Coverage Report

Created: 2026-07-16 06:50

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/wolfssl/src/tls13.c
Line
Count
Source
1
/* tls13.c
2
 *
3
 * Copyright (C) 2006-2026 wolfSSL Inc.
4
 *
5
 * This file is part of wolfSSL.
6
 *
7
 * wolfSSL is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU General Public License as published by
9
 * the Free Software Foundation; either version 3 of the License, or
10
 * (at your option) any later version.
11
 *
12
 * wolfSSL is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU General Public License
18
 * along with this program; if not, write to the Free Software
19
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20
 */
21
22
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
23
24
/*
25
 * TLS 1.3-Specific Build Options:
26
 * (See tls.c for generic TLS options: extensions, curves, callbacks, etc.)
27
 *
28
 * Protocol:
29
 * WOLFSSL_TLS13:            Enable TLS 1.3 protocol               default: on
30
 * WOLFSSL_TLS13_DRAFT:      Enable TLS 1.3 draft version support  default: off
31
 * WOLFSSL_QUIC:             Enable QUIC protocol support (TLS 1.3) default: off
32
 * WOLFSSL_DTLS13_NO_HRR_ON_RESUME: Skip HRR on DTLS 1.3 resume   default: off
33
 * WOLFSSL_DTLS_CH_FRAG:     Enable DTLS 1.3 ClientHello frag     default: off
34
 *
35
 * Handshake:
36
 * WOLFSSL_TLS13_MIDDLEBOX_COMPAT: Enable middlebox compatibility  default: on
37
 *                            Sends ChangeCipherSpec and includes session id
38
 * WOLFSSL_SEND_HRR_COOKIE:  Send cookie in HelloRetryRequest     default: off
39
 *                            for stateless ClientHello tracking
40
 * WOLFSSL_EARLY_DATA:       Allow 0-RTT early data                default: off
41
 * WOLFSSL_EARLY_DATA_GROUP: Group early data with ClientHello     default: off
42
 * WOLFSSL_POST_HANDSHAKE_AUTH: Post-handshake client auth         default: off
43
 * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED: Send NewSessionTicket     default: off
44
 *                            before client Finished message
45
 * WOLFSSL_NO_CLIENT_AUTH:   Disable TLS 1.3 client authentication default: off
46
 * WOLFSSL_NO_CLIENT_CERT_ERROR: Require client certificate        default: off
47
 * WOLFSSL_CERT_SETUP_CB:    Certificate setup callback            default: off
48
 * WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION: Allow bad legacy version  default: off
49
 *
50
 * Security:
51
 * WOLFSSL_BLIND_PRIVATE_KEY: Blind private key during signing     default: off
52
 * WOLFSSL_CHECK_SIG_FAULTS: Verify signature after ECC signing    default: off
53
 *                            to detect fault injection attacks
54
 * WOLFSSL_CIPHER_TEXT_CHECK: Verify ciphertext integrity          default: off
55
 *
56
 * TLS 1.3 PSK:
57
 * WOLFSSL_PSK_ONE_ID:       Single PSK identity per connect       default: off
58
 * WOLFSSL_PSK_MULTI_ID_PER_CS: Multiple PSK IDs per cipher suite default: off
59
 * WOLFSSL_PRIORITIZE_PSK:   Prioritize PSK over ciphersuite order default: off
60
 *
61
 * TLS 1.3 Session Tickets:
62
 * WOLFSSL_TICKET_HAVE_ID:   Session tickets include ID            default: off
63
 *                            Forced on when WOLFSSL_EARLY_DATA is set.
64
 * WOLFSSL_TICKET_NONCE_MALLOC: Dynamically allocate ticket nonce  default: off
65
 *
66
 * TLS 1.3 Key Exchange:
67
 * HAVE_KEYING_MATERIAL:     Export keying material (RFC 8446 7.5) default: off
68
 * WOLFSSL_HAVE_TLS_UNIQUE:  Enable tls-unique channel binding     default: off
69
 *
70
 * TLS 1.3 Hash/Signature:
71
 * WOLFSSL_TLS13_SHA512:     Allow SHA-512 in TLS 1.3 handshake   default: off
72
 *                            (no ciphersuite requires it currently)
73
 * WOLFSSL_ERROR_CODE_OPENSSL: Use OpenSSL-compatible error codes  default: off
74
 * WOLFSSL_SSLKEYLOGFILE_OUTPUT: Set key log output file path      default: off
75
 * WOLFSSL_RW_THREADED:      Enable read/write threading support   default: off
76
 * WOLFSSL_ASYNC_IO:         Enable async I/O operations           default: off
77
 * WOLFSSL_NONBLOCK_OCSP:    Non-blocking OCSP processing          default: off
78
 * WOLFSSL_TLS_OCSP_MULTI:   Multiple OCSP responses               default: off
79
 * WOLFSSL_WOLFSENTRY_HOOKS: wolfSentry integration hooks          default: off
80
 */
81
82
#if !defined(NO_TLS) && defined(WOLFSSL_TLS13)
83
84
/* 0-RTT anti-replay eviction needs the session cache. */
85
#if defined(WOLFSSL_EARLY_DATA) && defined(HAVE_SESSION_TICKET) && \
86
    defined(NO_SESSION_CACHE) && !defined(NO_WOLFSSL_SERVER) && \
87
    !defined(WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY)
88
#error "WOLFSSL_EARLY_DATA with tickets requires !NO_SESSION_CACHE, or " \
89
       "define WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY to opt out."
90
#endif
91
92
#ifndef WOLFCRYPT_ONLY
93
94
#ifdef HAVE_ERRNO_H
95
    #include <errno.h>
96
#endif
97
98
#if defined(__MACH__) || defined(__FreeBSD__) || \
99
    defined(__INCLUDE_NUTTX_CONFIG_H) || defined(WOLFSSL_RIOT_OS)
100
#include <sys/time.h>
101
#endif /* __MACH__ || __FreeBSD__ ||
102
          __INCLUDE_NUTTX_CONFIG_H || WOLFSSL_RIOT_OS */
103
104
105
#include <wolfssl/internal.h>
106
#include <wolfssl/error-ssl.h>
107
#include <wolfssl/wolfcrypt/asn.h>
108
#include <wolfssl/wolfcrypt/dh.h>
109
#include <wolfssl/wolfcrypt/kdf.h>
110
#include <wolfssl/wolfcrypt/signature.h>
111
#ifdef NO_INLINE
112
    #include <wolfssl/wolfcrypt/misc.h>
113
#else
114
    #define WOLFSSL_MISC_INCLUDED
115
    #include <wolfcrypt/src/misc.c>
116
#endif
117
118
#ifdef __sun
119
    #include <sys/filio.h>
120
#endif
121
122
#ifndef TRUE
123
    #define TRUE  1
124
#endif
125
#ifndef FALSE
126
    #define FALSE 0
127
#endif
128
129
#ifndef HAVE_AEAD
130
    #if !defined(_MSC_VER) && !defined(__TASKING__)
131
        #error "The build option HAVE_AEAD is required for TLS 1.3"
132
    #else
133
        #pragma \
134
        message("error: The build option HAVE_AEAD is required for TLS 1.3")
135
    #endif
136
#endif
137
138
#ifndef HAVE_HKDF
139
    #if !defined(_MSC_VER) && !defined(__TASKING__)
140
        #error "The build option HAVE_HKDF is required for TLS 1.3"
141
    #else
142
        #pragma message("error: The build option HAVE_HKDF is required for TLS 1.3")
143
    #endif
144
#endif
145
146
#ifndef HAVE_TLS_EXTENSIONS
147
    #if !defined(_MSC_VER) && !defined(__TASKING__)
148
        #error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3"
149
    #else
150
        #pragma message("error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3")
151
    #endif
152
#endif
153
154
155
/* Set ret to error value and jump to label.
156
 *
157
 * err     The error value to set.
158
 * eLabel  The label to jump to.
159
 */
160
0
#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
161
162
/* Size of the TLS v1.3 label use when deriving keys. */
163
0
#define TLS13_PROTOCOL_LABEL_SZ    6
164
/* The protocol label for TLS v1.3. */
165
static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 ";
166
167
#ifdef WOLFSSL_DTLS13
168
#define DTLS13_PROTOCOL_LABEL_SZ    6
169
static const byte dtls13ProtocolLabel[DTLS13_PROTOCOL_LABEL_SZ + 1] = "dtls13";
170
#endif /* WOLFSSL_DTLS13 */
171
172
#if defined(HAVE_ECH)
173
#define ECH_ACCEPT_CONFIRMATION_LABEL_SZ 23
174
#define ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ 27
175
static const byte
176
    echAcceptConfirmationLabel[ECH_ACCEPT_CONFIRMATION_LABEL_SZ + 1] =
177
    "ech accept confirmation";
178
static const byte
179
    echHrrAcceptConfirmationLabel[ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ + 1] =
180
    "hrr ech accept confirmation";
181
#endif
182
183
#ifndef NO_CERTS
184
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
185
    defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA)
186
187
static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash);
188
189
#endif
190
#endif
191
192
/* Expand data using HMAC, salt and label and info.
193
 * TLS v1.3 defines this function. Use callback if available. */
194
static int Tls13HKDFExpandLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,
195
                                const byte* prk, word32 prkLen,
196
                                const byte* protocol, word32 protocolLen,
197
                                const byte* label, word32 labelLen,
198
                                const byte* info, word32 infoLen,
199
                                int digest)
200
0
{
201
0
    int ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
202
203
#if defined(HAVE_PK_CALLBACKS)
204
    if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) {
205
        ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen,
206
                                          protocol, protocolLen,
207
                                          label, labelLen,
208
                                          info, infoLen, digest,
209
                                          WOLFSSL_CLIENT_END /* ignored */);
210
    }
211
212
    if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN))
213
        return ret;
214
#endif
215
0
    (void)ssl;
216
0
    PRIVATE_KEY_UNLOCK();
217
0
#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
218
0
    ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen,
219
0
                                     protocol, protocolLen,
220
0
                                     label, labelLen,
221
0
                                     info, infoLen, digest,
222
0
                                     ssl->heap, ssl->devId);
223
#else
224
    ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen,
225
                                     protocol, protocolLen,
226
                                     label, labelLen,
227
                                     info, infoLen, digest);
228
#endif
229
0
    PRIVATE_KEY_LOCK();
230
0
    return ret;
231
0
}
232
233
/* Same as above, but pass in the side we are expanding for:
234
 * side: either WOLFSSL_CLIENT_END or WOLFSSL_SERVER_END.
235
 */
236
static int Tls13HKDFExpandKeyLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,
237
                                   const byte* prk, word32 prkLen,
238
                                   const byte* protocol, word32 protocolLen,
239
                                   const byte* label, word32 labelLen,
240
                                   const byte* info, word32 infoLen,
241
                                   int digest, int side)
242
0
{
243
0
    int ret;
244
#if defined(HAVE_PK_CALLBACKS)
245
    ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
246
    if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) {
247
        ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen,
248
                                         protocol, protocolLen,
249
                                         label, labelLen,
250
                                         info, infoLen,
251
                                         digest, side);
252
    }
253
    if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN))
254
        return ret;
255
#endif
256
257
0
#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
258
0
    ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen,
259
0
                                      protocol, protocolLen,
260
0
                                      label, labelLen,
261
0
                                      info, infoLen, digest,
262
0
                                      ssl->heap, ssl->devId);
263
264
#elif defined(HAVE_FIPS) && defined(wc_Tls13_HKDF_Expand_Label)
265
    ret = wc_Tls13_HKDF_Expand_Label_fips(okm, okmLen, prk, prkLen,
266
                                      protocol, protocolLen,
267
                                      label, labelLen,
268
                                      info, infoLen, digest);
269
#else
270
    ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen,
271
                                      protocol, protocolLen,
272
                                      label, labelLen,
273
                                      info, infoLen, digest);
274
#endif
275
0
    (void)ssl;
276
0
    (void)side;
277
0
    return ret;
278
0
}
279
280
281
/* Derive a key from a message.
282
 *
283
 * ssl        The SSL/TLS object.
284
 * output     The buffer to hold the derived key.
285
 * outputLen  The length of the derived key.
286
 * secret     The secret used to derive the key (HMAC secret).
287
 * label      The label used to distinguish the context.
288
 * labelLen   The length of the label.
289
 * msg        The message data to derive key from.
290
 * msgLen     The length of the message data to derive key from.
291
 * hashAlgo   The hash algorithm to use in the HMAC.
292
 * returns 0 on success, otherwise failure.
293
 */
294
static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
295
                        const byte* secret, const byte* label, word32 labelLen,
296
                        byte* msg, int msgLen, int hashAlgo)
297
0
{
298
0
    byte        hash[WC_MAX_DIGEST_SIZE];
299
0
    Digest      digest;
300
0
    word32      hashSz = 0;
301
0
    const byte* protocol;
302
0
    word32      protocolLen;
303
0
    int         digestAlg = -1;
304
0
    int         ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
305
306
0
    switch (hashAlgo) {
307
0
#ifndef NO_SHA256
308
0
        case sha256_mac:
309
0
            ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, ssl->devId);
310
0
            if (ret == 0) {
311
0
                    ret = wc_Sha256Update(&digest.sha256, msg, (word32)msgLen);
312
0
                if (ret == 0)
313
0
                    ret = wc_Sha256Final(&digest.sha256, hash);
314
0
                wc_Sha256Free(&digest.sha256);
315
0
            }
316
0
            hashSz = WC_SHA256_DIGEST_SIZE;
317
0
            digestAlg = WC_SHA256;
318
0
            break;
319
0
#endif
320
0
#ifdef WOLFSSL_SHA384
321
0
        case sha384_mac:
322
0
            ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, ssl->devId);
323
0
            if (ret == 0) {
324
0
                ret = wc_Sha384Update(&digest.sha384, msg, (word32)msgLen);
325
0
                if (ret == 0)
326
0
                    ret = wc_Sha384Final(&digest.sha384, hash);
327
0
                wc_Sha384Free(&digest.sha384);
328
0
            }
329
0
            hashSz = WC_SHA384_DIGEST_SIZE;
330
0
            digestAlg = WC_SHA384;
331
0
            break;
332
0
#endif
333
#ifdef WOLFSSL_TLS13_SHA512
334
        case sha512_mac:
335
            ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, ssl->devId);
336
            if (ret == 0) {
337
                ret = wc_Sha512Update(&digest.sha512, msg, (word32)msgLen);
338
                if (ret == 0)
339
                    ret = wc_Sha512Final(&digest.sha512, hash);
340
                wc_Sha512Free(&digest.sha512);
341
            }
342
            hashSz = WC_SHA512_DIGEST_SIZE;
343
            digestAlg = WC_SHA512;
344
            break;
345
#endif
346
#ifdef WOLFSSL_SM3
347
        case sm3_mac:
348
            ret = wc_InitSm3(&digest.sm3, ssl->heap, ssl->devId);
349
            if (ret == 0) {
350
                ret = wc_Sm3Update(&digest.sm3, msg, (word32)msgLen);
351
                if (ret == 0)
352
                    ret = wc_Sm3Final(&digest.sm3, hash);
353
                wc_Sm3Free(&digest.sm3);
354
            }
355
            hashSz = WC_SM3_DIGEST_SIZE;
356
            digestAlg = WC_SM3;
357
            break;
358
#endif
359
0
        default:
360
0
            ret = BAD_FUNC_ARG;
361
0
            digestAlg = -1;
362
0
            break;
363
0
    }
364
365
0
    if (digestAlg < 0)
366
0
        return HASH_TYPE_E;
367
368
0
    if (ret != 0)
369
0
        return ret;
370
371
0
    switch (ssl->version.minor) {
372
0
        case TLSv1_3_MINOR:
373
0
            protocol = tls13ProtocolLabel;
374
0
            protocolLen = TLS13_PROTOCOL_LABEL_SZ;
375
0
            break;
376
#ifdef WOLFSSL_DTLS13
377
        case DTLSv1_3_MINOR:
378
            if (!ssl->options.dtls)
379
                return VERSION_ERROR;
380
381
            protocol = dtls13ProtocolLabel;
382
            protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
383
            break;
384
#endif /* WOLFSSL_DTLS13 */
385
0
        default:
386
0
            return VERSION_ERROR;
387
0
    }
388
0
    if (outputLen == -1)
389
0
        outputLen = (int)hashSz;
390
391
0
    ret = Tls13HKDFExpandLabel(ssl, output, (word32)outputLen, secret, hashSz,
392
0
                               protocol, protocolLen, label, labelLen,
393
0
                               hash, hashSz, digestAlg);
394
0
    return ret;
395
0
}
396
397
/* Derive a key.
398
 *
399
 * ssl          The SSL/TLS object.
400
 * output       The buffer to hold the derived key.
401
 * outputLen    The length of the derived key.
402
 * secret       The secret used to derive the key (HMAC secret).
403
 * label        The label used to distinguish the context.
404
 * labelLen     The length of the label.
405
 * hashAlgo     The hash algorithm to use in the HMAC.
406
 * includeMsgs  Whether to include a hash of the handshake messages so far.
407
 * side         The side that we are deriving the secret for.
408
 * returns 0 on success, otherwise failure.
409
 */
410
int Tls13DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
411
                   const byte* secret, const byte* label, word32 labelLen,
412
                   int hashAlgo, int includeMsgs, int side)
413
0
{
414
0
    int         ret = 0;
415
0
    byte        hash[WC_MAX_DIGEST_SIZE];
416
0
    word32      hashSz = 0;
417
0
    word32      hashOutSz = 0;
418
0
    const byte* protocol;
419
0
    word32      protocolLen;
420
0
    int         digestAlg = 0;
421
422
423
0
    switch (hashAlgo) {
424
0
    #ifndef NO_SHA256
425
0
        case sha256_mac:
426
0
            hashSz    = WC_SHA256_DIGEST_SIZE;
427
0
            digestAlg = WC_SHA256;
428
0
            if (includeMsgs)
429
0
                ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
430
0
            break;
431
0
    #endif
432
433
0
    #ifdef WOLFSSL_SHA384
434
0
        case sha384_mac:
435
0
            hashSz    = WC_SHA384_DIGEST_SIZE;
436
0
            digestAlg = WC_SHA384;
437
0
            if (includeMsgs)
438
0
                ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
439
0
            break;
440
0
    #endif
441
442
    #ifdef WOLFSSL_TLS13_SHA512
443
        case sha512_mac:
444
            hashSz    = WC_SHA512_DIGEST_SIZE;
445
            digestAlg = WC_SHA512;
446
            if (includeMsgs)
447
                ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
448
            break;
449
    #endif
450
451
    #ifdef WOLFSSL_SM3
452
        case sm3_mac:
453
            hashSz    = WC_SM3_DIGEST_SIZE;
454
            digestAlg = WC_SM3;
455
            if (includeMsgs)
456
                ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
457
            break;
458
    #endif
459
460
0
        default:
461
0
            ret = HASH_TYPE_E;
462
0
            break;
463
0
    }
464
0
    if (ret != 0)
465
0
        return ret;
466
467
0
    protocol = tls13ProtocolLabel;
468
0
    protocolLen = TLS13_PROTOCOL_LABEL_SZ;
469
470
#ifdef WOLFSSL_DTLS13
471
    if (ssl->options.dtls) {
472
         protocol = dtls13ProtocolLabel;
473
         protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
474
    }
475
#endif /* WOLFSSL_DTLS13 */
476
477
0
    if (outputLen == -1) {
478
0
        outputLen = (int)hashSz;
479
0
    }
480
0
    if (includeMsgs) {
481
0
        hashOutSz = hashSz;
482
0
    }
483
0
    else {
484
        /* Appease static analyzers by making sure hash is cleared, since it is
485
         * passed into expand key label where older wc_Tls13_HKDF_Expand_Label
486
         * will unconditionally try to call a memcpy on it, however length will
487
         * always be 0. */
488
0
        XMEMSET(hash, 0, sizeof(hash));
489
0
        hashOutSz = 0;
490
0
    }
491
492
0
    PRIVATE_KEY_UNLOCK();
493
0
    ret = Tls13HKDFExpandKeyLabel(ssl, output, (word32)outputLen, secret, hashSz,
494
0
                                  protocol, protocolLen, label, labelLen,
495
0
                                  hash, hashOutSz, digestAlg, side);
496
0
    PRIVATE_KEY_LOCK();
497
498
#ifdef WOLFSSL_CHECK_MEM_ZERO
499
    wc_MemZero_Add("TLS 1.3 derived key", output, outputLen);
500
#endif
501
0
    return ret;
502
0
}
503
504
/* Convert TLS mac ID to a hash algorithm ID
505
 *
506
 * mac Mac ID to convert
507
 * returns hash ID on success, or the NONE type.
508
 */
509
static WC_INLINE int mac2hash(int mac)
510
0
{
511
0
    int hash;
512
0
    switch (mac) {
513
0
        #ifndef NO_SHA256
514
0
        case sha256_mac:
515
0
            hash = WC_SHA256;
516
0
            break;
517
0
        #endif
518
519
0
        #ifdef WOLFSSL_SHA384
520
0
        case sha384_mac:
521
0
            hash = WC_SHA384;
522
0
            break;
523
0
        #endif
524
525
        #ifdef WOLFSSL_TLS13_SHA512
526
        case sha512_mac:
527
            hash = WC_SHA512;
528
            break;
529
        #endif
530
531
        #ifdef WOLFSSL_SM3
532
        case sm3_mac:
533
            hash = WC_SM3;
534
            break;
535
        #endif
536
537
0
    default:
538
0
        hash = WC_HASH_TYPE_NONE;
539
0
    }
540
0
    return hash;
541
0
}
542
543
#ifndef NO_PSK
544
/* The length of the binder key label. */
545
#define BINDER_KEY_LABEL_SZ         10
546
/* The binder key label. */
547
static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
548
    "ext binder";
549
550
/* Derive the binder key.
551
 *
552
 * ssl  The SSL/TLS object.
553
 * key  The derived key.
554
 * returns 0 on success, otherwise failure.
555
 */
556
static int DeriveBinderKey(WOLFSSL* ssl, byte* key)
557
{
558
    WOLFSSL_MSG("Derive Binder Key");
559
    if (ssl == NULL || ssl->arrays == NULL) {
560
        return BAD_FUNC_ARG;
561
    }
562
    return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
563
                        binderKeyLabel, BINDER_KEY_LABEL_SZ,
564
                        NULL, 0, ssl->specs.mac_algorithm);
565
}
566
#endif /* !NO_PSK */
567
568
#if defined(HAVE_SESSION_TICKET) && \
569
    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
570
/* The length of the binder key resume label. */
571
#define BINDER_KEY_RESUME_LABEL_SZ  10
572
/* The binder key resume label. */
573
static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
574
    "res binder";
575
576
/* Derive the binder resumption key.
577
 *
578
 * ssl  The SSL/TLS object.
579
 * key  The derived key.
580
 * returns 0 on success, otherwise failure.
581
 */
582
static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)
583
{
584
    WOLFSSL_MSG("Derive Binder Key - Resumption");
585
    if (ssl == NULL || ssl->arrays == NULL) {
586
        return BAD_FUNC_ARG;
587
    }
588
    return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
589
                        binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ,
590
                        NULL, 0, ssl->specs.mac_algorithm);
591
}
592
#endif /* HAVE_SESSION_TICKET && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */
593
594
#ifdef WOLFSSL_EARLY_DATA
595
596
/* The length of the early traffic label. */
597
#define EARLY_TRAFFIC_LABEL_SZ      11
598
/* The early traffic label. */
599
static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
600
    "c e traffic";
601
602
/* Derive the early traffic key.
603
 *
604
 * ssl  The SSL/TLS object.
605
 * key  The derived key.
606
 * side The side that we are deriving the secret for.
607
 * returns 0 on success, otherwise failure.
608
 */
609
static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key, int side)
610
{
611
    int ret;
612
    WOLFSSL_MSG("Derive Early Traffic Secret");
613
    if (ssl == NULL || ssl->arrays == NULL) {
614
        return BAD_FUNC_ARG;
615
    }
616
617
#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
618
    /* If this is called from a sniffer session with keylog file support,
619
     * obtain the appropriate secret from the callback */
620
    if (ssl->snifferSecretCb != NULL) {
621
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
622
                                    SNIFFER_SECRET_CLIENT_EARLY_TRAFFIC_SECRET,
623
                                    key);
624
    }
625
#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
626
627
    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->secret,
628
                    earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ,
629
                    ssl->specs.mac_algorithm, 1, side);
630
#ifdef HAVE_SECRET_CALLBACK
631
    if (ret == 0 && ssl->tls13SecretCb != NULL) {
632
        ret = ssl->tls13SecretCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key,
633
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
634
        if (ret != 0) {
635
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
636
            return TLS13_SECRET_CB_E;
637
        }
638
    }
639
#ifdef OPENSSL_EXTRA
640
    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
641
        ret = ssl->tls13KeyLogCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key,
642
                                ssl->specs.hash_size, NULL);
643
        if (ret != 0) {
644
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
645
            return TLS13_SECRET_CB_E;
646
        }
647
    }
648
#endif /* OPENSSL_EXTRA */
649
#endif /* HAVE_SECRET_CALLBACK */
650
    return ret;
651
}
652
653
#endif
654
655
/* The length of the client handshake label. */
656
0
#define CLIENT_HANDSHAKE_LABEL_SZ   12
657
/* The client handshake label. */
658
static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
659
    "c hs traffic";
660
661
/* Derive the client handshake key.
662
 *
663
 * ssl  The SSL/TLS object.
664
 * key  The derived key.
665
 * returns 0 on success, otherwise failure.
666
 */
667
static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)
668
0
{
669
0
    int ret;
670
0
    WOLFSSL_MSG("Derive Client Handshake Secret");
671
0
    if (ssl == NULL || ssl->arrays == NULL) {
672
0
        return BAD_FUNC_ARG;
673
0
    }
674
675
#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
676
    /* If this is called from a sniffer session with keylog file support,
677
     * obtain the appropriate secret from the callback */
678
    if (ssl->snifferSecretCb != NULL) {
679
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
680
                               SNIFFER_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
681
                               key);
682
    }
683
#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
684
685
0
    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
686
0
                    clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ,
687
0
                    ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END);
688
#ifdef HAVE_SECRET_CALLBACK
689
    if (ret == 0 && ssl->tls13SecretCb != NULL) {
690
        ret = ssl->tls13SecretCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key,
691
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
692
        if (ret != 0) {
693
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
694
            return TLS13_SECRET_CB_E;
695
        }
696
    }
697
#ifdef OPENSSL_EXTRA
698
    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
699
        ret = ssl->tls13KeyLogCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key,
700
                                ssl->specs.hash_size, NULL);
701
        if (ret != 0) {
702
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
703
            return TLS13_SECRET_CB_E;
704
        }
705
    }
706
#endif /* OPENSSL_EXTRA */
707
#endif /* HAVE_SECRET_CALLBACK */
708
0
    return ret;
709
0
}
710
711
/* The length of the server handshake label. */
712
0
#define SERVER_HANDSHAKE_LABEL_SZ   12
713
/* The server handshake label. */
714
static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
715
    "s hs traffic";
716
717
/* Derive the server handshake key.
718
 *
719
 * ssl  The SSL/TLS object.
720
 * key  The derived key.
721
 * returns 0 on success, otherwise failure.
722
 */
723
static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)
724
0
{
725
0
    int ret;
726
0
    WOLFSSL_MSG("Derive Server Handshake Secret");
727
0
    if (ssl == NULL || ssl->arrays == NULL) {
728
0
        return BAD_FUNC_ARG;
729
0
    }
730
731
#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
732
    /* If this is called from a sniffer session with keylog file support,
733
     * obtain the appropriate secret from the callback */
734
    if (ssl->snifferSecretCb != NULL) {
735
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
736
                                SNIFFER_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET,
737
                                key);
738
    }
739
#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
740
741
0
    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
742
0
                    serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ,
743
0
                    ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END);
744
745
#ifdef HAVE_SECRET_CALLBACK
746
    if (ret == 0 && ssl->tls13SecretCb != NULL) {
747
        ret = ssl->tls13SecretCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key,
748
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
749
        if (ret != 0) {
750
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
751
            return TLS13_SECRET_CB_E;
752
        }
753
    }
754
#ifdef OPENSSL_EXTRA
755
    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
756
        ret = ssl->tls13KeyLogCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key,
757
                                ssl->specs.hash_size, NULL);
758
        if (ret != 0) {
759
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
760
            return TLS13_SECRET_CB_E;
761
        }
762
    }
763
#endif /* OPENSSL_EXTRA */
764
#endif /* HAVE_SECRET_CALLBACK */
765
0
    return ret;
766
0
}
767
768
/* The length of the client application traffic label. */
769
0
#define CLIENT_APP_LABEL_SZ         12
770
/* The client application traffic label. */
771
static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
772
    "c ap traffic";
773
774
/* Derive the client application traffic key.
775
 *
776
 * ssl  The SSL/TLS object.
777
 * key  The derived key.
778
 * returns 0 on success, otherwise failure.
779
 */
780
static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)
781
0
{
782
0
    int ret;
783
0
    WOLFSSL_MSG("Derive Client Traffic Secret");
784
0
    if (ssl == NULL || ssl->arrays == NULL) {
785
0
        return BAD_FUNC_ARG;
786
0
    }
787
788
#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
789
    /* If this is called from a sniffer session with keylog file support,
790
     * obtain the appropriate secret from the callback */
791
    if (ssl->snifferSecretCb != NULL) {
792
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
793
                                    SNIFFER_SECRET_CLIENT_TRAFFIC_SECRET,
794
                                    key);
795
    }
796
#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
797
798
0
    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
799
0
                    clientAppLabel, CLIENT_APP_LABEL_SZ,
800
0
                    ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END);
801
802
#ifdef HAVE_SECRET_CALLBACK
803
    if (ret == 0 && ssl->tls13SecretCb != NULL) {
804
        ret = ssl->tls13SecretCb(ssl, CLIENT_TRAFFIC_SECRET, key,
805
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
806
        if (ret != 0) {
807
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
808
            return TLS13_SECRET_CB_E;
809
        }
810
    }
811
#ifdef OPENSSL_EXTRA
812
    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
813
        ret = ssl->tls13KeyLogCb(ssl, CLIENT_TRAFFIC_SECRET, key,
814
                                ssl->specs.hash_size, NULL);
815
        if (ret != 0) {
816
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
817
            return TLS13_SECRET_CB_E;
818
        }
819
    }
820
#endif /* OPENSSL_EXTRA */
821
#endif /* HAVE_SECRET_CALLBACK */
822
0
    return ret;
823
0
}
824
825
/* The length of the server application traffic label. */
826
0
#define SERVER_APP_LABEL_SZ         12
827
/* The  server application traffic label. */
828
static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
829
    "s ap traffic";
830
831
/* Derive the server application traffic key.
832
 *
833
 * ssl  The SSL/TLS object.
834
 * key  The derived key.
835
 * returns 0 on success, otherwise failure.
836
 */
837
static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)
838
0
{
839
0
    int ret;
840
0
    WOLFSSL_MSG("Derive Server Traffic Secret");
841
0
    if (ssl == NULL || ssl->arrays == NULL) {
842
0
        return BAD_FUNC_ARG;
843
0
    }
844
845
#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
846
    /* If this is called from a sniffer session with keylog file support,
847
     * obtain the appropriate secret from the callback */
848
    if (ssl->snifferSecretCb != NULL) {
849
        return ssl->snifferSecretCb(ssl->arrays->clientRandom,
850
                                    SNIFFER_SECRET_SERVER_TRAFFIC_SECRET,
851
                                    key);
852
    }
853
#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
854
855
0
    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
856
0
                    serverAppLabel, SERVER_APP_LABEL_SZ,
857
0
                    ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END);
858
859
#ifdef HAVE_SECRET_CALLBACK
860
    if (ret == 0 && ssl->tls13SecretCb != NULL) {
861
        ret = ssl->tls13SecretCb(ssl, SERVER_TRAFFIC_SECRET, key,
862
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
863
        if (ret != 0) {
864
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
865
            return TLS13_SECRET_CB_E;
866
        }
867
    }
868
#ifdef OPENSSL_EXTRA
869
    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
870
        ret = ssl->tls13KeyLogCb(ssl, SERVER_TRAFFIC_SECRET, key,
871
                                ssl->specs.hash_size, NULL);
872
        if (ret != 0) {
873
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
874
            return TLS13_SECRET_CB_E;
875
        }
876
    }
877
#endif /* OPENSSL_EXTRA */
878
#endif /* HAVE_SECRET_CALLBACK */
879
0
    return ret;
880
0
}
881
882
#ifdef HAVE_KEYING_MATERIAL
883
/* The length of the exporter master secret label. */
884
#define EXPORTER_MASTER_LABEL_SZ    10
885
/* The exporter master secret label. */
886
static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
887
    "exp master";
888
889
/* Derive the exporter secret.
890
 *
891
 * ssl  The SSL/TLS object.
892
 * key  The derived key.
893
 * returns 0 on success, otherwise failure.
894
 */
895
static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)
896
{
897
    int ret;
898
    WOLFSSL_ENTER("Derive Exporter Secret");
899
    if (ssl == NULL || ssl->arrays == NULL) {
900
        return BAD_FUNC_ARG;
901
    }
902
    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
903
                        exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ,
904
                        ssl->specs.mac_algorithm, 1, 0 /* Unused */);
905
#ifdef HAVE_SECRET_CALLBACK
906
    if (ret == 0 && ssl->tls13SecretCb != NULL) {
907
        ret = ssl->tls13SecretCb(ssl, EXPORTER_SECRET, key,
908
                                 ssl->specs.hash_size, ssl->tls13SecretCtx);
909
        if (ret != 0) {
910
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
911
            return TLS13_SECRET_CB_E;
912
        }
913
    }
914
#ifdef OPENSSL_EXTRA
915
    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
916
        ret = ssl->tls13KeyLogCb(ssl, EXPORTER_SECRET, key,
917
                                ssl->specs.hash_size, NULL);
918
        if (ret != 0) {
919
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
920
            return TLS13_SECRET_CB_E;
921
        }
922
    }
923
#endif /* OPENSSL_EXTRA */
924
#endif /* HAVE_SECRET_CALLBACK */
925
    return ret;
926
}
927
928
/* The length of the exporter label. */
929
#define EXPORTER_LABEL_SZ    8
930
/* The exporter label. */
931
static const byte exporterLabel[EXPORTER_LABEL_SZ + 1] =
932
    "exporter";
933
/* Hash("") */
934
#ifndef NO_SHA256
935
static const byte emptySHA256Hash[] = {
936
    0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8,
937
    0x99, 0x6F, 0xB9, 0x24, 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C,
938
    0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55
939
};
940
#endif
941
#ifdef WOLFSSL_SHA384
942
static const byte emptySHA384Hash[] = {
943
    0x38, 0xB0, 0x60, 0xA7, 0x51, 0xAC, 0x96, 0x38, 0x4C, 0xD9, 0x32, 0x7E,
944
    0xB1, 0xB1, 0xE3, 0x6A, 0x21, 0xFD, 0xB7, 0x11, 0x14, 0xBE, 0x07, 0x43,
945
    0x4C, 0x0C, 0xC7, 0xBF, 0x63, 0xF6, 0xE1, 0xDA, 0x27, 0x4E, 0xDE, 0xBF,
946
    0xE7, 0x6F, 0x65, 0xFB, 0xD5, 0x1A, 0xD2, 0xF1, 0x48, 0x98, 0xB9, 0x5B
947
};
948
#endif
949
#ifdef WOLFSSL_TLS13_SHA512
950
static const byte emptySHA512Hash[] = {
951
    0xCF, 0x83, 0xE1, 0x35, 0x7E, 0xEF, 0xB8, 0xBD, 0xF1, 0x54, 0x28, 0x50,
952
    0xD6, 0x6D, 0x80, 0x07, 0xD6, 0x20, 0xE4, 0x05, 0x0B, 0x57, 0x15, 0xDC,
953
    0x83, 0xF4, 0xA9, 0x21, 0xD3, 0x6C, 0xE9, 0xCE, 0x47, 0xD0, 0xD1, 0x3C,
954
    0x5D, 0x85, 0xF2, 0xB0, 0xFF, 0x83, 0x18, 0xD2, 0x87, 0x7E, 0xEC, 0x2F,
955
    0x63, 0xB9, 0x31, 0xBD, 0x47, 0x41, 0x7A, 0x81, 0xA5, 0x38, 0x32, 0x7A,
956
    0xF9, 0x27, 0xDA, 0x3E
957
};
958
#endif
959
#ifdef WOLFSSL_SM3
960
static const byte emptySM3Hash[] = {
961
    0x1A, 0xB2, 0x1D, 0x83, 0x55, 0xCF, 0xA1, 0x7F, 0x8E, 0x61, 0x19, 0x48,
962
    0x31, 0xE8, 0x1A, 0x8F, 0x22, 0xBE, 0xC8, 0xC7, 0x28, 0xFE, 0xFB, 0x74,
963
    0x7E, 0xD0, 0x35, 0xEB, 0x50, 0x82, 0xAA, 0x2B
964
};
965
#endif
966
/**
967
 * Implement section 7.5 of RFC 8446
968
 * @return  0 on success
969
 *         <0 on failure
970
 */
971
int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen,
972
        const char *label, size_t labelLen,
973
        const unsigned char *context, size_t contextLen)
974
{
975
    int                 ret;
976
    enum wc_HashType    hashType = WC_HASH_TYPE_NONE;
977
    word32              hashLen = 0;
978
    byte                hashOut[WC_MAX_DIGEST_SIZE];
979
    const byte*         emptyHash = NULL;
980
    byte                firstExpand[WC_MAX_DIGEST_SIZE];
981
    const byte*         protocol = tls13ProtocolLabel;
982
    word32              protocolLen = TLS13_PROTOCOL_LABEL_SZ;
983
984
    if (ssl->options.dtls && ssl->version.minor != DTLSv1_3_MINOR)
985
        return VERSION_ERROR;
986
987
    if (!ssl->options.dtls && ssl->version.minor != TLSv1_3_MINOR)
988
        return VERSION_ERROR;
989
990
#ifdef WOLFSSL_DTLS13
991
    if (ssl->options.dtls) {
992
        protocol = dtls13ProtocolLabel;
993
        protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
994
    }
995
#endif /* WOLFSSL_DTLS13 */
996
997
    /* Sanity check contextLen to prevent truncation when cast to word32. */
998
    if (contextLen > WOLFSSL_MAX_32BIT)
999
        return BAD_FUNC_ARG;
1000
    /* RFC 8446 HkdfLabel encodes the output length as a uint16, so requested
1001
     * lengths > 65535 cannot be represented and must be rejected. */
1002
    if (outLen > WOLFSSL_MAX_16BIT)
1003
        return BAD_FUNC_ARG;
1004
    /* RFC 8446 HkdfLabel encodes the label length in a single byte, so
1005
     * anything > 255 cannot be represented and must be rejected.
1006
     * The protocol length is included in the label. */
1007
    if ((labelLen +  protocolLen) > WOLFSSL_MAX_8BIT)
1008
        return BAD_FUNC_ARG;
1009
1010
    switch (ssl->specs.mac_algorithm) {
1011
        #ifndef NO_SHA256
1012
        case sha256_mac:
1013
            hashType  = WC_HASH_TYPE_SHA256;
1014
            hashLen   = WC_SHA256_DIGEST_SIZE;
1015
            emptyHash = emptySHA256Hash;
1016
            break;
1017
        #endif
1018
1019
        #ifdef WOLFSSL_SHA384
1020
        case sha384_mac:
1021
            hashType  = WC_HASH_TYPE_SHA384;
1022
            hashLen   = WC_SHA384_DIGEST_SIZE;
1023
            emptyHash = emptySHA384Hash;
1024
            break;
1025
        #endif
1026
1027
        #ifdef WOLFSSL_TLS13_SHA512
1028
        case sha512_mac:
1029
            hashType  = WC_HASH_TYPE_SHA512;
1030
            hashLen   = WC_SHA512_DIGEST_SIZE;
1031
            emptyHash = emptySHA512Hash;
1032
            break;
1033
        #endif
1034
1035
        #ifdef WOLFSSL_SM3
1036
        case sm3_mac:
1037
            hashType  = WC_HASH_TYPE_SM3;
1038
            hashLen   = WC_SM3_DIGEST_SIZE;
1039
            emptyHash = emptySM3Hash;
1040
            break;
1041
        #endif
1042
1043
        default:
1044
            return BAD_FUNC_ARG;
1045
    }
1046
1047
    /* Derive-Secret(Secret, label, "") */
1048
    ret = Tls13HKDFExpandLabel(ssl, firstExpand, hashLen,
1049
            ssl->arrays->exporterSecret, hashLen,
1050
            protocol, protocolLen, (byte*)label, (word32)labelLen,
1051
            emptyHash, hashLen, (int)hashType);
1052
    if (ret != 0)
1053
        goto cleanup;
1054
1055
    /* Hash(context_value) */
1056
    ret = wc_Hash(hashType, context, (word32)contextLen, hashOut, WC_MAX_DIGEST_SIZE);
1057
    if (ret != 0)
1058
        goto cleanup;
1059
1060
    ret = Tls13HKDFExpandLabel(ssl, out, (word32)outLen, firstExpand, hashLen,
1061
            protocol, protocolLen, exporterLabel, EXPORTER_LABEL_SZ,
1062
            hashOut, hashLen, (int)hashType);
1063
1064
cleanup:
1065
    /* firstExpand is the per-label Derive-Secret PRK and hashOut holds
1066
     * Hash(context_value); wipe both before the stack frame is reclaimed. */
1067
    ForceZero(firstExpand, sizeof(firstExpand));
1068
    ForceZero(hashOut, sizeof(hashOut));
1069
    return ret;
1070
}
1071
#endif
1072
1073
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
1074
/* The length of the resumption master secret label. */
1075
#define RESUME_MASTER_LABEL_SZ      10
1076
/* The resumption master secret label. */
1077
static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
1078
    "res master";
1079
1080
/* Derive the resumption secret.
1081
 *
1082
 * ssl  The SSL/TLS object.
1083
 * key  The derived key.
1084
 * returns 0 on success, otherwise failure.
1085
 */
1086
int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
1087
{
1088
    byte* masterSecret;
1089
1090
    WOLFSSL_MSG("Derive Resumption Secret");
1091
    if (ssl == NULL) {
1092
        return BAD_FUNC_ARG;
1093
    }
1094
    if (ssl->arrays != NULL) {
1095
        masterSecret = ssl->arrays->masterSecret;
1096
    }
1097
    else {
1098
        masterSecret = ssl->session->masterSecret;
1099
    }
1100
    return Tls13DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel,
1101
                     RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1,
1102
                     0 /* Unused */);
1103
}
1104
#endif
1105
1106
/* Length of the finished label. */
1107
0
#define FINISHED_LABEL_SZ           8
1108
/* Finished label for generating finished key. */
1109
static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished";
1110
/* Derive the finished secret.
1111
 *
1112
 * ssl     The SSL/TLS object.
1113
 * key     The key to use with the HMAC.
1114
 * secret  The derived secret.
1115
 * side    The side that we are deriving the secret for.
1116
 * returns 0 on success, otherwise failure.
1117
 */
1118
static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret,
1119
                                int side)
1120
0
{
1121
0
    WOLFSSL_MSG("Derive Finished Secret");
1122
0
    return Tls13DeriveKey(ssl, secret, -1, key, finishedLabel,
1123
0
                          FINISHED_LABEL_SZ,  ssl->specs.mac_algorithm, 0,
1124
0
                          side);
1125
0
}
1126
1127
/* The length of the application traffic label. */
1128
0
#define APP_TRAFFIC_LABEL_SZ        11
1129
/* The application traffic label. */
1130
static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
1131
    "traffic upd";
1132
1133
/* Update the traffic secret.
1134
 *
1135
 * ssl     The SSL/TLS object.
1136
 * secret  The previous secret and derived secret.
1137
 * side    The side that we are deriving the secret for.
1138
 * returns 0 on success, otherwise failure.
1139
 */
1140
static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret, int side)
1141
0
{
1142
0
    WOLFSSL_MSG("Derive New Application Traffic Secret");
1143
0
    return Tls13DeriveKey(ssl, secret, -1, secret,
1144
0
                     appTrafficLabel, APP_TRAFFIC_LABEL_SZ,
1145
0
                     ssl->specs.mac_algorithm, 0, side);
1146
0
}
1147
1148
1149
static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt,
1150
                              int saltLen, byte* ikm, int ikmLen, int digest)
1151
0
{
1152
0
    int ret;
1153
#ifdef HAVE_PK_CALLBACKS
1154
    void *cb_ctx = ssl->HkdfExtractCtx;
1155
    CallbackHKDFExtract cb = ssl->ctx->HkdfExtractCb;
1156
    if (cb != NULL) {
1157
        ret = cb(prk, salt, (word32)saltLen, ikm, (word32)ikmLen, digest, cb_ctx);
1158
    }
1159
    else
1160
#endif
1161
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
1162
    if ((int)ssl->arrays->psk_keySz < 0) {
1163
        ret = PSK_KEY_ERROR;
1164
    }
1165
    else
1166
#endif
1167
0
    {
1168
0
    #if !defined(HAVE_FIPS) || \
1169
0
        (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
1170
0
        ret = wc_Tls13_HKDF_Extract_ex(prk, salt, (word32)saltLen, ikm, (word32)ikmLen, digest,
1171
0
            ssl->heap, ssl->devId);
1172
    #else
1173
        ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest);
1174
        (void)ssl;
1175
    #endif
1176
0
    }
1177
0
    return ret;
1178
0
}
1179
1180
/* Derive the early secret using HKDF Extract.
1181
 *
1182
 * ssl  The SSL/TLS object.
1183
 */
1184
int DeriveEarlySecret(WOLFSSL* ssl)
1185
0
{
1186
0
    int ret;
1187
1188
0
    WOLFSSL_MSG("Derive Early Secret");
1189
0
    if (ssl == NULL || ssl->arrays == NULL) {
1190
0
        return BAD_FUNC_ARG;
1191
0
    }
1192
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
1193
    ret = tsip_Tls13DeriveEarlySecret(ssl);
1194
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
1195
        return ret;
1196
#endif
1197
0
    PRIVATE_KEY_UNLOCK();
1198
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
1199
    ret = Tls13_HKDF_Extract(ssl, ssl->arrays->secret, NULL, 0,
1200
            ssl->arrays->psk_key, (int)ssl->arrays->psk_keySz,
1201
            mac2hash(ssl->specs.mac_algorithm));
1202
#else
1203
0
    ret = Tls13_HKDF_Extract(ssl, ssl->arrays->secret, NULL, 0,
1204
0
            ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm));
1205
0
#endif
1206
0
    PRIVATE_KEY_LOCK();
1207
0
    return ret;
1208
0
}
1209
1210
/* The length of the derived label. */
1211
0
#define DERIVED_LABEL_SZ        7
1212
/* The derived label. */
1213
static const byte derivedLabel[DERIVED_LABEL_SZ + 1] =
1214
    "derived";
1215
1216
/* Derive the handshake secret using HKDF Extract.
1217
 *
1218
 * ssl  The SSL/TLS object.
1219
 */
1220
int DeriveHandshakeSecret(WOLFSSL* ssl)
1221
0
{
1222
0
    byte key[WC_MAX_DIGEST_SIZE];
1223
0
    int ret;
1224
0
    WOLFSSL_MSG("Derive Handshake Secret");
1225
0
    if (ssl == NULL || ssl->arrays == NULL) {
1226
0
        return BAD_FUNC_ARG;
1227
0
    }
1228
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
1229
    ret = tsip_Tls13DeriveHandshakeSecret(ssl);
1230
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
1231
        return ret;
1232
#endif
1233
1234
    /* Derive-Secret(., "derived", "") per RFC 8446 Section 7.1.
1235
     * Empty hash (NULL, 0) is required by the TLS 1.3 key schedule. */
1236
0
    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
1237
0
                        derivedLabel, DERIVED_LABEL_SZ,
1238
0
                        NULL, 0, ssl->specs.mac_algorithm);
1239
0
    if (ret == 0) {
1240
0
        PRIVATE_KEY_UNLOCK();
1241
0
        ret = Tls13_HKDF_Extract(ssl, ssl->arrays->preMasterSecret,
1242
0
                key, ssl->specs.hash_size,
1243
0
                ssl->arrays->preMasterSecret, (int)ssl->arrays->preMasterSz,
1244
0
                mac2hash(ssl->specs.mac_algorithm));
1245
0
        PRIVATE_KEY_LOCK();
1246
0
    }
1247
1248
#ifdef WOLFSSL_CHECK_MEM_ZERO
1249
    wc_MemZero_Add("DeriveHandshakeSecret key", key, WC_MAX_DIGEST_SIZE);
1250
#endif
1251
0
    ForceZero(key, sizeof(key));
1252
#ifdef WOLFSSL_CHECK_MEM_ZERO
1253
    wc_MemZero_Check(key, sizeof(key));
1254
#endif
1255
0
    return ret;
1256
0
}
1257
1258
/* Derive the master secret using HKDF Extract.
1259
 *
1260
 * ssl  The SSL/TLS object.
1261
 */
1262
int DeriveMasterSecret(WOLFSSL* ssl)
1263
0
{
1264
0
    byte key[WC_MAX_DIGEST_SIZE];
1265
0
    int ret;
1266
0
    WOLFSSL_MSG("Derive Master Secret");
1267
0
    if (ssl == NULL || ssl->arrays == NULL) {
1268
0
        return BAD_FUNC_ARG;
1269
0
    }
1270
1271
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
1272
    ret = tsip_Tls13DeriveMasterSecret(ssl);
1273
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
1274
        return ret;
1275
#endif
1276
1277
    /* Derive-Secret(., "derived", "") per RFC 8446 Section 7.1.
1278
     * Empty hash (NULL, 0) is required by the TLS 1.3 key schedule. */
1279
0
    ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret,
1280
0
                        derivedLabel, DERIVED_LABEL_SZ,
1281
0
                        NULL, 0, ssl->specs.mac_algorithm);
1282
0
    if (ret == 0) {
1283
0
        PRIVATE_KEY_UNLOCK();
1284
0
        ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret,
1285
0
                                 key, ssl->specs.hash_size,
1286
0
                                 ssl->arrays->masterSecret, 0,
1287
0
                                 mac2hash(ssl->specs.mac_algorithm));
1288
0
        PRIVATE_KEY_LOCK();
1289
0
    }
1290
1291
#ifdef WOLFSSL_CHECK_MEM_ZERO
1292
    wc_MemZero_Add("DeriveMasterSecret key", key, WC_MAX_DIGEST_SIZE);
1293
#endif
1294
0
    ForceZero(key, sizeof(key));
1295
#ifdef WOLFSSL_CHECK_MEM_ZERO
1296
    wc_MemZero_Check(key, sizeof(key));
1297
#endif
1298
1299
#ifdef HAVE_KEYING_MATERIAL
1300
    if (ret != 0)
1301
        return ret;
1302
    /* Calculate exporter secret only when saving arrays */
1303
    if (ssl->options.saveArrays)
1304
        ret = DeriveExporterSecret(ssl, ssl->arrays->exporterSecret);
1305
#endif
1306
1307
0
    return ret;
1308
0
}
1309
1310
#if defined(HAVE_SESSION_TICKET)
1311
/* Length of the resumption label. */
1312
#define RESUMPTION_LABEL_SZ         10
1313
/* Resumption label for generating PSK associated with the ticket. */
1314
static const byte resumptionLabel[RESUMPTION_LABEL_SZ+1] = "resumption";
1315
1316
/* Derive the PSK associated with the ticket.
1317
 *
1318
 * ssl       The SSL/TLS object.
1319
 * nonce     The nonce to derive with.
1320
 * nonceLen  The length of the nonce to derive with.
1321
 * secret    The derived secret.
1322
 * returns 0 on success, otherwise failure.
1323
 */
1324
int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret)
1325
{
1326
    int         digestAlg;
1327
    /* Only one protocol version defined at this time. */
1328
    const byte* protocol    = tls13ProtocolLabel;
1329
    word32      protocolLen = TLS13_PROTOCOL_LABEL_SZ;
1330
    int         ret;
1331
1332
    WOLFSSL_MSG("Derive Resumption PSK");
1333
1334
#ifdef WOLFSSL_DTLS13
1335
    if (ssl->options.dtls) {
1336
        protocol = dtls13ProtocolLabel;
1337
        protocolLen = DTLS13_PROTOCOL_LABEL_SZ;
1338
    }
1339
#endif /* WOLFSSL_DTLS13 */
1340
1341
    switch (ssl->specs.mac_algorithm) {
1342
        #ifndef NO_SHA256
1343
        case sha256_mac:
1344
            digestAlg = WC_SHA256;
1345
            break;
1346
        #endif
1347
1348
        #ifdef WOLFSSL_SHA384
1349
        case sha384_mac:
1350
            digestAlg = WC_SHA384;
1351
            break;
1352
        #endif
1353
1354
        #ifdef WOLFSSL_TLS13_SHA512
1355
        case sha512_mac:
1356
            digestAlg = WC_SHA512;
1357
            break;
1358
        #endif
1359
1360
        #ifdef WOLFSSL_SM3
1361
        case sm3_mac:
1362
            digestAlg = WC_SM3;
1363
            break;
1364
        #endif
1365
1366
        default:
1367
            return BAD_FUNC_ARG;
1368
    }
1369
1370
#if defined(WOLFSSL_TICKET_NONCE_MALLOC) &&                                    \
1371
    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
1372
    PRIVATE_KEY_UNLOCK();
1373
    ret = wc_Tls13_HKDF_Expand_Label_Alloc(secret, ssl->specs.hash_size,
1374
        ssl->session->masterSecret, ssl->specs.hash_size, protocol, protocolLen,
1375
        resumptionLabel, RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg,
1376
        ssl->heap);
1377
    PRIVATE_KEY_LOCK();
1378
#else
1379
    ret = Tls13HKDFExpandLabel(ssl, secret, ssl->specs.hash_size,
1380
                               ssl->session->masterSecret, ssl->specs.hash_size,
1381
                               protocol, protocolLen, resumptionLabel,
1382
                               RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg);
1383
#endif /* !defined(HAVE_FIPS) || FIPS_VERSION_GE(5,3) */
1384
    return ret;
1385
}
1386
#endif /* HAVE_SESSION_TICKET */
1387
1388
1389
/* Calculate the HMAC of message data to this point.
1390
 *
1391
 * ssl   The SSL/TLS object.
1392
 * key   The HMAC key.
1393
 * hash  The hash result - verify data.
1394
 * returns length of verify data generated.
1395
 */
1396
static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash,
1397
    word32* pHashSz)
1398
0
{
1399
0
    WC_DECLARE_VAR(verifyHmac, Hmac, 1, 0);
1400
0
    int  hashType = WC_SHA256;
1401
0
    int  hashSz = WC_SHA256_DIGEST_SIZE;
1402
0
    int  ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
1403
1404
0
    if (ssl == NULL || key == NULL || hash == NULL) {
1405
0
        return BAD_FUNC_ARG;
1406
0
    }
1407
1408
    /* Get the hash of the previous handshake messages. */
1409
0
    switch (ssl->specs.mac_algorithm) {
1410
0
    #ifndef NO_SHA256
1411
0
        case sha256_mac:
1412
0
            hashType = WC_SHA256;
1413
0
            hashSz = WC_SHA256_DIGEST_SIZE;
1414
0
            ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
1415
0
            break;
1416
0
    #endif /* !NO_SHA256 */
1417
0
    #ifdef WOLFSSL_SHA384
1418
0
        case sha384_mac:
1419
0
            hashType = WC_SHA384;
1420
0
            hashSz = WC_SHA384_DIGEST_SIZE;
1421
0
            ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
1422
0
            break;
1423
0
    #endif /* WOLFSSL_SHA384 */
1424
    #ifdef WOLFSSL_TLS13_SHA512
1425
        case sha512_mac:
1426
            hashType = WC_SHA512;
1427
            hashSz = WC_SHA512_DIGEST_SIZE;
1428
            ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
1429
            break;
1430
    #endif /* WOLFSSL_TLS13_SHA512 */
1431
    #ifdef WOLFSSL_SM3
1432
        case sm3_mac:
1433
            hashType = WC_SM3;
1434
            hashSz = WC_SM3_DIGEST_SIZE;
1435
            ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
1436
            break;
1437
    #endif /* WOLFSSL_SM3 */
1438
0
        default:
1439
0
            ret = BAD_FUNC_ARG;
1440
0
            break;
1441
0
    }
1442
0
    if (ret != 0)
1443
0
        return ret;
1444
1445
#ifdef WOLFSSL_DEBUG_TLS
1446
    WOLFSSL_MSG("  Key");
1447
    WOLFSSL_BUFFER(key, ssl->specs.hash_size);
1448
    WOLFSSL_MSG("  Msg Hash");
1449
    WOLFSSL_BUFFER(hash, hashSz);
1450
#endif
1451
1452
0
    WC_ALLOC_VAR_EX(verifyHmac, Hmac, 1, NULL, DYNAMIC_TYPE_HMAC,
1453
0
        return MEMORY_E);
1454
1455
    /* Calculate the verify data. */
1456
0
    ret = wc_HmacInit(verifyHmac, ssl->heap, ssl->devId);
1457
0
    if (ret == 0) {
1458
0
        ret = wc_HmacSetKey(verifyHmac, hashType, key, ssl->specs.hash_size);
1459
0
        if (ret == 0)
1460
0
            ret = wc_HmacUpdate(verifyHmac, hash, (word32)hashSz);
1461
0
        if (ret == 0)
1462
0
            ret = wc_HmacFinal(verifyHmac, hash);
1463
0
        wc_HmacFree(verifyHmac);
1464
0
    }
1465
1466
0
    WC_FREE_VAR_EX(verifyHmac, NULL, DYNAMIC_TYPE_HMAC);
1467
1468
#ifdef WOLFSSL_DEBUG_TLS
1469
    WOLFSSL_MSG("  Hash");
1470
    WOLFSSL_BUFFER(hash, hashSz);
1471
#endif
1472
1473
0
    if (pHashSz)
1474
0
        *pHashSz = (word32)hashSz;
1475
1476
0
    return ret;
1477
0
}
1478
1479
/* The length of the label to use when deriving keys. */
1480
0
#define WRITE_KEY_LABEL_SZ     3
1481
/* The length of the label to use when deriving IVs. */
1482
0
#define WRITE_IV_LABEL_SZ      2
1483
/* The label to use when deriving keys. */
1484
static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key";
1485
/* The label to use when deriving IVs. */
1486
static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1]   = "iv";
1487
1488
/* Derive the keys and IVs for TLS v1.3.
1489
 *
1490
 * ssl      The SSL/TLS object.
1491
 * secret   early_data_key when deriving the key and IV for encrypting early
1492
 *          data application data and end_of_early_data messages.
1493
 *          handshake_key when deriving keys and IVs for encrypting handshake
1494
 *          messages.
1495
 *          traffic_key when deriving first keys and IVs for encrypting
1496
 *          traffic messages.
1497
 *          update_traffic_key when deriving next keys and IVs for encrypting
1498
 *          traffic messages.
1499
 *          no_key when deriving keys and IVs from existing secrets without
1500
 *          re-deriving the secrets. Used during early data transitions.
1501
 * side     ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived.
1502
 *          DECRYPT_SIDE_ONLY when only decryption secret needs to be derived.
1503
 *          ENCRYPT_AND_DECRYPT_SIDE when both secret needs to be derived.
1504
 * store    1 indicates to derive the keys and IVs from derived secret and
1505
 *          store ready for provisioning.
1506
 * returns 0 on success, otherwise failure.
1507
 */
1508
int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store)
1509
0
{
1510
0
    int   ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); /* Assume failure */
1511
0
    int   i = 0;
1512
0
    WC_DECLARE_VAR(key_dig, byte, MAX_PRF_DIG, 0);
1513
0
    int   provision;
1514
1515
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
1516
    ret = tsip_Tls13DeriveKeys(ssl, secret, side);
1517
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
1518
        return ret;
1519
    }
1520
    ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); /* Assume failure */
1521
#endif
1522
1523
0
    WC_ALLOC_VAR_EX(key_dig, byte, MAX_PRF_DIG, ssl->heap,
1524
0
        DYNAMIC_TYPE_DIGEST, return MEMORY_E);
1525
1526
0
    if (side == ENCRYPT_AND_DECRYPT_SIDE) {
1527
0
        provision = PROVISION_CLIENT_SERVER;
1528
0
    }
1529
0
    else {
1530
0
        provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^
1531
0
                     (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT :
1532
0
                                                    PROVISION_SERVER;
1533
0
    }
1534
1535
    /* Derive the appropriate secret to use in the HKDF. */
1536
0
    switch (secret) {
1537
#ifdef WOLFSSL_EARLY_DATA
1538
        case early_data_key:
1539
            ret = DeriveEarlyTrafficSecret(ssl, ssl->clientSecret,
1540
                                           WOLFSSL_CLIENT_END);
1541
            if (ret != 0)
1542
                goto end;
1543
            break;
1544
#endif
1545
1546
0
        case handshake_key:
1547
0
            if (provision & PROVISION_CLIENT) {
1548
0
                ret = DeriveClientHandshakeSecret(ssl,
1549
0
                                                  ssl->clientSecret);
1550
0
                if (ret != 0)
1551
0
                    goto end;
1552
0
            }
1553
0
            if (provision & PROVISION_SERVER) {
1554
0
                ret = DeriveServerHandshakeSecret(ssl,
1555
0
                                                  ssl->serverSecret);
1556
0
                if (ret != 0)
1557
0
                    goto end;
1558
0
            }
1559
0
            break;
1560
1561
0
        case traffic_key:
1562
0
            if (provision & PROVISION_CLIENT) {
1563
0
                ret = DeriveClientTrafficSecret(ssl, ssl->clientSecret);
1564
0
                if (ret != 0)
1565
0
                    goto end;
1566
0
            }
1567
0
            if (provision & PROVISION_SERVER) {
1568
0
                ret = DeriveServerTrafficSecret(ssl, ssl->serverSecret);
1569
0
                if (ret != 0)
1570
0
                    goto end;
1571
0
            }
1572
0
            break;
1573
1574
0
        case update_traffic_key:
1575
0
            if (provision & PROVISION_CLIENT) {
1576
0
                ret = DeriveTrafficSecret(ssl, ssl->clientSecret,
1577
0
                                          WOLFSSL_CLIENT_END);
1578
0
                if (ret != 0)
1579
0
                    goto end;
1580
0
            }
1581
0
            if (provision & PROVISION_SERVER) {
1582
0
                ret = DeriveTrafficSecret(ssl, ssl->serverSecret,
1583
0
                                          WOLFSSL_SERVER_END);
1584
0
                if (ret != 0)
1585
0
                    goto end;
1586
0
            }
1587
0
            break;
1588
1589
0
        case no_key:
1590
            /* Called with early data to derive keys from existing secrets
1591
             * without re-deriving the secrets themselves. */
1592
0
            ret = 0;
1593
0
            break;
1594
1595
0
        default:
1596
0
            ret = BAD_FUNC_ARG;
1597
0
            break;
1598
0
    }
1599
1600
#ifdef WOLFSSL_QUIC
1601
    if (WOLFSSL_IS_QUIC(ssl)) {
1602
        ret = wolfSSL_quic_forward_secrets(ssl, secret, side);
1603
        if (ret != 0)
1604
            goto end;
1605
    }
1606
#endif /* WOLFSSL_QUIC */
1607
1608
0
    if (!store)
1609
0
        goto end;
1610
1611
    /* Key data = client key | server key | client IV | server IV */
1612
1613
0
    if (provision & PROVISION_CLIENT) {
1614
        /* Derive the client key.  */
1615
0
        WOLFSSL_MSG("Derive Client Key");
1616
0
        ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
1617
0
                        ssl->clientSecret, writeKeyLabel,
1618
0
                        WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0,
1619
0
                        WOLFSSL_CLIENT_END);
1620
0
        if (ret != 0)
1621
0
            goto end;
1622
0
        i += ssl->specs.key_size;
1623
0
    }
1624
1625
0
    if (provision & PROVISION_SERVER) {
1626
        /* Derive the server key.  */
1627
0
        WOLFSSL_MSG("Derive Server Key");
1628
0
        ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
1629
0
                        ssl->serverSecret, writeKeyLabel,
1630
0
                        WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0,
1631
0
                        WOLFSSL_SERVER_END);
1632
0
        if (ret != 0)
1633
0
            goto end;
1634
0
        i += ssl->specs.key_size;
1635
0
    }
1636
1637
0
    if (provision & PROVISION_CLIENT) {
1638
        /* Derive the client IV.  */
1639
0
        WOLFSSL_MSG("Derive Client IV");
1640
0
        ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
1641
0
                        ssl->clientSecret, writeIVLabel,
1642
0
                        WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0,
1643
0
                        WOLFSSL_CLIENT_END);
1644
0
        if (ret != 0)
1645
0
            goto end;
1646
0
        i += ssl->specs.iv_size;
1647
0
    }
1648
1649
0
    if (provision & PROVISION_SERVER) {
1650
        /* Derive the server IV.  */
1651
0
        WOLFSSL_MSG("Derive Server IV");
1652
0
        ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
1653
0
                        ssl->serverSecret, writeIVLabel,
1654
0
                        WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0,
1655
0
                        WOLFSSL_SERVER_END);
1656
0
        if (ret != 0)
1657
0
            goto end;
1658
0
        i += ssl->specs.iv_size;
1659
0
    }
1660
1661
    /* Store keys and IVs but don't activate them. */
1662
0
    ret = StoreKeys(ssl, key_dig, provision);
1663
1664
#ifdef WOLFSSL_DTLS13
1665
    if (ret != 0)
1666
      goto end;
1667
1668
    if (ssl->options.dtls) {
1669
        w64wrapper epochNumber;
1670
        ret = Dtls13DeriveSnKeys(ssl, provision);
1671
        if (ret != 0)
1672
            goto end;
1673
1674
        switch (secret) {
1675
            case early_data_key:
1676
                epochNumber = w64From32(0, DTLS13_EPOCH_EARLYDATA);
1677
                break;
1678
            case handshake_key:
1679
                epochNumber = w64From32(0, DTLS13_EPOCH_HANDSHAKE);
1680
                break;
1681
            case traffic_key:
1682
            case no_key:
1683
                epochNumber = w64From32(0, DTLS13_EPOCH_TRAFFIC0);
1684
                break;
1685
            case update_traffic_key:
1686
                if (side == ENCRYPT_SIDE_ONLY) {
1687
                    epochNumber = ssl->dtls13Epoch;
1688
                }
1689
                else if (side == DECRYPT_SIDE_ONLY) {
1690
                    epochNumber = ssl->dtls13PeerEpoch;
1691
                }
1692
                else {
1693
                    ret = BAD_STATE_E;
1694
                    goto end;
1695
                }
1696
                w64Increment(&epochNumber);
1697
                break;
1698
            default:
1699
                ret = BAD_STATE_E;
1700
                goto end;
1701
        }
1702
        ret = Dtls13NewEpoch(ssl, epochNumber, side);
1703
        if (ret != 0)
1704
            goto end;
1705
    }
1706
1707
#endif /* WOLFSSL_DTLS13 */
1708
1709
0
end:
1710
0
    ForceZero(key_dig, (word32)i);
1711
#ifdef WOLFSSL_SMALL_STACK
1712
    XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
1713
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
1714
    wc_MemZero_Check(key_dig, MAX_PRF_DIG);
1715
#endif
1716
1717
0
    if (ret != 0) {
1718
0
        WOLFSSL_ERROR_VERBOSE(ret);
1719
0
    }
1720
1721
0
    return ret;
1722
0
}
1723
1724
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) || defined(WOLFSSL_DTLS13)
1725
#ifdef WOLFSSL_32BIT_MILLI_TIME
1726
#ifndef NO_ASN_TIME
1727
#if defined(USER_TICKS)
1728
#if 0
1729
    word32 TimeNowInMilliseconds(void)
1730
    {
1731
        /*
1732
        write your own clock tick function if don't want gettimeofday()
1733
        needs millisecond accuracy but doesn't have to correlated to EPOCH
1734
        */
1735
    }
1736
#endif
1737
1738
#elif defined(TIME_OVERRIDES)
1739
#if !defined(NO_ASN) && !defined(NO_ASN_TIME)
1740
    word32 TimeNowInMilliseconds(void)
1741
    {
1742
        return (word32) wc_Time(0) * 1000;
1743
    }
1744
#else
1745
    #ifndef HAVE_TIME_T_TYPE
1746
        typedef long time_t;
1747
    #endif
1748
    extern time_t XTIME(time_t * timer);
1749
1750
    /* The time in milliseconds.
1751
     * Used for tickets to represent difference between when first seen and when
1752
     * sending.
1753
     *
1754
     * returns the time in milliseconds as a 32-bit value.
1755
     */
1756
    word32 TimeNowInMilliseconds(void)
1757
    {
1758
        return (word32) XTIME(0) * 1000;
1759
    }
1760
#endif
1761
1762
#elif defined(XTIME_MS)
1763
    word32 TimeNowInMilliseconds(void)
1764
    {
1765
        return (word32)XTIME_MS(0);
1766
    }
1767
1768
#elif defined(USE_WINDOWS_API)
1769
    /* The time in milliseconds.
1770
     * Used for tickets to represent difference between when first seen and when
1771
     * sending.
1772
     *
1773
     * returns the time in milliseconds as a 32-bit value.
1774
     */
1775
    word32 TimeNowInMilliseconds(void)
1776
    {
1777
        static int           init = 0;
1778
        static LARGE_INTEGER freq;
1779
        LARGE_INTEGER        count;
1780
1781
        if (!init) {
1782
            QueryPerformanceFrequency(&freq);
1783
            init = 1;
1784
        }
1785
1786
        QueryPerformanceCounter(&count);
1787
1788
        return (word32)(count.QuadPart / (freq.QuadPart / 1000));
1789
    }
1790
1791
#elif defined(HAVE_RTP_SYS)
1792
    #include "rtptime.h"
1793
1794
    /* The time in milliseconds.
1795
     * Used for tickets to represent difference between when first seen and when
1796
     * sending.
1797
     *
1798
     * returns the time in milliseconds as a 32-bit value.
1799
     */
1800
    word32 TimeNowInMilliseconds(void)
1801
    {
1802
        return (word32)rtp_get_system_sec() * 1000;
1803
    }
1804
#elif defined(WOLFSSL_DEOS)
1805
    word32 TimeNowInMilliseconds(void)
1806
    {
1807
        const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds();
1808
        word32 *systemTickPtr = systemTickPointer();
1809
1810
        return (word32) (*systemTickPtr/systemTickTimeInHz) * 1000;
1811
    }
1812
#elif defined(MICRIUM)
1813
    /* The time in milliseconds.
1814
     * Used for tickets to represent difference between when first seen and when
1815
     * sending.
1816
     *
1817
     * returns the time in milliseconds as a 32-bit value.
1818
     */
1819
    word32 TimeNowInMilliseconds(void)
1820
    {
1821
        OS_TICK ticks = 0;
1822
        OS_ERR  err;
1823
1824
        ticks = OSTimeGet(&err);
1825
1826
        return (word32) (ticks / OSCfg_TickRate_Hz) * 1000;
1827
    }
1828
#elif defined(MICROCHIP_TCPIP_V5)
1829
    /* The time in milliseconds.
1830
     * Used for tickets to represent difference between when first seen and when
1831
     * sending.
1832
     *
1833
     * returns the time in milliseconds as a 32-bit value.
1834
     */
1835
    word32 TimeNowInMilliseconds(void)
1836
    {
1837
        return (word32) (TickGet() / (TICKS_PER_SECOND / 1000));
1838
    }
1839
#elif defined(MICROCHIP_TCPIP)
1840
    #if defined(MICROCHIP_MPLAB_HARMONY)
1841
        #include <system/tmr/sys_tmr.h>
1842
1843
    /* The time in milliseconds.
1844
     * Used for tickets to represent difference between when first seen and when
1845
     * sending.
1846
     *
1847
     * returns the time in milliseconds as a 32-bit value.
1848
     */
1849
    word32 TimeNowInMilliseconds(void)
1850
    {
1851
        return (word32)(SYS_TMR_TickCountGet() /
1852
                        (SYS_TMR_TickCounterFrequencyGet() / 1000));
1853
    }
1854
    #else
1855
    /* The time in milliseconds.
1856
     * Used for tickets to represent difference between when first seen and when
1857
     * sending.
1858
     *
1859
     * returns the time in milliseconds as a 32-bit value.
1860
     */
1861
    word32 TimeNowInMilliseconds(void)
1862
    {
1863
        return (word32)(SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000));
1864
    }
1865
1866
    #endif
1867
1868
#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
1869
    /* The time in milliseconds.
1870
     * Used for tickets to represent difference between when first seen and when
1871
     * sending.
1872
     *
1873
     * returns the time in milliseconds as a 32-bit value.
1874
     */
1875
    word32 TimeNowInMilliseconds(void)
1876
    {
1877
        TIME_STRUCT mqxTime;
1878
1879
        _time_get_elapsed(&mqxTime);
1880
1881
        return (word32) mqxTime.SECONDS * 1000;
1882
    }
1883
#elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
1884
    #include "include/task.h"
1885
1886
    /* The time in milliseconds.
1887
     * Used for tickets to represent difference between when first seen and when
1888
     * sending.
1889
     *
1890
     * returns the time in milliseconds as a 32-bit value.
1891
     */
1892
    word32 TimeNowInMilliseconds(void)
1893
    {
1894
        return (unsigned int)(((float)xTaskGetTickCount()) /
1895
                              (configTICK_RATE_HZ / 1000));
1896
    }
1897
#elif defined(FREESCALE_KSDK_BM)
1898
    #include "lwip/sys.h" /* lwIP */
1899
1900
    /* The time in milliseconds.
1901
     * Used for tickets to represent difference between when first seen and when
1902
     * sending.
1903
     *
1904
     * returns the time in milliseconds as a 32-bit value.
1905
     */
1906
    word32 TimeNowInMilliseconds(void)
1907
    {
1908
        return sys_now();
1909
    }
1910
1911
#elif defined(WOLFSSL_CMSIS_RTOS) || defined(WOLFSSL_CMSIS_RTOSv2)
1912
1913
    word32 TimeNowInMilliseconds(void)
1914
    {
1915
        return (word32)osKernelGetTickCount();
1916
    }
1917
1918
#elif defined(WOLFSSL_TIRTOS)
1919
    /* The time in milliseconds.
1920
     * Used for tickets to represent difference between when first seen and when
1921
     * sending.
1922
     *
1923
     * returns the time in milliseconds as a 32-bit value.
1924
     */
1925
    word32 TimeNowInMilliseconds(void)
1926
    {
1927
        return (word32) Seconds_get() * 1000;
1928
    }
1929
#elif defined(WOLFSSL_UTASKER)
1930
    /* The time in milliseconds.
1931
     * Used for tickets to represent difference between when first seen and when
1932
     * sending.
1933
     *
1934
     * returns the time in milliseconds as a 32-bit value.
1935
     */
1936
    word32 TimeNowInMilliseconds(void)
1937
    {
1938
        return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
1939
    }
1940
#elif defined(WOLFSSL_LINUXKM)
1941
    word32 TimeNowInMilliseconds(void)
1942
    {
1943
        s64 t;
1944
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
1945
        struct timespec ts;
1946
        getnstimeofday(&ts);
1947
        t = ts.tv_sec * (s64)1000;
1948
        t += ts.tv_nsec / (s64)1000000;
1949
#else
1950
        struct timespec64 ts;
1951
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
1952
        ts = current_kernel_time64();
1953
#else
1954
        ktime_get_coarse_real_ts64(&ts);
1955
#endif
1956
        t = ts.tv_sec * 1000L;
1957
        t += ts.tv_nsec / 1000000L;
1958
#endif
1959
        return (word32)t;
1960
    }
1961
#elif defined(WOLFSSL_QNX_CAAM)
1962
    word32 TimeNowInMilliseconds(void)
1963
    {
1964
        struct timespec now;
1965
        clock_gettime(CLOCK_REALTIME, &now);
1966
        return (word32)(now.tv_sec * 1000 + now.tv_nsec / 1000000);
1967
    }
1968
#elif defined(FUSION_RTOS)
1969
    /* The time in milliseconds.
1970
     * Used for tickets to represent difference between when first seen and when
1971
     * sending.
1972
     *
1973
     * returns the time in milliseconds as a 32-bit value.
1974
     */
1975
    word32 TimeNowInMilliseconds(void)
1976
    {
1977
        struct timeval now;
1978
        if (FCL_GETTIMEOFDAY(&now, 0) < 0)
1979
            return 0;
1980
1981
        /* Convert to milliseconds number. */
1982
        return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000);
1983
    }
1984
#elif defined(WOLFSSL_ZEPHYR)
1985
    word32 TimeNowInMilliseconds(void)
1986
    {
1987
        int64_t t;
1988
    #if defined(CONFIG_ARCH_POSIX)
1989
        k_cpu_idle();
1990
    #endif
1991
        t = k_uptime_get(); /* returns current uptime in milliseconds */
1992
        return (word32)t;
1993
    }
1994
#elif defined(FREERTOS)
1995
    word32 TimeNowInMilliseconds(void)
1996
    {
1997
        return (word32)((uint64_t)(xTaskGetTickCount() * 1000) /
1998
            configTICK_RATE_HZ);
1999
    }
2000
#else
2001
    /* The time in milliseconds.
2002
     * Used for tickets to represent difference between when first seen and when
2003
     * sending.
2004
     *
2005
     * returns the time in milliseconds as a 32-bit value.
2006
     */
2007
    word32 TimeNowInMilliseconds(void)
2008
    {
2009
        struct timeval now;
2010
2011
        if (gettimeofday(&now, 0) < 0)
2012
            return 0;
2013
2014
        /* Convert to milliseconds number. */
2015
        return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000);
2016
    }
2017
#endif
2018
#else
2019
    /* user must supply time in milliseconds function:
2020
     *   word32 TimeNowInMilliseconds(void);
2021
     * The response is milliseconds elapsed
2022
     */
2023
#endif /* !NO_ASN_TIME */
2024
#else
2025
#ifndef NO_ASN_TIME
2026
#if defined(USER_TICKS)
2027
#if 0
2028
    sword64 TimeNowInMilliseconds(void)
2029
    {
2030
        /*
2031
        write your own clock tick function if don't want gettimeofday()
2032
        needs millisecond accuracy but doesn't have to correlated to EPOCH
2033
        */
2034
    }
2035
#endif
2036
2037
#elif defined(TIME_OVERRIDES)
2038
#if !defined(NO_ASN) && !defined(NO_ASN_TIME)
2039
    sword64 TimeNowInMilliseconds(void)
2040
    {
2041
        return (sword64) wc_Time(0) * 1000;
2042
    }
2043
#else
2044
    #ifndef HAVE_TIME_T_TYPE
2045
        typedef long time_t;
2046
    #endif
2047
    extern time_t XTIME(time_t * timer);
2048
2049
    /* The time in milliseconds.
2050
     * Used for tickets to represent difference between when first seen and when
2051
     * sending.
2052
     *
2053
     * returns the time in milliseconds as a 32-bit value.
2054
     */
2055
    sword64 TimeNowInMilliseconds(void)
2056
    {
2057
        return (sword64) XTIME(0) * 1000;
2058
    }
2059
#endif
2060
2061
#elif defined(XTIME_MS)
2062
    sword64 TimeNowInMilliseconds(void)
2063
    {
2064
        return (sword64)XTIME_MS(0);
2065
    }
2066
2067
#elif defined(USE_WINDOWS_API)
2068
    /* The time in milliseconds.
2069
     * Used for tickets to represent difference between when first seen and when
2070
     * sending.
2071
     *
2072
     * returns the time in milliseconds as a 64-bit value.
2073
     */
2074
    sword64 TimeNowInMilliseconds(void)
2075
    {
2076
        static int           init = 0;
2077
        static LARGE_INTEGER freq;
2078
        LARGE_INTEGER        count;
2079
2080
        if (!init) {
2081
            QueryPerformanceFrequency(&freq);
2082
            init = 1;
2083
        }
2084
2085
        QueryPerformanceCounter(&count);
2086
2087
        return (sword64)(count.QuadPart / (freq.QuadPart / 1000));
2088
    }
2089
2090
#elif defined(HAVE_RTP_SYS)
2091
    #include "rtptime.h"
2092
2093
    /* The time in milliseconds.
2094
     * Used for tickets to represent difference between when first seen and when
2095
     * sending.
2096
     *
2097
     * returns the time in milliseconds as a 64-bit value.
2098
     */
2099
    sword64 TimeNowInMilliseconds(void)
2100
    {
2101
        return (sword64)rtp_get_system_sec() * 1000;
2102
    }
2103
#elif defined(WOLFSSL_DEOS)
2104
    sword64 TimeNowInMilliseconds(void)
2105
    {
2106
        const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds();
2107
        word32 *systemTickPtr = systemTickPointer();
2108
2109
        return (sword64) (*systemTickPtr/systemTickTimeInHz) * 1000;
2110
    }
2111
#elif defined(MICRIUM)
2112
    /* The time in milliseconds.
2113
     * Used for tickets to represent difference between when first seen and when
2114
     * sending.
2115
     *
2116
     * returns the time in milliseconds as a 64-bit value.
2117
     */
2118
    sword64 TimeNowInMilliseconds(void)
2119
    {
2120
        OS_TICK ticks = 0;
2121
        OS_ERR  err;
2122
2123
        ticks = OSTimeGet(&err);
2124
2125
        return (sword64) (ticks / OSCfg_TickRate_Hz) * 1000;
2126
    }
2127
#elif defined(MICROCHIP_TCPIP_V5)
2128
    /* The time in milliseconds.
2129
     * Used for tickets to represent difference between when first seen and when
2130
     * sending.
2131
     *
2132
     * returns the time in milliseconds as a 64-bit value.
2133
     */
2134
    sword64 TimeNowInMilliseconds(void)
2135
    {
2136
        return (sword64) (TickGet() / (TICKS_PER_SECOND / 1000));
2137
    }
2138
#elif defined(MICROCHIP_TCPIP)
2139
    #if defined(MICROCHIP_MPLAB_HARMONY)
2140
        #include <system/tmr/sys_tmr.h>
2141
2142
    /* The time in milliseconds.
2143
     * Used for tickets to represent difference between when first seen and when
2144
     * sending.
2145
     *
2146
     * returns the time in milliseconds as a 64-bit value.
2147
     */
2148
    sword64 TimeNowInMilliseconds(void)
2149
    {
2150
        return (sword64)SYS_TMR_TickCountGet() /
2151
                        (SYS_TMR_TickCounterFrequencyGet() / 1000);
2152
    }
2153
    #else
2154
    /* The time in milliseconds.
2155
     * Used for tickets to represent difference between when first seen and when
2156
     * sending.
2157
     *
2158
     * returns the time in milliseconds as a 64-bit value.
2159
     */
2160
    sword64 TimeNowInMilliseconds(void)
2161
    {
2162
        return (sword64)SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000);
2163
    }
2164
2165
    #endif
2166
2167
#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
2168
    /* The time in milliseconds.
2169
     * Used for tickets to represent difference between when first seen and when
2170
     * sending.
2171
     *
2172
     * returns the time in milliseconds as a 64-bit value.
2173
     */
2174
    sword64 TimeNowInMilliseconds(void)
2175
    {
2176
        TIME_STRUCT mqxTime;
2177
2178
        _time_get_elapsed(&mqxTime);
2179
2180
        return (sword64) mqxTime.SECONDS * 1000;
2181
    }
2182
#elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
2183
    #include "include/task.h"
2184
2185
    /* The time in milliseconds.
2186
     * Used for tickets to represent difference between when first seen and when
2187
     * sending.
2188
     *
2189
     * returns the time in milliseconds as a 64-bit value.
2190
     */
2191
    sword64 TimeNowInMilliseconds(void)
2192
    {
2193
        return (sword64)xTaskGetTickCount() / (configTICK_RATE_HZ / 1000);
2194
    }
2195
#elif defined(FREESCALE_KSDK_BM)
2196
    #include "lwip/sys.h" /* lwIP */
2197
2198
    /* The time in milliseconds.
2199
     * Used for tickets to represent difference between when first seen and when
2200
     * sending.
2201
     *
2202
     * returns the time in milliseconds as a 64-bit value.
2203
     */
2204
    sword64 TimeNowInMilliseconds(void)
2205
    {
2206
        return sys_now();
2207
    }
2208
2209
#elif defined(WOLFSSL_CMSIS_RTOS) || defined(WOLFSSL_CMSIS_RTOSv2)
2210
2211
    sword64 TimeNowInMilliseconds(void)
2212
    {
2213
        return (sword64)osKernelGetTickCount();
2214
    }
2215
2216
#elif defined(WOLFSSL_TIRTOS)
2217
    /* The time in milliseconds.
