Line | Count | Source |
1 | | /* tls13.c |
2 | | * |
3 | | * Copyright (C) 2006-2026 wolfSSL Inc. |
4 | | * |
5 | | * This file is part of wolfSSL. |
6 | | * |
7 | | * wolfSSL is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 3 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * wolfSSL is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
20 | | */ |
21 | | |
22 | | #include <wolfssl/wolfcrypt/libwolfssl_sources.h> |
23 | | |
24 | | /* |
25 | | * TLS 1.3-Specific Build Options: |
26 | | * (See tls.c for generic TLS options: extensions, curves, callbacks, etc.) |
27 | | * |
28 | | * Protocol: |
29 | | * WOLFSSL_TLS13: Enable TLS 1.3 protocol default: on |
30 | | * WOLFSSL_TLS13_DRAFT: Enable TLS 1.3 draft version support default: off |
31 | | * WOLFSSL_QUIC: Enable QUIC protocol support (TLS 1.3) default: off |
32 | | * WOLFSSL_DTLS13_NO_HRR_ON_RESUME: Skip HRR on DTLS 1.3 resume default: off |
33 | | * WOLFSSL_DTLS_CH_FRAG: Enable DTLS 1.3 ClientHello frag default: off |
34 | | * |
35 | | * Handshake: |
36 | | * WOLFSSL_TLS13_MIDDLEBOX_COMPAT: Enable middlebox compatibility default: on |
37 | | * Sends ChangeCipherSpec and includes session id |
38 | | * WOLFSSL_SEND_HRR_COOKIE: Send cookie in HelloRetryRequest default: off |
39 | | * for stateless ClientHello tracking |
40 | | * WOLFSSL_EARLY_DATA: Allow 0-RTT early data default: off |
41 | | * WOLFSSL_EARLY_DATA_GROUP: Group early data with ClientHello default: off |
42 | | * WOLFSSL_POST_HANDSHAKE_AUTH: Post-handshake client auth default: off |
43 | | * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED: Send NewSessionTicket default: off |
44 | | * before client Finished message |
45 | | * WOLFSSL_NO_CLIENT_AUTH: Disable TLS 1.3 client authentication default: off |
46 | | * WOLFSSL_NO_CLIENT_CERT_ERROR: Require client certificate default: off |
47 | | * WOLFSSL_CERT_SETUP_CB: Certificate setup callback default: off |
48 | | * WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION: Allow bad legacy version default: off |
49 | | * |
50 | | * Security: |
51 | | * WOLFSSL_BLIND_PRIVATE_KEY: Blind private key during signing default: off |
52 | | * WOLFSSL_CHECK_SIG_FAULTS: Verify signature after ECC signing default: off |
53 | | * to detect fault injection attacks |
54 | | * WOLFSSL_CIPHER_TEXT_CHECK: Verify ciphertext integrity default: off |
55 | | * |
56 | | * TLS 1.3 PSK: |
57 | | * WOLFSSL_PSK_ONE_ID: Single PSK identity per connect default: off |
58 | | * WOLFSSL_PSK_MULTI_ID_PER_CS: Multiple PSK IDs per cipher suite default: off |
59 | | * WOLFSSL_PRIORITIZE_PSK: Prioritize PSK over ciphersuite order default: off |
60 | | * |
61 | | * TLS 1.3 Session Tickets: |
62 | | * WOLFSSL_TICKET_HAVE_ID: Session tickets include ID default: off |
63 | | * Forced on when WOLFSSL_EARLY_DATA is set. |
64 | | * WOLFSSL_TICKET_NONCE_MALLOC: Dynamically allocate ticket nonce default: off |
65 | | * |
66 | | * TLS 1.3 Key Exchange: |
67 | | * HAVE_KEYING_MATERIAL: Export keying material (RFC 8446 7.5) default: off |
68 | | * WOLFSSL_HAVE_TLS_UNIQUE: Enable tls-unique channel binding default: off |
69 | | * |
70 | | * TLS 1.3 Hash/Signature: |
71 | | * WOLFSSL_TLS13_SHA512: Allow SHA-512 in TLS 1.3 handshake default: off |
72 | | * (no ciphersuite requires it currently) |
73 | | * WOLFSSL_ERROR_CODE_OPENSSL: Use OpenSSL-compatible error codes default: off |
74 | | * WOLFSSL_SSLKEYLOGFILE_OUTPUT: Set key log output file path default: off |
75 | | * WOLFSSL_RW_THREADED: Enable read/write threading support default: off |
76 | | * WOLFSSL_ASYNC_IO: Enable async I/O operations default: off |
77 | | * WOLFSSL_NONBLOCK_OCSP: Non-blocking OCSP processing default: off |
78 | | * WOLFSSL_TLS_OCSP_MULTI: Multiple OCSP responses default: off |
79 | | * WOLFSSL_WOLFSENTRY_HOOKS: wolfSentry integration hooks default: off |
80 | | */ |
81 | | |
82 | | #if !defined(NO_TLS) && defined(WOLFSSL_TLS13) |
83 | | |
84 | | /* 0-RTT anti-replay eviction needs the session cache. */ |
85 | | #if defined(WOLFSSL_EARLY_DATA) && defined(HAVE_SESSION_TICKET) && \ |
86 | | defined(NO_SESSION_CACHE) && !defined(NO_WOLFSSL_SERVER) && \ |
87 | | !defined(WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY) |
88 | | #error "WOLFSSL_EARLY_DATA with tickets requires !NO_SESSION_CACHE, or " \ |
89 | | "define WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY to opt out." |
90 | | #endif |
91 | | |
92 | | #ifndef WOLFCRYPT_ONLY |
93 | | |
94 | | #ifdef HAVE_ERRNO_H |
95 | | #include <errno.h> |
96 | | #endif |
97 | | |
98 | | #if defined(__MACH__) || defined(__FreeBSD__) || \ |
99 | | defined(__INCLUDE_NUTTX_CONFIG_H) || defined(WOLFSSL_RIOT_OS) |
100 | | #include <sys/time.h> |
101 | | #endif /* __MACH__ || __FreeBSD__ || |
102 | | __INCLUDE_NUTTX_CONFIG_H || WOLFSSL_RIOT_OS */ |
103 | | |
104 | | |
105 | | #include <wolfssl/internal.h> |
106 | | #include <wolfssl/error-ssl.h> |
107 | | #include <wolfssl/wolfcrypt/asn.h> |
108 | | #include <wolfssl/wolfcrypt/dh.h> |
109 | | #include <wolfssl/wolfcrypt/kdf.h> |
110 | | #include <wolfssl/wolfcrypt/signature.h> |
111 | | #ifdef NO_INLINE |
112 | | #include <wolfssl/wolfcrypt/misc.h> |
113 | | #else |
114 | | #define WOLFSSL_MISC_INCLUDED |
115 | | #include <wolfcrypt/src/misc.c> |
116 | | #endif |
117 | | |
118 | | #ifdef __sun |
119 | | #include <sys/filio.h> |
120 | | #endif |
121 | | |
122 | | #ifndef TRUE |
123 | | #define TRUE 1 |
124 | | #endif |
125 | | #ifndef FALSE |
126 | | #define FALSE 0 |
127 | | #endif |
128 | | |
129 | | #ifndef HAVE_AEAD |
130 | | #if !defined(_MSC_VER) && !defined(__TASKING__) |
131 | | #error "The build option HAVE_AEAD is required for TLS 1.3" |
132 | | #else |
133 | | #pragma \ |
134 | | message("error: The build option HAVE_AEAD is required for TLS 1.3") |
135 | | #endif |
136 | | #endif |
137 | | |
138 | | #ifndef HAVE_HKDF |
139 | | #if !defined(_MSC_VER) && !defined(__TASKING__) |
140 | | #error "The build option HAVE_HKDF is required for TLS 1.3" |
141 | | #else |
142 | | #pragma message("error: The build option HAVE_HKDF is required for TLS 1.3") |
143 | | #endif |
144 | | #endif |
145 | | |
146 | | #ifndef HAVE_TLS_EXTENSIONS |
147 | | #if !defined(_MSC_VER) && !defined(__TASKING__) |
148 | | #error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3" |
149 | | #else |
150 | | #pragma message("error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3") |
151 | | #endif |
152 | | #endif |
153 | | |
154 | | |
155 | | /* Set ret to error value and jump to label. |
156 | | * |
157 | | * err The error value to set. |
158 | | * eLabel The label to jump to. |
159 | | */ |
160 | 0 | #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; } |
161 | | |
162 | | /* Size of the TLS v1.3 label use when deriving keys. */ |
163 | 0 | #define TLS13_PROTOCOL_LABEL_SZ 6 |
164 | | /* The protocol label for TLS v1.3. */ |
165 | | static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 "; |
166 | | |
167 | | #ifdef WOLFSSL_DTLS13 |
168 | | #define DTLS13_PROTOCOL_LABEL_SZ 6 |
169 | | static const byte dtls13ProtocolLabel[DTLS13_PROTOCOL_LABEL_SZ + 1] = "dtls13"; |
170 | | #endif /* WOLFSSL_DTLS13 */ |
171 | | |
172 | | #if defined(HAVE_ECH) |
173 | | #define ECH_ACCEPT_CONFIRMATION_LABEL_SZ 23 |
174 | | #define ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ 27 |
175 | | static const byte |
176 | | echAcceptConfirmationLabel[ECH_ACCEPT_CONFIRMATION_LABEL_SZ + 1] = |
177 | | "ech accept confirmation"; |
178 | | static const byte |
179 | | echHrrAcceptConfirmationLabel[ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ + 1] = |
180 | | "hrr ech accept confirmation"; |
181 | | #endif |
182 | | |
183 | | #ifndef NO_CERTS |
184 | | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ |
185 | | defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA) |
186 | | |
187 | | static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash); |
188 | | |
189 | | #endif |
190 | | #endif |
191 | | |
192 | | /* Expand data using HMAC, salt and label and info. |
193 | | * TLS v1.3 defines this function. Use callback if available. */ |
194 | | static int Tls13HKDFExpandLabel(WOLFSSL* ssl, byte* okm, word32 okmLen, |
195 | | const byte* prk, word32 prkLen, |
196 | | const byte* protocol, word32 protocolLen, |
197 | | const byte* label, word32 labelLen, |
198 | | const byte* info, word32 infoLen, |
199 | | int digest) |
200 | 0 | { |
201 | 0 | int ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); |
202 | |
|
203 | | #if defined(HAVE_PK_CALLBACKS) |
204 | | if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) { |
205 | | ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen, |
206 | | protocol, protocolLen, |
207 | | label, labelLen, |
208 | | info, infoLen, digest, |
209 | | WOLFSSL_CLIENT_END /* ignored */); |
210 | | } |
211 | | |
212 | | if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
213 | | return ret; |
214 | | #endif |
215 | 0 | (void)ssl; |
216 | 0 | PRIVATE_KEY_UNLOCK(); |
217 | 0 | #if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0)) |
218 | 0 | ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen, |
219 | 0 | protocol, protocolLen, |
220 | 0 | label, labelLen, |
221 | 0 | info, infoLen, digest, |
222 | 0 | ssl->heap, ssl->devId); |
223 | | #else |
224 | | ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen, |
225 | | protocol, protocolLen, |
226 | | label, labelLen, |
227 | | info, infoLen, digest); |
228 | | #endif |
229 | 0 | PRIVATE_KEY_LOCK(); |
230 | 0 | return ret; |
231 | 0 | } |
232 | | |
233 | | /* Same as above, but pass in the side we are expanding for: |
234 | | * side: either WOLFSSL_CLIENT_END or WOLFSSL_SERVER_END. |
235 | | */ |
236 | | static int Tls13HKDFExpandKeyLabel(WOLFSSL* ssl, byte* okm, word32 okmLen, |
237 | | const byte* prk, word32 prkLen, |
238 | | const byte* protocol, word32 protocolLen, |
239 | | const byte* label, word32 labelLen, |
240 | | const byte* info, word32 infoLen, |
241 | | int digest, int side) |
242 | 0 | { |
243 | 0 | int ret; |
244 | | #if defined(HAVE_PK_CALLBACKS) |
245 | | ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); |
246 | | if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) { |
247 | | ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen, |
248 | | protocol, protocolLen, |
249 | | label, labelLen, |
250 | | info, infoLen, |
251 | | digest, side); |
252 | | } |
253 | | if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
254 | | return ret; |
255 | | #endif |
256 | |
|
257 | 0 | #if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0)) |
258 | 0 | ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen, |
259 | 0 | protocol, protocolLen, |
260 | 0 | label, labelLen, |
261 | 0 | info, infoLen, digest, |
262 | 0 | ssl->heap, ssl->devId); |
263 | |
|
264 | | #elif defined(HAVE_FIPS) && defined(wc_Tls13_HKDF_Expand_Label) |
265 | | ret = wc_Tls13_HKDF_Expand_Label_fips(okm, okmLen, prk, prkLen, |
266 | | protocol, protocolLen, |
267 | | label, labelLen, |
268 | | info, infoLen, digest); |
269 | | #else |
270 | | ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen, |
271 | | protocol, protocolLen, |
272 | | label, labelLen, |
273 | | info, infoLen, digest); |
274 | | #endif |
275 | 0 | (void)ssl; |
276 | 0 | (void)side; |
277 | 0 | return ret; |
278 | 0 | } |
279 | | |
280 | | |
281 | | /* Derive a key from a message. |
282 | | * |
283 | | * ssl The SSL/TLS object. |
284 | | * output The buffer to hold the derived key. |
285 | | * outputLen The length of the derived key. |
286 | | * secret The secret used to derive the key (HMAC secret). |
287 | | * label The label used to distinguish the context. |
288 | | * labelLen The length of the label. |
289 | | * msg The message data to derive key from. |
290 | | * msgLen The length of the message data to derive key from. |
291 | | * hashAlgo The hash algorithm to use in the HMAC. |
292 | | * returns 0 on success, otherwise failure. |
293 | | */ |
294 | | static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen, |
295 | | const byte* secret, const byte* label, word32 labelLen, |
296 | | byte* msg, int msgLen, int hashAlgo) |
297 | 0 | { |
298 | 0 | byte hash[WC_MAX_DIGEST_SIZE]; |
299 | 0 | Digest digest; |
300 | 0 | word32 hashSz = 0; |
301 | 0 | const byte* protocol; |
302 | 0 | word32 protocolLen; |
303 | 0 | int digestAlg = -1; |
304 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
305 | |
|
306 | 0 | switch (hashAlgo) { |
307 | 0 | #ifndef NO_SHA256 |
308 | 0 | case sha256_mac: |
309 | 0 | ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, ssl->devId); |
310 | 0 | if (ret == 0) { |
311 | 0 | ret = wc_Sha256Update(&digest.sha256, msg, (word32)msgLen); |
312 | 0 | if (ret == 0) |
313 | 0 | ret = wc_Sha256Final(&digest.sha256, hash); |
314 | 0 | wc_Sha256Free(&digest.sha256); |
315 | 0 | } |
316 | 0 | hashSz = WC_SHA256_DIGEST_SIZE; |
317 | 0 | digestAlg = WC_SHA256; |
318 | 0 | break; |
319 | 0 | #endif |
320 | 0 | #ifdef WOLFSSL_SHA384 |
321 | 0 | case sha384_mac: |
322 | 0 | ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, ssl->devId); |
323 | 0 | if (ret == 0) { |
324 | 0 | ret = wc_Sha384Update(&digest.sha384, msg, (word32)msgLen); |
325 | 0 | if (ret == 0) |
326 | 0 | ret = wc_Sha384Final(&digest.sha384, hash); |
327 | 0 | wc_Sha384Free(&digest.sha384); |
328 | 0 | } |
329 | 0 | hashSz = WC_SHA384_DIGEST_SIZE; |
330 | 0 | digestAlg = WC_SHA384; |
331 | 0 | break; |
332 | 0 | #endif |
333 | | #ifdef WOLFSSL_TLS13_SHA512 |
334 | | case sha512_mac: |
335 | | ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, ssl->devId); |
336 | | if (ret == 0) { |
337 | | ret = wc_Sha512Update(&digest.sha512, msg, (word32)msgLen); |
338 | | if (ret == 0) |
339 | | ret = wc_Sha512Final(&digest.sha512, hash); |
340 | | wc_Sha512Free(&digest.sha512); |
341 | | } |
342 | | hashSz = WC_SHA512_DIGEST_SIZE; |
343 | | digestAlg = WC_SHA512; |
344 | | break; |
345 | | #endif |
346 | | #ifdef WOLFSSL_SM3 |
347 | | case sm3_mac: |
348 | | ret = wc_InitSm3(&digest.sm3, ssl->heap, ssl->devId); |
349 | | if (ret == 0) { |
350 | | ret = wc_Sm3Update(&digest.sm3, msg, (word32)msgLen); |
351 | | if (ret == 0) |
352 | | ret = wc_Sm3Final(&digest.sm3, hash); |
353 | | wc_Sm3Free(&digest.sm3); |
354 | | } |
355 | | hashSz = WC_SM3_DIGEST_SIZE; |
356 | | digestAlg = WC_SM3; |
357 | | break; |
358 | | #endif |
359 | 0 | default: |
360 | 0 | ret = BAD_FUNC_ARG; |
361 | 0 | digestAlg = -1; |
362 | 0 | break; |
363 | 0 | } |
364 | | |
365 | 0 | if (digestAlg < 0) |
366 | 0 | return HASH_TYPE_E; |
367 | | |
368 | 0 | if (ret != 0) |
369 | 0 | return ret; |
370 | | |
371 | 0 | switch (ssl->version.minor) { |
372 | 0 | case TLSv1_3_MINOR: |
373 | 0 | protocol = tls13ProtocolLabel; |
374 | 0 | protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
375 | 0 | break; |
376 | | #ifdef WOLFSSL_DTLS13 |
377 | | case DTLSv1_3_MINOR: |
378 | | if (!ssl->options.dtls) |
379 | | return VERSION_ERROR; |
380 | | |
381 | | protocol = dtls13ProtocolLabel; |
382 | | protocolLen = DTLS13_PROTOCOL_LABEL_SZ; |
383 | | break; |
384 | | #endif /* WOLFSSL_DTLS13 */ |
385 | 0 | default: |
386 | 0 | return VERSION_ERROR; |
387 | 0 | } |
388 | 0 | if (outputLen == -1) |
389 | 0 | outputLen = (int)hashSz; |
390 | |
|
391 | 0 | ret = Tls13HKDFExpandLabel(ssl, output, (word32)outputLen, secret, hashSz, |
392 | 0 | protocol, protocolLen, label, labelLen, |
393 | 0 | hash, hashSz, digestAlg); |
394 | 0 | return ret; |
395 | 0 | } |
396 | | |
397 | | /* Derive a key. |
398 | | * |
399 | | * ssl The SSL/TLS object. |
400 | | * output The buffer to hold the derived key. |
401 | | * outputLen The length of the derived key. |
402 | | * secret The secret used to derive the key (HMAC secret). |
403 | | * label The label used to distinguish the context. |
404 | | * labelLen The length of the label. |
405 | | * hashAlgo The hash algorithm to use in the HMAC. |
406 | | * includeMsgs Whether to include a hash of the handshake messages so far. |
407 | | * side The side that we are deriving the secret for. |
408 | | * returns 0 on success, otherwise failure. |
409 | | */ |
410 | | int Tls13DeriveKey(WOLFSSL* ssl, byte* output, int outputLen, |
411 | | const byte* secret, const byte* label, word32 labelLen, |
412 | | int hashAlgo, int includeMsgs, int side) |
413 | 0 | { |
414 | 0 | int ret = 0; |
415 | 0 | byte hash[WC_MAX_DIGEST_SIZE]; |
416 | 0 | word32 hashSz = 0; |
417 | 0 | word32 hashOutSz = 0; |
418 | 0 | const byte* protocol; |
419 | 0 | word32 protocolLen; |
420 | 0 | int digestAlg = 0; |
421 | | |
422 | |
|
423 | 0 | switch (hashAlgo) { |
424 | 0 | #ifndef NO_SHA256 |
425 | 0 | case sha256_mac: |
426 | 0 | hashSz = WC_SHA256_DIGEST_SIZE; |
427 | 0 | digestAlg = WC_SHA256; |
428 | 0 | if (includeMsgs) |
429 | 0 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
430 | 0 | break; |
431 | 0 | #endif |
432 | | |
433 | 0 | #ifdef WOLFSSL_SHA384 |
434 | 0 | case sha384_mac: |
435 | 0 | hashSz = WC_SHA384_DIGEST_SIZE; |
436 | 0 | digestAlg = WC_SHA384; |
437 | 0 | if (includeMsgs) |
438 | 0 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
439 | 0 | break; |
440 | 0 | #endif |
441 | | |
442 | | #ifdef WOLFSSL_TLS13_SHA512 |
443 | | case sha512_mac: |
444 | | hashSz = WC_SHA512_DIGEST_SIZE; |
445 | | digestAlg = WC_SHA512; |
446 | | if (includeMsgs) |
447 | | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash); |
448 | | break; |
449 | | #endif |
450 | | |
451 | | #ifdef WOLFSSL_SM3 |
452 | | case sm3_mac: |
453 | | hashSz = WC_SM3_DIGEST_SIZE; |
454 | | digestAlg = WC_SM3; |
455 | | if (includeMsgs) |
456 | | ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash); |
457 | | break; |
458 | | #endif |
459 | | |
460 | 0 | default: |
461 | 0 | ret = HASH_TYPE_E; |
462 | 0 | break; |
463 | 0 | } |
464 | 0 | if (ret != 0) |
465 | 0 | return ret; |
466 | | |
467 | 0 | protocol = tls13ProtocolLabel; |
468 | 0 | protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
469 | |
|
470 | | #ifdef WOLFSSL_DTLS13 |
471 | | if (ssl->options.dtls) { |
472 | | protocol = dtls13ProtocolLabel; |
473 | | protocolLen = DTLS13_PROTOCOL_LABEL_SZ; |
474 | | } |
475 | | #endif /* WOLFSSL_DTLS13 */ |
476 | |
|
477 | 0 | if (outputLen == -1) { |
478 | 0 | outputLen = (int)hashSz; |
479 | 0 | } |
480 | 0 | if (includeMsgs) { |
481 | 0 | hashOutSz = hashSz; |
482 | 0 | } |
483 | 0 | else { |
484 | | /* Appease static analyzers by making sure hash is cleared, since it is |
485 | | * passed into expand key label where older wc_Tls13_HKDF_Expand_Label |
486 | | * will unconditionally try to call a memcpy on it, however length will |
487 | | * always be 0. */ |
488 | 0 | XMEMSET(hash, 0, sizeof(hash)); |
489 | 0 | hashOutSz = 0; |
490 | 0 | } |
491 | |
|
492 | 0 | PRIVATE_KEY_UNLOCK(); |
493 | 0 | ret = Tls13HKDFExpandKeyLabel(ssl, output, (word32)outputLen, secret, hashSz, |
494 | 0 | protocol, protocolLen, label, labelLen, |
495 | 0 | hash, hashOutSz, digestAlg, side); |
496 | 0 | PRIVATE_KEY_LOCK(); |
497 | |
|
498 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
499 | | wc_MemZero_Add("TLS 1.3 derived key", output, outputLen); |
500 | | #endif |
501 | 0 | return ret; |
502 | 0 | } |
503 | | |
504 | | /* Convert TLS mac ID to a hash algorithm ID |
505 | | * |
506 | | * mac Mac ID to convert |
507 | | * returns hash ID on success, or the NONE type. |
508 | | */ |
509 | | static WC_INLINE int mac2hash(int mac) |
510 | 0 | { |
511 | 0 | int hash; |
512 | 0 | switch (mac) { |
513 | 0 | #ifndef NO_SHA256 |
514 | 0 | case sha256_mac: |
515 | 0 | hash = WC_SHA256; |
516 | 0 | break; |
517 | 0 | #endif |
518 | | |
519 | 0 | #ifdef WOLFSSL_SHA384 |
520 | 0 | case sha384_mac: |
521 | 0 | hash = WC_SHA384; |
522 | 0 | break; |
523 | 0 | #endif |
524 | | |
525 | | #ifdef WOLFSSL_TLS13_SHA512 |
526 | | case sha512_mac: |
527 | | hash = WC_SHA512; |
528 | | break; |
529 | | #endif |
530 | | |
531 | | #ifdef WOLFSSL_SM3 |
532 | | case sm3_mac: |
533 | | hash = WC_SM3; |
534 | | break; |
535 | | #endif |
536 | | |
537 | 0 | default: |
538 | 0 | hash = WC_HASH_TYPE_NONE; |
539 | 0 | } |
540 | 0 | return hash; |
541 | 0 | } |
542 | | |
543 | | #ifndef NO_PSK |
544 | | /* The length of the binder key label. */ |
545 | | #define BINDER_KEY_LABEL_SZ 10 |
546 | | /* The binder key label. */ |
547 | | static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] = |
548 | | "ext binder"; |
549 | | |
550 | | /* Derive the binder key. |
551 | | * |
552 | | * ssl The SSL/TLS object. |
553 | | * key The derived key. |
554 | | * returns 0 on success, otherwise failure. |
555 | | */ |
556 | | static int DeriveBinderKey(WOLFSSL* ssl, byte* key) |
557 | | { |
558 | | WOLFSSL_MSG("Derive Binder Key"); |
559 | | if (ssl == NULL || ssl->arrays == NULL) { |
560 | | return BAD_FUNC_ARG; |
561 | | } |
562 | | return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, |
563 | | binderKeyLabel, BINDER_KEY_LABEL_SZ, |
564 | | NULL, 0, ssl->specs.mac_algorithm); |
565 | | } |
566 | | #endif /* !NO_PSK */ |
567 | | |
568 | | #if defined(HAVE_SESSION_TICKET) && \ |
569 | | (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) |
570 | | /* The length of the binder key resume label. */ |
571 | | #define BINDER_KEY_RESUME_LABEL_SZ 10 |
572 | | /* The binder key resume label. */ |
573 | | static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] = |
574 | | "res binder"; |
575 | | |
576 | | /* Derive the binder resumption key. |
577 | | * |
578 | | * ssl The SSL/TLS object. |
579 | | * key The derived key. |
580 | | * returns 0 on success, otherwise failure. |
581 | | */ |
582 | | static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key) |
583 | | { |
584 | | WOLFSSL_MSG("Derive Binder Key - Resumption"); |
585 | | if (ssl == NULL || ssl->arrays == NULL) { |
586 | | return BAD_FUNC_ARG; |
587 | | } |
588 | | return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, |
589 | | binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ, |
590 | | NULL, 0, ssl->specs.mac_algorithm); |
591 | | } |
592 | | #endif /* HAVE_SESSION_TICKET && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */ |
593 | | |
594 | | #ifdef WOLFSSL_EARLY_DATA |
595 | | |
596 | | /* The length of the early traffic label. */ |
597 | | #define EARLY_TRAFFIC_LABEL_SZ 11 |
598 | | /* The early traffic label. */ |
599 | | static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] = |
600 | | "c e traffic"; |
601 | | |
602 | | /* Derive the early traffic key. |
603 | | * |
604 | | * ssl The SSL/TLS object. |
605 | | * key The derived key. |
606 | | * side The side that we are deriving the secret for. |
607 | | * returns 0 on success, otherwise failure. |
608 | | */ |
609 | | static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key, int side) |
610 | | { |
611 | | int ret; |
612 | | WOLFSSL_MSG("Derive Early Traffic Secret"); |
613 | | if (ssl == NULL || ssl->arrays == NULL) { |
614 | | return BAD_FUNC_ARG; |
615 | | } |
616 | | |
617 | | #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE) |
618 | | /* If this is called from a sniffer session with keylog file support, |
619 | | * obtain the appropriate secret from the callback */ |
620 | | if (ssl->snifferSecretCb != NULL) { |
621 | | return ssl->snifferSecretCb(ssl->arrays->clientRandom, |
622 | | SNIFFER_SECRET_CLIENT_EARLY_TRAFFIC_SECRET, |
623 | | key); |
624 | | } |
625 | | #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */ |
626 | | |
627 | | ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->secret, |
628 | | earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ, |
629 | | ssl->specs.mac_algorithm, 1, side); |
630 | | #ifdef HAVE_SECRET_CALLBACK |
631 | | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
632 | | ret = ssl->tls13SecretCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key, |
633 | | ssl->specs.hash_size, ssl->tls13SecretCtx); |
634 | | if (ret != 0) { |
635 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
636 | | return TLS13_SECRET_CB_E; |
637 | | } |
638 | | } |
639 | | #ifdef OPENSSL_EXTRA |
640 | | if (ret == 0 && ssl->tls13KeyLogCb != NULL) { |
641 | | ret = ssl->tls13KeyLogCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key, |
642 | | ssl->specs.hash_size, NULL); |
643 | | if (ret != 0) { |
644 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
645 | | return TLS13_SECRET_CB_E; |
646 | | } |
647 | | } |
648 | | #endif /* OPENSSL_EXTRA */ |
649 | | #endif /* HAVE_SECRET_CALLBACK */ |
650 | | return ret; |
651 | | } |
652 | | |
653 | | #endif |
654 | | |
655 | | /* The length of the client handshake label. */ |
656 | 0 | #define CLIENT_HANDSHAKE_LABEL_SZ 12 |
657 | | /* The client handshake label. */ |
658 | | static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] = |
659 | | "c hs traffic"; |
660 | | |
661 | | /* Derive the client handshake key. |
662 | | * |
663 | | * ssl The SSL/TLS object. |
664 | | * key The derived key. |
665 | | * returns 0 on success, otherwise failure. |
666 | | */ |
667 | | static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key) |
668 | 0 | { |
669 | 0 | int ret; |
670 | 0 | WOLFSSL_MSG("Derive Client Handshake Secret"); |
671 | 0 | if (ssl == NULL || ssl->arrays == NULL) { |
672 | 0 | return BAD_FUNC_ARG; |
673 | 0 | } |
674 | | |
675 | | #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE) |
676 | | /* If this is called from a sniffer session with keylog file support, |
677 | | * obtain the appropriate secret from the callback */ |
678 | | if (ssl->snifferSecretCb != NULL) { |
679 | | return ssl->snifferSecretCb(ssl->arrays->clientRandom, |
680 | | SNIFFER_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET, |
681 | | key); |
682 | | } |
683 | | #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */ |
684 | | |
685 | 0 | ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret, |
686 | 0 | clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ, |
687 | 0 | ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END); |
688 | | #ifdef HAVE_SECRET_CALLBACK |
689 | | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
690 | | ret = ssl->tls13SecretCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key, |
691 | | ssl->specs.hash_size, ssl->tls13SecretCtx); |
692 | | if (ret != 0) { |
693 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
694 | | return TLS13_SECRET_CB_E; |
695 | | } |
696 | | } |
697 | | #ifdef OPENSSL_EXTRA |
698 | | if (ret == 0 && ssl->tls13KeyLogCb != NULL) { |
699 | | ret = ssl->tls13KeyLogCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key, |
700 | | ssl->specs.hash_size, NULL); |
701 | | if (ret != 0) { |
702 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
703 | | return TLS13_SECRET_CB_E; |
704 | | } |
705 | | } |
706 | | #endif /* OPENSSL_EXTRA */ |
707 | | #endif /* HAVE_SECRET_CALLBACK */ |
708 | 0 | return ret; |
709 | 0 | } |
710 | | |
711 | | /* The length of the server handshake label. */ |
712 | 0 | #define SERVER_HANDSHAKE_LABEL_SZ 12 |
713 | | /* The server handshake label. */ |
714 | | static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] = |
715 | | "s hs traffic"; |
716 | | |
717 | | /* Derive the server handshake key. |
718 | | * |
719 | | * ssl The SSL/TLS object. |
720 | | * key The derived key. |
721 | | * returns 0 on success, otherwise failure. |
722 | | */ |
723 | | static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key) |
724 | 0 | { |
725 | 0 | int ret; |
726 | 0 | WOLFSSL_MSG("Derive Server Handshake Secret"); |
727 | 0 | if (ssl == NULL || ssl->arrays == NULL) { |
728 | 0 | return BAD_FUNC_ARG; |
729 | 0 | } |
730 | | |
731 | | #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE) |
732 | | /* If this is called from a sniffer session with keylog file support, |
733 | | * obtain the appropriate secret from the callback */ |
734 | | if (ssl->snifferSecretCb != NULL) { |
735 | | return ssl->snifferSecretCb(ssl->arrays->clientRandom, |
736 | | SNIFFER_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET, |
737 | | key); |
738 | | } |
739 | | #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */ |
740 | | |
741 | 0 | ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret, |
742 | 0 | serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ, |
743 | 0 | ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END); |
744 | |
|
745 | | #ifdef HAVE_SECRET_CALLBACK |
746 | | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
747 | | ret = ssl->tls13SecretCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key, |
748 | | ssl->specs.hash_size, ssl->tls13SecretCtx); |
749 | | if (ret != 0) { |
750 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
751 | | return TLS13_SECRET_CB_E; |
752 | | } |
753 | | } |
754 | | #ifdef OPENSSL_EXTRA |
755 | | if (ret == 0 && ssl->tls13KeyLogCb != NULL) { |
756 | | ret = ssl->tls13KeyLogCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key, |
757 | | ssl->specs.hash_size, NULL); |
758 | | if (ret != 0) { |
759 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
760 | | return TLS13_SECRET_CB_E; |
761 | | } |
762 | | } |
763 | | #endif /* OPENSSL_EXTRA */ |
764 | | #endif /* HAVE_SECRET_CALLBACK */ |
765 | 0 | return ret; |
766 | 0 | } |
767 | | |
768 | | /* The length of the client application traffic label. */ |
769 | 0 | #define CLIENT_APP_LABEL_SZ 12 |
770 | | /* The client application traffic label. */ |
771 | | static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] = |
772 | | "c ap traffic"; |
773 | | |
774 | | /* Derive the client application traffic key. |
775 | | * |
776 | | * ssl The SSL/TLS object. |
777 | | * key The derived key. |
778 | | * returns 0 on success, otherwise failure. |
779 | | */ |
780 | | static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key) |
781 | 0 | { |
