6010 | WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO); |
wolfSSL | 15:117db924cf7c | 6011 | WOLFSSL_ENTER("DoTls13CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 6012 | |
wolfSSL | 15:117db924cf7c | 6013 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 6014 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); |
wolfSSL | 15:117db924cf7c | 6015 | if (ret != WC_NOT_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 6016 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 6017 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 6018 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 6019 | } |
wolfSSL | 15:117db924cf7c | 6020 | else |
wolfSSL | 15:117db924cf7c | 6021 | #endif |
wolfSSL | 15:117db924cf7c | 6022 | { |
wolfSSL | 15:117db924cf7c | 6023 | /* Reset state */ |
wolfSSL | 15:117db924cf7c | 6024 | ret = 0; |
wolfSSL | 15:117db924cf7c | 6025 | ssl->options.asyncState = TLS_ASYNC_BEGIN; |
wolfSSL | 15:117db924cf7c | 6026 | XMEMSET(args, 0, sizeof(Dcv13Args)); |
wolfSSL | 15:117db924cf7c | 6027 | args->hashAlgo = sha_mac; |
wolfSSL | 15:117db924cf7c | 6028 | args->sigAlgo = anonymous_sa_algo; |
wolfSSL | 15:117db924cf7c | 6029 | args->idx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6030 | args->begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6031 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 6032 | ssl->async.freeArgs = FreeDcv13Args; |
wolfSSL | 15:117db924cf7c | 6033 | #endif |
wolfSSL | 15:117db924cf7c | 6034 | } |
wolfSSL | 15:117db924cf7c | 6035 | |
wolfSSL | 15:117db924cf7c | 6036 | switch(ssl->options.asyncState) |
wolfSSL | 15:117db924cf7c | 6037 | { |
wolfSSL | 15:117db924cf7c | 6038 | case TLS_ASYNC_BEGIN: |
wolfSSL | 15:117db924cf7c | 6039 | { |
wolfSSL | 15:117db924cf7c | 6040 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 6041 | if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 6042 | if (ssl->toInfoOn) AddLateName("CertificateVerify", |
wolfSSL | 15:117db924cf7c | 6043 | &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 6044 | #endif |
wolfSSL | 15:117db924cf7c | 6045 | |
wolfSSL | 15:117db924cf7c | 6046 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 6047 | ssl->options.asyncState = TLS_ASYNC_BUILD; |
wolfSSL | 15:117db924cf7c | 6048 | } /* case TLS_ASYNC_BEGIN */ |
wolfSSL | 15:117db924cf7c | 6049 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 6050 | |
wolfSSL | 15:117db924cf7c | 6051 | case TLS_ASYNC_BUILD: |
wolfSSL | 15:117db924cf7c | 6052 | { |
wolfSSL | 15:117db924cf7c | 6053 | /* Signature algorithm. */ |
wolfSSL | 15:117db924cf7c | 6054 | if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) { |
wolfSSL | 15:117db924cf7c | 6055 | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
wolfSSL | 15:117db924cf7c | 6056 | } |
wolfSSL | 16:8e0d178b1d1e | 6057 | ret = DecodeTls13SigAlg(input + args->idx, &args->hashAlgo, |
wolfSSL | 16:8e0d178b1d1e | 6058 | &args->sigAlgo); |
wolfSSL | 16:8e0d178b1d1e | 6059 | if (ret < 0) |
wolfSSL | 16:8e0d178b1d1e | 6060 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 6061 | args->idx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 6062 | |
wolfSSL | 15:117db924cf7c | 6063 | /* Signature length. */ |
wolfSSL | 15:117db924cf7c | 6064 | if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) { |
wolfSSL | 15:117db924cf7c | 6065 | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
wolfSSL | 15:117db924cf7c | 6066 | } |
wolfSSL | 15:117db924cf7c | 6067 | ato16(input + args->idx, &args->sz); |
wolfSSL | 15:117db924cf7c | 6068 | args->idx += OPAQUE16_LEN; |
wolfSSL | 15:117db924cf7c | 6069 | |
wolfSSL | 15:117db924cf7c | 6070 | /* Signature data. */ |
wolfSSL | 15:117db924cf7c | 6071 | if ((args->idx - args->begin) + args->sz > totalSz || |
wolfSSL | 15:117db924cf7c | 6072 | args->sz > ENCRYPT_LEN) { |
wolfSSL | 15:117db924cf7c | 6073 | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
wolfSSL | 15:117db924cf7c | 6074 | } |
wolfSSL | 15:117db924cf7c | 6075 | |
wolfSSL | 15:117db924cf7c | 6076 | /* Check for public key of required type. */ |
wolfSSL | 15:117db924cf7c | 6077 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 6078 | if (args->sigAlgo == ed25519_sa_algo && |
wolfSSL | 15:117db924cf7c | 6079 | !ssl->peerEd25519KeyPresent) { |
wolfSSL | 15:117db924cf7c | 6080 | WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify"); |
wolfSSL | 15:117db924cf7c | 6081 | } |
wolfSSL | 15:117db924cf7c | 6082 | #endif |
wolfSSL | 16:8e0d178b1d1e | 6083 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 6084 | if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) { |
wolfSSL | 16:8e0d178b1d1e | 6085 | WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify"); |
wolfSSL | 16:8e0d178b1d1e | 6086 | } |
wolfSSL | 16:8e0d178b1d1e | 6087 | #endif |
wolfSSL | 15:117db924cf7c | 6088 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 6089 | if (args->sigAlgo == ecc_dsa_sa_algo && |
wolfSSL | 15:117db924cf7c | 6090 | !ssl->peerEccDsaKeyPresent) { |
wolfSSL | 15:117db924cf7c | 6091 | WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); |
wolfSSL | 15:117db924cf7c | 6092 | } |
wolfSSL | 15:117db924cf7c | 6093 | #endif |
wolfSSL | 15:117db924cf7c | 6094 | #ifndef NO_RSA |
wolfSSL | 16:8e0d178b1d1e | 6095 | if (args->sigAlgo == rsa_sa_algo) { |
wolfSSL | 16:8e0d178b1d1e | 6096 | WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature"); |
wolfSSL | 16:8e0d178b1d1e | 6097 | ERROR_OUT(INVALID_PARAMETER, exit_dcv); |
wolfSSL | 16:8e0d178b1d1e | 6098 | } |
wolfSSL | 16:8e0d178b1d1e | 6099 | if (args->sigAlgo == rsa_pss_sa_algo && |
wolfSSL | 15:117db924cf7c | 6100 | (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) { |
wolfSSL | 15:117db924cf7c | 6101 | WOLFSSL_MSG("Oops, peer sent RSA key but not in verify"); |
wolfSSL | 15:117db924cf7c | 6102 | } |
wolfSSL | 15:117db924cf7c | 6103 | #endif |
wolfSSL | 15:117db924cf7c | 6104 | |
wolfSSL | 15:117db924cf7c | 6105 | sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap, |
wolfSSL | 15:117db924cf7c | 6106 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 6107 | if (sig->buffer == NULL) { |
wolfSSL | 15:117db924cf7c | 6108 | ERROR_OUT(MEMORY_E, exit_dcv); |
wolfSSL | 15:117db924cf7c | 6109 | } |
wolfSSL | 15:117db924cf7c | 6110 | sig->length = args->sz; |
wolfSSL | 15:117db924cf7c | 6111 | XMEMCPY(sig->buffer, input + args->idx, args->sz); |
wolfSSL | 15:117db924cf7c | 6112 | |
wolfSSL | 15:117db924cf7c | 6113 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 6114 | if (ssl->peerEccDsaKeyPresent) { |
wolfSSL | 15:117db924cf7c | 6115 | WOLFSSL_MSG("Doing ECC peer cert verify"); |
wolfSSL | 15:117db924cf7c | 6116 | |
wolfSSL | 15:117db924cf7c | 6117 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap, |
wolfSSL | 16:8e0d178b1d1e | 6118 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 6119 | if (args->sigData == NULL) { |
wolfSSL | 15:117db924cf7c | 6120 | ERROR_OUT(MEMORY_E, exit_dcv); |
wolfSSL | 15:117db924cf7c | 6121 | } |
wolfSSL | 15:117db924cf7c | 6122 | |
wolfSSL | 15:117db924cf7c | 6123 | ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1); |
wolfSSL | 15:117db924cf7c | 6124 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6125 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 6126 | ret = CreateECCEncodedSig(args->sigData, |
wolfSSL | 15:117db924cf7c | 6127 | args->sigDataSz, args->hashAlgo); |
wolfSSL | 15:117db924cf7c | 6128 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 6129 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 6130 | args->sigDataSz = (word16)ret; |
wolfSSL | 15:117db924cf7c | 6131 | ret = 0; |
wolfSSL | 15:117db924cf7c | 6132 | } |
wolfSSL | 15:117db924cf7c | 6133 | #endif |
wolfSSL | 15:117db924cf7c | 6134 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 6135 | if (ssl->peerEd25519KeyPresent) { |
wolfSSL | 15:117db924cf7c | 6136 | WOLFSSL_MSG("Doing ED25519 peer cert verify"); |
wolfSSL | 15:117db924cf7c | 6137 | |
wolfSSL | 15:117db924cf7c | 6138 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap, |
wolfSSL | 16:8e0d178b1d1e | 6139 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 15:117db924cf7c | 6140 | if (args->sigData == NULL) { |
wolfSSL | 15:117db924cf7c | 6141 | ERROR_OUT(MEMORY_E, exit_dcv); |
wolfSSL | 15:117db924cf7c | 6142 | } |
wolfSSL | 15:117db924cf7c | 6143 | |
wolfSSL | 15:117db924cf7c | 6144 | CreateSigData(ssl, args->sigData, &args->sigDataSz, 1); |
wolfSSL | 15:117db924cf7c | 6145 | ret = 0; |
wolfSSL | 15:117db924cf7c | 6146 | } |
wolfSSL | 15:117db924cf7c | 6147 | #endif |
wolfSSL | 16:8e0d178b1d1e | 6148 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 6149 | if (ssl->peerEd448KeyPresent) { |
wolfSSL | 16:8e0d178b1d1e | 6150 | WOLFSSL_MSG("Doing ED448 peer cert verify"); |
wolfSSL | 16:8e0d178b1d1e | 6151 | |
wolfSSL | 16:8e0d178b1d1e | 6152 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap, |
wolfSSL | 16:8e0d178b1d1e | 6153 | DYNAMIC_TYPE_SIGNATURE); |
wolfSSL | 16:8e0d178b1d1e | 6154 | if (args->sigData == NULL) { |
wolfSSL | 16:8e0d178b1d1e | 6155 | ERROR_OUT(MEMORY_E, exit_dcv); |
wolfSSL | 16:8e0d178b1d1e | 6156 | } |
wolfSSL | 16:8e0d178b1d1e | 6157 | |
wolfSSL | 16:8e0d178b1d1e | 6158 | CreateSigData(ssl, args->sigData, &args->sigDataSz, 1); |
wolfSSL | 16:8e0d178b1d1e | 6159 | ret = 0; |
wolfSSL | 16:8e0d178b1d1e | 6160 | } |
wolfSSL | 16:8e0d178b1d1e | 6161 | #endif |
wolfSSL | 15:117db924cf7c | 6162 | |
wolfSSL | 15:117db924cf7c | 6163 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 6164 | ssl->options.asyncState = TLS_ASYNC_DO; |
wolfSSL | 15:117db924cf7c | 6165 | } /* case TLS_ASYNC_BUILD */ |
wolfSSL | 15:117db924cf7c | 6166 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 6167 | |
wolfSSL | 15:117db924cf7c | 6168 | case TLS_ASYNC_DO: |
wolfSSL | 15:117db924cf7c | 6169 | { |
wolfSSL | 15:117db924cf7c | 6170 | #ifndef NO_RSA |
wolfSSL | 16:8e0d178b1d1e | 6171 | if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { |
wolfSSL | 15:117db924cf7c | 6172 | WOLFSSL_MSG("Doing RSA peer cert verify"); |
wolfSSL | 15:117db924cf7c | 6173 | |
wolfSSL | 16:8e0d178b1d1e | 6174 | ret = RsaVerify(ssl, sig->buffer, (word32)sig->length, &args->output, |
wolfSSL | 15:117db924cf7c | 6175 | args->sigAlgo, args->hashAlgo, ssl->peerRsaKey, |
wolfSSL | 15:117db924cf7c | 6176 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 6177 | &ssl->buffers.peerRsaKey |
wolfSSL | 15:117db924cf7c | 6178 | #else |
wolfSSL | 15:117db924cf7c | 6179 | NULL |
wolfSSL | 15:117db924cf7c | 6180 | #endif |
wolfSSL | 15:117db924cf7c | 6181 | ); |
wolfSSL | 15:117db924cf7c | 6182 | if (ret >= 0) { |
wolfSSL | 15:117db924cf7c | 6183 | args->sendSz = ret; |
wolfSSL | 15:117db924cf7c | 6184 | ret = 0; |
wolfSSL | 15:117db924cf7c | 6185 | } |
wolfSSL | 15:117db924cf7c | 6186 | } |
wolfSSL | 15:117db924cf7c | 6187 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 6188 | #ifdef HAVE_ECC |
wolfSSL | 15:117db924cf7c | 6189 | if (ssl->peerEccDsaKeyPresent) { |
wolfSSL | 15:117db924cf7c | 6190 | WOLFSSL_MSG("Doing ECC peer cert verify"); |
wolfSSL | 15:117db924cf7c | 6191 | |
wolfSSL | 15:117db924cf7c | 6192 | ret = EccVerify(ssl, input + args->idx, args->sz, |
wolfSSL | 15:117db924cf7c | 6193 | args->sigData, args->sigDataSz, |
wolfSSL | 15:117db924cf7c | 6194 | ssl->peerEccDsaKey, |
wolfSSL | 15:117db924cf7c | 6195 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 6196 | &ssl->buffers.peerEccDsaKey |
wolfSSL | 15:117db924cf7c | 6197 | #else |
wolfSSL | 15:117db924cf7c | 6198 | NULL |
wolfSSL | 15:117db924cf7c | 6199 | #endif |
wolfSSL | 15:117db924cf7c | 6200 | ); |
wolfSSL | 16:8e0d178b1d1e | 6201 | |
wolfSSL | 16:8e0d178b1d1e | 6202 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 6203 | FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey); |
wolfSSL | 16:8e0d178b1d1e | 6204 | ssl->peerEccDsaKeyPresent = 0; |
wolfSSL | 16:8e0d178b1d1e | 6205 | } |
wolfSSL | 15:117db924cf7c | 6206 | } |
wolfSSL | 15:117db924cf7c | 6207 | #endif /* HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 6208 | #ifdef HAVE_ED25519 |
wolfSSL | 15:117db924cf7c | 6209 | if (ssl->peerEd25519KeyPresent) { |
wolfSSL | 15:117db924cf7c | 6210 | WOLFSSL_MSG("Doing ED25519 peer cert verify"); |
wolfSSL | 15:117db924cf7c | 6211 | |
wolfSSL | 15:117db924cf7c | 6212 | ret = Ed25519Verify(ssl, input + args->idx, args->sz, |
wolfSSL | 15:117db924cf7c | 6213 | args->sigData, args->sigDataSz, |
wolfSSL | 15:117db924cf7c | 6214 | ssl->peerEd25519Key, |
wolfSSL | 15:117db924cf7c | 6215 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 6216 | &ssl->buffers.peerEd25519Key |
wolfSSL | 15:117db924cf7c | 6217 | #else |
wolfSSL | 15:117db924cf7c | 6218 | NULL |
wolfSSL | 15:117db924cf7c | 6219 | #endif |
wolfSSL | 15:117db924cf7c | 6220 | ); |
wolfSSL | 16:8e0d178b1d1e | 6221 | |
wolfSSL | 16:8e0d178b1d1e | 6222 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 6223 | FreeKey(ssl, DYNAMIC_TYPE_ED25519, |
wolfSSL | 16:8e0d178b1d1e | 6224 | (void**)&ssl->peerEd25519Key); |
wolfSSL | 16:8e0d178b1d1e | 6225 | ssl->peerEd25519KeyPresent = 0; |
wolfSSL | 16:8e0d178b1d1e | 6226 | } |
wolfSSL | 16:8e0d178b1d1e | 6227 | } |
wolfSSL | 16:8e0d178b1d1e | 6228 | #endif |
wolfSSL | 16:8e0d178b1d1e | 6229 | #ifdef HAVE_ED448 |
wolfSSL | 16:8e0d178b1d1e | 6230 | if (ssl->peerEd448KeyPresent) { |
wolfSSL | 16:8e0d178b1d1e | 6231 | WOLFSSL_MSG("Doing ED448 peer cert verify"); |
wolfSSL | 16:8e0d178b1d1e | 6232 | |
wolfSSL | 16:8e0d178b1d1e | 6233 | ret = Ed448Verify(ssl, input + args->idx, args->sz, |
wolfSSL | 16:8e0d178b1d1e | 6234 | args->sigData, args->sigDataSz, |
wolfSSL | 16:8e0d178b1d1e | 6235 | ssl->peerEd448Key, |
wolfSSL | 16:8e0d178b1d1e | 6236 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 16:8e0d178b1d1e | 6237 | &ssl->buffers.peerEd448Key |
wolfSSL | 16:8e0d178b1d1e | 6238 | #else |
wolfSSL | 16:8e0d178b1d1e | 6239 | NULL |
wolfSSL | 16:8e0d178b1d1e | 6240 | #endif |
wolfSSL | 16:8e0d178b1d1e | 6241 | ); |
wolfSSL | 16:8e0d178b1d1e | 6242 | |
wolfSSL | 16:8e0d178b1d1e | 6243 | if (ret >= 0) { |
wolfSSL | 16:8e0d178b1d1e | 6244 | FreeKey(ssl, DYNAMIC_TYPE_ED448, |
wolfSSL | 16:8e0d178b1d1e | 6245 | (void**)&ssl->peerEd448Key); |
wolfSSL | 16:8e0d178b1d1e | 6246 | ssl->peerEd448KeyPresent = 0; |
wolfSSL | 16:8e0d178b1d1e | 6247 | } |
wolfSSL | 15:117db924cf7c | 6248 | } |
wolfSSL | 15:117db924cf7c | 6249 | #endif |
wolfSSL | 15:117db924cf7c | 6250 | |
wolfSSL | 15:117db924cf7c | 6251 | /* Check for error */ |
wolfSSL | 15:117db924cf7c | 6252 | if (ret != 0) { |
wolfSSL | 15:117db924cf7c | 6253 | goto exit_dcv; |
wolfSSL | 15:117db924cf7c | 6254 | } |
wolfSSL | 15:117db924cf7c | 6255 | |
wolfSSL | 15:117db924cf7c | 6256 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 6257 | ssl->options.asyncState = TLS_ASYNC_VERIFY; |
wolfSSL | 15:117db924cf7c | 6258 | } /* case TLS_ASYNC_DO */ |
wolfSSL | 15:117db924cf7c | 6259 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 6260 | |
wolfSSL | 15:117db924cf7c | 6261 | case TLS_ASYNC_VERIFY: |
wolfSSL | 15:117db924cf7c | 6262 | { |
wolfSSL | 15:117db924cf7c | 6263 | #ifndef NO_RSA |
wolfSSL | 15:117db924cf7c | 6264 | if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { |
wolfSSL | 15:117db924cf7c | 6265 | ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo, |
wolfSSL | 15:117db924cf7c | 6266 | args->output, args->sendSz); |
wolfSSL | 15:117db924cf7c | 6267 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6268 | goto exit_dcv; |
wolfSSL | 16:8e0d178b1d1e | 6269 | |
wolfSSL | 16:8e0d178b1d1e | 6270 | FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); |
wolfSSL | 16:8e0d178b1d1e | 6271 | ssl->peerRsaKeyPresent = 0; |
wolfSSL | 15:117db924cf7c | 6272 | } |
wolfSSL | 15:117db924cf7c | 6273 | #endif /* !NO_RSA */ |
wolfSSL | 15:117db924cf7c | 6274 | |
wolfSSL | 15:117db924cf7c | 6275 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 6276 | ssl->options.asyncState = TLS_ASYNC_FINALIZE; |
wolfSSL | 15:117db924cf7c | 6277 | } /* case TLS_ASYNC_VERIFY */ |
wolfSSL | 15:117db924cf7c | 6278 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 6279 | |
wolfSSL | 15:117db924cf7c | 6280 | case TLS_ASYNC_FINALIZE: |
wolfSSL | 15:117db924cf7c | 6281 | { |
wolfSSL | 15:117db924cf7c | 6282 | ssl->options.havePeerVerify = 1; |
wolfSSL | 15:117db924cf7c | 6283 | |
wolfSSL | 15:117db924cf7c | 6284 | /* Set final index */ |
wolfSSL | 15:117db924cf7c | 6285 | args->idx += args->sz; |
wolfSSL | 15:117db924cf7c | 6286 | *inOutIdx = args->idx; |
wolfSSL | 15:117db924cf7c | 6287 | |
wolfSSL | 15:117db924cf7c | 6288 | /* Encryption is always on: add padding */ |
wolfSSL | 15:117db924cf7c | 6289 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6290 | |
wolfSSL | 15:117db924cf7c | 6291 | /* Advance state and proceed */ |
wolfSSL | 15:117db924cf7c | 6292 | ssl->options.asyncState = TLS_ASYNC_END; |
wolfSSL | 15:117db924cf7c | 6293 | } /* case TLS_ASYNC_FINALIZE */ |
wolfSSL | 15:117db924cf7c | 6294 | |
wolfSSL | 15:117db924cf7c | 6295 | case TLS_ASYNC_END: |
wolfSSL | 15:117db924cf7c | 6296 | { |
wolfSSL | 15:117db924cf7c | 6297 | break; |
wolfSSL | 15:117db924cf7c | 6298 | } |
wolfSSL | 15:117db924cf7c | 6299 | default: |
wolfSSL | 15:117db924cf7c | 6300 | ret = INPUT_CASE_ERROR; |
wolfSSL | 15:117db924cf7c | 6301 | } /* switch(ssl->options.asyncState) */ |
wolfSSL | 15:117db924cf7c | 6302 | |
wolfSSL | 15:117db924cf7c | 6303 | exit_dcv: |
wolfSSL | 15:117db924cf7c | 6304 | |
wolfSSL | 15:117db924cf7c | 6305 | WOLFSSL_LEAVE("DoTls13CertificateVerify", ret); |
wolfSSL | 15:117db924cf7c | 6306 | WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO); |
wolfSSL | 15:117db924cf7c | 6307 | |
wolfSSL | 15:117db924cf7c | 6308 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 6309 | /* Handle async operation */ |
wolfSSL | 15:117db924cf7c | 6310 | if (ret == WC_PENDING_E) { |
wolfSSL | 16:8e0d178b1d1e | 6311 | /* Mark message as not received so it can process again */ |
wolfSSL | 15:117db924cf7c | 6312 | ssl->msgsReceived.got_certificate_verify = 0; |
wolfSSL | 15:117db924cf7c | 6313 | |
wolfSSL | 15:117db924cf7c | 6314 | return ret; |
wolfSSL | 15:117db924cf7c | 6315 | } |
wolfSSL | 15:117db924cf7c | 6316 | else |
wolfSSL | 15:117db924cf7c | 6317 | #endif /* WOLFSSL_ASYNC_CRYPT */ |
wolfSSL | 16:8e0d178b1d1e | 6318 | if (ret != 0 && ret != INVALID_PARAMETER) |
wolfSSL | 15:117db924cf7c | 6319 | SendAlert(ssl, alert_fatal, decrypt_error); |
wolfSSL | 15:117db924cf7c | 6320 | |
wolfSSL | 15:117db924cf7c | 6321 | /* Final cleanup */ |
wolfSSL | 15:117db924cf7c | 6322 | FreeDcv13Args(ssl, args); |
wolfSSL | 15:117db924cf7c | 6323 | FreeKeyExchange(ssl); |
wolfSSL | 15:117db924cf7c | 6324 | |
wolfSSL | 15:117db924cf7c | 6325 | return ret; |
wolfSSL | 15:117db924cf7c | 6326 | } |
wolfSSL | 15:117db924cf7c | 6327 | #endif /* !NO_RSA || HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 6328 | |
wolfSSL | 15:117db924cf7c | 6329 | /* Parse and handle a TLS v1.3 Finished message. |
wolfSSL | 15:117db924cf7c | 6330 | * |
wolfSSL | 15:117db924cf7c | 6331 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6332 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 6333 | * inOutIdx On entry, the index into the message buffer of Finished. |
wolfSSL | 15:117db924cf7c | 6334 | * On exit, the index of byte after the Finished message and padding. |
wolfSSL | 15:117db924cf7c | 6335 | * size Length of message data. |
wolfSSL | 15:117db924cf7c | 6336 | * totalSz Length of remaining data in the message buffer. |
wolfSSL | 15:117db924cf7c | 6337 | * sniff Indicates whether we are sniffing packets. |
wolfSSL | 15:117db924cf7c | 6338 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 6339 | */ |
wolfSSL | 15:117db924cf7c | 6340 | static int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 6341 | word32 size, word32 totalSz, int sniff) |
wolfSSL | 15:117db924cf7c | 6342 | { |
wolfSSL | 15:117db924cf7c | 6343 | int ret; |
wolfSSL | 15:117db924cf7c | 6344 | word32 finishedSz = 0; |
wolfSSL | 15:117db924cf7c | 6345 | byte* secret; |
wolfSSL | 15:117db924cf7c | 6346 | byte mac[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 6347 | |
wolfSSL | 15:117db924cf7c | 6348 | WOLFSSL_START(WC_FUNC_FINISHED_DO); |
wolfSSL | 15:117db924cf7c | 6349 | WOLFSSL_ENTER("DoTls13Finished"); |
wolfSSL | 15:117db924cf7c | 6350 | |
wolfSSL | 15:117db924cf7c | 6351 | /* check against totalSz */ |
wolfSSL | 15:117db924cf7c | 6352 | if (*inOutIdx + size + ssl->keys.padSz > totalSz) |
wolfSSL | 15:117db924cf7c | 6353 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 6354 | |
wolfSSL | 15:117db924cf7c | 6355 | if (ssl->options.handShakeDone) { |
wolfSSL | 16:8e0d178b1d1e | 6356 | ret = DeriveFinishedSecret(ssl, ssl->clientSecret, |
wolfSSL | 15:117db924cf7c | 6357 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 6358 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6359 | return ret; |
wolfSSL | 15:117db924cf7c | 6360 | |
wolfSSL | 15:117db924cf7c | 6361 | secret = ssl->keys.client_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 6362 | } |
wolfSSL | 15:117db924cf7c | 6363 | else if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 6364 | /* All the handshake messages have been received to calculate |
wolfSSL | 15:117db924cf7c | 6365 | * client and server finished keys. |
wolfSSL | 15:117db924cf7c | 6366 | */ |
wolfSSL | 16:8e0d178b1d1e | 6367 | ret = DeriveFinishedSecret(ssl, ssl->clientSecret, |
wolfSSL | 15:117db924cf7c | 6368 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 6369 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6370 | return ret; |
wolfSSL | 15:117db924cf7c | 6371 | |
wolfSSL | 16:8e0d178b1d1e | 6372 | ret = DeriveFinishedSecret(ssl, ssl->serverSecret, |
wolfSSL | 15:117db924cf7c | 6373 | ssl->keys.server_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 6374 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6375 | return ret; |
wolfSSL | 15:117db924cf7c | 6376 | |
wolfSSL | 15:117db924cf7c | 6377 | secret = ssl->keys.server_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 6378 | } |
wolfSSL | 15:117db924cf7c | 6379 | else |
wolfSSL | 15:117db924cf7c | 6380 | secret = ssl->keys.client_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 6381 | |
wolfSSL | 15:117db924cf7c | 6382 | ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz); |
wolfSSL | 15:117db924cf7c | 6383 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6384 | return ret; |
wolfSSL | 15:117db924cf7c | 6385 | if (size != finishedSz) |
wolfSSL | 15:117db924cf7c | 6386 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6387 | |
wolfSSL | 15:117db924cf7c | 6388 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 6389 | if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); |
wolfSSL | 15:117db924cf7c | 6390 | if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 6391 | #endif |
wolfSSL | 15:117db924cf7c | 6392 | |
wolfSSL | 15:117db924cf7c | 6393 | if (sniff == NO_SNIFF) { |
wolfSSL | 15:117db924cf7c | 6394 | /* Actually check verify data. */ |