2218
     * Used for tickets to represent difference between when first seen and when
2219
     * sending.
2220
     *
2221
     * returns the time in milliseconds as a 64-bit value.
2222
     */
2223
    sword64 TimeNowInMilliseconds(void)
2224
    {
2225
        return (sword64) Seconds_get() * 1000;
2226
    }
2227
#elif defined(WOLFSSL_UTASKER)
2228
    /* The time in milliseconds.
2229
     * Used for tickets to represent difference between when first seen and when
2230
     * sending.
2231
     *
2232
     * returns the time in milliseconds as a 64-bit value.
2233
     */
2234
    sword64 TimeNowInMilliseconds(void)
2235
    {
2236
        return (sword64)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
2237
    }
2238
#elif defined(WOLFSSL_LINUXKM)
2239
    sword64 TimeNowInMilliseconds(void)
2240
    {
2241
        s64 t;
2242
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0)
2243
        struct timespec ts;
2244
        getnstimeofday(&ts);
2245
        t = ts.tv_sec * (s64)1000;
2246
        t += ts.tv_nsec / (s64)1000000;
2247
#else
2248
        struct timespec64 ts;
2249
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0)
2250
        ts = current_kernel_time64();
2251
#else
2252
        ktime_get_coarse_real_ts64(&ts);
2253
#endif
2254
        t = ts.tv_sec * 1000L;
2255
        t += ts.tv_nsec / 1000000L;
2256
#endif
2257
        return (sword64)t;
2258
    }
2259
#elif defined(WOLFSSL_QNX_CAAM)
2260
    sword64 TimeNowInMilliseconds(void)
2261
    {
2262
        struct timespec now;
2263
        clock_gettime(CLOCK_REALTIME, &now);
2264
        return (sword64)(now.tv_sec * 1000 + now.tv_nsec / 1000000);
2265
    }
2266
#elif defined(FUSION_RTOS)
2267
    /* The time in milliseconds.
2268
     * Used for tickets to represent difference between when first seen and when
2269
     * sending.
2270
     *
2271
     * returns the time in milliseconds as a 64-bit value.
2272
     */
2273
    sword64 TimeNowInMilliseconds(void)
2274
    {
2275
        struct timeval now;
2276
        if (FCL_GETTIMEOFDAY(&now, 0) < 0)
2277
            return 0;
2278
2279
        /* Convert to milliseconds number. */
2280
        return (sword64)now.tv_sec * 1000 + now.tv_usec / 1000;
2281
    }
2282
#elif defined(WOLFSSL_ZEPHYR)
2283
    sword64 TimeNowInMilliseconds(void)
2284
    {
2285
        int64_t t;
2286
    #if defined(CONFIG_ARCH_POSIX)
2287
        k_cpu_idle();
2288
    #endif
2289
        t = k_uptime_get(); /* returns current uptime in milliseconds */
2290
        return (sword64)t;
2291
    }
2292
#elif defined(FREERTOS)
2293
    sword64 TimeNowInMilliseconds(void)
2294
    {
2295
        return (sword64)((uint64_t)(xTaskGetTickCount() * 1000) /
2296
            configTICK_RATE_HZ);
2297
    }
2298
#else
2299
    /* The time in milliseconds.
2300
     * Used for tickets to represent difference between when first seen and when
2301
     * sending.
2302
     *
2303
     * returns the time in milliseconds as a 64-bit value.
2304
     */
2305
    sword64 TimeNowInMilliseconds(void)
2306
    {
2307
        struct timeval now;
2308
2309
        if (gettimeofday(&now, 0) < 0)
2310
            return 0;
2311
2312
        /* Convert to milliseconds number. */
2313
        return (sword64)now.tv_sec * 1000 + now.tv_usec / 1000;
2314
    }
2315
#endif
2316
#else
2317
    /* user must supply time in milliseconds function:
2318
     *   sword64 TimeNowInMilliseconds(void);
2319
     * The response is milliseconds elapsed
2320
     */
2321
#endif /* !NO_ASN_TIME */
2322
#endif /* WOLFSSL_32BIT_MILLI_TIME */
2323
#endif /* HAVE_SESSION_TICKET || !NO_PSK || WOLFSSL_DTLS13 */
2324
2325
/* Add record layer header to message.
2326
 *
2327
 * output  The buffer to write the record layer header into.
2328
 * length  The length of the record data.
2329
 * type    The type of record message.
2330
 * ssl     The SSL/TLS object.
2331
 */
2332
static void AddTls13RecordHeader(byte* output, word32 length, byte type,
2333
                                 WOLFSSL* ssl)
2334
0
{
2335
0
    RecordLayerHeader* rl;
2336
2337
0
    rl = (RecordLayerHeader*)output;
2338
0
    rl->type    = type;
2339
0
    rl->pvMajor = ssl->version.major;
2340
    /* NOTE: May be TLSv1_MINOR when sending first ClientHello. */
2341
0
    rl->pvMinor = TLSv1_2_MINOR;
2342
0
    c16toa((word16)length, rl->length);
2343
0
}
2344
2345
/* Add handshake header to message.
2346
 *
2347
 * output      The buffer to write the handshake header into.
2348
 * length      The length of the handshake data.
2349
 * fragOffset  The offset of the fragment data. (DTLS)
2350
 * fragLength  The length of the fragment data. (DTLS)
2351
 * type        The type of handshake message.
2352
 * ssl         The SSL/TLS object. (DTLS)
2353
 */
2354
static void AddTls13HandShakeHeader(byte* output, word32 length,
2355
                                    word32 fragOffset, word32 fragLength,
2356
                                    byte type, WOLFSSL* ssl)
2357
0
{
2358
0
    HandShakeHeader* hs;
2359
0
    (void)fragOffset;
2360
0
    (void)fragLength;
2361
0
    (void)ssl;
2362
2363
#ifdef WOLFSSL_DTLS13
2364
    /* message_hash type is used for a synthetic message that replaces the first
2365
       ClientHello in the hash transcript when using HelloRetryRequest. It will
2366
       never be transmitted and, as the DTLS-only fields must not be considered
2367
       when computing the hash transcript, we can avoid to use the DTLS
2368
       handshake header. */
2369
    if (ssl->options.dtls && type != message_hash) {
2370
        Dtls13HandshakeAddHeader(ssl, output, (enum HandShakeType)type, length);
2371
        return;
2372
    }
2373
#endif /* WOLFSSL_DTLS13 */
2374
2375
    /* handshake header */
2376
0
    hs = (HandShakeHeader*)output;
2377
0
    hs->type = type;
2378
0
    c32to24(length, hs->length);
2379
0
}
2380
2381
2382
/* Add both record layer and handshake header to message.
2383
 *
2384
 * output      The buffer to write the headers into.
2385
 * length      The length of the handshake data.
2386
 * type        The type of record layer message.
2387
 * ssl         The SSL/TLS object. (DTLS)
2388
 */
2389
static void AddTls13Headers(byte* output, word32 length, byte type,
2390
                            WOLFSSL* ssl)
2391
0
{
2392
0
    word32 lengthAdj = HANDSHAKE_HEADER_SZ;
2393
0
    word32 outputAdj = RECORD_HEADER_SZ;
2394
2395
#ifdef WOLFSSL_DTLS13
2396
    if (ssl->options.dtls) {
2397
        Dtls13AddHeaders(output, length, (enum HandShakeType)type, ssl);
2398
        return;
2399
    }
2400
#endif /* WOLFSSL_DTLS13 */
2401
2402
0
    AddTls13RecordHeader(output, length + lengthAdj, handshake, ssl);
2403
0
    AddTls13HandShakeHeader(output + outputAdj, length, 0, length, type, ssl);
2404
0
}
2405
2406
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) \
2407
    && !defined(NO_CERTS)
2408
/* Add both record layer and fragment handshake header to message.
2409
 *
2410
 * output      The buffer to write the headers into.
2411
 * fragOffset  The offset of the fragment data. (DTLS)
2412
 * fragLength  The length of the fragment data. (DTLS)
2413
 * length      The length of the handshake data.
2414
 * type        The type of record layer message.
2415
 * ssl         The SSL/TLS object. (DTLS)
2416
 */
2417
static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
2418
                                word32 length, byte type, WOLFSSL* ssl)
2419
0
{
2420
0
    word32 lengthAdj = HANDSHAKE_HEADER_SZ;
2421
0
    word32 outputAdj = RECORD_HEADER_SZ;
2422
0
    (void)fragSz;
2423
2424
#ifdef WOLFSSL_DTLS13
2425
    /* we ignore fragmentation fields here because fragmentation logic for
2426
       DTLS1.3 is inside dtls13_handshake_send(). */
2427
    if (ssl->options.dtls) {
2428
        Dtls13AddHeaders(output, length, (enum HandShakeType)type, ssl);
2429
        return;
2430
    }
2431
#endif /* WOLFSSL_DTLS13 */
2432
2433
0
    AddTls13RecordHeader(output, fragSz + lengthAdj, handshake, ssl);
2434
0
    AddTls13HandShakeHeader(output + outputAdj, length, fragOffset, fragSz,
2435
0
                            type, ssl);
2436
0
}
2437
#endif /* (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) && !NO_CERTS */
2438
2439
/* Write the sequence number into the buffer.
2440
 * No DTLS v1.3 support.
2441
 *
2442
 * ssl          The SSL/TLS object.
2443
 * verifyOrder  Which set of sequence numbers to use.
2444
 * out          The buffer to write into.
2445
 */
2446
static WC_INLINE void WriteSEQTls13(WOLFSSL* ssl, int verifyOrder, byte* out)
2447
0
{
2448
0
    word32 seq[2] = {0, 0};
2449
2450
0
    if (ssl->options.dtls) {
2451
#ifdef WOLFSSL_DTLS13
2452
        Dtls13GetSeq(ssl, verifyOrder, seq, 1);
2453
#endif /* WOLFSSL_DTLS13 */
2454
0
    }
2455
0
    else if (verifyOrder == PEER_ORDER) {
2456
0
        seq[0] = ssl->keys.peer_sequence_number_hi;
2457
0
        seq[1] = ssl->keys.peer_sequence_number_lo++;
2458
        /* handle rollover */
2459
0
        if (seq[1] > ssl->keys.peer_sequence_number_lo)
2460
0
            ssl->keys.peer_sequence_number_hi++;
2461
0
    }
2462
0
    else {
2463
0
        seq[0] = ssl->keys.sequence_number_hi;
2464
0
        seq[1] = ssl->keys.sequence_number_lo++;
2465
        /* handle rollover */
2466
0
        if (seq[1] > ssl->keys.sequence_number_lo)
2467
0
            ssl->keys.sequence_number_hi++;
2468
0
    }
2469
#ifdef WOLFSSL_DEBUG_TLS
2470
    WOLFSSL_MSG_EX("TLS 1.3 Write Sequence %d %d", seq[0], seq[1]);
2471
#endif
2472
2473
0
    c32toa(seq[0], out);
2474
0
    c32toa(seq[1], out + OPAQUE32_LEN);
2475
0
}
2476
2477
/* Build the nonce for TLS v1.3 encryption and decryption.
2478
 *
2479
 * ssl    The SSL/TLS object.
2480
 * nonce  The nonce data to use when encrypting or decrypting.
2481
 * iv     The derived IV.
2482
 * order  The side on which the message is to be or was sent.
2483
 */
2484
static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
2485
                                   int ivSz, int order)
2486
0
{
2487
0
    int seq_offset;
2488
    /* Ensure minimum nonce size for standard AEAD ciphers */
2489
0
    if (ivSz < AEAD_NONCE_SZ)
2490
0
        ivSz = AEAD_NONCE_SZ;
2491
0
    seq_offset = ivSz - SEQ_SZ;
2492
    /* The nonce is the IV with the sequence XORed into the last bytes. */
2493
0
    WriteSEQTls13(ssl, order, nonce + seq_offset);
2494
0
    XMEMCPY(nonce, iv, seq_offset);
2495
0
    xorbuf(nonce + seq_offset, iv + seq_offset, SEQ_SZ);
2496
0
}
2497
2498
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
2499
/* Encrypt with ChaCha20 and create authentication tag with Poly1305.
2500
 *
2501
 * ssl     The SSL/TLS object.
2502
 * output  The buffer to write encrypted data and authentication tag into.
2503
 *         May be the same pointer as input.
2504
 * input   The data to encrypt.
2505
 * sz      The number of bytes to encrypt.
2506
 * nonce   The nonce to use with ChaCha20.
2507
 * aad     The additional authentication data.
2508
 * aadSz   The size of the addition authentication data.
2509
 * tag     The authentication tag buffer.
2510
 * returns 0 on success, otherwise failure.
2511
 */
2512
static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
2513
                                    const byte* input, word16 sz, byte* nonce,
2514
                                    const byte* aad, word16 aadSz, byte* tag)
2515
0
{
2516
0
    int    ret    = 0;
2517
0
    byte   poly[CHACHA20_256_KEY_SIZE];
2518
2519
    /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
2520
0
    XMEMSET(poly, 0, sizeof(poly));
2521
2522
    /* Set the nonce for ChaCha and get Poly1305 key. */
2523
0
    ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0);
2524
0
    if (ret != 0)
2525
0
        return ret;
2526
    /* Create Poly1305 key using ChaCha20 keystream. */
2527
0
    ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly));
2528
0
    if (ret != 0)
2529
0
        return ret;
2530
#ifdef WOLFSSL_CHECK_MEM_ZERO
2531
    wc_MemZero_Add("ChaCha20Poly1305_Encrypt poly", poly, sizeof(poly));
2532
#endif
2533
0
    ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 1);
2534
0
    if (ret != 0)
2535
0
        return ret;
2536
    /* Encrypt the plain text. */
2537
0
    ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz);
2538
0
    if (ret != 0) {
2539
0
        ForceZero(poly, sizeof(poly));
2540
    #ifdef WOLFSSL_CHECK_MEM_ZERO
2541
        wc_MemZero_Check(poly, sizeof(poly));
2542
    #endif
2543
0
        return ret;
2544
0
    }
2545
2546
    /* Set key for Poly1305. */
2547
0
    ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
2548
0
    ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
2549
#ifdef WOLFSSL_CHECK_MEM_ZERO
2550
    wc_MemZero_Check(poly, sizeof(poly));
2551
#endif
2552
0
    if (ret != 0)
2553
0
        return ret;
2554
    /* Add authentication code of encrypted data to end. */
2555
0
    ret = wc_Poly1305_MAC(ssl->auth.poly1305, aad, aadSz, output, sz, tag,
2556
0
                                                              POLY1305_AUTH_SZ);
2557
2558
0
    return ret;
2559
0
}
2560
#endif
2561
2562
#ifdef HAVE_NULL_CIPHER
2563
/* Create authentication tag and copy data over input.
2564
 *
2565
 * ssl     The SSL/TLS object.
2566
 * output  The buffer to copy data into.
2567
 *         May be the same pointer as input.
2568
 * input   The data.
2569
 * sz      The number of bytes of data.
2570
 * nonce   The nonce to use with authentication.
2571
 * aad     The additional authentication data.
2572
 * aadSz   The size of the addition authentication data.
2573
 * tag     The authentication tag buffer.
2574
 * returns 0 on success, otherwise failure.
2575
 */
2576
static int Tls13IntegrityOnly_Encrypt(WOLFSSL* ssl, byte* output,
2577
                                      const byte* input, word16 sz,
2578
                                      const byte* nonce,
2579
                                      const byte* aad, word16 aadSz, byte* tag)
2580
{
2581
    int ret;
2582
2583
    /* HMAC: nonce | aad | input  */
2584
    ret = wc_HmacUpdate(ssl->encrypt.hmac, nonce, ssl->specs.iv_size);
2585
    if (ret == 0)
2586
        ret = wc_HmacUpdate(ssl->encrypt.hmac, aad, aadSz);
2587
    if (ret == 0)
2588
        ret = wc_HmacUpdate(ssl->encrypt.hmac, input, sz);
2589
    if (ret == 0)
2590
        ret = wc_HmacFinal(ssl->encrypt.hmac, tag);
2591
    /* Copy the input to output if not the same buffer */
2592
    if (ret == 0 && output != input)
2593
        XMEMCPY(output, input, sz);
2594
    return ret;
2595
}
2596
#endif
2597
2598
/* Encrypt data for TLS v1.3.
2599
 *
2600
 * ssl     The SSL/TLS object.
2601
 * output  The buffer to write encrypted data and authentication tag into.
2602
 *         May be the same pointer as input.
2603
 * input   The record header and data to encrypt.
2604
 * sz      The number of bytes to encrypt.
2605
 * aad     The additional authentication data.
2606
 * aadSz   The size of the addition authentication data.
2607
 * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto
2608
 * returns 0 on success, otherwise failure.
2609
 */
2610
static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
2611
                        word16 sz, const byte* aad, word16 aadSz, int asyncOkay)
2612
0
{
2613
0
    int    ret    = 0;
2614
0
    word16 dataSz;
2615
0
    word16 macSz  = ssl->specs.aead_mac_size;
2616
0
    word32 nonceSz = 0;
2617
#ifdef WOLFSSL_ASYNC_CRYPT
2618
    WC_ASYNC_DEV* asyncDev = NULL;
2619
    word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
2620
#endif
2621
2622
0
    WOLFSSL_ENTER("EncryptTls13");
2623
0
    if (sz < ssl->specs.aead_mac_size)
2624
0
        return BUFFER_E;
2625
0
    dataSz = sz - ssl->specs.aead_mac_size;
2626
2627
0
    (void)output;
2628
0
    (void)input;
2629
0
    (void)sz;
2630
0
    (void)dataSz;
2631
0
    (void)macSz;
2632
0
    (void)asyncOkay;
2633
0
    (void)nonceSz;
2634
2635
#ifdef WOLFSSL_ASYNC_CRYPT
2636
    if (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E)) {
2637
        ssl->error = 0; /* clear async */
2638
    }
2639
#endif
2640
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
2641
    ret = tsip_Tls13AesEncrypt(ssl, output, input, dataSz);
2642
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
2643
        if (ret > 0) {
2644
            ret = 0; /* tsip_Tls13AesEncrypt returns output size */
2645
        }
2646
        return ret;
2647
    }
2648
    ret = 0;
2649
#endif /* WOLFSSL_RENESAS_TSIP_TLS */
2650
2651
0
    switch (ssl->encrypt.state) {
2652
0
        case CIPHER_STATE_BEGIN:
2653
0
        {
2654
        #ifdef WOLFSSL_DEBUG_TLS
2655
            WOLFSSL_MSG("Data to encrypt");
2656
            WOLFSSL_BUFFER(input, dataSz);
2657
            WOLFSSL_MSG("Additional Authentication Data");
2658
            WOLFSSL_BUFFER(aad, aadSz);
2659
        #endif
2660
2661
        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
2662
            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
2663
                    dataSz >= sizeof(ssl->encrypt.sanityCheck)) {
2664
                XMEMCPY(ssl->encrypt.sanityCheck, input,
2665
                    sizeof(ssl->encrypt.sanityCheck));
2666
            }
2667
        #endif
2668
2669
0
        #ifdef CIPHER_NONCE
2670
0
            if (ssl->encrypt.nonce == NULL) {
2671
0
                ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_MAX_IMP_SZ,
2672
0
                                                ssl->heap, DYNAMIC_TYPE_CIPHER);
2673
            #ifdef WOLFSSL_CHECK_MEM_ZERO
2674
                if (ssl->encrypt.nonce != NULL) {
2675
                    wc_MemZero_Add("EncryptTls13 nonce", ssl->encrypt.nonce,
2676
                        ssl->specs.iv_size);
2677
                }
2678
            #endif
2679
0
            }
2680
0
            if (ssl->encrypt.nonce == NULL)
2681
0
                return MEMORY_E;
2682
2683
0
            BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV,
2684
0
                            ssl->specs.iv_size, CUR_ORDER);
2685
0
        #endif
2686
2687
            /* Advance state and proceed */
2688
0
            ssl->encrypt.state = CIPHER_STATE_DO;
2689
0
        }
2690
0
        FALL_THROUGH;
2691
2692
0
        case CIPHER_STATE_DO:
2693
0
        {
2694
0
            switch (ssl->specs.bulk_cipher_algorithm) {
2695
0
            #ifdef BUILD_AESGCM
2696
0
                case wolfssl_aes_gcm:
2697
                #ifdef WOLFSSL_ASYNC_CRYPT
2698
                    /* initialize event */
2699
                    asyncDev = &ssl->encrypt.aes->asyncDev;
2700
                    ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
2701
                    if (ret != 0)
2702
                        break;
2703
                #endif
2704
2705
0
                    nonceSz = AESGCM_NONCE_SZ;
2706
2707
                #if defined(HAVE_PK_CALLBACKS)
2708
                    ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
2709
                    if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
2710
                        ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1,
2711
                                  output, input, dataSz,
2712
                                  ssl->encrypt.nonce, nonceSz,
2713
                                  output + dataSz, macSz,
2714
                                  aad, aadSz);
2715
                    }
2716
                    if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN))
2717
                #endif
2718
0
                    {
2719
2720
                #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
2721
                    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
2722
                        ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input,
2723
                            dataSz, ssl->encrypt.nonce, nonceSz,
2724
                            output + dataSz, macSz, aad, aadSz);
2725
                #else
2726
0
                        ret = wc_AesGcmSetExtIV(ssl->encrypt.aes,
2727
0
                                ssl->encrypt.nonce, nonceSz);
2728
0
                        if (ret == 0) {
2729
0
                            ret = wc_AesGcmEncrypt_ex(ssl->encrypt.aes, output,
2730
0
                                    input, dataSz, ssl->encrypt.nonce, nonceSz,
2731
0
                                    output + dataSz, macSz, aad, aadSz);
2732
0
                        }
2733
0
                #endif
2734
0
                    }
2735
0
                    break;
2736
0
            #endif
2737
2738
            #ifdef HAVE_AESCCM
2739
                case wolfssl_aes_ccm:
2740
                #ifdef WOLFSSL_ASYNC_CRYPT
2741
                    /* initialize event */
2742
                    asyncDev = &ssl->encrypt.aes->asyncDev;
2743
                    ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
2744
                    if (ret != 0)
2745
                        break;
2746
                #endif
2747
2748
                    nonceSz = AESCCM_NONCE_SZ;
2749
                #if defined(HAVE_PK_CALLBACKS)
2750
                    ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
2751
                    if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
2752
                        ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1,
2753
                                  output, input, dataSz,
2754
                                  ssl->encrypt.nonce, nonceSz,
2755
                                  output + dataSz, macSz,
2756
                                  aad, aadSz);
2757
                    }
2758
                    if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN))
2759
                #endif
2760
                    {
2761
                #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
2762
                    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
2763
                        ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input,
2764
                            dataSz, ssl->encrypt.nonce, nonceSz,
2765
                            output + dataSz, macSz, aad, aadSz);
2766
                #else
2767
                        ret = wc_AesCcmSetNonce(ssl->encrypt.aes,
2768
                                ssl->encrypt.nonce, nonceSz);
2769
                        if (ret == 0) {
2770
                            ret = wc_AesCcmEncrypt_ex(ssl->encrypt.aes, output,
2771
                                    input, dataSz, ssl->encrypt.nonce, nonceSz,
2772
                                    output + dataSz, macSz, aad, aadSz);
2773
                        }
2774
                #endif
2775
                    }
2776
                    break;
2777
            #endif
2778
2779
0
            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
2780
0
                case wolfssl_chacha:
2781
0
                    ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz,
2782
0
                        ssl->encrypt.nonce, aad, aadSz, output + dataSz);
2783
0
                    break;
2784
0
            #endif
2785
2786
            #ifdef WOLFSSL_SM4_GCM
2787
                case wolfssl_sm4_gcm:
2788
                    nonceSz = SM4_GCM_NONCE_SZ;
2789
                    ret = wc_Sm4GcmEncrypt(ssl->encrypt.sm4, output, input,
2790
                        dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz,
2791
                        macSz, aad, aadSz);
2792
                    break;
2793
            #endif
2794
2795
            #ifdef WOLFSSL_SM4_CCM
2796
                case wolfssl_sm4_ccm:
2797
                    nonceSz = SM4_CCM_NONCE_SZ;
2798
                    ret = wc_Sm4CcmEncrypt(ssl->encrypt.sm4, output, input,
2799
                        dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz,
2800
                        macSz, aad, aadSz);
2801
                    break;
2802
            #endif
2803
2804
            #ifdef HAVE_NULL_CIPHER
2805
                case wolfssl_cipher_null:
2806
                    ret = Tls13IntegrityOnly_Encrypt(ssl, output, input, dataSz,
2807
                        ssl->encrypt.nonce, aad, aadSz, output + dataSz);
2808
                    break;
2809
            #endif
2810
2811
0
                default:
2812
0
                    WOLFSSL_MSG("wolfSSL Encrypt programming error");
2813
0
                    return ENCRYPT_ERROR;
2814
0
            }
2815
2816
            /* Advance state */
2817
0
            ssl->encrypt.state = CIPHER_STATE_END;
2818
2819
        #ifdef WOLFSSL_ASYNC_CRYPT
2820
            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
2821
                /* if async is not okay, then block */
2822
                if (!asyncOkay) {
2823
                    ret = wc_AsyncWait(ret, asyncDev, event_flags);
2824
                }
2825
                else {
2826
                    /* If pending, then leave and return will resume below */
2827
                    return wolfSSL_AsyncPush(ssl, asyncDev);
2828
                }
2829
            }
2830
        #endif
2831
0
        }
2832
0
        FALL_THROUGH;
2833
2834
0
        case CIPHER_STATE_END:
2835
0
        {
2836
        #ifdef WOLFSSL_DEBUG_TLS
2837
            #ifdef CIPHER_NONCE
2838
                WOLFSSL_MSG("Nonce");
2839
                WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size);
2840
            #endif
2841
                WOLFSSL_MSG("Encrypted data");
2842
                WOLFSSL_BUFFER(output, dataSz);
2843
                WOLFSSL_MSG("Authentication Tag");
2844
                WOLFSSL_BUFFER(output + dataSz, macSz);
2845
        #endif
2846
2847
        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
2848
            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
2849
                    dataSz >= sizeof(ssl->encrypt.sanityCheck) &&
2850
                XMEMCMP(output, ssl->encrypt.sanityCheck,
2851
                    sizeof(ssl->encrypt.sanityCheck)) == 0) {
2852
2853
                WOLFSSL_MSG("EncryptTls13 sanity check failed! Glitch?");
2854
                return ENCRYPT_ERROR;
2855
            }
2856
            ForceZero(ssl->encrypt.sanityCheck,
2857
                sizeof(ssl->encrypt.sanityCheck));
2858
        #endif
2859
        #ifdef WOLFSSL_CHECK_MEM_ZERO
2860
            if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
2861
                    (output != input) && (ret == 0)) {
2862
                wc_MemZero_Add("TLS 1.3 Encrypt plaintext", input, sz);
2863
            }
2864
        #endif
2865
2866
0
        #ifdef CIPHER_NONCE
2867
0
            ForceZero(ssl->encrypt.nonce, ssl->specs.iv_size);
2868
0
        #endif
2869
2870
0
            break;
2871
0
        }
2872
2873
0
        default:
2874
0
            break;
2875
0
    }
2876
2877
2878
    /* Reset state */
2879
0
    ssl->encrypt.state = CIPHER_STATE_BEGIN;
2880
2881
0
    return ret;
2882
0
}
2883
2884
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
2885
/* Decrypt with ChaCha20 and check authentication tag with Poly1305.
2886
 *
2887
 * ssl     The SSL/TLS object.
2888
 * output  The buffer to write decrypted data into.
2889
 *         May be the same pointer as input.
2890
 * input   The data to decrypt.
2891
 * sz      The number of bytes to decrypt.
2892
 * nonce   The nonce to use with ChaCha20.
2893
 * aad     The additional authentication data.
2894
 * aadSz   The size of the addition authentication data.
2895
 * tagIn   The authentication tag data from packet.
2896
 * returns 0 on success, otherwise failure.
2897
 */
2898
static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output,
2899
                                    const byte* input, word16 sz, byte* nonce,
2900
                                    const byte* aad, word16 aadSz,
2901
                                    const byte* tagIn)
2902
0
{
2903
0
    int ret;
2904
0
    byte tag[POLY1305_AUTH_SZ];
2905
0
    byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
2906
2907
    /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
2908
0
    XMEMSET(poly, 0, sizeof(poly));
2909
2910
    /* Set nonce and get Poly1305 key. */
2911
0
    ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0);
2912
0
    if (ret != 0)
2913
0
        return ret;
2914
    /* Use ChaCha20 keystream to get Poly1305 key for tag. */
2915
0
    ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly));
2916
0
    if (ret != 0)
2917
0
        return ret;
2918
#ifdef WOLFSSL_CHECK_MEM_ZERO
2919
    wc_MemZero_Add("ChaCha20Poly1305_Decrypt poly", poly, sizeof(poly));
2920
#endif
2921
0
    ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 1);
2922
0
    if (ret != 0) {
2923
0
        ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
2924
    #ifdef WOLFSSL_CHECK_MEM_ZERO
2925
        wc_MemZero_Check(poly, sizeof(poly));
2926
    #endif
2927
0
        return ret;
2928
0
    }
2929
2930
    /* Set key for Poly1305. */
2931
0
    ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
2932
0
    ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
2933
#ifdef WOLFSSL_CHECK_MEM_ZERO
2934
    wc_MemZero_Check(poly, sizeof(poly));
2935
#endif
2936
0
    if (ret != 0)
2937
0
        return ret;
2938
    /* Generate authentication tag for encrypted data. */
2939
0
    if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, aad, aadSz, input, sz, tag,
2940
0
                                                           sizeof(tag))) != 0) {
2941
0
        return ret;
2942
0
    }
2943
2944
    /* Check tag sent along with packet. */
2945
0
    if (ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) {
2946
0
        WOLFSSL_MSG("MAC did not match");
2947
0
        return VERIFY_MAC_ERROR;
2948
0
    }
2949
2950
    /* If the tag was good decrypt message. */
2951
0
    ret = wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz);
2952
2953
0
    return ret;
2954
0
}
2955
#endif
2956
2957
#ifdef HAVE_NULL_CIPHER
2958
/* Check HMAC tag and copy over input.
2959
 *
2960
 * ssl     The SSL/TLS object.
2961
 * output  The buffer to copy data into.
2962
 *         May be the same pointer as input.
2963
 * input   The data.
2964
 * sz      The number of bytes of data.
2965
 * nonce   The nonce to use with authentication.
2966
 * aad     The additional authentication data.
2967
 * aadSz   The size of the addition authentication data.
2968
 * tagIn   The authentication tag data from packet.
2969
 * returns 0 on success, otherwise failure.
2970
 */
2971
static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output,
2972
                                      const byte* input, word16 sz,
2973
                                      const byte* nonce,
2974
                                      const byte* aad, word16 aadSz,
2975
                                      const byte* tagIn)
2976
{
2977
    int ret;
2978
    byte hmac[WC_MAX_DIGEST_SIZE];
2979
2980
    /* HMAC: nonce | aad | input  */
2981
    ret = wc_HmacUpdate(ssl->decrypt.hmac, nonce, ssl->specs.iv_size);
2982
    if (ret == 0)
2983
        ret = wc_HmacUpdate(ssl->decrypt.hmac, aad, aadSz);
2984
    if (ret == 0)
2985
        ret = wc_HmacUpdate(ssl->decrypt.hmac, input, sz);
2986
    if (ret == 0)
2987
        ret = wc_HmacFinal(ssl->decrypt.hmac, hmac);
2988
    /* Check authentication tag matches */
2989
    if (ret == 0 && ConstantCompare(tagIn, hmac, ssl->specs.hash_size) != 0)
2990
        ret = DECRYPT_ERROR;
2991
    /* Copy the input to output if not the same buffer */
2992
    if (ret == 0 && output != input)
2993
        XMEMCPY(output, input, sz);
2994
    ForceZero(hmac, sizeof(hmac));
2995
    return ret;
2996
}
2997
#endif
2998
2999
/* Decrypt data for TLS v1.3.
3000
 *
3001
 * ssl     The SSL/TLS object.
3002
 * output  The buffer to write decrypted data into.
3003
 *         May be the same pointer as input.
3004
 * input   The data to decrypt and authentication tag.
3005
 * sz      The length of the encrypted data plus authentication tag.
3006
 * aad     The additional authentication data.
3007
 * aadSz   The size of the addition authentication data.
3008
 * returns 0 on success, otherwise failure.
3009
 */
3010
int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz,
3011
                 const byte* aad, word16 aadSz)
3012
0
{
3013
0
    int    ret    = 0;
3014
0
    word16 dataSz;
3015
0
    word16 macSz  = ssl->specs.aead_mac_size;
3016
0
    word32 nonceSz = 0;
3017
3018
0
    WOLFSSL_ENTER("DecryptTls13");
3019
0
    if (sz < ssl->specs.aead_mac_size) {
3020
0
        return BAD_FUNC_ARG;
3021
0
    }
3022
0
    dataSz = sz - ssl->specs.aead_mac_size;
3023
3024
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
3025
    ret = tsip_Tls13AesDecrypt(ssl, output, input, sz);
3026
3027
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
3028
        #ifndef WOLFSSL_EARLY_DATA
3029
        if (ret < 0) {
3030
            ret = VERIFY_MAC_ERROR;
3031
            WOLFSSL_ERROR_VERBOSE(ret);
3032
        }
3033
        #endif
3034
        return ret;
3035
    }
3036
#endif
3037
3038
#ifdef WOLFSSL_ASYNC_CRYPT
3039
    ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
3040
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
3041
        /* check for still pending */
3042
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
3043
            return ret;
3044
3045
        ssl->error = 0; /* clear async */
3046
3047
        /* let failures through so CIPHER_STATE_END logic is run */
3048
    }
3049
    else
3050
#endif
3051
0
    {
3052
        /* Reset state */
3053
0
        ret = 0;
3054
0
        ssl->decrypt.state = CIPHER_STATE_BEGIN;
3055
0
    }
3056
3057
0
    (void)output;
3058
0
    (void)input;
3059
0
    (void)sz;
3060
0
    (void)dataSz;
3061
0
    (void)macSz;
3062
0
    (void)nonceSz;
3063
3064
0
    switch (ssl->decrypt.state) {
3065
0
        case CIPHER_STATE_BEGIN:
3066
0
        {
3067
        #ifdef WOLFSSL_DEBUG_TLS
3068
            WOLFSSL_MSG("Data to decrypt");
3069
            WOLFSSL_BUFFER(input, dataSz);
3070
            WOLFSSL_MSG("Additional Authentication Data");
3071
            WOLFSSL_BUFFER(aad, aadSz);
3072
            WOLFSSL_MSG("Authentication tag");
3073
            WOLFSSL_BUFFER(input + dataSz, macSz);
3074
        #endif
3075
3076
0
        #ifdef CIPHER_NONCE
3077
0
            if (ssl->decrypt.nonce == NULL) {
3078
0
                ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_MAX_IMP_SZ,
3079
0
                                                ssl->heap, DYNAMIC_TYPE_CIPHER);
3080
            #ifdef WOLFSSL_CHECK_MEM_ZERO
3081
                if (ssl->decrypt.nonce != NULL) {
3082
                    wc_MemZero_Add("DecryptTls13 nonce", ssl->decrypt.nonce,
3083
                        ssl->specs.iv_size);
3084
                }
3085
            #endif
3086
0
            }
3087
0
            if (ssl->decrypt.nonce == NULL)
3088
0
                return MEMORY_E;
3089
3090
0
            BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
3091
0
                            ssl->specs.iv_size, PEER_ORDER);
3092
0
        #endif
3093
3094
            /* Advance state and proceed */
3095
0
            ssl->decrypt.state = CIPHER_STATE_DO;
3096
0
        }
3097
0
        FALL_THROUGH;
3098
3099
0
        case CIPHER_STATE_DO:
3100
0
        {
3101
0
            switch (ssl->specs.bulk_cipher_algorithm) {
3102
0
            #ifdef BUILD_AESGCM
3103
0
                case wolfssl_aes_gcm:
3104
                #ifdef WOLFSSL_ASYNC_CRYPT
3105
                    /* initialize event */
3106
                    ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
3107
                        WC_ASYNC_FLAG_NONE);
3108
                    if (ret != 0)
3109
                        break;
3110
                #endif
3111
3112
0
                    nonceSz = AESGCM_NONCE_SZ;
3113
3114
                #if defined(HAVE_PK_CALLBACKS)
3115
                    ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
3116
                    if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
3117
                        ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0,
3118
                                  output, input, dataSz,
3119
                                  ssl->decrypt.nonce, nonceSz,
3120
                                  (byte *)(input + dataSz), macSz,
3121
                                  aad, aadSz);
3122
                    }
3123
                    if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN))
3124
                #endif
3125
0
                    {
3126
3127
0
                        ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input,
3128
0
                            dataSz, ssl->decrypt.nonce, nonceSz,
3129
0
                            input + dataSz, macSz, aad, aadSz);
3130
3131
                #ifdef WOLFSSL_ASYNC_CRYPT
3132
                        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
3133
                            ret = wolfSSL_AsyncPush(ssl,
3134
                                &ssl->decrypt.aes->asyncDev);
3135
                        }
3136
                #endif
3137
3138
0
                    }
3139
0
                    break;
3140
0
            #endif
3141
3142
            #ifdef HAVE_AESCCM
3143
                case wolfssl_aes_ccm:
3144
                #ifdef WOLFSSL_ASYNC_CRYPT
3145
                    /* initialize event */
3146
                    ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
3147
                        WC_ASYNC_FLAG_NONE);
3148
                    if (ret != 0)
3149
                        break;
3150
                #endif
3151
3152
                    nonceSz = AESCCM_NONCE_SZ;
3153
                #if defined(HAVE_PK_CALLBACKS)
3154
                    ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);
3155
                    if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) {
3156
                        ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0,
3157
                                  output, input, dataSz,
3158
                                  ssl->decrypt.nonce, nonceSz,
3159
                                  (byte *)(input + dataSz), macSz,
3160
                                  aad, aadSz);
3161
                    }
3162
                    if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN))
3163
                #endif
3164
                    {
3165
                        ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input,
3166
                            dataSz, ssl->decrypt.nonce, nonceSz,
3167
                            input + dataSz, macSz, aad, aadSz);
3168
                #ifdef WOLFSSL_ASYNC_CRYPT
3169
                        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
3170
                            ret = wolfSSL_AsyncPush(ssl,
3171
                                &ssl->decrypt.aes->asyncDev);
3172
                        }
3173
                #endif
3174
                    }
3175
                    break;
3176
            #endif
3177
3178
0
            #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
3179
0
                case wolfssl_chacha:
3180
0
                    ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz,
3181
0
                        ssl->decrypt.nonce, aad, aadSz, input + dataSz);
3182
0
                    break;
3183
0
            #endif
3184
3185
            #ifdef WOLFSSL_SM4_GCM
3186
                case wolfssl_sm4_gcm:
3187
                    nonceSz = SM4_GCM_NONCE_SZ;
3188
                    ret = wc_Sm4GcmDecrypt(ssl->decrypt.sm4, output, input,
3189
                        dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz,
3190
                        macSz, aad, aadSz);
3191
                    break;
3192
            #endif
3193
3194
            #ifdef WOLFSSL_SM4_CCM
3195
                case wolfssl_sm4_ccm:
3196
                    nonceSz = SM4_CCM_NONCE_SZ;
3197
                    ret = wc_Sm4CcmDecrypt(ssl->decrypt.sm4, output, input,
3198
                        dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz,
3199
                        macSz, aad, aadSz);
3200
                    break;
3201
            #endif
3202
3203
            #ifdef HAVE_NULL_CIPHER
3204
                case wolfssl_cipher_null:
3205
                    ret = Tls13IntegrityOnly_Decrypt(ssl, output, input, dataSz,
3206
                        ssl->decrypt.nonce, aad, aadSz, input + dataSz);
3207
                    break;
3208
            #endif
3209
0
                default:
3210
0
                    WOLFSSL_MSG("wolfSSL Decrypt programming error");
3211
0
                    return DECRYPT_ERROR;
3212
0
            }
3213
3214
            /* Advance state */
3215
0
            ssl->decrypt.state = CIPHER_STATE_END;
3216
3217
        #ifdef WOLFSSL_ASYNC_CRYPT
3218
            /* If pending, leave now */
3219
            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
3220
                return ret;
3221
            }
3222
        #endif
3223
0
        }
3224
0
        FALL_THROUGH;
3225
3226
0
        case CIPHER_STATE_END:
3227
0
        {
3228
        #ifdef WOLFSSL_DEBUG_TLS
3229
            #ifdef CIPHER_NONCE
3230
                WOLFSSL_MSG("Nonce");
3231
                WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size);
3232
            #endif
3233
                WOLFSSL_MSG("Decrypted data");
3234
                WOLFSSL_BUFFER(output, dataSz);
3235
        #endif
3236
        #ifdef WOLFSSL_CHECK_MEM_ZERO
3237
            if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
3238
                    (ret == 0)) {
3239
                wc_MemZero_Add("TLS 1.3 Decrypted data", output, sz);
3240
            }
3241
        #endif
3242
3243
0
        #ifdef CIPHER_NONCE
3244
0
            ForceZero(ssl->decrypt.nonce, ssl->specs.iv_size);
3245
0
        #endif
3246
3247
0
            break;
3248
0
        }
3249
3250
0
       default:
3251
0
            break;
3252
0
    }
3253
3254
0
    if (ret < 0) {
3255
0
        WOLFSSL_ERROR_VERBOSE(ret);
3256
0
    }
3257
3258
0
    return ret;
3259
0
}
3260
3261
/* Persistable BuildTls13Message arguments */
3262
typedef struct BuildMsg13Args {
3263
    word32 sz;
3264
    word32 idx;
3265
    word32 headerSz;
3266
    word16 size;
3267
    word32 paddingSz;
3268
} BuildMsg13Args;
3269
3270
static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs)
3271
0
{
3272
0
    BuildMsg13Args* args = (BuildMsg13Args*)pArgs;
3273
3274
0
    (void)ssl;
3275
0
    (void)args;
3276
3277
    /* no allocations in BuildTls13Message */
3278
0
}
3279
3280
/* Build SSL Message, encrypted.
3281
 * TLS v1.3 encryption is AEAD only.
3282
 *
3283
 * ssl         The SSL/TLS object.
3284
 * output      The buffer to write record message to.
3285
 * outSz       Size of the buffer being written into.
3286
 * input       The record data to encrypt (excluding record header).
3287
 * inSz        The size of the record data.
3288
 * type        The recorder header content type.
3289
 * hashOutput  Whether to hash the unencrypted record data.
3290
 * sizeOnly    Only want the size of the record message.
3291
 * asyncOkay   If non-zero can return WC_PENDING_E, otherwise blocks on crypto
3292
 * returns the size of the encrypted record message or negative value on error.
3293
 */
3294
int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
3295
                int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay)
3296
0
{
3297
0
    int ret;
3298
0
    BuildMsg13Args* args;
3299
0
    BuildMsg13Args  lcl_args;
3300
3301
0
    WOLFSSL_ENTER("BuildTls13Message");
3302
3303
0
    if (ssl == NULL) {
3304
0
        return BAD_FUNC_ARG;
3305
0
    }
3306
3307
#ifdef WOLFSSL_ASYNC_CRYPT
3308
    ret = WC_NO_PENDING_E;
3309
    if (asyncOkay) {
3310
        WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
3311
3312
        if (ssl->async == NULL) {
3313
            ssl->async = (struct WOLFSSL_ASYNC*)
3314
                    XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
3315
                            DYNAMIC_TYPE_ASYNC);
3316
            if (ssl->async == NULL)
3317
                return MEMORY_E;
3318
        }
3319
        args = (BuildMsg13Args*)ssl->async->args;
3320
3321
        ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
3322
        if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
3323
            /* Check for error */
3324
            if (ret < 0)
3325
                goto exit_buildmsg;
3326
        }
3327
    }
3328
    else
3329
#endif
3330
0
    {
3331
0
        args = &lcl_args;
3332
0
    }
3333
3334
    /* Reset state */
3335
#ifdef WOLFSSL_ASYNC_CRYPT
3336
    if (ret == WC_NO_ERR_TRACE(WC_NO_PENDING_E))
3337
#endif
3338
0
    {
3339
0
        ret = 0;
3340
0
        ssl->options.buildMsgState = BUILD_MSG_BEGIN;
3341
0
        XMEMSET(args, 0, sizeof(BuildMsg13Args));
3342
3343
0
        args->headerSz = RECORD_HEADER_SZ;
3344
#ifdef WOLFSSL_DTLS13
3345
        if (ssl->options.dtls)
3346
            args->headerSz = Dtls13GetRlHeaderLength(ssl, 1);
3347
#endif /* WOLFSSL_DTLS13 */
3348
3349
0
        args->sz = args->headerSz + (word32)inSz;
3350
0
        args->idx  = args->headerSz;
3351
3352
    #ifdef WOLFSSL_ASYNC_CRYPT
3353
        if (asyncOkay)
3354
            ssl->async->freeArgs = FreeBuildMsg13Args;
3355
    #endif
3356
0
    }
3357
3358
0
    switch (ssl->options.buildMsgState) {
3359
0
        case BUILD_MSG_BEGIN:
3360
0
        {
3361
           /* catch mistaken sizeOnly parameter */
3362
0
            if (sizeOnly) {
3363
0
                if (output || input) {
3364
0
                    WOLFSSL_MSG("BuildTls13Message with sizeOnly "
3365
0
                                "doesn't need input or output");
3366
0
                    return BAD_FUNC_ARG;
3367
0
                }
3368
0
            }
3369
0
            else if (output == NULL || input == NULL) {
3370
0
                return BAD_FUNC_ARG;
3371
0
            }
3372
3373
            /* Record layer content type at the end of record data. */
3374
0
            args->sz++;
3375
            /* Authentication data at the end. */
3376
0
            args->sz += ssl->specs.aead_mac_size;
3377
#ifdef WOLFSSL_DTLS13
3378
            /* Pad to minimum length */
3379
            if (ssl->options.dtls &&
3380
                    args->sz < (word32)Dtls13MinimumRecordLength(ssl)) {
3381
                args->paddingSz = Dtls13MinimumRecordLength(ssl) - args->sz;
3382
                args->sz = Dtls13MinimumRecordLength(ssl);
3383
            }
3384
#endif
3385
0
            if (sizeOnly)
3386
0
                return (int)args->sz;
3387
3388
0
            if (args->sz > (word32)outSz) {
3389
0
                WOLFSSL_MSG("Oops, want to write past output buffer size");
3390
0
                return BUFFER_E;
3391
0
            }
3392
3393
            /* Record data length. */
3394
0
            args->size = (word16)(args->sz - args->headerSz);
3395
            /* Write/update the record header with the new size.
3396
             * Always have the content type as application data for encrypted
3397
             * messages in TLS v1.3.
3398
             */
3399
3400
0
            if (ssl->options.dtls) {
3401
#ifdef WOLFSSL_DTLS13
3402
                Dtls13RlAddCiphertextHeader(ssl, output, args->size);
3403
#endif /* WOLFSSL_DTLS13 */
3404
0
            }
3405
0
            else {
3406
0
                AddTls13RecordHeader(output, args->size, application_data, ssl);
3407
0
            }
3408
3409
            /* TLS v1.3 can do in place encryption. */
3410
0
            if (input != output + args->idx)
3411
0
                XMEMCPY(output + args->idx, input, (size_t)inSz);
3412
0
            args->idx += (word32)inSz;
3413
3414
0
            ssl->options.buildMsgState = BUILD_MSG_HASH;
3415
0
        }
3416
0
        FALL_THROUGH;
3417
3418
0
        case BUILD_MSG_HASH:
3419
0
        {
3420
0
            if (hashOutput) {
3421
0
                ret = HashOutput(ssl, output, (int)args->headerSz + inSz, 0);
3422
0
                if (ret != 0)
3423
0
                    goto exit_buildmsg;
3424
0
            }
3425
3426
            /* The real record content type goes at the end of the data. */
3427
0
            output[args->idx++] = (byte)type;
3428
            /* Double check that any necessary padding is zero'd out */
3429
0
            XMEMSET(output + args->idx, 0, args->paddingSz);
3430
0
            args->idx += args->paddingSz;
3431
3432
0
            ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
3433
0
        }
3434
0
        FALL_THROUGH;
3435
3436
0
        case BUILD_MSG_ENCRYPT:
3437
0
        {
3438
#ifdef WOLFSSL_QUIC
3439
            if (WOLFSSL_IS_QUIC(ssl)) {
3440
                /* QUIC does not use encryption of the TLS Record Layer.
3441
                 * Return the original length + added headers
3442
                 * and restore it in the record header. */
3443
                AddTls13RecordHeader(output, (word32)inSz, (byte)type, ssl);
3444
                ret = (int)args->headerSz + inSz;
3445
                goto exit_buildmsg;
3446
            }
3447
#endif
3448
        #ifdef ATOMIC_USER
3449
            if (ssl->ctx->MacEncryptCb) {
3450
                /* User Record Layer Callback handling */
3451
                byte* mac = output + args->idx;
3452
                output += args->headerSz;
3453
3454
                ret = ssl->ctx->MacEncryptCb(ssl, mac, output, (unsigned int)inSz, (byte)type, 0,
3455
                        output, output, args->size, ssl->MacEncryptCtx);
3456
            }
3457
            else
3458
        #endif
3459
0
            {
3460
0
                const byte* aad = output;
3461
0
                output += args->headerSz;
3462
0
                ret = EncryptTls13(ssl, output, output, args->size, aad,
3463
0
                                   (word16)args->headerSz, asyncOkay);
3464
0
                if (ret != 0) {
3465
                #ifdef WOLFSSL_ASYNC_CRYPT
3466
                    if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
3467
                #endif
3468
0
                    {
3469
                        /* Zeroize plaintext. */
3470
0
                        ForceZero(output, args->size);
3471
0
                    }
3472
0
                }
3473
#ifdef WOLFSSL_DTLS13
3474
                if (ret == 0 && ssl->options.dtls) {
3475
                    /* AAD points to the header. Reuse the variable  */
3476
                    ret = Dtls13EncryptRecordNumber(ssl, (byte*)aad,
3477
                                                    (word16)args->sz);
3478
                }
3479
#endif /* WOLFSSL_DTLS13 */
3480
0
            }
3481
0
            break;
3482
0
        }
3483
3484
0
        default:
3485
0
            break;
3486
0
    }
3487
3488
0
exit_buildmsg:
3489
3490
0
    WOLFSSL_LEAVE("BuildTls13Message", ret);
3491
3492
#ifdef WOLFSSL_ASYNC_CRYPT
3493
    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
3494
        return ret;
3495
    }
3496
#endif
3497
3498
    /* make sure build message state is reset */
3499
0
    ssl->options.buildMsgState = BUILD_MSG_BEGIN;
3500
3501
    /* return sz on success */
3502
0
    if (ret == 0) {
3503
0
        ret = (int)args->sz;
3504
0
    }
3505
0
    else {
3506
0
        WOLFSSL_ERROR_VERBOSE(ret);
3507
0
    }
3508
3509
    /* Final cleanup */
3510
#ifdef WOLFSSL_ASYNC_CRYPT
3511
    if (asyncOkay)
3512
        FreeAsyncCtx(ssl, 0);
3513
    else
3514
#endif
3515
0
        FreeBuildMsg13Args(ssl, args);
3516
3517
0
    return ret;
3518
0
}
3519
3520
#if !defined(NO_WOLFSSL_CLIENT) || (!defined(NO_WOLFSSL_SERVER) && \
3521
    (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
3522
    (defined(WOLFSSL_PSK_ONE_ID) || defined(WOLFSSL_PRIORITIZE_PSK)))
3523
/* Find the cipher suite in the suites set in the SSL.
3524
 *
3525
 * ssl    SSL/TLS object.
3526
 * suite  Cipher suite to look for.
3527
 * returns 1 when suite is found in SSL/TLS object's list and 0 otherwise.
3528
 */
3529
int FindSuiteSSL(const WOLFSSL* ssl, byte* suite)
3530
0
{
3531
0
    word16 i;
3532
0
    const Suites* suites = WOLFSSL_SUITES(ssl);
3533
3534
0
    for (i = 0; i < suites->suiteSz; i += 2) {
3535
0
        if (suites->suites[i+0] == suite[0] &&
3536
0
                suites->suites[i+1] == suite[1]) {
3537
0
            return 1;
3538
0
        }
3539
0
    }
3540
3541
0
    return 0;
3542
0
}
3543
#endif
3544
3545
#ifndef NO_PSK
3546
/* Get the MAC algorithm for the TLS 1.3 cipher suite.
3547
 *
3548
 * @param [in] suite.
3549
 * @return  A value from wc_MACAlgorithm enumeration.
3550
 */
3551
byte SuiteMac(const byte* suite)
3552
{
3553
    byte mac = no_mac;
3554
3555
    if (suite[0] == TLS13_BYTE) {
3556
        switch (suite[1]) {
3557
        #ifdef BUILD_TLS_AES_128_GCM_SHA256
3558
            case TLS_AES_128_GCM_SHA256:
3559
                mac = sha256_mac;
3560
                break;
3561
        #endif
3562
        #ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256
3563
            case TLS_CHACHA20_POLY1305_SHA256:
3564
                mac = sha256_mac;
3565
                break;
3566
        #endif
3567
        #ifdef BUILD_TLS_AES_128_CCM_SHA256
3568
            case TLS_AES_128_CCM_SHA256:
3569
                mac = sha256_mac;
3570
                break;
3571
        #endif
3572
        #ifdef BUILD_TLS_AES_128_CCM_8_SHA256
3573
            case TLS_AES_128_CCM_8_SHA256:
3574
                mac = sha256_mac;
3575
                break;
3576
        #endif
3577
        #ifdef BUILD_TLS_AES_256_GCM_SHA384
3578
            case TLS_AES_256_GCM_SHA384:
3579
                mac = sha384_mac;
3580
                break;
3581
        #endif
3582
            default:
3583
                break;
3584
        }
3585
    }
3586
#if (defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)) && \
3587
     defined(WOLFSSL_SM3)
3588
    else if (suite[0] == CIPHER_BYTE) {
3589
        switch (suite[1]) {
3590
        #ifdef BUILD_TLS_SM4_GCM_SM3
3591
            case TLS_SM4_GCM_SM3:
3592
                mac = sm3_mac;
3593
                break;
3594
        #endif
3595
        #ifdef BUILD_TLS_SM4_CCM_SM3
3596
            case TLS_SM4_CCM_SM3:
3597
                mac = sm3_mac;
3598
                break;
3599
        #endif
3600
            default:
3601
                break;
3602
        }
3603
    }
3604
#endif
3605
#ifdef HAVE_NULL_CIPHER
3606
    else if (suite[0] == ECC_BYTE) {
3607
        switch (suite[1]) {
3608
        #ifdef BUILD_TLS_SHA256_SHA256
3609
            case TLS_SHA256_SHA256:
3610
                mac = sha256_mac;
3611
                break;
3612
        #endif
3613
        #ifdef BUILD_TLS_SHA384_SHA384
3614
            case TLS_SHA384_SHA384:
3615
                mac = sha384_mac;
3616
                break;
3617
        #endif
3618
            default:
3619
                break;
3620
        }
3621
    }
3622
#endif
3623
3624
    return mac;
3625
}
3626
#endif
3627
3628
#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
3629
/* Create Cookie extension using the hash of the first ClientHello.
3630
 *
3631
 * ssl     SSL/TLS object.
3632
 * hash    The hash data.
3633
 * hashSz  The size of the hash data in bytes.
3634
 * returns 0 on success, otherwise failure.
3635
 */
3636
int CreateCookieExt(const WOLFSSL* ssl, byte* hash, word16 hashSz,
3637
                    TLSX** exts, byte cipherSuite0, byte cipherSuite)
3638
{
3639
    int  ret;
3640
    byte mac[WC_MAX_DIGEST_SIZE] = {0};
3641
    WC_DECLARE_VAR(cookieHmac, Hmac, 1, ssl->heap);
3642
    byte cookieType = 0;
3643
    byte macSz = 0;
3644
    byte cookie[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2];
3645
    TLSX* ext;
3646
    word16 cookieSz = 0;
3647
3648
    if (hash == NULL || hashSz == 0) {
3649
        return BAD_FUNC_ARG;
3650
    }
3651
3652
    if (ssl->buffers.tls13CookieSecret.buffer == NULL ||
3653
            ssl->buffers.tls13CookieSecret.length == 0) {
3654
        WOLFSSL_MSG("Missing DTLS 1.3 cookie secret");
3655
        return COOKIE_ERROR;
3656
    }
3657
3658
    /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */
3659
    cookie[cookieSz++] = (byte)hashSz;
3660
    XMEMCPY(cookie + cookieSz, hash, hashSz);
3661
    cookieSz += hashSz;
3662
    cookie[cookieSz++] = cipherSuite0;
3663
    cookie[cookieSz++] = cipherSuite;
3664
    if ((ext = TLSX_Find(*exts, TLSX_KEY_SHARE)) != NULL) {
3665
        KeyShareEntry* kse = (KeyShareEntry*)ext->data;
3666
        if (kse == NULL) {
3667
            WOLFSSL_MSG("KeyShareEntry can't be empty when negotiating "
3668
                        "parameters");
3669
            return BAD_STATE_E;
3670
        }
3671
        c16toa(kse->group, cookie + cookieSz);
3672
        cookieSz += OPAQUE16_LEN;
3673
    }
3674
3675
#ifndef NO_SHA256
3676
    cookieType = WC_SHA256;
3677
    macSz = WC_SHA256_DIGEST_SIZE;
3678
#elif defined(WOLFSSL_SHA384)
3679
    cookieType = WC_SHA384;
3680
    macSz = WC_SHA384_DIGEST_SIZE;
3681
#elif defined(WOLFSSL_TLS13_SHA512)
3682
    cookieType = WC_SHA512;
3683
    macSz = WC_SHA512_DIGEST_SIZE;
3684
#elif defined(WOLFSSL_SM3)
3685
    cookieType = WC_SM3;
3686
    macSz = WC_SM3_DIGEST_SIZE;
3687
#else
3688
    #error "No digest to available to use with HMAC for cookies."
3689
#endif /* NO_SHA */
3690
3691
    WC_ALLOC_VAR_EX(cookieHmac, Hmac, 1, ssl->heap, DYNAMIC_TYPE_HMAC,
3692
                    return MEMORY_E);
3693
3694
    ret = wc_HmacInit(cookieHmac, ssl->heap, ssl->devId);
3695
    if (ret == 0) {
3696
        ret = wc_HmacSetKey(cookieHmac, cookieType,
3697
                            ssl->buffers.tls13CookieSecret.buffer,
3698
                            ssl->buffers.tls13CookieSecret.length);
3699
    }
3700
    if (ret == 0)
3701
        ret = wc_HmacUpdate(cookieHmac, cookie, cookieSz);
3702
#ifdef WOLFSSL_DTLS13
3703
    /* Tie cookie to peer address */
3704
    if (ret == 0) {
3705
        /* peerLock not necessary. Still in handshake phase. */
3706
        if (ssl->options.dtls && ssl->buffers.dtlsCtx.peer.sz > 0) {
3707
            ret = wc_HmacUpdate(cookieHmac,
3708
                (byte*)ssl->buffers.dtlsCtx.peer.sa,
3709
                ssl->buffers.dtlsCtx.peer.sz);
3710
        }
3711
    }
3712
#endif
3713
    if (ret == 0)
3714
        ret = wc_HmacFinal(cookieHmac, mac);
3715
3716
    wc_HmacFree(cookieHmac);
3717
    WC_FREE_VAR_EX(cookieHmac, ssl->heap, DYNAMIC_TYPE_HMAC);
3718
    if (ret != 0)
3719
        return ret;
3720
3721
    /* The cookie data is the hash and the integrity check. */
3722
    return TLSX_Cookie_Use(ssl, cookie, cookieSz, mac, macSz, 1, exts);
3723
}
3724
#endif
3725
3726
#ifdef WOLFSSL_DTLS13
3727
#define HRR_MAX_HS_HEADER_SZ DTLS_HANDSHAKE_HEADER_SZ
3728
#else
3729
#define HRR_MAX_HS_HEADER_SZ HANDSHAKE_HEADER_SZ
3730
#endif /* WOLFSSL_DTLS13 */
3731
3732
static int CreateCookie(const WOLFSSL* ssl, byte** hash, byte* hashSz,
3733
                            Hashes* hashes, TLSX** exts)
3734
0
{
3735
0
    int    ret = 0;
3736
3737
0
    (void)exts;
3738
3739
0
    *hash = NULL;
3740
0
    switch (ssl->specs.mac_algorithm) {
3741
0
    #ifndef NO_SHA256
3742
0
        case sha256_mac:
3743
0
            *hash = hashes->sha256;
3744
0
            break;
3745
0
    #endif
3746
0
    #ifdef WOLFSSL_SHA384
3747
0
        case sha384_mac:
3748
0
            *hash = hashes->sha384;
3749
0
            break;
3750
0
    #endif
3751
    #ifdef WOLFSSL_TLS13_SHA512
3752
        case sha512_mac:
3753
            *hash = hashes->sha512;
3754
            break;
3755
    #endif
3756
    #ifdef WOLFSSL_SM3
3757
        case sm3_mac:
3758
            *hash = hashes->sm3;
3759
            break;
3760
    #endif
3761
0
    }
3762
0
    *hashSz = ssl->specs.hash_size;
3763
3764
    /* check hash */
3765
0
    if (*hash == NULL && *hashSz > 0)
3766
0
        return BAD_FUNC_ARG;
3767
3768
#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
3769
    if (ssl->options.sendCookie && ssl->options.side == WOLFSSL_SERVER_END)
3770
        ret = CreateCookieExt(ssl, *hash, *hashSz, exts,
3771
                ssl->options.cipherSuite0, ssl->options.cipherSuite);
3772
#endif
3773
0
    return ret;
3774
0
}
3775
3776
/* Restart the handshake hash with a hash of the previous messages.
3777
 *
3778
 * ssl The SSL/TLS object.
3779
 * returns 0 on success, otherwise failure.
3780
 */
3781
int RestartHandshakeHash(WOLFSSL* ssl)
3782
0
{
3783
0
    int    ret;
3784
0
    byte   header[HANDSHAKE_HEADER_SZ] = {0};
3785
0
    Hashes hashes;
3786
0
    byte*  hash = NULL;
3787
0
    byte   hashSz = 0;
3788
3789
0
    ret = BuildCertHashes(ssl, &hashes);
3790
0
    if (ret != 0)
3791
0
        return ret;
3792
0
    ret = CreateCookie(ssl, &hash, &hashSz, &hashes, &ssl->extensions);
3793
0
    if (ret != 0)
3794
0
        return ret;
3795
#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
3796
    if (ssl->options.sendCookie && ssl->options.side == WOLFSSL_SERVER_END)
3797
        return 0;
3798
#endif
3799
3800
0
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
3801
3802
#ifdef WOLFSSL_DEBUG_TLS
3803
    WOLFSSL_MSG("Restart Hash");
3804
    WOLFSSL_BUFFER(hash, hashSz);
3805
#endif
3806
3807
0
    ret = InitHandshakeHashes(ssl);
3808
0
    if (ret != 0)
3809
0
        return ret;
3810
0
    ret = HashRaw(ssl, header, sizeof(header));
3811
0
    if (ret != 0)
3812
0
        return ret;
3813
0
    return HashRaw(ssl, hash, hashSz);
3814
0
}
3815
3816
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
3817
/* The value in the random field of a ServerHello to indicate
3818
 * HelloRetryRequest.
3819
 */
3820
static byte helloRetryRequestRandom[] = {
3821
    0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
3822
    0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
3823
    0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
3824
    0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
3825
};
3826
#endif
3827
3828
#ifdef HAVE_ECH
3829
/* returns the index of the first supported cipher suite, -1 if none */
3830
int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config)
3831
{
3832
    int i = 0;
3833
3834
    if (!wc_HpkeKemIsSupported(config->kemId)) {
3835
        WOLFSSL_MSG("ECH config: KEM not supported");
3836
        return WOLFSSL_FATAL_ERROR;
3837
    }
3838
3839
    for (i = 0; i < config->numCipherSuites; i++) {
3840
        if (wc_HpkeKdfIsSupported(config->cipherSuites[i].kdfId) &&
3841
                wc_HpkeAeadIsSupported(config->cipherSuites[i].aeadId)) {
3842
            return i;
3843
        }
3844
    }
3845
3846
    WOLFSSL_MSG("ECH config: KDF or AEAD not supported");
3847
    return WOLFSSL_FATAL_ERROR;
3848
}
3849
3850
/* Hash the inner client hello, initializing the hsHashesEch field if needed.
3851
 * This should receive the client hello without outer_extensions 'encoding'
3852
 *
3853
 * ssl      SSL/TLS object.
3854
 * ech      ECH object.
3855
 * returns 0 on success and otherwise failure.
3856
 */
3857
static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech)
3858
{
3859
    int ret = 0;
3860
    int headerSz;
3861
    word32 realSz;
3862
    HS_Hashes* tmpHashes;
3863
#ifndef NO_WOLFSSL_CLIENT
3864
    byte falseHeader[HRR_MAX_HS_HEADER_SZ];
3865
#endif
3866
3867
    if (ssl == NULL || ech == NULL) {
3868
        return BAD_FUNC_ARG;
3869
    }
3870
3871
#ifdef WOLFSSL_DTLS13
3872
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
3873
                                   HANDSHAKE_HEADER_SZ;
3874
#else
3875
    headerSz = HANDSHAKE_HEADER_SZ;
3876
#endif
3877
3878
    realSz = ech->innerClientHelloLen;
3879
3880
    tmpHashes = ssl->hsHashes;
3881
3882
    ssl->hsHashes = ssl->hsHashesEch;
3883
    if (ssl->hsHashes == NULL) {
3884
        ret = InitHandshakeHashes(ssl);
3885
        if (ret == 0) {
3886
            ssl->hsHashesEch = ssl->hsHashes;
3887
        }
3888
    }
3889
3890
    if (ret == 0) {
3891
#ifndef NO_WOLFSSL_CLIENT
3892
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
3893
            /* client-side: innerClientHello contains body only */
3894
            AddTls13HandShakeHeader(falseHeader, realSz, 0, 0, client_hello,
3895
                                    ssl);
3896
            ret = HashRaw(ssl, falseHeader, headerSz);
3897
            if (ret == 0) {
3898
                ret = HashRaw(ssl, ech->innerClientHello, realSz);
3899
            }
3900
        }
3901
#endif
3902
#ifndef NO_WOLFSSL_SERVER
3903
        if (ssl->options.side == WOLFSSL_SERVER_END) {
3904
            /* server-side: innerClientHello contains header + body */
3905
            ret = HashRaw(ssl, ech->innerClientHello, headerSz + realSz);
3906
        }
3907
#endif
3908
    }
3909
3910
    ssl->hsHashes = tmpHashes;
3911
    return ret;
3912
}
3913
3914
/* Calculate the 8 ECH confirmation bytes.
3915
 *
3916
 * ssl            SSL/TLS object.
3917
 * label          Ascii string describing ECH acceptance or rejection.
3918
 * labelSz        Length of label excluding NULL character.
3919
 * input          The buffer to calculate confirmation off of.
3920
 * acceptOffset   Where the 8 ECH confirmation bytes start.
3921
 * helloSz        Size of hello message.
3922
 * isHrr          Whether message is a HelloRetryRequest or not.
3923
 * acceptExpanded An 8 byte array to store calculated confirmation to.
3924
 * returns 0 on success and otherwise failure.
3925
 */
3926
static int EchCalcAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
3927
    const byte* input, int acceptOffset, int helloSz, byte isHrr,
3928
    byte* acceptExpanded)
3929
{
3930
    int ret = 0;
3931
    int digestType = 0;
3932
    int digestSize = 0;
3933
    int hashSz = 0;
3934
    int headerSz;
3935
    HS_Hashes* tmpHashes;
3936
    HS_Hashes* acceptHash = NULL;
3937
    byte zeros[WC_MAX_DIGEST_SIZE];
3938
    byte transcriptEchConf[WC_MAX_DIGEST_SIZE];
3939
    byte clientHelloInnerHash[WC_MAX_DIGEST_SIZE];
3940
    byte expandLabelPrk[WC_MAX_DIGEST_SIZE];
3941
    byte messageHashHeader[HRR_MAX_HS_HEADER_SZ];
3942
3943
    XMEMSET(zeros, 0, sizeof(zeros));
3944
    XMEMSET(transcriptEchConf, 0, sizeof(transcriptEchConf));
3945
    XMEMSET(clientHelloInnerHash, 0, sizeof(clientHelloInnerHash));
3946
    XMEMSET(expandLabelPrk, 0, sizeof(expandLabelPrk));
3947
3948
#ifdef WOLFSSL_CHECK_MEM_ZERO
3949
    wc_MemZero_Add("ECH PRK", expandLabelPrk, sizeof(expandLabelPrk));
3950
#endif
3951
3952
    tmpHashes = ssl->hsHashes;
3953
    ssl->hsHashes = ssl->hsHashesEch;
3954
3955
#ifdef WOLFSSL_DTLS13
3956
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
3957
                                   HANDSHAKE_HEADER_SZ;
3958
#else
3959
    headerSz = HANDSHAKE_HEADER_SZ;
3960
#endif
3961
3962
    if (isHrr) {
3963
        /* the transcript hash of ClientHelloInner1 */
3964
        ret = GetMsgHash(ssl, clientHelloInnerHash);
3965
        if (ret > 0) {
3966
            hashSz = ret;
3967
            ret = 0;
3968
        }
3969
        else if (ret == 0) {
3970
            ret = HASH_TYPE_E;
3971
        }
3972
3973
        /* restart ECH transcript hash, similar to RestartHandshakeHash but
3974
         * don't add a cookie */
3975
        if (ret == 0) {
3976
            ret = InitHandshakeHashes(ssl);
3977
            ssl->hsHashesEch = ssl->hsHashes;
3978
        }
3979
        if (ret == 0) {
3980
            AddTls13HandShakeHeader(messageHashHeader, (word32)hashSz, 0, 0,
3981
                message_hash, ssl);
3982
            ret = HashRaw(ssl, messageHashHeader, headerSz);
3983
        }
3984
        if (ret == 0) {
3985
            ret = HashRaw(ssl, clientHelloInnerHash, (word32)hashSz);
3986
        }
3987
    }
3988
3989
    /* hash with zeros for confirmation computation */
3990
    if (ret == 0) {
3991
        ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashesEch, &acceptHash);
3992
    }
3993
    if (ret == 0) {
3994
        ssl->hsHashes = acceptHash;
3995
        ret = HashRaw(ssl, input, acceptOffset);
3996
    }
3997
    if (ret == 0) {
3998
        ret = HashRaw(ssl, zeros, ECH_ACCEPT_CONFIRMATION_SZ);
3999
    }
4000
    if (ret == 0) {
4001
        ret = HashRaw(ssl, input + acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ,
4002
            helloSz + headerSz - (acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ));
4003
    }
4004
4005
    /* get the modified transcript hash */
4006
    if (ret == 0) {
4007
        ret = GetMsgHash(ssl, transcriptEchConf);
4008
        if (ret > 0) {
4009
            ret = 0;
4010
        }
4011
        else if (ret == 0) {
4012
            ret = HASH_TYPE_E;
4013
        }
4014
    }
4015
4016
    /* pick the right type and size based on mac_algorithm */
4017
    if (ret == 0) {
4018
        switch (ssl->specs.mac_algorithm) {
4019
#ifndef NO_SHA256
4020
            case sha256_mac:
4021
                digestType = WC_SHA256;
4022
                digestSize = WC_SHA256_DIGEST_SIZE;
4023
                break;
4024
#endif /* !NO_SHA256 */
4025
#ifdef WOLFSSL_SHA384
4026
            case sha384_mac:
4027
                digestType = WC_SHA384;
4028
                digestSize = WC_SHA384_DIGEST_SIZE;
4029
                break;
4030
#endif /* WOLFSSL_SHA384 */
4031
#ifdef WOLFSSL_TLS13_SHA512
4032
            case sha512_mac:
4033
                digestType = WC_SHA512;
4034
                digestSize = WC_SHA512_DIGEST_SIZE;
4035
                break;
4036
#endif /* WOLFSSL_TLS13_SHA512 */
4037
#ifdef WOLFSSL_SM3
4038
            case sm3_mac:
4039
                digestType = WC_SM3;
4040
                digestSize = WC_SM3_DIGEST_SIZE;
4041
                break;
4042
#endif /* WOLFSSL_SM3 */
4043
            default:
4044
                ret = WOLFSSL_FATAL_ERROR;
4045
                break;
4046
        }
4047
    }
4048
4049
    /* extract clientRandomInner with a key of all zeros */
4050
    if (ret == 0) {
4051
        PRIVATE_KEY_UNLOCK();
4052
    #if !defined(HAVE_FIPS) || \
4053
        (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))
4054
        ret = wc_HKDF_Extract_ex(digestType, zeros, (word32)digestSize,
4055
            ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk,
4056
            ssl->heap, ssl->devId);
4057
    #else
4058
        ret = wc_HKDF_Extract(digestType, zeros, digestSize,
4059
            ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk);
4060
    #endif
4061
        PRIVATE_KEY_LOCK();
4062
    }
4063
4064
    /* tls expand with the confirmation label */
4065
    if (ret == 0) {
4066
        PRIVATE_KEY_UNLOCK();
4067
#ifdef WOLFSSL_DTLS13
4068
        if (ssl->options.dtls) {
4069
            ret = Tls13HKDFExpandKeyLabel(ssl, acceptExpanded,
4070
                ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize,
4071
                dtls13ProtocolLabel, DTLS13_PROTOCOL_LABEL_SZ, label, labelSz,
4072
                transcriptEchConf, (word32)digestSize, digestType,
4073
                WOLFSSL_SERVER_END);
4074
        }
4075
        else
4076
#endif
4077
        {
4078
            ret = Tls13HKDFExpandKeyLabel(ssl, acceptExpanded,
4079
                ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize,
4080
                tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ, label, labelSz,
4081
                transcriptEchConf, (word32)digestSize, digestType,
4082
                WOLFSSL_SERVER_END);
4083
        }
4084
        PRIVATE_KEY_LOCK();
4085
    }
4086
4087
    if (acceptHash != NULL) {
4088
        ssl->hsHashes = acceptHash;
4089
        FreeHandshakeHashes(ssl);
4090
    }
4091
4092
    ssl->hsHashes = tmpHashes;
4093
    ForceZero(expandLabelPrk, sizeof(expandLabelPrk));
4094
#ifdef WOLFSSL_CHECK_MEM_ZERO
4095
    wc_MemZero_Check(expandLabelPrk, sizeof(expandLabelPrk));
4096
#endif
4097
    return ret;
4098
}
4099
#endif
4100
4101
#ifndef NO_WOLFSSL_CLIENT
4102
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
4103
#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_PSK_ONE_ID) && \
4104
    !defined(NO_PSK)
4105
/**
4106
* convert mac algorithm to WOLFSSL_EVP_MD
4107
* @param mac_alg mac algorithm
4108
* @return const WOLFSSL_EVP_MD on successful, otherwise NULL
4109
*/
4110
static const WOLFSSL_EVP_MD* ssl_handshake_md(const byte mac_alg)
4111
{
4112
    switch(mac_alg) {
4113
        case no_mac:
4114
            return NULL;
4115
    #ifndef NO_MD5
4116
        case md5_mac:
4117
            return wolfSSL_EVP_md5();
4118
    #endif
4119
    #ifndef NO_SHA
4120
        case sha_mac:
4121
            return wolfSSL_EVP_sha1();
4122
    #endif
4123
    #ifdef WOLFSSL_SHA224
4124
        case sha224_mac:
4125
            return wolfSSL_EVP_sha224();
4126
    #endif
4127
        case sha256_mac:
4128
            return wolfSSL_EVP_sha256();
4129
    #ifdef WOLFSSL_SHA384
4130
        case sha384_mac:
4131
            return wolfSSL_EVP_sha384();
4132
    #endif
4133
    #ifdef WOLFSSL_SHA512
4134
        case sha512_mac:
4135
            return wolfSSL_EVP_sha512();
4136
    #endif
4137
        case rmd_mac:
4138
        case blake2b_mac:
4139
            WOLFSSL_MSG("no suitable EVP_MD");
4140
            return NULL;
4141
        default:
4142
            WOLFSSL_MSG("Unknown mac algorithm");
4143
            return NULL;
4144
    }
4145
}
4146
#endif
4147
/* Setup pre-shared key based on the details in the extension data.
4148
 *
4149
 * ssl          SSL/TLS object.
4150
 * psk          Pre-shared key extension data.
4151
 * clientHello  Whether called from client_hello construction.
4152
 * returns 0 on success, PSK_KEY_ERROR when the client PSK callback fails and
4153
 * other negative value on failure.
4154
 */
4155
static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk, int clientHello)
4156
{
4157
#if defined(HAVE_SESSION_TICKET) || !defined(WOLFSSL_PSK_ONE_ID)
4158
    int ret;
4159
#endif
4160
    byte suite[2];
4161
4162
    if (psk == NULL)
4163
        return BAD_FUNC_ARG;
4164
4165
    if (!HaveUniqueSessionObj(ssl)) {
4166
        WOLFSSL_MSG("Unable to have unique session object");
4167
        WOLFSSL_ERROR_VERBOSE(MEMORY_ERROR);
4168
        return MEMORY_ERROR;
4169
    }
4170
4171
    suite[0] = ssl->options.cipherSuite0;
4172
    suite[1] = ssl->options.cipherSuite;
4173
4174
#ifdef HAVE_SESSION_TICKET
4175
    if (psk->resumption) {
4176
        if (clientHello) {
4177
            suite[0] = psk->cipherSuite0;
4178
            suite[1] = psk->cipherSuite;
4179
4180
            /* Ensure cipher suite is supported or changed suite to one with
4181
             * the same MAC algorithm. */
4182
            if (!FindSuiteSSL(ssl, suite)) {
4183
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
4184
                return PSK_KEY_ERROR;
4185
            }
4186
4187
            ssl->options.cipherSuite0 = suite[0];
4188
            ssl->options.cipherSuite = suite[1];
4189
4190
            /* Setting mac for binder and keys for deriving EarlyData. */
4191
            ret = SetCipherSpecs(ssl);
4192
            if (ret != 0)
4193
                return ret;
4194
        }
4195
4196
    #ifdef WOLFSSL_EARLY_DATA
4197
        if (ssl->session->maxEarlyDataSz == 0)
4198
            ssl->earlyData = no_early_data;
4199
    #endif
4200
        /* Resumption PSK is master secret. */
4201
        ssl->arrays->psk_keySz = ssl->specs.hash_size;
4202
        if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
4203
                   ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
4204
            return ret;
4205
        }
4206
        if (!clientHello) {
4207
            /* CLIENT: using secret in ticket for peer authentication. */
4208
            ssl->options.peerAuthGood = 1;
4209
        }
4210
    }
4211
#endif
4212
#ifndef NO_PSK
4213
    if (!psk->resumption) {
4214
        /* Get the pre-shared key. */
4215
#ifndef WOLFSSL_PSK_ONE_ID
4216
        const char* cipherName = NULL;
4217
    #ifdef OPENSSL_EXTRA
4218
        WOLFSSL_SESSION* psksession = NULL;
4219
    #endif
4220
4221
        /* Set the client identity to use. */
4222
        if (psk->identityLen > MAX_PSK_ID_LEN)
4223
            return PSK_KEY_ERROR;
4224
        XMEMSET(ssl->arrays->client_identity, 0,
4225
            sizeof(ssl->arrays->client_identity));
4226
        XMEMCPY(ssl->arrays->client_identity, psk->identity, psk->identityLen);
4227
4228
    #ifdef WOLFSSL_DEBUG_TLS
4229
        WOLFSSL_MSG("PSK cipher suite:");
4230
        WOLFSSL_MSG(GetCipherNameInternal(psk->cipherSuite0, psk->cipherSuite));
4231
    #endif
4232
4233
        /* Get the pre-shared key. */
4234
    #ifdef OPENSSL_EXTRA
4235
        if (ssl->options.session_psk_cb != NULL) {
4236
            const unsigned char* id = NULL;
4237
            size_t idlen = 0;
4238
            const WOLFSSL_EVP_MD* handshake_md = NULL;
4239
4240
            if (ssl->msgsReceived.got_hello_retry_request >= 1) {
4241
                handshake_md = ssl_handshake_md(ssl->specs.mac_algorithm);
4242
            }
4243
            /* OpenSSL compatible callback that gets cached session. */
4244
            if (ssl->options.session_psk_cb(ssl, handshake_md, &id, &idlen,
4245
                                                            &psksession) == 0) {
4246
                wolfSSL_FreeSession(ssl->ctx, psksession);
4247
                WOLFSSL_MSG("psk session callback failed");
4248
                return PSK_KEY_ERROR;
4249
            }
4250
            if (psksession != NULL) {
4251
                if (idlen > MAX_PSK_KEY_LEN) {
4252
                    wolfSSL_FreeSession(ssl->ctx, psksession);
4253
                    WOLFSSL_MSG("psk key length is too long");
4254
                    WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
4255
                    return PSK_KEY_ERROR;
4256
                }
4257
4258
                ssl->arrays->psk_keySz = (word32)idlen;
4259
                XMEMCPY(ssl->arrays->psk_key, id, idlen);
4260
                suite[0] = psksession->cipherSuite0;
4261
                suite[1] = psksession->cipherSuite;
4262
                /* Not needed anymore. */
4263
                wolfSSL_FreeSession(ssl->ctx, psksession);
4264
                /* Leave pointer not NULL to indicate success with callback. */
4265
            }
4266
        }
4267
        if (psksession != NULL) {
4268
            /* Don't try other callbacks - we have an answer. */
4269
        }
4270
        else
4271
    #endif /* OPENSSL_EXTRA */
4272
        if (ssl->options.client_psk_cs_cb != NULL) {
4273
        #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
4274
            ssl->arrays->client_identity[0] = 0;
4275
        #endif
4276
            /* Lookup key again for next identity. */
4277
            ssl->arrays->psk_keySz = ssl->options.client_psk_cs_cb(
4278
                ssl, ssl->arrays->server_hint,
4279
                ssl->arrays->client_identity, MAX_PSK_ID_LEN,
4280
                ssl->arrays->psk_key, MAX_PSK_KEY_LEN,
4281
                GetCipherNameInternal(psk->cipherSuite0, psk->cipherSuite));
4282
            if (clientHello) {
4283
                /* Use PSK cipher suite. */
4284
                ssl->options.cipherSuite0 = psk->cipherSuite0;
4285
                ssl->options.cipherSuite  = psk->cipherSuite;
4286
            }
4287
            else {
4288
                byte pskCS[2];
4289
                pskCS[0] = psk->cipherSuite0;
4290
                pskCS[1] = psk->cipherSuite;
4291
4292
                /* Ensure PSK and negotiated cipher suites have same hash. */
4293
                if (SuiteMac(pskCS) != SuiteMac(suite)) {
4294
                    WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
4295
                    return PSK_KEY_ERROR;
4296
                }
4297
                /* Negotiated cipher suite is to be used - update PSK. */
4298
                psk->cipherSuite0 = suite[0];
4299
                psk->cipherSuite  = suite[1];
4300
            }
4301
        }
4302
        else if (ssl->options.client_psk_tls13_cb != NULL) {
4303
            byte cipherSuite0;
4304
            byte cipherSuite;
4305
            int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE;
4306
4307
            ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb(ssl,
4308
                    ssl->arrays->server_hint, ssl->arrays->client_identity,
4309
                    MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN,
4310
                    &cipherName);
4311
            if (GetCipherSuiteFromName(cipherName, &cipherSuite0,
4312
                            &cipherSuite, NULL, NULL, &cipherSuiteFlags) != 0) {
4313
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
4314
                return PSK_KEY_ERROR;
4315
            }
4316
            ssl->options.cipherSuite0 = cipherSuite0;
4317
            ssl->options.cipherSuite  = cipherSuite;
4318
            (void)cipherSuiteFlags;
4319
        }
4320
        else {
4321
            ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
4322
                    ssl->arrays->server_hint, ssl->arrays->client_identity,
4323
                    MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
4324
            ssl->options.cipherSuite0 = TLS13_BYTE;
4325
            ssl->options.cipherSuite  = WOLFSSL_DEF_PSK_CIPHER;
4326
        }
4327
        if (ssl->arrays->psk_keySz == 0 ||
4328
                (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN &&
4329
            (int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) {
4330
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
4331
            return PSK_KEY_ERROR;
4332
        }
4333
4334
        ret = SetCipherSpecs(ssl);
4335
        if (ret != 0)
4336
            return ret;
4337
#else
4338
        /* PSK information loaded during setting of default TLS extensions. */
4339
#endif /* !WOLFSSL_PSK_ONE_ID */
4340
4341
        if (!clientHello && (psk->cipherSuite0 != suite[0] ||
4342
                             psk->cipherSuite  != suite[1])) {
4343
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
4344
            return PSK_KEY_ERROR;
4345
        }
4346
4347
        if (!clientHello) {
4348
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
4349
            if (ssl->options.certWithExternPsk) {
4350
                /* Certificate authentication is still required. */
4351
                ssl->options.peerAuthGood = 0;
4352
            }
4353
            else
4354
#endif
4355
            {
4356
                /* CLIENT: using PSK for peer authentication. */
4357
                ssl->options.peerAuthGood = 1;
4358
            }
4359
        }
4360
    }
4361
#endif
4362
4363
#ifdef HAVE_SUPPORTED_CURVES
4364
    if (!clientHello) {
4365
        TLSX* ext;
4366
        word32 modes;
4367
        KeyShareEntry* kse = NULL;
4368
4369
        /* Get the PSK key exchange modes the client wants to negotiate. */
4370
        ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
4371
        if (ext == NULL) {
4372
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
4373
            return PSK_KEY_ERROR;
4374
        }
4375
        modes = ext->val;
4376
4377
        ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
4378
        if (ext != NULL) {
4379
            kse = (KeyShareEntry*)ext->data;
4380
        }
4381
        /* Use (EC)DHE for forward-security if possible. */
4382
        if (((modes & (1 << PSK_DHE_KE)) != 0) && (!ssl->options.noPskDheKe) &&
4383
                                                (kse != NULL) && kse->derived) {
4384
            if ((kse->session != 0) && (kse->session != kse->group)) {
4385
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
4386
                return PSK_KEY_ERROR;
4387
            }
4388
        }
4389
        else if (ssl->options.onlyPskDheKe ||
4390
                 (ssl->options.failNoPSK && !psk->resumption)) {
4391
            /* A mandatory external PSK (failNoPSK) must be combined with
4392
             * (EC)DHE for forward secrecy, so reject a pure psk_ke
4393
             * negotiation. Session-ticket resumption is exempt. */
4394
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
4395
            return PSK_KEY_ERROR;
4396
        }
4397
        else if (ssl->options.noPskDheKe) {
4398
            ssl->arrays->preMasterSz = 0;
4399
        }
4400
    }
4401
    else
4402
#endif
4403
    if (ssl->options.noPskDheKe) {
4404
        ssl->arrays->preMasterSz = 0;
4405
    }
4406
4407
    /* Derive the early secret using the PSK. */
4408
    return DeriveEarlySecret(ssl);
4409
}
4410
4411
/* Derive and write the binders into the ClientHello in space left when
4412
 * writing the Pre-Shared Key extension.
