Coverage Report

Created: 2024-11-21 07:03

/src/wolfssl/src/keys.c
Line
Count
Source (jump to first uncovered line)
1
/* keys.c
2
 *
3
 * Copyright (C) 2006-2024 wolfSSL Inc.
4
 *
5
 * This file is part of wolfSSL.
6
 *
7
 * wolfSSL is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU General Public License as published by
9
 * the Free Software Foundation; either version 2 of the License, or
10
 * (at your option) any later version.
11
 *
12
 * wolfSSL is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU General Public License
18
 * along with this program; if not, write to the Free Software
19
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20
 */
21
22
23
/* Name change compatibility layer no longer needs to be included here */
24
25
#ifdef HAVE_CONFIG_H
26
    #include <config.h>
27
#endif
28
29
#include <wolfssl/wolfcrypt/settings.h>
30
31
#ifndef WOLFCRYPT_ONLY
32
33
#include <wolfssl/internal.h>
34
#include <wolfssl/error-ssl.h>
35
#if defined(SHOW_SECRETS) || defined(CHACHA_AEAD_TEST)
36
    #ifndef NO_STDIO_FILESYSTEM
37
        #include <stdio.h>
38
    #endif
39
#endif
40
41
#if defined(WOLFSSL_RENESAS_FSPSM_TLS) || defined(WOLFSSL_RENESAS_TSIP_TLS)
42
#include <wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h>
43
#endif
44
45
int SetCipherSpecs(WOLFSSL* ssl)
46
0
{
47
0
    int ret = GetCipherSpec(ssl->options.side, ssl->options.cipherSuite0,
48
0
                                ssl->options.cipherSuite, &ssl->specs,
49
0
                                &ssl->options);
50
0
    if (ret == 0) {
51
        /* set TLS if it hasn't been turned off */
52
0
        if (ssl->version.major == SSLv3_MAJOR &&
53
0
                ssl->version.minor >= TLSv1_MINOR) {
54
0
    #ifndef NO_TLS
55
0
            ssl->options.tls = 1;
56
0
        #if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
57
0
            #if !defined(WOLFSSL_RENESAS_FSPSM_TLS) && \
58
0
                !defined(WOLFSSL_RENESAS_TSIP_TLS)
59
0
            ssl->hmac = TLS_hmac;
60
            #else
61
            ssl->hmac = Renesas_cmn_TLS_hmac;
62
            #endif
63
0
        #endif
64
0
            if (ssl->version.minor >= TLSv1_1_MINOR) {
65
0
                ssl->options.tls1_1 = 1;
66
0
                if (ssl->version.minor >= TLSv1_3_MINOR)
67
0
                    ssl->options.tls1_3 = 1;
68
0
            }
69
0
    #endif
70
0
        }
71
72
0
    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
73
0
        if (IsAtLeastTLSv1_3(ssl->version) || ssl->specs.cipher_type != block)
74
0
           ssl->options.encThenMac = 0;
75
0
    #endif
76
77
    #if defined(WOLFSSL_DTLS)
78
        if (ssl->options.dtls && ssl->version.major == DTLS_MAJOR) {
79
        #ifndef WOLFSSL_AEAD_ONLY
80
            #if !defined(WOLFSSL_RENESAS_FSPSM_TLS) && \
81
                !defined(WOLFSSL_RENESAS_TSIP_TLS)
82
            ssl->hmac = TLS_hmac;
83
            #else
84
            ssl->hmac = Renesas_cmn_TLS_hmac;
85
            #endif
86
        #endif
87
            ssl->options.tls = 1;
88
            ssl->options.tls1_1 = 1; /* DTLS 1.0 == TLS 1.1 */
89
        #ifdef WOLFSSL_DTLS13
90
            if (ssl->version.minor <= DTLSv1_3_MINOR)
91
                ssl->options.tls1_3 = 1;
92
        #endif
93
        }
94
    #endif
95
0
    }
96
0
    return ret;
97
0
}
98
99
/**
100
 * Populate specs with the specification of the chosen ciphersuite. If opts is
101
 * not NULL then the appropriate options will also be set.
102
 *
103
 * @param side         [in] WOLFSSL_SERVER_END or WOLFSSL_CLIENT_END
104
 * @param cipherSuite0 [in]
105
 * @param cipherSuite  [in]
106
 * @param specs        [out] CipherSpecs
107
 * @param opts         [in/out] Options can be NULL
108
 * @return int (less than 0 on fail, 0 on success)
109
 */
110
int GetCipherSpec(word16 side, byte cipherSuite0, byte cipherSuite,
111
                      CipherSpecs* specs, Options* opts)
112
0
{
113
0
    word16 havePSK = 0;
114
0
    (void)havePSK;
115
0
    (void)side;
116
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
117
    if (opts != NULL)
118
        havePSK = opts->havePSK;
119
#endif
120
0
#ifndef NO_WOLFSSL_CLIENT
121
0
    if (side == WOLFSSL_CLIENT_END) {
122
        /* server side verified before SetCipherSpecs call */
123
0
        if (VerifyClientSuite(havePSK, cipherSuite0, cipherSuite) != 1) {
124
0
            WOLFSSL_MSG("SetCipherSpecs() client has an unusable suite");
125
0
            WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_SUITE);
126
0
            return UNSUPPORTED_SUITE;
127
0
        }
128
0
    }
129
0
#endif /* NO_WOLFSSL_CLIENT */
130
131
    /* Chacha extensions, 0xcc */
132
0
    if (cipherSuite0 == CHACHA_BYTE) {
133
134
0
    switch (cipherSuite) {
135
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
136
0
    case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
137
0
        specs->bulk_cipher_algorithm = wolfssl_chacha;
138
0
        specs->cipher_type           = aead;
139
0
        specs->mac_algorithm         = sha256_mac;
140
0
        specs->kea                   = ecc_diffie_hellman_kea;
141
0
        specs->sig_algo              = rsa_sa_algo;
142
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
143
0
        specs->pad_size              = PAD_SHA;
144
0
        specs->static_ecdh           = 0;
145
0
        specs->key_size              = CHACHA20_256_KEY_SIZE;
146
0
        specs->block_size            = CHACHA20_BLOCK_SIZE;
147
0
        specs->iv_size               = CHACHA20_IV_SIZE;
148
0
        specs->aead_mac_size         = POLY1305_AUTH_SZ;
149
0
        if (opts != NULL)
150
0
            opts->oldPoly            = 1; /* use old poly1305 padding */
151
152
0
        break;
153
0
#endif
154
155
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256
156
0
    case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
157
0
        specs->bulk_cipher_algorithm = wolfssl_chacha;
158
0
        specs->cipher_type           = aead;
159
0
        specs->mac_algorithm         = sha256_mac;
160
0
        specs->kea                   = ecc_diffie_hellman_kea;
161
0
        specs->sig_algo              = ecc_dsa_sa_algo;
162
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
163
0
        specs->pad_size              = PAD_SHA;
164
0
        specs->static_ecdh           = 0;
165
0
        specs->key_size              = CHACHA20_256_KEY_SIZE;
166
0
        specs->block_size            = CHACHA20_BLOCK_SIZE;
167
0
        specs->iv_size               = CHACHA20_IV_SIZE;
168
0
        specs->aead_mac_size         = POLY1305_AUTH_SZ;
169
0
        if (opts != NULL)
170
0
            opts->oldPoly            = 1; /* use old poly1305 padding */
171
172
0
        break;
173
0
#endif
174
175
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
176
0
    case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
177
0
        specs->bulk_cipher_algorithm = wolfssl_chacha;
178
0
        specs->cipher_type           = aead;
179
0
        specs->mac_algorithm         = sha256_mac;
180
0
        specs->kea                   = diffie_hellman_kea;
181
0
        specs->sig_algo              = rsa_sa_algo;
182
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
183
0
        specs->pad_size              = PAD_SHA;
184
0
        specs->static_ecdh           = 0;
185
0
        specs->key_size              = CHACHA20_256_KEY_SIZE;
186
0
        specs->block_size            = CHACHA20_BLOCK_SIZE;
187
0
        specs->iv_size               = CHACHA20_IV_SIZE;
188
0
        specs->aead_mac_size         = POLY1305_AUTH_SZ;
189
0
        if (opts != NULL)
190
0
            opts->oldPoly            = 1; /* use old poly1305 padding */
191
192
0
        break;
193
0
#endif
194
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
195
0
    case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
196
0
        specs->bulk_cipher_algorithm = wolfssl_chacha;
197
0
        specs->cipher_type           = aead;
198
0
        specs->mac_algorithm         = sha256_mac;
199
0
        specs->kea                   = ecc_diffie_hellman_kea;
200
0
        specs->sig_algo              = rsa_sa_algo;
201
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
202
0
        specs->pad_size              = PAD_SHA;
203
0
        specs->static_ecdh           = 0;
204
0
        specs->key_size              = CHACHA20_256_KEY_SIZE;
205
0
        specs->block_size            = CHACHA20_BLOCK_SIZE;
206
0
        specs->iv_size               = CHACHA20_IV_SIZE;
207
0
        specs->aead_mac_size         = POLY1305_AUTH_SZ;
208
0
        if (opts != NULL)
209
0
            opts->oldPoly            = 0; /* use recent padding RFC */
210
211
0
        break;
212
0
#endif
213
214
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
215
0
    case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256:
216
0
        specs->bulk_cipher_algorithm = wolfssl_chacha;
217
0
        specs->cipher_type           = aead;
218
0
        specs->mac_algorithm         = sha256_mac;
219
0
        specs->kea                   = ecc_diffie_hellman_kea;
220
0
        specs->sig_algo              = ecc_dsa_sa_algo;
221
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
222
0
        specs->pad_size              = PAD_SHA;
223
0
        specs->static_ecdh           = 0;
224
0
        specs->key_size              = CHACHA20_256_KEY_SIZE;
225
0
        specs->block_size            = CHACHA20_BLOCK_SIZE;
226
0
        specs->iv_size               = CHACHA20_IV_SIZE;
227
0
        specs->aead_mac_size         = POLY1305_AUTH_SZ;
228
0
        if (opts != NULL)
229
0
            opts->oldPoly            = 0; /* use recent padding RFC */
230
231
0
        break;
232
0
#endif
233
234
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
235
0
    case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
236
0
        specs->bulk_cipher_algorithm = wolfssl_chacha;
237
0
        specs->cipher_type           = aead;
238
0
        specs->mac_algorithm         = sha256_mac;
239
0
        specs->kea                   = diffie_hellman_kea;
240
0
        specs->sig_algo              = rsa_sa_algo;
241
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
242
0
        specs->pad_size              = PAD_SHA;
243
0
        specs->static_ecdh           = 0;
244
0
        specs->key_size              = CHACHA20_256_KEY_SIZE;
245
0
        specs->block_size            = CHACHA20_BLOCK_SIZE;
246
0
        specs->iv_size               = CHACHA20_IV_SIZE;
247
0
        specs->aead_mac_size         = POLY1305_AUTH_SZ;
248
0
        if (opts != NULL)
249
0
            opts->oldPoly            = 0; /* use recent padding RFC */
250
251
0
        break;
252
0
#endif
253
254
#ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
255
    case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256:
256
        specs->bulk_cipher_algorithm = wolfssl_chacha;
257
        specs->cipher_type           = aead;
258
        specs->mac_algorithm         = sha256_mac;
259
        specs->kea                   = psk_kea;
260
        specs->sig_algo              = anonymous_sa_algo;
261
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
262
        specs->pad_size              = PAD_SHA;
263
        specs->static_ecdh           = 0;
264
        specs->key_size              = CHACHA20_256_KEY_SIZE;
265
        specs->block_size            = CHACHA20_BLOCK_SIZE;
266
        specs->iv_size               = CHACHA20_IV_SIZE;
267
        specs->aead_mac_size         = POLY1305_AUTH_SZ;
268
269
        if (opts != NULL) {
270
            opts->oldPoly            = 0; /* use recent padding RFC */
271
            opts->usingPSK_cipher    = 1;
272
        }
273
        break;
274
#endif
275
276
#ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
277
    case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
278
        specs->bulk_cipher_algorithm = wolfssl_chacha;
279
        specs->cipher_type           = aead;
280
        specs->mac_algorithm         = sha256_mac;
281
        specs->kea                   = ecdhe_psk_kea;
282
        specs->sig_algo              = anonymous_sa_algo;
283
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
284
        specs->pad_size              = PAD_SHA;
285
        specs->static_ecdh           = 0;
286
        specs->key_size              = CHACHA20_256_KEY_SIZE;
287
        specs->block_size            = CHACHA20_BLOCK_SIZE;
288
        specs->iv_size               = CHACHA20_IV_SIZE;
289
        specs->aead_mac_size         = POLY1305_AUTH_SZ;
290
291
        if (opts != NULL) {
292
            opts->oldPoly            = 0; /* use recent padding RFC */
293
            opts->usingPSK_cipher    = 1;
294
        }
295
        break;
296
#endif
297
298
#ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
299
    case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
300
        specs->bulk_cipher_algorithm = wolfssl_chacha;
301
        specs->cipher_type           = aead;
302
        specs->mac_algorithm         = sha256_mac;
303
        specs->kea                   = dhe_psk_kea;
304
        specs->sig_algo              = anonymous_sa_algo;
305
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
306
        specs->pad_size              = PAD_SHA;
307
        specs->static_ecdh           = 0;
308
        specs->key_size              = CHACHA20_256_KEY_SIZE;
309
        specs->block_size            = CHACHA20_BLOCK_SIZE;
310
        specs->iv_size               = CHACHA20_IV_SIZE;
311
        specs->aead_mac_size         = POLY1305_AUTH_SZ;
312
313
        if (opts != NULL) {
314
            opts->oldPoly            = 0; /* use recent padding RFC */
315
            opts->usingPSK_cipher    = 1;
316
        }
317
        break;
318
#endif
319
0
    default:
320
0
        WOLFSSL_MSG("Unsupported cipher suite, SetCipherSpecs ChaCha");
321
0
        return UNSUPPORTED_SUITE;
322
0
    }
323
0
    }
324
325
    /* ECC extensions, AES-CCM or TLS 1.3 Integrity-only */
326
0
    if (cipherSuite0 == ECC_BYTE) {
327
328
0
    switch (cipherSuite) {
329
330
0
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
331
332
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
333
0
    case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 :
334
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
335
0
        specs->cipher_type           = block;
336
0
        specs->mac_algorithm         = sha256_mac;
337
0
        specs->kea                   = ecc_diffie_hellman_kea;
338
0
        specs->sig_algo              = rsa_sa_algo;
339
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
340
0
        specs->pad_size              = PAD_SHA;
341
0
        specs->static_ecdh           = 0;
342
0
        specs->key_size              = AES_128_KEY_SIZE;
343
0
        specs->iv_size               = AES_IV_SIZE;
344
0
        specs->block_size            = AES_BLOCK_SIZE;
345
346
0
        break;
347
0
#endif
348
349
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
350
0
    case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
351
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
352
0
        specs->cipher_type           = block;
353
0
        specs->mac_algorithm         = sha384_mac;
354
0
        specs->kea                   = ecc_diffie_hellman_kea;
355
0
        specs->sig_algo              = rsa_sa_algo;
356
0
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
357
0
        specs->pad_size              = PAD_SHA;
358
0
        specs->static_ecdh           = 0;
359
0
        specs->key_size              = AES_256_KEY_SIZE;
360
0
        specs->iv_size               = AES_IV_SIZE;
361
0
        specs->block_size            = AES_BLOCK_SIZE;
362
363
0
        break;
364
0
#endif
365
366
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
367
0
    case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA :
368
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
369
0
        specs->cipher_type           = block;
370
0
        specs->mac_algorithm         = sha_mac;
371
0
        specs->kea                   = ecc_diffie_hellman_kea;
372
0
        specs->sig_algo              = rsa_sa_algo;
373
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
374
0
        specs->pad_size              = PAD_SHA;
375
0
        specs->static_ecdh           = 0;
376
0
        specs->key_size              = AES_128_KEY_SIZE;
377
0
        specs->block_size            = AES_BLOCK_SIZE;
378
0
        specs->iv_size               = AES_IV_SIZE;
379
380
0
        break;
381
0
#endif
382
383
#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
384
    case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA :
385
        specs->bulk_cipher_algorithm = wolfssl_triple_des;
386
        specs->cipher_type           = block;
387
        specs->mac_algorithm         = sha_mac;
388
        specs->kea                   = ecc_diffie_hellman_kea;
389
        specs->sig_algo              = rsa_sa_algo;
390
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
391
        specs->pad_size              = PAD_SHA;
392
        specs->static_ecdh           = 0;
393
        specs->key_size              = DES3_KEY_SIZE;
394
        specs->block_size            = DES_BLOCK_SIZE;
395
/* DES_IV_SIZE is incorrectly 16 in FIPS v2. It should be 8, same as the
396
 * block size. */
397
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2)
398
        specs->iv_size               = DES_BLOCK_SIZE;
399
#else
400
        specs->iv_size               = DES_IV_SIZE;
401
#endif
402
403
        break;
404
#endif
405
406
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
407
0
    case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
408
0
        specs->bulk_cipher_algorithm = wolfssl_rc4;
409
0
        specs->cipher_type           = stream;
410
0
        specs->mac_algorithm         = sha_mac;
411
0
        specs->kea                   = ecc_diffie_hellman_kea;
412
0
        specs->sig_algo              = rsa_sa_algo;
413
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
414
0
        specs->pad_size              = PAD_SHA;
415
0
        specs->static_ecdh           = 0;
416
0
        specs->key_size              = RC4_KEY_SIZE;
417
0
        specs->iv_size               = 0;
418
0
        specs->block_size            = 0;
419
420
0
        break;
421
0
#endif
422
423
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
424
0
    case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA :
425
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
426
0
        specs->cipher_type           = block;
427
0
        specs->mac_algorithm         = sha_mac;
428
0
        specs->kea                   = ecc_diffie_hellman_kea;
429
0
        specs->sig_algo              = rsa_sa_algo;
430
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
431
0
        specs->pad_size              = PAD_SHA;
432
0
        specs->static_ecdh           = 0;
433
0
        specs->key_size              = AES_256_KEY_SIZE;
434
0
        specs->block_size            = AES_BLOCK_SIZE;
435
0
        specs->iv_size               = AES_IV_SIZE;
436
437
0
        break;
438
0
#endif
439
440
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
441
0
    case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 :
442
0
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
443
0
        specs->cipher_type           = aead;
444
0
        specs->mac_algorithm         = sha256_mac;
445
0
        specs->kea                   = ecc_diffie_hellman_kea;
446
0
        specs->sig_algo              = rsa_sa_algo;
447
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
448
0
        specs->pad_size              = PAD_SHA;
449
0
        specs->static_ecdh           = 0;
450
0
        specs->key_size              = AES_128_KEY_SIZE;
451
0
        specs->block_size            = AES_BLOCK_SIZE;
452
0
        specs->iv_size               = AESGCM_IMP_IV_SZ;
453
0
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
454
455
0
        break;
456
0
#endif
457
458
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
459
0
    case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 :
460
0
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
461
0
        specs->cipher_type           = aead;
462
0
        specs->mac_algorithm         = sha384_mac;
463
0
        specs->kea                   = ecc_diffie_hellman_kea;
464
0
        specs->sig_algo              = rsa_sa_algo;
465
0
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
466
0
        specs->pad_size              = PAD_SHA;
467
0
        specs->static_ecdh           = 0;
468
0
        specs->key_size              = AES_256_KEY_SIZE;
469
0
        specs->block_size            = AES_BLOCK_SIZE;
470
0
        specs->iv_size               = AESGCM_IMP_IV_SZ;
471
0
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
472
473
0
        break;
474
0
#endif
475
476
#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256
477
    case TLS_ECDHE_PSK_WITH_NULL_SHA256 :
478
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
479
        specs->cipher_type           = stream;
480
        specs->mac_algorithm         = sha256_mac;
481
        specs->kea                   = ecdhe_psk_kea;
482
        specs->sig_algo              = anonymous_sa_algo;
483
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
484
        specs->pad_size              = PAD_SHA;
485
        specs->static_ecdh           = 0;
486
        specs->key_size              = 0;
487
        specs->block_size            = 0;
488
        specs->iv_size               = 0;
489
490
        if (opts != NULL)
491
            opts->usingPSK_cipher    = 1;
492
        break;
493
#endif
494
495
#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
496
    case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 :
497
        specs->bulk_cipher_algorithm = wolfssl_aes;
498
        specs->cipher_type           = block;
499
        specs->mac_algorithm         = sha256_mac;
500
        specs->kea                   = ecdhe_psk_kea;
501
        specs->sig_algo              = anonymous_sa_algo;
502
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