wolfSSL | 15:117db924cf7c | 6395 | if (XMEMCMP(input + *inOutIdx, mac, size) != 0){ |
wolfSSL | 15:117db924cf7c | 6396 | WOLFSSL_MSG("Verify finished error on hashes"); |
wolfSSL | 15:117db924cf7c | 6397 | SendAlert(ssl, alert_fatal, decrypt_error); |
wolfSSL | 15:117db924cf7c | 6398 | return VERIFY_FINISHED_ERROR; |
wolfSSL | 15:117db924cf7c | 6399 | } |
wolfSSL | 15:117db924cf7c | 6400 | } |
wolfSSL | 15:117db924cf7c | 6401 | |
wolfSSL | 15:117db924cf7c | 6402 | /* Force input exhaustion at ProcessReply by consuming padSz. */ |
wolfSSL | 15:117db924cf7c | 6403 | *inOutIdx += size + ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6404 | |
wolfSSL | 15:117db924cf7c | 6405 | if (ssl->options.side == WOLFSSL_SERVER_END && |
wolfSSL | 15:117db924cf7c | 6406 | !ssl->options.handShakeDone) { |
wolfSSL | 15:117db924cf7c | 6407 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6408 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 6409 | if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0) |
wolfSSL | 15:117db924cf7c | 6410 | return ret; |
wolfSSL | 15:117db924cf7c | 6411 | } |
wolfSSL | 15:117db924cf7c | 6412 | #endif |
wolfSSL | 15:117db924cf7c | 6413 | /* Setup keys for application data messages from client. */ |
wolfSSL | 15:117db924cf7c | 6414 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 6415 | return ret; |
wolfSSL | 15:117db924cf7c | 6416 | } |
wolfSSL | 15:117db924cf7c | 6417 | |
wolfSSL | 15:117db924cf7c | 6418 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6419 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 6420 | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 6421 | #endif |
wolfSSL | 15:117db924cf7c | 6422 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6423 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6424 | ssl->options.clientState = CLIENT_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 6425 | ssl->options.handShakeState = HANDSHAKE_DONE; |
wolfSSL | 15:117db924cf7c | 6426 | ssl->options.handShakeDone = 1; |
wolfSSL | 15:117db924cf7c | 6427 | } |
wolfSSL | 15:117db924cf7c | 6428 | #endif |
wolfSSL | 15:117db924cf7c | 6429 | |
wolfSSL | 15:117db924cf7c | 6430 | WOLFSSL_LEAVE("DoTls13Finished", 0); |
wolfSSL | 15:117db924cf7c | 6431 | WOLFSSL_END(WC_FUNC_FINISHED_DO); |
wolfSSL | 15:117db924cf7c | 6432 | |
wolfSSL | 15:117db924cf7c | 6433 | return 0; |
wolfSSL | 15:117db924cf7c | 6434 | } |
wolfSSL | 15:117db924cf7c | 6435 | #endif /* NO_CERTS */ |
wolfSSL | 15:117db924cf7c | 6436 | |
wolfSSL | 15:117db924cf7c | 6437 | /* Send the TLS v1.3 Finished message. |
wolfSSL | 15:117db924cf7c | 6438 | * |
wolfSSL | 15:117db924cf7c | 6439 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6440 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 6441 | */ |
wolfSSL | 15:117db924cf7c | 6442 | static int SendTls13Finished(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 6443 | { |
wolfSSL | 15:117db924cf7c | 6444 | int sendSz; |
wolfSSL | 15:117db924cf7c | 6445 | int finishedSz = ssl->specs.hash_size; |
wolfSSL | 15:117db924cf7c | 6446 | byte* input; |
wolfSSL | 15:117db924cf7c | 6447 | byte* output; |
wolfSSL | 15:117db924cf7c | 6448 | int ret; |
wolfSSL | 15:117db924cf7c | 6449 | int headerSz = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6450 | int outputSz; |
wolfSSL | 15:117db924cf7c | 6451 | byte* secret; |
wolfSSL | 15:117db924cf7c | 6452 | |
wolfSSL | 15:117db924cf7c | 6453 | WOLFSSL_START(WC_FUNC_FINISHED_SEND); |
wolfSSL | 15:117db924cf7c | 6454 | WOLFSSL_ENTER("SendTls13Finished"); |
wolfSSL | 15:117db924cf7c | 6455 | |
wolfSSL | 15:117db924cf7c | 6456 | outputSz = WC_MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 6457 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 6458 | if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) |
wolfSSL | 15:117db924cf7c | 6459 | return ret; |
wolfSSL | 15:117db924cf7c | 6460 | |
wolfSSL | 15:117db924cf7c | 6461 | /* get output buffer */ |
wolfSSL | 15:117db924cf7c | 6462 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 6463 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 6464 | input = output + RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6465 | |
wolfSSL | 15:117db924cf7c | 6466 | AddTls13HandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl); |
wolfSSL | 15:117db924cf7c | 6467 | |
wolfSSL | 15:117db924cf7c | 6468 | /* make finished hashes */ |
wolfSSL | 15:117db924cf7c | 6469 | if (ssl->options.handShakeDone) { |
wolfSSL | 16:8e0d178b1d1e | 6470 | ret = DeriveFinishedSecret(ssl, ssl->clientSecret, |
wolfSSL | 15:117db924cf7c | 6471 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 6472 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6473 | return ret; |
wolfSSL | 15:117db924cf7c | 6474 | |
wolfSSL | 15:117db924cf7c | 6475 | secret = ssl->keys.client_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 6476 | } |
wolfSSL | 15:117db924cf7c | 6477 | else if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 6478 | secret = ssl->keys.client_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 6479 | else { |
wolfSSL | 15:117db924cf7c | 6480 | /* All the handshake messages have been done to calculate client and |
wolfSSL | 15:117db924cf7c | 6481 | * server finished keys. |
wolfSSL | 15:117db924cf7c | 6482 | */ |
wolfSSL | 16:8e0d178b1d1e | 6483 | ret = DeriveFinishedSecret(ssl, ssl->clientSecret, |
wolfSSL | 15:117db924cf7c | 6484 | ssl->keys.client_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 6485 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6486 | return ret; |
wolfSSL | 15:117db924cf7c | 6487 | |
wolfSSL | 16:8e0d178b1d1e | 6488 | ret = DeriveFinishedSecret(ssl, ssl->serverSecret, |
wolfSSL | 15:117db924cf7c | 6489 | ssl->keys.server_write_MAC_secret); |
wolfSSL | 15:117db924cf7c | 6490 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6491 | return ret; |
wolfSSL | 15:117db924cf7c | 6492 | |
wolfSSL | 15:117db924cf7c | 6493 | secret = ssl->keys.server_write_MAC_secret; |
wolfSSL | 15:117db924cf7c | 6494 | } |
wolfSSL | 15:117db924cf7c | 6495 | ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL); |
wolfSSL | 15:117db924cf7c | 6496 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6497 | return ret; |
wolfSSL | 15:117db924cf7c | 6498 | |
wolfSSL | 15:117db924cf7c | 6499 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6500 | sendSz = BuildTls13Message(ssl, output, outputSz, input, |
wolfSSL | 15:117db924cf7c | 6501 | headerSz + finishedSz, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 6502 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 6503 | return BUILD_MSG_ERROR; |
wolfSSL | 15:117db924cf7c | 6504 | |
wolfSSL | 15:117db924cf7c | 6505 | #ifndef NO_SESSION_CACHE |
wolfSSL | 16:8e0d178b1d1e | 6506 | if (!ssl->options.resuming && (ssl->options.side == WOLFSSL_SERVER_END || |
wolfSSL | 16:8e0d178b1d1e | 6507 | (ssl->options.side == WOLFSSL_SERVER_END && ssl->arrays != NULL))) { |
wolfSSL | 15:117db924cf7c | 6508 | AddSession(ssl); /* just try */ |
wolfSSL | 16:8e0d178b1d1e | 6509 | } |
wolfSSL | 16:8e0d178b1d1e | 6510 | #endif |
wolfSSL | 15:117db924cf7c | 6511 | |
wolfSSL | 15:117db924cf7c | 6512 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 6513 | if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); |
wolfSSL | 15:117db924cf7c | 6514 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 6515 | AddPacketInfo(ssl, "Finished", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 6516 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 6517 | } |
wolfSSL | 15:117db924cf7c | 6518 | #endif |
wolfSSL | 15:117db924cf7c | 6519 | |
wolfSSL | 15:117db924cf7c | 6520 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 6521 | |
wolfSSL | 15:117db924cf7c | 6522 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6523 | /* Can send application data now. */ |
wolfSSL | 15:117db924cf7c | 6524 | if ((ret = DeriveMasterSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 6525 | return ret; |
wolfSSL | 15:117db924cf7c | 6526 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6527 | if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1)) |
wolfSSL | 15:117db924cf7c | 6528 | != 0) { |
wolfSSL | 15:117db924cf7c | 6529 | return ret; |
wolfSSL | 15:117db924cf7c | 6530 | } |
wolfSSL | 15:117db924cf7c | 6531 | if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY, |
wolfSSL | 15:117db924cf7c | 6532 | ssl->earlyData == no_early_data)) != 0) { |
wolfSSL | 15:117db924cf7c | 6533 | return ret; |
wolfSSL | 15:117db924cf7c | 6534 | } |
wolfSSL | 15:117db924cf7c | 6535 | #else |
wolfSSL | 15:117db924cf7c | 6536 | if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE, |
wolfSSL | 15:117db924cf7c | 6537 | 1)) != 0) { |
wolfSSL | 15:117db924cf7c | 6538 | return ret; |
wolfSSL | 15:117db924cf7c | 6539 | } |
wolfSSL | 15:117db924cf7c | 6540 | #endif |
wolfSSL | 15:117db924cf7c | 6541 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 6542 | return ret; |
wolfSSL | 15:117db924cf7c | 6543 | } |
wolfSSL | 15:117db924cf7c | 6544 | |
wolfSSL | 15:117db924cf7c | 6545 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
wolfSSL | 15:117db924cf7c | 6546 | !ssl->options.handShakeDone) { |
wolfSSL | 15:117db924cf7c | 6547 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6548 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 6549 | if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_AND_DECRYPT_SIDE, |
wolfSSL | 15:117db924cf7c | 6550 | 1)) != 0) { |
wolfSSL | 15:117db924cf7c | 6551 | return ret; |
wolfSSL | 15:117db924cf7c | 6552 | } |
wolfSSL | 15:117db924cf7c | 6553 | } |
wolfSSL | 15:117db924cf7c | 6554 | #endif |
wolfSSL | 15:117db924cf7c | 6555 | /* Setup keys for application data messages. */ |
wolfSSL | 15:117db924cf7c | 6556 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0) |
wolfSSL | 15:117db924cf7c | 6557 | return ret; |
wolfSSL | 15:117db924cf7c | 6558 | |
wolfSSL | 15:117db924cf7c | 6559 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 6560 | ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret); |
wolfSSL | 15:117db924cf7c | 6561 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6562 | return ret; |
wolfSSL | 15:117db924cf7c | 6563 | #endif |
wolfSSL | 15:117db924cf7c | 6564 | } |
wolfSSL | 15:117db924cf7c | 6565 | |
wolfSSL | 15:117db924cf7c | 6566 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6567 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 6568 | ssl->options.clientState = CLIENT_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 6569 | ssl->options.handShakeState = HANDSHAKE_DONE; |
wolfSSL | 15:117db924cf7c | 6570 | ssl->options.handShakeDone = 1; |
wolfSSL | 15:117db924cf7c | 6571 | } |
wolfSSL | 15:117db924cf7c | 6572 | #endif |
wolfSSL | 15:117db924cf7c | 6573 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6574 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 6575 | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 6576 | } |
wolfSSL | 15:117db924cf7c | 6577 | #endif |
wolfSSL | 15:117db924cf7c | 6578 | |
wolfSSL | 15:117db924cf7c | 6579 | if ((ret = SendBuffered(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 6580 | return ret; |
wolfSSL | 15:117db924cf7c | 6581 | |
wolfSSL | 15:117db924cf7c | 6582 | WOLFSSL_LEAVE("SendTls13Finished", ret); |
wolfSSL | 15:117db924cf7c | 6583 | WOLFSSL_END(WC_FUNC_FINISHED_SEND); |
wolfSSL | 15:117db924cf7c | 6584 | |
wolfSSL | 15:117db924cf7c | 6585 | return ret; |
wolfSSL | 15:117db924cf7c | 6586 | } |
wolfSSL | 15:117db924cf7c | 6587 | |
wolfSSL | 15:117db924cf7c | 6588 | /* handle generation TLS v1.3 key_update (24) */ |
wolfSSL | 15:117db924cf7c | 6589 | /* Send the TLS v1.3 KeyUpdate message. |
wolfSSL | 15:117db924cf7c | 6590 | * |
wolfSSL | 15:117db924cf7c | 6591 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6592 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 6593 | */ |
wolfSSL | 15:117db924cf7c | 6594 | static int SendTls13KeyUpdate(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 6595 | { |
wolfSSL | 15:117db924cf7c | 6596 | int sendSz; |
wolfSSL | 15:117db924cf7c | 6597 | byte* input; |
wolfSSL | 15:117db924cf7c | 6598 | byte* output; |
wolfSSL | 15:117db924cf7c | 6599 | int ret; |
wolfSSL | 15:117db924cf7c | 6600 | int headerSz = HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6601 | int outputSz; |
wolfSSL | 15:117db924cf7c | 6602 | word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6603 | |
wolfSSL | 15:117db924cf7c | 6604 | WOLFSSL_START(WC_FUNC_KEY_UPDATE_SEND); |
wolfSSL | 15:117db924cf7c | 6605 | WOLFSSL_ENTER("SendTls13KeyUpdate"); |
wolfSSL | 15:117db924cf7c | 6606 | |
wolfSSL | 15:117db924cf7c | 6607 | outputSz = OPAQUE8_LEN + MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 6608 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 6609 | if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) |
wolfSSL | 15:117db924cf7c | 6610 | return ret; |
wolfSSL | 15:117db924cf7c | 6611 | |
wolfSSL | 15:117db924cf7c | 6612 | /* get output buffer */ |
wolfSSL | 15:117db924cf7c | 6613 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 6614 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 6615 | input = output + RECORD_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6616 | |
wolfSSL | 15:117db924cf7c | 6617 | AddTls13Headers(output, OPAQUE8_LEN, key_update, ssl); |
wolfSSL | 15:117db924cf7c | 6618 | |
wolfSSL | 15:117db924cf7c | 6619 | /* If: |
wolfSSL | 15:117db924cf7c | 6620 | * 1. I haven't sent a KeyUpdate requesting a response and |
wolfSSL | 15:117db924cf7c | 6621 | * 2. This isn't responding to peer KeyUpdate requiring a response then, |
wolfSSL | 15:117db924cf7c | 6622 | * I want a response. |
wolfSSL | 15:117db924cf7c | 6623 | */ |
wolfSSL | 15:117db924cf7c | 6624 | ssl->keys.updateResponseReq = output[i++] = |
wolfSSL | 15:117db924cf7c | 6625 | !ssl->keys.updateResponseReq && !ssl->keys.keyUpdateRespond; |
wolfSSL | 15:117db924cf7c | 6626 | /* Sent response, no longer need to respond. */ |
wolfSSL | 15:117db924cf7c | 6627 | ssl->keys.keyUpdateRespond = 0; |
wolfSSL | 15:117db924cf7c | 6628 | |
wolfSSL | 15:117db924cf7c | 6629 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6630 | sendSz = BuildTls13Message(ssl, output, outputSz, input, |
wolfSSL | 15:117db924cf7c | 6631 | headerSz + OPAQUE8_LEN, handshake, 0, 0, 0); |
wolfSSL | 15:117db924cf7c | 6632 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 6633 | return BUILD_MSG_ERROR; |
wolfSSL | 15:117db924cf7c | 6634 | |
wolfSSL | 15:117db924cf7c | 6635 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 6636 | if (ssl->hsInfoOn) AddPacketName(ssl, "KeyUpdate"); |
wolfSSL | 15:117db924cf7c | 6637 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 6638 | AddPacketInfo(ssl, "KeyUpdate", handshake, output, sendSz, |
wolfSSL | 15:117db924cf7c | 6639 | WRITE_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 6640 | } |
wolfSSL | 15:117db924cf7c | 6641 | #endif |
wolfSSL | 15:117db924cf7c | 6642 | |
wolfSSL | 15:117db924cf7c | 6643 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 6644 | |
wolfSSL | 15:117db924cf7c | 6645 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 6646 | if (ret != 0 && ret != WANT_WRITE) |
wolfSSL | 15:117db924cf7c | 6647 | return ret; |
wolfSSL | 15:117db924cf7c | 6648 | |
wolfSSL | 15:117db924cf7c | 6649 | /* Future traffic uses new encryption keys. */ |
wolfSSL | 15:117db924cf7c | 6650 | if ((ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1)) |
wolfSSL | 15:117db924cf7c | 6651 | != 0) |
wolfSSL | 15:117db924cf7c | 6652 | return ret; |
wolfSSL | 15:117db924cf7c | 6653 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 6654 | return ret; |
wolfSSL | 15:117db924cf7c | 6655 | |
wolfSSL | 15:117db924cf7c | 6656 | WOLFSSL_LEAVE("SendTls13KeyUpdate", ret); |
wolfSSL | 15:117db924cf7c | 6657 | WOLFSSL_END(WC_FUNC_KEY_UPDATE_SEND); |
wolfSSL | 15:117db924cf7c | 6658 | |
wolfSSL | 15:117db924cf7c | 6659 | return ret; |
wolfSSL | 15:117db924cf7c | 6660 | } |
wolfSSL | 15:117db924cf7c | 6661 | |
wolfSSL | 15:117db924cf7c | 6662 | /* handle processing TLS v1.3 key_update (24) */ |
wolfSSL | 15:117db924cf7c | 6663 | /* Parse and handle a TLS v1.3 KeyUpdate message. |
wolfSSL | 15:117db924cf7c | 6664 | * |
wolfSSL | 15:117db924cf7c | 6665 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6666 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 6667 | * inOutIdx On entry, the index into the message buffer of Finished. |
wolfSSL | 15:117db924cf7c | 6668 | * On exit, the index of byte after the Finished message and padding. |
wolfSSL | 15:117db924cf7c | 6669 | * totalSz The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 6670 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 6671 | */ |
wolfSSL | 15:117db924cf7c | 6672 | static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 6673 | word32 totalSz) |
wolfSSL | 15:117db924cf7c | 6674 | { |
wolfSSL | 15:117db924cf7c | 6675 | int ret; |
wolfSSL | 15:117db924cf7c | 6676 | word32 i = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6677 | |
wolfSSL | 15:117db924cf7c | 6678 | WOLFSSL_START(WC_FUNC_KEY_UPDATE_DO); |
wolfSSL | 15:117db924cf7c | 6679 | WOLFSSL_ENTER("DoTls13KeyUpdate"); |
wolfSSL | 15:117db924cf7c | 6680 | |
wolfSSL | 15:117db924cf7c | 6681 | /* check against totalSz */ |
wolfSSL | 15:117db924cf7c | 6682 | if (OPAQUE8_LEN != totalSz) |
wolfSSL | 15:117db924cf7c | 6683 | return BUFFER_E; |
wolfSSL | 15:117db924cf7c | 6684 | |
wolfSSL | 15:117db924cf7c | 6685 | switch (input[i]) { |
wolfSSL | 15:117db924cf7c | 6686 | case update_not_requested: |
wolfSSL | 16:8e0d178b1d1e | 6687 | /* This message in response to any outstanding request. */ |
wolfSSL | 15:117db924cf7c | 6688 | ssl->keys.keyUpdateRespond = 0; |
wolfSSL | 15:117db924cf7c | 6689 | ssl->keys.updateResponseReq = 0; |
wolfSSL | 15:117db924cf7c | 6690 | break; |
wolfSSL | 15:117db924cf7c | 6691 | case update_requested: |
wolfSSL | 15:117db924cf7c | 6692 | /* New key update requiring a response. */ |
wolfSSL | 15:117db924cf7c | 6693 | ssl->keys.keyUpdateRespond = 1; |
wolfSSL | 15:117db924cf7c | 6694 | break; |
wolfSSL | 15:117db924cf7c | 6695 | default: |
wolfSSL | 15:117db924cf7c | 6696 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 6697 | } |
wolfSSL | 15:117db924cf7c | 6698 | |
wolfSSL | 15:117db924cf7c | 6699 | /* Move index to byte after message. */ |
wolfSSL | 15:117db924cf7c | 6700 | *inOutIdx += totalSz; |
wolfSSL | 15:117db924cf7c | 6701 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6702 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6703 | |
wolfSSL | 15:117db924cf7c | 6704 | /* Future traffic uses new decryption keys. */ |
wolfSSL | 15:117db924cf7c | 6705 | if ((ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1)) |
wolfSSL | 15:117db924cf7c | 6706 | != 0) { |
wolfSSL | 15:117db924cf7c | 6707 | return ret; |
wolfSSL | 15:117db924cf7c | 6708 | } |
wolfSSL | 15:117db924cf7c | 6709 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 6710 | return ret; |
wolfSSL | 15:117db924cf7c | 6711 | |
wolfSSL | 15:117db924cf7c | 6712 | if (ssl->keys.keyUpdateRespond) |
wolfSSL | 15:117db924cf7c | 6713 | return SendTls13KeyUpdate(ssl); |
wolfSSL | 15:117db924cf7c | 6714 | |
wolfSSL | 15:117db924cf7c | 6715 | WOLFSSL_LEAVE("DoTls13KeyUpdate", ret); |
wolfSSL | 15:117db924cf7c | 6716 | WOLFSSL_END(WC_FUNC_KEY_UPDATE_DO); |
wolfSSL | 15:117db924cf7c | 6717 | |
wolfSSL | 15:117db924cf7c | 6718 | return 0; |
wolfSSL | 15:117db924cf7c | 6719 | } |
wolfSSL | 15:117db924cf7c | 6720 | |
wolfSSL | 15:117db924cf7c | 6721 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6722 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6723 | /* Send the TLS v1.3 EndOfEarlyData message to indicate that there will be no |
wolfSSL | 15:117db924cf7c | 6724 | * more early application data. |
wolfSSL | 15:117db924cf7c | 6725 | * The encryption key now changes to the pre-calculated handshake key. |
wolfSSL | 15:117db924cf7c | 6726 | * |
wolfSSL | 15:117db924cf7c | 6727 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6728 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 6729 | */ |
wolfSSL | 15:117db924cf7c | 6730 | static int SendTls13EndOfEarlyData(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 6731 | { |
wolfSSL | 15:117db924cf7c | 6732 | byte* output; |
wolfSSL | 15:117db924cf7c | 6733 | int ret; |
wolfSSL | 15:117db924cf7c | 6734 | int sendSz; |
wolfSSL | 15:117db924cf7c | 6735 | word32 length; |
wolfSSL | 15:117db924cf7c | 6736 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 6737 | |
wolfSSL | 15:117db924cf7c | 6738 | WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_SEND); |
wolfSSL | 15:117db924cf7c | 6739 | WOLFSSL_ENTER("SendTls13EndOfEarlyData"); |
wolfSSL | 15:117db924cf7c | 6740 | |
wolfSSL | 15:117db924cf7c | 6741 | length = 0; |
wolfSSL | 15:117db924cf7c | 6742 | sendSz = idx + length + MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 6743 | |
wolfSSL | 15:117db924cf7c | 6744 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 6745 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 6746 | return ret; |
wolfSSL | 15:117db924cf7c | 6747 | |
wolfSSL | 15:117db924cf7c | 6748 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 6749 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 6750 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 6751 | |
wolfSSL | 15:117db924cf7c | 6752 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 6753 | AddTls13Headers(output, length, end_of_early_data, ssl); |
wolfSSL | 15:117db924cf7c | 6754 | |
wolfSSL | 15:117db924cf7c | 6755 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6756 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 6757 | idx - RECORD_HEADER_SZ, handshake, 1, 0, 0); |
wolfSSL | 15:117db924cf7c | 6758 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 6759 | return sendSz; |
wolfSSL | 15:117db924cf7c | 6760 | |
wolfSSL | 15:117db924cf7c | 6761 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 6762 | |
wolfSSL | 15:117db924cf7c | 6763 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 6764 | return ret; |
wolfSSL | 15:117db924cf7c | 6765 | |
wolfSSL | 15:117db924cf7c | 6766 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 6767 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 6768 | |
wolfSSL | 15:117db924cf7c | 6769 | WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret); |
wolfSSL | 15:117db924cf7c | 6770 | WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_SEND); |
wolfSSL | 15:117db924cf7c | 6771 | |
wolfSSL | 15:117db924cf7c | 6772 | return ret; |
wolfSSL | 15:117db924cf7c | 6773 | } |
wolfSSL | 15:117db924cf7c | 6774 | #endif /* !NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 6775 | |
wolfSSL | 15:117db924cf7c | 6776 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6777 | /* handle processing of TLS 1.3 end_of_early_data (5) */ |
wolfSSL | 15:117db924cf7c | 6778 | /* Parse the TLS v1.3 EndOfEarlyData message that indicates that there will be |
wolfSSL | 15:117db924cf7c | 6779 | * no more early application data. |
wolfSSL | 15:117db924cf7c | 6780 | * The decryption key now changes to the pre-calculated handshake key. |