4413
 *
4414
 * ssl     The SSL/TLS object.
4415
 * output  The buffer containing the ClientHello.
4416
 * idx     The index at the end of the completed ClientHello.
4417
 * returns 0 on success and otherwise failure.
4418
 */
4419
static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
4420
{
4421
    int           ret;
4422
    TLSX*         ext;
4423
    PreSharedKey* current;
4424
    byte          binderKey[WC_MAX_DIGEST_SIZE];
4425
    word16        len;
4426
4427
    WOLFSSL_ENTER("WritePSKBinders");
4428
4429
    if (idx > WOLFSSL_MAX_16BIT) {
4430
        return INPUT_SIZE_E;
4431
    }
4432
4433
    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
4434
    if (ext == NULL)
4435
        return SANITY_MSG_E;
4436
4437
    /* Get the size of the binders to determine where to write binders. */
4438
    ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
4439
                                                            client_hello, &len);
4440
    if (ret < 0)
4441
        return ret;
4442
    idx -= len;
4443
4444
    /* Hash truncated ClientHello - up to binders. */
4445
#ifdef WOLFSSL_DTLS13
4446
    if (ssl->options.dtls)
4447
        ret = Dtls13HashHandshake(ssl, output + Dtls13GetRlHeaderLength(ssl, 0),
4448
                                 (word16)idx - Dtls13GetRlHeaderLength(ssl, 0));
4449
    else
4450
#endif /* WOLFSSL_DTLS13 */
4451
        ret = HashOutput(ssl, output, (int)idx, 0);
4452
4453
    if (ret != 0)
4454
        return ret;
4455
4456
    current = (PreSharedKey*)ext->data;
4457
#ifdef WOLFSSL_CHECK_MEM_ZERO
4458
    if (current != NULL) {
4459
        wc_MemZero_Add("WritePSKBinders binderKey", binderKey,
4460
            sizeof(binderKey));
4461
    }
4462
#endif
4463
    /* Calculate the binder for each identity based on previous handshake data.
4464
     */
4465
    while (current != NULL) {
4466
        if ((ret = SetupPskKey(ssl, current, 1)) != 0)
4467
            break;
4468
4469
    #ifdef HAVE_SESSION_TICKET
4470
        if (current->resumption)
4471
            ret = DeriveBinderKeyResume(ssl, binderKey);
4472
    #endif
4473
    #ifndef NO_PSK
4474
        if (!current->resumption)
4475
            ret = DeriveBinderKey(ssl, binderKey);
4476
    #endif
4477
        if (ret != 0)
4478
            break;
4479
4480
        /* Derive the Finished message secret. */
4481
        ret = DeriveFinishedSecret(ssl, binderKey,
4482
                                   ssl->keys.client_write_MAC_secret,
4483
                                   0 /* neither end */);
4484
        if (ret != 0)
4485
            break;
4486
4487
        /* Build the HMAC of the handshake message data = binder. */
4488
        ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret,
4489
            current->binder, &current->binderLen);
4490
        if (ret != 0)
4491
            break;
4492
4493
        current = current->next;
4494
    }
4495
4496
    ForceZero(binderKey, sizeof(binderKey));
4497
#ifdef WOLFSSL_CHECK_MEM_ZERO
4498
    wc_MemZero_Check(binderKey, sizeof(binderKey));
4499
#endif
4500
    if (ret != 0)
4501
        return ret;
4502
4503
    /* Data entered into extension, now write to message. */
4504
    ret = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx,
4505
                                                            client_hello, &len);
4506
    if (ret < 0)
4507
        return ret;
4508
4509
    /* Hash binders to complete the hash of the ClientHello. */
4510
    ret = HashRaw(ssl, output + idx, len);
4511
    if (ret < 0)
4512
        return ret;
4513
4514
    #ifdef WOLFSSL_EARLY_DATA
4515
    if (ssl->earlyData != no_early_data) {
4516
        if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data, 1)) != 0)
4517
            return ret;
4518
4519
        /* Derive early data encryption key. */
4520
        ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1);
4521
        if (ret != 0)
4522
            return ret;
4523
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
4524
            return ret;
4525
4526
    }
4527
    #endif
4528
4529
    WOLFSSL_LEAVE("WritePSKBinders", ret);
4530
4531
    return ret;
4532
}
4533
#endif
4534
4535
static void GetTls13SessionId(WOLFSSL* ssl, byte* output, word32* idx)
4536
0
{
4537
0
    if (ssl->session->sessionIDSz > 0) {
4538
        /* Session resumption for old versions of protocol. */
4539
0
        if (ssl->session->sessionIDSz <= ID_LEN) {
4540
0
            if (output != NULL)
4541
0
                output[*idx] = ssl->session->sessionIDSz;
4542
0
            (*idx)++;
4543
0
            if (output != NULL) {
4544
0
                XMEMCPY(output + *idx, ssl->session->sessionID,
4545
0
                    ssl->session->sessionIDSz);
4546
0
            }
4547
0
            *idx += ssl->session->sessionIDSz;
4548
0
        }
4549
0
        else {
4550
            /* Invalid session ID length. Reset it. */
4551
0
            ssl->session->sessionIDSz = 0;
4552
0
            if (output != NULL)
4553
0
                output[*idx] = 0;
4554
0
            (*idx)++;
4555
0
        }
4556
0
    }
4557
0
    else {
4558
    #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
4559
        if (ssl->options.tls13MiddleBoxCompat) {
4560
            if (output != NULL)
4561
                output[*idx] = ID_LEN;
4562
            (*idx)++;
4563
            if (output != NULL)
4564
                XMEMCPY(output + *idx, ssl->arrays->clientRandom, ID_LEN);
4565
            *idx += ID_LEN;
4566
        }
4567
        else
4568
    #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
4569
0
        {
4570
            /* TLS v1.3 does not use session id - 0 length. */
4571
0
            if (output != NULL)
4572
0
                output[*idx] = 0;
4573
0
            (*idx)++;
4574
0
        }
4575
0
    }
4576
0
}
4577
4578
/* handle generation of TLS 1.3 client_hello (1) */
4579
/* Send a ClientHello message to the server.
4580
 * Include the information required to start a handshake with servers using
4581
 * protocol versions less than TLS v1.3.
4582
 * Only a client will send this message.
4583
 *
4584
 * ssl  The SSL/TLS object.
4585
 * returns 0 on success and otherwise failure.
4586
 */
4587
4588
typedef struct Sch13Args {
4589
    byte*  output;
4590
    word32 idx;
4591
    int    sendSz;
4592
    word32 length;
4593
#if defined(HAVE_ECH)
4594
    int clientRandomOffset;
4595
    word32 preXLength;
4596
    word32 expandedInnerLen;
4597
    WOLFSSL_ECH* ech;
4598
#endif
4599
} Sch13Args;
4600
4601
#ifdef WOLFSSL_EARLY_DATA
4602
/* Check if early data can potentially be sent.
4603
 * Returns 1 if early data is possible, 0 otherwise.
4604
 */
4605
static int EarlyDataPossible(WOLFSSL* ssl)
4606
{
4607
    /* Need session resumption OR PSK callback configured */
4608
    if (ssl->options.resuming) {
4609
        return 1;
4610
    }
4611
#ifndef NO_PSK
4612
    if (ssl->options.client_psk_tls13_cb != NULL ||
4613
        ssl->options.client_psk_cb != NULL) {
4614
        return 1;
4615
    }
4616
#endif
4617
    return 0;
4618
}
4619
#endif /* WOLFSSL_EARLY_DATA */
4620
4621
int SendTls13ClientHello(WOLFSSL* ssl)
4622
0
{
4623
0
    int ret;
4624
#ifdef WOLFSSL_ASYNC_CRYPT
4625
    Sch13Args* args = NULL;
4626
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
4627
#else
4628
0
    Sch13Args  args[1];
4629
0
#endif
4630
0
    byte major, tls12minor;
4631
0
    const Suites* suites;
4632
4633
0
    WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND);
4634
0
    WOLFSSL_ENTER("SendTls13ClientHello");
4635
4636
0
    if (ssl == NULL) {
4637
0
        return BAD_FUNC_ARG;
4638
0
    }
4639
4640
0
    ssl->options.buildingMsg = 1;
4641
0
    major = SSLv3_MAJOR;
4642
0
    tls12minor = TLSv1_2_MINOR;
4643
4644
#ifdef WOLFSSL_DTLS13
4645
    if (ssl->options.dtls) {
4646
        major = DTLS_MAJOR;
4647
        tls12minor = DTLSv1_2_MINOR;
4648
    }
4649
#endif /* WOLFSSL_DTLS */
4650
4651
0
    if (ssl->options.resuming &&
4652
0
            ssl->session->version.major != 0 &&
4653
0
            (ssl->session->version.major != ssl->version.major ||
4654
0
             ssl->session->version.minor != ssl->version.minor)) {
4655
0
    #ifndef WOLFSSL_NO_TLS12
4656
0
        if (ssl->session->version.major == ssl->version.major &&
4657
0
            ssl->session->version.minor < ssl->version.minor) {
4658
            /* Cannot resume with a different protocol version. */
4659
0
            ssl->options.resuming = 0;
4660
0
            ssl->version.major = ssl->session->version.major;
4661
0
            ssl->version.minor = ssl->session->version.minor;
4662
0
            return SendClientHello(ssl);
4663
0
        }
4664
0
        else
4665
0
    #endif
4666
0
        {
4667
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
4668
0
            return VERSION_ERROR;
4669
0
        }
4670
0
    }
4671
4672
0
    suites = WOLFSSL_SUITES(ssl);
4673
0
    if (suites == NULL) {
4674
0
        WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello");
4675
0
        return SUITES_ERROR;
4676
0
    }
4677
4678
#ifdef WOLFSSL_ASYNC_CRYPT
4679
    if (ssl->async == NULL) {
4680
        ssl->async = (struct WOLFSSL_ASYNC*)
4681
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
4682
                        DYNAMIC_TYPE_ASYNC);
4683
        if (ssl->async == NULL)
4684
            return MEMORY_E;
4685
        ssl->async->freeArgs = NULL;
4686
    }
4687
    args = (Sch13Args*)ssl->async->args;
4688
4689
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
4690
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
4691
        /* Check for error */
4692
        if (ret < 0)
4693
            return ret;
4694
    }
4695
    else
4696
#endif
4697
0
    {
4698
        /* Reset state */
4699
0
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
4700
0
        XMEMSET(args, 0, sizeof(Sch13Args));
4701
0
    }
4702
4703
0
    switch (ssl->options.asyncState) {
4704
0
    case TLS_ASYNC_BEGIN:
4705
0
    {
4706
0
    word32 sessIdSz = 0;
4707
4708
0
    args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
4709
4710
#ifdef WOLFSSL_DTLS13
4711
    if (ssl->options.dtls)
4712
        args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
4713
#endif /* WOLFSSL_DTLS13 */
4714
4715
    /* Version | Random | Cipher Suites | Compression */
4716
0
    args->length = VERSION_SZ + RAN_LEN + suites->suiteSz +
4717
0
            SUITE_LEN + COMP_LEN + ENUM_LEN;
4718
#ifdef WOLFSSL_QUIC
4719
    if (WOLFSSL_IS_QUIC(ssl)) {
4720
        /* RFC 9001 ch. 8.4 sessionID in ClientHello MUST be 0 length */
4721
        ssl->session->sessionIDSz = 0;
4722
        ssl->options.tls13MiddleBoxCompat = 0;
4723
    }
4724
#endif
4725
#ifdef WOLFSSL_DTLS13
4726
    if (ssl->options.dtls) {
4727
        /* RFC 9147 Section 5: DTLS implementations do not use the
4728
         *                     TLS 1.3 "compatibility mode" */
4729
        ssl->options.tls13MiddleBoxCompat = 0;
4730
    }
4731
#endif
4732
0
    GetTls13SessionId(ssl, NULL, &sessIdSz);
4733
0
    args->length += (word16)sessIdSz;
4734
4735
#ifdef WOLFSSL_DTLS13
4736
    if (ssl->options.dtls) {
4737
        /* legacy_cookie_id len */
4738
        args->length += ENUM_LEN;
4739
4740
        /* server sent us an HelloVerifyRequest and we allow downgrade  */
4741
        if (ssl->arrays->cookieSz > 0 && ssl->options.downgrade)
4742
            args->length += ssl->arrays->cookieSz;
4743
    }
4744
#endif /* WOLFSSL_DTLS13 */
4745
4746
    /* Advance state and proceed */
4747
0
    ssl->options.asyncState = TLS_ASYNC_BUILD;
4748
0
    } /* case TLS_ASYNC_BEGIN */
4749
0
    FALL_THROUGH;
4750
4751
0
    case TLS_ASYNC_BUILD:
4752
0
    case TLS_ASYNC_DO:
4753
0
    {
4754
    /* Auto populate extensions supported unless user defined. */
4755
0
    if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
4756
0
        return ret;
4757
4758
    /* Advance state and proceed */
4759
0
    ssl->options.asyncState = TLS_ASYNC_FINALIZE;
4760
0
    } /* case TLS_ASYNC_BUILD */
4761
0
    FALL_THROUGH;
4762
4763
0
    case TLS_ASYNC_FINALIZE:
4764
0
    {
4765
#ifdef WOLFSSL_EARLY_DATA
4766
    if (!EarlyDataPossible(ssl))
4767
        ssl->earlyData = no_early_data;
4768
    if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE)
4769
        ssl->earlyData = no_early_data;
4770
    if (ssl->earlyData == no_early_data)
4771
        TLSX_Remove(&ssl->extensions, TLSX_EARLY_DATA, ssl->heap);
4772
    if (ssl->earlyData != no_early_data &&
4773
        (ret = TLSX_EarlyData_Use(ssl, 0, 0)) < 0) {
4774
        return ret;
4775
    }
4776
#endif
4777
#ifdef WOLFSSL_QUIC
4778
    if (WOLFSSL_IS_QUIC(ssl) && IsAtLeastTLSv1_3(ssl->version)) {
4779
        ret = wolfSSL_quic_add_transport_extensions(ssl, client_hello);
4780
        if (ret != 0)
4781
            return ret;
4782
    }
4783
#endif
4784
4785
    /* find length of outer and inner */
4786
#if defined(HAVE_ECH)
4787
    if (!ssl->options.disableECH) {
4788
        TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH);
4789
        void* hostName = NULL;
4790
        word16 nameLen;
4791
        if (echX == NULL)
4792
            return WOLFSSL_FATAL_ERROR;
4793
4794
        args->ech = (WOLFSSL_ECH*)echX->data;
4795
        if (args->ech == NULL)
4796
            return WOLFSSL_FATAL_ERROR;
4797
4798
        /* if ECH was rejected by the HRR then the server MUST stop
4799
         * decrypting ECH, so send a GREASE ECH for the follow-up CH */
4800
        if (ssl->echConfigs != NULL && !ssl->options.echAccepted &&
4801
                ssl->options.serverState ==
4802
                    SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
4803
            args->ech->state = ECH_WRITE_GREASE;
4804
        }
4805
4806
        /* only prepare if we have a chance at acceptance (real ECH only) */
4807
        if (ssl->echConfigs != NULL &&
4808
                (ssl->options.echAccepted || args->ech->innerCount == 0)) {
4809
            word32 encodedLen;
4810
            byte downgrade;
4811
4812
            /* ensure that a version less than TLS1.3 is never offered  */
4813
            downgrade = ssl->options.downgrade;
4814
            ssl->options.downgrade = 0;
4815
4816
            /* set the type to inner */
4817
            args->ech->type = ECH_TYPE_INNER;
4818
            args->preXLength = args->length;
4819
4820
            /* get expanded inner size (used for transcript) */
4821
            ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
4822
            if (ret != 0) {
4823
                args->ech->type = ECH_TYPE_OUTER;
4824
                ssl->options.downgrade = downgrade;
4825
                return ret;
4826
            }
4827
4828
            /* args->expandedInnerLen carries the length for the hash */
4829
            args->expandedInnerLen = args->length;
4830
            if (args->expandedInnerLen > 0xFFFF) {
4831
                args->ech->type = ECH_TYPE_OUTER;
4832
                ssl->options.downgrade = downgrade;
4833
                return BUFFER_E;
4834
            }
4835
4836
            /* get encoded inner size */
4837
            args->ech->writeEncoded = 1;
4838
            encodedLen = args->preXLength;
4839
            ret = TLSX_GetRequestSize(ssl, client_hello, &encodedLen);
4840
            args->ech->writeEncoded = 0;
4841
            /* set the type to outer */
4842
            args->ech->type = ECH_TYPE_OUTER;
4843
            ssl->options.downgrade = downgrade;
4844
            if (ret != 0)
4845
                return ret;
4846
4847
            /* calculate padding (RFC 9849, section 6.1.3) */
4848
            nameLen = TLSX_SNI_GetRequest(ssl->extensions,
4849
                WOLFSSL_SNI_HOST_NAME, &hostName, 1);
4850
            if (nameLen == 0 && ssl->ctx != NULL)
4851
                nameLen = TLSX_SNI_GetRequest(ssl->ctx->extensions,
4852
                    WOLFSSL_SNI_HOST_NAME, &hostName, 1);
4853
4854
            if (nameLen != 0) {
4855
                if (nameLen > args->ech->echConfig->maxNameLen)
4856
                    args->ech->paddingLen = 0;
4857
                else
4858
                    args->ech->paddingLen =
4859
                        (word16)args->ech->echConfig->maxNameLen - nameLen;
4860
            }
4861
            else {
4862
                /* maxNameLen + length of the SNI extension */
4863
                args->ech->paddingLen = args->ech->echConfig->maxNameLen + 9;
4864
            }
4865
4866
            /* innerClientHelloLen and padding are based on the
4867
             * encoded (sealed) inner */
4868
            args->ech->paddingLen +=
4869
                ECH_PADDING_TO_32(encodedLen + args->ech->paddingLen);
4870
            args->ech->innerClientHelloLen = encodedLen +
4871
                args->ech->paddingLen + args->ech->hpke->Nt;
4872
4873
            if (args->ech->innerClientHelloLen > 0xFFFF)
4874
                return BUFFER_E;
4875
4876
            /* restore the length to pre-ClientHelloInner computations */
4877
            args->length = args->preXLength;
4878
        }
4879
    }
4880
#endif
4881
4882
0
    {
4883
#ifdef WOLFSSL_DTLS_CH_FRAG
4884
        word16 maxFrag = wolfssl_local_GetMaxPlaintextSize(ssl);
4885
        word16 lenWithoutExts = args->length;
4886
#endif
4887
4888
        /* Include length of TLS extensions. */
4889
0
        ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
4890
0
        if (ret != 0)
4891
0
            return ret;
4892
4893
        /* Total message size. */
4894
0
        args->sendSz =
4895
0
                (int)(args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ);
4896
4897
#ifdef WOLFSSL_DTLS13
4898
        if (ssl->options.dtls)
4899
            args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
4900
#endif /* WOLFSSL_DTLS13 */
4901
4902
#ifdef WOLFSSL_DTLS_CH_FRAG
4903
        /* Only empty the key share on the first CH; this avoids first CH
4904
         * fragmentation (wolfSSL refuses them) */
4905
        if (ssl->options.dtls && args->sendSz > maxFrag &&
4906
                ssl->options.serverState !=
4907
                    SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
4908
            /* Try again with an empty key share if we would be fragmenting */
4909
            ret = TLSX_KeyShare_Empty(ssl);
4910
            if (ret != 0)
4911
                return ret;
4912
            args->length = lenWithoutExts;
4913
            ret = TLSX_GetRequestSize(ssl, client_hello, &args->length);
4914
            if (ret != 0)
4915
                return ret;
4916
            args->sendSz = (int)(args->length +
4917
                    DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ);
4918
            if (args->sendSz > maxFrag) {
4919
                WOLFSSL_MSG("Can't fit first CH in one fragment.");
4920
                return BUFFER_ERROR;
4921
            }
4922
            WOLFSSL_MSG("Sending empty key share so we don't fragment CH1");
4923
        }
4924
#endif
4925
0
    }
4926
4927
    /* Check buffers are big enough and grow if needed. */
4928
0
    if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0)
4929
0
        return ret;
4930
4931
    /* Get position in output buffer to write new message to. */
4932
0
    args->output = GetOutputBuffer(ssl);
4933
4934
    /* Put the record and handshake headers on. */
4935
0
    AddTls13Headers(args->output, args->length, client_hello, ssl);
4936
4937
    /* Protocol version - negotiation now in extension: supported_versions. */
4938
0
    args->output[args->idx++] = major;
4939
0
    args->output[args->idx++] = tls12minor;
4940
4941
    /* Keep for downgrade. */
4942
0
    ssl->chVersion = ssl->version;
4943
4944
0
    if (ssl->arrays == NULL) {
4945
0
        return BAD_FUNC_ARG;
4946
0
    }
4947
    /* Client Random */
4948
0
    if (ssl->options.connectState == CONNECT_BEGIN) {
4949
0
        ret = wc_RNG_GenerateBlock(ssl->rng, args->output + args->idx, RAN_LEN);
4950
0
        if (ret != 0)
4951
0
            return ret;
4952
4953
        /* Store random for possible second ClientHello. */
4954
0
        XMEMCPY(ssl->arrays->clientRandom, args->output + args->idx, RAN_LEN);
4955
0
    }
4956
0
    else
4957
0
        XMEMCPY(args->output + args->idx, ssl->arrays->clientRandom, RAN_LEN);
4958
4959
#if defined(HAVE_ECH)
4960
    args->clientRandomOffset = (int)args->idx;
4961
#endif
4962
4963
0
    args->idx += RAN_LEN;
4964
4965
0
    GetTls13SessionId(ssl, args->output, &args->idx);
4966
4967
#ifdef WOLFSSL_DTLS13
4968
    if (ssl->options.dtls) {
4969
        args->output[args->idx++] = ssl->arrays->cookieSz;
4970
4971
        if (ssl->arrays->cookieSz > 0) {
4972
            /* We have a cookie saved, so the server sent us an
4973
             * HelloVerifyRequest, it means it is a v1.2 server */
4974
            if (!ssl->options.downgrade)
4975
                return VERSION_ERROR;
4976
            XMEMCPY(args->output + args->idx, ssl->arrays->cookie,
4977
                ssl->arrays->cookieSz);
4978
            args->idx += ssl->arrays->cookieSz;
4979
        }
4980
    }
4981
#endif /* WOLFSSL_DTLS13 */
4982
4983
    /* Cipher suites */
4984
0
    c16toa(suites->suiteSz, args->output + args->idx);
4985
0
    args->idx += OPAQUE16_LEN;
4986
0
    XMEMCPY(args->output + args->idx, &suites->suites,
4987
0
        suites->suiteSz);
4988
0
    args->idx += suites->suiteSz;
4989
#ifdef WOLFSSL_DEBUG_TLS
4990
    {
4991
        int ii;
4992
        WOLFSSL_MSG("Ciphers:");
4993
        for (ii = 0 ; ii < suites->suiteSz; ii += 2) {
4994
            WOLFSSL_MSG(GetCipherNameInternal(suites->suites[ii+0],
4995
                                              suites->suites[ii+1]));
4996
        }
4997
    }
4998
#endif
4999
5000
    /* Compression not supported in TLS v1.3. */
5001
0
    args->output[args->idx++] = COMP_LEN;
5002
0
    args->output[args->idx++] = NO_COMPRESSION;
5003
5004
#if defined(HAVE_ECH)
5005
    /* Build the expanded inner ClientHello */
5006
    if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
5007
            (ssl->options.echAccepted || args->ech->innerCount == 0)) {
5008
        byte downgrade;
5009
5010
        /* calculate maximum buffer size needed */
5011
        word32 encodedBodyLen = args->ech->innerClientHelloLen -
5012
            args->ech->hpke->Nt;
5013
        word32 innerBufSize = args->expandedInnerLen;
5014
        if (encodedBodyLen > innerBufSize)
5015
            innerBufSize = encodedBodyLen;
5016
5017
        /* set the type to inner */
5018
        args->ech->type = ECH_TYPE_INNER;
5019
        /* innerClientHello may already exist from hrr, free if it does */
5020
        if (args->ech->innerClientHello != NULL) {
5021
            XFREE(args->ech->innerClientHello, ssl->heap,
5022
                DYNAMIC_TYPE_TMP_BUFFER);
5023
        }
5024
        /* allocate the inner */
5025
        args->ech->innerClientHello =
5026
            (byte*)XMALLOC(innerBufSize, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
5027
        if (args->ech->innerClientHello == NULL) {
5028
            args->ech->type = ECH_TYPE_OUTER;
5029
            return MEMORY_E;
5030
        }
5031
        /* copy everything before extensions into the innerClientHello
5032
         * ignore record and handshake headers */
5033
        XMEMCPY(args->ech->innerClientHello,
5034
            args->output + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ,
5035
            args->preXLength);
5036
        /* copy the client random to inner - only for first CH, not after HRR */
5037
        if (!ssl->options.echAccepted) {
5038
            XMEMCPY(ssl->arrays->clientRandomInner, ssl->arrays->clientRandom,
5039
                RAN_LEN);
5040
        }
5041
        else {
5042
            /* After HRR, use the same inner random as CH1 */
5043
            XMEMCPY(args->ech->innerClientHello + VERSION_SZ,
5044
                ssl->arrays->clientRandomInner, RAN_LEN);
5045
        }
5046
        /* change the outer client random */
5047
        ret = wc_RNG_GenerateBlock(ssl->rng, args->output +
5048
            args->clientRandomOffset, RAN_LEN);
5049
        if (ret != 0) {
5050
            args->ech->type = ECH_TYPE_OUTER;
5051
            return ret;
5052
        }
5053
        /* copy the new client random */
5054
        XMEMCPY(ssl->arrays->clientRandom, args->output +
5055
            args->clientRandomOffset, RAN_LEN);
5056
5057
        /* ensure that a version less than TLS1.3 is never offered  */
5058
        downgrade = ssl->options.downgrade;
5059
        ssl->options.downgrade = 0;
5060
5061
        /* write the expanded extensions into the inner buffer */
5062
        args->length = 0;
5063
        ret = TLSX_WriteRequest(ssl,
5064
            args->ech->innerClientHello + args->preXLength, client_hello,
5065
            &args->length);
5066
        if (ret != 0) {
5067
            args->ech->type = ECH_TYPE_OUTER;
5068
            ssl->options.downgrade = downgrade;
5069
            return ret;
5070
        }
5071
5072
        /* hash expanded form */
5073
        args->ech->innerClientHelloLen = args->expandedInnerLen;
5074
        ret = EchHashHelloInner(ssl, args->ech);
5075
        args->ech->innerClientHelloLen = encodedBodyLen + args->ech->hpke->Nt;
5076
        if (ret != 0) {
5077
            args->ech->type = ECH_TYPE_OUTER;
5078
            ssl->options.downgrade = downgrade;
5079
            return ret;
5080
        }
5081
5082
        /* zero padding bytes sealed with the inner hello */
5083
        XMEMSET(args->ech->innerClientHello +
5084
            args->ech->innerClientHelloLen - args->ech->hpke->Nt -
5085
            args->ech->paddingLen, 0, args->ech->paddingLen);
5086
        /* Rewrite inner buffer with the encoded form for sealing */
5087
        args->ech->writeEncoded = 1;
5088
        args->length = 0;
5089
        ret = TLSX_WriteRequest(ssl,
5090
            args->ech->innerClientHello + args->preXLength, client_hello,
5091
            &args->length);
5092
        args->ech->writeEncoded = 0;
5093
        /* set the type to outer */
5094
        args->ech->type = ECH_TYPE_OUTER;
5095
        ssl->options.downgrade = downgrade;
5096
        if (ret != 0)
5097
            return ret;
5098
    }
5099
#endif
5100
5101
    /* Write out extensions for a request. */
5102
0
    args->length = 0;
5103
0
    ret = TLSX_WriteRequest(ssl, args->output + args->idx, client_hello,
5104
0
        &args->length);
5105
0
    if (ret != 0)
5106
0
        return ret;
5107
5108
0
    args->idx += args->length;
5109
5110
#if defined(HAVE_ECH)
5111
    /* HPKE-seal inner hello and place into outer ECH extension's payload */
5112
    if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
5113
            (ssl->options.echAccepted || args->ech->innerCount == 0)) {
5114
#if defined(WOLFSSL_TEST_ECH)
5115
        if (ssl->echInnerHelloCb != NULL) {
5116
            ret = ssl->echInnerHelloCb(args->ech->innerClientHello,
5117
                args->ech->innerClientHelloLen - args->ech->hpke->Nt);
5118
            if (ret != 0)
5119
                return ret;
5120
        }
5121
#endif
5122
        ret = TLSX_FinalizeEch(ssl, args->ech,
5123
            args->output + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ,
5124
            (word32)(args->sendSz - (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ)));
5125
5126
        if (ret != 0)
5127
            return ret;
5128
    }
5129
    /* Mark CH1 done for any ECH extension (real or GREASE) */
5130
    if (args->ech != NULL)
5131
        args->ech->innerCount = 1;
5132
#endif
5133
5134
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
5135
    /* Resumption has a specific set of extensions and binder is calculated
5136
     * for each identity.
5137
     */
5138
    if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY)) {
5139
        ret = WritePSKBinders(ssl, args->output, args->idx);
5140
    }
5141
    else
5142
#endif
5143
0
    {
5144
#ifdef WOLFSSL_DTLS13
5145
        if (ssl->options.dtls)
5146
            ret = Dtls13HashHandshake(ssl,
5147
                args->output + Dtls13GetRlHeaderLength(ssl, 0),
5148
                (word16)args->idx - Dtls13GetRlHeaderLength(ssl, 0));
5149
        else
5150
#endif /* WOLFSSL_DTLS13 */
5151
0
        {
5152
            /* compute the outer hash */
5153
0
            ret = HashOutput(ssl, args->output, (int)args->idx, 0);
5154
0
        }
5155
0
    }
5156
0
    if (ret != 0)
5157
0
        return ret;
5158
5159
0
    ssl->options.clientState = CLIENT_HELLO_COMPLETE;
5160
5161
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
5162
    if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
5163
    if (ssl->toInfoOn) {
5164
        ret = AddPacketInfo(ssl, "ClientHello", handshake, args->output,
5165
                      args->sendSz, WRITE_PROTO, 0, ssl->heap);
5166
        if (ret != 0)
5167
            return ret;
5168
    }
5169
#endif
5170
5171
0
    ssl->options.buildingMsg = 0;
5172
#ifdef WOLFSSL_DTLS13
5173
    if (ssl->options.dtls) {
5174
        ret = Dtls13HandshakeSend(ssl, args->output, (word16)args->sendSz,
5175
                                  (word16)args->idx, client_hello, 0);
5176
        break;
5177
    }
5178
#endif /* WOLFSSL_DTLS13 */
5179
5180
0
    ssl->buffers.outputBuffer.length += (word32)args->sendSz;
5181
5182
    /* Advance state and proceed */
5183
0
    ssl->options.asyncState = TLS_ASYNC_END;
5184
0
    }
5185
    /* case TLS_ASYNC_BUILD */
5186
0
    FALL_THROUGH;
5187
5188
0
    case TLS_ASYNC_END:
5189
0
    {
5190
#ifdef WOLFSSL_EARLY_DATA_GROUP
5191
    /* QUIC needs to forward records at their encryption level
5192
     * and is therefore unable to group here */
5193
    if (ssl->earlyData == no_early_data || WOLFSSL_IS_QUIC(ssl))
5194
#endif
5195
0
        ret = SendBuffered(ssl);
5196
5197
0
    break;
5198
0
    }
5199
0
    default:
5200
0
        ret = INPUT_CASE_ERROR;
5201
0
    } /* switch (ssl->options.asyncState) */
5202
5203
#ifdef WOLFSSL_ASYNC_CRYPT
5204
    if (ret == 0)
5205
        FreeAsyncCtx(ssl, 0);
5206
#endif
5207
5208
0
    WOLFSSL_LEAVE("SendTls13ClientHello", ret);
5209
0
    WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND);
5210
5211
0
    return ret;
5212
0
}
5213
5214
#if defined(WOLFSSL_DTLS13) && !defined(NO_WOLFSSL_CLIENT)
5215
static int Dtls13ClientDoDowngrade(WOLFSSL* ssl)
5216
{
5217
    int ret;
5218
    if (ssl->dtls13ClientHello == NULL)
5219
        return BAD_STATE_E;
5220
5221
    /* v1.3 and v1.2 hash messages to compute the transcript hash. When we are
5222
     * using DTLSv1.3 we hash the first clientHello following v1.3 but the
5223
     * server can negotiate a lower version. So we need to re-hash the
5224
     * clientHello to adhere to DTLS <= v1.2 rules. */
5225
    ret = InitHandshakeHashes(ssl);
5226
    if (ret != 0)
5227
        return ret;
5228
    ret = HashRaw(ssl, ssl->dtls13ClientHello, ssl->dtls13ClientHelloSz);
5229
    XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
5230
    ssl->dtls13ClientHello = NULL;
5231
    ssl->dtls13ClientHelloSz = 0;
5232
    ssl->keys.dtls_sequence_number_hi =
5233
        (word16)w64GetHigh32(ssl->dtls13EncryptEpoch->nextSeqNumber);
5234
    ssl->keys.dtls_sequence_number_lo =
5235
        w64GetLow32(ssl->dtls13EncryptEpoch->nextSeqNumber);
5236
    return ret;
5237
}
5238
#endif /* WOLFSSL_DTLS13 && !NO_WOLFSSL_CLIENT*/
5239
5240
#if defined(HAVE_ECH)
5241
/* Calculate ECH acceptance and verify the server accepted ECH.
5242
 *
5243
 * ssl          SSL/TLS object.
5244
 * label        Ascii string describing ECH acceptance type.
5245
 * labelSz      Length of label excluding NULL character.
5246
 * input        The buffer to calculate confirmation off of.
5247
 * acceptOffset Where the 8 ECH confirmation bytes start.
5248
 * helloSz      Size of hello message.
5249
 * returns 0 on success and otherwise failure.
5250
 */
5251
static int EchCheckAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
5252
    const byte* input, int acceptOffset, int helloSz, byte msgType)
5253
{
5254
    int ret = 0;
5255
    int headerSz;
5256
    HS_Hashes* tmpHashes;
5257
    byte acceptConfirmation[ECH_ACCEPT_CONFIRMATION_SZ];
5258
5259
    XMEMSET(acceptConfirmation, 0, sizeof(acceptConfirmation));
5260
5261
#ifdef WOLFSSL_DTLS13
5262
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
5263
                                   HANDSHAKE_HEADER_SZ;
5264
#else
5265
    headerSz = HANDSHAKE_HEADER_SZ;
5266
#endif
5267
5268
    ret = EchCalcAcceptance(ssl, label, labelSz, input, acceptOffset, helloSz,
5269
            msgType == hello_retry_request, acceptConfirmation);
5270
5271
    if (ret == 0) {
5272
        tmpHashes = ssl->hsHashes;
5273
        ssl->hsHashes = ssl->hsHashesEch;
5274
5275
        /* last 8 bytes must match the expand output */
5276
        ret = ConstantCompare(acceptConfirmation, input + acceptOffset,
5277
            ECH_ACCEPT_CONFIRMATION_SZ);
5278
5279
        if (ret == 0) {
5280
            WOLFSSL_MSG("ECH accepted");
5281
            ssl->options.echAccepted = 1;
5282
5283
            /* after HRR, hsHashesEch must contain:
5284
             * message_hash(ClientHelloInner1) || HRR (actual, not zeros) */
5285
            if (msgType == hello_retry_request) {
5286
                ret = HashRaw(ssl, input, helloSz + headerSz);
5287
            }
5288
            /* normal TLS code will calculate transcript of ServerHello */
5289
            else {
5290
                ssl->hsHashes = tmpHashes;
5291
                FreeHandshakeHashes(ssl);
5292
                tmpHashes = ssl->hsHashesEch;
5293
                ssl->hsHashesEch = NULL;
5294
            }
5295
        }
5296
        else {
5297
            if (msgType != hello_retry_request && ssl->options.echAccepted) {
5298
                /* the SH has rejected ECH after the HRR has accepted it
5299
                 * RFC 9849, section 6.1.5 */
5300
                WOLFSSL_MSG("ECH rejected, but it was previously accepted...");
5301
                ret = INVALID_PARAMETER;
5302
            }
5303
            else {
5304
                WOLFSSL_MSG("ECH rejected");
5305
                ret = 0;
5306
            }
5307
            ssl->options.echAccepted = 0;
5308
5309
            /* ECH rejected, continue with outer transcript */
5310
            FreeHandshakeHashes(ssl);
5311
            ssl->hsHashesEch = NULL;
5312
        }
5313
5314
        ssl->hsHashes = tmpHashes;
5315
    }
5316
5317
    /* Skip only when the HRR signals ECH acceptance
5318
     * -> CH2 still needs ech->extensions for inner/outer extension swap
5319
     *    during write */
5320
    if (ret == 0 &&
5321
            (msgType != hello_retry_request || !ssl->options.echAccepted))
5322
        ret = TLSX_EchReplaceExtensions(ssl, ssl->options.echAccepted);
5323
5324
    return ret;
5325
}
5326
#endif /* HAVE_ECH */
5327
5328
/* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */
5329
/* Handle the ServerHello message from the server.
5330
 * Only a client will receive this message.
5331
 *
5332
 * ssl       The SSL/TLS object.
5333
 * input     The message buffer.
5334
 * inOutIdx  On entry, the index into the message buffer of ServerHello.
5335
 *           On exit, the index of byte after the ServerHello message.
5336
 * helloSz   The length of the current handshake message.
5337
 * returns 0 on success and otherwise failure.
5338
 */
5339
5340
typedef struct Dsh13Args {
5341
    ProtocolVersion pv;
5342
    word32          idx;
5343
    word32          begin;
5344
    const byte*     sessId;
5345
    word16          totalExtSz;
5346
    byte            sessIdSz;
5347
    byte            extMsgType;
5348
#if defined(HAVE_ECH)
5349
    TLSX* echX;
5350
    byte* acceptLabel;
5351
    word32 acceptOffset;
5352
    word16 acceptLabelSz;
5353
#endif
5354
} Dsh13Args;
5355
5356
int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
5357
                       word32 helloSz, byte* extMsgType)
5358
0
{
5359
0
    int ret;
5360
0
    byte suite[2];
5361
0
    byte tls12minor;
5362
#ifdef WOLFSSL_ASYNC_CRYPT
5363
    Dsh13Args* args = NULL;
5364
#else
5365
0
    Dsh13Args  args[1];
5366
0
#endif
5367
#ifdef WOLFSSL_ASYNC_CRYPT
5368
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
5369
#endif
5370
5371
0
    WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
5372
0
    WOLFSSL_ENTER("DoTls13ServerHello");
5373
5374
0
    if (ssl == NULL || ssl->arrays == NULL)
5375
0
        return BAD_FUNC_ARG;
5376
5377
0
    tls12minor = TLSv1_2_MINOR;
5378
5379
#ifdef WOLFSSL_DTLS13
5380
    if (ssl->options.dtls)
5381
        tls12minor = DTLSv1_2_MINOR;
5382
#endif /*  WOLFSSL_DTLS13 */
5383
5384
#ifdef WOLFSSL_ASYNC_CRYPT
5385
    if (ssl->async == NULL) {
5386
        ssl->async = (struct WOLFSSL_ASYNC*)
5387
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
5388
                        DYNAMIC_TYPE_ASYNC);
5389
        if (ssl->async == NULL)
5390
            return MEMORY_E;
5391
        ssl->async->freeArgs = NULL;
5392
    }
5393
    args = (Dsh13Args*)ssl->async->args;
5394
5395
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
5396
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
5397
        /* Check for error */
5398
        if (ret < 0) {
5399
            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
5400
                /* Mark message as not received so it can process again */
5401
                ssl->msgsReceived.got_server_hello = 0;
5402
            }
5403
            return ret;
5404
        }
5405
    }
5406
    else
5407
#endif
5408
0
    {
5409
        /* Reset state */
5410
0
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
5411
0
        XMEMSET(args, 0, sizeof(Dsh13Args));
5412
0
    }
5413
5414
0
    switch (ssl->options.asyncState) {
5415
0
    case TLS_ASYNC_BEGIN:
5416
0
    {
5417
0
    byte b;
5418
#ifdef WOLFSSL_CALLBACKS
5419
    if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello");
5420
    if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
5421
#endif
5422
5423
    /* Protocol version length check. */
5424
0
    if (helloSz < OPAQUE16_LEN)
5425
0
        return BUFFER_ERROR;
5426
5427
0
    args->idx = *inOutIdx;
5428
0
    args->begin = args->idx;
5429
5430
    /* Protocol version */
5431
0
    XMEMCPY(&args->pv, input + args->idx, OPAQUE16_LEN);
5432
0
    args->idx += OPAQUE16_LEN;
5433
5434
#ifdef WOLFSSL_DTLS
5435
    if (ssl->options.dtls &&
5436
        (args->pv.major != DTLS_MAJOR || args->pv.minor == DTLS_BOGUS_MINOR))
5437
        return VERSION_ERROR;
5438
#endif /* WOLFSSL_DTLS */
5439
5440
0
#ifndef WOLFSSL_NO_TLS12
5441
0
    {
5442
0
        byte wantDowngrade;
5443
5444
0
        wantDowngrade = args->pv.major == ssl->version.major &&
5445
0
            args->pv.minor < TLSv1_2_MINOR;
5446
5447
#ifdef WOLFSSL_DTLS13
5448
        if (ssl->options.dtls)
5449
            wantDowngrade = args->pv.major == ssl->version.major &&
5450
                args->pv.minor > DTLSv1_2_MINOR;
5451
#endif /* WOLFSSL_DTLS13 */
5452
5453
0
        if (wantDowngrade && ssl->options.downgrade) {
5454
            /* Force client hello version 1.2 to work for static RSA. */
5455
0
            ssl->chVersion.minor = TLSv1_2_MINOR;
5456
0
            ssl->version.minor = TLSv1_2_MINOR;
5457
0
            ssl->options.tls1_3 = 0;
5458
5459
#ifdef WOLFSSL_DTLS13
5460
            if (ssl->options.dtls) {
5461
                ssl->chVersion.minor = DTLSv1_2_MINOR;
5462
                ssl->version.minor = DTLSv1_2_MINOR;
5463
                ret = Dtls13ClientDoDowngrade(ssl);
5464
                if (ret != 0)
5465
                    return ret;
5466
            }
5467
#endif /* WOLFSSL_DTLS13 */
5468
5469
0
            return DoServerHello(ssl, input, inOutIdx, helloSz);
5470
0
        }
5471
0
    }
5472
0
#endif
5473
5474
0
    if (args->pv.major != ssl->version.major ||
5475
0
        args->pv.minor != tls12minor) {
5476
0
        SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
5477
0
        WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
5478
0
        return VERSION_ERROR;
5479
0
    }
5480
5481
    /* Random and session id length check */
5482
0
    if ((args->idx - args->begin) + RAN_LEN + ENUM_LEN > helloSz)
5483
0
        return BUFFER_ERROR;
5484
5485
    /* Check if hello retry request */
5486
0
    if (XMEMCMP(input + args->idx, helloRetryRequestRandom, RAN_LEN) == 0) {
5487
0
        WOLFSSL_MSG("HelloRetryRequest format");
5488
0
        *extMsgType = hello_retry_request;
5489
5490
0
        if (ssl->msgsReceived.got_hello_verify_request) {
5491
0
            WOLFSSL_MSG("Received HelloRetryRequest after a "
5492
0
                        "HelloVerifyRequest");
5493
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
5494
0
            return VERSION_ERROR;
5495
0
        }
5496
5497
        /* A HelloRetryRequest comes in as an ServerHello for MiddleBox compat.
5498
         * Found message to be a HelloRetryRequest.
5499
         * Don't allow more than one HelloRetryRequest or ServerHello.
5500
         */
5501
0
        if (ssl->msgsReceived.got_hello_retry_request) {
5502
0
            WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
5503
0
            return DUPLICATE_MSG_E;
5504
0
        }
5505
0
    }
5506
0
    args->extMsgType = *extMsgType;
5507
5508
    /* Server random - keep for debugging. */
5509
0
    XMEMCPY(ssl->arrays->serverRandom, input + args->idx, RAN_LEN);
5510
#if defined(HAVE_ECH)
5511
    /* last 8 bytes of server random */
5512
    args->acceptOffset = args->idx + RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ;
5513
#endif
5514
0
    args->idx += RAN_LEN;
5515
5516
    /* Session id */
5517
0
    args->sessIdSz = input[args->idx++];
5518
0
    if (args->sessIdSz > ID_LEN || args->sessIdSz > RAN_LEN ||
5519
0
        ((args->idx - args->begin) + args->sessIdSz > helloSz))
5520
0
        return BUFFER_ERROR;
5521
0
    args->sessId = input + args->idx;
5522
0
    args->idx += args->sessIdSz;
5523
5524
0
    ssl->options.haveSessionId = 1;
5525
5526
    /* Ciphersuite and compression check */
5527
0
    if ((args->idx - args->begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz)
5528
0
        return BUFFER_ERROR;
5529
5530
    /* Set the cipher suite from the message. */
5531
0
    ssl->options.cipherSuite0 = input[args->idx++];
5532
0
    ssl->options.cipherSuite  = input[args->idx++];
5533
0
    if (*extMsgType == hello_retry_request) {
5534
0
        ssl->options.hrrCipherSuite0 = ssl->options.cipherSuite0;
5535
0
        ssl->options.hrrCipherSuite  = ssl->options.cipherSuite;
5536
0
    }
5537
0
    else if (ssl->msgsReceived.got_hello_retry_request &&
5538
0
             (ssl->options.hrrCipherSuite0 != ssl->options.cipherSuite0 ||
5539
0
                     ssl->options.hrrCipherSuite != ssl->options.cipherSuite)) {
5540
0
        WOLFSSL_MSG("Received ServerHello with different cipher suite than "
5541
0
                    "HelloRetryRequest");
5542
0
        WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5543
0
        return INVALID_PARAMETER;
5544
0
    }
5545
#ifdef WOLFSSL_DEBUG_TLS
5546
    WOLFSSL_MSG("Chosen cipher suite:");
5547
    WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0,
5548
                                      ssl->options.cipherSuite));
5549
#endif
5550
5551
    /* Compression */
5552
0
    b = input[args->idx++];
5553
0
    if (b != 0) {
5554
0
        WOLFSSL_MSG("Must be no compression types in list");
5555
0
        WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5556
0
        return INVALID_PARAMETER;
5557
0
    }
5558
5559
0
    if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz) {
5560
0
        if (!ssl->options.downgrade) {
5561
            /* Fewer than OPAQUE16_LEN bytes remain after the compression
5562
             * method, so there is no complete extensions length field. */
5563
0
            if ((args->idx - args->begin) < helloSz) {
5564
                /* A partial extensions length field is genuinely malformed:
5565
                 * report it as a decode error. */
5566
0
                WOLFSSL_MSG("Truncated extensions length in ServerHello");
5567
0
                return BUFFER_ERROR;
5568
0
            }
5569
            /* No extensions field at all, so the server is not offering TLS 1.3
5570
             * (no supported_versions extension - see RFC 8446 4.2.1) but TLS 1.2
5571
             * or below. This is a well-formed message, so a TLS 1.3-only client
5572
             * (downgrade disabled) must reject it as a version mismatch, not as
5573
             * a malformed message. Returning VERSION_ERROR makes the caller send
5574
             * a protocol_version alert (RFC 8446 6.2) rather than decode_error. */
5575
0
            WOLFSSL_MSG("Server offered TLS 1.2 (no supported_versions ext) "
5576
0
                        "but downgrade not allowed");
5577
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
5578
0
            return VERSION_ERROR;
5579
0
        }
5580
5581
0
        if (args->extMsgType == hello_retry_request) {
5582
            /* The sentinel Random (RFC 8446 4.1.3) identifies this as a TLS 1.3
5583
             * HelloRetryRequest, which MUST carry supported_versions
5584
             * (4.1.4/4.2.1). Reaching this downgrade branch means it does not,
5585
             * so the HRR is malformed. Reject it before DoServerHello would
5586
             * reinterpret the sentinel as a plain TLS 1.2 ServerHello.Random.
5587
             * The sentinel has already identified this as an HRR, so report it
5588
             * uniformly as an invalid HRR; INVALID_PARAMETER maps to the
5589
             * illegal_parameter alert. */
5590
0
            WOLFSSL_MSG("HelloRetryRequest with no supported_versions");
5591
0
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5592
0
            return INVALID_PARAMETER;
5593
0
        }
5594
0
#ifndef WOLFSSL_NO_TLS12
5595
        /* Force client hello version 1.2 to work for static RSA. */
5596
0
        ssl->chVersion.minor = TLSv1_2_MINOR;
5597
0
        ssl->version.minor = TLSv1_2_MINOR;
5598
5599
#ifdef WOLFSSL_DTLS13
5600
        if (ssl->options.dtls) {
5601
            ssl->chVersion.minor = DTLSv1_2_MINOR;
5602
            ssl->version.minor = DTLSv1_2_MINOR;
5603
            ssl->options.tls1_3 = 0;
5604
            ret = Dtls13ClientDoDowngrade(ssl);
5605
            if (ret != 0)
5606
                return ret;
5607
        }
5608
#endif /* WOLFSSL_DTLS13 */
5609
5610
0
#endif
5611
0
        ssl->options.haveEMS = 0;
5612
0
        if (args->pv.minor < ssl->options.minDowngrade) {
5613
0
            SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
5614
0
            return VERSION_ERROR;
5615
0
        }
5616
0
#ifndef WOLFSSL_NO_TLS12
5617
0
        ssl->options.tls1_3 = 0;
5618
0
        return DoServerHello(ssl, input, inOutIdx, helloSz);
5619
#else
5620
        SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
5621
        return VERSION_ERROR;
5622
#endif
5623
0
    }
5624
5625
0
    if ((args->idx - args->begin) < helloSz) {
5626
0
        int foundVersion;
5627
5628
        /* Get extension length and length check. */
5629
0
        if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
5630
0
            return BUFFER_ERROR;
5631
0
        ato16(&input[args->idx], &args->totalExtSz);
5632
0
        args->idx += OPAQUE16_LEN;
5633
0
        if ((args->idx - args->begin) + args->totalExtSz > helloSz)
5634
0
            return BUFFER_ERROR;
5635
5636
        /* Need to negotiate version first. */
5637
0
        if ((ret = TLSX_ParseVersion(ssl, input + args->idx,
5638
0
            args->totalExtSz, *extMsgType, &foundVersion))) {
5639
0
            return ret;
5640
0
        }
5641
0
        if (!foundVersion) {
5642
0
            if (!ssl->options.downgrade) {
5643
0
                WOLFSSL_MSG("Server trying to downgrade to version less than "
5644
0
                            "TLS v1.3");
5645
0
                SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
5646
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
5647
0
                return VERSION_ERROR;
5648
0
            }
5649
5650
0
            if (args->extMsgType == hello_retry_request) {
5651
                /* The HelloRetryRequest sentinel Random is reserved for TLS 1.3
5652
                 * (RFC 8446 4.1.3), but supported_versions (which an HRR MUST
5653
                 * carry, 4.1.4/4.2.1) is absent, so the message is malformed.
5654
                 * Reject before the downgrade reparses the remaining extensions
5655
                 * as a TLS 1.2 server_hello, where a recognized-but-not-
5656
                 * permitted extension (e.g. server_name) would wrongly yield an
5657
                 * unsupported_extension alert. illegal_parameter (via
5658
                 * EXT_NOT_ALLOWED) is chosen over missing_extension per the
5659
                 * RFC 8446 4.2 rule for such extensions. */
5660
0
                WOLFSSL_MSG("HelloRetryRequest without supported_versions");
5661
0
                WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
5662
0
                return EXT_NOT_ALLOWED;
5663
0
            }
5664
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
5665
    defined(WOLFSSL_WPAS_SMALL)
5666
            /* Check if client has disabled TLS 1.2 */
5667
            if (args->pv.minor == TLSv1_2_MINOR &&
5668
                (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2)
5669
                == WOLFSSL_OP_NO_TLSv1_2)
5670
            {
5671
                WOLFSSL_MSG("\tOption set to not allow TLSv1.2");
5672
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
5673
                return VERSION_ERROR;
5674
            }
5675
#endif
5676
5677
0
            if (!ssl->options.dtls &&
5678
0
                args->pv.minor < ssl->options.minDowngrade) {
5679
0
                SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
5680
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
5681
0
                return VERSION_ERROR;
5682
0
            }
5683
5684
0
            if (ssl->options.dtls &&
5685
0
                args->pv.minor > ssl->options.minDowngrade) {
5686
0
                SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
5687
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
5688
0
                return VERSION_ERROR;
5689
0
            }
5690
5691
0
            ssl->version.minor = args->pv.minor;
5692
0
            ssl->options.tls1_3 = 0;
5693
5694
#ifdef WOLFSSL_DTLS13
5695
            if (ssl->options.dtls) {
5696
                ret = Dtls13ClientDoDowngrade(ssl);
5697
                if (ret != 0)
5698
                    return ret;
5699
            }
5700
#endif /* WOLFSSL_DTLS13 */
5701
0
        }
5702
0
    }
5703
5704
#ifdef WOLFSSL_DTLS13
5705
    /* we are sure that version is >= v1.3 now, we can get rid of buffered
5706
     * ClientHello that was buffered to re-compute the hash in case of
5707
     * downgrade */
5708
    if (ssl->options.dtls && ssl->dtls13ClientHello != NULL) {
5709
        XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
5710
        ssl->dtls13ClientHello = NULL;
5711
        ssl->dtls13ClientHelloSz = 0;
5712
    }
5713
#endif /* WOLFSSL_DTLS13 */
5714
5715
    /* Advance state and proceed */
5716
0
    ssl->options.asyncState = TLS_ASYNC_BUILD;
5717
0
    } /* case TLS_ASYNC_BEGIN */
5718
0
    FALL_THROUGH;
5719
5720
0
    case TLS_ASYNC_BUILD:
5721
0
    case TLS_ASYNC_DO:
5722
0
    {
5723
    /* restore message type */
5724
0
    *extMsgType = args->extMsgType;
5725
5726
    /* Parse and handle extensions, unless lower than TLS1.3. In that case,
5727
     * extensions will be parsed in DoServerHello. */
5728
0
    if (args->totalExtSz > 0 && IsAtLeastTLSv1_3(ssl->version)) {
5729
0
        ret = TLSX_Parse(ssl, input + args->idx, args->totalExtSz,
5730
0
            *extMsgType, NULL);
5731
0
        if (ret != 0) {
5732
        #ifdef WOLFSSL_ASYNC_CRYPT
5733
            /* Handle async operation */
5734
            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
5735
                /* Mark message as not received so it can process again */
5736
                ssl->msgsReceived.got_server_hello = 0;
5737
            }
5738
        #endif
5739
0
            return ret;
5740
0
        }
5741
5742
0
        if (*extMsgType == hello_retry_request) {
5743
            /* Update counts to reflect change of message type. */
5744
0
            ssl->msgsReceived.got_hello_retry_request = 1;
5745
0
            ssl->msgsReceived.got_server_hello = 0;
5746
0
        }
5747
0
    }
5748
5749
0
    if (args->totalExtSz > 0) {
5750
0
        args->idx += args->totalExtSz;
5751
0
    }
5752
5753
#ifdef WOLFSSL_DTLS_CID
5754
    if (ssl->options.useDtlsCID && *extMsgType == server_hello)
5755
        DtlsCIDOnExtensionsParsed(ssl);
5756
#endif /* WOLFSSL_DTLS_CID */
5757
5758
0
    if (IsAtLeastTLSv1_3(ssl->version)) {
5759
0
        *inOutIdx = args->idx;
5760
0
    }
5761
5762
0
    ssl->options.serverState = SERVER_HELLO_COMPLETE;
5763
5764
#ifdef HAVE_SECRET_CALLBACK
5765
    if (ssl->sessionSecretCb != NULL
5766
#ifdef HAVE_SESSION_TICKET
5767
            && ssl->session->ticketLen > 0
5768
#endif
5769
            ) {
5770
        int secretSz = SECRET_LEN;
5771
        ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret,
5772
                                   &secretSz, ssl->sessionSecretCtx);
5773
        if (ret != 0 || secretSz != SECRET_LEN) {
5774
            WOLFSSL_ERROR_VERBOSE(SESSION_SECRET_CB_E);
5775
            return SESSION_SECRET_CB_E;
5776
        }
5777
    }
5778
#endif /* HAVE_SECRET_CALLBACK */
5779
5780
    /* Version only negotiated in extensions for TLS v1.3.
5781
     * Only now do we know how to deal with session id.
5782
     */
5783
0
    if (!IsAtLeastTLSv1_3(ssl->version)) {
5784
0
#ifndef WOLFSSL_NO_TLS12
5785
0
        ssl->arrays->sessionIDSz = args->sessIdSz;
5786
5787
0
        if (ssl->arrays->sessionIDSz > ID_LEN) {
5788
0
            WOLFSSL_MSG("Invalid session ID size");
5789
0
            ssl->arrays->sessionIDSz = 0;
5790
0
            return BUFFER_ERROR;
5791
0
        }
5792
0
        else if (ssl->arrays->sessionIDSz) {
5793
0
            XMEMCPY(ssl->arrays->sessionID, args->sessId,
5794
0
                ssl->arrays->sessionIDSz);
5795
0
            ssl->options.haveSessionId = 1;
5796
0
        }
5797
5798
        /* Force client hello version 1.2 to work for static RSA. */
5799
0
        if (ssl->options.dtls)
5800
0
            ssl->chVersion.minor = DTLSv1_2_MINOR;
5801
0
        else
5802
0
            ssl->chVersion.minor = TLSv1_2_MINOR;
5803
        /* Complete TLS v1.2 processing of ServerHello. */
5804
0
        ret = DoServerHello(ssl, input, inOutIdx, helloSz);
5805
#else
5806
        WOLFSSL_MSG("Client using higher version, fatal error");
5807
        WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
5808
        ret = VERSION_ERROR;
5809
#endif
5810
5811
0
        WOLFSSL_LEAVE("DoTls13ServerHello", ret);
5812
5813
0
        return ret;
5814
0
    }
5815
5816
    /* Advance state and proceed */
5817
0
    ssl->options.asyncState = TLS_ASYNC_FINALIZE;
5818
0
    } /* case TLS_ASYNC_BUILD || TLS_ASYNC_DO */
5819
0
    FALL_THROUGH;
5820
5821
0
    case TLS_ASYNC_FINALIZE:
5822
0
    {
5823
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
5824
    if (ssl->options.tls13MiddleBoxCompat) {
5825
        if (args->sessIdSz == 0) {
5826
            WOLFSSL_MSG("args->sessIdSz == 0");
5827
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5828
            return INVALID_PARAMETER;
5829
        }
5830
        if (ssl->session->sessionIDSz != 0) {
5831
            if (ssl->session->sessionIDSz != args->sessIdSz ||
5832
                XMEMCMP(ssl->session->sessionID, args->sessId,
5833
                    args->sessIdSz) != 0) {
5834
                WOLFSSL_MSG("session id doesn't match");
5835
                WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5836
                return INVALID_PARAMETER;
5837
            }
5838
        }
5839
        else if (XMEMCMP(ssl->arrays->clientRandom, args->sessId,
5840
                args->sessIdSz) != 0) {
5841
            WOLFSSL_MSG("session id doesn't match client random");
5842
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5843
            return INVALID_PARAMETER;
5844
        }
5845
    }
5846
    else
5847
#endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */
5848
#if defined(WOLFSSL_QUIC) || defined(WOLFSSL_DTLS13)
5849
    if (0
5850
#ifdef WOLFSSL_QUIC
5851
        || WOLFSSL_IS_QUIC(ssl)
5852
#endif
5853
#ifdef WOLFSSL_DTLS13
5854
        || ssl->options.dtls
5855
#endif
5856
    ) {
5857
        /* RFC 9147 Section 5.3 / RFC 9001 Section 8.4: DTLS 1.3 and QUIC
5858
         * ServerHello must have empty legacy_session_id_echo. */
5859
        int requireEmptyEcho = 1;
5860
#ifdef WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID
5861
        /* Compat: a wolfSSL <= 5.9.0 DTLS 1.3 server echoes the client's
5862
         * legacy_session_id; accept any echo. */
5863
        if (ssl->options.dtls)
5864
            requireEmptyEcho = 0;
5865
#endif
5866
        if (requireEmptyEcho && args->sessIdSz != 0) {
5867
            WOLFSSL_MSG("args->sessIdSz != 0");
5868
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5869
            return INVALID_PARAMETER;
5870
        }
5871
    }
5872
    else
5873
#endif /* WOLFSSL_QUIC || WOLFSSL_DTLS13 */
5874
0
    if (args->sessIdSz != ssl->session->sessionIDSz || (args->sessIdSz > 0 &&
5875
0
        XMEMCMP(ssl->session->sessionID, args->sessId, args->sessIdSz) != 0))
5876
0
    {
5877
0
        WOLFSSL_MSG("Server sent different session id");
5878
0
        WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5879
0
        return INVALID_PARAMETER;
5880
0
    }
5881
5882
0
    ret = SetCipherSpecs(ssl);
5883
0
    if (ret != 0)
5884
0
        return ret;
5885
5886
#ifdef HAVE_NULL_CIPHER
5887
    if (ssl->options.cipherSuite0 == ECC_BYTE &&
5888
                              (ssl->options.cipherSuite == TLS_SHA256_SHA256 ||
5889
                               ssl->options.cipherSuite == TLS_SHA384_SHA384)) {
5890
        ;
5891
    }
5892
    else
5893
#endif
5894
#if defined(WOLFSSL_SM4_GCM) && defined(WOLFSSL_SM3)
5895
    if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
5896
            ssl->options.cipherSuite == TLS_SM4_GCM_SM3) {
5897
        ; /* Do nothing. */
5898
    }
5899
    else
5900
#endif
5901
#if defined(WOLFSSL_SM4_CCM) && defined(WOLFSSL_SM3)
5902
    if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
5903
            ssl->options.cipherSuite == TLS_SM4_CCM_SM3) {
5904
        ; /* Do nothing. */
5905
    }
5906
    else
5907
#endif
5908
    /* Check that the negotiated ciphersuite matches protocol version. */
5909
0
    if (ssl->options.cipherSuite0 != TLS13_BYTE) {
5910
0
        WOLFSSL_MSG("Server sent non-TLS13 cipher suite in TLS 1.3 packet");
5911
0
        WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5912
0
        return INVALID_PARAMETER;
5913
0
    }
5914
5915
0
    suite[0] = ssl->options.cipherSuite0;
5916
0
    suite[1] = ssl->options.cipherSuite;
5917
0
    if (!FindSuiteSSL(ssl, suite)) {
5918
0
        WOLFSSL_MSG("Cipher suite not supported on client");
5919
0
        WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
5920
0
        return INVALID_PARAMETER;
5921
0
    }
5922
5923
#if defined(HAVE_ECH)
5924
    /* check for acceptConfirmation */
5925
    if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
5926
            ssl->hsHashesEch != NULL) {
5927
        args->echX = TLSX_Find(ssl->extensions, TLSX_ECH);
5928
        if (args->echX == NULL || args->echX->data == NULL)
5929
            return WOLFSSL_FATAL_ERROR;
5930
5931
        if (args->extMsgType == hello_retry_request &&
5932
                ((WOLFSSL_ECH*)args->echX->data)->confBuf == NULL) {
5933
            /* server rejected ECH, fall back to outer */
5934
            Free_HS_Hashes(ssl->hsHashesEch, ssl->heap);
5935
            ssl->hsHashesEch = NULL;
5936
            /* EchCheckAcceptance is bypassed, so replace extensions now */
5937
            ret = TLSX_EchReplaceExtensions(ssl, 0);
5938
            if (ret != 0)
5939
                return ret;
5940
        }
5941
        else {
5942
            /* account for hrr extension instead of server random */
5943
            if (args->extMsgType == hello_retry_request) {
5944
                args->acceptOffset =
5945
                    (word32)(((WOLFSSL_ECH*)args->echX->data)->confBuf - input);
5946
                args->acceptLabel = (byte*)echHrrAcceptConfirmationLabel;
5947
                args->acceptLabelSz = ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ;
5948
            }
5949
            else {
5950
                args->acceptLabel = (byte*)echAcceptConfirmationLabel;
5951
                args->acceptLabelSz = ECH_ACCEPT_CONFIRMATION_LABEL_SZ;
5952
            }
5953
            /* check acceptance */
5954
            if (ret == 0) {
5955
                ret = EchCheckAcceptance(ssl, args->acceptLabel,
5956
                    args->acceptLabelSz, input, args->acceptOffset, helloSz,
5957
                    args->extMsgType);
5958
            }
5959
            if (ret != 0)
5960
                return ret;
5961
            /* use the inner random for client random */
5962
            if (args->extMsgType != hello_retry_request &&
5963
                    ssl->options.echAccepted) {
5964
                XMEMCPY(ssl->arrays->clientRandom,
5965
                    ssl->arrays->clientRandomInner, RAN_LEN);
5966
            }
5967
        }
5968
    }
5969
#endif /* HAVE_ECH */
5970
5971
0
    if (*extMsgType == server_hello) {
5972
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
5973
        PreSharedKey* psk = NULL;
5974
        TLSX* ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
5975
        if (ext != NULL)
5976
            psk = (PreSharedKey*)ext->data;
5977
        while (psk != NULL && !psk->chosen)
5978
            psk = psk->next;
5979
        if (psk == NULL) {
5980
            /* A mandatory PSK is satisfied by any PSK the server chose,
5981
             * including a resumption PSK - this matches the server-side
5982
             * failNoPSK semantics, where a negotiated PSK (external or
5983
             * resumption) is accepted. The error only fires when no PSK was
5984
             * chosen at all. havePSK is only set by an external-PSK callback,
5985
             * so a peer relying solely on session-ticket resumption is
5986
             * unaffected. */
5987
            if (ssl->options.havePSK && ssl->options.failNoPSK) {
5988
                WOLFSSL_MSG("Server did not negotiate a mandatory PSK");
5989
                WOLFSSL_ERROR_VERBOSE(PSK_MISSING_ERROR);
5990
                return PSK_MISSING_ERROR;
5991
            }
5992
            ssl->options.resuming = 0;
5993
            ssl->arrays->psk_keySz = 0;
5994
            XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN);
5995
        }
5996
        else {
5997
#if defined(HAVE_ECH)
5998
            /* do not resume when outerHandshake will be negotiated */
5999
            if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
6000
                    !ssl->options.echAccepted) {
6001
                WOLFSSL_MSG("ECH rejected but server negotiated PSK");
6002
                return INVALID_PARAMETER;
6003
            }
6004
#endif
6005
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6006
            if (ssl->options.certWithExternPsk && psk->resumption) {
6007
                /* RFC8773bis mode requires external PSK, not ticket resumption. */
6008
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
6009
                return PSK_KEY_ERROR;
6010
            }
6011
            if (ssl->options.certWithExternPsk && ssl->options.shSentKeyShare == 0) {
6012
                /* RFC8773bis Sec. 3: cert_with_extern_psk requires psk_dhe_ke;
6013
                 * a ServerHello without a key_share confirms only psk_ke. */
6014
                WOLFSSL_MSG("cert_with_extern_psk: ServerHello missing key_share");
6015
                WOLFSSL_ERROR_VERBOSE(EXT_MISSING);
6016
                return EXT_MISSING;
6017
            }
6018
#endif
6019
            if ((ret = SetupPskKey(ssl, psk, 0)) != 0)
6020
                return ret;
6021
            ssl->options.pskNegotiated = 1;
6022
        }
6023
#else
6024
        /* no resumption possible */
6025
0
        ssl->options.resuming = 0;
6026
0
#endif
6027
6028
        /* sanity check on PSK / KSE */
6029
0
        if (
6030
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
6031
            ssl->options.pskNegotiated == 0 &&
6032
    #endif
6033
0
            (ssl->session->namedGroup == 0 ||
6034
0
             ssl->options.shSentKeyShare == 0)) {
6035
0
            return EXT_MISSING;
6036
0
        }
6037
6038
0
        ssl->keys.encryptionOn = 1;
6039
0
        ssl->options.serverState = SERVER_HELLO_COMPLETE;
6040
6041
0
    }
6042
0
    else {
6043
        /* https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.4
6044
         * Clients MUST abort the handshake with an
6045
         * "illegal_parameter" alert if the HelloRetryRequest would not result
6046
         * in any change in the ClientHello.
6047
         */
6048
        /* Check if the HRR contained a cookie or a keyshare */
6049
0
        if (!ssl->options.hrrSentKeyShare
6050
#ifdef WOLFSSL_SEND_HRR_COOKIE
6051
                && !ssl->options.hrrSentCookie
6052
#endif
6053
0
                ) {
6054
0
            SendAlert(ssl, alert_fatal, illegal_parameter);
6055
0
            return EXT_MISSING;
6056
0
        }
6057
6058
0
        ssl->options.tls1_3 = 1;
6059
0
        ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
6060
6061
0
        ret = RestartHandshakeHash(ssl);
6062
0
    }
6063
6064
0
    break;
6065
0
    } /* case TLS_ASYNC_FINALIZE */
6066
0
    default:
6067
0
        ret = INPUT_CASE_ERROR;
6068
0
    } /* switch (ssl->options.asyncState) */
6069
6070
#ifdef WOLFSSL_ASYNC_CRYPT
6071
    if (ret == 0)
6072
        FreeAsyncCtx(ssl, 0);
6073
#endif
6074
6075
0
    WOLFSSL_LEAVE("DoTls13ServerHello", ret);
6076
0
    WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO);
6077
6078
0
    return ret;
6079
0
}
6080
6081
/* handle processing TLS 1.3 encrypted_extensions (8) */
6082
/* Parse and handle an EncryptedExtensions message.
6083
 * Only a client will receive this message.
6084
 *
6085
 * ssl       The SSL/TLS object.
6086
 * input     The message buffer.
6087
 * inOutIdx  On entry, the index into the message buffer of
6088
 *           EncryptedExtensions.
6089
 *           On exit, the index of byte after the EncryptedExtensions
6090
 *           message.
6091
 * totalSz   The length of the current handshake message.
6092
 * returns 0 on success and otherwise failure.
6093
 */
6094
static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
6095
                                      word32* inOutIdx, word32 totalSz)
6096
0
{
6097
0
    int    ret;
6098
0
    word32 begin = *inOutIdx;
6099
0
    word32 i = begin;
6100
0
    word16 totalExtSz;
6101
6102
0
    WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);
6103
0
    WOLFSSL_ENTER("DoTls13EncryptedExtensions");
6104
6105
#ifdef WOLFSSL_CALLBACKS
6106
    if (ssl->hsInfoOn) AddPacketName(ssl, "EncryptedExtensions");
6107
    if (ssl->toInfoOn) AddLateName("EncryptedExtensions", &ssl->timeoutInfo);
6108
#endif
6109
6110
    /* Length field of extension data. */
6111
0
    if (totalSz < OPAQUE16_LEN)
6112
0
        return BUFFER_ERROR;
6113
0
    ato16(&input[i], &totalExtSz);
6114
0
    i += OPAQUE16_LEN;
6115
6116
    /* Extension data. */
6117
0
    if (i - begin + totalExtSz != totalSz)
6118
0
        return BUFFER_ERROR;
6119
0
    if ((ret = TLSX_Parse(ssl, input + i, totalExtSz, encrypted_extensions,
6120
0
                                                                       NULL))) {
6121
0
        return ret;
6122
0
    }
6123
6124
    /* Move index to byte after message. */
6125
0
    *inOutIdx = i + totalExtSz;
6126
6127
#ifdef WOLFSSL_EARLY_DATA
6128
    if (ssl->earlyData != no_early_data) {
6129
        TLSX* ext = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
6130
        if (ext == NULL || !ext->val) {
6131
            WOLFSSL_MSG("Early data rejected by server (no early_data "
6132
                        "EncryptedExtensions response)");
6133
            ssl->earlyData = no_early_data;
6134
        }
6135
    }
6136
6137
    if (ssl->earlyData == no_early_data) {
6138
        ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY);
6139
        if (ret != 0)
6140
            return ret;
6141
    }
6142
#endif /* WOLFSSL_EARLY_DATA */
6143
6144
0
    ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;
6145
6146
0
    WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret);
6147
0
    WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_DO);
6148
6149
0
    return ret;
6150
0
}
6151
6152
#ifndef NO_CERTS
6153
/* handle processing TLS v1.3 certificate_request (13) */
6154
/* Handle a TLS v1.3 CertificateRequest message.
6155
 * This message is always encrypted.
6156
 * Only a client will receive this message.
6157
 *
6158
 * ssl       The SSL/TLS object.
6159
 * input     The message buffer.
6160
 * inOutIdx  On entry, the index into the message buffer of CertificateRequest.
6161
 *           On exit, the index of byte after the CertificateRequest message.
6162
 * size      The length of the current handshake message.
6163
 * returns 0 on success and otherwise failure.
6164
 */
6165
static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
6166
                                     word32* inOutIdx, word32 size)
6167
0
{
6168
0
    word16      len;
6169
0
    word32      begin = *inOutIdx;
6170
0
    int         ret = 0;
6171
0
    Suites      peerSuites;
6172
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
6173
    word16      reqCtxLen;
6174
    const byte* reqCtxData;
6175
#endif
6176
6177
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO);
6178
0
    WOLFSSL_ENTER("DoTls13CertificateRequest");
6179
6180
0
    XMEMSET(&peerSuites, 0, sizeof(Suites));
6181
6182
#ifdef WOLFSSL_CALLBACKS
6183
    if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateRequest");
6184
    if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
6185
#endif
6186
6187
0
    if (OPAQUE8_LEN > size)
6188
0
        return BUFFER_ERROR;
6189
6190
    /* Length of the request context. */
6191
0
    len = input[(*inOutIdx)++];
6192
0
    if ((*inOutIdx - begin) + len > size)
6193
0
        return BUFFER_ERROR;
6194
    /* INVALID_PARAMETER does not map to illegal_parameter in the central
6195
     * alert path, so emit the alert explicitly before returning. */
6196
0
    if (ssl->options.connectState < FINISHED_DONE) {
6197
        /* RFC 8446 Section 4.3.2: in the handshake the context is zero
6198
         * length. */
6199
0
        if (len > 0) {
6200
0
            SendAlert(ssl, alert_fatal, illegal_parameter);
6201
0
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
6202
0
            return INVALID_PARAMETER;
6203
0
        }
6204
0
    }
6205
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
6206
    else if (len == 0) {
6207
        /* RFC 8446 Section 4.3.2: a post-handshake CertificateRequest context
6208
         * MUST be non-empty and unique for the connection. */
6209
        SendAlert(ssl, alert_fatal, illegal_parameter);
6210
        WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
6211
        return INVALID_PARAMETER;
6212
    }
6213
#endif
6214
6215
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
6216
    /* Remember the request context bytes; the CertReqCtx allocation and
6217
     * linking into ssl->certReqCtx is deferred until after the rest of the
6218
     * message has been validated.
6219
     */
6220
    reqCtxLen = len;
6221
    reqCtxData = input + *inOutIdx;
6222
    /* Reject a context that duplicates one still pending on the connection. */
6223
    if (ssl->options.connectState >= FINISHED_DONE) {
6224
        CertReqCtx* dup;
6225
        for (dup = ssl->certReqCtx; dup != NULL; dup = dup->next) {
6226
            if (dup->len == reqCtxLen &&
6227
                    XMEMCMP(&dup->ctx, reqCtxData, reqCtxLen) == 0) {
6228
                SendAlert(ssl, alert_fatal, illegal_parameter);
6229
                WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
6230
                return INVALID_PARAMETER;
6231
            }
6232
        }
6233
    }
6234
#endif
6235
0
    *inOutIdx += len;
6236
6237
    /* TODO: Add support for more extensions:
6238
     *   signed_certificate_timestamp, certificate_authorities, oid_filters.
6239
     */
6240
    /* Certificate extensions */
6241
0
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
6242
0
        return BUFFER_ERROR;
6243
0
    ato16(input + *inOutIdx, &len);
6244
0
    *inOutIdx += OPAQUE16_LEN;
6245
0
    if ((*inOutIdx - begin) + len > size)
6246
0
        return BUFFER_ERROR;
6247
0
    if (len == 0)
6248
0
        return INVALID_PARAMETER;
6249
0
    if ((ret = TLSX_Parse(ssl, input + *inOutIdx, len, certificate_request,
6250
0
                                                                &peerSuites))) {
6251
0
        return ret;
6252
0
    }
6253
0
    *inOutIdx += len;
6254
6255
    /* No trailing bytes allowed (RFC 8446 4.3.2). */
6256
0
    if ((*inOutIdx - begin) != size)
6257
0
        return BUFFER_ERROR;
6258
6259
    /* RFC 8446 Section 4.3.2: the signature_algorithms extension MUST be
6260
     * present in a CertificateRequest. */
6261
0
    if (peerSuites.hashSigAlgoSz == 0) {
6262
0
        SendAlert(ssl, alert_fatal, missing_extension);
6263
0
        WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
6264
0
        return INVALID_PARAMETER;
6265
0
    }
6266
#ifdef WOLFSSL_CERT_SETUP_CB
6267
    if ((ret = CertSetupCbWrapper(ssl)) != 0)
6268
        return ret;
6269
#endif
6270
6271
#if defined(HAVE_ECH)
6272
    /* RFC 9849 s6.1.7: ECH was offered but rejected by the server...
6273
     * the client MUST respond with an empty Certificate message. */
6274
    if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
6275
            !ssl->options.echAccepted) {
6276
        ssl->options.sendVerify = SEND_BLANK_CERT;
6277
    }
6278
    else
6279
#endif
6280
0
    if ((ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
6281
0
        ((ssl->buffers.key && ssl->buffers.key->buffer)
6282
        #ifdef HAVE_PK_CALLBACKS
6283
            || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
6284
        #endif
6285
0
    ))
6286
        #ifdef OPENSSL_EXTRA
6287
            || ssl->ctx->certSetupCb != NULL
6288
        #endif
6289
0
            ) {
6290
0
        if (PickHashSigAlgo(ssl, peerSuites.hashSigAlgo,
6291
0
                            peerSuites.hashSigAlgoSz, 0) != 0) {
6292
0
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
6293
0
            return INVALID_PARAMETER;
6294
0
        }
6295
0
        ssl->options.sendVerify = SEND_CERT;
6296
0
    }
6297
0
    else {
6298
0
#ifndef WOLFSSL_NO_CLIENT_CERT_ERROR
6299
0
        ssl->options.sendVerify = SEND_BLANK_CERT;
6300
#else
6301
        WOLFSSL_MSG("Certificate required but none set on client");
6302
        /* RFC 8446 Section 4.4.2.4: send certificate_required when a
6303
         * peer (here, the client) cannot provide a certificate that the
6304
         * other peer required. */
6305
        SendAlert(ssl, alert_fatal, certificate_required);
6306
        WOLFSSL_ERROR_VERBOSE(NO_CERT_ERROR);
6307
        return NO_CERT_ERROR;
6308
#endif
6309
0
    }
6310
6311
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
6312
    {
6313
        /* CertReqCtx has one byte at end for context value.
6314
        * Increase size to handle other implementations sending more than one byte.
6315
        * That is, allocate extra space, over one byte, to hold the context value.
6316
        */
6317
        CertReqCtx* certReqCtx = (CertReqCtx*)XMALLOC(
6318
            sizeof(CertReqCtx) + (reqCtxLen == 0 ? 0 : reqCtxLen - 1),
6319
            ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
6320
        if (certReqCtx == NULL)
6321
            return MEMORY_E;
6322
        certReqCtx->next = ssl->certReqCtx;
6323
        certReqCtx->len = reqCtxLen;
6324
        XMEMCPY(&certReqCtx->ctx, reqCtxData, reqCtxLen);
6325
        ssl->certReqCtx = certReqCtx;
6326
    }
6327
#endif
6328
6329
0
    WOLFSSL_LEAVE("DoTls13CertificateRequest", ret);
6330
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO);
6331
6332
0
    return ret;
6333
0
}
6334
#endif /* !NO_CERTS */
6335
#endif /* !NO_WOLFSSL_CLIENT */
6336
6337
#ifndef NO_WOLFSSL_SERVER
6338
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
6339
#ifndef NO_PSK
6340
int FindPskSuite(const WOLFSSL* ssl, PreSharedKey* psk, byte* psk_key,
6341
        word32* psk_keySz, const byte* suite, int* found, byte* foundSuite)
6342
{
6343
    const char* cipherName = NULL;
6344
    byte        cipherSuite0 = TLS13_BYTE;
6345
    byte        cipherSuite  = WOLFSSL_DEF_PSK_CIPHER;
6346
    int         ret = 0;
6347
6348
    *found = 0;
6349
    (void)suite;
6350
6351
    if (ssl->options.server_psk_tls13_cb != NULL) {
6352
         *psk_keySz = ssl->options.server_psk_tls13_cb((WOLFSSL*)ssl,
6353
             (char*)psk->identity, psk_key, MAX_PSK_KEY_LEN, &cipherName);
6354
         if (*psk_keySz != 0) {
6355
             int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE;
6356
             *found = (GetCipherSuiteFromName(cipherName, &cipherSuite0,
6357
                 &cipherSuite, NULL, NULL, &cipherSuiteFlags) == 0);
6358
             (void)cipherSuiteFlags;
6359
         }
6360
    }
6361
    if (*found == 0 && (ssl->options.server_psk_cb != NULL)) {
6362
         *psk_keySz = ssl->options.server_psk_cb((WOLFSSL*)ssl,
6363
                             (char*)psk->identity, psk_key,
6364
                             MAX_PSK_KEY_LEN);
6365
         *found = (*psk_keySz != 0);
6366
    }
6367
    if (*found) {
6368
        if (*psk_keySz > MAX_PSK_KEY_LEN &&
6369
            (int)*psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK)) {
6370
            WOLFSSL_MSG("Key len too long in FindPsk()");
6371
            ret = PSK_KEY_ERROR;
6372
            WOLFSSL_ERROR_VERBOSE(ret);
6373
            *found = 0;
6374
        }
6375
        if (ret == 0) {
6376
        #if !defined(WOLFSSL_PSK_ONE_ID) && !defined(WOLFSSL_PRIORITIZE_PSK)
6377
            /* Check whether PSK ciphersuite is in SSL. */
6378
            *found = (suite[0] == cipherSuite0) && (suite[1] == cipherSuite);
6379
        #else
6380
            (void)suite;
6381
            /* Check whether PSK ciphersuite is in SSL. */
6382
            {
6383
                byte s[2] = {
6384
                    cipherSuite0,
6385
                    cipherSuite,
6386
                };
6387
                *found = FindSuiteSSL(ssl, s);
6388
            }
6389
        #endif
6390
        }
6391
    }
6392
    if (*found && foundSuite != NULL) {
6393
        foundSuite[0] = cipherSuite0;
6394
        foundSuite[1] = cipherSuite;
6395
    }
6396
6397
    return ret;
6398
}
6399
6400
/* Attempt to find the PSK (not session ticket) that matches.