503
        specs->pad_size              = PAD_SHA;
504
        specs->static_ecdh           = 0;
505
        specs->key_size              = AES_128_KEY_SIZE;
506
        specs->block_size            = AES_BLOCK_SIZE;
507
        specs->iv_size               = AES_IV_SIZE;
508
509
        if (opts != NULL)
510
            opts->usingPSK_cipher    = 1;
511
        if (opts != NULL)
512
            opts->usingPSK_cipher    = 1;
513
        break;
514
#endif
515
516
0
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
517
518
0
#if defined(HAVE_ECC) || (defined(HAVE_CURVE25519) && defined(HAVE_ED25519)) \
519
0
                      || (defined(HAVE_CURVE448) && defined(HAVE_ED448))
520
521
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
522
0
    case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 :
523
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
524
0
        specs->cipher_type           = block;
525
0
        specs->mac_algorithm         = sha256_mac;
526
0
        specs->kea                   = ecc_diffie_hellman_kea;
527
0
        specs->sig_algo              = ecc_dsa_sa_algo;
528
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
529
0
        specs->pad_size              = PAD_SHA;
530
0
        specs->static_ecdh           = 0;
531
0
        specs->key_size              = AES_128_KEY_SIZE;
532
0
        specs->iv_size               = AES_IV_SIZE;
533
0
        specs->block_size            = AES_BLOCK_SIZE;
534
535
0
        break;
536
0
#endif
537
538
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
539
0
    case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 :
540
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
541
0
        specs->cipher_type           = block;
542
0
        specs->mac_algorithm         = sha384_mac;
543
0
        specs->kea                   = ecc_diffie_hellman_kea;
544
0
        specs->sig_algo              = ecc_dsa_sa_algo;
545
0
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
546
0
        specs->pad_size              = PAD_SHA;
547
0
        specs->static_ecdh           = 0;
548
0
        specs->key_size              = AES_256_KEY_SIZE;
549
0
        specs->iv_size               = AES_IV_SIZE;
550
0
        specs->block_size            = AES_BLOCK_SIZE;
551
552
0
        break;
553
0
#endif
554
555
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
556
    case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA :
557
        specs->bulk_cipher_algorithm = wolfssl_triple_des;
558
        specs->cipher_type           = block;
559
        specs->mac_algorithm         = sha_mac;
560
        specs->kea                   = ecc_diffie_hellman_kea;
561
        specs->sig_algo              = ecc_dsa_sa_algo;
562
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
563
        specs->pad_size              = PAD_SHA;
564
        specs->static_ecdh           = 0;
565
        specs->key_size              = DES3_KEY_SIZE;
566
        specs->block_size            = DES_BLOCK_SIZE;
567
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2)
568
        specs->iv_size               = DES_BLOCK_SIZE;
569
#else
570
        specs->iv_size               = DES_IV_SIZE;
571
#endif
572
573
        break;
574
#endif
575
576
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
577
0
    case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
578
0
        specs->bulk_cipher_algorithm = wolfssl_rc4;
579
0
        specs->cipher_type           = stream;
580
0
        specs->mac_algorithm         = sha_mac;
581
0
        specs->kea                   = ecc_diffie_hellman_kea;
582
0
        specs->sig_algo              = ecc_dsa_sa_algo;
583
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
584
0
        specs->pad_size              = PAD_SHA;
585
0
        specs->static_ecdh           = 0;
586
0
        specs->key_size              = RC4_KEY_SIZE;
587
0
        specs->iv_size               = 0;
588
0
        specs->block_size            = 0;
589
590
0
        break;
591
0
#endif
592
593
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
594
0
    case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA :
595
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
596
0
        specs->cipher_type           = block;
597
0
        specs->mac_algorithm         = sha_mac;
598
0
        specs->kea                   = ecc_diffie_hellman_kea;
599
0
        specs->sig_algo              = ecc_dsa_sa_algo;
600
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
601
0
        specs->pad_size              = PAD_SHA;
602
0
        specs->static_ecdh           = 0;
603
0
        specs->key_size              = AES_128_KEY_SIZE;
604
0
        specs->block_size            = AES_BLOCK_SIZE;
605
0
        specs->iv_size               = AES_IV_SIZE;
606
607
0
        break;
608
0
#endif
609
610
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
611
0
    case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA :
612
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
613
0
        specs->cipher_type           = block;
614
0
        specs->mac_algorithm         = sha_mac;
615
0
        specs->kea                   = ecc_diffie_hellman_kea;
616
0
        specs->sig_algo              = ecc_dsa_sa_algo;
617
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
618
0
        specs->pad_size              = PAD_SHA;
619
0
        specs->static_ecdh           = 0;
620
0
        specs->key_size              = AES_256_KEY_SIZE;
621
0
        specs->block_size            = AES_BLOCK_SIZE;
622
0
        specs->iv_size               = AES_IV_SIZE;
623
624
0
        break;
625
0
#endif
626
627
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
628
0
    case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 :
629
0
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
630
0
        specs->cipher_type           = aead;
631
0
        specs->mac_algorithm         = sha256_mac;
632
0
        specs->kea                   = ecc_diffie_hellman_kea;
633
0
        specs->sig_algo              = ecc_dsa_sa_algo;
634
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
635
0
        specs->pad_size              = PAD_SHA;
636
0
        specs->static_ecdh           = 0;
637
0
        specs->key_size              = AES_128_KEY_SIZE;
638
0
        specs->block_size            = AES_BLOCK_SIZE;
639
0
        specs->iv_size               = AESGCM_IMP_IV_SZ;
640
0
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
641
642
0
        break;
643
0
#endif
644
645
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
646
0
    case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 :
647
0
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
648
0
        specs->cipher_type           = aead;
649
0
        specs->mac_algorithm         = sha384_mac;
650
0
        specs->kea                   = ecc_diffie_hellman_kea;
651
0
        specs->sig_algo              = ecc_dsa_sa_algo;
652
0
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
653
0
        specs->pad_size              = PAD_SHA;
654
0
        specs->static_ecdh           = 0;
655
0
        specs->key_size              = AES_256_KEY_SIZE;
656
0
        specs->block_size            = AES_BLOCK_SIZE;
657
0
        specs->iv_size               = AESGCM_IMP_IV_SZ;
658
0
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
659
660
0
        break;
661
0
#endif
662
663
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
664
0
    case TLS_ECDHE_ECDSA_WITH_AES_128_CCM :
665
0
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
666
0
        specs->cipher_type           = aead;
667
0
        specs->mac_algorithm         = sha256_mac;
668
0
        specs->kea                   = ecc_diffie_hellman_kea;
669
0
        specs->sig_algo              = ecc_dsa_sa_algo;
670
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
671
0
        specs->pad_size              = PAD_SHA;
672
0
        specs->static_ecdh           = 0;
673
0
        specs->key_size              = AES_128_KEY_SIZE;
674
0
        specs->block_size            = AES_BLOCK_SIZE;
675
0
        specs->iv_size               = AESCCM_IMP_IV_SZ;
676
0
        specs->aead_mac_size         = AES_CCM_16_AUTH_SZ;
677
678
0
        break;
679
0
#endif
680
681
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
682
0
    case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 :
683
0
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
684
0
        specs->cipher_type           = aead;
685
0
        specs->mac_algorithm         = sha256_mac;
686
0
        specs->kea                   = ecc_diffie_hellman_kea;
687
0
        specs->sig_algo              = ecc_dsa_sa_algo;
688
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
689
0
        specs->pad_size              = PAD_SHA;
690
0
        specs->static_ecdh           = 0;
691
0
        specs->key_size              = AES_128_KEY_SIZE;
692
0
        specs->block_size            = AES_BLOCK_SIZE;
693
0
        specs->iv_size               = AESCCM_IMP_IV_SZ;
694
0
        specs->aead_mac_size         = AES_CCM_8_AUTH_SZ;
695
696
0
        break;
697
0
#endif
698
699
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
700
0
    case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 :
701
0
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
702
0
        specs->cipher_type           = aead;
703
0
        specs->mac_algorithm         = sha256_mac;
704
0
        specs->kea                   = ecc_diffie_hellman_kea;
705
0
        specs->sig_algo              = ecc_dsa_sa_algo;
706
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
707
0
        specs->pad_size              = PAD_SHA;
708
0
        specs->static_ecdh           = 0;
709
0
        specs->key_size              = AES_256_KEY_SIZE;
710
0
        specs->block_size            = AES_BLOCK_SIZE;
711
0
        specs->iv_size               = AESCCM_IMP_IV_SZ;
712
0
        specs->aead_mac_size         = AES_CCM_8_AUTH_SZ;
713
714
0
        break;
715
0
#endif
716
717
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
718
    case TLS_ECDHE_ECDSA_WITH_NULL_SHA :
719
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
720
        specs->cipher_type           = stream;
721
        specs->mac_algorithm         = sha_mac;
722
        specs->kea                   = ecc_diffie_hellman_kea;
723
        specs->sig_algo              = ecc_dsa_sa_algo;
724
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
725
        specs->pad_size              = PAD_SHA;
726
        specs->static_ecdh           = 0;
727
        specs->key_size              = 0;
728
        specs->block_size            = 0;
729
        specs->iv_size               = 0;
730
731
    break;
732
#endif
733
734
0
#endif /* HAVE_ECC || (CURVE25519 && ED25519) || (CURVE448 && ED448) */
735
736
0
#if defined(HAVE_ECC)
737
738
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
739
    case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :
740
        specs->bulk_cipher_algorithm = wolfssl_aes;
741
        specs->cipher_type           = block;
742
        specs->mac_algorithm         = sha256_mac;
743
        specs->kea                   = ecc_diffie_hellman_kea;
744
        specs->sig_algo              = rsa_sa_algo;
745
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
746
        specs->pad_size              = PAD_SHA;
747
        specs->static_ecdh           = 1;
748
        specs->key_size              = AES_128_KEY_SIZE;
749
        specs->iv_size               = AES_IV_SIZE;
750
        specs->block_size            = AES_BLOCK_SIZE;
751
752
        break;
753
#endif
754
755
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
756
    case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 :
757
        specs->bulk_cipher_algorithm = wolfssl_aes;
758
        specs->cipher_type           = block;
759
        specs->mac_algorithm         = sha256_mac;
760
        specs->kea                   = ecc_diffie_hellman_kea;
761
        specs->sig_algo              = ecc_dsa_sa_algo;
762
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
763
        specs->pad_size              = PAD_SHA;
764
        specs->static_ecdh           = 1;
765
        specs->key_size              = AES_128_KEY_SIZE;
766
        specs->iv_size               = AES_IV_SIZE;
767
        specs->block_size            = AES_BLOCK_SIZE;
768
769
        break;
770
#endif
771
772
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
773
    case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 :
774
        specs->bulk_cipher_algorithm = wolfssl_aes;
775
        specs->cipher_type           = block;
776
        specs->mac_algorithm         = sha384_mac;
777
        specs->kea                   = ecc_diffie_hellman_kea;
778
        specs->sig_algo              = rsa_sa_algo;
779
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
780
        specs->pad_size              = PAD_SHA;
781
        specs->static_ecdh           = 1;
782
        specs->key_size              = AES_256_KEY_SIZE;
783
        specs->iv_size               = AES_IV_SIZE;
784
        specs->block_size            = AES_BLOCK_SIZE;
785
786
        break;
787
#endif
788
789
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
790
    case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 :
791
        specs->bulk_cipher_algorithm = wolfssl_aes;
792
        specs->cipher_type           = block;
793
        specs->mac_algorithm         = sha384_mac;
794
        specs->kea                   = ecc_diffie_hellman_kea;
795
        specs->sig_algo              = ecc_dsa_sa_algo;
796
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
797
        specs->pad_size              = PAD_SHA;
798
        specs->static_ecdh           = 1;
799
        specs->key_size              = AES_256_KEY_SIZE;
800
        specs->iv_size               = AES_IV_SIZE;
801
        specs->block_size            = AES_BLOCK_SIZE;
802
803
        break;
804
#endif
805
806
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
807
    case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA :
808
        specs->bulk_cipher_algorithm = wolfssl_aes;
809
        specs->cipher_type           = block;
810
        specs->mac_algorithm         = sha_mac;
811
        specs->kea                   = ecc_diffie_hellman_kea;
812
        specs->sig_algo              = rsa_sa_algo;
813
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
814
        specs->pad_size              = PAD_SHA;
815
        specs->static_ecdh           = 1;
816
        specs->key_size              = AES_128_KEY_SIZE;
817
        specs->block_size            = AES_BLOCK_SIZE;
818
        specs->iv_size               = AES_IV_SIZE;
819
820
        break;
821
#endif
822
823
#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
824
    case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA :
825
        specs->bulk_cipher_algorithm = wolfssl_triple_des;
826
        specs->cipher_type           = block;
827
        specs->mac_algorithm         = sha_mac;
828
        specs->kea                   = ecc_diffie_hellman_kea;
829
        specs->sig_algo              = rsa_sa_algo;
830
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
831
        specs->pad_size              = PAD_SHA;
832
        specs->static_ecdh           = 1;
833
        specs->key_size              = DES3_KEY_SIZE;
834
        specs->block_size            = DES_BLOCK_SIZE;
835
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2)
836
        specs->iv_size               = DES_BLOCK_SIZE;
837
#else
838
        specs->iv_size               = DES_IV_SIZE;
839
#endif
840
841
        break;
842
#endif
843
844
#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
845
    case TLS_ECDH_RSA_WITH_RC4_128_SHA :
846
        specs->bulk_cipher_algorithm = wolfssl_rc4;
847
        specs->cipher_type           = stream;
848
        specs->mac_algorithm         = sha_mac;
849
        specs->kea                   = ecc_diffie_hellman_kea;
850
        specs->sig_algo              = rsa_sa_algo;
851
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
852
        specs->pad_size              = PAD_SHA;
853
        specs->static_ecdh           = 1;
854
        specs->key_size              = RC4_KEY_SIZE;
855
        specs->iv_size               = 0;
856
        specs->block_size            = 0;
857
858
        break;
859
#endif
860
861
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
862
    case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA :
863
        specs->bulk_cipher_algorithm = wolfssl_triple_des;
864
        specs->cipher_type           = block;
865
        specs->mac_algorithm         = sha_mac;
866
        specs->kea                   = ecc_diffie_hellman_kea;
867
        specs->sig_algo              = ecc_dsa_sa_algo;
868
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
869
        specs->pad_size              = PAD_SHA;
870
        specs->static_ecdh           = 1;
871
        specs->key_size              = DES3_KEY_SIZE;
872
        specs->block_size            = DES_BLOCK_SIZE;
873
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2)
874
        specs->iv_size               = DES_BLOCK_SIZE;
875
#else
876
        specs->iv_size               = DES_IV_SIZE;
877
#endif
878
879
        break;
880
#endif
881
882
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
883
    case TLS_ECDH_ECDSA_WITH_RC4_128_SHA :
884
        specs->bulk_cipher_algorithm = wolfssl_rc4;
885
        specs->cipher_type           = stream;
886
        specs->mac_algorithm         = sha_mac;
887
        specs->kea                   = ecc_diffie_hellman_kea;
888
        specs->sig_algo              = ecc_dsa_sa_algo;
889
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
890
        specs->pad_size              = PAD_SHA;
891
        specs->static_ecdh           = 1;
892
        specs->key_size              = RC4_KEY_SIZE;
893
        specs->iv_size               = 0;
894
        specs->block_size            = 0;
895
896
        break;
897
#endif
898
899
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
900
    case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA :
901
        specs->bulk_cipher_algorithm = wolfssl_aes;
902
        specs->cipher_type           = block;
903
        specs->mac_algorithm         = sha_mac;
904
        specs->kea                   = ecc_diffie_hellman_kea;
905
        specs->sig_algo              = rsa_sa_algo;
906
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
907
        specs->pad_size              = PAD_SHA;
908
        specs->static_ecdh           = 1;
909
        specs->key_size              = AES_256_KEY_SIZE;
910
        specs->block_size            = AES_BLOCK_SIZE;
911
        specs->iv_size               = AES_IV_SIZE;
912
913
        break;
914
#endif
915
916
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
917
    case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA :
918
        specs->bulk_cipher_algorithm = wolfssl_aes;
919
        specs->cipher_type           = block;
920
        specs->mac_algorithm         = sha_mac;
921
        specs->kea                   = ecc_diffie_hellman_kea;
922
        specs->sig_algo              = ecc_dsa_sa_algo;
923
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
924
        specs->pad_size              = PAD_SHA;
925
        specs->static_ecdh           = 1;
926
        specs->key_size              = AES_128_KEY_SIZE;
927
        specs->block_size            = AES_BLOCK_SIZE;
928
        specs->iv_size               = AES_IV_SIZE;
929
930
        break;
931
#endif
932
933
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
934
    case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA :
935
        specs->bulk_cipher_algorithm = wolfssl_aes;
936
        specs->cipher_type           = block;
937
        specs->mac_algorithm         = sha_mac;
938
        specs->kea                   = ecc_diffie_hellman_kea;
939
        specs->sig_algo              = ecc_dsa_sa_algo;
940
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
941
        specs->pad_size              = PAD_SHA;
942
        specs->static_ecdh           = 1;
943
        specs->key_size              = AES_256_KEY_SIZE;
944
        specs->block_size            = AES_BLOCK_SIZE;
945
        specs->iv_size               = AES_IV_SIZE;
946
947
        break;
948
#endif
949
950
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
951
    case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 :
952
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
953
        specs->cipher_type           = aead;
954
        specs->mac_algorithm         = sha256_mac;
955
        specs->kea                   = ecc_diffie_hellman_kea;
956
        specs->sig_algo              = rsa_sa_algo;
957
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
958
        specs->pad_size              = PAD_SHA;
959
        specs->static_ecdh           = 1;
960
        specs->key_size              = AES_128_KEY_SIZE;
961
        specs->block_size            = AES_BLOCK_SIZE;
962
        specs->iv_size               = AESGCM_IMP_IV_SZ;
963
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
964
965
        break;
966
#endif
967
968
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
969
    case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 :
970
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
971
        specs->cipher_type           = aead;
972
        specs->mac_algorithm         = sha384_mac;
973
        specs->kea                   = ecc_diffie_hellman_kea;
974
        specs->sig_algo              = rsa_sa_algo;
975
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
976
        specs->pad_size              = PAD_SHA;
977
        specs->static_ecdh           = 1;
978
        specs->key_size              = AES_256_KEY_SIZE;
979
        specs->block_size            = AES_BLOCK_SIZE;
980
        specs->iv_size               = AESGCM_IMP_IV_SZ;
981
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
982
983
        break;
984
#endif
985
986
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
987