782 | 0 | int ret; |
783 | 0 | WOLFSSL_MSG("Derive Client Traffic Secret"); |
784 | 0 | if (ssl == NULL || ssl->arrays == NULL) { |
785 | 0 | return BAD_FUNC_ARG; |
786 | 0 | } |
787 | | |
788 | | #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE) |
789 | | /* If this is called from a sniffer session with keylog file support, |
790 | | * obtain the appropriate secret from the callback */ |
791 | | if (ssl->snifferSecretCb != NULL) { |
792 | | return ssl->snifferSecretCb(ssl->arrays->clientRandom, |
793 | | SNIFFER_SECRET_CLIENT_TRAFFIC_SECRET, |
794 | | key); |
795 | | } |
796 | | #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */ |
797 | | |
798 | 0 | ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
799 | 0 | clientAppLabel, CLIENT_APP_LABEL_SZ, |
800 | 0 | ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END); |
801 | |
|
802 | | #ifdef HAVE_SECRET_CALLBACK |
803 | | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
804 | | ret = ssl->tls13SecretCb(ssl, CLIENT_TRAFFIC_SECRET, key, |
805 | | ssl->specs.hash_size, ssl->tls13SecretCtx); |
806 | | if (ret != 0) { |
807 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
808 | | return TLS13_SECRET_CB_E; |
809 | | } |
810 | | } |
811 | | #ifdef OPENSSL_EXTRA |
812 | | if (ret == 0 && ssl->tls13KeyLogCb != NULL) { |
813 | | ret = ssl->tls13KeyLogCb(ssl, CLIENT_TRAFFIC_SECRET, key, |
814 | | ssl->specs.hash_size, NULL); |
815 | | if (ret != 0) { |
816 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
817 | | return TLS13_SECRET_CB_E; |
818 | | } |
819 | | } |
820 | | #endif /* OPENSSL_EXTRA */ |
821 | | #endif /* HAVE_SECRET_CALLBACK */ |
822 | 0 | return ret; |
823 | 0 | } |
824 | | |
825 | | /* The length of the server application traffic label. */ |
826 | 0 | #define SERVER_APP_LABEL_SZ 12 |
827 | | /* The server application traffic label. */ |
828 | | static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] = |
829 | | "s ap traffic"; |
830 | | |
831 | | /* Derive the server application traffic key. |
832 | | * |
833 | | * ssl The SSL/TLS object. |
834 | | * key The derived key. |
835 | | * returns 0 on success, otherwise failure. |
836 | | */ |
837 | | static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key) |
838 | 0 | { |
839 | 0 | int ret; |
840 | 0 | WOLFSSL_MSG("Derive Server Traffic Secret"); |
841 | 0 | if (ssl == NULL || ssl->arrays == NULL) { |
842 | 0 | return BAD_FUNC_ARG; |
843 | 0 | } |
844 | | |
845 | | #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE) |
846 | | /* If this is called from a sniffer session with keylog file support, |
847 | | * obtain the appropriate secret from the callback */ |
848 | | if (ssl->snifferSecretCb != NULL) { |
849 | | return ssl->snifferSecretCb(ssl->arrays->clientRandom, |
850 | | SNIFFER_SECRET_SERVER_TRAFFIC_SECRET, |
851 | | key); |
852 | | } |
853 | | #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */ |
854 | | |
855 | 0 | ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
856 | 0 | serverAppLabel, SERVER_APP_LABEL_SZ, |
857 | 0 | ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END); |
858 | |
|
859 | | #ifdef HAVE_SECRET_CALLBACK |
860 | | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
861 | | ret = ssl->tls13SecretCb(ssl, SERVER_TRAFFIC_SECRET, key, |
862 | | ssl->specs.hash_size, ssl->tls13SecretCtx); |
863 | | if (ret != 0) { |
864 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
865 | | return TLS13_SECRET_CB_E; |
866 | | } |
867 | | } |
868 | | #ifdef OPENSSL_EXTRA |
869 | | if (ret == 0 && ssl->tls13KeyLogCb != NULL) { |
870 | | ret = ssl->tls13KeyLogCb(ssl, SERVER_TRAFFIC_SECRET, key, |
871 | | ssl->specs.hash_size, NULL); |
872 | | if (ret != 0) { |
873 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
874 | | return TLS13_SECRET_CB_E; |
875 | | } |
876 | | } |
877 | | #endif /* OPENSSL_EXTRA */ |
878 | | #endif /* HAVE_SECRET_CALLBACK */ |
879 | 0 | return ret; |
880 | 0 | } |
881 | | |
882 | | #ifdef HAVE_KEYING_MATERIAL |
883 | | /* The length of the exporter master secret label. */ |
884 | | #define EXPORTER_MASTER_LABEL_SZ 10 |
885 | | /* The exporter master secret label. */ |
886 | | static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] = |
887 | | "exp master"; |
888 | | |
889 | | /* Derive the exporter secret. |
890 | | * |
891 | | * ssl The SSL/TLS object. |
892 | | * key The derived key. |
893 | | * returns 0 on success, otherwise failure. |
894 | | */ |
895 | | static int DeriveExporterSecret(WOLFSSL* ssl, byte* key) |
896 | | { |
897 | | int ret; |
898 | | WOLFSSL_ENTER("Derive Exporter Secret"); |
899 | | if (ssl == NULL || ssl->arrays == NULL) { |
900 | | return BAD_FUNC_ARG; |
901 | | } |
902 | | ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret, |
903 | | exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ, |
904 | | ssl->specs.mac_algorithm, 1, 0 /* Unused */); |
905 | | #ifdef HAVE_SECRET_CALLBACK |
906 | | if (ret == 0 && ssl->tls13SecretCb != NULL) { |
907 | | ret = ssl->tls13SecretCb(ssl, EXPORTER_SECRET, key, |
908 | | ssl->specs.hash_size, ssl->tls13SecretCtx); |
909 | | if (ret != 0) { |
910 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
911 | | return TLS13_SECRET_CB_E; |
912 | | } |
913 | | } |
914 | | #ifdef OPENSSL_EXTRA |
915 | | if (ret == 0 && ssl->tls13KeyLogCb != NULL) { |
916 | | ret = ssl->tls13KeyLogCb(ssl, EXPORTER_SECRET, key, |
917 | | ssl->specs.hash_size, NULL); |
918 | | if (ret != 0) { |
919 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
920 | | return TLS13_SECRET_CB_E; |
921 | | } |
922 | | } |
923 | | #endif /* OPENSSL_EXTRA */ |
924 | | #endif /* HAVE_SECRET_CALLBACK */ |
925 | | return ret; |
926 | | } |
927 | | |
928 | | /* The length of the exporter label. */ |
929 | | #define EXPORTER_LABEL_SZ 8 |
930 | | /* The exporter label. */ |
931 | | static const byte exporterLabel[EXPORTER_LABEL_SZ + 1] = |
932 | | "exporter"; |
933 | | /* Hash("") */ |
934 | | #ifndef NO_SHA256 |
935 | | static const byte emptySHA256Hash[] = { |
936 | | 0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8, |
937 | | 0x99, 0x6F, 0xB9, 0x24, 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C, |
938 | | 0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55 |
939 | | }; |
940 | | #endif |
941 | | #ifdef WOLFSSL_SHA384 |
942 | | static const byte emptySHA384Hash[] = { |
943 | | 0x38, 0xB0, 0x60, 0xA7, 0x51, 0xAC, 0x96, 0x38, 0x4C, 0xD9, 0x32, 0x7E, |
944 | | 0xB1, 0xB1, 0xE3, 0x6A, 0x21, 0xFD, 0xB7, 0x11, 0x14, 0xBE, 0x07, 0x43, |
945 | | 0x4C, 0x0C, 0xC7, 0xBF, 0x63, 0xF6, 0xE1, 0xDA, 0x27, 0x4E, 0xDE, 0xBF, |
946 | | 0xE7, 0x6F, 0x65, 0xFB, 0xD5, 0x1A, 0xD2, 0xF1, 0x48, 0x98, 0xB9, 0x5B |
947 | | }; |
948 | | #endif |
949 | | #ifdef WOLFSSL_TLS13_SHA512 |
950 | | static const byte emptySHA512Hash[] = { |
951 | | 0xCF, 0x83, 0xE1, 0x35, 0x7E, 0xEF, 0xB8, 0xBD, 0xF1, 0x54, 0x28, 0x50, |
952 | | 0xD6, 0x6D, 0x80, 0x07, 0xD6, 0x20, 0xE4, 0x05, 0x0B, 0x57, 0x15, 0xDC, |
953 | | 0x83, 0xF4, 0xA9, 0x21, 0xD3, 0x6C, 0xE9, 0xCE, 0x47, 0xD0, 0xD1, 0x3C, |
954 | | 0x5D, 0x85, 0xF2, 0xB0, 0xFF, 0x83, 0x18, 0xD2, 0x87, 0x7E, 0xEC, 0x2F, |
955 | | 0x63, 0xB9, 0x31, 0xBD, 0x47, 0x41, 0x7A, 0x81, 0xA5, 0x38, 0x32, 0x7A, |
956 | | 0xF9, 0x27, 0xDA, 0x3E |
957 | | }; |
958 | | #endif |
959 | | #ifdef WOLFSSL_SM3 |
960 | | static const byte emptySM3Hash[] = { |
961 | | 0x1A, 0xB2, 0x1D, 0x83, 0x55, 0xCF, 0xA1, 0x7F, 0x8E, 0x61, 0x19, 0x48, |
962 | | 0x31, 0xE8, 0x1A, 0x8F, 0x22, 0xBE, 0xC8, 0xC7, 0x28, 0xFE, 0xFB, 0x74, |
963 | | 0x7E, 0xD0, 0x35, 0xEB, 0x50, 0x82, 0xAA, 0x2B |
964 | | }; |
965 | | #endif |
966 | | /** |
967 | | * Implement section 7.5 of RFC 8446 |
968 | | * @return 0 on success |
969 | | * <0 on failure |
970 | | */ |
971 | | int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen, |
972 | | const char *label, size_t labelLen, |
973 | | const unsigned char *context, size_t contextLen) |
974 | | { |
975 | | int ret; |
976 | | enum wc_HashType hashType = WC_HASH_TYPE_NONE; |
977 | | word32 hashLen = 0; |
978 | | byte hashOut[WC_MAX_DIGEST_SIZE]; |
979 | | const byte* emptyHash = NULL; |
980 | | byte firstExpand[WC_MAX_DIGEST_SIZE]; |
981 | | const byte* protocol = tls13ProtocolLabel; |
982 | | word32 protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
983 | | |
984 | | if (ssl->options.dtls && ssl->version.minor != DTLSv1_3_MINOR) |
985 | | return VERSION_ERROR; |
986 | | |
987 | | if (!ssl->options.dtls && ssl->version.minor != TLSv1_3_MINOR) |
988 | | return VERSION_ERROR; |
989 | | |
990 | | #ifdef WOLFSSL_DTLS13 |
991 | | if (ssl->options.dtls) { |
992 | | protocol = dtls13ProtocolLabel; |
993 | | protocolLen = DTLS13_PROTOCOL_LABEL_SZ; |
994 | | } |
995 | | #endif /* WOLFSSL_DTLS13 */ |
996 | | |
997 | | /* Sanity check contextLen to prevent truncation when cast to word32. */ |
998 | | if (contextLen > WOLFSSL_MAX_32BIT) |
999 | | return BAD_FUNC_ARG; |
1000 | | /* RFC 8446 HkdfLabel encodes the output length as a uint16, so requested |
1001 | | * lengths > 65535 cannot be represented and must be rejected. */ |
1002 | | if (outLen > WOLFSSL_MAX_16BIT) |
1003 | | return BAD_FUNC_ARG; |
1004 | | /* RFC 8446 HkdfLabel encodes the label length in a single byte, so |
1005 | | * anything > 255 cannot be represented and must be rejected. |
1006 | | * The protocol length is included in the label. */ |
1007 | | if ((labelLen + protocolLen) > WOLFSSL_MAX_8BIT) |
1008 | | return BAD_FUNC_ARG; |
1009 | | |
1010 | | switch (ssl->specs.mac_algorithm) { |
1011 | | #ifndef NO_SHA256 |
1012 | | case sha256_mac: |
1013 | | hashType = WC_HASH_TYPE_SHA256; |
1014 | | hashLen = WC_SHA256_DIGEST_SIZE; |
1015 | | emptyHash = emptySHA256Hash; |
1016 | | break; |
1017 | | #endif |
1018 | | |
1019 | | #ifdef WOLFSSL_SHA384 |
1020 | | case sha384_mac: |
1021 | | hashType = WC_HASH_TYPE_SHA384; |
1022 | | hashLen = WC_SHA384_DIGEST_SIZE; |
1023 | | emptyHash = emptySHA384Hash; |
1024 | | break; |
1025 | | #endif |
1026 | | |
1027 | | #ifdef WOLFSSL_TLS13_SHA512 |
1028 | | case sha512_mac: |
1029 | | hashType = WC_HASH_TYPE_SHA512; |
1030 | | hashLen = WC_SHA512_DIGEST_SIZE; |
1031 | | emptyHash = emptySHA512Hash; |
1032 | | break; |
1033 | | #endif |
1034 | | |
1035 | | #ifdef WOLFSSL_SM3 |
1036 | | case sm3_mac: |
1037 | | hashType = WC_HASH_TYPE_SM3; |
1038 | | hashLen = WC_SM3_DIGEST_SIZE; |
1039 | | emptyHash = emptySM3Hash; |
1040 | | break; |
1041 | | #endif |
1042 | | |
1043 | | default: |
1044 | | return BAD_FUNC_ARG; |
1045 | | } |
1046 | | |
1047 | | /* Derive-Secret(Secret, label, "") */ |
1048 | | ret = Tls13HKDFExpandLabel(ssl, firstExpand, hashLen, |
1049 | | ssl->arrays->exporterSecret, hashLen, |
1050 | | protocol, protocolLen, (byte*)label, (word32)labelLen, |
1051 | | emptyHash, hashLen, (int)hashType); |
1052 | | if (ret != 0) |
1053 | | goto cleanup; |
1054 | | |
1055 | | /* Hash(context_value) */ |
1056 | | ret = wc_Hash(hashType, context, (word32)contextLen, hashOut, WC_MAX_DIGEST_SIZE); |
1057 | | if (ret != 0) |
1058 | | goto cleanup; |
1059 | | |
1060 | | ret = Tls13HKDFExpandLabel(ssl, out, (word32)outLen, firstExpand, hashLen, |
1061 | | protocol, protocolLen, exporterLabel, EXPORTER_LABEL_SZ, |
1062 | | hashOut, hashLen, (int)hashType); |
1063 | | |
1064 | | cleanup: |
1065 | | /* firstExpand is the per-label Derive-Secret PRK and hashOut holds |
1066 | | * Hash(context_value); wipe both before the stack frame is reclaimed. */ |
1067 | | ForceZero(firstExpand, sizeof(firstExpand)); |
1068 | | ForceZero(hashOut, sizeof(hashOut)); |
1069 | | return ret; |
1070 | | } |
1071 | | #endif |
1072 | | |
1073 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
1074 | | /* The length of the resumption master secret label. */ |
1075 | | #define RESUME_MASTER_LABEL_SZ 10 |
1076 | | /* The resumption master secret label. */ |
1077 | | static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] = |
1078 | | "res master"; |
1079 | | |
1080 | | /* Derive the resumption secret. |
1081 | | * |
1082 | | * ssl The SSL/TLS object. |
1083 | | * key The derived key. |
1084 | | * returns 0 on success, otherwise failure. |
1085 | | */ |
1086 | | int DeriveResumptionSecret(WOLFSSL* ssl, byte* key) |
1087 | | { |
1088 | | byte* masterSecret; |
1089 | | |
1090 | | WOLFSSL_MSG("Derive Resumption Secret"); |
1091 | | if (ssl == NULL) { |
1092 | | return BAD_FUNC_ARG; |
1093 | | } |
1094 | | if (ssl->arrays != NULL) { |
1095 | | masterSecret = ssl->arrays->masterSecret; |
1096 | | } |
1097 | | else { |
1098 | | masterSecret = ssl->session->masterSecret; |
1099 | | } |
1100 | | return Tls13DeriveKey(ssl, key, -1, masterSecret, resumeMasterLabel, |
1101 | | RESUME_MASTER_LABEL_SZ, ssl->specs.mac_algorithm, 1, |
1102 | | 0 /* Unused */); |
1103 | | } |
1104 | | #endif |
1105 | | |
1106 | | /* Length of the finished label. */ |
1107 | 0 | #define FINISHED_LABEL_SZ 8 |
1108 | | /* Finished label for generating finished key. */ |
1109 | | static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished"; |
1110 | | /* Derive the finished secret. |
1111 | | * |
1112 | | * ssl The SSL/TLS object. |
1113 | | * key The key to use with the HMAC. |
1114 | | * secret The derived secret. |
1115 | | * side The side that we are deriving the secret for. |
1116 | | * returns 0 on success, otherwise failure. |
1117 | | */ |
1118 | | static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret, |
1119 | | int side) |
1120 | 0 | { |
1121 | 0 | WOLFSSL_MSG("Derive Finished Secret"); |
1122 | 0 | return Tls13DeriveKey(ssl, secret, -1, key, finishedLabel, |
1123 | 0 | FINISHED_LABEL_SZ, ssl->specs.mac_algorithm, 0, |
1124 | 0 | side); |
1125 | 0 | } |
1126 | | |
1127 | | /* The length of the application traffic label. */ |
1128 | 0 | #define APP_TRAFFIC_LABEL_SZ 11 |
1129 | | /* The application traffic label. */ |
1130 | | static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] = |
1131 | | "traffic upd"; |
1132 | | |
1133 | | /* Update the traffic secret. |
1134 | | * |
1135 | | * ssl The SSL/TLS object. |
1136 | | * secret The previous secret and derived secret. |
1137 | | * side The side that we are deriving the secret for. |
1138 | | * returns 0 on success, otherwise failure. |
1139 | | */ |
1140 | | static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret, int side) |
1141 | 0 | { |
1142 | 0 | WOLFSSL_MSG("Derive New Application Traffic Secret"); |
1143 | 0 | return Tls13DeriveKey(ssl, secret, -1, secret, |
1144 | 0 | appTrafficLabel, APP_TRAFFIC_LABEL_SZ, |
1145 | 0 | ssl->specs.mac_algorithm, 0, side); |
1146 | 0 | } |
1147 | | |
1148 | | |
1149 | | static int Tls13_HKDF_Extract(WOLFSSL *ssl, byte* prk, const byte* salt, |
1150 | | int saltLen, byte* ikm, int ikmLen, int digest) |
1151 | 0 | { |
1152 | 0 | int ret; |
1153 | | #ifdef HAVE_PK_CALLBACKS |
1154 | | void *cb_ctx = ssl->HkdfExtractCtx; |
1155 | | CallbackHKDFExtract cb = ssl->ctx->HkdfExtractCb; |
1156 | | if (cb != NULL) { |
1157 | | ret = cb(prk, salt, (word32)saltLen, ikm, (word32)ikmLen, digest, cb_ctx); |
1158 | | } |
1159 | | else |
1160 | | #endif |
1161 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
1162 | | if ((int)ssl->arrays->psk_keySz < 0) { |
1163 | | ret = PSK_KEY_ERROR; |
1164 | | } |
1165 | | else |
1166 | | #endif |
1167 | 0 | { |
1168 | 0 | #if !defined(HAVE_FIPS) || \ |
1169 | 0 | (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0)) |
1170 | 0 | ret = wc_Tls13_HKDF_Extract_ex(prk, salt, (word32)saltLen, ikm, (word32)ikmLen, digest, |
1171 | 0 | ssl->heap, ssl->devId); |
1172 | | #else |
1173 | | ret = wc_Tls13_HKDF_Extract(prk, salt, saltLen, ikm, ikmLen, digest); |
1174 | | (void)ssl; |
1175 | | #endif |
1176 | 0 | } |
1177 | 0 | return ret; |
1178 | 0 | } |
1179 | | |
1180 | | /* Derive the early secret using HKDF Extract. |
1181 | | * |
1182 | | * ssl The SSL/TLS object. |
1183 | | */ |
1184 | | int DeriveEarlySecret(WOLFSSL* ssl) |
1185 | 0 | { |
1186 | 0 | int ret; |
1187 | |
|
1188 | 0 | WOLFSSL_MSG("Derive Early Secret"); |
1189 | 0 | if (ssl == NULL || ssl->arrays == NULL) { |
1190 | 0 | return BAD_FUNC_ARG; |
1191 | 0 | } |
1192 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
1193 | | ret = tsip_Tls13DeriveEarlySecret(ssl); |
1194 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
1195 | | return ret; |
1196 | | #endif |
1197 | 0 | PRIVATE_KEY_UNLOCK(); |
1198 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
1199 | | ret = Tls13_HKDF_Extract(ssl, ssl->arrays->secret, NULL, 0, |
1200 | | ssl->arrays->psk_key, (int)ssl->arrays->psk_keySz, |
1201 | | mac2hash(ssl->specs.mac_algorithm)); |
1202 | | #else |
1203 | 0 | ret = Tls13_HKDF_Extract(ssl, ssl->arrays->secret, NULL, 0, |
1204 | 0 | ssl->arrays->masterSecret, 0, mac2hash(ssl->specs.mac_algorithm)); |
1205 | 0 | #endif |
1206 | 0 | PRIVATE_KEY_LOCK(); |
1207 | 0 | return ret; |
1208 | 0 | } |
1209 | | |
1210 | | /* The length of the derived label. */ |
1211 | 0 | #define DERIVED_LABEL_SZ 7 |
1212 | | /* The derived label. */ |
1213 | | static const byte derivedLabel[DERIVED_LABEL_SZ + 1] = |
1214 | | "derived"; |
1215 | | |
1216 | | /* Derive the handshake secret using HKDF Extract. |
1217 | | * |
1218 | | * ssl The SSL/TLS object. |
1219 | | */ |
1220 | | int DeriveHandshakeSecret(WOLFSSL* ssl) |
1221 | 0 | { |
1222 | 0 | byte key[WC_MAX_DIGEST_SIZE]; |
1223 | 0 | int ret; |
1224 | 0 | WOLFSSL_MSG("Derive Handshake Secret"); |
1225 | 0 | if (ssl == NULL || ssl->arrays == NULL) { |
1226 | 0 | return BAD_FUNC_ARG; |
1227 | 0 | } |
1228 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
1229 | | ret = tsip_Tls13DeriveHandshakeSecret(ssl); |
1230 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
1231 | | return ret; |
1232 | | #endif |
1233 | | |
1234 | | /* Derive-Secret(., "derived", "") per RFC 8446 Section 7.1. |
1235 | | * Empty hash (NULL, 0) is required by the TLS 1.3 key schedule. */ |
1236 | 0 | ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret, |
1237 | 0 | derivedLabel, DERIVED_LABEL_SZ, |
1238 | 0 | NULL, 0, ssl->specs.mac_algorithm); |
1239 | 0 | if (ret == 0) { |
1240 | 0 | PRIVATE_KEY_UNLOCK(); |
1241 | 0 | ret = Tls13_HKDF_Extract(ssl, ssl->arrays->preMasterSecret, |
1242 | 0 | key, ssl->specs.hash_size, |
1243 | 0 | ssl->arrays->preMasterSecret, (int)ssl->arrays->preMasterSz, |
1244 | 0 | mac2hash(ssl->specs.mac_algorithm)); |
1245 | 0 | PRIVATE_KEY_LOCK(); |
1246 | 0 | } |
1247 | |
|
1248 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
1249 | | wc_MemZero_Add("DeriveHandshakeSecret key", key, WC_MAX_DIGEST_SIZE); |
1250 | | #endif |
1251 | 0 | ForceZero(key, sizeof(key)); |
1252 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
1253 | | wc_MemZero_Check(key, sizeof(key)); |
1254 | | #endif |
1255 | 0 | return ret; |
1256 | 0 | } |
1257 | | |
1258 | | /* Derive the master secret using HKDF Extract. |
1259 | | * |
1260 | | * ssl The SSL/TLS object. |
1261 | | */ |
1262 | | int DeriveMasterSecret(WOLFSSL* ssl) |
1263 | 0 | { |
1264 | 0 | byte key[WC_MAX_DIGEST_SIZE]; |
1265 | 0 | int ret; |
1266 | 0 | WOLFSSL_MSG("Derive Master Secret"); |
1267 | 0 | if (ssl == NULL || ssl->arrays == NULL) { |
1268 | 0 | return BAD_FUNC_ARG; |
1269 | 0 | } |
1270 | | |
1271 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
1272 | | ret = tsip_Tls13DeriveMasterSecret(ssl); |
1273 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) |
1274 | | return ret; |
1275 | | #endif |
1276 | | |
1277 | | /* Derive-Secret(., "derived", "") per RFC 8446 Section 7.1. |
1278 | | * Empty hash (NULL, 0) is required by the TLS 1.3 key schedule. */ |
1279 | 0 | ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret, |
1280 | 0 | derivedLabel, DERIVED_LABEL_SZ, |
1281 | 0 | NULL, 0, ssl->specs.mac_algorithm); |
1282 | 0 | if (ret == 0) { |
1283 | 0 | PRIVATE_KEY_UNLOCK(); |
1284 | 0 | ret = Tls13_HKDF_Extract(ssl, ssl->arrays->masterSecret, |
1285 | 0 | key, ssl->specs.hash_size, |
1286 | 0 | ssl->arrays->masterSecret, 0, |
1287 | 0 | mac2hash(ssl->specs.mac_algorithm)); |
1288 | 0 | PRIVATE_KEY_LOCK(); |
1289 | 0 | } |
1290 | |
|
1291 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
1292 | | wc_MemZero_Add("DeriveMasterSecret key", key, WC_MAX_DIGEST_SIZE); |
1293 | | #endif |
1294 | 0 | ForceZero(key, sizeof(key)); |
1295 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
1296 | | wc_MemZero_Check(key, sizeof(key)); |
1297 | | #endif |
1298 | |
|
1299 | | #ifdef HAVE_KEYING_MATERIAL |
1300 | | if (ret != 0) |
1301 | | return ret; |
1302 | | /* Calculate exporter secret only when saving arrays */ |
1303 | | if (ssl->options.saveArrays) |
1304 | | ret = DeriveExporterSecret(ssl, ssl->arrays->exporterSecret); |
1305 | | #endif |
1306 | |
|
1307 | 0 | return ret; |
1308 | 0 | } |
1309 | | |
1310 | | #if defined(HAVE_SESSION_TICKET) |
1311 | | /* Length of the resumption label. */ |
1312 | | #define RESUMPTION_LABEL_SZ 10 |
1313 | | /* Resumption label for generating PSK associated with the ticket. */ |
1314 | | static const byte resumptionLabel[RESUMPTION_LABEL_SZ+1] = "resumption"; |
1315 | | |
1316 | | /* Derive the PSK associated with the ticket. |
1317 | | * |
1318 | | * ssl The SSL/TLS object. |
1319 | | * nonce The nonce to derive with. |
1320 | | * nonceLen The length of the nonce to derive with. |
1321 | | * secret The derived secret. |
1322 | | * returns 0 on success, otherwise failure. |
1323 | | */ |
1324 | | int DeriveResumptionPSK(WOLFSSL* ssl, byte* nonce, byte nonceLen, byte* secret) |
1325 | | { |
1326 | | int digestAlg; |
1327 | | /* Only one protocol version defined at this time. */ |
1328 | | const byte* protocol = tls13ProtocolLabel; |
1329 | | word32 protocolLen = TLS13_PROTOCOL_LABEL_SZ; |
1330 | | int ret; |
1331 | | |
1332 | | WOLFSSL_MSG("Derive Resumption PSK"); |
1333 | | |
1334 | | #ifdef WOLFSSL_DTLS13 |
1335 | | if (ssl->options.dtls) { |
1336 | | protocol = dtls13ProtocolLabel; |
1337 | | protocolLen = DTLS13_PROTOCOL_LABEL_SZ; |
1338 | | } |
1339 | | #endif /* WOLFSSL_DTLS13 */ |
1340 | | |
1341 | | switch (ssl->specs.mac_algorithm) { |
1342 | | #ifndef NO_SHA256 |
1343 | | case sha256_mac: |
1344 | | digestAlg = WC_SHA256; |
1345 | | break; |
1346 | | #endif |
1347 | | |
1348 | | #ifdef WOLFSSL_SHA384 |
1349 | | case sha384_mac: |
1350 | | digestAlg = WC_SHA384; |
1351 | | break; |
1352 | | #endif |
1353 | | |
1354 | | #ifdef WOLFSSL_TLS13_SHA512 |
1355 | | case sha512_mac: |
1356 | | digestAlg = WC_SHA512; |
1357 | | break; |
1358 | | #endif |
1359 | | |
1360 | | #ifdef WOLFSSL_SM3 |
1361 | | case sm3_mac: |
1362 | | digestAlg = WC_SM3; |
1363 | | break; |
1364 | | #endif |
1365 | | |
1366 | | default: |
1367 | | return BAD_FUNC_ARG; |
1368 | | } |
1369 | | |
1370 | | #if defined(WOLFSSL_TICKET_NONCE_MALLOC) && \ |
1371 | | (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) |
1372 | | PRIVATE_KEY_UNLOCK(); |
1373 | | ret = wc_Tls13_HKDF_Expand_Label_Alloc(secret, ssl->specs.hash_size, |
1374 | | ssl->session->masterSecret, ssl->specs.hash_size, protocol, protocolLen, |
1375 | | resumptionLabel, RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg, |
1376 | | ssl->heap); |
1377 | | PRIVATE_KEY_LOCK(); |
1378 | | #else |
1379 | | ret = Tls13HKDFExpandLabel(ssl, secret, ssl->specs.hash_size, |
1380 | | ssl->session->masterSecret, ssl->specs.hash_size, |
1381 | | protocol, protocolLen, resumptionLabel, |
1382 | | RESUMPTION_LABEL_SZ, nonce, nonceLen, digestAlg); |
1383 | | #endif /* !defined(HAVE_FIPS) || FIPS_VERSION_GE(5,3) */ |
1384 | | return ret; |
1385 | | } |
1386 | | #endif /* HAVE_SESSION_TICKET */ |
1387 | | |
1388 | | |
1389 | | /* Calculate the HMAC of message data to this point. |
1390 | | * |
1391 | | * ssl The SSL/TLS object. |
1392 | | * key The HMAC key. |
1393 | | * hash The hash result - verify data. |
1394 | | * returns length of verify data generated. |
1395 | | */ |
1396 | | static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash, |
1397 | | word32* pHashSz) |
1398 | 0 | { |
1399 | 0 | WC_DECLARE_VAR(verifyHmac, Hmac, 1, 0); |
1400 | 0 | int hashType = WC_SHA256; |
1401 | 0 | int hashSz = WC_SHA256_DIGEST_SIZE; |
1402 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
1403 | |
|
1404 | 0 | if (ssl == NULL || key == NULL || hash == NULL) { |
1405 | 0 | return BAD_FUNC_ARG; |
1406 | 0 | } |
1407 | | |
1408 | | /* Get the hash of the previous handshake messages. */ |
1409 | 0 | switch (ssl->specs.mac_algorithm) { |
1410 | 0 | #ifndef NO_SHA256 |
1411 | 0 | case sha256_mac: |
1412 | 0 | hashType = WC_SHA256; |
1413 | 0 | hashSz = WC_SHA256_DIGEST_SIZE; |
1414 | 0 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
1415 | 0 | break; |
1416 | 0 | #endif /* !NO_SHA256 */ |
1417 | 0 | #ifdef WOLFSSL_SHA384 |
1418 | 0 | case sha384_mac: |
1419 | 0 | hashType = WC_SHA384; |
1420 | 0 | hashSz = WC_SHA384_DIGEST_SIZE; |
1421 | 0 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
1422 | 0 | break; |
1423 | 0 | #endif /* WOLFSSL_SHA384 */ |
1424 | | #ifdef WOLFSSL_TLS13_SHA512 |
1425 | | case sha512_mac: |
1426 | | hashType = WC_SHA512; |
1427 | | hashSz = WC_SHA512_DIGEST_SIZE; |
1428 | | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash); |
1429 | | break; |
1430 | | #endif /* WOLFSSL_TLS13_SHA512 */ |
1431 | | #ifdef WOLFSSL_SM3 |
1432 | | case sm3_mac: |
1433 | | hashType = WC_SM3; |
1434 | | hashSz = WC_SM3_DIGEST_SIZE; |
1435 | | ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash); |
1436 | | break; |
1437 | | #endif /* WOLFSSL_SM3 */ |
1438 | 0 | default: |
1439 | 0 | ret = BAD_FUNC_ARG; |
1440 | 0 | break; |
1441 | 0 | } |
1442 | 0 | if (ret != 0) |
1443 | 0 | return ret; |
1444 | | |
1445 | | #ifdef WOLFSSL_DEBUG_TLS |
1446 | | WOLFSSL_MSG(" Key"); |
1447 | | WOLFSSL_BUFFER(key, ssl->specs.hash_size); |
1448 | | WOLFSSL_MSG(" Msg Hash"); |
1449 | | WOLFSSL_BUFFER(hash, hashSz); |
1450 | | #endif |
1451 | | |
1452 | 0 | WC_ALLOC_VAR_EX(verifyHmac, Hmac, 1, NULL, DYNAMIC_TYPE_HMAC, |
1453 | 0 | return MEMORY_E); |
1454 | | |
1455 | | /* Calculate the verify data. */ |
1456 | 0 | ret = wc_HmacInit(verifyHmac, ssl->heap, ssl->devId); |
1457 | 0 | if (ret == 0) { |
1458 | 0 | ret = wc_HmacSetKey(verifyHmac, hashType, key, ssl->specs.hash_size); |
1459 | 0 | if (ret == 0) |
1460 | 0 | ret = wc_HmacUpdate(verifyHmac, hash, (word32)hashSz); |
1461 | 0 | if (ret == 0) |
1462 | 0 | ret = wc_HmacFinal(verifyHmac, hash); |
1463 | 0 | wc_HmacFree(verifyHmac); |
1464 | 0 | } |
1465 | |
|
1466 | 0 | WC_FREE_VAR_EX(verifyHmac, NULL, DYNAMIC_TYPE_HMAC); |
1467 | |
|
1468 | | #ifdef WOLFSSL_DEBUG_TLS |
1469 | | WOLFSSL_MSG(" Hash"); |
1470 | | WOLFSSL_BUFFER(hash, hashSz); |
1471 | | #endif |
1472 | |
|
1473 | 0 | if (pHashSz) |
1474 | 0 | *pHashSz = (word32)hashSz; |
1475 | |
|
1476 | 0 | return ret; |
1477 | 0 | } |
1478 | | |
1479 | | /* The length of the label to use when deriving keys. */ |
1480 | 0 | #define WRITE_KEY_LABEL_SZ 3 |
1481 | | /* The length of the label to use when deriving IVs. */ |
1482 | 0 | #define WRITE_IV_LABEL_SZ 2 |
1483 | | /* The label to use when deriving keys. */ |
1484 | | static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key"; |
1485 | | /* The label to use when deriving IVs. */ |
1486 | | static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1] = "iv"; |
1487 | | |
1488 | | /* Derive the keys and IVs for TLS v1.3. |
1489 | | * |
1490 | | * ssl The SSL/TLS object. |
1491 | | * secret early_data_key when deriving the key and IV for encrypting early |
1492 | | * data application data and end_of_early_data messages. |
1493 | | * handshake_key when deriving keys and IVs for encrypting handshake |
1494 | | * messages. |
1495 | | * traffic_key when deriving first keys and IVs for encrypting |
1496 | | * traffic messages. |
1497 | | * update_traffic_key when deriving next keys and IVs for encrypting |
1498 | | * traffic messages. |
1499 | | * no_key when deriving keys and IVs from existing secrets without |
1500 | | * re-deriving the secrets. Used during early data transitions. |
1501 | | * side ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived. |
1502 | | * DECRYPT_SIDE_ONLY when only decryption secret needs to be derived. |
1503 | | * ENCRYPT_AND_DECRYPT_SIDE when both secret needs to be derived. |
1504 | | * store 1 indicates to derive the keys and IVs from derived secret and |
1505 | | * store ready for provisioning. |
1506 | | * returns 0 on success, otherwise failure. |
1507 | | */ |
1508 | | int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store) |
1509 | 0 | { |
1510 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); /* Assume failure */ |
1511 | 0 | int i = 0; |
1512 | 0 | WC_DECLARE_VAR(key_dig, byte, MAX_PRF_DIG, 0); |
1513 | 0 | int provision; |
1514 | |
|
1515 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
1516 | | ret = tsip_Tls13DeriveKeys(ssl, secret, side); |
1517 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { |
1518 | | return ret; |
1519 | | } |
1520 | | ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); /* Assume failure */ |
1521 | | #endif |
1522 | |
|
1523 | 0 | WC_ALLOC_VAR_EX(key_dig, byte, MAX_PRF_DIG, ssl->heap, |
1524 | 0 | DYNAMIC_TYPE_DIGEST, return MEMORY_E); |
1525 | |
|
1526 | 0 | if (side == ENCRYPT_AND_DECRYPT_SIDE) { |
1527 | 0 | provision = PROVISION_CLIENT_SERVER; |
1528 | 0 | } |
1529 | 0 | else { |
1530 | 0 | provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^ |
1531 | 0 | (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT : |
1532 | 0 | PROVISION_SERVER; |
1533 | 0 | } |
1534 | | |
1535 | | /* Derive the appropriate secret to use in the HKDF. */ |
1536 | 0 | switch (secret) { |
1537 | | #ifdef WOLFSSL_EARLY_DATA |
1538 | | case early_data_key: |
1539 | | ret = DeriveEarlyTrafficSecret(ssl, ssl->clientSecret, |
1540 | | WOLFSSL_CLIENT_END); |