6401
 *
6402
 * @param [in, out] ssl    The SSL/TLS object.
6403
 * @param [in]      psk    A pre-shared key from the extension.
6404
 * @param [out]     suite  Cipher suite to use with PSK.
6405
 * @param [out]     err    Error code.
6406
 *                         PSK_KEY_ERROR when key is too big or ticket age is
6407
 *                         invalid,
6408
 *                         UNSUPPORTED_SUITE on invalid suite.
6409
 *                         Other error when attempting to derive early secret.
6410
 * @return  1 when a match found - but check error code.
6411
 * @return  0 when no match found.
6412
 */
6413
static int FindPsk(WOLFSSL* ssl, PreSharedKey* psk, const byte* suite, int* err)
6414
{
6415
    int         ret = 0;
6416
    int         found = 0;
6417
    byte        foundSuite[SUITE_LEN];
6418
6419
    WOLFSSL_ENTER("FindPsk");
6420
6421
    XMEMSET(foundSuite, 0, sizeof(foundSuite));
6422
6423
    ret = FindPskSuite(ssl, psk, ssl->arrays->psk_key, &ssl->arrays->psk_keySz,
6424
                       suite, &found, foundSuite);
6425
    if (ret == 0 && found) {
6426
        /* This identity matched via external PSK callback, not ticket resume. */
6427
        psk->resumption = 0;
6428
        /* Default to ciphersuite if cb doesn't specify. */
6429
        ssl->options.resuming = 0;
6430
        /* Don't send certificate request when using PSK. */
6431
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6432
        if (!ssl->options.certWithExternPsk)
6433
#endif
6434
            ssl->options.verifyPeer = 0;
6435
6436
        /* PSK age is always zero. */
6437
        if (psk->ticketAge != 0) {
6438
            ret = PSK_KEY_ERROR;
6439
            WOLFSSL_ERROR_VERBOSE(ret);
6440
        }
6441
        if (ret == 0) {
6442
            /* Set PSK ciphersuite into SSL. */
6443
            ssl->options.cipherSuite0 = foundSuite[0];
6444
            ssl->options.cipherSuite  = foundSuite[1];
6445
            ret = SetCipherSpecs(ssl);
6446
        }
6447
        if (ret == 0) {
6448
            /* Derive the early secret using the PSK. */
6449
            ret = DeriveEarlySecret(ssl);
6450
        }
6451
        if (ret == 0) {
6452
            /* PSK negotiation has succeeded */
6453
            ssl->options.isPSK = 1;
6454
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6455
            if (!ssl->options.certWithExternPsk)
6456
#endif
6457
            {
6458
                /* SERVER: using PSK for peer authentication. */
6459
                ssl->options.peerAuthGood = 1;
6460
            }
6461
        }
6462
    }
6463
6464
    *err = ret;
6465
    WOLFSSL_LEAVE("FindPsk", found);
6466
    WOLFSSL_LEAVE("FindPsk", ret);
6467
    return found;
6468
}
6469
#endif /* !NO_PSK */
6470
6471
/* Handle any Pre-Shared Key (PSK) extension.
6472
 * Find a PSK that supports the cipher suite passed in.
6473
 *
6474
 * ssl         SSL/TLS object.
6475
 * suite       Cipher suite to find PSK for.
6476
 * usingPSK    1=Indicates handshake is using Pre-Shared Keys (2=Ephemeral)
6477
 * first       Set to 1 if first in extension
6478
 * returns 0 on success and otherwise failure.
6479
 */
6480
static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz,
6481
    const byte* suite, int* usingPSK, int* first)
6482
{
6483
    int           ret = 0;
6484
    TLSX*         ext;
6485
    PreSharedKey* current;
6486
    byte          binderKey[WC_MAX_DIGEST_SIZE];
6487
    byte          binder[WC_MAX_DIGEST_SIZE];
6488
    word32        binderLen;
6489
#if defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && defined(HAVE_SESSION_TICKET)
6490
    int           certWithExternOffered = 0;
6491
#endif
6492
6493
    #ifdef NO_PSK
6494
        (void) suite; /* to avoid unused var warning when not used */
6495
    #endif
6496
6497
    WOLFSSL_ENTER("DoPreSharedKeys");
6498
6499
    (void)suite;
6500
6501
    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
6502
    if (ext == NULL) {
6503
        WOLFSSL_MSG("No pre shared extension keys found");
6504
        ret = BAD_FUNC_ARG;
6505
        goto cleanup;
6506
    }
6507
#if defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && defined(HAVE_SESSION_TICKET)
6508
    certWithExternOffered =
6509
        TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) != NULL;
6510
#endif
6511
6512
    /* Look through all client's pre-shared keys for a match. */
6513
    for (current = (PreSharedKey*)ext->data; current != NULL;
6514
            current = current->next) {
6515
    #ifndef NO_PSK
6516
        if (current->identityLen > MAX_PSK_ID_LEN) {
6517
            ret = BUFFER_ERROR;
6518
            goto cleanup;
6519
        }
6520
        XMEMCPY(ssl->arrays->client_identity, current->identity,
6521
                current->identityLen);
6522
        ssl->arrays->client_identity[current->identityLen] = '\0';
6523
    #endif
6524
6525
    #ifdef HAVE_SESSION_TICKET
6526
        /* Decode the identity. */
6527
        switch (current->decryptRet) {
6528
            case PSK_DECRYPT_NONE:
6529
                ret = DoClientTicket_ex(ssl, current, 1);
6530
                /* psk->sess may be set. Need to clean up later. */
6531
                break;
6532
            case PSK_DECRYPT_OK:
6533
                ret = WOLFSSL_TICKET_RET_OK;
6534
                break;
6535
            case PSK_DECRYPT_CREATE:
6536
                ret = WOLFSSL_TICKET_RET_CREATE;
6537
                break;
6538
            case PSK_DECRYPT_FAIL:
6539
                ret = WOLFSSL_TICKET_RET_REJECT;
6540
                break;
6541
        }
6542
6543
        #ifdef WOLFSSL_ASYNC_CRYPT
6544
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
6545
            goto cleanup;
6546
        #endif
6547
6548
        if (ret != WOLFSSL_TICKET_RET_OK && current->sess_free_cb != NULL) {
6549
            current->sess_free_cb(ssl, current->sess,
6550
                    &current->sess_free_cb_ctx);
6551
            current->sess = NULL;
6552
            XMEMSET(&current->sess_free_cb_ctx, 0,
6553
                    sizeof(psk_sess_free_cb_ctx));
6554
        }
6555
        if (ret == WOLFSSL_TICKET_RET_OK) {
6556
#if defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && defined(HAVE_SESSION_TICKET)
6557
            /* RFC 8773bis Sect. 5.1: all PSKs listed alongside
6558
             * tls_cert_with_extern_psk MUST be external PSKs.  A successfully
6559
             * decrypted session ticket identity is a resumption PSK, so the
6560
             * server MUST abort with illegal_parameter regardless of whether
6561
             * the ticket would otherwise be acceptable.  Check here, before
6562
             * DoClientTicketFinalize, to avoid polluting ssl->session with
6563
             * ticket state that will not be used. */
6564
            if (certWithExternOffered) {
6565
                if (current->sess_free_cb != NULL) {
6566
                    current->sess_free_cb(ssl, current->sess,
6567
                            &current->sess_free_cb_ctx);
6568
                    current->sess = NULL;
6569
                    XMEMSET(&current->sess_free_cb_ctx, 0,
6570
                            sizeof(psk_sess_free_cb_ctx));
6571
                }
6572
                ret = PSK_KEY_ERROR;
6573
                WOLFSSL_ERROR_VERBOSE(ret);
6574
                goto cleanup;
6575
            }
6576
#endif
6577
            ret = DoClientTicketCheck(ssl, current, ssl->timeout, suite);
6578
        #if defined(HAVE_SNI) || defined(HAVE_ALPN)
6579
            if (ret == 0) {
6580
                /* Decline this PSK if the SNI/ALPN bound to the ticket
6581
                 * does not match the current connection. RFC 6066 Sect.
6582
                 * 3 mandates this for SNI; wolfSSL applies the same
6583
                 * policy to ALPN as defense in depth. Skipping the PSK
6584
                 * (rather than aborting) lets the server try the next
6585
                 * candidate or fall back to a full handshake naturally
6586
                 * without unwinding committed PSK state. ALPN_Select
6587
                 * has already run earlier in DoTls13ClientHello so the
6588
                 * negotiated ALPN is available to TicketAlpnHash. */
6589
                byte curHash[TICKET_BINDING_HASH_SZ];
6590
            #ifdef HAVE_SNI
6591
                if (TicketSniHash(ssl, curHash) != 0 ||
6592
                        XMEMCMP(curHash, current->it->sniHash,
6593
                                TICKET_BINDING_HASH_SZ) != 0) {
6594
                    WOLFSSL_MSG("Ticket SNI mismatch, skipping PSK");
6595
                    ret = WOLFSSL_FATAL_ERROR;
6596
                }
6597
            #endif
6598
            #ifdef HAVE_ALPN
6599
                if (ret == 0 &&
6600
                        (TicketAlpnHash(ssl, curHash) != 0 ||
6601
                         XMEMCMP(curHash, current->it->alpnHash,
6602
                                 TICKET_BINDING_HASH_SZ) != 0)) {
6603
                    WOLFSSL_MSG("Ticket ALPN mismatch, skipping PSK");
6604
                    ret = WOLFSSL_FATAL_ERROR;
6605
                }
6606
            #endif
6607
            }
6608
        #endif
6609
            if (ret == 0)
6610
                DoClientTicketFinalize(ssl, current->it, current->sess);
6611
            if (current->sess_free_cb != NULL) {
6612
                current->sess_free_cb(ssl, current->sess,
6613
                        &current->sess_free_cb_ctx);
6614
                current->sess = NULL;
6615
                XMEMSET(&current->sess_free_cb_ctx, 0,
6616
                        sizeof(psk_sess_free_cb_ctx));
6617
            }
6618
            if (ret != 0)
6619
                continue;
6620
6621
            /* SERVER: using secret in session ticket for peer auth. */
6622
            ssl->options.peerAuthGood = 1;
6623
6624
        #ifdef WOLFSSL_EARLY_DATA
6625
            ssl->options.maxEarlyDataSz = ssl->session->maxEarlyDataSz;
6626
        #endif
6627
            /* Use the same cipher suite as before and set up for use. */
6628
            ssl->options.cipherSuite0   = ssl->session->cipherSuite0;
6629
            ssl->options.cipherSuite    = ssl->session->cipherSuite;
6630
            ret = SetCipherSpecs(ssl);
6631
            if (ret != 0)
6632
                goto cleanup;
6633
6634
            /* Resumption PSK is resumption master secret. */
6635
            ssl->arrays->psk_keySz = ssl->specs.hash_size;
6636
            if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data,
6637
                ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) {
6638
                goto cleanup;
6639
            }
6640
6641
            /* Derive the early secret using the PSK. */
6642
            ret = DeriveEarlySecret(ssl);
6643
            if (ret != 0)
6644
                goto cleanup;
6645
6646
            /* Hash data up to binders for deriving binders in PSK extension. */
6647
            ret = HashInput(ssl, input, (int)inputSz);
6648
            if (ret < 0)
6649
                goto cleanup;
6650
6651
            /* Derive the binder key to use with HMAC. */
6652
            ret = DeriveBinderKeyResume(ssl, binderKey);
6653
            if (ret != 0)
6654
                goto cleanup;
6655
        }
6656
        else
6657
    #endif /* HAVE_SESSION_TICKET */
6658
    #ifndef NO_PSK
6659
        if (FindPsk(ssl, current, suite, &ret)) {
6660
            if (ret != 0)
6661
                goto cleanup;
6662
6663
            ret = HashInput(ssl, input, (int)inputSz);
6664
            if (ret < 0)
6665
                goto cleanup;
6666
6667
            /* Derive the binder key to use with HMAC. */
6668
            ret = DeriveBinderKey(ssl, binderKey);
6669
            if (ret != 0)
6670
                goto cleanup;
6671
        }
6672
        else
6673
    #endif
6674
        {
6675
            continue;
6676
        }
6677
6678
        ssl->options.sendVerify = 0;
6679
6680
        /* Derive the Finished message secret. */
6681
        ret = DeriveFinishedSecret(ssl, binderKey,
6682
                                   ssl->keys.client_write_MAC_secret,
6683
                                   0 /* neither end */);
6684
        if (ret != 0)
6685
            goto cleanup;
6686
6687
        /* Derive the binder and compare with the one in the extension. */
6688
        ret = BuildTls13HandshakeHmac(ssl,
6689
                         ssl->keys.client_write_MAC_secret, binder, &binderLen);
6690
        if (ret != 0)
6691
            goto cleanup;
6692
        if (binderLen != current->binderLen ||
6693
                             ConstantCompare(binder, current->binder,
6694
                                binderLen) != 0) {
6695
            WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
6696
            ret = BAD_BINDER;
6697
            goto cleanup;
6698
        }
6699
6700
        /* This PSK works, no need to try any more. */
6701
        current->chosen = 1;
6702
        ext->resp = 1;
6703
        break;
6704
    }
6705
6706
    if (current == NULL) {
6707
        ret = 0;
6708
        goto cleanup;
6709
    }
6710
6711
    *first = (current == ext->data);
6712
    *usingPSK = 1;
6713
6714
cleanup:
6715
    ForceZero(binderKey, sizeof(binderKey));
6716
    ForceZero(binder, sizeof(binder));
6717
    WOLFSSL_LEAVE("DoPreSharedKeys", ret);
6718
6719
    return ret;
6720
}
6721
6722
/* Handle any Pre-Shared Key (PSK) extension.
6723
 * Must do this in ClientHello as it requires a hash of the truncated message.
6724
 * Don't know size of binders until Pre-Shared Key extension has been parsed.
6725
 *
6726
 * ssl         SSL/TLS object.
6727
 * input       ClientHello message.
6728
 * helloSz     Size of the ClientHello message (including binders if present).
6729
 * clSuites    Client's cipher suite list.
6730
 * usingPSK    Indicates handshake is using Pre-Shared Keys.
6731
 */
6732
static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
6733
                              Suites* clSuites, int* usingPSK)
6734
{
6735
    int    ret;
6736
    TLSX*  ext;
6737
    word16 bindersLen;
6738
    int    first = 0;
6739
#ifndef WOLFSSL_PSK_ONE_ID
6740
    int    i;
6741
    const Suites* suites;
6742
#else
6743
    byte   suite[2];
6744
#endif
6745
6746
    WOLFSSL_ENTER("CheckPreSharedKeys");
6747
6748
    ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
6749
    if (ext == NULL) {
6750
#ifdef WOLFSSL_EARLY_DATA
6751
        ssl->earlyData = no_early_data;
6752
#endif
6753
        if (usingPSK)
6754
            *usingPSK = 0;
6755
6756
        /* No PSK extension at all: if a mandatory external PSK is configured,
6757
         * refuse the connection rather than continue without one. havePSK is
6758
         * only set by an external-PSK callback, so a peer relying solely on
6759
         * session-ticket resumption is unaffected. */
6760
        if (ssl->options.havePSK && ssl->options.failNoPSK) {
6761
            WOLFSSL_ERROR_VERBOSE(PSK_MISSING_ERROR);
6762
            return PSK_MISSING_ERROR;
6763
        }
6764
6765
        /* Hash data up to binders for deriving binders in PSK extension. */
6766
        ret = HashInput(ssl, input,  (int)helloSz);
6767
        return ret;
6768
    }
6769
6770
    /* Wire-order check that PSK was the last extension in ClientHello is
6771
     * performed in DoTls13ClientHello immediately after TLSX_Parse, since
6772
     * post-parse code (e.g. ALPN_Select via TLSX_SetALPN) may legitimately
6773
     * prepend new entries to ssl->extensions before this point and would
6774
     * otherwise trip a head-of-list check here. */
6775
6776
    /* Assume we are going to resume with a pre-shared key. */
6777
    ssl->options.resuming = 1;
6778
6779
    /* Find the pre-shared key extension and calculate hash of truncated
6780
     * ClientHello for binders.
6781
     */
6782
    ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
6783
                                                     client_hello, &bindersLen);
6784
    if (ret < 0)
6785
        return ret;
6786
    if (bindersLen > helloSz)
6787
        return BUFFER_ERROR;
6788
6789
    /* Refine list for PSK processing. */
6790
    sslRefineSuites(ssl, clSuites);
6791
#ifndef WOLFSSL_PSK_ONE_ID
6792
    if (usingPSK == NULL)
6793
        return BAD_FUNC_ARG;
6794
6795
    /* set after refineSuites, to avoid taking a stale ptr to ctx->Suites */
6796
    suites = WOLFSSL_SUITES(ssl);
6797
    /* Server list has only common suites from refining in server or client
6798
     * order. */
6799
    for (i = 0; !(*usingPSK) && i < suites->suiteSz; i += 2) {
6800
        ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen,
6801
                suites->suites + i, usingPSK, &first);
6802
        if (ret != 0) {
6803
#ifdef HAVE_SESSION_TICKET
6804
#ifdef WOLFSSL_ASYNC_CRYPT
6805
            if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
6806
#endif
6807
                CleanupClientTickets((PreSharedKey*)ext->data);
6808
#endif
6809
            WOLFSSL_MSG_EX("DoPreSharedKeys: %d", ret);
6810
            return ret;
6811
        }
6812
    }
6813
#ifdef HAVE_SESSION_TICKET
6814
    CleanupClientTickets((PreSharedKey*)ext->data);
6815
#endif
6816
#else
6817
    ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen, suite, usingPSK,
6818
        &first);
6819
    if (ret != 0) {
6820
        WOLFSSL_MSG_EX("DoPreSharedKeys: %d", ret);
6821
        return ret;
6822
    }
6823
#endif
6824
6825
    if (!*usingPSK) {
6826
        /* No suitable PSK was negotiated. When a mandatory external PSK is
6827
         * configured, fail with a dedicated error instead of falling back to a
6828
         * certificate handshake. This must run before the no-certificate
6829
         * BAD_BINDER check below so a PSK-only server (no cert) still reports
6830
         * PSK_MISSING_ERROR. havePSK is only set by an external-PSK callback, so
6831
         * a peer relying solely on session-ticket resumption is unaffected. */
6832
        if (ssl->options.havePSK && ssl->options.failNoPSK) {
6833
            WOLFSSL_ERROR_VERBOSE(PSK_MISSING_ERROR);
6834
            return PSK_MISSING_ERROR;
6835
        }
6836
    #ifndef NO_CERTS
6837
        if (ssl->buffers.certificate == NULL
6838
        #ifdef WOLFSSL_CERT_SETUP_CB
6839
                && ssl->ctx->certSetupCb == NULL
6840
        #endif
6841
                )
6842
    #endif
6843
        {
6844
            WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
6845
            return BAD_BINDER;
6846
        }
6847
    }
6848
6849
    if (*usingPSK) {
6850
        /* While verifying the selected PSK, we updated the
6851
         * handshake hash up to the binder bytes in the PSK extensions.
6852
         * Continuing, we need the rest of the ClientHello hashed as well.
6853
         */
6854
        ret = HashRaw(ssl, input + helloSz - bindersLen, bindersLen);
6855
    }
6856
    else {
6857
        /* No suitable PSK found, Hash the complete ClientHello,
6858
         * as caller expect it after we return */
6859
        ret = HashInput(ssl, input,  (int)helloSz);
6860
    }
6861
    if (ret != 0)
6862
        return ret;
6863
6864
    if (*usingPSK != 0) {
6865
        word32 modes;
6866
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6867
        int usingCertWithExternPsk = 0;
6868
        TLSX* certExt = NULL;
6869
        TLSX* pskExt = NULL;
6870
        PreSharedKey* chosenPsk = NULL;
6871
#endif
6872
    #ifdef WOLFSSL_EARLY_DATA
6873
        TLSX*  extEarlyData;
6874
    #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6875
        int hasCertWithExternPsk = (TLSX_Find(ssl->extensions,
6876
                                    TLSX_CERT_WITH_EXTERN_PSK) != NULL);
6877
    #endif
6878
6879
        extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
6880
        if (extEarlyData != NULL) {
6881
            /* Check if accepting early data and first PSK.
6882
             * RFC 8773bis: early_data is not compatible with
6883
             * cert_with_extern_psk, so skip key derivation in that case. */
6884
            if (ssl->earlyData != no_early_data && first
6885
                && ssl->options.maxEarlyDataSz > 0
6886
    #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6887
                && !hasCertWithExternPsk
6888
    #endif
6889
    #if defined(HAVE_SESSION_TICKET) && !defined(NO_SESSION_CACHE)
6890
                /* RFC 8446 section 8: evict the session from the cache.
6891
                 * Accept 0-RTT only when the eviction found the entry
6892
                 * (single-use). */
6893
                && wolfSSL_SSL_CTX_remove_session(ssl->ctx, ssl->session)
6894
                    == 1
6895
    #endif
6896
            ) {
6897
                extEarlyData->resp = 1;
6898
6899
                /* Derive early data decryption key. */
6900
                ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY,
6901
                                                                             1);
6902
                if (ret != 0)
6903
                    return ret;
6904
                if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
6905
                    return ret;
6906
6907
                ssl->keys.encryptionOn = 1;
6908
                ssl->earlyData = process_early_data;
6909
            }
6910
            else
6911
                extEarlyData->resp = 0;
6912
        }
6913
    #endif
6914
6915
        /* Get the PSK key exchange modes the client wants to negotiate. */
6916
        ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
6917
        if (ext == NULL) {
6918
            WOLFSSL_ERROR_VERBOSE(MISSING_HANDSHAKE_DATA);
6919
            return MISSING_HANDSHAKE_DATA;
6920
        }
6921
        modes = ext->val;
6922
6923
    #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6924
        certExt = TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK);
6925
        if (certExt != NULL) {
6926
            pskExt = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
6927
            if (pskExt != NULL)
6928
                chosenPsk = (PreSharedKey*)pskExt->data;
6929
            while (chosenPsk != NULL && !chosenPsk->chosen)
6930
                chosenPsk = chosenPsk->next;
6931
            if (chosenPsk == NULL || chosenPsk->resumption) {
6932
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
6933
                return PSK_KEY_ERROR;
6934
            }
6935
            if ((modes & (1 << PSK_DHE_KE)) == 0) {
6936
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
6937
                return PSK_KEY_ERROR;
6938
            }
6939
            usingCertWithExternPsk = 1;
6940
            ssl->options.certWithExternPsk = 1;
6941
            if (clSuites->hashSigAlgoSz == 0) {
6942
                WOLFSSL_ERROR_VERBOSE(MISSING_HANDSHAKE_DATA);
6943
                return MISSING_HANDSHAKE_DATA;
6944
            }
6945
            ret = PickHashSigAlgo(ssl, clSuites->hashSigAlgo,
6946
                                  clSuites->hashSigAlgoSz, 1);
6947
            if (ret != 0)
6948
                return ret;
6949
            ssl->options.sendVerify = SEND_CERT;
6950
            certExt->resp = 1;
6951
        #ifdef WOLFSSL_EARLY_DATA
6952
            /* RFC 8773bis: early_data is not compatible with
6953
             * cert_with_extern_psk.  TLSX_Parse already rejects the
6954
             * combination in the ClientHello, but clear the response flag
6955
             * here as a defense-in-depth measure. */
6956
            if (extEarlyData != NULL) {
6957
                WOLFSSL_MSG("Rejecting early data: "
6958
                            "cert_with_extern_psk is not 0-RTT compatible");
6959
                extEarlyData->resp = 0;
6960
                ssl->earlyData = no_early_data;
6961
            }
6962
        #endif
6963
        }
6964
        else {
6965
            ssl->options.certWithExternPsk = 0;
6966
        }
6967
    #endif
6968
6969
#ifndef HAVE_SUPPORTED_CURVES
6970
    #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6971
        if (usingCertWithExternPsk) {
6972
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
6973
            return PSK_KEY_ERROR;
6974
        }
6975
    #endif
6976
#endif
6977
    #ifdef HAVE_SUPPORTED_CURVES
6978
        ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
6979
        /* Use (EC)DHE for forward-security if possible. */
6980
        if (((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
6981
             ext != NULL)
6982
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6983
             || usingCertWithExternPsk
6984
#endif
6985
        ) {
6986
            if (ext == NULL) {
6987
                WOLFSSL_ERROR_VERBOSE(EXT_MISSING);
6988
                return EXT_MISSING;
6989
            }
6990
            /* Resumption path uses previous session group. */
6991
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
6992
            if (!usingCertWithExternPsk)
6993
#endif
6994
                ssl->namedGroup = ssl->session->namedGroup;
6995
            *usingPSK = 2; /* generate new ephemeral key */
6996
        }
6997
        else if (ssl->options.onlyPskDheKe ||
6998
                 (ssl->options.failNoPSK && !ssl->options.resuming)) {
6999
            /* A mandatory external PSK (failNoPSK) must be combined with
7000
             * (EC)DHE for forward secrecy, so reject a pure psk_ke
7001
             * negotiation. Session-ticket resumption is exempt. */
7002
            return PSK_KEY_ERROR;
7003
        }
7004
        else
7005
    #endif
7006
        {
7007
            if ((modes & (1 << PSK_KE)) == 0) {
7008
                WOLFSSL_MSG("psk_ke mode does not allow key share");
7009
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
7010
                return PSK_KEY_ERROR;
7011
            }
7012
            ssl->options.noPskDheKe = 1;
7013
            ssl->arrays->preMasterSz = 0;
7014
7015
            *usingPSK = 1;
7016
        }
7017
    }
7018
    else {
7019
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
7020
        /* If no PSK is found, we remove the extension to make sure it
7021
         * is not sent back to the client */
7022
        TLSX_Remove(&ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK, ssl->heap);
7023
        ssl->options.certWithExternPsk = 0;
7024
#endif
7025
    #ifndef NO_CERTS
7026
        if (ssl->buffers.certificate != NULL
7027
        #ifdef WOLFSSL_CERT_SETUP_CB
7028
                || ssl->ctx->certSetupCb != NULL
7029
        #endif
7030
                )
7031
            return 0;
7032
    #endif
7033
        WOLFSSL_ERROR_VERBOSE(BAD_BINDER);
7034
        return BAD_BINDER;
7035
    }
7036
7037
    WOLFSSL_LEAVE("CheckPreSharedKeys", ret);
7038
7039
    return 0;
7040
}
7041
#endif /* HAVE_SESSION_TICKET || !NO_PSK */
7042
7043
#if defined(WOLFSSL_SEND_HRR_COOKIE)
7044
/* Check that the Cookie data's integrity.
7045
 *
7046
 * ssl       SSL/TLS object.
7047
 * cookie    The cookie data - hash and MAC.
7048
 * cookieSz  The length of the cookie data in bytes.
7049
 * returns Length of the hash on success, otherwise failure.
7050
 */
7051
int TlsCheckCookie(const WOLFSSL* ssl, const byte* cookie, word16 cookieSz)
7052
{
7053
    int  ret;
7054
    byte mac[WC_MAX_DIGEST_SIZE] = {0};
7055
    WC_DECLARE_VAR(cookieHmac, Hmac, 1, ssl->heap);
7056
    byte cookieType = 0;
7057
    byte macSz = 0;
7058
7059
    if (ssl->buffers.tls13CookieSecret.buffer == NULL ||
7060
            ssl->buffers.tls13CookieSecret.length == 0) {
7061
        WOLFSSL_MSG("Missing DTLS 1.3 cookie secret");
7062
        return COOKIE_ERROR;
7063
    }
7064
7065
#ifndef NO_SHA256
7066
    cookieType = WC_SHA256;
7067
    macSz = WC_SHA256_DIGEST_SIZE;
7068
#elif defined(WOLFSSL_SHA384)
7069
    cookieType = WC_SHA384;
7070
    macSz = WC_SHA384_DIGEST_SIZE;
7071
#elif defined(WOLFSSL_TLS13_SHA512)
7072
    cookieType = WC_SHA512;
7073
    macSz = WC_SHA512_DIGEST_SIZE;
7074
#elif defined(WOLFSSL_SM3)
7075
    cookieType = WC_SM3;
7076
    macSz = WC_SM3_DIGEST_SIZE;
7077
#else
7078
    #error "No digest to available to use with HMAC for cookies."
7079
#endif /* NO_SHA */
7080
7081
    if (cookieSz < ssl->specs.hash_size + macSz)
7082
        return HRR_COOKIE_ERROR;
7083
    cookieSz -= macSz;
7084
7085
    WC_ALLOC_VAR_EX(cookieHmac, Hmac, 1, ssl->heap, DYNAMIC_TYPE_HMAC,
7086
                    return MEMORY_E);
7087
7088
    ret = wc_HmacInit(cookieHmac, ssl->heap, ssl->devId);
7089
    if (ret == 0) {
7090
        ret = wc_HmacSetKey(cookieHmac, cookieType,
7091
                            ssl->buffers.tls13CookieSecret.buffer,
7092
                            ssl->buffers.tls13CookieSecret.length);
7093
    }
7094
    if (ret == 0)
7095
        ret = wc_HmacUpdate(cookieHmac, cookie, cookieSz);
7096
#ifdef WOLFSSL_DTLS13
7097
    /* Tie cookie to peer address */
7098
    if (ret == 0) {
7099
        /* peerLock not necessary. Still in handshake phase. */
7100
        if (ssl->options.dtls && ssl->buffers.dtlsCtx.peer.sz > 0) {
7101
            ret = wc_HmacUpdate(cookieHmac,
7102
                (byte*)ssl->buffers.dtlsCtx.peer.sa,
7103
                ssl->buffers.dtlsCtx.peer.sz);
7104
        }
7105
    }
7106
#endif
7107
    if (ret == 0)
7108
        ret = wc_HmacFinal(cookieHmac, mac);
7109
7110
    wc_HmacFree(cookieHmac);
7111
    WC_FREE_VAR_EX(cookieHmac, ssl->heap, DYNAMIC_TYPE_HMAC);
7112
    if (ret != 0)
7113
        return ret;
7114
7115
    if (ConstantCompare(cookie + cookieSz, mac, macSz) != 0) {
7116
        WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR);
7117
        return HRR_COOKIE_ERROR;
7118
    }
7119
    return cookieSz;
7120
}
7121
7122
/* Length of the KeyShare Extension */
7123
#define HRR_KEY_SHARE_SZ   (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
7124
/* Length of the Supported Versions Extension */
7125
#define HRR_VERSIONS_SZ    (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
7126
/* Length of the Cookie Extension excluding cookie data */
7127
#define HRR_COOKIE_HDR_SZ  (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
7128
/* PV | Random | Session Id | CipherSuite | Compression | Ext Len */
7129
#define HRR_BODY_SZ        (VERSION_SZ + RAN_LEN + ENUM_LEN + ID_LEN + \
7130
                            SUITE_LEN + COMP_LEN + OPAQUE16_LEN)
7131
/* HH | PV | CipherSuite | Ext Len | Key Share | Supported Version | Cookie */
7132
#define MAX_HRR_SZ   (HRR_MAX_HS_HEADER_SZ   + \
7133
                        HRR_BODY_SZ         + \
7134
                          HRR_KEY_SHARE_SZ  + \
7135
                          HRR_VERSIONS_SZ   + \
7136
                          HRR_COOKIE_HDR_SZ)
7137
7138
7139
/* Restart the handshake hash from the cookie value.
7140
 *
7141
 * ssl     SSL/TLS object.
7142
 * cookie  Cookie data from client.
7143
 * returns 0 on success, otherwise failure.
7144
 */
7145
static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
7146
{
7147
    byte   header[HANDSHAKE_HEADER_SZ] = {0};
7148
    byte   hrr[MAX_HRR_SZ] = {0};
7149
    int    hrrIdx;
7150
    word32 idx;
7151
    byte   hashSz;
7152
    byte*  cookieData;
7153
    word16 cookieDataSz;
7154
    word16 length;
7155
    int    keyShareExt = 0;
7156
    int    ret;
7157
    byte   sessIdSz;
7158
7159
    ret = TlsCheckCookie(ssl, cookie->data, cookie->len);
7160
    if (ret < 0)
7161
        return ret;
7162
    cookieDataSz = (word16)ret;
7163
    hashSz = cookie->data[0];
7164
    cookieData = cookie->data;
7165
    idx = OPAQUE8_LEN;
7166
7167
    /* Restart handshake hash with synthetic message hash. */
7168
    AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
7169
7170
    if ((ret = InitHandshakeHashes(ssl)) != 0)
7171
        return ret;
7172
    if ((ret = HashRaw(ssl, header, sizeof(header))) != 0)
7173
        return ret;
7174
#ifdef WOLFSSL_DEBUG_TLS
7175
    WOLFSSL_MSG("Restart Hash from Cookie");
7176
    WOLFSSL_BUFFER(cookieData + idx, hashSz);
7177
#endif
7178
    if ((ret = HashRaw(ssl, cookieData + idx, hashSz)) != 0)
7179
        return ret;
7180
7181
    /* Reconstruct the HelloRetryMessage for handshake hash. */
7182
    sessIdSz = ssl->session->sessionIDSz;
7183
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID)
7184
    /* RFC 9147 Section 5.3: DTLS 1.3 must use empty legacy_session_id. */
7185
    if (ssl->options.dtls)
7186
        sessIdSz = 0;
7187
#endif
7188
    length = HRR_BODY_SZ - ID_LEN + sessIdSz +
7189
             HRR_COOKIE_HDR_SZ + cookie->len;
7190
    length += HRR_VERSIONS_SZ;
7191
    /* HashSz (1 byte) + Hash (HashSz bytes) + CipherSuite (2 bytes) */
7192
    if (cookieDataSz > OPAQUE8_LEN + hashSz + OPAQUE16_LEN) {
7193
        keyShareExt = 1;
7194
        length += HRR_KEY_SHARE_SZ;
7195
    }
7196
7197
    AddTls13HandShakeHeader(hrr, length, 0, 0, server_hello, ssl);
7198
7199
    idx += hashSz;
7200
    hrrIdx = HANDSHAKE_HEADER_SZ;
7201
7202
#ifdef WOLFSSL_DTLS13
7203
    if (ssl->options.dtls)
7204
        hrrIdx += DTLS_HANDSHAKE_EXTRA;
7205
#endif /* WOLFSSL_DTLS13 */
7206
7207
    /* The negotiated protocol version. */
7208
    hrr[hrrIdx++] = ssl->version.major;
7209
    hrr[hrrIdx++] = ssl->options.dtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR;
7210
7211
    /* HelloRetryRequest message has fixed value for random. */
7212
    XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN);
7213
    hrrIdx += RAN_LEN;
7214
7215
    hrr[hrrIdx++] = sessIdSz;
7216
    if (sessIdSz > 0) {
7217
        XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, sessIdSz);
7218
        hrrIdx += sessIdSz;
7219
    }
7220
7221
    /* Restore the cipher suite from the cookie. */
7222
    ssl->options.hrrCipherSuite0 = cookieData[idx];
7223
    hrr[hrrIdx++] = cookieData[idx++];
7224
    ssl->options.hrrCipherSuite  = cookieData[idx];
7225
    hrr[hrrIdx++] = cookieData[idx++];
7226
7227
    /* Compression not supported in TLS v1.3. */
7228
    hrr[hrrIdx++] = 0;
7229
7230
    /* Extensions' length */
7231
    length -= HRR_BODY_SZ - ID_LEN + sessIdSz;
7232
    c16toa(length, hrr + hrrIdx);
7233
    hrrIdx += 2;
7234
7235
    /* Optional KeyShare Extension */
7236
    if (keyShareExt) {
7237
        c16toa(TLSX_KEY_SHARE, hrr + hrrIdx);
7238
        hrrIdx += 2;
7239
        c16toa(OPAQUE16_LEN, hrr + hrrIdx);
7240
        hrrIdx += 2;
7241
        /* Restore the HRR key share group from the cookie. */
7242
        ato16(cookieData + idx, &ssl->hrr_keyshare_group);
7243
        hrr[hrrIdx++] = cookieData[idx++];
7244
        hrr[hrrIdx++] = cookieData[idx++];
7245
    }
7246
    c16toa(TLSX_SUPPORTED_VERSIONS, hrr + hrrIdx);
7247
    hrrIdx += 2;
7248
    c16toa(OPAQUE16_LEN, hrr + hrrIdx);
7249
    hrrIdx += 2;
7250
    #ifdef WOLFSSL_TLS13_DRAFT
7251
        hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
7252
        hrr[hrrIdx++] = TLS_DRAFT_MINOR;
7253
    #else
7254
        hrr[hrrIdx++] = ssl->version.major;
7255
        hrr[hrrIdx++] = ssl->version.minor;
7256
    #endif
7257
7258
    /* Mandatory Cookie Extension */
7259
    c16toa(TLSX_COOKIE, hrr + hrrIdx);
7260
    hrrIdx += 2;
7261
    c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx);
7262
    hrrIdx += 2;
7263
    c16toa(cookie->len, hrr + hrrIdx);
7264
    hrrIdx += 2;
7265
7266
#ifdef WOLFSSL_DEBUG_TLS
7267
    WOLFSSL_MSG("Reconstructed HelloRetryRequest");
7268
    WOLFSSL_BUFFER(hrr, hrrIdx);
7269
    WOLFSSL_MSG("Cookie");
7270
    WOLFSSL_BUFFER(cookieData, cookie->len);
7271
#endif
7272
7273
#ifdef WOLFSSL_DTLS13
7274
    if (ssl->options.dtls) {
7275
        ret = Dtls13HashHandshake(ssl, hrr, (word16)hrrIdx);
7276
    }
7277
    else
7278
#endif /* WOLFSSL_DTLS13 */
7279
        {
7280
            ret = HashRaw(ssl, hrr, hrrIdx);
7281
        }
7282
7283
    if (ret != 0)
7284
        return ret;
7285
7286
    return HashRaw(ssl, cookieData, cookie->len);
7287
}
7288
#endif
7289
7290
/* Do SupportedVersion extension for TLS v1.3+ otherwise it is not.
7291
 *
7292
 * ssl       The SSL/TLS object.
7293
 * input     The message buffer.
7294
 * i         The index into the message buffer of ClientHello.
7295
 * helloSz   The length of the current handshake message.
7296
 * returns 0 on success and otherwise failure.
7297
 */
7298
static int DoTls13SupportedVersions(WOLFSSL* ssl, const byte* input, word32 i,
7299
                                    word32 helloSz, int* wantDowngrade)
7300
0
{
7301
0
    int    ret;
7302
0
    byte   b;
7303
0
    word16 suiteSz;
7304
0
    word16 totalExtSz;
7305
0
    int    foundVersion = 0;
7306
7307
    /* Client random */
7308
0
    i += RAN_LEN;
7309
    /* Session id - not used in TLS v1.3 */
7310
0
    b = input[i++];
7311
0
    if (i + b > helloSz) {
7312
0
        return BUFFER_ERROR;
7313
0
    }
7314
0
    i += b;
7315
#ifdef WOLFSSL_DTLS13
7316
    if (ssl->options.dtls) {
7317
        /* legacy_cookie - not used in DTLS v1.3 */
7318
        b = input[i++];
7319
        if (i + b > helloSz) {
7320
            return BUFFER_ERROR;
7321
        }
7322
        i += b;
7323
    }
7324
#endif /* WOLFSSL_DTLS13 */
7325
    /* Cipher suites */
7326
0
    if (i + OPAQUE16_LEN > helloSz)
7327
0
        return BUFFER_ERROR;
7328
0
    ato16(input + i, &suiteSz);
7329
0
    i += OPAQUE16_LEN;
7330
0
    if (i + suiteSz + 1 > helloSz)
7331
0
        return BUFFER_ERROR;
7332
0
    i += suiteSz;
7333
    /* Compression */
7334
0
    b = input[i++];
7335
0
    if (i + b > helloSz)
7336
0
        return BUFFER_ERROR;
7337
0
    i += b;
7338
7339
    /* TLS 1.3 must have extensions */
7340
0
    if (i < helloSz) {
7341
0
        if (i + OPAQUE16_LEN > helloSz)
7342
0
            return BUFFER_ERROR;
7343
0
        ato16(&input[i], &totalExtSz);
7344
0
        i += OPAQUE16_LEN;
7345
0
        if (totalExtSz != helloSz - i)
7346
0
            return BUFFER_ERROR;
7347
7348
        /* Need to negotiate version first. */
7349
0
        if ((ret = TLSX_ParseVersion(ssl, input + i, totalExtSz, client_hello,
7350
0
                                                              &foundVersion))) {
7351
0
            return ret;
7352
0
        }
7353
0
    }
7354
0
    *wantDowngrade = !foundVersion || !IsAtLeastTLSv1_3(ssl->version);
7355
7356
0
    return 0;
7357
0
}
7358
7359
#ifdef HAVE_ECH
7360
/* Calculate and write the 8 ECH confirmation bytes.
7361
 * Output into confirmation field on HRR and into ServerRandom on ServerHello.
7362
 *
7363
 * ssl          SSL/TLS object.
7364
 * label        Ascii string describing ECH acceptance or rejection.
7365
 * labelSz      Length of label excluding NULL character.
7366
 * output       The buffer to calculate/write confirmation from/to.
7367
 * acceptOffset Where the 8 ECH confirmation bytes should be placed.
7368
 * helloSz      Size of hello message.
7369
 * msgType      Type of message being written.
7370
 * returns 0 on success and otherwise failure.
7371
 */
7372
static int EchWriteAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz,
7373
    byte* output, int acceptOffset, int helloSz, byte msgType)
7374
{
7375
    int ret = 0;
7376
    int headerSz;
7377
    HS_Hashes* tmpHashes;
7378
7379
#ifdef WOLFSSL_DTLS13
7380
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
7381
                                   HANDSHAKE_HEADER_SZ;
7382
#else
7383
    headerSz = HANDSHAKE_HEADER_SZ;
7384
#endif
7385
7386
    ret = EchCalcAcceptance(ssl, label, labelSz, output, acceptOffset,
7387
            helloSz - headerSz, msgType == hello_retry_request,
7388
            output + acceptOffset);
7389
7390
    if (ret == 0) {
7391
        tmpHashes = ssl->hsHashes;
7392
        ssl->hsHashes = ssl->hsHashesEch;
7393
7394
        /* after HRR, hsHashesEch must contain:
7395
         * message_hash(ClientHelloInner1) || HRR (actual, not zeros) */
7396
        if (msgType == hello_retry_request) {
7397
            ret = HashRaw(ssl, output, helloSz);
7398
        }
7399
        /* normal TLS code will calculate transcript of ServerHello */
7400
        else {
7401
            ssl->hsHashes = tmpHashes;
7402
            FreeHandshakeHashes(ssl);
7403
            tmpHashes = ssl->hsHashesEch;
7404
            ssl->hsHashesEch = NULL;
7405
        }
7406
7407
        ssl->hsHashes = tmpHashes;
7408
    }
7409
7410
    return ret;
7411
}
7412
#endif
7413
7414
/* Handle a ClientHello handshake message.
7415
 * If the protocol version in the message is not TLS v1.3 or higher, use
7416
 * DoClientHello()
7417
 * Only a server will receive this message.
7418
 *
7419
 * ssl       The SSL/TLS object.
7420
 * input     The message buffer.
7421
 * inOutIdx  On entry, the index into the message buffer of ClientHello.
7422
 *           On exit, the index of byte after the ClientHello message and
7423
 *           padding.
7424
 * helloSz   The length of the current handshake message.
7425
 * returns 0 on success and otherwise failure.
7426
 */
7427
7428
typedef struct Dch13Args {
7429
    ProtocolVersion pv;
7430
    word32          idx;
7431
    word32          begin;
7432
    int             usingPSK;
7433
} Dch13Args;
7434
7435
static void FreeDch13Args(WOLFSSL* ssl, void* pArgs)
7436
0
{
7437
    /* openssl compat builds hang on to the client suites until WOLFSSL object
7438
     * is destroyed */
7439
0
#ifndef OPENSSL_EXTRA
7440
0
    if (ssl->clSuites) {
7441
0
        XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
7442
0
        ssl->clSuites = NULL;
7443
0
    }
7444
0
#endif
7445
0
    (void)ssl;
7446
0
    (void)pArgs;
7447
7448
0
}
7449
7450
int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
7451
                       word32 helloSz)
7452
0
{
7453
0
    int ret;
7454
#ifdef WOLFSSL_ASYNC_CRYPT
7455
    Dch13Args* args = NULL;
7456
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
7457
#else
7458
0
    Dch13Args  args[1];
7459
0
#endif
7460
#if defined(HAVE_ECH)
7461
    TLSX* echX = NULL;
7462
#endif
7463
7464
0
    WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO);
7465
0
    WOLFSSL_ENTER("DoTls13ClientHello");
7466
7467
#ifdef WOLFSSL_ASYNC_CRYPT
7468
    if (ssl->async == NULL) {
7469
        ssl->async = (struct WOLFSSL_ASYNC*)
7470
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
7471
                        DYNAMIC_TYPE_ASYNC);
7472
        if (ssl->async == NULL)
7473
            ERROR_OUT(MEMORY_E, exit_dch);
7474
    }
7475
    args = (Dch13Args*)ssl->async->args;
7476
7477
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
7478
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
7479
        /* Check for error */
7480
        if (ret < 0) {
7481
            goto exit_dch;
7482
        }
7483
    }
7484
    else
7485
#endif
7486
0
    {
7487
        /* Reset state */
7488
0
        ret = WC_NO_ERR_TRACE(VERSION_ERROR);
7489
0
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
7490
0
        XMEMSET(args, 0, sizeof(Dch13Args));
7491
    #ifdef WOLFSSL_ASYNC_CRYPT
7492
        ssl->async->freeArgs = FreeDch13Args;
7493
    #endif
7494
0
    }
7495
7496
0
    switch (ssl->options.asyncState) {
7497
0
    case TLS_ASYNC_BEGIN:
7498
0
    {
7499
0
    byte b;
7500
0
    byte sessIdSz;
7501
0
    int wantDowngrade = 0;
7502
0
    word16 totalExtSz = 0;
7503
7504
#ifdef WOLFSSL_CALLBACKS
7505
    if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
7506
    if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
7507
#endif
7508
7509
    /* do not change state in the SSL object before the next region of code
7510
     * to be able to statelessly compute a DTLS cookie */
7511
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
7512
    /* Update the ssl->options.dtlsStateful setting `if` statement in
7513
     * wolfSSL_accept_TLSv13 when changing this one. */
7514
    if (IsDtlsNotSctpMode(ssl) && ssl->options.sendCookie &&
7515
            !ssl->options.dtlsStateful) {
7516
        DtlsSetSeqNumForReply(ssl);
7517
        ret = DoClientHelloStateless(ssl, input + *inOutIdx, helloSz, 0, NULL);
7518
        if (ret != 0 || !ssl->options.dtlsStateful) {
7519
            *inOutIdx += helloSz;
7520
            goto exit_dch;
7521
        }
7522
        if (ssl->chGoodCb != NULL) {
7523
            int cbret = ssl->chGoodCb(ssl, ssl->chGoodCtx);
7524
            if (cbret < 0) {
7525
                ssl->error = cbret;
7526
                WOLFSSL_MSG("ClientHello Good Cb don't continue error");
7527
                return WOLFSSL_FATAL_ERROR;
7528
            }
7529
        }
7530
    }
7531
    ssl->options.dtlsStateful = 1;
7532
#endif /* WOLFSSL_DTLS */
7533
7534
0
    args->idx = *inOutIdx;
7535
0
    args->begin = args->idx;
7536
7537
    /* protocol version, random and session id length check */
7538
0
    if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) {
7539
0
        ERROR_OUT(BUFFER_ERROR, exit_dch);
7540
0
    }
7541
7542
    /* Protocol version */
7543
0
    XMEMCPY(&args->pv, input + args->idx, OPAQUE16_LEN);
7544
0
    ssl->chVersion = args->pv;   /* store */
7545
0
    args->idx += OPAQUE16_LEN;
7546
7547
7548
    /* this check pass for DTLS Major (0xff) */
7549
0
    if (args->pv.major < SSLv3_MAJOR) {
7550
0
        WOLFSSL_MSG("Legacy version field contains unsupported value");
7551
0
        ERROR_OUT(VERSION_ERROR, exit_dch);
7552
0
    }
7553
7554
#ifdef WOLFSSL_DTLS13
7555
    if (ssl->options.dtls &&
7556
        args->pv.major == DTLS_MAJOR && args->pv.minor > DTLSv1_2_MINOR) {
7557
        wantDowngrade = 1;
7558
        ssl->version.minor = args->pv.minor;
7559
    }
7560
#endif /* WOLFSSL_DTLS13 */
7561
7562
0
    if (!ssl->options.dtls) {
7563
0
#ifndef WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION
7564
        /* Check for TLS 1.3 version (0x0304) in legacy version field. RFC 8446
7565
         * Section 4.2.1 allows this action:
7566
         *
7567
         * "Servers MAY abort the handshake upon receiving a ClientHello with
7568
         * legacy_version 0x0304 or later."
7569
         *
7570
         * Note that if WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION is defined then the
7571
         * semantics of RFC 5246 Appendix E will be followed. A ServerHello with
7572
         * version 1.2 will be sent. The same is true if TLS 1.3 is not enabled.
7573
         */
7574
0
        if (args->pv.major == SSLv3_MAJOR && args->pv.minor >= TLSv1_3_MINOR) {
7575
0
            WOLFSSL_MSG("Legacy version field is TLS 1.3 or later. Aborting.");
7576
0
            ERROR_OUT(VERSION_ERROR, exit_dch);
7577
0
        }
7578
0
#endif /* WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION */
7579
7580
        /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */
7581
0
        if (args->pv.major > SSLv3_MAJOR || (args->pv.major == SSLv3_MAJOR &&
7582
0
                                             args->pv.minor >= TLSv1_3_MINOR)) {
7583
0
            args->pv.major = SSLv3_MAJOR;
7584
0
            args->pv.minor = TLSv1_2_MINOR;
7585
0
            wantDowngrade = 1;
7586
0
            ssl->version.minor = args->pv.minor;
7587
0
        }
7588
        /* Legacy version must be [ SSLv3_MAJOR, TLSv1_2_MINOR ] for TLS v1.3 */
7589
0
        else if (args->pv.major == SSLv3_MAJOR &&
7590
0
                 args->pv.minor < TLSv1_2_MINOR) {
7591
0
            wantDowngrade = 1;
7592
0
            ssl->version.minor = args->pv.minor;
7593
0
        }
7594
0
    }
7595
7596
0
    if (!wantDowngrade) {
7597
0
        ret = DoTls13SupportedVersions(ssl, input + args->begin,
7598
0
            args->idx - args->begin, helloSz, &wantDowngrade);
7599
0
        if (ret < 0)
7600
0
            goto exit_dch;
7601
0
    }
7602
7603
0
    if (wantDowngrade) {
7604
0
#ifndef WOLFSSL_NO_TLS12
7605
0
        byte realMinor;
7606
0
#endif
7607
#if defined(HAVE_ECH)
7608
        if (ssl->options.echProcessingInner) {
7609
            WOLFSSL_MSG("ECH: inner client hello does not support version "
7610
                        "less than TLS v1.3");
7611
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
7612
        }
7613
#endif
7614
0
#ifndef WOLFSSL_NO_TLS12
7615
0
        if (!ssl->options.downgrade) {
7616
0
            WOLFSSL_MSG("Client trying to connect with lesser version than "
7617
0
                        "TLS v1.3");
7618
0
            ERROR_OUT(VERSION_ERROR, exit_dch);
7619
0
        }
7620
7621
0
        if ((!ssl->options.dtls
7622
0
                 && args->pv.minor < ssl->options.minDowngrade) ||
7623
0
            (ssl->options.dtls && args->pv.minor > ssl->options.minDowngrade)) {
7624
0
            WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
7625
0
            ERROR_OUT(VERSION_ERROR, exit_dch);
7626
0
        }
7627
7628
0
        realMinor = ssl->version.minor;
7629
0
        ssl->version.minor = args->pv.minor;
7630
0
        ret = HashInput(ssl, input + args->begin, (int)helloSz);
7631
0
        ssl->version.minor = realMinor;
7632
0
        if (ret == 0) {
7633
0
            ret = DoClientHello(ssl, input, inOutIdx, helloSz);
7634
0
        }
7635
0
        goto exit_dch;
7636
#else
7637
        WOLFSSL_MSG("Client trying to connect with lesser version than "
7638
                    "TLS v1.3");
7639
        ERROR_OUT(VERSION_ERROR, exit_dch);
7640
#endif
7641
0
    }
7642
7643
    /* From here on we are a TLS 1.3 ClientHello. */
7644
7645
    /* Client random
7646
     * ECH Accepted -> This will fill with the innerClientRandom */
7647
0
    XMEMCPY(ssl->arrays->clientRandom, input + args->idx, RAN_LEN);
7648
0
    args->idx += RAN_LEN;
7649
7650
#ifdef WOLFSSL_DEBUG_TLS
7651
    WOLFSSL_MSG("client random");
7652
    WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN);
7653
#endif
7654
7655
0
    sessIdSz = input[args->idx++];
7656
0
    if (sessIdSz > ID_LEN)
7657
0
    {
7658
0
        ERROR_OUT(INVALID_PARAMETER, exit_dch);
7659
0
    }
7660
7661
0
    if (sessIdSz + args->idx > helloSz)
7662
0
        ERROR_OUT(BUFFER_ERROR, exit_dch);
7663
7664
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID)
7665
    /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
7666
     * legacy_session_id_echo. Don't store the client's value so it
7667
     * won't be echoed in SendTls13ServerHello. */
7668
    if (ssl->options.dtls) {
7669
        ssl->session->sessionIDSz = 0;
7670
    }
7671
    else
7672
#endif
7673
0
    {
7674
0
        ssl->session->sessionIDSz = sessIdSz;
7675
0
        if (sessIdSz > 0)
7676
0
            XMEMCPY(ssl->session->sessionID, input + args->idx, sessIdSz);
7677
0
    }
7678
0
    args->idx += sessIdSz;
7679
7680
#ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
7681
    /* RFC 8446 Appendix D.4: server MUST only send CCS if the client's
7682
     * ClientHello contains a non-empty legacy_session_id. */
7683
    if (sessIdSz == 0) {
7684
        ssl->options.tls13MiddleBoxCompat = 0;
7685
    }
7686
#endif
7687
7688
#ifdef WOLFSSL_DTLS13
7689
    /* legacy_cookie */
7690
    if (ssl->options.dtls) {
7691
        /* https://www.rfc-editor.org/rfc/rfc9147.html#section-5.3 */
7692
        byte cookieLen = input[args->idx++];
7693
        if (cookieLen != 0) {
7694
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
7695
        }
7696
    }
7697
#endif /* WOLFSSL_DTLS13 */
7698
7699
0
    XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES);
7700
0
    ssl->clSuites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
7701
0
        DYNAMIC_TYPE_SUITES);
7702
0
    if (ssl->clSuites == NULL) {
7703
0
        ERROR_OUT(MEMORY_E, exit_dch);
7704
0
    }
7705
7706
    /* Cipher suites */
7707
0
    if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
7708
0
        ERROR_OUT(BUFFER_ERROR, exit_dch);
7709
0
    ato16(&input[args->idx], &ssl->clSuites->suiteSz);
7710
0
    args->idx += OPAQUE16_LEN;
7711
0
    if ((ssl->clSuites->suiteSz % 2) != 0) {
7712
0
        ERROR_OUT(INVALID_PARAMETER, exit_dch);
7713
0
    }
7714
    /* suites and compression length check */
7715
0
    if ((args->idx - args->begin) + ssl->clSuites->suiteSz + OPAQUE8_LEN >
7716
0
            helloSz) {
7717
0
        ERROR_OUT(BUFFER_ERROR, exit_dch);
7718
0
    }
7719
0
    if (ssl->clSuites->suiteSz > WOLFSSL_MAX_SUITE_SZ)
7720
0
        ERROR_OUT(BUFFER_ERROR, exit_dch);
7721
0
    XMEMCPY(ssl->clSuites->suites, input + args->idx, ssl->clSuites->suiteSz);
7722
0
    args->idx += ssl->clSuites->suiteSz;
7723
0
    ssl->clSuites->hashSigAlgoSz = 0;
7724
7725
    /* Compression */
7726
0
    b = input[args->idx++];
7727
0
    if ((args->idx - args->begin) + b > helloSz)
7728
0
        ERROR_OUT(BUFFER_ERROR, exit_dch);
7729
0
    if (b != COMP_LEN) {
7730
0
        WOLFSSL_MSG("Must be one compression type in list");
7731
0
        ERROR_OUT(INVALID_PARAMETER, exit_dch);
7732
0
    }
7733
0
    b = input[args->idx++];
7734
0
    if (b != NO_COMPRESSION) {
7735
0
        WOLFSSL_MSG("Must be no compression type in list");
7736
0
        ERROR_OUT(INVALID_PARAMETER, exit_dch);
7737
0
    }
7738
7739
    /* Extensions */
7740
0
    if ((args->idx - args->begin) == helloSz)
7741
0
        ERROR_OUT(BUFFER_ERROR, exit_dch);
7742
0
    if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz)
7743
0
        ERROR_OUT(BUFFER_ERROR, exit_dch);
7744
7745
0
    ato16(&input[args->idx], &totalExtSz);
7746
0
    args->idx += OPAQUE16_LEN;
7747
0
    if ((args->idx - args->begin) + totalExtSz > helloSz)
7748
0
        ERROR_OUT(BUFFER_ERROR, exit_dch);
7749
7750
    /* Auto populate extensions supported unless user defined. */
7751
0
    if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
7752
0
        goto exit_dch;
7753
7754
#if defined(HAVE_ECH)
7755
    if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
7756
        /* save the start of the buffer so we can use it when parsing ech */
7757
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);
7758
7759
        if (echX == NULL)
7760
            ERROR_OUT(WOLFSSL_FATAL_ERROR, exit_dch);
7761
7762
        ((WOLFSSL_ECH*)echX->data)->aad = input + HANDSHAKE_HEADER_SZ;
7763
        ((WOLFSSL_ECH*)echX->data)->aadLen = helloSz;
7764
    }
7765
#endif
7766
7767
    /* Parse extensions */
7768
0
    if ((ret = TLSX_Parse(ssl, input + args->idx, totalExtSz, client_hello,
7769
0
                                                            ssl->clSuites))) {
7770
0
        goto exit_dch;
7771
0
    }
7772
7773
#if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
7774
    defined(HAVE_TLS_EXTENSIONS)
7775
    /* RFC 8446 Section 4.2.11: the pre_shared_key extension MUST be the
7776
     * last extension in the ClientHello. wolfSSL stores extensions in
7777
     * reverse wire order (TLSX_Push prepends), so a well-formed
7778
     * ClientHello with PSK leaves PSK at the head of ssl->extensions
7779
     * here, before any post-parse code (e.g. ALPN_Select) modifies the
7780
     * list. */
7781
    {
7782
        TLSX* pskExt = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
7783
        if (pskExt != NULL && ssl->extensions != pskExt) {
7784
            WOLFSSL_MSG("pre_shared_key extension was not last in "
7785
                        "ClientHello");
7786
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
7787
            ERROR_OUT(PSK_KEY_ERROR, exit_dch);
7788
        }
7789
    }
7790
#endif
7791
7792
#if defined(HAVE_ECH)
7793
    /* ECH accept/reject reconciliation is done at the end of TLSX_Parse. On
7794
     * acceptance the inner hello was decrypted, so jump to exit and let the
7795
     * caller re-invoke with the inner hello. */
7796
    if (!ssl->options.echProcessingInner && echX != NULL &&
7797
            ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE &&
7798
            ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) {
7799
        goto exit_dch;
7800
    }
7801
#endif
7802
7803
0
#ifdef HAVE_SNI
7804
0
        if ((ret = SNI_Callback(ssl)) != 0)
7805
0
            goto exit_dch;
7806
0
        ssl->options.side = WOLFSSL_SERVER_END;
7807
0
#endif
7808
7809
0
    args->idx += totalExtSz;
7810
0
    ssl->options.haveSessionId = 1;
7811
0
    ssl->options.sendVerify = SEND_CERT;
7812
7813
#if defined(WOLFSSL_SEND_HRR_COOKIE)
7814
    ssl->options.cookieGood = 0;
7815
    if (ssl->options.sendCookie &&
7816
            (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE
7817
#ifdef WOLFSSL_DTLS13
7818
                    /* Always check for a valid cookie since we may have already
7819
                     * sent a HRR but we reset the state. */
7820
                    || ssl->options.dtls
7821
#endif
7822
                    )) {
7823
        TLSX* ext = TLSX_Find(ssl->extensions, TLSX_COOKIE);
7824
7825
        if (ext != NULL) {
7826
            /* Ensure the cookie came from client and isn't the one in the
7827
            * response - HelloRetryRequest.
7828
            */
7829
            if (ext->resp == 0) {
7830
                ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data);
7831
                if (ret != 0)
7832
                    goto exit_dch;
7833
                /* Don't change state here as we may want to enter
7834
                 * DoTls13ClientHello again. */
7835
                ssl->options.cookieGood = 1;
7836
            }
7837
            else {
7838
                ERROR_OUT(HRR_COOKIE_ERROR, exit_dch);
7839
            }
7840
        }
7841
        else {
7842
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS13_NO_HRR_ON_RESUME)
7843
            /* Don't error out as we may be resuming. We confirm this later. */
7844
            if (!ssl->options.dtls)
7845
#endif
7846
                ERROR_OUT(HRR_COOKIE_ERROR, exit_dch);
7847
        }
7848
    }
7849
#endif
7850
7851
0
#ifdef HAVE_SUPPORTED_CURVES
7852
0
    if (ssl->hrr_keyshare_group != 0) {
7853
        /*
7854
         * https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8
7855
         *   when sending the new ClientHello, the client MUST
7856
         *   replace the original "key_share" extension with one containing only
7857
         *   a new KeyShareEntry for the group indicated in the selected_group
7858
         *   field of the triggering HelloRetryRequest.
7859
         */
7860
0
        TLSX* extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
7861
0
        if (extension != NULL) {
7862
0
            KeyShareEntry* kse = (KeyShareEntry*)extension->data;
7863
            /* Exactly one KeyShareEntry with the HRR group must be present. */
7864
0
            if (kse == NULL || kse->next != NULL ||
7865
0
                                        kse->group != ssl->hrr_keyshare_group) {
7866
0
                ERROR_OUT(BAD_KEY_SHARE_DATA, exit_dch);
7867
0
            }
7868
0
        }
7869
0
        else
7870
0
            ERROR_OUT(BAD_KEY_SHARE_DATA, exit_dch);
7871
0
    }
7872
0
#endif
7873
7874
#if defined(HAVE_ECH)
7875
    /* hash clientHelloInner to hsHashesEch */
7876
    if (echX != NULL && ssl->ctx->echConfigs != NULL &&
7877
            !ssl->options.disableECH &&
7878
            ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) {
7879
        ret = EchHashHelloInner(ssl, (WOLFSSL_ECH*)echX->data);
7880
        if (ret != 0)
7881
            goto exit_dch;
7882
        ((WOLFSSL_ECH*)echX->data)->innerCount = 1;
7883
    }
7884
#endif
7885
7886
#ifdef HAVE_ALPN
7887
    /* Select the ALPN protocol before PSK selection so that the
7888
     * selected value is available to the per-PSK SNI/ALPN binding check
7889
     * inside CheckPreSharedKeys/DoPreSharedKeys. ALPN_Select itself
7890
     * only inspects ssl->extensions and the app callback; it does not
7891
     * depend on any state set during PSK validation. */
7892
    if ((ret = ALPN_Select(ssl)) != 0)
7893
        goto exit_dch;
7894
#endif
7895
#if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
7896
                                                    defined(HAVE_TLS_EXTENSIONS)
7897
    ret = CheckPreSharedKeys(ssl, input + args->begin, helloSz, ssl->clSuites,
7898
        &args->usingPSK);
7899
    if (ret != 0)
7900
        goto exit_dch;
7901
#else
7902
0
    if ((ret = HashInput(ssl, input + args->begin, (int)helloSz)) != 0)
7903
0
        goto exit_dch;
7904
0
#endif
7905
7906
#if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \
7907
                                                    defined(HAVE_TLS_EXTENSIONS)
7908
    if (!args->usingPSK
7909
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
7910
        || ssl->options.certWithExternPsk
7911
#endif
7912
    )
7913
#endif
7914
0
    {
7915
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
7916
        /* Not using PSK so don't require no KE. */
7917
        ssl->options.noPskDheKe = 0;
7918
#endif
7919
7920
0
#ifndef NO_CERTS
7921
0
        if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) {
7922
0
            WOLFSSL_MSG("Client did not send a KeyShare extension");
7923
0
            ERROR_OUT(INCOMPLETE_DATA, exit_dch);
7924
0
        }
7925
        /* Can't check ssl->extensions here as SigAlgs are unconditionally
7926
           set by TLSX_PopulateExtensions */
7927
0
        if (ssl->clSuites->hashSigAlgoSz == 0) {
7928
0
            WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension");
7929
0
            ERROR_OUT(INCOMPLETE_DATA, exit_dch);
7930
0
        }
7931
#else
7932
        ERROR_OUT(INVALID_PARAMETER, exit_dch);
7933
#endif
7934
0
    }
7935
7936
0
    } /* case TLS_ASYNC_BEGIN */
7937
0
    FALL_THROUGH;
7938
7939
0
    case TLS_ASYNC_BUILD:
7940
    /* Advance state and proceed */
7941
0
    ssl->options.asyncState = TLS_ASYNC_DO;
7942
0
    FALL_THROUGH;
7943
7944
0
    case TLS_ASYNC_DO:
7945
0
    {
7946
#ifdef WOLFSSL_CERT_SETUP_CB
7947
    if ((ret = CertSetupCbWrapper(ssl)) != 0)
7948
        goto exit_dch;
7949
#endif
7950
0
#ifndef NO_CERTS
7951
0
    if (!args->usingPSK) {
7952
0
        if ((ret = MatchSuite(ssl, ssl->clSuites)) < 0) {
7953
        #ifdef WOLFSSL_ASYNC_CRYPT
7954
            if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
7955
        #endif
7956
0
                WOLFSSL_MSG("Unsupported cipher suite, ClientHello 1.3");
7957
0
            goto exit_dch;
7958
0
        }
7959
0
    }
7960
0
#endif
7961
0
#ifdef HAVE_SUPPORTED_CURVES
7962
0
    if (args->usingPSK == 2) {
7963
        /* Pick key share and Generate a new key if not present. */
7964
0
        int doHelloRetry = 0;
7965
0
        ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry);
7966
0
        if (doHelloRetry) {
7967
            /* Make sure we don't send HRR twice */
7968
0
            if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE)
7969
0
                ERROR_OUT(INVALID_PARAMETER, exit_dch);
7970
0
            ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
7971
0
            if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
7972
0
                ret = 0; /* for hello_retry return 0 */
7973
0
        }
7974
0
        if (ret != 0)
7975
0
            goto exit_dch;
7976
0
    }
7977
0
#endif
7978
7979
    /* Verify the cipher suite is the same as what was chosen in HRR.
7980
     * got_client_hello == 2 covers the stateful path.
7981
     * cookieGood covers the stateless DTLS path. */
7982
0
    if ((ssl->msgsReceived.got_client_hello == 2
7983
#ifdef WOLFSSL_SEND_HRR_COOKIE
7984
            || ssl->options.cookieGood
7985
#endif
7986
0
        ) &&
7987
0
            (ssl->options.cipherSuite0 != ssl->options.hrrCipherSuite0 ||
7988
0
             ssl->options.cipherSuite  != ssl->options.hrrCipherSuite)) {
7989
0
        WOLFSSL_MSG("Cipher suite in second ClientHello does not match "
7990
0
                    "HelloRetryRequest");
7991
0
        ERROR_OUT(INVALID_PARAMETER, exit_dch);
7992
0
    }
7993
7994
    /* Advance state and proceed */
7995
0
    ssl->options.asyncState = TLS_ASYNC_VERIFY;
7996
0
    } /* case TLS_ASYNC_BUILD || TLS_ASYNC_DO */
7997
0
    FALL_THROUGH;
7998
7999
0
    case TLS_ASYNC_VERIFY:
8000
0
    {
8001
#if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_SUPPORTED_CURVES)
8002
    /* Check if the KeyShare calculations from the previous state are complete.
8003
     * wolfSSL_AsyncPop advances ssl->options.asyncState so we may end up here
8004
     * with a pending calculation. */
8005
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
8006
    if (extension != NULL && extension->resp == 1) {
8007
        KeyShareEntry* serverKSE = (KeyShareEntry*)extension->data;
8008
        if (serverKSE != NULL &&
8009
            serverKSE->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
8010
    #if defined(WOLFSSL_HAVE_MLKEM)
8011
            if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(serverKSE->group)) {
8012
                ret = TLSX_KeyShare_HandlePqcHybridKeyServer(ssl, serverKSE,
8013
                        serverKSE->ke, serverKSE->keLen);
8014
            }
8015
            else
8016
    #endif
8017
            {
8018
                ret = TLSX_KeyShare_GenKey(ssl, serverKSE);
8019
            }
8020
            if (ret != 0)
8021
                goto exit_dch;
8022
        }
8023
    }
8024
#endif
8025
    /* Advance state and proceed */
8026
0
    ssl->options.asyncState = TLS_ASYNC_FINALIZE;
8027
0
    }
8028
0
    FALL_THROUGH;
8029
8030
0
    case TLS_ASYNC_FINALIZE:
8031
0
    {
8032
0
    *inOutIdx = args->idx;
8033
0
    ssl->options.clientState = CLIENT_HELLO_COMPLETE;
8034
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
8035
    ssl->options.pskNegotiated = (args->usingPSK != 0);
8036
#endif
8037
8038
0
    if (!args->usingPSK) {
8039
0
#ifndef NO_CERTS
8040
        /* Check that the negotiated ciphersuite matches protocol version. */
8041
    #ifdef HAVE_NULL_CIPHER
8042
        if (ssl->options.cipherSuite0 == ECC_BYTE &&
8043
                              (ssl->options.cipherSuite == TLS_SHA256_SHA256 ||
8044
                               ssl->options.cipherSuite == TLS_SHA384_SHA384)) {
8045
            ;
8046
        }
8047
        else
8048
    #endif
8049
    #if defined(WOLFSSL_SM4_GCM) && defined(WOLFSSL_SM3)
8050
        if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
8051
                ssl->options.cipherSuite == TLS_SM4_GCM_SM3) {
8052
            ; /* Do nothing. */
8053
        }
8054
        else
8055
    #endif
8056
    #if defined(WOLFSSL_SM4_CCM) && defined(WOLFSSL_SM3)
8057
        if (ssl->options.cipherSuite0 == CIPHER_BYTE &&
8058
                ssl->options.cipherSuite == TLS_SM4_CCM_SM3) {
8059
            ; /* Do nothing. */
8060
        }
8061
        else
8062
    #endif
8063
0
        if (ssl->options.cipherSuite0 != TLS13_BYTE) {
8064
0
            WOLFSSL_MSG("Negotiated ciphersuite from lesser version than "
8065
0
                        "TLS v1.3");
8066
0
            ERROR_OUT(MATCH_SUITE_ERROR, exit_dch);
8067
0
        }
8068
8069
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
8070
        if (ssl->options.resuming) {
8071
            ssl->options.resuming = 0;
8072
            ssl->arrays->psk_keySz = 0;
8073
            XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
8074
        }
8075
    #endif
8076
8077
        /* Derive early secret for handshake secret. */
8078
0
        if ((ret = DeriveEarlySecret(ssl)) != 0)
8079
0
            goto exit_dch;
8080
0
#endif /* !NO_CERTS */
8081
0
    }
8082
0
    break;
8083
0
    } /* case TLS_ASYNC_FINALIZE */
8084
0
    default:
8085
0
        ret = INPUT_CASE_ERROR;
8086
0
    } /* switch (ssl->options.asyncState) */
8087
8088
#ifdef WOLFSSL_SEND_HRR_COOKIE
8089
    if (ret == 0 && ssl->options.sendCookie) {
8090
        if (ssl->options.cookieGood &&
8091
                ssl->options.acceptState == TLS13_ACCEPT_FIRST_REPLY_DONE) {
8092
            /* Processing second ClientHello. Clear HRR state. */
8093
            ssl->options.serverState = NULL_STATE;
8094
        }
8095
8096
        if (ssl->options.cookieGood &&
8097
            ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
8098
            /* If we already verified the peer with a cookie then we can't
8099
             * do another HRR for cipher negotiation. Send alert and restart
8100
             * the entire handshake. */
8101
            ERROR_OUT(INVALID_PARAMETER, exit_dch);
8102
        }
8103
#ifdef WOLFSSL_DTLS13
8104
        if (ssl->options.dtls &&
8105
            ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
8106
            /* Cookie and key share negotiation should be handled in
8107
             * DoClientHelloStateless. If we enter here then something went
8108
             * wrong in our logic. */
8109
            ERROR_OUT(BAD_HELLO, exit_dch);
8110
        }
8111
#endif
8112
        /* Send a cookie */
8113
        if (!ssl->options.cookieGood &&
8114
            ssl->options.serverState != SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
8115
#ifdef WOLFSSL_DTLS13
8116
            if (ssl->options.dtls) {
8117
#ifdef WOLFSSL_DTLS13_NO_HRR_ON_RESUME
8118
                /* We can skip cookie on resumption */
8119
                if (!ssl->options.dtls || !ssl->options.dtls13NoHrrOnResume ||
8120
                        !args->usingPSK)
8121
#endif
8122
                    ERROR_OUT(BAD_HELLO, exit_dch);
8123
            }
8124
            else
8125
#endif
8126
            {
8127
                /* Need to remove the keyshare ext if we found a common group
8128
                 * and are not doing curve negotiation. */
8129
                TLSX_Remove(&ssl->extensions, TLSX_KEY_SHARE, ssl->heap);
8130
                ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
8131
            }
8132
8133
        }
8134
    }
8135
#endif /* WOLFSSL_DTLS13 */
8136
8137
#ifdef WOLFSSL_DTLS_CID
8138
    /* do not modify CID state if we are sending an HRR  */
8139
    if (ret == 0 && ssl->options.dtls && ssl->options.useDtlsCID &&
8140
            ssl->options.serverState != SERVER_HELLO_RETRY_REQUEST_COMPLETE)
8141
        DtlsCIDOnExtensionsParsed(ssl);
8142
#endif /* WOLFSSL_DTLS_CID */
8143
8144
8145
8146
0
exit_dch:
8147
8148
0
    WOLFSSL_LEAVE("DoTls13ClientHello", ret);
8149
8150
#ifdef WOLFSSL_ASYNC_CRYPT
8151
    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
8152
        ssl->msgsReceived.got_client_hello = 0;
8153
        return ret;
8154
    }
8155
#endif
8156
8157
0
    FreeDch13Args(ssl, args);
8158
#ifdef WOLFSSL_ASYNC_CRYPT
8159
    FreeAsyncCtx(ssl, 0);
8160
#endif
8161
0
    WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
8162
8163
0
    if (ret != 0) {
8164
0
        WOLFSSL_ERROR_VERBOSE(ret);
8165
0
    }
8166
8167
#if defined(HAVE_ECH)
8168
    if (ret == 0 && echX != NULL &&
8169
        ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE &&
8170
        ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) {
8171
8172
        /* add the header to the inner hello */
8173
        AddTls13HandShakeHeader(((WOLFSSL_ECH*)echX->data)->innerClientHello,
8174
            ((WOLFSSL_ECH*)echX->data)->innerClientHelloLen, 0, 0,
8175
            client_hello, ssl);
8176
    }
8177
#endif
8178
8179
0
    return ret;
8180
0
}
8181
8182
/* Send TLS v1.3 ServerHello message to client.
8183
 * Only a server will send this message.
8184
 *
8185
 * ssl  The SSL/TLS object.
8186
 * returns 0 on success, otherwise failure.
8187
 */
8188
/* handle generation of TLS 1.3 server_hello (2) */
8189
int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType)
8190
0
{
8191
0
    int    ret;
8192
0
    byte*  output;
8193
0
    word16 length;
8194
0
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
8195
0
    int    sendSz;
8196
#if defined(HAVE_ECH)
8197
    TLSX* echX = NULL;
8198
    byte* acceptLabel = (byte*)echAcceptConfirmationLabel;
8199
    word32 acceptOffset;
8200
    word16 acceptLabelSz = ECH_ACCEPT_CONFIRMATION_LABEL_SZ;
8201
#endif
8202
8203
0
    WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND);
8204
0
    WOLFSSL_ENTER("SendTls13ServerHello");
8205
8206
    /* When ssl->options.dtlsStateful is not set then cookie is calculated in
8207
     * dtls.c */
8208
0
    if (extMsgType == hello_retry_request
8209
#ifdef WOLFSSL_DTLS13
8210
            && (!ssl->options.dtls || ssl->options.dtlsStateful)
8211
#endif
8212
0
            ) {
8213
0
        WOLFSSL_MSG("wolfSSL Sending HelloRetryRequest");
8214
0
        if ((ret = RestartHandshakeHash(ssl)) < 0)
8215
0
            return ret;
8216
0
    }
8217
8218
0
    ssl->options.buildingMsg = 1;
8219
#ifdef WOLFSSL_DTLS13
8220
    if (ssl->options.dtls)
8221
        idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
8222
#endif /* WOLFSSL_DTLS13 */
8223
8224
    /* Protocol version, server random, session id, cipher suite, compression
8225
     * and extensions.
8226
     */
8227
0
    length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session->sessionIDSz +
8228
0
             SUITE_LEN + COMP_LEN;
8229
0
    ret = TLSX_GetResponseSize(ssl, extMsgType, &length);
8230
0
    if (ret != 0)
8231
0
        return ret;
8232
0
    sendSz = (int)(idx + length);
8233
8234
    /* Check buffers are big enough and grow if needed. */
8235
0
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
8236
0
        return ret;
8237
8238
    /* Get position in output buffer to write new message to. */
8239
0
    output = GetOutputBuffer(ssl);
8240
8241
    /* Put the record and handshake headers on. */
8242
0
    AddTls13Headers(output, length, server_hello, ssl);
8243
8244
    /* The protocol version must be TLS v1.2 for middleboxes. */
8245
0
    output[idx++] = ssl->version.major;
8246
0
    output[idx++] = ssl->options.dtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR;
8247
8248
0
    if (extMsgType == server_hello) {
8249
        /* Generate server random. */
8250
0
        if ((ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN)) != 0)
8251
0
            return ret;
8252
0
    }
8253
0
    else {
8254
        /* HelloRetryRequest message has fixed value for random. */
8255
0
        XMEMCPY(output + idx, helloRetryRequestRandom, RAN_LEN);
8256
0
    }
8257
8258
#if defined(HAVE_ECH)
8259
    /* last 8 bytes of server random */
8260
    acceptOffset = idx + RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ;
8261
#endif
8262
8263
    /* Store in SSL for debugging. */
8264
0
    XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN);
8265
0
    idx += RAN_LEN;
8266
8267
#ifdef WOLFSSL_DEBUG_TLS
8268
    WOLFSSL_MSG("Server random");
8269
    WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
8270
#endif
8271
8272
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID)
8273
    if (ssl->options.dtls) {
8274
        /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty
8275
         * legacy_session_id_echo. */
8276
        output[idx++] = 0;
8277
    }
8278
    else
8279
#endif
8280
0
    {
8281
0
        output[idx++] = ssl->session->sessionIDSz;
8282
0
        if (ssl->session->sessionIDSz > 0) {
8283
0
            XMEMCPY(output + idx, ssl->session->sessionID,
8284
0
                ssl->session->sessionIDSz);
8285
0
            idx += ssl->session->sessionIDSz;
8286
0
        }
8287
0
    }
8288
8289
    /* Chosen cipher suite */
8290
0
    output[idx++] = ssl->options.cipherSuite0;
8291
0
    output[idx++] = ssl->options.cipherSuite;
8292
#ifdef WOLFSSL_DEBUG_TLS
8293
    WOLFSSL_MSG("Chosen cipher suite:");
8294
    WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0,
8295
                                      ssl->options.cipherSuite));
8296
#endif
8297
8298
    /* Compression not supported in TLS v1.3. */
8299
0
    output[idx++] = 0;
8300
8301
    /* Extensions */
8302
0
    ret = TLSX_WriteResponse(ssl, output + idx, extMsgType, NULL);
8303
0
    if (ret != 0)
8304
0
        return ret;
8305
8306
    /* When we send a HRR, we store the selected key share group to later check
8307
     * that the client uses the same group in the second ClientHello.
8308
     *
8309
     * In case of stateless DTLS, we do not store the group, however, as it is
8310
     * already stored in the cookie that is sent to the client. We later recover
8311
     * the group from the cookie to prevent storing a state in a stateless
8312
     * server.