    case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 :
988
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
989
        specs->cipher_type           = aead;
990
        specs->mac_algorithm         = sha256_mac;
991
        specs->kea                   = ecc_diffie_hellman_kea;
992
        specs->sig_algo              = ecc_dsa_sa_algo;
993
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
994
        specs->pad_size              = PAD_SHA;
995
        specs->static_ecdh           = 1;
996
        specs->key_size              = AES_128_KEY_SIZE;
997
        specs->block_size            = AES_BLOCK_SIZE;
998
        specs->iv_size               = AESGCM_IMP_IV_SZ;
999
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1000
1001
        break;
1002
#endif
1003
1004
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
1005
    case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 :
1006
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
1007
        specs->cipher_type           = aead;
1008
        specs->mac_algorithm         = sha384_mac;
1009
        specs->kea                   = ecc_diffie_hellman_kea;
1010
        specs->sig_algo              = ecc_dsa_sa_algo;
1011
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1012
        specs->pad_size              = PAD_SHA;
1013
        specs->static_ecdh           = 1;
1014
        specs->key_size              = AES_256_KEY_SIZE;
1015
        specs->block_size            = AES_BLOCK_SIZE;
1016
        specs->iv_size               = AESGCM_IMP_IV_SZ;
1017
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1018
1019
        break;
1020
#endif
1021
1022
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
1023
    case TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 :
1024
        specs->bulk_cipher_algorithm = wolfssl_aria_gcm;
1025
        specs->cipher_type           = aead;
1026
        specs->mac_algorithm         = sha256_mac;
1027
        specs->kea                   = ecc_diffie_hellman_kea;
1028
        specs->sig_algo              = ecc_dsa_sa_algo;
1029
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1030
        specs->pad_size              = PAD_SHA;
1031
        specs->static_ecdh           = 0;
1032
        specs->key_size              = ARIA_128_KEY_SIZE;
1033
        specs->block_size            = ARIA_BLOCK_SIZE;
1034
        specs->iv_size               = AESGCM_IMP_IV_SZ;
1035
        specs->aead_mac_size         = ARIA_GCM_AUTH_SZ;
1036
1037
        break;
1038
#endif
1039
1040
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
1041
    case TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 :
1042
        specs->bulk_cipher_algorithm = wolfssl_aria_gcm;
1043
        specs->cipher_type           = aead;
1044
        specs->mac_algorithm         = sha384_mac;
1045
        specs->kea                   = ecc_diffie_hellman_kea;
1046
        specs->sig_algo              = ecc_dsa_sa_algo;
1047
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1048
        specs->pad_size              = PAD_SHA;
1049
        specs->static_ecdh           = 0;
1050
        specs->key_size              = ARIA_256_KEY_SIZE;
1051
        specs->block_size            = ARIA_BLOCK_SIZE;
1052
        specs->iv_size               = AESGCM_IMP_IV_SZ;
1053
        specs->aead_mac_size         = ARIA_GCM_AUTH_SZ;
1054
1055
        break;
1056
#endif
1057
1058
0
#endif /* HAVE_ECC */
1059
1060
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
1061
    case TLS_RSA_WITH_AES_128_CCM_8 :
1062
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1063
        specs->cipher_type           = aead;
1064
        specs->mac_algorithm         = sha256_mac;
1065
        specs->kea                   = rsa_kea;
1066
        specs->sig_algo              = rsa_sa_algo;
1067
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1068
        specs->pad_size              = PAD_SHA;
1069
        specs->static_ecdh           = 0;
1070
        specs->key_size              = AES_128_KEY_SIZE;
1071
        specs->block_size            = AES_BLOCK_SIZE;
1072
        specs->iv_size               = AESCCM_IMP_IV_SZ;
1073
        specs->aead_mac_size         = AES_CCM_8_AUTH_SZ;
1074
1075
        break;
1076
#endif
1077
1078
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
1079
    case TLS_RSA_WITH_AES_256_CCM_8 :
1080
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1081
        specs->cipher_type           = aead;
1082
        specs->mac_algorithm         = sha256_mac;
1083
        specs->kea                   = rsa_kea;
1084
        specs->sig_algo              = rsa_sa_algo;
1085
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1086
        specs->pad_size              = PAD_SHA;
1087
        specs->static_ecdh           = 0;
1088
        specs->key_size              = AES_256_KEY_SIZE;
1089
        specs->block_size            = AES_BLOCK_SIZE;
1090
        specs->iv_size               = AESCCM_IMP_IV_SZ;
1091
        specs->aead_mac_size         = AES_CCM_8_AUTH_SZ;
1092
1093
        break;
1094
#endif
1095
1096
#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8
1097
    case TLS_PSK_WITH_AES_128_CCM_8 :
1098
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1099
        specs->cipher_type           = aead;
1100
        specs->mac_algorithm         = sha256_mac;
1101
        specs->kea                   = psk_kea;
1102
        specs->sig_algo              = anonymous_sa_algo;
1103
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1104
        specs->pad_size              = PAD_SHA;
1105
        specs->static_ecdh           = 0;
1106
        specs->key_size              = AES_128_KEY_SIZE;
1107
        specs->block_size            = AES_BLOCK_SIZE;
1108
        specs->iv_size               = AESCCM_IMP_IV_SZ;
1109
        specs->aead_mac_size         = AES_CCM_8_AUTH_SZ;
1110
1111
        if (opts != NULL)
1112
            opts->usingPSK_cipher    = 1;
1113
        break;
1114
#endif
1115
1116
#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8
1117
    case TLS_PSK_WITH_AES_256_CCM_8 :
1118
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1119
        specs->cipher_type           = aead;
1120
        specs->mac_algorithm         = sha256_mac;
1121
        specs->kea                   = psk_kea;
1122
        specs->sig_algo              = anonymous_sa_algo;
1123
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1124
        specs->pad_size              = PAD_SHA;
1125
        specs->static_ecdh           = 0;
1126
        specs->key_size              = AES_256_KEY_SIZE;
1127
        specs->block_size            = AES_BLOCK_SIZE;
1128
        specs->iv_size               = AESCCM_IMP_IV_SZ;
1129
        specs->aead_mac_size         = AES_CCM_8_AUTH_SZ;
1130
1131
        if (opts != NULL)
1132
            opts->usingPSK_cipher    = 1;
1133
        break;
1134
#endif
1135
1136
#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM
1137
    case TLS_PSK_WITH_AES_128_CCM :
1138
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1139
        specs->cipher_type           = aead;
1140
        specs->mac_algorithm         = sha256_mac;
1141
        specs->kea                   = psk_kea;
1142
        specs->sig_algo              = anonymous_sa_algo;
1143
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1144
        specs->pad_size              = PAD_SHA;
1145
        specs->static_ecdh           = 0;
1146
        specs->key_size              = AES_128_KEY_SIZE;
1147
        specs->block_size            = AES_BLOCK_SIZE;
1148
        specs->iv_size               = AESCCM_IMP_IV_SZ;
1149
        specs->aead_mac_size         = AES_CCM_16_AUTH_SZ;
1150
1151
        if (opts != NULL)
1152
            opts->usingPSK_cipher    = 1;
1153
        break;
1154
#endif
1155
1156
#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM
1157
    case TLS_PSK_WITH_AES_256_CCM :
1158
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1159
        specs->cipher_type           = aead;
1160
        specs->mac_algorithm         = sha256_mac;
1161
        specs->kea                   = psk_kea;
1162
        specs->sig_algo              = anonymous_sa_algo;
1163
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1164
        specs->pad_size              = PAD_SHA;
1165
        specs->static_ecdh           = 0;
1166
        specs->key_size              = AES_256_KEY_SIZE;
1167
        specs->block_size            = AES_BLOCK_SIZE;
1168
        specs->iv_size               = AESCCM_IMP_IV_SZ;
1169
        specs->aead_mac_size         = AES_CCM_16_AUTH_SZ;
1170
1171
        if (opts != NULL)
1172
            opts->usingPSK_cipher    = 1;
1173
        break;
1174
#endif
1175
1176
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
1177
    case TLS_DHE_PSK_WITH_AES_128_CCM :
1178
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1179
        specs->cipher_type           = aead;
1180
        specs->mac_algorithm         = sha256_mac;
1181
        specs->kea                   = dhe_psk_kea;
1182
        specs->sig_algo              = anonymous_sa_algo;
1183
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1184
        specs->pad_size              = PAD_SHA;
1185
        specs->static_ecdh           = 0;
1186
        specs->key_size              = AES_128_KEY_SIZE;
1187
        specs->block_size            = AES_BLOCK_SIZE;
1188
        specs->iv_size               = AESCCM_IMP_IV_SZ;
1189
        specs->aead_mac_size         = AES_CCM_16_AUTH_SZ;
1190
1191
        if (opts != NULL)
1192
            opts->usingPSK_cipher    = 1;
1193
        break;
1194
#endif
1195
1196
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
1197
    case TLS_DHE_PSK_WITH_AES_256_CCM :
1198
        specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1199
        specs->cipher_type           = aead;
1200
        specs->mac_algorithm         = sha256_mac;
1201
        specs->kea                   = dhe_psk_kea;
1202
        specs->sig_algo              = anonymous_sa_algo;
1203
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1204
        specs->pad_size              = PAD_SHA;
1205
        specs->static_ecdh           = 0;
1206
        specs->key_size              = AES_256_KEY_SIZE;
1207
        specs->block_size            = AES_BLOCK_SIZE;
1208
        specs->iv_size               = AESCCM_IMP_IV_SZ;
1209
        specs->aead_mac_size         = AES_CCM_16_AUTH_SZ;
1210
1211
        if (opts != NULL)
1212
            opts->usingPSK_cipher    = 1;
1213
        break;
1214
#endif
1215
1216
#if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER)
1217
    #ifdef BUILD_TLS_SHA256_SHA256
1218
    case TLS_SHA256_SHA256 :
1219
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1220
        specs->cipher_type           = aead;
1221
        specs->mac_algorithm         = sha256_mac;
1222
        specs->kea                   = 0;
1223
        specs->sig_algo              = 0;
1224
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1225
        specs->pad_size              = PAD_SHA;
1226
        specs->static_ecdh           = 0;
1227
        specs->key_size              = WC_SHA256_DIGEST_SIZE;
1228
        specs->block_size            = 0;
1229
        specs->iv_size               = HMAC_NONCE_SZ;
1230
        specs->aead_mac_size         = WC_SHA256_DIGEST_SIZE;
1231
1232
        break;
1233
    #endif
1234
1235
    #ifdef BUILD_TLS_SHA384_SHA384
1236
    case TLS_SHA384_SHA384 :
1237
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1238
        specs->cipher_type           = aead;
1239
        specs->mac_algorithm         = sha384_mac;
1240
        specs->kea                   = 0;
1241
        specs->sig_algo              = 0;
1242
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1243
        specs->pad_size              = PAD_SHA;
1244
        specs->static_ecdh           = 0;
1245
        specs->key_size              = WC_SHA384_DIGEST_SIZE;
1246
        specs->block_size            = 0;
1247
        specs->iv_size               = HMAC_NONCE_SZ;
1248
        specs->aead_mac_size         = WC_SHA384_DIGEST_SIZE;
1249
1250
        break;
1251
    #endif
1252
#endif
1253
1254
0
    default:
1255
0
        WOLFSSL_MSG("Unsupported cipher suite, SetCipherSpecs ECC");
1256
0
        return UNSUPPORTED_SUITE;
1257
0
    }   /* switch */
1258
0
    }   /* if     */
1259
1260
    /* TLSi v1.3 cipher suites, 0x13 */
1261
0
    if (cipherSuite0 == TLS13_BYTE) {
1262
0
        switch (cipherSuite) {
1263
1264
0
#ifdef WOLFSSL_TLS13
1265
0
    #ifdef BUILD_TLS_AES_128_GCM_SHA256
1266
0
        case TLS_AES_128_GCM_SHA256 :
1267
0
            specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
1268
0
            specs->cipher_type           = aead;
1269
0
            specs->mac_algorithm         = sha256_mac;
1270
0
            specs->kea                   = 0;
1271
0
            specs->sig_algo              = 0;
1272
0
            specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1273
0
            specs->pad_size              = PAD_SHA;
1274
0
            specs->static_ecdh           = 0;
1275
0
            specs->key_size              = AES_128_KEY_SIZE;
1276
0
            specs->block_size            = AES_BLOCK_SIZE;
1277
0
            specs->iv_size               = AESGCM_NONCE_SZ;
1278
0
            specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1279
1280
0
            break;
1281
0
    #endif
1282
1283
0
    #ifdef BUILD_TLS_AES_256_GCM_SHA384
1284
0
        case TLS_AES_256_GCM_SHA384 :
1285
0
            specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
1286
0
            specs->cipher_type           = aead;
1287
0
            specs->mac_algorithm         = sha384_mac;
1288
0
            specs->kea                   = 0;
1289
0
            specs->sig_algo              = 0;
1290
0
            specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1291
0
            specs->pad_size              = PAD_SHA;
1292
0
            specs->static_ecdh           = 0;
1293
0
            specs->key_size              = AES_256_KEY_SIZE;
1294
0
            specs->block_size            = AES_BLOCK_SIZE;
1295
0
            specs->iv_size               = AESGCM_NONCE_SZ;
1296
0
            specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1297
1298
0
            break;
1299
0
    #endif
1300
1301
0
    #ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256
1302
0
        case TLS_CHACHA20_POLY1305_SHA256 :
1303
0
            specs->bulk_cipher_algorithm = wolfssl_chacha;
1304
0
            specs->cipher_type           = aead;
1305
0
            specs->mac_algorithm         = sha256_mac;
1306
0
            specs->kea                   = 0;
1307
0
            specs->sig_algo              = 0;
1308
0
            specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1309
0
            specs->pad_size              = PAD_SHA;
1310
0
            specs->static_ecdh           = 0;
1311
0
            specs->key_size              = CHACHA20_256_KEY_SIZE;
1312
0
            specs->block_size            = CHACHA20_BLOCK_SIZE;
1313
0
            specs->iv_size               = CHACHA20_IV_SIZE;
1314
0
            specs->aead_mac_size         = POLY1305_AUTH_SZ;
1315
0
            if (opts != NULL)
1316
0
                opts->oldPoly            = 0; /* use recent padding RFC */
1317
1318
0
            break;
1319
0
    #endif
1320
1321
0
    #ifdef BUILD_TLS_AES_128_CCM_SHA256
1322
0
        case TLS_AES_128_CCM_SHA256 :
1323
0
            specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1324
0
            specs->cipher_type           = aead;
1325
0
            specs->mac_algorithm         = sha256_mac;
1326
0
            specs->kea                   = 0;
1327
0
            specs->sig_algo              = 0;
1328
0
            specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1329
0
            specs->pad_size              = PAD_SHA;
1330
0
            specs->static_ecdh           = 0;
1331
0
            specs->key_size              = AES_128_KEY_SIZE;
1332
0
            specs->block_size            = AES_BLOCK_SIZE;
1333
0
            specs->iv_size               = AESCCM_NONCE_SZ;
1334
0
            specs->aead_mac_size         = AES_CCM_16_AUTH_SZ;
1335
1336
0
            break;
1337
0
    #endif
1338
1339
0
    #ifdef BUILD_TLS_AES_128_CCM_8_SHA256
1340
0
        case TLS_AES_128_CCM_8_SHA256 :
1341
0
            specs->bulk_cipher_algorithm = wolfssl_aes_ccm;
1342
0
            specs->cipher_type           = aead;
1343
0
            specs->mac_algorithm         = sha256_mac;
1344
0
            specs->kea                   = 0;
1345
0
            specs->sig_algo              = 0;
1346
0
            specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1347
0
            specs->pad_size              = PAD_SHA;
1348
0
            specs->static_ecdh           = 0;
1349
0
            specs->key_size              = AES_128_KEY_SIZE;
1350
0
            specs->block_size            = AES_BLOCK_SIZE;
1351
0
            specs->iv_size               = AESCCM_NONCE_SZ;
1352
0
            specs->aead_mac_size         = AES_CCM_8_AUTH_SZ;
1353
1354
0
            break;
1355
0
    #endif
1356
0
#endif /* WOLFSSL_TLS13 */
1357
0
        default:
1358
0
            break;
1359
0
        }
1360
0
    }
1361
1362
0
    if (cipherSuite0 == ECDHE_PSK_BYTE) {
1363
1364
0
    switch (cipherSuite) {
1365
1366
0
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
1367
#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
1368
    case TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 :
1369
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
1370
        specs->cipher_type           = aead;
1371
        specs->mac_algorithm         = sha256_mac;
1372
        specs->kea                   = ecdhe_psk_kea;
1373
        specs->sig_algo              = anonymous_sa_algo;
1374
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1375
        specs->pad_size              = PAD_SHA;
1376
        specs->static_ecdh           = 0;
1377
        specs->key_size              = AES_128_KEY_SIZE;
1378
        specs->block_size            = AES_BLOCK_SIZE;
1379
        specs->iv_size               = AESGCM_IMP_IV_SZ;
1380
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1381
1382
        if (opts != NULL)
1383
            opts->usingPSK_cipher    = 1;
1384
        break;
1385
#endif
1386
0
#endif
1387
1388
0
    default:
1389
0
        break;
1390
0
    }
1391
0
    }
1392
1393
0
    if (cipherSuite0 == SM_BYTE) {
1394
1395
0
    switch (cipherSuite) {
1396
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3
1397
0
    case TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 :
1398
0
        specs->bulk_cipher_algorithm = wolfssl_sm4_cbc;
1399
0
        specs->cipher_type           = block;
1400
0
        specs->mac_algorithm         = sm3_mac;
1401
0
        specs->kea                   = ecc_diffie_hellman_kea;
1402
0
        specs->sig_algo              = sm2_sa_algo;
1403
0
        specs->hash_size             = WC_SM3_DIGEST_SIZE;
1404
0
        specs->pad_size              = PAD_SHA;
1405
0
        specs->static_ecdh           = 0;
1406
0
        specs->key_size              = SM4_KEY_SIZE;
1407
0
        specs->iv_size               = SM4_IV_SIZE;
1408
0
        specs->block_size            = SM4_BLOCK_SIZE;
1409
1410
0
        break;
1411
0
#endif
1412
1413
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3
1414
0
    case TLS_ECDHE_ECDSA_WITH_SM4_GCM_SM3 :
1415
0
        specs->bulk_cipher_algorithm = wolfssl_sm4_gcm;
1416
0
        specs->cipher_type           = aead;
1417
0
        specs->mac_algorithm         = sm3_mac;
1418
0
        specs->kea                   = ecc_diffie_hellman_kea;
1419
0
        specs->sig_algo              = sm2_sa_algo;
1420
0
        specs->hash_size             = WC_SM3_DIGEST_SIZE;
1421
0
        specs->pad_size              = PAD_SHA;
1422
0
        specs->static_ecdh           = 0;
1423
0
        specs->key_size              = SM4_KEY_SIZE;
1424
0
        specs->block_size            = SM4_BLOCK_SIZE;
1425
0
        specs->iv_size               = GCM_IMP_IV_SZ;
1426
0
        specs->aead_mac_size         = SM4_GCM_AUTH_SZ;
1427
1428
0
        break;
1429
0
#endif
1430
1431
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CCM_SM3
1432
0
    case TLS_ECDHE_ECDSA_WITH_SM4_CCM_SM3 :
1433
0
        specs->bulk_cipher_algorithm = wolfssl_sm4_ccm;
1434
0
        specs->cipher_type           = aead;
1435
0
        specs->mac_algorithm         = sm3_mac;
1436
0
        specs->kea                   = ecc_diffie_hellman_kea;
1437
0
        specs->sig_algo              = sm2_sa_algo;
1438
0
        specs->hash_size             = WC_SM3_DIGEST_SIZE;
1439
0
        specs->pad_size              = PAD_SHA;
1440
0
        specs->static_ecdh           = 0;
1441
0
        specs->key_size              = SM4_KEY_SIZE;
1442
0
        specs->block_size            = SM4_BLOCK_SIZE;
1443
0
        specs->iv_size               = CCM_IMP_IV_SZ;
1444
0
        specs->aead_mac_size         = SM4_CCM_AUTH_SZ;
1445
1446
0
        break;
1447
0
#endif
1448
1449
0
    default:
1450
0
        break;
1451
0
    }
1452
0
    }
1453
1454
0
    if (cipherSuite0 != ECC_BYTE &&
1455
0
        cipherSuite0 != ECDHE_PSK_BYTE &&
1456
0
        cipherSuite0 != CHACHA_BYTE &&
1457
0
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) && \
1458
0
    (defined(WOLFSSL_SM4_CBC) || defined(WOLFSSL_SM4_GCM) || \
1459
0
     defined(WOLFSSL_SM4_CCM))
1460
0
        cipherSuite0 != SM_BYTE &&
1461
0
#endif
1462
0
        cipherSuite0 != TLS13_BYTE) {   /* normal suites */
1463
0
    switch (cipherSuite) {
1464
1465
0
#ifdef BUILD_TLS_SM4_GCM_SM3
1466
0
    case TLS_SM4_GCM_SM3 :
1467
0
        specs->bulk_cipher_algorithm = wolfssl_sm4_gcm;
1468
0
        specs->cipher_type           = aead;
1469
0
        specs->mac_algorithm         = sm3_mac;
1470
0
        specs->kea                   = 0;
1471
0
        specs->sig_algo              = 0;
1472
0
        specs->hash_size             = WC_SM3_DIGEST_SIZE;
1473
0
        specs->pad_size              = PAD_SHA;