wolfSSL | 15:117db924cf7c | 6781 | * |
wolfSSL | 15:117db924cf7c | 6782 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6783 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 6784 | */ |
wolfSSL | 15:117db924cf7c | 6785 | static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 6786 | word32* inOutIdx, word32 size) |
wolfSSL | 15:117db924cf7c | 6787 | { |
wolfSSL | 15:117db924cf7c | 6788 | int ret; |
wolfSSL | 15:117db924cf7c | 6789 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6790 | |
wolfSSL | 15:117db924cf7c | 6791 | (void)input; |
wolfSSL | 15:117db924cf7c | 6792 | |
wolfSSL | 15:117db924cf7c | 6793 | WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_DO); |
wolfSSL | 15:117db924cf7c | 6794 | WOLFSSL_ENTER("DoTls13EndOfEarlyData"); |
wolfSSL | 15:117db924cf7c | 6795 | |
wolfSSL | 15:117db924cf7c | 6796 | if ((*inOutIdx - begin) != size) |
wolfSSL | 15:117db924cf7c | 6797 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6798 | |
wolfSSL | 15:117db924cf7c | 6799 | if (ssl->earlyData == no_early_data) { |
wolfSSL | 16:8e0d178b1d1e | 6800 | WOLFSSL_MSG("EndOfEarlyData received unexpectedly"); |
wolfSSL | 15:117db924cf7c | 6801 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 6802 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 6803 | } |
wolfSSL | 15:117db924cf7c | 6804 | |
wolfSSL | 15:117db924cf7c | 6805 | ssl->earlyData = done_early_data; |
wolfSSL | 15:117db924cf7c | 6806 | |
wolfSSL | 15:117db924cf7c | 6807 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6808 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6809 | |
wolfSSL | 15:117db924cf7c | 6810 | ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY); |
wolfSSL | 15:117db924cf7c | 6811 | |
wolfSSL | 15:117db924cf7c | 6812 | WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret); |
wolfSSL | 15:117db924cf7c | 6813 | WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_DO); |
wolfSSL | 15:117db924cf7c | 6814 | |
wolfSSL | 15:117db924cf7c | 6815 | return ret; |
wolfSSL | 15:117db924cf7c | 6816 | } |
wolfSSL | 15:117db924cf7c | 6817 | #endif /* !NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 6818 | #endif /* WOLFSSL_EARLY_DATA */ |
wolfSSL | 15:117db924cf7c | 6819 | |
wolfSSL | 15:117db924cf7c | 6820 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 6821 | /* Handle a New Session Ticket handshake message. |
wolfSSL | 15:117db924cf7c | 6822 | * Message contains the information required to perform resumption. |
wolfSSL | 15:117db924cf7c | 6823 | * |
wolfSSL | 15:117db924cf7c | 6824 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 6825 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 6826 | * inOutIdx On entry, the index into the message buffer of Finished. |
wolfSSL | 15:117db924cf7c | 6827 | * On exit, the index of byte after the Finished message and padding. |
wolfSSL | 15:117db924cf7c | 6828 | * size The length of the current handshake message. |
wolfSSL | 16:8e0d178b1d1e | 6829 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 6830 | */ |
wolfSSL | 15:117db924cf7c | 6831 | static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input, |
wolfSSL | 15:117db924cf7c | 6832 | word32* inOutIdx, word32 size) |
wolfSSL | 15:117db924cf7c | 6833 | { |
wolfSSL | 15:117db924cf7c | 6834 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 6835 | int ret; |
wolfSSL | 15:117db924cf7c | 6836 | word32 begin = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6837 | word32 lifetime; |
wolfSSL | 15:117db924cf7c | 6838 | word32 ageAdd; |
wolfSSL | 15:117db924cf7c | 6839 | word16 length; |
wolfSSL | 15:117db924cf7c | 6840 | word32 now; |
wolfSSL | 15:117db924cf7c | 6841 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6842 | const byte* nonce; |
wolfSSL | 15:117db924cf7c | 6843 | byte nonceLength; |
wolfSSL | 15:117db924cf7c | 6844 | #endif |
wolfSSL | 15:117db924cf7c | 6845 | |
wolfSSL | 15:117db924cf7c | 6846 | WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO); |
wolfSSL | 15:117db924cf7c | 6847 | WOLFSSL_ENTER("DoTls13NewSessionTicket"); |
wolfSSL | 15:117db924cf7c | 6848 | |
wolfSSL | 15:117db924cf7c | 6849 | /* Lifetime hint. */ |
wolfSSL | 15:117db924cf7c | 6850 | if ((*inOutIdx - begin) + SESSION_HINT_SZ > size) |
wolfSSL | 15:117db924cf7c | 6851 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6852 | ato32(input + *inOutIdx, &lifetime); |
wolfSSL | 15:117db924cf7c | 6853 | *inOutIdx += SESSION_HINT_SZ; |
wolfSSL | 15:117db924cf7c | 6854 | if (lifetime > MAX_LIFETIME) |
wolfSSL | 15:117db924cf7c | 6855 | return SERVER_HINT_ERROR; |
wolfSSL | 15:117db924cf7c | 6856 | |
wolfSSL | 15:117db924cf7c | 6857 | /* Age add. */ |
wolfSSL | 15:117db924cf7c | 6858 | if ((*inOutIdx - begin) + SESSION_ADD_SZ > size) |
wolfSSL | 15:117db924cf7c | 6859 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6860 | ato32(input + *inOutIdx, &ageAdd); |
wolfSSL | 15:117db924cf7c | 6861 | *inOutIdx += SESSION_ADD_SZ; |
wolfSSL | 15:117db924cf7c | 6862 | |
wolfSSL | 15:117db924cf7c | 6863 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6864 | /* Ticket nonce. */ |
wolfSSL | 15:117db924cf7c | 6865 | if ((*inOutIdx - begin) + 1 > size) |
wolfSSL | 15:117db924cf7c | 6866 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6867 | nonceLength = input[*inOutIdx]; |
wolfSSL | 15:117db924cf7c | 6868 | if (nonceLength > MAX_TICKET_NONCE_SZ) { |
wolfSSL | 15:117db924cf7c | 6869 | WOLFSSL_MSG("Nonce length not supported"); |
wolfSSL | 15:117db924cf7c | 6870 | return INVALID_PARAMETER; |
wolfSSL | 15:117db924cf7c | 6871 | } |
wolfSSL | 15:117db924cf7c | 6872 | *inOutIdx += 1; |
wolfSSL | 15:117db924cf7c | 6873 | if ((*inOutIdx - begin) + nonceLength > size) |
wolfSSL | 15:117db924cf7c | 6874 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6875 | nonce = input + *inOutIdx; |
wolfSSL | 15:117db924cf7c | 6876 | *inOutIdx += nonceLength; |
wolfSSL | 15:117db924cf7c | 6877 | #endif |
wolfSSL | 15:117db924cf7c | 6878 | |
wolfSSL | 15:117db924cf7c | 6879 | /* Ticket length. */ |
wolfSSL | 15:117db924cf7c | 6880 | if ((*inOutIdx - begin) + LENGTH_SZ > size) |
wolfSSL | 15:117db924cf7c | 6881 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6882 | ato16(input + *inOutIdx, &length); |
wolfSSL | 15:117db924cf7c | 6883 | *inOutIdx += LENGTH_SZ; |
wolfSSL | 15:117db924cf7c | 6884 | if ((*inOutIdx - begin) + length > size) |
wolfSSL | 15:117db924cf7c | 6885 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6886 | |
wolfSSL | 15:117db924cf7c | 6887 | if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0) |
wolfSSL | 15:117db924cf7c | 6888 | return ret; |
wolfSSL | 15:117db924cf7c | 6889 | *inOutIdx += length; |
wolfSSL | 15:117db924cf7c | 6890 | |
wolfSSL | 15:117db924cf7c | 6891 | now = TimeNowInMilliseconds(); |
wolfSSL | 15:117db924cf7c | 6892 | if (now == (word32)GETTIME_ERROR) |
wolfSSL | 15:117db924cf7c | 6893 | return now; |
wolfSSL | 15:117db924cf7c | 6894 | /* Copy in ticket data (server identity). */ |
wolfSSL | 15:117db924cf7c | 6895 | ssl->timeout = lifetime; |
wolfSSL | 15:117db924cf7c | 6896 | ssl->session.timeout = lifetime; |
wolfSSL | 15:117db924cf7c | 6897 | ssl->session.cipherSuite0 = ssl->options.cipherSuite0; |
wolfSSL | 15:117db924cf7c | 6898 | ssl->session.cipherSuite = ssl->options.cipherSuite; |
wolfSSL | 15:117db924cf7c | 6899 | ssl->session.ticketSeen = now; |
wolfSSL | 15:117db924cf7c | 6900 | ssl->session.ticketAdd = ageAdd; |
wolfSSL | 15:117db924cf7c | 6901 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6902 | ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz; |
wolfSSL | 15:117db924cf7c | 6903 | #endif |
wolfSSL | 15:117db924cf7c | 6904 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 6905 | ssl->session.ticketNonce.len = nonceLength; |
wolfSSL | 15:117db924cf7c | 6906 | if (nonceLength > 0) |
wolfSSL | 15:117db924cf7c | 6907 | XMEMCPY(&ssl->session.ticketNonce.data, nonce, nonceLength); |
wolfSSL | 15:117db924cf7c | 6908 | #endif |
wolfSSL | 15:117db924cf7c | 6909 | ssl->session.namedGroup = ssl->namedGroup; |
wolfSSL | 15:117db924cf7c | 6910 | |
wolfSSL | 15:117db924cf7c | 6911 | if ((*inOutIdx - begin) + EXTS_SZ > size) |
wolfSSL | 15:117db924cf7c | 6912 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6913 | ato16(input + *inOutIdx, &length); |
wolfSSL | 15:117db924cf7c | 6914 | *inOutIdx += EXTS_SZ; |
wolfSSL | 15:117db924cf7c | 6915 | if ((*inOutIdx - begin) + length != size) |
wolfSSL | 15:117db924cf7c | 6916 | return BUFFER_ERROR; |
wolfSSL | 15:117db924cf7c | 6917 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 6918 | ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), length, session_ticket, |
wolfSSL | 15:117db924cf7c | 6919 | NULL); |
wolfSSL | 15:117db924cf7c | 6920 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6921 | return ret; |
wolfSSL | 15:117db924cf7c | 6922 | #endif |
wolfSSL | 15:117db924cf7c | 6923 | *inOutIdx += length; |
wolfSSL | 15:117db924cf7c | 6924 | |
wolfSSL | 15:117db924cf7c | 6925 | #ifndef NO_SESSION_CACHE |
wolfSSL | 15:117db924cf7c | 6926 | AddSession(ssl); |
wolfSSL | 15:117db924cf7c | 6927 | #endif |
wolfSSL | 15:117db924cf7c | 6928 | |
wolfSSL | 15:117db924cf7c | 6929 | /* Always encrypted. */ |
wolfSSL | 15:117db924cf7c | 6930 | *inOutIdx += ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6931 | |
wolfSSL | 15:117db924cf7c | 6932 | ssl->expect_session_ticket = 0; |
wolfSSL | 15:117db924cf7c | 6933 | #else |
wolfSSL | 15:117db924cf7c | 6934 | (void)ssl; |
wolfSSL | 15:117db924cf7c | 6935 | (void)input; |
wolfSSL | 15:117db924cf7c | 6936 | |
wolfSSL | 15:117db924cf7c | 6937 | WOLFSSL_ENTER("DoTls13NewSessionTicket"); |
wolfSSL | 15:117db924cf7c | 6938 | |
wolfSSL | 15:117db924cf7c | 6939 | *inOutIdx += size + ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 6940 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 6941 | |
wolfSSL | 15:117db924cf7c | 6942 | WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0); |
wolfSSL | 15:117db924cf7c | 6943 | WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_DO); |
wolfSSL | 15:117db924cf7c | 6944 | |
wolfSSL | 15:117db924cf7c | 6945 | return 0; |
wolfSSL | 15:117db924cf7c | 6946 | } |
wolfSSL | 15:117db924cf7c | 6947 | #endif /* NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 6948 | |
wolfSSL | 15:117db924cf7c | 6949 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 6950 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 6951 | |
wolfSSL | 15:117db924cf7c | 6952 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 15:117db924cf7c | 6953 | /* Offset of the MAC size in the finished message. */ |
wolfSSL | 15:117db924cf7c | 6954 | #define FINISHED_MSG_SIZE_OFFSET 3 |
wolfSSL | 15:117db924cf7c | 6955 | |
wolfSSL | 15:117db924cf7c | 6956 | /* Calculate the resumption secret which includes the unseen client finished |
wolfSSL | 15:117db924cf7c | 6957 | * message. |
wolfSSL | 15:117db924cf7c | 6958 | * |
wolfSSL | 15:117db924cf7c | 6959 | * ssl The SSL/TLS object. |
wolfSSL | 16:8e0d178b1d1e | 6960 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 6961 | */ |
wolfSSL | 15:117db924cf7c | 6962 | static int ExpectedResumptionSecret(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 6963 | { |
wolfSSL | 15:117db924cf7c | 6964 | int ret; |
wolfSSL | 15:117db924cf7c | 6965 | word32 finishedSz = 0; |
wolfSSL | 15:117db924cf7c | 6966 | byte mac[WC_MAX_DIGEST_SIZE]; |
wolfSSL | 15:117db924cf7c | 6967 | Digest digest; |
wolfSSL | 15:117db924cf7c | 6968 | static byte header[] = { 0x14, 0x00, 0x00, 0x00 }; |
wolfSSL | 15:117db924cf7c | 6969 | |
wolfSSL | 16:8e0d178b1d1e | 6970 | /* Copy the running hash so we can restore it after. */ |
wolfSSL | 15:117db924cf7c | 6971 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 6972 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 6973 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 6974 | ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256); |
wolfSSL | 15:117db924cf7c | 6975 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6976 | return ret; |
wolfSSL | 15:117db924cf7c | 6977 | break; |
wolfSSL | 15:117db924cf7c | 6978 | #endif |
wolfSSL | 15:117db924cf7c | 6979 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 6980 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 6981 | ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384); |
wolfSSL | 15:117db924cf7c | 6982 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6983 | return ret; |
wolfSSL | 15:117db924cf7c | 6984 | break; |
wolfSSL | 15:117db924cf7c | 6985 | #endif |
wolfSSL | 15:117db924cf7c | 6986 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 6987 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 6988 | ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512); |
wolfSSL | 15:117db924cf7c | 6989 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6990 | return ret; |
wolfSSL | 15:117db924cf7c | 6991 | break; |
wolfSSL | 15:117db924cf7c | 6992 | #endif |
wolfSSL | 15:117db924cf7c | 6993 | } |
wolfSSL | 15:117db924cf7c | 6994 | |
wolfSSL | 15:117db924cf7c | 6995 | /* Generate the Client's Finished message and hash it. */ |
wolfSSL | 15:117db924cf7c | 6996 | ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac, |
wolfSSL | 15:117db924cf7c | 6997 | &finishedSz); |
wolfSSL | 15:117db924cf7c | 6998 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 6999 | return ret; |
wolfSSL | 15:117db924cf7c | 7000 | header[FINISHED_MSG_SIZE_OFFSET] = finishedSz; |
wolfSSL | 15:117db924cf7c | 7001 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7002 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 7003 | static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 }; |
wolfSSL | 15:117db924cf7c | 7004 | ret = HashInputRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData)); |
wolfSSL | 15:117db924cf7c | 7005 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7006 | return ret; |
wolfSSL | 15:117db924cf7c | 7007 | } |
wolfSSL | 15:117db924cf7c | 7008 | #endif |
wolfSSL | 15:117db924cf7c | 7009 | if ((ret = HashInputRaw(ssl, header, sizeof(header))) != 0) |
wolfSSL | 15:117db924cf7c | 7010 | return ret; |
wolfSSL | 15:117db924cf7c | 7011 | if ((ret = HashInputRaw(ssl, mac, finishedSz)) != 0) |
wolfSSL | 15:117db924cf7c | 7012 | return ret; |
wolfSSL | 15:117db924cf7c | 7013 | |
wolfSSL | 15:117db924cf7c | 7014 | if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0) |
wolfSSL | 15:117db924cf7c | 7015 | return ret; |
wolfSSL | 15:117db924cf7c | 7016 | |
wolfSSL | 15:117db924cf7c | 7017 | /* Restore the hash inline with currently seen messages. */ |
wolfSSL | 15:117db924cf7c | 7018 | switch (ssl->specs.mac_algorithm) { |
wolfSSL | 15:117db924cf7c | 7019 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 7020 | case sha256_mac: |
wolfSSL | 15:117db924cf7c | 7021 | ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256); |
wolfSSL | 15:117db924cf7c | 7022 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7023 | return ret; |
wolfSSL | 15:117db924cf7c | 7024 | break; |
wolfSSL | 15:117db924cf7c | 7025 | #endif |
wolfSSL | 15:117db924cf7c | 7026 | #ifdef WOLFSSL_SHA384 |
wolfSSL | 15:117db924cf7c | 7027 | case sha384_mac: |
wolfSSL | 15:117db924cf7c | 7028 | ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384); |
wolfSSL | 15:117db924cf7c | 7029 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7030 | return ret; |
wolfSSL | 15:117db924cf7c | 7031 | break; |
wolfSSL | 15:117db924cf7c | 7032 | #endif |
wolfSSL | 15:117db924cf7c | 7033 | #ifdef WOLFSSL_TLS13_SHA512 |
wolfSSL | 15:117db924cf7c | 7034 | case sha512_mac: |
wolfSSL | 15:117db924cf7c | 7035 | ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha384); |
wolfSSL | 15:117db924cf7c | 7036 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7037 | return ret; |
wolfSSL | 15:117db924cf7c | 7038 | break; |
wolfSSL | 15:117db924cf7c | 7039 | #endif |
wolfSSL | 15:117db924cf7c | 7040 | } |
wolfSSL | 15:117db924cf7c | 7041 | |
wolfSSL | 15:117db924cf7c | 7042 | return ret; |
wolfSSL | 15:117db924cf7c | 7043 | } |
wolfSSL | 15:117db924cf7c | 7044 | #endif |
wolfSSL | 15:117db924cf7c | 7045 | |
wolfSSL | 15:117db924cf7c | 7046 | /* Send New Session Ticket handshake message. |
wolfSSL | 15:117db924cf7c | 7047 | * Message contains the information required to perform resumption. |
wolfSSL | 15:117db924cf7c | 7048 | * |
wolfSSL | 15:117db924cf7c | 7049 | * ssl The SSL/TLS object. |
wolfSSL | 16:8e0d178b1d1e | 7050 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 7051 | */ |
wolfSSL | 15:117db924cf7c | 7052 | static int SendTls13NewSessionTicket(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7053 | { |
wolfSSL | 15:117db924cf7c | 7054 | byte* output; |
wolfSSL | 15:117db924cf7c | 7055 | int ret; |
wolfSSL | 15:117db924cf7c | 7056 | int sendSz; |
wolfSSL | 15:117db924cf7c | 7057 | word16 extSz; |
wolfSSL | 15:117db924cf7c | 7058 | word32 length; |
wolfSSL | 15:117db924cf7c | 7059 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 7060 | |
wolfSSL | 15:117db924cf7c | 7061 | WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_SEND); |
wolfSSL | 15:117db924cf7c | 7062 | WOLFSSL_ENTER("SendTls13NewSessionTicket"); |
wolfSSL | 15:117db924cf7c | 7063 | |
wolfSSL | 15:117db924cf7c | 7064 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 15:117db924cf7c | 7065 | if (!ssl->msgsReceived.got_finished) { |
wolfSSL | 15:117db924cf7c | 7066 | if ((ret = ExpectedResumptionSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 7067 | return ret; |
wolfSSL | 15:117db924cf7c | 7068 | } |
wolfSSL | 15:117db924cf7c | 7069 | #endif |
wolfSSL | 15:117db924cf7c | 7070 | |
wolfSSL | 15:117db924cf7c | 7071 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 7072 | /* Start ticket nonce at 0 and go up to 255. */ |
wolfSSL | 15:117db924cf7c | 7073 | if (ssl->session.ticketNonce.len == 0) { |
wolfSSL | 15:117db924cf7c | 7074 | ssl->session.ticketNonce.len = DEF_TICKET_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 7075 | ssl->session.ticketNonce.data[0] = 0; |
wolfSSL | 15:117db924cf7c | 7076 | } |
wolfSSL | 15:117db924cf7c | 7077 | else |
wolfSSL | 15:117db924cf7c | 7078 | ssl->session.ticketNonce.data[0]++; |
wolfSSL | 15:117db924cf7c | 7079 | #endif |
wolfSSL | 15:117db924cf7c | 7080 | |
wolfSSL | 15:117db924cf7c | 7081 | if (!ssl->options.noTicketTls13) { |
wolfSSL | 15:117db924cf7c | 7082 | if ((ret = CreateTicket(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 7083 | return ret; |
wolfSSL | 15:117db924cf7c | 7084 | } |
wolfSSL | 15:117db924cf7c | 7085 | |
wolfSSL | 15:117db924cf7c | 7086 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7087 | ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz; |
wolfSSL | 15:117db924cf7c | 7088 | if (ssl->session.maxEarlyDataSz > 0) |
wolfSSL | 15:117db924cf7c | 7089 | TLSX_EarlyData_Use(ssl, ssl->session.maxEarlyDataSz); |
wolfSSL | 15:117db924cf7c | 7090 | extSz = 0; |
wolfSSL | 15:117db924cf7c | 7091 | ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz); |
wolfSSL | 15:117db924cf7c | 7092 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7093 | return ret; |
wolfSSL | 15:117db924cf7c | 7094 | #else |
wolfSSL | 15:117db924cf7c | 7095 | extSz = EXTS_SZ; |
wolfSSL | 15:117db924cf7c | 7096 | #endif |
wolfSSL | 15:117db924cf7c | 7097 | |
wolfSSL | 15:117db924cf7c | 7098 | /* Lifetime | Age Add | Ticket | Extensions */ |
wolfSSL | 15:117db924cf7c | 7099 | length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ + |
wolfSSL | 15:117db924cf7c | 7100 | ssl->session.ticketLen + extSz; |
wolfSSL | 15:117db924cf7c | 7101 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 7102 | /* Nonce */ |
wolfSSL | 15:117db924cf7c | 7103 | length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ; |
wolfSSL | 15:117db924cf7c | 7104 | #endif |
wolfSSL | 15:117db924cf7c | 7105 | sendSz = idx + length + MAX_MSG_EXTRA; |
wolfSSL | 15:117db924cf7c | 7106 | |
wolfSSL | 15:117db924cf7c | 7107 | /* Check buffers are big enough and grow if needed. */ |
wolfSSL | 15:117db924cf7c | 7108 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
wolfSSL | 15:117db924cf7c | 7109 | return ret; |
wolfSSL | 15:117db924cf7c | 7110 | |
wolfSSL | 15:117db924cf7c | 7111 | /* Get position in output buffer to write new message to. */ |
wolfSSL | 15:117db924cf7c | 7112 | output = ssl->buffers.outputBuffer.buffer + |
wolfSSL | 15:117db924cf7c | 7113 | ssl->buffers.outputBuffer.length; |
wolfSSL | 15:117db924cf7c | 7114 | |
wolfSSL | 15:117db924cf7c | 7115 | /* Put the record and handshake headers on. */ |
wolfSSL | 15:117db924cf7c | 7116 | AddTls13Headers(output, length, session_ticket, ssl); |
wolfSSL | 15:117db924cf7c | 7117 | |
wolfSSL | 15:117db924cf7c | 7118 | /* Lifetime hint */ |
wolfSSL | 15:117db924cf7c | 7119 | c32toa(ssl->ctx->ticketHint, output + idx); |
wolfSSL | 15:117db924cf7c | 7120 | idx += SESSION_HINT_SZ; |
wolfSSL | 15:117db924cf7c | 7121 | /* Age add - obfuscator */ |
wolfSSL | 15:117db924cf7c | 7122 | c32toa(ssl->session.ticketAdd, output + idx); |
wolfSSL | 15:117db924cf7c | 7123 | idx += SESSION_ADD_SZ; |
wolfSSL | 15:117db924cf7c | 7124 | |
wolfSSL | 15:117db924cf7c | 7125 | #ifndef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 7126 | output[idx++] = ssl->session.ticketNonce.len; |
wolfSSL | 15:117db924cf7c | 7127 | output[idx++] = ssl->session.ticketNonce.data[0]; |
wolfSSL | 15:117db924cf7c | 7128 | #endif |
wolfSSL | 15:117db924cf7c | 7129 | |
wolfSSL | 15:117db924cf7c | 7130 | /* length */ |
wolfSSL | 15:117db924cf7c | 7131 | c16toa(ssl->session.ticketLen, output + idx); |
wolfSSL | 15:117db924cf7c | 7132 | idx += LENGTH_SZ; |
wolfSSL | 15:117db924cf7c | 7133 | /* ticket */ |
wolfSSL | 15:117db924cf7c | 7134 | XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen); |
wolfSSL | 15:117db924cf7c | 7135 | idx += ssl->session.ticketLen; |
wolfSSL | 15:117db924cf7c | 7136 | |
wolfSSL | 15:117db924cf7c | 7137 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7138 | extSz = 0; |
wolfSSL | 15:117db924cf7c | 7139 | ret = TLSX_WriteResponse(ssl, output + idx, session_ticket, &extSz); |
wolfSSL | 15:117db924cf7c | 7140 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7141 | return ret; |
wolfSSL | 15:117db924cf7c | 7142 | idx += extSz; |
wolfSSL | 15:117db924cf7c | 7143 | #else |
wolfSSL | 15:117db924cf7c | 7144 | /* No extension support - empty extensions. */ |
wolfSSL | 15:117db924cf7c | 7145 | c16toa(0, output + idx); |
wolfSSL | 15:117db924cf7c | 7146 | idx += EXTS_SZ; |
wolfSSL | 15:117db924cf7c | 7147 | #endif |
wolfSSL | 15:117db924cf7c | 7148 | |
wolfSSL | 15:117db924cf7c | 7149 | ssl->options.haveSessionId = 1; |
wolfSSL | 15:117db924cf7c | 7150 | |
wolfSSL | 15:117db924cf7c | 7151 | #ifndef NO_SESSION_CACHE |
wolfSSL | 15:117db924cf7c | 7152 | AddSession(ssl); |
wolfSSL | 15:117db924cf7c | 7153 | #endif |
wolfSSL | 15:117db924cf7c | 7154 | |
wolfSSL | 15:117db924cf7c | 7155 | /* This message is always encrypted. */ |
wolfSSL | 15:117db924cf7c | 7156 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 7157 | idx - RECORD_HEADER_SZ, handshake, 0, 0, 0); |