1541 | | if (ret != 0) |
1542 | | goto end; |
1543 | | break; |
1544 | | #endif |
1545 | | |
1546 | 0 | case handshake_key: |
1547 | 0 | if (provision & PROVISION_CLIENT) { |
1548 | 0 | ret = DeriveClientHandshakeSecret(ssl, |
1549 | 0 | ssl->clientSecret); |
1550 | 0 | if (ret != 0) |
1551 | 0 | goto end; |
1552 | 0 | } |
1553 | 0 | if (provision & PROVISION_SERVER) { |
1554 | 0 | ret = DeriveServerHandshakeSecret(ssl, |
1555 | 0 | ssl->serverSecret); |
1556 | 0 | if (ret != 0) |
1557 | 0 | goto end; |
1558 | 0 | } |
1559 | 0 | break; |
1560 | | |
1561 | 0 | case traffic_key: |
1562 | 0 | if (provision & PROVISION_CLIENT) { |
1563 | 0 | ret = DeriveClientTrafficSecret(ssl, ssl->clientSecret); |
1564 | 0 | if (ret != 0) |
1565 | 0 | goto end; |
1566 | 0 | } |
1567 | 0 | if (provision & PROVISION_SERVER) { |
1568 | 0 | ret = DeriveServerTrafficSecret(ssl, ssl->serverSecret); |
1569 | 0 | if (ret != 0) |
1570 | 0 | goto end; |
1571 | 0 | } |
1572 | 0 | break; |
1573 | | |
1574 | 0 | case update_traffic_key: |
1575 | 0 | if (provision & PROVISION_CLIENT) { |
1576 | 0 | ret = DeriveTrafficSecret(ssl, ssl->clientSecret, |
1577 | 0 | WOLFSSL_CLIENT_END); |
1578 | 0 | if (ret != 0) |
1579 | 0 | goto end; |
1580 | 0 | } |
1581 | 0 | if (provision & PROVISION_SERVER) { |
1582 | 0 | ret = DeriveTrafficSecret(ssl, ssl->serverSecret, |
1583 | 0 | WOLFSSL_SERVER_END); |
1584 | 0 | if (ret != 0) |
1585 | 0 | goto end; |
1586 | 0 | } |
1587 | 0 | break; |
1588 | | |
1589 | 0 | case no_key: |
1590 | | /* Called with early data to derive keys from existing secrets |
1591 | | * without re-deriving the secrets themselves. */ |
1592 | 0 | ret = 0; |
1593 | 0 | break; |
1594 | | |
1595 | 0 | default: |
1596 | 0 | ret = BAD_FUNC_ARG; |
1597 | 0 | break; |
1598 | 0 | } |
1599 | | |
1600 | | #ifdef WOLFSSL_QUIC |
1601 | | if (WOLFSSL_IS_QUIC(ssl)) { |
1602 | | ret = wolfSSL_quic_forward_secrets(ssl, secret, side); |
1603 | | if (ret != 0) |
1604 | | goto end; |
1605 | | } |
1606 | | #endif /* WOLFSSL_QUIC */ |
1607 | | |
1608 | 0 | if (!store) |
1609 | 0 | goto end; |
1610 | | |
1611 | | /* Key data = client key | server key | client IV | server IV */ |
1612 | | |
1613 | 0 | if (provision & PROVISION_CLIENT) { |
1614 | | /* Derive the client key. */ |
1615 | 0 | WOLFSSL_MSG("Derive Client Key"); |
1616 | 0 | ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.key_size, |
1617 | 0 | ssl->clientSecret, writeKeyLabel, |
1618 | 0 | WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0, |
1619 | 0 | WOLFSSL_CLIENT_END); |
1620 | 0 | if (ret != 0) |
1621 | 0 | goto end; |
1622 | 0 | i += ssl->specs.key_size; |
1623 | 0 | } |
1624 | | |
1625 | 0 | if (provision & PROVISION_SERVER) { |
1626 | | /* Derive the server key. */ |
1627 | 0 | WOLFSSL_MSG("Derive Server Key"); |
1628 | 0 | ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.key_size, |
1629 | 0 | ssl->serverSecret, writeKeyLabel, |
1630 | 0 | WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0, |
1631 | 0 | WOLFSSL_SERVER_END); |
1632 | 0 | if (ret != 0) |
1633 | 0 | goto end; |
1634 | 0 | i += ssl->specs.key_size; |
1635 | 0 | } |
1636 | | |
1637 | 0 | if (provision & PROVISION_CLIENT) { |
1638 | | /* Derive the client IV. */ |
1639 | 0 | WOLFSSL_MSG("Derive Client IV"); |
1640 | 0 | ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size, |
1641 | 0 | ssl->clientSecret, writeIVLabel, |
1642 | 0 | WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0, |
1643 | 0 | WOLFSSL_CLIENT_END); |
1644 | 0 | if (ret != 0) |
1645 | 0 | goto end; |
1646 | 0 | i += ssl->specs.iv_size; |
1647 | 0 | } |
1648 | | |
1649 | 0 | if (provision & PROVISION_SERVER) { |
1650 | | /* Derive the server IV. */ |
1651 | 0 | WOLFSSL_MSG("Derive Server IV"); |
1652 | 0 | ret = Tls13DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size, |
1653 | 0 | ssl->serverSecret, writeIVLabel, |
1654 | 0 | WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0, |
1655 | 0 | WOLFSSL_SERVER_END); |
1656 | 0 | if (ret != 0) |
1657 | 0 | goto end; |
1658 | 0 | i += ssl->specs.iv_size; |
1659 | 0 | } |
1660 | | |
1661 | | /* Store keys and IVs but don't activate them. */ |
1662 | 0 | ret = StoreKeys(ssl, key_dig, provision); |
1663 | |
|
1664 | | #ifdef WOLFSSL_DTLS13 |
1665 | | if (ret != 0) |
1666 | | goto end; |
1667 | | |
1668 | | if (ssl->options.dtls) { |
1669 | | w64wrapper epochNumber; |
1670 | | ret = Dtls13DeriveSnKeys(ssl, provision); |
1671 | | if (ret != 0) |
1672 | | goto end; |
1673 | | |
1674 | | switch (secret) { |
1675 | | case early_data_key: |
1676 | | epochNumber = w64From32(0, DTLS13_EPOCH_EARLYDATA); |
1677 | | break; |
1678 | | case handshake_key: |
1679 | | epochNumber = w64From32(0, DTLS13_EPOCH_HANDSHAKE); |
1680 | | break; |
1681 | | case traffic_key: |
1682 | | case no_key: |
1683 | | epochNumber = w64From32(0, DTLS13_EPOCH_TRAFFIC0); |
1684 | | break; |
1685 | | case update_traffic_key: |
1686 | | if (side == ENCRYPT_SIDE_ONLY) { |
1687 | | epochNumber = ssl->dtls13Epoch; |
1688 | | } |
1689 | | else if (side == DECRYPT_SIDE_ONLY) { |
1690 | | epochNumber = ssl->dtls13PeerEpoch; |
1691 | | } |
1692 | | else { |
1693 | | ret = BAD_STATE_E; |
1694 | | goto end; |
1695 | | } |
1696 | | w64Increment(&epochNumber); |
1697 | | break; |
1698 | | default: |
1699 | | ret = BAD_STATE_E; |
1700 | | goto end; |
1701 | | } |
1702 | | ret = Dtls13NewEpoch(ssl, epochNumber, side); |
1703 | | if (ret != 0) |
1704 | | goto end; |
1705 | | } |
1706 | | |
1707 | | #endif /* WOLFSSL_DTLS13 */ |
1708 | |
|
1709 | 0 | end: |
1710 | 0 | ForceZero(key_dig, (word32)i); |
1711 | | #ifdef WOLFSSL_SMALL_STACK |
1712 | | XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST); |
1713 | | #elif defined(WOLFSSL_CHECK_MEM_ZERO) |
1714 | | wc_MemZero_Check(key_dig, MAX_PRF_DIG); |
1715 | | #endif |
1716 | |
|
1717 | 0 | if (ret != 0) { |
1718 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
1719 | 0 | } |
1720 | |
|
1721 | 0 | return ret; |
1722 | 0 | } |
1723 | | |
1724 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) || defined(WOLFSSL_DTLS13) |
1725 | | #ifdef WOLFSSL_32BIT_MILLI_TIME |
1726 | | #ifndef NO_ASN_TIME |
1727 | | #if defined(USER_TICKS) |
1728 | | #if 0 |
1729 | | word32 TimeNowInMilliseconds(void) |
1730 | | { |
1731 | | /* |
1732 | | write your own clock tick function if don't want gettimeofday() |
1733 | | needs millisecond accuracy but doesn't have to correlated to EPOCH |
1734 | | */ |
1735 | | } |
1736 | | #endif |
1737 | | |
1738 | | #elif defined(TIME_OVERRIDES) |
1739 | | #if !defined(NO_ASN) && !defined(NO_ASN_TIME) |
1740 | | word32 TimeNowInMilliseconds(void) |
1741 | | { |
1742 | | return (word32) wc_Time(0) * 1000; |
1743 | | } |
1744 | | #else |
1745 | | #ifndef HAVE_TIME_T_TYPE |
1746 | | typedef long time_t; |
1747 | | #endif |
1748 | | extern time_t XTIME(time_t * timer); |
1749 | | |
1750 | | /* The time in milliseconds. |
1751 | | * Used for tickets to represent difference between when first seen and when |
1752 | | * sending. |
1753 | | * |
1754 | | * returns the time in milliseconds as a 32-bit value. |
1755 | | */ |
1756 | | word32 TimeNowInMilliseconds(void) |
1757 | | { |
1758 | | return (word32) XTIME(0) * 1000; |
1759 | | } |
1760 | | #endif |
1761 | | |
1762 | | #elif defined(XTIME_MS) |
1763 | | word32 TimeNowInMilliseconds(void) |
1764 | | { |
1765 | | return (word32)XTIME_MS(0); |
1766 | | } |
1767 | | |
1768 | | #elif defined(USE_WINDOWS_API) |
1769 | | /* The time in milliseconds. |
1770 | | * Used for tickets to represent difference between when first seen and when |
1771 | | * sending. |
1772 | | * |
1773 | | * returns the time in milliseconds as a 32-bit value. |
1774 | | */ |
1775 | | word32 TimeNowInMilliseconds(void) |
1776 | | { |
1777 | | static int init = 0; |
1778 | | static LARGE_INTEGER freq; |
1779 | | LARGE_INTEGER count; |
1780 | | |
1781 | | if (!init) { |
1782 | | QueryPerformanceFrequency(&freq); |
1783 | | init = 1; |
1784 | | } |
1785 | | |
1786 | | QueryPerformanceCounter(&count); |
1787 | | |
1788 | | return (word32)(count.QuadPart / (freq.QuadPart / 1000)); |
1789 | | } |
1790 | | |
1791 | | #elif defined(HAVE_RTP_SYS) |
1792 | | #include "rtptime.h" |
1793 | | |
1794 | | /* The time in milliseconds. |
1795 | | * Used for tickets to represent difference between when first seen and when |
1796 | | * sending. |
1797 | | * |
1798 | | * returns the time in milliseconds as a 32-bit value. |
1799 | | */ |
1800 | | word32 TimeNowInMilliseconds(void) |
1801 | | { |
1802 | | return (word32)rtp_get_system_sec() * 1000; |
1803 | | } |
1804 | | #elif defined(WOLFSSL_DEOS) |
1805 | | word32 TimeNowInMilliseconds(void) |
1806 | | { |
1807 | | const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds(); |
1808 | | word32 *systemTickPtr = systemTickPointer(); |
1809 | | |
1810 | | return (word32) (*systemTickPtr/systemTickTimeInHz) * 1000; |
1811 | | } |
1812 | | #elif defined(MICRIUM) |
1813 | | /* The time in milliseconds. |
1814 | | * Used for tickets to represent difference between when first seen and when |
1815 | | * sending. |
1816 | | * |
1817 | | * returns the time in milliseconds as a 32-bit value. |
1818 | | */ |
1819 | | word32 TimeNowInMilliseconds(void) |
1820 | | { |
1821 | | OS_TICK ticks = 0; |
1822 | | OS_ERR err; |
1823 | | |
1824 | | ticks = OSTimeGet(&err); |
1825 | | |
1826 | | return (word32) (ticks / OSCfg_TickRate_Hz) * 1000; |
1827 | | } |
1828 | | #elif defined(MICROCHIP_TCPIP_V5) |
1829 | | /* The time in milliseconds. |
1830 | | * Used for tickets to represent difference between when first seen and when |
1831 | | * sending. |
1832 | | * |
1833 | | * returns the time in milliseconds as a 32-bit value. |
1834 | | */ |
1835 | | word32 TimeNowInMilliseconds(void) |
1836 | | { |
1837 | | return (word32) (TickGet() / (TICKS_PER_SECOND / 1000)); |
1838 | | } |
1839 | | #elif defined(MICROCHIP_TCPIP) |
1840 | | #if defined(MICROCHIP_MPLAB_HARMONY) |
1841 | | #include <system/tmr/sys_tmr.h> |
1842 | | |
1843 | | /* The time in milliseconds. |
1844 | | * Used for tickets to represent difference between when first seen and when |
1845 | | * sending. |
1846 | | * |
1847 | | * returns the time in milliseconds as a 32-bit value. |
1848 | | */ |
1849 | | word32 TimeNowInMilliseconds(void) |
1850 | | { |
1851 | | return (word32)(SYS_TMR_TickCountGet() / |
1852 | | (SYS_TMR_TickCounterFrequencyGet() / 1000)); |
1853 | | } |
1854 | | #else |
1855 | | /* The time in milliseconds. |
1856 | | * Used for tickets to represent difference between when first seen and when |
1857 | | * sending. |
1858 | | * |
1859 | | * returns the time in milliseconds as a 32-bit value. |
1860 | | */ |
1861 | | word32 TimeNowInMilliseconds(void) |
1862 | | { |
1863 | | return (word32)(SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000)); |
1864 | | } |
1865 | | |
1866 | | #endif |
1867 | | |
1868 | | #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
1869 | | /* The time in milliseconds. |
1870 | | * Used for tickets to represent difference between when first seen and when |
1871 | | * sending. |
1872 | | * |
1873 | | * returns the time in milliseconds as a 32-bit value. |
1874 | | */ |
1875 | | word32 TimeNowInMilliseconds(void) |
1876 | | { |
1877 | | TIME_STRUCT mqxTime; |
1878 | | |
1879 | | _time_get_elapsed(&mqxTime); |
1880 | | |
1881 | | return (word32) mqxTime.SECONDS * 1000; |
1882 | | } |
1883 | | #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS) |
1884 | | #include "include/task.h" |
1885 | | |
1886 | | /* The time in milliseconds. |
1887 | | * Used for tickets to represent difference between when first seen and when |
1888 | | * sending. |
1889 | | * |
1890 | | * returns the time in milliseconds as a 32-bit value. |
1891 | | */ |
1892 | | word32 TimeNowInMilliseconds(void) |
1893 | | { |
1894 | | return (unsigned int)(((float)xTaskGetTickCount()) / |
1895 | | (configTICK_RATE_HZ / 1000)); |
1896 | | } |
1897 | | #elif defined(FREESCALE_KSDK_BM) |
1898 | | #include "lwip/sys.h" /* lwIP */ |
1899 | | |
1900 | | /* The time in milliseconds. |
1901 | | * Used for tickets to represent difference between when first seen and when |
1902 | | * sending. |
1903 | | * |
1904 | | * returns the time in milliseconds as a 32-bit value. |
1905 | | */ |
1906 | | word32 TimeNowInMilliseconds(void) |
1907 | | { |
1908 | | return sys_now(); |
1909 | | } |
1910 | | |
1911 | | #elif defined(WOLFSSL_CMSIS_RTOS) || defined(WOLFSSL_CMSIS_RTOSv2) |
1912 | | |
1913 | | word32 TimeNowInMilliseconds(void) |
1914 | | { |
1915 | | return (word32)osKernelGetTickCount(); |
1916 | | } |
1917 | | |
1918 | | #elif defined(WOLFSSL_TIRTOS) |
1919 | | /* The time in milliseconds. |
1920 | | * Used for tickets to represent difference between when first seen and when |
1921 | | * sending. |
1922 | | * |
1923 | | * returns the time in milliseconds as a 32-bit value. |
1924 | | */ |
1925 | | word32 TimeNowInMilliseconds(void) |
1926 | | { |
1927 | | return (word32) Seconds_get() * 1000; |
1928 | | } |
1929 | | #elif defined(WOLFSSL_UTASKER) |
1930 | | /* The time in milliseconds. |
1931 | | * Used for tickets to represent difference between when first seen and when |
1932 | | * sending. |
1933 | | * |
1934 | | * returns the time in milliseconds as a 32-bit value. |
1935 | | */ |
1936 | | word32 TimeNowInMilliseconds(void) |
1937 | | { |
1938 | | return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000)); |
1939 | | } |
1940 | | #elif defined(WOLFSSL_LINUXKM) |
1941 | | word32 TimeNowInMilliseconds(void) |
1942 | | { |
1943 | | s64 t; |
1944 | | #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) |
1945 | | struct timespec ts; |
1946 | | getnstimeofday(&ts); |
1947 | | t = ts.tv_sec * (s64)1000; |
1948 | | t += ts.tv_nsec / (s64)1000000; |
1949 | | #else |
1950 | | struct timespec64 ts; |
1951 | | #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) |
1952 | | ts = current_kernel_time64(); |
1953 | | #else |
1954 | | ktime_get_coarse_real_ts64(&ts); |
1955 | | #endif |
1956 | | t = ts.tv_sec * 1000L; |
1957 | | t += ts.tv_nsec / 1000000L; |
1958 | | #endif |
1959 | | return (word32)t; |
1960 | | } |
1961 | | #elif defined(WOLFSSL_QNX_CAAM) |
1962 | | word32 TimeNowInMilliseconds(void) |
1963 | | { |
1964 | | struct timespec now; |
1965 | | clock_gettime(CLOCK_REALTIME, &now); |
1966 | | return (word32)(now.tv_sec * 1000 + now.tv_nsec / 1000000); |
1967 | | } |
1968 | | #elif defined(FUSION_RTOS) |
1969 | | /* The time in milliseconds. |
1970 | | * Used for tickets to represent difference between when first seen and when |
1971 | | * sending. |
1972 | | * |
1973 | | * returns the time in milliseconds as a 32-bit value. |
1974 | | */ |
1975 | | word32 TimeNowInMilliseconds(void) |
1976 | | { |
1977 | | struct timeval now; |
1978 | | if (FCL_GETTIMEOFDAY(&now, 0) < 0) |
1979 | | return 0; |
1980 | | |
1981 | | /* Convert to milliseconds number. */ |
1982 | | return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000); |
1983 | | } |
1984 | | #elif defined(WOLFSSL_ZEPHYR) |
1985 | | word32 TimeNowInMilliseconds(void) |
1986 | | { |
1987 | | int64_t t; |
1988 | | #if defined(CONFIG_ARCH_POSIX) |
1989 | | k_cpu_idle(); |
1990 | | #endif |
1991 | | t = k_uptime_get(); /* returns current uptime in milliseconds */ |
1992 | | return (word32)t; |
1993 | | } |
1994 | | #elif defined(FREERTOS) |
1995 | | word32 TimeNowInMilliseconds(void) |
1996 | | { |
1997 | | return (word32)((uint64_t)(xTaskGetTickCount() * 1000) / |
1998 | | configTICK_RATE_HZ); |
1999 | | } |
2000 | | #else |
2001 | | /* The time in milliseconds. |
2002 | | * Used for tickets to represent difference between when first seen and when |
2003 | | * sending. |
2004 | | * |
2005 | | * returns the time in milliseconds as a 32-bit value. |
2006 | | */ |
2007 | | word32 TimeNowInMilliseconds(void) |
2008 | | { |
2009 | | struct timeval now; |
2010 | | |
2011 | | if (gettimeofday(&now, 0) < 0) |
2012 | | return 0; |
2013 | | |
2014 | | /* Convert to milliseconds number. */ |
2015 | | return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000); |
2016 | | } |
2017 | | #endif |
2018 | | #else |
2019 | | /* user must supply time in milliseconds function: |
2020 | | * word32 TimeNowInMilliseconds(void); |
2021 | | * The response is milliseconds elapsed |
2022 | | */ |
2023 | | #endif /* !NO_ASN_TIME */ |
2024 | | #else |
2025 | | #ifndef NO_ASN_TIME |
2026 | | #if defined(USER_TICKS) |
2027 | | #if 0 |
2028 | | sword64 TimeNowInMilliseconds(void) |
2029 | | { |
2030 | | /* |
2031 | | write your own clock tick function if don't want gettimeofday() |
2032 | | needs millisecond accuracy but doesn't have to correlated to EPOCH |
2033 | | */ |
2034 | | } |
2035 | | #endif |
2036 | | |
2037 | | #elif defined(TIME_OVERRIDES) |
2038 | | #if !defined(NO_ASN) && !defined(NO_ASN_TIME) |
2039 | | sword64 TimeNowInMilliseconds(void) |
2040 | | { |
2041 | | return (sword64) wc_Time(0) * 1000; |
2042 | | } |
2043 | | #else |
2044 | | #ifndef HAVE_TIME_T_TYPE |
2045 | | typedef long time_t; |
2046 | | #endif |
2047 | | extern time_t XTIME(time_t * timer); |
2048 | | |
2049 | | /* The time in milliseconds. |
2050 | | * Used for tickets to represent difference between when first seen and when |
2051 | | * sending. |
2052 | | * |
2053 | | * returns the time in milliseconds as a 32-bit value. |
2054 | | */ |
2055 | | sword64 TimeNowInMilliseconds(void) |
2056 | | { |
2057 | | return (sword64) XTIME(0) * 1000; |
2058 | | } |
2059 | | #endif |
2060 | | |
2061 | | #elif defined(XTIME_MS) |
2062 | | sword64 TimeNowInMilliseconds(void) |
2063 | | { |
2064 | | return (sword64)XTIME_MS(0); |
2065 | | } |
2066 | | |
2067 | | #elif defined(USE_WINDOWS_API) |
2068 | | /* The time in milliseconds. |
2069 | | * Used for tickets to represent difference between when first seen and when |
2070 | | * sending. |
2071 | | * |
2072 | | * returns the time in milliseconds as a 64-bit value. |
2073 | | */ |
2074 | | sword64 TimeNowInMilliseconds(void) |
2075 | | { |
2076 | | static int init = 0; |
2077 | | static LARGE_INTEGER freq; |
2078 | | LARGE_INTEGER count; |
2079 | | |
2080 | | if (!init) { |
2081 | | QueryPerformanceFrequency(&freq); |
2082 | | init = 1; |
2083 | | } |
2084 | | |
2085 | | QueryPerformanceCounter(&count); |
2086 | | |
2087 | | return (sword64)(count.QuadPart / (freq.QuadPart / 1000)); |
2088 | | } |
2089 | | |
2090 | | #elif defined(HAVE_RTP_SYS) |
2091 | | #include "rtptime.h" |
2092 | | |
2093 | | /* The time in milliseconds. |
2094 | | * Used for tickets to represent difference between when first seen and when |
2095 | | * sending. |
2096 | | * |
2097 | | * returns the time in milliseconds as a 64-bit value. |
2098 | | */ |
2099 | | sword64 TimeNowInMilliseconds(void) |
2100 | | { |
2101 | | return (sword64)rtp_get_system_sec() * 1000; |
2102 | | } |
2103 | | #elif defined(WOLFSSL_DEOS) |
2104 | | sword64 TimeNowInMilliseconds(void) |
2105 | | { |
2106 | | const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds(); |
2107 | | word32 *systemTickPtr = systemTickPointer(); |
2108 | | |
2109 | | return (sword64) (*systemTickPtr/systemTickTimeInHz) * 1000; |
2110 | | } |
2111 | | #elif defined(MICRIUM) |
2112 | | /* The time in milliseconds. |
2113 | | * Used for tickets to represent difference between when first seen and when |
2114 | | * sending. |
2115 | | * |
2116 | | * returns the time in milliseconds as a 64-bit value. |
2117 | | */ |
2118 | | sword64 TimeNowInMilliseconds(void) |
2119 | | { |
2120 | | OS_TICK ticks = 0; |
2121 | | OS_ERR err; |
2122 | | |
2123 | | ticks = OSTimeGet(&err); |
2124 | | |
2125 | | return (sword64) (ticks / OSCfg_TickRate_Hz) * 1000; |
2126 | | } |
2127 | | #elif defined(MICROCHIP_TCPIP_V5) |
2128 | | /* The time in milliseconds. |
2129 | | * Used for tickets to represent difference between when first seen and when |
2130 | | * sending. |
2131 | | * |
2132 | | * returns the time in milliseconds as a 64-bit value. |
2133 | | */ |
2134 | | sword64 TimeNowInMilliseconds(void) |
2135 | | { |
2136 | | return (sword64) (TickGet() / (TICKS_PER_SECOND / 1000)); |
2137 | | } |
2138 | | #elif defined(MICROCHIP_TCPIP) |
2139 | | #if defined(MICROCHIP_MPLAB_HARMONY) |
2140 | | #include <system/tmr/sys_tmr.h> |
2141 | | |
2142 | | /* The time in milliseconds. |
2143 | | * Used for tickets to represent difference between when first seen and when |
2144 | | * sending. |
2145 | | * |
2146 | | * returns the time in milliseconds as a 64-bit value. |
2147 | | */ |
2148 | | sword64 TimeNowInMilliseconds(void) |
2149 | | { |
2150 | | return (sword64)SYS_TMR_TickCountGet() / |
2151 | | (SYS_TMR_TickCounterFrequencyGet() / 1000); |
2152 | | } |
2153 | | #else |
2154 | | /* The time in milliseconds. |
2155 | | * Used for tickets to represent difference between when first seen and when |
2156 | | * sending. |
2157 | | * |
2158 | | * returns the time in milliseconds as a 64-bit value. |
2159 | | */ |
2160 | | sword64 TimeNowInMilliseconds(void) |
2161 | | { |
2162 | | return (sword64)SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000); |
2163 | | } |
2164 | | |
2165 | | #endif |
2166 | | |
2167 | | #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) |
2168 | | /* The time in milliseconds. |
2169 | | * Used for tickets to represent difference between when first seen and when |
2170 | | * sending. |
2171 | | * |
2172 | | * returns the time in milliseconds as a 64-bit value. |
2173 | | */ |
2174 | | sword64 TimeNowInMilliseconds(void) |
2175 | | { |
2176 | | TIME_STRUCT mqxTime; |
2177 | | |
2178 | | _time_get_elapsed(&mqxTime); |
2179 | | |
2180 | | return (sword64) mqxTime.SECONDS * 1000; |
2181 | | } |
2182 | | #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS) |
2183 | | #include "include/task.h" |
2184 | | |
2185 | | /* The time in milliseconds. |
2186 | | * Used for tickets to represent difference between when first seen and when |
2187 | | * sending. |
2188 | | * |
2189 | | * returns the time in milliseconds as a 64-bit value. |
2190 | | */ |
2191 | | sword64 TimeNowInMilliseconds(void) |
2192 | | { |
2193 | | return (sword64)xTaskGetTickCount() / (configTICK_RATE_HZ / 1000); |
2194 | | } |
2195 | | #elif defined(FREESCALE_KSDK_BM) |
2196 | | #include "lwip/sys.h" /* lwIP */ |
2197 | | |
2198 | | /* The time in milliseconds. |
2199 | | * Used for tickets to represent difference between when first seen and when |
2200 | | * sending. |
2201 | | * |
2202 | | * returns the time in milliseconds as a 64-bit value. |
2203 | | */ |
2204 | | sword64 TimeNowInMilliseconds(void) |
2205 | | { |
2206 | | return sys_now(); |
2207 | | } |
2208 | | |
2209 | | #elif defined(WOLFSSL_CMSIS_RTOS) || defined(WOLFSSL_CMSIS_RTOSv2) |
2210 | | |
2211 | | sword64 TimeNowInMilliseconds(void) |
2212 | | { |
2213 | | return (sword64)osKernelGetTickCount(); |
2214 | | } |
2215 | | |
2216 | | #elif defined(WOLFSSL_TIRTOS) |
2217 | | /* The time in milliseconds. |
2218 | | * Used for tickets to represent difference between when first seen and when |
2219 | | * sending. |
2220 | | * |
2221 | | * returns the time in milliseconds as a 64-bit value. |
2222 | | */ |
2223 | | sword64 TimeNowInMilliseconds(void) |
2224 | | { |
2225 | | return (sword64) Seconds_get() * 1000; |
2226 | | } |
2227 | | #elif defined(WOLFSSL_UTASKER) |
2228 | | /* The time in milliseconds. |
2229 | | * Used for tickets to represent difference between when first seen and when |
2230 | | * sending. |
2231 | | * |
2232 | | * returns the time in milliseconds as a 64-bit value. |
2233 | | */ |
2234 | | sword64 TimeNowInMilliseconds(void) |
2235 | | { |
2236 | | return (sword64)(uTaskerSystemTick / (TICK_RESOLUTION / 1000)); |
2237 | | } |
2238 | | #elif defined(WOLFSSL_LINUXKM) |
2239 | | sword64 TimeNowInMilliseconds(void) |
2240 | | { |
2241 | | s64 t; |
2242 | | #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 0, 0) |
2243 | | struct timespec ts; |
2244 | | getnstimeofday(&ts); |
2245 | | t = ts.tv_sec * (s64)1000; |
2246 | | t += ts.tv_nsec / (s64)1000000; |
2247 | | #else |
2248 | | struct timespec64 ts; |
2249 | | #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 0, 0) |
2250 | | ts = current_kernel_time64(); |
2251 | | #else |
2252 | | ktime_get_coarse_real_ts64(&ts); |
2253 | | #endif |
2254 | | t = ts.tv_sec * 1000L; |
2255 | | t += ts.tv_nsec / 1000000L; |
2256 | | #endif |
2257 | | return (sword64)t; |
2258 | | } |
2259 | | #elif defined(WOLFSSL_QNX_CAAM) |
2260 | | sword64 TimeNowInMilliseconds(void) |
2261 | | { |
2262 | | struct timespec now; |
2263 | | clock_gettime(CLOCK_REALTIME, &now); |
2264 | | return (sword64)(now.tv_sec * 1000 + now.tv_nsec / 1000000); |
2265 | | } |
2266 | | #elif defined(FUSION_RTOS) |
2267 | | /* The time in milliseconds. |
2268 | | * Used for tickets to represent difference between when first seen and when |
2269 | | * sending. |
2270 | | * |
2271 | | * returns the time in milliseconds as a 64-bit value. |
2272 | | */ |
2273 | | sword64 TimeNowInMilliseconds(void) |
2274 | | { |
2275 | | struct timeval now; |
2276 | | if (FCL_GETTIMEOFDAY(&now, 0) < 0) |
2277 | | return 0; |
2278 | | |
2279 | | /* Convert to milliseconds number. */ |
2280 | | return (sword64)now.tv_sec * 1000 + now.tv_usec / 1000; |
2281 | | } |
2282 | | #elif defined(WOLFSSL_ZEPHYR) |
2283 | | sword64 TimeNowInMilliseconds(void) |
2284 | | { |
2285 | | int64_t t; |
2286 | | #if defined(CONFIG_ARCH_POSIX) |
2287 | | k_cpu_idle(); |
2288 | | #endif |
2289 | | t = k_uptime_get(); /* returns current uptime in milliseconds */ |
2290 | | return (sword64)t; |
2291 | | } |
2292 | | #elif defined(FREERTOS) |
2293 | | sword64 TimeNowInMilliseconds(void) |
2294 | | { |
2295 | | return (sword64)((uint64_t)(xTaskGetTickCount() * 1000) / |
2296 | | configTICK_RATE_HZ); |
2297 | | } |
2298 | | #else |
2299 | | /* The time in milliseconds. |
2300 | | * Used for tickets to represent difference between when first seen and when |
2301 | | * sending. |
2302 | | * |
2303 | | * returns the time in milliseconds as a 64-bit value. |
2304 | | */ |
2305 | | sword64 TimeNowInMilliseconds(void) |
2306 | | { |
2307 | | struct timeval now; |
2308 | | |
2309 | | if (gettimeofday(&now, 0) < 0) |
2310 | | return 0; |
2311 | | |
2312 | | /* Convert to milliseconds number. */ |
2313 | | return (sword64)now.tv_sec * 1000 + now.tv_usec / 1000; |
2314 | | } |
2315 | | #endif |
2316 | | #else |
2317 | | /* user must supply time in milliseconds function: |
2318 | | * sword64 TimeNowInMilliseconds(void); |
2319 | | * The response is milliseconds elapsed |
2320 | | */ |
2321 | | #endif /* !NO_ASN_TIME */ |
2322 | | #endif /* WOLFSSL_32BIT_MILLI_TIME */ |
2323 | | #endif /* HAVE_SESSION_TICKET || !NO_PSK || WOLFSSL_DTLS13 */ |
2324 | | |
2325 | | /* Add record layer header to message. |
2326 | | * |
2327 | | * output The buffer to write the record layer header into. |
2328 | | * length The length of the record data. |
2329 | | * type The type of record message. |
2330 | | * ssl The SSL/TLS object. |
2331 | | */ |
2332 | | static void AddTls13RecordHeader(byte* output, word32 length, byte type, |
2333 | | WOLFSSL* ssl) |
2334 | 0 | { |
2335 | 0 | RecordLayerHeader* rl; |
2336 | |
|
2337 | 0 | rl = (RecordLayerHeader*)output; |
2338 | 0 | rl->type = type; |
2339 | 0 | rl->pvMajor = ssl->version.major; |
2340 | | /* NOTE: May be TLSv1_MINOR when sending first ClientHello. */ |
2341 | 0 | rl->pvMinor = TLSv1_2_MINOR; |
2342 | 0 | c16toa((word16)length, rl->length); |
2343 | 0 | } |
2344 | | |
2345 | | /* Add handshake header to message. |
2346 | | * |
2347 | | * output The buffer to write the handshake header into. |
2348 | | * length The length of the handshake data. |
2349 | | * fragOffset The offset of the fragment data. (DTLS) |
2350 | | * fragLength The length of the fragment data. (DTLS) |
2351 | | * type The type of handshake message. |
2352 | | * ssl The SSL/TLS object. (DTLS) |
2353 | | */ |
2354 | | static void AddTls13HandShakeHeader(byte* output, word32 length, |
2355 | | word32 fragOffset, word32 fragLength, |
2356 | | byte type, WOLFSSL* ssl) |
2357 | 0 | { |
2358 | 0 | HandShakeHeader* hs; |
2359 | 0 | (void)fragOffset; |
2360 | 0 | (void)fragLength; |
2361 | 0 | (void)ssl; |
2362 | |
|
2363 | | #ifdef WOLFSSL_DTLS13 |
2364 | | /* message_hash type is used for a synthetic message that replaces the first |
2365 | | ClientHello in the hash transcript when using HelloRetryRequest. It will |
2366 | | never be transmitted and, as the DTLS-only fields must not be considered |
2367 | | when computing the hash transcript, we can avoid to use the DTLS |
2368 | | handshake header. */ |
2369 | | if (ssl->options.dtls && type != message_hash) { |
2370 | | Dtls13HandshakeAddHeader(ssl, output, (enum HandShakeType)type, length); |
2371 | | return; |
2372 | | } |
2373 | | #endif /* WOLFSSL_DTLS13 */ |
2374 | | |
2375 | | /* handshake header */ |
2376 | 0 | hs = (HandShakeHeader*)output; |
2377 | 0 | hs->type = type; |
2378 | 0 | c32to24(length, hs->length); |
2379 | 0 | } |
2380 | | |
2381 | | |
2382 | | /* Add both record layer and handshake header to message. |
2383 | | * |
2384 | | * output The buffer to write the headers into. |
2385 | | * length The length of the handshake data. |
2386 | | * type The type of record layer message. |
2387 | | * ssl The SSL/TLS object. (DTLS) |
2388 | | */ |
2389 | | static void AddTls13Headers(byte* output, word32 length, byte type, |
2390 | | WOLFSSL* ssl) |
2391 | 0 | { |
2392 | 0 | word32 lengthAdj = HANDSHAKE_HEADER_SZ; |
2393 | 0 | word32 outputAdj = RECORD_HEADER_SZ; |
2394 | |
|
2395 | | #ifdef WOLFSSL_DTLS13 |
2396 | | if (ssl->options.dtls) { |
2397 | | Dtls13AddHeaders(output, length, (enum HandShakeType)type, ssl); |