8313
     *
8314
     * Similar logic holds for the hrrCipherSuite. */
8315
0
    if (extMsgType == hello_retry_request
8316
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
8317
        && (!ssl->options.dtls || ssl->options.dtlsStateful)
8318
#endif
8319
0
    ) {
8320
0
        TLSX* ksExt = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
8321
0
        if (ksExt != NULL) {
8322
0
            KeyShareEntry* kse = (KeyShareEntry*)ksExt->data;
8323
0
            if (kse != NULL)
8324
0
                ssl->hrr_keyshare_group = kse->group;
8325
0
        }
8326
8327
0
        ssl->options.hrrCipherSuite0 = ssl->options.cipherSuite0;
8328
0
        ssl->options.hrrCipherSuite  = ssl->options.cipherSuite;
8329
0
    }
8330
8331
#ifdef WOLFSSL_SEND_HRR_COOKIE
8332
    if (ssl->options.sendCookie && extMsgType == hello_retry_request) {
8333
        /* Reset the hashes from here. We will be able to restart the hashes
8334
         * from the cookie in RestartHandshakeHashWithCookie */
8335
#ifdef WOLFSSL_DTLS13
8336
        /* When ssl->options.dtlsStateful is not set then cookie is calculated
8337
         * in dtls.c */
8338
        if (ssl->options.dtls && !ssl->options.dtlsStateful)
8339
            ret = 0;
8340
        else
8341
#endif
8342
            ret = InitHandshakeHashes(ssl);
8343
    }
8344
    else
8345
#endif
8346
0
    {
8347
#ifdef WOLFSSL_DTLS13
8348
        if (ssl->options.dtls) {
8349
            ret = Dtls13HashHandshake(
8350
                ssl,
8351
                output + Dtls13GetRlHeaderLength(ssl, 0) ,
8352
                (word16)sendSz - Dtls13GetRlHeaderLength(ssl, 0));
8353
        }
8354
        else
8355
#endif /* WOLFSSL_DTLS13 */
8356
0
        {
8357
#if defined(HAVE_ECH)
8358
            if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
8359
                echX = TLSX_Find(ssl->extensions, TLSX_ECH);
8360
                if (echX == NULL)
8361
                    return WOLFSSL_FATAL_ERROR;
8362
                /* use hrr offset */
8363
                if (extMsgType == hello_retry_request) {
8364
                    acceptOffset =
8365
                        (word32)(((WOLFSSL_ECH*)echX->data)->confBuf - output);
8366
                    acceptLabel = (byte*)echHrrAcceptConfirmationLabel;
8367
                    acceptLabelSz = ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ;
8368
                }
8369
                /* replace the last 8 bytes of server random with the accept */
8370
                if (((WOLFSSL_ECH*)echX->data)->state == ECH_PARSED_INTERNAL) {
8371
                    if (ret == 0) {
8372
                        ret = EchWriteAcceptance(ssl, acceptLabel,
8373
                            acceptLabelSz, output + RECORD_HEADER_SZ,
8374
                            acceptOffset - RECORD_HEADER_SZ,
8375
                            sendSz - RECORD_HEADER_SZ, extMsgType);
8376
                    }
8377
                    if (extMsgType == hello_retry_request) {
8378
                        /* reset the ech state for round 2 */
8379
                        ((WOLFSSL_ECH*)echX->data)->state = ECH_WRITE_NONE;
8380
                        /* inner hello no longer needed, free it */
8381
                        XFREE(((WOLFSSL_ECH*)echX->data)->innerClientHello,
8382
                              ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
8383
                        ((WOLFSSL_ECH*)echX->data)->innerClientHello = NULL;
8384
                    }
8385
                    else {
8386
                        if (ret == 0) {
8387
                            /* update serverRandom on success */
8388
                            XMEMCPY(ssl->arrays->serverRandom,
8389
                                output + acceptOffset -
8390
                                (RAN_LEN -ECH_ACCEPT_CONFIRMATION_SZ), RAN_LEN);
8391
                        }
8392
                        /* remove ech so we don't keep sending it in write */
8393
                        TLSX_Remove(&ssl->extensions, TLSX_ECH, ssl->heap);
8394
                    }
8395
                }
8396
            }
8397
#endif
8398
0
            if (ret == 0)
8399
0
                ret = HashOutput(ssl, output, sendSz, 0);
8400
0
        }
8401
0
    }
8402
8403
0
    if (ret != 0)
8404
0
        return ret;
8405
8406
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
8407
    if (ssl->hsInfoOn)
8408
        AddPacketName(ssl, "ServerHello");
8409
    if (ssl->toInfoOn) {
8410
        ret = AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz,
8411
                      WRITE_PROTO, 0, ssl->heap);
8412
        if (ret != 0)
8413
            return ret;
8414
    }
8415
    #endif
8416
8417
0
    if (extMsgType == server_hello)
8418
0
        ssl->options.serverState = SERVER_HELLO_COMPLETE;
8419
8420
0
    ssl->options.buildingMsg = 0;
8421
#ifdef WOLFSSL_DTLS13
8422
    if (ssl->options.dtls) {
8423
        ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)sendSz,
8424
            (enum HandShakeType)extMsgType, 0);
8425
8426
        WOLFSSL_LEAVE("SendTls13ServerHello", ret);
8427
        WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);
8428
        return ret;
8429
    }
8430
#endif /* WOLFSSL_DTLS13 */
8431
8432
0
    ssl->buffers.outputBuffer.length += (word32)sendSz;
8433
8434
0
    if (!ssl->options.groupMessages || extMsgType != server_hello)
8435
0
        ret = SendBuffered(ssl);
8436
8437
0
    WOLFSSL_LEAVE("SendTls13ServerHello", ret);
8438
0
    WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);
8439
8440
0
    return ret;
8441
0
}
8442
8443
/* handle generation of TLS 1.3 encrypted_extensions (8) */
8444
/* Send the rest of the extensions encrypted under the handshake key.
8445
 * This message is always encrypted in TLS v1.3.
8446
 * Only a server will send this message.
8447
 *
8448
 * ssl  The SSL/TLS object.
8449
 * returns 0 on success, otherwise failure.
8450
 */
8451
static int SendTls13EncryptedExtensions(WOLFSSL* ssl)
8452
0
{
8453
0
    int    ret;
8454
0
    byte*  output;
8455
0
    word16 length = 0;
8456
0
    word32 idx;
8457
0
    int    sendSz;
8458
8459
0
    WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
8460
0
    WOLFSSL_ENTER("SendTls13EncryptedExtensions");
8461
8462
0
    ssl->options.buildingMsg = 1;
8463
0
    ssl->keys.encryptionOn = 1;
8464
8465
#ifdef WOLFSSL_DTLS13
8466
    if (ssl->options.dtls) {
8467
        idx = Dtls13GetHeadersLength(ssl, encrypted_extensions);
8468
    }
8469
    else
8470
#endif /* WOLFSSL_DTLS13 */
8471
0
    {
8472
0
        idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
8473
0
    }
8474
8475
0
#if defined(HAVE_SUPPORTED_CURVES) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
8476
0
    if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0)
8477
0
        return ret;
8478
0
#endif
8479
8480
    /* Derive the handshake secret now that we are at first message to be
8481
     * encrypted under the keys.
8482
     */
8483
0
    if ((ret = DeriveHandshakeSecret(ssl)) != 0)
8484
0
        return ret;
8485
0
    if ((ret = DeriveTls13Keys(ssl, handshake_key,
8486
0
                               ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0)
8487
0
        return ret;
8488
8489
    /* Setup encrypt/decrypt keys for following messages. */
8490
#ifdef WOLFSSL_EARLY_DATA
8491
    if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
8492
        return ret;
8493
    if (ssl->earlyData != process_early_data) {
8494
        if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
8495
            return ret;
8496
    }
8497
#else
8498
0
    if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
8499
0
        return ret;
8500
0
#endif
8501
#ifdef WOLFSSL_QUIC
8502
    if (IsAtLeastTLSv1_3(ssl->version) && WOLFSSL_IS_QUIC(ssl)) {
8503
        ret = wolfSSL_quic_add_transport_extensions(ssl, encrypted_extensions);
8504
        if (ret != 0)
8505
            return ret;
8506
    }
8507
#endif
8508
8509
#ifdef WOLFSSL_DTLS13
8510
    if (ssl->options.dtls) {
8511
        w64wrapper epochHandshake = w64From32(0, DTLS13_EPOCH_HANDSHAKE);
8512
        ssl->dtls13Epoch = epochHandshake;
8513
8514
        ret = Dtls13SetEpochKeys(
8515
            ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE);
8516
        if (ret != 0)
8517
            return ret;
8518
8519
    }
8520
#endif /* WOLFSSL_DTLS13 */
8521
8522
0
    ret = TLSX_GetResponseSize(ssl, encrypted_extensions, &length);
8523
0
    if (ret != 0)
8524
0
        return ret;
8525
8526
0
    sendSz = (int)(idx + length);
8527
    /* Encryption always on. */
8528
0
    sendSz += MAX_MSG_EXTRA;
8529
8530
    /* Check buffers are big enough and grow if needed. */
8531
0
    ret = CheckAvailableSize(ssl, sendSz);
8532
0
    if (ret != 0)
8533
0
        return ret;
8534
8535
    /* Get position in output buffer to write new message to. */
8536
0
    output = GetOutputBuffer(ssl);
8537
8538
    /* Put the record and handshake headers on. */
8539
0
    AddTls13Headers(output, length, encrypted_extensions, ssl);
8540
8541
0
    ret = TLSX_WriteResponse(ssl, output + idx, encrypted_extensions, NULL);
8542
0
    if (ret != 0)
8543
0
        return ret;
8544
0
    idx += length;
8545
8546
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
8547
    if (ssl->hsInfoOn)
8548
        AddPacketName(ssl, "EncryptedExtensions");
8549
    if (ssl->toInfoOn) {
8550
        ret = AddPacketInfo(ssl, "EncryptedExtensions", handshake, output,
8551
                      sendSz, WRITE_PROTO, 0, ssl->heap);
8552
        if (ret != 0)
8553
            return ret;
8554
    }
8555
#endif
8556
8557
#ifdef WOLFSSL_DTLS13
8558
    if (ssl->options.dtls) {
8559
        ssl->options.buildingMsg = 0;
8560
        ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)idx,
8561
                                  encrypted_extensions, 1);
8562
8563
        if (ret == 0)
8564
            ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;
8565
8566
        WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);
8567
        WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
8568
8569
        return ret;
8570
    }
8571
#endif /* WOLFSSL_DTLS13 */
8572
8573
    /* This handshake message is always encrypted. */
8574
0
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
8575
0
                               (int)(idx - RECORD_HEADER_SZ),
8576
0
                               handshake, 1, 0, 0);
8577
0
    if (sendSz < 0)
8578
0
        return sendSz;
8579
8580
0
    ssl->buffers.outputBuffer.length += (word32)sendSz;
8581
0
    ssl->options.buildingMsg = 0;
8582
0
    ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;
8583
8584
0
    if (!ssl->options.groupMessages)
8585
0
        ret = SendBuffered(ssl);
8586
8587
8588
0
    WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);
8589
0
    WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND);
8590
8591
0
    return ret;
8592
0
}
8593
8594
#ifndef NO_CERTS
8595
/* handle generation TLS v1.3 certificate_request (13) */
8596
/* Send the TLS v1.3 CertificateRequest message.
8597
 * This message is always encrypted in TLS v1.3.
8598
 * Only a server will send this message.
8599
 *
8600
 * ssl        SSL/TLS object.
8601
 * reqCtx     Request context.
8602
 * reqCtxLen  Length of context. 0 when sending as part of handshake.
8603
 * returns 0 on success, otherwise failure.
8604
 */
8605
static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
8606
                                       word32 reqCtxLen)
8607
0
{
8608
0
    byte*   output;
8609
0
    int    ret;
8610
0
    int    sendSz;
8611
0
    word32 i;
8612
0
    word32 reqSz;
8613
0
    SignatureAlgorithms* sa;
8614
8615
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND);
8616
0
    WOLFSSL_ENTER("SendTls13CertificateRequest");
8617
8618
0
    ssl->options.buildingMsg = 1;
8619
8620
0
    if (ssl->options.side != WOLFSSL_SERVER_END)
8621
0
        return SIDE_ERROR;
8622
8623
    /* Use ssl->suites->hashSigAlgo so wolfSSL_set1_sigalgs_list() is honored.
8624
     * hashSigAlgoSz=0 makes GetSize/Write fall back to WOLFSSL_SUITES(ssl). */
8625
0
    sa = TLSX_SignatureAlgorithms_New(ssl, 0, ssl->heap);
8626
0
    if (sa == NULL)
8627
0
        return MEMORY_ERROR;
8628
0
    ret = TLSX_Push(&ssl->extensions, TLSX_SIGNATURE_ALGORITHMS, sa, ssl->heap);
8629
0
    if (ret != 0) {
8630
0
        TLSX_SignatureAlgorithms_FreeAll(sa, ssl->heap);
8631
0
        return ret;
8632
0
    }
8633
8634
0
    i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
8635
#ifdef WOLFSSL_DTLS13
8636
    if (ssl->options.dtls)
8637
        i = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ;
8638
#endif /* WOLFSSL_DTLS13 */
8639
8640
0
    reqSz = (word16)(OPAQUE8_LEN + reqCtxLen);
8641
0
    ret = TLSX_GetRequestSize(ssl, certificate_request, &reqSz);
8642
0
    if (ret != 0)
8643
0
        return ret;
8644
8645
0
    sendSz = (int)(i + reqSz);
8646
    /* Always encrypted and make room for padding. */
8647
0
    sendSz += MAX_MSG_EXTRA;
8648
8649
    /* Check buffers are big enough and grow if needed. */
8650
0
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
8651
0
        return ret;
8652
8653
    /* Get position in output buffer to write new message to. */
8654
0
    output = GetOutputBuffer(ssl);
8655
8656
    /* Put the record and handshake headers on. */
8657
0
    AddTls13Headers(output, reqSz, certificate_request, ssl);
8658
8659
    /* Certificate request context. */
8660
0
    output[i++] = (byte)reqCtxLen;
8661
0
    if (reqCtxLen != 0) {
8662
0
        XMEMCPY(output + i, reqCtx, reqCtxLen);
8663
0
        i += reqCtxLen;
8664
0
    }
8665
8666
    /* Certificate extensions. */
8667
0
    reqSz = 0;
8668
0
    ret = TLSX_WriteRequest(ssl, output + i, certificate_request, &reqSz);
8669
0
    if (ret != 0)
8670
0
        return ret;
8671
0
    i += reqSz;
8672
8673
#ifdef WOLFSSL_DTLS13
8674
    if (ssl->options.dtls) {
8675
        ssl->options.buildingMsg = 0;
8676
        ret =
8677
            Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)i,
8678
                                certificate_request, 1);
8679
8680
        WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);
8681
        WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);
8682
8683
        return ret;
8684
8685
    }
8686
#endif /* WOLFSSL_DTLS13 */
8687
8688
    /* Always encrypted. */
8689
0
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
8690
0
                               (int)(i - RECORD_HEADER_SZ), handshake, 1, 0, 0);
8691
0
    if (sendSz < 0)
8692
0
        return sendSz;
8693
8694
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
8695
        if (ssl->hsInfoOn)
8696
            AddPacketName(ssl, "CertificateRequest");
8697
        if (ssl->toInfoOn) {
8698
            ret = AddPacketInfo(ssl, "CertificateRequest", handshake, output,
8699
                          sendSz, WRITE_PROTO, 0, ssl->heap);
8700
            if (ret != 0)
8701
                return ret;
8702
        }
8703
    #endif
8704
8705
0
    ssl->buffers.outputBuffer.length += (word32)sendSz;
8706
0
    ssl->options.buildingMsg = 0;
8707
0
    if (!ssl->options.groupMessages)
8708
0
        ret = SendBuffered(ssl);
8709
8710
0
    WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);
8711
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);
8712
8713
0
    return ret;
8714
0
}
8715
#endif /* NO_CERTS */
8716
#endif /* NO_WOLFSSL_SERVER */
8717
8718
#ifndef NO_CERTS
8719
#if (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)) && \
8720
    (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
8721
     defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA))
8722
/* Encode the signature algorithm into buffer.
8723
 *
8724
 * hashalgo  The hash algorithm.
8725
 * hsType   The signature type.
8726
 * output    The buffer to encode into.
8727
 */
8728
static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo,
8729
    byte hsType, byte* output)
8730
0
{
8731
0
    (void)ssl;
8732
0
    switch (hsType) {
8733
0
#ifdef HAVE_ECC
8734
0
        case ecc_dsa_sa_algo:
8735
0
            if (ssl->pkCurveOID == ECC_BRAINPOOLP256R1_OID) {
8736
0
                output[0] = NEW_SA_MAJOR;
8737
0
                output[1] = ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR;
8738
0
            }
8739
0
            else if (ssl->pkCurveOID == ECC_BRAINPOOLP384R1_OID) {
8740
0
                output[0] = NEW_SA_MAJOR;
8741
0
                output[1] = ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR;
8742
0
            }
8743
0
            else if (ssl->pkCurveOID == ECC_BRAINPOOLP512R1_OID) {
8744
0
                output[0] = NEW_SA_MAJOR;
8745
0
                output[1] = ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR;
8746
0
            }
8747
0
            else {
8748
0
                output[0] = hashAlgo;
8749
0
                output[1] = ecc_dsa_sa_algo;
8750
0
            }
8751
0
            break;
8752
0
#endif
8753
#if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
8754
        case sm2_sa_algo:
8755
            output[0] = SM2_SA_MAJOR;
8756
            output[1] = SM2_SA_MINOR;
8757
            break;
8758
#endif
8759
#ifdef HAVE_ED25519
8760
        /* ED25519: 0x0807 */
8761
        case ed25519_sa_algo:
8762
            output[0] = ED25519_SA_MAJOR;
8763
            output[1] = ED25519_SA_MINOR;
8764
            (void)hashAlgo;
8765
            break;
8766
#endif
8767
#ifdef HAVE_ED448
8768
        /* ED448: 0x0808 */
8769
        case ed448_sa_algo:
8770
            output[0] = ED448_SA_MAJOR;
8771
            output[1] = ED448_SA_MINOR;
8772
            (void)hashAlgo;
8773
            break;
8774
#endif
8775
0
#ifndef NO_RSA
8776
        /* PSS signatures: 0x080[4-6] or 0x080[9-B] */
8777
0
        case rsa_pss_sa_algo:
8778
0
            output[0] = rsa_pss_sa_algo;
8779
0
#ifdef WC_RSA_PSS
8780
            /* If the private key uses the RSA-PSS OID, and the peer supports
8781
             * the rsa_pss_pss_* signature algorithm in use, then report
8782
             * rsa_pss_pss_* rather than rsa_pss_rsae_*. */
8783
0
            if (ssl->useRsaPss &&
8784
0
                ((ssl->pssAlgo & (1U << hashAlgo)) != 0U) &&
8785
0
                (sha256_mac <= hashAlgo) && (hashAlgo <= sha512_mac))
8786
0
            {
8787
0
                output[1] = PSS_RSAE_TO_PSS_PSS(hashAlgo);
8788
0
            }
8789
0
            else
8790
0
#endif
8791
0
            {
8792
0
                output[1] = hashAlgo;
8793
0
            }
8794
0
            break;
8795
0
#endif
8796
#ifdef HAVE_FALCON
8797
        case falcon_level1_sa_algo:
8798
            output[0] = FALCON_LEVEL1_SA_MAJOR;
8799
            output[1] = FALCON_LEVEL1_SA_MINOR;
8800
            break;
8801
        case falcon_level5_sa_algo:
8802
            output[0] = FALCON_LEVEL5_SA_MAJOR;
8803
            output[1] = FALCON_LEVEL5_SA_MINOR;
8804
            break;
8805
#endif
8806
#ifdef WOLFSSL_HAVE_MLDSA
8807
        case mldsa_44_sa_algo:
8808
            output[0] = MLDSA_44_SA_MAJOR;
8809
            output[1] = MLDSA_44_SA_MINOR;
8810
            break;
8811
        case mldsa_65_sa_algo:
8812
            output[0] = MLDSA_65_SA_MAJOR;
8813
            output[1] = MLDSA_65_SA_MINOR;
8814
            break;
8815
        case mldsa_87_sa_algo:
8816
            output[0] = MLDSA_87_SA_MAJOR;
8817
            output[1] = MLDSA_87_SA_MINOR;
8818
            break;
8819
#endif
8820
0
        default:
8821
0
            break;
8822
0
    }
8823
0
}
8824
#endif
8825
8826
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
8827
    defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA)
8828
#ifdef WOLFSSL_DUAL_ALG_CERTS
8829
/* These match up with what the OQS team has defined. */
8830
#define HYBRID_SA_MAJOR 0xFE
8831
#define HYBRID_P256_MLDSA_44_SA_MINOR            0xA1
8832
#define HYBRID_RSA3072_MLDSA_44_SA_MINOR         0xA2
8833
#define HYBRID_P384_MLDSA_65_SA_MINOR            0xA4
8834
#define HYBRID_P521_MLDSA_87_SA_MINOR            0xA6
8835
/* Falcon hybrid codepoints aligned with oqs-provider. */
8836
#define HYBRID_P256_FALCON_LEVEL1_SA_MINOR       0xD8
8837
#define HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR    0xD9
8838
#define HYBRID_P521_FALCON_LEVEL5_SA_MINOR       0xDB
8839
8840
/* Custom defined ones for PQC first */
8841
#define HYBRID_MLDSA_44_P256_SA_MINOR            0xD1
8842
#define HYBRID_MLDSA_44_RSA3072_SA_MINOR         0xD2
8843
#define HYBRID_MLDSA_65_P384_SA_MINOR            0xD3
8844
#define HYBRID_MLDSA_87_P521_SA_MINOR            0xD4
8845
#define HYBRID_FALCON_LEVEL1_P256_SA_MINOR       0xD5
8846
#define HYBRID_FALCON_LEVEL1_RSA3072_SA_MINOR    0xD6
8847
#define HYBRID_FALCON_LEVEL5_P521_SA_MINOR       0xD7
8848
8849
8850
static void EncodeDualSigAlg(byte sigAlg, byte altSigAlg, byte* output)
8851
{
8852
    /* Initialize output to error indicator. */
8853
    output[0] = 0x0;
8854
    output[1] = 0x0;
8855
8856
    if (sigAlg == ecc_dsa_sa_algo && altSigAlg == mldsa_44_sa_algo) {
8857
        output[1] = HYBRID_P256_MLDSA_44_SA_MINOR;
8858
    }
8859
    else if (sigAlg == rsa_pss_sa_algo &&
8860
             altSigAlg == mldsa_44_sa_algo) {
8861
        output[1] = HYBRID_RSA3072_MLDSA_44_SA_MINOR;
8862
    }
8863
    else if (sigAlg == ecc_dsa_sa_algo &&
8864
             altSigAlg == mldsa_65_sa_algo) {
8865
        output[1] = HYBRID_P384_MLDSA_65_SA_MINOR;
8866
    }
8867
    else if (sigAlg == ecc_dsa_sa_algo &&
8868
             altSigAlg == mldsa_87_sa_algo) {
8869
        output[1] = HYBRID_P521_MLDSA_87_SA_MINOR;
8870
    }
8871
    else if (sigAlg == ecc_dsa_sa_algo &&
8872
             altSigAlg == falcon_level1_sa_algo) {
8873
        output[1] = HYBRID_P256_FALCON_LEVEL1_SA_MINOR;
8874
    }
8875
    else if (sigAlg == rsa_pss_sa_algo &&
8876
             altSigAlg == falcon_level1_sa_algo) {
8877
        output[1] = HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR;
8878
    }
8879
    else if (sigAlg == ecc_dsa_sa_algo &&
8880
             altSigAlg == falcon_level5_sa_algo) {
8881
        output[1] = HYBRID_P521_FALCON_LEVEL5_SA_MINOR;
8882
    }
8883
    else if (sigAlg == mldsa_44_sa_algo &&
8884
             altSigAlg == ecc_dsa_sa_algo) {
8885
        output[1] = HYBRID_MLDSA_44_P256_SA_MINOR;
8886
    }
8887
    else if (sigAlg == mldsa_44_sa_algo &&
8888
             altSigAlg == rsa_pss_sa_algo) {
8889
        output[1] = HYBRID_MLDSA_44_RSA3072_SA_MINOR;
8890
    }
8891
    else if (sigAlg == mldsa_65_sa_algo &&
8892
             altSigAlg == ecc_dsa_sa_algo) {
8893
        output[1] = HYBRID_MLDSA_65_P384_SA_MINOR;
8894
    }
8895
    else if (sigAlg == mldsa_87_sa_algo &&
8896
             altSigAlg == ecc_dsa_sa_algo) {
8897
        output[1] = HYBRID_MLDSA_87_P521_SA_MINOR;
8898
    }
8899
    else if (sigAlg == falcon_level1_sa_algo &&
8900
             altSigAlg == ecc_dsa_sa_algo) {
8901
        output[1] = HYBRID_FALCON_LEVEL1_P256_SA_MINOR;
8902
    }
8903
    else if (sigAlg == falcon_level1_sa_algo &&
8904
             altSigAlg == rsa_pss_sa_algo) {
8905
        output[1] = HYBRID_FALCON_LEVEL1_RSA3072_SA_MINOR;
8906
    }
8907
    else if (sigAlg == falcon_level5_sa_algo &&
8908
             altSigAlg == ecc_dsa_sa_algo) {
8909
        output[1] = HYBRID_FALCON_LEVEL5_P521_SA_MINOR;
8910
    }
8911
8912
    if (output[1] != 0x0) {
8913
        output[0] = HYBRID_SA_MAJOR;
8914
    }
8915
}
8916
#endif /* WOLFSSL_DUAL_ALG_CERTS */
8917
8918
static enum wc_MACAlgorithm GetNewSAHashAlgo(int typeIn)
8919
0
{
8920
0
    switch (typeIn) {
8921
0
        case RSA_PSS_RSAE_SHA256_MINOR:
8922
0
        case RSA_PSS_PSS_SHA256_MINOR:
8923
0
        case ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR:
8924
0
            return sha256_mac;
8925
8926
0
        case RSA_PSS_RSAE_SHA384_MINOR:
8927
0
        case RSA_PSS_PSS_SHA384_MINOR:
8928
0
        case ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR:
8929
0
            return sha384_mac;
8930
8931
0
        case RSA_PSS_RSAE_SHA512_MINOR:
8932
0
        case RSA_PSS_PSS_SHA512_MINOR:
8933
0
        case ED25519_SA_MINOR:
8934
0
        case ED448_SA_MINOR:
8935
0
        case ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR:
8936
0
            return sha512_mac;
8937
0
        default:
8938
0
            return no_mac;
8939
0
    }
8940
0
}
8941
8942
/* Decode the signature algorithm.
8943
 *
8944
 * input     The encoded signature algorithm.
8945
 * hashalgo  The hash algorithm.
8946
 * hsType    The signature type.
8947
 * returns INVALID_PARAMETER if not recognized and 0 otherwise.
8948
 */
8949
static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo,
8950
                                       byte* hsType)
8951
0
{
8952
0
    int ret = 0;
8953
8954
0
    switch (input[0]) {
8955
    #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
8956
        case SM2_SA_MAJOR:
8957
            if (input[1] == SM2_SA_MINOR) {
8958
                *hsType = sm2_sa_algo;
8959
                *hashAlgo = sm3_mac;
8960
            }
8961
            else
8962
                ret = INVALID_PARAMETER;
8963
            break;
8964
    #endif
8965
0
        case NEW_SA_MAJOR:
8966
0
        {
8967
0
            enum wc_MACAlgorithm mac = GetNewSAHashAlgo(input[1]);
8968
0
            *hashAlgo = (byte)mac;
8969
0
        }
8970
8971
            /* PSS encryption: 0x080[4-6] */
8972
0
            if (input[1] >= RSA_PSS_RSAE_SHA256_MINOR &&
8973
0
                    input[1] <= RSA_PSS_RSAE_SHA512_MINOR) {
8974
0
                *hsType   = input[0];
8975
0
            }
8976
            /* PSS signature: 0x080[9-B] */
8977
0
            else if (input[1] >= RSA_PSS_PSS_SHA256_MINOR &&
8978
0
                    input[1] <= RSA_PSS_PSS_SHA512_MINOR) {
8979
0
                *hsType   = input[0];
8980
0
            }
8981
    #ifdef HAVE_ED25519
8982
            /* ED25519: 0x0807 */
8983
            else if (input[1] == ED25519_SA_MINOR) {
8984
                *hsType = ed25519_sa_algo;
8985
                /* Hash performed as part of sign/verify operation. */
8986
            }
8987
    #endif
8988
    #ifdef HAVE_ED448
8989
            /* ED448: 0x0808 */
8990
            else if (input[1] == ED448_SA_MINOR) {
8991
                *hsType = ed448_sa_algo;
8992
                /* Hash performed as part of sign/verify operation. */
8993
            }
8994
    #endif
8995
    #ifdef HAVE_ECC_BRAINPOOL
8996
            else if ((input[1] == ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR) ||
8997
                     (input[1] == ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR) ||
8998
                     (input[1] == ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR)) {
8999
                *hsType = ecc_dsa_sa_algo;
9000
            }
9001
    #endif
9002
0
            else
9003
0
                ret = INVALID_PARAMETER;
9004
0
            break;
9005
#if defined(HAVE_FALCON)
9006
        case FALCON_SA_MAJOR:
9007
            if (input[1] == FALCON_LEVEL1_SA_MINOR) {
9008
                *hsType = falcon_level1_sa_algo;
9009
                /* Hash performed as part of sign/verify operation. */
9010
                *hashAlgo = sha512_mac;
9011
            } else if (input[1] == FALCON_LEVEL5_SA_MINOR) {
9012
                *hsType = falcon_level5_sa_algo;
9013
                /* Hash performed as part of sign/verify operation. */
9014
                *hashAlgo = sha512_mac;
9015
            }
9016
            else
9017
                ret = INVALID_PARAMETER;
9018
            break;
9019
#endif /* HAVE_FALCON */
9020
#if defined(WOLFSSL_HAVE_MLDSA)
9021
        case MLDSA_SA_MAJOR:
9022
            if (input[1] == MLDSA_44_SA_MINOR) {
9023
                *hsType = mldsa_44_sa_algo;
9024
                /* Hash performed as part of sign/verify operation. */
9025
                *hashAlgo = sha512_mac;
9026
            } else if (input[1] == MLDSA_65_SA_MINOR) {
9027
                *hsType = mldsa_65_sa_algo;
9028
                /* Hash performed as part of sign/verify operation. */
9029
                *hashAlgo = sha512_mac;
9030
            } else if (input[1] == MLDSA_87_SA_MINOR) {
9031
                *hsType = mldsa_87_sa_algo;
9032
                /* Hash performed as part of sign/verify operation. */
9033
                *hashAlgo = sha512_mac;
9034
            }
9035
            else
9036
            {
9037
                ret = INVALID_PARAMETER;
9038
            }
9039
            break;
9040
#endif /* WOLFSSL_HAVE_MLDSA */
9041
0
        default:
9042
0
            *hashAlgo = input[0];
9043
0
            *hsType   = input[1];
9044
0
            break;
9045
0
    }
9046
9047
0
    return ret;
9048
0
}
9049
9050
#ifdef WOLFSSL_DUAL_ALG_CERTS
9051
/* Decode the hybrid signature algorithm.
9052
 *
9053
 * input     The encoded signature algorithm.
9054
 * hashalgo  The hash algorithm.
9055
 * hsType    The signature type.
9056
 * returns INVALID_PARAMETER if not recognized and 0 otherwise.
9057
 */
9058
static WC_INLINE int DecodeTls13HybridSigAlg(byte* input, byte* hashAlg,
9059
                                             byte *sigAlg, byte *altSigAlg)
9060
{
9061
9062
    if (input[0] != HYBRID_SA_MAJOR) {
9063
        return INVALID_PARAMETER;
9064
    }
9065
9066
    if (input[1] == HYBRID_P256_MLDSA_44_SA_MINOR) {
9067
        *sigAlg = ecc_dsa_sa_algo;
9068
        *hashAlg = sha256_mac;
9069
        *altSigAlg = mldsa_44_sa_algo;
9070
    }
9071
    else if (input[1] == HYBRID_RSA3072_MLDSA_44_SA_MINOR) {
9072
        *sigAlg = rsa_pss_sa_algo;
9073
        *hashAlg = sha256_mac;
9074
        *altSigAlg = mldsa_44_sa_algo;
9075
    }
9076
    else if (input[1] == HYBRID_P384_MLDSA_65_SA_MINOR) {
9077
        *sigAlg = ecc_dsa_sa_algo;
9078
        *hashAlg = sha384_mac;
9079
        *altSigAlg = mldsa_65_sa_algo;
9080
    }
9081
    else if (input[1] == HYBRID_P521_MLDSA_87_SA_MINOR) {
9082
        *sigAlg = ecc_dsa_sa_algo;
9083
        *hashAlg = sha512_mac;
9084
        *altSigAlg = mldsa_87_sa_algo;
9085
    }
9086
    else if (input[1] == HYBRID_P256_FALCON_LEVEL1_SA_MINOR) {
9087
        *sigAlg = ecc_dsa_sa_algo;
9088
        *hashAlg = sha256_mac;
9089
        *altSigAlg = falcon_level1_sa_algo;
9090
    }
9091
    else if (input[1] == HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR) {
9092
        *sigAlg = rsa_pss_sa_algo;
9093
        *hashAlg = sha256_mac;
9094
        *altSigAlg = falcon_level1_sa_algo;
9095
    }
9096
    else if (input[1] == HYBRID_P521_FALCON_LEVEL5_SA_MINOR) {
9097
        *sigAlg = ecc_dsa_sa_algo;
9098
        *hashAlg = sha512_mac;
9099
        *altSigAlg = falcon_level5_sa_algo;
9100
    }
9101
    else if (input[1] == HYBRID_MLDSA_44_P256_SA_MINOR) {
9102
        *sigAlg = mldsa_44_sa_algo;
9103
        *hashAlg = sha256_mac;
9104
        *altSigAlg = ecc_dsa_sa_algo;
9105
    }
9106
    else if (input[1] == HYBRID_MLDSA_44_RSA3072_SA_MINOR) {
9107
        *sigAlg = mldsa_44_sa_algo;
9108
        *hashAlg = sha256_mac;
9109
        *altSigAlg = rsa_pss_sa_algo;
9110
    }
9111
    else if (input[1] == HYBRID_MLDSA_65_P384_SA_MINOR) {
9112
        *sigAlg = mldsa_65_sa_algo;
9113
        *hashAlg = sha384_mac;
9114
        *altSigAlg = ecc_dsa_sa_algo;
9115
    }
9116
    else if (input[1] == HYBRID_MLDSA_87_P521_SA_MINOR) {
9117
        *sigAlg = mldsa_87_sa_algo;
9118
        *hashAlg = sha512_mac;
9119
        *altSigAlg = ecc_dsa_sa_algo;
9120
    }
9121
    else if (input[1] == HYBRID_FALCON_LEVEL1_P256_SA_MINOR) {
9122
        *sigAlg = falcon_level1_sa_algo;
9123
        *hashAlg = sha256_mac;
9124
        *altSigAlg = ecc_dsa_sa_algo;
9125
    }
9126
    else if (input[1] == HYBRID_FALCON_LEVEL1_RSA3072_SA_MINOR) {
9127
        *sigAlg = falcon_level1_sa_algo;
9128
        *hashAlg = sha256_mac;
9129
        *altSigAlg = rsa_pss_sa_algo;
9130
    }
9131
    else if (input[1] == HYBRID_FALCON_LEVEL5_P521_SA_MINOR) {
9132
        *sigAlg = falcon_level5_sa_algo;
9133
        *hashAlg = sha512_mac;
9134
        *altSigAlg = ecc_dsa_sa_algo;
9135
    }
9136
    else {
9137
        return INVALID_PARAMETER;
9138
    }
9139
9140
    return 0;
9141
}
9142
#endif /* WOLFSSL_DUAL_ALG_CERTS */
9143
9144
/* Get the hash of the messages so far.
9145
 *
9146
 * ssl   The SSL/TLS object.
9147
 * hash  The buffer to write the hash to.
9148
 * returns the length of the hash.
9149
 */
9150
static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash)
9151
0
{
9152
0
    int ret = 0;
9153
0
    switch (ssl->specs.mac_algorithm) {
9154
0
    #ifndef NO_SHA256
9155
0
        case sha256_mac:
9156
0
            ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
9157
0
            if (ret == 0)
9158
0
                ret = WC_SHA256_DIGEST_SIZE;
9159
0
            break;
9160
0
    #endif /* !NO_SHA256 */
9161
0
    #ifdef WOLFSSL_SHA384
9162
0
        case sha384_mac:
9163
0
            ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
9164
0
            if (ret == 0)
9165
0
                ret = WC_SHA384_DIGEST_SIZE;
9166
0
            break;
9167
0
    #endif /* WOLFSSL_SHA384 */
9168
    #ifdef WOLFSSL_TLS13_SHA512
9169
        case sha512_mac:
9170
            ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
9171
            if (ret == 0)
9172
                ret = WC_SHA512_DIGEST_SIZE;
9173
            break;
9174
    #endif /* WOLFSSL_TLS13_SHA512 */
9175
    #ifdef WOLFSSL_SM3
9176
        case sm3_mac:
9177
            ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
9178
            if (ret == 0)
9179
                ret = WC_SM3_DIGEST_SIZE;
9180
            break;
9181
    #endif /* WOLFSSL_SM3 */
9182
0
        default:
9183
0
            break;
9184
0
    }
9185
0
    return ret;
9186
0
}
9187
9188
/* The server certificate verification label. */
9189
static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] =
9190
    "TLS 1.3, server CertificateVerify";
9191
/* The client certificate verification label. */
9192
static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] =
9193
    "TLS 1.3, client CertificateVerify";
9194
/* The prefix byte in the signature data. */
9195
#define SIGNING_DATA_PREFIX_BYTE   0x20
9196
9197
/* Create the signature data for TLS v1.3 certificate verification.
9198
 *
9199
 * ssl        The SSL/TLS object.
9200
 * sigData    The signature data.
9201
 * sigDataSz  The length of the signature data.
9202
 * check      Indicates this is a check not create.
9203
 */
9204
int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
9205
                  int check)
9206
0
{
9207
0
    word16 idx;
9208
0
    int side = ssl->options.side;
9209
0
    int ret;
9210
9211
    /* Signature Data = Prefix | Label | Handshake Hash */
9212
0
    XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ);
9213
0
    idx = SIGNING_DATA_PREFIX_SZ;
9214
9215
0
    if ((side == WOLFSSL_SERVER_END && check) ||
9216
0
        (side == WOLFSSL_CLIENT_END && !check)) {
9217
0
        XMEMCPY(&sigData[idx], clientCertVfyLabel, CERT_VFY_LABEL_SZ);
9218
0
    }
9219
0
    if ((side == WOLFSSL_CLIENT_END && check) ||
9220
0
        (side == WOLFSSL_SERVER_END && !check)) {
9221
0
        XMEMCPY(&sigData[idx], serverCertVfyLabel, CERT_VFY_LABEL_SZ);
9222
0
    }
9223
0
    idx += CERT_VFY_LABEL_SZ;
9224
9225
0
    ret = GetMsgHash(ssl, &sigData[idx]);
9226
0
    if (ret < 0)
9227
0
        return ret;
9228
0
    if (ret == 0)
9229
0
        return HASH_TYPE_E;
9230
9231
0
    *sigDataSz = (word16)(idx + ret);
9232
0
    ret = 0;
9233
9234
0
    return ret;
9235
0
}
9236
9237
#ifndef NO_RSA
9238
/* Encode the PKCS #1.5 RSA signature.
9239
 *
9240
 * sig        The buffer to place the encoded signature into.
9241
 * sigData    The data to be signed.
9242
 * sigDataSz  The size of the data to be signed.
9243
 * hashAlgo   The hash algorithm to use when signing.
9244
 * returns the length of the encoded signature or negative on error.
9245
 */
9246
int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
9247
                        int sigAlgo, int hashAlgo)
9248
0
{
9249
0
    Digest digest;
9250
0
    int    hashSz = 0;
9251
0
    int    ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
9252
0
    byte*  hash;
9253
9254
0
    (void)sigAlgo;
9255
9256
0
    hash = sig;
9257
9258
    /* Digest the signature data. */
9259
0
    switch (hashAlgo) {
9260
0
#ifndef NO_SHA256
9261
0
        case sha256_mac:
9262
0
            ret = wc_InitSha256(&digest.sha256);
9263
0
            if (ret == 0) {
9264
0
                ret = wc_Sha256Update(&digest.sha256, sigData, (word32)sigDataSz);
9265
0
                if (ret == 0)
9266
0
                    ret = wc_Sha256Final(&digest.sha256, hash);
9267
0
                wc_Sha256Free(&digest.sha256);
9268
0
            }
9269
0
            hashSz = WC_SHA256_DIGEST_SIZE;
9270
0
            break;
9271
0
#endif
9272
0
#ifdef WOLFSSL_SHA384
9273
0
        case sha384_mac:
9274
0
            ret = wc_InitSha384(&digest.sha384);
9275
0
            if (ret == 0) {
9276
0
                ret = wc_Sha384Update(&digest.sha384, sigData, (word32)sigDataSz);
9277
0
                if (ret == 0)
9278
0
                    ret = wc_Sha384Final(&digest.sha384, hash);
9279
0
                wc_Sha384Free(&digest.sha384);
9280
0
            }
9281
0
            hashSz = WC_SHA384_DIGEST_SIZE;
9282
0
            break;
9283
0
#endif
9284
0
#ifdef WOLFSSL_SHA512
9285
0
        case sha512_mac:
9286
0
            ret = wc_InitSha512(&digest.sha512);
9287
0
            if (ret == 0) {
9288
0
                ret = wc_Sha512Update(&digest.sha512, sigData, (word32)sigDataSz);
9289
0
                if (ret == 0)
9290
0
                    ret = wc_Sha512Final(&digest.sha512, hash);
9291
0
                wc_Sha512Free(&digest.sha512);
9292
0
            }
9293
0
            hashSz = WC_SHA512_DIGEST_SIZE;
9294
0
            break;
9295
0
#endif
9296
0
       default:
9297
0
            ret = BAD_FUNC_ARG;
9298
0
            break;
9299
9300
0
    }
9301
9302
0
    if (ret != 0)
9303
0
        return ret;
9304
9305
0
    return hashSz;
9306
0
}
9307
#endif /* !NO_RSA */
9308
9309
#ifdef HAVE_ECC
9310
/* Encode the ECC signature.
9311
 *
9312
 * sigData    The data to be signed.
9313
 * sigDataSz  The size of the data to be signed.
9314
 * hashAlgo   The hash algorithm to use when signing.
9315
 * returns the length of the encoded signature or negative on error.
9316
 */
9317
static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
9318
0
{
9319
0
    Digest digest;
9320
0
    int    hashSz = 0;
9321
0
    int    ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
9322
9323
    /* Digest the signature data. */
9324
0
    switch (hashAlgo) {
9325
0
#ifndef NO_SHA256
9326
0
        case sha256_mac:
9327
0
            ret = wc_InitSha256(&digest.sha256);
9328
0
            if (ret == 0) {
9329
0
                ret = wc_Sha256Update(&digest.sha256, sigData, (word32)sigDataSz);
9330
0
                if (ret == 0)
9331
0
                    ret = wc_Sha256Final(&digest.sha256, sigData);
9332
0
                wc_Sha256Free(&digest.sha256);
9333
0
            }
9334
0
            hashSz = WC_SHA256_DIGEST_SIZE;
9335
0
            break;
9336
0
#endif
9337
0
#ifdef WOLFSSL_SHA384
9338
0
        case sha384_mac:
9339
0
            ret = wc_InitSha384(&digest.sha384);
9340
0
            if (ret == 0) {
9341
0
                ret = wc_Sha384Update(&digest.sha384, sigData, (word32)sigDataSz);
9342
0
                if (ret == 0)
9343
0
                    ret = wc_Sha384Final(&digest.sha384, sigData);
9344
0
                wc_Sha384Free(&digest.sha384);
9345
0
            }
9346
0
            hashSz = WC_SHA384_DIGEST_SIZE;
9347
0
            break;
9348
0
#endif
9349
0
#ifdef WOLFSSL_SHA512
9350
0
        case sha512_mac:
9351
0
            ret = wc_InitSha512(&digest.sha512);
9352
0
            if (ret == 0) {
9353
0
                ret = wc_Sha512Update(&digest.sha512, sigData, (word32)sigDataSz);
9354
0
                if (ret == 0)
9355
0
                    ret = wc_Sha512Final(&digest.sha512, sigData);
9356
0
                wc_Sha512Free(&digest.sha512);
9357
0
            }
9358
0
            hashSz = WC_SHA512_DIGEST_SIZE;
9359
0
            break;
9360
0
#endif
9361
0
        default:
9362
0
            ret = BAD_FUNC_ARG;
9363
0
            break;
9364
0
    }
9365
9366
0
    if (ret != 0)
9367
0
        return ret;
9368
9369
0
    return hashSz;
9370
0
}
9371
#endif /* HAVE_ECC */
9372
9373
#if !defined(NO_RSA) && defined(WC_RSA_PSS)
9374
/* Check that the decrypted signature matches the encoded signature
9375
 * based on the digest of the signature data.
9376
 *
9377
 * ssl       The SSL/TLS object.
9378
 * sigAlgo   The signature algorithm used to generate signature.
9379
 * hashAlgo  The hash algorithm used to generate signature.
9380
 * decSig    The decrypted signature.
9381
 * decSigSz  The size of the decrypted signature.
9382
 * returns 0 on success, otherwise failure.
9383
 */
9384
static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
9385
                             byte* decSig, word32 decSigSz)
9386
0
{
9387
0
    int    ret = 0;
9388
0
    byte   sigData[MAX_SIG_DATA_SZ];
9389
0
    word16 sigDataSz;
9390
9391
0
    ret = CreateSigData(ssl, sigData, &sigDataSz, 1);
9392
0
    if (ret != 0)
9393
0
        return ret;
9394
9395
0
    if (sigAlgo == rsa_pss_sa_algo) {
9396
0
        enum wc_HashType hashType = WC_HASH_TYPE_NONE;
9397
0
        word32 sigSz;
9398
9399
0
        ret = ConvertHashPss(hashAlgo, &hashType, NULL);
9400
0
        if (ret < 0)
9401
0
            return ret;
9402
9403
        /* PSS signature can be done in-place */
9404
0
        ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz,
9405
0
                                  sigAlgo, hashAlgo);
9406
0
        if (ret < 0)
9407
0
            return ret;
9408
0
        sigSz = (word32)ret;
9409
9410
0
        ret = wc_RsaPSS_CheckPadding(sigData, sigSz, decSig, decSigSz,
9411
0
                                     hashType);
9412
0
    }
9413
9414
0
    return ret;
9415
0
}
9416
#endif /* !NO_RSA && WC_RSA_PSS */
9417
#endif /* !NO_RSA || HAVE_ECC */
9418
9419
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
9420
/* Get the next certificate from the list for writing into the TLS v1.3
9421
 * Certificate message.
9422
 *
9423
 * data    The certificate list.
9424
 * length  The length of the certificate data in the list.
9425
 * idx     The index of the next certificate.
9426
 * returns the length of the certificate data. 0 indicates no more certificates
9427
 * in the list.
9428
 */
9429
static word32 NextCert(byte* data, word32 length, word32* idx)
9430
0
{
9431
0
    word32 len;
9432
9433
    /* Would index read past end of list? */
9434
0
    if (*idx + 3 > length)
9435
0
        return 0;
9436
9437
    /* Length of the current ASN.1 encoded certificate. */
9438
0
    c24to32(data + *idx, &len);
9439
    /* Include the length field. */
9440
0
    len += 3;
9441
9442
    /* Ensure len does not overrun certificate list */
9443
0
    if (*idx + len > length)
9444
0
        return 0;
9445
9446
    /* Move index to next certificate and return the current certificate's
9447
     * length.
9448
     */
9449
0
    *idx += len;
9450
0
    return len;
9451
0
}
9452
9453
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)
9454
/* Write certificate status request into certificate to buffer.
9455
 *
9456
 * ssl       SSL/TLS object.
9457
 * certExts  DerBuffer array. buffers written
9458
 * extSz     word32 array.
9459
 *           Length of the certificate status request data for the certificate.
9460
 * extSz_num number of the CSR written
9461
 * extIdx    The index number of certificate status request data
9462
 *           for the certificate.
9463
 * offset    index offset
9464
 * returns   Total number of bytes written on success or negative value on error.
9465
 */
9466
static int WriteCSRToBuffer(WOLFSSL* ssl, DerBuffer** certExts,
9467
                                word16* extSz,  word16 extSz_num)
9468
{
9469
    int    ret = 0;
9470
    TLSX* ext;
9471
    CertificateStatusRequest* csr;
9472
    word32 ex_offset = HELLO_EXT_TYPE_SZ + OPAQUE16_LEN /* extension type */
9473
                    + OPAQUE16_LEN /* extension length */;
9474
    word32 totalSz = 0;
9475
    word32 tmpSz;
9476
    word32 extIdx;
9477
    DerBuffer* der;
9478
9479
    if (extSz_num > MAX_CERT_EXTENSIONS)
9480
        return MAX_CERT_EXTENSIONS_ERR;
9481
9482
    ext = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
9483
    csr = ext ? (CertificateStatusRequest*)ext->data : NULL;
9484
9485
    if (csr) {
9486
        for (extIdx = 0; extIdx < (word16)(extSz_num); extIdx++) {
9487
            tmpSz = TLSX_CSR_GetSize_ex(csr, 0, (int)extIdx);
9488
9489
            if (tmpSz > (OPAQUE8_LEN + OPAQUE24_LEN) &&
9490
                certExts[extIdx] == NULL) {
9491
                /* csr extension is not zero */
9492
                if (tmpSz > WOLFSSL_MAX_16BIT)
9493
                    return BUFFER_E;
9494
                extSz[extIdx] = (word16)tmpSz;
9495
9496
                ret = AllocDer(&certExts[extIdx], extSz[extIdx] + ex_offset,
9497
                                                    CERT_TYPE, ssl->heap);
9498
                if (ret < 0)
9499
                    return ret;
9500
                der = certExts[extIdx];
9501
9502
                /* write extension type */
9503
                c16toa(ext->type, der->buffer
9504
                                + OPAQUE16_LEN);
9505
                /* writes extension data length. */
9506
                c16toa(extSz[extIdx], der->buffer
9507
                            + HELLO_EXT_TYPE_SZ + OPAQUE16_LEN);
9508
                /* write extension data */
9509
                extSz[extIdx] = (word16)TLSX_CSR_Write_ex(csr,
9510
                        der->buffer + ex_offset, 0, extIdx);
9511
                /* add extension offset */
9512
                extSz[extIdx] += (word16)ex_offset;
9513
                /* extension length */
9514
                c16toa(extSz[extIdx] - OPAQUE16_LEN,
9515
                            der->buffer);
9516
            }
9517
            totalSz += extSz[extIdx];
9518
        }
9519
    }
9520
    else {
9521
        /* chain cert empty extension size */
9522
        totalSz += OPAQUE16_LEN * extSz_num;
9523
    }
9524
    return (int)totalSz;
9525
}
9526
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
9527
/* Add certificate data and empty extension to output up to the fragment size.
9528
 *
9529
 * ssl     SSL/TLS object.
9530
 * cert    The certificate data to write out.
9531
 * len     The length of the certificate data.
9532
 * extSz   Length of the extension data with the certificate.
9533
 * idx     The start of the certificate data to write out.
9534
 * fragSz  The maximum size of this fragment.
9535
 * output  The buffer to write to.
9536
 * extIdx  The index number of the extension data with the certificate
9537
 * returns the number of bytes written.
9538
 */
9539
static word32 AddCertExt(WOLFSSL* ssl, byte* cert, word32 len, word16 extSz,
9540
                         word32 idx, word32 fragSz, byte* output, word16 extIdx)
9541
0
{
9542
0
    word32 i = 0;
9543
0
    word32 copySz = min(len - idx, fragSz);
9544
9545
0
    if (idx < len) {
9546
0
        XMEMCPY(output, cert + idx, copySz);
9547
0
        i = copySz;
9548
0
        if (copySz == fragSz)
9549
0
            return i;
9550
0
    }
9551
0
    copySz = len + extSz - idx - i;
9552
9553
0
    if (extSz == OPAQUE16_LEN) {
9554
0
        if (copySz <= fragSz) {
9555
            /* Empty extension */
9556
0
            output[i++] = 0;
9557
0
            output[i++] = 0;
9558
0
        }
9559
0
    }
9560
0
    else {
9561
0
        byte* certExts = ssl->buffers.certExts[extIdx]->buffer + idx + i - len;
9562
        /* Put out as much of the extensions' data as will fit in fragment. */
9563
0
        if (copySz > fragSz - i)
9564
0
            copySz = fragSz - i;
9565
0
        XMEMCPY(output + i, certExts, copySz);
9566
0
        i += copySz;
9567
0
    }
9568
9569
0
    return i;
9570
0
}
9571
9572
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)
9573
static int SetupOcspResp(WOLFSSL* ssl)
9574
{
9575
    DecodedCert* cert = NULL;
9576
    CertificateStatusRequest* csr = NULL;
9577
    TLSX* extension = NULL;
9578
    int ret = 0;
9579
    OcspRequest* request = NULL;
9580
9581
    extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
9582
    if (extension == NULL)
9583
        return 0; /* peer didn't signal ocsp support */
9584
    csr = (CertificateStatusRequest*)extension->data;
9585
    if (csr == NULL)
9586
        return MEMORY_ERROR;
9587
9588
    if (SSL_CM(ssl) != NULL &&
9589
            SSL_CM(ssl)->ocsp_stapling != NULL &&
9590
            SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) {
9591
        return TLSX_CSR_SetResponseWithStatusCB(ssl);
9592
    }
9593
9594
    if (ssl->buffers.certificate == NULL) {
9595
        WOLFSSL_MSG("Certificate buffer not set!");
9596
        return BUFFER_ERROR;
9597
    }
9598
    cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
9599
                                 DYNAMIC_TYPE_DCERT);
9600
    if (cert == NULL) {
9601
        return MEMORY_E;
9602
    }
9603
    InitDecodedCert(cert, ssl->buffers.certificate->buffer,
9604
                    ssl->buffers.certificate->length, ssl->heap);
9605
    ret = ParseCert(cert, CERT_TYPE, NO_VERIFY, SSL_CM(ssl));
9606
    if (ret != 0) {
9607
        FreeDecodedCert(cert);
9608
        XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
9609
        return ret;
9610
    }
9611
    ret = TLSX_CSR_InitRequest(ssl->extensions, cert, ssl->heap);
9612
    FreeDecodedCert(cert);
9613
    XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
9614
    if (ret != 0 )
9615
        return ret;
9616
9617
    request = &csr->request.ocsp[0];
9618
    ret = CreateOcspResponse(ssl, &request, &csr->responses[0]);
9619
    if (request != &csr->request.ocsp[0] &&
9620
            ssl->buffers.weOwnCert) {
9621
        /* request will be allocated in CreateOcspResponse() */
9622
        FreeOcspRequest(request);
9623
        XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
9624
    }
9625
    if (ret != 0)
9626
        return ret;
9627
9628
    if (csr->responses[0].buffer)
9629
        extension->resp = 1;
9630
#if defined(WOLFSSL_TLS_OCSP_MULTI)
9631
    /* process OCSP request in certificate chain */
9632
    if ((ret = ProcessChainOCSPRequest(ssl)) != 0) {
9633
        WOLFSSL_MSG("Process Cert Chain OCSP request failed");
9634
        WOLFSSL_ERROR_VERBOSE(ret);
9635
        return ret;
9636
    }
9637
#endif
9638
    return ret;
9639
}
9640
#endif
9641
9642
/* handle generation TLS v1.3 certificate (11) */
9643
/* Send the certificate for this end and any CAs that help with validation.
9644
 * This message is always encrypted in TLS v1.3.
9645
 *
9646
 * ssl  The SSL/TLS object.
9647
 * returns 0 on success, otherwise failure.
9648
 */
9649
static int SendTls13Certificate(WOLFSSL* ssl)
9650
0
{
9651
0
    int    ret = 0;
9652
0
    word32 certSz, certChainSz, headerSz, listSz, payloadSz;
9653
0
    word16 extSz[MAX_CERT_EXTENSIONS];
9654
0
    word16 extIdx = 0;
9655
0
    word32 maxFragment;
9656
0
    word32 totalextSz = 0;
9657
0
    word32 len = 0;
9658
0
    word32 idx = 0;
9659
0
    word32 offset = OPAQUE16_LEN;
9660
0
    byte*  p = NULL;
9661
0
    byte   certReqCtxLen = 0;
9662
0
    sword32 length;
9663
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
9664
    byte*  certReqCtx = NULL;
9665
#endif
9666
9667
#ifdef OPENSSL_EXTRA
9668
    WOLFSSL_X509* x509 = NULL;
9669
    WOLFSSL_EVP_PKEY* pkey = NULL;
9670
#endif
9671
9672
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
9673
0
    WOLFSSL_ENTER("SendTls13Certificate");
9674
9675
0
    XMEMSET(extSz, 0, sizeof(extSz));
9676
9677
0
    ssl->options.buildingMsg = 1;
9678
9679
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
9680
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
9681
        certReqCtxLen = ssl->certReqCtx->len;
9682
        certReqCtx = &ssl->certReqCtx->ctx;
9683
    }
9684
#endif
9685
9686
#if defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_SETUP_CB)
9687
    /* call client cert callback if no cert has been loaded */
9688
    if ((ssl->ctx->CBClientCert != NULL) &&
9689
        (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer)) {
9690
        ret = ssl->ctx->CBClientCert(ssl, &x509, &pkey);
9691
        if (ret == 1) {
9692
            if ((wolfSSL_CTX_use_certificate(ssl->ctx, x509) == WOLFSSL_SUCCESS) &&
9693
                (wolfSSL_CTX_use_PrivateKey(ssl->ctx, pkey) == WOLFSSL_SUCCESS)) {
9694
                ssl->options.sendVerify = SEND_CERT;
9695
            }
9696
            wolfSSL_X509_free(x509);
9697
            x509 = NULL;
9698
            wolfSSL_EVP_PKEY_free(pkey);
9699
        }
9700
    }
9701
#endif
9702
9703
0
    if (ssl->options.sendVerify == SEND_BLANK_CERT) {
9704
0
        certSz = 0;
9705
0
        certChainSz = 0;
9706
0
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ;
9707
0
        length = (sword32)headerSz;
9708
0
        listSz = 0;
9709
0
    }
9710
0
    else {
9711
0
        if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer) {
9712
0
            WOLFSSL_MSG("Send Cert missing certificate buffer");
9713
0
            return NO_CERT_ERROR;
9714
0
        }
9715
        /* Certificate Data */
9716
0
        certSz = ssl->buffers.certificate->length;
9717
0
        if (ssl->buffers.certChainCnt > MAX_CHAIN_DEPTH) {
9718
0
            WOLFSSL_MSG("Certificate chain count exceeds maximum depth");
9719
0
            return MAX_CHAIN_ERROR;
9720
0
        }
9721
        /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */
9722
0
        headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ +
9723
0
                   CERT_HEADER_SZ;
9724
        /* set empty extension as default */
9725
0
        for (extIdx = 0; extIdx < (word16)XELEM_CNT(extSz); extIdx++)
9726
0
            extSz[extIdx] = OPAQUE16_LEN;
9727
9728
    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER)
9729
        /* We only send CSR on the server side. On client side, the CSR data
9730
         * is populated with the server response. We would be sending the server
9731
         * its own stapling data. */
9732
        if (ssl->options.side == WOLFSSL_SERVER_END) {
9733
            ret = SetupOcspResp(ssl);
9734
            if (ret != 0)
9735
                return ret;
9736
9737
            if ((1 + ssl->buffers.certChainCnt) > MAX_CERT_EXTENSIONS)
9738
                ret = MAX_CERT_EXTENSIONS_ERR;
9739
            if (ret == 0)
9740
                ret = WriteCSRToBuffer(ssl, &ssl->buffers.certExts[0], &extSz[0],
9741
                        1 /* +1 for leaf */ + (word16)ssl->buffers.certChainCnt);
9742
            if (ret < 0)
9743
                return ret;
9744
            totalextSz += ret;
9745
            ret = 0; /* Clear to signal no error */
9746
        }
9747
        else
9748
    #endif
9749
0
        {
9750
            /* Leaf cert empty extension size */
9751
0
            totalextSz += OPAQUE16_LEN;
9752
            /* chain cert empty extension size */
9753
0
            totalextSz += OPAQUE16_LEN * ssl->buffers.certChainCnt;
9754
0
        }
9755
9756
        /* Length of message data with one certificate and extensions. */
9757
0
        length = (sword32)(headerSz + certSz + totalextSz);
9758
        /* Length of list data with one certificate and extensions. */
9759
0
        listSz = CERT_HEADER_SZ + certSz + totalextSz;
9760
9761
        /* Send rest of chain if sending cert (chain has leading size/s). */
9762
0
        if (certSz > 0 && ssl->buffers.certChainCnt > 0) {
9763
0
            p = ssl->buffers.certChain->buffer;
9764
            /* Chain length including extensions. */
9765
0
            certChainSz = ssl->buffers.certChain->length;
9766
9767
0
            length += certChainSz;
9768
0
            listSz += certChainSz;
9769
0
        }
9770
0
        else
9771
0
            certChainSz = 0;
9772
0
    }
9773
9774
0
    payloadSz = (word32)length;
9775
9776
0
    if (ssl->fragOffset != 0)
9777
0
        length -= (ssl->fragOffset + headerSz);
9778
9779
0
    maxFragment = (word32)wolfssl_local_GetMaxPlaintextSize(ssl);
9780
9781
0
    extIdx = 0;
9782
9783
0
    while (length > 0 && ret == 0) {
9784
0
        byte*  output = NULL;
9785
0
        word32 fragSz = 0;
9786
0
        word32 i = RECORD_HEADER_SZ;
9787
0
        int    sendSz = RECORD_HEADER_SZ;
9788
9789
#ifdef WOLFSSL_DTLS13
9790
        if (ssl->options.dtls) {
9791
            i = Dtls13GetRlHeaderLength(ssl, 1);
9792
            sendSz = (int)i;
9793
        }
9794
#endif /* WOLFSSL_DTLS13 */
9795
9796
0
        if (ssl->fragOffset == 0) {
9797
0
            if (headerSz + certSz + totalextSz + certChainSz <=
9798
0
                                            maxFragment - HANDSHAKE_HEADER_SZ) {
9799
0
                fragSz = headerSz + certSz + totalextSz + certChainSz;
9800
0
            }
9801
#ifdef WOLFSSL_DTLS13
9802
            else if (ssl->options.dtls){
9803
                /* short-circuit the fragmentation logic here. DTLS
9804
                   fragmentation will be done in dtls13HandshakeSend() */
9805
                fragSz = headerSz + certSz + totalextSz + certChainSz;
9806
            }
9807
#endif /* WOLFSSL_DTLS13 */
9808
0
            else {
9809
0
                fragSz = maxFragment - HANDSHAKE_HEADER_SZ;
9810
0
            }
9811
9812
0
            sendSz += fragSz + HANDSHAKE_HEADER_SZ;
9813
0
            i += HANDSHAKE_HEADER_SZ;
9814
#ifdef WOLFSSL_DTLS13
9815
            if (ssl->options.dtls) {
9816
                sendSz += DTLS_HANDSHAKE_EXTRA;
9817
                i += DTLS_HANDSHAKE_EXTRA;
9818
            }
9819
#endif /* WOLFSSL_DTLS13 */
9820
0
        }
9821
0
        else {
9822
0
            fragSz = min((word32)length, maxFragment);
9823
0
            sendSz += fragSz;
9824
0
        }
9825
9826
0
        sendSz += MAX_MSG_EXTRA;
9827
9828
        /* Check buffers are big enough and grow if needed. */
9829
0
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
9830
0
            return ret;
9831
9832
        /* Get position in output buffer to write new message to. */
9833
0
        output = GetOutputBuffer(ssl);
9834
9835
0
        if (ssl->fragOffset == 0) {
9836
0
            AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
9837
9838
            /* Request context. */
9839
0
            output[i++] = certReqCtxLen;
9840
        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
9841
            if (certReqCtxLen > 0) {
9842
                XMEMCPY(output + i, certReqCtx, certReqCtxLen);
9843
                i += certReqCtxLen;
9844
            }
9845
        #endif
9846
0
            length -= OPAQUE8_LEN + certReqCtxLen;
9847
0
            fragSz -= OPAQUE8_LEN + certReqCtxLen;
9848
            /* Certificate list length. */
9849
0
            c32to24(listSz, output + i);
9850
0
            i += CERT_HEADER_SZ;
9851
0
            length -= CERT_HEADER_SZ;
9852
0
            fragSz -= CERT_HEADER_SZ;
9853
            /* Leaf certificate data length. */
9854
0
            if (certSz > 0) {
9855
0
                c32to24(certSz, output + i);
9856
0
                i += CERT_HEADER_SZ;
9857
0
                length -= CERT_HEADER_SZ;
9858
0
                fragSz -= CERT_HEADER_SZ;
9859
0
            }
9860
0
        }
9861
0
        else
9862
0
            AddTls13RecordHeader(output, fragSz, handshake, ssl);
9863
9864
0
        if (extIdx == 0) {
9865
0
            if (certSz > 0 && ssl->fragOffset < certSz + extSz[0]) {
9866
                /* Put in the leaf certificate with extensions. */
9867
0
                word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer,
9868
0
                                certSz, extSz[0], ssl->fragOffset, fragSz,
9869
0
                                output + i, 0);
9870
0
                i += copySz;
9871
0
                ssl->fragOffset += copySz;
9872
0
                length -= copySz;
9873
0
                fragSz -= copySz;
9874
0
                if (ssl->fragOffset == certSz + extSz[0])
9875
0
                    FreeDer(&ssl->buffers.certExts[0]);
9876
0
            }
9877
0
        }
9878
0
        if (certChainSz > 0 && fragSz > 0) {
9879
             /* Put in the CA certificates with extensions. */
9880
0
             while (fragSz > 0) {
9881
0
                word32 l;
9882
9883
0
                if (offset == len + OPAQUE16_LEN) {
9884
                    /* Find next CA certificate to write out. */
9885
0
                    offset = 0;
9886
                    /* Point to the start of current cert in chain buffer. */
9887
0
                    p = ssl->buffers.certChain->buffer + idx;
9888
0
                    len = NextCert(ssl->buffers.certChain->buffer,
9889
0
                            ssl->buffers.certChain->length, &idx);
9890
0
                    if (len == 0)
9891
0
                        break;
9892
                #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \
9893
                        !defined(NO_WOLFSSL_SERVER)
9894
                    if (extIdx + 1 < MAX_CERT_EXTENSIONS)
9895
                        extIdx++;
9896
                #endif
9897
0
                }
9898
                /* Write out certificate and extension. */
9899
0
                l = AddCertExt(ssl, p, len, extSz[extIdx], offset, fragSz,
9900
0
                                                       output + i, extIdx);
9901
0
                i += l;
9902
0
                ssl->fragOffset += l;
9903
0
                length -= l;
9904
0
                fragSz -= l;
9905
0
                offset += l;
9906
9907
0
                if (extIdx != 0 && extIdx < MAX_CERT_EXTENSIONS &&
9908
0
                    ssl->buffers.certExts[extIdx] != NULL &&
9909
0
                                offset == len + extSz[extIdx]) {
9910
0
                    FreeDer(&ssl->buffers.certExts[extIdx]);
9911
                    /* for next chain cert */
9912
0
                    len += extSz[extIdx] - OPAQUE16_LEN;
9913
0
                }
9914
0
            }
9915
0
        }
9916
9917
0
        if ((int)i - RECORD_HEADER_SZ < 0) {
9918
0
            WOLFSSL_MSG("Send Cert bad inputSz");
9919
0
            return BUFFER_E;
9920
0
        }
9921
9922
#ifdef WOLFSSL_DTLS13
9923
        if (ssl->options.dtls) {
9924
            /* DTLS1.3 uses a separate variable and logic for fragments */
9925
            ssl->options.buildingMsg = 0;
9926
            ssl->fragOffset = 0;
9927
            if ((word32)sendSz > WOLFSSL_MAX_16BIT || i > WOLFSSL_MAX_16BIT) {
9928
                WOLFSSL_MSG("Send Cert DTLS size exceeds word16");
9929
                return BUFFER_E;
9930
            }
9931
            ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)i,
9932
                                      certificate, 1);
9933
        }
9934
        else
9935
#endif /* WOLFSSL_DTLS13 */
9936
0
        {
9937
            /* This message is always encrypted. */
9938
0
            sendSz = BuildTls13Message(ssl, output, sendSz,
9939
0
                output + RECORD_HEADER_SZ, (int)(i - RECORD_HEADER_SZ),
9940
0
                handshake, 1,
9941
0
                0, 0);
9942
0
            if (sendSz < 0)
9943
0
                return sendSz;
9944
9945
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
9946
            if (ssl->hsInfoOn)
9947
                AddPacketName(ssl, "Certificate");
9948
            if (ssl->toInfoOn) {
9949
                ret = AddPacketInfo(ssl, "Certificate", handshake, output,
9950
                              sendSz, WRITE_PROTO, 0, ssl->heap);
9951
                if (ret != 0)
9952
                    return ret;
9953
            }
9954
#endif
9955
9956
0
            ssl->buffers.outputBuffer.length += (word32)sendSz;
9957
0
            ssl->options.buildingMsg = 0;
9958
0
            if (!ssl->options.groupMessages)
9959
0
                ret = SendBuffered(ssl);
9960
0
        }
9961
0
    }
9962
9963
0
    if (ret != WC_NO_ERR_TRACE(WANT_WRITE)) {
9964
        /* Clean up the fragment offset. */
9965
0
        ssl->options.buildingMsg = 0;
9966
0
        ssl->fragOffset = 0;
9967
0
        if (ssl->options.side == WOLFSSL_SERVER_END)
9968
0
            ssl->options.serverState = SERVER_CERT_COMPLETE;
9969
0
    }
9970
9971
#ifdef WOLFSSL_POST_HANDSHAKE_AUTH
9972
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
9973
        CertReqCtx* ctx = ssl->certReqCtx;
9974
        ssl->certReqCtx = ssl->certReqCtx->next;
9975
        XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
9976
    }
9977
#endif
9978
9979
0
    WOLFSSL_LEAVE("SendTls13Certificate", ret);
9980
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND);
9981
9982
0
    return ret;
9983
0
}
9984
9985
#if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
9986
     defined(HAVE_ED448) || defined(HAVE_FALCON) || \
9987
     defined(WOLFSSL_HAVE_MLDSA)) && \
9988
    (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
9989
typedef struct Scv13Args {
9990
    byte*  output; /* not allocated */
9991
    byte*  verify; /* not allocated */
9992
    word32 idx;
9993
    word32 sigLen;
9994
    int    sendSz;
9995
    word16 length;
9996
9997
    byte   sigAlgo;
9998
    byte*  sigData;
9999
    word16 sigDataSz;
10000
#ifndef NO_RSA
10001
    byte*  toSign; /* not allocated */
10002
    word32 toSignSz;
10003
#endif
10004
#ifdef WOLFSSL_DUAL_ALG_CERTS
10005
    byte   altSigAlgo;
10006
    word32 altSigLen;    /* Only used in the case of both native and alt. */
10007
    byte*  altSigData;
10008
    word16 altSigDataSz;
10009
#endif
10010
} Scv13Args;
10011
10012
static void FreeScv13Args(WOLFSSL* ssl, void* pArgs)
10013
0
{
10014
0
    Scv13Args* args = (Scv13Args*)pArgs;
10015
10016
0
    (void)ssl;
10017
10018
0
    if (args && args->sigData) {
10019
0
        XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
10020
0
        args->sigData = NULL;
10021
0
    }
10022
#ifdef WOLFSSL_DUAL_ALG_CERTS
10023
    if (args && args->altSigData != NULL) {
10024
        XFREE(args->altSigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
10025
        args->altSigData = NULL;
10026
    }
10027
#endif
10028
0
}
10029
10030
/* handle generation TLS v1.3 certificate_verify (15) */
10031
/* Send the TLS v1.3 CertificateVerify message.
10032
 * A hash of all the message so far is used.
10033
 * The signed data is:
10034
 *     0x20 * 64 | context string | 0x00 | hash of messages
10035
 * This message is always encrypted in TLS v1.3.
10036
 *
10037
 * ssl  The SSL/TLS object.
10038
 * returns 0 on success, otherwise failure.
10039
 */
10040
static int SendTls13CertificateVerify(WOLFSSL* ssl)
10041
0
{
10042
0
    int ret = 0;
10043
0
#ifndef NO_RSA
10044
    /* Use this as a temporary buffer for RSA signature verification. */
10045
0
    buffer* rsaSigBuf = &ssl->buffers.sig;
10046
0
#endif
10047
#ifdef WOLFSSL_ASYNC_CRYPT
10048
    Scv13Args* args = NULL;
10049
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
10050
#else
10051
0
    Scv13Args  args[1];
10052
0
#endif
10053
10054
#ifdef WOLFSSL_DTLS13
10055
    int recordLayerHdrExtra;
10056
#endif /* WOLFSSL_DTLS13 */
10057
10058
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND);
10059
0
    WOLFSSL_ENTER("SendTls13CertificateVerify");
10060
10061
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
10062
    wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
10063
#endif
10064
10065
0
    ssl->options.buildingMsg = 1;
10066
10067
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
10068
    ret = tsip_Tls13SendCertVerify(ssl);
10069
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
10070
        goto exit_scv;
10071
    }
10072
    ret = 0;
10073
#endif /* WOLFSSL_RENESAS_TSIP_TLS */
10074
10075
#ifdef WOLFSSL_DTLS13
10076
    /* can be negative */
10077
    if (ssl->options.dtls)
10078
        recordLayerHdrExtra = Dtls13GetRlHeaderLength(ssl, 1) - RECORD_HEADER_SZ;
10079
    else
10080
        recordLayerHdrExtra = 0;
10081
10082
#endif /* WOLFSSL_DTLS13 */
10083
10084
#ifdef WOLFSSL_ASYNC_CRYPT
10085
    if (ssl->async == NULL) {
10086
        ssl->async = (struct WOLFSSL_ASYNC*)
10087
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
10088
                        DYNAMIC_TYPE_ASYNC);
10089
        if (ssl->async == NULL)
10090
            ERROR_OUT(MEMORY_E, exit_scv);
10091
    }
10092
    args = (Scv13Args*)ssl->async->args;
10093
10094
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
10095
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
10096
        /* Check for error */
10097
        if (ret < 0)
10098
            goto exit_scv;
10099
    }
10100
    else
10101
#endif
10102
0
    {
10103
        /* Reset state */
10104
0
        ret = 0;
10105
0
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
10106
0
        XMEMSET(args, 0, sizeof(Scv13Args));
10107
    #ifdef WOLFSSL_ASYNC_CRYPT
10108
        ssl->async->freeArgs = FreeScv13Args;
10109
    #endif
10110
0
    }
10111
10112
0
    switch(ssl->options.asyncState)
10113
0
    {
10114
0
        case TLS_ASYNC_BEGIN:
10115
0
        {
10116
0
            if (ssl->options.sendVerify == SEND_BLANK_CERT) {
10117
            #ifdef WOLFSSL_BLIND_PRIVATE_KEY
10118
                wolfssl_priv_der_blind_toggle(ssl->buffers.key,
10119
                    ssl->buffers.keyMask);
10120
            #endif
10121
0
                return 0;  /* sent blank cert, can't verify */
10122
0
            }
10123
10124
0
            args->sendSz = WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA;
10125
            /* Always encrypted.  */
10126
0
            args->sendSz += MAX_MSG_EXTRA;
10127
10128
            /* check for available size */
10129
0
            if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {
10130
0
                goto exit_scv;
10131
0
            }
10132
10133
            /* get output buffer */
10134
0
            args->output = GetOutputBuffer(ssl);
10135
10136
            /* Advance state and proceed */
10137
0
            ssl->options.asyncState = TLS_ASYNC_BUILD;
10138
0
        } /* case TLS_ASYNC_BEGIN */
10139
0
        FALL_THROUGH;
10140
10141
0
        case TLS_ASYNC_BUILD:
10142
0
        {
10143
0
            int rem = (int)(ssl->buffers.outputBuffer.bufferSize
10144
0
              - ssl->buffers.outputBuffer.length
10145
0
              - RECORD_HEADER_SZ - HANDSHAKE_HEADER_SZ);
10146
10147
            /* idx is used to track verify pointer offset to output */
10148
0
            args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
10149
0
            args->verify =
10150
0
                          &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];
10151
10152
#ifdef WOLFSSL_DTLS13
10153
            if (ssl->options.dtls) {
10154
                rem -= recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
10155
                args->idx += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
10156
                args->verify += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
10157
            }
10158
#endif /* WOLFSSL_DTLS13 */
10159
10160
0
            if (ssl->buffers.key == NULL) {
10161
            #ifdef HAVE_PK_CALLBACKS
10162
                if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
10163
                    args->sigLen = (word16)GetPrivateKeySigSize(ssl);
10164
                else
10165
            #endif
10166
0
                    ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
10167
0
            }
10168
0
            else {
10169
#ifdef WOLFSSL_DUAL_ALG_CERTS
10170
                if (ssl->sigSpec != NULL &&
10171
                    *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
10172
                    /* In the case of alternative, we swap in the alt. */
10173
                    if (ssl->buffers.altKey == NULL) {
10174
                        ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
10175
                    }
10176
                    ssl->buffers.keyType = ssl->buffers.altKeyType;
10177
                    ssl->buffers.keySz = ssl->buffers.altKeySz;
10178
                    /* If we own it, free key before overriding it. */
10179
                    if (ssl->buffers.weOwnKey) {
10180
                        FreeDer(&ssl->buffers.key);
10181
                    #ifdef WOLFSSL_BLIND_PRIVATE_KEY
10182
                        FreeDer(&ssl->buffers.keyMask);
10183
                    #endif
10184
                    }
10185
10186
                    /* Swap keys */
10187
                    ssl->buffers.key     = ssl->buffers.altKey;
10188
                    ssl->buffers.weOwnKey = ssl->buffers.weOwnAltKey;
10189
10190
                #ifdef WOLFSSL_BLIND_PRIVATE_KEY
10191
                    ssl->buffers.keyMask = ssl->buffers.altKeyMask;
10192
                    /* Unblind the alternative key before decoding */
10193
                    wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
10194
                #endif
10195
                }
10196
#endif /* WOLFSSL_DUAL_ALG_CERTS */
10197
0
                ret = DecodePrivateKey(ssl, &args->sigLen);
10198
0
                if (ret != 0)
10199
0
                    goto exit_scv;
10200
0
            }
10201
10202
0
            if (rem < 0 || (int)args->sigLen > rem) {
10203
0
                ERROR_OUT(BUFFER_E, exit_scv);
10204
0
            }
10205
10206
0
            if (args->sigLen == 0) {
10207
0
                ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
10208
0
            }
10209
10210
            /* Add signature algorithm. */
10211
0
            if (ssl->hsType == DYNAMIC_TYPE_RSA)
10212
0
                args->sigAlgo = rsa_pss_sa_algo;
10213
0
        #ifdef HAVE_ECC
10214
0
            else if (ssl->hsType == DYNAMIC_TYPE_ECC) {
10215
        #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
10216
                if (ssl->buffers.keyType == sm2_sa_algo) {
10217
                    args->sigAlgo = sm2_sa_algo;
10218
                }
10219
                else
10220
        #endif
10221
0
                {
10222
0
                    args->sigAlgo = ecc_dsa_sa_algo;
10223
0
                }
10224
0
            }
10225
0
        #endif
10226
        #ifdef HAVE_ED25519
10227
            else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
10228
                args->sigAlgo = ed25519_sa_algo;
10229
        #endif
10230
        #ifdef HAVE_ED448
10231
            else if (ssl->hsType == DYNAMIC_TYPE_ED448)
10232
                args->sigAlgo = ed448_sa_algo;
10233
        #endif
10234
        #if defined(HAVE_FALCON)
10235
            else if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
10236
                args->sigAlgo = ssl->buffers.keyType;
10237
            }
10238
        #endif /* HAVE_FALCON */
10239
        #if defined(WOLFSSL_HAVE_MLDSA)
10240
            else if (ssl->hsType == DYNAMIC_TYPE_MLDSA) {
10241
                args->sigAlgo = ssl->buffers.keyType;
10242
            }
10243
        #endif /* WOLFSSL_HAVE_MLDSA */
10244
0
            else {
10245
0
                ERROR_OUT(ALGO_ID_E, exit_scv);
10246
0
            }
10247
10248
        #ifdef WOLFSSL_DUAL_ALG_CERTS
10249
            if (ssl->peerSigSpec == NULL) {
10250
                /* The peer did not respond. We didn't send CKS or they don't
10251
                 * support it. Either way, we do not need to handle dual
10252
                 * key/sig case. */
10253
                ssl->sigSpec = NULL;
10254
                ssl->sigSpecSz = 0;
10255
            }
10256
10257
            if (ssl->sigSpec != NULL &&
10258
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
10259
                /* The native was already decoded. Now we need to do the
10260
                 * alternative. Note that no swap was done because this case is
10261
                 * both native and alternative, not just alternative. */
10262
                if (ssl->buffers.altKey == NULL) {
10263
                    ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
10264
                }
10265
10266
                /* After this call, args->altSigLen has the length we need for
10267
                 * the alternative signature. */
10268
                ret = DecodeAltPrivateKey(ssl, &args->altSigLen);
10269
                if (ret != 0)
10270
                    goto exit_scv;
10271
10272
                if (ssl->buffers.altKeyType == ecc_dsa_sa_algo ||
10273
                    ssl->buffers.altKeyType == falcon_level1_sa_algo ||
10274
                    ssl->buffers.altKeyType == falcon_level5_sa_algo ||
10275
                    ssl->buffers.altKeyType == mldsa_44_sa_algo ||
10276
                    ssl->buffers.altKeyType == mldsa_65_sa_algo ||
10277
                    ssl->buffers.altKeyType == mldsa_87_sa_algo) {
10278
                    args->altSigAlgo = ssl->buffers.altKeyType;
10279
                }
10280
                else if (ssl->buffers.altKeyType == rsa_sa_algo &&
10281
                         ssl->hsAltType == DYNAMIC_TYPE_RSA) {
10282
                    args->altSigAlgo = rsa_pss_sa_algo;
10283
                }
10284
                else {
10285
                    ERROR_OUT(ALGO_ID_E, exit_scv);
10286
                }
10287
10288
                EncodeDualSigAlg(args->sigAlgo, args->altSigAlgo, args->verify);
10289
                if (args->verify[0] == 0) {
10290
                    ERROR_OUT(ALGO_ID_E, exit_scv);
10291
                }
10292
            }
10293
            else
10294
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
10295
0
                EncodeSigAlg(ssl, ssl->options.hashAlgo, args->sigAlgo,
10296
0
                             args->verify);
10297
10298
0
            if (args->sigData == NULL) {
10299
0
                word32 sigLen = MAX_SIG_DATA_SZ;
10300
0
                if ((ssl->hsType == DYNAMIC_TYPE_RSA) &&
10301
0
                    (args->sigLen > MAX_SIG_DATA_SZ)) {
10302
                    /* We store the RSA signature in the sigData buffer
10303
                     * temporarily, hence its size must be fitting. */
10304
0
                    sigLen = args->sigLen;
10305
0
                }
10306
0
                args->sigData = (byte*)XMALLOC(sigLen, ssl->heap,
10307
0
                                                    DYNAMIC_TYPE_SIGNATURE);
10308
0
                if (args->sigData == NULL) {
10309
0
                    ERROR_OUT(MEMORY_E, exit_scv);
10310
0
                }
10311
0
            }
10312
10313
        #ifdef WOLFSSL_DUAL_ALG_CERTS
10314
            if ((ssl->sigSpec != NULL) &&
10315
                (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) &&
10316
                (args->altSigData == NULL)) {
10317
                word32 sigLen = MAX_SIG_DATA_SZ;
10318
                if (ssl->hsAltType == DYNAMIC_TYPE_RSA &&
10319
                    args->altSigLen > MAX_SIG_DATA_SZ) {
10320
                    /* We store the RSA signature in the sigData buffer
10321
                     * temporarily, hence its size must be fitting. */
10322
                    sigLen = args->altSigLen;
10323
                }
10324
                args->altSigData = (byte*)XMALLOC(sigLen, ssl->heap,
10325
                                                    DYNAMIC_TYPE_SIGNATURE);
10326
                if (args->altSigData == NULL) {
10327
                    ERROR_OUT(MEMORY_E, exit_scv);
10328
                }
10329
            }
10330
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
10331
10332
            /* Create the data to be signed. */
10333
0
            ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0);
10334
0
            if (ret != 0)
10335
0
                goto exit_scv;
10336
10337
        #ifdef WOLFSSL_DUAL_ALG_CERTS
10338
            if ((ssl->sigSpec != NULL) &&
10339
                (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH)) {
10340
                XMEMCPY(args->altSigData, args->sigData, args->sigDataSz);
10341
                args->altSigDataSz = args->sigDataSz;
10342
            }
10343
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
10344
10345
0
        #ifndef NO_RSA
10346
0
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
10347
                /* build encoded signature buffer */
10348
0
                rsaSigBuf->length = WC_MAX_DIGEST_SIZE;
10349
0
                rsaSigBuf->buffer = (byte*)XMALLOC(rsaSigBuf->length, ssl->heap,
10350
0
                                                   DYNAMIC_TYPE_SIGNATURE);
10351
0
                if (rsaSigBuf->buffer == NULL) {
10352
0
                    ERROR_OUT(MEMORY_E, exit_scv);
10353
0
                }
10354
10355
0
                ret = CreateRSAEncodedSig(rsaSigBuf->buffer, args->sigData,
10356
0
                    args->sigDataSz, args->sigAlgo, ssl->options.hashAlgo);
10357
0
                if (ret < 0)
10358
0
                    goto exit_scv;
10359
0
                rsaSigBuf->length = (unsigned int)ret;
10360
0
                ret = 0;
10361
0
            }
10362
0
        #endif /* !NO_RSA */
10363
0
        #ifdef HAVE_ECC
10364
0
            if (ssl->hsType == DYNAMIC_TYPE_ECC) {
10365
0
                args->sigLen = (word32)args->sendSz - args->idx -
10366
0
                               HASH_SIG_SIZE -
10367
0
                               VERIFY_HEADER;
10368
            #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
10369
                if (ssl->buffers.keyType != sm2_sa_algo)
10370
            #endif
10371
0
                {
10372
0
                    ret = CreateECCEncodedSig(args->sigData,
10373
0
                        args->sigDataSz, ssl->options.hashAlgo);
10374
0
                    if (ret < 0)
10375
0
                        goto exit_scv;
10376
0
                    args->sigDataSz = (word16)ret;
10377
0
                    ret = 0;
10378
0
                }
10379
0
            }
10380
0
        #endif /* HAVE_ECC */
10381
        #ifdef HAVE_ED25519
10382
            if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
10383
                ret = Ed25519CheckPubKey(ssl);
10384
                if (ret < 0) {
10385
                    ERROR_OUT(ret, exit_scv);
10386
                }
10387
                args->sigLen = ED25519_SIG_SIZE;
10388
            }
10389
        #endif /* HAVE_ED25519 */
10390
        #ifdef HAVE_ED448
10391
            if (ssl->hsType == DYNAMIC_TYPE_ED448) {
10392
                ret = Ed448CheckPubKey(ssl);
10393
                if (ret < 0) {
10394
                    ERROR_OUT(ret, exit_scv);
10395
                }
10396
                args->sigLen = ED448_SIG_SIZE;
10397
            }
10398
10399
        #endif /* HAVE_ED448 */
10400
        #if defined(HAVE_FALCON)
10401
            if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
10402
                args->sigLen = FALCON_MAX_SIG_SIZE;
10403
            }
10404
        #endif /* HAVE_FALCON */
10405
        #if defined(WOLFSSL_HAVE_MLDSA)
10406
            if (ssl->hsType == DYNAMIC_TYPE_MLDSA) {
10407
                args->sigLen = MLDSA_MAX_SIG_SIZE;
10408
            }
10409
        #endif /* WOLFSSL_HAVE_MLDSA */
10410
10411
        #ifdef WOLFSSL_DUAL_ALG_CERTS
10412
            if (ssl->sigSpec != NULL &&
10413
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
10414
10415
            #ifndef NO_RSA
10416
                if (ssl->hsAltType == DYNAMIC_TYPE_RSA) {
10417
                    /* build encoded signature buffer */
10418
                    XFREE(rsaSigBuf->buffer, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
10419
                    rsaSigBuf->length = WC_MAX_DIGEST_SIZE;
10420
                    rsaSigBuf->buffer = (byte*)XMALLOC(rsaSigBuf->length,
10421
                                                       ssl->heap,
10422
                                                       DYNAMIC_TYPE_SIGNATURE);
10423
                    if (rsaSigBuf->buffer == NULL) {
10424
                        ERROR_OUT(MEMORY_E, exit_scv);
10425
                    }
10426
10427
                    ret = CreateRSAEncodedSig(rsaSigBuf->buffer,
10428
                                    args->altSigData, args->altSigDataSz,
10429
                                    args->altSigAlgo, ssl->options.hashAlgo);
10430
                    if (ret < 0)
10431
                        goto exit_scv;
10432
                    rsaSigBuf->length = ret;
10433
                    ret = 0;
10434
                }
10435
            #endif /* !NO_RSA */
10436
            #ifdef HAVE_ECC
10437
                if (ssl->hsAltType == DYNAMIC_TYPE_ECC) {
10438
                    ret = CreateECCEncodedSig(args->altSigData,
10439
                            args->altSigDataSz, ssl->options.hashAlgo);
10440
                    if (ret < 0)
10441
                        goto exit_scv;
10442
                    args->altSigDataSz = (word16)ret;
10443
                    ret = 0;
10444
                }
10445
            #endif /* HAVE_ECC */
10446
            }
10447
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
10448
10449
            /* Advance state and proceed */
10450
0
            ssl->options.asyncState = TLS_ASYNC_DO;
10451
0
        } /* case TLS_ASYNC_BUILD */
10452
0
        FALL_THROUGH;
10453
10454
0
        case TLS_ASYNC_DO:
10455
0
        {
10456
0
            byte* sigOut = args->verify + HASH_SIG_SIZE + VERIFY_HEADER;
10457
        #ifdef WOLFSSL_DUAL_ALG_CERTS
10458
            if (ssl->sigSpec != NULL &&
10459
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
10460
                /* As we have two signatures in the message, we store
10461
                 * the length of each before the actual signature. This
10462
                 * is necessary, as we could have two algorithms with
10463
                 * variable length signatures. */
10464
                sigOut += OPAQUE16_LEN;
10465
            }
10466
        #endif
10467
0
        #ifdef HAVE_ECC
10468
0
            if (ssl->hsType == DYNAMIC_TYPE_ECC) {
10469
            #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
10470
                if (ssl->buffers.keyType == sm2_sa_algo) {
10471
                    ret = Sm2wSm3Sign(ssl, TLS13_SM2_SIG_ID,
10472
                        TLS13_SM2_SIG_ID_SZ, args->sigData, args->sigDataSz,
10473
                        sigOut, &args->sigLen, (ecc_key*)ssl->hsKey, NULL);
10474
                }
10475
                else
10476
            #endif
10477
0
                {
10478
0
                    ret = EccSign(ssl, args->sigData, args->sigDataSz,
10479
0
                        sigOut, &args->sigLen, (ecc_key*)ssl->hsKey,
10480
                #ifdef HAVE_PK_CALLBACKS
10481
                        ssl->buffers.key
10482
                #else
10483
0
                        NULL
10484
0
                #endif
10485
0
                    );
10486
0
                }
10487
0
                args->length = (word16)args->sigLen;
10488
0
            }
10489
0
        #endif /* HAVE_ECC */
10490
        #ifdef HAVE_ED25519
10491
            if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
10492
                ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz,
10493
                    sigOut, &args->sigLen, (ed25519_key*)ssl->hsKey,
10494
            #ifdef HAVE_PK_CALLBACKS
10495
                    ssl->buffers.key
10496
            #else
10497
                    NULL
10498
            #endif
10499
                );
10500
                args->length = (word16)args->sigLen;
10501
            }
10502
        #endif
10503
        #ifdef HAVE_ED448
10504
            if (ssl->hsType == DYNAMIC_TYPE_ED448) {
10505
                ret = Ed448Sign(ssl, args->sigData, args->sigDataSz,
10506
                    sigOut, &args->sigLen, (ed448_key*)ssl->hsKey,
10507
            #ifdef HAVE_PK_CALLBACKS
10508
                    ssl->buffers.key
10509
            #else
10510
                    NULL
10511
            #endif
10512
                );
10513
                args->length = (word16)args->sigLen;
10514
            }
10515
        #endif
10516
        #if defined(HAVE_FALCON)
10517
            if (ssl->hsType == DYNAMIC_TYPE_FALCON) {
10518
                ret = wc_falcon_sign_msg(args->sigData, args->sigDataSz,
10519
                                         sigOut, &args->sigLen,
10520
                                         (falcon_key*)ssl->hsKey, ssl->rng);
10521
                args->length = (word16)args->sigLen;
10522
            }
10523
        #endif /* HAVE_FALCON */
10524
        #if defined(WOLFSSL_HAVE_MLDSA) && !defined(WOLFSSL_MLDSA_NO_SIGN)
10525
            if (ssl->hsType == DYNAMIC_TYPE_MLDSA) {
10526
                ret = wc_MlDsaKey_SignCtx((wc_MlDsaKey*)ssl->hsKey, NULL, 0,
10527
                                          sigOut, &args->sigLen,
10528
                                          args->sigData, args->sigDataSz,
10529
                                          ssl->rng);
10530
                args->length = (word16)args->sigLen;
10531
            }
10532
        #endif /* WOLFSSL_HAVE_MLDSA */
10533
0
        #if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
10534
0
            !defined(WOLFSSL_RSA_VERIFY_ONLY)
10535
0
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
10536
0
                args->toSign = rsaSigBuf->buffer;
10537
0
                args->toSignSz = (word32)rsaSigBuf->length;
10538
            #if defined(HAVE_PK_CALLBACKS) && \
10539
                defined(TLS13_RSA_PSS_SIGN_CB_NO_PREHASH)
10540
                /* Pass full data to sign (args->sigData), not hash of */
10541
                if (ssl->ctx->RsaPssSignCb) {
10542
                    args->toSign = args->sigData;
10543
                    args->toSignSz = args->sigDataSz;
10544
                }
10545
            #endif
10546
0
                ret = RsaSign(ssl, (const byte*)args->toSign, args->toSignSz,
10547
0
                              sigOut, &args->sigLen, args->sigAlgo,
10548
0
                              ssl->options.hashAlgo, (RsaKey*)ssl->hsKey,
10549
0
                              ssl->buffers.key);
10550
0
                if (ret == 0) {
10551
0
                    args->length = (word16)args->sigLen;
10552
0
                    XMEMCPY(args->sigData, sigOut, args->sigLen);
10553
0
                }
10554
0
            }
10555
0
        #endif /* !NO_RSA && !WOLFSSL_RSA_PUBLIC_ONLY && !WOLFSSL_RSA_VERIFY_ONLY */
10556
10557
            /* Check for error */
10558
0
            if (ret != 0) {
10559
0
                goto exit_scv;
10560
0
            }
10561
10562
        #ifdef WOLFSSL_DUAL_ALG_CERTS
10563
            if (ssl->sigSpec != NULL &&
10564
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
10565
                /* Add signature length for the first signature. */
10566
                c16toa((word16)args->sigLen, sigOut - OPAQUE16_LEN);
10567
                args->length += OPAQUE16_LEN;
10568
10569
                /* Advance our pointer to where we store the alt signature.