1474
0
        specs->static_ecdh           = 0;
1475
0
        specs->key_size              = SM4_KEY_SIZE;
1476
0
        specs->block_size            = SM4_BLOCK_SIZE;
1477
0
        specs->iv_size               = SM4_GCM_NONCE_SZ;
1478
0
        specs->aead_mac_size         = SM4_GCM_AUTH_SZ;
1479
1480
0
        break;
1481
0
#endif
1482
1483
0
#ifdef BUILD_TLS_SM4_CCM_SM3
1484
0
    case TLS_SM4_CCM_SM3 :
1485
0
        specs->bulk_cipher_algorithm = wolfssl_sm4_ccm;
1486
0
        specs->cipher_type           = aead;
1487
0
        specs->mac_algorithm         = sm3_mac;
1488
0
        specs->kea                   = 0;
1489
0
        specs->sig_algo              = 0;
1490
0
        specs->hash_size             = WC_SM3_DIGEST_SIZE;
1491
0
        specs->pad_size              = PAD_SHA;
1492
0
        specs->static_ecdh           = 0;
1493
0
        specs->key_size              = SM4_KEY_SIZE;
1494
0
        specs->block_size            = SM4_BLOCK_SIZE;
1495
0
        specs->iv_size               = SM4_CCM_NONCE_SZ;
1496
0
        specs->aead_mac_size         = SM4_CCM_AUTH_SZ;
1497
1498
0
        break;
1499
0
#endif
1500
1501
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
1502
    case SSL_RSA_WITH_RC4_128_SHA :
1503
        specs->bulk_cipher_algorithm = wolfssl_rc4;
1504
        specs->cipher_type           = stream;
1505
        specs->mac_algorithm         = sha_mac;
1506
        specs->kea                   = rsa_kea;
1507
        specs->sig_algo              = rsa_sa_algo;
1508
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
1509
        specs->pad_size              = PAD_SHA;
1510
        specs->static_ecdh           = 0;
1511
        specs->key_size              = RC4_KEY_SIZE;
1512
        specs->iv_size               = 0;
1513
        specs->block_size            = 0;
1514
1515
        break;
1516
#endif
1517
1518
#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
1519
    case SSL_RSA_WITH_RC4_128_MD5 :
1520
        specs->bulk_cipher_algorithm = wolfssl_rc4;
1521
        specs->cipher_type           = stream;
1522
        specs->mac_algorithm         = md5_mac;
1523
        specs->kea                   = rsa_kea;
1524
        specs->sig_algo              = rsa_sa_algo;
1525
        specs->hash_size             = WC_MD5_DIGEST_SIZE;
1526
        specs->pad_size              = PAD_MD5;
1527
        specs->static_ecdh           = 0;
1528
        specs->key_size              = RC4_KEY_SIZE;
1529
        specs->iv_size               = 0;
1530
        specs->block_size            = 0;
1531
1532
        break;
1533
#endif
1534
1535
#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
1536
    case SSL_RSA_WITH_3DES_EDE_CBC_SHA :
1537
        specs->bulk_cipher_algorithm = wolfssl_triple_des;
1538
        specs->cipher_type           = block;
1539
        specs->mac_algorithm         = sha_mac;
1540
        specs->kea                   = rsa_kea;
1541
        specs->sig_algo              = rsa_sa_algo;
1542
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
1543
        specs->pad_size              = PAD_SHA;
1544
        specs->static_ecdh           = 0;
1545
        specs->key_size              = DES3_KEY_SIZE;
1546
        specs->block_size            = DES_BLOCK_SIZE;
1547
#if defined(HAVE_FIPS) && defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION == 2)
1548
        specs->iv_size               = DES_BLOCK_SIZE;
1549
#else
1550
        specs->iv_size               = DES_IV_SIZE;
1551
#endif
1552
1553
        break;
1554
#endif
1555
1556
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
1557
    case TLS_RSA_WITH_AES_128_CBC_SHA :
1558
        specs->bulk_cipher_algorithm = wolfssl_aes;
1559
        specs->cipher_type           = block;
1560
        specs->mac_algorithm         = sha_mac;
1561
        specs->kea                   = rsa_kea;
1562
        specs->sig_algo              = rsa_sa_algo;
1563
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
1564
        specs->pad_size              = PAD_SHA;
1565
        specs->static_ecdh           = 0;
1566
        specs->key_size              = AES_128_KEY_SIZE;
1567
        specs->block_size            = AES_BLOCK_SIZE;
1568
        specs->iv_size               = AES_IV_SIZE;
1569
1570
        break;
1571
#endif
1572
1573
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
1574
    case TLS_RSA_WITH_AES_128_CBC_SHA256 :
1575
        specs->bulk_cipher_algorithm = wolfssl_aes;
1576
        specs->cipher_type           = block;
1577
        specs->mac_algorithm         = sha256_mac;
1578
        specs->kea                   = rsa_kea;
1579
        specs->sig_algo              = rsa_sa_algo;
1580
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1581
        specs->pad_size              = PAD_SHA;
1582
        specs->static_ecdh           = 0;
1583
        specs->key_size              = AES_128_KEY_SIZE;
1584
        specs->block_size            = AES_BLOCK_SIZE;
1585
        specs->iv_size               = AES_IV_SIZE;
1586
1587
        break;
1588
#endif
1589
1590
#ifdef BUILD_TLS_RSA_WITH_NULL_MD5
1591
    case TLS_RSA_WITH_NULL_MD5 :
1592
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1593
        specs->cipher_type           = stream;
1594
        specs->mac_algorithm         = md5_mac;
1595
        specs->kea                   = rsa_kea;
1596
        specs->sig_algo              = rsa_sa_algo;
1597
        specs->hash_size             = WC_MD5_DIGEST_SIZE;
1598
        specs->pad_size              = PAD_MD5;
1599
        specs->static_ecdh           = 0;
1600
        specs->key_size              = 0;
1601
        specs->block_size            = 0;
1602
        specs->iv_size               = 0;
1603
1604
        break;
1605
#endif
1606
1607
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA
1608
    case TLS_RSA_WITH_NULL_SHA :
1609
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1610
        specs->cipher_type           = stream;
1611
        specs->mac_algorithm         = sha_mac;
1612
        specs->kea                   = rsa_kea;
1613
        specs->sig_algo              = rsa_sa_algo;
1614
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
1615
        specs->pad_size              = PAD_SHA;
1616
        specs->static_ecdh           = 0;
1617
        specs->key_size              = 0;
1618
        specs->block_size            = 0;
1619
        specs->iv_size               = 0;
1620
1621
        break;
1622
#endif
1623
1624
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
1625
    case TLS_RSA_WITH_NULL_SHA256 :
1626
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1627
        specs->cipher_type           = stream;
1628
        specs->mac_algorithm         = sha256_mac;
1629
        specs->kea                   = rsa_kea;
1630
        specs->sig_algo              = rsa_sa_algo;
1631
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1632
        specs->pad_size              = PAD_SHA;
1633
        specs->static_ecdh           = 0;
1634
        specs->key_size              = 0;
1635
        specs->block_size            = 0;
1636
        specs->iv_size               = 0;
1637
1638
        break;
1639
#endif
1640
1641
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
1642
    case TLS_RSA_WITH_AES_256_CBC_SHA :
1643
        specs->bulk_cipher_algorithm = wolfssl_aes;
1644
        specs->cipher_type           = block;
1645
        specs->mac_algorithm         = sha_mac;
1646
        specs->kea                   = rsa_kea;
1647
        specs->sig_algo              = rsa_sa_algo;
1648
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
1649
        specs->pad_size              = PAD_SHA;
1650
        specs->static_ecdh           = 0;
1651
        specs->key_size              = AES_256_KEY_SIZE;
1652
        specs->block_size            = AES_BLOCK_SIZE;
1653
        specs->iv_size               = AES_IV_SIZE;
1654
1655
        break;
1656
#endif
1657
1658
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
1659
    case TLS_RSA_WITH_AES_256_CBC_SHA256 :
1660
        specs->bulk_cipher_algorithm = wolfssl_aes;
1661
        specs->cipher_type           = block;
1662
        specs->mac_algorithm         = sha256_mac;
1663
        specs->kea                   = rsa_kea;
1664
        specs->sig_algo              = rsa_sa_algo;
1665
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1666
        specs->pad_size              = PAD_SHA;
1667
        specs->static_ecdh           = 0;
1668
        specs->key_size              = AES_256_KEY_SIZE;
1669
        specs->block_size            = AES_BLOCK_SIZE;
1670
        specs->iv_size               = AES_IV_SIZE;
1671
1672
        break;
1673
#endif
1674
1675
#ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
1676
    case TLS_PSK_WITH_AES_128_GCM_SHA256 :
1677
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
1678
        specs->cipher_type           = aead;
1679
        specs->mac_algorithm         = sha256_mac;
1680
        specs->kea                   = psk_kea;
1681
        specs->sig_algo              = anonymous_sa_algo;
1682
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1683
        specs->pad_size              = PAD_SHA;
1684
        specs->static_ecdh           = 0;
1685
        specs->key_size              = AES_128_KEY_SIZE;
1686
        specs->block_size            = AES_BLOCK_SIZE;
1687
        specs->iv_size               = AESGCM_IMP_IV_SZ;
1688
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1689
1690
        if (opts != NULL)
1691
            opts->usingPSK_cipher    = 1;
1692
        break;
1693
#endif
1694
1695
#ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384
1696
    case TLS_PSK_WITH_AES_256_GCM_SHA384 :
1697
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
1698
        specs->cipher_type           = aead;
1699
        specs->mac_algorithm         = sha384_mac;
1700
        specs->kea                   = psk_kea;
1701
        specs->sig_algo              = anonymous_sa_algo;
1702
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1703
        specs->pad_size              = PAD_SHA;
1704
        specs->static_ecdh           = 0;
1705
        specs->key_size              = AES_256_KEY_SIZE;
1706
        specs->block_size            = AES_BLOCK_SIZE;
1707
        specs->iv_size               = AESGCM_IMP_IV_SZ;
1708
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1709
1710
        if (opts != NULL)
1711
            opts->usingPSK_cipher    = 1;
1712
        break;
1713
#endif
1714
1715
#ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384
1716
    case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
1717
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
1718
        specs->cipher_type           = aead;
1719
        specs->mac_algorithm         = sha384_mac;
1720
        specs->kea                   = diffie_hellman_kea;
1721
        specs->sig_algo              = anonymous_sa_algo;
1722
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1723
        specs->pad_size              = PAD_SHA;
1724
        specs->static_ecdh           = 0;
1725
        specs->key_size              = AES_256_KEY_SIZE;
1726
        specs->block_size            = AES_BLOCK_SIZE;
1727
        specs->iv_size               = AESGCM_IMP_IV_SZ;
1728
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1729
1730
        if (opts != NULL)
1731
            opts->usingAnon_cipher   = 1;
1732
        break;
1733
#endif
1734
1735
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
1736
    case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 :
1737
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
1738
        specs->cipher_type           = aead;
1739
        specs->mac_algorithm         = sha256_mac;
1740
        specs->kea                   = dhe_psk_kea;
1741
        specs->sig_algo              = anonymous_sa_algo;
1742
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1743
        specs->pad_size              = PAD_SHA;
1744
        specs->static_ecdh           = 0;
1745
        specs->key_size              = AES_128_KEY_SIZE;
1746
        specs->block_size            = AES_BLOCK_SIZE;
1747
        specs->iv_size               = AESGCM_IMP_IV_SZ;
1748
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1749
1750
        if (opts != NULL)
1751
            opts->usingPSK_cipher    = 1;
1752
        break;
1753
#endif
1754
1755
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
1756
    case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 :
1757
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
1758
        specs->cipher_type           = aead;
1759
        specs->mac_algorithm         = sha384_mac;
1760
        specs->kea                   = dhe_psk_kea;
1761
        specs->sig_algo              = anonymous_sa_algo;
1762
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1763
        specs->pad_size              = PAD_SHA;
1764
        specs->static_ecdh           = 0;
1765
        specs->key_size              = AES_256_KEY_SIZE;
1766
        specs->block_size            = AES_BLOCK_SIZE;
1767
        specs->iv_size               = AESGCM_IMP_IV_SZ;
1768
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
1769
1770
        if (opts != NULL)
1771
            opts->usingPSK_cipher    = 1;
1772
        break;
1773
#endif
1774
1775
#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
1776
    case TLS_PSK_WITH_AES_128_CBC_SHA256 :
1777
        specs->bulk_cipher_algorithm = wolfssl_aes;
1778
        specs->cipher_type           = block;
1779
        specs->mac_algorithm         = sha256_mac;
1780
        specs->kea                   = psk_kea;
1781
        specs->sig_algo              = anonymous_sa_algo;
1782
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1783
        specs->pad_size              = PAD_SHA;
1784
        specs->static_ecdh           = 0;
1785
        specs->key_size              = AES_128_KEY_SIZE;
1786
        specs->block_size            = AES_BLOCK_SIZE;
1787
        specs->iv_size               = AES_IV_SIZE;
1788
1789
        if (opts != NULL)
1790
            opts->usingPSK_cipher    = 1;
1791
        break;
1792
#endif
1793
1794
#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384
1795
    case TLS_PSK_WITH_AES_256_CBC_SHA384 :
1796
        specs->bulk_cipher_algorithm = wolfssl_aes;
1797
        specs->cipher_type           = block;
1798
        specs->mac_algorithm         = sha384_mac;
1799
        specs->kea                   = psk_kea;
1800
        specs->sig_algo              = anonymous_sa_algo;
1801
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1802
        specs->pad_size              = PAD_SHA;
1803
        specs->static_ecdh           = 0;
1804
        specs->key_size              = AES_256_KEY_SIZE;
1805
        specs->block_size            = AES_BLOCK_SIZE;
1806
        specs->iv_size               = AES_IV_SIZE;
1807
1808
        if (opts != NULL)
1809
            opts->usingPSK_cipher    = 1;
1810
        break;
1811
#endif
1812
1813
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
1814
    case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 :
1815
        specs->bulk_cipher_algorithm = wolfssl_aes;
1816
        specs->cipher_type           = block;
1817
        specs->mac_algorithm         = sha256_mac;
1818
        specs->kea                   = dhe_psk_kea;
1819
        specs->sig_algo              = anonymous_sa_algo;
1820
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1821
        specs->pad_size              = PAD_SHA;
1822
        specs->static_ecdh           = 0;
1823
        specs->key_size              = AES_128_KEY_SIZE;
1824
        specs->block_size            = AES_BLOCK_SIZE;
1825
        specs->iv_size               = AES_IV_SIZE;
1826
1827
        if (opts != NULL)
1828
            opts->usingPSK_cipher    = 1;
1829
        break;
1830
#endif
1831
1832
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
1833
    case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 :
1834
        specs->bulk_cipher_algorithm = wolfssl_aes;
1835
        specs->cipher_type           = block;
1836
        specs->mac_algorithm         = sha384_mac;
1837
        specs->kea                   = dhe_psk_kea;
1838
        specs->sig_algo              = anonymous_sa_algo;
1839
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1840
        specs->pad_size              = PAD_SHA;
1841
        specs->static_ecdh           = 0;
1842
        specs->key_size              = AES_256_KEY_SIZE;
1843
        specs->block_size            = AES_BLOCK_SIZE;
1844
        specs->iv_size               = AES_IV_SIZE;
1845
1846
        if (opts != NULL)
1847
            opts->usingPSK_cipher    = 1;
1848
        break;
1849
#endif
1850
1851
#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
1852
    case TLS_PSK_WITH_AES_128_CBC_SHA :
1853
        specs->bulk_cipher_algorithm = wolfssl_aes;
1854
        specs->cipher_type           = block;
1855
        specs->mac_algorithm         = sha_mac;
1856
        specs->kea                   = psk_kea;
1857
        specs->sig_algo              = anonymous_sa_algo;
1858
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
1859
        specs->pad_size              = PAD_SHA;
1860
        specs->static_ecdh           = 0;
1861
        specs->key_size              = AES_128_KEY_SIZE;
1862
        specs->block_size            = AES_BLOCK_SIZE;
1863
        specs->iv_size               = AES_IV_SIZE;
1864
1865
        if (opts != NULL)
1866
            opts->usingPSK_cipher    = 1;
1867
        break;
1868
#endif
1869
1870
#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
1871
    case TLS_PSK_WITH_AES_256_CBC_SHA :
1872
        specs->bulk_cipher_algorithm = wolfssl_aes;
1873
        specs->cipher_type           = block;
1874
        specs->mac_algorithm         = sha_mac;
1875
        specs->kea                   = psk_kea;
1876
        specs->sig_algo              = anonymous_sa_algo;
1877
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
1878
        specs->pad_size              = PAD_SHA;
1879
        specs->static_ecdh           = 0;
1880
        specs->key_size              = AES_256_KEY_SIZE;
1881
        specs->block_size            = AES_BLOCK_SIZE;
1882
        specs->iv_size               = AES_IV_SIZE;
1883
1884
        if (opts != NULL)
1885
            opts->usingPSK_cipher    = 1;
1886
        break;
1887
#endif
1888
1889
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
1890
    case TLS_PSK_WITH_NULL_SHA256 :
1891
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1892
        specs->cipher_type           = stream;
1893
        specs->mac_algorithm         = sha256_mac;
1894
        specs->kea                   = psk_kea;
1895
        specs->sig_algo              = anonymous_sa_algo;
1896
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1897
        specs->pad_size              = PAD_SHA;
1898
        specs->static_ecdh           = 0;
1899
        specs->key_size              = 0;
1900
        specs->block_size            = 0;
1901
        specs->iv_size               = 0;
1902
1903
        if (opts != NULL)
1904
            opts->usingPSK_cipher    = 1;
1905
        break;
1906
#endif
1907
1908
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
1909
    case TLS_PSK_WITH_NULL_SHA384 :
1910
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1911
        specs->cipher_type           = stream;
1912
        specs->mac_algorithm         = sha384_mac;
1913
        specs->kea                   = psk_kea;
1914
        specs->sig_algo              = anonymous_sa_algo;
1915
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1916
        specs->pad_size              = PAD_SHA;
1917
        specs->static_ecdh           = 0;
1918
        specs->key_size              = 0;
1919
        specs->block_size            = 0;
1920
        specs->iv_size               = 0;
1921
1922
        if (opts != NULL)
1923
            opts->usingPSK_cipher    = 1;
1924
        break;
1925
#endif
1926
1927
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA
1928
    case TLS_PSK_WITH_NULL_SHA :
1929
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1930
        specs->cipher_type           = stream;
1931
        specs->mac_algorithm         = sha_mac;
1932
        specs->kea                   = psk_kea;
1933
        specs->sig_algo              = anonymous_sa_algo;
1934
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
1935
        specs->pad_size              = PAD_SHA;
1936
        specs->static_ecdh           = 0;
1937
        specs->key_size              = 0;
1938
        specs->block_size            = 0;
1939
        specs->iv_size               = 0;
1940
1941
        if (opts != NULL)
1942
            opts->usingPSK_cipher    = 1;
1943
        break;
1944
#endif
1945
1946
#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
1947
    case TLS_DHE_PSK_WITH_NULL_SHA256 :
1948
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1949
        specs->cipher_type           = stream;
1950
        specs->mac_algorithm         = sha256_mac;
1951
        specs->kea                   = dhe_psk_kea;
1952
        specs->sig_algo              = anonymous_sa_algo;
1953
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1954
        specs->pad_size              = PAD_SHA;
1955
        specs->static_ecdh           = 0;
1956
        specs->key_size              = 0;
1957
        specs->block_size            = 0;
1958
        specs->iv_size               = 0;
1959
1960
        if (opts != NULL)
1961
            opts->usingPSK_cipher    = 1;
1962
        break;
1963
#endif
1964
1965
#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
1966
    case TLS_DHE_PSK_WITH_NULL_SHA384 :
1967
        specs->bulk_cipher_algorithm = wolfssl_cipher_null;
1968
        specs->cipher_type           = stream;
1969
        specs->mac_algorithm         = sha384_mac;
1970
        specs->kea                   = dhe_psk_kea;
1971
        specs->sig_algo              = anonymous_sa_algo;
1972
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
1973
        specs->pad_size              = PAD_SHA;