2398 | | return; |
2399 | | } |
2400 | | #endif /* WOLFSSL_DTLS13 */ |
2401 | |
|
2402 | 0 | AddTls13RecordHeader(output, length + lengthAdj, handshake, ssl); |
2403 | 0 | AddTls13HandShakeHeader(output + outputAdj, length, 0, length, type, ssl); |
2404 | 0 | } |
2405 | | |
2406 | | #if (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) \ |
2407 | | && !defined(NO_CERTS) |
2408 | | /* Add both record layer and fragment handshake header to message. |
2409 | | * |
2410 | | * output The buffer to write the headers into. |
2411 | | * fragOffset The offset of the fragment data. (DTLS) |
2412 | | * fragLength The length of the fragment data. (DTLS) |
2413 | | * length The length of the handshake data. |
2414 | | * type The type of record layer message. |
2415 | | * ssl The SSL/TLS object. (DTLS) |
2416 | | */ |
2417 | | static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset, |
2418 | | word32 length, byte type, WOLFSSL* ssl) |
2419 | 0 | { |
2420 | 0 | word32 lengthAdj = HANDSHAKE_HEADER_SZ; |
2421 | 0 | word32 outputAdj = RECORD_HEADER_SZ; |
2422 | 0 | (void)fragSz; |
2423 | |
|
2424 | | #ifdef WOLFSSL_DTLS13 |
2425 | | /* we ignore fragmentation fields here because fragmentation logic for |
2426 | | DTLS1.3 is inside dtls13_handshake_send(). */ |
2427 | | if (ssl->options.dtls) { |
2428 | | Dtls13AddHeaders(output, length, (enum HandShakeType)type, ssl); |
2429 | | return; |
2430 | | } |
2431 | | #endif /* WOLFSSL_DTLS13 */ |
2432 | |
|
2433 | 0 | AddTls13RecordHeader(output, fragSz + lengthAdj, handshake, ssl); |
2434 | 0 | AddTls13HandShakeHeader(output + outputAdj, length, fragOffset, fragSz, |
2435 | 0 | type, ssl); |
2436 | 0 | } |
2437 | | #endif /* (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) && !NO_CERTS */ |
2438 | | |
2439 | | /* Write the sequence number into the buffer. |
2440 | | * No DTLS v1.3 support. |
2441 | | * |
2442 | | * ssl The SSL/TLS object. |
2443 | | * verifyOrder Which set of sequence numbers to use. |
2444 | | * out The buffer to write into. |
2445 | | */ |
2446 | | static WC_INLINE void WriteSEQTls13(WOLFSSL* ssl, int verifyOrder, byte* out) |
2447 | 0 | { |
2448 | 0 | word32 seq[2] = {0, 0}; |
2449 | |
|
2450 | 0 | if (ssl->options.dtls) { |
2451 | | #ifdef WOLFSSL_DTLS13 |
2452 | | Dtls13GetSeq(ssl, verifyOrder, seq, 1); |
2453 | | #endif /* WOLFSSL_DTLS13 */ |
2454 | 0 | } |
2455 | 0 | else if (verifyOrder == PEER_ORDER) { |
2456 | 0 | seq[0] = ssl->keys.peer_sequence_number_hi; |
2457 | 0 | seq[1] = ssl->keys.peer_sequence_number_lo++; |
2458 | | /* handle rollover */ |
2459 | 0 | if (seq[1] > ssl->keys.peer_sequence_number_lo) |
2460 | 0 | ssl->keys.peer_sequence_number_hi++; |
2461 | 0 | } |
2462 | 0 | else { |
2463 | 0 | seq[0] = ssl->keys.sequence_number_hi; |
2464 | 0 | seq[1] = ssl->keys.sequence_number_lo++; |
2465 | | /* handle rollover */ |
2466 | 0 | if (seq[1] > ssl->keys.sequence_number_lo) |
2467 | 0 | ssl->keys.sequence_number_hi++; |
2468 | 0 | } |
2469 | | #ifdef WOLFSSL_DEBUG_TLS |
2470 | | WOLFSSL_MSG_EX("TLS 1.3 Write Sequence %d %d", seq[0], seq[1]); |
2471 | | #endif |
2472 | |
|
2473 | 0 | c32toa(seq[0], out); |
2474 | 0 | c32toa(seq[1], out + OPAQUE32_LEN); |
2475 | 0 | } |
2476 | | |
2477 | | /* Build the nonce for TLS v1.3 encryption and decryption. |
2478 | | * |
2479 | | * ssl The SSL/TLS object. |
2480 | | * nonce The nonce data to use when encrypting or decrypting. |
2481 | | * iv The derived IV. |
2482 | | * order The side on which the message is to be or was sent. |
2483 | | */ |
2484 | | static WC_INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv, |
2485 | | int ivSz, int order) |
2486 | 0 | { |
2487 | 0 | int seq_offset; |
2488 | | /* Ensure minimum nonce size for standard AEAD ciphers */ |
2489 | 0 | if (ivSz < AEAD_NONCE_SZ) |
2490 | 0 | ivSz = AEAD_NONCE_SZ; |
2491 | 0 | seq_offset = ivSz - SEQ_SZ; |
2492 | | /* The nonce is the IV with the sequence XORed into the last bytes. */ |
2493 | 0 | WriteSEQTls13(ssl, order, nonce + seq_offset); |
2494 | 0 | XMEMCPY(nonce, iv, seq_offset); |
2495 | 0 | xorbuf(nonce + seq_offset, iv + seq_offset, SEQ_SZ); |
2496 | 0 | } |
2497 | | |
2498 | | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
2499 | | /* Encrypt with ChaCha20 and create authentication tag with Poly1305. |
2500 | | * |
2501 | | * ssl The SSL/TLS object. |
2502 | | * output The buffer to write encrypted data and authentication tag into. |
2503 | | * May be the same pointer as input. |
2504 | | * input The data to encrypt. |
2505 | | * sz The number of bytes to encrypt. |
2506 | | * nonce The nonce to use with ChaCha20. |
2507 | | * aad The additional authentication data. |
2508 | | * aadSz The size of the addition authentication data. |
2509 | | * tag The authentication tag buffer. |
2510 | | * returns 0 on success, otherwise failure. |
2511 | | */ |
2512 | | static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output, |
2513 | | const byte* input, word16 sz, byte* nonce, |
2514 | | const byte* aad, word16 aadSz, byte* tag) |
2515 | 0 | { |
2516 | 0 | int ret = 0; |
2517 | 0 | byte poly[CHACHA20_256_KEY_SIZE]; |
2518 | | |
2519 | | /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */ |
2520 | 0 | XMEMSET(poly, 0, sizeof(poly)); |
2521 | | |
2522 | | /* Set the nonce for ChaCha and get Poly1305 key. */ |
2523 | 0 | ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0); |
2524 | 0 | if (ret != 0) |
2525 | 0 | return ret; |
2526 | | /* Create Poly1305 key using ChaCha20 keystream. */ |
2527 | 0 | ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly)); |
2528 | 0 | if (ret != 0) |
2529 | 0 | return ret; |
2530 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
2531 | | wc_MemZero_Add("ChaCha20Poly1305_Encrypt poly", poly, sizeof(poly)); |
2532 | | #endif |
2533 | 0 | ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 1); |
2534 | 0 | if (ret != 0) |
2535 | 0 | return ret; |
2536 | | /* Encrypt the plain text. */ |
2537 | 0 | ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz); |
2538 | 0 | if (ret != 0) { |
2539 | 0 | ForceZero(poly, sizeof(poly)); |
2540 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
2541 | | wc_MemZero_Check(poly, sizeof(poly)); |
2542 | | #endif |
2543 | 0 | return ret; |
2544 | 0 | } |
2545 | | |
2546 | | /* Set key for Poly1305. */ |
2547 | 0 | ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly)); |
2548 | 0 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ |
2549 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
2550 | | wc_MemZero_Check(poly, sizeof(poly)); |
2551 | | #endif |
2552 | 0 | if (ret != 0) |
2553 | 0 | return ret; |
2554 | | /* Add authentication code of encrypted data to end. */ |
2555 | 0 | ret = wc_Poly1305_MAC(ssl->auth.poly1305, aad, aadSz, output, sz, tag, |
2556 | 0 | POLY1305_AUTH_SZ); |
2557 | |
|
2558 | 0 | return ret; |
2559 | 0 | } |
2560 | | #endif |
2561 | | |
2562 | | #ifdef HAVE_NULL_CIPHER |
2563 | | /* Create authentication tag and copy data over input. |
2564 | | * |
2565 | | * ssl The SSL/TLS object. |
2566 | | * output The buffer to copy data into. |
2567 | | * May be the same pointer as input. |
2568 | | * input The data. |
2569 | | * sz The number of bytes of data. |
2570 | | * nonce The nonce to use with authentication. |
2571 | | * aad The additional authentication data. |
2572 | | * aadSz The size of the addition authentication data. |
2573 | | * tag The authentication tag buffer. |
2574 | | * returns 0 on success, otherwise failure. |
2575 | | */ |
2576 | | static int Tls13IntegrityOnly_Encrypt(WOLFSSL* ssl, byte* output, |
2577 | | const byte* input, word16 sz, |
2578 | | const byte* nonce, |
2579 | | const byte* aad, word16 aadSz, byte* tag) |
2580 | | { |
2581 | | int ret; |
2582 | | |
2583 | | /* HMAC: nonce | aad | input */ |
2584 | | ret = wc_HmacUpdate(ssl->encrypt.hmac, nonce, ssl->specs.iv_size); |
2585 | | if (ret == 0) |
2586 | | ret = wc_HmacUpdate(ssl->encrypt.hmac, aad, aadSz); |
2587 | | if (ret == 0) |
2588 | | ret = wc_HmacUpdate(ssl->encrypt.hmac, input, sz); |
2589 | | if (ret == 0) |
2590 | | ret = wc_HmacFinal(ssl->encrypt.hmac, tag); |
2591 | | /* Copy the input to output if not the same buffer */ |
2592 | | if (ret == 0 && output != input) |
2593 | | XMEMCPY(output, input, sz); |
2594 | | return ret; |
2595 | | } |
2596 | | #endif |
2597 | | |
2598 | | /* Encrypt data for TLS v1.3. |
2599 | | * |
2600 | | * ssl The SSL/TLS object. |
2601 | | * output The buffer to write encrypted data and authentication tag into. |
2602 | | * May be the same pointer as input. |
2603 | | * input The record header and data to encrypt. |
2604 | | * sz The number of bytes to encrypt. |
2605 | | * aad The additional authentication data. |
2606 | | * aadSz The size of the addition authentication data. |
2607 | | * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto |
2608 | | * returns 0 on success, otherwise failure. |
2609 | | */ |
2610 | | static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input, |
2611 | | word16 sz, const byte* aad, word16 aadSz, int asyncOkay) |
2612 | 0 | { |
2613 | 0 | int ret = 0; |
2614 | 0 | word16 dataSz; |
2615 | 0 | word16 macSz = ssl->specs.aead_mac_size; |
2616 | 0 | word32 nonceSz = 0; |
2617 | | #ifdef WOLFSSL_ASYNC_CRYPT |
2618 | | WC_ASYNC_DEV* asyncDev = NULL; |
2619 | | word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN; |
2620 | | #endif |
2621 | |
|
2622 | 0 | WOLFSSL_ENTER("EncryptTls13"); |
2623 | 0 | if (sz < ssl->specs.aead_mac_size) |
2624 | 0 | return BUFFER_E; |
2625 | 0 | dataSz = sz - ssl->specs.aead_mac_size; |
2626 | |
|
2627 | 0 | (void)output; |
2628 | 0 | (void)input; |
2629 | 0 | (void)sz; |
2630 | 0 | (void)dataSz; |
2631 | 0 | (void)macSz; |
2632 | 0 | (void)asyncOkay; |
2633 | 0 | (void)nonceSz; |
2634 | |
|
2635 | | #ifdef WOLFSSL_ASYNC_CRYPT |
2636 | | if (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
2637 | | ssl->error = 0; /* clear async */ |
2638 | | } |
2639 | | #endif |
2640 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
2641 | | ret = tsip_Tls13AesEncrypt(ssl, output, input, dataSz); |
2642 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { |
2643 | | if (ret > 0) { |
2644 | | ret = 0; /* tsip_Tls13AesEncrypt returns output size */ |
2645 | | } |
2646 | | return ret; |
2647 | | } |
2648 | | ret = 0; |
2649 | | #endif /* WOLFSSL_RENESAS_TSIP_TLS */ |
2650 | |
|
2651 | 0 | switch (ssl->encrypt.state) { |
2652 | 0 | case CIPHER_STATE_BEGIN: |
2653 | 0 | { |
2654 | | #ifdef WOLFSSL_DEBUG_TLS |
2655 | | WOLFSSL_MSG("Data to encrypt"); |
2656 | | WOLFSSL_BUFFER(input, dataSz); |
2657 | | WOLFSSL_MSG("Additional Authentication Data"); |
2658 | | WOLFSSL_BUFFER(aad, aadSz); |
2659 | | #endif |
2660 | |
|
2661 | | #ifdef WOLFSSL_CIPHER_TEXT_CHECK |
2662 | | if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null && |
2663 | | dataSz >= sizeof(ssl->encrypt.sanityCheck)) { |
2664 | | XMEMCPY(ssl->encrypt.sanityCheck, input, |
2665 | | sizeof(ssl->encrypt.sanityCheck)); |
2666 | | } |
2667 | | #endif |
2668 | |
|
2669 | 0 | #ifdef CIPHER_NONCE |
2670 | 0 | if (ssl->encrypt.nonce == NULL) { |
2671 | 0 | ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_MAX_IMP_SZ, |
2672 | 0 | ssl->heap, DYNAMIC_TYPE_CIPHER); |
2673 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
2674 | | if (ssl->encrypt.nonce != NULL) { |
2675 | | wc_MemZero_Add("EncryptTls13 nonce", ssl->encrypt.nonce, |
2676 | | ssl->specs.iv_size); |
2677 | | } |
2678 | | #endif |
2679 | 0 | } |
2680 | 0 | if (ssl->encrypt.nonce == NULL) |
2681 | 0 | return MEMORY_E; |
2682 | | |
2683 | 0 | BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV, |
2684 | 0 | ssl->specs.iv_size, CUR_ORDER); |
2685 | 0 | #endif |
2686 | | |
2687 | | /* Advance state and proceed */ |
2688 | 0 | ssl->encrypt.state = CIPHER_STATE_DO; |
2689 | 0 | } |
2690 | 0 | FALL_THROUGH; |
2691 | |
|
2692 | 0 | case CIPHER_STATE_DO: |
2693 | 0 | { |
2694 | 0 | switch (ssl->specs.bulk_cipher_algorithm) { |
2695 | 0 | #ifdef BUILD_AESGCM |
2696 | 0 | case wolfssl_aes_gcm: |
2697 | | #ifdef WOLFSSL_ASYNC_CRYPT |
2698 | | /* initialize event */ |
2699 | | asyncDev = &ssl->encrypt.aes->asyncDev; |
2700 | | ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags); |
2701 | | if (ret != 0) |
2702 | | break; |
2703 | | #endif |
2704 | |
|
2705 | 0 | nonceSz = AESGCM_NONCE_SZ; |
2706 | |
|
2707 | | #if defined(HAVE_PK_CALLBACKS) |
2708 | | ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); |
2709 | | if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) { |
2710 | | ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1, |
2711 | | output, input, dataSz, |
2712 | | ssl->encrypt.nonce, nonceSz, |
2713 | | output + dataSz, macSz, |
2714 | | aad, aadSz); |
2715 | | } |
2716 | | if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
2717 | | #endif |
2718 | 0 | { |
2719 | |
|
2720 | | #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ |
2721 | | (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))) |
2722 | | ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input, |
2723 | | dataSz, ssl->encrypt.nonce, nonceSz, |
2724 | | output + dataSz, macSz, aad, aadSz); |
2725 | | #else |
2726 | 0 | ret = wc_AesGcmSetExtIV(ssl->encrypt.aes, |
2727 | 0 | ssl->encrypt.nonce, nonceSz); |
2728 | 0 | if (ret == 0) { |
2729 | 0 | ret = wc_AesGcmEncrypt_ex(ssl->encrypt.aes, output, |
2730 | 0 | input, dataSz, ssl->encrypt.nonce, nonceSz, |
2731 | 0 | output + dataSz, macSz, aad, aadSz); |
2732 | 0 | } |
2733 | 0 | #endif |
2734 | 0 | } |
2735 | 0 | break; |
2736 | 0 | #endif |
2737 | | |
2738 | | #ifdef HAVE_AESCCM |
2739 | | case wolfssl_aes_ccm: |
2740 | | #ifdef WOLFSSL_ASYNC_CRYPT |
2741 | | /* initialize event */ |
2742 | | asyncDev = &ssl->encrypt.aes->asyncDev; |
2743 | | ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags); |
2744 | | if (ret != 0) |
2745 | | break; |
2746 | | #endif |
2747 | | |
2748 | | nonceSz = AESCCM_NONCE_SZ; |
2749 | | #if defined(HAVE_PK_CALLBACKS) |
2750 | | ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); |
2751 | | if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) { |
2752 | | ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 1, |
2753 | | output, input, dataSz, |
2754 | | ssl->encrypt.nonce, nonceSz, |
2755 | | output + dataSz, macSz, |
2756 | | aad, aadSz); |
2757 | | } |
2758 | | if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
2759 | | #endif |
2760 | | { |
2761 | | #if ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \ |
2762 | | (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2))) |
2763 | | ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input, |
2764 | | dataSz, ssl->encrypt.nonce, nonceSz, |
2765 | | output + dataSz, macSz, aad, aadSz); |
2766 | | #else |
2767 | | ret = wc_AesCcmSetNonce(ssl->encrypt.aes, |
2768 | | ssl->encrypt.nonce, nonceSz); |
2769 | | if (ret == 0) { |
2770 | | ret = wc_AesCcmEncrypt_ex(ssl->encrypt.aes, output, |
2771 | | input, dataSz, ssl->encrypt.nonce, nonceSz, |
2772 | | output + dataSz, macSz, aad, aadSz); |
2773 | | } |
2774 | | #endif |
2775 | | } |
2776 | | break; |
2777 | | #endif |
2778 | | |
2779 | 0 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
2780 | 0 | case wolfssl_chacha: |
2781 | 0 | ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz, |
2782 | 0 | ssl->encrypt.nonce, aad, aadSz, output + dataSz); |
2783 | 0 | break; |
2784 | 0 | #endif |
2785 | | |
2786 | | #ifdef WOLFSSL_SM4_GCM |
2787 | | case wolfssl_sm4_gcm: |
2788 | | nonceSz = SM4_GCM_NONCE_SZ; |
2789 | | ret = wc_Sm4GcmEncrypt(ssl->encrypt.sm4, output, input, |
2790 | | dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz, |
2791 | | macSz, aad, aadSz); |
2792 | | break; |
2793 | | #endif |
2794 | | |
2795 | | #ifdef WOLFSSL_SM4_CCM |
2796 | | case wolfssl_sm4_ccm: |
2797 | | nonceSz = SM4_CCM_NONCE_SZ; |
2798 | | ret = wc_Sm4CcmEncrypt(ssl->encrypt.sm4, output, input, |
2799 | | dataSz, ssl->encrypt.nonce, nonceSz, output + dataSz, |
2800 | | macSz, aad, aadSz); |
2801 | | break; |
2802 | | #endif |
2803 | | |
2804 | | #ifdef HAVE_NULL_CIPHER |
2805 | | case wolfssl_cipher_null: |
2806 | | ret = Tls13IntegrityOnly_Encrypt(ssl, output, input, dataSz, |
2807 | | ssl->encrypt.nonce, aad, aadSz, output + dataSz); |
2808 | | break; |
2809 | | #endif |
2810 | | |
2811 | 0 | default: |
2812 | 0 | WOLFSSL_MSG("wolfSSL Encrypt programming error"); |
2813 | 0 | return ENCRYPT_ERROR; |
2814 | 0 | } |
2815 | | |
2816 | | /* Advance state */ |
2817 | 0 | ssl->encrypt.state = CIPHER_STATE_END; |
2818 | |
|
2819 | | #ifdef WOLFSSL_ASYNC_CRYPT |
2820 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
2821 | | /* if async is not okay, then block */ |
2822 | | if (!asyncOkay) { |
2823 | | ret = wc_AsyncWait(ret, asyncDev, event_flags); |
2824 | | } |
2825 | | else { |
2826 | | /* If pending, then leave and return will resume below */ |
2827 | | return wolfSSL_AsyncPush(ssl, asyncDev); |
2828 | | } |
2829 | | } |
2830 | | #endif |
2831 | 0 | } |
2832 | 0 | FALL_THROUGH; |
2833 | |
|
2834 | 0 | case CIPHER_STATE_END: |
2835 | 0 | { |
2836 | | #ifdef WOLFSSL_DEBUG_TLS |
2837 | | #ifdef CIPHER_NONCE |
2838 | | WOLFSSL_MSG("Nonce"); |
2839 | | WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size); |
2840 | | #endif |
2841 | | WOLFSSL_MSG("Encrypted data"); |
2842 | | WOLFSSL_BUFFER(output, dataSz); |
2843 | | WOLFSSL_MSG("Authentication Tag"); |
2844 | | WOLFSSL_BUFFER(output + dataSz, macSz); |
2845 | | #endif |
2846 | |
|
2847 | | #ifdef WOLFSSL_CIPHER_TEXT_CHECK |
2848 | | if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null && |
2849 | | dataSz >= sizeof(ssl->encrypt.sanityCheck) && |
2850 | | XMEMCMP(output, ssl->encrypt.sanityCheck, |
2851 | | sizeof(ssl->encrypt.sanityCheck)) == 0) { |
2852 | | |
2853 | | WOLFSSL_MSG("EncryptTls13 sanity check failed! Glitch?"); |
2854 | | return ENCRYPT_ERROR; |
2855 | | } |
2856 | | ForceZero(ssl->encrypt.sanityCheck, |
2857 | | sizeof(ssl->encrypt.sanityCheck)); |
2858 | | #endif |
2859 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
2860 | | if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) && |
2861 | | (output != input) && (ret == 0)) { |
2862 | | wc_MemZero_Add("TLS 1.3 Encrypt plaintext", input, sz); |
2863 | | } |
2864 | | #endif |
2865 | |
|
2866 | 0 | #ifdef CIPHER_NONCE |
2867 | 0 | ForceZero(ssl->encrypt.nonce, ssl->specs.iv_size); |
2868 | 0 | #endif |
2869 | |
|
2870 | 0 | break; |
2871 | 0 | } |
2872 | | |
2873 | 0 | default: |
2874 | 0 | break; |
2875 | 0 | } |
2876 | | |
2877 | | |
2878 | | /* Reset state */ |
2879 | 0 | ssl->encrypt.state = CIPHER_STATE_BEGIN; |
2880 | |
|
2881 | 0 | return ret; |
2882 | 0 | } |
2883 | | |
2884 | | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
2885 | | /* Decrypt with ChaCha20 and check authentication tag with Poly1305. |
2886 | | * |
2887 | | * ssl The SSL/TLS object. |
2888 | | * output The buffer to write decrypted data into. |
2889 | | * May be the same pointer as input. |
2890 | | * input The data to decrypt. |
2891 | | * sz The number of bytes to decrypt. |
2892 | | * nonce The nonce to use with ChaCha20. |
2893 | | * aad The additional authentication data. |
2894 | | * aadSz The size of the addition authentication data. |
2895 | | * tagIn The authentication tag data from packet. |
2896 | | * returns 0 on success, otherwise failure. |
2897 | | */ |
2898 | | static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output, |
2899 | | const byte* input, word16 sz, byte* nonce, |
2900 | | const byte* aad, word16 aadSz, |
2901 | | const byte* tagIn) |
2902 | 0 | { |
2903 | 0 | int ret; |
2904 | 0 | byte tag[POLY1305_AUTH_SZ]; |
2905 | 0 | byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */ |
2906 | | |
2907 | | /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */ |
2908 | 0 | XMEMSET(poly, 0, sizeof(poly)); |
2909 | | |
2910 | | /* Set nonce and get Poly1305 key. */ |
2911 | 0 | ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0); |
2912 | 0 | if (ret != 0) |
2913 | 0 | return ret; |
2914 | | /* Use ChaCha20 keystream to get Poly1305 key for tag. */ |
2915 | 0 | ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly)); |
2916 | 0 | if (ret != 0) |
2917 | 0 | return ret; |
2918 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
2919 | | wc_MemZero_Add("ChaCha20Poly1305_Decrypt poly", poly, sizeof(poly)); |
2920 | | #endif |
2921 | 0 | ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 1); |
2922 | 0 | if (ret != 0) { |
2923 | 0 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ |
2924 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
2925 | | wc_MemZero_Check(poly, sizeof(poly)); |
2926 | | #endif |
2927 | 0 | return ret; |
2928 | 0 | } |
2929 | | |
2930 | | /* Set key for Poly1305. */ |
2931 | 0 | ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly)); |
2932 | 0 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */ |
2933 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
2934 | | wc_MemZero_Check(poly, sizeof(poly)); |
2935 | | #endif |
2936 | 0 | if (ret != 0) |
2937 | 0 | return ret; |
2938 | | /* Generate authentication tag for encrypted data. */ |
2939 | 0 | if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, aad, aadSz, input, sz, tag, |
2940 | 0 | sizeof(tag))) != 0) { |
2941 | 0 | return ret; |
2942 | 0 | } |
2943 | | |
2944 | | /* Check tag sent along with packet. */ |
2945 | 0 | if (ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) { |
2946 | 0 | WOLFSSL_MSG("MAC did not match"); |
2947 | 0 | return VERIFY_MAC_ERROR; |
2948 | 0 | } |
2949 | | |
2950 | | /* If the tag was good decrypt message. */ |
2951 | 0 | ret = wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz); |
2952 | |
|
2953 | 0 | return ret; |
2954 | 0 | } |
2955 | | #endif |
2956 | | |
2957 | | #ifdef HAVE_NULL_CIPHER |
2958 | | /* Check HMAC tag and copy over input. |
2959 | | * |
2960 | | * ssl The SSL/TLS object. |
2961 | | * output The buffer to copy data into. |
2962 | | * May be the same pointer as input. |
2963 | | * input The data. |
2964 | | * sz The number of bytes of data. |
2965 | | * nonce The nonce to use with authentication. |
2966 | | * aad The additional authentication data. |
2967 | | * aadSz The size of the addition authentication data. |
2968 | | * tagIn The authentication tag data from packet. |
2969 | | * returns 0 on success, otherwise failure. |
2970 | | */ |
2971 | | static int Tls13IntegrityOnly_Decrypt(WOLFSSL* ssl, byte* output, |
2972 | | const byte* input, word16 sz, |
2973 | | const byte* nonce, |
2974 | | const byte* aad, word16 aadSz, |
2975 | | const byte* tagIn) |
2976 | | { |
2977 | | int ret; |
2978 | | byte hmac[WC_MAX_DIGEST_SIZE]; |
2979 | | |
2980 | | /* HMAC: nonce | aad | input */ |
2981 | | ret = wc_HmacUpdate(ssl->decrypt.hmac, nonce, ssl->specs.iv_size); |
2982 | | if (ret == 0) |
2983 | | ret = wc_HmacUpdate(ssl->decrypt.hmac, aad, aadSz); |
2984 | | if (ret == 0) |
2985 | | ret = wc_HmacUpdate(ssl->decrypt.hmac, input, sz); |
2986 | | if (ret == 0) |
2987 | | ret = wc_HmacFinal(ssl->decrypt.hmac, hmac); |
2988 | | /* Check authentication tag matches */ |
2989 | | if (ret == 0 && ConstantCompare(tagIn, hmac, ssl->specs.hash_size) != 0) |
2990 | | ret = DECRYPT_ERROR; |
2991 | | /* Copy the input to output if not the same buffer */ |
2992 | | if (ret == 0 && output != input) |
2993 | | XMEMCPY(output, input, sz); |
2994 | | ForceZero(hmac, sizeof(hmac)); |
2995 | | return ret; |
2996 | | } |
2997 | | #endif |
2998 | | |
2999 | | /* Decrypt data for TLS v1.3. |
3000 | | * |
3001 | | * ssl The SSL/TLS object. |
3002 | | * output The buffer to write decrypted data into. |
3003 | | * May be the same pointer as input. |
3004 | | * input The data to decrypt and authentication tag. |
3005 | | * sz The length of the encrypted data plus authentication tag. |
3006 | | * aad The additional authentication data. |
3007 | | * aadSz The size of the addition authentication data. |
3008 | | * returns 0 on success, otherwise failure. |
3009 | | */ |
3010 | | int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz, |
3011 | | const byte* aad, word16 aadSz) |
3012 | 0 | { |
3013 | 0 | int ret = 0; |
3014 | 0 | word16 dataSz; |
3015 | 0 | word16 macSz = ssl->specs.aead_mac_size; |
3016 | 0 | word32 nonceSz = 0; |
3017 | |
|
3018 | 0 | WOLFSSL_ENTER("DecryptTls13"); |
3019 | 0 | if (sz < ssl->specs.aead_mac_size) { |
3020 | 0 | return BAD_FUNC_ARG; |
3021 | 0 | } |
3022 | 0 | dataSz = sz - ssl->specs.aead_mac_size; |
3023 | |
|
3024 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
3025 | | ret = tsip_Tls13AesDecrypt(ssl, output, input, sz); |
3026 | | |
3027 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { |
3028 | | #ifndef WOLFSSL_EARLY_DATA |
3029 | | if (ret < 0) { |
3030 | | ret = VERIFY_MAC_ERROR; |
3031 | | WOLFSSL_ERROR_VERBOSE(ret); |
3032 | | } |
3033 | | #endif |
3034 | | return ret; |
3035 | | } |
3036 | | #endif |
3037 | |
|
3038 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3039 | | ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state); |
3040 | | if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) { |
3041 | | /* check for still pending */ |
3042 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) |
3043 | | return ret; |
3044 | | |
3045 | | ssl->error = 0; /* clear async */ |
3046 | | |
3047 | | /* let failures through so CIPHER_STATE_END logic is run */ |
3048 | | } |
3049 | | else |
3050 | | #endif |
3051 | 0 | { |
3052 | | /* Reset state */ |
3053 | 0 | ret = 0; |
3054 | 0 | ssl->decrypt.state = CIPHER_STATE_BEGIN; |
3055 | 0 | } |
3056 | |
|
3057 | 0 | (void)output; |
3058 | 0 | (void)input; |
3059 | 0 | (void)sz; |
3060 | 0 | (void)dataSz; |
3061 | 0 | (void)macSz; |
3062 | 0 | (void)nonceSz; |
3063 | |
|
3064 | 0 | switch (ssl->decrypt.state) { |
3065 | 0 | case CIPHER_STATE_BEGIN: |
3066 | 0 | { |
3067 | | #ifdef WOLFSSL_DEBUG_TLS |
3068 | | WOLFSSL_MSG("Data to decrypt"); |
3069 | | WOLFSSL_BUFFER(input, dataSz); |
3070 | | WOLFSSL_MSG("Additional Authentication Data"); |
3071 | | WOLFSSL_BUFFER(aad, aadSz); |
3072 | | WOLFSSL_MSG("Authentication tag"); |
3073 | | WOLFSSL_BUFFER(input + dataSz, macSz); |
3074 | | #endif |
3075 | |
|
3076 | 0 | #ifdef CIPHER_NONCE |
3077 | 0 | if (ssl->decrypt.nonce == NULL) { |
3078 | 0 | ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_MAX_IMP_SZ, |
3079 | 0 | ssl->heap, DYNAMIC_TYPE_CIPHER); |
3080 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
3081 | | if (ssl->decrypt.nonce != NULL) { |
3082 | | wc_MemZero_Add("DecryptTls13 nonce", ssl->decrypt.nonce, |
3083 | | ssl->specs.iv_size); |
3084 | | } |
3085 | | #endif |
3086 | 0 | } |
3087 | 0 | if (ssl->decrypt.nonce == NULL) |
3088 | 0 | return MEMORY_E; |
3089 | | |
3090 | 0 | BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV, |
3091 | 0 | ssl->specs.iv_size, PEER_ORDER); |
3092 | 0 | #endif |
3093 | | |
3094 | | /* Advance state and proceed */ |
3095 | 0 | ssl->decrypt.state = CIPHER_STATE_DO; |
3096 | 0 | } |
3097 | 0 | FALL_THROUGH; |
3098 | |
|
3099 | 0 | case CIPHER_STATE_DO: |
3100 | 0 | { |
3101 | 0 | switch (ssl->specs.bulk_cipher_algorithm) { |
3102 | 0 | #ifdef BUILD_AESGCM |
3103 | 0 | case wolfssl_aes_gcm: |
3104 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3105 | | /* initialize event */ |
3106 | | ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev, |
3107 | | WC_ASYNC_FLAG_NONE); |
3108 | | if (ret != 0) |
3109 | | break; |
3110 | | #endif |
3111 | |
|
3112 | 0 | nonceSz = AESGCM_NONCE_SZ; |
3113 | |
|
3114 | | #if defined(HAVE_PK_CALLBACKS) |
3115 | | ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); |
3116 | | if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) { |
3117 | | ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0, |
3118 | | output, input, dataSz, |
3119 | | ssl->decrypt.nonce, nonceSz, |
3120 | | (byte *)(input + dataSz), macSz, |
3121 | | aad, aadSz); |
3122 | | } |
3123 | | if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
3124 | | #endif |
3125 | 0 | { |
3126 | |
|
3127 | 0 | ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input, |
3128 | 0 | dataSz, ssl->decrypt.nonce, nonceSz, |
3129 | 0 | input + dataSz, macSz, aad, aadSz); |
3130 | |
|
3131 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3132 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
3133 | | ret = wolfSSL_AsyncPush(ssl, |
3134 | | &ssl->decrypt.aes->asyncDev); |
3135 | | } |
3136 | | #endif |
3137 | |
|
3138 | 0 | } |
3139 | 0 | break; |
3140 | 0 | #endif |
3141 | | |
3142 | | #ifdef HAVE_AESCCM |
3143 | | case wolfssl_aes_ccm: |
3144 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3145 | | /* initialize event */ |
3146 | | ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev, |
3147 | | WC_ASYNC_FLAG_NONE); |
3148 | | if (ret != 0) |
3149 | | break; |
3150 | | #endif |
3151 | | |
3152 | | nonceSz = AESCCM_NONCE_SZ; |
3153 | | #if defined(HAVE_PK_CALLBACKS) |
3154 | | ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN); |
3155 | | if (ssl->ctx && ssl->ctx->PerformTlsRecordProcessingCb) { |
3156 | | ret = ssl->ctx->PerformTlsRecordProcessingCb(ssl, 0, |
3157 | | output, input, dataSz, |
3158 | | ssl->decrypt.nonce, nonceSz, |
3159 | | (byte *)(input + dataSz), macSz, |
3160 | | aad, aadSz); |
3161 | | } |
3162 | | if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) |
3163 | | #endif |
3164 | | { |
3165 | | ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input, |
3166 | | dataSz, ssl->decrypt.nonce, nonceSz, |
3167 | | input + dataSz, macSz, aad, aadSz); |
3168 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3169 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
3170 | | ret = wolfSSL_AsyncPush(ssl, |
3171 | | &ssl->decrypt.aes->asyncDev); |