10570
                 * We also add additional space for the length field of the
10571
                 * second signature. */
10572
                sigOut += args->sigLen + OPAQUE16_LEN;
10573
10574
                /* Generate the alternative signature */
10575
            #ifdef HAVE_ECC
10576
                if (ssl->hsAltType == DYNAMIC_TYPE_ECC) {
10577
                    ret = EccSign(ssl, args->altSigData, args->altSigDataSz,
10578
                                  sigOut, &args->altSigLen,
10579
                                  (ecc_key*)ssl->hsAltKey,
10580
                    #ifdef HAVE_PK_CALLBACKS
10581
                                  ssl->buffers.altKey
10582
                    #else
10583
                                  NULL
10584
                    #endif
10585
                                  );
10586
                }
10587
            #endif /* HAVE_ECC */
10588
            #if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \
10589
                !defined(WOLFSSL_RSA_VERIFY_ONLY)
10590
                if (ssl->hsAltType == DYNAMIC_TYPE_RSA) {
10591
                    args->toSign = rsaSigBuf->buffer;
10592
                    args->toSignSz = (word32)rsaSigBuf->length;
10593
                #if defined(HAVE_PK_CALLBACKS) && \
10594
                    defined(TLS13_RSA_PSS_SIGN_CB_NO_PREHASH)
10595
                    /* Pass full data to sign (args->altSigData), not hash of */
10596
                    if (ssl->ctx->RsaPssSignCb) {
10597
                        args->toSign = args->altSigData;
10598
                        args->toSignSz = (word32)args->altSigDataSz;
10599
                    }
10600
                #endif
10601
                    ret = RsaSign(ssl, (const byte*)args->toSign,
10602
                                  args->toSignSz, sigOut, &args->altSigLen,
10603
                                  args->altSigAlgo, ssl->options.hashAlgo,
10604
                                  (RsaKey*)ssl->hsAltKey,
10605
                                  ssl->buffers.altKey);
10606
10607
                    if (ret == 0) {
10608
                        XMEMCPY(args->altSigData, sigOut, args->altSigLen);
10609
                    }
10610
                }
10611
            #endif /* !NO_RSA && !WOLFSSL_RSA_PUBLIC_ONLY && !WOLFSSL_RSA_VERIFY_ONLY */
10612
            #if defined(HAVE_FALCON)
10613
                if (ssl->hsAltType == DYNAMIC_TYPE_FALCON) {
10614
                    ret = wc_falcon_sign_msg(args->altSigData,
10615
                                             args->altSigDataSz, sigOut,
10616
                                             &args->altSigLen,
10617
                                             (falcon_key*)ssl->hsAltKey,
10618
                                             ssl->rng);
10619
                }
10620
            #endif /* HAVE_FALCON */
10621
            #if defined(WOLFSSL_HAVE_MLDSA) && !defined(WOLFSSL_MLDSA_NO_SIGN)
10622
                if (ssl->hsAltType == DYNAMIC_TYPE_MLDSA) {
10623
                    ret = wc_MlDsaKey_SignCtx((wc_MlDsaKey*)ssl->hsAltKey,
10624
                                NULL, 0, sigOut, &args->altSigLen,
10625
                                args->altSigData, args->altSigDataSz, ssl->rng);
10626
                }
10627
            #endif /* WOLFSSL_HAVE_MLDSA */
10628
10629
                /* Check for error */
10630
                if (ret != 0) {
10631
                    goto exit_scv;
10632
                }
10633
10634
                /* Add signature length for the alternative signature. */
10635
                c16toa((word16)args->altSigLen, sigOut - OPAQUE16_LEN);
10636
10637
                /* Add length of the alt sig to the total length */
10638
                args->length += args->altSigLen + OPAQUE16_LEN;
10639
            }
10640
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
10641
10642
            /* Add signature length. */
10643
0
            c16toa(args->length, args->verify + HASH_SIG_SIZE);
10644
10645
            /* Advance state and proceed */
10646
0
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
10647
0
        } /* case TLS_ASYNC_DO */
10648
0
        FALL_THROUGH;
10649
10650
0
        case TLS_ASYNC_VERIFY:
10651
0
        {
10652
0
        #ifndef NO_RSA
10653
0
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
10654
                /* check for signature faults */
10655
0
                ret = VerifyRsaSign(ssl, args->sigData, args->sigLen,
10656
0
                    rsaSigBuf->buffer, (word32)rsaSigBuf->length, args->sigAlgo,
10657
0
                    ssl->options.hashAlgo, (RsaKey*)ssl->hsKey,
10658
0
                    ssl->buffers.key);
10659
0
            }
10660
        #ifdef WOLFSSL_DUAL_ALG_CERTS
10661
            if (ssl->sigSpec != NULL &&
10662
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH &&
10663
                ssl->hsAltType == DYNAMIC_TYPE_RSA) {
10664
                /* check for signature faults */
10665
                ret = VerifyRsaSign(ssl, args->altSigData, args->altSigLen,
10666
                        rsaSigBuf->buffer, (word32)rsaSigBuf->length,
10667
                        args->altSigAlgo, ssl->options.hashAlgo,
10668
                        (RsaKey*)ssl->hsAltKey, ssl->buffers.altKey);
10669
            }
10670
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
10671
0
        #endif /* !NO_RSA */
10672
        #if defined(HAVE_ECC) && defined(WOLFSSL_CHECK_SIG_FAULTS)
10673
            if (ssl->hsType == DYNAMIC_TYPE_ECC) {
10674
                byte* sigOut = args->verify + HASH_SIG_SIZE + VERIFY_HEADER;
10675
            #ifdef WOLFSSL_DUAL_ALG_CERTS
10676
                if (ssl->sigSpec != NULL &&
10677
                    *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
10678
                    /* Add our length offset. */
10679
                    sigOut += OPAQUE16_LEN;
10680
                }
10681
            #endif
10682
            #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
10683
                if (ssl->buffers.keyType == sm2_sa_algo) {
10684
                    ret = Sm2wSm3Verify(ssl, TLS13_SM2_SIG_ID,
10685
                        TLS13_SM2_SIG_ID_SZ,
10686
                        sigOut, args->sigLen, args->sigData, args->sigDataSz,
10687
                        (ecc_key*)ssl->hsKey, NULL);
10688
                }
10689
                else
10690
            #endif
10691
                {
10692
                #ifdef HAVE_PK_CALLBACKS
10693
                    buffer tmp;
10694
10695
                    tmp.length = ssl->buffers.key->length;
10696
                    tmp.buffer = ssl->buffers.key->buffer;
10697
                #endif
10698
                    ret = EccVerify(ssl, sigOut, args->sigLen,
10699
                            args->sigData, args->sigDataSz,
10700
                            (ecc_key*)ssl->hsKey,
10701
                #ifdef HAVE_PK_CALLBACKS
10702
                            &tmp
10703
                #else
10704
                            NULL
10705
                #endif
10706
                            );
10707
                }
10708
            }
10709
        #ifdef WOLFSSL_DUAL_ALG_CERTS
10710
            if (ssl->sigSpec != NULL &&
10711
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH &&
10712
                ssl->hsAltType == DYNAMIC_TYPE_ECC) {
10713
                /* check for signature faults */
10714
                byte* sigOut = args->verify + HASH_SIG_SIZE + VERIFY_HEADER +
10715
                                args->sigLen + OPAQUE16_LEN + OPAQUE16_LEN;
10716
            #ifdef HAVE_PK_CALLBACKS
10717
                buffer tmp;
10718
                tmp.length = ssl->buffers.altKey->length;
10719
                tmp.buffer = ssl->buffers.altKey->buffer;
10720
            #endif
10721
                ret = EccVerify(ssl, sigOut, args->altSigLen,
10722
                        args->altSigData, args->altSigDataSz,
10723
                        (ecc_key*)ssl->hsAltKey,
10724
            #ifdef HAVE_PK_CALLBACKS
10725
                        &tmp
10726
            #else
10727
                        NULL
10728
            #endif
10729
                        );
10730
            }
10731
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
10732
        #endif /* HAVE_ECC && WOLFSSL_CHECK_SIG_FAULTS */
10733
10734
            /* Check for error */
10735
0
            if (ret != 0) {
10736
0
                goto exit_scv;
10737
0
            }
10738
10739
            /* Advance state and proceed */
10740
0
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
10741
0
        } /* case TLS_ASYNC_VERIFY */
10742
0
        FALL_THROUGH;
10743
10744
0
        case TLS_ASYNC_FINALIZE:
10745
0
        {
10746
            /* Put the record and handshake headers on. */
10747
0
            AddTls13Headers(args->output, args->length + HASH_SIG_SIZE +
10748
0
                            VERIFY_HEADER, certificate_verify, ssl);
10749
10750
0
            args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ +
10751
0
                                args->length + HASH_SIG_SIZE + VERIFY_HEADER;
10752
#ifdef WOLFSSL_DTLS13
10753
            if (ssl->options.dtls)
10754
                args->sendSz += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA;
10755
10756
#endif /* WOLFSSL_DTLS13 */
10757
            /* Advance state and proceed */
10758
0
            ssl->options.asyncState = TLS_ASYNC_END;
10759
0
        } /* case TLS_ASYNC_FINALIZE */
10760
0
        FALL_THROUGH;
10761
10762
0
        case TLS_ASYNC_END:
10763
0
        {
10764
#ifdef WOLFSSL_DTLS13
10765
            if (ssl->options.dtls) {
10766
                ssl->options.buildingMsg = 0;
10767
                ret = Dtls13HandshakeSend(ssl, args->output,
10768
                    WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA + MAX_MSG_EXTRA,
10769
                    (word16)args->sendSz, certificate_verify, 1);
10770
                if (ret != 0)
10771
                    goto exit_scv;
10772
10773
                break;
10774
            }
10775
#endif /* WOLFSSL_DTLS13 */
10776
10777
            /* This message is always encrypted. */
10778
0
            ret = BuildTls13Message(ssl, args->output,
10779
0
                                    WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
10780
0
                                    args->output + RECORD_HEADER_SZ,
10781
0
                                    args->sendSz - RECORD_HEADER_SZ, handshake,
10782
0
                                    1, 0, 0);
10783
10784
0
            if (ret < 0) {
10785
0
                goto exit_scv;
10786
0
            }
10787
0
            else {
10788
0
                args->sendSz = ret;
10789
0
                ret = 0;
10790
0
            }
10791
10792
        #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
10793
            if (ssl->hsInfoOn)
10794
                AddPacketName(ssl, "CertificateVerify");
10795
            if (ssl->toInfoOn) {
10796
                ret = AddPacketInfo(ssl, "CertificateVerify", handshake,
10797
                            args->output, args->sendSz, WRITE_PROTO, 0,
10798
                            ssl->heap);
10799
                if (ret != 0)
10800
                    goto exit_scv;
10801
            }
10802
        #endif
10803
10804
0
            ssl->buffers.outputBuffer.length += (word32)args->sendSz;
10805
0
            ssl->options.buildingMsg = 0;
10806
0
            if (!ssl->options.groupMessages)
10807
0
                ret = SendBuffered(ssl);
10808
0
            break;
10809
0
        }
10810
0
        default:
10811
0
            ret = INPUT_CASE_ERROR;
10812
0
    } /* switch(ssl->options.asyncState) */
10813
10814
0
exit_scv:
10815
#ifdef WOLFSSL_BLIND_PRIVATE_KEY
10816
    if (ret == 0) {
10817
        ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key,
10818
            &ssl->buffers.keyMask);
10819
    }
10820
    else {
10821
        wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask);
10822
    }
10823
#endif
10824
10825
0
    WOLFSSL_LEAVE("SendTls13CertificateVerify", ret);
10826
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND);
10827
10828
#ifdef WOLFSSL_ASYNC_CRYPT
10829
    /* Handle async operation */
10830
    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
10831
        return ret;
10832
    }
10833
#endif /* WOLFSSL_ASYNC_CRYPT */
10834
10835
    /* Final cleanup */
10836
0
    FreeScv13Args(ssl, args);
10837
0
    FreeKeyExchange(ssl);
10838
0
#ifdef WOLFSSL_ASYNC_IO
10839
    /* Cleanup async */
10840
0
    FreeAsyncCtx(ssl, 0);
10841
0
#endif
10842
10843
0
    if (ret != 0) {
10844
0
        WOLFSSL_ERROR_VERBOSE(ret);
10845
0
    }
10846
10847
0
    return ret;
10848
0
}
10849
#endif
10850
#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */
10851
10852
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
10853
/* handle processing TLS v1.3 certificate (11) */
10854
/* Parse and handle a TLS v1.3 Certificate message.
10855
 *
10856
 * ssl       The SSL/TLS object.
10857
 * input     The message buffer.
10858
 * inOutIdx  On entry, the index into the message buffer of Certificate.
10859
 *           On exit, the index of byte after the Certificate message.
10860
 * totalSz   The length of the current handshake message.
10861
 * returns 0 on success and otherwise failure.
10862
 */
10863
static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
10864
                              word32 totalSz)
10865
0
{
10866
0
    int ret = 0;
10867
10868
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_DO);
10869
0
    WOLFSSL_ENTER("DoTls13Certificate");
10870
10871
#ifdef WOLFSSL_DTLS13
10872
    if (ssl->options.dtls && ssl->options.handShakeDone) {
10873
        /* certificate needs some special care after the handshake */
10874
        ret = Dtls13RtxProcessingCertificate(
10875
            ssl, input + *inOutIdx, totalSz);
10876
    }
10877
#endif /* WOLFSSL_DTLS13 */
10878
10879
0
    if (ret == 0)
10880
0
        ret = ProcessPeerCerts(ssl, input, inOutIdx, totalSz);
10881
0
    if (ret == 0) {
10882
0
#if !defined(NO_WOLFSSL_CLIENT)
10883
0
        if (ssl->options.side == WOLFSSL_CLIENT_END)
10884
0
            ssl->options.serverState = SERVER_CERT_COMPLETE;
10885
0
#endif
10886
#if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
10887
        if (ssl->options.side == WOLFSSL_SERVER_END &&
10888
                                ssl->options.handShakeState == HANDSHAKE_DONE) {
10889
            /* reset handshake states */
10890
            ssl->options.serverState = SERVER_FINISHED_COMPLETE;
10891
            ssl->options.acceptState  = TICKET_SENT;
10892
            ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
10893
        }
10894
#endif
10895
0
    }
10896
10897
0
    WOLFSSL_LEAVE("DoTls13Certificate", ret);
10898
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_DO);
10899
10900
0
    return ret;
10901
0
}
10902
#endif
10903
10904
#if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
10905
     defined(HAVE_ED448) || defined(HAVE_FALCON) || \
10906
     defined(WOLFSSL_HAVE_MLDSA)) && !defined(NO_CERTS)
10907
10908
typedef struct Dcv13Args {
10909
    byte*  output; /* not allocated */
10910
    word32 sendSz;
10911
    word16 sz;
10912
    word32 sigSz;
10913
    word32 idx;
10914
    word32 begin;
10915
10916
    byte*  sigData;
10917
    word16 sigDataSz;
10918
#ifdef WOLFSSL_DUAL_ALG_CERTS
10919
    byte   altSigAlgo;
10920
    byte*  altSigData;
10921
    word32 altSigDataSz;
10922
    word32 altSignatureSz;
10923
    byte   altPeerAuthGood;
10924
#endif
10925
} Dcv13Args;
10926
10927
static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
10928
0
{
10929
0
    Dcv13Args* args = (Dcv13Args*)pArgs;
10930
10931
0
    if (args && args->sigData != NULL) {
10932
0
        XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
10933
0
        args->sigData = NULL;
10934
0
    }
10935
#ifdef WOLFSSL_DUAL_ALG_CERTS
10936
    if (args && args->altSigData != NULL) {
10937
        XFREE(args->altSigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
10938
        args->altSigData = NULL;
10939
    }
10940
#endif
10941
0
    (void)ssl;
10942
0
}
10943
10944
#ifdef WOLFSSL_DUAL_ALG_CERTS
10945
#ifndef NO_RSA
10946
/* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
10947
 * RSA public key. Convert it into a usable public key. */
10948
static int decodeRsaKey(WOLFSSL* ssl)
10949
{
10950
    int keyRet;
10951
    word32 tmpIdx = 0;
10952
10953
    if (ssl->peerRsaKeyPresent)
10954
        return INVALID_PARAMETER;
10955
10956
    keyRet = AllocKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
10957
    if (keyRet != 0)
10958
        return PEER_KEY_ERROR;
10959
10960
    ssl->peerRsaKeyPresent = 1;
10961
    keyRet = wc_RsaPublicKeyDecode(ssl->peerCert.sapkiDer, &tmpIdx,
10962
                                   ssl->peerRsaKey,
10963
                                   ssl->peerCert.sapkiLen);
10964
    if (keyRet != 0)
10965
        return PEER_KEY_ERROR;
10966
10967
    return 0;
10968
}
10969
#endif /* !NO_RSA */
10970
10971
#ifdef HAVE_ECC
10972
/* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
10973
 * ECC public key. Convert it into a usable public key. */
10974
static int decodeEccKey(WOLFSSL* ssl)
10975
{
10976
    int keyRet;
10977
    word32 tmpIdx = 0;
10978
10979
    if (ssl->peerEccDsaKeyPresent)
10980
        return INVALID_PARAMETER;
10981
10982
    keyRet = AllocKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
10983
    if (keyRet != 0)
10984
        return PEER_KEY_ERROR;
10985
10986
    ssl->peerEccDsaKeyPresent = 1;
10987
    keyRet = wc_EccPublicKeyDecode(ssl->peerCert.sapkiDer, &tmpIdx,
10988
                                   ssl->peerEccDsaKey,
10989
                                   ssl->peerCert.sapkiLen);
10990
    if (keyRet != 0)
10991
        return PEER_KEY_ERROR;
10992
10993
    return 0;
10994
}
10995
#endif /* HAVE_ECC */
10996
10997
#ifdef WOLFSSL_HAVE_MLDSA
10998
/* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
10999
 * ML-DSA public key. Convert it into a usable public key. */
11000
static int decodeMlDsaKey(WOLFSSL* ssl, int level)
11001
{
11002
    int keyRet;
11003
    word32 tmpIdx = 0;
11004
11005
    if (ssl->peerMlDsaKeyPresent)
11006
        return INVALID_PARAMETER;
11007
11008
    keyRet = AllocKey(ssl, DYNAMIC_TYPE_MLDSA,
11009
                      (void**)&ssl->peerMlDsaKey);
11010
    if (keyRet != 0)
11011
        return PEER_KEY_ERROR;
11012
11013
    ssl->peerMlDsaKeyPresent = 1;
11014
    keyRet = wc_MlDsaKey_SetParams(ssl->peerMlDsaKey, level);
11015
    if (keyRet != 0)
11016
        return PEER_KEY_ERROR;
11017
11018
    keyRet = wc_MlDsaKey_PublicKeyDecode(ssl->peerMlDsaKey,
11019
                                         ssl->peerCert.sapkiDer,
11020
                                         ssl->peerCert.sapkiLen, &tmpIdx);
11021
    if (keyRet != 0)
11022
        return PEER_KEY_ERROR;
11023
11024
    return 0;
11025
}
11026
#endif /* WOLFSSL_HAVE_MLDSA */
11027
11028
#ifdef HAVE_FALCON
11029
/* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a
11030
 * falcon public key. Convert it into a usable public key. */
11031
static int decodeFalconKey(WOLFSSL* ssl, int level)
11032
{
11033
    int keyRet;
11034
    word32 tmpIdx = 0;
11035
11036
    if (ssl->peerFalconKeyPresent)
11037
        return INVALID_PARAMETER;
11038
11039
    keyRet = AllocKey(ssl, DYNAMIC_TYPE_FALCON, (void**)&ssl->peerFalconKey);
11040
    if (keyRet != 0)
11041
        return PEER_KEY_ERROR;
11042
11043
    ssl->peerFalconKeyPresent = 1;
11044
    keyRet = wc_falcon_set_level(ssl->peerFalconKey, level);
11045
    if (keyRet != 0)
11046
        return PEER_KEY_ERROR;
11047
11048
    keyRet = wc_Falcon_PublicKeyDecode(ssl->peerCert.sapkiDer, &tmpIdx,
11049
                                       ssl->peerFalconKey,
11050
                                       ssl->peerCert.sapkiLen);
11051
    if (keyRet != 0)
11052
        return PEER_KEY_ERROR;
11053
11054
    return 0;
11055
}
11056
#endif /* HAVE_FALCON */
11057
#endif /* WOLFSSL_DUAL_ALG_CERTS */
11058
11059
/* handle processing TLS v1.3 certificate_verify (15) */
11060
/* Parse and handle a TLS v1.3 CertificateVerify message.
11061
 *
11062
 * ssl       The SSL/TLS object.
11063
 * input     The message buffer.
11064
 * inOutIdx  On entry, the index into the message buffer of
11065
 *           CertificateVerify.
11066
 *           On exit, the index of byte after the CertificateVerify message.
11067
 * totalSz   The length of the current handshake message.
11068
 * returns 0 on success and otherwise failure.
11069
 */
11070
static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
11071
                                    word32* inOutIdx, word32 totalSz)
11072
0
{
11073
0
    int         ret = 0;
11074
0
    byte*       sig = NULL;
11075
0
#ifndef NO_RSA
11076
    /* Use this as a temporary buffer for RSA signature verification. */
11077
0
    buffer*     rsaSigBuf = &ssl->buffers.sig;
11078
0
#endif
11079
#ifdef WOLFSSL_ASYNC_CRYPT
11080
    Dcv13Args* args = NULL;
11081
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
11082
#else
11083
0
    Dcv13Args  args[1];
11084
0
#endif
11085
11086
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO);
11087
0
    WOLFSSL_ENTER("DoTls13CertificateVerify");
11088
11089
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
11090
    ret = tsip_Tls13CertificateVerify(ssl, input, inOutIdx, totalSz);
11091
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
11092
        goto exit_dcv;
11093
    }
11094
    ret = 0;
11095
#endif
11096
11097
#ifdef WOLFSSL_ASYNC_CRYPT
11098
    if (ssl->async == NULL) {
11099
        ssl->async = (struct WOLFSSL_ASYNC*)
11100
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
11101
                        DYNAMIC_TYPE_ASYNC);
11102
        if (ssl->async == NULL)
11103
            ERROR_OUT(MEMORY_E, exit_dcv);
11104
    }
11105
    args = (Dcv13Args*)ssl->async->args;
11106
11107
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
11108
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
11109
        /* Check for error */
11110
        if (ret < 0)
11111
            goto exit_dcv;
11112
    }
11113
    else
11114
#endif
11115
0
    {
11116
        /* Reset state */
11117
0
        ret = 0;
11118
0
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
11119
0
        XMEMSET(args, 0, sizeof(Dcv13Args));
11120
0
        ssl->options.peerHashAlgo = sha_mac;
11121
0
        ssl->options.peerSigAlgo = anonymous_sa_algo;
11122
0
        args->idx = *inOutIdx;
11123
0
        args->begin = *inOutIdx;
11124
    #ifdef WOLFSSL_ASYNC_CRYPT
11125
        ssl->async->freeArgs = FreeDcv13Args;
11126
    #endif
11127
0
    }
11128
11129
0
    switch(ssl->options.asyncState)
11130
0
    {
11131
0
        case TLS_ASYNC_BEGIN:
11132
0
        {
11133
        #ifdef WOLFSSL_CALLBACKS
11134
            if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateVerify");
11135
            if (ssl->toInfoOn) AddLateName("CertificateVerify",
11136
                                           &ssl->timeoutInfo);
11137
        #endif
11138
11139
            /* Advance state and proceed */
11140
0
            ssl->options.asyncState = TLS_ASYNC_BUILD;
11141
0
        } /* case TLS_ASYNC_BEGIN */
11142
0
        FALL_THROUGH;
11143
11144
0
        case TLS_ASYNC_BUILD:
11145
0
        {
11146
0
            int validSigAlgo;
11147
0
            const Suites* suites = WOLFSSL_SUITES(ssl);
11148
0
            word16 i;
11149
11150
            /* Signature algorithm. */
11151
0
            if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
11152
0
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
11153
0
            }
11154
11155
#ifdef WOLFSSL_DUAL_ALG_CERTS
11156
            if (ssl->peerSigSpec == NULL) {
11157
                /* The peer did not respond. We didn't send CKS or they don't
11158
                 * support it. Either way, we do not need to handle dual
11159
                 * key/sig case. */
11160
                ssl->sigSpec = NULL;
11161
                ssl->sigSpecSz = 0;
11162
            }
11163
11164
            /* If no CKS extension or either native or alternative, then just
11165
             * get a normal sigalgo.  But if BOTH, then get the native and alt
11166
             * sig algos. */
11167
            if (ssl->sigSpec == NULL ||
11168
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_NATIVE ||
11169
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
11170
#endif /* WOLFSSL_DUAL_ALG_CERTS */
11171
0
                validSigAlgo = 0;
11172
0
                for (i = 0; i < suites->hashSigAlgoSz; i += 2) {
11173
0
                     if ((suites->hashSigAlgo[i + 0] == input[args->idx + 0]) &&
11174
0
                             (suites->hashSigAlgo[i + 1] == input[args->idx + 1])) {
11175
0
                         validSigAlgo = 1;
11176
0
                         break;
11177
0
                     }
11178
0
                }
11179
0
                if (!validSigAlgo) {
11180
0
                    ERROR_OUT(INVALID_PARAMETER, exit_dcv);
11181
0
                }
11182
11183
0
                ret = DecodeTls13SigAlg(input + args->idx,
11184
0
                        &ssl->options.peerHashAlgo, &ssl->options.peerSigAlgo);
11185
#ifdef WOLFSSL_DUAL_ALG_CERTS
11186
            }
11187
            else {
11188
                ret = DecodeTls13HybridSigAlg(input + args->idx,
11189
                                              &ssl->options.peerHashAlgo,
11190
                                              &ssl->options.peerSigAlgo,
11191
                                              &args->altSigAlgo);
11192
            }
11193
#endif /* WOLFSSL_DUAL_ALG_CERTS */
11194
11195
0
            if (ret < 0)
11196
0
                goto exit_dcv;
11197
0
            args->idx += OPAQUE16_LEN;
11198
11199
            /* Signature length. */
11200
0
            if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
11201
0
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
11202
0
            }
11203
0
            ato16(input + args->idx, &args->sz);
11204
0
            args->idx += OPAQUE16_LEN;
11205
11206
            /* Signature data. */
11207
0
            if ((args->idx - args->begin) + args->sz > totalSz) {
11208
0
                ERROR_OUT(BUFFER_ERROR, exit_dcv);
11209
0
            }
11210
11211
#ifdef WOLFSSL_DUAL_ALG_CERTS
11212
            if ((ssl->sigSpec != NULL) &&
11213
                (*ssl->sigSpec != WOLFSSL_CKS_SIGSPEC_NATIVE)) {
11214
11215
                word16 sa;
11216
                if (args->altSigAlgo == 0)
11217
                    sa = ssl->options.peerSigAlgo;
11218
                else
11219
                    sa = args->altSigAlgo;
11220
11221
                switch(sa) {
11222
            #ifndef NO_RSA
11223
                case rsa_pss_sa_algo:
11224
                    ret = decodeRsaKey(ssl);
11225
                    break;
11226
            #endif
11227
            #ifdef HAVE_ECC
11228
                case ecc_dsa_sa_algo:
11229
                    ret = decodeEccKey(ssl);
11230
                    break;
11231
            #endif
11232
            #ifdef WOLFSSL_HAVE_MLDSA
11233
                case mldsa_44_sa_algo:
11234
                    ret = decodeMlDsaKey(ssl, WC_ML_DSA_44);
11235
                    break;
11236
                case mldsa_65_sa_algo:
11237
                    ret = decodeMlDsaKey(ssl, WC_ML_DSA_65);
11238
                    break;
11239
                case mldsa_87_sa_algo:
11240
                    ret = decodeMlDsaKey(ssl, WC_ML_DSA_87);
11241
                    break;
11242
            #endif
11243
            #ifdef HAVE_FALCON
11244
                case falcon_level1_sa_algo:
11245
                    ret = decodeFalconKey(ssl, 1);
11246
                    break;
11247
                case falcon_level5_sa_algo:
11248
                    ret = decodeFalconKey(ssl, 5);
11249
                    break;
11250
            #endif
11251
                default:
11252
                    ERROR_OUT(PEER_KEY_ERROR, exit_dcv);
11253
                }
11254
11255
                if (ret != 0)
11256
                    ERROR_OUT(ret, exit_dcv);
11257
11258
                if (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) {
11259
                    /* Now swap in the alternative by removing the native.
11260
                     * sa contains the alternative signature type. */
11261
                #ifndef NO_RSA
11262
                    if (ssl->peerRsaKeyPresent && sa != rsa_pss_sa_algo) {
11263
                        FreeKey(ssl, DYNAMIC_TYPE_RSA,
11264
                                (void**)&ssl->peerRsaKey);
11265
                        ssl->peerRsaKeyPresent = 0;
11266
                    }
11267
                #endif
11268
                #ifdef HAVE_ECC
11269
                    else if (ssl->peerEccDsaKeyPresent &&
11270
                             sa != ecc_dsa_sa_algo) {
11271
                        FreeKey(ssl, DYNAMIC_TYPE_ECC,
11272
                                (void**)&ssl->peerEccDsaKey);
11273
                        ssl->peerEccDsaKeyPresent = 0;
11274
                    }
11275
                #endif
11276
                #ifdef WOLFSSL_HAVE_MLDSA
11277
                    else if (ssl->peerMlDsaKeyPresent &&
11278
                             sa != mldsa_44_sa_algo &&
11279
                             sa != mldsa_65_sa_algo &&
11280
                             sa != mldsa_87_sa_algo) {
11281
                        FreeKey(ssl, DYNAMIC_TYPE_MLDSA,
11282
                                (void**)&ssl->peerMlDsaKey);
11283
                        ssl->peerMlDsaKeyPresent = 0;
11284
                    }
11285
                #endif
11286
                #ifdef HAVE_FALCON
11287
                    else if (ssl->peerFalconKeyPresent &&
11288
                             sa != falcon_level1_sa_algo &&
11289
                             sa != falcon_level5_sa_algo) {
11290
                        FreeKey(ssl, DYNAMIC_TYPE_FALCON,
11291
                                (void**)&ssl->peerFalconKey);
11292
                        ssl->peerFalconKeyPresent = 0;
11293
                    }
11294
                #endif
11295
                    else {
11296
                        ERROR_OUT(PEER_KEY_ERROR, exit_dcv);
11297
                    }
11298
                }
11299
            }
11300
#endif /* WOLFSSL_DUAL_ALG_CERTS */
11301
11302
            /* Check for public key of required type. */
11303
            /* Assume invalid unless signature algo matches the key provided */
11304
0
            validSigAlgo = 0;
11305
        #ifdef HAVE_ED25519
11306
            if (ssl->options.peerSigAlgo == ed25519_sa_algo) {
11307
                WOLFSSL_MSG("Peer sent ED25519 sig");
11308
                validSigAlgo = (ssl->peerEd25519Key != NULL) &&
11309
                                                     ssl->peerEd25519KeyPresent;
11310
            }
11311
        #endif
11312
        #ifdef HAVE_ED448
11313
            if (ssl->options.peerSigAlgo == ed448_sa_algo) {
11314
                WOLFSSL_MSG("Peer sent ED448 sig");
11315
                validSigAlgo = (ssl->peerEd448Key != NULL) &&
11316
                                                       ssl->peerEd448KeyPresent;
11317
            }
11318
        #endif
11319
0
        #ifdef HAVE_ECC
11320
0
            if (ssl->options.peerSigAlgo == ecc_dsa_sa_algo) {
11321
0
                WOLFSSL_MSG("Peer sent ECC sig");
11322
0
                validSigAlgo = (ssl->peerEccDsaKey != NULL) &&
11323
0
                                                      ssl->peerEccDsaKeyPresent;
11324
0
            }
11325
0
        #endif
11326
        #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
11327
            if (ssl->options.peerSigAlgo == sm2_sa_algo) {
11328
                WOLFSSL_MSG("Peer sent SM2 sig");
11329
                validSigAlgo = (ssl->peerEccDsaKey != NULL) &&
11330
                                                      ssl->peerEccDsaKeyPresent;
11331
            }
11332
        #endif
11333
        #ifdef HAVE_FALCON
11334
            if (ssl->options.peerSigAlgo == falcon_level1_sa_algo) {
11335
                WOLFSSL_MSG("Peer sent Falcon Level 1 sig");
11336
                validSigAlgo = (ssl->peerFalconKey != NULL) &&
11337
                               ssl->peerFalconKeyPresent;
11338
            }
11339
            if (ssl->options.peerSigAlgo == falcon_level5_sa_algo) {
11340
                WOLFSSL_MSG("Peer sent Falcon Level 5 sig");
11341
                validSigAlgo = (ssl->peerFalconKey != NULL) &&
11342
                               ssl->peerFalconKeyPresent;
11343
            }
11344
        #endif
11345
        #ifdef WOLFSSL_HAVE_MLDSA
11346
            if (ssl->options.peerSigAlgo == mldsa_44_sa_algo) {
11347
                WOLFSSL_MSG("Peer sent ML-DSA Level 2 sig");
11348
                validSigAlgo = (ssl->peerMlDsaKey != NULL) &&
11349
                               ssl->peerMlDsaKeyPresent;
11350
            }
11351
            if (ssl->options.peerSigAlgo == mldsa_65_sa_algo) {
11352
                WOLFSSL_MSG("Peer sent ML-DSA Level 3 sig");
11353
                validSigAlgo = (ssl->peerMlDsaKey != NULL) &&
11354
                               ssl->peerMlDsaKeyPresent;
11355
            }
11356
            if (ssl->options.peerSigAlgo == mldsa_87_sa_algo) {
11357
                WOLFSSL_MSG("Peer sent ML-DSA Level 5 sig");
11358
                validSigAlgo = (ssl->peerMlDsaKey != NULL) &&
11359
                               ssl->peerMlDsaKeyPresent;
11360
            }
11361
        #endif
11362
0
        #ifndef NO_RSA
11363
0
            if (ssl->options.peerSigAlgo == rsa_sa_algo) {
11364
0
                WOLFSSL_MSG("Peer sent PKCS#1.5 algo - not valid TLS 1.3");
11365
0
                ERROR_OUT(INVALID_PARAMETER, exit_dcv);
11366
0
            }
11367
0
            if (ssl->options.peerSigAlgo == rsa_pss_sa_algo) {
11368
0
                WOLFSSL_MSG("Peer sent RSA sig");
11369
0
                validSigAlgo = (ssl->peerRsaKey != NULL) &&
11370
0
                                                         ssl->peerRsaKeyPresent;
11371
0
            }
11372
0
        #endif
11373
0
            if (!validSigAlgo) {
11374
0
                WOLFSSL_MSG("Sig algo doesn't correspond to certificate");
11375
0
                ERROR_OUT(SIG_VERIFY_E, exit_dcv);
11376
0
            }
11377
11378
0
            args->sigSz = args->sz;
11379
#ifdef WOLFSSL_DUAL_ALG_CERTS
11380
            if (ssl->sigSpec != NULL &&
11381
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
11382
                /* In case we received two signatures, both of them are encoded
11383
                 * with their size as 16-bit integeter prior in memory. Hence,
11384
                 * we can decode both lengths here now. */
11385
                word32 tmpIdx = args->idx;
11386
                word16 tmpSz = 0;
11387
                if (args->sz < OPAQUE16_LEN) {
11388
                    ERROR_OUT(BUFFER_ERROR, exit_dcv);
11389
                }
11390
                ato16(input + tmpIdx, &tmpSz);
11391
                args->sigSz = tmpSz;
11392
11393
                tmpIdx += OPAQUE16_LEN + args->sigSz;
11394
                if (tmpIdx - args->idx + OPAQUE16_LEN > args->sz) {
11395
                    ERROR_OUT(BUFFER_ERROR, exit_dcv);
11396
                }
11397
                ato16(input + tmpIdx, &tmpSz);
11398
                args->altSignatureSz = tmpSz;
11399
11400
                if (args->sz != (args->sigSz + args->altSignatureSz +
11401
                                    OPAQUE16_LEN + OPAQUE16_LEN)) {
11402
                    ERROR_OUT(BUFFER_ERROR, exit_dcv);
11403
                }
11404
            }
11405
#endif /* WOLFSSL_DUAL_ALG_CERTS */
11406
11407
0
        #if !defined(NO_RSA) && defined(WC_RSA_PSS)
11408
            /* In case we have to verify an RSA signature, we have to store the
11409
             * signature in the 'rsaSigBuf' structure for further processing.
11410
             */
11411
0
            if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
11412
0
                word32 sigSz = args->sigSz;
11413
0
                sig = input + args->idx;
11414
            #ifdef WOLFSSL_DUAL_ALG_CERTS
11415
                /* Check if our alternative signature was RSA */
11416
                if (ssl->sigSpec != NULL &&
11417
                    *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
11418
                    if (ssl->options.peerSigAlgo != rsa_pss_sa_algo) {
11419
                        /* We have to skip the first signature (length field
11420
                         * and signature itself) and the length field of the
11421
                         * alternative signature. */
11422
                        sig += OPAQUE16_LEN + OPAQUE16_LEN + args->sigSz;
11423
                        sigSz = args->altSignatureSz;
11424
                    }
11425
                    else {
11426
                        /* We have to skip the length field */
11427
                        sig += OPAQUE16_LEN;
11428
                    }
11429
                }
11430
            #endif
11431
0
                rsaSigBuf->buffer = (byte*)XMALLOC(sigSz, ssl->heap,
11432
0
                                         DYNAMIC_TYPE_SIGNATURE);
11433
0
                if (rsaSigBuf->buffer == NULL) {
11434
0
                    ERROR_OUT(MEMORY_E, exit_dcv);
11435
0
                }
11436
0
                rsaSigBuf->length = sigSz;
11437
0
                XMEMCPY(rsaSigBuf->buffer, sig, rsaSigBuf->length);
11438
0
            }
11439
0
        #endif /* !NO_RSA && WC_RSA_PSS */
11440
11441
0
            args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
11442
0
                                                    DYNAMIC_TYPE_SIGNATURE);
11443
0
            if (args->sigData == NULL) {
11444
0
                ERROR_OUT(MEMORY_E, exit_dcv);
11445
0
            }
11446
11447
0
            ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
11448
0
            if (ret < 0)
11449
0
                goto exit_dcv;
11450
11451
        #ifdef WOLFSSL_DUAL_ALG_CERTS
11452
            if ((ssl->sigSpec != NULL) &&
11453
                (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH)) {
11454
                args->altSigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
11455
                                                        DYNAMIC_TYPE_SIGNATURE);
11456
                if (args->altSigData == NULL) {
11457
                    ERROR_OUT(MEMORY_E, exit_dcv);
11458
                }
11459
                XMEMCPY(args->altSigData, args->sigData, args->sigDataSz);
11460
                args->altSigDataSz = args->sigDataSz;
11461
            }
11462
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
11463
11464
0
        #ifdef HAVE_ECC
11465
0
            if ((ssl->options.peerSigAlgo == ecc_dsa_sa_algo) &&
11466
0
                (ssl->peerEccDsaKeyPresent)) {
11467
0
                ret = CreateECCEncodedSig(args->sigData,
11468
0
                    args->sigDataSz, ssl->options.peerHashAlgo);
11469
0
                if (ret < 0)
11470
0
                    goto exit_dcv;
11471
0
                args->sigDataSz = (word16)ret;
11472
0
                ret = 0;
11473
0
            }
11474
11475
        #ifdef WOLFSSL_DUAL_ALG_CERTS
11476
            if ((ssl->sigSpec != NULL) &&
11477
                (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) &&
11478
                (args->altSigAlgo == ecc_dsa_sa_algo) &&
11479
                (ssl->peerEccDsaKeyPresent)) {
11480
                ret = CreateECCEncodedSig(args->altSigData,
11481
                        args->altSigDataSz, ssl->options.peerHashAlgo);
11482
                    if (ret < 0)
11483
                        goto exit_dcv;
11484
                    args->altSigDataSz = (word16)ret;
11485
                    ret = 0;
11486
            }
11487
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
11488
0
        #endif /* HAVE_ECC */
11489
11490
            /* Advance state and proceed */
11491
0
            ssl->options.asyncState = TLS_ASYNC_DO;
11492
0
        } /* case TLS_ASYNC_BUILD */
11493
0
        FALL_THROUGH;
11494
11495
0
        case TLS_ASYNC_DO:
11496
0
        {
11497
0
            sig = input + args->idx;
11498
0
            (void)sig;
11499
        #ifdef WOLFSSL_DUAL_ALG_CERTS
11500
            if (ssl->sigSpec != NULL &&
11501
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
11502
                /* As we have two signatures in the message, we stored
11503
                 * the length of each before the actual signature. This
11504
                 * is necessary, as we could have two algorithms with
11505
                 * variable length signatures. */
11506
                sig += OPAQUE16_LEN;
11507
            }
11508
        #endif
11509
0
        #ifndef NO_RSA
11510
0
            if ((ssl->options.peerSigAlgo == rsa_pss_sa_algo) &&
11511
0
                (ssl->peerRsaKey != NULL) && (ssl->peerRsaKeyPresent != 0)) {
11512
0
                WOLFSSL_MSG("Doing RSA peer cert verify");
11513
0
                ret = RsaVerify(ssl, rsaSigBuf->buffer,
11514
0
                                (word32)rsaSigBuf->length, &args->output,
11515
0
                                ssl->options.peerSigAlgo,
11516
0
                                ssl->options.peerHashAlgo, ssl->peerRsaKey,
11517
                #ifdef HAVE_PK_CALLBACKS
11518
                                &ssl->buffers.peerRsaKey
11519
                #else
11520
0
                                NULL
11521
0
                #endif
11522
0
                                );
11523
0
                if (ret >= 0) {
11524
0
                    args->sendSz = (word32)ret;
11525
0
                    ret = 0;
11526
0
                }
11527
0
            }
11528
0
        #endif /* !NO_RSA */
11529
0
        #ifdef HAVE_ECC
11530
0
            if ((ssl->options.peerSigAlgo == ecc_dsa_sa_algo) &&
11531
0
                    ssl->peerEccDsaKeyPresent) {
11532
0
                WOLFSSL_MSG("Doing ECC peer cert verify");
11533
0
                ret = EccVerify(ssl, sig, args->sigSz,
11534
0
                    args->sigData, args->sigDataSz,
11535
0
                    ssl->peerEccDsaKey,
11536
                #ifdef HAVE_PK_CALLBACKS
11537
                    &ssl->buffers.peerEccDsaKey
11538
                #else
11539
0
                    NULL
11540
0
                #endif
11541
0
                    );
11542
11543
0
                if (ret >= 0) {
11544
                    /* CLIENT/SERVER: data verified with public key from
11545
                     * certificate. */
11546
0
                    ssl->options.peerAuthGood = 1;
11547
11548
0
                    FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
11549
0
                    ssl->peerEccDsaKeyPresent = 0;
11550
0
                }
11551
0
            }
11552
0
        #endif /* HAVE_ECC */
11553
        #if defined(HAVE_ECC) && defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3)
11554
            if ((ssl->options.peerSigAlgo == sm2_sa_algo) &&
11555
                   ssl->peerEccDsaKeyPresent) {
11556
                WOLFSSL_MSG("Doing SM2/SM3 peer cert verify");
11557
                ret = Sm2wSm3Verify(ssl, TLS13_SM2_SIG_ID, TLS13_SM2_SIG_ID_SZ,
11558
                    sig, args->sigSz, args->sigData, args->sigDataSz,
11559
                    ssl->peerEccDsaKey, NULL);
11560
                if (ret >= 0) {
11561
                    /* CLIENT/SERVER: data verified with public key from
11562
                     * certificate. */
11563
                    ssl->options.peerAuthGood = 1;
11564
11565
                    FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
11566
                    ssl->peerEccDsaKeyPresent = 0;
11567
                }
11568
            }
11569
        #endif
11570
        #ifdef HAVE_ED25519
11571
            if ((ssl->options.peerSigAlgo == ed25519_sa_algo) &&
11572
                (ssl->peerEd25519KeyPresent)) {
11573
                WOLFSSL_MSG("Doing ED25519 peer cert verify");
11574
                ret = Ed25519Verify(ssl, sig, args->sigSz,
11575
                    args->sigData, args->sigDataSz,
11576
                    ssl->peerEd25519Key,
11577
                #ifdef HAVE_PK_CALLBACKS
11578
                    &ssl->buffers.peerEd25519Key
11579
                #else
11580
                    NULL
11581
                #endif
11582
                    );
11583
11584
                if (ret >= 0) {
11585
                    /* CLIENT/SERVER: data verified with public key from
11586
                     * certificate. */
11587
                    ssl->options.peerAuthGood = 1;
11588
                    FreeKey(ssl, DYNAMIC_TYPE_ED25519,
11589
                                                  (void**)&ssl->peerEd25519Key);
11590
                    ssl->peerEd25519KeyPresent = 0;
11591
                }
11592
            }
11593
        #endif
11594
        #ifdef HAVE_ED448
11595
            if ((ssl->options.peerSigAlgo == ed448_sa_algo) &&
11596
                (ssl->peerEd448KeyPresent)) {
11597
                WOLFSSL_MSG("Doing ED448 peer cert verify");
11598
                ret = Ed448Verify(ssl, sig, args->sigSz,
11599
                    args->sigData, args->sigDataSz,
11600
                    ssl->peerEd448Key,
11601
                #ifdef HAVE_PK_CALLBACKS
11602
                    &ssl->buffers.peerEd448Key
11603
                #else
11604
                    NULL
11605
                #endif
11606
                );
11607
11608
                if (ret >= 0) {
11609
                    /* CLIENT/SERVER: data verified with public key from
11610
                     * certificate. */
11611
                    ssl->options.peerAuthGood = 1;
11612
                    FreeKey(ssl, DYNAMIC_TYPE_ED448,
11613
                                                    (void**)&ssl->peerEd448Key);
11614
                    ssl->peerEd448KeyPresent = 0;
11615
                }
11616
            }
11617
        #endif
11618
        #if defined(HAVE_FALCON)
11619
            if (((ssl->options.peerSigAlgo == falcon_level1_sa_algo) ||
11620
                 (ssl->options.peerSigAlgo == falcon_level5_sa_algo)) &&
11621
                (ssl->peerFalconKeyPresent)) {
11622
                int res = 0;
11623
                WOLFSSL_MSG("Doing Falcon peer cert verify");
11624
                ret = wc_falcon_verify_msg(sig, args->sigSz,
11625
                                           args->sigData, args->sigDataSz,
11626
                                           &res, ssl->peerFalconKey);
11627
11628
                if ((ret >= 0) && (res == 1)) {
11629
                    /* CLIENT/SERVER: data verified with public key from
11630
                     * certificate. */
11631
                    ssl->options.peerAuthGood = 1;
11632
11633
                    FreeKey(ssl, DYNAMIC_TYPE_FALCON,
11634
                                                   (void**)&ssl->peerFalconKey);
11635
                    ssl->peerFalconKeyPresent = 0;
11636
                }
11637
                else if ((ret >= 0) && (res == 0)) {
11638
                    WOLFSSL_MSG("Falcon signature verification failed");
11639
                    ret = SIG_VERIFY_E;
11640
                }
11641
            }
11642
        #endif /* HAVE_FALCON */
11643
        #if defined(WOLFSSL_HAVE_MLDSA) && !defined(WOLFSSL_MLDSA_NO_VERIFY)
11644
            if (((ssl->options.peerSigAlgo == mldsa_44_sa_algo) ||
11645
                 (ssl->options.peerSigAlgo == mldsa_65_sa_algo) ||
11646
                 (ssl->options.peerSigAlgo == mldsa_87_sa_algo)) &&
11647
                (ssl->peerMlDsaKeyPresent)) {
11648
                int res = 0;
11649
                WOLFSSL_MSG("Doing ML-DSA peer cert verify");
11650
                ret = wc_MlDsaKey_VerifyCtx(ssl->peerMlDsaKey, sig, args->sigSz,
11651
                                            NULL, 0, args->sigData,
11652
                                            args->sigDataSz, &res);
11653
11654
                if ((ret >= 0) && (res == 1)) {
11655
                    /* CLIENT/SERVER: data verified with public key from
11656
                     * certificate. */
11657
                    ssl->options.peerAuthGood = 1;
11658
11659
                    FreeKey(ssl, DYNAMIC_TYPE_MLDSA,
11660
                            (void**)&ssl->peerMlDsaKey);
11661
                    ssl->peerMlDsaKeyPresent = 0;
11662
                }
11663
                else if ((ret >= 0) && (res == 0)) {
11664
                    WOLFSSL_MSG("ML-DSA signature verification failed");
11665
                    ret = SIG_VERIFY_E;
11666
                }
11667
            }
11668
        #endif /* WOLFSSL_HAVE_MLDSA */
11669
11670
            /* Check for error */
11671
0
            if (ret != 0) {
11672
0
                goto exit_dcv;
11673
0
            }
11674
11675
        #ifdef WOLFSSL_DUAL_ALG_CERTS
11676
            if (ssl->sigSpec != NULL &&
11677
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
11678
                /* Move forward to the alternative signature. */
11679
                sig += args->sigSz + OPAQUE16_LEN;
11680
11681
                /* Verify the alternative signature */
11682
            #ifndef NO_RSA
11683
                if ((args->altSigAlgo == rsa_pss_sa_algo) &&
11684
                    (ssl->peerRsaKey != NULL) &&
11685
                    (ssl->peerRsaKeyPresent != 0)) {
11686
                    WOLFSSL_MSG("Doing RSA peer cert alt verify");
11687
                    ret = RsaVerify(ssl, rsaSigBuf->buffer,
11688
                                    (word32)rsaSigBuf->length,
11689
                                    &args->output, args->altSigAlgo,
11690
                                    ssl->options.peerHashAlgo, ssl->peerRsaKey,
11691
                    #ifdef HAVE_PK_CALLBACKS
11692
                                    &ssl->buffers.peerRsaKey
11693
                    #else
11694
                                    NULL
11695
                    #endif
11696
                                    );
11697
                    if (ret >= 0) {
11698
                        args->sendSz = ret;
11699
                        ret = 0;
11700
                    }
11701
                }
11702
            #endif /* !NO_RSA */
11703
            #ifdef HAVE_ECC
11704
                if ((args->altSigAlgo == ecc_dsa_sa_algo) &&
11705
                    (ssl->peerEccDsaKeyPresent)) {
11706
                    WOLFSSL_MSG("Doing ECC peer cert alt verify");
11707
                    ret = EccVerify(ssl, sig, args->altSignatureSz,
11708
                                args->altSigData, args->altSigDataSz,
11709
                                ssl->peerEccDsaKey,
11710
                    #ifdef HAVE_PK_CALLBACKS
11711
                                &ssl->buffers.peerEccDsaKey
11712
                    #else
11713
                                NULL
11714
                    #endif
11715
                                );
11716
11717
                    if (ret >= 0) {
11718
                        /* CLIENT/SERVER: data verified with public key from
11719
                        * certificate. */
11720
                        args->altPeerAuthGood = 1;
11721
11722
                        FreeKey(ssl, DYNAMIC_TYPE_ECC,
11723
                                                (void**)&ssl->peerEccDsaKey);
11724
                        ssl->peerEccDsaKeyPresent = 0;
11725
                    }
11726
                }
11727
            #endif /* HAVE_ECC */
11728
            #if defined(HAVE_FALCON)
11729
                if (((args->altSigAlgo == falcon_level1_sa_algo) ||
11730
                     (args->altSigAlgo == falcon_level5_sa_algo)) &&
11731
                    (ssl->peerFalconKeyPresent)) {
11732
                    int res = 0;
11733
                    WOLFSSL_MSG("Doing Falcon peer cert alt verify");
11734
                    ret = wc_falcon_verify_msg(sig, args->altSignatureSz,
11735
                                        args->altSigData, args->altSigDataSz,
11736
                                        &res, ssl->peerFalconKey);
11737
11738
                    if ((ret >= 0) && (res == 1)) {
11739
                        /* CLIENT/SERVER: data verified with public key from
11740
                        * certificate. */
11741
                        args->altPeerAuthGood = 1;
11742
11743
                        FreeKey(ssl, DYNAMIC_TYPE_FALCON,
11744
                                                (void**)&ssl->peerFalconKey);
11745
                        ssl->peerFalconKeyPresent = 0;
11746
                    }
11747
                    else if ((ret >= 0) && (res == 0)) {
11748
                        WOLFSSL_MSG("Falcon signature verification failed");
11749
                        ret = SIG_VERIFY_E;
11750
                    }
11751
                }
11752
            #endif /* HAVE_FALCON */
11753
            #if defined(WOLFSSL_HAVE_MLDSA) && !defined(WOLFSSL_MLDSA_NO_VERIFY)
11754
                if (((args->altSigAlgo == mldsa_44_sa_algo) ||
11755
                     (args->altSigAlgo == mldsa_65_sa_algo) ||
11756
                     (args->altSigAlgo == mldsa_87_sa_algo)) &&
11757
                    (ssl->peerMlDsaKeyPresent)) {
11758
                    int res = 0;
11759
                    WOLFSSL_MSG("Doing ML-DSA peer cert alt verify");
11760
                    ret = wc_MlDsaKey_VerifyCtx(ssl->peerMlDsaKey, sig,
11761
                                        args->altSignatureSz, NULL, 0,
11762
                                        args->altSigData,
11763
                                        args->altSigDataSz, &res);
11764
11765
                    if ((ret >= 0) && (res == 1)) {
11766
                        /* CLIENT/SERVER: data verified with public key from
11767
                        * certificate. */
11768
                        args->altPeerAuthGood = 1;
11769
11770
                        FreeKey(ssl, DYNAMIC_TYPE_MLDSA,
11771
                                            (void**)&ssl->peerMlDsaKey);
11772
                        ssl->peerMlDsaKeyPresent = 0;
11773
                    }
11774
                    else if ((ret >= 0) && (res == 0)) {
11775
                        WOLFSSL_MSG("ML-DSA signature verification failed");
11776
                        ret = SIG_VERIFY_E;
11777
                    }
11778
                }
11779
            #endif /* WOLFSSL_HAVE_MLDSA */
11780
11781
                /* Check for error */
11782
                if (ret != 0) {
11783
                    goto exit_dcv;
11784
                }
11785
            }
11786
        #endif /* WOLFSSL_DUAL_ALG_CERTS */
11787
11788
            /* Advance state and proceed */
11789
0
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
11790
0
        } /* case TLS_ASYNC_DO */
11791
0
        FALL_THROUGH;
11792
11793
0
        case TLS_ASYNC_VERIFY:
11794
0
        {
11795
0
        #if !defined(NO_RSA) && defined(WC_RSA_PSS)
11796
0
            if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
11797
0
                int sigAlgo = ssl->options.peerSigAlgo;
11798
            #ifdef WOLFSSL_DUAL_ALG_CERTS
11799
                /* Check if our alternative signature was RSA */
11800
                if (ssl->sigSpec != NULL &&
11801
                    *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH &&
11802
                    ssl->options.peerSigAlgo != rsa_pss_sa_algo) {
11803
                    sigAlgo = args->altSigAlgo;
11804
                }
11805
            #endif
11806
0
                ret = CheckRSASignature(ssl, sigAlgo,
11807
0
                        ssl->options.peerHashAlgo, args->output, args->sendSz);
11808
0
                if (ret != 0)
11809
0
                    goto exit_dcv;
11810
11811
                /* CLIENT/SERVER: data verified with public key from
11812
                 * certificate. */
11813
0
                ssl->peerRsaKeyPresent = 0;
11814
0
                FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
11815
            #ifdef WOLFSSL_DUAL_ALG_CERTS
11816
                /* Check if our alternative signature was RSA */
11817
                if (ssl->sigSpec != NULL &&
11818
                    *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH &&
11819
                    ssl->options.peerSigAlgo != rsa_pss_sa_algo) {
11820
                    args->altPeerAuthGood = 1;
11821
                }
11822
                else
11823
            #endif
11824
0
                    ssl->options.peerAuthGood = 1;
11825
0
            }
11826
0
        #endif /* !NO_RSA && WC_RSA_PSS */
11827
11828
            /* Advance state and proceed */
11829
0
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
11830
0
        } /* case TLS_ASYNC_VERIFY */
11831
0
        FALL_THROUGH;
11832
11833
0
        case TLS_ASYNC_FINALIZE:
11834
0
        {
11835
#ifdef WOLFSSL_DUAL_ALG_CERTS
11836
            if (ssl->options.peerAuthGood &&
11837
                ssl->sigSpec != NULL &&
11838
                *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) {
11839
                ssl->options.peerAuthGood = args->altPeerAuthGood;
11840
            }
11841
#endif /* WOLFSSL_DUAL_ALG_CERTS */
11842
0
            ssl->options.havePeerVerify = 1;
11843
11844
            /* Set final index */
11845
0
            args->idx += args->sz;
11846
0
            *inOutIdx = args->idx;
11847
11848
            /* Advance state and proceed */
11849
0
            ssl->options.asyncState = TLS_ASYNC_END;
11850
11851
0
        #if !defined(NO_WOLFSSL_CLIENT)
11852
0
            if (ssl->options.side == WOLFSSL_CLIENT_END)
11853
0
                ssl->options.serverState = SERVER_CERT_VERIFY_COMPLETE;
11854
0
        #endif
11855
0
        } /* case TLS_ASYNC_FINALIZE */
11856
0
        FALL_THROUGH;
11857
11858
0
        case TLS_ASYNC_END:
11859
0
        {
11860
0
            break;
11861
0
        }
11862
11863
0
        default:
11864
0
            ret = INPUT_CASE_ERROR;
11865
0
    } /* switch(ssl->options.asyncState) */
11866
11867
0
exit_dcv:
11868
11869
0
    WOLFSSL_LEAVE("DoTls13CertificateVerify", ret);
11870
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO);
11871
11872
#ifdef WOLFSSL_ASYNC_CRYPT
11873
    /* Handle async operation */
11874
    if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
11875
        /* Mark message as not received so it can process again */
11876
        ssl->msgsReceived.got_certificate_verify = 0;
11877
11878
        return ret;
11879
    }
11880
    else
11881
#endif /* WOLFSSL_ASYNC_CRYPT */
11882
0
    if (ret != 0) {
11883
0
        WOLFSSL_ERROR_VERBOSE(ret);
11884
11885
0
        if (ret != WC_NO_ERR_TRACE(INVALID_PARAMETER)) {
11886
0
            SendAlert(ssl, alert_fatal, decrypt_error);
11887
0
        }
11888
0
    }
11889
11890
    /* Final cleanup */
11891
0
    FreeDcv13Args(ssl, args);
11892
0
    FreeKeyExchange(ssl);
11893
0
#ifdef WOLFSSL_ASYNC_IO
11894
    /* Cleanup async */
11895
0
    FreeAsyncCtx(ssl, 0);
11896
0
#endif
11897
11898
0
    return ret;
11899
0
}
11900
#endif /* !NO_RSA || HAVE_ECC */
11901
#endif /* !NO_CERTS */
11902
11903
/* Parse and handle a TLS v1.3 Finished message.
11904
 *
11905
 * ssl       The SSL/TLS object.
11906
 * input     The message buffer.
11907
 * inOutIdx  On entry, the index into the message buffer of Finished.
11908
 *           On exit, the index of byte after the Finished message and padding.
11909
 * size      Length of message data.
11910
 * totalSz   Length of remaining data in the message buffer.
11911
 * sniff     Indicates whether we are sniffing packets.
11912
 * returns 0 on success and otherwise failure.
11913
 */
11914
int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
11915
                           word32 size, word32 totalSz, int sniff)
11916
0
{
11917
0
    int    ret;
11918
0
    word32 finishedSz = 0;
11919
0
    byte*  secret;
11920
0
    byte   mac[WC_MAX_DIGEST_SIZE];
11921
11922
0
    WOLFSSL_START(WC_FUNC_FINISHED_DO);
11923
0
    WOLFSSL_ENTER("DoTls13Finished");
11924
11925
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
11926
    /* verify the client sent certificate if required */
11927
0
    if (ssl->options.side == WOLFSSL_SERVER_END && !ssl->options.resuming &&
11928
0
            (ssl->options.mutualAuth || ssl->options.failNoCert)) {
11929
#ifdef OPENSSL_COMPATIBLE_DEFAULTS
11930
        if (ssl->options.isPSK) {
11931
            WOLFSSL_MSG("TLS v1.3 client used PSK but cert required. Allowing "
11932
                        "for OpenSSL compatibility");
11933
        }
11934
        else
11935
#endif
11936
0
        if (
11937
        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
11938
            /* Exempt only the initial handshake; a pending post-handshake
11939
             * CertificateRequest (certReqCtx != NULL) still requires a peer
11940
             * certificate and a valid CertificateVerify. */
11941
            (!ssl->options.verifyPostHandshake || ssl->certReqCtx != NULL) &&
11942
        #endif
11943
0
            (!ssl->options.havePeerCert || !ssl->options.havePeerVerify)) {
11944
0
            ret = NO_PEER_CERT; /* NO_PEER_VERIFY */
11945
0
            WOLFSSL_MSG("TLS v1.3 client did not present peer cert");
11946
0
            DoCertFatalAlert(ssl, ret);
11947
0
            goto cleanup;
11948
0
        }
11949
0
    }
11950
0
#endif
11951
11952
#if !defined(NO_CERTS) && !defined(NO_PSK) && \
11953
    defined(WOLFSSL_CERT_WITH_EXTERN_PSK)
11954
    /* Verify the server sent a certificate if requested */
11955
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.pskNegotiated &&
11956
            ssl->options.failNoCert) {
11957
        if ((TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) != NULL) &&
11958
                (!ssl->options.havePeerCert || !ssl->options.havePeerVerify)) {
11959
            ret = NO_PEER_CERT;
11960
            WOLFSSL_MSG("TLS v1.3 server did not present peer cert");
11961
            DoCertFatalAlert(ssl, ret);
11962
            goto cleanup;
11963
        }
11964
    }
11965
#endif
11966
11967
    /* check against totalSz */
11968
0
    if (*inOutIdx + size > totalSz) {
11969
0
        ret = BUFFER_E;
11970
0
        goto cleanup;
11971
0
    }
11972
11973
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
11974
    ret = tsip_Tls13HandleFinished(ssl, input, inOutIdx, size, totalSz);
11975
    if (ret == 0) {
11976
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
11977
        goto cleanup;
11978
    }
11979
    if (ret == WC_NO_ERR_TRACE(VERIFY_FINISHED_ERROR)) {
11980
        SendAlert(ssl, alert_fatal, decrypt_error);
11981
        goto cleanup;
11982
    }
11983
    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
11984
        /* other errors */
11985
        goto cleanup;
11986
    }
11987
    ret = 0;
11988
#endif /* WOLFSSL_RENESAS_TSIP_TLS */
11989
11990
0
    if (ssl->options.handShakeDone) {
11991
0
        ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
11992
0
                                   ssl->keys.client_write_MAC_secret,
11993
0
                                   WOLFSSL_CLIENT_END);
11994
0
        if (ret != 0)
11995
0
            goto cleanup;
11996
11997
0
        secret = ssl->keys.client_write_MAC_secret;
11998
0
    }
11999
0
    else if (ssl->options.side == WOLFSSL_CLIENT_END) {
12000
        /* All the handshake messages have been received to calculate
12001
         * client and server finished keys.
12002
         */
12003
0
        ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
12004
0
                                   ssl->keys.client_write_MAC_secret,
12005
0
                                   WOLFSSL_CLIENT_END);
12006
0
        if (ret != 0)
12007
0
            goto cleanup;
12008
12009
0
        ret = DeriveFinishedSecret(ssl, ssl->serverSecret,
12010
0
                                   ssl->keys.server_write_MAC_secret,
12011
0
                                   WOLFSSL_SERVER_END);
12012
0
        if (ret != 0)
12013
0
            goto cleanup;
12014
12015
0
        secret = ssl->keys.server_write_MAC_secret;
12016
0
    }
12017
0
    else {
12018
0
        secret = ssl->keys.client_write_MAC_secret;
12019
0
    }
12020
12021
0
    if (sniff == NO_SNIFF) {
12022
12023
0
        ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);
12024
    #ifdef WOLFSSL_HAVE_TLS_UNIQUE
12025
        if (finishedSz > TLS_FINISHED_SZ_MAX) {
12026
            ret = BUFFER_ERROR;
12027
            goto cleanup;
12028
        }
12029
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
12030
            XMEMCPY(ssl->serverFinished, mac, finishedSz);
12031
            ssl->serverFinished_len = (byte)finishedSz;
12032
        }
12033
        else {
12034
            XMEMCPY(ssl->clientFinished, mac, finishedSz);
12035
            ssl->clientFinished_len = (byte)finishedSz;
12036
        }
12037
    #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
12038
0
        if (ret != 0)
12039
0
            goto cleanup;
12040
0
        if (size != finishedSz) {
12041
0
            ret = BUFFER_ERROR;
12042
0
            goto cleanup;
12043
0
        }
12044
0
    }
12045
12046
#ifdef WOLFSSL_CALLBACKS
12047
    if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
12048
    if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
12049
#endif
12050
12051
0
    if (sniff == NO_SNIFF) {
12052
        /* Actually check verify data. */
12053
0
        if (size > WC_MAX_DIGEST_SIZE ||
12054
0
                ConstantCompare(input + *inOutIdx, mac, size) != 0){
12055
0
            WOLFSSL_MSG("Verify finished error on hashes");
12056
0
            SendAlert(ssl, alert_fatal, decrypt_error);
12057
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR);
12058
0
            ret = VERIFY_FINISHED_ERROR;
12059
0
            goto cleanup;
12060
0
        }
12061
0
    }
12062
12063
0
    *inOutIdx += size;
12064
12065
0
#ifndef NO_WOLFSSL_SERVER
12066
0
    if (ssl->options.side == WOLFSSL_SERVER_END &&
12067
0
                                                  !ssl->options.handShakeDone) {
12068
#ifdef WOLFSSL_EARLY_DATA
12069
        if (ssl->earlyData != no_early_data) {
12070
            if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0)
12071
                goto cleanup;
12072
        }
12073
#endif
12074
        /* Setup keys for application data messages from client. */
12075
0
        if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
12076
0
            goto cleanup;
12077
0
    }
12078
0
#endif
12079
12080
0
#ifndef NO_WOLFSSL_CLIENT
12081
0
    if (ssl->options.side == WOLFSSL_CLIENT_END)
12082
0
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
12083
0
#endif
12084
0
#ifndef NO_WOLFSSL_SERVER
12085
0
    if (ssl->options.side == WOLFSSL_SERVER_END) {
12086
0
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
12087
0
        ssl->options.handShakeState = HANDSHAKE_DONE;
12088
0
        ssl->options.handShakeDone  = 1;
12089
0
    }
12090
0
#endif
12091
12092
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_EARLY_DATA)
12093
    if (ssl->options.dtls && ssl->earlyData > early_data_ext) {
12094
        /* DTLSv1.3 has no EndOfearlydata messages. We stop processing EarlyData
12095
           as soon we receive the client's finished message */
12096
        ssl->earlyData = done_early_data;
12097
    }
12098
#endif /* WOLFSSL_DTLS13 && WOLFSSL_EARLY_DATA */
12099
#if defined(WOLFSSL_QUIC) && defined(WOLFSSL_EARLY_DATA)
12100
    if (WOLFSSL_IS_QUIC(ssl) && ssl->earlyData > early_data_ext) {
12101
        /* QUIC has no EndOfEarlyData messages. We stop processing EarlyData
12102
           as soon we receive the client's finished message */
12103
        ssl->earlyData = done_early_data;
12104
    }
12105
#endif /* WOLFSSL_QUIC && WOLFSSL_EARLY_DATA */
12106
12107
0
    ret = 0;
12108
0
cleanup:
12109
0
    ForceZero(mac, sizeof(mac));
12110
0
    WOLFSSL_LEAVE("DoTls13Finished", ret);
12111
0
    WOLFSSL_END(WC_FUNC_FINISHED_DO);
12112
12113
0
    return ret;
12114
0
}
12115
12116
#if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)
12117
/* Send the TLS v1.3 Finished message.
12118
 *
12119
 * ssl  The SSL/TLS object.
12120
 * returns 0 on success, otherwise failure.
12121
 */
12122
static int SendTls13Finished(WOLFSSL* ssl)
12123
0
{
12124
0
    byte  finishedSz = ssl->specs.hash_size;
12125
0
    byte* input;
12126
0
    byte* output;
12127
0
    int   ret;
12128
0
    int   headerSz = HANDSHAKE_HEADER_SZ;
12129
0
    int   outputSz;
12130
0
    byte* secret;
12131
12132
#ifdef WOLFSSL_DTLS13
12133
    int dtlsRet = 0, isDtls = 0;
12134
#endif /* WOLFSSL_DTLS13 */
12135
12136
0
    WOLFSSL_START(WC_FUNC_FINISHED_SEND);
12137
0
    WOLFSSL_ENTER("SendTls13Finished");
12138
12139
0
    ssl->options.buildingMsg = 1;
12140
#ifdef WOLFSSL_DTLS13
12141
    if (ssl->options.dtls) {
12142
        headerSz = DTLS_HANDSHAKE_HEADER_SZ;
12143
        /* using isDtls instead of ssl->options.dtls will abide clang static
12144
           analyzer on using an uninitialized value */
12145
        isDtls = 1;
12146
    }
12147
#endif /* WOLFSSL_DTLS13 */
12148
12149
0
    outputSz = WC_MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA;
12150
    /* Check buffers are big enough and grow if needed. */
12151
0
    if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
12152
0
        return ret;
12153
12154
    /* get output buffer */
12155
0
    output = GetOutputBuffer(ssl);
12156
0
    input = output + RECORD_HEADER_SZ;
12157
12158
#ifdef WOLFSSL_DTLS13
12159
    if (isDtls)
12160
        input = output + Dtls13GetRlHeaderLength(ssl, 1);
12161
#endif /* WOLFSSL_DTLS13 */
12162
12163
0
    AddTls13HandShakeHeader(input, (word32)finishedSz, 0, (word32)finishedSz,
12164
0
            finished, ssl);
12165
12166
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
12167
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
12168
        ret = tsip_Tls13SendFinished(ssl, output, outputSz, input, 1);
12169
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
12170
            return ret;
12171
        }
12172
        ret = 0;
12173
    }
12174
#endif /* WOLFSSL_RENESAS_TSIP_TLS */
12175
12176
    /* make finished hashes */
12177
0
    if (ssl->options.handShakeDone) {
12178
0
        ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
12179
0
                                   ssl->keys.client_write_MAC_secret,
12180
0
                                   WOLFSSL_CLIENT_END);
12181
0
        if (ret != 0)
12182
0
            return ret;
12183
12184
0
        secret = ssl->keys.client_write_MAC_secret;
12185
0
    }
12186
0
    else if (ssl->options.side == WOLFSSL_CLIENT_END)
12187
0
        secret = ssl->keys.client_write_MAC_secret;
12188
0
    else {
12189
        /* All the handshake messages have been done to calculate client and
12190
         * server finished keys.
12191
         */
12192
0
        ret = DeriveFinishedSecret(ssl, ssl->clientSecret,
12193
0
                                   ssl->keys.client_write_MAC_secret,
12194
0
                                   WOLFSSL_CLIENT_END);
12195
0
        if (ret != 0)
12196
0
            return ret;
12197
12198
0
        ret = DeriveFinishedSecret(ssl, ssl->serverSecret,
12199
0
                                   ssl->keys.server_write_MAC_secret,
12200
0
                                   WOLFSSL_SERVER_END);
12201
0
        if (ret != 0)
12202
0
            return ret;
12203
12204
0
        secret = ssl->keys.server_write_MAC_secret;
12205
0
    }
12206
0
    ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL);
12207
0
    if (ret != 0)
12208
0
        return ret;
12209
    #ifdef WOLFSSL_HAVE_TLS_UNIQUE
12210
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
12211
            XMEMCPY(ssl->clientFinished, &input[headerSz], finishedSz);
12212
            ssl->clientFinished_len = finishedSz;
12213
        }
12214
        else {
12215
            XMEMCPY(ssl->serverFinished, &input[headerSz], finishedSz);
12216
            ssl->serverFinished_len = finishedSz;
12217
        }
12218
    #endif /* WOLFSSL_HAVE_TLS_UNIQUE */
12219
12220
#ifdef WOLFSSL_DTLS13
12221
    if (isDtls) {
12222
        dtlsRet = Dtls13HandshakeSend(ssl, output, (word16)outputSz,
12223
            (word16)(Dtls13GetRlHeaderLength(ssl, 1) + headerSz + finishedSz), finished,
12224
            1);
12225
        if (dtlsRet != 0 && dtlsRet != WC_NO_ERR_TRACE(WANT_WRITE))
12226
            return dtlsRet;
12227
12228
    } else
12229
#endif /* WOLFSSL_DTLS13 */
12230
0
    {
12231
        /* This message is always encrypted. */
12232
0
        int sendSz = BuildTls13Message(ssl, output, outputSz, input,
12233
0
                                   headerSz + finishedSz, handshake, 1, 0, 0);
12234
0
        if (sendSz < 0) {
12235
0
            WOLFSSL_ERROR_VERBOSE(BUILD_MSG_ERROR);
12236
0
            return BUILD_MSG_ERROR;
12237
0
        }
12238
12239
        #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
12240
            if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
12241
            if (ssl->toInfoOn) {
12242
                ret = AddPacketInfo(ssl, "Finished", handshake, output, sendSz,
12243
                              WRITE_PROTO, 0, ssl->heap);
12244
                if (ret != 0)
12245
                    return ret;
12246
            }
12247
        #endif
12248
12249
0
        ssl->buffers.outputBuffer.length += (word32)sendSz;
12250
0
        ssl->options.buildingMsg = 0;
12251
0
    }
12252
12253
0
    if (ssl->options.side == WOLFSSL_SERVER_END) {
12254
#ifdef WOLFSSL_EARLY_DATA
12255
        byte storeTrafficDecKeys = ssl->earlyData == no_early_data;
12256
#endif
12257
        /* Can send application data now. */
12258
0
        if ((ret = DeriveMasterSecret(ssl)) != 0)
12259
0
            return ret;
12260
        /* Last use of preMasterSecret - zeroize as soon as possible. */
12261
0
        ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
12262
#ifdef WOLFSSL_EARLY_DATA
12263
12264
#ifdef WOLFSSL_DTLS13
12265
        /* DTLS13 dynamically change keys and it needs all
12266
           the keys in ssl->keys to save the keying material */
12267
        if (isDtls)
12268
            storeTrafficDecKeys = 1;
12269
#endif /* WOLFSSL_DTLS13 */
12270
12271
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1))
12272
                                                                         != 0) {
12273
            return ret;
12274
        }
12275
        if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY,
12276
                                       storeTrafficDecKeys)) != 0) {
12277
            return ret;
12278
        }
12279
#else
12280
0
        if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE,
12281
0
                                                                     1)) != 0) {
12282
0
            return ret;
12283
0
        }
12284
0
#endif
12285
0
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
12286
0
            return ret;
12287
12288
#ifdef WOLFSSL_DTLS13
12289
        if (isDtls) {
12290
            w64wrapper epochTraffic0;
12291
            epochTraffic0 = w64From32(0, DTLS13_EPOCH_TRAFFIC0);
12292
            ssl->dtls13Epoch = epochTraffic0;
12293
            ssl->dtls13PeerEpoch = epochTraffic0;
12294
12295
            ret = Dtls13SetEpochKeys(
12296
                ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE);
12297
            if (ret != 0)
12298
                return ret;
12299
12300
        }
12301
#endif /* WOLFSSL_DTLS13 */
12302
12303
0
    }
12304
12305
0
    if (ssl->options.side == WOLFSSL_CLIENT_END &&
12306
0
                                                  !ssl->options.handShakeDone) {
12307
#ifdef WOLFSSL_EARLY_DATA
12308
        if (ssl->earlyData != no_early_data) {
12309
            if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_SIDE_ONLY,
12310
                                                                     1)) != 0) {
12311
                    return ret;
12312
            }
12313
        }
12314
#endif
12315
        /* Setup keys for application data messages. */
12316
0
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
12317
0
            return ret;
12318
12319
#if defined(HAVE_SESSION_TICKET)
12320
        ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
12321
        if (ret != 0)
12322
            return ret;
12323
#endif
12324
12325
#ifdef WOLFSSL_DTLS13
12326
        if (isDtls) {
12327
            w64wrapper epochTraffic0;
12328
            epochTraffic0 = w64From32(0, DTLS13_EPOCH_TRAFFIC0);
12329
            ssl->dtls13Epoch = epochTraffic0;
12330
            ssl->dtls13PeerEpoch = epochTraffic0;
12331
12332
            ret = Dtls13SetEpochKeys(
12333
                ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE);
12334
            if (ret != 0)
12335
                return ret;
12336
12337
        }
12338
#endif /* WOLFSSL_DTLS13 */
12339
0
    }
12340
12341
0
#ifndef NO_WOLFSSL_CLIENT
12342
0
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
12343
0
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
12344
0
        ssl->options.handShakeState = HANDSHAKE_DONE;
12345
0
        ssl->options.handShakeDone  = 1;
12346
0
    }
12347
0
#endif
12348
0
#ifndef NO_WOLFSSL_SERVER
12349
0
    if (ssl->options.side == WOLFSSL_SERVER_END) {
12350
0
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
12351
0
    }
12352
0
#endif
12353
12354
#ifdef WOLFSSL_DTLS13
12355
    if (isDtls) {
12356
        WOLFSSL_LEAVE("SendTls13Finished", ret);
12357
        WOLFSSL_END(WC_FUNC_FINISHED_SEND);
12358
12359
        return dtlsRet;
12360
    }
12361
#endif /* WOLFSSL_DTLS13 */
12362
12363
0
    if ((ret = SendBuffered(ssl)) != 0)
12364
0
        return ret;
12365
12366
0
    WOLFSSL_LEAVE("SendTls13Finished", ret);
12367
0
    WOLFSSL_END(WC_FUNC_FINISHED_SEND);
12368
12369
0
    return ret;
12370
0
}
12371
#endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */
12372
12373
/* handle generation TLS v1.3 key_update (24) */
12374
/* Send the TLS v1.3 KeyUpdate message.