1974
        specs->static_ecdh           = 0;
1975
        specs->key_size              = 0;
1976
        specs->block_size            = 0;
1977
        specs->iv_size               = 0;
1978
1979
        if (opts != NULL)
1980
            opts->usingPSK_cipher    = 1;
1981
        break;
1982
#endif
1983
1984
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
1985
0
    case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
1986
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
1987
0
        specs->cipher_type           = block;
1988
0
        specs->mac_algorithm         = sha256_mac;
1989
0
        specs->kea                   = diffie_hellman_kea;
1990
0
        specs->sig_algo              = rsa_sa_algo;
1991
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
1992
0
        specs->pad_size              = PAD_SHA;
1993
0
        specs->static_ecdh           = 0;
1994
0
        specs->key_size              = AES_128_KEY_SIZE;
1995
0
        specs->block_size            = AES_BLOCK_SIZE;
1996
0
        specs->iv_size               = AES_IV_SIZE;
1997
1998
0
        break;
1999
0
#endif
2000
2001
#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
2002
    case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA :
2003
        specs->bulk_cipher_algorithm = wolfssl_triple_des;
2004
        specs->cipher_type           = block;
2005
        specs->mac_algorithm         = sha_mac;
2006
        specs->kea                   = diffie_hellman_kea;
2007
        specs->sig_algo              = rsa_sa_algo;
2008
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
2009
        specs->pad_size              = PAD_SHA;
2010
        specs->static_ecdh           = 0;
2011
        specs->key_size              = DES3_KEY_SIZE;
2012
        specs->block_size            = DES_BLOCK_SIZE;
2013
        specs->iv_size               = DES_IV_SIZE;
2014
2015
        break;
2016
#endif
2017
2018
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
2019
0
    case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 :
2020
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
2021
0
        specs->cipher_type           = block;
2022
0
        specs->mac_algorithm         = sha256_mac;
2023
0
        specs->kea                   = diffie_hellman_kea;
2024
0
        specs->sig_algo              = rsa_sa_algo;
2025
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
2026
0
        specs->pad_size              = PAD_SHA;
2027
0
        specs->static_ecdh           = 0;
2028
0
        specs->key_size              = AES_256_KEY_SIZE;
2029
0
        specs->block_size            = AES_BLOCK_SIZE;
2030
0
        specs->iv_size               = AES_IV_SIZE;
2031
2032
0
        break;
2033
0
#endif
2034
2035
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
2036
0
    case TLS_DHE_RSA_WITH_AES_128_CBC_SHA :
2037
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
2038
0
        specs->cipher_type           = block;
2039
0
        specs->mac_algorithm         = sha_mac;
2040
0
        specs->kea                   = diffie_hellman_kea;
2041
0
        specs->sig_algo              = rsa_sa_algo;
2042
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
2043
0
        specs->pad_size              = PAD_SHA;
2044
0
        specs->static_ecdh           = 0;
2045
0
        specs->key_size              = AES_128_KEY_SIZE;
2046
0
        specs->block_size            = AES_BLOCK_SIZE;
2047
0
        specs->iv_size               = AES_IV_SIZE;
2048
2049
0
        break;
2050
0
#endif
2051
2052
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
2053
0
    case TLS_DHE_RSA_WITH_AES_256_CBC_SHA :
2054
0
        specs->bulk_cipher_algorithm = wolfssl_aes;
2055
0
        specs->cipher_type           = block;
2056
0
        specs->mac_algorithm         = sha_mac;
2057
0
        specs->kea                   = diffie_hellman_kea;
2058
0
        specs->sig_algo              = rsa_sa_algo;
2059
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
2060
0
        specs->pad_size              = PAD_SHA;
2061
0
        specs->static_ecdh           = 0;
2062
0
        specs->key_size              = AES_256_KEY_SIZE;
2063
0
        specs->block_size            = AES_BLOCK_SIZE;
2064
0
        specs->iv_size               = AES_IV_SIZE;
2065
2066
0
        break;
2067
0
#endif
2068
2069
#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
2070
    case TLS_RSA_WITH_AES_128_GCM_SHA256 :
2071
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
2072
        specs->cipher_type           = aead;
2073
        specs->mac_algorithm         = sha256_mac;
2074
        specs->kea                   = rsa_kea;
2075
        specs->sig_algo              = rsa_sa_algo;
2076
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
2077
        specs->pad_size              = PAD_SHA;
2078
        specs->static_ecdh           = 0;
2079
        specs->key_size              = AES_128_KEY_SIZE;
2080
        specs->block_size            = AES_BLOCK_SIZE;
2081
        specs->iv_size               = AESGCM_IMP_IV_SZ;
2082
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
2083
2084
        break;
2085
#endif
2086
2087
#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
2088
    case TLS_RSA_WITH_AES_256_GCM_SHA384 :
2089
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
2090
        specs->cipher_type           = aead;
2091
        specs->mac_algorithm         = sha384_mac;
2092
        specs->kea                   = rsa_kea;
2093
        specs->sig_algo              = rsa_sa_algo;
2094
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
2095
        specs->pad_size              = PAD_SHA;
2096
        specs->static_ecdh           = 0;
2097
        specs->key_size              = AES_256_KEY_SIZE;
2098
        specs->block_size            = AES_BLOCK_SIZE;
2099
        specs->iv_size               = AESGCM_IMP_IV_SZ;
2100
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
2101
2102
        break;
2103
#endif
2104
2105
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
2106
0
    case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 :
2107
0
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
2108
0
        specs->cipher_type           = aead;
2109
0
        specs->mac_algorithm         = sha256_mac;
2110
0
        specs->kea                   = diffie_hellman_kea;
2111
0
        specs->sig_algo              = rsa_sa_algo;
2112
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
2113
0
        specs->pad_size              = PAD_SHA;
2114
0
        specs->static_ecdh           = 0;
2115
0
        specs->key_size              = AES_128_KEY_SIZE;
2116
0
        specs->block_size            = AES_BLOCK_SIZE;
2117
0
        specs->iv_size               = AESGCM_IMP_IV_SZ;
2118
0
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
2119
2120
0
        break;
2121
0
#endif
2122
2123
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
2124
0
    case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 :
2125
0
        specs->bulk_cipher_algorithm = wolfssl_aes_gcm;
2126
0
        specs->cipher_type           = aead;
2127
0
        specs->mac_algorithm         = sha384_mac;
2128
0
        specs->kea                   = diffie_hellman_kea;
2129
0
        specs->sig_algo              = rsa_sa_algo;
2130
0
        specs->hash_size             = WC_SHA384_DIGEST_SIZE;
2131
0
        specs->pad_size              = PAD_SHA;
2132
0
        specs->static_ecdh           = 0;
2133
0
        specs->key_size              = AES_256_KEY_SIZE;
2134
0
        specs->block_size            = AES_BLOCK_SIZE;
2135
0
        specs->iv_size               = AESGCM_IMP_IV_SZ;
2136
0
        specs->aead_mac_size         = AES_GCM_AUTH_SZ;
2137
2138
0
        break;
2139
0
#endif
2140
2141
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
2142
    case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA :
2143
        specs->bulk_cipher_algorithm = wolfssl_camellia;
2144
        specs->cipher_type           = block;
2145
        specs->mac_algorithm         = sha_mac;
2146
        specs->kea                   = rsa_kea;
2147
        specs->sig_algo              = rsa_sa_algo;
2148
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
2149
        specs->pad_size              = PAD_SHA;
2150
        specs->static_ecdh           = 0;
2151
        specs->key_size              = CAMELLIA_128_KEY_SIZE;
2152
        specs->block_size            = CAMELLIA_BLOCK_SIZE;
2153
        specs->iv_size               = CAMELLIA_IV_SIZE;
2154
2155
        break;
2156
#endif
2157
2158
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
2159
    case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA :
2160
        specs->bulk_cipher_algorithm = wolfssl_camellia;
2161
        specs->cipher_type           = block;
2162
        specs->mac_algorithm         = sha_mac;
2163
        specs->kea                   = rsa_kea;
2164
        specs->sig_algo              = rsa_sa_algo;
2165
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
2166
        specs->pad_size              = PAD_SHA;
2167
        specs->static_ecdh           = 0;
2168
        specs->key_size              = CAMELLIA_256_KEY_SIZE;
2169
        specs->block_size            = CAMELLIA_BLOCK_SIZE;
2170
        specs->iv_size               = CAMELLIA_IV_SIZE;
2171
2172
        break;
2173
#endif
2174
2175
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
2176
    case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
2177
        specs->bulk_cipher_algorithm = wolfssl_camellia;
2178
        specs->cipher_type           = block;
2179
        specs->mac_algorithm         = sha256_mac;
2180
        specs->kea                   = rsa_kea;
2181
        specs->sig_algo              = rsa_sa_algo;
2182
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
2183
        specs->pad_size              = PAD_SHA;
2184
        specs->static_ecdh           = 0;
2185
        specs->key_size              = CAMELLIA_128_KEY_SIZE;
2186
        specs->block_size            = CAMELLIA_BLOCK_SIZE;
2187
        specs->iv_size               = CAMELLIA_IV_SIZE;
2188
2189
        break;
2190
#endif
2191
2192
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
2193
    case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
2194
        specs->bulk_cipher_algorithm = wolfssl_camellia;
2195
        specs->cipher_type           = block;
2196
        specs->mac_algorithm         = sha256_mac;
2197
        specs->kea                   = rsa_kea;
2198
        specs->sig_algo              = rsa_sa_algo;
2199
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
2200
        specs->pad_size              = PAD_SHA;
2201
        specs->static_ecdh           = 0;
2202
        specs->key_size              = CAMELLIA_256_KEY_SIZE;
2203
        specs->block_size            = CAMELLIA_BLOCK_SIZE;
2204
        specs->iv_size               = CAMELLIA_IV_SIZE;
2205
2206
        break;
2207
#endif
2208
2209
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
2210
0
    case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA :
2211
0
        specs->bulk_cipher_algorithm = wolfssl_camellia;
2212
0
        specs->cipher_type           = block;
2213
0
        specs->mac_algorithm         = sha_mac;
2214
0
        specs->kea                   = diffie_hellman_kea;
2215
0
        specs->sig_algo              = rsa_sa_algo;
2216
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
2217
0
        specs->pad_size              = PAD_SHA;
2218
0
        specs->static_ecdh           = 0;
2219
0
        specs->key_size              = CAMELLIA_128_KEY_SIZE;
2220
0
        specs->block_size            = CAMELLIA_BLOCK_SIZE;
2221
0
        specs->iv_size               = CAMELLIA_IV_SIZE;
2222
2223
0
        break;
2224
0
#endif
2225
2226
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
2227
0
    case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA :
2228
0
        specs->bulk_cipher_algorithm = wolfssl_camellia;
2229
0
        specs->cipher_type           = block;
2230
0
        specs->mac_algorithm         = sha_mac;
2231
0
        specs->kea                   = diffie_hellman_kea;
2232
0
        specs->sig_algo              = rsa_sa_algo;
2233
0
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
2234
0
        specs->pad_size              = PAD_SHA;
2235
0
        specs->static_ecdh           = 0;
2236
0
        specs->key_size              = CAMELLIA_256_KEY_SIZE;
2237
0
        specs->block_size            = CAMELLIA_BLOCK_SIZE;
2238
0
        specs->iv_size               = CAMELLIA_IV_SIZE;
2239
2240
0
        break;
2241
0
#endif
2242
2243
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
2244
0
    case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
2245
0
        specs->bulk_cipher_algorithm = wolfssl_camellia;
2246
0
        specs->cipher_type           = block;
2247
0
        specs->mac_algorithm         = sha256_mac;
2248
0
        specs->kea                   = diffie_hellman_kea;
2249
0
        specs->sig_algo              = rsa_sa_algo;
2250
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
2251
0
        specs->pad_size              = PAD_SHA;
2252
0
        specs->static_ecdh           = 0;
2253
0
        specs->key_size              = CAMELLIA_128_KEY_SIZE;
2254
0
        specs->block_size            = CAMELLIA_BLOCK_SIZE;
2255
0
        specs->iv_size               = CAMELLIA_IV_SIZE;
2256
2257
0
        break;
2258
0
#endif
2259
2260
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
2261
0
    case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
2262
0
        specs->bulk_cipher_algorithm = wolfssl_camellia;
2263
0
        specs->cipher_type           = block;
2264
0
        specs->mac_algorithm         = sha256_mac;
2265
0
        specs->kea                   = diffie_hellman_kea;
2266
0
        specs->sig_algo              = rsa_sa_algo;
2267
0
        specs->hash_size             = WC_SHA256_DIGEST_SIZE;
2268
0
        specs->pad_size              = PAD_SHA;
2269
0
        specs->static_ecdh           = 0;
2270
0
        specs->key_size              = CAMELLIA_256_KEY_SIZE;
2271
0
        specs->block_size            = CAMELLIA_BLOCK_SIZE;
2272
0
        specs->iv_size               = CAMELLIA_IV_SIZE;
2273
2274
0
        break;
2275
0
#endif
2276
2277
#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
2278
    case TLS_DH_anon_WITH_AES_128_CBC_SHA :
2279
        specs->bulk_cipher_algorithm = wolfssl_aes;
2280
        specs->cipher_type           = block;
2281
        specs->mac_algorithm         = sha_mac;
2282
        specs->kea                   = diffie_hellman_kea;
2283
        specs->sig_algo              = anonymous_sa_algo;
2284
        specs->hash_size             = WC_SHA_DIGEST_SIZE;
2285
        specs->pad_size              = PAD_SHA;
2286
        specs->static_ecdh           = 0;
2287
        specs->key_size              = AES_128_KEY_SIZE;
2288
        specs->block_size            = AES_BLOCK_SIZE;
2289
        specs->iv_size               = AES_IV_SIZE;
2290
2291
        if (opts != NULL)
2292
            opts->usingAnon_cipher   = 1;
2293
        break;
2294
#endif
2295
2296
#ifdef BUILD_WDM_WITH_NULL_SHA256
2297
        case WDM_WITH_NULL_SHA256 :
2298
            specs->bulk_cipher_algorithm = wolfssl_cipher_null;
2299
            specs->cipher_type           = stream;
2300
            specs->mac_algorithm         = sha256_mac;
2301
            specs->kea                   = no_kea;
2302
            specs->sig_algo              = anonymous_sa_algo;
2303
            specs->hash_size             = WC_SHA256_DIGEST_SIZE;
2304
            specs->pad_size              = PAD_SHA;
2305
2306
            break;
2307
#endif
2308
2309
0
    default:
2310
0
        WOLFSSL_MSG("Unsupported cipher suite, SetCipherSpecs");
2311
0
        WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_SUITE);
2312
0
        return UNSUPPORTED_SUITE;
2313
0
    }  /* switch */
2314
0
    }  /* if ECC / Normal suites else */
2315
2316
0
    if (specs->sig_algo == anonymous_sa_algo && opts != NULL) {
2317
        /* CLIENT/SERVER: No peer authentication to be performed. */
2318
0
        opts->peerAuthGood = 1;
2319
0
    }
2320
2321
0
    return 0;
2322
0
}
2323
2324
2325
enum KeyStuff {
2326
    MASTER_ROUNDS = 3,
2327
    PREFIX        = 3,     /* up to three letters for master prefix */
2328
    KEY_PREFIX    = 9      /* up to 9 prefix letters for key rounds */
2329
2330
2331
};
2332
2333
#ifndef NO_OLD_TLS
2334
/* true or false, zero for error */
2335
static int SetPrefix(byte* sha_input, int idx)
2336
{
2337
    switch (idx) {
2338
    case 0:
2339
        XMEMCPY(sha_input, "A", 1);
2340
        break;
2341
    case 1:
2342
        XMEMCPY(sha_input, "BB", 2);
2343
        break;
2344
    case 2:
2345
        XMEMCPY(sha_input, "CCC", 3);
2346
        break;
2347
    case 3:
2348
        XMEMCPY(sha_input, "DDDD", 4);
2349
        break;
2350
    case 4:
2351
        XMEMCPY(sha_input, "EEEEE", 5);
2352
        break;
2353
    case 5:
2354
        XMEMCPY(sha_input, "FFFFFF", 6);
2355
        break;
2356
    case 6:
2357
        XMEMCPY(sha_input, "GGGGGGG", 7);
2358
        break;
2359
    case 7:
2360
        XMEMCPY(sha_input, "HHHHHHHH", 8);
2361
        break;
2362
    case 8:
2363
        XMEMCPY(sha_input, "IIIIIIIII", 9);
2364
        break;
2365
    default:
2366
        WOLFSSL_MSG("Set Prefix error, bad input");
2367
        return 0;
2368
    }
2369
    return 1;
2370
}
2371
#endif
2372
2373
2374
int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
2375
                   int side, void* heap, int devId, WC_RNG* rng, int tls13)
2376
0
{
2377
0
    (void)rng;
2378
0
    (void)tls13;
2379
2380
0
#ifdef BUILD_ARC4
2381
0
    if (specs->bulk_cipher_algorithm == wolfssl_rc4) {
2382
0
        word32 sz = specs->key_size;
2383
0
        if (enc && enc->arc4 == NULL) {
2384
0
            enc->arc4 = (Arc4*)XMALLOC(sizeof(Arc4), heap, DYNAMIC_TYPE_CIPHER);
2385
0
            if (enc->arc4 == NULL)
2386
0
                 return MEMORY_E;
2387
0
        }
2388
0
        if (dec && dec->arc4 == NULL) {
2389
0
            dec->arc4 = (Arc4*)XMALLOC(sizeof(Arc4), heap, DYNAMIC_TYPE_CIPHER);
2390
0
            if (dec->arc4 == NULL)
2391
0
                return MEMORY_E;
2392
0
        }
2393
2394
0
        if (enc) {
2395
0
            if (wc_Arc4Init(enc->arc4, heap, devId) != 0) {
2396
0
                WOLFSSL_MSG("Arc4Init failed in SetKeys");
2397
0
                return ASYNC_INIT_E;
2398
0
            }
2399
0
        }
2400
0
        if (dec) {
2401
0
            if (wc_Arc4Init(dec->arc4, heap, devId) != 0) {
2402
0
                WOLFSSL_MSG("Arc4Init failed in SetKeys");
2403
0
                return ASYNC_INIT_E;
2404
0
            }
2405
0
        }
2406
2407
0
        if (side == WOLFSSL_CLIENT_END) {
2408
0
            if (enc)
2409
0
                wc_Arc4SetKey(enc->arc4, keys->client_write_key, sz);
2410
0
            if (dec)
2411
0
                wc_Arc4SetKey(dec->arc4, keys->server_write_key, sz);
2412
0
        }
2413
0
        else {
2414
0
            if (enc)
2415
0
                wc_Arc4SetKey(enc->arc4, keys->server_write_key, sz);
2416
0
            if (dec)
2417
0
                wc_Arc4SetKey(dec->arc4, keys->client_write_key, sz);
2418
0
        }
2419
0
        if (enc)
2420
0
            enc->setup = 1;
2421
0
        if (dec)
2422
0
            dec->setup = 1;
2423
0
    }
2424
0
#endif /* BUILD_ARC4 */
2425
2426
2427
0
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_CHAPOL_AEAD)
2428
    /* Check that the max implicit iv size is sufficient */
2429
    #if (AEAD_MAX_IMP_SZ < 12) /* CHACHA20_IMP_IV_SZ */
2430
        #error AEAD_MAX_IMP_SZ is too small for ChaCha20
2431
    #endif
2432
    #if (MAX_WRITE_IV_SZ < 12) /* CHACHA20_IMP_IV_SZ */
2433
        #error MAX_WRITE_IV_SZ is too small for ChaCha20
2434
    #endif
2435
2436
0
    if (specs->bulk_cipher_algorithm == wolfssl_chacha) {
2437
0
        int chachaRet;
2438
0
        if (enc && enc->chacha == NULL)
2439
0
            enc->chacha =
2440
0
                    (ChaCha*)XMALLOC(sizeof(ChaCha), heap, DYNAMIC_TYPE_CIPHER);
2441
0
        if (enc && enc->chacha == NULL)
2442
0
            return MEMORY_E;
2443
    #ifdef WOLFSSL_CHECK_MEM_ZERO
2444
        if (enc) {
2445
            wc_MemZero_Add("SSL keys enc chacha", enc->chacha, sizeof(ChaCha));
2446
        }
2447
    #endif
2448
0
        if (dec && dec->chacha == NULL)
2449
0
            dec->chacha =
2450
0
                    (ChaCha*)XMALLOC(sizeof(ChaCha), heap, DYNAMIC_TYPE_CIPHER);
2451
0
        if (dec && dec->chacha == NULL)
2452
0
            return MEMORY_E;
2453
    #ifdef WOLFSSL_CHECK_MEM_ZERO
2454
        if (dec) {
2455
            wc_MemZero_Add("SSL keys dec chacha", dec->chacha, sizeof(ChaCha));
2456
        }
2457
    #endif
2458
0
        if (side == WOLFSSL_CLIENT_END) {
2459
0
            if (enc) {
2460
0
                chachaRet = wc_Chacha_SetKey(enc->chacha, keys->client_write_key,
2461
0
                                          specs->key_size);
2462
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
2463
0
                        CHACHA20_IMP_IV_SZ);
2464
0
                if (chachaRet != 0) return chachaRet;
2465
0
            }
2466
0
            if (dec) {
2467
0
                chachaRet = wc_Chacha_SetKey(dec->chacha, keys->server_write_key,
2468
0
                                          specs->key_size);
2469
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
2470
0
                        CHACHA20_IMP_IV_SZ);
2471
0
                if (chachaRet != 0) return chachaRet;
2472
0
            }
2473
0
        }
2474
0
        else {
2475
0
            if (enc) {
2476
0
                chachaRet = wc_Chacha_SetKey(enc->chacha, keys->server_write_key,
2477
0
                                          specs->key_size);
2478
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
2479
0
                        CHACHA20_IMP_IV_SZ);
2480
0
                if (chachaRet != 0) return chachaRet;
2481
0
            }
2482
0