3172 | | } |
3173 | | #endif |
3174 | | } |
3175 | | break; |
3176 | | #endif |
3177 | | |
3178 | 0 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) |
3179 | 0 | case wolfssl_chacha: |
3180 | 0 | ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz, |
3181 | 0 | ssl->decrypt.nonce, aad, aadSz, input + dataSz); |
3182 | 0 | break; |
3183 | 0 | #endif |
3184 | | |
3185 | | #ifdef WOLFSSL_SM4_GCM |
3186 | | case wolfssl_sm4_gcm: |
3187 | | nonceSz = SM4_GCM_NONCE_SZ; |
3188 | | ret = wc_Sm4GcmDecrypt(ssl->decrypt.sm4, output, input, |
3189 | | dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz, |
3190 | | macSz, aad, aadSz); |
3191 | | break; |
3192 | | #endif |
3193 | | |
3194 | | #ifdef WOLFSSL_SM4_CCM |
3195 | | case wolfssl_sm4_ccm: |
3196 | | nonceSz = SM4_CCM_NONCE_SZ; |
3197 | | ret = wc_Sm4CcmDecrypt(ssl->decrypt.sm4, output, input, |
3198 | | dataSz, ssl->decrypt.nonce, nonceSz, input + dataSz, |
3199 | | macSz, aad, aadSz); |
3200 | | break; |
3201 | | #endif |
3202 | | |
3203 | | #ifdef HAVE_NULL_CIPHER |
3204 | | case wolfssl_cipher_null: |
3205 | | ret = Tls13IntegrityOnly_Decrypt(ssl, output, input, dataSz, |
3206 | | ssl->decrypt.nonce, aad, aadSz, input + dataSz); |
3207 | | break; |
3208 | | #endif |
3209 | 0 | default: |
3210 | 0 | WOLFSSL_MSG("wolfSSL Decrypt programming error"); |
3211 | 0 | return DECRYPT_ERROR; |
3212 | 0 | } |
3213 | | |
3214 | | /* Advance state */ |
3215 | 0 | ssl->decrypt.state = CIPHER_STATE_END; |
3216 | |
|
3217 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3218 | | /* If pending, leave now */ |
3219 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
3220 | | return ret; |
3221 | | } |
3222 | | #endif |
3223 | 0 | } |
3224 | 0 | FALL_THROUGH; |
3225 | |
|
3226 | 0 | case CIPHER_STATE_END: |
3227 | 0 | { |
3228 | | #ifdef WOLFSSL_DEBUG_TLS |
3229 | | #ifdef CIPHER_NONCE |
3230 | | WOLFSSL_MSG("Nonce"); |
3231 | | WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size); |
3232 | | #endif |
3233 | | WOLFSSL_MSG("Decrypted data"); |
3234 | | WOLFSSL_BUFFER(output, dataSz); |
3235 | | #endif |
3236 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
3237 | | if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) && |
3238 | | (ret == 0)) { |
3239 | | wc_MemZero_Add("TLS 1.3 Decrypted data", output, sz); |
3240 | | } |
3241 | | #endif |
3242 | |
|
3243 | 0 | #ifdef CIPHER_NONCE |
3244 | 0 | ForceZero(ssl->decrypt.nonce, ssl->specs.iv_size); |
3245 | 0 | #endif |
3246 | |
|
3247 | 0 | break; |
3248 | 0 | } |
3249 | | |
3250 | 0 | default: |
3251 | 0 | break; |
3252 | 0 | } |
3253 | | |
3254 | 0 | if (ret < 0) { |
3255 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
3256 | 0 | } |
3257 | |
|
3258 | 0 | return ret; |
3259 | 0 | } |
3260 | | |
3261 | | /* Persistable BuildTls13Message arguments */ |
3262 | | typedef struct BuildMsg13Args { |
3263 | | word32 sz; |
3264 | | word32 idx; |
3265 | | word32 headerSz; |
3266 | | word16 size; |
3267 | | word32 paddingSz; |
3268 | | } BuildMsg13Args; |
3269 | | |
3270 | | static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs) |
3271 | 0 | { |
3272 | 0 | BuildMsg13Args* args = (BuildMsg13Args*)pArgs; |
3273 | |
|
3274 | 0 | (void)ssl; |
3275 | 0 | (void)args; |
3276 | | |
3277 | | /* no allocations in BuildTls13Message */ |
3278 | 0 | } |
3279 | | |
3280 | | /* Build SSL Message, encrypted. |
3281 | | * TLS v1.3 encryption is AEAD only. |
3282 | | * |
3283 | | * ssl The SSL/TLS object. |
3284 | | * output The buffer to write record message to. |
3285 | | * outSz Size of the buffer being written into. |
3286 | | * input The record data to encrypt (excluding record header). |
3287 | | * inSz The size of the record data. |
3288 | | * type The recorder header content type. |
3289 | | * hashOutput Whether to hash the unencrypted record data. |
3290 | | * sizeOnly Only want the size of the record message. |
3291 | | * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto |
3292 | | * returns the size of the encrypted record message or negative value on error. |
3293 | | */ |
3294 | | int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input, |
3295 | | int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay) |
3296 | 0 | { |
3297 | 0 | int ret; |
3298 | 0 | BuildMsg13Args* args; |
3299 | 0 | BuildMsg13Args lcl_args; |
3300 | |
|
3301 | 0 | WOLFSSL_ENTER("BuildTls13Message"); |
3302 | |
|
3303 | 0 | if (ssl == NULL) { |
3304 | 0 | return BAD_FUNC_ARG; |
3305 | 0 | } |
3306 | | |
3307 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3308 | | ret = WC_NO_PENDING_E; |
3309 | | if (asyncOkay) { |
3310 | | WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args); |
3311 | | |
3312 | | if (ssl->async == NULL) { |
3313 | | ssl->async = (struct WOLFSSL_ASYNC*) |
3314 | | XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap, |
3315 | | DYNAMIC_TYPE_ASYNC); |
3316 | | if (ssl->async == NULL) |
3317 | | return MEMORY_E; |
3318 | | } |
3319 | | args = (BuildMsg13Args*)ssl->async->args; |
3320 | | |
3321 | | ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState); |
3322 | | if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) { |
3323 | | /* Check for error */ |
3324 | | if (ret < 0) |
3325 | | goto exit_buildmsg; |
3326 | | } |
3327 | | } |
3328 | | else |
3329 | | #endif |
3330 | 0 | { |
3331 | 0 | args = &lcl_args; |
3332 | 0 | } |
3333 | | |
3334 | | /* Reset state */ |
3335 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3336 | | if (ret == WC_NO_ERR_TRACE(WC_NO_PENDING_E)) |
3337 | | #endif |
3338 | 0 | { |
3339 | 0 | ret = 0; |
3340 | 0 | ssl->options.buildMsgState = BUILD_MSG_BEGIN; |
3341 | 0 | XMEMSET(args, 0, sizeof(BuildMsg13Args)); |
3342 | |
|
3343 | 0 | args->headerSz = RECORD_HEADER_SZ; |
3344 | | #ifdef WOLFSSL_DTLS13 |
3345 | | if (ssl->options.dtls) |
3346 | | args->headerSz = Dtls13GetRlHeaderLength(ssl, 1); |
3347 | | #endif /* WOLFSSL_DTLS13 */ |
3348 | |
|
3349 | 0 | args->sz = args->headerSz + (word32)inSz; |
3350 | 0 | args->idx = args->headerSz; |
3351 | |
|
3352 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3353 | | if (asyncOkay) |
3354 | | ssl->async->freeArgs = FreeBuildMsg13Args; |
3355 | | #endif |
3356 | 0 | } |
3357 | |
|
3358 | 0 | switch (ssl->options.buildMsgState) { |
3359 | 0 | case BUILD_MSG_BEGIN: |
3360 | 0 | { |
3361 | | /* catch mistaken sizeOnly parameter */ |
3362 | 0 | if (sizeOnly) { |
3363 | 0 | if (output || input) { |
3364 | 0 | WOLFSSL_MSG("BuildTls13Message with sizeOnly " |
3365 | 0 | "doesn't need input or output"); |
3366 | 0 | return BAD_FUNC_ARG; |
3367 | 0 | } |
3368 | 0 | } |
3369 | 0 | else if (output == NULL || input == NULL) { |
3370 | 0 | return BAD_FUNC_ARG; |
3371 | 0 | } |
3372 | | |
3373 | | /* Record layer content type at the end of record data. */ |
3374 | 0 | args->sz++; |
3375 | | /* Authentication data at the end. */ |
3376 | 0 | args->sz += ssl->specs.aead_mac_size; |
3377 | | #ifdef WOLFSSL_DTLS13 |
3378 | | /* Pad to minimum length */ |
3379 | | if (ssl->options.dtls && |
3380 | | args->sz < (word32)Dtls13MinimumRecordLength(ssl)) { |
3381 | | args->paddingSz = Dtls13MinimumRecordLength(ssl) - args->sz; |
3382 | | args->sz = Dtls13MinimumRecordLength(ssl); |
3383 | | } |
3384 | | #endif |
3385 | 0 | if (sizeOnly) |
3386 | 0 | return (int)args->sz; |
3387 | | |
3388 | 0 | if (args->sz > (word32)outSz) { |
3389 | 0 | WOLFSSL_MSG("Oops, want to write past output buffer size"); |
3390 | 0 | return BUFFER_E; |
3391 | 0 | } |
3392 | | |
3393 | | /* Record data length. */ |
3394 | 0 | args->size = (word16)(args->sz - args->headerSz); |
3395 | | /* Write/update the record header with the new size. |
3396 | | * Always have the content type as application data for encrypted |
3397 | | * messages in TLS v1.3. |
3398 | | */ |
3399 | |
|
3400 | 0 | if (ssl->options.dtls) { |
3401 | | #ifdef WOLFSSL_DTLS13 |
3402 | | Dtls13RlAddCiphertextHeader(ssl, output, args->size); |
3403 | | #endif /* WOLFSSL_DTLS13 */ |
3404 | 0 | } |
3405 | 0 | else { |
3406 | 0 | AddTls13RecordHeader(output, args->size, application_data, ssl); |
3407 | 0 | } |
3408 | | |
3409 | | /* TLS v1.3 can do in place encryption. */ |
3410 | 0 | if (input != output + args->idx) |
3411 | 0 | XMEMCPY(output + args->idx, input, (size_t)inSz); |
3412 | 0 | args->idx += (word32)inSz; |
3413 | |
|
3414 | 0 | ssl->options.buildMsgState = BUILD_MSG_HASH; |
3415 | 0 | } |
3416 | 0 | FALL_THROUGH; |
3417 | |
|
3418 | 0 | case BUILD_MSG_HASH: |
3419 | 0 | { |
3420 | 0 | if (hashOutput) { |
3421 | 0 | ret = HashOutput(ssl, output, (int)args->headerSz + inSz, 0); |
3422 | 0 | if (ret != 0) |
3423 | 0 | goto exit_buildmsg; |
3424 | 0 | } |
3425 | | |
3426 | | /* The real record content type goes at the end of the data. */ |
3427 | 0 | output[args->idx++] = (byte)type; |
3428 | | /* Double check that any necessary padding is zero'd out */ |
3429 | 0 | XMEMSET(output + args->idx, 0, args->paddingSz); |
3430 | 0 | args->idx += args->paddingSz; |
3431 | |
|
3432 | 0 | ssl->options.buildMsgState = BUILD_MSG_ENCRYPT; |
3433 | 0 | } |
3434 | 0 | FALL_THROUGH; |
3435 | |
|
3436 | 0 | case BUILD_MSG_ENCRYPT: |
3437 | 0 | { |
3438 | | #ifdef WOLFSSL_QUIC |
3439 | | if (WOLFSSL_IS_QUIC(ssl)) { |
3440 | | /* QUIC does not use encryption of the TLS Record Layer. |
3441 | | * Return the original length + added headers |
3442 | | * and restore it in the record header. */ |
3443 | | AddTls13RecordHeader(output, (word32)inSz, (byte)type, ssl); |
3444 | | ret = (int)args->headerSz + inSz; |
3445 | | goto exit_buildmsg; |
3446 | | } |
3447 | | #endif |
3448 | | #ifdef ATOMIC_USER |
3449 | | if (ssl->ctx->MacEncryptCb) { |
3450 | | /* User Record Layer Callback handling */ |
3451 | | byte* mac = output + args->idx; |
3452 | | output += args->headerSz; |
3453 | | |
3454 | | ret = ssl->ctx->MacEncryptCb(ssl, mac, output, (unsigned int)inSz, (byte)type, 0, |
3455 | | output, output, args->size, ssl->MacEncryptCtx); |
3456 | | } |
3457 | | else |
3458 | | #endif |
3459 | 0 | { |
3460 | 0 | const byte* aad = output; |
3461 | 0 | output += args->headerSz; |
3462 | 0 | ret = EncryptTls13(ssl, output, output, args->size, aad, |
3463 | 0 | (word16)args->headerSz, asyncOkay); |
3464 | 0 | if (ret != 0) { |
3465 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3466 | | if (ret != WC_NO_ERR_TRACE(WC_PENDING_E)) |
3467 | | #endif |
3468 | 0 | { |
3469 | | /* Zeroize plaintext. */ |
3470 | 0 | ForceZero(output, args->size); |
3471 | 0 | } |
3472 | 0 | } |
3473 | | #ifdef WOLFSSL_DTLS13 |
3474 | | if (ret == 0 && ssl->options.dtls) { |
3475 | | /* AAD points to the header. Reuse the variable */ |
3476 | | ret = Dtls13EncryptRecordNumber(ssl, (byte*)aad, |
3477 | | (word16)args->sz); |
3478 | | } |
3479 | | #endif /* WOLFSSL_DTLS13 */ |
3480 | 0 | } |
3481 | 0 | break; |
3482 | 0 | } |
3483 | | |
3484 | 0 | default: |
3485 | 0 | break; |
3486 | 0 | } |
3487 | | |
3488 | 0 | exit_buildmsg: |
3489 | |
|
3490 | 0 | WOLFSSL_LEAVE("BuildTls13Message", ret); |
3491 | |
|
3492 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3493 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
3494 | | return ret; |
3495 | | } |
3496 | | #endif |
3497 | | |
3498 | | /* make sure build message state is reset */ |
3499 | 0 | ssl->options.buildMsgState = BUILD_MSG_BEGIN; |
3500 | | |
3501 | | /* return sz on success */ |
3502 | 0 | if (ret == 0) { |
3503 | 0 | ret = (int)args->sz; |
3504 | 0 | } |
3505 | 0 | else { |
3506 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
3507 | 0 | } |
3508 | | |
3509 | | /* Final cleanup */ |
3510 | | #ifdef WOLFSSL_ASYNC_CRYPT |
3511 | | if (asyncOkay) |
3512 | | FreeAsyncCtx(ssl, 0); |
3513 | | else |
3514 | | #endif |
3515 | 0 | FreeBuildMsg13Args(ssl, args); |
3516 | |
|
3517 | 0 | return ret; |
3518 | 0 | } |
3519 | | |
3520 | | #if !defined(NO_WOLFSSL_CLIENT) || (!defined(NO_WOLFSSL_SERVER) && \ |
3521 | | (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \ |
3522 | | (defined(WOLFSSL_PSK_ONE_ID) || defined(WOLFSSL_PRIORITIZE_PSK))) |
3523 | | /* Find the cipher suite in the suites set in the SSL. |
3524 | | * |
3525 | | * ssl SSL/TLS object. |
3526 | | * suite Cipher suite to look for. |
3527 | | * returns 1 when suite is found in SSL/TLS object's list and 0 otherwise. |
3528 | | */ |
3529 | | int FindSuiteSSL(const WOLFSSL* ssl, byte* suite) |
3530 | 0 | { |
3531 | 0 | word16 i; |
3532 | 0 | const Suites* suites = WOLFSSL_SUITES(ssl); |
3533 | |
|
3534 | 0 | for (i = 0; i < suites->suiteSz; i += 2) { |
3535 | 0 | if (suites->suites[i+0] == suite[0] && |
3536 | 0 | suites->suites[i+1] == suite[1]) { |
3537 | 0 | return 1; |
3538 | 0 | } |
3539 | 0 | } |
3540 | | |
3541 | 0 | return 0; |
3542 | 0 | } |
3543 | | #endif |
3544 | | |
3545 | | #ifndef NO_PSK |
3546 | | /* Get the MAC algorithm for the TLS 1.3 cipher suite. |
3547 | | * |
3548 | | * @param [in] suite. |
3549 | | * @return A value from wc_MACAlgorithm enumeration. |
3550 | | */ |
3551 | | byte SuiteMac(const byte* suite) |
3552 | | { |
3553 | | byte mac = no_mac; |
3554 | | |
3555 | | if (suite[0] == TLS13_BYTE) { |
3556 | | switch (suite[1]) { |
3557 | | #ifdef BUILD_TLS_AES_128_GCM_SHA256 |
3558 | | case TLS_AES_128_GCM_SHA256: |
3559 | | mac = sha256_mac; |
3560 | | break; |
3561 | | #endif |
3562 | | #ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256 |
3563 | | case TLS_CHACHA20_POLY1305_SHA256: |
3564 | | mac = sha256_mac; |
3565 | | break; |
3566 | | #endif |
3567 | | #ifdef BUILD_TLS_AES_128_CCM_SHA256 |
3568 | | case TLS_AES_128_CCM_SHA256: |
3569 | | mac = sha256_mac; |
3570 | | break; |
3571 | | #endif |
3572 | | #ifdef BUILD_TLS_AES_128_CCM_8_SHA256 |
3573 | | case TLS_AES_128_CCM_8_SHA256: |
3574 | | mac = sha256_mac; |
3575 | | break; |
3576 | | #endif |
3577 | | #ifdef BUILD_TLS_AES_256_GCM_SHA384 |
3578 | | case TLS_AES_256_GCM_SHA384: |
3579 | | mac = sha384_mac; |
3580 | | break; |
3581 | | #endif |
3582 | | default: |
3583 | | break; |
3584 | | } |
3585 | | } |
3586 | | #if (defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)) && \ |
3587 | | defined(WOLFSSL_SM3) |
3588 | | else if (suite[0] == CIPHER_BYTE) { |
3589 | | switch (suite[1]) { |
3590 | | #ifdef BUILD_TLS_SM4_GCM_SM3 |
3591 | | case TLS_SM4_GCM_SM3: |
3592 | | mac = sm3_mac; |
3593 | | break; |
3594 | | #endif |
3595 | | #ifdef BUILD_TLS_SM4_CCM_SM3 |
3596 | | case TLS_SM4_CCM_SM3: |
3597 | | mac = sm3_mac; |
3598 | | break; |
3599 | | #endif |
3600 | | default: |
3601 | | break; |
3602 | | } |
3603 | | } |
3604 | | #endif |
3605 | | #ifdef HAVE_NULL_CIPHER |
3606 | | else if (suite[0] == ECC_BYTE) { |
3607 | | switch (suite[1]) { |
3608 | | #ifdef BUILD_TLS_SHA256_SHA256 |
3609 | | case TLS_SHA256_SHA256: |
3610 | | mac = sha256_mac; |
3611 | | break; |
3612 | | #endif |
3613 | | #ifdef BUILD_TLS_SHA384_SHA384 |
3614 | | case TLS_SHA384_SHA384: |
3615 | | mac = sha384_mac; |
3616 | | break; |
3617 | | #endif |
3618 | | default: |
3619 | | break; |
3620 | | } |
3621 | | } |
3622 | | #endif |
3623 | | |
3624 | | return mac; |
3625 | | } |
3626 | | #endif |
3627 | | |
3628 | | #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) |
3629 | | /* Create Cookie extension using the hash of the first ClientHello. |
3630 | | * |
3631 | | * ssl SSL/TLS object. |
3632 | | * hash The hash data. |
3633 | | * hashSz The size of the hash data in bytes. |
3634 | | * returns 0 on success, otherwise failure. |
3635 | | */ |
3636 | | int CreateCookieExt(const WOLFSSL* ssl, byte* hash, word16 hashSz, |
3637 | | TLSX** exts, byte cipherSuite0, byte cipherSuite) |
3638 | | { |
3639 | | int ret; |
3640 | | byte mac[WC_MAX_DIGEST_SIZE] = {0}; |
3641 | | WC_DECLARE_VAR(cookieHmac, Hmac, 1, ssl->heap); |
3642 | | byte cookieType = 0; |
3643 | | byte macSz = 0; |
3644 | | byte cookie[OPAQUE8_LEN + WC_MAX_DIGEST_SIZE + OPAQUE16_LEN * 2]; |
3645 | | TLSX* ext; |
3646 | | word16 cookieSz = 0; |
3647 | | |
3648 | | if (hash == NULL || hashSz == 0) { |
3649 | | return BAD_FUNC_ARG; |
3650 | | } |
3651 | | |
3652 | | if (ssl->buffers.tls13CookieSecret.buffer == NULL || |
3653 | | ssl->buffers.tls13CookieSecret.length == 0) { |
3654 | | WOLFSSL_MSG("Missing DTLS 1.3 cookie secret"); |
3655 | | return COOKIE_ERROR; |
3656 | | } |
3657 | | |
3658 | | /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */ |
3659 | | cookie[cookieSz++] = (byte)hashSz; |
3660 | | XMEMCPY(cookie + cookieSz, hash, hashSz); |
3661 | | cookieSz += hashSz; |
3662 | | cookie[cookieSz++] = cipherSuite0; |
3663 | | cookie[cookieSz++] = cipherSuite; |
3664 | | if ((ext = TLSX_Find(*exts, TLSX_KEY_SHARE)) != NULL) { |
3665 | | KeyShareEntry* kse = (KeyShareEntry*)ext->data; |
3666 | | if (kse == NULL) { |
3667 | | WOLFSSL_MSG("KeyShareEntry can't be empty when negotiating " |
3668 | | "parameters"); |
3669 | | return BAD_STATE_E; |
3670 | | } |
3671 | | c16toa(kse->group, cookie + cookieSz); |
3672 | | cookieSz += OPAQUE16_LEN; |
3673 | | } |
3674 | | |
3675 | | #ifndef NO_SHA256 |
3676 | | cookieType = WC_SHA256; |
3677 | | macSz = WC_SHA256_DIGEST_SIZE; |
3678 | | #elif defined(WOLFSSL_SHA384) |
3679 | | cookieType = WC_SHA384; |
3680 | | macSz = WC_SHA384_DIGEST_SIZE; |
3681 | | #elif defined(WOLFSSL_TLS13_SHA512) |
3682 | | cookieType = WC_SHA512; |
3683 | | macSz = WC_SHA512_DIGEST_SIZE; |
3684 | | #elif defined(WOLFSSL_SM3) |
3685 | | cookieType = WC_SM3; |
3686 | | macSz = WC_SM3_DIGEST_SIZE; |
3687 | | #else |
3688 | | #error "No digest to available to use with HMAC for cookies." |
3689 | | #endif /* NO_SHA */ |
3690 | | |
3691 | | WC_ALLOC_VAR_EX(cookieHmac, Hmac, 1, ssl->heap, DYNAMIC_TYPE_HMAC, |
3692 | | return MEMORY_E); |
3693 | | |
3694 | | ret = wc_HmacInit(cookieHmac, ssl->heap, ssl->devId); |
3695 | | if (ret == 0) { |
3696 | | ret = wc_HmacSetKey(cookieHmac, cookieType, |
3697 | | ssl->buffers.tls13CookieSecret.buffer, |
3698 | | ssl->buffers.tls13CookieSecret.length); |
3699 | | } |
3700 | | if (ret == 0) |
3701 | | ret = wc_HmacUpdate(cookieHmac, cookie, cookieSz); |
3702 | | #ifdef WOLFSSL_DTLS13 |
3703 | | /* Tie cookie to peer address */ |
3704 | | if (ret == 0) { |
3705 | | /* peerLock not necessary. Still in handshake phase. */ |
3706 | | if (ssl->options.dtls && ssl->buffers.dtlsCtx.peer.sz > 0) { |
3707 | | ret = wc_HmacUpdate(cookieHmac, |
3708 | | (byte*)ssl->buffers.dtlsCtx.peer.sa, |
3709 | | ssl->buffers.dtlsCtx.peer.sz); |
3710 | | } |
3711 | | } |
3712 | | #endif |
3713 | | if (ret == 0) |
3714 | | ret = wc_HmacFinal(cookieHmac, mac); |
3715 | | |
3716 | | wc_HmacFree(cookieHmac); |
3717 | | WC_FREE_VAR_EX(cookieHmac, ssl->heap, DYNAMIC_TYPE_HMAC); |
3718 | | if (ret != 0) |
3719 | | return ret; |
3720 | | |
3721 | | /* The cookie data is the hash and the integrity check. */ |
3722 | | return TLSX_Cookie_Use(ssl, cookie, cookieSz, mac, macSz, 1, exts); |
3723 | | } |
3724 | | #endif |
3725 | | |
3726 | | #ifdef WOLFSSL_DTLS13 |
3727 | | #define HRR_MAX_HS_HEADER_SZ DTLS_HANDSHAKE_HEADER_SZ |
3728 | | #else |
3729 | | #define HRR_MAX_HS_HEADER_SZ HANDSHAKE_HEADER_SZ |
3730 | | #endif /* WOLFSSL_DTLS13 */ |
3731 | | |
3732 | | static int CreateCookie(const WOLFSSL* ssl, byte** hash, byte* hashSz, |
3733 | | Hashes* hashes, TLSX** exts) |
3734 | 0 | { |
3735 | 0 | int ret = 0; |
3736 | |
|
3737 | 0 | (void)exts; |
3738 | |
|
3739 | 0 | *hash = NULL; |
3740 | 0 | switch (ssl->specs.mac_algorithm) { |
3741 | 0 | #ifndef NO_SHA256 |
3742 | 0 | case sha256_mac: |
3743 | 0 | *hash = hashes->sha256; |
3744 | 0 | break; |
3745 | 0 | #endif |
3746 | 0 | #ifdef WOLFSSL_SHA384 |
3747 | 0 | case sha384_mac: |
3748 | 0 | *hash = hashes->sha384; |
3749 | 0 | break; |
3750 | 0 | #endif |
3751 | | #ifdef WOLFSSL_TLS13_SHA512 |
3752 | | case sha512_mac: |
3753 | | *hash = hashes->sha512; |
3754 | | break; |
3755 | | #endif |
3756 | | #ifdef WOLFSSL_SM3 |
3757 | | case sm3_mac: |
3758 | | *hash = hashes->sm3; |
3759 | | break; |
3760 | | #endif |
3761 | 0 | } |
3762 | 0 | *hashSz = ssl->specs.hash_size; |
3763 | | |
3764 | | /* check hash */ |
3765 | 0 | if (*hash == NULL && *hashSz > 0) |
3766 | 0 | return BAD_FUNC_ARG; |
3767 | | |
3768 | | #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) |
3769 | | if (ssl->options.sendCookie && ssl->options.side == WOLFSSL_SERVER_END) |
3770 | | ret = CreateCookieExt(ssl, *hash, *hashSz, exts, |
3771 | | ssl->options.cipherSuite0, ssl->options.cipherSuite); |
3772 | | #endif |
3773 | 0 | return ret; |
3774 | 0 | } |
3775 | | |
3776 | | /* Restart the handshake hash with a hash of the previous messages. |
3777 | | * |
3778 | | * ssl The SSL/TLS object. |
3779 | | * returns 0 on success, otherwise failure. |
3780 | | */ |
3781 | | int RestartHandshakeHash(WOLFSSL* ssl) |
3782 | 0 | { |
3783 | 0 | int ret; |
3784 | 0 | byte header[HANDSHAKE_HEADER_SZ] = {0}; |
3785 | 0 | Hashes hashes; |
3786 | 0 | byte* hash = NULL; |
3787 | 0 | byte hashSz = 0; |
3788 | |
|
3789 | 0 | ret = BuildCertHashes(ssl, &hashes); |
3790 | 0 | if (ret != 0) |
3791 | 0 | return ret; |
3792 | 0 | ret = CreateCookie(ssl, &hash, &hashSz, &hashes, &ssl->extensions); |
3793 | 0 | if (ret != 0) |
3794 | 0 | return ret; |
3795 | | #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER) |
3796 | | if (ssl->options.sendCookie && ssl->options.side == WOLFSSL_SERVER_END) |
3797 | | return 0; |
3798 | | #endif |
3799 | | |
3800 | 0 | AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl); |
3801 | |
|
3802 | | #ifdef WOLFSSL_DEBUG_TLS |
3803 | | WOLFSSL_MSG("Restart Hash"); |
3804 | | WOLFSSL_BUFFER(hash, hashSz); |
3805 | | #endif |
3806 | |
|
3807 | 0 | ret = InitHandshakeHashes(ssl); |
3808 | 0 | if (ret != 0) |
3809 | 0 | return ret; |
3810 | 0 | ret = HashRaw(ssl, header, sizeof(header)); |
3811 | 0 | if (ret != 0) |
3812 | 0 | return ret; |
3813 | 0 | return HashRaw(ssl, hash, hashSz); |
3814 | 0 | } |
3815 | | |
3816 | | #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) |
3817 | | /* The value in the random field of a ServerHello to indicate |
3818 | | * HelloRetryRequest. |
3819 | | */ |
3820 | | static byte helloRetryRequestRandom[] = { |
3821 | | 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, |
3822 | | 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, |
3823 | | 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, |
3824 | | 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C |
3825 | | }; |
3826 | | #endif |
3827 | | |
3828 | | #ifdef HAVE_ECH |
3829 | | /* returns the index of the first supported cipher suite, -1 if none */ |
3830 | | int EchConfigGetSupportedCipherSuite(WOLFSSL_EchConfig* config) |
3831 | | { |
3832 | | int i = 0; |
3833 | | |
3834 | | if (!wc_HpkeKemIsSupported(config->kemId)) { |
3835 | | WOLFSSL_MSG("ECH config: KEM not supported"); |
3836 | | return WOLFSSL_FATAL_ERROR; |
3837 | | } |
3838 | | |
3839 | | for (i = 0; i < config->numCipherSuites; i++) { |
3840 | | if (wc_HpkeKdfIsSupported(config->cipherSuites[i].kdfId) && |
3841 | | wc_HpkeAeadIsSupported(config->cipherSuites[i].aeadId)) { |
3842 | | return i; |
3843 | | } |
3844 | | } |
3845 | | |
3846 | | WOLFSSL_MSG("ECH config: KDF or AEAD not supported"); |
3847 | | return WOLFSSL_FATAL_ERROR; |
3848 | | } |
3849 | | |
3850 | | /* Hash the inner client hello, initializing the hsHashesEch field if needed. |
3851 | | * This should receive the client hello without outer_extensions 'encoding' |
3852 | | * |
3853 | | * ssl SSL/TLS object. |
3854 | | * ech ECH object. |
3855 | | * returns 0 on success and otherwise failure. |
3856 | | */ |
3857 | | static int EchHashHelloInner(WOLFSSL* ssl, WOLFSSL_ECH* ech) |
3858 | | { |
3859 | | int ret = 0; |
3860 | | int headerSz; |
3861 | | word32 realSz; |
3862 | | HS_Hashes* tmpHashes; |
3863 | | #ifndef NO_WOLFSSL_CLIENT |
3864 | | byte falseHeader[HRR_MAX_HS_HEADER_SZ]; |
3865 | | #endif |
3866 | | |
3867 | | if (ssl == NULL || ech == NULL) { |
3868 | | return BAD_FUNC_ARG; |
3869 | | } |
3870 | | |
3871 | | #ifdef WOLFSSL_DTLS13 |
3872 | | headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ : |
3873 | | HANDSHAKE_HEADER_SZ; |
3874 | | #else |
3875 | | headerSz = HANDSHAKE_HEADER_SZ; |
3876 | | #endif |
3877 | | |
3878 | | realSz = ech->innerClientHelloLen; |
3879 | | |
3880 | | tmpHashes = ssl->hsHashes; |
3881 | | |
3882 | | ssl->hsHashes = ssl->hsHashesEch; |
3883 | | if (ssl->hsHashes == NULL) { |
3884 | | ret = InitHandshakeHashes(ssl); |
3885 | | if (ret == 0) { |
3886 | | ssl->hsHashesEch = ssl->hsHashes; |
3887 | | } |
3888 | | } |
3889 | | |
3890 | | if (ret == 0) { |
3891 | | #ifndef NO_WOLFSSL_CLIENT |
3892 | | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
3893 | | /* client-side: innerClientHello contains body only */ |
3894 | | AddTls13HandShakeHeader(falseHeader, realSz, 0, 0, client_hello, |
3895 | | ssl); |
3896 | | ret = HashRaw(ssl, falseHeader, headerSz); |
3897 | | if (ret == 0) { |
3898 | | ret = HashRaw(ssl, ech->innerClientHello, realSz); |
3899 | | } |
3900 | | } |
3901 | | #endif |
3902 | | #ifndef NO_WOLFSSL_SERVER |
3903 | | if (ssl->options.side == WOLFSSL_SERVER_END) { |
3904 | | /* server-side: innerClientHello contains header + body */ |
3905 | | ret = HashRaw(ssl, ech->innerClientHello, headerSz + realSz); |
3906 | | } |
3907 | | #endif |
3908 | | } |
3909 | | |
3910 | | ssl->hsHashes = tmpHashes; |
3911 | | return ret; |
3912 | | } |
3913 | | |
3914 | | /* Calculate the 8 ECH confirmation bytes. |
3915 | | * |
3916 | | * ssl SSL/TLS object. |
3917 | | * label Ascii string describing ECH acceptance or rejection. |
3918 | | * labelSz Length of label excluding NULL character. |
3919 | | * input The buffer to calculate confirmation off of. |
3920 | | * acceptOffset Where the 8 ECH confirmation bytes start. |
3921 | | * helloSz Size of hello message. |
3922 | | * isHrr Whether message is a HelloRetryRequest or not. |
3923 | | * acceptExpanded An 8 byte array to store calculated confirmation to. |
3924 | | * returns 0 on success and otherwise failure. |
3925 | | */ |
3926 | | static int EchCalcAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz, |
3927 | | const byte* input, int acceptOffset, int helloSz, byte isHrr, |
3928 | | byte* acceptExpanded) |
3929 | | { |
3930 | | int ret = 0; |
3931 | | int digestType = 0; |
3932 | | int digestSize = 0; |
3933 | | int hashSz = 0; |
3934 | | int headerSz; |
3935 | | HS_Hashes* tmpHashes; |
3936 | | HS_Hashes* acceptHash = NULL; |
3937 | | byte zeros[WC_MAX_DIGEST_SIZE]; |
3938 | | byte transcriptEchConf[WC_MAX_DIGEST_SIZE]; |
3939 | | byte clientHelloInnerHash[WC_MAX_DIGEST_SIZE]; |
3940 | | byte expandLabelPrk[WC_MAX_DIGEST_SIZE]; |
3941 | | byte messageHashHeader[HRR_MAX_HS_HEADER_SZ]; |
3942 | | |
3943 | | XMEMSET(zeros, 0, sizeof(zeros)); |
3944 | | XMEMSET(transcriptEchConf, 0, sizeof(transcriptEchConf)); |
3945 | | XMEMSET(clientHelloInnerHash, 0, sizeof(clientHelloInnerHash)); |
3946 | | XMEMSET(expandLabelPrk, 0, sizeof(expandLabelPrk)); |
3947 | | |
3948 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
3949 | | wc_MemZero_Add("ECH PRK", expandLabelPrk, sizeof(expandLabelPrk)); |
3950 | | #endif |
3951 | | |
3952 | | tmpHashes = ssl->hsHashes; |
3953 | | ssl->hsHashes = ssl->hsHashesEch; |
3954 | | |
3955 | | #ifdef WOLFSSL_DTLS13 |
3956 | | headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ : |
3957 | | HANDSHAKE_HEADER_SZ; |
3958 | | #else |
3959 | | headerSz = HANDSHAKE_HEADER_SZ; |
3960 | | #endif |
3961 | | |
3962 | | if (isHrr) { |
3963 | | /* the transcript hash of ClientHelloInner1 */ |
3964 | | ret = GetMsgHash(ssl, clientHelloInnerHash); |
3965 | | if (ret > 0) { |
3966 | | hashSz = ret; |
3967 | | ret = 0; |
3968 | | } |
3969 | | else if (ret == 0) { |
3970 | | ret = HASH_TYPE_E; |
3971 | | } |
3972 | | |
3973 | | /* restart ECH transcript hash, similar to RestartHandshakeHash but |
3974 | | * don't add a cookie */ |
3975 | | if (ret == 0) { |
3976 | | ret = InitHandshakeHashes(ssl); |
3977 | | ssl->hsHashesEch = ssl->hsHashes; |
3978 | | } |
3979 | | if (ret == 0) { |
3980 | | AddTls13HandShakeHeader(messageHashHeader, (word32)hashSz, 0, 0, |
3981 | | message_hash, ssl); |
3982 | | ret = HashRaw(ssl, messageHashHeader, headerSz); |
3983 | | } |
3984 | | if (ret == 0) { |
3985 | | ret = HashRaw(ssl, clientHelloInnerHash, (word32)hashSz); |
3986 | | } |
3987 | | } |
3988 | | |
3989 | | /* hash with zeros for confirmation computation */ |
3990 | | if (ret == 0) { |
3991 | | ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashesEch, &acceptHash); |
3992 | | } |
3993 | | if (ret == 0) { |
3994 | | ssl->hsHashes = acceptHash; |
3995 | | ret = HashRaw(ssl, input, acceptOffset); |
3996 | | } |
3997 | | if (ret == 0) { |
3998 | | ret = HashRaw(ssl, zeros, ECH_ACCEPT_CONFIRMATION_SZ); |
3999 | | } |
4000 | | if (ret == 0) { |
4001 | | ret = HashRaw(ssl, input + acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ, |
4002 | | helloSz + headerSz - (acceptOffset + ECH_ACCEPT_CONFIRMATION_SZ)); |
4003 | | } |
4004 | | |
4005 | | /* get the modified transcript hash */ |
4006 | | if (ret == 0) { |
4007 | | ret = GetMsgHash(ssl, transcriptEchConf); |
4008 | | if (ret > 0) { |
4009 | | ret = 0; |
4010 | | } |
4011 | | else if (ret == 0) { |
4012 | | ret = HASH_TYPE_E; |
4013 | | } |
4014 | | } |
4015 | | |
4016 | | /* pick the right type and size based on mac_algorithm */ |
4017 | | if (ret == 0) { |
4018 | | switch (ssl->specs.mac_algorithm) { |
4019 | | #ifndef NO_SHA256 |
4020 | | case sha256_mac: |
4021 | | digestType = WC_SHA256; |
4022 | | digestSize = WC_SHA256_DIGEST_SIZE; |
4023 | | break; |
4024 | | #endif /* !NO_SHA256 */ |
4025 | | #ifdef WOLFSSL_SHA384 |
4026 | | case sha384_mac: |
4027 | | digestType = WC_SHA384; |
4028 | | digestSize = WC_SHA384_DIGEST_SIZE; |
4029 | | break; |