12375
 *
12376
 * ssl  The SSL/TLS object.
12377
 * returns 0 on success, otherwise failure.
12378
 */
12379
int SendTls13KeyUpdate(WOLFSSL* ssl)
12380
0
{
12381
0
    byte*  input;
12382
0
    byte*  output;
12383
0
    int    ret;
12384
0
    int    headerSz = HANDSHAKE_HEADER_SZ;
12385
0
    int    outputSz;
12386
0
    word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
12387
12388
0
    WOLFSSL_START(WC_FUNC_KEY_UPDATE_SEND);
12389
0
    WOLFSSL_ENTER("SendTls13KeyUpdate");
12390
12391
#ifdef WOLFSSL_DTLS13
12392
    if (ssl->options.dtls) {
12393
        /* RFC 9147 Section 4.2.1: do not send a KeyUpdate that would advance
12394
         * the sending epoch beyond 2^48-1. */
12395
        if (w64GTE(ssl->dtls13Epoch,
12396
                   w64From32(DTLS13_EPOCH_MAX_HI32, DTLS13_EPOCH_MAX_LO32))) {
12397
            WOLFSSL_MSG("DTLS 1.3 sending epoch at maximum; refusing KeyUpdate");
12398
            return BAD_STATE_E;
12399
        }
12400
        i = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ;
12401
    }
12402
#endif /* WOLFSSL_DTLS13 */
12403
12404
0
    outputSz = OPAQUE8_LEN + MAX_MSG_EXTRA;
12405
    /* Check buffers are big enough and grow if needed. */
12406
0
    if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
12407
0
        return ret;
12408
12409
    /* get output buffer */
12410
0
    output = GetOutputBuffer(ssl);
12411
0
    input = output + RECORD_HEADER_SZ;
12412
12413
#ifdef WOLFSSL_DTLS13
12414
    if (ssl->options.dtls)
12415
        input = output + Dtls13GetRlHeaderLength(ssl, 1);
12416
#endif /* WOLFSSL_DTLS13 */
12417
12418
0
    AddTls13Headers(output, OPAQUE8_LEN, key_update, ssl);
12419
12420
    /* If:
12421
     *   1. I haven't sent a KeyUpdate requesting a response and
12422
     *   2. This isn't responding to peer KeyUpdate requiring a response then,
12423
     * I want a response.
12424
     */
12425
0
    ssl->keys.updateResponseReq = output[i++] =
12426
0
         !ssl->keys.updateResponseReq && !ssl->keys.keyUpdateRespond;
12427
    /* Sent response, no longer need to respond. */
12428
0
    ssl->keys.keyUpdateRespond = 0;
12429
12430
#ifdef WOLFSSL_DTLS13
12431
    if (ssl->options.dtls) {
12432
        ret = Dtls13HandshakeSend(ssl, output, (word16)outputSz,
12433
            OPAQUE8_LEN + Dtls13GetRlHeaderLength(ssl, 1) +
12434
                DTLS_HANDSHAKE_HEADER_SZ,
12435
            key_update, 0);
12436
    }
12437
    else
12438
#endif /* WOLFSSL_DTLS13 */
12439
0
    {
12440
        /* This message is always encrypted. */
12441
0
        int sendSz = BuildTls13Message(ssl, output, outputSz, input,
12442
0
                                   headerSz + OPAQUE8_LEN, handshake, 0, 0, 0);
12443
0
        if (sendSz < 0)
12444
0
            return BUILD_MSG_ERROR;
12445
12446
        #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
12447
            if (ssl->hsInfoOn) AddPacketName(ssl, "KeyUpdate");
12448
            if (ssl->toInfoOn) {
12449
                ret = AddPacketInfo(ssl, "KeyUpdate", handshake, output, sendSz,
12450
                              WRITE_PROTO, 0, ssl->heap);
12451
                if (ret != 0)
12452
                    return ret;
12453
            }
12454
        #endif
12455
12456
0
        ssl->buffers.outputBuffer.length += (word32)sendSz;
12457
12458
0
        ret = SendBuffered(ssl);
12459
12460
12461
0
        if (ret != 0 && ret != WC_NO_ERR_TRACE(WANT_WRITE))
12462
0
            return ret;
12463
0
    }
12464
12465
    /* In DTLS we must wait for the ack before setting up the new keys */
12466
0
    if (!ssl->options.dtls) {
12467
12468
        /* Future traffic uses new encryption keys. */
12469
0
        if ((ret = DeriveTls13Keys(
12470
0
                       ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1))
12471
0
            != 0)
12472
0
            return ret;
12473
0
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
12474
0
            return ret;
12475
0
    }
12476
12477
12478
0
    WOLFSSL_LEAVE("SendTls13KeyUpdate", ret);
12479
0
    WOLFSSL_END(WC_FUNC_KEY_UPDATE_SEND);
12480
12481
0
    return ret;
12482
0
}
12483
12484
/* handle processing TLS v1.3 key_update (24) */
12485
/* Parse and handle a TLS v1.3 KeyUpdate message.
12486
 *
12487
 * ssl       The SSL/TLS object.
12488
 * input     The message buffer.
12489
 * inOutIdx  On entry, the index into the message buffer of Finished.
12490
 *           On exit, the index of byte after the Finished message and padding.
12491
 * totalSz   The length of the current handshake message.
12492
 * returns 0 on success and otherwise failure.
12493
 */
12494
static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
12495
                            word32 totalSz)
12496
0
{
12497
0
    int    ret;
12498
0
    word32 i = *inOutIdx;
12499
12500
0
    WOLFSSL_START(WC_FUNC_KEY_UPDATE_DO);
12501
0
    WOLFSSL_ENTER("DoTls13KeyUpdate");
12502
12503
    /* check against totalSz */
12504
0
    if (OPAQUE8_LEN != totalSz)
12505
0
        return BUFFER_E;
12506
12507
0
    switch (input[i]) {
12508
0
        case update_not_requested:
12509
            /* This message in response to any outstanding request. */
12510
0
            ssl->keys.keyUpdateRespond = 0;
12511
0
            ssl->keys.updateResponseReq = 0;
12512
0
            break;
12513
0
        case update_requested:
12514
            /* New key update requiring a response. */
12515
0
            ssl->keys.keyUpdateRespond = 1;
12516
0
            break;
12517
0
        default:
12518
0
            WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
12519
0
            return INVALID_PARAMETER;
12520
0
    }
12521
12522
    /* Move index to byte after message. */
12523
0
    *inOutIdx += totalSz;
12524
12525
    /* Future traffic uses new decryption keys. */
12526
0
    if ((ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1))
12527
0
                                                                         != 0) {
12528
0
        return ret;
12529
0
    }
12530
0
    if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
12531
0
        return ret;
12532
12533
#ifdef WOLFSSL_DTLS13
12534
    if (ssl->options.dtls) {
12535
        /* Increment on a local copy so ssl->dtls13PeerEpoch is left
12536
         * untouched when the check fails. */
12537
        w64wrapper newEpoch = ssl->dtls13PeerEpoch;
12538
        w64Increment(&newEpoch);
12539
12540
        /* RFC 9147 Section 8: the 2^48-1 cap is sender-only; receivers MUST
12541
         * NOT enforce it. Guard only the wrap-to-zero (Section 4.2.1). */
12542
        if (w64IsZero(newEpoch))
12543
            return BAD_STATE_E;
12544
12545
        ssl->dtls13PeerEpoch = newEpoch;
12546
12547
        ret = Dtls13SetEpochKeys(ssl, ssl->dtls13PeerEpoch, DECRYPT_SIDE_ONLY);
12548
        if (ret != 0)
12549
            return ret;
12550
    }
12551
#endif /* WOLFSSL_DTLS13 */
12552
12553
0
    if (ssl->keys.keyUpdateRespond) {
12554
12555
#ifdef WOLFSSL_DTLS13
12556
        /* we already sent a keyUpdate (either in response to a previous
12557
           KeyUpdate or initiated by the application) and we are waiting for the
12558
           ack. We can't send a new KeyUpdate right away but to honor the RFC we
12559
           should send another KeyUpdate after the one in-flight is acked. We
12560
           don't do that as it looks redundant, it will make the code more
12561
           complex and I don't see a good use case for that. */
12562
        if (ssl->options.dtls && ssl->dtls13WaitKeyUpdateAck) {
12563
            ssl->keys.keyUpdateRespond = 0;
12564
            return 0;
12565
        }
12566
#endif /* WOLFSSL_DTLS13 */
12567
12568
#if defined(HAVE_WRITE_DUP) && defined(WOLFSSL_TLS13)
12569
        /* Read side cannot write; delegate the response to the write side. */
12570
        if (ssl->dupWrite != NULL && ssl->dupSide == READ_DUP_SIDE) {
12571
            if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0)
12572
                return BAD_MUTEX_E;
12573
            ssl->dupWrite->keyUpdateRespond = 1;
12574
            wc_UnLockMutex(&ssl->dupWrite->dupMutex);
12575
            ssl->keys.keyUpdateRespond = 0;
12576
            return 0;
12577
        }
12578
#endif /* HAVE_WRITE_DUP && WOLFSSL_TLS13 */
12579
12580
0
#ifndef WOLFSSL_RW_THREADED
12581
0
        return SendTls13KeyUpdate(ssl);
12582
#else
12583
        ssl->options.sendKeyUpdate = 1;
12584
        return 0;
12585
#endif
12586
0
    }
12587
12588
0
    WOLFSSL_LEAVE("DoTls13KeyUpdate", ret);
12589
0
    WOLFSSL_END(WC_FUNC_KEY_UPDATE_DO);
12590
12591
0
    return 0;
12592
0
}
12593
12594
#ifdef WOLFSSL_EARLY_DATA
12595
#ifndef NO_WOLFSSL_CLIENT
12596
/* Send the TLS v1.3 EndOfEarlyData message to indicate that there will be no
12597
 * more early application data.
12598
 * The encryption key now changes to the pre-calculated handshake key.
12599
 *
12600
 * ssl  The SSL/TLS object.
12601
 * returns 0 on success and otherwise failure.
12602
 */
12603
static int SendTls13EndOfEarlyData(WOLFSSL* ssl)
12604
{
12605
    byte*  output;
12606
    int    ret;
12607
    int    sendSz;
12608
    word32 length;
12609
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
12610
12611
    WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_SEND);
12612
    WOLFSSL_ENTER("SendTls13EndOfEarlyData");
12613
12614
    length = 0;
12615
    sendSz = (int)(idx + length + MAX_MSG_EXTRA);
12616
    ssl->options.buildingMsg = 1;
12617
12618
    /* Check buffers are big enough and grow if needed. */
12619
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
12620
        return ret;
12621
12622
    /* Get position in output buffer to write new message to. */
12623
    output = GetOutputBuffer(ssl);
12624
12625
    /* Put the record and handshake headers on. */
12626
    AddTls13Headers(output, length, end_of_early_data, ssl);
12627
12628
    /* This message is always encrypted. */
12629
    sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
12630
                               idx - RECORD_HEADER_SZ, handshake, 1, 0, 0);
12631
    if (sendSz < 0)
12632
        return sendSz;
12633
12634
    ssl->buffers.outputBuffer.length += sendSz;
12635
12636
    if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
12637
        return ret;
12638
12639
    ssl->options.buildingMsg = 0;
12640
    if (!ssl->options.groupMessages)
12641
        ret = SendBuffered(ssl);
12642
12643
    ssl->earlyData = done_early_data;
12644
12645
    WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret);
12646
    WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_SEND);
12647
12648
    return ret;
12649
}
12650
#endif /* !NO_WOLFSSL_CLIENT */
12651
12652
#ifndef NO_WOLFSSL_SERVER
12653
/* handle processing of TLS 1.3 end_of_early_data (5) */
12654
/* Parse the TLS v1.3 EndOfEarlyData message that indicates that there will be
12655
 * no more early application data.
12656
 * The decryption key now changes to the pre-calculated handshake key.
12657
 *
12658
 * ssl  The SSL/TLS object.
12659
 * returns 0 on success and otherwise failure.
12660
 */
12661
static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input,
12662
                                 word32* inOutIdx, word32 size)
12663
{
12664
    int    ret;
12665
    word32 begin = *inOutIdx;
12666
12667
    (void)input;
12668
12669
    WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_DO);
12670
    WOLFSSL_ENTER("DoTls13EndOfEarlyData");
12671
12672
    if ((*inOutIdx - begin) != size)
12673
        return BUFFER_ERROR;
12674
12675
    if (ssl->earlyData == no_early_data) {
12676
        WOLFSSL_MSG("EndOfEarlyData received unexpectedly");
12677
        SendAlert(ssl, alert_fatal, unexpected_message);
12678
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
12679
        return OUT_OF_ORDER_E;
12680
    }
12681
12682
    ssl->earlyData = done_early_data;
12683
12684
    ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
12685
12686
    WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret);
12687
    WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_DO);
12688
12689
    return ret;
12690
}
12691
#endif /* !NO_WOLFSSL_SERVER */
12692
#endif /* WOLFSSL_EARLY_DATA */
12693
12694
#if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_NONCE_MALLOC) &&    \
12695
    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
12696
int SessionTicketNoncePopulate(WOLFSSL_SESSION *session, const byte *nonce,
12697
    byte len)
12698
{
12699
    if (session->ticketNonce.data
12700
            != session->ticketNonce.dataStatic) {
12701
         XFREE(session->ticketNonce.data, session->heap,
12702
             DYNAMIC_TYPE_SESSION_TICK);
12703
         session->ticketNonce.data = session->ticketNonce.dataStatic;
12704
         session->ticketNonce.len = 0;
12705
    }
12706
12707
    if (len > MAX_TICKET_NONCE_STATIC_SZ) {
12708
        WOLFSSL_MSG("Using dynamic nonce buffer");
12709
        session->ticketNonce.data = (byte*)XMALLOC(len,
12710
            session->heap, DYNAMIC_TYPE_SESSION_TICK);
12711
        if (session->ticketNonce.data == NULL)
12712
            return MEMORY_ERROR;
12713
    }
12714
    XMEMCPY(session->ticketNonce.data, nonce, len);
12715
    session->ticketNonce.len = len;
12716
    return 0;
12717
}
12718
#endif
12719
#ifndef NO_WOLFSSL_CLIENT
12720
/* Handle a New Session Ticket handshake message.
12721
 * Message contains the information required to perform resumption.
12722
 *
12723
 * ssl       The SSL/TLS object.
12724
 * input     The message buffer.
12725
 * inOutIdx  On entry, the index into the message buffer of Finished.
12726
 *           On exit, the index of byte after the Finished message and padding.
12727
 * size      The length of the current handshake message.
12728
 * returns 0 on success, otherwise failure.
12729
 */
12730
static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
12731
                                   word32* inOutIdx, word32 size)
12732
0
{
12733
#ifdef HAVE_SESSION_TICKET
12734
    int    ret;
12735
    word32 begin = *inOutIdx;
12736
    word32 lifetime;
12737
    word32 ageAdd;
12738
    word16 length;
12739
#ifdef WOLFSSL_32BIT_MILLI_TIME
12740
    word32 now;
12741
#else
12742
    sword64 now;
12743
#endif
12744
    const byte* nonce;
12745
    byte        nonceLength;
12746
12747
    WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO);
12748
    WOLFSSL_ENTER("DoTls13NewSessionTicket");
12749
12750
#ifdef HAVE_ECH
12751
    /* ignore session ticket when ECH is rejected */
12752
    if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
12753
            !ssl->options.echAccepted) {
12754
        *inOutIdx += size + ssl->keys.padSz;
12755
        return 0;
12756
    }
12757
#endif
12758
12759
    /* Lifetime hint. */
12760
    if ((*inOutIdx - begin) + SESSION_HINT_SZ > size)
12761
        return BUFFER_ERROR;
12762
    ato32(input + *inOutIdx, &lifetime);
12763
    *inOutIdx += SESSION_HINT_SZ;
12764
    if (lifetime > MAX_LIFETIME) {
12765
        WOLFSSL_ERROR_VERBOSE(SERVER_HINT_ERROR);
12766
        return SERVER_HINT_ERROR;
12767
    }
12768
12769
    /* Age add. */
12770
    if ((*inOutIdx - begin) + SESSION_ADD_SZ > size)
12771
        return BUFFER_ERROR;
12772
    ato32(input + *inOutIdx, &ageAdd);
12773
    *inOutIdx += SESSION_ADD_SZ;
12774
12775
    /* Ticket nonce. */
12776
    if ((*inOutIdx - begin) + 1 > size)
12777
        return BUFFER_ERROR;
12778
    nonceLength = input[*inOutIdx];
12779
#if !defined(WOLFSSL_TICKET_NONCE_MALLOC) &&                                   \
12780
    (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,3))
12781
    if (nonceLength > MAX_TICKET_NONCE_STATIC_SZ) {
12782
        WOLFSSL_MSG("Nonce length not supported");
12783
        WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
12784
        return INVALID_PARAMETER;
12785
    }
12786
#endif /* WOLFSSL_TICKET_NONCE_MALLOC && FIPS_VERSION_GE(5,3) */
12787
    *inOutIdx += 1;
12788
    if ((*inOutIdx - begin) + nonceLength > size)
12789
        return BUFFER_ERROR;
12790
    nonce = input + *inOutIdx;
12791
    *inOutIdx += nonceLength;
12792
12793
    /* Ticket length. */
12794
    if ((*inOutIdx - begin) + LENGTH_SZ > size)
12795
        return BUFFER_ERROR;
12796
    ato16(input + *inOutIdx, &length);
12797
    *inOutIdx += LENGTH_SZ;
12798
    if ((*inOutIdx - begin) + length > size)
12799
        return BUFFER_ERROR;
12800
12801
    if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0)
12802
        return ret;
12803
    *inOutIdx += length;
12804
12805
    now = TimeNowInMilliseconds();
12806
    if (now == 0)
12807
        return GETTIME_ERROR;
12808
    /* Copy in ticket data (server identity). */
12809
    ssl->timeout                  = lifetime;
12810
    ssl->session->timeout         = lifetime;
12811
    ssl->session->cipherSuite0    = ssl->options.cipherSuite0;
12812
    ssl->session->cipherSuite     = ssl->options.cipherSuite;
12813
    ssl->session->ticketSeen      = now;
12814
    ssl->session->ticketAdd       = ageAdd;
12815
    #ifdef WOLFSSL_EARLY_DATA
12816
    ssl->session->maxEarlyDataSz  = ssl->options.maxEarlyDataSz;
12817
    #endif
12818
12819
#if defined(WOLFSSL_TICKET_NONCE_MALLOC) &&                                    \
12820
    (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3)))
12821
    ret = SessionTicketNoncePopulate(ssl->session, nonce, nonceLength);
12822
    if (ret != 0)
12823
        return ret;
12824
#else
12825
    ssl->session->ticketNonce.len = nonceLength;
12826
    if (nonceLength > MAX_TICKET_NONCE_STATIC_SZ) {
12827
        ret = BUFFER_ERROR;
12828
        return ret;
12829
    }
12830
    if (nonceLength > 0)
12831
        XMEMCPY(ssl->session->ticketNonce.data, nonce, nonceLength);
12832
#endif /* defined(WOLFSSL_TICKET_NONCE_MALLOC) && FIPS_VERSION_GE(5,3) */
12833
12834
    ssl->session->namedGroup      = ssl->namedGroup;
12835
12836
    if ((*inOutIdx - begin) + EXTS_SZ > size)
12837
        return BUFFER_ERROR;
12838
    ato16(input + *inOutIdx, &length);
12839
    *inOutIdx += EXTS_SZ;
12840
    if ((*inOutIdx - begin) + length != size)
12841
        return BUFFER_ERROR;
12842
    #ifdef WOLFSSL_EARLY_DATA
12843
    ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), length, session_ticket,
12844
                     NULL);
12845
    if (ret != 0)
12846
        return ret;
12847
    #endif
12848
    *inOutIdx += length;
12849
12850
    SetupSession(ssl);
12851
    #ifndef NO_SESSION_CACHE
12852
        AddSession(ssl);
12853
    #endif
12854
12855
    ssl->expect_session_ticket = 0;
12856
#else
12857
0
    (void)ssl;
12858
0
    (void)input;
12859
12860
0
    WOLFSSL_ENTER("DoTls13NewSessionTicket");
12861
12862
0
    *inOutIdx += size;
12863
0
#endif /* HAVE_SESSION_TICKET */
12864
12865
0
    WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0);
12866
0
    WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_DO);
12867
12868
0
    return 0;
12869
0
}
12870
#endif /* NO_WOLFSSL_CLIENT */
12871
12872
#ifndef NO_WOLFSSL_SERVER
12873
    #ifdef HAVE_SESSION_TICKET
12874
12875
#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
12876
/* Offset of the MAC size in the finished message. */
12877
#define FINISHED_MSG_SIZE_OFFSET    3
12878
12879
/* Calculate the resumption secret which includes the unseen client finished
12880
 * message.
12881
 *
12882
 * ssl  The SSL/TLS object.
12883
 * returns 0 on success, otherwise failure.
12884
 */
12885
static int ExpectedResumptionSecret(WOLFSSL* ssl)
12886
{
12887
    int         ret;
12888
    word32      finishedSz = 0;
12889
    byte        mac[WC_MAX_DIGEST_SIZE];
12890
    Digest      digest;
12891
    byte header[] = { 0x14, 0x00, 0x00, 0x00 };
12892
12893
    XMEMSET(&digest, 0, sizeof(Digest));
12894
12895
    /* Copy the running hash so we can restore it after. */
12896
    switch (ssl->specs.mac_algorithm) {
12897
    #ifndef NO_SHA256
12898
        case sha256_mac:
12899
            ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256);
12900
            if (ret != 0)
12901
                return ret;
12902
            break;
12903
    #endif
12904
    #ifdef WOLFSSL_SHA384
12905
        case sha384_mac:
12906
            ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384);
12907
            if (ret != 0)
12908
                return ret;
12909
            break;
12910
    #endif
12911
    #ifdef WOLFSSL_TLS13_SHA512
12912
        case sha512_mac:
12913
            ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512);
12914
            if (ret != 0)
12915
                return ret;
12916
            break;
12917
    #endif
12918
    #ifdef WOLFSSL_SM3
12919
        case sm3_mac:
12920
            ret = wc_Sm3Copy(&ssl->hsHashes->hashSm3, &digest.sm3);
12921
            if (ret != 0)
12922
                return ret;
12923
            break;
12924
    #endif
12925
    }
12926
12927
    /* Generate the Client's Finished message and hash it. */
12928
    ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac,
12929
                                  &finishedSz);
12930
    if (ret != 0)
12931
        goto restore;
12932
    header[FINISHED_MSG_SIZE_OFFSET] = finishedSz;
12933
#ifdef WOLFSSL_EARLY_DATA
12934
    if (ssl->earlyData != no_early_data) {
12935
        static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 };
12936
        ret = HashRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData));
12937
        if (ret != 0)
12938
            goto restore;
12939
    }
12940
#endif
12941
    if ((ret = HashRaw(ssl, header, sizeof(header))) != 0)
12942
        goto restore;
12943
    if ((ret = HashRaw(ssl, mac, finishedSz)) != 0)
12944
        goto restore;
12945
12946
    if ((ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret)) != 0)
12947
        goto restore;
12948
12949
    /* Restore the hash inline with currently seen messages. */
12950
restore:
12951
    switch (ssl->specs.mac_algorithm) {
12952
    #ifndef NO_SHA256
12953
        case sha256_mac:
12954
            wc_Sha256Free(&ssl->hsHashes->hashSha256);
12955
            ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256);
12956
            wc_Sha256Free(&digest.sha256);
12957
            break;
12958
    #endif
12959
    #ifdef WOLFSSL_SHA384
12960
        case sha384_mac:
12961
            wc_Sha384Free(&ssl->hsHashes->hashSha384);
12962
            ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384);
12963
            wc_Sha384Free(&digest.sha384);
12964
            break;
12965
    #endif
12966
    #ifdef WOLFSSL_TLS13_SHA512
12967
        case sha512_mac:
12968
            wc_Sha512Free(&ssl->hsHashes->hashSha512);
12969
            ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha512);
12970
            wc_Sha512Free(&digest.sha512);
12971
            break;
12972
    #endif
12973
    #ifdef WOLFSSL_SM3
12974
        case sm3_mac:
12975
            wc_Sm3Free(&ssl->hsHashes->hashSm3);
12976
            ret = wc_Sm3Copy(&digest.sm3, &ssl->hsHashes->hashSm3);
12977
            wc_Sm3Free(&digest.sm3);
12978
            break;
12979
    #endif
12980
    }
12981
12982
    ForceZero(mac, sizeof(mac));
12983
    return ret;
12984
}
12985
#endif
12986
12987
/* Send New Session Ticket handshake message.
12988
 * Message contains the information required to perform resumption.
12989
 *
12990
 * ssl  The SSL/TLS object.
12991
 * returns 0 on success, otherwise failure.
12992
 */
12993
static int SendTls13NewSessionTicket(WOLFSSL* ssl)
12994
{
12995
    byte*  output;
12996
    int    ret;
12997
    word32 length;
12998
    int    sendSz;
12999
    word16 extSz;
13000
    word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
13001
13002
    WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_SEND);
13003
    WOLFSSL_ENTER("SendTls13NewSessionTicket");
13004
13005
    if (DefTicketHintTooLarge(ssl)) {
13006
        WOLFSSL_MSG("Ticket hint exceeds half the ticket key lifetime; "
13007
                    "skipping ticket");
13008
        return 0;
13009
    }
13010
13011
#ifdef WOLFSSL_DTLS13
13012
    if (ssl->options.dtls)
13013
        idx = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ;
13014
#endif /* WOLFSSL_DTLS13 */
13015
13016
#ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
13017
    if (!ssl->msgsReceived.got_finished) {
13018
        if ((ret = ExpectedResumptionSecret(ssl)) != 0)
13019
            return ret;
13020
    }
13021
#endif
13022
13023
    /* Start ticket nonce at 0 and go up to 255. */
13024
    if (ssl->session->ticketNonce.len == 0) {
13025
        ssl->session->ticketNonce.len = DEF_TICKET_NONCE_SZ;
13026
        ssl->session->ticketNonce.data[0] = 0;
13027
    }
13028
    else
13029
    #ifdef WOLFSSL_ASYNC_CRYPT
13030
        if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E))
13031
    #endif
13032
    {
13033
        if (ssl->session->ticketNonce.data[0] == 255) {
13034
            /* RFC8446 Section 4.6.1: Each ticket must have a unique nonce
13035
             * value. As the nonce is only a single byte, we have to prevent
13036
             * the overflow and abort. */
13037
            return SESSION_TICKET_NONCE_OVERFLOW;
13038
        }
13039
        else
13040
            ssl->session->ticketNonce.data[0]++;
13041
    }
13042
13043
    if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) {
13044
        /* In this case we only send the ID as the ticket. Let's generate a new
13045
         * ID for the new ticket so that we don't overwrite any old ones */
13046
        ret = wc_RNG_GenerateBlock(ssl->rng, ssl->session->altSessionID,
13047
                                   ID_LEN);
13048
        if (ret != 0)
13049
            return ret;
13050
        ssl->session->haveAltSessionID = 1;
13051
    }
13052
13053
    if (!ssl->options.noTicketTls13) {
13054
        if ((ret = SetupTicket(ssl)) != 0)
13055
            return ret;
13056
        /* No need to create the ticket if we only send the ID */
13057
        if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) == 0) {
13058
            if ((ret = CreateTicket(ssl)) != 0)
13059
                return ret;
13060
        }
13061
    }
13062
13063
#ifdef WOLFSSL_EARLY_DATA
13064
    ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz;
13065
    if (ssl->session->maxEarlyDataSz > 0)
13066
        TLSX_EarlyData_Use(ssl, ssl->session->maxEarlyDataSz, 1);
13067
    extSz = 0;
13068
    ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz);
13069
    if (ret != 0)
13070
        return ret;
13071
#else
13072
    extSz = EXTS_SZ;
13073
#endif
13074
    /* Lifetime | Age Add | Ticket session ID | Extensions */
13075
    length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ;
13076
    if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0)
13077
        length += ID_LEN + extSz;
13078
    else
13079
        length += ssl->session->ticketLen + extSz;
13080
    /* Nonce */
13081
    length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ;
13082
13083
    sendSz = (int)(idx + length + MAX_MSG_EXTRA);
13084
13085
    /* Check buffers are big enough and grow if needed. */
13086
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
13087
        return ret;
13088
13089
    /* Get position in output buffer to write new message to. */
13090
    output = GetOutputBuffer(ssl);
13091
13092
    /* Put the record and handshake headers on. */
13093
    AddTls13Headers(output, length, session_ticket, ssl);
13094
13095
    /* Lifetime hint */
13096
    c32toa(ssl->ctx->ticketHint, output + idx);
13097
    idx += SESSION_HINT_SZ;
13098
    /* Age add - obfuscator */
13099
    c32toa(ssl->session->ticketAdd, output + idx);
13100
    idx += SESSION_ADD_SZ;
13101
13102
    output[idx++] = ssl->session->ticketNonce.len;
13103
    output[idx++] = ssl->session->ticketNonce.data[0];
13104
13105
    /* length */
13106
    if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) {
13107
        c16toa(ID_LEN, output + idx);
13108
    }
13109
    else {
13110
        c16toa(ssl->session->ticketLen, output + idx);
13111
    }
13112
13113
    idx += LENGTH_SZ;
13114
    /* ticket */
13115
    if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) {
13116
        if (ssl->session->haveAltSessionID)
13117
            XMEMCPY(output + idx, ssl->session->altSessionID, ID_LEN);
13118
        else
13119
            return BAD_FUNC_ARG; /* Should not happen */
13120
        idx += ID_LEN;
13121
    }
13122
    else {
13123
        XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen);
13124
        idx += ssl->session->ticketLen;
13125
    }
13126
13127
#ifdef WOLFSSL_EARLY_DATA
13128
    extSz = 0;
13129
    ret = TLSX_WriteResponse(ssl, output + idx, session_ticket, &extSz);
13130
    if (ret != 0)
13131
        return ret;
13132
    idx += extSz;
13133
#else
13134
    /* No extension support - empty extensions. */
13135
    c16toa(0, output + idx);
13136
    idx += EXTS_SZ;
13137
#endif
13138
13139
    if (idx > WOLFSSL_MAX_16BIT ||
13140
        sendSz > (int)WOLFSSL_MAX_16BIT) {
13141
        return BAD_LENGTH_E;
13142
    }
13143
13144
    ssl->options.haveSessionId = 1;
13145
13146
    SetupSession(ssl);
13147
    /* Only add to cache when support built in and when the ticket contains
13148
     * an ID. Otherwise we have no way to actually retrieve the ticket from the
13149
     * cache. */
13150
#if !defined(NO_SESSION_CACHE) && defined(WOLFSSL_TICKET_HAVE_ID)
13151
    AddSession(ssl);
13152
#endif
13153
13154
#ifdef WOLFSSL_DTLS13
13155
    if (ssl->options.dtls)
13156
        return Dtls13HandshakeSend(ssl, output, (word16)sendSz,
13157
                                   (word16)idx, session_ticket, 0);
13158
#endif /* WOLFSSL_DTLS13 */
13159
13160
    /* This message is always encrypted. */
13161
    sendSz = BuildTls13Message(ssl, output, sendSz,
13162
                               output + RECORD_HEADER_SZ,
13163
                               (word16)idx - RECORD_HEADER_SZ,
13164
                               handshake, 0, 0, 0);
13165
    if (sendSz < 0)
13166
        return sendSz;
13167
13168
    ssl->buffers.outputBuffer.length += sendSz;
13169
13170
    /* Always send as this is either directly after server's Finished or only
13171
     * message after client's Finished.
13172
     */
13173
    ret = SendBuffered(ssl);
13174
13175
    WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0);
13176
    WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_SEND);
13177
13178
    return ret;
13179
}
13180
    #endif /* HAVE_SESSION_TICKET */
13181
#endif /* NO_WOLFSSL_SERVER */
13182
13183
/* Make sure no duplicates, no fast forward, or other problems
13184
 *
13185
 * ssl   The SSL/TLS object.
13186
 * type  Type of handshake message received.
13187
 * returns 0 on success, otherwise failure.
13188
 */
13189
static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
13190
0
{
13191
    /* verify not a duplicate, mark received, check state */
13192
0
    switch (type) {
13193
13194
0
#ifndef NO_WOLFSSL_SERVER
13195
0
        case client_hello:
13196
0
        #ifndef NO_WOLFSSL_CLIENT
13197
            /* Only valid when received on SERVER side. */
13198
0
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
13199
0
                WOLFSSL_MSG("ClientHello received by client");
13200
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
13201
0
                return SIDE_ERROR;
13202
0
            }
13203
0
        #endif
13204
            /* Check state. */
13205
0
            if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE) {
13206
0
                WOLFSSL_MSG("ClientHello received out of order");
13207
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13208
0
                return OUT_OF_ORDER_E;
13209
0
            }
13210
            /* Check previously seen. */
13211
            /* Initial and after HelloRetryRequest - no more than 2. */
13212
0
            if (ssl->msgsReceived.got_client_hello == 2) {
13213
0
                WOLFSSL_MSG("Too many ClientHello received");
13214
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13215
0
                return DUPLICATE_MSG_E;
13216
0
            }
13217
            /* Second only after HelloRetryRequest seen. */
13218
0
            if (ssl->msgsReceived.got_client_hello == 1 &&
13219
0
                ssl->options.serverState !=
13220
0
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
13221
0
                WOLFSSL_MSG("Duplicate ClientHello received");
13222
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13223
0
                return DUPLICATE_MSG_E;
13224
0
            }
13225
0
            ssl->msgsReceived.got_client_hello++;
13226
13227
0
            break;
13228
0
#endif
13229
13230
0
#ifndef NO_WOLFSSL_CLIENT
13231
0
        case server_hello:
13232
0
        #ifndef NO_WOLFSSL_SERVER
13233
            /* Only valid when received on CLIENT side. */
13234
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
13235
0
                WOLFSSL_MSG("ServerHello received by server");
13236
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
13237
0
                return SIDE_ERROR;
13238
0
            }
13239
0
        #endif
13240
            /* Check state. */
13241
0
            if (ssl->options.serverState >= SERVER_HELLO_COMPLETE) {
13242
0
                WOLFSSL_MSG("ServerHello received out of order");
13243
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13244
0
                return OUT_OF_ORDER_E;
13245
0
            }
13246
            /* Check previously seen. */
13247
            /* Only once after ClientHello.
13248
             * HelloRetryRequest has ServerHello type but count fixed up later
13249
             * - see DoTls13ServerHello().
13250
             */
13251
0
            if (ssl->msgsReceived.got_server_hello) {
13252
0
                WOLFSSL_MSG("Duplicate ServerHello received");
13253
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13254
0
                return DUPLICATE_MSG_E;
13255
0
            }
13256
0
            ssl->msgsReceived.got_server_hello = 1;
13257
13258
0
            break;
13259
0
#endif
13260
13261
0
#ifndef NO_WOLFSSL_CLIENT
13262
0
        case session_ticket:
13263
0
        #ifndef NO_WOLFSSL_SERVER
13264
            /* Only valid when received on CLIENT side. */
13265
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
13266
0
                WOLFSSL_MSG("NewSessionTicket received by server");
13267
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
13268
0
                return SIDE_ERROR;
13269
0
            }
13270
0
        #endif
13271
            /* Check state. */
13272
        #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
13273
            /* Only allowed after server's Finished message. */
13274
            if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
13275
                WOLFSSL_MSG("NewSessionTicket received out of order");
13276
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13277
                return OUT_OF_ORDER_E;
13278
            }
13279
        #else
13280
            /* Only allowed after client's Finished message. */
13281
0
            if (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {
13282
0
                WOLFSSL_MSG("NewSessionTicket received out of order");
13283
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13284
0
                return OUT_OF_ORDER_E;
13285
0
            }
13286
0
        #endif
13287
            /* Many SessionTickets can be sent. */
13288
0
            ssl->msgsReceived.got_session_ticket = 1;
13289
13290
0
            break;
13291
0
#endif
13292
13293
0
#ifndef NO_WOLFSSL_SERVER
13294
    #ifdef WOLFSSL_EARLY_DATA
13295
        case end_of_early_data:
13296
        #ifndef NO_WOLFSSL_CLIENT
13297
            /* Only valid when received on SERVER side. */
13298
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
13299
                WOLFSSL_MSG("EndOfEarlyData received by client");
13300
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
13301
                return SIDE_ERROR;
13302
            }
13303
        #endif
13304
            /* Check state. */
13305
            /* Only after server's Finished and before client's Finished. */
13306
            if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
13307
                WOLFSSL_MSG("EndOfEarlyData received out of order");
13308
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13309
                return OUT_OF_ORDER_E;
13310
            }
13311
            if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE) {
13312
                WOLFSSL_MSG("EndOfEarlyData received out of order");
13313
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13314
                return OUT_OF_ORDER_E;
13315
            }
13316
            /* Check previously seen. */
13317
            if (ssl->msgsReceived.got_end_of_early_data) {
13318
                WOLFSSL_MSG("Too many EndOfEarlyData received");
13319
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13320
                return DUPLICATE_MSG_E;
13321
            }
13322
            ssl->msgsReceived.got_end_of_early_data = 1;
13323
13324
            break;
13325
    #endif
13326
0
#endif
13327
13328
0
#ifndef NO_WOLFSSL_CLIENT
13329
0
        case encrypted_extensions:
13330
0
        #ifndef NO_WOLFSSL_SERVER
13331
            /* Only valid when received on CLIENT side. */
13332
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
13333
0
                WOLFSSL_MSG("EncryptedExtensions received by server");
13334
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
13335
0
                return SIDE_ERROR;
13336
0
            }
13337
0
        #endif
13338
            /* Check state. */
13339
            /* Must be received directly after ServerHello.
13340
             * DoTls13EncryptedExtensions() changes state to:
13341
             *   SERVER_ENCRYPTED_EXTENSIONS_COMPLETE.
13342
             */
13343
0
            if (ssl->options.serverState != SERVER_HELLO_COMPLETE) {
13344
0
                WOLFSSL_MSG("EncryptedExtensions received out of order");
13345
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13346
0
                return OUT_OF_ORDER_E;
13347
0
            }
13348
            /* Check previously seen. */
13349
0
            if (ssl->msgsReceived.got_encrypted_extensions) {
13350
0
                WOLFSSL_MSG("Duplicate EncryptedExtensions received");
13351
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13352
0
                return DUPLICATE_MSG_E;
13353
0
            }
13354
0
            ssl->msgsReceived.got_encrypted_extensions = 1;
13355
13356
0
            break;
13357
0
#endif
13358
13359
0
        case certificate:
13360
            /* Valid on both sides. */
13361
0
    #ifndef NO_WOLFSSL_CLIENT
13362
            /* Check state. */
13363
            /* On client, seen after EncryptedExtension and CertificateRequest
13364
             * (if sent) and before CertificateVerify and Finished.
13365
             * DoTls13Certificate() sets serverState to SERVER_CERT_COMPLETE.
13366
             */
13367
0
            if (ssl->options.side == WOLFSSL_CLIENT_END &&
13368
0
                ssl->options.serverState !=
13369
0
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
13370
0
                WOLFSSL_MSG("Certificate received out of order - Client");
13371
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13372
0
                return OUT_OF_ORDER_E;
13373
0
            }
13374
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
13375
            /* Server's authenticating with PSK must not send this. */
13376
            if (ssl->options.side == WOLFSSL_CLIENT_END &&
13377
                             ssl->options.serverState == SERVER_CERT_COMPLETE &&
13378
                             ssl->options.pskNegotiated
13379
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
13380
                             && !ssl->options.certWithExternPsk
13381
#endif
13382
               ) {
13383
                WOLFSSL_MSG("Certificate received while using PSK");
13384
                WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13385
                return SANITY_MSG_E;
13386
            }
13387
        #endif
13388
0
    #endif
13389
0
    #ifndef NO_WOLFSSL_SERVER
13390
            /* Check state. */
13391
            /* On Server, valid after ClientHello received and ServerFinished
13392
             * sent. */
13393
0
            if (ssl->options.side == WOLFSSL_SERVER_END &&
13394
0
                ssl->options.clientState != CLIENT_HELLO_COMPLETE &&
13395
0
                ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
13396
0
                WOLFSSL_MSG("Certificate received out of order - Server");
13397
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13398
0
                return OUT_OF_ORDER_E;
13399
0
            }
13400
0
    #endif
13401
            /* Check previously seen. */
13402
0
            if (ssl->msgsReceived.got_certificate) {
13403
0
                WOLFSSL_MSG("Duplicate Certificate received");
13404
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13405
0
                return DUPLICATE_MSG_E;
13406
0
            }
13407
0
            ssl->msgsReceived.got_certificate = 1;
13408
13409
0
            break;
13410
13411
0
#ifndef NO_WOLFSSL_CLIENT
13412
0
        case certificate_request:
13413
0
        #ifndef NO_WOLFSSL_SERVER
13414
            /* Only valid when received on CLIENT side. */
13415
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
13416
0
                WOLFSSL_MSG("CertificateRequest received by server");
13417
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
13418
0
                return SIDE_ERROR;
13419
0
            }
13420
0
        #endif
13421
            /* Check state. */
13422
0
        #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
13423
            /* Only valid when sent after EncryptedExtensions and before
13424
             * Certificate. */
13425
0
            if (ssl->options.serverState !=
13426
0
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
13427
0
                WOLFSSL_MSG("CertificateRequest received out of order");
13428
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13429
0
                return OUT_OF_ORDER_E;
13430
0
            }
13431
        #else
13432
            /* Valid when sent after EncryptedExtensions and before Certificate
13433
             * and after both client and server have sent Finished (Post
13434
             * Handshake Authentication). */
13435
            if (ssl->options.serverState !=
13436
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE &&
13437
                       (ssl->options.serverState < SERVER_FINISHED_COMPLETE ||
13438
                        ssl->options.clientState != CLIENT_FINISHED_COMPLETE)) {
13439
                WOLFSSL_MSG("CertificateRequest received out of order");
13440
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13441
                return OUT_OF_ORDER_E;
13442
            }
13443
            /* RFC 8446 4.6.2: A client that receives a post-handshake
13444
             * CertificateRequest message without having sent the
13445
             * "post_handshake_auth" extension MUST send an
13446
             * "unexpected_message" fatal alert. wolfSSL_allow_post_handshake_auth()
13447
             * must be called before wolfSSL_connect() so postHandshakeAuth
13448
             * reflects whether the extension was offered. */
13449
            if (ssl->options.serverState >= SERVER_FINISHED_COMPLETE &&
13450
                ssl->options.clientState == CLIENT_FINISHED_COMPLETE &&
13451
                !ssl->options.postHandshakeAuth) {
13452
                WOLFSSL_MSG("Post-handshake CertificateRequest received "
13453
                            "without having sent post_handshake_auth "
13454
                            "extension");
13455
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13456
                return OUT_OF_ORDER_E;
13457
            }
13458
        #endif
13459
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
13460
            /* Server's authenticating with PSK must not send this. */
13461
            if (ssl->options.pskNegotiated
13462
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
13463
                && !ssl->options.certWithExternPsk
13464
#endif
13465
               ) {
13466
                WOLFSSL_MSG("CertificateRequest received while using PSK");
13467
                WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13468
                return SANITY_MSG_E;
13469
            }
13470
        #endif
13471
            /* Check previously seen. */
13472
0
        #ifndef WOLFSSL_POST_HANDSHAKE_AUTH
13473
            /* Only once during handshake. */
13474
0
            if (ssl->msgsReceived.got_certificate_request) {
13475
0
                WOLFSSL_MSG("Duplicate CertificateRequest received");
13476
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13477
0
                return DUPLICATE_MSG_E;
13478
0
            }
13479
        #else
13480
            /* Only once during handshake. */
13481
            if (ssl->msgsReceived.got_certificate_request &&
13482
                ssl->options.clientState != CLIENT_FINISHED_COMPLETE) {
13483
                WOLFSSL_MSG("Duplicate CertificateRequest received");
13484
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13485
                return DUPLICATE_MSG_E;
13486
            }
13487
        #endif
13488
0
            ssl->msgsReceived.got_certificate_request = 1;
13489
13490
0
            break;
13491
0
#endif
13492
13493
0
        case certificate_verify:
13494
            /* Valid on both sides. */
13495
0
    #ifndef NO_WOLFSSL_CLIENT
13496
            /* Check state on client.
13497
             * Valid only directly after a Certificate message. */
13498
0
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
13499
0
                if (ssl->options.serverState != SERVER_CERT_COMPLETE) {
13500
0
                    WOLFSSL_MSG("No Cert before CertVerify");
13501
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13502
0
                    return OUT_OF_ORDER_E;
13503
0
                }
13504
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
13505
                /* Server's authenticating with PSK must not send this. */
13506
                if (ssl->options.pskNegotiated
13507
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
13508
                    && !ssl->options.certWithExternPsk
13509
#endif
13510
                   ) {
13511
                    WOLFSSL_MSG("CertificateVerify received while using PSK");
13512
                    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13513
                    return SANITY_MSG_E;
13514
                }
13515
            #endif
13516
0
            }
13517
0
    #endif
13518
0
    #ifndef NO_WOLFSSL_SERVER
13519
            /* Check state on server. */
13520
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
13521
                /* Server must have sent Finished message. */
13522
0
                if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
13523
0
                    WOLFSSL_MSG("CertificateVerify received out of order");
13524
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13525
0
                    return OUT_OF_ORDER_E;
13526
0
                }
13527
                /* Valid only directly after a Certificate message. */
13528
0
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
13529
0
                    WOLFSSL_MSG("CertificateVerify before ClientHello done");
13530
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13531
0
                    return OUT_OF_ORDER_E;
13532
0
                }
13533
0
                if (!ssl->msgsReceived.got_certificate) {
13534
0
                    WOLFSSL_MSG("No Cert before CertificateVerify");
13535
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13536
0
                    return OUT_OF_ORDER_E;
13537
0
                }
13538
0
            }
13539
0
    #endif
13540
            /* Check previously seen. */
13541
0
            if (ssl->msgsReceived.got_certificate_verify) {
13542
0
                WOLFSSL_MSG("Duplicate CertificateVerify received");
13543
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13544
0
                return DUPLICATE_MSG_E;
13545
0
            }
13546
0
            ssl->msgsReceived.got_certificate_verify = 1;
13547
13548
0
            break;
13549
13550
0
        case finished:
13551
            /* Valid on both sides. */
13552
0
        #ifndef NO_WOLFSSL_CLIENT
13553
            /* Check state on client. */
13554
0
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
13555
                /* After sending ClientHello */
13556
0
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
13557
0
                    WOLFSSL_MSG("Finished received out of order - clientState");
13558
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13559
0
                    return OUT_OF_ORDER_E;
13560
0
                }
13561
                /* Must have seen certificate and verify from server except when
13562
                 * using PSK. */
13563
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
13564
                if (ssl->options.pskNegotiated) {
13565
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
13566
                    if (ssl->options.certWithExternPsk) {
13567
                        if (ssl->options.serverState !=
13568
                                                SERVER_CERT_VERIFY_COMPLETE) {
13569
                            WOLFSSL_MSG("Finished received out of order - "
13570
                                        "cert_with_extern_psk");
13571
                            WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13572
                            return OUT_OF_ORDER_E;
13573
                        }
13574
                    }
13575
                    else
13576
#endif
13577
                    {
13578
                        if (ssl->options.serverState !=
13579
                                         SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) {
13580
                            WOLFSSL_MSG("Finished received out of order - PSK");
13581
                            WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13582
                            return OUT_OF_ORDER_E;
13583
                        }
13584
                    }
13585
                }
13586
                else
13587
            #endif
13588
0
                if (ssl->options.serverState != SERVER_CERT_VERIFY_COMPLETE) {
13589
0
                    WOLFSSL_MSG("Finished received out of order - serverState");
13590
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13591
0
                    return OUT_OF_ORDER_E;
13592
0
                }
13593
0
            }
13594
0
        #endif
13595
0
        #ifndef NO_WOLFSSL_SERVER
13596
            /* Check state on server. */
13597
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
13598
0
                if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
13599
0
                    WOLFSSL_MSG("Finished received out of order - serverState");
13600
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13601
0
                    return OUT_OF_ORDER_E;
13602
0
                }
13603
0
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
13604
0
                    WOLFSSL_MSG("Finished received out of order - clientState");
13605
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13606
0
                    return OUT_OF_ORDER_E;
13607
0
                }
13608
            #ifdef WOLFSSL_EARLY_DATA
13609
                if (ssl->earlyData == process_early_data &&
13610
                    /* early data may be lost when using DTLS */
13611
                    !ssl->options.dtls
13612
                    /* QUIC does not use EndOfEarlyData records */
13613
                    && !WOLFSSL_IS_QUIC(ssl)) {
13614
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13615
                    return OUT_OF_ORDER_E;
13616
                }
13617
            #endif
13618
0
            }
13619
0
        #endif
13620
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
13621
            if (!ssl->options.pskNegotiated
13622
#ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
13623
                || ssl->options.certWithExternPsk
13624
#endif
13625
            )
13626
        #endif
13627
0
            {
13628
                /* Must have received a Certificate message from client if
13629
                 * verifying the peer. Empty certificate message indicates
13630
                 * no certificate available.
13631
                 */
13632
0
                if (ssl->options.verifyPeer &&
13633
                #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
13634
                    /* The post-handshake-auth exemption is only valid during
13635
                     * the initial handshake. On the server, once a
13636
                     * post-handshake CertificateRequest is outstanding
13637
                     * (certReqCtx != NULL), a Certificate is required again.
13638
                     * Scoped to the server: certReqCtx means something
13639
                     * different on the client (a received request) and the
13640
                     * client does not process an inbound Finished in that
13641
                     * state. Whether an empty Certificate is then accepted
13642
                     * follows the verify mode (FAIL_IF_NO_PEER_CERT), exactly
13643
                     * as for first-handshake client authentication. */
13644
                    (!ssl->options.verifyPostHandshake ||
13645
                     (ssl->options.side == WOLFSSL_SERVER_END &&
13646
                      ssl->certReqCtx != NULL)) &&
13647
                #endif
13648
0
                                           !ssl->msgsReceived.got_certificate) {
13649
0
                    WOLFSSL_MSG("Finished received out of order - "
13650
0
                                "missing Certificate message");
13651
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13652
0
                    return OUT_OF_ORDER_E;
13653
0
                }
13654
                /* Mutual authentication on server requires a certificate from
13655
                 * peer. Verify peer set on client side requires a certificate
13656
                 * from peer as not doing PSK.
13657
                 */
13658
0
                if ((ssl->options.mutualAuth ||
13659
0
                    (ssl->options.side == WOLFSSL_CLIENT_END &&
13660
0
                     ssl->options.verifyPeer)) && !ssl->options.havePeerCert) {
13661
0
                    WOLFSSL_MSG("Finished received out of order - "
13662
0
                                "no valid certificate");
13663
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13664
0
                    return OUT_OF_ORDER_E;
13665
0
                }
13666
                /* Must have received a valid CertificateVerify if verifying
13667
                 * peer and got a peer certificate.
13668
                 */
13669
0
                if ((ssl->options.mutualAuth || ssl->options.verifyPeer) &&
13670
0
                    ssl->options.havePeerCert && !ssl->options.havePeerVerify) {
13671
0
                    WOLFSSL_MSG("Finished received out of order - "
13672
0
                                "Certificate message but no CertificateVerify");
13673
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13674
0
                    return OUT_OF_ORDER_E;
13675
0
                }
13676
0
            }
13677
            /* Check previously seen. */
13678
0
            if (ssl->msgsReceived.got_finished) {
13679
0
                WOLFSSL_MSG("Duplicate Finished received");
13680
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13681
0
                return DUPLICATE_MSG_E;
13682
0
            }
13683
0
            ssl->msgsReceived.got_finished = 1;
13684
13685
0
            break;
13686
13687
0
        case key_update:
13688
            /* Valid on both sides. */
13689
#ifdef WOLFSSL_QUIC
13690
            /* RFC 9001 Section 6: QUIC performs key updates at the QUIC
13691
             * packet-protection layer, so a TLS KeyUpdate message must be
13692
             * rejected as a fatal unexpected_message connection error. */
13693
            if (WOLFSSL_IS_QUIC(ssl)) {
13694
                WOLFSSL_MSG("KeyUpdate received over QUIC");
13695
                WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13696
                return SANITY_MSG_E;
13697
            }
13698
#endif
13699
            /* Check state.
13700
             * Client and server must have received finished message from other
13701
             * side.
13702
             */
13703
0
            if (!ssl->msgsReceived.got_finished) {
13704
0
                WOLFSSL_MSG("No KeyUpdate before Finished");
13705
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13706
0
                return OUT_OF_ORDER_E;
13707
0
            }
13708
            /* Multiple KeyUpdates can be sent. */
13709
0
            break;
13710
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12)
13711
        case hello_verify_request:
13712
            if (!ssl->options.dtls) {
13713
                WOLFSSL_MSG("HelloVerifyRequest when not in DTLS");
13714
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13715
                return OUT_OF_ORDER_E;
13716
            }
13717
            if (ssl->msgsReceived.got_hello_verify_request) {
13718
                WOLFSSL_MSG("Duplicate HelloVerifyRequest received");
13719
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13720
                return DUPLICATE_MSG_E;
13721
            }
13722
            ssl->msgsReceived.got_hello_verify_request = 1;
13723
            if (ssl->msgsReceived.got_hello_retry_request) {
13724
                WOLFSSL_MSG(
13725
                    "Both HelloVerifyRequest and HelloRetryRequest received");
13726
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
13727
                return DUPLICATE_MSG_E;
13728
            }
13729
            if (ssl->options.serverState >=
13730
                    SERVER_HELLO_RETRY_REQUEST_COMPLETE ||
13731
                ssl->options.connectState != CLIENT_HELLO_SENT) {
13732
                WOLFSSL_MSG("HelloVerifyRequest received out of order");
13733
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13734
                return OUT_OF_ORDER_E;
13735
            }
13736
            if (ssl->options.side == WOLFSSL_SERVER_END) {
13737
                WOLFSSL_MSG("HelloVerifyRequest received on the server");
13738
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
13739
                return SIDE_ERROR;
13740
            }
13741
            if (!ssl->options.downgrade ||
13742
                ssl->options.minDowngrade < DTLSv1_2_MINOR) {
13743
                WOLFSSL_MSG(
13744
                    "HelloVerifyRequest received but not DTLSv1.2 allowed");
13745
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
13746
                return VERSION_ERROR;
13747
            }
13748
            break;
13749
#endif /* WOLFSSL_DTLS13 && !WOLFSSL_NO_TLS12*/
13750
13751
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS_CID)
13752
        case request_connection_id:
13753
        case new_connection_id:
13754
        {
13755
            CIDInfo* cidInfo = ssl->dtlsCidInfo;
13756
13757
            /* DTLS 1.3 only (RFC 9147) */
13758
            if (!ssl->options.dtls) {
13759
                WOLFSSL_MSG("CID message received but not DTLS");
13760
                WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13761
                return SANITY_MSG_E;
13762
            }
13763
            /* RFC 9147 Section 9: if CIDs were not negotiated, MUST abort
13764
             * with an unexpected_message alert */
13765
            if (cidInfo == NULL || !cidInfo->negotiated) {
13766
                WOLFSSL_MSG("CID message received but CID not negotiated");
13767
                WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13768
                return SANITY_MSG_E;
13769
            }
13770
            if (ssl->options.handShakeState != HANDSHAKE_DONE) {
13771
                WOLFSSL_MSG("CID message received out of order");
13772
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13773
                return OUT_OF_ORDER_E;
13774
            }
13775
            if (type == request_connection_id) {
13776
                /* the peer MUST NOT request CIDs while sending an empty
13777
                 * CID itself */
13778
                if (cidInfo->rx == NULL || cidInfo->rx->length == 0) {
13779
                    WOLFSSL_MSG("RequestConnectionId from peer sending an "
13780
                                "empty CID");
13781
                    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13782
                    return SANITY_MSG_E;
13783
                }
13784
            }
13785
            else {
13786
                /* the peer MUST NOT issue CIDs after negotiating receiving
13787
                 * an empty CID */
13788
                if (cidInfo->tx == NULL || cidInfo->tx->length == 0) {
13789
                    WOLFSSL_MSG("NewConnectionId from peer that negotiated "
13790
                                "an empty CID");
13791
                    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13792
                    return SANITY_MSG_E;
13793
                }
13794
            }
13795
            break;
13796
        }
13797
#endif /* WOLFSSL_DTLS13 && WOLFSSL_DTLS_CID */
13798
13799
0
        default:
13800
0
            WOLFSSL_MSG("Unknown message type");
13801
0
            WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13802
0
            return SANITY_MSG_E;
13803
0
    }
13804
13805
0
    return 0;
13806
0
}
13807
13808
/* Handle a type of handshake message that has been received.
13809
 *
13810
 * ssl       The SSL/TLS object.
13811
 * input     The message buffer.
13812
 * inOutIdx  On entry, the index into the buffer of the current message.
13813
 *           On exit, the index into the buffer of the next message.
13814
 * size      The length of the current handshake message.
13815
 * totalSz   Length of remaining data in the message buffer.
13816
 * returns 0 on success and otherwise failure.
13817
 */
13818
int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
13819
                            byte type, word32 size, word32 totalSz)
13820
0
{
13821
0
    int ret = 0, tmp;
13822
0
    word32 inIdx = *inOutIdx;
13823
0
    int alertType;
13824
#if defined(HAVE_ECH) && !defined(NO_WOLFSSL_SERVER)
13825
    TLSX* echX = NULL;
13826
    word32 echInOutIdx;
13827
#endif
13828
13829
0
    (void)totalSz;
13830
13831
0
    WOLFSSL_ENTER("DoTls13HandShakeMsgType");
13832
13833
    /* make sure we can read the message */
13834
0
    if (*inOutIdx + size > totalSz)
13835
0
        return INCOMPLETE_DATA;
13836
13837
    /* sanity check msg received */
13838
0
    if ((ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) {
13839
0
        WOLFSSL_MSG("Sanity Check on handshake message type received failed");
13840
0
        if (ret == WC_NO_ERR_TRACE(VERSION_ERROR))
13841
0
            SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version);
13842
0
        else
13843
0
            SendAlert(ssl, alert_fatal, unexpected_message);
13844
0
        return ret;
13845
0
    }
13846
13847
#if defined(WOLFSSL_CALLBACKS)
13848
    /* add name later, add on record and handshake header part back on */
13849
    if (ssl->toInfoOn) {
13850
        ret = AddPacketInfo(ssl, 0, handshake, input + *inOutIdx -
13851
            HANDSHAKE_HEADER_SZ, size + HANDSHAKE_HEADER_SZ, READ_PROTO,
13852
            RECORD_HEADER_SZ, ssl->heap);
13853
        if (ret != 0)
13854
            return ret;
13855
        AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
13856
    }
13857
#endif
13858
13859
0
    if (ssl->options.handShakeState == HANDSHAKE_DONE &&
13860
0
            type != session_ticket && type != certificate_request &&
13861
0
            type != certificate && type != key_update && type != finished
13862
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS_CID)
13863
            && type != request_connection_id && type != new_connection_id
13864
#endif
13865
0
            ) {
13866
0
        WOLFSSL_MSG("HandShake message after handshake complete");
13867
0
        SendAlert(ssl, alert_fatal, unexpected_message);
13868
0
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13869
0
        return OUT_OF_ORDER_E;
13870
0
    }
13871
13872
0
    if (ssl->options.side == WOLFSSL_CLIENT_END &&
13873
0
               ssl->options.serverState == NULL_STATE &&
13874
0
               type != server_hello && type != hello_retry_request
13875
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12)
13876
        && (!ssl->options.dtls || type != hello_verify_request)
13877
#endif /* defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12) */
13878
0
        ) {
13879
0
        WOLFSSL_MSG("First server message not server hello");
13880
0
        SendAlert(ssl, alert_fatal, unexpected_message);
13881
0
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13882
0
        return OUT_OF_ORDER_E;
13883
0
    }
13884
13885
0
    if (ssl->options.side == WOLFSSL_SERVER_END &&
13886
0
               ssl->options.clientState == NULL_STATE && type != client_hello) {
13887
0
        WOLFSSL_MSG("First client message not client hello");
13888
0
        SendAlert(ssl, alert_fatal, unexpected_message);
13889
0
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
13890
0
        return OUT_OF_ORDER_E;
13891
0
    }
13892
13893
    /* above checks handshake state */
13894
0
    switch (type) {
13895
0
#ifndef NO_WOLFSSL_CLIENT
13896
    /* Messages only received by client. */
13897
0
    case server_hello:
13898
0
        WOLFSSL_MSG("processing server hello");
13899
0
        ret = DoTls13ServerHello(ssl, input, inOutIdx, size, &type);
13900
    #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
13901
               ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
13902
                (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
13903
        if (ssl->options.resuming || !IsAtLeastTLSv1_2(ssl) ||
13904
                                               IsAtLeastTLSv1_3(ssl->version)) {
13905
            ssl->options.cacheMessages = 0;
13906
            if ((ssl->hsHashes != NULL) && (ssl->hsHashes->messages != NULL)) {
13907
                ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
13908
                XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
13909
                ssl->hsHashes->messages = NULL;
13910
            }
13911
        }
13912
    #endif
13913
0
        break;
13914
13915
0
    case encrypted_extensions:
13916
0
        WOLFSSL_MSG("processing encrypted extensions");
13917
0
        ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size);
13918
0
        break;
13919
13920
0
    #ifndef NO_CERTS
13921
0
    case certificate_request:
13922
0
        WOLFSSL_MSG("processing certificate request");
13923
0
        ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size);
13924
0
        break;
13925
0
    #endif
13926
13927
0
    case session_ticket:
13928
0
        WOLFSSL_MSG("processing new session ticket");
13929
0
        ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size);
13930
0
        break;
13931
0
#endif /* !NO_WOLFSSL_CLIENT */
13932
13933
0
#ifndef NO_WOLFSSL_SERVER
13934
    /* Messages only received by server. */
13935
0
    case client_hello:
13936
0
        WOLFSSL_MSG("processing client hello");
13937
#if defined(HAVE_ECH)
13938
        /* keep the start idx so we can restore it for the inner call */
13939
        echInOutIdx = *inOutIdx;
13940
#endif
13941
0
        ret = DoTls13ClientHello(ssl, input, inOutIdx, size);
13942
    #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
13943
               ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
13944
                (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
13945
        if ((ssl->options.resuming || !ssl->options.verifyPeer ||
13946
               !IsAtLeastTLSv1_2(ssl) || IsAtLeastTLSv1_3(ssl->version))
13947
        #ifdef WOLFSSL_DTLS13
13948
               && (!ssl->options.dtls)
13949
        #endif
13950
               ) {
13951
        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
13952
            if (ret != WC_NO_ERR_TRACE(WC_PENDING_E) &&
13953
                ret != WC_NO_ERR_TRACE(OCSP_WANT_READ))
13954
        #endif
13955
            {
13956
                ssl->options.cacheMessages = 0;
13957
                if ((ssl->hsHashes != NULL) &&
13958
                        (ssl->hsHashes->messages != NULL)) {
13959
                    ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
13960
                    XFREE(ssl->hsHashes->messages, ssl->heap,
13961
                        DYNAMIC_TYPE_HASHES);
13962
                    ssl->hsHashes->messages = NULL;
13963
                }
13964
            }
13965
        }
13966
    #endif
13967
#if defined(HAVE_ECH)
13968
        if (ret == 0) {
13969
            echX = TLSX_Find(ssl->extensions, TLSX_ECH);
13970
13971
            if (echX != NULL &&
13972
                    ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE &&
13973
                    ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) {
13974
                byte copyRandom = ((WOLFSSL_ECH*)echX->data)->innerCount == 0;
13975
                /* reset the inOutIdx to the outer start */
13976
                *inOutIdx = echInOutIdx;
13977
                /* call again with the inner hello */
13978
                if (ret == 0) {
13979
                    ssl->options.echProcessingInner = 1;
13980
                    ret = DoTls13ClientHello(ssl,
13981
                        ((WOLFSSL_ECH*)echX->data)->innerClientHello,
13982
                        &echInOutIdx,
13983
                        ((WOLFSSL_ECH*)echX->data)->innerClientHelloLen);
13984
                    ssl->options.echProcessingInner = 0;
13985
                }
13986
                if (ret == 0 && ((WOLFSSL_ECH*)echX->data)->state !=
13987
                        ECH_PARSED_INTERNAL) {
13988
                    WOLFSSL_MSG("ECH: inner ClientHello missing ECH extension");
13989
                    ret = INVALID_PARAMETER;
13990
                }
13991
                /* if the inner ech parsed successfully we have successfully
13992
                 * handled the hello and can skip the whole message */
13993
                if (ret == 0) {
13994
                    /* Copy inner client random for ECH acceptance calculation.
13995
                     * Only on first inner ClientHello (before HRR), not CH2. */
13996
                    if (copyRandom) {
13997
                        XMEMCPY(ssl->arrays->clientRandomInner,
13998
                                ssl->arrays->clientRandom, RAN_LEN);
13999
                    }
14000
                    *inOutIdx += size;
14001
                }
14002
            }
14003
        }
14004
#endif /* HAVE_ECH */
14005
0
        break;
14006
14007
    #ifdef WOLFSSL_EARLY_DATA
14008
    case end_of_early_data:
14009
        WOLFSSL_MSG("processing end of early data");
14010
        ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size);
14011
        break;
14012
    #endif
14013
0
#endif /* !NO_WOLFSSL_SERVER */
14014
14015
    /* Messages received by both client and server. */
14016
0
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
14017
0
                           !defined(WOLFSSL_NO_CLIENT_AUTH))
14018
0
    case certificate:
14019
0
        WOLFSSL_MSG("processing certificate");
14020
0
        ret = DoTls13Certificate(ssl, input, inOutIdx, size);
14021
0
        break;
14022
0
#endif
14023
14024
0
#if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
14025
0
     defined(HAVE_ED448) || defined(HAVE_FALCON) || \
14026
0
     defined(WOLFSSL_HAVE_MLDSA)) && !defined(NO_CERTS)
14027
0
    case certificate_verify:
14028
0
        WOLFSSL_MSG("processing certificate verify");
14029
0
        ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
14030
0
        break;
14031
0
#endif
14032
0
    case finished:
14033
0
        WOLFSSL_MSG("processing finished");
14034
0
        ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
14035
0
        break;
14036
14037
0
    case key_update:
14038
0
        WOLFSSL_MSG("processing key update");
14039
0
        ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size);
14040
0
        break;
14041
14042
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS_CID)
14043
    case request_connection_id:
14044
        WOLFSSL_MSG("processing request connection id");
14045
        ret = DoDtls13RequestConnectionId(ssl, input, inOutIdx, size);
14046
        break;
14047
14048
    case new_connection_id:
14049
        WOLFSSL_MSG("processing new connection id");
14050
        ret = DoDtls13NewConnectionId(ssl, input, inOutIdx, size);
14051
        break;
14052
#endif /* WOLFSSL_DTLS13 && WOLFSSL_DTLS_CID */
14053
14054
#if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12) && \
14055
    !defined(NO_WOLFSSL_CLIENT)
14056
    case hello_verify_request:
14057
        WOLFSSL_MSG("processing hello verify request");
14058
        ret = DoHelloVerifyRequest(ssl, input, inOutIdx, size);
14059
        break;
14060
#endif
14061
0
    default:
14062
0
        WOLFSSL_MSG("Unknown handshake message type");
14063
0
        ret = UNKNOWN_HANDSHAKE_TYPE;
14064
0
        break;
14065
0
    }
14066
14067
0
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_ASYNC_IO)
14068
    /* if async, offset index so this msg will be processed again */
14069
    /* NOTE: check this now before other calls can overwrite ret */
14070
0
    if ((ret == WC_NO_ERR_TRACE(WC_PENDING_E) ||
14071
0
         ret == WC_NO_ERR_TRACE(OCSP_WANT_READ)) && *inOutIdx > 0) {
14072
        /* DTLS always stores a message in a buffer when async is enable, so we
14073
         * don't need to adjust for the extra bytes here (*inOutIdx is always
14074
         * == 0) */
14075
0
        *inOutIdx -= HANDSHAKE_HEADER_SZ;
14076
0
    }
14077
14078
    /* make sure async error is cleared */
14079
0
    if (ret == 0 &&
14080
0
        (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E) ||
14081
0
         ssl->error == WC_NO_ERR_TRACE(OCSP_WANT_READ))) {
14082
0
        ssl->error = 0;
14083
0
    }
14084
0
#endif
14085
0
    if (ret == 0 && type != client_hello && type != session_ticket &&
14086
0
                                                           type != key_update
14087
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS_CID)
14088
            && type != request_connection_id && type != new_connection_id
14089
#endif
14090
0
            ) {
14091
0
        ret = HashInput(ssl, input + inIdx, (int)size);
14092
0
    }
14093
14094
0
    alertType = TranslateErrorToAlert(ret);
14095
14096
0
    if (alertType != invalid_alert) {
14097
#ifdef WOLFSSL_DTLS13
14098
        if (type == client_hello && ssl->options.dtls)
14099
            DtlsSetSeqNumForReply(ssl);
14100
#endif
14101
0
        tmp = SendAlert(ssl, alert_fatal, alertType);
14102
        /* propagate socket error instead of tls error to be sure the error is
14103
         * not ignored by DTLS code */
14104
0
        if (tmp == WC_NO_ERR_TRACE(SOCKET_ERROR_E))
14105
0
            ret = SOCKET_ERROR_E;
14106
0
    }
14107
14108
0
    if (ret == 0 && ssl->options.tls1_3) {
14109
        /* Need to hash input message before deriving secrets. */
14110
0
    #ifndef NO_WOLFSSL_CLIENT
14111
0
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
14112
0
            if (type == server_hello) {
14113
0
                if ((ret = DeriveEarlySecret(ssl)) != 0)
14114
0
                    return ret;
14115
0
                if ((ret = DeriveHandshakeSecret(ssl)) != 0)
14116
0
                    return ret;
14117
14118
0
                if ((ret = DeriveTls13Keys(ssl, handshake_key,
14119
0
                                        ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
14120
0
                    return ret;
14121
0
                }
14122
        #ifdef WOLFSSL_EARLY_DATA
14123
                if (ssl->earlyData != no_early_data) {
14124
                    if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
14125
                        return ret;
14126
                }
14127
                else
14128
        #endif
14129
0
                if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
14130
0
                    return ret;
14131
14132
#ifdef WOLFSSL_DTLS13
14133
                if (ssl->options.dtls) {
14134
                    w64wrapper epochHandshake;
14135
                    epochHandshake = w64From32(0, DTLS13_EPOCH_HANDSHAKE);
14136
                    ssl->dtls13Epoch = epochHandshake;
14137
                    ssl->dtls13PeerEpoch = epochHandshake;
14138
14139
                    ret = Dtls13SetEpochKeys(
14140
                        ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE);
14141
                    if (ret != 0)
14142
                        return ret;
14143
14144
                }
14145
#endif /* WOLFSSL_DTLS13 */
14146
0
            }
14147
14148
0
            if (type == finished) {
14149
0
                if ((ret = DeriveMasterSecret(ssl)) != 0)
14150
0
                    return ret;
14151
                /* Last use of preMasterSecret - zeroize as soon as possible. */
14152
0
                ForceZero(ssl->arrays->preMasterSecret,
14153
0
                    ssl->arrays->preMasterSz);
14154
        #ifdef WOLFSSL_EARLY_DATA
14155
        #ifdef WOLFSSL_QUIC
14156
                if (WOLFSSL_IS_QUIC(ssl) && ssl->earlyData != no_early_data) {
14157
                    /* QUIC never sends/receives EndOfEarlyData, but having
14158
                     * early data means the last encryption keys had not been
14159
                     * set yet. */
14160
                    if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
14161
                        return ret;
14162
                }
14163
        #endif
14164
                if ((ret = DeriveTls13Keys(ssl, traffic_key,
14165
                                    ENCRYPT_AND_DECRYPT_SIDE,
14166
                                    ssl->earlyData == no_early_data)) != 0) {
14167
                    return ret;
14168
                }
14169
                if (ssl->earlyData != no_early_data) {
14170
                    if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY,
14171
                                                                  1)) != 0) {
14172
                            return ret;
14173
                    }
14174
                }
14175
        #else
14176
0
                if ((ret = DeriveTls13Keys(ssl, traffic_key,
14177
0
                                        ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
14178
0
                    return ret;
14179
0
                }
14180
0
        #endif
14181
                /* Setup keys for application data messages. */
14182
0
                if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
14183
0
                    return ret;
14184
0
            }
14185
        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
14186
            if (type == certificate_request &&
14187
                                ssl->options.handShakeState == HANDSHAKE_DONE) {
14188
#if defined(HAVE_WRITE_DUP)
14189
                /* Read side cannot write; delegate the cert response to the
14190
                 * write side by saving auth state in the shared WriteDup. */
14191
                if (ssl->dupSide == READ_DUP_SIDE) {
14192
                    if (ssl->dupWrite == NULL)
14193
                        return BAD_STATE_E;
14194
                    if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0)
14195
                        return BAD_MUTEX_E;
14196
                    /* Copy the current transcript so the write side can
14197
                     * compute the correct Finished MAC. */
14198
                    ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashes,
14199
                                      &ssl->dupWrite->postHandshakeHashState);
14200
                    if (ret == 0) {
14201
                        /* Copy the cert request context. */
14202
                        CertReqCtx** tail = &ssl->certReqCtx;
14203
                        while (*tail != NULL)
14204
                            tail = &(*tail)->next;
14205
                        *tail = ssl->dupWrite->postHandshakeCertReqCtx;
14206
                        ssl->dupWrite->postHandshakeCertReqCtx = ssl->certReqCtx;
14207
                        ssl->certReqCtx = NULL;
14208
                        ssl->dupWrite->postHandshakeSendVerify =
14209
                            ssl->options.sendVerify;
14210
                        ssl->dupWrite->postHandshakeSigAlgo =
14211
                            ssl->options.sigAlgo;
14212
                        ssl->dupWrite->postHandshakeHashAlgo =
14213
                            ssl->options.hashAlgo;
14214
                        ssl->dupWrite->postHandshakeAuthPending = 1;
14215
                    }
14216
                    wc_UnLockMutex(&ssl->dupWrite->dupMutex);
14217
                    /* Leave ssl->options unchanged: read side must not reset
14218
                     * its states or call wolfSSL_connect_TLSv13. */
14219
                }
14220
                else
14221
#endif /* HAVE_WRITE_DUP */
14222
                {
14223
                    /* reset handshake states */
14224
                    ssl->options.clientState = CLIENT_HELLO_COMPLETE;
14225
                    ssl->options.connectState  = FIRST_REPLY_DONE;
14226
                    ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
14227
                    ssl->options.processReply = 0; /* doProcessInit */
14228
14229
                    /*
14230
                       DTLSv1.3 note: We can't reset serverState to
14231
                       SERVER_FINISHED_COMPLETE with the goal that this connect
14232
                       blocks until the cert/cert_verify/finished flight gets ACKed
14233
                       by the server. The problem is that we will invoke
14234
                       ProcessReplyEx() in that case, but we came here from
14235
                       ProcessReplyEx() and it is not re-entrant safe (the input
14236
                       buffer would still have the certificate_request message). */
14237
14238
                    if (wolfSSL_connect_TLSv13(ssl) != WOLFSSL_SUCCESS) {
14239
                        ret = ssl->error;
14240
                        if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
14241
                            ret = POST_HAND_AUTH_ERROR;
14242
                    }
14243
                }
14244
            }
14245
        #endif
14246
0
        }
14247
0
    #endif /* NO_WOLFSSL_CLIENT */
14248
14249
0
#ifndef NO_WOLFSSL_SERVER
14250
    #if defined(HAVE_SESSION_TICKET)
14251
        if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) {
14252
            ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret);
14253
            if (ret != 0)
14254
                return ret;
14255
        }
14256
    #endif
14257
0
#endif /* NO_WOLFSSL_SERVER */
14258
0
    }
14259
14260
#ifdef WOLFSSL_DTLS13
14261
    if (ssl->options.dtls && !ssl->options.dtlsStateful) {
14262
        DtlsResetState(ssl);
14263
        if (DtlsIgnoreError(ret))
14264
            ret = 0;
14265
    }
14266
#endif
14267
14268
0
    WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret);
14269
0
    return ret;
14270
0
}
14271
14272
14273
/* Handle a handshake message that has been received.
14274
 *
14275
 * ssl       The SSL/TLS object.
14276
 * input     The message buffer.
14277
 * inOutIdx  On entry, the index into the buffer of the current message.
14278
 *           On exit, the index into the buffer of the next message.
14279
 * totalSz   Length of remaining data in the message buffer.
14280
 * returns 0 on success and otherwise failure.
14281
 */
14282
int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
14283
                        word32 totalSz)
14284
0
{
14285
0
    int    ret = 0;
14286
0
    word32 inputLength;
14287
0
    byte   type;
14288
0
    word32 size = 0;
14289
14290
0
    WOLFSSL_ENTER("DoTls13HandShakeMsg");
14291
14292
    /* totalSz is now curStartIdx + curSize (content-only, padSz already
14293
     * subtracted in ProcessReply). */
14294
0
    if (*inOutIdx > totalSz)
14295
0
        return BUFFER_ERROR;
14296
0
    inputLength = totalSz - *inOutIdx;
14297
14298
    /* If there is a pending fragmented handshake message,
14299
     * pending message size will be non-zero. */
14300
0
    if (ssl->pendingMsgSz == 0) {
14301
14302
0
        if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size,
14303
0
                               totalSz) != 0) {
14304
0
            WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
14305
0
            return PARSE_ERROR;
14306
0
        }
14307
14308
0
        ret = EarlySanityCheckMsgReceived(ssl, type,
14309
0
                (inputLength > HANDSHAKE_HEADER_SZ) ?
14310
0
                min(inputLength - HANDSHAKE_HEADER_SZ, size) : 0);
14311
0
        if (ret != 0) {
14312
0
            WOLFSSL_ERROR(ret);
14313
0
            return ret;
14314
0
        }
14315
14316
        /* Cap the maximum size of a handshake message to something reasonable.
14317
         * By default is the maximum size of a certificate message assuming
14318
         * nine 2048-bit RSA certificates in the chain. */
14319
0
        if (size > MAX_HANDSHAKE_SZ) {
14320
0
            WOLFSSL_MSG("Handshake message too large");
14321
0
            WOLFSSL_ERROR_VERBOSE(HANDSHAKE_SIZE_ERROR);
14322
0
            return HANDSHAKE_SIZE_ERROR;
14323
0
        }
14324
14325
        /* size is the size of the certificate message payload */
14326
0
        if (inputLength - HANDSHAKE_HEADER_SZ < size) {
14327
            /* Commit pending state only after the allocation succeeds. */
14328
0
            ssl->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
14329
0
                                             ssl->heap, DYNAMIC_TYPE_ARRAYS);
14330
0
            if (ssl->pendingMsg == NULL)
14331
0
                return MEMORY_E;
14332
0
            ssl->pendingMsgType = type;
14333
0
            ssl->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
14334
0
            XMEMCPY(ssl->pendingMsg,
14335
0
                    input + *inOutIdx - HANDSHAKE_HEADER_SZ,
14336
0
                    inputLength);
14337
0
            ssl->pendingMsgOffset = inputLength;
14338
0
            *inOutIdx += inputLength - HANDSHAKE_HEADER_SZ;
14339
0
            return 0;
14340
0
        }
14341
14342
0
        ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
14343
0
                                      totalSz);
14344
0
    }
14345
0
    else {
14346
0
        if (inputLength + ssl->pendingMsgOffset > ssl->pendingMsgSz) {
14347
0
            inputLength = ssl->pendingMsgSz - ssl->pendingMsgOffset;
14348
0
        }
14349
14350
0
        ret = EarlySanityCheckMsgReceived(ssl, ssl->pendingMsgType,
14351
0
                inputLength);
14352
0
        if (ret != 0) {
14353
0
            WOLFSSL_ERROR(ret);
14354
0
            return ret;
14355
0
        }
14356
14357
0
        XMEMCPY(ssl->pendingMsg + ssl->pendingMsgOffset,
14358
0
                input + *inOutIdx, inputLength);
14359
0
        ssl->pendingMsgOffset += inputLength;
14360
0
        *inOutIdx += inputLength;
14361
14362
0
        if (ssl->pendingMsgOffset == ssl->pendingMsgSz)
14363
0
        {
14364
0
            word32 idx = 0;
14365
0
            ret = DoTls13HandShakeMsgType(ssl,
14366
0
                                ssl->pendingMsg + HANDSHAKE_HEADER_SZ,
14367
0
                                &idx, ssl->pendingMsgType,
14368
0
                                ssl->pendingMsgSz - HANDSHAKE_HEADER_SZ,
14369
0
                                ssl->pendingMsgSz);
14370
        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
14371
            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E) ||
14372
                ret == WC_NO_ERR_TRACE(OCSP_WANT_READ)) {
14373
                /* setup to process fragment again */
14374
                ssl->pendingMsgOffset -= inputLength;
14375
                *inOutIdx -= inputLength;
14376
            }
14377
            else
14378
        #endif
14379
0
            {
14380
0
                XFREE(ssl->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
14381
0
                ssl->pendingMsg = NULL;
14382
0
                ssl->pendingMsgSz = 0;
14383
0
            }
14384
0
        }
14385
0
    }
14386
14387
0
    WOLFSSL_LEAVE("DoTls13HandShakeMsg", ret);
14388
0
    return ret;
14389
0
}
14390
14391
#ifndef NO_WOLFSSL_CLIENT
14392
14393
/* The client connecting to the server.
14394
 * The protocol version is expecting to be TLS v1.3.
14395
 * If the server downgrades, and older versions of the protocol are compiled
14396
 * in, the client will fallback to wolfSSL_connect().
14397
 * Please see note at top of README if you get an error from connect.