wolfSSL | 15:117db924cf7c | 7158 | if (sendSz < 0) |
wolfSSL | 15:117db924cf7c | 7159 | return sendSz; |
wolfSSL | 15:117db924cf7c | 7160 | |
wolfSSL | 15:117db924cf7c | 7161 | ssl->buffers.outputBuffer.length += sendSz; |
wolfSSL | 15:117db924cf7c | 7162 | |
wolfSSL | 15:117db924cf7c | 7163 | if (!ssl->options.groupMessages) |
wolfSSL | 15:117db924cf7c | 7164 | ret = SendBuffered(ssl); |
wolfSSL | 15:117db924cf7c | 7165 | |
wolfSSL | 15:117db924cf7c | 7166 | WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0); |
wolfSSL | 15:117db924cf7c | 7167 | WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_SEND); |
wolfSSL | 15:117db924cf7c | 7168 | |
wolfSSL | 15:117db924cf7c | 7169 | return ret; |
wolfSSL | 15:117db924cf7c | 7170 | } |
wolfSSL | 15:117db924cf7c | 7171 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 7172 | #endif /* NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 7173 | |
wolfSSL | 15:117db924cf7c | 7174 | /* Make sure no duplicates, no fast forward, or other problems |
wolfSSL | 15:117db924cf7c | 7175 | * |
wolfSSL | 15:117db924cf7c | 7176 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7177 | * type Type of handshake message received. |
wolfSSL | 15:117db924cf7c | 7178 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 7179 | */ |
wolfSSL | 15:117db924cf7c | 7180 | static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type) |
wolfSSL | 15:117db924cf7c | 7181 | { |
wolfSSL | 15:117db924cf7c | 7182 | /* verify not a duplicate, mark received, check state */ |
wolfSSL | 15:117db924cf7c | 7183 | switch (type) { |
wolfSSL | 15:117db924cf7c | 7184 | |
wolfSSL | 15:117db924cf7c | 7185 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7186 | case client_hello: |
wolfSSL | 15:117db924cf7c | 7187 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7188 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 7189 | WOLFSSL_MSG("ClientHello received by client"); |
wolfSSL | 15:117db924cf7c | 7190 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7191 | } |
wolfSSL | 15:117db924cf7c | 7192 | #endif |
wolfSSL | 15:117db924cf7c | 7193 | if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7194 | WOLFSSL_MSG("ClientHello received out of order"); |
wolfSSL | 15:117db924cf7c | 7195 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7196 | } |
wolfSSL | 15:117db924cf7c | 7197 | if (ssl->msgsReceived.got_client_hello == 2) { |
wolfSSL | 15:117db924cf7c | 7198 | WOLFSSL_MSG("Too many ClientHello received"); |
wolfSSL | 15:117db924cf7c | 7199 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7200 | } |
wolfSSL | 15:117db924cf7c | 7201 | ssl->msgsReceived.got_client_hello++; |
wolfSSL | 15:117db924cf7c | 7202 | |
wolfSSL | 15:117db924cf7c | 7203 | break; |
wolfSSL | 15:117db924cf7c | 7204 | #endif |
wolfSSL | 15:117db924cf7c | 7205 | |
wolfSSL | 15:117db924cf7c | 7206 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7207 | case server_hello: |
wolfSSL | 15:117db924cf7c | 7208 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7209 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 7210 | WOLFSSL_MSG("ServerHello received by server"); |
wolfSSL | 15:117db924cf7c | 7211 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7212 | } |
wolfSSL | 15:117db924cf7c | 7213 | #endif |
wolfSSL | 15:117db924cf7c | 7214 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 7215 | if (ssl->msgsReceived.got_server_hello) { |
wolfSSL | 15:117db924cf7c | 7216 | WOLFSSL_MSG("Duplicate ServerHello received"); |
wolfSSL | 15:117db924cf7c | 7217 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7218 | } |
wolfSSL | 15:117db924cf7c | 7219 | ssl->msgsReceived.got_server_hello = 1; |
wolfSSL | 15:117db924cf7c | 7220 | #else |
wolfSSL | 15:117db924cf7c | 7221 | if (ssl->msgsReceived.got_server_hello == 2) { |
wolfSSL | 15:117db924cf7c | 7222 | WOLFSSL_MSG("Duplicate ServerHello received"); |
wolfSSL | 15:117db924cf7c | 7223 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7224 | } |
wolfSSL | 15:117db924cf7c | 7225 | ssl->msgsReceived.got_server_hello++; |
wolfSSL | 15:117db924cf7c | 7226 | #endif |
wolfSSL | 15:117db924cf7c | 7227 | |
wolfSSL | 15:117db924cf7c | 7228 | break; |
wolfSSL | 15:117db924cf7c | 7229 | #endif |
wolfSSL | 15:117db924cf7c | 7230 | |
wolfSSL | 15:117db924cf7c | 7231 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7232 | case session_ticket: |
wolfSSL | 15:117db924cf7c | 7233 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7234 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 7235 | WOLFSSL_MSG("NewSessionTicket received by server"); |
wolfSSL | 15:117db924cf7c | 7236 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7237 | } |
wolfSSL | 15:117db924cf7c | 7238 | #endif |
wolfSSL | 15:117db924cf7c | 7239 | if (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7240 | WOLFSSL_MSG("NewSessionTicket received out of order"); |
wolfSSL | 15:117db924cf7c | 7241 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7242 | } |
wolfSSL | 15:117db924cf7c | 7243 | ssl->msgsReceived.got_session_ticket = 1; |
wolfSSL | 15:117db924cf7c | 7244 | |
wolfSSL | 15:117db924cf7c | 7245 | break; |
wolfSSL | 15:117db924cf7c | 7246 | #endif |
wolfSSL | 15:117db924cf7c | 7247 | |
wolfSSL | 15:117db924cf7c | 7248 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7249 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7250 | case end_of_early_data: |
wolfSSL | 15:117db924cf7c | 7251 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7252 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 7253 | WOLFSSL_MSG("EndOfEarlyData received by client"); |
wolfSSL | 15:117db924cf7c | 7254 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7255 | } |
wolfSSL | 15:117db924cf7c | 7256 | #endif |
wolfSSL | 15:117db924cf7c | 7257 | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7258 | WOLFSSL_MSG("EndOfEarlyData received out of order"); |
wolfSSL | 15:117db924cf7c | 7259 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7260 | } |
wolfSSL | 15:117db924cf7c | 7261 | if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7262 | WOLFSSL_MSG("EndOfEarlyData received out of order"); |
wolfSSL | 15:117db924cf7c | 7263 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7264 | } |
wolfSSL | 15:117db924cf7c | 7265 | if (ssl->msgsReceived.got_end_of_early_data == 1) { |
wolfSSL | 15:117db924cf7c | 7266 | WOLFSSL_MSG("Too many EndOfEarlyData received"); |
wolfSSL | 15:117db924cf7c | 7267 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7268 | } |
wolfSSL | 15:117db924cf7c | 7269 | ssl->msgsReceived.got_end_of_early_data++; |
wolfSSL | 15:117db924cf7c | 7270 | |
wolfSSL | 15:117db924cf7c | 7271 | break; |
wolfSSL | 15:117db924cf7c | 7272 | #endif |
wolfSSL | 15:117db924cf7c | 7273 | #endif |
wolfSSL | 15:117db924cf7c | 7274 | |
wolfSSL | 15:117db924cf7c | 7275 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 7276 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7277 | case hello_retry_request: |
wolfSSL | 15:117db924cf7c | 7278 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7279 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 7280 | WOLFSSL_MSG("HelloRetryRequest received by server"); |
wolfSSL | 15:117db924cf7c | 7281 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7282 | } |
wolfSSL | 15:117db924cf7c | 7283 | #endif |
wolfSSL | 15:117db924cf7c | 7284 | if (ssl->options.clientState > CLIENT_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7285 | WOLFSSL_MSG("HelloRetryRequest received out of order"); |
wolfSSL | 15:117db924cf7c | 7286 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7287 | } |
wolfSSL | 15:117db924cf7c | 7288 | if (ssl->msgsReceived.got_hello_retry_request) { |
wolfSSL | 15:117db924cf7c | 7289 | WOLFSSL_MSG("Duplicate HelloRetryRequest received"); |
wolfSSL | 15:117db924cf7c | 7290 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7291 | } |
wolfSSL | 15:117db924cf7c | 7292 | ssl->msgsReceived.got_hello_retry_request = 1; |
wolfSSL | 15:117db924cf7c | 7293 | |
wolfSSL | 15:117db924cf7c | 7294 | break; |
wolfSSL | 15:117db924cf7c | 7295 | #endif |
wolfSSL | 15:117db924cf7c | 7296 | #endif |
wolfSSL | 15:117db924cf7c | 7297 | |
wolfSSL | 15:117db924cf7c | 7298 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7299 | case encrypted_extensions: |
wolfSSL | 15:117db924cf7c | 7300 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7301 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 7302 | WOLFSSL_MSG("EncryptedExtensions received by server"); |
wolfSSL | 15:117db924cf7c | 7303 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7304 | } |
wolfSSL | 15:117db924cf7c | 7305 | #endif |
wolfSSL | 15:117db924cf7c | 7306 | if (ssl->options.serverState != SERVER_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7307 | WOLFSSL_MSG("EncryptedExtensions received out of order"); |
wolfSSL | 15:117db924cf7c | 7308 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7309 | } |
wolfSSL | 15:117db924cf7c | 7310 | if (ssl->msgsReceived.got_encrypted_extensions) { |
wolfSSL | 15:117db924cf7c | 7311 | WOLFSSL_MSG("Duplicate EncryptedExtensions received"); |
wolfSSL | 15:117db924cf7c | 7312 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7313 | } |
wolfSSL | 15:117db924cf7c | 7314 | ssl->msgsReceived.got_encrypted_extensions = 1; |
wolfSSL | 15:117db924cf7c | 7315 | |
wolfSSL | 15:117db924cf7c | 7316 | break; |
wolfSSL | 15:117db924cf7c | 7317 | #endif |
wolfSSL | 15:117db924cf7c | 7318 | |
wolfSSL | 15:117db924cf7c | 7319 | case certificate: |
wolfSSL | 15:117db924cf7c | 7320 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7321 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
wolfSSL | 15:117db924cf7c | 7322 | ssl->options.serverState != |
wolfSSL | 15:117db924cf7c | 7323 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7324 | WOLFSSL_MSG("Certificate received out of order - Client"); |
wolfSSL | 15:117db924cf7c | 7325 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7326 | } |
wolfSSL | 15:117db924cf7c | 7327 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 7328 | /* Server's authenticating with PSK must not send this. */ |
wolfSSL | 15:117db924cf7c | 7329 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
wolfSSL | 15:117db924cf7c | 7330 | ssl->options.serverState == SERVER_CERT_COMPLETE && |
wolfSSL | 15:117db924cf7c | 7331 | ssl->arrays->psk_keySz != 0) { |
wolfSSL | 15:117db924cf7c | 7332 | WOLFSSL_MSG("Certificate received while using PSK"); |
wolfSSL | 15:117db924cf7c | 7333 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 7334 | } |
wolfSSL | 15:117db924cf7c | 7335 | #endif |
wolfSSL | 15:117db924cf7c | 7336 | #endif |
wolfSSL | 15:117db924cf7c | 7337 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7338 | if (ssl->options.side == WOLFSSL_SERVER_END && |
wolfSSL | 15:117db924cf7c | 7339 | ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7340 | WOLFSSL_MSG("Certificate received out of order - Server"); |
wolfSSL | 15:117db924cf7c | 7341 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7342 | } |
wolfSSL | 15:117db924cf7c | 7343 | #endif |
wolfSSL | 15:117db924cf7c | 7344 | if (ssl->msgsReceived.got_certificate) { |
wolfSSL | 15:117db924cf7c | 7345 | WOLFSSL_MSG("Duplicate Certificate received"); |
wolfSSL | 15:117db924cf7c | 7346 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7347 | } |
wolfSSL | 15:117db924cf7c | 7348 | ssl->msgsReceived.got_certificate = 1; |
wolfSSL | 15:117db924cf7c | 7349 | |
wolfSSL | 15:117db924cf7c | 7350 | break; |
wolfSSL | 15:117db924cf7c | 7351 | |
wolfSSL | 15:117db924cf7c | 7352 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7353 | case certificate_request: |
wolfSSL | 15:117db924cf7c | 7354 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7355 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 7356 | WOLFSSL_MSG("CertificateRequest received by server"); |
wolfSSL | 15:117db924cf7c | 7357 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7358 | } |
wolfSSL | 15:117db924cf7c | 7359 | #endif |
wolfSSL | 15:117db924cf7c | 7360 | #ifndef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 7361 | if (ssl->options.serverState != |
wolfSSL | 15:117db924cf7c | 7362 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7363 | WOLFSSL_MSG("CertificateRequest received out of order"); |
wolfSSL | 15:117db924cf7c | 7364 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7365 | } |
wolfSSL | 15:117db924cf7c | 7366 | #else |
wolfSSL | 15:117db924cf7c | 7367 | if (ssl->options.serverState != |
wolfSSL | 15:117db924cf7c | 7368 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE && |
wolfSSL | 15:117db924cf7c | 7369 | (ssl->options.serverState != SERVER_FINISHED_COMPLETE || |
wolfSSL | 15:117db924cf7c | 7370 | ssl->options.clientState != CLIENT_FINISHED_COMPLETE)) { |
wolfSSL | 15:117db924cf7c | 7371 | WOLFSSL_MSG("CertificateRequest received out of order"); |
wolfSSL | 15:117db924cf7c | 7372 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7373 | } |
wolfSSL | 15:117db924cf7c | 7374 | #endif |
wolfSSL | 15:117db924cf7c | 7375 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 7376 | /* Server's authenticating with PSK must not send this. */ |
wolfSSL | 15:117db924cf7c | 7377 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 7378 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE && |
wolfSSL | 15:117db924cf7c | 7379 | ssl->arrays->psk_keySz != 0) { |
wolfSSL | 15:117db924cf7c | 7380 | WOLFSSL_MSG("CertificateRequset received while using PSK"); |
wolfSSL | 15:117db924cf7c | 7381 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 7382 | } |
wolfSSL | 15:117db924cf7c | 7383 | #endif |
wolfSSL | 15:117db924cf7c | 7384 | #ifndef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 7385 | if (ssl->msgsReceived.got_certificate_request) { |
wolfSSL | 15:117db924cf7c | 7386 | WOLFSSL_MSG("Duplicate CertificateRequest received"); |
wolfSSL | 15:117db924cf7c | 7387 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7388 | } |
wolfSSL | 15:117db924cf7c | 7389 | #endif |
wolfSSL | 15:117db924cf7c | 7390 | ssl->msgsReceived.got_certificate_request = 1; |
wolfSSL | 15:117db924cf7c | 7391 | |
wolfSSL | 15:117db924cf7c | 7392 | break; |
wolfSSL | 15:117db924cf7c | 7393 | #endif |
wolfSSL | 15:117db924cf7c | 7394 | |
wolfSSL | 15:117db924cf7c | 7395 | case certificate_verify: |
wolfSSL | 15:117db924cf7c | 7396 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7397 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 7398 | if (ssl->options.serverState != SERVER_CERT_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7399 | WOLFSSL_MSG("No Cert before CertVerify"); |
wolfSSL | 15:117db924cf7c | 7400 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7401 | } |
wolfSSL | 15:117db924cf7c | 7402 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 7403 | /* Server's authenticating with PSK must not send this. */ |
wolfSSL | 15:117db924cf7c | 7404 | if (ssl->options.serverState == SERVER_CERT_COMPLETE && |
wolfSSL | 15:117db924cf7c | 7405 | ssl->arrays->psk_keySz != 0) { |
wolfSSL | 15:117db924cf7c | 7406 | WOLFSSL_MSG("CertificateVerify received while using PSK"); |
wolfSSL | 15:117db924cf7c | 7407 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 7408 | } |
wolfSSL | 15:117db924cf7c | 7409 | #endif |
wolfSSL | 15:117db924cf7c | 7410 | } |
wolfSSL | 15:117db924cf7c | 7411 | #endif |
wolfSSL | 15:117db924cf7c | 7412 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7413 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 7414 | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7415 | WOLFSSL_MSG("CertificateVerify received out of order"); |
wolfSSL | 15:117db924cf7c | 7416 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7417 | } |
wolfSSL | 15:117db924cf7c | 7418 | if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7419 | WOLFSSL_MSG("CertificateVerify before ClientHello done"); |
wolfSSL | 15:117db924cf7c | 7420 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7421 | } |
wolfSSL | 15:117db924cf7c | 7422 | if (!ssl->msgsReceived.got_certificate) { |
wolfSSL | 15:117db924cf7c | 7423 | WOLFSSL_MSG("No Cert before CertificateVerify"); |
wolfSSL | 15:117db924cf7c | 7424 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7425 | } |
wolfSSL | 15:117db924cf7c | 7426 | } |
wolfSSL | 15:117db924cf7c | 7427 | #endif |
wolfSSL | 15:117db924cf7c | 7428 | if (ssl->msgsReceived.got_certificate_verify) { |
wolfSSL | 15:117db924cf7c | 7429 | WOLFSSL_MSG("Duplicate CertificateVerify received"); |
wolfSSL | 15:117db924cf7c | 7430 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7431 | } |
wolfSSL | 15:117db924cf7c | 7432 | ssl->msgsReceived.got_certificate_verify = 1; |
wolfSSL | 15:117db924cf7c | 7433 | |
wolfSSL | 15:117db924cf7c | 7434 | break; |
wolfSSL | 15:117db924cf7c | 7435 | |
wolfSSL | 15:117db924cf7c | 7436 | case finished: |
wolfSSL | 15:117db924cf7c | 7437 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7438 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 7439 | if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7440 | WOLFSSL_MSG("Finished received out of order"); |
wolfSSL | 15:117db924cf7c | 7441 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7442 | } |
wolfSSL | 15:117db924cf7c | 7443 | if (ssl->options.serverState < |
wolfSSL | 15:117db924cf7c | 7444 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7445 | WOLFSSL_MSG("Finished received out of order"); |
wolfSSL | 15:117db924cf7c | 7446 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7447 | } |
wolfSSL | 15:117db924cf7c | 7448 | } |
wolfSSL | 15:117db924cf7c | 7449 | #endif |
wolfSSL | 15:117db924cf7c | 7450 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7451 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 7452 | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7453 | WOLFSSL_MSG("Finished received out of order"); |
wolfSSL | 15:117db924cf7c | 7454 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7455 | } |
wolfSSL | 15:117db924cf7c | 7456 | if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7457 | WOLFSSL_MSG("Finished received out of order"); |
wolfSSL | 15:117db924cf7c | 7458 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7459 | } |
wolfSSL | 15:117db924cf7c | 7460 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7461 | if (ssl->earlyData == process_early_data) { |
wolfSSL | 15:117db924cf7c | 7462 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7463 | } |
wolfSSL | 15:117db924cf7c | 7464 | #endif |
wolfSSL | 15:117db924cf7c | 7465 | } |
wolfSSL | 15:117db924cf7c | 7466 | #endif |
wolfSSL | 15:117db924cf7c | 7467 | if (ssl->msgsReceived.got_finished) { |
wolfSSL | 15:117db924cf7c | 7468 | WOLFSSL_MSG("Duplicate Finished received"); |
wolfSSL | 15:117db924cf7c | 7469 | return DUPLICATE_MSG_E; |
wolfSSL | 15:117db924cf7c | 7470 | } |
wolfSSL | 15:117db924cf7c | 7471 | ssl->msgsReceived.got_finished = 1; |
wolfSSL | 15:117db924cf7c | 7472 | |
wolfSSL | 15:117db924cf7c | 7473 | break; |
wolfSSL | 15:117db924cf7c | 7474 | |
wolfSSL | 15:117db924cf7c | 7475 | case key_update: |
wolfSSL | 15:117db924cf7c | 7476 | if (!ssl->msgsReceived.got_finished) { |
wolfSSL | 15:117db924cf7c | 7477 | WOLFSSL_MSG("No KeyUpdate before Finished"); |
wolfSSL | 15:117db924cf7c | 7478 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7479 | } |
wolfSSL | 15:117db924cf7c | 7480 | break; |
wolfSSL | 15:117db924cf7c | 7481 | |
wolfSSL | 15:117db924cf7c | 7482 | default: |
wolfSSL | 15:117db924cf7c | 7483 | WOLFSSL_MSG("Unknown message type"); |
wolfSSL | 15:117db924cf7c | 7484 | return SANITY_MSG_E; |
wolfSSL | 15:117db924cf7c | 7485 | } |
wolfSSL | 15:117db924cf7c | 7486 | |
wolfSSL | 15:117db924cf7c | 7487 | return 0; |
wolfSSL | 15:117db924cf7c | 7488 | } |
wolfSSL | 15:117db924cf7c | 7489 | |
wolfSSL | 15:117db924cf7c | 7490 | /* Handle a type of handshake message that has been received. |
wolfSSL | 15:117db924cf7c | 7491 | * |
wolfSSL | 15:117db924cf7c | 7492 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7493 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 7494 | * inOutIdx On entry, the index into the buffer of the current message. |
wolfSSL | 15:117db924cf7c | 7495 | * On exit, the index into the buffer of the next message. |
wolfSSL | 15:117db924cf7c | 7496 | * size The length of the current handshake message. |
wolfSSL | 15:117db924cf7c | 7497 | * totalSz Length of remaining data in the message buffer. |
wolfSSL | 15:117db924cf7c | 7498 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 7499 | */ |
wolfSSL | 15:117db924cf7c | 7500 | int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 7501 | byte type, word32 size, word32 totalSz) |
wolfSSL | 15:117db924cf7c | 7502 | { |
wolfSSL | 15:117db924cf7c | 7503 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 7504 | word32 inIdx = *inOutIdx; |
wolfSSL | 15:117db924cf7c | 7505 | |
wolfSSL | 15:117db924cf7c | 7506 | (void)totalSz; |
wolfSSL | 15:117db924cf7c | 7507 | |
wolfSSL | 15:117db924cf7c | 7508 | WOLFSSL_ENTER("DoTls13HandShakeMsgType"); |
wolfSSL | 15:117db924cf7c | 7509 | |
wolfSSL | 16:8e0d178b1d1e | 7510 | /* make sure we can read the message */ |
wolfSSL | 15:117db924cf7c | 7511 | if (*inOutIdx + size > totalSz) |
wolfSSL | 15:117db924cf7c | 7512 | return INCOMPLETE_DATA; |
wolfSSL | 15:117db924cf7c | 7513 | |
wolfSSL | 15:117db924cf7c | 7514 | /* sanity check msg received */ |
wolfSSL | 15:117db924cf7c | 7515 | if ((ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) { |
wolfSSL | 15:117db924cf7c | 7516 | WOLFSSL_MSG("Sanity Check on handshake message type received failed"); |
wolfSSL | 15:117db924cf7c | 7517 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 7518 | return ret; |
wolfSSL | 15:117db924cf7c | 7519 | } |
wolfSSL | 15:117db924cf7c | 7520 | |
wolfSSL | 15:117db924cf7c | 7521 | #ifdef WOLFSSL_CALLBACKS |
wolfSSL | 15:117db924cf7c | 7522 | /* add name later, add on record and handshake header part back on */ |
wolfSSL | 15:117db924cf7c | 7523 | if (ssl->toInfoOn) { |
wolfSSL | 15:117db924cf7c | 7524 | int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 7525 | AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - add, |
wolfSSL | 15:117db924cf7c | 7526 | size + add, READ_PROTO, ssl->heap); |
wolfSSL | 15:117db924cf7c | 7527 | AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo); |
wolfSSL | 15:117db924cf7c | 7528 | } |
wolfSSL | 15:117db924cf7c | 7529 | #endif |
wolfSSL | 15:117db924cf7c | 7530 | |
wolfSSL | 15:117db924cf7c | 7531 | if (ssl->options.handShakeState == HANDSHAKE_DONE && |
wolfSSL | 15:117db924cf7c | 7532 | type != session_ticket && type != certificate_request && |
wolfSSL | 15:117db924cf7c | 7533 | type != certificate && type != key_update) { |
wolfSSL | 15:117db924cf7c | 7534 | WOLFSSL_MSG("HandShake message after handshake complete"); |
wolfSSL | 15:117db924cf7c | 7535 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 7536 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7537 | } |
wolfSSL | 15:117db924cf7c | 7538 | |