            if (dec) {
2483
0
                chachaRet = wc_Chacha_SetKey(dec->chacha, keys->client_write_key,
2484
0
                                          specs->key_size);
2485
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
2486
0
                        CHACHA20_IMP_IV_SZ);
2487
0
                if (chachaRet != 0) return chachaRet;
2488
0
            }
2489
0
        }
2490
2491
0
        if (enc)
2492
0
            enc->setup = 1;
2493
0
        if (dec)
2494
0
            dec->setup = 1;
2495
0
    }
2496
0
#endif /* HAVE_CHACHA && HAVE_POLY1305 */
2497
2498
0
#ifdef BUILD_DES3
2499
    /* check that buffer sizes are sufficient */
2500
    #if (MAX_WRITE_IV_SZ < 8) /* DES_IV_SIZE */
2501
        #error MAX_WRITE_IV_SZ too small for 3DES
2502
    #endif
2503
2504
0
    if (specs->bulk_cipher_algorithm == wolfssl_triple_des) {
2505
0
        int desRet = 0;
2506
2507
0
        if (enc) {
2508
0
            if (enc->des3 == NULL)
2509
0
                enc->des3 = (Des3*)XMALLOC(sizeof(Des3), heap, DYNAMIC_TYPE_CIPHER);
2510
0
            if (enc->des3 == NULL)
2511
0
                return MEMORY_E;
2512
0
            XMEMSET(enc->des3, 0, sizeof(Des3));
2513
0
        }
2514
0
        if (dec) {
2515
0
            if (dec->des3 == NULL)
2516
0
                dec->des3 = (Des3*)XMALLOC(sizeof(Des3), heap, DYNAMIC_TYPE_CIPHER);
2517
0
            if (dec->des3 == NULL)
2518
0
                return MEMORY_E;
2519
0
            XMEMSET(dec->des3, 0, sizeof(Des3));
2520
0
        }
2521
2522
0
        if (enc) {
2523
0
            if (wc_Des3Init(enc->des3, heap, devId) != 0) {
2524
0
                WOLFSSL_MSG("Des3Init failed in SetKeys");
2525
0
                return ASYNC_INIT_E;
2526
0
            }
2527
0
        }
2528
0
        if (dec) {
2529
0
            if (wc_Des3Init(dec->des3, heap, devId) != 0) {
2530
0
                WOLFSSL_MSG("Des3Init failed in SetKeys");
2531
0
                return ASYNC_INIT_E;
2532
0
            }
2533
0
        }
2534
2535
0
        if (side == WOLFSSL_CLIENT_END) {
2536
0
            if (enc) {
2537
0
                desRet = wc_Des3_SetKey(enc->des3, keys->client_write_key,
2538
0
                                     keys->client_write_IV, DES_ENCRYPTION);
2539
0
                if (desRet != 0) return desRet;
2540
0
            }
2541
0
            if (dec) {
2542
0
                desRet = wc_Des3_SetKey(dec->des3, keys->server_write_key,
2543
0
                                     keys->server_write_IV, DES_DECRYPTION);
2544
0
                if (desRet != 0) return desRet;
2545
0
            }
2546
0
        }
2547
0
        else {
2548
0
            if (enc) {
2549
0
                desRet = wc_Des3_SetKey(enc->des3, keys->server_write_key,
2550
0
                                     keys->server_write_IV, DES_ENCRYPTION);
2551
0
                if (desRet != 0) return desRet;
2552
0
            }
2553
0
            if (dec) {
2554
0
                desRet = wc_Des3_SetKey(dec->des3, keys->client_write_key,
2555
0
                                     keys->client_write_IV, DES_DECRYPTION);
2556
0
                if (desRet != 0) return desRet;
2557
0
            }
2558
0
        }
2559
0
        if (enc)
2560
0
            enc->setup = 1;
2561
0
        if (dec)
2562
0
            dec->setup = 1;
2563
0
    }
2564
0
#endif /* BUILD_DES3 */
2565
2566
0
#ifdef BUILD_AES
2567
    /* check that buffer sizes are sufficient */
2568
    #if (MAX_WRITE_IV_SZ < 16) /* AES_IV_SIZE */
2569
        #error MAX_WRITE_IV_SZ too small for AES
2570
    #endif
2571
2572
0
    if (specs->bulk_cipher_algorithm == wolfssl_aes) {
2573
0
        int aesRet = 0;
2574
2575
0
        if (enc) {
2576
0
            if (enc->aes == NULL) {
2577
0
                enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
2578
0
                if (enc->aes == NULL)
2579
0
                    return MEMORY_E;
2580
0
            } else {
2581
0
                wc_AesFree(enc->aes);
2582
0
            }
2583
2584
0
            XMEMSET(enc->aes, 0, sizeof(Aes));
2585
0
        }
2586
0
        if (dec) {
2587
0
            if (dec->aes == NULL) {
2588
0
                dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
2589
0
                if (dec->aes == NULL)
2590
0
                    return MEMORY_E;
2591
0
            } else {
2592
0
                wc_AesFree(dec->aes);
2593
0
            }
2594
2595
0
            XMEMSET(dec->aes, 0, sizeof(Aes));
2596
0
        }
2597
0
        if (enc) {
2598
0
            if (wc_AesInit(enc->aes, heap, devId) != 0) {
2599
0
                WOLFSSL_MSG("AesInit failed in SetKeys");
2600
0
                return ASYNC_INIT_E;
2601
0
            }
2602
0
        }
2603
0
        if (dec) {
2604
0
            if (wc_AesInit(dec->aes, heap, devId) != 0) {
2605
0
                WOLFSSL_MSG("AesInit failed in SetKeys");
2606
0
                return ASYNC_INIT_E;
2607
0
            }
2608
0
        }
2609
2610
0
        if (side == WOLFSSL_CLIENT_END) {
2611
0
            if (enc) {
2612
0
                aesRet = wc_AesSetKey(enc->aes, keys->client_write_key,
2613
0
                                   specs->key_size, keys->client_write_IV,
2614
0
                                   AES_ENCRYPTION);
2615
0
                if (aesRet != 0) return aesRet;
2616
0
            }
2617
0
            if (dec) {
2618
0
                aesRet = wc_AesSetKey(dec->aes, keys->server_write_key,
2619
0
                                   specs->key_size, keys->server_write_IV,
2620
0
                                   AES_DECRYPTION);
2621
0
                if (aesRet != 0) return aesRet;
2622
0
            }
2623
0
        }
2624
0
        else {
2625
0
            if (enc) {
2626
0
                aesRet = wc_AesSetKey(enc->aes, keys->server_write_key,
2627
0
                                   specs->key_size, keys->server_write_IV,
2628
0
                                   AES_ENCRYPTION);
2629
0
                if (aesRet != 0) return aesRet;
2630
0
            }
2631
0
            if (dec) {
2632
0
                aesRet = wc_AesSetKey(dec->aes, keys->client_write_key,
2633
0
                                   specs->key_size, keys->client_write_IV,
2634
0
                                   AES_DECRYPTION);
2635
0
                if (aesRet != 0) return aesRet;
2636
0
            }
2637
0
        }
2638
0
        if (enc)
2639
0
            enc->setup = 1;
2640
0
        if (dec)
2641
0
            dec->setup = 1;
2642
0
    }
2643
0
#endif /* BUILD_AES */
2644
2645
0
#ifdef BUILD_AESGCM
2646
    /* check that buffer sizes are sufficient */
2647
    #if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */
2648
        #error AEAD_MAX_IMP_SZ too small for AESGCM
2649
    #endif
2650
    #if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */
2651
        #error AEAD_MAX_EXP_SZ too small for AESGCM
2652
    #endif
2653
    #if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */
2654
        #error MAX_WRITE_IV_SZ too small for AESGCM
2655
    #endif
2656
2657
0
    if (specs->bulk_cipher_algorithm == wolfssl_aes_gcm) {
2658
0
        int gcmRet;
2659
2660
0
        if (enc) {
2661
0
            if (enc->aes == NULL) {
2662
0
                enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
2663
0
                if (enc->aes == NULL)
2664
0
                    return MEMORY_E;
2665
0
            } else {
2666
0
                wc_AesFree(enc->aes);
2667
0
            }
2668
2669
0
            XMEMSET(enc->aes, 0, sizeof(Aes));
2670
0
        }
2671
0
        if (dec) {
2672
0
            if (dec->aes == NULL) {
2673
0
                dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
2674
0
                if (dec->aes == NULL)
2675
0
                    return MEMORY_E;
2676
0
            } else {
2677
0
                wc_AesFree(dec->aes);
2678
0
            }
2679
2680
0
            XMEMSET(dec->aes, 0, sizeof(Aes));
2681
0
        }
2682
2683
0
        if (enc) {
2684
0
            if (wc_AesInit(enc->aes, heap, devId) != 0) {
2685
0
                WOLFSSL_MSG("AesInit failed in SetKeys");
2686
0
                return ASYNC_INIT_E;
2687
0
            }
2688
0
        }
2689
0
        if (dec) {
2690
0
            if (wc_AesInit(dec->aes, heap, devId) != 0) {
2691
0
                WOLFSSL_MSG("AesInit failed in SetKeys");
2692
0
                return ASYNC_INIT_E;
2693
0
            }
2694
0
        }
2695
2696
0
        if (side == WOLFSSL_CLIENT_END) {
2697
0
            if (enc) {
2698
0
                gcmRet = wc_AesGcmSetKey(enc->aes, keys->client_write_key,
2699
0
                                      specs->key_size);
2700
0
                if (gcmRet != 0) return gcmRet;
2701
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
2702
0
                        AEAD_MAX_IMP_SZ);
2703
0
#if !defined(NO_PUBLIC_GCM_SET_IV) && \
2704
0
    ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
2705
0
    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
2706
0
                if (!tls13) {
2707
0
                    gcmRet = wc_AesGcmSetIV(enc->aes, AESGCM_NONCE_SZ,
2708
0
                            keys->client_write_IV, AESGCM_IMP_IV_SZ, rng);
2709
0
                    if (gcmRet != 0) return gcmRet;
2710
0
                }
2711
0
#endif
2712
0
            }
2713
0
            if (dec) {
2714
0
                gcmRet = wc_AesGcmSetKey(dec->aes, keys->server_write_key,
2715
0
                                      specs->key_size);
2716
0
                if (gcmRet != 0) return gcmRet;
2717
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
2718
0
                        AEAD_MAX_IMP_SZ);
2719
0
            }
2720
0
        }
2721
0
        else {
2722
0
            if (enc) {
2723
0
                gcmRet = wc_AesGcmSetKey(enc->aes, keys->server_write_key,
2724
0
                                      specs->key_size);
2725
0
                if (gcmRet != 0) return gcmRet;
2726
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
2727
0
                        AEAD_MAX_IMP_SZ);
2728
0
#if !defined(NO_PUBLIC_GCM_SET_IV) && \
2729
0
    ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
2730
0
    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
2731
0
                if (!tls13) {
2732
0
                    gcmRet = wc_AesGcmSetIV(enc->aes, AESGCM_NONCE_SZ,
2733
0
                            keys->server_write_IV, AESGCM_IMP_IV_SZ, rng);
2734
0
                    if (gcmRet != 0) return gcmRet;
2735
0
                }
2736
0
#endif
2737
0
            }
2738
0
            if (dec) {
2739
0
                gcmRet = wc_AesGcmSetKey(dec->aes, keys->client_write_key,
2740
0
                                      specs->key_size);
2741
0
                if (gcmRet != 0) return gcmRet;
2742
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
2743
0
                        AEAD_MAX_IMP_SZ);
2744
0
            }
2745
0
        }
2746
0
        if (enc)
2747
0
            enc->setup = 1;
2748
0
        if (dec)
2749
0
            dec->setup = 1;
2750
0
    }
2751
0
#endif /* BUILD_AESGCM */
2752
2753
0
#ifdef HAVE_AESCCM
2754
    /* check that buffer sizes are sufficient (CCM is same size as GCM) */
2755
    #if (AEAD_MAX_IMP_SZ < 4) /* AESGCM_IMP_IV_SZ */
2756
        #error AEAD_MAX_IMP_SZ too small for AESCCM
2757
    #endif
2758
    #if (AEAD_MAX_EXP_SZ < 8) /* AESGCM_EXP_IV_SZ */
2759
        #error AEAD_MAX_EXP_SZ too small for AESCCM
2760
    #endif
2761
    #if (MAX_WRITE_IV_SZ < 4) /* AESGCM_IMP_IV_SZ */
2762
        #error MAX_WRITE_IV_SZ too small for AESCCM
2763
    #endif
2764
2765
0
    if (specs->bulk_cipher_algorithm == wolfssl_aes_ccm) {
2766
0
        int CcmRet;
2767
2768
0
        if (enc) {
2769
0
            if (enc->aes == NULL) {
2770
0
                enc->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
2771
0
                if (enc->aes == NULL)
2772
0
                    return MEMORY_E;
2773
0
            } else {
2774
0
                wc_AesFree(enc->aes);
2775
0
            }
2776
2777
0
            XMEMSET(enc->aes, 0, sizeof(Aes));
2778
0
        }
2779
0
        if (dec) {
2780
0
            if (dec->aes == NULL) {
2781
0
                dec->aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_CIPHER);
2782
0
                if (dec->aes == NULL)
2783
0
                return MEMORY_E;
2784
0
            } else {
2785
0
                wc_AesFree(dec->aes);
2786
0
            }
2787
0
            XMEMSET(dec->aes, 0, sizeof(Aes));
2788
0
        }
2789
2790
0
        if (enc) {
2791
0
            if (wc_AesInit(enc->aes, heap, devId) != 0) {
2792
0
                WOLFSSL_MSG("AesInit failed in SetKeys");
2793
0
                return ASYNC_INIT_E;
2794
0
            }
2795
0
        }
2796
0
        if (dec) {
2797
0
            if (wc_AesInit(dec->aes, heap, devId) != 0) {
2798
0
                WOLFSSL_MSG("AesInit failed in SetKeys");
2799
0
                return ASYNC_INIT_E;
2800
0
            }
2801
0
        }
2802
2803
0
        if (side == WOLFSSL_CLIENT_END) {
2804
0
            if (enc) {
2805
0
                CcmRet = wc_AesCcmSetKey(enc->aes, keys->client_write_key,
2806
0
                                         specs->key_size);
2807
0
                if (CcmRet != 0) {
2808
0
                    return CcmRet;
2809
0
                }
2810
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
2811
0
                        AEAD_MAX_IMP_SZ);
2812
0
#if !defined(NO_PUBLIC_CCM_SET_NONCE) && \
2813
0
    ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
2814
0
    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
2815
0
                if (!tls13) {
2816
0
                    CcmRet = wc_AesCcmSetNonce(enc->aes, keys->client_write_IV,
2817
0
                            AEAD_MAX_IMP_SZ);
2818
0
                    if (CcmRet != 0) return CcmRet;
2819
0
                }
2820
0
#endif
2821
0
            }
2822
0
            if (dec) {
2823
0
                CcmRet = wc_AesCcmSetKey(dec->aes, keys->server_write_key,
2824
0
                                         specs->key_size);
2825
0
                if (CcmRet != 0) {
2826
0
                    return CcmRet;
2827
0
                }
2828
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
2829
0
                        AEAD_MAX_IMP_SZ);
2830
0
            }
2831
0
        }
2832
0
        else {
2833
0
            if (enc) {
2834
0
                CcmRet = wc_AesCcmSetKey(enc->aes, keys->server_write_key,
2835
0
                                         specs->key_size);
2836
0
                if (CcmRet != 0) {
2837
0
                    return CcmRet;
2838
0
                }
2839
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
2840
0
                        AEAD_MAX_IMP_SZ);
2841
0
#if !defined(NO_PUBLIC_CCM_SET_NONCE) && \
2842
0
    ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
2843
0
    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
2844
0
                if (!tls13) {
2845
0
                    CcmRet = wc_AesCcmSetNonce(enc->aes, keys->server_write_IV,
2846
0
                            AEAD_MAX_IMP_SZ);
2847
0
                    if (CcmRet != 0) return CcmRet;
2848
0
                }
2849
0
#endif
2850
0
            }
2851
0
            if (dec) {
2852
0
                CcmRet = wc_AesCcmSetKey(dec->aes, keys->client_write_key,
2853
0
                                         specs->key_size);
2854
0
                if (CcmRet != 0) {
2855
0
                    return CcmRet;
2856
0
                }
2857
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
2858
0
                        AEAD_MAX_IMP_SZ);
2859
0
            }
2860
0
        }
2861
0
        if (enc)
2862
0
            enc->setup = 1;
2863
0
        if (dec)
2864
0
            dec->setup = 1;
2865
0
    }
2866
0
#endif /* HAVE_AESCCM */
2867
2868
#ifdef HAVE_ARIA
2869
    /* check that buffer sizes are sufficient */
2870
    #if (MAX_WRITE_IV_SZ < 16) /* AES_IV_SIZE */
2871
        #error MAX_WRITE_IV_SZ too small for AES
2872
    #endif
2873
2874
    if (specs->bulk_cipher_algorithm == wolfssl_aria_gcm) {
2875
        int ret = 0;
2876
        MC_ALGID algo;
2877
2878
        switch(specs->key_size) {
2879
            case ARIA_128_KEY_SIZE:
2880
                algo = MC_ALGID_ARIA_128BITKEY;
2881
                break;
2882
            case ARIA_192_KEY_SIZE:
2883
                algo = MC_ALGID_ARIA_192BITKEY;
2884
                break;
2885
            case ARIA_256_KEY_SIZE:
2886
                algo = MC_ALGID_ARIA_256BITKEY;
2887
                break;
2888
            default:
2889
                return WOLFSSL_NOT_IMPLEMENTED; /* This should never happen */
2890
        }
2891
2892
        if (enc) {
2893
            if (enc->aria == NULL) {
2894
                enc->aria = (wc_Aria*)XMALLOC(sizeof(wc_Aria), heap, DYNAMIC_TYPE_CIPHER);
2895
                if (enc->aria == NULL)
2896
                    return MEMORY_E;
2897
            } else {
2898
                wc_AriaFreeCrypt(enc->aria);
2899
            }
2900
2901
            XMEMSET(enc->aria, 0, sizeof(wc_Aria));
2902
            if (wc_AriaInitCrypt(enc->aria, algo) != 0) {
2903
                WOLFSSL_MSG("AriaInit failed in SetKeys");
2904
                return ASYNC_INIT_E;
2905
            }
2906
        }
2907
        if (dec) {
2908
            if (dec->aria == NULL) {
2909
                dec->aria = (wc_Aria*)XMALLOC(sizeof(wc_Aria), heap, DYNAMIC_TYPE_CIPHER);
2910
                if (dec->aria == NULL)
2911
                    return MEMORY_E;
2912
            } else {
2913
                wc_AriaFreeCrypt(dec->aria);
2914
            }
2915
2916
            XMEMSET(dec->aria, 0, sizeof(wc_Aria));
2917
            if (wc_AriaInitCrypt(dec->aria, algo) != 0) {
2918
                WOLFSSL_MSG("AriaInit failed in SetKeys");
2919
                return ASYNC_INIT_E;
2920
            }
2921
        }
2922
2923
        if (side == WOLFSSL_CLIENT_END) {
2924
            if (enc) {
2925
                ret = wc_AriaSetKey(enc->aria, keys->client_write_key);
2926
                if (ret != 0) return ret;
2927
                XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
2928
                        AEAD_MAX_IMP_SZ);
2929
                if (!tls13) {
2930
                    ret = wc_AriaGcmSetIV(enc->aria, AESGCM_NONCE_SZ,
2931
                            keys->client_write_IV, AESGCM_IMP_IV_SZ, rng);
2932
                    if (ret != 0) return ret;
2933
                }
2934
            }
2935
            if (dec) {
2936
                ret = wc_AriaSetKey(dec->aria, keys->server_write_key);
2937
                if (ret != 0) return ret;
2938
                XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
2939
                        AEAD_MAX_IMP_SZ);
2940
            }
2941
        }
2942
        else {
2943
            if (enc) {
2944
                ret = wc_AriaSetKey(enc->aria, keys->server_write_key);
2945
                if (ret != 0) return ret;
2946
                XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
2947
                        AEAD_MAX_IMP_SZ);
2948
                if (!tls13) {
2949
                    ret = wc_AriaGcmSetIV(enc->aria, AESGCM_NONCE_SZ,
2950
                            keys->server_write_IV, AESGCM_IMP_IV_SZ, rng);
2951
                    if (ret != 0) return ret;
2952
                }
2953
            }
2954
            if (dec) {
2955
                ret = wc_AriaSetKey(dec->aria, keys->client_write_key);
2956
                if (ret != 0) return ret;
2957
                XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
2958
                        AEAD_MAX_IMP_SZ);
2959
            }
2960
        }
2961
        if (enc)
2962
            enc->setup = 1;
2963
        if (dec)
2964
            dec->setup = 1;
2965
    }
2966
#endif /* HAVE_ARIA */
2967
2968
0
#ifdef HAVE_CAMELLIA
2969
    /* check that buffer sizes are sufficient */
2970
    #if (MAX_WRITE_IV_SZ < 16) /* CAMELLIA_IV_SIZE */
2971
        #error MAX_WRITE_IV_SZ too small for CAMELLIA
2972
    #endif
2973
2974
0
    if (specs->bulk_cipher_algorithm == wolfssl_camellia) {
2975
0
        int camRet;
2976
2977
0
        if (enc && enc->cam == NULL)
2978
0
            enc->cam =
2979
0
                (Camellia*)XMALLOC(sizeof(Camellia), heap, DYNAMIC_TYPE_CIPHER);
2980
0
        if (enc && enc->cam == NULL)
2981
0
            return MEMORY_E;
2982
2983
0
        if (dec && dec->cam == NULL)
2984
0
            dec->cam =
2985
0
                (Camellia*)XMALLOC(sizeof(Camellia), heap, DYNAMIC_TYPE_CIPHER);
2986
0
        if (dec && dec->cam == NULL)
2987
0
            return MEMORY_E;
2988
2989
0
        if (side == WOLFSSL_CLIENT_END) {
2990
0
            if (enc) {
2991
0
                camRet = wc_CamelliaSetKey(enc->cam, keys->client_write_key,
2992
0
                                        specs->key_size, keys->client_write_IV);
2993
0
                if (camRet != 0) return camRet;
2994
0
            }
2995
0
            if (dec) {
2996
0
                camRet = wc_CamelliaSetKey(dec->cam, keys->server_write_key,
2997
0
                                        specs->key_size, keys->server_write_IV);
2998
0
                if (camRet != 0) return camRet;
2999
0
            }
3000
0
        }
3001
0
        else {
3002
0
            if (enc) {
3003
0
                camRet = wc_CamelliaSetKey(enc->cam, keys->server_write_key,
3004
0
                                        specs->key_size, keys->server_write_IV);
3005
0
                if (camRet != 0) return camRet;
3006
0
            }
3007
0
            if (dec) {
3008
0
                camRet = wc_CamelliaSetKey(dec->cam, keys->client_write_key,
3009
0
                                        specs->key_size, keys->client_write_IV);
3010
0
                if (camRet != 0) return camRet;
3011
0
            }
3012
0
        }
3013
0
        if (enc)
3014
0
            enc->setup = 1;
3015
0
        if (dec)
3016
0
            dec->setup = 1;
3017
0
    }
3018
0
#endif /* HAVE_CAMELLIA */
3019
3020
0
#ifdef WOLFSSL_SM4_CBC
3021
    /* check that buffer sizes are sufficient */