14398
 *
14399
 * ssl  The SSL/TLS object.
14400
 * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
14401
 * unrecoverable error occurs and 0 otherwise.
14402
 * For more error information use wolfSSL_get_error().
14403
 */
14404
int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
14405
0
{
14406
0
    int advanceState;
14407
0
    int ret = 0;
14408
14409
0
    WOLFSSL_ENTER("wolfSSL_connect_TLSv13");
14410
14411
0
#ifdef HAVE_ERRNO_H
14412
0
    errno = 0;
14413
0
#endif
14414
14415
0
    if (ssl == NULL)
14416
0
        return BAD_FUNC_ARG;
14417
14418
0
    if (ssl->options.side != WOLFSSL_CLIENT_END) {
14419
0
        ssl->error = SIDE_ERROR;
14420
0
        WOLFSSL_ERROR(ssl->error);
14421
0
        return WOLFSSL_FATAL_ERROR;
14422
0
    }
14423
14424
    /* make sure this wolfSSL object has arrays and rng setup. Protects
14425
     * case where the WOLFSSL object is reused via wolfSSL_clear() */
14426
0
    if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) {
14427
0
        return ret;
14428
0
    }
14429
14430
#ifdef WOLFSSL_DTLS
14431
    if (ssl->version.major == DTLS_MAJOR) {
14432
        ssl->options.dtls   = 1;
14433
        ssl->options.dtlsStateful = 1;
14434
    }
14435
#endif
14436
14437
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
14438
    if ((ssl->ConnectFilter != NULL) &&
14439
        (ssl->options.connectState == CONNECT_BEGIN))
14440
    {
14441
        wolfSSL_netfilter_decision_t res;
14442
        if ((ssl->ConnectFilter(ssl, ssl->ConnectFilter_arg, &res) ==
14443
             WOLFSSL_SUCCESS) &&
14444
            (res == WOLFSSL_NETFILTER_REJECT)) {
14445
            ssl->error = SOCKET_FILTERED_E;
14446
            WOLFSSL_ERROR(ssl->error);
14447
            return WOLFSSL_FATAL_ERROR;
14448
        }
14449
    }
14450
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
14451
14452
    /* fragOffset is non-zero when sending fragments. On the last
14453
     * fragment, fragOffset is zero again, and the state can be
14454
     * advanced. Also, only advance from states in which we send data */
14455
0
    advanceState = (ssl->options.connectState == CONNECT_BEGIN ||
14456
0
            ssl->options.connectState == HELLO_AGAIN ||
14457
0
            (ssl->options.connectState >= FIRST_REPLY_DONE &&
14458
0
             ssl->options.connectState <= FIRST_REPLY_FOURTH));
14459
14460
#ifdef WOLFSSL_DTLS13
14461
    if (ssl->options.dtls)
14462
        advanceState = advanceState && !ssl->dtls13SendingFragments
14463
            && !ssl->dtls13SendingAckOrRtx;
14464
#endif /* WOLFSSL_DTLS13 */
14465
14466
0
    if (ssl->buffers.outputBuffer.length > 0
14467
    #ifdef WOLFSSL_ASYNC_CRYPT
14468
        /* do not send buffered or advance state if last error was an
14469
            async pending operation */
14470
        && ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E)
14471
    #endif
14472
0
    ) {
14473
0
        if ((ret = SendBuffered(ssl)) == 0) {
14474
0
            if (ssl->fragOffset == 0 && !ssl->options.buildingMsg) {
14475
0
                if (advanceState) {
14476
#ifdef WOLFSSL_DTLS13
14477
                    if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version) &&
14478
                        ssl->options.connectState == FIRST_REPLY_FOURTH) {
14479
                    /* WAIT_FINISHED_ACK is a state added afterwards, but it
14480
                       can't follow FIRST_REPLY_FOURTH in the enum order. Indeed
14481
                       the value of the enum ConnectState is stored in
14482
                       serialized session. This would make importing serialized
14483
                       session from other wolfSSL version incompatible */
14484
                        ssl->options.connectState = WAIT_FINISHED_ACK;
14485
                    }
14486
                    else
14487
#endif /* WOLFSSL_DTLS13 */
14488
0
                    {
14489
0
                        ssl->options.connectState++;
14490
0
                    }
14491
0
                    WOLFSSL_MSG("connect state: "
14492
0
                                "Advanced from last buffered fragment send");
14493
0
#ifdef WOLFSSL_ASYNC_IO
14494
0
                    FreeAsyncCtx(ssl, 0);
14495
0
#endif
14496
14497
0
                }
14498
0
            }
14499
0
            else {
14500
0
                WOLFSSL_MSG("connect state: "
14501
0
                            "Not advanced, more fragments to send");
14502
0
            }
14503
#ifdef WOLFSSL_DTLS13
14504
            if (ssl->options.dtls)
14505
                ssl->dtls13SendingAckOrRtx = 0;
14506
#endif /* WOLFSSL_DTLS13 */
14507
14508
0
        }
14509
0
        else {
14510
0
            ssl->error = ret;
14511
0
            WOLFSSL_ERROR(ssl->error);
14512
0
            return WOLFSSL_FATAL_ERROR;
14513
0
        }
14514
0
    }
14515
14516
0
    ret = RetrySendAlert(ssl);
14517
0
    if (ret != 0) {
14518
0
        ssl->error = ret;
14519
0
        WOLFSSL_ERROR(ssl->error);
14520
0
        return WOLFSSL_FATAL_ERROR;
14521
0
    }
14522
14523
#ifdef WOLFSSL_DTLS13
14524
    if (ssl->options.dtls && ssl->dtls13SendingFragments) {
14525
        if ((ssl->error = Dtls13FragmentsContinue(ssl)) != 0) {
14526
                WOLFSSL_ERROR(ssl->error);
14527
                return WOLFSSL_FATAL_ERROR;
14528
        }
14529
14530
        /* we sent all the fragments. Advance state. */
14531
        ssl->options.connectState++;
14532
    }
14533
#endif /* WOLFSSL_DTLS13 */
14534
14535
0
    switch (ssl->options.connectState) {
14536
14537
0
        case CONNECT_BEGIN:
14538
            /* Always send client hello first. */
14539
0
            if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
14540
0
                WOLFSSL_ERROR(ssl->error);
14541
0
                return WOLFSSL_FATAL_ERROR;
14542
0
            }
14543
14544
0
            ssl->options.connectState = CLIENT_HELLO_SENT;
14545
0
            WOLFSSL_MSG("TLSv13 connect state: CLIENT_HELLO_SENT");
14546
0
            FALL_THROUGH;
14547
14548
0
        case CLIENT_HELLO_SENT:
14549
    #ifdef WOLFSSL_EARLY_DATA
14550
            if (ssl->earlyData != no_early_data &&
14551
                ssl->options.handShakeState != CLIENT_HELLO_COMPLETE) {
14552
        #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
14553
                    if (!ssl->options.dtls &&
14554
                           ssl->options.tls13MiddleBoxCompat) {
14555
                        if ((ssl->error = SendChangeCipher(ssl)) != 0) {
14556
                            WOLFSSL_ERROR(ssl->error);
14557
                            return WOLFSSL_FATAL_ERROR;
14558
                        }
14559
                        ssl->options.sentChangeCipher = 1;
14560
                    }
14561
        #endif
14562
                ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
14563
                return WOLFSSL_SUCCESS;
14564
            }
14565
    #endif
14566
            /* Get the response/s from the server. */
14567
0
            while (ssl->options.serverState <
14568
0
                    SERVER_HELLOVERIFYREQUEST_COMPLETE) {
14569
0
                if ((ssl->error = ProcessReply(ssl)) < 0) {
14570
0
                        WOLFSSL_ERROR(ssl->error);
14571
0
                        return WOLFSSL_FATAL_ERROR;
14572
0
                }
14573
14574
#ifdef WOLFSSL_DTLS13
14575
                if (ssl->options.dtls) {
14576
                    if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
14577
                        WOLFSSL_ERROR(ssl->error);
14578
                        return WOLFSSL_FATAL_ERROR;
14579
                    }
14580
                }
14581
#endif /* WOLFSSL_DTLS13 */
14582
0
            }
14583
14584
0
            if (!ssl->options.tls1_3) {
14585
0
    #ifndef WOLFSSL_NO_TLS12
14586
0
                if (ssl->options.downgrade)
14587
0
                    return wolfSSL_connect(ssl);
14588
0
    #endif
14589
0
                WOLFSSL_MSG("Client using higher version, fatal error");
14590
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
14591
0
                return VERSION_ERROR;
14592
0
            }
14593
14594
0
            ssl->options.connectState = HELLO_AGAIN;
14595
0
            WOLFSSL_MSG("connect state: HELLO_AGAIN");
14596
0
            FALL_THROUGH;
14597
14598
0
        case HELLO_AGAIN:
14599
14600
0
            if (ssl->options.serverState ==
14601
0
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
14602
        #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
14603
                if (!ssl->options.dtls && !ssl->options.sentChangeCipher
14604
                    && ssl->options.tls13MiddleBoxCompat) {
14605
                    if ((ssl->error = SendChangeCipher(ssl)) != 0) {
14606
                        WOLFSSL_ERROR(ssl->error);
14607
                        return WOLFSSL_FATAL_ERROR;
14608
                    }
14609
                    ssl->options.sentChangeCipher = 1;
14610
                }
14611
        #endif
14612
                /* Try again with different security parameters. */
14613
0
                if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
14614
0
                    WOLFSSL_ERROR(ssl->error);
14615
0
                    return WOLFSSL_FATAL_ERROR;
14616
0
                }
14617
0
            }
14618
14619
0
            ssl->options.connectState = HELLO_AGAIN_REPLY;
14620
0
            WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY");
14621
0
            FALL_THROUGH;
14622
14623
0
        case HELLO_AGAIN_REPLY:
14624
            /* Get the response/s from the server. */
14625
0
            while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) {
14626
#ifdef WOLFSSL_DTLS13
14627
                if (!IsAtLeastTLSv1_3(ssl->version)) {
14628
        #ifndef WOLFSSL_NO_TLS12
14629
                    if (ssl->options.downgrade)
14630
                        return wolfSSL_connect(ssl);
14631
        #endif
14632
                }
14633
#endif /* WOLFSSL_DTLS13 */
14634
0
                if ((ssl->error = ProcessReply(ssl)) < 0) {
14635
0
                        WOLFSSL_ERROR(ssl->error);
14636
0
                        return WOLFSSL_FATAL_ERROR;
14637
0
                }
14638
14639
#ifdef WOLFSSL_DTLS13
14640
                if (ssl->options.dtls) {
14641
                    if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
14642
                        WOLFSSL_ERROR(ssl->error);
14643
                        return WOLFSSL_FATAL_ERROR;
14644
                    }
14645
                }
14646
#endif /* WOLFSSL_DTLS13 */
14647
0
            }
14648
14649
0
            ssl->options.connectState = FIRST_REPLY_DONE;
14650
0
            WOLFSSL_MSG("connect state: FIRST_REPLY_DONE");
14651
0
            FALL_THROUGH;
14652
14653
0
        case FIRST_REPLY_DONE:
14654
0
            if (ssl->options.certOnly)
14655
0
                return WOLFSSL_SUCCESS;
14656
        #ifdef WOLFSSL_EARLY_DATA
14657
            if (!ssl->options.dtls && ssl->earlyData != no_early_data
14658
                && !WOLFSSL_IS_QUIC(ssl)) {
14659
                if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) {
14660
                    WOLFSSL_ERROR(ssl->error);
14661
                    return WOLFSSL_FATAL_ERROR;
14662
                }
14663
                WOLFSSL_MSG("sent: end_of_early_data");
14664
            }
14665
        #endif
14666
14667
0
            ssl->options.connectState = FIRST_REPLY_FIRST;
14668
0
            WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST");
14669
0
            FALL_THROUGH;
14670
14671
0
        case FIRST_REPLY_FIRST:
14672
        #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
14673
            if (!ssl->options.sentChangeCipher && !ssl->options.dtls
14674
                && ssl->options.tls13MiddleBoxCompat) {
14675
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
14676
                    WOLFSSL_ERROR(ssl->error);
14677
                    return WOLFSSL_FATAL_ERROR;
14678
                }
14679
                ssl->options.sentChangeCipher = 1;
14680
            }
14681
        #endif
14682
14683
0
            ssl->options.connectState = FIRST_REPLY_SECOND;
14684
0
            WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
14685
0
            FALL_THROUGH;
14686
14687
0
        case FIRST_REPLY_SECOND:
14688
            /* CLIENT: check peer authentication. */
14689
0
            if (!ssl->options.peerAuthGood) {
14690
0
                WOLFSSL_MSG("Server authentication did not happen");
14691
0
                WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR);
14692
0
                return WOLFSSL_FATAL_ERROR;
14693
0
            }
14694
0
        #ifndef NO_CERTS
14695
0
            if (!ssl->options.resuming && ssl->options.sendVerify) {
14696
0
                ssl->error = SendTls13Certificate(ssl);
14697
0
                if (ssl->error != 0) {
14698
0
                    wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
14699
0
                    WOLFSSL_ERROR(ssl->error);
14700
0
                    return WOLFSSL_FATAL_ERROR;
14701
0
                }
14702
0
                WOLFSSL_MSG("sent: certificate");
14703
0
            }
14704
0
        #endif
14705
14706
0
            ssl->options.connectState = FIRST_REPLY_THIRD;
14707
0
            WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD");
14708
0
            FALL_THROUGH;
14709
14710
0
        case FIRST_REPLY_THIRD:
14711
0
        #if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
14712
0
             defined(HAVE_ED25519) || defined(HAVE_ED448) || \
14713
0
             defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA))) && \
14714
0
             (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH))
14715
0
            if (!ssl->options.resuming && ssl->options.sendVerify) {
14716
0
                ssl->error = SendTls13CertificateVerify(ssl);
14717
0
                if (ssl->error != 0) {
14718
0
                    wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
14719
0
                    WOLFSSL_ERROR(ssl->error);
14720
0
                    return WOLFSSL_FATAL_ERROR;
14721
0
                }
14722
0
                WOLFSSL_MSG("sent: certificate verify");
14723
0
            }
14724
0
        #endif
14725
14726
0
            ssl->options.connectState = FIRST_REPLY_FOURTH;
14727
0
            WOLFSSL_MSG("connect state: FIRST_REPLY_FOURTH");
14728
0
            FALL_THROUGH;
14729
14730
0
        case FIRST_REPLY_FOURTH:
14731
0
            if ((ssl->error = SendTls13Finished(ssl)) != 0) {
14732
0
                wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error);
14733
0
                WOLFSSL_ERROR(ssl->error);
14734
0
                return WOLFSSL_FATAL_ERROR;
14735
0
            }
14736
0
            WOLFSSL_MSG("sent: finished");
14737
14738
#ifdef WOLFSSL_DTLS13
14739
            ssl->options.connectState = WAIT_FINISHED_ACK;
14740
            WOLFSSL_MSG("connect state: WAIT_FINISHED_ACK");
14741
            FALL_THROUGH;
14742
14743
        case WAIT_FINISHED_ACK:
14744
            if (ssl->options.dtls) {
14745
                while (ssl->options.serverState != SERVER_FINISHED_ACKED) {
14746
                    if ((ssl->error = ProcessReply(ssl)) < 0) {
14747
                        WOLFSSL_ERROR(ssl->error);
14748
                        return WOLFSSL_FATAL_ERROR;
14749
                    }
14750
14751
                    if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
14752
                        WOLFSSL_ERROR(ssl->error);
14753
                        return WOLFSSL_FATAL_ERROR;
14754
                    }
14755
                }
14756
            }
14757
#endif /* WOLFSSL_DTLS13 */
14758
0
            ssl->options.connectState = FINISHED_DONE;
14759
0
            WOLFSSL_MSG("connect state: FINISHED_DONE");
14760
0
            FALL_THROUGH;
14761
14762
0
        case FINISHED_DONE:
14763
0
        #ifndef NO_HANDSHAKE_DONE_CB
14764
0
            if (ssl->hsDoneCb != NULL) {
14765
0
                int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
14766
0
                if (cbret < 0) {
14767
0
                    ssl->error = cbret;
14768
0
                    WOLFSSL_ERROR_VERBOSE(ssl->error);
14769
0
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
14770
0
                    return WOLFSSL_FATAL_ERROR;
14771
0
                }
14772
0
            }
14773
0
        #endif /* NO_HANDSHAKE_DONE_CB */
14774
14775
        #if defined(HAVE_ECH)
14776
            /* RFC 9849 s6.1.6: if we offered ECH but the server rejected it,
14777
             * send ech_required alert and abort before returning to the app */
14778
            if (ssl->echConfigs != NULL && !ssl->options.disableECH &&
14779
                    !ssl->options.echAccepted) {
14780
                if (ssl->echRetryConfigs != NULL) {
14781
                    ssl->options.echRetryConfigsAccepted = 1;
14782
                }
14783
                SendAlert(ssl, alert_fatal, ech_required);
14784
                ssl->error = ECH_REQUIRED_E;
14785
                WOLFSSL_ERROR_VERBOSE(ECH_REQUIRED_E);
14786
                return WOLFSSL_FATAL_ERROR;
14787
            }
14788
        #endif /* HAVE_ECH */
14789
14790
0
            if (!ssl->options.keepResources) {
14791
0
                FreeHandshakeResources(ssl);
14792
0
            }
14793
0
        #if defined(WOLFSSL_ASYNC_IO) && !defined(WOLFSSL_ASYNC_CRYPT)
14794
            /* Free the remaining async context if not using it for crypto */
14795
0
            FreeAsyncCtx(ssl, 1);
14796
0
        #endif
14797
14798
0
            ssl->error = 0; /* clear the error */
14799
14800
0
            WOLFSSL_LEAVE("wolfSSL_connect_TLSv13", WOLFSSL_SUCCESS);
14801
0
            return WOLFSSL_SUCCESS;
14802
14803
0
        default:
14804
0
            WOLFSSL_MSG("Unknown connect state ERROR");
14805
0
            return WOLFSSL_FATAL_ERROR; /* unknown connect state */
14806
0
    }
14807
0
}
14808
#endif
14809
14810
#if defined(WOLFSSL_SEND_HRR_COOKIE)
14811
/* Send a cookie with the HelloRetryRequest to avoid storing state.
14812
 *
14813
 * ssl       SSL/TLS object.
14814
 * secret    Secret to use when generating integrity check for cookie.
14815
 *           A value of NULL indicates to generate a new random secret.
14816
 * secretSz  Size of secret data in bytes.
14817
 *           Use a value of 0 to indicate use of default size.
14818
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
14819
 * called on a client; WOLFSSL_SUCCESS on success and otherwise failure.
14820
 */
14821
int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret,
14822
                            unsigned int secretSz)
14823
{
14824
    int ret;
14825
14826
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
14827
        return BAD_FUNC_ARG;
14828
 #ifndef NO_WOLFSSL_SERVER
14829
    if (ssl->options.side == WOLFSSL_CLIENT_END)
14830
        return SIDE_ERROR;
14831
14832
    if (secretSz == 0) {
14833
    #ifndef NO_SHA256
14834
        secretSz = WC_SHA256_DIGEST_SIZE;
14835
    #elif defined(WOLFSSL_SHA384)
14836
        secretSz = WC_SHA384_DIGEST_SIZE;
14837
    #elif defined(WOLFSSL_TLS13_SHA512)
14838
        secretSz = WC_SHA512_DIGEST_SIZE;
14839
    #elif defined(WOLFSSL_SM3)
14840
        secretSz = WC_SM3_DIGEST_SIZE;
14841
    #else
14842
        #error "No digest to available to use with HMAC for cookies."
14843
    #endif /* NO_SHA */
14844
    }
14845
14846
    if (secretSz != ssl->buffers.tls13CookieSecret.length) {
14847
        byte* newSecret;
14848
14849
        if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
14850
            ForceZero(ssl->buffers.tls13CookieSecret.buffer,
14851
                      ssl->buffers.tls13CookieSecret.length);
14852
            XFREE(ssl->buffers.tls13CookieSecret.buffer,
14853
                  ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);
14854
        }
14855
14856
        newSecret = (byte*)XMALLOC(secretSz, ssl->heap,
14857
                                   DYNAMIC_TYPE_COOKIE_PWD);
14858
        if (newSecret == NULL) {
14859
            ssl->buffers.tls13CookieSecret.buffer = NULL;
14860
            ssl->buffers.tls13CookieSecret.length = 0;
14861
            WOLFSSL_MSG("couldn't allocate new cookie secret");
14862
            return MEMORY_ERROR;
14863
        }
14864
        ssl->buffers.tls13CookieSecret.buffer = newSecret;
14865
        ssl->buffers.tls13CookieSecret.length = secretSz;
14866
    #ifdef WOLFSSL_CHECK_MEM_ZERO
14867
        wc_MemZero_Add("wolfSSL_send_hrr_cookie secret",
14868
            ssl->buffers.tls13CookieSecret.buffer,
14869
            ssl->buffers.tls13CookieSecret.length);
14870
    #endif
14871
    }
14872
14873
    /* If the supplied secret is NULL, randomly generate a new secret. */
14874
    if (secret == NULL) {
14875
        ret = wc_RNG_GenerateBlock(ssl->rng,
14876
                               ssl->buffers.tls13CookieSecret.buffer, secretSz);
14877
        if (ret < 0)
14878
            return ret;
14879
    }
14880
    else
14881
        XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz);
14882
14883
    ssl->options.sendCookie = 1;
14884
14885
    ret = WOLFSSL_SUCCESS;
14886
#else
14887
    (void)secret;
14888
    (void)secretSz;
14889
14890
    ret = SIDE_ERROR;
14891
#endif
14892
14893
    return ret;
14894
}
14895
14896
int wolfSSL_disable_hrr_cookie(WOLFSSL* ssl)
14897
{
14898
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
14899
        return BAD_FUNC_ARG;
14900
14901
#ifdef NO_WOLFSSL_SERVER
14902
    return SIDE_ERROR;
14903
#else
14904
    if (ssl->options.side == WOLFSSL_CLIENT_END)
14905
        return SIDE_ERROR;
14906
14907
    if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
14908
        ForceZero(ssl->buffers.tls13CookieSecret.buffer,
14909
            ssl->buffers.tls13CookieSecret.length);
14910
        XFREE(ssl->buffers.tls13CookieSecret.buffer, ssl->heap,
14911
            DYNAMIC_TYPE_COOKIE_PWD);
14912
        ssl->buffers.tls13CookieSecret.buffer = NULL;
14913
        ssl->buffers.tls13CookieSecret.length = 0;
14914
    }
14915
14916
    ssl->options.sendCookie = 0;
14917
    return WOLFSSL_SUCCESS;
14918
#endif /* NO_WOLFSSL_SERVER */
14919
}
14920
14921
#endif /* defined(WOLFSSL_SEND_HRR_COOKIE) */
14922
14923
#ifdef HAVE_SUPPORTED_CURVES
14924
/* Create a key share entry from group.
14925
 * Generates a key pair.
14926
 *
14927
 * ssl    The SSL/TLS object.
14928
 * group  The named group.
14929
 * returns 0 on success, otherwise failure.
14930
 *   for async can return WC_PENDING_E and should be called again
14931
 */
14932
int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
14933
0
{
14934
0
    int ret;
14935
14936
0
    if (ssl == NULL)
14937
0
        return BAD_FUNC_ARG;
14938
14939
#ifdef WOLFSSL_ASYNC_CRYPT
14940
    ret = wolfSSL_AsyncPop(ssl, NULL);
14941
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) {
14942
        /* Check for error */
14943
        if (ret < 0)
14944
            return ret;
14945
    }
14946
#endif
14947
14948
0
#if defined(WOLFSSL_HAVE_MLKEM)
14949
0
    if (WOLFSSL_NAMED_GROUP_IS_PQC(group) ||
14950
0
        WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)) {
14951
14952
0
        if (!IsAtLeastTLSv1_3(ssl->version)) {
14953
0
            return BAD_FUNC_ARG;
14954
0
        }
14955
14956
0
        if (ssl->options.side == WOLFSSL_SERVER_END) {
14957
            /* If I am the server of a KEM connection, do not do keygen because
14958
             * I'm going to encapsulate with the client's public key. Note that
14959
             * I might be the client and ssl->option.side has not been properly
14960
             * set yet. In that case the KeyGen operation will be deferred to
14961
             * connection time. */
14962
0
            return WOLFSSL_SUCCESS;
14963
0
        }
14964
0
    }
14965
0
#endif
14966
#if defined(NO_TLS)
14967
    (void)ret;
14968
    (void)group;
14969
#else
14970
    /* Check if the group is supported. */
14971
0
    if (!TLSX_IsGroupSupported(group, ssl->options.side)) {
14972
0
        WOLFSSL_MSG("Group not supported.");
14973
0
        return BAD_FUNC_ARG;
14974
0
    }
14975
14976
0
    ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL, &ssl->extensions);
14977
0
    if (ret != 0)
14978
0
        return ret;
14979
0
#endif /* NO_TLS */
14980
0
    return WOLFSSL_SUCCESS;
14981
0
}
14982
14983
/* Send no key share entries - use HelloRetryRequest to negotiate shared group.
14984
 *
14985
 * ssl    The SSL/TLS object.
14986
 * returns 0 on success, otherwise failure.
14987
 */
14988
int wolfSSL_NoKeyShares(WOLFSSL* ssl)
14989
0
{
14990
0
    int ret;
14991
14992
0
    if (ssl == NULL)
14993
0
        return BAD_FUNC_ARG;
14994
0
    if (ssl->options.side == WOLFSSL_SERVER_END)
14995
0
        return SIDE_ERROR;
14996
#if defined(NO_TLS)
14997
    (void)ret;
14998
#else
14999
0
    ret = TLSX_KeyShare_Empty(ssl);
15000
0
    if (ret != 0)
15001
0
        return ret;
15002
0
#endif /* NO_TLS */
15003
0
    return WOLFSSL_SUCCESS;
15004
0
}
15005
#endif
15006
15007
#ifdef WOLFSSL_DUAL_ALG_CERTS
15008
int wolfSSL_UseCKS(WOLFSSL* ssl, byte *sigSpec, word16 sigSpecSz)
15009
{
15010
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->ctx->method->version) ||
15011
        sigSpec == NULL || sigSpecSz == 0)
15012
        return BAD_FUNC_ARG;
15013
15014
    ssl->sigSpec = sigSpec;
15015
    ssl->sigSpecSz = sigSpecSz;
15016
    return WOLFSSL_SUCCESS;
15017
}
15018
15019
int wolfSSL_CTX_UseCKS(WOLFSSL_CTX* ctx, byte *sigSpec, word16 sigSpecSz)
15020
{
15021
    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version) ||
15022
        sigSpec == NULL || sigSpecSz == 0)
15023
        return BAD_FUNC_ARG;
15024
15025
    ctx->sigSpec = sigSpec;
15026
    ctx->sigSpecSz = sigSpecSz;
15027
    return WOLFSSL_SUCCESS;
15028
}
15029
#endif /* WOLFSSL_DUAL_ALG_CERTS */
15030
15031
/* Do not send a ticket after TLS v1.3 handshake for resumption.
15032
 *
15033
 * ctx  The SSL/TLS CTX object.
15034
 * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
15035
 */
15036
int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx)
15037
0
{
15038
0
    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
15039
0
        return BAD_FUNC_ARG;
15040
0
    if (ctx->method->side == WOLFSSL_CLIENT_END)
15041
0
        return SIDE_ERROR;
15042
15043
#ifdef HAVE_SESSION_TICKET
15044
    ctx->noTicketTls13 = 1;
15045
#endif
15046
15047
0
    return 0;
15048
0
}
15049
15050
/* Do not send a ticket after TLS v1.3 handshake for resumption.
15051
 *
15052
 * ssl  The SSL/TLS object.
15053
 * returns BAD_FUNC_ARG when ssl is NULL, not using TLS v1.3, or called on
15054
 * a client and 0 on success.
15055
 */
15056
int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl)
15057
0
{
15058
0
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
15059
0
        return BAD_FUNC_ARG;
15060
0
    if (ssl->options.side == WOLFSSL_CLIENT_END)
15061
0
        return SIDE_ERROR;
15062
15063
#ifdef HAVE_SESSION_TICKET
15064
    ssl->options.noTicketTls13 = 1;
15065
#endif
15066
15067
0
    return 0;
15068
0
}
15069
15070
/* Disallow (EC)DHE key exchange when using pre-shared keys.
15071
 *
15072
 * ctx  The SSL/TLS CTX object.
15073
 * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
15074
 */
15075
int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx)
15076
0
{
15077
0
    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
15078
0
        return BAD_FUNC_ARG;
15079
15080
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15081
    ctx->noPskDheKe = 1;
15082
#endif
15083
15084
0
    return 0;
15085
0
}
15086
15087
/* Disallow (EC)DHE key exchange when using pre-shared keys.
15088
 *
15089
 * ssl  The SSL/TLS object.
15090
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on
15091
 * success.
15092
 */
15093
int wolfSSL_no_dhe_psk(WOLFSSL* ssl)
15094
0
{
15095
0
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
15096
0
        return BAD_FUNC_ARG;
15097
15098
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15099
    ssl->options.noPskDheKe = 1;
15100
#endif
15101
15102
0
    return 0;
15103
0
}
15104
15105
#ifdef HAVE_SUPPORTED_CURVES
15106
/* Only allow (EC)DHE key exchange when using pre-shared keys.
15107
 *
15108
 * ctx  The SSL/TLS CTX object.
15109
 * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
15110
 */
15111
int wolfSSL_CTX_only_dhe_psk(WOLFSSL_CTX* ctx)
15112
0
{
15113
0
    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
15114
0
        return BAD_FUNC_ARG;
15115
15116
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15117
    ctx->onlyPskDheKe = 1;
15118
#endif
15119
15120
0
    return 0;
15121
0
}
15122
15123
/* Only allow (EC)DHE key exchange when using pre-shared keys.
15124
 *
15125
 * ssl  The SSL/TLS object.
15126
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on
15127
 * success.
15128
 */
15129
int wolfSSL_only_dhe_psk(WOLFSSL* ssl)
15130
0
{
15131
0
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
15132
0
        return BAD_FUNC_ARG;
15133
15134
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15135
    ssl->options.onlyPskDheKe = 1;
15136
#endif
15137
15138
0
    return 0;
15139
0
}
15140
#endif /* HAVE_SUPPORTED_CURVES */
15141
15142
/* Require that an external Pre-Shared Key is negotiated for the handshake to
15143
 * succeed. TLS 1.3 / DTLS 1.3 only - in (D)TLS 1.2 the use of a PSK is
15144
 * determined by the negotiated cipher suite, so a mandatory PSK is configured
15145
 * there by restricting the cipher suite list to PSK suites.
15146
 *
15147
 * ctx  The SSL/TLS CTX object.
15148
 * returns BAD_FUNC_ARG when ctx is NULL or not at least TLS v1.3, 0 on success.
15149
 */
15150
int wolfSSL_CTX_require_psk(WOLFSSL_CTX* ctx)
15151
0
{
15152
0
    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
15153
0
        return BAD_FUNC_ARG;
15154
15155
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15156
    ctx->failNoPSK = 1;
15157
    /* The requirement can only be enforced for (D)TLS 1.3, so keep it
15158
     * fail-closed by disabling a version downgrade. Otherwise a
15159
     * downgrade-capable context (e.g. from a v23 method) could silently fall
15160
     * back to (D)TLS 1.2 and complete without any PSK. */
15161
    ctx->method->downgrade = 0;
15162
#endif
15163
15164
0
    return 0;
15165
0
}
15166
15167
/* Require that an external Pre-Shared Key is negotiated for the handshake to
15168
 * succeed. See wolfSSL_CTX_require_psk().
15169
 *
15170
 * ssl  The SSL/TLS object.
15171
 * returns BAD_FUNC_ARG when ssl is NULL or not at least TLS v1.3, 0 on success.
15172
 */
15173
int wolfSSL_require_psk(WOLFSSL* ssl)
15174
0
{
15175
0
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
15176
0
        return BAD_FUNC_ARG;
15177
15178
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15179
    ssl->options.failNoPSK = 1;
15180
    /* See wolfSSL_CTX_require_psk() - keep the requirement fail-closed by
15181
     * disabling a version downgrade to (D)TLS 1.2. */
15182
    ssl->options.downgrade = 0;
15183
#endif
15184
15185
0
    return 0;
15186
0
}
15187
15188
int Tls13UpdateKeys(WOLFSSL* ssl)
15189
0
{
15190
0
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
15191
0
        return BAD_FUNC_ARG;
15192
15193
#ifdef WOLFSSL_QUIC
15194
    /* RFC 9001 Section 6: a QUIC connection must not send a TLS KeyUpdate;
15195
     * key updates are handled at the QUIC packet-protection layer. */
15196
    if (WOLFSSL_IS_QUIC(ssl))
15197
        return BAD_FUNC_ARG;
15198
#endif
15199
15200
#ifdef WOLFSSL_DTLS13
15201
    /* we are already waiting for the ack of a sent key update message. We can't
15202
       send another one before receiving its ack. Either wolfSSL_update_keys()
15203
       was invoked multiple times over a short period of time or we replied to a
15204
       KeyUpdate with update request. We'll just ignore sending this
15205
       KeyUpdate. */
15206
    /* TODO: add WOLFSSL_ERROR_ALREADY_IN_PROGRESS type of error here */
15207
    if (ssl->options.dtls && ssl->dtls13WaitKeyUpdateAck)
15208
        return 0;
15209
#endif /* WOLFSSL_DTLS13 */
15210
15211
0
    return SendTls13KeyUpdate(ssl);
15212
0
}
15213
15214
/* Update the keys for encryption and decryption.
15215
 * If using non-blocking I/O and WOLFSSL_ERROR_WANT_WRITE is returned then
15216
 * calling wolfSSL_write() will have the message sent when ready.
15217
 *
15218
 * ssl  The SSL/TLS object.
15219
 * returns BAD_FUNC_ARG when ssl is NULL, not using TLS v1.3, or running over
15220
 * QUIC (RFC 9001 handles key updates at the QUIC packet-protection layer),
15221
 * WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write,
15222
 * WOLFSSL_SUCCESS on success and otherwise failure.
15223
 */
15224
int wolfSSL_update_keys(WOLFSSL* ssl)
15225
0
{
15226
0
    int ret;
15227
0
    ret = Tls13UpdateKeys(ssl);
15228
0
    if (ret == WC_NO_ERR_TRACE(WANT_WRITE))
15229
0
        ret = WOLFSSL_ERROR_WANT_WRITE;
15230
0
    else if (ret == 0)
15231
0
        ret = WOLFSSL_SUCCESS;
15232
0
    return ret;
15233
0
}
15234
15235
/* Whether a response is waiting for key update request.
15236
 *
15237
 * ssl        The SSL/TLS object.
15238
 * required   0 when no key update response required.
15239
 *            1 when no key update response required.
15240
 * return  0 on success.
15241
 * return  BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3
15242
 */
15243
int wolfSSL_key_update_response(WOLFSSL* ssl, int* required)
15244
0
{
15245
0
    if (required == NULL || ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
15246
0
        return BAD_FUNC_ARG;
15247
15248
0
    *required = ssl->keys.updateResponseReq;
15249
15250
0
    return 0;
15251
0
}
15252
15253
#if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
15254
/* Allow post-handshake authentication in TLS v1.3 connections.
15255
 *
15256
 * ctx  The SSL/TLS CTX object.
15257
 * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a client and
15258
 * 0 on success.
15259
 */
15260
int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx)
15261
{
15262
    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
15263
        return BAD_FUNC_ARG;
15264
    if (ctx->method->side == WOLFSSL_SERVER_END)
15265
        return SIDE_ERROR;
15266
15267
    ctx->postHandshakeAuth = 1;
15268
15269
    return 0;
15270
}
15271
15272
/* Allow post-handshake authentication in TLS v1.3 connection.
15273
 *
15274
 * ssl  The SSL/TLS object.
15275
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
15276
 * SIDE_ERROR when not a client, BAD_STATE_E when called after the handshake
15277
 * has started, and 0 on success.
15278
 *
15279
 * Must be called before wolfSSL_connect() so the post_handshake_auth
15280
 * extension can be included in the ClientHello.
15281
 */
15282
int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl)
15283
{
15284
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
15285
        return BAD_FUNC_ARG;
15286
    if (ssl->options.side == WOLFSSL_SERVER_END)
15287
        return SIDE_ERROR;
15288
    if (ssl->options.handShakeState != NULL_STATE)
15289
        return BAD_STATE_E;
15290
15291
    ssl->options.postHandshakeAuth = 1;
15292
15293
    return 0;
15294
}
15295
15296
/* Request a certificate of the client.
15297
 * Can be called any time after handshake completion.
15298
 * A maximum of 256 requests can be sent on a connection.
15299
 *
15300
 * ssl  SSL/TLS object.
15301
 */
15302
int wolfSSL_request_certificate(WOLFSSL* ssl)
15303
{
15304
    int         ret;
15305
#ifndef NO_WOLFSSL_SERVER
15306
    CertReqCtx* certReqCtx;
15307
#endif
15308
15309
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
15310
        return BAD_FUNC_ARG;
15311
#ifndef NO_WOLFSSL_SERVER
15312
    if (ssl->options.side == WOLFSSL_CLIENT_END)
15313
        return SIDE_ERROR;
15314
    if (ssl->options.handShakeState != HANDSHAKE_DONE)
15315
        return NOT_READY_ERROR;
15316
    if (!ssl->options.postHandshakeAuth)
15317
        return POST_HAND_AUTH_ERROR;
15318
    if (ssl->certReqCtx != NULL) {
15319
        if (ssl->certReqCtx->len != 1)
15320
            return BAD_STATE_E;
15321
        /* We support sending up to 255 certificate requests */
15322
        if (ssl->certReqCtx->ctx == 255)
15323
            return BAD_STATE_E;
15324
    }
15325
15326
    certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap,
15327
                                                       DYNAMIC_TYPE_TMP_BUFFER);
15328
    if (certReqCtx == NULL)
15329
        return MEMORY_E;
15330
    XMEMSET(certReqCtx, 0, sizeof(CertReqCtx));
15331
    certReqCtx->next = ssl->certReqCtx;
15332
    certReqCtx->len = 1;
15333
    if (certReqCtx->next != NULL)
15334
        certReqCtx->ctx = certReqCtx->next->ctx + 1;
15335
    ssl->certReqCtx = certReqCtx;
15336
15337
    ssl->msgsReceived.got_certificate = 0;
15338
    ssl->msgsReceived.got_certificate_verify = 0;
15339
    ssl->msgsReceived.got_finished = 0;
15340
15341
    ret = SendTls13CertificateRequest(ssl, &certReqCtx->ctx, certReqCtx->len);
15342
    if (ret == WC_NO_ERR_TRACE(WANT_WRITE))
15343
        ret = WOLFSSL_ERROR_WANT_WRITE;
15344
    else if (ret == 0)
15345
        ret = WOLFSSL_SUCCESS;
15346
#else
15347
    ret = SIDE_ERROR;
15348
#endif
15349
15350
    return ret;
15351
}
15352
#endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */
15353
15354
#if !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
15355
/* Get the preferred key exchange group.
15356
 *
15357
 * ssl  The SSL/TLS object.
15358
 * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3,
15359
 * SIDE_ERROR when not a client, NOT_READY_ERROR when handshake not complete
15360
 * and group number on success.
15361
 */
15362
int wolfSSL_preferred_group(WOLFSSL* ssl)
15363
0
{
15364
0
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
15365
0
        return BAD_FUNC_ARG;
15366
0
#ifndef NO_WOLFSSL_CLIENT
15367
0
    if (ssl->options.side == WOLFSSL_SERVER_END)
15368
0
        return SIDE_ERROR;
15369
0
    if (ssl->options.handShakeState != HANDSHAKE_DONE)
15370
0
        return NOT_READY_ERROR;
15371
15372
0
#ifdef HAVE_SUPPORTED_CURVES
15373
    /* Return supported groups only. */
15374
0
    return TLSX_SupportedCurve_Preferred(ssl, 1);
15375
#else
15376
    return 0;
15377
#endif
15378
#else
15379
    return SIDE_ERROR;
15380
#endif
15381
0
}
15382
#endif
15383
15384
#ifndef NO_PSK
15385
/* Set the PSK callback, that is passed the cipher suite, for a client to use
15386
 * against context object.
15387
 *
15388
 * @param [in, out] ctx  SSL/TLS context object.
15389
 * @param [in]      cb   Client PSK callback passed a cipher suite.
15390
 */
15391
void wolfSSL_CTX_set_psk_client_cs_callback(WOLFSSL_CTX* ctx,
15392
                                            wc_psk_client_cs_callback cb)
15393
{
15394
    WOLFSSL_ENTER("wolfSSL_CTX_set_psk_client_cs_callback");
15395
15396
    if (ctx == NULL)
15397
        return;
15398
15399
    ctx->havePSK = 1;
15400
    ctx->client_psk_cs_cb = cb;
15401
}
15402
15403
/* Set the PSK callback, that is passed the cipher suite, for a client to use
15404
 * against SSL object.
15405
 *
15406
 * @param [in, out] ssl  SSL/TLS object.
15407
 * @param [in]      cb   Client PSK callback passed a cipher suite.
15408
 */
15409
void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl,
15410
                                        wc_psk_client_cs_callback cb)
15411
{
15412
    byte haveRSA = 1;
15413
    int  keySz   = 0;
15414
15415
    WOLFSSL_ENTER("wolfSSL_set_psk_client_cs_callback");
15416
15417
    if (ssl == NULL)
15418
        return;
15419
15420
    ssl->options.havePSK = 1;
15421
    ssl->options.client_psk_cs_cb = cb;
15422
15423
    #ifdef NO_RSA
15424
        haveRSA = 0;
15425
    #endif
15426
    #ifndef NO_CERTS
15427
        keySz = ssl->buffers.keySz;
15428
    #endif
15429
    if (AllocateSuites(ssl) != 0)
15430
        return;
15431
    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
15432
               ssl->options.haveDH, ssl->options.haveECDSAsig,
15433
               ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
15434
               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
15435
}
15436
15437
/* Set the PSK callback that returns the cipher suite for a client to use
15438
 * against context object.
15439
 *
15440
 * @param [in, out] ctx  SSL/TLS context object.
15441
 * @param [in]      cb   Client PSK callback returning cipher suite.
15442
 */
15443
void wolfSSL_CTX_set_psk_client_tls13_callback(WOLFSSL_CTX* ctx,
15444
                                               wc_psk_client_tls13_callback cb)
15445
{
15446
    WOLFSSL_ENTER("wolfSSL_CTX_set_psk_client_tls13_callback");
15447
15448
    if (ctx == NULL)
15449
        return;
15450
15451
    ctx->havePSK = 1;
15452
    ctx->client_psk_tls13_cb = cb;
15453
}
15454
15455
/* Set the PSK callback that returns the cipher suite for a client to use
15456
 * against SSL object.
15457
 *
15458
 * @param [in, out] ssl  SSL/TLS object.
15459
 * @param [in]      cb   Client PSK callback returning cipher suite.
15460
 */
15461
void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl,
15462
                                           wc_psk_client_tls13_callback cb)
15463
{
15464
    byte haveRSA = 1;
15465
    int  keySz   = 0;
15466
15467
    WOLFSSL_ENTER("wolfSSL_set_psk_client_tls13_callback");
15468
15469
    if (ssl == NULL)
15470
        return;
15471
15472
    ssl->options.havePSK = 1;
15473
    ssl->options.client_psk_tls13_cb = cb;
15474
15475
    #ifdef NO_RSA
15476
        haveRSA = 0;
15477
    #endif
15478
    #ifndef NO_CERTS
15479
        keySz = ssl->buffers.keySz;
15480
    #endif
15481
    if (AllocateSuites(ssl) != 0)
15482
        return;
15483
    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
15484
               ssl->options.haveDH, ssl->options.haveECDSAsig,
15485
               ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
15486
               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
15487
}
15488
15489
/* Set the PSK callback that returns the cipher suite for a server to use
15490
 * against context object.
15491
 *
15492
 * @param [in, out] ctx  SSL/TLS context object.
15493
 * @param [in]      cb   Server PSK callback returning cipher suite.
15494
 */
15495
void wolfSSL_CTX_set_psk_server_tls13_callback(WOLFSSL_CTX* ctx,
15496
                                               wc_psk_server_tls13_callback cb)
15497
{
15498
    WOLFSSL_ENTER("wolfSSL_CTX_set_psk_server_tls13_callback");
15499
    if (ctx == NULL)
15500
        return;
15501
    ctx->havePSK = 1;
15502
    ctx->server_psk_tls13_cb = cb;
15503
}
15504
15505
/* Set the PSK callback that returns the cipher suite for a server to use
15506
 * against SSL object.
15507
 *
15508
 * @param [in, out] ssl  SSL/TLS object.
15509
 * @param [in]      cb   Server PSK callback returning cipher suite.
15510
 */
15511
void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl,
15512
                                           wc_psk_server_tls13_callback cb)
15513
{
15514
    byte haveRSA = 1;
15515
    int  keySz   = 0;
15516
15517
    WOLFSSL_ENTER("wolfSSL_set_psk_server_tls13_callback");
15518
    if (ssl == NULL)
15519
        return;
15520
15521
    ssl->options.havePSK = 1;
15522
    ssl->options.server_psk_tls13_cb = cb;
15523
15524
    #ifdef NO_RSA
15525
        haveRSA = 0;
15526
    #endif
15527
    #ifndef NO_CERTS
15528
        keySz = ssl->buffers.keySz;
15529
    #endif
15530
    if (AllocateSuites(ssl) != 0)
15531
        return;
15532
    InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE,
15533
               ssl->options.haveDH, ssl->options.haveECDSAsig,
15534
               ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
15535
               ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side);
15536
}
15537
15538
/* Get name of first supported cipher suite that uses the hash indicated.
15539
 *
15540
 * @param [in] ssl   SSL/TLS object.
15541
 * @param [in] hash  Name of hash algorithm. e.g. "SHA256", "SHA384"
15542
 * @return  Name of cipher suite.
15543
 * @return  NULL on failure.
15544
 */
15545
const char* wolfSSL_get_cipher_name_by_hash(WOLFSSL* ssl, const char* hash)
15546
{
15547
    const char* name = NULL;
15548
    byte mac = no_mac;
15549
    int i;
15550
    const Suites* suites;
15551
15552
    if (hash == NULL || ssl == NULL ||
15553
        (ssl->suites == NULL && ssl->ctx == NULL))
15554
        return NULL;
15555
15556
    suites = WOLFSSL_SUITES(ssl);
15557
    if (suites == NULL)
15558
        return NULL;
15559
15560
    if (XSTRCMP(hash, "SHA256") == 0) {
15561
        mac = sha256_mac;
15562
    }
15563
    else if (XSTRCMP(hash, "SHA384") == 0) {
15564
        mac = sha384_mac;
15565
    }
15566
    if (mac != no_mac) {
15567
        for (i = 0; i < suites->suiteSz; i += 2) {
15568
            if (SuiteMac(suites->suites + i) == mac) {
15569
                name = GetCipherNameInternal(suites->suites[i + 0],
15570
                                             suites->suites[i + 1]);
15571
                break;
15572
            }
15573
        }
15574
    }
15575
    return name;
15576
}
15577
#endif /* !NO_PSK */
15578
15579
15580
#ifndef NO_WOLFSSL_SERVER
15581
15582
/* The server accepting a connection from a client.
15583
 * The protocol version is expecting to be TLS v1.3.
15584
 * If the client downgrades, and older versions of the protocol are compiled
15585
 * in, the server will fallback to wolfSSL_accept().
15586
 * Please see note at top of README if you get an error from accept.
15587
 *
15588
 * ssl  The SSL/TLS object.
15589
 * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
15590
 * unrecoverable error occurs and 0 otherwise.
15591
 * For more error information use wolfSSL_get_error().
15592
 */
15593
int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
15594
0
{
15595
#if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
15596
    word16 havePSK = 0;
15597
#endif
15598
0
    int ret = 0;
15599
15600
0
    WOLFSSL_ENTER("wolfSSL_accept_TLSv13");
15601
15602
0
#ifdef HAVE_ERRNO_H
15603
0
    errno = 0;
15604
0
#endif
15605
15606
0
    if (ssl == NULL)
15607
0
        return WOLFSSL_FATAL_ERROR;
15608
15609
#if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
15610
    havePSK = ssl->options.havePSK;
15611
#endif
15612
15613
0
    if (ssl->options.side != WOLFSSL_SERVER_END) {
15614
0
        ssl->error = SIDE_ERROR;
15615
0
        WOLFSSL_ERROR(ssl->error);
15616
0
        return WOLFSSL_FATAL_ERROR;
15617
0
    }
15618
15619
    /* make sure this wolfSSL object has arrays and rng setup. Protects
15620
     * case where the WOLFSSL object is reused via wolfSSL_clear() */
15621
0
    if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) {
15622
0
        return ret;
15623
0
    }
15624
15625
#ifdef WOLFSSL_DTLS
15626
    if (ssl->version.major == DTLS_MAJOR) {
15627
        ssl->options.dtls   = 1;
15628
        if (!IsDtlsNotSctpMode(ssl) || !ssl->options.sendCookie)
15629
            ssl->options.dtlsStateful = 1;
15630
    }
15631
#endif
15632
15633
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
15634
    if ((ssl->AcceptFilter != NULL) &&
15635
            ((ssl->options.acceptState == TLS13_ACCEPT_BEGIN)
15636
#ifdef HAVE_SECURE_RENEGOTIATION
15637
             || (ssl->options.acceptState == TLS13_ACCEPT_BEGIN_RENEG)
15638
#endif
15639
                ))
15640
    {
15641
        wolfSSL_netfilter_decision_t res;
15642
        if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) ==
15643
             WOLFSSL_SUCCESS) &&
15644
            (res == WOLFSSL_NETFILTER_REJECT)) {
15645
            ssl->error = SOCKET_FILTERED_E;
15646
            WOLFSSL_ERROR(ssl->error);
15647
            return WOLFSSL_FATAL_ERROR;
15648
        }
15649
    }
15650
#endif /* WOLFSSL_WOLFSENTRY_HOOKS */
15651
15652
0
#ifndef NO_CERTS
15653
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15654
    if (!havePSK)
15655
#endif
15656
0
    {
15657
    #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
15658
        defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY)
15659
        if (ssl->ctx->certSetupCb != NULL) {
15660
            WOLFSSL_MSG("CertSetupCb set. server cert and "
15661
                        "key not checked");
15662
        }
15663
        else
15664
    #endif
15665
0
        {
15666
0
            if (!ssl->buffers.certificate ||
15667
0
                !ssl->buffers.certificate->buffer) {
15668
15669
0
                WOLFSSL_MSG("accept error: server cert required");
15670
0
                ssl->error = NO_PRIVATE_KEY;
15671
0
                WOLFSSL_ERROR(ssl->error);
15672
0
                return WOLFSSL_FATAL_ERROR;
15673
0
            }
15674
15675
0
            if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
15676
                /* allow no private key if using existing key */
15677
            #ifdef WOLF_PRIVATE_KEY_ID
15678
                if (ssl->devId != INVALID_DEVID
15679
                #ifdef HAVE_PK_CALLBACKS
15680
                    || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
15681
                #endif
15682
                ) {
15683
                    WOLFSSL_MSG("Allowing no server private key (external)");
15684
                }
15685
                else
15686
            #endif
15687
0
                {
15688
0
                    WOLFSSL_MSG("accept error: server key required");
15689
0
                    ssl->error = NO_PRIVATE_KEY;
15690
0
                    WOLFSSL_ERROR(ssl->error);
15691
0
                    return WOLFSSL_FATAL_ERROR;
15692
0
                }
15693
0
            }
15694
0
        }
15695
0
    }
15696
0
#endif /* NO_CERTS */
15697
15698
0
    if (ssl->buffers.outputBuffer.length > 0
15699
    #ifdef WOLFSSL_ASYNC_CRYPT
15700
        /* do not send buffered or advance state if last error was an
15701
            async pending operation */
15702
        && ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E)
15703
    #endif
15704
0
    ) {
15705
15706
        /* fragOffset is non-zero when sending fragments. On the last
15707
         * fragment, fragOffset is zero again, and the state can be
15708
         * advanced. */
15709
0
        int advanceState =
15710
0
            (ssl->options.acceptState == TLS13_ACCEPT_CLIENT_HELLO_DONE ||
15711
0
                ssl->options.acceptState ==
15712
0
                    TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE ||
15713
0
                ssl->options.acceptState == TLS13_ACCEPT_SECOND_REPLY_DONE ||
15714
0
                ssl->options.acceptState == TLS13_SERVER_HELLO_SENT ||
15715
0
                ssl->options.acceptState == TLS13_ACCEPT_THIRD_REPLY_DONE ||
15716
0
                ssl->options.acceptState == TLS13_SERVER_EXTENSIONS_SENT ||
15717
0
                ssl->options.acceptState == TLS13_CERT_REQ_SENT ||
15718
0
                ssl->options.acceptState == TLS13_CERT_SENT ||
15719
0
                ssl->options.acceptState == TLS13_CERT_VERIFY_SENT ||
15720
0
                ssl->options.acceptState == TLS13_ACCEPT_FINISHED_SENT ||
15721
0
                ssl->options.acceptState == TLS13_ACCEPT_FINISHED_DONE);
15722
15723
#ifdef WOLFSSL_DTLS13
15724
        if (ssl->options.dtls)
15725
            advanceState = advanceState && !ssl->dtls13SendingFragments
15726
                && !ssl->dtls13SendingAckOrRtx;
15727
#endif /* WOLFSSL_DTLS13 */
15728
15729
0
        ret = SendBuffered(ssl);
15730
0
        if (ret == 0) {
15731
0
            if (ssl->fragOffset == 0 && !ssl->options.buildingMsg) {
15732
0
                if (advanceState) {
15733
0
                    ssl->options.acceptState++;
15734
0
                    WOLFSSL_MSG("accept state: "
15735
0
                                "Advanced from last buffered fragment send");
15736
0
#ifdef WOLFSSL_ASYNC_IO
15737
0
                    FreeAsyncCtx(ssl, 0);
15738
0
#endif
15739
0
                }
15740
0
            }
15741
0
            else {
15742
0
                WOLFSSL_MSG("accept state: "
15743
0
                            "Not advanced, more fragments to send");
15744
0
            }
15745
15746
#ifdef WOLFSSL_DTLS13
15747
            if (ssl->options.dtls)
15748
                ssl->dtls13SendingAckOrRtx = 0;
15749
#endif /* WOLFSSL_DTLS13 */
15750
15751
0
        }
15752
0
        else {
15753
0
            ssl->error = ret;
15754
0
            WOLFSSL_ERROR(ssl->error);
15755
0
            return WOLFSSL_FATAL_ERROR;
15756
0
        }
15757
0
    }
15758
15759
0
    ret = RetrySendAlert(ssl);
15760
0
    if (ret != 0) {
15761
0
        ssl->error = ret;
15762
0
        WOLFSSL_ERROR(ssl->error);
15763
0
        return WOLFSSL_FATAL_ERROR;
15764
0
    }
15765
#ifdef WOLFSSL_DTLS13
15766
    if (ssl->options.dtls && ssl->dtls13SendingFragments) {
15767
        if ((ssl->error = Dtls13FragmentsContinue(ssl)) != 0) {
15768
                WOLFSSL_ERROR(ssl->error);
15769
                return WOLFSSL_FATAL_ERROR;
15770
        }
15771
15772
        /* we sent all the fragments. Advance state. */
15773
        ssl->options.acceptState++;
15774
    }
15775
#endif /* WOLFSSL_DTLS13 */
15776
15777
0
    switch (ssl->options.acceptState) {
15778
15779
#ifdef HAVE_SECURE_RENEGOTIATION
15780
        case TLS13_ACCEPT_BEGIN_RENEG:
15781
#endif
15782
0
        case TLS13_ACCEPT_BEGIN :
15783
            /* get client_hello */
15784
15785
0
            while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
15786
0
                if ((ssl->error = ProcessReply(ssl)) < 0) {
15787
0
                    WOLFSSL_ERROR(ssl->error);
15788
0
                    return WOLFSSL_FATAL_ERROR;
15789
0
                }
15790
15791
#ifdef WOLFSSL_DTLS13
15792
                if (ssl->options.dtls) {
15793
                    if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
15794
                        WOLFSSL_ERROR(ssl->error);
15795
                        return WOLFSSL_FATAL_ERROR;
15796
                    }
15797
                }
15798
#endif /* WOLFSSL_DTLS13 */
15799
15800
0
            }
15801
15802
0
            ssl->options.acceptState = TLS13_ACCEPT_CLIENT_HELLO_DONE;
15803
0
            WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE");
15804
0
            if (!IsAtLeastTLSv1_3(ssl->version))
15805
0
                return wolfSSL_accept(ssl);
15806
0
            FALL_THROUGH;
15807
15808
0
        case TLS13_ACCEPT_CLIENT_HELLO_DONE :
15809
0
            if (ssl->options.serverState ==
15810
0
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
15811
0
                if ((ssl->error = SendTls13ServerHello(ssl,
15812
0
                                                   hello_retry_request)) != 0) {
15813
0
                    WOLFSSL_ERROR(ssl->error);
15814
0
                    return WOLFSSL_FATAL_ERROR;
15815
0
                }
15816
0
            }
15817
15818
0
            ssl->options.acceptState = TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE;
15819
0
            WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE");
15820
0
            FALL_THROUGH;
15821
15822
0
        case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE :
15823
    #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT
15824
            if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat
15825
                && ssl->options.serverState ==
15826
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
15827
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
15828
                    WOLFSSL_ERROR(ssl->error);
15829
                    return WOLFSSL_FATAL_ERROR;
15830
                }
15831
                ssl->options.sentChangeCipher = 1;
15832
                ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
15833
            }
15834
    #endif
15835
0
            ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE;
15836
0
            WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
15837
0
            FALL_THROUGH;
15838
15839
0
        case TLS13_ACCEPT_FIRST_REPLY_DONE :
15840
0
            if (ssl->options.serverState ==
15841
0
                                          SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
15842
0
                ssl->options.clientState = CLIENT_HELLO_RETRY;
15843
0
                while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
15844
0
                    if ((ssl->error = ProcessReply(ssl)) < 0) {
15845
0
                        WOLFSSL_ERROR(ssl->error);
15846
0
                        return WOLFSSL_FATAL_ERROR;
15847
0
                    }
15848
15849
#ifdef WOLFSSL_DTLS13
15850
                if (ssl->options.dtls) {
15851
                    if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
15852
                        WOLFSSL_ERROR(ssl->error);
15853
                        return WOLFSSL_FATAL_ERROR;
15854
                    }
15855
                }
15856
#endif /* WOLFSSL_DTLS13 */
15857
15858
0
                }
15859
0
            }
15860
15861
0
            ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE;
15862
0
            WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");
15863
0
            FALL_THROUGH;
15864
15865
0
        case TLS13_ACCEPT_SECOND_REPLY_DONE :
15866
0
            if (ssl->options.returnOnGoodCh) {
15867
                /* Higher level in stack wants us to return. Simulate a
15868
                 * WANT_WRITE to accomplish this. */
15869
0
                ssl->error = WANT_WRITE;
15870
0
                return WOLFSSL_FATAL_ERROR;
15871
0
            }
15872
15873
0
            if ((ssl->error = SendTls13ServerHello(ssl, server_hello)) != 0) {
15874
0
                WOLFSSL_ERROR(ssl->error);
15875
0
                return WOLFSSL_FATAL_ERROR;
15876
0
            }
15877
0
            ssl->options.acceptState = TLS13_SERVER_HELLO_SENT;
15878
0
            WOLFSSL_MSG("accept state SERVER_HELLO_SENT");
15879
0
            FALL_THROUGH;
15880
15881
0
        case TLS13_SERVER_HELLO_SENT :
15882
    #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT)
15883
            if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat
15884
                          && !ssl->options.sentChangeCipher && !ssl->options.dtls) {
15885
                if ((ssl->error = SendChangeCipher(ssl)) != 0) {
15886
                    WOLFSSL_ERROR(ssl->error);
15887
                    return WOLFSSL_FATAL_ERROR;
15888
                }
15889
                ssl->options.sentChangeCipher = 1;
15890
            }
15891
    #endif
15892
15893
0
            ssl->options.acceptState = TLS13_ACCEPT_THIRD_REPLY_DONE;
15894
0
            WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE");
15895
0
            FALL_THROUGH;
15896
15897
0
        case TLS13_ACCEPT_THIRD_REPLY_DONE :
15898
0
    #ifdef HAVE_SUPPORTED_CURVES
15899
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15900
            if (!ssl->options.noPskDheKe)
15901
        #endif
15902
0
            {
15903
0
                ssl->error = TLSX_KeyShare_DeriveSecret(ssl);
15904
0
                if (ssl->error != 0)
15905
0
                    return WOLFSSL_FATAL_ERROR;
15906
0
            }
15907
0
    #endif
15908
15909
0
            if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) {
15910
0
                WOLFSSL_ERROR(ssl->error);
15911
0
                return WOLFSSL_FATAL_ERROR;
15912
0
            }
15913
0
            ssl->options.acceptState = TLS13_SERVER_EXTENSIONS_SENT;
15914
0
            WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT");
15915
0
            FALL_THROUGH;
15916
15917
0
        case TLS13_SERVER_EXTENSIONS_SENT :
15918
0
#ifndef NO_CERTS
15919
0
            if (!ssl->options.resuming) {
15920
0
                if (ssl->options.verifyPeer
15921
    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
15922
                    && !ssl->options.verifyPostHandshake
15923
    #endif
15924
0
                   ) {
15925
0
                    ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
15926
0
                    if (ssl->error != 0) {
15927
0
                        WOLFSSL_ERROR(ssl->error);
15928
0
                        return WOLFSSL_FATAL_ERROR;
15929
0
                    }
15930
0
                }
15931
0
                else {
15932
                    /* SERVER: Peer auth good if not verifying client. */
15933
0
                    ssl->options.peerAuthGood = 1;
15934
0
                }
15935
0
            }
15936
0
#endif
15937
0
            ssl->options.acceptState = TLS13_CERT_REQ_SENT;
15938
0
            WOLFSSL_MSG("accept state CERT_REQ_SENT");
15939
0
            FALL_THROUGH;
15940
15941
0
        case TLS13_CERT_REQ_SENT :
15942
0
#ifndef NO_CERTS
15943
0
            if (!ssl->options.resuming && ssl->options.sendVerify) {
15944
0
                if ((ssl->error = SendTls13Certificate(ssl)) != 0) {
15945
0
                    WOLFSSL_ERROR(ssl->error);
15946
0
                    return WOLFSSL_FATAL_ERROR;
15947
0
                }
15948
0
            }
15949
0
#endif
15950
0
            ssl->options.acceptState = TLS13_CERT_SENT;
15951
0
            WOLFSSL_MSG("accept state CERT_SENT");
15952
0
            FALL_THROUGH;
15953
15954
0
        case TLS13_CERT_SENT :
15955
0
#if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \
15956
0
     defined(HAVE_ED25519) || defined(HAVE_ED448) || defined(HAVE_FALCON) || \
15957
0
     defined(WOLFSSL_HAVE_MLDSA))
15958
0
            if (!ssl->options.resuming && ssl->options.sendVerify) {
15959
0
                if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
15960
0
                    WOLFSSL_ERROR(ssl->error);
15961
0
                    return WOLFSSL_FATAL_ERROR;
15962
0
                }
15963
0
            }
15964
0
#endif
15965
0
            ssl->options.acceptState = TLS13_CERT_VERIFY_SENT;
15966
0
            WOLFSSL_MSG("accept state CERT_VERIFY_SENT");
15967
0
            FALL_THROUGH;
15968
15969
0
        case TLS13_CERT_VERIFY_SENT :
15970
0
            if ((ssl->error = SendTls13Finished(ssl)) != 0) {
15971
0
                WOLFSSL_ERROR(ssl->error);
15972
0
                return WOLFSSL_FATAL_ERROR;
15973
0
            }
15974
15975
0
            ssl->options.acceptState = TLS13_ACCEPT_FINISHED_SENT;
15976
0
            WOLFSSL_MSG("accept state ACCEPT_FINISHED_SENT");
15977
0
            FALL_THROUGH;
15978
15979
0
        case TLS13_ACCEPT_FINISHED_SENT:
15980
#ifdef WOLFSSL_EARLY_DATA
15981
            if (ssl->earlyData != no_early_data &&
15982
                    ssl->options.handShakeState != SERVER_FINISHED_COMPLETE) {
15983
                ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
15984
                return WOLFSSL_SUCCESS;
15985
            }
15986
#endif
15987
#ifdef HAVE_SESSION_TICKET
15988
    #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
15989
            if (!ssl->options.verifyPeer && !ssl->options.noTicketTls13 &&
15990
                    ssl->ctx->ticketEncCb != NULL &&
15991
                    ssl->options.maxTicketTls13 > 0) {
15992
                if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
15993
                    WOLFSSL_ERROR(ssl->error);
15994
                    return WOLFSSL_FATAL_ERROR;
15995
                }
15996
                ssl->options.ticketsSent = 1;
15997
            }
15998
    #endif
15999
#endif /* HAVE_SESSION_TICKET */
16000
0
            ssl->options.acceptState = TLS13_PRE_TICKET_SENT;
16001
0
            WOLFSSL_MSG("accept state  TICKET_SENT");
16002
0
            FALL_THROUGH;
16003
16004
0
        case TLS13_PRE_TICKET_SENT :
16005
0
            while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) {
16006
0
                if ( (ssl->error = ProcessReply(ssl)) < 0) {
16007
0
                        WOLFSSL_ERROR(ssl->error);
16008
0
                        return WOLFSSL_FATAL_ERROR;
16009
0
                    }
16010
16011
#ifdef WOLFSSL_DTLS13
16012
                if (ssl->options.dtls) {
16013
                    if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
16014
                        WOLFSSL_ERROR(ssl->error);
16015
                        return WOLFSSL_FATAL_ERROR;
16016
                    }
16017
                }
16018
#endif /* WOLFSSL_DTLS13 */
16019
0
            }
16020
16021
0
            ssl->options.acceptState = TLS13_ACCEPT_FINISHED_DONE;
16022
0
            WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE");
16023
0
            FALL_THROUGH;
16024
16025
0
        case TLS13_ACCEPT_FINISHED_DONE :
16026
            /* SERVER: When not resuming and verifying peer but no certificate
16027
             * received and not failing when not received then peer auth good.
16028
             */
16029
0
            if (!ssl->options.resuming && ssl->options.verifyPeer &&
16030
        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
16031
                !ssl->options.verifyPostHandshake &&
16032
        #endif
16033
0
                !ssl->options.havePeerCert && !ssl->options.failNoCert) {
16034
0
                ssl->options.peerAuthGood = 1;
16035
0
            }
16036
            /* SERVER: check peer authentication. */
16037
0
            if (!ssl->options.peerAuthGood) {
16038
0
                WOLFSSL_MSG("Client authentication did not happen");
16039
0
                return WOLFSSL_FATAL_ERROR;
16040
0
            }
16041
#ifdef HAVE_SESSION_TICKET
16042
            while (ssl->options.ticketsSent < ssl->options.maxTicketTls13) {
16043
                if (!ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb
16044
                        != NULL) {
16045
                    if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
16046
                        WOLFSSL_ERROR(ssl->error);
16047
                        return WOLFSSL_FATAL_ERROR;
16048
                    }
16049
                }
16050
                ssl->options.ticketsSent++;
16051
16052
                /* only one session ticket is sent on session resumption */
16053
                if (ssl->options.resuming) {
16054
                    break;
16055
                }
16056
            }
16057
#endif /* HAVE_SESSION_TICKET */
16058
0
            ssl->options.acceptState = TLS13_TICKET_SENT;
16059
0
            WOLFSSL_MSG("accept state TICKET_SENT");
16060
0
            FALL_THROUGH;
16061
16062
0
        case TLS13_TICKET_SENT :
16063
0
#ifndef NO_HANDSHAKE_DONE_CB
16064
0
            if (ssl->hsDoneCb) {
16065
0
                int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
16066
0
                if (cbret < 0) {
16067
0
                    ssl->error = cbret;
16068
0
                    WOLFSSL_MSG("HandShake Done Cb don't continue error");
16069
0
                    return WOLFSSL_FATAL_ERROR;
16070
0
                }
16071
0
            }
16072
0
#endif /* NO_HANDSHAKE_DONE_CB */
16073
16074
0
            if (!ssl->options.keepResources) {
16075
0
                FreeHandshakeResources(ssl);
16076
0
            }
16077
16078
0
#if defined(WOLFSSL_ASYNC_IO) && !defined(WOLFSSL_ASYNC_CRYPT)
16079
            /* Free the remaining async context if not using it for crypto */
16080
0
            FreeAsyncCtx(ssl, 1);
16081
0
#endif
16082
16083
0
            ssl->error = 0; /* clear the error */
16084
16085
0
            WOLFSSL_LEAVE("wolfSSL_accept", WOLFSSL_SUCCESS);
16086
0
            return WOLFSSL_SUCCESS;
16087
16088
0
        default:
16089
0
            WOLFSSL_MSG("Unknown accept state ERROR");
16090
0
            return WOLFSSL_FATAL_ERROR;
16091
0
    }
16092
0
}
16093
#endif
16094
16095
#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET)
16096
/* Server sends a session ticket to the peer.
16097
 *
16098
 * RFC 8446, section 4.6.1, para 1.
16099
 *
16100
 * ssl  The SSL/TLS object.
16101
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
16102
 *         SIDE_ERROR when not a server,
16103
 *         NOT_READY_ERROR when handshake not complete,
16104
 *         WOLFSSL_FATAL_ERROR when creating or sending message fails, and
16105
 *         WOLFSSL_SUCCESS on success.
16106
 */
16107
int wolfSSL_send_SessionTicket(WOLFSSL* ssl)
16108
{
16109
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
16110
        return BAD_FUNC_ARG;
16111
    if (ssl->options.side == WOLFSSL_CLIENT_END)
16112
        return SIDE_ERROR;
16113
    if (ssl->options.handShakeState != HANDSHAKE_DONE)
16114
        return NOT_READY_ERROR;
16115
16116
    if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
16117
        WOLFSSL_ERROR(ssl->error);
16118
        return WOLFSSL_FATAL_ERROR;
16119
    }
16120
    ssl->options.ticketsSent++;
16121
16122
    return WOLFSSL_SUCCESS;
16123
}
16124
#endif
16125
16126
#ifdef WOLFSSL_EARLY_DATA
16127
/* Sets the maximum amount of early data that can be seen by server when using
16128
 * session tickets for resumption.
16129
 * A value of zero indicates no early data is to be sent by client using session
16130
 * tickets.
16131
 *
16132
 * The default value is zero: per RFC 8446 Appendix E.5, TLS implementations
16133
 * "MUST NOT enable 0-RTT (either sending or accepting) unless specifically
16134
 * requested by the application." Servers must explicitly opt in by calling
16135
 * this function (or the per-SSL equivalent) with a non-zero value.
16136
 *
16137
 * ctx  The SSL/TLS CTX object.
16138
 * sz   Maximum size of the early data.
16139
 * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
16140
 * 0 on success.
16141
 */
16142
int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz)
16143
{
16144
    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
16145
        return BAD_FUNC_ARG;
16146
    if (ctx->method->side == WOLFSSL_CLIENT_END)
16147
        return SIDE_ERROR;
16148
16149
    ctx->maxEarlyDataSz = sz;
16150
16151
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL)
16152
    /* 1 on success in OpenSSL*/
16153
    return WOLFSSL_SUCCESS;
16154
#else
16155
    return 0;
16156
#endif
16157
}
16158
16159
/* Sets the maximum amount of early data that a client or server would like
16160
 * to exchange. Servers will advertise this value in session tickets sent
16161
 * to a client.
16162
 * A value of zero indicates no early data will be sent by a client, or
16163
 * no early data is accepted by a server (and announced as such in send out
16164
 * session tickets).
16165
 *
16166
 * ssl  The SSL/TLS object.
16167
 * sz   Maximum size of the early data.
16168
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
16169
 * and 0 on success.
16170
 */
16171
int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz)
16172
{
16173
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
16174
        return BAD_FUNC_ARG;
16175
16176
    ssl->options.maxEarlyDataSz = sz;
16177
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL)
16178
    /* 1 on success in OpenSSL*/
16179
    return WOLFSSL_SUCCESS;
16180
#else
16181
    return 0;
16182
#endif
16183
}
16184
16185
/* Gets the maximum amount of early data that can be seen by server when using
16186
 * session tickets for resumption.
16187
 * A value of zero indicates no early data is to be sent by client using session
16188
 * tickets.
16189
 *
16190
 * ctx  The SSL/TLS CTX object.
16191
 * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
16192
 * returns the maximum amount of early data to be set
16193
 */
16194
int wolfSSL_CTX_get_max_early_data(WOLFSSL_CTX* ctx)
16195
{
16196
    if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
16197
        return BAD_FUNC_ARG;
16198
    if (ctx->method->side == WOLFSSL_CLIENT_END)
16199
        return SIDE_ERROR;
16200
16201
    return ctx->maxEarlyDataSz;
16202
}
16203
16204
/* Gets the maximum amount of early data that can be seen by server when using
16205
 * session tickets for resumption.
16206
 * A value of zero indicates no early data is to be sent by client using session
16207
 * tickets.
16208
 *
16209
 * ssl  The SSL/TLS object.
16210
 * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
16211
 * SIDE_ERROR when not a server and
16212
 * returns the maximum amount of early data to be set
16213
 */
16214
int wolfSSL_get_max_early_data(WOLFSSL* ssl)
16215
{
16216
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
16217
        return BAD_FUNC_ARG;
16218
16219
    return ssl->options.maxEarlyDataSz;
16220
}
16221
16222
/* Write early data to the server.
16223
 *
16224
 * ssl    The SSL/TLS object.
16225
 * data   Early data to write
16226
 * sz     The size of the early data in bytes.
16227
 * outSz  The number of early data bytes written.
16228
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
16229
 * or not using TLS v1.3. SIDE ERROR when not a server. BAD_STATE_E if invoked
16230
 * without a valid session or without a valid PSK CB.
16231
 * Otherwise the number of early data bytes written.
16232
 */
16233
int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
16234
{
16235
    int ret = 0;
16236
16237
    WOLFSSL_ENTER("wolfSSL_write_early_data");
16238
16239
    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
16240
        return BAD_FUNC_ARG;
16241
    if (!IsAtLeastTLSv1_3(ssl->version))
16242
        return BAD_FUNC_ARG;
16243
16244
    *outSz = 0;
16245
16246
#ifndef NO_WOLFSSL_CLIENT
16247
    if (ssl->options.side == WOLFSSL_SERVER_END)
16248
        return SIDE_ERROR;
16249
16250
    /* Early data requires PSK or session resumption */
16251
    if (!EarlyDataPossible(ssl)) {
16252
        return BAD_STATE_E;
16253
    }
16254
16255
    if (ssl->options.handShakeState == NULL_STATE) {
16256
        /* avoid re-setting ssl->earlyData if we re-enter the function because
16257
         * of WC_PENDING_E, WANT_WRITE or WANT_READ */
16258
        if (ssl->error == 0)
16259
            ssl->earlyData = expecting_early_data;
16260
        ret = wolfSSL_connect_TLSv13(ssl);
16261
        if (ret != WOLFSSL_SUCCESS)
16262
            return WOLFSSL_FATAL_ERROR;
16263
        /* on client side, status is set to rejected        */
16264
        /* until sever accepts the early data extension.    */
16265
        ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED;
16266
    }
16267
    if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
16268
#ifdef OPENSSL_EXTRA
16269
        /* when processed early data exceeds max size */
16270
        if (ssl->session->maxEarlyDataSz > 0 &&
16271
            (ssl->earlyDataSz + sz > ssl->session->maxEarlyDataSz)) {
16272
            ssl->error = TOO_MUCH_EARLY_DATA;
16273
            return WOLFSSL_FATAL_ERROR;
16274
        }
16275
#endif
16276
        ret = SendData(ssl, data, sz);
16277
        if (ret > 0) {
16278
            *outSz = ret;
16279
            /* store amount of processed early data from client */
16280
            ssl->earlyDataSz += ret;
16281
        }
16282
    }
16283
#else
16284
    return SIDE_ERROR;
16285
#endif
16286
16287
    WOLFSSL_LEAVE("wolfSSL_write_early_data", ret);
16288
16289
    if (ret < 0)
16290
        ret = WOLFSSL_FATAL_ERROR;
16291
    return ret;
16292
}
16293
16294
/* Read the any early data from the client.
16295
 *
16296
 * ssl    The SSL/TLS object.
16297
 * data   Buffer to put the early data into.
16298
 * sz     The size of the buffer in bytes.
16299
 * outSz  The number of early data bytes read.
16300
 * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
16301
 * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of
16302
 * early data bytes read.
16303
 */
16304
int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
16305
{
16306
    int ret = 0;
16307
16308
    WOLFSSL_ENTER("wolfSSL_read_early_data");
16309
16310
16311
    if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
16312
        return BAD_FUNC_ARG;
16313
    if (!IsAtLeastTLSv1_3(ssl->version))
16314
        return BAD_FUNC_ARG;
16315
16316
    *outSz = 0;
16317
#ifndef NO_WOLFSSL_SERVER
16318
    if (ssl->options.side == WOLFSSL_CLIENT_END)
16319
        return SIDE_ERROR;
16320
16321
    if (ssl->options.handShakeState == NULL_STATE) {
16322
        /* the server flight can return WANT_WRITE and we re-enter here after
16323
         * setting ssl->earlyData = process_early_data, set earlyData to
16324
         * expecting_early_data just once */
16325
        if (ssl->earlyData < expecting_early_data)
16326
            ssl->earlyData = expecting_early_data;
16327
        /* this used to be: ret = wolfSSL_accept_TLSv13(ssl);
16328
         * However, wolfSSL_accept_TLSv13() expects a certificate to
16329
         * be installed already, which is not the case in servers
16330
         * such as HAProxy. They do it after inspecting the ClientHello.
16331
         * The common wolfssl_accept() allows that. */
16332
        ret = wolfSSL_accept(ssl);
16333
        if (ret <= 0)
16334
            return WOLFSSL_FATAL_ERROR;
16335
    }
16336
    if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) {
16337
        ssl->options.clientInEarlyData = 1;
16338
        ret = ReceiveData(ssl, (byte*)data, (size_t)sz, FALSE);
16339
        ssl->options.clientInEarlyData = 0;
16340
        if (ret > 0)
16341
            *outSz = ret;
16342
        if (ssl->error == WC_NO_ERR_TRACE(APP_DATA_READY)) {
16343
            ret = 0;
16344
            ssl->error = WOLFSSL_ERROR_NONE;
16345
#ifdef WOLFSSL_DTLS13
16346
            if (ssl->options.dtls) {
16347
                ret = Dtls13DoScheduledWork(ssl);
16348
                if (ret  < 0) {
16349
                    ssl->error = ret;
16350
                    WOLFSSL_ERROR(ssl->error);
16351
                    return WOLFSSL_FATAL_ERROR;
16352
                }
16353
            }
16354
#endif /* WOLFSSL_DTLS13 */
16355
        }
16356
    }
16357
#ifdef WOLFSSL_DTLS13
16358
    else if (ssl->buffers.outputBuffer.length > 0 &&
16359
        ssl->options.dtls && ssl->dtls13SendingAckOrRtx) {
16360
        ret = SendBuffered(ssl);
16361
        if (ret == 0) {
16362
            ssl->dtls13SendingAckOrRtx = 0;
16363
        }
16364
        else {
16365
            ssl->error = ret;
16366
            WOLFSSL_ERROR(ssl->error);
16367
            return WOLFSSL_FATAL_ERROR;
16368
        }
16369
    }
16370
#endif /* WOLFSSL_DTLS13 */
16371
    else
16372
        ret = 0;
16373
#else
16374
    return SIDE_ERROR;
16375
#endif
16376
16377
    WOLFSSL_LEAVE("wolfSSL_read_early_data", ret);
16378
16379
    if (ret < 0)
16380
        ret = WOLFSSL_FATAL_ERROR;
16381
    return ret;
16382
}
16383
16384
/* Returns early data status
16385
 *
16386
 * ssl    The SSL/TLS object.
16387
 * returns WOLFSSL_EARLY_DATA_ACCEPTED if the data was accepted
16388
 *         WOLFSSL_EARLY_DATA_REJECTED if the data was rejected
16389
 *         WOLFSSL_EARLY_DATA_NOT_SENT if no early data was sent
16390
 */
16391
int wolfSSL_get_early_data_status(const WOLFSSL* ssl)
16392
{
16393
    if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
16394
        return BAD_FUNC_ARG;
16395
16396
    return ssl->earlyDataStatus;
16397
}
16398
#endif
16399
16400
#ifdef HAVE_SECRET_CALLBACK
16401
int wolfSSL_set_tls13_secret_cb(WOLFSSL* ssl, Tls13SecretCb cb, void* ctx)
16402
{
16403
    WOLFSSL_ENTER("wolfSSL_set_tls13_secret_cb");
16404
    if (ssl == NULL)
16405
        return WOLFSSL_FATAL_ERROR;
16406
16407
    ssl->tls13SecretCb = cb;
16408
    ssl->tls13SecretCtx = ctx;
16409
16410
    return WOLFSSL_SUCCESS;
16411
}
16412
16413
#if defined(SHOW_SECRETS) && defined(WOLFSSL_SSLKEYLOGFILE)
16414
int tls13ShowSecrets(WOLFSSL* ssl, int id, const unsigned char* secret,
16415
    int secretSz, void* ctx)
16416
{
16417
    int i;
16418
    const char* str = NULL;
16419
    byte clientRandom[RAN_LEN];
16420
    int clientRandomSz;
16421
    XFILE fp;
16422
16423
    (void) ctx;
16424
#ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT
16425
    fp = XFOPEN(WOLFSSL_SSLKEYLOGFILE_OUTPUT, "ab");
16426
    if (fp == XBADFILE) {
16427
        return BAD_FUNC_ARG;
16428
    }
16429
#else
16430
    fp = stderr;
16431
#endif
16432
16433
    clientRandomSz = (int)wolfSSL_get_client_random(ssl, clientRandom,
16434
        sizeof(clientRandom));
16435
16436
    if (clientRandomSz <= 0) {
16437
        printf("Error getting server random %d\n", clientRandomSz);
16438
        return BAD_FUNC_ARG;
16439
    }
16440
16441
#if 0
16442
    printf("TLS Server Secret CB: Rand %d, Secret %d\n",
16443
        serverRandomSz, secretSz);
16444
#endif
16445
16446
    switch (id) {
16447
        case CLIENT_EARLY_TRAFFIC_SECRET:
16448
            str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
16449
        case EARLY_EXPORTER_SECRET:
16450
            str = "EARLY_EXPORTER_SECRET"; break;
16451
        case CLIENT_HANDSHAKE_TRAFFIC_SECRET:
16452
            str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break;
16453
        case SERVER_HANDSHAKE_TRAFFIC_SECRET:
16454
            str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break;
16455
        case CLIENT_TRAFFIC_SECRET:
16456
            str = "CLIENT_TRAFFIC_SECRET_0"; break;
16457
        case SERVER_TRAFFIC_SECRET:
16458
            str = "SERVER_TRAFFIC_SECRET_0"; break;
16459
        case EXPORTER_SECRET:
16460
            str = "EXPORTER_SECRET"; break;
16461
#ifdef HAVE_ECH
16462
        case ECH_SECRET:
16463
            str = "ECH_SECRET"; break;
16464
        case ECH_CONFIG:
16465
            str = "ECH_CONFIG"; break;
16466
#endif
16467
        default:
16468
#ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT
16469
            XFCLOSE(fp);
16470
#endif
16471
            return BAD_FUNC_ARG;
16472
            break;
16473
    }
16474
16475
    fprintf(fp, "%s ", str);
16476
    for (i = 0; i < (int)clientRandomSz; i++) {
16477
        fprintf(fp, "%02x", clientRandom[i]);
16478
    }
16479
    fprintf(fp, " ");
16480
    for (i = 0; i < secretSz; i++) {
16481
        fprintf(fp, "%02x", secret[i]);
16482
    }
16483
    fprintf(fp, "\n");
16484
16485
#ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT
16486
    XFCLOSE(fp);
16487
#endif
16488
16489
    return 0;
16490
}
16491
#endif
16492
#endif
16493
16494
#undef ERROR_OUT
16495
16496
#endif /* !WOLFCRYPT_ONLY */
16497
16498
#endif /* !NO_TLS && WOLFSSL_TLS13 */