wolfSSL | 15:117db924cf7c | 7539 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
wolfSSL | 15:117db924cf7c | 7540 | ssl->options.serverState == NULL_STATE && |
wolfSSL | 15:117db924cf7c | 7541 | type != server_hello && type != hello_retry_request) { |
wolfSSL | 15:117db924cf7c | 7542 | WOLFSSL_MSG("First server message not server hello"); |
wolfSSL | 15:117db924cf7c | 7543 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 7544 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7545 | } |
wolfSSL | 15:117db924cf7c | 7546 | |
wolfSSL | 15:117db924cf7c | 7547 | if (ssl->options.side == WOLFSSL_SERVER_END && |
wolfSSL | 15:117db924cf7c | 7548 | ssl->options.clientState == NULL_STATE && type != client_hello) { |
wolfSSL | 15:117db924cf7c | 7549 | WOLFSSL_MSG("First client message not client hello"); |
wolfSSL | 15:117db924cf7c | 7550 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 7551 | return OUT_OF_ORDER_E; |
wolfSSL | 15:117db924cf7c | 7552 | } |
wolfSSL | 15:117db924cf7c | 7553 | |
wolfSSL | 15:117db924cf7c | 7554 | /* above checks handshake state */ |
wolfSSL | 15:117db924cf7c | 7555 | switch (type) { |
wolfSSL | 15:117db924cf7c | 7556 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 16:8e0d178b1d1e | 7557 | /* Messages only received by client. */ |
wolfSSL | 15:117db924cf7c | 7558 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 7559 | case hello_retry_request: |
wolfSSL | 16:8e0d178b1d1e | 7560 | WOLFSSL_MSG("processing hello retry request"); |
wolfSSL | 15:117db924cf7c | 7561 | ret = DoTls13HelloRetryRequest(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7562 | break; |
wolfSSL | 15:117db924cf7c | 7563 | #endif |
wolfSSL | 15:117db924cf7c | 7564 | |
wolfSSL | 15:117db924cf7c | 7565 | case server_hello: |
wolfSSL | 15:117db924cf7c | 7566 | WOLFSSL_MSG("processing server hello"); |
wolfSSL | 15:117db924cf7c | 7567 | ret = DoTls13ServerHello(ssl, input, inOutIdx, size, &type); |
wolfSSL | 16:8e0d178b1d1e | 7568 | #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \ |
wolfSSL | 16:8e0d178b1d1e | 7569 | ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \ |
wolfSSL | 16:8e0d178b1d1e | 7570 | (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH))) |
wolfSSL | 16:8e0d178b1d1e | 7571 | if (ssl->options.resuming || !IsAtLeastTLSv1_2(ssl) || |
wolfSSL | 16:8e0d178b1d1e | 7572 | IsAtLeastTLSv1_3(ssl->version)) { |
wolfSSL | 16:8e0d178b1d1e | 7573 | ssl->options.cacheMessages = 0; |
wolfSSL | 16:8e0d178b1d1e | 7574 | if (ssl->hsHashes->messages != NULL) { |
wolfSSL | 16:8e0d178b1d1e | 7575 | XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES); |
wolfSSL | 16:8e0d178b1d1e | 7576 | ssl->hsHashes->messages = NULL; |
wolfSSL | 16:8e0d178b1d1e | 7577 | } |
wolfSSL | 16:8e0d178b1d1e | 7578 | } |
wolfSSL | 16:8e0d178b1d1e | 7579 | #endif |
wolfSSL | 15:117db924cf7c | 7580 | break; |
wolfSSL | 15:117db924cf7c | 7581 | |
wolfSSL | 15:117db924cf7c | 7582 | case encrypted_extensions: |
wolfSSL | 15:117db924cf7c | 7583 | WOLFSSL_MSG("processing encrypted extensions"); |
wolfSSL | 15:117db924cf7c | 7584 | ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7585 | break; |
wolfSSL | 15:117db924cf7c | 7586 | |
wolfSSL | 15:117db924cf7c | 7587 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 7588 | case certificate_request: |
wolfSSL | 15:117db924cf7c | 7589 | WOLFSSL_MSG("processing certificate request"); |
wolfSSL | 15:117db924cf7c | 7590 | ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7591 | break; |
wolfSSL | 15:117db924cf7c | 7592 | #endif |
wolfSSL | 15:117db924cf7c | 7593 | |
wolfSSL | 15:117db924cf7c | 7594 | case session_ticket: |
wolfSSL | 15:117db924cf7c | 7595 | WOLFSSL_MSG("processing new session ticket"); |
wolfSSL | 15:117db924cf7c | 7596 | ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7597 | break; |
wolfSSL | 15:117db924cf7c | 7598 | #endif /* !NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 7599 | |
wolfSSL | 15:117db924cf7c | 7600 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 16:8e0d178b1d1e | 7601 | /* Messages only received by server. */ |
wolfSSL | 15:117db924cf7c | 7602 | case client_hello: |
wolfSSL | 15:117db924cf7c | 7603 | WOLFSSL_MSG("processing client hello"); |
wolfSSL | 15:117db924cf7c | 7604 | ret = DoTls13ClientHello(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7605 | break; |
wolfSSL | 15:117db924cf7c | 7606 | |
wolfSSL | 15:117db924cf7c | 7607 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7608 | case end_of_early_data: |
wolfSSL | 15:117db924cf7c | 7609 | WOLFSSL_MSG("processing end of early data"); |
wolfSSL | 15:117db924cf7c | 7610 | ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7611 | break; |
wolfSSL | 15:117db924cf7c | 7612 | #endif |
wolfSSL | 15:117db924cf7c | 7613 | #endif /* !NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 7614 | |
wolfSSL | 16:8e0d178b1d1e | 7615 | /* Messages received by both client and server. */ |
wolfSSL | 15:117db924cf7c | 7616 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 7617 | case certificate: |
wolfSSL | 15:117db924cf7c | 7618 | WOLFSSL_MSG("processing certificate"); |
wolfSSL | 15:117db924cf7c | 7619 | ret = DoTls13Certificate(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7620 | break; |
wolfSSL | 15:117db924cf7c | 7621 | #endif |
wolfSSL | 15:117db924cf7c | 7622 | |
wolfSSL | 16:8e0d178b1d1e | 7623 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ |
wolfSSL | 16:8e0d178b1d1e | 7624 | defined(HAVE_ED448) |
wolfSSL | 15:117db924cf7c | 7625 | case certificate_verify: |
wolfSSL | 15:117db924cf7c | 7626 | WOLFSSL_MSG("processing certificate verify"); |
wolfSSL | 15:117db924cf7c | 7627 | ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7628 | break; |
wolfSSL | 15:117db924cf7c | 7629 | #endif /* !NO_RSA || HAVE_ECC */ |
wolfSSL | 15:117db924cf7c | 7630 | |
wolfSSL | 15:117db924cf7c | 7631 | case finished: |
wolfSSL | 15:117db924cf7c | 7632 | WOLFSSL_MSG("processing finished"); |
wolfSSL | 15:117db924cf7c | 7633 | ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF); |
wolfSSL | 15:117db924cf7c | 7634 | break; |
wolfSSL | 15:117db924cf7c | 7635 | |
wolfSSL | 15:117db924cf7c | 7636 | case key_update: |
wolfSSL | 15:117db924cf7c | 7637 | WOLFSSL_MSG("processing finished"); |
wolfSSL | 15:117db924cf7c | 7638 | ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size); |
wolfSSL | 15:117db924cf7c | 7639 | break; |
wolfSSL | 15:117db924cf7c | 7640 | |
wolfSSL | 15:117db924cf7c | 7641 | default: |
wolfSSL | 15:117db924cf7c | 7642 | WOLFSSL_MSG("Unknown handshake message type"); |
wolfSSL | 15:117db924cf7c | 7643 | ret = UNKNOWN_HANDSHAKE_TYPE; |
wolfSSL | 15:117db924cf7c | 7644 | break; |
wolfSSL | 15:117db924cf7c | 7645 | } |
wolfSSL | 15:117db924cf7c | 7646 | |
wolfSSL | 15:117db924cf7c | 7647 | /* reset error */ |
wolfSSL | 15:117db924cf7c | 7648 | if (ret == 0 && ssl->error == WC_PENDING_E) |
wolfSSL | 15:117db924cf7c | 7649 | ssl->error = 0; |
wolfSSL | 15:117db924cf7c | 7650 | |
wolfSSL | 15:117db924cf7c | 7651 | if (ret == 0 && type != client_hello && type != session_ticket && |
wolfSSL | 15:117db924cf7c | 7652 | type != key_update) { |
wolfSSL | 15:117db924cf7c | 7653 | ret = HashInput(ssl, input + inIdx, size); |
wolfSSL | 15:117db924cf7c | 7654 | } |
wolfSSL | 16:8e0d178b1d1e | 7655 | if (ret == 0 && ssl->buffers.inputBuffer.dynamicFlag) { |
wolfSSL | 16:8e0d178b1d1e | 7656 | ShrinkInputBuffer(ssl, NO_FORCED_FREE); |
wolfSSL | 16:8e0d178b1d1e | 7657 | } |
wolfSSL | 15:117db924cf7c | 7658 | |
wolfSSL | 15:117db924cf7c | 7659 | if (ret == BUFFER_ERROR || ret == MISSING_HANDSHAKE_DATA) |
wolfSSL | 15:117db924cf7c | 7660 | SendAlert(ssl, alert_fatal, decode_error); |
wolfSSL | 15:117db924cf7c | 7661 | else if (ret == EXT_NOT_ALLOWED || ret == PEER_KEY_ERROR || |
wolfSSL | 15:117db924cf7c | 7662 | ret == ECC_PEERKEY_ERROR || ret == BAD_KEY_SHARE_DATA || |
wolfSSL | 15:117db924cf7c | 7663 | ret == PSK_KEY_ERROR || ret == INVALID_PARAMETER) { |
wolfSSL | 15:117db924cf7c | 7664 | SendAlert(ssl, alert_fatal, illegal_parameter); |
wolfSSL | 15:117db924cf7c | 7665 | } |
wolfSSL | 15:117db924cf7c | 7666 | |
wolfSSL | 16:8e0d178b1d1e | 7667 | if (ret == 0 && ssl->options.tls1_3) { |
wolfSSL | 15:117db924cf7c | 7668 | /* Need to hash input message before deriving secrets. */ |
wolfSSL | 15:117db924cf7c | 7669 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7670 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 7671 | if (type == server_hello) { |
wolfSSL | 15:117db924cf7c | 7672 | if ((ret = DeriveEarlySecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 7673 | return ret; |
wolfSSL | 15:117db924cf7c | 7674 | if ((ret = DeriveHandshakeSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 7675 | return ret; |
wolfSSL | 15:117db924cf7c | 7676 | |
wolfSSL | 15:117db924cf7c | 7677 | if ((ret = DeriveTls13Keys(ssl, handshake_key, |
wolfSSL | 15:117db924cf7c | 7678 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) { |
wolfSSL | 15:117db924cf7c | 7679 | return ret; |
wolfSSL | 15:117db924cf7c | 7680 | } |
wolfSSL | 15:117db924cf7c | 7681 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7682 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
wolfSSL | 15:117db924cf7c | 7683 | return ret; |
wolfSSL | 15:117db924cf7c | 7684 | #else |
wolfSSL | 15:117db924cf7c | 7685 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0) |
wolfSSL | 15:117db924cf7c | 7686 | return ret; |
wolfSSL | 15:117db924cf7c | 7687 | #endif |
wolfSSL | 15:117db924cf7c | 7688 | } |
wolfSSL | 15:117db924cf7c | 7689 | |
wolfSSL | 15:117db924cf7c | 7690 | if (type == finished) { |
wolfSSL | 15:117db924cf7c | 7691 | if ((ret = DeriveMasterSecret(ssl)) != 0) |
wolfSSL | 15:117db924cf7c | 7692 | return ret; |
wolfSSL | 15:117db924cf7c | 7693 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7694 | if ((ret = DeriveTls13Keys(ssl, traffic_key, |
wolfSSL | 15:117db924cf7c | 7695 | ENCRYPT_AND_DECRYPT_SIDE, |
wolfSSL | 15:117db924cf7c | 7696 | ssl->earlyData == no_early_data)) != 0) { |
wolfSSL | 15:117db924cf7c | 7697 | return ret; |
wolfSSL | 15:117db924cf7c | 7698 | } |
wolfSSL | 15:117db924cf7c | 7699 | #else |
wolfSSL | 15:117db924cf7c | 7700 | if ((ret = DeriveTls13Keys(ssl, traffic_key, |
wolfSSL | 15:117db924cf7c | 7701 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) { |
wolfSSL | 15:117db924cf7c | 7702 | return ret; |
wolfSSL | 15:117db924cf7c | 7703 | } |
wolfSSL | 15:117db924cf7c | 7704 | #endif |
wolfSSL | 15:117db924cf7c | 7705 | } |
wolfSSL | 15:117db924cf7c | 7706 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
wolfSSL | 15:117db924cf7c | 7707 | if (type == certificate_request && |
wolfSSL | 15:117db924cf7c | 7708 | ssl->options.handShakeState == HANDSHAKE_DONE) { |
wolfSSL | 15:117db924cf7c | 7709 | /* reset handshake states */ |
wolfSSL | 15:117db924cf7c | 7710 | ssl->options.clientState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 7711 | ssl->options.connectState = FIRST_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 7712 | ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 7713 | |
wolfSSL | 15:117db924cf7c | 7714 | if (wolfSSL_connect_TLSv13(ssl) != SSL_SUCCESS) |
wolfSSL | 15:117db924cf7c | 7715 | ret = POST_HAND_AUTH_ERROR; |
wolfSSL | 15:117db924cf7c | 7716 | } |
wolfSSL | 15:117db924cf7c | 7717 | #endif |
wolfSSL | 15:117db924cf7c | 7718 | } |
wolfSSL | 15:117db924cf7c | 7719 | #endif /* NO_WOLFSSL_CLIENT */ |
wolfSSL | 15:117db924cf7c | 7720 | |
wolfSSL | 15:117db924cf7c | 7721 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 7722 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 7723 | if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) { |
wolfSSL | 15:117db924cf7c | 7724 | ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret); |
wolfSSL | 15:117db924cf7c | 7725 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 7726 | return ret; |
wolfSSL | 15:117db924cf7c | 7727 | } |
wolfSSL | 15:117db924cf7c | 7728 | #endif |
wolfSSL | 15:117db924cf7c | 7729 | #endif /* NO_WOLFSSL_SERVER */ |
wolfSSL | 15:117db924cf7c | 7730 | } |
wolfSSL | 15:117db924cf7c | 7731 | |
wolfSSL | 15:117db924cf7c | 7732 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 7733 | /* if async, offset index so this msg will be processed again */ |
wolfSSL | 15:117db924cf7c | 7734 | if (ret == WC_PENDING_E && *inOutIdx > 0) { |
wolfSSL | 15:117db924cf7c | 7735 | *inOutIdx -= HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 7736 | } |
wolfSSL | 15:117db924cf7c | 7737 | #endif |
wolfSSL | 15:117db924cf7c | 7738 | |
wolfSSL | 15:117db924cf7c | 7739 | WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret); |
wolfSSL | 15:117db924cf7c | 7740 | return ret; |
wolfSSL | 15:117db924cf7c | 7741 | } |
wolfSSL | 15:117db924cf7c | 7742 | |
wolfSSL | 15:117db924cf7c | 7743 | |
wolfSSL | 15:117db924cf7c | 7744 | /* Handle a handshake message that has been received. |
wolfSSL | 15:117db924cf7c | 7745 | * |
wolfSSL | 15:117db924cf7c | 7746 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7747 | * input The message buffer. |
wolfSSL | 15:117db924cf7c | 7748 | * inOutIdx On entry, the index into the buffer of the current message. |
wolfSSL | 15:117db924cf7c | 7749 | * On exit, the index into the buffer of the next message. |
wolfSSL | 15:117db924cf7c | 7750 | * totalSz Length of remaining data in the message buffer. |
wolfSSL | 15:117db924cf7c | 7751 | * returns 0 on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 7752 | */ |
wolfSSL | 15:117db924cf7c | 7753 | int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, |
wolfSSL | 15:117db924cf7c | 7754 | word32 totalSz) |
wolfSSL | 15:117db924cf7c | 7755 | { |
wolfSSL | 15:117db924cf7c | 7756 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 7757 | word32 inputLength; |
wolfSSL | 15:117db924cf7c | 7758 | |
wolfSSL | 15:117db924cf7c | 7759 | WOLFSSL_ENTER("DoTls13HandShakeMsg()"); |
wolfSSL | 15:117db924cf7c | 7760 | |
wolfSSL | 15:117db924cf7c | 7761 | if (ssl->arrays == NULL) { |
wolfSSL | 15:117db924cf7c | 7762 | byte type; |
wolfSSL | 15:117db924cf7c | 7763 | word32 size; |
wolfSSL | 15:117db924cf7c | 7764 | |
wolfSSL | 16:8e0d178b1d1e | 7765 | if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size, |
wolfSSL | 16:8e0d178b1d1e | 7766 | totalSz) != 0) { |
wolfSSL | 16:8e0d178b1d1e | 7767 | SendAlert(ssl, alert_fatal, unexpected_message); |
wolfSSL | 15:117db924cf7c | 7768 | return PARSE_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 7769 | } |
wolfSSL | 15:117db924cf7c | 7770 | |
wolfSSL | 15:117db924cf7c | 7771 | return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size, |
wolfSSL | 15:117db924cf7c | 7772 | totalSz); |
wolfSSL | 15:117db924cf7c | 7773 | } |
wolfSSL | 15:117db924cf7c | 7774 | |
wolfSSL | 15:117db924cf7c | 7775 | inputLength = ssl->buffers.inputBuffer.length - *inOutIdx - ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 7776 | |
wolfSSL | 15:117db924cf7c | 7777 | /* If there is a pending fragmented handshake message, |
wolfSSL | 15:117db924cf7c | 7778 | * pending message size will be non-zero. */ |
wolfSSL | 15:117db924cf7c | 7779 | if (ssl->arrays->pendingMsgSz == 0) { |
wolfSSL | 15:117db924cf7c | 7780 | byte type; |
wolfSSL | 15:117db924cf7c | 7781 | word32 size; |
wolfSSL | 15:117db924cf7c | 7782 | |
wolfSSL | 15:117db924cf7c | 7783 | if (GetHandshakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0) |
wolfSSL | 15:117db924cf7c | 7784 | return PARSE_ERROR; |
wolfSSL | 15:117db924cf7c | 7785 | |
wolfSSL | 15:117db924cf7c | 7786 | /* Cap the maximum size of a handshake message to something reasonable. |
wolfSSL | 15:117db924cf7c | 7787 | * By default is the maximum size of a certificate message assuming |
wolfSSL | 15:117db924cf7c | 7788 | * nine 2048-bit RSA certificates in the chain. */ |
wolfSSL | 15:117db924cf7c | 7789 | if (size > MAX_HANDSHAKE_SZ) { |
wolfSSL | 15:117db924cf7c | 7790 | WOLFSSL_MSG("Handshake message too large"); |
wolfSSL | 15:117db924cf7c | 7791 | return HANDSHAKE_SIZE_ERROR; |
wolfSSL | 15:117db924cf7c | 7792 | } |
wolfSSL | 15:117db924cf7c | 7793 | |
wolfSSL | 15:117db924cf7c | 7794 | /* size is the size of the certificate message payload */ |
wolfSSL | 15:117db924cf7c | 7795 | if (inputLength - HANDSHAKE_HEADER_SZ < size) { |
wolfSSL | 15:117db924cf7c | 7796 | ssl->arrays->pendingMsgType = type; |
wolfSSL | 15:117db924cf7c | 7797 | ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 7798 | ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 7799 | ssl->heap, |
wolfSSL | 15:117db924cf7c | 7800 | DYNAMIC_TYPE_ARRAYS); |
wolfSSL | 15:117db924cf7c | 7801 | if (ssl->arrays->pendingMsg == NULL) |
wolfSSL | 15:117db924cf7c | 7802 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 7803 | XMEMCPY(ssl->arrays->pendingMsg, |
wolfSSL | 15:117db924cf7c | 7804 | input + *inOutIdx - HANDSHAKE_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 7805 | inputLength); |
wolfSSL | 15:117db924cf7c | 7806 | ssl->arrays->pendingMsgOffset = inputLength; |
wolfSSL | 15:117db924cf7c | 7807 | *inOutIdx += inputLength + ssl->keys.padSz - HANDSHAKE_HEADER_SZ; |
wolfSSL | 15:117db924cf7c | 7808 | return 0; |
wolfSSL | 15:117db924cf7c | 7809 | } |
wolfSSL | 15:117db924cf7c | 7810 | |
wolfSSL | 15:117db924cf7c | 7811 | ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size, |
wolfSSL | 15:117db924cf7c | 7812 | totalSz); |
wolfSSL | 15:117db924cf7c | 7813 | } |
wolfSSL | 15:117db924cf7c | 7814 | else { |
wolfSSL | 15:117db924cf7c | 7815 | if (inputLength + ssl->arrays->pendingMsgOffset > |
wolfSSL | 15:117db924cf7c | 7816 | ssl->arrays->pendingMsgSz) { |
wolfSSL | 15:117db924cf7c | 7817 | inputLength = ssl->arrays->pendingMsgSz - |
wolfSSL | 15:117db924cf7c | 7818 | ssl->arrays->pendingMsgOffset; |
wolfSSL | 15:117db924cf7c | 7819 | } |
wolfSSL | 15:117db924cf7c | 7820 | XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset, |
wolfSSL | 15:117db924cf7c | 7821 | input + *inOutIdx, inputLength); |
wolfSSL | 15:117db924cf7c | 7822 | ssl->arrays->pendingMsgOffset += inputLength; |
wolfSSL | 15:117db924cf7c | 7823 | *inOutIdx += inputLength + ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 7824 | |
wolfSSL | 15:117db924cf7c | 7825 | if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz) |
wolfSSL | 15:117db924cf7c | 7826 | { |
wolfSSL | 15:117db924cf7c | 7827 | word32 idx = 0; |
wolfSSL | 15:117db924cf7c | 7828 | ret = DoTls13HandShakeMsgType(ssl, |
wolfSSL | 15:117db924cf7c | 7829 | ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 7830 | &idx, ssl->arrays->pendingMsgType, |
wolfSSL | 15:117db924cf7c | 7831 | ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ, |
wolfSSL | 15:117db924cf7c | 7832 | ssl->arrays->pendingMsgSz); |
wolfSSL | 15:117db924cf7c | 7833 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 15:117db924cf7c | 7834 | if (ret == WC_PENDING_E) { |
wolfSSL | 15:117db924cf7c | 7835 | /* setup to process fragment again */ |
wolfSSL | 15:117db924cf7c | 7836 | ssl->arrays->pendingMsgOffset -= inputLength; |
wolfSSL | 15:117db924cf7c | 7837 | *inOutIdx -= inputLength + ssl->keys.padSz; |
wolfSSL | 15:117db924cf7c | 7838 | } |
wolfSSL | 15:117db924cf7c | 7839 | else |
wolfSSL | 15:117db924cf7c | 7840 | #endif |
wolfSSL | 15:117db924cf7c | 7841 | { |
wolfSSL | 15:117db924cf7c | 7842 | XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS); |
wolfSSL | 15:117db924cf7c | 7843 | ssl->arrays->pendingMsg = NULL; |
wolfSSL | 15:117db924cf7c | 7844 | ssl->arrays->pendingMsgSz = 0; |
wolfSSL | 15:117db924cf7c | 7845 | } |
wolfSSL | 15:117db924cf7c | 7846 | } |
wolfSSL | 15:117db924cf7c | 7847 | } |
wolfSSL | 15:117db924cf7c | 7848 | |
wolfSSL | 15:117db924cf7c | 7849 | WOLFSSL_LEAVE("DoTls13HandShakeMsg()", ret); |
wolfSSL | 15:117db924cf7c | 7850 | return ret; |
wolfSSL | 15:117db924cf7c | 7851 | } |
wolfSSL | 15:117db924cf7c | 7852 | |
wolfSSL | 15:117db924cf7c | 7853 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 7854 | |
wolfSSL | 15:117db924cf7c | 7855 | /* The client connecting to the server. |
wolfSSL | 15:117db924cf7c | 7856 | * The protocol version is expecting to be TLS v1.3. |
wolfSSL | 15:117db924cf7c | 7857 | * If the server downgrades, and older versions of the protocol are compiled |
wolfSSL | 15:117db924cf7c | 7858 | * in, the client will fallback to wolfSSL_connect(). |
wolfSSL | 15:117db924cf7c | 7859 | * Please see note at top of README if you get an error from connect. |
wolfSSL | 15:117db924cf7c | 7860 | * |
wolfSSL | 15:117db924cf7c | 7861 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 7862 | * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when |
wolfSSL | 15:117db924cf7c | 7863 | * unrecoverable error occurs and 0 otherwise. |
wolfSSL | 15:117db924cf7c | 7864 | * For more error information use wolfSSL_get_error(). |
wolfSSL | 15:117db924cf7c | 7865 | */ |
wolfSSL | 15:117db924cf7c | 7866 | int wolfSSL_connect_TLSv13(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 7867 | { |
wolfSSL | 15:117db924cf7c | 7868 | WOLFSSL_ENTER("wolfSSL_connect_TLSv13()"); |
wolfSSL | 15:117db924cf7c | 7869 | |
wolfSSL | 15:117db924cf7c | 7870 | #ifdef HAVE_ERRNO_H |
wolfSSL | 15:117db924cf7c | 7871 | errno = 0; |
wolfSSL | 15:117db924cf7c | 7872 | #endif |
wolfSSL | 15:117db924cf7c | 7873 | |
wolfSSL | 15:117db924cf7c | 7874 | if (ssl->options.side != WOLFSSL_CLIENT_END) { |
wolfSSL | 15:117db924cf7c | 7875 | WOLFSSL_ERROR(ssl->error = SIDE_ERROR); |
wolfSSL | 15:117db924cf7c | 7876 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7877 | } |
wolfSSL | 15:117db924cf7c | 7878 | |
wolfSSL | 16:8e0d178b1d1e | 7879 | if (ssl->buffers.outputBuffer.length > 0 |
wolfSSL | 16:8e0d178b1d1e | 7880 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 16:8e0d178b1d1e | 7881 | /* do not send buffered or advance state if last error was an |
wolfSSL | 16:8e0d178b1d1e | 7882 | async pending operation */ |
wolfSSL | 16:8e0d178b1d1e | 7883 | && ssl->error != WC_PENDING_E |
wolfSSL | 16:8e0d178b1d1e | 7884 | #endif |
wolfSSL | 16:8e0d178b1d1e | 7885 | ) { |
wolfSSL | 15:117db924cf7c | 7886 | if ((ssl->error = SendBuffered(ssl)) == 0) { |
wolfSSL | 15:117db924cf7c | 7887 | /* fragOffset is non-zero when sending fragments. On the last |
wolfSSL | 15:117db924cf7c | 7888 | * fragment, fragOffset is zero again, and the state can be |
wolfSSL | 15:117db924cf7c | 7889 | * advanced. */ |
wolfSSL | 15:117db924cf7c | 7890 | if (ssl->fragOffset == 0) { |
wolfSSL | 15:117db924cf7c | 7891 | ssl->options.connectState++; |
wolfSSL | 15:117db924cf7c | 7892 | WOLFSSL_MSG("connect state: " |
wolfSSL | 15:117db924cf7c | 7893 | "Advanced from last buffered fragment send"); |
wolfSSL | 15:117db924cf7c | 7894 | } |
wolfSSL | 15:117db924cf7c | 7895 | else { |
wolfSSL | 15:117db924cf7c | 7896 | WOLFSSL_MSG("connect state: " |
wolfSSL | 15:117db924cf7c | 7897 | "Not advanced, more fragments to send"); |
wolfSSL | 15:117db924cf7c | 7898 | } |
wolfSSL | 15:117db924cf7c | 7899 | } |
wolfSSL | 15:117db924cf7c | 7900 | else { |