3022
    #if (MAX_WRITE_IV_SZ < 16) /* AES_IV_SIZE */
3023
        #error MAX_WRITE_IV_SZ too small for SM4_CBC
3024
    #endif
3025
3026
0
    if (specs->bulk_cipher_algorithm == wolfssl_sm4_cbc) {
3027
0
        int sm4Ret = 0;
3028
3029
0
        if (enc) {
3030
0
            if (enc->sm4 == NULL) {
3031
0
                enc->sm4 = (wc_Sm4*)XMALLOC(sizeof(wc_Sm4), heap,
3032
0
                    DYNAMIC_TYPE_CIPHER);
3033
0
                if (enc->sm4 == NULL)
3034
0
                    return MEMORY_E;
3035
0
            }
3036
0
            else {
3037
0
                wc_Sm4Free(enc->sm4);
3038
0
            }
3039
3040
0
            XMEMSET(enc->sm4, 0, sizeof(wc_Sm4));
3041
0
        }
3042
0
        if (dec) {
3043
0
            if (dec->sm4 == NULL) {
3044
0
                dec->sm4 = (wc_Sm4*)XMALLOC(sizeof(wc_Sm4), heap,
3045
0
                    DYNAMIC_TYPE_CIPHER);
3046
0
                if (dec->sm4 == NULL)
3047
0
                    return MEMORY_E;
3048
0
            }
3049
0
            else {
3050
0
                wc_Sm4Free(dec->sm4);
3051
0
            }
3052
3053
0
            XMEMSET(dec->sm4, 0, sizeof(wc_Sm4));
3054
0
        }
3055
0
        if (enc) {
3056
0
            if (wc_Sm4Init(enc->sm4, heap, devId) != 0) {
3057
0
                WOLFSSL_MSG("Sm4Init failed in SetKeys");
3058
0
                return ASYNC_INIT_E;
3059
0
            }
3060
0
        }
3061
0
        if (dec) {
3062
0
            if (wc_Sm4Init(dec->sm4, heap, devId) != 0) {
3063
0
                WOLFSSL_MSG("Sm4Init failed in SetKeys");
3064
0
                return ASYNC_INIT_E;
3065
0
            }
3066
0
        }
3067
3068
0
        if (side == WOLFSSL_CLIENT_END) {
3069
0
            if (enc) {
3070
0
                sm4Ret = wc_Sm4SetKey(enc->sm4, keys->client_write_key,
3071
0
                    specs->key_size);
3072
0
                if (sm4Ret != 0) return sm4Ret;
3073
0
                sm4Ret = wc_Sm4SetIV(enc->sm4, keys->client_write_IV);
3074
0
                if (sm4Ret != 0) return sm4Ret;
3075
0
            }
3076
0
            if (dec) {
3077
0
                sm4Ret = wc_Sm4SetKey(dec->sm4, keys->server_write_key,
3078
0
                    specs->key_size);
3079
0
                if (sm4Ret != 0) return sm4Ret;
3080
0
                sm4Ret = wc_Sm4SetIV(dec->sm4, keys->server_write_IV);
3081
0
                if (sm4Ret != 0) return sm4Ret;
3082
0
            }
3083
0
        }
3084
0
        else {
3085
0
            if (enc) {
3086
0
                sm4Ret = wc_Sm4SetKey(enc->sm4, keys->server_write_key,
3087
0
                    specs->key_size);
3088
0
                if (sm4Ret != 0) return sm4Ret;
3089
0
                sm4Ret = wc_Sm4SetIV(enc->sm4, keys->server_write_IV);
3090
0
                if (sm4Ret != 0) return sm4Ret;
3091
0
            }
3092
0
            if (dec) {
3093
0
                sm4Ret = wc_Sm4SetKey(dec->sm4, keys->client_write_key,
3094
0
                    specs->key_size);
3095
0
                if (sm4Ret != 0) return sm4Ret;
3096
0
                sm4Ret = wc_Sm4SetIV(dec->sm4, keys->client_write_IV);
3097
0
                if (sm4Ret != 0) return sm4Ret;
3098
0
            }
3099
0
        }
3100
0
        if (enc)
3101
0
            enc->setup = 1;
3102
0
        if (dec)
3103
0
            dec->setup = 1;
3104
0
    }
3105
0
#endif /* WOLFSSL_SM4_CBC */
3106
3107
0
#ifdef WOLFSSL_SM4_GCM
3108
    /* check that buffer sizes are sufficient */
3109
    #if (AEAD_MAX_IMP_SZ < 4) /* SM4-GCM_IMP_IV_SZ */
3110
        #error AEAD_MAX_IMP_SZ too small for SM4-GCM
3111
    #endif
3112
    #if (AEAD_MAX_EXP_SZ < 8) /* SM4-GCM_EXP_IV_SZ */
3113
        #error AEAD_MAX_EXP_SZ too small for SM4-GCM
3114
    #endif
3115
    #if (MAX_WRITE_IV_SZ < 4) /* SM4-GCM_IMP_IV_SZ */
3116
        #error MAX_WRITE_IV_SZ too small for SM4-GCM
3117
    #endif
3118
3119
0
    if (specs->bulk_cipher_algorithm == wolfssl_sm4_gcm) {
3120
0
        int gcmRet;
3121
3122
0
        if (enc) {
3123
0
            if (enc->sm4 == NULL) {
3124
0
                enc->sm4 = (wc_Sm4*)XMALLOC(sizeof(wc_Sm4), heap,
3125
0
                                            DYNAMIC_TYPE_CIPHER);
3126
0
                if (enc->sm4 == NULL)
3127
0
                    return MEMORY_E;
3128
0
            } else {
3129
0
                wc_Sm4Free(enc->sm4);
3130
0
            }
3131
3132
0
            XMEMSET(enc->sm4, 0, sizeof(wc_Sm4));
3133
0
        }
3134
0
        if (dec) {
3135
0
            if (dec->sm4 == NULL) {
3136
0
                dec->sm4 = (wc_Sm4*)XMALLOC(sizeof(wc_Sm4), heap,
3137
0
                                            DYNAMIC_TYPE_CIPHER);
3138
0
                if (dec->sm4 == NULL)
3139
0
                    return MEMORY_E;
3140
0
            } else {
3141
0
                wc_Sm4Free(dec->sm4);
3142
0
            }
3143
3144
0
            XMEMSET(dec->sm4, 0, sizeof(wc_Sm4));
3145
0
        }
3146
3147
0
        if (enc) {
3148
0
            if (wc_Sm4Init(enc->sm4, heap, devId) != 0) {
3149
0
                WOLFSSL_MSG("Sm4Init failed in SetKeys");
3150
0
                return ASYNC_INIT_E;
3151
0
            }
3152
0
        }
3153
0
        if (dec) {
3154
0
            if (wc_Sm4Init(dec->sm4, heap, devId) != 0) {
3155
0
                WOLFSSL_MSG("Sm4Init failed in SetKeys");
3156
0
                return ASYNC_INIT_E;
3157
0
            }
3158
0
        }
3159
3160
0
        if (side == WOLFSSL_CLIENT_END) {
3161
0
            if (enc) {
3162
0
                gcmRet = wc_Sm4GcmSetKey(enc->sm4, keys->client_write_key,
3163
0
                                      specs->key_size);
3164
0
                if (gcmRet != 0) return gcmRet;
3165
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
3166
0
                        AEAD_MAX_IMP_SZ);
3167
0
            }
3168
0
            if (dec) {
3169
0
                gcmRet = wc_Sm4GcmSetKey(dec->sm4, keys->server_write_key,
3170
0
                                      specs->key_size);
3171
0
                if (gcmRet != 0) return gcmRet;
3172
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
3173
0
                        AEAD_MAX_IMP_SZ);
3174
0
            }
3175
0
        }
3176
0
        else {
3177
0
            if (enc) {
3178
0
                gcmRet = wc_Sm4GcmSetKey(enc->sm4, keys->server_write_key,
3179
0
                                      specs->key_size);
3180
0
                if (gcmRet != 0) return gcmRet;
3181
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
3182
0
                        AEAD_MAX_IMP_SZ);
3183
0
            }
3184
0
            if (dec) {
3185
0
                gcmRet = wc_Sm4GcmSetKey(dec->sm4, keys->client_write_key,
3186
0
                                      specs->key_size);
3187
0
                if (gcmRet != 0) return gcmRet;
3188
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
3189
0
                        AEAD_MAX_IMP_SZ);
3190
0
            }
3191
0
        }
3192
0
        if (enc)
3193
0
            enc->setup = 1;
3194
0
        if (dec)
3195
0
            dec->setup = 1;
3196
0
    }
3197
0
#endif /* WOLFSSL_SM4_GCM */
3198
3199
0
#ifdef WOLFSSL_SM4_CCM
3200
    /* check that buffer sizes are sufficient (CCM is same size as GCM) */
3201
    #if (AEAD_MAX_IMP_SZ < 4) /* SM4-CCM_IMP_IV_SZ */
3202
        #error AEAD_MAX_IMP_SZ too small for SM4-CCM
3203
    #endif
3204
    #if (AEAD_MAX_EXP_SZ < 8) /* SM4-CCM_EXP_IV_SZ */
3205
        #error AEAD_MAX_EXP_SZ too small for SM4-CCM
3206
    #endif
3207
    #if (MAX_WRITE_IV_SZ < 4) /* SM4-CCM_IMP_IV_SZ */
3208
        #error MAX_WRITE_IV_SZ too small for SM4-CCM
3209
    #endif
3210
3211
0
    if (specs->bulk_cipher_algorithm == wolfssl_sm4_ccm) {
3212
0
        int CcmRet;
3213
3214
0
        if (enc) {
3215
0
            if (enc->sm4 == NULL) {
3216
0
                enc->sm4 = (wc_Sm4*)XMALLOC(sizeof(wc_Sm4), heap,
3217
0
                                            DYNAMIC_TYPE_CIPHER);
3218
0
                if (enc->sm4 == NULL)
3219
0
                    return MEMORY_E;
3220
0
            } else {
3221
0
                wc_Sm4Free(enc->sm4);
3222
0
            }
3223
3224
0
            XMEMSET(enc->sm4, 0, sizeof(wc_Sm4));
3225
0
        }
3226
0
        if (dec) {
3227
0
            if (dec->sm4 == NULL) {
3228
0
                dec->sm4 = (wc_Sm4*)XMALLOC(sizeof(wc_Sm4), heap,
3229
0
                                            DYNAMIC_TYPE_CIPHER);
3230
0
                if (dec->sm4 == NULL)
3231
0
                return MEMORY_E;
3232
0
            } else {
3233
0
                wc_Sm4Free(dec->sm4);
3234
0
            }
3235
0
            XMEMSET(dec->sm4, 0, sizeof(wc_Sm4));
3236
0
        }
3237
3238
0
        if (enc) {
3239
0
            if (wc_Sm4Init(enc->sm4, heap, devId) != 0) {
3240
0
                WOLFSSL_MSG("Sm4Init failed in SetKeys");
3241
0
                return ASYNC_INIT_E;
3242
0
            }
3243
0
        }
3244
0
        if (dec) {
3245
0
            if (wc_Sm4Init(dec->sm4, heap, devId) != 0) {
3246
0
                WOLFSSL_MSG("Sm4Init failed in SetKeys");
3247
0
                return ASYNC_INIT_E;
3248
0
            }
3249
0
        }
3250
3251
0
        if (side == WOLFSSL_CLIENT_END) {
3252
0
            if (enc) {
3253
0
                CcmRet = wc_Sm4SetKey(enc->sm4, keys->client_write_key,
3254
0
                                      specs->key_size);
3255
0
                if (CcmRet != 0) {
3256
0
                    return CcmRet;
3257
0
                }
3258
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
3259
0
                        AEAD_MAX_IMP_SZ);
3260
0
            }
3261
0
            if (dec) {
3262
0
                CcmRet = wc_Sm4SetKey(dec->sm4, keys->server_write_key,
3263
0
                                      specs->key_size);
3264
0
                if (CcmRet != 0) {
3265
0
                    return CcmRet;
3266
0
                }
3267
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
3268
0
                        AEAD_MAX_IMP_SZ);
3269
0
            }
3270
0
        }
3271
0
        else {
3272
0
            if (enc) {
3273
0
                CcmRet = wc_Sm4SetKey(enc->sm4, keys->server_write_key,
3274
0
                                      specs->key_size);
3275
0
                if (CcmRet != 0) {
3276
0
                    return CcmRet;
3277
0
                }
3278
0
                XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
3279
0
                        AEAD_MAX_IMP_SZ);
3280
0
            }
3281
0
            if (dec) {
3282
0
                CcmRet = wc_Sm4SetKey(dec->sm4, keys->client_write_key,
3283
0
                                      specs->key_size);
3284
0
                if (CcmRet != 0) {
3285
0
                    return CcmRet;
3286
0
                }
3287
0
                XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
3288
0
                        AEAD_MAX_IMP_SZ);
3289
0
            }
3290
0
        }
3291
0
        if (enc)
3292
0
            enc->setup = 1;
3293
0
        if (dec)
3294
0
            dec->setup = 1;
3295
0
    }
3296
0
#endif /* WOLFSSL_SM4_CCM */
3297
3298
#ifdef HAVE_NULL_CIPHER
3299
    if (specs->bulk_cipher_algorithm == wolfssl_cipher_null) {
3300
    #ifdef WOLFSSL_TLS13
3301
        if (tls13) {
3302
            int hmacRet;
3303
            int hashType = WC_HASH_TYPE_NONE;
3304
3305
            switch (specs->mac_algorithm) {
3306
                case sha256_mac:
3307
                    hashType = WC_SHA256;
3308
                    break;
3309
                case sha384_mac:
3310
                    hashType = WC_SHA384;
3311
                    break;
3312
                default:
3313
                    break;
3314
            }
3315
3316
            if (enc && enc->hmac == NULL) {
3317
                enc->hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap,
3318
                                                           DYNAMIC_TYPE_CIPHER);
3319
                if (enc->hmac == NULL)
3320
                    return MEMORY_E;
3321
3322
                if (wc_HmacInit(enc->hmac, heap, devId) != 0) {
3323
                    WOLFSSL_MSG("HmacInit failed in SetKeys");
3324
                    XFREE(enc->hmac, heap, DYNAMIC_TYPE_CIPHER);
3325
                    enc->hmac = NULL;
3326
                    return ASYNC_INIT_E;
3327
                }
3328
            }
3329
3330
            if (dec && dec->hmac == NULL) {
3331
                dec->hmac = (Hmac*)XMALLOC(sizeof(Hmac), heap,
3332
                                                           DYNAMIC_TYPE_CIPHER);
3333
                if (dec->hmac == NULL)
3334
                    return MEMORY_E;
3335
3336
                if (wc_HmacInit(dec->hmac, heap, devId) != 0) {
3337
                    WOLFSSL_MSG("HmacInit failed in SetKeys");
3338
                    XFREE(dec->hmac, heap, DYNAMIC_TYPE_CIPHER);
3339
                    dec->hmac = NULL;
3340
                    return ASYNC_INIT_E;
3341
                }
3342
            }
3343
3344
            if (side == WOLFSSL_CLIENT_END) {
3345
                if (enc) {
3346
                    XMEMCPY(keys->aead_enc_imp_IV, keys->client_write_IV,
3347
                            HMAC_NONCE_SZ);
3348
                    hmacRet = wc_HmacSetKey(enc->hmac, hashType,
3349
                                       keys->client_write_key, specs->key_size);
3350
                    if (hmacRet != 0) return hmacRet;
3351
                }
3352
                if (dec) {
3353
                    XMEMCPY(keys->aead_dec_imp_IV, keys->server_write_IV,
3354
                            HMAC_NONCE_SZ);
3355
                    hmacRet = wc_HmacSetKey(dec->hmac, hashType,
3356
                                       keys->server_write_key, specs->key_size);
3357
                    if (hmacRet != 0) return hmacRet;
3358
                }
3359
            }
3360
            else {
3361
                if (enc) {
3362
                    XMEMCPY(keys->aead_enc_imp_IV, keys->server_write_IV,
3363
                            HMAC_NONCE_SZ);
3364
                    hmacRet = wc_HmacSetKey(enc->hmac, hashType,
3365
                                       keys->server_write_key, specs->key_size);
3366
                    if (hmacRet != 0) return hmacRet;
3367
                }
3368
                if (dec) {
3369
                    XMEMCPY(keys->aead_dec_imp_IV, keys->client_write_IV,
3370
                            HMAC_NONCE_SZ);
3371
                    hmacRet = wc_HmacSetKey(dec->hmac, hashType,
3372
                                       keys->client_write_key, specs->key_size);
3373
                    if (hmacRet != 0) return hmacRet;
3374
                }
3375
            }
3376
        }
3377
    #endif
3378
        if (enc)
3379
            enc->setup = 1;
3380
        if (dec)
3381
            dec->setup = 1;
3382
    }
3383
#endif
3384
3385
0
    if (enc) {
3386
0
        keys->sequence_number_hi      = 0;
3387
0
        keys->sequence_number_lo      = 0;
3388
0
    }
3389
0
    if (dec) {
3390
0
        keys->peer_sequence_number_hi = 0;
3391
0
        keys->peer_sequence_number_lo = 0;
3392
0
    }
3393
0
    (void)side;
3394
0
    (void)heap;
3395
0
    (void)enc;
3396
0
    (void)dec;
3397
0
    (void)specs;
3398
0
    (void)devId;
3399
3400
0
    return 0;
3401
0
}
3402
3403
3404
#ifdef HAVE_ONE_TIME_AUTH
3405
/* set one time authentication keys */
3406
static int SetAuthKeys(OneTimeAuth* authentication, Keys* keys,
3407
                       CipherSpecs* specs, void* heap, int devId)
3408
0
{
3409
3410
0
#ifdef HAVE_POLY1305
3411
        /* set up memory space for poly1305 */
3412
0
        if (authentication && authentication->poly1305 == NULL)
3413
0
            authentication->poly1305 =
3414
0
                (Poly1305*)XMALLOC(sizeof(Poly1305), heap, DYNAMIC_TYPE_CIPHER);
3415
0
        if (authentication && authentication->poly1305 == NULL)
3416
0
            return MEMORY_E;
3417
    #ifdef WOLFSSL_CHECK_MEM_ZERO
3418
        wc_MemZero_Add("SSL auth keys poly1305", authentication->poly1305,
3419
            sizeof(Poly1305));
3420
    #endif
3421
0
        if (authentication)
3422
0
            authentication->setup = 1;
3423
0
#endif
3424
0
        (void)authentication;
3425
0
        (void)heap;
3426
0
        (void)keys;
3427
0
        (void)specs;
3428
0
        (void)devId;
3429
3430
0
        return 0;
3431
0
}
3432
#endif /* HAVE_ONE_TIME_AUTH */
3433
3434
#ifdef HAVE_SECURE_RENEGOTIATION
3435
/* function name is for cache_status++
3436
 * This function was added because of error incrementing enum type when
3437
 * compiling with a C++ compiler.
3438
 */
3439
static void CacheStatusPP(SecureRenegotiation* cache)
3440
{
3441
    switch (cache->cache_status) {
3442
        case SCR_CACHE_NULL:
3443
            cache->cache_status = SCR_CACHE_NEEDED;
3444
            break;
3445
3446
        case SCR_CACHE_NEEDED:
3447
            cache->cache_status = SCR_CACHE_COPY;
3448
            break;
3449
3450
        case SCR_CACHE_COPY:
3451
            cache->cache_status = SCR_CACHE_PARTIAL;
3452
            break;
3453
3454
        case SCR_CACHE_PARTIAL:
3455
            cache->cache_status = SCR_CACHE_COMPLETE;
3456
            break;
3457
3458
        case SCR_CACHE_COMPLETE:
3459
            WOLFSSL_MSG("SCR Cache state Complete");
3460
            break;
3461
3462
        default:
3463
            WOLFSSL_MSG("Unknown cache state!!");
3464
    }
3465
}
3466
#endif /* HAVE_SECURE_RENEGOTIATION */
3467
3468
3469
/* Set wc_encrypt/wc_decrypt or both sides of key setup
3470
 * note: use wc_encrypt to avoid shadowing global encrypt
3471
 * declared in unistd.h
3472
 */
3473
int SetKeysSide(WOLFSSL* ssl, enum encrypt_side side)
3474
0
{
3475
0
    int ret, copy = 0;
3476
0
    Ciphers* wc_encrypt = NULL;
3477
0
    Ciphers* wc_decrypt = NULL;
3478
0
    Keys*    keys    = &ssl->keys;
3479
3480
0
    (void)copy;
3481
3482
#ifdef HAVE_SECURE_RENEGOTIATION
3483
    if (ssl->secure_renegotiation &&
3484
            ssl->secure_renegotiation->cache_status != SCR_CACHE_NULL) {
3485
        keys = &ssl->secure_renegotiation->tmp_keys;
3486
#ifdef WOLFSSL_DTLS
3487
        /* For DTLS, copy is done in StoreKeys */
3488
        if (!ssl->options.dtls)
3489
#endif
3490
            copy = 1;
3491
    }
3492
#endif /* HAVE_SECURE_RENEGOTIATION */
3493
3494
0
    switch (side) {
3495
0
        case ENCRYPT_SIDE_ONLY:
3496
#ifdef WOLFSSL_DEBUG_TLS
3497
            WOLFSSL_MSG("Provisioning ENCRYPT key");
3498
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
3499
                WOLFSSL_BUFFER(keys->client_write_key, ssl->specs.key_size);
3500
            }
3501
            else {
3502
                WOLFSSL_BUFFER(keys->server_write_key, ssl->specs.key_size);
3503
            }
3504
#endif
3505
0
            wc_encrypt = &ssl->encrypt;
3506
0
            break;
3507
3508
0
        case DECRYPT_SIDE_ONLY:
3509
#ifdef WOLFSSL_DEBUG_TLS
3510
            WOLFSSL_MSG("Provisioning DECRYPT key");
3511
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
3512
                WOLFSSL_BUFFER(keys->server_write_key, ssl->specs.key_size);
3513
            }
3514
            else {
3515
                WOLFSSL_BUFFER(keys->client_write_key, ssl->specs.key_size);
3516
            }
3517
#endif
3518
0
            wc_decrypt = &ssl->decrypt;
3519
0
            break;
3520
3521
0
        case ENCRYPT_AND_DECRYPT_SIDE:
3522
#ifdef WOLFSSL_DEBUG_TLS
3523
            WOLFSSL_MSG("Provisioning ENCRYPT key");
3524
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
3525
                WOLFSSL_BUFFER(keys->client_write_key, ssl->specs.key_size);
3526
            }
3527
            else {
3528
                WOLFSSL_BUFFER(keys->server_write_key, ssl->specs.key_size);
3529
            }
3530
            WOLFSSL_MSG("Provisioning DECRYPT key");
3531
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
3532
                WOLFSSL_BUFFER(keys->server_write_key, ssl->specs.key_size);
3533
            }
3534
            else {
3535
                WOLFSSL_BUFFER(keys->client_write_key, ssl->specs.key_size);
3536
            }
3537
#endif
3538
0
            wc_encrypt = &ssl->encrypt;
3539
0
            wc_decrypt = &ssl->decrypt;
3540
0
            break;
3541
3542
0
        default:
3543
0
            return BAD_FUNC_ARG;
3544
0
    }
3545
3546
0
#ifdef HAVE_ONE_TIME_AUTH
3547
0
    if (!ssl->auth.setup && ssl->specs.bulk_cipher_algorithm == wolfssl_chacha){
3548
0
        ret = SetAuthKeys(&ssl->auth, keys, &ssl->specs, ssl->heap, ssl->devId);
3549
0
        if (ret != 0)
3550
0
           return ret;
3551
0
    }
3552
0
#endif
3553
3554
#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
3555
    ret = PROTOCOLCB_UNAVAILABLE;
3556
    if (ssl->ctx->EncryptKeysCb) {
3557
        void* ctx = wolfSSL_GetEncryptKeysCtx(ssl);
3558
        ret = ssl->ctx->EncryptKeysCb(ssl, ctx);
3559
    }
3560
    if (!ssl->ctx->EncryptKeysCb ||
3561
        ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
3562
#endif
3563
0
    {
3564
0
        ret = SetKeys(wc_encrypt, wc_decrypt, keys, &ssl->specs, ssl->options.side,
3565
0
                      ssl->heap, ssl->devId, ssl->rng, ssl->options.tls1_3);
3566
0
    }
3567
3568
#ifdef WOLFSSL_DTLS13
3569
    if (ret == 0 && ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version))
3570
        ret = Dtls13SetRecordNumberKeys(ssl, side);
3571
#endif /* WOLFSSL_DTLS13 */
3572
#ifdef WOLFSSL_QUIC
3573
    if (ret == 0 && WOLFSSL_IS_QUIC(ssl)) {
3574
        ret = wolfSSL_quic_keys_active(ssl, side);
3575
    }
3576
#endif /* WOLFSSL_QUIC */
3577
3578
#ifdef HAVE_SECURE_RENEGOTIATION
3579
#ifdef WOLFSSL_DTLS
3580
    if (ret == 0 && ssl->options.dtls && !ssl->options.tls1_3) {
3581
        if (wc_encrypt)
3582
            wc_encrypt->src = keys == &ssl->keys ? KEYS : SCR;
3583
        if (wc_decrypt)
3584
            wc_decrypt->src = keys == &ssl->keys ? KEYS : SCR;
3585
    }
3586
#endif
3587
3588
    if (copy) {
3589
        int clientCopy = 0;
3590
3591
        /* Sanity check that keys == ssl->secure_renegotiation->tmp_keys.