4030 | | #endif /* WOLFSSL_SHA384 */ |
4031 | | #ifdef WOLFSSL_TLS13_SHA512 |
4032 | | case sha512_mac: |
4033 | | digestType = WC_SHA512; |
4034 | | digestSize = WC_SHA512_DIGEST_SIZE; |
4035 | | break; |
4036 | | #endif /* WOLFSSL_TLS13_SHA512 */ |
4037 | | #ifdef WOLFSSL_SM3 |
4038 | | case sm3_mac: |
4039 | | digestType = WC_SM3; |
4040 | | digestSize = WC_SM3_DIGEST_SIZE; |
4041 | | break; |
4042 | | #endif /* WOLFSSL_SM3 */ |
4043 | | default: |
4044 | | ret = WOLFSSL_FATAL_ERROR; |
4045 | | break; |
4046 | | } |
4047 | | } |
4048 | | |
4049 | | /* extract clientRandomInner with a key of all zeros */ |
4050 | | if (ret == 0) { |
4051 | | PRIVATE_KEY_UNLOCK(); |
4052 | | #if !defined(HAVE_FIPS) || \ |
4053 | | (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0)) |
4054 | | ret = wc_HKDF_Extract_ex(digestType, zeros, (word32)digestSize, |
4055 | | ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk, |
4056 | | ssl->heap, ssl->devId); |
4057 | | #else |
4058 | | ret = wc_HKDF_Extract(digestType, zeros, digestSize, |
4059 | | ssl->arrays->clientRandomInner, RAN_LEN, expandLabelPrk); |
4060 | | #endif |
4061 | | PRIVATE_KEY_LOCK(); |
4062 | | } |
4063 | | |
4064 | | /* tls expand with the confirmation label */ |
4065 | | if (ret == 0) { |
4066 | | PRIVATE_KEY_UNLOCK(); |
4067 | | #ifdef WOLFSSL_DTLS13 |
4068 | | if (ssl->options.dtls) { |
4069 | | ret = Tls13HKDFExpandKeyLabel(ssl, acceptExpanded, |
4070 | | ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize, |
4071 | | dtls13ProtocolLabel, DTLS13_PROTOCOL_LABEL_SZ, label, labelSz, |
4072 | | transcriptEchConf, (word32)digestSize, digestType, |
4073 | | WOLFSSL_SERVER_END); |
4074 | | } |
4075 | | else |
4076 | | #endif |
4077 | | { |
4078 | | ret = Tls13HKDFExpandKeyLabel(ssl, acceptExpanded, |
4079 | | ECH_ACCEPT_CONFIRMATION_SZ, expandLabelPrk, (word32)digestSize, |
4080 | | tls13ProtocolLabel, TLS13_PROTOCOL_LABEL_SZ, label, labelSz, |
4081 | | transcriptEchConf, (word32)digestSize, digestType, |
4082 | | WOLFSSL_SERVER_END); |
4083 | | } |
4084 | | PRIVATE_KEY_LOCK(); |
4085 | | } |
4086 | | |
4087 | | if (acceptHash != NULL) { |
4088 | | ssl->hsHashes = acceptHash; |
4089 | | FreeHandshakeHashes(ssl); |
4090 | | } |
4091 | | |
4092 | | ssl->hsHashes = tmpHashes; |
4093 | | ForceZero(expandLabelPrk, sizeof(expandLabelPrk)); |
4094 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
4095 | | wc_MemZero_Check(expandLabelPrk, sizeof(expandLabelPrk)); |
4096 | | #endif |
4097 | | return ret; |
4098 | | } |
4099 | | #endif |
4100 | | |
4101 | | #ifndef NO_WOLFSSL_CLIENT |
4102 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
4103 | | #if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_PSK_ONE_ID) && \ |
4104 | | !defined(NO_PSK) |
4105 | | /** |
4106 | | * convert mac algorithm to WOLFSSL_EVP_MD |
4107 | | * @param mac_alg mac algorithm |
4108 | | * @return const WOLFSSL_EVP_MD on successful, otherwise NULL |
4109 | | */ |
4110 | | static const WOLFSSL_EVP_MD* ssl_handshake_md(const byte mac_alg) |
4111 | | { |
4112 | | switch(mac_alg) { |
4113 | | case no_mac: |
4114 | | return NULL; |
4115 | | #ifndef NO_MD5 |
4116 | | case md5_mac: |
4117 | | return wolfSSL_EVP_md5(); |
4118 | | #endif |
4119 | | #ifndef NO_SHA |
4120 | | case sha_mac: |
4121 | | return wolfSSL_EVP_sha1(); |
4122 | | #endif |
4123 | | #ifdef WOLFSSL_SHA224 |
4124 | | case sha224_mac: |
4125 | | return wolfSSL_EVP_sha224(); |
4126 | | #endif |
4127 | | case sha256_mac: |
4128 | | return wolfSSL_EVP_sha256(); |
4129 | | #ifdef WOLFSSL_SHA384 |
4130 | | case sha384_mac: |
4131 | | return wolfSSL_EVP_sha384(); |
4132 | | #endif |
4133 | | #ifdef WOLFSSL_SHA512 |
4134 | | case sha512_mac: |
4135 | | return wolfSSL_EVP_sha512(); |
4136 | | #endif |
4137 | | case rmd_mac: |
4138 | | case blake2b_mac: |
4139 | | WOLFSSL_MSG("no suitable EVP_MD"); |
4140 | | return NULL; |
4141 | | default: |
4142 | | WOLFSSL_MSG("Unknown mac algorithm"); |
4143 | | return NULL; |
4144 | | } |
4145 | | } |
4146 | | #endif |
4147 | | /* Setup pre-shared key based on the details in the extension data. |
4148 | | * |
4149 | | * ssl SSL/TLS object. |
4150 | | * psk Pre-shared key extension data. |
4151 | | * clientHello Whether called from client_hello construction. |
4152 | | * returns 0 on success, PSK_KEY_ERROR when the client PSK callback fails and |
4153 | | * other negative value on failure. |
4154 | | */ |
4155 | | static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk, int clientHello) |
4156 | | { |
4157 | | #if defined(HAVE_SESSION_TICKET) || !defined(WOLFSSL_PSK_ONE_ID) |
4158 | | int ret; |
4159 | | #endif |
4160 | | byte suite[2]; |
4161 | | |
4162 | | if (psk == NULL) |
4163 | | return BAD_FUNC_ARG; |
4164 | | |
4165 | | if (!HaveUniqueSessionObj(ssl)) { |
4166 | | WOLFSSL_MSG("Unable to have unique session object"); |
4167 | | WOLFSSL_ERROR_VERBOSE(MEMORY_ERROR); |
4168 | | return MEMORY_ERROR; |
4169 | | } |
4170 | | |
4171 | | suite[0] = ssl->options.cipherSuite0; |
4172 | | suite[1] = ssl->options.cipherSuite; |
4173 | | |
4174 | | #ifdef HAVE_SESSION_TICKET |
4175 | | if (psk->resumption) { |
4176 | | if (clientHello) { |
4177 | | suite[0] = psk->cipherSuite0; |
4178 | | suite[1] = psk->cipherSuite; |
4179 | | |
4180 | | /* Ensure cipher suite is supported or changed suite to one with |
4181 | | * the same MAC algorithm. */ |
4182 | | if (!FindSuiteSSL(ssl, suite)) { |
4183 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
4184 | | return PSK_KEY_ERROR; |
4185 | | } |
4186 | | |
4187 | | ssl->options.cipherSuite0 = suite[0]; |
4188 | | ssl->options.cipherSuite = suite[1]; |
4189 | | |
4190 | | /* Setting mac for binder and keys for deriving EarlyData. */ |
4191 | | ret = SetCipherSpecs(ssl); |
4192 | | if (ret != 0) |
4193 | | return ret; |
4194 | | } |
4195 | | |
4196 | | #ifdef WOLFSSL_EARLY_DATA |
4197 | | if (ssl->session->maxEarlyDataSz == 0) |
4198 | | ssl->earlyData = no_early_data; |
4199 | | #endif |
4200 | | /* Resumption PSK is master secret. */ |
4201 | | ssl->arrays->psk_keySz = ssl->specs.hash_size; |
4202 | | if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data, |
4203 | | ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) { |
4204 | | return ret; |
4205 | | } |
4206 | | if (!clientHello) { |
4207 | | /* CLIENT: using secret in ticket for peer authentication. */ |
4208 | | ssl->options.peerAuthGood = 1; |
4209 | | } |
4210 | | } |
4211 | | #endif |
4212 | | #ifndef NO_PSK |
4213 | | if (!psk->resumption) { |
4214 | | /* Get the pre-shared key. */ |
4215 | | #ifndef WOLFSSL_PSK_ONE_ID |
4216 | | const char* cipherName = NULL; |
4217 | | #ifdef OPENSSL_EXTRA |
4218 | | WOLFSSL_SESSION* psksession = NULL; |
4219 | | #endif |
4220 | | |
4221 | | /* Set the client identity to use. */ |
4222 | | if (psk->identityLen > MAX_PSK_ID_LEN) |
4223 | | return PSK_KEY_ERROR; |
4224 | | XMEMSET(ssl->arrays->client_identity, 0, |
4225 | | sizeof(ssl->arrays->client_identity)); |
4226 | | XMEMCPY(ssl->arrays->client_identity, psk->identity, psk->identityLen); |
4227 | | |
4228 | | #ifdef WOLFSSL_DEBUG_TLS |
4229 | | WOLFSSL_MSG("PSK cipher suite:"); |
4230 | | WOLFSSL_MSG(GetCipherNameInternal(psk->cipherSuite0, psk->cipherSuite)); |
4231 | | #endif |
4232 | | |
4233 | | /* Get the pre-shared key. */ |
4234 | | #ifdef OPENSSL_EXTRA |
4235 | | if (ssl->options.session_psk_cb != NULL) { |
4236 | | const unsigned char* id = NULL; |
4237 | | size_t idlen = 0; |
4238 | | const WOLFSSL_EVP_MD* handshake_md = NULL; |
4239 | | |
4240 | | if (ssl->msgsReceived.got_hello_retry_request >= 1) { |
4241 | | handshake_md = ssl_handshake_md(ssl->specs.mac_algorithm); |
4242 | | } |
4243 | | /* OpenSSL compatible callback that gets cached session. */ |
4244 | | if (ssl->options.session_psk_cb(ssl, handshake_md, &id, &idlen, |
4245 | | &psksession) == 0) { |
4246 | | wolfSSL_FreeSession(ssl->ctx, psksession); |
4247 | | WOLFSSL_MSG("psk session callback failed"); |
4248 | | return PSK_KEY_ERROR; |
4249 | | } |
4250 | | if (psksession != NULL) { |
4251 | | if (idlen > MAX_PSK_KEY_LEN) { |
4252 | | wolfSSL_FreeSession(ssl->ctx, psksession); |
4253 | | WOLFSSL_MSG("psk key length is too long"); |
4254 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
4255 | | return PSK_KEY_ERROR; |
4256 | | } |
4257 | | |
4258 | | ssl->arrays->psk_keySz = (word32)idlen; |
4259 | | XMEMCPY(ssl->arrays->psk_key, id, idlen); |
4260 | | suite[0] = psksession->cipherSuite0; |
4261 | | suite[1] = psksession->cipherSuite; |
4262 | | /* Not needed anymore. */ |
4263 | | wolfSSL_FreeSession(ssl->ctx, psksession); |
4264 | | /* Leave pointer not NULL to indicate success with callback. */ |
4265 | | } |
4266 | | } |
4267 | | if (psksession != NULL) { |
4268 | | /* Don't try other callbacks - we have an answer. */ |
4269 | | } |
4270 | | else |
4271 | | #endif /* OPENSSL_EXTRA */ |
4272 | | if (ssl->options.client_psk_cs_cb != NULL) { |
4273 | | #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS |
4274 | | ssl->arrays->client_identity[0] = 0; |
4275 | | #endif |
4276 | | /* Lookup key again for next identity. */ |
4277 | | ssl->arrays->psk_keySz = ssl->options.client_psk_cs_cb( |
4278 | | ssl, ssl->arrays->server_hint, |
4279 | | ssl->arrays->client_identity, MAX_PSK_ID_LEN, |
4280 | | ssl->arrays->psk_key, MAX_PSK_KEY_LEN, |
4281 | | GetCipherNameInternal(psk->cipherSuite0, psk->cipherSuite)); |
4282 | | if (clientHello) { |
4283 | | /* Use PSK cipher suite. */ |
4284 | | ssl->options.cipherSuite0 = psk->cipherSuite0; |
4285 | | ssl->options.cipherSuite = psk->cipherSuite; |
4286 | | } |
4287 | | else { |
4288 | | byte pskCS[2]; |
4289 | | pskCS[0] = psk->cipherSuite0; |
4290 | | pskCS[1] = psk->cipherSuite; |
4291 | | |
4292 | | /* Ensure PSK and negotiated cipher suites have same hash. */ |
4293 | | if (SuiteMac(pskCS) != SuiteMac(suite)) { |
4294 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
4295 | | return PSK_KEY_ERROR; |
4296 | | } |
4297 | | /* Negotiated cipher suite is to be used - update PSK. */ |
4298 | | psk->cipherSuite0 = suite[0]; |
4299 | | psk->cipherSuite = suite[1]; |
4300 | | } |
4301 | | } |
4302 | | else if (ssl->options.client_psk_tls13_cb != NULL) { |
4303 | | byte cipherSuite0; |
4304 | | byte cipherSuite; |
4305 | | int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE; |
4306 | | |
4307 | | ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb(ssl, |
4308 | | ssl->arrays->server_hint, ssl->arrays->client_identity, |
4309 | | MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN, |
4310 | | &cipherName); |
4311 | | if (GetCipherSuiteFromName(cipherName, &cipherSuite0, |
4312 | | &cipherSuite, NULL, NULL, &cipherSuiteFlags) != 0) { |
4313 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
4314 | | return PSK_KEY_ERROR; |
4315 | | } |
4316 | | ssl->options.cipherSuite0 = cipherSuite0; |
4317 | | ssl->options.cipherSuite = cipherSuite; |
4318 | | (void)cipherSuiteFlags; |
4319 | | } |
4320 | | else { |
4321 | | ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, |
4322 | | ssl->arrays->server_hint, ssl->arrays->client_identity, |
4323 | | MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); |
4324 | | ssl->options.cipherSuite0 = TLS13_BYTE; |
4325 | | ssl->options.cipherSuite = WOLFSSL_DEF_PSK_CIPHER; |
4326 | | } |
4327 | | if (ssl->arrays->psk_keySz == 0 || |
4328 | | (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && |
4329 | | (int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) { |
4330 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
4331 | | return PSK_KEY_ERROR; |
4332 | | } |
4333 | | |
4334 | | ret = SetCipherSpecs(ssl); |
4335 | | if (ret != 0) |
4336 | | return ret; |
4337 | | #else |
4338 | | /* PSK information loaded during setting of default TLS extensions. */ |
4339 | | #endif /* !WOLFSSL_PSK_ONE_ID */ |
4340 | | |
4341 | | if (!clientHello && (psk->cipherSuite0 != suite[0] || |
4342 | | psk->cipherSuite != suite[1])) { |
4343 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
4344 | | return PSK_KEY_ERROR; |
4345 | | } |
4346 | | |
4347 | | if (!clientHello) { |
4348 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
4349 | | if (ssl->options.certWithExternPsk) { |
4350 | | /* Certificate authentication is still required. */ |
4351 | | ssl->options.peerAuthGood = 0; |
4352 | | } |
4353 | | else |
4354 | | #endif |
4355 | | { |
4356 | | /* CLIENT: using PSK for peer authentication. */ |
4357 | | ssl->options.peerAuthGood = 1; |
4358 | | } |
4359 | | } |
4360 | | } |
4361 | | #endif |
4362 | | |
4363 | | #ifdef HAVE_SUPPORTED_CURVES |
4364 | | if (!clientHello) { |
4365 | | TLSX* ext; |
4366 | | word32 modes; |
4367 | | KeyShareEntry* kse = NULL; |
4368 | | |
4369 | | /* Get the PSK key exchange modes the client wants to negotiate. */ |
4370 | | ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES); |
4371 | | if (ext == NULL) { |
4372 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
4373 | | return PSK_KEY_ERROR; |
4374 | | } |
4375 | | modes = ext->val; |
4376 | | |
4377 | | ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
4378 | | if (ext != NULL) { |
4379 | | kse = (KeyShareEntry*)ext->data; |
4380 | | } |
4381 | | /* Use (EC)DHE for forward-security if possible. */ |
4382 | | if (((modes & (1 << PSK_DHE_KE)) != 0) && (!ssl->options.noPskDheKe) && |
4383 | | (kse != NULL) && kse->derived) { |
4384 | | if ((kse->session != 0) && (kse->session != kse->group)) { |
4385 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
4386 | | return PSK_KEY_ERROR; |
4387 | | } |
4388 | | } |
4389 | | else if (ssl->options.onlyPskDheKe || |
4390 | | (ssl->options.failNoPSK && !psk->resumption)) { |
4391 | | /* A mandatory external PSK (failNoPSK) must be combined with |
4392 | | * (EC)DHE for forward secrecy, so reject a pure psk_ke |
4393 | | * negotiation. Session-ticket resumption is exempt. */ |
4394 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
4395 | | return PSK_KEY_ERROR; |
4396 | | } |
4397 | | else if (ssl->options.noPskDheKe) { |
4398 | | ssl->arrays->preMasterSz = 0; |
4399 | | } |
4400 | | } |
4401 | | else |
4402 | | #endif |
4403 | | if (ssl->options.noPskDheKe) { |
4404 | | ssl->arrays->preMasterSz = 0; |
4405 | | } |
4406 | | |
4407 | | /* Derive the early secret using the PSK. */ |
4408 | | return DeriveEarlySecret(ssl); |
4409 | | } |
4410 | | |
4411 | | /* Derive and write the binders into the ClientHello in space left when |
4412 | | * writing the Pre-Shared Key extension. |
4413 | | * |
4414 | | * ssl The SSL/TLS object. |
4415 | | * output The buffer containing the ClientHello. |
4416 | | * idx The index at the end of the completed ClientHello. |
4417 | | * returns 0 on success and otherwise failure. |
4418 | | */ |
4419 | | static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx) |
4420 | | { |
4421 | | int ret; |
4422 | | TLSX* ext; |
4423 | | PreSharedKey* current; |
4424 | | byte binderKey[WC_MAX_DIGEST_SIZE]; |
4425 | | word16 len; |
4426 | | |
4427 | | WOLFSSL_ENTER("WritePSKBinders"); |
4428 | | |
4429 | | if (idx > WOLFSSL_MAX_16BIT) { |
4430 | | return INPUT_SIZE_E; |
4431 | | } |
4432 | | |
4433 | | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
4434 | | if (ext == NULL) |
4435 | | return SANITY_MSG_E; |
4436 | | |
4437 | | /* Get the size of the binders to determine where to write binders. */ |
4438 | | ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data, |
4439 | | client_hello, &len); |
4440 | | if (ret < 0) |
4441 | | return ret; |
4442 | | idx -= len; |
4443 | | |
4444 | | /* Hash truncated ClientHello - up to binders. */ |
4445 | | #ifdef WOLFSSL_DTLS13 |
4446 | | if (ssl->options.dtls) |
4447 | | ret = Dtls13HashHandshake(ssl, output + Dtls13GetRlHeaderLength(ssl, 0), |
4448 | | (word16)idx - Dtls13GetRlHeaderLength(ssl, 0)); |
4449 | | else |
4450 | | #endif /* WOLFSSL_DTLS13 */ |
4451 | | ret = HashOutput(ssl, output, (int)idx, 0); |
4452 | | |
4453 | | if (ret != 0) |
4454 | | return ret; |
4455 | | |
4456 | | current = (PreSharedKey*)ext->data; |
4457 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
4458 | | if (current != NULL) { |
4459 | | wc_MemZero_Add("WritePSKBinders binderKey", binderKey, |
4460 | | sizeof(binderKey)); |
4461 | | } |
4462 | | #endif |
4463 | | /* Calculate the binder for each identity based on previous handshake data. |
4464 | | */ |
4465 | | while (current != NULL) { |
4466 | | if ((ret = SetupPskKey(ssl, current, 1)) != 0) |
4467 | | break; |
4468 | | |
4469 | | #ifdef HAVE_SESSION_TICKET |
4470 | | if (current->resumption) |
4471 | | ret = DeriveBinderKeyResume(ssl, binderKey); |
4472 | | #endif |
4473 | | #ifndef NO_PSK |
4474 | | if (!current->resumption) |
4475 | | ret = DeriveBinderKey(ssl, binderKey); |
4476 | | #endif |
4477 | | if (ret != 0) |
4478 | | break; |
4479 | | |
4480 | | /* Derive the Finished message secret. */ |
4481 | | ret = DeriveFinishedSecret(ssl, binderKey, |
4482 | | ssl->keys.client_write_MAC_secret, |
4483 | | 0 /* neither end */); |
4484 | | if (ret != 0) |
4485 | | break; |
4486 | | |
4487 | | /* Build the HMAC of the handshake message data = binder. */ |
4488 | | ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, |
4489 | | current->binder, ¤t->binderLen); |
4490 | | if (ret != 0) |
4491 | | break; |
4492 | | |
4493 | | current = current->next; |
4494 | | } |
4495 | | |
4496 | | ForceZero(binderKey, sizeof(binderKey)); |
4497 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
4498 | | wc_MemZero_Check(binderKey, sizeof(binderKey)); |
4499 | | #endif |
4500 | | if (ret != 0) |
4501 | | return ret; |
4502 | | |
4503 | | /* Data entered into extension, now write to message. */ |
4504 | | ret = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx, |
4505 | | client_hello, &len); |
4506 | | if (ret < 0) |
4507 | | return ret; |
4508 | | |
4509 | | /* Hash binders to complete the hash of the ClientHello. */ |
4510 | | ret = HashRaw(ssl, output + idx, len); |
4511 | | if (ret < 0) |
4512 | | return ret; |
4513 | | |
4514 | | #ifdef WOLFSSL_EARLY_DATA |
4515 | | if (ssl->earlyData != no_early_data) { |
4516 | | if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data, 1)) != 0) |
4517 | | return ret; |
4518 | | |
4519 | | /* Derive early data encryption key. */ |
4520 | | ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1); |
4521 | | if (ret != 0) |
4522 | | return ret; |
4523 | | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
4524 | | return ret; |
4525 | | |
4526 | | } |
4527 | | #endif |
4528 | | |
4529 | | WOLFSSL_LEAVE("WritePSKBinders", ret); |
4530 | | |
4531 | | return ret; |
4532 | | } |
4533 | | #endif |
4534 | | |
4535 | | static void GetTls13SessionId(WOLFSSL* ssl, byte* output, word32* idx) |
4536 | 0 | { |
4537 | 0 | if (ssl->session->sessionIDSz > 0) { |
4538 | | /* Session resumption for old versions of protocol. */ |
4539 | 0 | if (ssl->session->sessionIDSz <= ID_LEN) { |
4540 | 0 | if (output != NULL) |
4541 | 0 | output[*idx] = ssl->session->sessionIDSz; |
4542 | 0 | (*idx)++; |
4543 | 0 | if (output != NULL) { |
4544 | 0 | XMEMCPY(output + *idx, ssl->session->sessionID, |
4545 | 0 | ssl->session->sessionIDSz); |
4546 | 0 | } |
4547 | 0 | *idx += ssl->session->sessionIDSz; |
4548 | 0 | } |
4549 | 0 | else { |
4550 | | /* Invalid session ID length. Reset it. */ |
4551 | 0 | ssl->session->sessionIDSz = 0; |
4552 | 0 | if (output != NULL) |
4553 | 0 | output[*idx] = 0; |
4554 | 0 | (*idx)++; |
4555 | 0 | } |
4556 | 0 | } |
4557 | 0 | else { |
4558 | | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
4559 | | if (ssl->options.tls13MiddleBoxCompat) { |
4560 | | if (output != NULL) |
4561 | | output[*idx] = ID_LEN; |
4562 | | (*idx)++; |
4563 | | if (output != NULL) |
4564 | | XMEMCPY(output + *idx, ssl->arrays->clientRandom, ID_LEN); |
4565 | | *idx += ID_LEN; |
4566 | | } |
4567 | | else |
4568 | | #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */ |
4569 | 0 | { |
4570 | | /* TLS v1.3 does not use session id - 0 length. */ |
4571 | 0 | if (output != NULL) |
4572 | 0 | output[*idx] = 0; |
4573 | 0 | (*idx)++; |
4574 | 0 | } |
4575 | 0 | } |
4576 | 0 | } |
4577 | | |
4578 | | /* handle generation of TLS 1.3 client_hello (1) */ |
4579 | | /* Send a ClientHello message to the server. |
4580 | | * Include the information required to start a handshake with servers using |
4581 | | * protocol versions less than TLS v1.3. |
4582 | | * Only a client will send this message. |
4583 | | * |
4584 | | * ssl The SSL/TLS object. |
4585 | | * returns 0 on success and otherwise failure. |
4586 | | */ |
4587 | | |
4588 | | typedef struct Sch13Args { |
4589 | | byte* output; |
4590 | | word32 idx; |
4591 | | int sendSz; |
4592 | | word32 length; |
4593 | | #if defined(HAVE_ECH) |
4594 | | int clientRandomOffset; |
4595 | | word32 preXLength; |
4596 | | word32 expandedInnerLen; |
4597 | | WOLFSSL_ECH* ech; |
4598 | | #endif |
4599 | | } Sch13Args; |
4600 | | |
4601 | | #ifdef WOLFSSL_EARLY_DATA |
4602 | | /* Check if early data can potentially be sent. |
4603 | | * Returns 1 if early data is possible, 0 otherwise. |
4604 | | */ |
4605 | | static int EarlyDataPossible(WOLFSSL* ssl) |
4606 | | { |
4607 | | /* Need session resumption OR PSK callback configured */ |
4608 | | if (ssl->options.resuming) { |
4609 | | return 1; |
4610 | | } |
4611 | | #ifndef NO_PSK |
4612 | | if (ssl->options.client_psk_tls13_cb != NULL || |
4613 | | ssl->options.client_psk_cb != NULL) { |
4614 | | return 1; |
4615 | | } |
4616 | | #endif |
4617 | | return 0; |
4618 | | } |
4619 | | #endif /* WOLFSSL_EARLY_DATA */ |
4620 | | |
4621 | | int SendTls13ClientHello(WOLFSSL* ssl) |
4622 | 0 | { |
4623 | 0 | int ret; |
4624 | | #ifdef WOLFSSL_ASYNC_CRYPT |
4625 | | Sch13Args* args = NULL; |
4626 | | WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args); |
4627 | | #else |
4628 | 0 | Sch13Args args[1]; |
4629 | 0 | #endif |
4630 | 0 | byte major, tls12minor; |
4631 | 0 | const Suites* suites; |
4632 | |
|
4633 | 0 | WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND); |
4634 | 0 | WOLFSSL_ENTER("SendTls13ClientHello"); |
4635 | |
|
4636 | 0 | if (ssl == NULL) { |
4637 | 0 | return BAD_FUNC_ARG; |
4638 | 0 | } |
4639 | | |
4640 | 0 | ssl->options.buildingMsg = 1; |
4641 | 0 | major = SSLv3_MAJOR; |
4642 | 0 | tls12minor = TLSv1_2_MINOR; |
4643 | |
|
4644 | | #ifdef WOLFSSL_DTLS13 |
4645 | | if (ssl->options.dtls) { |
4646 | | major = DTLS_MAJOR; |
4647 | | tls12minor = DTLSv1_2_MINOR; |
4648 | | } |
4649 | | #endif /* WOLFSSL_DTLS */ |
4650 | |
|
4651 | 0 | if (ssl->options.resuming && |
4652 | 0 | ssl->session->version.major != 0 && |
4653 | 0 | (ssl->session->version.major != ssl->version.major || |
4654 | 0 | ssl->session->version.minor != ssl->version.minor)) { |
4655 | 0 | #ifndef WOLFSSL_NO_TLS12 |
4656 | 0 | if (ssl->session->version.major == ssl->version.major && |
4657 | 0 | ssl->session->version.minor < ssl->version.minor) { |
4658 | | /* Cannot resume with a different protocol version. */ |
4659 | 0 | ssl->options.resuming = 0; |
4660 | 0 | ssl->version.major = ssl->session->version.major; |
4661 | 0 | ssl->version.minor = ssl->session->version.minor; |
4662 | 0 | return SendClientHello(ssl); |
4663 | 0 | } |
4664 | 0 | else |
4665 | 0 | #endif |
4666 | 0 | { |
4667 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
4668 | 0 | return VERSION_ERROR; |
4669 | 0 | } |
4670 | 0 | } |
4671 | | |
4672 | 0 | suites = WOLFSSL_SUITES(ssl); |
4673 | 0 | if (suites == NULL) { |
4674 | 0 | WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello"); |
4675 | 0 | return SUITES_ERROR; |
4676 | 0 | } |
4677 | | |
4678 | | #ifdef WOLFSSL_ASYNC_CRYPT |
4679 | | if (ssl->async == NULL) { |
4680 | | ssl->async = (struct WOLFSSL_ASYNC*) |
4681 | | XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap, |
4682 | | DYNAMIC_TYPE_ASYNC); |
4683 | | if (ssl->async == NULL) |
4684 | | return MEMORY_E; |
4685 | | ssl->async->freeArgs = NULL; |
4686 | | } |
4687 | | args = (Sch13Args*)ssl->async->args; |
4688 | | |
4689 | | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); |
4690 | | if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) { |
4691 | | /* Check for error */ |
4692 | | if (ret < 0) |
4693 | | return ret; |
4694 | | } |
4695 | | else |
4696 | | #endif |
4697 | 0 | { |
4698 | | /* Reset state */ |
4699 | 0 | ssl->options.asyncState = TLS_ASYNC_BEGIN; |
4700 | 0 | XMEMSET(args, 0, sizeof(Sch13Args)); |
4701 | 0 | } |
4702 | |
|
4703 | 0 | switch (ssl->options.asyncState) { |
4704 | 0 | case TLS_ASYNC_BEGIN: |
4705 | 0 | { |
4706 | 0 | word32 sessIdSz = 0; |
4707 | |
|
4708 | 0 | args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
4709 | |
|
4710 | | #ifdef WOLFSSL_DTLS13 |
4711 | | if (ssl->options.dtls) |
4712 | | args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; |
4713 | | #endif /* WOLFSSL_DTLS13 */ |
4714 | | |
4715 | | /* Version | Random | Cipher Suites | Compression */ |
4716 | 0 | args->length = VERSION_SZ + RAN_LEN + suites->suiteSz + |
4717 | 0 | SUITE_LEN + COMP_LEN + ENUM_LEN; |
4718 | | #ifdef WOLFSSL_QUIC |
4719 | | if (WOLFSSL_IS_QUIC(ssl)) { |
4720 | | /* RFC 9001 ch. 8.4 sessionID in ClientHello MUST be 0 length */ |
4721 | | ssl->session->sessionIDSz = 0; |
4722 | | ssl->options.tls13MiddleBoxCompat = 0; |
4723 | | } |
4724 | | #endif |
4725 | | #ifdef WOLFSSL_DTLS13 |
4726 | | if (ssl->options.dtls) { |
4727 | | /* RFC 9147 Section 5: DTLS implementations do not use the |
4728 | | * TLS 1.3 "compatibility mode" */ |
4729 | | ssl->options.tls13MiddleBoxCompat = 0; |
4730 | | } |
4731 | | #endif |
4732 | 0 | GetTls13SessionId(ssl, NULL, &sessIdSz); |
4733 | 0 | args->length += (word16)sessIdSz; |
4734 | |
|
4735 | | #ifdef WOLFSSL_DTLS13 |
4736 | | if (ssl->options.dtls) { |
4737 | | /* legacy_cookie_id len */ |
4738 | | args->length += ENUM_LEN; |
4739 | | |
4740 | | /* server sent us an HelloVerifyRequest and we allow downgrade */ |
4741 | | if (ssl->arrays->cookieSz > 0 && ssl->options.downgrade) |
4742 | | args->length += ssl->arrays->cookieSz; |
4743 | | } |
4744 | | #endif /* WOLFSSL_DTLS13 */ |
4745 | | |
4746 | | /* Advance state and proceed */ |
4747 | 0 | ssl->options.asyncState = TLS_ASYNC_BUILD; |
4748 | 0 | } /* case TLS_ASYNC_BEGIN */ |
4749 | 0 | FALL_THROUGH; |
4750 | |
|
4751 | 0 | case TLS_ASYNC_BUILD: |
4752 | 0 | case TLS_ASYNC_DO: |
4753 | 0 | { |
4754 | | /* Auto populate extensions supported unless user defined. */ |
4755 | 0 | if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0) |
4756 | 0 | return ret; |
4757 | | |
4758 | | /* Advance state and proceed */ |
4759 | 0 | ssl->options.asyncState = TLS_ASYNC_FINALIZE; |
4760 | 0 | } /* case TLS_ASYNC_BUILD */ |
4761 | 0 | FALL_THROUGH; |
4762 | |
|
4763 | 0 | case TLS_ASYNC_FINALIZE: |
4764 | 0 | { |
4765 | | #ifdef WOLFSSL_EARLY_DATA |
4766 | | if (!EarlyDataPossible(ssl)) |
4767 | | ssl->earlyData = no_early_data; |
4768 | | if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) |
4769 | | ssl->earlyData = no_early_data; |
4770 | | if (ssl->earlyData == no_early_data) |
4771 | | TLSX_Remove(&ssl->extensions, TLSX_EARLY_DATA, ssl->heap); |
4772 | | if (ssl->earlyData != no_early_data && |
4773 | | (ret = TLSX_EarlyData_Use(ssl, 0, 0)) < 0) { |
4774 | | return ret; |
4775 | | } |
4776 | | #endif |
4777 | | #ifdef WOLFSSL_QUIC |
4778 | | if (WOLFSSL_IS_QUIC(ssl) && IsAtLeastTLSv1_3(ssl->version)) { |
4779 | | ret = wolfSSL_quic_add_transport_extensions(ssl, client_hello); |
4780 | | if (ret != 0) |
4781 | | return ret; |
4782 | | } |
4783 | | #endif |
4784 | | |
4785 | | /* find length of outer and inner */ |
4786 | | #if defined(HAVE_ECH) |
4787 | | if (!ssl->options.disableECH) { |
4788 | | TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
4789 | | void* hostName = NULL; |
4790 | | word16 nameLen; |
4791 | | if (echX == NULL) |
4792 | | return WOLFSSL_FATAL_ERROR; |
4793 | | |
4794 | | args->ech = (WOLFSSL_ECH*)echX->data; |
4795 | | if (args->ech == NULL) |
4796 | | return WOLFSSL_FATAL_ERROR; |
4797 | | |
4798 | | /* if ECH was rejected by the HRR then the server MUST stop |
4799 | | * decrypting ECH, so send a GREASE ECH for the follow-up CH */ |
4800 | | if (ssl->echConfigs != NULL && !ssl->options.echAccepted && |
4801 | | ssl->options.serverState == |
4802 | | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
4803 | | args->ech->state = ECH_WRITE_GREASE; |
4804 | | } |
4805 | | |
4806 | | /* only prepare if we have a chance at acceptance (real ECH only) */ |
4807 | | if (ssl->echConfigs != NULL && |
4808 | | (ssl->options.echAccepted || args->ech->innerCount == 0)) { |
4809 | | word32 encodedLen; |
4810 | | byte downgrade; |
4811 | | |
4812 | | /* ensure that a version less than TLS1.3 is never offered */ |
4813 | | downgrade = ssl->options.downgrade; |
4814 | | ssl->options.downgrade = 0; |
4815 | | |
4816 | | /* set the type to inner */ |
4817 | | args->ech->type = ECH_TYPE_INNER; |
4818 | | args->preXLength = args->length; |
4819 | | |
4820 | | /* get expanded inner size (used for transcript) */ |
4821 | | ret = TLSX_GetRequestSize(ssl, client_hello, &args->length); |
4822 | | if (ret != 0) { |
4823 | | args->ech->type = ECH_TYPE_OUTER; |
4824 | | ssl->options.downgrade = downgrade; |
4825 | | return ret; |
4826 | | } |
4827 | | |
4828 | | /* args->expandedInnerLen carries the length for the hash */ |
4829 | | args->expandedInnerLen = args->length; |
4830 | | if (args->expandedInnerLen > 0xFFFF) { |
4831 | | args->ech->type = ECH_TYPE_OUTER; |
4832 | | ssl->options.downgrade = downgrade; |
4833 | | return BUFFER_E; |
4834 | | } |
4835 | | |
4836 | | /* get encoded inner size */ |
4837 | | args->ech->writeEncoded = 1; |
4838 | | encodedLen = args->preXLength; |