wolfSSL | 15:117db924cf7c | 7901 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7902 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7903 | } |
wolfSSL | 15:117db924cf7c | 7904 | } |
wolfSSL | 15:117db924cf7c | 7905 | |
wolfSSL | 15:117db924cf7c | 7906 | switch (ssl->options.connectState) { |
wolfSSL | 15:117db924cf7c | 7907 | |
wolfSSL | 15:117db924cf7c | 7908 | case CONNECT_BEGIN: |
wolfSSL | 15:117db924cf7c | 7909 | /* Always send client hello first. */ |
wolfSSL | 15:117db924cf7c | 7910 | if ((ssl->error = SendTls13ClientHello(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7911 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7912 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7913 | } |
wolfSSL | 15:117db924cf7c | 7914 | |
wolfSSL | 15:117db924cf7c | 7915 | ssl->options.connectState = CLIENT_HELLO_SENT; |
wolfSSL | 15:117db924cf7c | 7916 | WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT"); |
wolfSSL | 15:117db924cf7c | 7917 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7918 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 7919 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ |
wolfSSL | 15:117db924cf7c | 7920 | defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 7921 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7922 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7923 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7924 | } |
wolfSSL | 15:117db924cf7c | 7925 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 15:117db924cf7c | 7926 | #endif |
wolfSSL | 15:117db924cf7c | 7927 | ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; |
wolfSSL | 15:117db924cf7c | 7928 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7929 | } |
wolfSSL | 15:117db924cf7c | 7930 | #endif |
wolfSSL | 15:117db924cf7c | 7931 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7932 | |
wolfSSL | 15:117db924cf7c | 7933 | case CLIENT_HELLO_SENT: |
wolfSSL | 15:117db924cf7c | 7934 | /* Get the response/s from the server. */ |
wolfSSL | 15:117db924cf7c | 7935 | while (ssl->options.serverState < |
wolfSSL | 15:117db924cf7c | 7936 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7937 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 7938 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7939 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7940 | } |
wolfSSL | 15:117db924cf7c | 7941 | } |
wolfSSL | 15:117db924cf7c | 7942 | |
wolfSSL | 15:117db924cf7c | 7943 | ssl->options.connectState = HELLO_AGAIN; |
wolfSSL | 15:117db924cf7c | 7944 | WOLFSSL_MSG("connect state: HELLO_AGAIN"); |
wolfSSL | 15:117db924cf7c | 7945 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7946 | |
wolfSSL | 15:117db924cf7c | 7947 | case HELLO_AGAIN: |
wolfSSL | 15:117db924cf7c | 7948 | if (ssl->options.certOnly) |
wolfSSL | 15:117db924cf7c | 7949 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 7950 | |
wolfSSL | 15:117db924cf7c | 7951 | if (!ssl->options.tls1_3) { |
wolfSSL | 15:117db924cf7c | 7952 | #ifndef WOLFSSL_NO_TLS12 |
wolfSSL | 15:117db924cf7c | 7953 | if (ssl->options.downgrade) |
wolfSSL | 15:117db924cf7c | 7954 | return wolfSSL_connect(ssl); |
wolfSSL | 15:117db924cf7c | 7955 | #endif |
wolfSSL | 15:117db924cf7c | 7956 | |
wolfSSL | 15:117db924cf7c | 7957 | WOLFSSL_MSG("Client using higher version, fatal error"); |
wolfSSL | 15:117db924cf7c | 7958 | return VERSION_ERROR; |
wolfSSL | 15:117db924cf7c | 7959 | } |
wolfSSL | 15:117db924cf7c | 7960 | |
wolfSSL | 15:117db924cf7c | 7961 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 7962 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7963 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ |
wolfSSL | 15:117db924cf7c | 7964 | defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 7965 | if (!ssl->options.sentChangeCipher) { |
wolfSSL | 15:117db924cf7c | 7966 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7967 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7968 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7969 | } |
wolfSSL | 15:117db924cf7c | 7970 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 15:117db924cf7c | 7971 | } |
wolfSSL | 15:117db924cf7c | 7972 | #endif |
wolfSSL | 15:117db924cf7c | 7973 | /* Try again with different security parameters. */ |
wolfSSL | 15:117db924cf7c | 7974 | if ((ssl->error = SendTls13ClientHello(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 7975 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7976 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7977 | } |
wolfSSL | 15:117db924cf7c | 7978 | } |
wolfSSL | 15:117db924cf7c | 7979 | |
wolfSSL | 15:117db924cf7c | 7980 | ssl->options.connectState = HELLO_AGAIN_REPLY; |
wolfSSL | 15:117db924cf7c | 7981 | WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY"); |
wolfSSL | 15:117db924cf7c | 7982 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7983 | |
wolfSSL | 15:117db924cf7c | 7984 | case HELLO_AGAIN_REPLY: |
wolfSSL | 15:117db924cf7c | 7985 | /* Get the response/s from the server. */ |
wolfSSL | 15:117db924cf7c | 7986 | while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 7987 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 7988 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 7989 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 7990 | } |
wolfSSL | 15:117db924cf7c | 7991 | } |
wolfSSL | 15:117db924cf7c | 7992 | |
wolfSSL | 15:117db924cf7c | 7993 | ssl->options.connectState = FIRST_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 7994 | WOLFSSL_MSG("connect state: FIRST_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 7995 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 7996 | |
wolfSSL | 15:117db924cf7c | 7997 | case FIRST_REPLY_DONE: |
wolfSSL | 15:117db924cf7c | 7998 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 7999 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 8000 | if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8001 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8002 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8003 | } |
wolfSSL | 15:117db924cf7c | 8004 | WOLFSSL_MSG("sent: end_of_early_data"); |
wolfSSL | 15:117db924cf7c | 8005 | } |
wolfSSL | 15:117db924cf7c | 8006 | #endif |
wolfSSL | 15:117db924cf7c | 8007 | |
wolfSSL | 15:117db924cf7c | 8008 | ssl->options.connectState = FIRST_REPLY_FIRST; |
wolfSSL | 15:117db924cf7c | 8009 | WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST"); |
wolfSSL | 15:117db924cf7c | 8010 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8011 | |
wolfSSL | 15:117db924cf7c | 8012 | case FIRST_REPLY_FIRST: |
wolfSSL | 15:117db924cf7c | 8013 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ |
wolfSSL | 15:117db924cf7c | 8014 | defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 8015 | if (!ssl->options.sentChangeCipher) { |
wolfSSL | 15:117db924cf7c | 8016 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8017 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8018 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8019 | } |
wolfSSL | 15:117db924cf7c | 8020 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 15:117db924cf7c | 8021 | } |
wolfSSL | 15:117db924cf7c | 8022 | #endif |
wolfSSL | 15:117db924cf7c | 8023 | |
wolfSSL | 15:117db924cf7c | 8024 | ssl->options.connectState = FIRST_REPLY_SECOND; |
wolfSSL | 15:117db924cf7c | 8025 | WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND"); |
wolfSSL | 15:117db924cf7c | 8026 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8027 | |
wolfSSL | 15:117db924cf7c | 8028 | case FIRST_REPLY_SECOND: |
wolfSSL | 15:117db924cf7c | 8029 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 8030 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
wolfSSL | 15:117db924cf7c | 8031 | ssl->error = SendTls13Certificate(ssl); |
wolfSSL | 15:117db924cf7c | 8032 | if (ssl->error != 0) { |
wolfSSL | 15:117db924cf7c | 8033 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8034 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8035 | } |
wolfSSL | 15:117db924cf7c | 8036 | WOLFSSL_MSG("sent: certificate"); |
wolfSSL | 15:117db924cf7c | 8037 | } |
wolfSSL | 15:117db924cf7c | 8038 | #endif |
wolfSSL | 15:117db924cf7c | 8039 | |
wolfSSL | 15:117db924cf7c | 8040 | ssl->options.connectState = FIRST_REPLY_THIRD; |
wolfSSL | 15:117db924cf7c | 8041 | WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD"); |
wolfSSL | 15:117db924cf7c | 8042 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8043 | |
wolfSSL | 15:117db924cf7c | 8044 | case FIRST_REPLY_THIRD: |
wolfSSL | 15:117db924cf7c | 8045 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 8046 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
wolfSSL | 15:117db924cf7c | 8047 | ssl->error = SendTls13CertificateVerify(ssl); |
wolfSSL | 15:117db924cf7c | 8048 | if (ssl->error != 0) { |
wolfSSL | 15:117db924cf7c | 8049 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8050 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8051 | } |
wolfSSL | 15:117db924cf7c | 8052 | WOLFSSL_MSG("sent: certificate verify"); |
wolfSSL | 15:117db924cf7c | 8053 | } |
wolfSSL | 15:117db924cf7c | 8054 | #endif |
wolfSSL | 15:117db924cf7c | 8055 | |
wolfSSL | 15:117db924cf7c | 8056 | ssl->options.connectState = FIRST_REPLY_FOURTH; |
wolfSSL | 15:117db924cf7c | 8057 | WOLFSSL_MSG("connect state: FIRST_REPLY_FOURTH"); |
wolfSSL | 15:117db924cf7c | 8058 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8059 | |
wolfSSL | 15:117db924cf7c | 8060 | case FIRST_REPLY_FOURTH: |
wolfSSL | 15:117db924cf7c | 8061 | if ((ssl->error = SendTls13Finished(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8062 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8063 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8064 | } |
wolfSSL | 15:117db924cf7c | 8065 | WOLFSSL_MSG("sent: finished"); |
wolfSSL | 15:117db924cf7c | 8066 | |
wolfSSL | 15:117db924cf7c | 8067 | ssl->options.connectState = FINISHED_DONE; |
wolfSSL | 15:117db924cf7c | 8068 | WOLFSSL_MSG("connect state: FINISHED_DONE"); |
wolfSSL | 15:117db924cf7c | 8069 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8070 | |
wolfSSL | 15:117db924cf7c | 8071 | case FINISHED_DONE: |
wolfSSL | 15:117db924cf7c | 8072 | #ifndef NO_HANDSHAKE_DONE_CB |
wolfSSL | 15:117db924cf7c | 8073 | if (ssl->hsDoneCb != NULL) { |
wolfSSL | 15:117db924cf7c | 8074 | int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx); |
wolfSSL | 15:117db924cf7c | 8075 | if (cbret < 0) { |
wolfSSL | 15:117db924cf7c | 8076 | ssl->error = cbret; |
wolfSSL | 15:117db924cf7c | 8077 | WOLFSSL_MSG("HandShake Done Cb don't continue error"); |
wolfSSL | 15:117db924cf7c | 8078 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8079 | } |
wolfSSL | 15:117db924cf7c | 8080 | } |
wolfSSL | 15:117db924cf7c | 8081 | #endif /* NO_HANDSHAKE_DONE_CB */ |
wolfSSL | 15:117db924cf7c | 8082 | |
wolfSSL | 16:8e0d178b1d1e | 8083 | if (!ssl->options.keepResources) { |
wolfSSL | 16:8e0d178b1d1e | 8084 | FreeHandshakeResources(ssl); |
wolfSSL | 16:8e0d178b1d1e | 8085 | } |
wolfSSL | 16:8e0d178b1d1e | 8086 | |
wolfSSL | 15:117db924cf7c | 8087 | WOLFSSL_LEAVE("wolfSSL_connect_TLSv13()", WOLFSSL_SUCCESS); |
wolfSSL | 15:117db924cf7c | 8088 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8089 | |
wolfSSL | 15:117db924cf7c | 8090 | default: |
wolfSSL | 15:117db924cf7c | 8091 | WOLFSSL_MSG("Unknown connect state ERROR"); |
wolfSSL | 15:117db924cf7c | 8092 | return WOLFSSL_FATAL_ERROR; /* unknown connect state */ |
wolfSSL | 15:117db924cf7c | 8093 | } |
wolfSSL | 15:117db924cf7c | 8094 | } |
wolfSSL | 15:117db924cf7c | 8095 | #endif |
wolfSSL | 15:117db924cf7c | 8096 | |
wolfSSL | 15:117db924cf7c | 8097 | #if defined(WOLFSSL_SEND_HRR_COOKIE) |
wolfSSL | 15:117db924cf7c | 8098 | /* Send a cookie with the HelloRetryRequest to avoid storing state. |
wolfSSL | 15:117db924cf7c | 8099 | * |
wolfSSL | 15:117db924cf7c | 8100 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8101 | * secret Secret to use when generating integrity check for cookie. |
wolfSSL | 15:117db924cf7c | 8102 | * A value of NULL indicates to generate a new random secret. |
wolfSSL | 15:117db924cf7c | 8103 | * secretSz Size of secret data in bytes. |
wolfSSL | 15:117db924cf7c | 8104 | * Use a value of 0 to indicate use of default size. |
wolfSSL | 15:117db924cf7c | 8105 | * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when |
wolfSSL | 15:117db924cf7c | 8106 | * called on a client; WOLFSSL_SUCCESS on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 8107 | */ |
wolfSSL | 15:117db924cf7c | 8108 | int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret, |
wolfSSL | 15:117db924cf7c | 8109 | unsigned int secretSz) |
wolfSSL | 15:117db924cf7c | 8110 | { |
wolfSSL | 15:117db924cf7c | 8111 | int ret; |
wolfSSL | 15:117db924cf7c | 8112 | |
wolfSSL | 15:117db924cf7c | 8113 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8114 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8115 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 8116 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 8117 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8118 | |
wolfSSL | 15:117db924cf7c | 8119 | if (secretSz == 0) { |
wolfSSL | 15:117db924cf7c | 8120 | #if !defined(NO_SHA) && defined(NO_SHA256) |
wolfSSL | 15:117db924cf7c | 8121 | secretSz = WC_SHA_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 8122 | #endif /* NO_SHA */ |
wolfSSL | 15:117db924cf7c | 8123 | #ifndef NO_SHA256 |
wolfSSL | 15:117db924cf7c | 8124 | secretSz = WC_SHA256_DIGEST_SIZE; |
wolfSSL | 15:117db924cf7c | 8125 | #endif /* NO_SHA256 */ |
wolfSSL | 15:117db924cf7c | 8126 | } |
wolfSSL | 15:117db924cf7c | 8127 | |
wolfSSL | 15:117db924cf7c | 8128 | if (secretSz != ssl->buffers.tls13CookieSecret.length) { |
wolfSSL | 15:117db924cf7c | 8129 | byte* newSecret; |
wolfSSL | 15:117db924cf7c | 8130 | |
wolfSSL | 15:117db924cf7c | 8131 | if (ssl->buffers.tls13CookieSecret.buffer != NULL) { |
wolfSSL | 15:117db924cf7c | 8132 | ForceZero(ssl->buffers.tls13CookieSecret.buffer, |
wolfSSL | 15:117db924cf7c | 8133 | ssl->buffers.tls13CookieSecret.length); |
wolfSSL | 15:117db924cf7c | 8134 | XFREE(ssl->buffers.tls13CookieSecret.buffer, |
wolfSSL | 15:117db924cf7c | 8135 | ssl->heap, DYNAMIC_TYPE_COOKIE_PWD); |
wolfSSL | 15:117db924cf7c | 8136 | } |
wolfSSL | 15:117db924cf7c | 8137 | |
wolfSSL | 15:117db924cf7c | 8138 | newSecret = (byte*)XMALLOC(secretSz, ssl->heap, |
wolfSSL | 15:117db924cf7c | 8139 | DYNAMIC_TYPE_COOKIE_PWD); |
wolfSSL | 15:117db924cf7c | 8140 | if (newSecret == NULL) { |
wolfSSL | 15:117db924cf7c | 8141 | ssl->buffers.tls13CookieSecret.buffer = NULL; |
wolfSSL | 15:117db924cf7c | 8142 | ssl->buffers.tls13CookieSecret.length = 0; |
wolfSSL | 15:117db924cf7c | 8143 | WOLFSSL_MSG("couldn't allocate new cookie secret"); |
wolfSSL | 15:117db924cf7c | 8144 | return MEMORY_ERROR; |
wolfSSL | 15:117db924cf7c | 8145 | } |
wolfSSL | 15:117db924cf7c | 8146 | ssl->buffers.tls13CookieSecret.buffer = newSecret; |
wolfSSL | 15:117db924cf7c | 8147 | ssl->buffers.tls13CookieSecret.length = secretSz; |
wolfSSL | 15:117db924cf7c | 8148 | } |
wolfSSL | 15:117db924cf7c | 8149 | |
wolfSSL | 15:117db924cf7c | 8150 | /* If the supplied secret is NULL, randomly generate a new secret. */ |
wolfSSL | 15:117db924cf7c | 8151 | if (secret == NULL) { |
wolfSSL | 15:117db924cf7c | 8152 | ret = wc_RNG_GenerateBlock(ssl->rng, |
wolfSSL | 15:117db924cf7c | 8153 | ssl->buffers.tls13CookieSecret.buffer, secretSz); |
wolfSSL | 15:117db924cf7c | 8154 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 8155 | return ret; |
wolfSSL | 15:117db924cf7c | 8156 | } |
wolfSSL | 15:117db924cf7c | 8157 | else |
wolfSSL | 15:117db924cf7c | 8158 | XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz); |
wolfSSL | 15:117db924cf7c | 8159 | |
wolfSSL | 15:117db924cf7c | 8160 | ssl->options.sendCookie = 1; |
wolfSSL | 15:117db924cf7c | 8161 | |
wolfSSL | 15:117db924cf7c | 8162 | ret = WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8163 | #else |
wolfSSL | 15:117db924cf7c | 8164 | (void)secret; |
wolfSSL | 15:117db924cf7c | 8165 | (void)secretSz; |
wolfSSL | 15:117db924cf7c | 8166 | |
wolfSSL | 15:117db924cf7c | 8167 | ret = SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8168 | #endif |
wolfSSL | 15:117db924cf7c | 8169 | |
wolfSSL | 15:117db924cf7c | 8170 | return ret; |
wolfSSL | 15:117db924cf7c | 8171 | } |
wolfSSL | 15:117db924cf7c | 8172 | #endif |
wolfSSL | 15:117db924cf7c | 8173 | |
wolfSSL | 15:117db924cf7c | 8174 | /* Create a key share entry from group. |
wolfSSL | 15:117db924cf7c | 8175 | * Generates a key pair. |
wolfSSL | 15:117db924cf7c | 8176 | * |
wolfSSL | 15:117db924cf7c | 8177 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8178 | * group The named group. |
wolfSSL | 15:117db924cf7c | 8179 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 8180 | */ |
wolfSSL | 15:117db924cf7c | 8181 | int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group) |
wolfSSL | 15:117db924cf7c | 8182 | { |
wolfSSL | 15:117db924cf7c | 8183 | int ret; |
wolfSSL | 15:117db924cf7c | 8184 | |
wolfSSL | 15:117db924cf7c | 8185 | if (ssl == NULL) |
wolfSSL | 15:117db924cf7c | 8186 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8187 | |
wolfSSL | 15:117db924cf7c | 8188 | ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL); |
wolfSSL | 15:117db924cf7c | 8189 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 8190 | return ret; |
wolfSSL | 15:117db924cf7c | 8191 | |
wolfSSL | 15:117db924cf7c | 8192 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8193 | } |
wolfSSL | 15:117db924cf7c | 8194 | |
wolfSSL | 15:117db924cf7c | 8195 | /* Send no key share entries - use HelloRetryRequest to negotiate shared group. |
wolfSSL | 15:117db924cf7c | 8196 | * |
wolfSSL | 15:117db924cf7c | 8197 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8198 | * returns 0 on success, otherwise failure. |
wolfSSL | 15:117db924cf7c | 8199 | */ |
wolfSSL | 15:117db924cf7c | 8200 | int wolfSSL_NoKeyShares(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 8201 | { |
wolfSSL | 15:117db924cf7c | 8202 | int ret; |
wolfSSL | 15:117db924cf7c | 8203 | |
wolfSSL | 15:117db924cf7c | 8204 | if (ssl == NULL) |
wolfSSL | 15:117db924cf7c | 8205 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8206 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 8207 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8208 | |
wolfSSL | 15:117db924cf7c | 8209 | ret = TLSX_KeyShare_Empty(ssl); |
wolfSSL | 15:117db924cf7c | 8210 | if (ret != 0) |
wolfSSL | 15:117db924cf7c | 8211 | return ret; |
wolfSSL | 15:117db924cf7c | 8212 | |
wolfSSL | 15:117db924cf7c | 8213 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8214 | } |
wolfSSL | 15:117db924cf7c | 8215 | |
wolfSSL | 15:117db924cf7c | 8216 | /* Do not send a ticket after TLS v1.3 handshake for resumption. |
wolfSSL | 15:117db924cf7c | 8217 | * |
wolfSSL | 15:117db924cf7c | 8218 | * ctx The SSL/TLS CTX object. |
wolfSSL | 15:117db924cf7c | 8219 | * returns BAD_FUNC_ARG when ctx is NULL and 0 on success. |
wolfSSL | 15:117db924cf7c | 8220 | */ |
wolfSSL | 15:117db924cf7c | 8221 | int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx) |
wolfSSL | 15:117db924cf7c | 8222 | { |
wolfSSL | 15:117db924cf7c | 8223 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 8224 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8225 | if (ctx->method->side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 8226 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8227 | |
wolfSSL | 15:117db924cf7c | 8228 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 8229 | ctx->noTicketTls13 = 1; |
wolfSSL | 15:117db924cf7c | 8230 | #endif |
wolfSSL | 15:117db924cf7c | 8231 | |
wolfSSL | 15:117db924cf7c | 8232 | return 0; |
wolfSSL | 15:117db924cf7c | 8233 | } |
wolfSSL | 15:117db924cf7c | 8234 | |
wolfSSL | 15:117db924cf7c | 8235 | /* Do not send a ticket after TLS v1.3 handshake for resumption. |
wolfSSL | 15:117db924cf7c | 8236 | * |
wolfSSL | 15:117db924cf7c | 8237 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8238 | * returns BAD_FUNC_ARG when ssl is NULL, not using TLS v1.3, or called on |
wolfSSL | 15:117db924cf7c | 8239 | * a client and 0 on success. |
wolfSSL | 15:117db924cf7c | 8240 | */ |
wolfSSL | 15:117db924cf7c | 8241 | int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 8242 | { |
wolfSSL | 15:117db924cf7c | 8243 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8244 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8245 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 8246 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8247 | |
wolfSSL | 15:117db924cf7c | 8248 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 8249 | ssl->options.noTicketTls13 = 1; |
wolfSSL | 15:117db924cf7c | 8250 | #endif |
wolfSSL | 15:117db924cf7c | 8251 | |
wolfSSL | 15:117db924cf7c | 8252 | return 0; |
wolfSSL | 15:117db924cf7c | 8253 | } |
wolfSSL | 15:117db924cf7c | 8254 | |
wolfSSL | 15:117db924cf7c | 8255 | /* Disallow (EC)DHE key exchange when using pre-shared keys. |
wolfSSL | 15:117db924cf7c | 8256 | * |
wolfSSL | 15:117db924cf7c | 8257 | * ctx The SSL/TLS CTX object. |
wolfSSL | 15:117db924cf7c | 8258 | * returns BAD_FUNC_ARG when ctx is NULL and 0 on success. |
wolfSSL | 15:117db924cf7c | 8259 | */ |
wolfSSL | 15:117db924cf7c | 8260 | int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx) |
wolfSSL | 15:117db924cf7c | 8261 | { |
wolfSSL | 15:117db924cf7c | 8262 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 8263 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8264 | |
wolfSSL | 15:117db924cf7c | 8265 | ctx->noPskDheKe = 1; |
wolfSSL | 15:117db924cf7c | 8266 | |
wolfSSL | 15:117db924cf7c | 8267 | return 0; |
wolfSSL | 15:117db924cf7c | 8268 | } |
wolfSSL | 15:117db924cf7c | 8269 | |
wolfSSL | 15:117db924cf7c | 8270 | /* Disallow (EC)DHE key exchange when using pre-shared keys. |
wolfSSL | 15:117db924cf7c | 8271 | * |
wolfSSL | 15:117db924cf7c | 8272 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8273 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on |
wolfSSL | 15:117db924cf7c | 8274 | * success. |
wolfSSL | 15:117db924cf7c | 8275 | */ |
wolfSSL | 15:117db924cf7c | 8276 | int wolfSSL_no_dhe_psk(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 8277 | { |
wolfSSL | 15:117db924cf7c | 8278 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8279 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8280 | |
wolfSSL | 15:117db924cf7c | 8281 | ssl->options.noPskDheKe = 1; |
wolfSSL | 15:117db924cf7c | 8282 | |
wolfSSL | 15:117db924cf7c | 8283 | return 0; |
wolfSSL | 15:117db924cf7c | 8284 | } |
wolfSSL | 15:117db924cf7c | 8285 | |
wolfSSL | 15:117db924cf7c | 8286 | /* Update the keys for encryption and decryption. |
wolfSSL | 15:117db924cf7c | 8287 | * If using non-blocking I/O and WOLFSSL_ERROR_WANT_WRITE is returned then |
wolfSSL | 15:117db924cf7c | 8288 | * calling wolfSSL_write() will have the message sent when ready. |
wolfSSL | 15:117db924cf7c | 8289 | * |
wolfSSL | 15:117db924cf7c | 8290 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8291 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