3592
         * Otherwise the memcpy calls would copy overlapping memory
3593
         * and cause UB. Fail early. */
3594
        if (keys == &ssl->keys)
3595
            return BAD_FUNC_ARG;
3596
3597
        if (ssl->options.side == WOLFSSL_CLIENT_END && wc_encrypt)
3598
            clientCopy = 1;
3599
        else if (ssl->options.side == WOLFSSL_SERVER_END && wc_decrypt)
3600
            clientCopy = 1;
3601
3602
        if (clientCopy) {
3603
    #ifndef WOLFSSL_AEAD_ONLY
3604
            XMEMCPY(ssl->keys.client_write_MAC_secret,
3605
                    keys->client_write_MAC_secret, WC_MAX_DIGEST_SIZE);
3606
    #endif
3607
            XMEMCPY(ssl->keys.client_write_key,
3608
                    keys->client_write_key, AES_256_KEY_SIZE);
3609
            XMEMCPY(ssl->keys.client_write_IV,
3610
                    keys->client_write_IV, MAX_WRITE_IV_SZ);
3611
        } else {
3612
    #ifndef WOLFSSL_AEAD_ONLY
3613
            XMEMCPY(ssl->keys.server_write_MAC_secret,
3614
                    keys->server_write_MAC_secret, WC_MAX_DIGEST_SIZE);
3615
    #endif
3616
            XMEMCPY(ssl->keys.server_write_key,
3617
                    keys->server_write_key, AES_256_KEY_SIZE);
3618
            XMEMCPY(ssl->keys.server_write_IV,
3619
                    keys->server_write_IV, MAX_WRITE_IV_SZ);
3620
        }
3621
        if (wc_encrypt) {
3622
            ssl->keys.sequence_number_hi = keys->sequence_number_hi;
3623
            ssl->keys.sequence_number_lo = keys->sequence_number_lo;
3624
            #ifdef HAVE_AEAD
3625
                if (ssl->specs.cipher_type == aead) {
3626
                    /* Initialize the AES-GCM/CCM explicit IV to a zero. */
3627
                    XMEMCPY(ssl->keys.aead_exp_IV, keys->aead_exp_IV,
3628
                            AEAD_MAX_EXP_SZ);
3629
3630
                    /* Initialize encrypt implicit IV by encrypt side */
3631
                    if (ssl->options.side == WOLFSSL_CLIENT_END) {
3632
                        XMEMCPY(ssl->keys.aead_enc_imp_IV,
3633
                                keys->client_write_IV, AEAD_MAX_IMP_SZ);
3634
                    } else {
3635
                        XMEMCPY(ssl->keys.aead_enc_imp_IV,
3636
                                keys->server_write_IV, AEAD_MAX_IMP_SZ);
3637
                    }
3638
                }
3639
            #endif
3640
        }
3641
        if (wc_decrypt) {
3642
            ssl->keys.peer_sequence_number_hi = keys->peer_sequence_number_hi;
3643
            ssl->keys.peer_sequence_number_lo = keys->peer_sequence_number_lo;
3644
            #ifdef HAVE_AEAD
3645
                if (ssl->specs.cipher_type == aead) {
3646
                    /* Initialize decrypt implicit IV by decrypt side */
3647
                    if (ssl->options.side == WOLFSSL_SERVER_END) {
3648
                        XMEMCPY(ssl->keys.aead_dec_imp_IV,
3649
                                keys->client_write_IV, AEAD_MAX_IMP_SZ);
3650
                    } else {
3651
                        XMEMCPY(ssl->keys.aead_dec_imp_IV,
3652
                                keys->server_write_IV, AEAD_MAX_IMP_SZ);
3653
                    }
3654
                }
3655
            #endif
3656
        }
3657
        CacheStatusPP(ssl->secure_renegotiation);
3658
    }
3659
#endif /* HAVE_SECURE_RENEGOTIATION */
3660
3661
0
    return ret;
3662
0
}
3663
3664
3665
/* TLS can call too */
3666
int StoreKeys(WOLFSSL* ssl, const byte* keyData, int side)
3667
0
{
3668
0
    size_t sz;
3669
0
    int i = 0;
3670
0
    Keys* keys = &ssl->keys;
3671
#ifdef WOLFSSL_DTLS
3672
    /* In case of DTLS, ssl->keys is updated here */
3673
    int scr_copy = 0;
3674
#endif
3675
3676
#ifdef HAVE_SECURE_RENEGOTIATION
3677
    if (ssl->secure_renegotiation &&
3678
            ssl->secure_renegotiation->cache_status == SCR_CACHE_NEEDED) {
3679
        keys = &ssl->secure_renegotiation->tmp_keys;
3680
#ifdef WOLFSSL_DTLS
3681
        if (ssl->options.dtls) {
3682
            /* epoch is incremented after StoreKeys is called */
3683
            ssl->secure_renegotiation->tmp_keys.dtls_epoch = ssl->keys.dtls_epoch + 1;
3684
            /* we only need to copy keys on second and future renegotiations */
3685
            if (ssl->keys.dtls_epoch > 1)
3686
                scr_copy = 1;
3687
            ssl->encrypt.src = KEYS_NOT_SET;
3688
            ssl->decrypt.src = KEYS_NOT_SET;
3689
        }
3690
#endif
3691
        CacheStatusPP(ssl->secure_renegotiation);
3692
    }
3693
#endif /* HAVE_SECURE_RENEGOTIATION */
3694
3695
#ifdef WOLFSSL_MULTICAST
3696
    if (ssl->options.haveMcast) {
3697
        /* Use the same keys for encrypt and decrypt. */
3698
        if (ssl->specs.cipher_type != aead) {
3699
            sz = ssl->specs.hash_size;
3700
    #ifndef WOLFSSL_AEAD_ONLY
3701
3702
    #ifdef WOLFSSL_DTLS
3703
            if (scr_copy) {
3704
                XMEMCPY(ssl->keys.client_write_MAC_secret,
3705
                        keys->client_write_MAC_secret, sz);
3706
                XMEMCPY(ssl->keys.server_write_MAC_secret,
3707
                        keys->server_write_MAC_secret, sz);
3708
            }
3709
    #endif
3710
            XMEMCPY(keys->client_write_MAC_secret,&keyData[i], sz);
3711
            XMEMCPY(keys->server_write_MAC_secret,&keyData[i], sz);
3712
    #endif
3713
            i += (int)sz;
3714
        }
3715
        sz = ssl->specs.key_size;
3716
    #ifdef WOLFSSL_DTLS
3717
        if (scr_copy) {
3718
            XMEMCPY(ssl->keys.client_write_key,
3719
                    keys->client_write_key, sz);
3720
            XMEMCPY(ssl->keys.server_write_key,
3721
                    keys->server_write_key, sz);
3722
        }
3723
    #endif
3724
        XMEMCPY(keys->client_write_key, &keyData[i], sz);
3725
        XMEMCPY(keys->server_write_key, &keyData[i], sz);
3726
        i += (int)sz;
3727
3728
        sz = ssl->specs.iv_size;
3729
    #ifdef WOLFSSL_DTLS
3730
        if (scr_copy) {
3731
            XMEMCPY(ssl->keys.client_write_IV,
3732
                    keys->client_write_IV, sz);
3733
            XMEMCPY(ssl->keys.server_write_IV,
3734
                    keys->server_write_IV, sz);
3735
        }
3736
    #endif
3737
        XMEMCPY(keys->client_write_IV, &keyData[i], sz);
3738
        XMEMCPY(keys->server_write_IV, &keyData[i], sz);
3739
3740
#ifdef HAVE_AEAD
3741
        if (ssl->specs.cipher_type == aead) {
3742
            /* Initialize the AES-GCM/CCM explicit IV to a zero. */
3743
        #ifdef WOLFSSL_DTLS
3744
            if (scr_copy) {
3745
                XMEMCPY(ssl->keys.aead_exp_IV,
3746
                        keys->aead_exp_IV, AEAD_MAX_EXP_SZ);
3747
            }
3748
        #endif
3749
            XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ);
3750
        }
3751
#endif /* HAVE_AEAD */
3752
3753
        return 0;
3754
    }
3755
#endif /* WOLFSSL_MULTICAST */
3756
3757
0
    if (ssl->specs.cipher_type != aead) {
3758
0
        sz = ssl->specs.hash_size;
3759
0
        if (side & PROVISION_CLIENT) {
3760
0
    #ifndef WOLFSSL_AEAD_ONLY
3761
        #ifdef WOLFSSL_DTLS
3762
            if (scr_copy)
3763
                XMEMCPY(ssl->keys.client_write_MAC_secret,
3764
                        keys->client_write_MAC_secret, sz);
3765
        #endif
3766
0
            XMEMCPY(keys->client_write_MAC_secret,&keyData[i], sz);
3767
0
    #endif
3768
0
            i += (int)sz;
3769
0
        }
3770
0
        if (side & PROVISION_SERVER) {
3771
0
    #ifndef WOLFSSL_AEAD_ONLY
3772
        #ifdef WOLFSSL_DTLS
3773
            if (scr_copy)
3774
                XMEMCPY(ssl->keys.server_write_MAC_secret,
3775
                        keys->server_write_MAC_secret, sz);
3776
        #endif
3777
0
            XMEMCPY(keys->server_write_MAC_secret,&keyData[i], sz);
3778
0
    #endif
3779
0
            i += (int)sz;
3780
0
        }
3781
0
    }
3782
0
    sz = ssl->specs.key_size;
3783
0
    if (side & PROVISION_CLIENT) {
3784
    #ifdef WOLFSSL_DTLS
3785
        if (scr_copy)
3786
            XMEMCPY(ssl->keys.client_write_key,
3787
                    keys->client_write_key, sz);
3788
    #endif
3789
0
        XMEMCPY(keys->client_write_key, &keyData[i], sz);
3790
0
        i += (int)sz;
3791
0
    }
3792
0
    if (side & PROVISION_SERVER) {
3793
    #ifdef WOLFSSL_DTLS
3794
        if (scr_copy)
3795
            XMEMCPY(ssl->keys.server_write_key,
3796
                    keys->server_write_key, sz);
3797
    #endif
3798
0
        XMEMCPY(keys->server_write_key, &keyData[i], sz);
3799
0
        i += (int)sz;
3800
0
    }
3801
3802
0
    sz = ssl->specs.iv_size;
3803
0
    if (side & PROVISION_CLIENT) {
3804
    #ifdef WOLFSSL_DTLS
3805
        if (scr_copy)
3806
            XMEMCPY(ssl->keys.client_write_IV,
3807
                    keys->client_write_IV, sz);
3808
    #endif
3809
0
        XMEMCPY(keys->client_write_IV, &keyData[i], sz);
3810
0
        i += (int)sz;
3811
0
    }
3812
0
    if (side & PROVISION_SERVER) {
3813
    #ifdef WOLFSSL_DTLS
3814
        if (scr_copy)
3815
            XMEMCPY(ssl->keys.server_write_IV,
3816
                    keys->server_write_IV, sz);
3817
    #endif
3818
0
        XMEMCPY(keys->server_write_IV, &keyData[i], sz);
3819
0
    }
3820
3821
0
#ifdef HAVE_AEAD
3822
0
    if (ssl->specs.cipher_type == aead) {
3823
        /* Initialize the AES-GCM/CCM explicit IV to a zero. */
3824
    #ifdef WOLFSSL_DTLS
3825
        if (scr_copy)
3826
            XMEMMOVE(ssl->keys.aead_exp_IV,
3827
                    keys->aead_exp_IV, AEAD_MAX_EXP_SZ);
3828
    #endif
3829
0
        XMEMSET(keys->aead_exp_IV, 0, AEAD_MAX_EXP_SZ);
3830
0
    }
3831
0
#endif
3832
3833
0
    return 0;
3834
0
}
3835
3836
#ifndef NO_OLD_TLS
3837
int DeriveKeys(WOLFSSL* ssl)
3838
{
3839
    int    length = 2 * ssl->specs.hash_size +
3840
                    2 * ssl->specs.key_size  +
3841
                    2 * ssl->specs.iv_size;
3842
    int    rounds = (length + WC_MD5_DIGEST_SIZE - 1 ) / WC_MD5_DIGEST_SIZE;
3843
    int    ret = 0;
3844
3845
#ifdef WOLFSSL_SMALL_STACK
3846
    byte*  shaOutput;
3847
    byte*  md5Input;
3848
    byte*  shaInput;
3849
    byte*  keyData;
3850
    wc_Md5* md5;
3851
    wc_Sha* sha;
3852
#else
3853
    byte   shaOutput[WC_SHA_DIGEST_SIZE];
3854
    byte   md5Input[SECRET_LEN + WC_SHA_DIGEST_SIZE];
3855
    byte   shaInput[KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN];
3856
    byte   keyData[KEY_PREFIX * WC_MD5_DIGEST_SIZE];
3857
    wc_Md5 md5[1];
3858
    wc_Sha sha[1];
3859
#endif
3860
3861
#ifdef WOLFSSL_SMALL_STACK
3862
    shaOutput = (byte*)XMALLOC(WC_SHA_DIGEST_SIZE,
3863
                                            NULL, DYNAMIC_TYPE_TMP_BUFFER);
3864
    md5Input  = (byte*)XMALLOC(SECRET_LEN + WC_SHA_DIGEST_SIZE,
3865
                                            NULL, DYNAMIC_TYPE_TMP_BUFFER);
3866
    shaInput  = (byte*)XMALLOC(KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN,
3867
                                            NULL, DYNAMIC_TYPE_TMP_BUFFER);
3868
    keyData   = (byte*)XMALLOC(KEY_PREFIX * WC_MD5_DIGEST_SIZE,
3869
                                            NULL, DYNAMIC_TYPE_TMP_BUFFER);
3870
    md5       =  (wc_Md5*)XMALLOC(sizeof(wc_Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
3871
    sha       =  (wc_Sha*)XMALLOC(sizeof(wc_Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
3872
3873
    if (shaOutput == NULL || md5Input == NULL || shaInput == NULL ||
3874
        keyData   == NULL || md5      == NULL || sha      == NULL) {
3875
        XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3876
        XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3877
        XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3878
        XFREE(keyData, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3879
        XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3880
        XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3881
3882
        return MEMORY_E;
3883
    }
3884
#endif
3885
    XMEMSET(shaOutput, 0, WC_SHA_DIGEST_SIZE);
3886
    ret = wc_InitMd5(md5);
3887
    if (ret == 0) {
3888
        ret = wc_InitSha(sha);
3889
    }
3890
    if (ret == 0) {
3891
        int i;
3892
3893
        XMEMCPY(md5Input, ssl->arrays->masterSecret, SECRET_LEN);
3894
3895
        for (i = 0; i < rounds; ++i) {
3896
            int j   = i + 1;
3897
            int idx = j;
3898
3899
            if (!SetPrefix(shaInput, i)) {
3900
                ret = PREFIX_ERROR;
3901
                break;
3902
            }
3903
3904
            XMEMCPY(shaInput + idx, ssl->arrays->masterSecret, SECRET_LEN);
3905
            idx += SECRET_LEN;
3906
            XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN);
3907
            idx += RAN_LEN;
3908
            XMEMCPY(shaInput + idx, ssl->arrays->clientRandom, RAN_LEN);
3909
            if (ret == 0) {
3910
                ret = wc_ShaUpdate(sha, shaInput,
3911
                    (KEY_PREFIX + SECRET_LEN + 2 * RAN_LEN) - KEY_PREFIX + j);
3912
            }
3913
            if (ret == 0) {
3914
                ret = wc_ShaFinal(sha, shaOutput);
3915
            }
3916
3917
            XMEMCPY(md5Input + SECRET_LEN, shaOutput, WC_SHA_DIGEST_SIZE);
3918
            if (ret == 0) {
3919
                ret = wc_Md5Update(md5, md5Input, SECRET_LEN + WC_SHA_DIGEST_SIZE);
3920
            }
3921
            if (ret == 0) {
3922
                ret = wc_Md5Final(md5, keyData + i * WC_MD5_DIGEST_SIZE);
3923
            }
3924
        }
3925
3926
        if (ret == 0)
3927
            ret = StoreKeys(ssl, keyData, PROVISION_CLIENT_SERVER);
3928
    }
3929
3930
#ifdef WOLFSSL_SMALL_STACK
3931
    XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
3932
    XFREE(md5Input,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
3933
    XFREE(shaInput,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
3934
    XFREE(keyData,   NULL, DYNAMIC_TYPE_TMP_BUFFER);
3935
    XFREE(md5,       NULL, DYNAMIC_TYPE_TMP_BUFFER);
3936
    XFREE(sha,       NULL, DYNAMIC_TYPE_TMP_BUFFER);
3937
#endif
3938
3939
    return ret;
3940
}
3941
3942
3943
static int CleanPreMaster(WOLFSSL* ssl)
3944
{
3945
    int i, ret, sz = ssl->arrays->preMasterSz;
3946
3947
    for (i = 0; i < sz; i++)
3948
        ssl->arrays->preMasterSecret[i] = 0;
3949
3950
    ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->preMasterSecret, sz);
3951
    if (ret != 0)
3952
        return ret;
3953
3954
    for (i = 0; i < sz; i++)
3955
        ssl->arrays->preMasterSecret[i] = 0;
3956
3957
    XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
3958
    ssl->arrays->preMasterSecret = NULL;
3959
    ssl->arrays->preMasterSz = 0;
3960
3961
    return 0;
3962
}
3963
3964
3965
/* Create and store the master secret see page 32, 6.1 */
3966
static int MakeSslMasterSecret(WOLFSSL* ssl)
3967
{
3968
    int    i, ret;
3969
    word32 idx;
3970
    word32 pmsSz = ssl->arrays->preMasterSz;
3971
3972
#ifdef WOLFSSL_SMALL_STACK
3973
    byte*  shaOutput;
3974
    byte*  md5Input;
3975
    byte*  shaInput;
3976
    wc_Md5* md5;
3977
    wc_Sha* sha;
3978
#else
3979
    byte   shaOutput[WC_SHA_DIGEST_SIZE];
3980
    byte   md5Input[ENCRYPT_LEN + WC_SHA_DIGEST_SIZE];
3981
    byte   shaInput[PREFIX + ENCRYPT_LEN + 2 * RAN_LEN];
3982
    wc_Md5 md5[1];
3983
    wc_Sha sha[1];
3984
#endif
3985
3986
    if (ssl->arrays->preMasterSecret == NULL) {
3987
        return BAD_FUNC_ARG;
3988
    }
3989
3990
#ifdef SHOW_SECRETS
3991
    {
3992
        word32 j;
3993
        printf("pre master secret: ");
3994
        for (j = 0; j < pmsSz; j++)
3995
            printf("%02x", ssl->arrays->preMasterSecret[j]);
3996
        printf("\n");
3997
    }
3998
#endif
3999
4000
#ifdef WOLFSSL_SMALL_STACK
4001
    shaOutput = (byte*)XMALLOC(WC_SHA_DIGEST_SIZE,
4002
                                            NULL, DYNAMIC_TYPE_TMP_BUFFER);
4003
    md5Input  = (byte*)XMALLOC(ENCRYPT_LEN + WC_SHA_DIGEST_SIZE,
4004
                                            NULL, DYNAMIC_TYPE_TMP_BUFFER);
4005
    shaInput  = (byte*)XMALLOC(PREFIX + ENCRYPT_LEN + 2 * RAN_LEN,
4006
                                            NULL, DYNAMIC_TYPE_TMP_BUFFER);
4007
    md5       =  (wc_Md5*)XMALLOC(sizeof(wc_Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
4008
    sha       =  (wc_Sha*)XMALLOC(sizeof(wc_Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
4009
4010
    if (shaOutput == NULL || md5Input == NULL || shaInput == NULL ||
4011
                             md5      == NULL || sha      == NULL) {
4012
        XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4013
        XFREE(md5Input, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4014
        XFREE(shaInput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4015
        XFREE(md5, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4016
        XFREE(sha, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4017
4018
        return MEMORY_E;
4019
    }
4020
#endif
4021
    XMEMSET(shaOutput, 0, WC_SHA_DIGEST_SIZE);
4022
4023
    ret = wc_InitMd5(md5);
4024
    if (ret == 0) {
4025
        ret = wc_InitSha(sha);
4026
    }
4027
    if (ret == 0) {
4028
        XMEMCPY(md5Input, ssl->arrays->preMasterSecret, pmsSz);
4029
4030
        for (i = 0; i < MASTER_ROUNDS; ++i) {
4031
            byte prefix[KEY_PREFIX];      /* only need PREFIX bytes but static */
4032
            if (!SetPrefix(prefix, i)) {  /* analysis thinks will overrun      */
4033
                ret = PREFIX_ERROR;
4034
                break;
4035
            }
4036
4037
            idx = 0;
4038
            XMEMCPY(shaInput, prefix, i + 1);
4039
            idx += i + 1;
4040
4041
            XMEMCPY(shaInput + idx, ssl->arrays->preMasterSecret, pmsSz);
4042
            idx += pmsSz;
4043
            XMEMCPY(shaInput + idx, ssl->arrays->clientRandom, RAN_LEN);
4044
            idx += RAN_LEN;
4045
            XMEMCPY(shaInput + idx, ssl->arrays->serverRandom, RAN_LEN);
4046
            idx += RAN_LEN;
4047
            if (ret == 0) {
4048
                ret = wc_ShaUpdate(sha, shaInput, idx);
4049
            }
4050
            if (ret == 0) {
4051
                ret = wc_ShaFinal(sha, shaOutput);
4052
            }
4053
            idx = pmsSz;  /* preSz */
4054
            XMEMCPY(md5Input + idx, shaOutput, WC_SHA_DIGEST_SIZE);
4055
            idx += WC_SHA_DIGEST_SIZE;
4056
            if (ret == 0) {
4057
                ret = wc_Md5Update(md5, md5Input, idx);
4058
            }
4059
            if (ret == 0) {
4060
                ret = wc_Md5Final(md5,
4061
                            &ssl->arrays->masterSecret[i * WC_MD5_DIGEST_SIZE]);
4062
            }
4063
        }
4064
4065
#ifdef SHOW_SECRETS
4066
        {
4067
            word32 j;
4068
            printf("master secret: ");
4069
            for (j = 0; j < SECRET_LEN; j++)
4070
                printf("%02x", ssl->arrays->masterSecret[j]);
4071
            printf("\n");
4072
        }
4073
#endif
4074
4075
        if (ret == 0)
4076
            ret = DeriveKeys(ssl);
4077
    }
4078
4079
#ifdef WOLFSSL_SMALL_STACK
4080
    XFREE(shaOutput, NULL, DYNAMIC_TYPE_TMP_BUFFER);
4081
    XFREE(md5Input,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
4082
    XFREE(shaInput,  NULL, DYNAMIC_TYPE_TMP_BUFFER);
4083
    XFREE(md5,       NULL, DYNAMIC_TYPE_TMP_BUFFER);
4084
    XFREE(sha,       NULL, DYNAMIC_TYPE_TMP_BUFFER);
4085
#endif
4086
4087
    if (ret == 0)
4088
        ret = CleanPreMaster(ssl);
4089
    else
4090
        CleanPreMaster(ssl);
4091
4092
    return ret;
4093
}
4094
#endif
4095
4096
4097
/* Master wrapper, doesn't use SSL stack space in TLS mode */
4098
int MakeMasterSecret(WOLFSSL* ssl)
4099
0
{
4100
    /* append secret to premaster : premaster | SerSi | CliSi */
4101
#ifndef NO_OLD_TLS
4102
    if (ssl->options.tls) return MakeTlsMasterSecret(ssl);
4103
    return MakeSslMasterSecret(ssl);
4104
#elif !defined(WOLFSSL_NO_TLS12) && !defined(NO_TLS)
4105
0
    return MakeTlsMasterSecret(ssl);
4106
#else
4107
    (void)ssl;
4108
    return 0;
4109
#endif
4110
0
}
4111
4112
#endif /* WOLFCRYPT_ONLY */