4839 | | ret = TLSX_GetRequestSize(ssl, client_hello, &encodedLen); |
4840 | | args->ech->writeEncoded = 0; |
4841 | | /* set the type to outer */ |
4842 | | args->ech->type = ECH_TYPE_OUTER; |
4843 | | ssl->options.downgrade = downgrade; |
4844 | | if (ret != 0) |
4845 | | return ret; |
4846 | | |
4847 | | /* calculate padding (RFC 9849, section 6.1.3) */ |
4848 | | nameLen = TLSX_SNI_GetRequest(ssl->extensions, |
4849 | | WOLFSSL_SNI_HOST_NAME, &hostName, 1); |
4850 | | if (nameLen == 0 && ssl->ctx != NULL) |
4851 | | nameLen = TLSX_SNI_GetRequest(ssl->ctx->extensions, |
4852 | | WOLFSSL_SNI_HOST_NAME, &hostName, 1); |
4853 | | |
4854 | | if (nameLen != 0) { |
4855 | | if (nameLen > args->ech->echConfig->maxNameLen) |
4856 | | args->ech->paddingLen = 0; |
4857 | | else |
4858 | | args->ech->paddingLen = |
4859 | | (word16)args->ech->echConfig->maxNameLen - nameLen; |
4860 | | } |
4861 | | else { |
4862 | | /* maxNameLen + length of the SNI extension */ |
4863 | | args->ech->paddingLen = args->ech->echConfig->maxNameLen + 9; |
4864 | | } |
4865 | | |
4866 | | /* innerClientHelloLen and padding are based on the |
4867 | | * encoded (sealed) inner */ |
4868 | | args->ech->paddingLen += |
4869 | | ECH_PADDING_TO_32(encodedLen + args->ech->paddingLen); |
4870 | | args->ech->innerClientHelloLen = encodedLen + |
4871 | | args->ech->paddingLen + args->ech->hpke->Nt; |
4872 | | |
4873 | | if (args->ech->innerClientHelloLen > 0xFFFF) |
4874 | | return BUFFER_E; |
4875 | | |
4876 | | /* restore the length to pre-ClientHelloInner computations */ |
4877 | | args->length = args->preXLength; |
4878 | | } |
4879 | | } |
4880 | | #endif |
4881 | |
|
4882 | 0 | { |
4883 | | #ifdef WOLFSSL_DTLS_CH_FRAG |
4884 | | word16 maxFrag = wolfssl_local_GetMaxPlaintextSize(ssl); |
4885 | | word16 lenWithoutExts = args->length; |
4886 | | #endif |
4887 | | |
4888 | | /* Include length of TLS extensions. */ |
4889 | 0 | ret = TLSX_GetRequestSize(ssl, client_hello, &args->length); |
4890 | 0 | if (ret != 0) |
4891 | 0 | return ret; |
4892 | | |
4893 | | /* Total message size. */ |
4894 | 0 | args->sendSz = |
4895 | 0 | (int)(args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ); |
4896 | |
|
4897 | | #ifdef WOLFSSL_DTLS13 |
4898 | | if (ssl->options.dtls) |
4899 | | args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; |
4900 | | #endif /* WOLFSSL_DTLS13 */ |
4901 | |
|
4902 | | #ifdef WOLFSSL_DTLS_CH_FRAG |
4903 | | /* Only empty the key share on the first CH; this avoids first CH |
4904 | | * fragmentation (wolfSSL refuses them) */ |
4905 | | if (ssl->options.dtls && args->sendSz > maxFrag && |
4906 | | ssl->options.serverState != |
4907 | | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
4908 | | /* Try again with an empty key share if we would be fragmenting */ |
4909 | | ret = TLSX_KeyShare_Empty(ssl); |
4910 | | if (ret != 0) |
4911 | | return ret; |
4912 | | args->length = lenWithoutExts; |
4913 | | ret = TLSX_GetRequestSize(ssl, client_hello, &args->length); |
4914 | | if (ret != 0) |
4915 | | return ret; |
4916 | | args->sendSz = (int)(args->length + |
4917 | | DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ); |
4918 | | if (args->sendSz > maxFrag) { |
4919 | | WOLFSSL_MSG("Can't fit first CH in one fragment."); |
4920 | | return BUFFER_ERROR; |
4921 | | } |
4922 | | WOLFSSL_MSG("Sending empty key share so we don't fragment CH1"); |
4923 | | } |
4924 | | #endif |
4925 | 0 | } |
4926 | | |
4927 | | /* Check buffers are big enough and grow if needed. */ |
4928 | 0 | if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) |
4929 | 0 | return ret; |
4930 | | |
4931 | | /* Get position in output buffer to write new message to. */ |
4932 | 0 | args->output = GetOutputBuffer(ssl); |
4933 | | |
4934 | | /* Put the record and handshake headers on. */ |
4935 | 0 | AddTls13Headers(args->output, args->length, client_hello, ssl); |
4936 | | |
4937 | | /* Protocol version - negotiation now in extension: supported_versions. */ |
4938 | 0 | args->output[args->idx++] = major; |
4939 | 0 | args->output[args->idx++] = tls12minor; |
4940 | | |
4941 | | /* Keep for downgrade. */ |
4942 | 0 | ssl->chVersion = ssl->version; |
4943 | |
|
4944 | 0 | if (ssl->arrays == NULL) { |
4945 | 0 | return BAD_FUNC_ARG; |
4946 | 0 | } |
4947 | | /* Client Random */ |
4948 | 0 | if (ssl->options.connectState == CONNECT_BEGIN) { |
4949 | 0 | ret = wc_RNG_GenerateBlock(ssl->rng, args->output + args->idx, RAN_LEN); |
4950 | 0 | if (ret != 0) |
4951 | 0 | return ret; |
4952 | | |
4953 | | /* Store random for possible second ClientHello. */ |
4954 | 0 | XMEMCPY(ssl->arrays->clientRandom, args->output + args->idx, RAN_LEN); |
4955 | 0 | } |
4956 | 0 | else |
4957 | 0 | XMEMCPY(args->output + args->idx, ssl->arrays->clientRandom, RAN_LEN); |
4958 | | |
4959 | | #if defined(HAVE_ECH) |
4960 | | args->clientRandomOffset = (int)args->idx; |
4961 | | #endif |
4962 | | |
4963 | 0 | args->idx += RAN_LEN; |
4964 | |
|
4965 | 0 | GetTls13SessionId(ssl, args->output, &args->idx); |
4966 | |
|
4967 | | #ifdef WOLFSSL_DTLS13 |
4968 | | if (ssl->options.dtls) { |
4969 | | args->output[args->idx++] = ssl->arrays->cookieSz; |
4970 | | |
4971 | | if (ssl->arrays->cookieSz > 0) { |
4972 | | /* We have a cookie saved, so the server sent us an |
4973 | | * HelloVerifyRequest, it means it is a v1.2 server */ |
4974 | | if (!ssl->options.downgrade) |
4975 | | return VERSION_ERROR; |
4976 | | XMEMCPY(args->output + args->idx, ssl->arrays->cookie, |
4977 | | ssl->arrays->cookieSz); |
4978 | | args->idx += ssl->arrays->cookieSz; |
4979 | | } |
4980 | | } |
4981 | | #endif /* WOLFSSL_DTLS13 */ |
4982 | | |
4983 | | /* Cipher suites */ |
4984 | 0 | c16toa(suites->suiteSz, args->output + args->idx); |
4985 | 0 | args->idx += OPAQUE16_LEN; |
4986 | 0 | XMEMCPY(args->output + args->idx, &suites->suites, |
4987 | 0 | suites->suiteSz); |
4988 | 0 | args->idx += suites->suiteSz; |
4989 | | #ifdef WOLFSSL_DEBUG_TLS |
4990 | | { |
4991 | | int ii; |
4992 | | WOLFSSL_MSG("Ciphers:"); |
4993 | | for (ii = 0 ; ii < suites->suiteSz; ii += 2) { |
4994 | | WOLFSSL_MSG(GetCipherNameInternal(suites->suites[ii+0], |
4995 | | suites->suites[ii+1])); |
4996 | | } |
4997 | | } |
4998 | | #endif |
4999 | | |
5000 | | /* Compression not supported in TLS v1.3. */ |
5001 | 0 | args->output[args->idx++] = COMP_LEN; |
5002 | 0 | args->output[args->idx++] = NO_COMPRESSION; |
5003 | |
|
5004 | | #if defined(HAVE_ECH) |
5005 | | /* Build the expanded inner ClientHello */ |
5006 | | if (ssl->echConfigs != NULL && !ssl->options.disableECH && |
5007 | | (ssl->options.echAccepted || args->ech->innerCount == 0)) { |
5008 | | byte downgrade; |
5009 | | |
5010 | | /* calculate maximum buffer size needed */ |
5011 | | word32 encodedBodyLen = args->ech->innerClientHelloLen - |
5012 | | args->ech->hpke->Nt; |
5013 | | word32 innerBufSize = args->expandedInnerLen; |
5014 | | if (encodedBodyLen > innerBufSize) |
5015 | | innerBufSize = encodedBodyLen; |
5016 | | |
5017 | | /* set the type to inner */ |
5018 | | args->ech->type = ECH_TYPE_INNER; |
5019 | | /* innerClientHello may already exist from hrr, free if it does */ |
5020 | | if (args->ech->innerClientHello != NULL) { |
5021 | | XFREE(args->ech->innerClientHello, ssl->heap, |
5022 | | DYNAMIC_TYPE_TMP_BUFFER); |
5023 | | } |
5024 | | /* allocate the inner */ |
5025 | | args->ech->innerClientHello = |
5026 | | (byte*)XMALLOC(innerBufSize, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
5027 | | if (args->ech->innerClientHello == NULL) { |
5028 | | args->ech->type = ECH_TYPE_OUTER; |
5029 | | return MEMORY_E; |
5030 | | } |
5031 | | /* copy everything before extensions into the innerClientHello |
5032 | | * ignore record and handshake headers */ |
5033 | | XMEMCPY(args->ech->innerClientHello, |
5034 | | args->output + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ, |
5035 | | args->preXLength); |
5036 | | /* copy the client random to inner - only for first CH, not after HRR */ |
5037 | | if (!ssl->options.echAccepted) { |
5038 | | XMEMCPY(ssl->arrays->clientRandomInner, ssl->arrays->clientRandom, |
5039 | | RAN_LEN); |
5040 | | } |
5041 | | else { |
5042 | | /* After HRR, use the same inner random as CH1 */ |
5043 | | XMEMCPY(args->ech->innerClientHello + VERSION_SZ, |
5044 | | ssl->arrays->clientRandomInner, RAN_LEN); |
5045 | | } |
5046 | | /* change the outer client random */ |
5047 | | ret = wc_RNG_GenerateBlock(ssl->rng, args->output + |
5048 | | args->clientRandomOffset, RAN_LEN); |
5049 | | if (ret != 0) { |
5050 | | args->ech->type = ECH_TYPE_OUTER; |
5051 | | return ret; |
5052 | | } |
5053 | | /* copy the new client random */ |
5054 | | XMEMCPY(ssl->arrays->clientRandom, args->output + |
5055 | | args->clientRandomOffset, RAN_LEN); |
5056 | | |
5057 | | /* ensure that a version less than TLS1.3 is never offered */ |
5058 | | downgrade = ssl->options.downgrade; |
5059 | | ssl->options.downgrade = 0; |
5060 | | |
5061 | | /* write the expanded extensions into the inner buffer */ |
5062 | | args->length = 0; |
5063 | | ret = TLSX_WriteRequest(ssl, |
5064 | | args->ech->innerClientHello + args->preXLength, client_hello, |
5065 | | &args->length); |
5066 | | if (ret != 0) { |
5067 | | args->ech->type = ECH_TYPE_OUTER; |
5068 | | ssl->options.downgrade = downgrade; |
5069 | | return ret; |
5070 | | } |
5071 | | |
5072 | | /* hash expanded form */ |
5073 | | args->ech->innerClientHelloLen = args->expandedInnerLen; |
5074 | | ret = EchHashHelloInner(ssl, args->ech); |
5075 | | args->ech->innerClientHelloLen = encodedBodyLen + args->ech->hpke->Nt; |
5076 | | if (ret != 0) { |
5077 | | args->ech->type = ECH_TYPE_OUTER; |
5078 | | ssl->options.downgrade = downgrade; |
5079 | | return ret; |
5080 | | } |
5081 | | |
5082 | | /* zero padding bytes sealed with the inner hello */ |
5083 | | XMEMSET(args->ech->innerClientHello + |
5084 | | args->ech->innerClientHelloLen - args->ech->hpke->Nt - |
5085 | | args->ech->paddingLen, 0, args->ech->paddingLen); |
5086 | | /* Rewrite inner buffer with the encoded form for sealing */ |
5087 | | args->ech->writeEncoded = 1; |
5088 | | args->length = 0; |
5089 | | ret = TLSX_WriteRequest(ssl, |
5090 | | args->ech->innerClientHello + args->preXLength, client_hello, |
5091 | | &args->length); |
5092 | | args->ech->writeEncoded = 0; |
5093 | | /* set the type to outer */ |
5094 | | args->ech->type = ECH_TYPE_OUTER; |
5095 | | ssl->options.downgrade = downgrade; |
5096 | | if (ret != 0) |
5097 | | return ret; |
5098 | | } |
5099 | | #endif |
5100 | | |
5101 | | /* Write out extensions for a request. */ |
5102 | 0 | args->length = 0; |
5103 | 0 | ret = TLSX_WriteRequest(ssl, args->output + args->idx, client_hello, |
5104 | 0 | &args->length); |
5105 | 0 | if (ret != 0) |
5106 | 0 | return ret; |
5107 | | |
5108 | 0 | args->idx += args->length; |
5109 | |
|
5110 | | #if defined(HAVE_ECH) |
5111 | | /* HPKE-seal inner hello and place into outer ECH extension's payload */ |
5112 | | if (ssl->echConfigs != NULL && !ssl->options.disableECH && |
5113 | | (ssl->options.echAccepted || args->ech->innerCount == 0)) { |
5114 | | #if defined(WOLFSSL_TEST_ECH) |
5115 | | if (ssl->echInnerHelloCb != NULL) { |
5116 | | ret = ssl->echInnerHelloCb(args->ech->innerClientHello, |
5117 | | args->ech->innerClientHelloLen - args->ech->hpke->Nt); |
5118 | | if (ret != 0) |
5119 | | return ret; |
5120 | | } |
5121 | | #endif |
5122 | | ret = TLSX_FinalizeEch(ssl, args->ech, |
5123 | | args->output + RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ, |
5124 | | (word32)(args->sendSz - (RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ))); |
5125 | | |
5126 | | if (ret != 0) |
5127 | | return ret; |
5128 | | } |
5129 | | /* Mark CH1 done for any ECH extension (real or GREASE) */ |
5130 | | if (args->ech != NULL) |
5131 | | args->ech->innerCount = 1; |
5132 | | #endif |
5133 | |
|
5134 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
5135 | | /* Resumption has a specific set of extensions and binder is calculated |
5136 | | * for each identity. |
5137 | | */ |
5138 | | if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY)) { |
5139 | | ret = WritePSKBinders(ssl, args->output, args->idx); |
5140 | | } |
5141 | | else |
5142 | | #endif |
5143 | 0 | { |
5144 | | #ifdef WOLFSSL_DTLS13 |
5145 | | if (ssl->options.dtls) |
5146 | | ret = Dtls13HashHandshake(ssl, |
5147 | | args->output + Dtls13GetRlHeaderLength(ssl, 0), |
5148 | | (word16)args->idx - Dtls13GetRlHeaderLength(ssl, 0)); |
5149 | | else |
5150 | | #endif /* WOLFSSL_DTLS13 */ |
5151 | 0 | { |
5152 | | /* compute the outer hash */ |
5153 | 0 | ret = HashOutput(ssl, args->output, (int)args->idx, 0); |
5154 | 0 | } |
5155 | 0 | } |
5156 | 0 | if (ret != 0) |
5157 | 0 | return ret; |
5158 | | |
5159 | 0 | ssl->options.clientState = CLIENT_HELLO_COMPLETE; |
5160 | |
|
5161 | | #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) |
5162 | | if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); |
5163 | | if (ssl->toInfoOn) { |
5164 | | ret = AddPacketInfo(ssl, "ClientHello", handshake, args->output, |
5165 | | args->sendSz, WRITE_PROTO, 0, ssl->heap); |
5166 | | if (ret != 0) |
5167 | | return ret; |
5168 | | } |
5169 | | #endif |
5170 | |
|
5171 | 0 | ssl->options.buildingMsg = 0; |
5172 | | #ifdef WOLFSSL_DTLS13 |
5173 | | if (ssl->options.dtls) { |
5174 | | ret = Dtls13HandshakeSend(ssl, args->output, (word16)args->sendSz, |
5175 | | (word16)args->idx, client_hello, 0); |
5176 | | break; |
5177 | | } |
5178 | | #endif /* WOLFSSL_DTLS13 */ |
5179 | |
|
5180 | 0 | ssl->buffers.outputBuffer.length += (word32)args->sendSz; |
5181 | | |
5182 | | /* Advance state and proceed */ |
5183 | 0 | ssl->options.asyncState = TLS_ASYNC_END; |
5184 | 0 | } |
5185 | | /* case TLS_ASYNC_BUILD */ |
5186 | 0 | FALL_THROUGH; |
5187 | |
|
5188 | 0 | case TLS_ASYNC_END: |
5189 | 0 | { |
5190 | | #ifdef WOLFSSL_EARLY_DATA_GROUP |
5191 | | /* QUIC needs to forward records at their encryption level |
5192 | | * and is therefore unable to group here */ |
5193 | | if (ssl->earlyData == no_early_data || WOLFSSL_IS_QUIC(ssl)) |
5194 | | #endif |
5195 | 0 | ret = SendBuffered(ssl); |
5196 | |
|
5197 | 0 | break; |
5198 | 0 | } |
5199 | 0 | default: |
5200 | 0 | ret = INPUT_CASE_ERROR; |
5201 | 0 | } /* switch (ssl->options.asyncState) */ |
5202 | | |
5203 | | #ifdef WOLFSSL_ASYNC_CRYPT |
5204 | | if (ret == 0) |
5205 | | FreeAsyncCtx(ssl, 0); |
5206 | | #endif |
5207 | | |
5208 | 0 | WOLFSSL_LEAVE("SendTls13ClientHello", ret); |
5209 | 0 | WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND); |
5210 | |
|
5211 | 0 | return ret; |
5212 | 0 | } |
5213 | | |
5214 | | #if defined(WOLFSSL_DTLS13) && !defined(NO_WOLFSSL_CLIENT) |
5215 | | static int Dtls13ClientDoDowngrade(WOLFSSL* ssl) |
5216 | | { |
5217 | | int ret; |
5218 | | if (ssl->dtls13ClientHello == NULL) |
5219 | | return BAD_STATE_E; |
5220 | | |
5221 | | /* v1.3 and v1.2 hash messages to compute the transcript hash. When we are |
5222 | | * using DTLSv1.3 we hash the first clientHello following v1.3 but the |
5223 | | * server can negotiate a lower version. So we need to re-hash the |
5224 | | * clientHello to adhere to DTLS <= v1.2 rules. */ |
5225 | | ret = InitHandshakeHashes(ssl); |
5226 | | if (ret != 0) |
5227 | | return ret; |
5228 | | ret = HashRaw(ssl, ssl->dtls13ClientHello, ssl->dtls13ClientHelloSz); |
5229 | | XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG); |
5230 | | ssl->dtls13ClientHello = NULL; |
5231 | | ssl->dtls13ClientHelloSz = 0; |
5232 | | ssl->keys.dtls_sequence_number_hi = |
5233 | | (word16)w64GetHigh32(ssl->dtls13EncryptEpoch->nextSeqNumber); |
5234 | | ssl->keys.dtls_sequence_number_lo = |
5235 | | w64GetLow32(ssl->dtls13EncryptEpoch->nextSeqNumber); |
5236 | | return ret; |
5237 | | } |
5238 | | #endif /* WOLFSSL_DTLS13 && !NO_WOLFSSL_CLIENT*/ |
5239 | | |
5240 | | #if defined(HAVE_ECH) |
5241 | | /* Calculate ECH acceptance and verify the server accepted ECH. |
5242 | | * |
5243 | | * ssl SSL/TLS object. |
5244 | | * label Ascii string describing ECH acceptance type. |
5245 | | * labelSz Length of label excluding NULL character. |
5246 | | * input The buffer to calculate confirmation off of. |
5247 | | * acceptOffset Where the 8 ECH confirmation bytes start. |
5248 | | * helloSz Size of hello message. |
5249 | | * returns 0 on success and otherwise failure. |
5250 | | */ |
5251 | | static int EchCheckAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz, |
5252 | | const byte* input, int acceptOffset, int helloSz, byte msgType) |
5253 | | { |
5254 | | int ret = 0; |
5255 | | int headerSz; |
5256 | | HS_Hashes* tmpHashes; |
5257 | | byte acceptConfirmation[ECH_ACCEPT_CONFIRMATION_SZ]; |
5258 | | |
5259 | | XMEMSET(acceptConfirmation, 0, sizeof(acceptConfirmation)); |
5260 | | |
5261 | | #ifdef WOLFSSL_DTLS13 |
5262 | | headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ : |
5263 | | HANDSHAKE_HEADER_SZ; |
5264 | | #else |
5265 | | headerSz = HANDSHAKE_HEADER_SZ; |
5266 | | #endif |
5267 | | |
5268 | | ret = EchCalcAcceptance(ssl, label, labelSz, input, acceptOffset, helloSz, |
5269 | | msgType == hello_retry_request, acceptConfirmation); |
5270 | | |
5271 | | if (ret == 0) { |
5272 | | tmpHashes = ssl->hsHashes; |
5273 | | ssl->hsHashes = ssl->hsHashesEch; |
5274 | | |
5275 | | /* last 8 bytes must match the expand output */ |
5276 | | ret = ConstantCompare(acceptConfirmation, input + acceptOffset, |
5277 | | ECH_ACCEPT_CONFIRMATION_SZ); |
5278 | | |
5279 | | if (ret == 0) { |
5280 | | WOLFSSL_MSG("ECH accepted"); |
5281 | | ssl->options.echAccepted = 1; |
5282 | | |
5283 | | /* after HRR, hsHashesEch must contain: |
5284 | | * message_hash(ClientHelloInner1) || HRR (actual, not zeros) */ |
5285 | | if (msgType == hello_retry_request) { |
5286 | | ret = HashRaw(ssl, input, helloSz + headerSz); |
5287 | | } |
5288 | | /* normal TLS code will calculate transcript of ServerHello */ |
5289 | | else { |
5290 | | ssl->hsHashes = tmpHashes; |
5291 | | FreeHandshakeHashes(ssl); |
5292 | | tmpHashes = ssl->hsHashesEch; |
5293 | | ssl->hsHashesEch = NULL; |
5294 | | } |
5295 | | } |
5296 | | else { |
5297 | | if (msgType != hello_retry_request && ssl->options.echAccepted) { |
5298 | | /* the SH has rejected ECH after the HRR has accepted it |
5299 | | * RFC 9849, section 6.1.5 */ |
5300 | | WOLFSSL_MSG("ECH rejected, but it was previously accepted..."); |
5301 | | ret = INVALID_PARAMETER; |
5302 | | } |
5303 | | else { |
5304 | | WOLFSSL_MSG("ECH rejected"); |
5305 | | ret = 0; |
5306 | | } |
5307 | | ssl->options.echAccepted = 0; |
5308 | | |
5309 | | /* ECH rejected, continue with outer transcript */ |
5310 | | FreeHandshakeHashes(ssl); |
5311 | | ssl->hsHashesEch = NULL; |
5312 | | } |
5313 | | |
5314 | | ssl->hsHashes = tmpHashes; |
5315 | | } |
5316 | | |
5317 | | /* Skip only when the HRR signals ECH acceptance |
5318 | | * -> CH2 still needs ech->extensions for inner/outer extension swap |
5319 | | * during write */ |
5320 | | if (ret == 0 && |
5321 | | (msgType != hello_retry_request || !ssl->options.echAccepted)) |
5322 | | ret = TLSX_EchReplaceExtensions(ssl, ssl->options.echAccepted); |
5323 | | |
5324 | | return ret; |
5325 | | } |
5326 | | #endif /* HAVE_ECH */ |
5327 | | |
5328 | | /* handle processing of TLS 1.3 server_hello (2) and hello_retry_request (6) */ |
5329 | | /* Handle the ServerHello message from the server. |
5330 | | * Only a client will receive this message. |
5331 | | * |
5332 | | * ssl The SSL/TLS object. |
5333 | | * input The message buffer. |
5334 | | * inOutIdx On entry, the index into the message buffer of ServerHello. |
5335 | | * On exit, the index of byte after the ServerHello message. |
5336 | | * helloSz The length of the current handshake message. |
5337 | | * returns 0 on success and otherwise failure. |
5338 | | */ |
5339 | | |
5340 | | typedef struct Dsh13Args { |
5341 | | ProtocolVersion pv; |
5342 | | word32 idx; |
5343 | | word32 begin; |
5344 | | const byte* sessId; |
5345 | | word16 totalExtSz; |
5346 | | byte sessIdSz; |
5347 | | byte extMsgType; |
5348 | | #if defined(HAVE_ECH) |
5349 | | TLSX* echX; |
5350 | | byte* acceptLabel; |
5351 | | word32 acceptOffset; |
5352 | | word16 acceptLabelSz; |
5353 | | #endif |
5354 | | } Dsh13Args; |
5355 | | |
5356 | | int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
5357 | | word32 helloSz, byte* extMsgType) |
5358 | 0 | { |
5359 | 0 | int ret; |
5360 | 0 | byte suite[2]; |
5361 | 0 | byte tls12minor; |
5362 | | #ifdef WOLFSSL_ASYNC_CRYPT |
5363 | | Dsh13Args* args = NULL; |
5364 | | #else |
5365 | 0 | Dsh13Args args[1]; |
5366 | 0 | #endif |
5367 | | #ifdef WOLFSSL_ASYNC_CRYPT |
5368 | | WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args); |
5369 | | #endif |
5370 | |
|
5371 | 0 | WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO); |
5372 | 0 | WOLFSSL_ENTER("DoTls13ServerHello"); |
5373 | |
|
5374 | 0 | if (ssl == NULL || ssl->arrays == NULL) |
5375 | 0 | return BAD_FUNC_ARG; |
5376 | | |
5377 | 0 | tls12minor = TLSv1_2_MINOR; |
5378 | |
|
5379 | | #ifdef WOLFSSL_DTLS13 |
5380 | | if (ssl->options.dtls) |
5381 | | tls12minor = DTLSv1_2_MINOR; |
5382 | | #endif /* WOLFSSL_DTLS13 */ |
5383 | |
|
5384 | | #ifdef WOLFSSL_ASYNC_CRYPT |
5385 | | if (ssl->async == NULL) { |
5386 | | ssl->async = (struct WOLFSSL_ASYNC*) |
5387 | | XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap, |
5388 | | DYNAMIC_TYPE_ASYNC); |
5389 | | if (ssl->async == NULL) |
5390 | | return MEMORY_E; |
5391 | | ssl->async->freeArgs = NULL; |
5392 | | } |
5393 | | args = (Dsh13Args*)ssl->async->args; |
5394 | | |
5395 | | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); |
5396 | | if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) { |
5397 | | /* Check for error */ |
5398 | | if (ret < 0) { |
5399 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
5400 | | /* Mark message as not received so it can process again */ |
5401 | | ssl->msgsReceived.got_server_hello = 0; |
5402 | | } |
5403 | | return ret; |
5404 | | } |
5405 | | } |
5406 | | else |
5407 | | #endif |
5408 | 0 | { |
5409 | | /* Reset state */ |
5410 | 0 | ssl->options.asyncState = TLS_ASYNC_BEGIN; |
5411 | 0 | XMEMSET(args, 0, sizeof(Dsh13Args)); |
5412 | 0 | } |
5413 | |
|
5414 | 0 | switch (ssl->options.asyncState) { |
5415 | 0 | case TLS_ASYNC_BEGIN: |
5416 | 0 | { |
5417 | 0 | byte b; |
5418 | | #ifdef WOLFSSL_CALLBACKS |
5419 | | if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello"); |
5420 | | if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo); |
5421 | | #endif |
5422 | | |
5423 | | /* Protocol version length check. */ |
5424 | 0 | if (helloSz < OPAQUE16_LEN) |
5425 | 0 | return BUFFER_ERROR; |
5426 | | |
5427 | 0 | args->idx = *inOutIdx; |
5428 | 0 | args->begin = args->idx; |
5429 | | |
5430 | | /* Protocol version */ |
5431 | 0 | XMEMCPY(&args->pv, input + args->idx, OPAQUE16_LEN); |
5432 | 0 | args->idx += OPAQUE16_LEN; |
5433 | |
|
5434 | | #ifdef WOLFSSL_DTLS |
5435 | | if (ssl->options.dtls && |
5436 | | (args->pv.major != DTLS_MAJOR || args->pv.minor == DTLS_BOGUS_MINOR)) |
5437 | | return VERSION_ERROR; |
5438 | | #endif /* WOLFSSL_DTLS */ |
5439 | |
|
5440 | 0 | #ifndef WOLFSSL_NO_TLS12 |
5441 | 0 | { |
5442 | 0 | byte wantDowngrade; |
5443 | |
|
5444 | 0 | wantDowngrade = args->pv.major == ssl->version.major && |
5445 | 0 | args->pv.minor < TLSv1_2_MINOR; |
5446 | |
|
5447 | | #ifdef WOLFSSL_DTLS13 |
5448 | | if (ssl->options.dtls) |
5449 | | wantDowngrade = args->pv.major == ssl->version.major && |
5450 | | args->pv.minor > DTLSv1_2_MINOR; |
5451 | | #endif /* WOLFSSL_DTLS13 */ |
5452 | |
|
5453 | 0 | if (wantDowngrade && ssl->options.downgrade) { |
5454 | | /* Force client hello version 1.2 to work for static RSA. */ |
5455 | 0 | ssl->chVersion.minor = TLSv1_2_MINOR; |
5456 | 0 | ssl->version.minor = TLSv1_2_MINOR; |
5457 | 0 | ssl->options.tls1_3 = 0; |
5458 | |
|
5459 | | #ifdef WOLFSSL_DTLS13 |
5460 | | if (ssl->options.dtls) { |
5461 | | ssl->chVersion.minor = DTLSv1_2_MINOR; |
5462 | | ssl->version.minor = DTLSv1_2_MINOR; |
5463 | | ret = Dtls13ClientDoDowngrade(ssl); |
5464 | | if (ret != 0) |
5465 | | return ret; |
5466 | | } |
5467 | | #endif /* WOLFSSL_DTLS13 */ |
5468 | |
|
5469 | 0 | return DoServerHello(ssl, input, inOutIdx, helloSz); |
5470 | 0 | } |
5471 | 0 | } |
5472 | 0 | #endif |
5473 | | |
5474 | 0 | if (args->pv.major != ssl->version.major || |
5475 | 0 | args->pv.minor != tls12minor) { |
5476 | 0 | SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); |
5477 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
5478 | 0 | return VERSION_ERROR; |
5479 | 0 | } |
5480 | | |
5481 | | /* Random and session id length check */ |
5482 | 0 | if ((args->idx - args->begin) + RAN_LEN + ENUM_LEN > helloSz) |
5483 | 0 | return BUFFER_ERROR; |
5484 | | |
5485 | | /* Check if hello retry request */ |
5486 | 0 | if (XMEMCMP(input + args->idx, helloRetryRequestRandom, RAN_LEN) == 0) { |
5487 | 0 | WOLFSSL_MSG("HelloRetryRequest format"); |
5488 | 0 | *extMsgType = hello_retry_request; |
5489 | |
|
5490 | 0 | if (ssl->msgsReceived.got_hello_verify_request) { |
5491 | 0 | WOLFSSL_MSG("Received HelloRetryRequest after a " |
5492 | 0 | "HelloVerifyRequest"); |
5493 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
5494 | 0 | return VERSION_ERROR; |
5495 | 0 | } |
5496 | | |
5497 | | /* A HelloRetryRequest comes in as an ServerHello for MiddleBox compat. |
5498 | | * Found message to be a HelloRetryRequest. |
5499 | | * Don't allow more than one HelloRetryRequest or ServerHello. |
5500 | | */ |
5501 | 0 | if (ssl->msgsReceived.got_hello_retry_request) { |
5502 | 0 | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
5503 | 0 | return DUPLICATE_MSG_E; |
5504 | 0 | } |
5505 | 0 | } |
5506 | 0 | args->extMsgType = *extMsgType; |
5507 | | |
5508 | | /* Server random - keep for debugging. */ |
5509 | 0 | XMEMCPY(ssl->arrays->serverRandom, input + args->idx, RAN_LEN); |
5510 | | #if defined(HAVE_ECH) |
5511 | | /* last 8 bytes of server random */ |
5512 | | args->acceptOffset = args->idx + RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ; |
5513 | | #endif |
5514 | 0 | args->idx += RAN_LEN; |
5515 | | |
5516 | | /* Session id */ |
5517 | 0 | args->sessIdSz = input[args->idx++]; |
5518 | 0 | if (args->sessIdSz > ID_LEN || args->sessIdSz > RAN_LEN || |
5519 | 0 | ((args->idx - args->begin) + args->sessIdSz > helloSz)) |
5520 | 0 | return BUFFER_ERROR; |
5521 | 0 | args->sessId = input + args->idx; |
5522 | 0 | args->idx += args->sessIdSz; |
5523 | |
|
5524 | 0 | ssl->options.haveSessionId = 1; |
5525 | | |
5526 | | /* Ciphersuite and compression check */ |
5527 | 0 | if ((args->idx - args->begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz) |
5528 | 0 | return BUFFER_ERROR; |
5529 | | |
5530 | | /* Set the cipher suite from the message. */ |
5531 | 0 | ssl->options.cipherSuite0 = input[args->idx++]; |
5532 | 0 | ssl->options.cipherSuite = input[args->idx++]; |
5533 | 0 | if (*extMsgType == hello_retry_request) { |
5534 | 0 | ssl->options.hrrCipherSuite0 = ssl->options.cipherSuite0; |
5535 | 0 | ssl->options.hrrCipherSuite = ssl->options.cipherSuite; |
5536 | 0 | } |
5537 | 0 | else if (ssl->msgsReceived.got_hello_retry_request && |
5538 | 0 | (ssl->options.hrrCipherSuite0 != ssl->options.cipherSuite0 || |
5539 | 0 | ssl->options.hrrCipherSuite != ssl->options.cipherSuite)) { |
5540 | 0 | WOLFSSL_MSG("Received ServerHello with different cipher suite than " |
5541 | 0 | "HelloRetryRequest"); |
5542 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5543 | 0 | return INVALID_PARAMETER; |
5544 | 0 | } |
5545 | | #ifdef WOLFSSL_DEBUG_TLS |
5546 | | WOLFSSL_MSG("Chosen cipher suite:"); |
5547 | | WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0, |
5548 | | ssl->options.cipherSuite)); |
5549 | | #endif |
5550 | | |
5551 | | /* Compression */ |
5552 | 0 | b = input[args->idx++]; |
5553 | 0 | if (b != 0) { |
5554 | 0 | WOLFSSL_MSG("Must be no compression types in list"); |
5555 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5556 | 0 | return INVALID_PARAMETER; |
5557 | 0 | } |
5558 | | |
5559 | 0 | if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz) { |
5560 | 0 | if (!ssl->options.downgrade) { |
5561 | | /* Fewer than OPAQUE16_LEN bytes remain after the compression |
5562 | | * method, so there is no complete extensions length field. */ |
5563 | 0 | if ((args->idx - args->begin) < helloSz) { |
5564 | | /* A partial extensions length field is genuinely malformed: |
5565 | | * report it as a decode error. */ |
5566 | 0 | WOLFSSL_MSG("Truncated extensions length in ServerHello"); |
5567 | 0 | return BUFFER_ERROR; |
5568 | 0 | } |
5569 | | /* No extensions field at all, so the server is not offering TLS 1.3 |
5570 | | * (no supported_versions extension - see RFC 8446 4.2.1) but TLS 1.2 |
5571 | | * or below. This is a well-formed message, so a TLS 1.3-only client |
5572 | | * (downgrade disabled) must reject it as a version mismatch, not as |
5573 | | * a malformed message. Returning VERSION_ERROR makes the caller send |
5574 | | * a protocol_version alert (RFC 8446 6.2) rather than decode_error. */ |
5575 | 0 | WOLFSSL_MSG("Server offered TLS 1.2 (no supported_versions ext) " |
5576 | 0 | "but downgrade not allowed"); |
5577 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
5578 | 0 | return VERSION_ERROR; |
5579 | 0 | } |
5580 | | |
5581 | 0 | if (args->extMsgType == hello_retry_request) { |
5582 | | /* The sentinel Random (RFC 8446 4.1.3) identifies this as a TLS 1.3 |
5583 | | * HelloRetryRequest, which MUST carry supported_versions |
5584 | | * (4.1.4/4.2.1). Reaching this downgrade branch means it does not, |