wolfSSL | 15:117db924cf7c | 8292 | * WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write, |
wolfSSL | 15:117db924cf7c | 8293 | * WOLFSSL_SUCCESS on success and otherwise failure. |
wolfSSL | 15:117db924cf7c | 8294 | */ |
wolfSSL | 15:117db924cf7c | 8295 | int wolfSSL_update_keys(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 8296 | { |
wolfSSL | 15:117db924cf7c | 8297 | int ret; |
wolfSSL | 15:117db924cf7c | 8298 | |
wolfSSL | 15:117db924cf7c | 8299 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8300 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8301 | |
wolfSSL | 15:117db924cf7c | 8302 | ret = SendTls13KeyUpdate(ssl); |
wolfSSL | 15:117db924cf7c | 8303 | if (ret == WANT_WRITE) |
wolfSSL | 15:117db924cf7c | 8304 | ret = WOLFSSL_ERROR_WANT_WRITE; |
wolfSSL | 15:117db924cf7c | 8305 | else if (ret == 0) |
wolfSSL | 15:117db924cf7c | 8306 | ret = WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8307 | return ret; |
wolfSSL | 15:117db924cf7c | 8308 | } |
wolfSSL | 15:117db924cf7c | 8309 | |
wolfSSL | 15:117db924cf7c | 8310 | #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) |
wolfSSL | 15:117db924cf7c | 8311 | /* Allow post-handshake authentication in TLS v1.3 connections. |
wolfSSL | 15:117db924cf7c | 8312 | * |
wolfSSL | 15:117db924cf7c | 8313 | * ctx The SSL/TLS CTX object. |
wolfSSL | 15:117db924cf7c | 8314 | * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a client and |
wolfSSL | 15:117db924cf7c | 8315 | * 0 on success. |
wolfSSL | 15:117db924cf7c | 8316 | */ |
wolfSSL | 15:117db924cf7c | 8317 | int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx) |
wolfSSL | 15:117db924cf7c | 8318 | { |
wolfSSL | 15:117db924cf7c | 8319 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 8320 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8321 | if (ctx->method->side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 8322 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8323 | |
wolfSSL | 15:117db924cf7c | 8324 | ctx->postHandshakeAuth = 1; |
wolfSSL | 15:117db924cf7c | 8325 | |
wolfSSL | 15:117db924cf7c | 8326 | return 0; |
wolfSSL | 15:117db924cf7c | 8327 | } |
wolfSSL | 15:117db924cf7c | 8328 | |
wolfSSL | 15:117db924cf7c | 8329 | /* Allow post-handshake authentication in TLS v1.3 connection. |
wolfSSL | 15:117db924cf7c | 8330 | * |
wolfSSL | 15:117db924cf7c | 8331 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8332 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
wolfSSL | 15:117db924cf7c | 8333 | * SIDE_ERROR when not a client and 0 on success. |
wolfSSL | 15:117db924cf7c | 8334 | */ |
wolfSSL | 15:117db924cf7c | 8335 | int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 8336 | { |
wolfSSL | 15:117db924cf7c | 8337 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8338 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8339 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 8340 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8341 | |
wolfSSL | 15:117db924cf7c | 8342 | ssl->options.postHandshakeAuth = 1; |
wolfSSL | 15:117db924cf7c | 8343 | |
wolfSSL | 15:117db924cf7c | 8344 | return 0; |
wolfSSL | 15:117db924cf7c | 8345 | } |
wolfSSL | 15:117db924cf7c | 8346 | |
wolfSSL | 15:117db924cf7c | 8347 | /* Request a certificate of the client. |
wolfSSL | 15:117db924cf7c | 8348 | * Can be called any time after handshake completion. |
wolfSSL | 15:117db924cf7c | 8349 | * A maximum of 256 requests can be sent on a connection. |
wolfSSL | 15:117db924cf7c | 8350 | * |
wolfSSL | 15:117db924cf7c | 8351 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8352 | */ |
wolfSSL | 15:117db924cf7c | 8353 | int wolfSSL_request_certificate(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 8354 | { |
wolfSSL | 15:117db924cf7c | 8355 | int ret; |
wolfSSL | 15:117db924cf7c | 8356 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 8357 | CertReqCtx* certReqCtx; |
wolfSSL | 15:117db924cf7c | 8358 | #endif |
wolfSSL | 15:117db924cf7c | 8359 | |
wolfSSL | 15:117db924cf7c | 8360 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8361 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8362 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 8363 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 8364 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8365 | if (ssl->options.handShakeState != HANDSHAKE_DONE) |
wolfSSL | 15:117db924cf7c | 8366 | return NOT_READY_ERROR; |
wolfSSL | 15:117db924cf7c | 8367 | if (!ssl->options.postHandshakeAuth) |
wolfSSL | 15:117db924cf7c | 8368 | return POST_HAND_AUTH_ERROR; |
wolfSSL | 15:117db924cf7c | 8369 | |
wolfSSL | 15:117db924cf7c | 8370 | certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap, |
wolfSSL | 15:117db924cf7c | 8371 | DYNAMIC_TYPE_TMP_BUFFER); |
wolfSSL | 15:117db924cf7c | 8372 | if (certReqCtx == NULL) |
wolfSSL | 15:117db924cf7c | 8373 | return MEMORY_E; |
wolfSSL | 15:117db924cf7c | 8374 | XMEMSET(certReqCtx, 0, sizeof(CertReqCtx)); |
wolfSSL | 15:117db924cf7c | 8375 | certReqCtx->next = ssl->certReqCtx; |
wolfSSL | 15:117db924cf7c | 8376 | certReqCtx->len = 1; |
wolfSSL | 15:117db924cf7c | 8377 | if (certReqCtx->next != NULL) |
wolfSSL | 15:117db924cf7c | 8378 | certReqCtx->ctx = certReqCtx->next->ctx + 1; |
wolfSSL | 15:117db924cf7c | 8379 | ssl->certReqCtx = certReqCtx; |
wolfSSL | 15:117db924cf7c | 8380 | |
wolfSSL | 15:117db924cf7c | 8381 | ssl->msgsReceived.got_certificate = 0; |
wolfSSL | 15:117db924cf7c | 8382 | ssl->msgsReceived.got_certificate_verify = 0; |
wolfSSL | 15:117db924cf7c | 8383 | ssl->msgsReceived.got_finished = 0; |
wolfSSL | 15:117db924cf7c | 8384 | |
wolfSSL | 15:117db924cf7c | 8385 | ret = SendTls13CertificateRequest(ssl, &certReqCtx->ctx, certReqCtx->len); |
wolfSSL | 15:117db924cf7c | 8386 | if (ret == WANT_WRITE) |
wolfSSL | 15:117db924cf7c | 8387 | ret = WOLFSSL_ERROR_WANT_WRITE; |
wolfSSL | 15:117db924cf7c | 8388 | else if (ret == 0) |
wolfSSL | 15:117db924cf7c | 8389 | ret = WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8390 | #else |
wolfSSL | 15:117db924cf7c | 8391 | ret = SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8392 | #endif |
wolfSSL | 15:117db924cf7c | 8393 | |
wolfSSL | 15:117db924cf7c | 8394 | return ret; |
wolfSSL | 15:117db924cf7c | 8395 | } |
wolfSSL | 15:117db924cf7c | 8396 | #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */ |
wolfSSL | 15:117db924cf7c | 8397 | |
wolfSSL | 15:117db924cf7c | 8398 | #if !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) |
wolfSSL | 15:117db924cf7c | 8399 | /* Get the preferred key exchange group. |
wolfSSL | 15:117db924cf7c | 8400 | * |
wolfSSL | 15:117db924cf7c | 8401 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8402 | * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, |
wolfSSL | 15:117db924cf7c | 8403 | * SIDE_ERROR when not a client, NOT_READY_ERROR when handshake not complete |
wolfSSL | 15:117db924cf7c | 8404 | * and group number on success. |
wolfSSL | 15:117db924cf7c | 8405 | */ |
wolfSSL | 15:117db924cf7c | 8406 | int wolfSSL_preferred_group(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 8407 | { |
wolfSSL | 15:117db924cf7c | 8408 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8409 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8410 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 8411 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 8412 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8413 | if (ssl->options.handShakeState != HANDSHAKE_DONE) |
wolfSSL | 15:117db924cf7c | 8414 | return NOT_READY_ERROR; |
wolfSSL | 15:117db924cf7c | 8415 | |
wolfSSL | 15:117db924cf7c | 8416 | /* Return supported groups only. */ |
wolfSSL | 15:117db924cf7c | 8417 | return TLSX_SupportedCurve_Preferred(ssl, 1); |
wolfSSL | 15:117db924cf7c | 8418 | #else |
wolfSSL | 15:117db924cf7c | 8419 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8420 | #endif |
wolfSSL | 15:117db924cf7c | 8421 | } |
wolfSSL | 15:117db924cf7c | 8422 | #endif |
wolfSSL | 15:117db924cf7c | 8423 | |
wolfSSL | 15:117db924cf7c | 8424 | /* Sets the key exchange groups in rank order on a context. |
wolfSSL | 15:117db924cf7c | 8425 | * |
wolfSSL | 15:117db924cf7c | 8426 | * ctx SSL/TLS context object. |
wolfSSL | 15:117db924cf7c | 8427 | * groups Array of groups. |
wolfSSL | 15:117db924cf7c | 8428 | * count Number of groups in array. |
wolfSSL | 15:117db924cf7c | 8429 | * returns BAD_FUNC_ARG when ctx or groups is NULL, not using TLS v1.3 or |
wolfSSL | 15:117db924cf7c | 8430 | * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success. |
wolfSSL | 15:117db924cf7c | 8431 | */ |
wolfSSL | 15:117db924cf7c | 8432 | int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) |
wolfSSL | 15:117db924cf7c | 8433 | { |
wolfSSL | 15:117db924cf7c | 8434 | int i; |
wolfSSL | 15:117db924cf7c | 8435 | |
wolfSSL | 15:117db924cf7c | 8436 | if (ctx == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) |
wolfSSL | 15:117db924cf7c | 8437 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8438 | if (!IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 8439 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8440 | |
wolfSSL | 15:117db924cf7c | 8441 | for (i = 0; i < count; i++) |
wolfSSL | 15:117db924cf7c | 8442 | ctx->group[i] = (word16)groups[i]; |
wolfSSL | 15:117db924cf7c | 8443 | ctx->numGroups = (byte)count; |
wolfSSL | 15:117db924cf7c | 8444 | |
wolfSSL | 15:117db924cf7c | 8445 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8446 | } |
wolfSSL | 15:117db924cf7c | 8447 | |
wolfSSL | 15:117db924cf7c | 8448 | /* Sets the key exchange groups in rank order. |
wolfSSL | 15:117db924cf7c | 8449 | * |
wolfSSL | 15:117db924cf7c | 8450 | * ssl SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8451 | * groups Array of groups. |
wolfSSL | 15:117db924cf7c | 8452 | * count Number of groups in array. |
wolfSSL | 15:117db924cf7c | 8453 | * returns BAD_FUNC_ARG when ssl or groups is NULL, not using TLS v1.3 or |
wolfSSL | 15:117db924cf7c | 8454 | * count is greater than WOLFSSL_MAX_GROUP_COUNT and WOLFSSL_SUCCESS on success. |
wolfSSL | 15:117db924cf7c | 8455 | */ |
wolfSSL | 15:117db924cf7c | 8456 | int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) |
wolfSSL | 15:117db924cf7c | 8457 | { |
wolfSSL | 15:117db924cf7c | 8458 | int i; |
wolfSSL | 15:117db924cf7c | 8459 | |
wolfSSL | 15:117db924cf7c | 8460 | if (ssl == NULL || groups == NULL || count > WOLFSSL_MAX_GROUP_COUNT) |
wolfSSL | 15:117db924cf7c | 8461 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8462 | if (!IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8463 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8464 | |
wolfSSL | 15:117db924cf7c | 8465 | for (i = 0; i < count; i++) |
wolfSSL | 15:117db924cf7c | 8466 | ssl->group[i] = (word16)groups[i]; |
wolfSSL | 15:117db924cf7c | 8467 | ssl->numGroups = (byte)count; |
wolfSSL | 15:117db924cf7c | 8468 | |
wolfSSL | 15:117db924cf7c | 8469 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8470 | } |
wolfSSL | 15:117db924cf7c | 8471 | |
wolfSSL | 16:8e0d178b1d1e | 8472 | #ifndef NO_PSK |
wolfSSL | 16:8e0d178b1d1e | 8473 | void wolfSSL_CTX_set_psk_client_tls13_callback(WOLFSSL_CTX* ctx, |
wolfSSL | 16:8e0d178b1d1e | 8474 | wc_psk_client_tls13_callback cb) |
wolfSSL | 16:8e0d178b1d1e | 8475 | { |
wolfSSL | 16:8e0d178b1d1e | 8476 | WOLFSSL_ENTER("SSL_CTX_set_psk_client_tls13_callback"); |
wolfSSL | 16:8e0d178b1d1e | 8477 | |
wolfSSL | 16:8e0d178b1d1e | 8478 | if (ctx == NULL) |
wolfSSL | 16:8e0d178b1d1e | 8479 | return; |
wolfSSL | 16:8e0d178b1d1e | 8480 | |
wolfSSL | 16:8e0d178b1d1e | 8481 | ctx->havePSK = 1; |
wolfSSL | 16:8e0d178b1d1e | 8482 | ctx->client_psk_tls13_cb = cb; |
wolfSSL | 16:8e0d178b1d1e | 8483 | } |
wolfSSL | 16:8e0d178b1d1e | 8484 | |
wolfSSL | 16:8e0d178b1d1e | 8485 | |
wolfSSL | 16:8e0d178b1d1e | 8486 | void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl, |
wolfSSL | 16:8e0d178b1d1e | 8487 | wc_psk_client_tls13_callback cb) |
wolfSSL | 16:8e0d178b1d1e | 8488 | { |
wolfSSL | 16:8e0d178b1d1e | 8489 | byte haveRSA = 1; |
wolfSSL | 16:8e0d178b1d1e | 8490 | int keySz = 0; |
wolfSSL | 16:8e0d178b1d1e | 8491 | |
wolfSSL | 16:8e0d178b1d1e | 8492 | WOLFSSL_ENTER("SSL_set_psk_client_tls13_callback"); |
wolfSSL | 16:8e0d178b1d1e | 8493 | |
wolfSSL | 16:8e0d178b1d1e | 8494 | if (ssl == NULL) |
wolfSSL | 16:8e0d178b1d1e | 8495 | return; |
wolfSSL | 16:8e0d178b1d1e | 8496 | |
wolfSSL | 16:8e0d178b1d1e | 8497 | ssl->options.havePSK = 1; |
wolfSSL | 16:8e0d178b1d1e | 8498 | ssl->options.client_psk_tls13_cb = cb; |
wolfSSL | 16:8e0d178b1d1e | 8499 | |
wolfSSL | 16:8e0d178b1d1e | 8500 | #ifdef NO_RSA |
wolfSSL | 16:8e0d178b1d1e | 8501 | haveRSA = 0; |
wolfSSL | 16:8e0d178b1d1e | 8502 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8503 | #ifndef NO_CERTS |
wolfSSL | 16:8e0d178b1d1e | 8504 | keySz = ssl->buffers.keySz; |
wolfSSL | 16:8e0d178b1d1e | 8505 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8506 | InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, |
wolfSSL | 16:8e0d178b1d1e | 8507 | ssl->options.haveDH, ssl->options.haveNTRU, |
wolfSSL | 16:8e0d178b1d1e | 8508 | ssl->options.haveECDSAsig, ssl->options.haveECC, |
wolfSSL | 16:8e0d178b1d1e | 8509 | ssl->options.haveStaticECC, ssl->options.side); |
wolfSSL | 16:8e0d178b1d1e | 8510 | } |
wolfSSL | 16:8e0d178b1d1e | 8511 | |
wolfSSL | 16:8e0d178b1d1e | 8512 | |
wolfSSL | 16:8e0d178b1d1e | 8513 | void wolfSSL_CTX_set_psk_server_tls13_callback(WOLFSSL_CTX* ctx, |
wolfSSL | 16:8e0d178b1d1e | 8514 | wc_psk_server_tls13_callback cb) |
wolfSSL | 16:8e0d178b1d1e | 8515 | { |
wolfSSL | 16:8e0d178b1d1e | 8516 | WOLFSSL_ENTER("SSL_CTX_set_psk_server_tls13_callback"); |
wolfSSL | 16:8e0d178b1d1e | 8517 | if (ctx == NULL) |
wolfSSL | 16:8e0d178b1d1e | 8518 | return; |
wolfSSL | 16:8e0d178b1d1e | 8519 | ctx->havePSK = 1; |
wolfSSL | 16:8e0d178b1d1e | 8520 | ctx->server_psk_tls13_cb = cb; |
wolfSSL | 16:8e0d178b1d1e | 8521 | } |
wolfSSL | 16:8e0d178b1d1e | 8522 | |
wolfSSL | 16:8e0d178b1d1e | 8523 | |
wolfSSL | 16:8e0d178b1d1e | 8524 | void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl, |
wolfSSL | 16:8e0d178b1d1e | 8525 | wc_psk_server_tls13_callback cb) |
wolfSSL | 16:8e0d178b1d1e | 8526 | { |
wolfSSL | 16:8e0d178b1d1e | 8527 | byte haveRSA = 1; |
wolfSSL | 16:8e0d178b1d1e | 8528 | int keySz = 0; |
wolfSSL | 16:8e0d178b1d1e | 8529 | |
wolfSSL | 16:8e0d178b1d1e | 8530 | WOLFSSL_ENTER("SSL_set_psk_server_tls13_callback"); |
wolfSSL | 16:8e0d178b1d1e | 8531 | if (ssl == NULL) |
wolfSSL | 16:8e0d178b1d1e | 8532 | return; |
wolfSSL | 16:8e0d178b1d1e | 8533 | |
wolfSSL | 16:8e0d178b1d1e | 8534 | ssl->options.havePSK = 1; |
wolfSSL | 16:8e0d178b1d1e | 8535 | ssl->options.server_psk_tls13_cb = cb; |
wolfSSL | 16:8e0d178b1d1e | 8536 | |
wolfSSL | 16:8e0d178b1d1e | 8537 | #ifdef NO_RSA |
wolfSSL | 16:8e0d178b1d1e | 8538 | haveRSA = 0; |
wolfSSL | 16:8e0d178b1d1e | 8539 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8540 | #ifndef NO_CERTS |
wolfSSL | 16:8e0d178b1d1e | 8541 | keySz = ssl->buffers.keySz; |
wolfSSL | 16:8e0d178b1d1e | 8542 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8543 | InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, |
wolfSSL | 16:8e0d178b1d1e | 8544 | ssl->options.haveDH, ssl->options.haveNTRU, |
wolfSSL | 16:8e0d178b1d1e | 8545 | ssl->options.haveECDSAsig, ssl->options.haveECC, |
wolfSSL | 16:8e0d178b1d1e | 8546 | ssl->options.haveStaticECC, ssl->options.side); |
wolfSSL | 16:8e0d178b1d1e | 8547 | } |
wolfSSL | 16:8e0d178b1d1e | 8548 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8549 | |
wolfSSL | 16:8e0d178b1d1e | 8550 | |
wolfSSL | 15:117db924cf7c | 8551 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 8552 | /* The server accepting a connection from a client. |
wolfSSL | 15:117db924cf7c | 8553 | * The protocol version is expecting to be TLS v1.3. |
wolfSSL | 15:117db924cf7c | 8554 | * If the client downgrades, and older versions of the protocol are compiled |
wolfSSL | 15:117db924cf7c | 8555 | * in, the server will fallback to wolfSSL_accept(). |
wolfSSL | 15:117db924cf7c | 8556 | * Please see note at top of README if you get an error from accept. |
wolfSSL | 15:117db924cf7c | 8557 | * |
wolfSSL | 15:117db924cf7c | 8558 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8559 | * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when |
wolfSSL | 15:117db924cf7c | 8560 | * unrecoverable error occurs and 0 otherwise. |
wolfSSL | 15:117db924cf7c | 8561 | * For more error information use wolfSSL_get_error(). |
wolfSSL | 15:117db924cf7c | 8562 | */ |
wolfSSL | 15:117db924cf7c | 8563 | int wolfSSL_accept_TLSv13(WOLFSSL* ssl) |
wolfSSL | 15:117db924cf7c | 8564 | { |
wolfSSL | 15:117db924cf7c | 8565 | word16 havePSK = 0; |
wolfSSL | 15:117db924cf7c | 8566 | WOLFSSL_ENTER("SSL_accept_TLSv13()"); |
wolfSSL | 15:117db924cf7c | 8567 | |
wolfSSL | 15:117db924cf7c | 8568 | #ifdef HAVE_ERRNO_H |
wolfSSL | 15:117db924cf7c | 8569 | errno = 0; |
wolfSSL | 15:117db924cf7c | 8570 | #endif |
wolfSSL | 15:117db924cf7c | 8571 | |
wolfSSL | 15:117db924cf7c | 8572 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
wolfSSL | 15:117db924cf7c | 8573 | havePSK = ssl->options.havePSK; |
wolfSSL | 15:117db924cf7c | 8574 | #endif |
wolfSSL | 15:117db924cf7c | 8575 | (void)havePSK; |
wolfSSL | 15:117db924cf7c | 8576 | |
wolfSSL | 15:117db924cf7c | 8577 | if (ssl->options.side != WOLFSSL_SERVER_END) { |
wolfSSL | 15:117db924cf7c | 8578 | WOLFSSL_ERROR(ssl->error = SIDE_ERROR); |
wolfSSL | 15:117db924cf7c | 8579 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8580 | } |
wolfSSL | 15:117db924cf7c | 8581 | |
wolfSSL | 15:117db924cf7c | 8582 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 8583 | /* allow no private key if using PK callbacks and CB is set */ |
wolfSSL | 15:117db924cf7c | 8584 | if (!havePSK) { |
wolfSSL | 15:117db924cf7c | 8585 | if (!ssl->buffers.certificate || |
wolfSSL | 15:117db924cf7c | 8586 | !ssl->buffers.certificate->buffer) { |
wolfSSL | 15:117db924cf7c | 8587 | |
wolfSSL | 15:117db924cf7c | 8588 | WOLFSSL_MSG("accept error: server cert required"); |
wolfSSL | 15:117db924cf7c | 8589 | WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY); |
wolfSSL | 15:117db924cf7c | 8590 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8591 | } |
wolfSSL | 15:117db924cf7c | 8592 | |
wolfSSL | 15:117db924cf7c | 8593 | #ifdef HAVE_PK_CALLBACKS |
wolfSSL | 15:117db924cf7c | 8594 | if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) { |
wolfSSL | 15:117db924cf7c | 8595 | WOLFSSL_MSG("Using PK for server private key"); |
wolfSSL | 15:117db924cf7c | 8596 | } |
wolfSSL | 15:117db924cf7c | 8597 | else |
wolfSSL | 15:117db924cf7c | 8598 | #endif |
wolfSSL | 15:117db924cf7c | 8599 | if (!ssl->buffers.key || !ssl->buffers.key->buffer) { |
wolfSSL | 15:117db924cf7c | 8600 | WOLFSSL_MSG("accept error: server key required"); |
wolfSSL | 15:117db924cf7c | 8601 | WOLFSSL_ERROR(ssl->error = NO_PRIVATE_KEY); |
wolfSSL | 15:117db924cf7c | 8602 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8603 | } |
wolfSSL | 15:117db924cf7c | 8604 | } |
wolfSSL | 15:117db924cf7c | 8605 | #endif |
wolfSSL | 15:117db924cf7c | 8606 | |
wolfSSL | 16:8e0d178b1d1e | 8607 | if (ssl->buffers.outputBuffer.length > 0 |
wolfSSL | 16:8e0d178b1d1e | 8608 | #ifdef WOLFSSL_ASYNC_CRYPT |
wolfSSL | 16:8e0d178b1d1e | 8609 | /* do not send buffered or advance state if last error was an |
wolfSSL | 16:8e0d178b1d1e | 8610 | async pending operation */ |
wolfSSL | 16:8e0d178b1d1e | 8611 | && ssl->error != WC_PENDING_E |
wolfSSL | 16:8e0d178b1d1e | 8612 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8613 | ) { |
wolfSSL | 15:117db924cf7c | 8614 | if ((ssl->error = SendBuffered(ssl)) == 0) { |
wolfSSL | 15:117db924cf7c | 8615 | /* fragOffset is non-zero when sending fragments. On the last |
wolfSSL | 15:117db924cf7c | 8616 | * fragment, fragOffset is zero again, and the state can be |
wolfSSL | 15:117db924cf7c | 8617 | * advanced. */ |
wolfSSL | 15:117db924cf7c | 8618 | if (ssl->fragOffset == 0) { |
wolfSSL | 15:117db924cf7c | 8619 | ssl->options.acceptState++; |
wolfSSL | 15:117db924cf7c | 8620 | WOLFSSL_MSG("accept state: " |
wolfSSL | 15:117db924cf7c | 8621 | "Advanced from last buffered fragment send"); |
wolfSSL | 15:117db924cf7c | 8622 | } |
wolfSSL | 15:117db924cf7c | 8623 | else { |
wolfSSL | 15:117db924cf7c | 8624 | WOLFSSL_MSG("accept state: " |
wolfSSL | 15:117db924cf7c | 8625 | "Not advanced, more fragments to send"); |
wolfSSL | 15:117db924cf7c | 8626 | } |
wolfSSL | 15:117db924cf7c | 8627 | } |
wolfSSL | 15:117db924cf7c | 8628 | else { |
wolfSSL | 15:117db924cf7c | 8629 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8630 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8631 | } |
wolfSSL | 15:117db924cf7c | 8632 | } |
wolfSSL | 15:117db924cf7c | 8633 | |
wolfSSL | 15:117db924cf7c | 8634 | switch (ssl->options.acceptState) { |
wolfSSL | 15:117db924cf7c | 8635 | |
wolfSSL | 16:8e0d178b1d1e | 8636 | #ifdef HAVE_SECURE_RENEGOTIATION |
wolfSSL | 16:8e0d178b1d1e | 8637 | case TLS13_ACCEPT_BEGIN_RENEG: |
wolfSSL | 16:8e0d178b1d1e | 8638 | #endif |
wolfSSL | 15:117db924cf7c | 8639 | case TLS13_ACCEPT_BEGIN : |
wolfSSL | 15:117db924cf7c | 8640 | /* get client_hello */ |
wolfSSL | 15:117db924cf7c | 8641 | while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8642 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 8643 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8644 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8645 | } |
wolfSSL | 15:117db924cf7c | 8646 | } |
wolfSSL | 15:117db924cf7c | 8647 | |
wolfSSL | 15:117db924cf7c | 8648 | ssl->options.acceptState = TLS13_ACCEPT_CLIENT_HELLO_DONE; |
wolfSSL | 15:117db924cf7c | 8649 | WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE"); |
wolfSSL | 16:8e0d178b1d1e | 8650 | if (!IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 16:8e0d178b1d1e | 8651 | return wolfSSL_accept(ssl); |
wolfSSL | 15:117db924cf7c | 8652 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8653 | |
wolfSSL | 15:117db924cf7c | 8654 | case TLS13_ACCEPT_CLIENT_HELLO_DONE : |
wolfSSL | 15:117db924cf7c | 8655 | #ifdef WOLFSSL_TLS13_DRAFT_18 |
wolfSSL | 15:117db924cf7c | 8656 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 8657 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8658 | if ((ssl->error = SendTls13HelloRetryRequest(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8659 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8660 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8661 | } |
wolfSSL | 15:117db924cf7c | 8662 | } |
wolfSSL | 15:117db924cf7c | 8663 | |
wolfSSL | 15:117db924cf7c | 8664 | ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 8665 | WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 8666 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8667 | |
wolfSSL | 15:117db924cf7c | 8668 | case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE : |
wolfSSL | 15:117db924cf7c | 8669 | #else |
wolfSSL | 15:117db924cf7c | 8670 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 8671 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8672 | if ((ssl->error = SendTls13ServerHello(ssl, |
wolfSSL | 15:117db924cf7c | 8673 | hello_retry_request)) != 0) { |
wolfSSL | 15:117db924cf7c | 8674 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8675 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8676 | } |
wolfSSL | 15:117db924cf7c | 8677 | } |
wolfSSL | 15:117db924cf7c | 8678 | |
wolfSSL | 15:117db924cf7c | 8679 | ssl->options.acceptState = TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE; |
wolfSSL | 15:117db924cf7c | 8680 | WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE"); |
wolfSSL | 15:117db924cf7c | 8681 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8682 | |
wolfSSL | 15:117db924cf7c | 8683 | case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE : |
wolfSSL | 15:117db924cf7c | 8684 | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
wolfSSL | 15:117db924cf7c | 8685 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 8686 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8687 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8688 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8689 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8690 | } |
wolfSSL | 15:117db924cf7c | 8691 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 16:8e0d178b1d1e | 8692 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
wolfSSL | 15:117db924cf7c | 8693 | } |
wolfSSL | 15:117db924cf7c | 8694 | #endif |
wolfSSL | 15:117db924cf7c | 8695 | ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 8696 | WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 8697 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8698 | #endif |
wolfSSL | 15:117db924cf7c | 8699 | |
wolfSSL | 15:117db924cf7c | 8700 | case TLS13_ACCEPT_FIRST_REPLY_DONE : |
wolfSSL | 15:117db924cf7c | 8701 | if (ssl->options.serverState == |
wolfSSL | 15:117db924cf7c | 8702 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
wolfSSL | 16:8e0d178b1d1e | 8703 | ssl->options.clientState = CLIENT_HELLO_RETRY; |
wolfSSL | 15:117db924cf7c | 8704 | while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8705 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 8706 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8707 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8708 | } |
wolfSSL | 15:117db924cf7c | 8709 | } |
wolfSSL | 15:117db924cf7c | 8710 | } |
wolfSSL | 15:117db924cf7c | 8711 | |
wolfSSL | 15:117db924cf7c | 8712 | ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 8713 | WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 8714 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8715 | |
wolfSSL | 15:117db924cf7c | 8716 | case TLS13_ACCEPT_SECOND_REPLY_DONE : |
wolfSSL | 15:117db924cf7c | 8717 | if ((ssl->error = SendTls13ServerHello(ssl, server_hello)) != 0) { |
wolfSSL | 15:117db924cf7c | 8718 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8719 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8720 | } |
wolfSSL | 15:117db924cf7c | 8721 | ssl->options.acceptState = TLS13_SERVER_HELLO_SENT; |
wolfSSL | 15:117db924cf7c | 8722 | WOLFSSL_MSG("accept state SERVER_HELLO_SENT"); |
wolfSSL | 15:117db924cf7c | 8723 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8724 | |
wolfSSL | 15:117db924cf7c | 8725 | case TLS13_SERVER_HELLO_SENT : |
wolfSSL | 15:117db924cf7c | 8726 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && \ |
wolfSSL | 15:117db924cf7c | 8727 | defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
wolfSSL | 15:117db924cf7c | 8728 | if (!ssl->options.sentChangeCipher) { |
wolfSSL | 15:117db924cf7c | 8729 | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8730 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8731 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8732 | } |
wolfSSL | 15:117db924cf7c | 8733 | ssl->options.sentChangeCipher = 1; |
wolfSSL | 15:117db924cf7c | 8734 | } |
wolfSSL | 15:117db924cf7c | 8735 | #endif |
wolfSSL | 15:117db924cf7c | 8736 | |
wolfSSL | 15:117db924cf7c | 8737 | ssl->options.acceptState = TLS13_ACCEPT_THIRD_REPLY_DONE; |
wolfSSL | 15:117db924cf7c | 8738 | WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE"); |
wolfSSL | 15:117db924cf7c | 8739 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8740 | |
wolfSSL | 15:117db924cf7c | 8741 | case TLS13_ACCEPT_THIRD_REPLY_DONE : |
wolfSSL | 15:117db924cf7c | 8742 | if (!ssl->options.noPskDheKe) { |
wolfSSL | 15:117db924cf7c | 8743 | ssl->error = TLSX_KeyShare_DeriveSecret(ssl); |
wolfSSL | 15:117db924cf7c | 8744 | if (ssl->error != 0) |
wolfSSL | 15:117db924cf7c | 8745 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8746 | } |
wolfSSL | 15:117db924cf7c | 8747 | |
wolfSSL | 15:117db924cf7c | 8748 | if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8749 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8750 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8751 | } |
wolfSSL | 15:117db924cf7c | 8752 | ssl->options.acceptState = TLS13_SERVER_EXTENSIONS_SENT; |
wolfSSL | 15:117db924cf7c | 8753 | WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT"); |
wolfSSL | 15:117db924cf7c | 8754 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8755 | |
wolfSSL | 15:117db924cf7c | 8756 | case TLS13_SERVER_EXTENSIONS_SENT : |
wolfSSL | 15:117db924cf7c | 8757 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 8758 | if (!ssl->options.resuming) { |
wolfSSL | 15:117db924cf7c | 8759 | if (ssl->options.verifyPeer) { |
wolfSSL | 15:117db924cf7c | 8760 | ssl->error = SendTls13CertificateRequest(ssl, NULL, 0); |
wolfSSL | 15:117db924cf7c | 8761 | if (ssl->error != 0) { |
wolfSSL | 15:117db924cf7c | 8762 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8763 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8764 | } |
wolfSSL | 15:117db924cf7c | 8765 | } |
wolfSSL | 15:117db924cf7c | 8766 | } |
wolfSSL | 15:117db924cf7c | 8767 | #endif |
wolfSSL | 15:117db924cf7c | 8768 | ssl->options.acceptState = TLS13_CERT_REQ_SENT; |
wolfSSL | 15:117db924cf7c | 8769 | WOLFSSL_MSG("accept state CERT_REQ_SENT"); |
wolfSSL | 15:117db924cf7c | 8770 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8771 | |
wolfSSL | 15:117db924cf7c | 8772 | case TLS13_CERT_REQ_SENT : |
wolfSSL | 15:117db924cf7c | 8773 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 8774 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
wolfSSL | 15:117db924cf7c | 8775 | if ((ssl->error = SendTls13Certificate(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8776 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8777 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8778 | } |
wolfSSL | 15:117db924cf7c | 8779 | } |
wolfSSL | 15:117db924cf7c | 8780 | #endif |
wolfSSL | 15:117db924cf7c | 8781 | ssl->options.acceptState = TLS13_CERT_SENT; |
wolfSSL | 15:117db924cf7c | 8782 | WOLFSSL_MSG("accept state CERT_SENT"); |
wolfSSL | 15:117db924cf7c | 8783 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8784 | |
wolfSSL | 15:117db924cf7c | 8785 | case TLS13_CERT_SENT : |
wolfSSL | 15:117db924cf7c | 8786 | #ifndef NO_CERTS |
wolfSSL | 15:117db924cf7c | 8787 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
wolfSSL | 15:117db924cf7c | 8788 | if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8789 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8790 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8791 | } |
wolfSSL | 15:117db924cf7c | 8792 | } |
wolfSSL | 15:117db924cf7c | 8793 | #endif |
wolfSSL | 15:117db924cf7c | 8794 | ssl->options.acceptState = TLS13_CERT_VERIFY_SENT; |
wolfSSL | 15:117db924cf7c | 8795 | WOLFSSL_MSG("accept state CERT_VERIFY_SENT"); |
wolfSSL | 15:117db924cf7c | 8796 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8797 | |
wolfSSL | 15:117db924cf7c | 8798 | case TLS13_CERT_VERIFY_SENT : |
wolfSSL | 15:117db924cf7c | 8799 | if ((ssl->error = SendTls13Finished(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8800 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8801 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8802 | } |
wolfSSL | 15:117db924cf7c | 8803 | |
wolfSSL | 15:117db924cf7c | 8804 | ssl->options.acceptState = TLS13_ACCEPT_FINISHED_SENT; |
wolfSSL | 15:117db924cf7c | 8805 | WOLFSSL_MSG("accept state ACCEPT_FINISHED_SENT"); |
wolfSSL | 15:117db924cf7c | 8806 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 8807 | if (ssl->earlyData != no_early_data) { |
wolfSSL | 15:117db924cf7c | 8808 | ssl->options.handShakeState = SERVER_FINISHED_COMPLETE; |
wolfSSL | 15:117db924cf7c | 8809 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8810 | } |
wolfSSL | 15:117db924cf7c | 8811 | #endif |
wolfSSL | 15:117db924cf7c | 8812 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8813 | |
wolfSSL | 15:117db924cf7c | 8814 | case TLS13_ACCEPT_FINISHED_SENT : |
wolfSSL | 15:117db924cf7c | 8815 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 8816 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 16:8e0d178b1d1e | 8817 | if (!ssl->options.verifyPeer && !ssl->options.noTicketTls13 && |
wolfSSL | 16:8e0d178b1d1e | 8818 | ssl->ctx->ticketEncCb != NULL) { |
wolfSSL | 15:117db924cf7c | 8819 | if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8820 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8821 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8822 | } |
wolfSSL | 15:117db924cf7c | 8823 | } |
wolfSSL | 15:117db924cf7c | 8824 | #endif |
wolfSSL | 15:117db924cf7c | 8825 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 8826 | ssl->options.acceptState = TLS13_PRE_TICKET_SENT; |
wolfSSL | 15:117db924cf7c | 8827 | WOLFSSL_MSG("accept state TICKET_SENT"); |
wolfSSL | 15:117db924cf7c | 8828 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8829 | |
wolfSSL | 15:117db924cf7c | 8830 | case TLS13_PRE_TICKET_SENT : |
wolfSSL | 15:117db924cf7c | 8831 | while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) |
wolfSSL | 15:117db924cf7c | 8832 | if ( (ssl->error = ProcessReply(ssl)) < 0) { |
wolfSSL | 15:117db924cf7c | 8833 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8834 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8835 | } |
wolfSSL | 15:117db924cf7c | 8836 | |
wolfSSL | 15:117db924cf7c | 8837 | ssl->options.acceptState = TLS13_ACCEPT_FINISHED_DONE; |
wolfSSL | 15:117db924cf7c | 8838 | WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE"); |
wolfSSL | 15:117db924cf7c | 8839 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8840 | |
wolfSSL | 15:117db924cf7c | 8841 | case TLS13_ACCEPT_FINISHED_DONE : |
wolfSSL | 15:117db924cf7c | 8842 | #ifdef HAVE_SESSION_TICKET |
wolfSSL | 15:117db924cf7c | 8843 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
wolfSSL | 15:117db924cf7c | 8844 | if (!ssl->options.verifyPeer) { |
wolfSSL | 15:117db924cf7c | 8845 | } |
wolfSSL | 15:117db924cf7c | 8846 | else |
wolfSSL | 15:117db924cf7c | 8847 | #endif |
wolfSSL | 16:8e0d178b1d1e | 8848 | if (!ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) { |
wolfSSL | 15:117db924cf7c | 8849 | if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { |
wolfSSL | 15:117db924cf7c | 8850 | WOLFSSL_ERROR(ssl->error); |
wolfSSL | 15:117db924cf7c | 8851 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8852 | } |
wolfSSL | 15:117db924cf7c | 8853 | } |
wolfSSL | 15:117db924cf7c | 8854 | #endif /* HAVE_SESSION_TICKET */ |
wolfSSL | 15:117db924cf7c | 8855 | ssl->options.acceptState = TLS13_TICKET_SENT; |
wolfSSL | 15:117db924cf7c | 8856 | WOLFSSL_MSG("accept state TICKET_SENT"); |
wolfSSL | 15:117db924cf7c | 8857 | FALL_THROUGH; |
wolfSSL | 15:117db924cf7c | 8858 | |
wolfSSL | 15:117db924cf7c | 8859 | case TLS13_TICKET_SENT : |
wolfSSL | 15:117db924cf7c | 8860 | #ifndef NO_HANDSHAKE_DONE_CB |
wolfSSL | 15:117db924cf7c | 8861 | if (ssl->hsDoneCb) { |
wolfSSL | 15:117db924cf7c | 8862 | int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx); |
wolfSSL | 15:117db924cf7c | 8863 | if (cbret < 0) { |
wolfSSL | 15:117db924cf7c | 8864 | ssl->error = cbret; |
wolfSSL | 15:117db924cf7c | 8865 | WOLFSSL_MSG("HandShake Done Cb don't continue error"); |
wolfSSL | 15:117db924cf7c | 8866 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8867 | } |
wolfSSL | 15:117db924cf7c | 8868 | } |
wolfSSL | 15:117db924cf7c | 8869 | #endif /* NO_HANDSHAKE_DONE_CB */ |
wolfSSL | 15:117db924cf7c | 8870 | |
wolfSSL | 16:8e0d178b1d1e | 8871 | if (!ssl->options.keepResources) { |
wolfSSL | 16:8e0d178b1d1e | 8872 | FreeHandshakeResources(ssl); |
wolfSSL | 16:8e0d178b1d1e | 8873 | } |
wolfSSL | 16:8e0d178b1d1e | 8874 | |
wolfSSL | 15:117db924cf7c | 8875 | WOLFSSL_LEAVE("SSL_accept()", WOLFSSL_SUCCESS); |
wolfSSL | 15:117db924cf7c | 8876 | return WOLFSSL_SUCCESS; |
wolfSSL | 15:117db924cf7c | 8877 | |
wolfSSL | 15:117db924cf7c | 8878 | default : |
wolfSSL | 15:117db924cf7c | 8879 | WOLFSSL_MSG("Unknown accept state ERROR"); |
wolfSSL | 15:117db924cf7c | 8880 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8881 | } |
wolfSSL | 15:117db924cf7c | 8882 | } |
wolfSSL | 15:117db924cf7c | 8883 | #endif |
wolfSSL | 15:117db924cf7c | 8884 | |
wolfSSL | 15:117db924cf7c | 8885 | #ifdef WOLFSSL_EARLY_DATA |
wolfSSL | 15:117db924cf7c | 8886 | /* Sets the maximum amount of early data that can be seen by server when using |
wolfSSL | 15:117db924cf7c | 8887 | * session tickets for resumption. |
wolfSSL | 15:117db924cf7c | 8888 | * A value of zero indicates no early data is to be sent by client using session |
wolfSSL | 15:117db924cf7c | 8889 | * tickets. |
wolfSSL | 15:117db924cf7c | 8890 | * |
wolfSSL | 15:117db924cf7c | 8891 | * ctx The SSL/TLS CTX object. |
wolfSSL | 15:117db924cf7c | 8892 | * sz Maximum size of the early data. |
wolfSSL | 15:117db924cf7c | 8893 | * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and |
wolfSSL | 15:117db924cf7c | 8894 | * 0 on success. |
wolfSSL | 15:117db924cf7c | 8895 | */ |
wolfSSL | 15:117db924cf7c | 8896 | int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz) |
wolfSSL | 15:117db924cf7c | 8897 | { |
wolfSSL | 15:117db924cf7c | 8898 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
wolfSSL | 15:117db924cf7c | 8899 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8900 | if (ctx->method->side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 8901 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8902 | |
wolfSSL | 15:117db924cf7c | 8903 | ctx->maxEarlyDataSz = sz; |
wolfSSL | 15:117db924cf7c | 8904 | |
wolfSSL | 15:117db924cf7c | 8905 | return 0; |
wolfSSL | 15:117db924cf7c | 8906 | } |
wolfSSL | 15:117db924cf7c | 8907 | |
wolfSSL | 15:117db924cf7c | 8908 | /* Sets the maximum amount of early data that can be seen by server when using |
wolfSSL | 15:117db924cf7c | 8909 | * session tickets for resumption. |
wolfSSL | 15:117db924cf7c | 8910 | * A value of zero indicates no early data is to be sent by client using session |
wolfSSL | 15:117db924cf7c | 8911 | * tickets. |
wolfSSL | 15:117db924cf7c | 8912 | * |
wolfSSL | 15:117db924cf7c | 8913 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8914 | * sz Maximum size of the early data. |
wolfSSL | 15:117db924cf7c | 8915 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
wolfSSL | 15:117db924cf7c | 8916 | * SIDE_ERROR when not a server and 0 on success. |
wolfSSL | 15:117db924cf7c | 8917 | */ |
wolfSSL | 15:117db924cf7c | 8918 | int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz) |
wolfSSL | 15:117db924cf7c | 8919 | { |
wolfSSL | 15:117db924cf7c | 8920 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8921 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8922 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 8923 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8924 | |
wolfSSL | 15:117db924cf7c | 8925 | ssl->options.maxEarlyDataSz = sz; |
wolfSSL | 15:117db924cf7c | 8926 | |
wolfSSL | 15:117db924cf7c | 8927 | return 0; |
wolfSSL | 15:117db924cf7c | 8928 | } |
wolfSSL | 15:117db924cf7c | 8929 | |
wolfSSL | 15:117db924cf7c | 8930 | /* Write early data to the server. |
wolfSSL | 15:117db924cf7c | 8931 | * |
wolfSSL | 15:117db924cf7c | 8932 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8933 | * data Early data to write |
wolfSSL | 15:117db924cf7c | 8934 | * sz The size of the eary data in bytes. |
wolfSSL | 15:117db924cf7c | 8935 | * outSz The number of early data bytes written. |
wolfSSL | 15:117db924cf7c | 8936 | * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative; |
wolfSSL | 15:117db924cf7c | 8937 | * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of |
wolfSSL | 15:117db924cf7c | 8938 | * early data bytes written. |
wolfSSL | 15:117db924cf7c | 8939 | */ |
wolfSSL | 15:117db924cf7c | 8940 | int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) |
wolfSSL | 15:117db924cf7c | 8941 | { |
wolfSSL | 15:117db924cf7c | 8942 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 8943 | |
wolfSSL | 15:117db924cf7c | 8944 | WOLFSSL_ENTER("SSL_write_early_data()"); |
wolfSSL | 15:117db924cf7c | 8945 | |
wolfSSL | 15:117db924cf7c | 8946 | if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL) |
wolfSSL | 15:117db924cf7c | 8947 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8948 | if (!IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8949 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8950 | |
wolfSSL | 15:117db924cf7c | 8951 | #ifndef NO_WOLFSSL_CLIENT |
wolfSSL | 15:117db924cf7c | 8952 | if (ssl->options.side == WOLFSSL_SERVER_END) |
wolfSSL | 15:117db924cf7c | 8953 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8954 | |
wolfSSL | 15:117db924cf7c | 8955 | if (ssl->options.handShakeState == NULL_STATE) { |
wolfSSL | 15:117db924cf7c | 8956 | ssl->earlyData = expecting_early_data; |
wolfSSL | 15:117db924cf7c | 8957 | ret = wolfSSL_connect_TLSv13(ssl); |
wolfSSL | 16:8e0d178b1d1e | 8958 | if (ret != WOLFSSL_SUCCESS) |
wolfSSL | 15:117db924cf7c | 8959 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8960 | } |
wolfSSL | 15:117db924cf7c | 8961 | if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 8962 | ret = SendData(ssl, data, sz); |
wolfSSL | 15:117db924cf7c | 8963 | if (ret > 0) |
wolfSSL | 15:117db924cf7c | 8964 | *outSz = ret; |
wolfSSL | 15:117db924cf7c | 8965 | } |
wolfSSL | 15:117db924cf7c | 8966 | #else |
wolfSSL | 15:117db924cf7c | 8967 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 8968 | #endif |
wolfSSL | 15:117db924cf7c | 8969 | |
wolfSSL | 15:117db924cf7c | 8970 | WOLFSSL_LEAVE("SSL_write_early_data()", ret); |
wolfSSL | 15:117db924cf7c | 8971 | |
wolfSSL | 15:117db924cf7c | 8972 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 8973 | ret = WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 8974 | return ret; |
wolfSSL | 15:117db924cf7c | 8975 | } |
wolfSSL | 15:117db924cf7c | 8976 | |
wolfSSL | 15:117db924cf7c | 8977 | /* Read the any early data from the client. |
wolfSSL | 15:117db924cf7c | 8978 | * |
wolfSSL | 15:117db924cf7c | 8979 | * ssl The SSL/TLS object. |
wolfSSL | 15:117db924cf7c | 8980 | * data Buffer to put the early data into. |
wolfSSL | 15:117db924cf7c | 8981 | * sz The size of the buffer in bytes. |
wolfSSL | 15:117db924cf7c | 8982 | * outSz The number of early data bytes read. |
wolfSSL | 15:117db924cf7c | 8983 | * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative; |
wolfSSL | 15:117db924cf7c | 8984 | * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of |
wolfSSL | 15:117db924cf7c | 8985 | * early data bytes read. |
wolfSSL | 15:117db924cf7c | 8986 | */ |
wolfSSL | 15:117db924cf7c | 8987 | int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) |
wolfSSL | 15:117db924cf7c | 8988 | { |
wolfSSL | 15:117db924cf7c | 8989 | int ret = 0; |
wolfSSL | 15:117db924cf7c | 8990 | |
wolfSSL | 15:117db924cf7c | 8991 | WOLFSSL_ENTER("wolfSSL_read_early_data()"); |
wolfSSL | 15:117db924cf7c | 8992 | |
wolfSSL | 15:117db924cf7c | 8993 | |
wolfSSL | 15:117db924cf7c | 8994 | if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL) |
wolfSSL | 15:117db924cf7c | 8995 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8996 | if (!IsAtLeastTLSv1_3(ssl->version)) |
wolfSSL | 15:117db924cf7c | 8997 | return BAD_FUNC_ARG; |
wolfSSL | 15:117db924cf7c | 8998 | |
wolfSSL | 15:117db924cf7c | 8999 | #ifndef NO_WOLFSSL_SERVER |
wolfSSL | 15:117db924cf7c | 9000 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
wolfSSL | 15:117db924cf7c | 9001 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 9002 | |
wolfSSL | 15:117db924cf7c | 9003 | if (ssl->options.handShakeState == NULL_STATE) { |
wolfSSL | 15:117db924cf7c | 9004 | ssl->earlyData = expecting_early_data; |
wolfSSL | 15:117db924cf7c | 9005 | ret = wolfSSL_accept_TLSv13(ssl); |
wolfSSL | 15:117db924cf7c | 9006 | if (ret <= 0) |
wolfSSL | 15:117db924cf7c | 9007 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 9008 | } |
wolfSSL | 15:117db924cf7c | 9009 | if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) { |
wolfSSL | 15:117db924cf7c | 9010 | ret = ReceiveData(ssl, (byte*)data, sz, FALSE); |
wolfSSL | 15:117db924cf7c | 9011 | if (ret > 0) |
wolfSSL | 15:117db924cf7c | 9012 | *outSz = ret; |
wolfSSL | 15:117db924cf7c | 9013 | if (ssl->error == ZERO_RETURN) |
wolfSSL | 15:117db924cf7c | 9014 | ssl->error = WOLFSSL_ERROR_NONE; |
wolfSSL | 15:117db924cf7c | 9015 | } |
wolfSSL | 15:117db924cf7c | 9016 | else |
wolfSSL | 15:117db924cf7c | 9017 | ret = 0; |
wolfSSL | 15:117db924cf7c | 9018 | #else |
wolfSSL | 15:117db924cf7c | 9019 | return SIDE_ERROR; |
wolfSSL | 15:117db924cf7c | 9020 | #endif |
wolfSSL | 15:117db924cf7c | 9021 | |
wolfSSL | 15:117db924cf7c | 9022 | WOLFSSL_LEAVE("wolfSSL_read_early_data()", ret); |
wolfSSL | 15:117db924cf7c | 9023 | |
wolfSSL | 15:117db924cf7c | 9024 | if (ret < 0) |
wolfSSL | 15:117db924cf7c | 9025 | ret = WOLFSSL_FATAL_ERROR; |
wolfSSL | 15:117db924cf7c | 9026 | return ret; |
wolfSSL | 15:117db924cf7c | 9027 | } |
wolfSSL | 15:117db924cf7c | 9028 | #endif |
wolfSSL | 15:117db924cf7c | 9029 | |
wolfSSL | 16:8e0d178b1d1e | 9030 | #ifdef HAVE_SECRET_CALLBACK |
wolfSSL | 16:8e0d178b1d1e | 9031 | int wolfSSL_set_tls13_secret_cb(WOLFSSL* ssl, Tls13SecretCb cb, void* ctx) |
wolfSSL | 16:8e0d178b1d1e | 9032 | { |
wolfSSL | 16:8e0d178b1d1e | 9033 | WOLFSSL_ENTER("wolfSSL_set_tls13_secret_cb"); |
wolfSSL | 16:8e0d178b1d1e | 9034 | if (ssl == NULL) |
wolfSSL | 16:8e0d178b1d1e | 9035 | return WOLFSSL_FATAL_ERROR; |
wolfSSL | 16:8e0d178b1d1e | 9036 | |
wolfSSL | 16:8e0d178b1d1e | 9037 | ssl->tls13SecretCb = cb; |
wolfSSL | 16:8e0d178b1d1e | 9038 | ssl->tls13SecretCtx = ctx; |
wolfSSL | 16:8e0d178b1d1e | 9039 | |
wolfSSL | 16:8e0d178b1d1e | 9040 | return WOLFSSL_SUCCESS; |
wolfSSL | 16:8e0d178b1d1e | 9041 | } |
wolfSSL | 16:8e0d178b1d1e | 9042 | #endif |
wolfSSL | 16:8e0d178b1d1e | 9043 | |
wolfSSL | 15:117db924cf7c | 9044 | #undef ERROR_OUT |
wolfSSL | 15:117db924cf7c | 9045 | |
wolfSSL | 15:117db924cf7c | 9046 | #endif /* !WOLFCRYPT_ONLY */ |
wolfSSL | 15:117db924cf7c | 9047 | |
wolfSSL | 15:117db924cf7c | 9048 | #endif /* WOLFSSL_TLS13 */ |
wolfSSL | 15:117db924cf7c | 9049 |