5585 | | * so the HRR is malformed. Reject it before DoServerHello would |
5586 | | * reinterpret the sentinel as a plain TLS 1.2 ServerHello.Random. |
5587 | | * The sentinel has already identified this as an HRR, so report it |
5588 | | * uniformly as an invalid HRR; INVALID_PARAMETER maps to the |
5589 | | * illegal_parameter alert. */ |
5590 | 0 | WOLFSSL_MSG("HelloRetryRequest with no supported_versions"); |
5591 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5592 | 0 | return INVALID_PARAMETER; |
5593 | 0 | } |
5594 | 0 | #ifndef WOLFSSL_NO_TLS12 |
5595 | | /* Force client hello version 1.2 to work for static RSA. */ |
5596 | 0 | ssl->chVersion.minor = TLSv1_2_MINOR; |
5597 | 0 | ssl->version.minor = TLSv1_2_MINOR; |
5598 | |
|
5599 | | #ifdef WOLFSSL_DTLS13 |
5600 | | if (ssl->options.dtls) { |
5601 | | ssl->chVersion.minor = DTLSv1_2_MINOR; |
5602 | | ssl->version.minor = DTLSv1_2_MINOR; |
5603 | | ssl->options.tls1_3 = 0; |
5604 | | ret = Dtls13ClientDoDowngrade(ssl); |
5605 | | if (ret != 0) |
5606 | | return ret; |
5607 | | } |
5608 | | #endif /* WOLFSSL_DTLS13 */ |
5609 | |
|
5610 | 0 | #endif |
5611 | 0 | ssl->options.haveEMS = 0; |
5612 | 0 | if (args->pv.minor < ssl->options.minDowngrade) { |
5613 | 0 | SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); |
5614 | 0 | return VERSION_ERROR; |
5615 | 0 | } |
5616 | 0 | #ifndef WOLFSSL_NO_TLS12 |
5617 | 0 | ssl->options.tls1_3 = 0; |
5618 | 0 | return DoServerHello(ssl, input, inOutIdx, helloSz); |
5619 | | #else |
5620 | | SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); |
5621 | | return VERSION_ERROR; |
5622 | | #endif |
5623 | 0 | } |
5624 | | |
5625 | 0 | if ((args->idx - args->begin) < helloSz) { |
5626 | 0 | int foundVersion; |
5627 | | |
5628 | | /* Get extension length and length check. */ |
5629 | 0 | if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz) |
5630 | 0 | return BUFFER_ERROR; |
5631 | 0 | ato16(&input[args->idx], &args->totalExtSz); |
5632 | 0 | args->idx += OPAQUE16_LEN; |
5633 | 0 | if ((args->idx - args->begin) + args->totalExtSz > helloSz) |
5634 | 0 | return BUFFER_ERROR; |
5635 | | |
5636 | | /* Need to negotiate version first. */ |
5637 | 0 | if ((ret = TLSX_ParseVersion(ssl, input + args->idx, |
5638 | 0 | args->totalExtSz, *extMsgType, &foundVersion))) { |
5639 | 0 | return ret; |
5640 | 0 | } |
5641 | 0 | if (!foundVersion) { |
5642 | 0 | if (!ssl->options.downgrade) { |
5643 | 0 | WOLFSSL_MSG("Server trying to downgrade to version less than " |
5644 | 0 | "TLS v1.3"); |
5645 | 0 | SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); |
5646 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
5647 | 0 | return VERSION_ERROR; |
5648 | 0 | } |
5649 | | |
5650 | 0 | if (args->extMsgType == hello_retry_request) { |
5651 | | /* The HelloRetryRequest sentinel Random is reserved for TLS 1.3 |
5652 | | * (RFC 8446 4.1.3), but supported_versions (which an HRR MUST |
5653 | | * carry, 4.1.4/4.2.1) is absent, so the message is malformed. |
5654 | | * Reject before the downgrade reparses the remaining extensions |
5655 | | * as a TLS 1.2 server_hello, where a recognized-but-not- |
5656 | | * permitted extension (e.g. server_name) would wrongly yield an |
5657 | | * unsupported_extension alert. illegal_parameter (via |
5658 | | * EXT_NOT_ALLOWED) is chosen over missing_extension per the |
5659 | | * RFC 8446 4.2 rule for such extensions. */ |
5660 | 0 | WOLFSSL_MSG("HelloRetryRequest without supported_versions"); |
5661 | 0 | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
5662 | 0 | return EXT_NOT_ALLOWED; |
5663 | 0 | } |
5664 | | #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ |
5665 | | defined(WOLFSSL_WPAS_SMALL) |
5666 | | /* Check if client has disabled TLS 1.2 */ |
5667 | | if (args->pv.minor == TLSv1_2_MINOR && |
5668 | | (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) |
5669 | | == WOLFSSL_OP_NO_TLSv1_2) |
5670 | | { |
5671 | | WOLFSSL_MSG("\tOption set to not allow TLSv1.2"); |
5672 | | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
5673 | | return VERSION_ERROR; |
5674 | | } |
5675 | | #endif |
5676 | | |
5677 | 0 | if (!ssl->options.dtls && |
5678 | 0 | args->pv.minor < ssl->options.minDowngrade) { |
5679 | 0 | SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); |
5680 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
5681 | 0 | return VERSION_ERROR; |
5682 | 0 | } |
5683 | | |
5684 | 0 | if (ssl->options.dtls && |
5685 | 0 | args->pv.minor > ssl->options.minDowngrade) { |
5686 | 0 | SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); |
5687 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
5688 | 0 | return VERSION_ERROR; |
5689 | 0 | } |
5690 | | |
5691 | 0 | ssl->version.minor = args->pv.minor; |
5692 | 0 | ssl->options.tls1_3 = 0; |
5693 | |
|
5694 | | #ifdef WOLFSSL_DTLS13 |
5695 | | if (ssl->options.dtls) { |
5696 | | ret = Dtls13ClientDoDowngrade(ssl); |
5697 | | if (ret != 0) |
5698 | | return ret; |
5699 | | } |
5700 | | #endif /* WOLFSSL_DTLS13 */ |
5701 | 0 | } |
5702 | 0 | } |
5703 | | |
5704 | | #ifdef WOLFSSL_DTLS13 |
5705 | | /* we are sure that version is >= v1.3 now, we can get rid of buffered |
5706 | | * ClientHello that was buffered to re-compute the hash in case of |
5707 | | * downgrade */ |
5708 | | if (ssl->options.dtls && ssl->dtls13ClientHello != NULL) { |
5709 | | XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG); |
5710 | | ssl->dtls13ClientHello = NULL; |
5711 | | ssl->dtls13ClientHelloSz = 0; |
5712 | | } |
5713 | | #endif /* WOLFSSL_DTLS13 */ |
5714 | | |
5715 | | /* Advance state and proceed */ |
5716 | 0 | ssl->options.asyncState = TLS_ASYNC_BUILD; |
5717 | 0 | } /* case TLS_ASYNC_BEGIN */ |
5718 | 0 | FALL_THROUGH; |
5719 | |
|
5720 | 0 | case TLS_ASYNC_BUILD: |
5721 | 0 | case TLS_ASYNC_DO: |
5722 | 0 | { |
5723 | | /* restore message type */ |
5724 | 0 | *extMsgType = args->extMsgType; |
5725 | | |
5726 | | /* Parse and handle extensions, unless lower than TLS1.3. In that case, |
5727 | | * extensions will be parsed in DoServerHello. */ |
5728 | 0 | if (args->totalExtSz > 0 && IsAtLeastTLSv1_3(ssl->version)) { |
5729 | 0 | ret = TLSX_Parse(ssl, input + args->idx, args->totalExtSz, |
5730 | 0 | *extMsgType, NULL); |
5731 | 0 | if (ret != 0) { |
5732 | | #ifdef WOLFSSL_ASYNC_CRYPT |
5733 | | /* Handle async operation */ |
5734 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
5735 | | /* Mark message as not received so it can process again */ |
5736 | | ssl->msgsReceived.got_server_hello = 0; |
5737 | | } |
5738 | | #endif |
5739 | 0 | return ret; |
5740 | 0 | } |
5741 | | |
5742 | 0 | if (*extMsgType == hello_retry_request) { |
5743 | | /* Update counts to reflect change of message type. */ |
5744 | 0 | ssl->msgsReceived.got_hello_retry_request = 1; |
5745 | 0 | ssl->msgsReceived.got_server_hello = 0; |
5746 | 0 | } |
5747 | 0 | } |
5748 | | |
5749 | 0 | if (args->totalExtSz > 0) { |
5750 | 0 | args->idx += args->totalExtSz; |
5751 | 0 | } |
5752 | |
|
5753 | | #ifdef WOLFSSL_DTLS_CID |
5754 | | if (ssl->options.useDtlsCID && *extMsgType == server_hello) |
5755 | | DtlsCIDOnExtensionsParsed(ssl); |
5756 | | #endif /* WOLFSSL_DTLS_CID */ |
5757 | |
|
5758 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) { |
5759 | 0 | *inOutIdx = args->idx; |
5760 | 0 | } |
5761 | |
|
5762 | 0 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
5763 | |
|
5764 | | #ifdef HAVE_SECRET_CALLBACK |
5765 | | if (ssl->sessionSecretCb != NULL |
5766 | | #ifdef HAVE_SESSION_TICKET |
5767 | | && ssl->session->ticketLen > 0 |
5768 | | #endif |
5769 | | ) { |
5770 | | int secretSz = SECRET_LEN; |
5771 | | ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret, |
5772 | | &secretSz, ssl->sessionSecretCtx); |
5773 | | if (ret != 0 || secretSz != SECRET_LEN) { |
5774 | | WOLFSSL_ERROR_VERBOSE(SESSION_SECRET_CB_E); |
5775 | | return SESSION_SECRET_CB_E; |
5776 | | } |
5777 | | } |
5778 | | #endif /* HAVE_SECRET_CALLBACK */ |
5779 | | |
5780 | | /* Version only negotiated in extensions for TLS v1.3. |
5781 | | * Only now do we know how to deal with session id. |
5782 | | */ |
5783 | 0 | if (!IsAtLeastTLSv1_3(ssl->version)) { |
5784 | 0 | #ifndef WOLFSSL_NO_TLS12 |
5785 | 0 | ssl->arrays->sessionIDSz = args->sessIdSz; |
5786 | |
|
5787 | 0 | if (ssl->arrays->sessionIDSz > ID_LEN) { |
5788 | 0 | WOLFSSL_MSG("Invalid session ID size"); |
5789 | 0 | ssl->arrays->sessionIDSz = 0; |
5790 | 0 | return BUFFER_ERROR; |
5791 | 0 | } |
5792 | 0 | else if (ssl->arrays->sessionIDSz) { |
5793 | 0 | XMEMCPY(ssl->arrays->sessionID, args->sessId, |
5794 | 0 | ssl->arrays->sessionIDSz); |
5795 | 0 | ssl->options.haveSessionId = 1; |
5796 | 0 | } |
5797 | | |
5798 | | /* Force client hello version 1.2 to work for static RSA. */ |
5799 | 0 | if (ssl->options.dtls) |
5800 | 0 | ssl->chVersion.minor = DTLSv1_2_MINOR; |
5801 | 0 | else |
5802 | 0 | ssl->chVersion.minor = TLSv1_2_MINOR; |
5803 | | /* Complete TLS v1.2 processing of ServerHello. */ |
5804 | 0 | ret = DoServerHello(ssl, input, inOutIdx, helloSz); |
5805 | | #else |
5806 | | WOLFSSL_MSG("Client using higher version, fatal error"); |
5807 | | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
5808 | | ret = VERSION_ERROR; |
5809 | | #endif |
5810 | |
|
5811 | 0 | WOLFSSL_LEAVE("DoTls13ServerHello", ret); |
5812 | |
|
5813 | 0 | return ret; |
5814 | 0 | } |
5815 | | |
5816 | | /* Advance state and proceed */ |
5817 | 0 | ssl->options.asyncState = TLS_ASYNC_FINALIZE; |
5818 | 0 | } /* case TLS_ASYNC_BUILD || TLS_ASYNC_DO */ |
5819 | 0 | FALL_THROUGH; |
5820 | |
|
5821 | 0 | case TLS_ASYNC_FINALIZE: |
5822 | 0 | { |
5823 | | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
5824 | | if (ssl->options.tls13MiddleBoxCompat) { |
5825 | | if (args->sessIdSz == 0) { |
5826 | | WOLFSSL_MSG("args->sessIdSz == 0"); |
5827 | | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5828 | | return INVALID_PARAMETER; |
5829 | | } |
5830 | | if (ssl->session->sessionIDSz != 0) { |
5831 | | if (ssl->session->sessionIDSz != args->sessIdSz || |
5832 | | XMEMCMP(ssl->session->sessionID, args->sessId, |
5833 | | args->sessIdSz) != 0) { |
5834 | | WOLFSSL_MSG("session id doesn't match"); |
5835 | | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5836 | | return INVALID_PARAMETER; |
5837 | | } |
5838 | | } |
5839 | | else if (XMEMCMP(ssl->arrays->clientRandom, args->sessId, |
5840 | | args->sessIdSz) != 0) { |
5841 | | WOLFSSL_MSG("session id doesn't match client random"); |
5842 | | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5843 | | return INVALID_PARAMETER; |
5844 | | } |
5845 | | } |
5846 | | else |
5847 | | #endif /* WOLFSSL_TLS13_MIDDLEBOX_COMPAT */ |
5848 | | #if defined(WOLFSSL_QUIC) || defined(WOLFSSL_DTLS13) |
5849 | | if (0 |
5850 | | #ifdef WOLFSSL_QUIC |
5851 | | || WOLFSSL_IS_QUIC(ssl) |
5852 | | #endif |
5853 | | #ifdef WOLFSSL_DTLS13 |
5854 | | || ssl->options.dtls |
5855 | | #endif |
5856 | | ) { |
5857 | | /* RFC 9147 Section 5.3 / RFC 9001 Section 8.4: DTLS 1.3 and QUIC |
5858 | | * ServerHello must have empty legacy_session_id_echo. */ |
5859 | | int requireEmptyEcho = 1; |
5860 | | #ifdef WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID |
5861 | | /* Compat: a wolfSSL <= 5.9.0 DTLS 1.3 server echoes the client's |
5862 | | * legacy_session_id; accept any echo. */ |
5863 | | if (ssl->options.dtls) |
5864 | | requireEmptyEcho = 0; |
5865 | | #endif |
5866 | | if (requireEmptyEcho && args->sessIdSz != 0) { |
5867 | | WOLFSSL_MSG("args->sessIdSz != 0"); |
5868 | | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5869 | | return INVALID_PARAMETER; |
5870 | | } |
5871 | | } |
5872 | | else |
5873 | | #endif /* WOLFSSL_QUIC || WOLFSSL_DTLS13 */ |
5874 | 0 | if (args->sessIdSz != ssl->session->sessionIDSz || (args->sessIdSz > 0 && |
5875 | 0 | XMEMCMP(ssl->session->sessionID, args->sessId, args->sessIdSz) != 0)) |
5876 | 0 | { |
5877 | 0 | WOLFSSL_MSG("Server sent different session id"); |
5878 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5879 | 0 | return INVALID_PARAMETER; |
5880 | 0 | } |
5881 | | |
5882 | 0 | ret = SetCipherSpecs(ssl); |
5883 | 0 | if (ret != 0) |
5884 | 0 | return ret; |
5885 | | |
5886 | | #ifdef HAVE_NULL_CIPHER |
5887 | | if (ssl->options.cipherSuite0 == ECC_BYTE && |
5888 | | (ssl->options.cipherSuite == TLS_SHA256_SHA256 || |
5889 | | ssl->options.cipherSuite == TLS_SHA384_SHA384)) { |
5890 | | ; |
5891 | | } |
5892 | | else |
5893 | | #endif |
5894 | | #if defined(WOLFSSL_SM4_GCM) && defined(WOLFSSL_SM3) |
5895 | | if (ssl->options.cipherSuite0 == CIPHER_BYTE && |
5896 | | ssl->options.cipherSuite == TLS_SM4_GCM_SM3) { |
5897 | | ; /* Do nothing. */ |
5898 | | } |
5899 | | else |
5900 | | #endif |
5901 | | #if defined(WOLFSSL_SM4_CCM) && defined(WOLFSSL_SM3) |
5902 | | if (ssl->options.cipherSuite0 == CIPHER_BYTE && |
5903 | | ssl->options.cipherSuite == TLS_SM4_CCM_SM3) { |
5904 | | ; /* Do nothing. */ |
5905 | | } |
5906 | | else |
5907 | | #endif |
5908 | | /* Check that the negotiated ciphersuite matches protocol version. */ |
5909 | 0 | if (ssl->options.cipherSuite0 != TLS13_BYTE) { |
5910 | 0 | WOLFSSL_MSG("Server sent non-TLS13 cipher suite in TLS 1.3 packet"); |
5911 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5912 | 0 | return INVALID_PARAMETER; |
5913 | 0 | } |
5914 | | |
5915 | 0 | suite[0] = ssl->options.cipherSuite0; |
5916 | 0 | suite[1] = ssl->options.cipherSuite; |
5917 | 0 | if (!FindSuiteSSL(ssl, suite)) { |
5918 | 0 | WOLFSSL_MSG("Cipher suite not supported on client"); |
5919 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
5920 | 0 | return INVALID_PARAMETER; |
5921 | 0 | } |
5922 | | |
5923 | | #if defined(HAVE_ECH) |
5924 | | /* check for acceptConfirmation */ |
5925 | | if (ssl->echConfigs != NULL && !ssl->options.disableECH && |
5926 | | ssl->hsHashesEch != NULL) { |
5927 | | args->echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
5928 | | if (args->echX == NULL || args->echX->data == NULL) |
5929 | | return WOLFSSL_FATAL_ERROR; |
5930 | | |
5931 | | if (args->extMsgType == hello_retry_request && |
5932 | | ((WOLFSSL_ECH*)args->echX->data)->confBuf == NULL) { |
5933 | | /* server rejected ECH, fall back to outer */ |
5934 | | Free_HS_Hashes(ssl->hsHashesEch, ssl->heap); |
5935 | | ssl->hsHashesEch = NULL; |
5936 | | /* EchCheckAcceptance is bypassed, so replace extensions now */ |
5937 | | ret = TLSX_EchReplaceExtensions(ssl, 0); |
5938 | | if (ret != 0) |
5939 | | return ret; |
5940 | | } |
5941 | | else { |
5942 | | /* account for hrr extension instead of server random */ |
5943 | | if (args->extMsgType == hello_retry_request) { |
5944 | | args->acceptOffset = |
5945 | | (word32)(((WOLFSSL_ECH*)args->echX->data)->confBuf - input); |
5946 | | args->acceptLabel = (byte*)echHrrAcceptConfirmationLabel; |
5947 | | args->acceptLabelSz = ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ; |
5948 | | } |
5949 | | else { |
5950 | | args->acceptLabel = (byte*)echAcceptConfirmationLabel; |
5951 | | args->acceptLabelSz = ECH_ACCEPT_CONFIRMATION_LABEL_SZ; |
5952 | | } |
5953 | | /* check acceptance */ |
5954 | | if (ret == 0) { |
5955 | | ret = EchCheckAcceptance(ssl, args->acceptLabel, |
5956 | | args->acceptLabelSz, input, args->acceptOffset, helloSz, |
5957 | | args->extMsgType); |
5958 | | } |
5959 | | if (ret != 0) |
5960 | | return ret; |
5961 | | /* use the inner random for client random */ |
5962 | | if (args->extMsgType != hello_retry_request && |
5963 | | ssl->options.echAccepted) { |
5964 | | XMEMCPY(ssl->arrays->clientRandom, |
5965 | | ssl->arrays->clientRandomInner, RAN_LEN); |
5966 | | } |
5967 | | } |
5968 | | } |
5969 | | #endif /* HAVE_ECH */ |
5970 | | |
5971 | 0 | if (*extMsgType == server_hello) { |
5972 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
5973 | | PreSharedKey* psk = NULL; |
5974 | | TLSX* ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
5975 | | if (ext != NULL) |
5976 | | psk = (PreSharedKey*)ext->data; |
5977 | | while (psk != NULL && !psk->chosen) |
5978 | | psk = psk->next; |
5979 | | if (psk == NULL) { |
5980 | | /* A mandatory PSK is satisfied by any PSK the server chose, |
5981 | | * including a resumption PSK - this matches the server-side |
5982 | | * failNoPSK semantics, where a negotiated PSK (external or |
5983 | | * resumption) is accepted. The error only fires when no PSK was |
5984 | | * chosen at all. havePSK is only set by an external-PSK callback, |
5985 | | * so a peer relying solely on session-ticket resumption is |
5986 | | * unaffected. */ |
5987 | | if (ssl->options.havePSK && ssl->options.failNoPSK) { |
5988 | | WOLFSSL_MSG("Server did not negotiate a mandatory PSK"); |
5989 | | WOLFSSL_ERROR_VERBOSE(PSK_MISSING_ERROR); |
5990 | | return PSK_MISSING_ERROR; |
5991 | | } |
5992 | | ssl->options.resuming = 0; |
5993 | | ssl->arrays->psk_keySz = 0; |
5994 | | XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN); |
5995 | | } |
5996 | | else { |
5997 | | #if defined(HAVE_ECH) |
5998 | | /* do not resume when outerHandshake will be negotiated */ |
5999 | | if (ssl->echConfigs != NULL && !ssl->options.disableECH && |
6000 | | !ssl->options.echAccepted) { |
6001 | | WOLFSSL_MSG("ECH rejected but server negotiated PSK"); |
6002 | | return INVALID_PARAMETER; |
6003 | | } |
6004 | | #endif |
6005 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6006 | | if (ssl->options.certWithExternPsk && psk->resumption) { |
6007 | | /* RFC8773bis mode requires external PSK, not ticket resumption. */ |
6008 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
6009 | | return PSK_KEY_ERROR; |
6010 | | } |
6011 | | if (ssl->options.certWithExternPsk && ssl->options.shSentKeyShare == 0) { |
6012 | | /* RFC8773bis Sec. 3: cert_with_extern_psk requires psk_dhe_ke; |
6013 | | * a ServerHello without a key_share confirms only psk_ke. */ |
6014 | | WOLFSSL_MSG("cert_with_extern_psk: ServerHello missing key_share"); |
6015 | | WOLFSSL_ERROR_VERBOSE(EXT_MISSING); |
6016 | | return EXT_MISSING; |
6017 | | } |
6018 | | #endif |
6019 | | if ((ret = SetupPskKey(ssl, psk, 0)) != 0) |
6020 | | return ret; |
6021 | | ssl->options.pskNegotiated = 1; |
6022 | | } |
6023 | | #else |
6024 | | /* no resumption possible */ |
6025 | 0 | ssl->options.resuming = 0; |
6026 | 0 | #endif |
6027 | | |
6028 | | /* sanity check on PSK / KSE */ |
6029 | 0 | if ( |
6030 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
6031 | | ssl->options.pskNegotiated == 0 && |
6032 | | #endif |
6033 | 0 | (ssl->session->namedGroup == 0 || |
6034 | 0 | ssl->options.shSentKeyShare == 0)) { |
6035 | 0 | return EXT_MISSING; |
6036 | 0 | } |
6037 | | |
6038 | 0 | ssl->keys.encryptionOn = 1; |
6039 | 0 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
6040 | |
|
6041 | 0 | } |
6042 | 0 | else { |
6043 | | /* https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.4 |
6044 | | * Clients MUST abort the handshake with an |
6045 | | * "illegal_parameter" alert if the HelloRetryRequest would not result |
6046 | | * in any change in the ClientHello. |
6047 | | */ |
6048 | | /* Check if the HRR contained a cookie or a keyshare */ |
6049 | 0 | if (!ssl->options.hrrSentKeyShare |
6050 | | #ifdef WOLFSSL_SEND_HRR_COOKIE |
6051 | | && !ssl->options.hrrSentCookie |
6052 | | #endif |
6053 | 0 | ) { |
6054 | 0 | SendAlert(ssl, alert_fatal, illegal_parameter); |
6055 | 0 | return EXT_MISSING; |
6056 | 0 | } |
6057 | | |
6058 | 0 | ssl->options.tls1_3 = 1; |
6059 | 0 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
6060 | |
|
6061 | 0 | ret = RestartHandshakeHash(ssl); |
6062 | 0 | } |
6063 | | |
6064 | 0 | break; |
6065 | 0 | } /* case TLS_ASYNC_FINALIZE */ |
6066 | 0 | default: |
6067 | 0 | ret = INPUT_CASE_ERROR; |
6068 | 0 | } /* switch (ssl->options.asyncState) */ |
6069 | | |
6070 | | #ifdef WOLFSSL_ASYNC_CRYPT |
6071 | | if (ret == 0) |
6072 | | FreeAsyncCtx(ssl, 0); |
6073 | | #endif |
6074 | | |
6075 | 0 | WOLFSSL_LEAVE("DoTls13ServerHello", ret); |
6076 | 0 | WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO); |
6077 | |
|
6078 | 0 | return ret; |
6079 | 0 | } |
6080 | | |
6081 | | /* handle processing TLS 1.3 encrypted_extensions (8) */ |
6082 | | /* Parse and handle an EncryptedExtensions message. |
6083 | | * Only a client will receive this message. |
6084 | | * |
6085 | | * ssl The SSL/TLS object. |
6086 | | * input The message buffer. |
6087 | | * inOutIdx On entry, the index into the message buffer of |
6088 | | * EncryptedExtensions. |
6089 | | * On exit, the index of byte after the EncryptedExtensions |
6090 | | * message. |
6091 | | * totalSz The length of the current handshake message. |
6092 | | * returns 0 on success and otherwise failure. |
6093 | | */ |
6094 | | static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input, |
6095 | | word32* inOutIdx, word32 totalSz) |
6096 | 0 | { |
6097 | 0 | int ret; |
6098 | 0 | word32 begin = *inOutIdx; |
6099 | 0 | word32 i = begin; |
6100 | 0 | word16 totalExtSz; |
6101 | |
|
6102 | 0 | WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_DO); |
6103 | 0 | WOLFSSL_ENTER("DoTls13EncryptedExtensions"); |
6104 | |
|
6105 | | #ifdef WOLFSSL_CALLBACKS |
6106 | | if (ssl->hsInfoOn) AddPacketName(ssl, "EncryptedExtensions"); |
6107 | | if (ssl->toInfoOn) AddLateName("EncryptedExtensions", &ssl->timeoutInfo); |
6108 | | #endif |
6109 | | |
6110 | | /* Length field of extension data. */ |
6111 | 0 | if (totalSz < OPAQUE16_LEN) |
6112 | 0 | return BUFFER_ERROR; |
6113 | 0 | ato16(&input[i], &totalExtSz); |
6114 | 0 | i += OPAQUE16_LEN; |
6115 | | |
6116 | | /* Extension data. */ |
6117 | 0 | if (i - begin + totalExtSz != totalSz) |
6118 | 0 | return BUFFER_ERROR; |
6119 | 0 | if ((ret = TLSX_Parse(ssl, input + i, totalExtSz, encrypted_extensions, |
6120 | 0 | NULL))) { |
6121 | 0 | return ret; |
6122 | 0 | } |
6123 | | |
6124 | | /* Move index to byte after message. */ |
6125 | 0 | *inOutIdx = i + totalExtSz; |
6126 | |
|
6127 | | #ifdef WOLFSSL_EARLY_DATA |
6128 | | if (ssl->earlyData != no_early_data) { |
6129 | | TLSX* ext = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA); |
6130 | | if (ext == NULL || !ext->val) { |
6131 | | WOLFSSL_MSG("Early data rejected by server (no early_data " |
6132 | | "EncryptedExtensions response)"); |
6133 | | ssl->earlyData = no_early_data; |
6134 | | } |
6135 | | } |
6136 | | |
6137 | | if (ssl->earlyData == no_early_data) { |
6138 | | ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY); |
6139 | | if (ret != 0) |
6140 | | return ret; |
6141 | | } |
6142 | | #endif /* WOLFSSL_EARLY_DATA */ |
6143 | |
|
6144 | 0 | ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE; |
6145 | |
|
6146 | 0 | WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret); |
6147 | 0 | WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_DO); |
6148 | |
|
6149 | 0 | return ret; |
6150 | 0 | } |
6151 | | |
6152 | | #ifndef NO_CERTS |
6153 | | /* handle processing TLS v1.3 certificate_request (13) */ |
6154 | | /* Handle a TLS v1.3 CertificateRequest message. |
6155 | | * This message is always encrypted. |
6156 | | * Only a client will receive this message. |
6157 | | * |
6158 | | * ssl The SSL/TLS object. |
6159 | | * input The message buffer. |
6160 | | * inOutIdx On entry, the index into the message buffer of CertificateRequest. |
6161 | | * On exit, the index of byte after the CertificateRequest message. |
6162 | | * size The length of the current handshake message. |
6163 | | * returns 0 on success and otherwise failure. |
6164 | | */ |
6165 | | static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input, |
6166 | | word32* inOutIdx, word32 size) |
6167 | 0 | { |
6168 | 0 | word16 len; |
6169 | 0 | word32 begin = *inOutIdx; |
6170 | 0 | int ret = 0; |
6171 | 0 | Suites peerSuites; |
6172 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
6173 | | word16 reqCtxLen; |
6174 | | const byte* reqCtxData; |
6175 | | #endif |
6176 | |
|
6177 | 0 | WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO); |
6178 | 0 | WOLFSSL_ENTER("DoTls13CertificateRequest"); |
6179 | |
|
6180 | 0 | XMEMSET(&peerSuites, 0, sizeof(Suites)); |
6181 | |
|
6182 | | #ifdef WOLFSSL_CALLBACKS |
6183 | | if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateRequest"); |
6184 | | if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo); |
6185 | | #endif |
6186 | |
|
6187 | 0 | if (OPAQUE8_LEN > size) |
6188 | 0 | return BUFFER_ERROR; |
6189 | | |
6190 | | /* Length of the request context. */ |
6191 | 0 | len = input[(*inOutIdx)++]; |
6192 | 0 | if ((*inOutIdx - begin) + len > size) |
6193 | 0 | return BUFFER_ERROR; |
6194 | | /* INVALID_PARAMETER does not map to illegal_parameter in the central |
6195 | | * alert path, so emit the alert explicitly before returning. */ |
6196 | 0 | if (ssl->options.connectState < FINISHED_DONE) { |
6197 | | /* RFC 8446 Section 4.3.2: in the handshake the context is zero |
6198 | | * length. */ |
6199 | 0 | if (len > 0) { |
6200 | 0 | SendAlert(ssl, alert_fatal, illegal_parameter); |
6201 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
6202 | 0 | return INVALID_PARAMETER; |
6203 | 0 | } |
6204 | 0 | } |
6205 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
6206 | | else if (len == 0) { |
6207 | | /* RFC 8446 Section 4.3.2: a post-handshake CertificateRequest context |
6208 | | * MUST be non-empty and unique for the connection. */ |
6209 | | SendAlert(ssl, alert_fatal, illegal_parameter); |
6210 | | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
6211 | | return INVALID_PARAMETER; |
6212 | | } |
6213 | | #endif |
6214 | | |
6215 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
6216 | | /* Remember the request context bytes; the CertReqCtx allocation and |
6217 | | * linking into ssl->certReqCtx is deferred until after the rest of the |
6218 | | * message has been validated. |
6219 | | */ |
6220 | | reqCtxLen = len; |
6221 | | reqCtxData = input + *inOutIdx; |
6222 | | /* Reject a context that duplicates one still pending on the connection. */ |
6223 | | if (ssl->options.connectState >= FINISHED_DONE) { |
6224 | | CertReqCtx* dup; |
6225 | | for (dup = ssl->certReqCtx; dup != NULL; dup = dup->next) { |
6226 | | if (dup->len == reqCtxLen && |
6227 | | XMEMCMP(&dup->ctx, reqCtxData, reqCtxLen) == 0) { |
6228 | | SendAlert(ssl, alert_fatal, illegal_parameter); |
6229 | | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
6230 | | return INVALID_PARAMETER; |
6231 | | } |
6232 | | } |
6233 | | } |
6234 | | #endif |
6235 | 0 | *inOutIdx += len; |
6236 | | |
6237 | | /* TODO: Add support for more extensions: |
6238 | | * signed_certificate_timestamp, certificate_authorities, oid_filters. |
6239 | | */ |
6240 | | /* Certificate extensions */ |
6241 | 0 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size) |
6242 | 0 | return BUFFER_ERROR; |
6243 | 0 | ato16(input + *inOutIdx, &len); |
6244 | 0 | *inOutIdx += OPAQUE16_LEN; |
6245 | 0 | if ((*inOutIdx - begin) + len > size) |
6246 | 0 | return BUFFER_ERROR; |
6247 | 0 | if (len == 0) |
6248 | 0 | return INVALID_PARAMETER; |
6249 | 0 | if ((ret = TLSX_Parse(ssl, input + *inOutIdx, len, certificate_request, |
6250 | 0 | &peerSuites))) { |
6251 | 0 | return ret; |
6252 | 0 | } |
6253 | 0 | *inOutIdx += len; |
6254 | | |
6255 | | /* No trailing bytes allowed (RFC 8446 4.3.2). */ |
6256 | 0 | if ((*inOutIdx - begin) != size) |
6257 | 0 | return BUFFER_ERROR; |
6258 | | |
6259 | | /* RFC 8446 Section 4.3.2: the signature_algorithms extension MUST be |
6260 | | * present in a CertificateRequest. */ |
6261 | 0 | if (peerSuites.hashSigAlgoSz == 0) { |
6262 | 0 | SendAlert(ssl, alert_fatal, missing_extension); |
6263 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
6264 | 0 | return INVALID_PARAMETER; |
6265 | 0 | } |
6266 | | #ifdef WOLFSSL_CERT_SETUP_CB |
6267 | | if ((ret = CertSetupCbWrapper(ssl)) != 0) |
6268 | | return ret; |
6269 | | #endif |
6270 | | |
6271 | | #if defined(HAVE_ECH) |
6272 | | /* RFC 9849 s6.1.7: ECH was offered but rejected by the server... |
6273 | | * the client MUST respond with an empty Certificate message. */ |
6274 | | if (ssl->echConfigs != NULL && !ssl->options.disableECH && |
6275 | | !ssl->options.echAccepted) { |
6276 | | ssl->options.sendVerify = SEND_BLANK_CERT; |
6277 | | } |
6278 | | else |
6279 | | #endif |
6280 | 0 | if ((ssl->buffers.certificate && ssl->buffers.certificate->buffer && |
6281 | 0 | ((ssl->buffers.key && ssl->buffers.key->buffer) |
6282 | | #ifdef HAVE_PK_CALLBACKS |
6283 | | || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) |
6284 | | #endif |
6285 | 0 | )) |
6286 | | #ifdef OPENSSL_EXTRA |
6287 | | || ssl->ctx->certSetupCb != NULL |
6288 | | #endif |
6289 | 0 | ) { |
6290 | 0 | if (PickHashSigAlgo(ssl, peerSuites.hashSigAlgo, |
6291 | 0 | peerSuites.hashSigAlgoSz, 0) != 0) { |
6292 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
6293 | 0 | return INVALID_PARAMETER; |
6294 | 0 | } |
6295 | 0 | ssl->options.sendVerify = SEND_CERT; |
6296 | 0 | } |
6297 | 0 | else { |
6298 | 0 | #ifndef WOLFSSL_NO_CLIENT_CERT_ERROR |
6299 | 0 | ssl->options.sendVerify = SEND_BLANK_CERT; |
6300 | | #else |
6301 | | WOLFSSL_MSG("Certificate required but none set on client"); |
6302 | | /* RFC 8446 Section 4.4.2.4: send certificate_required when a |
6303 | | * peer (here, the client) cannot provide a certificate that the |
6304 | | * other peer required. */ |
6305 | | SendAlert(ssl, alert_fatal, certificate_required); |
6306 | | WOLFSSL_ERROR_VERBOSE(NO_CERT_ERROR); |
6307 | | return NO_CERT_ERROR; |
6308 | | #endif |
6309 | 0 | } |
6310 | | |
6311 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
6312 | | { |
6313 | | /* CertReqCtx has one byte at end for context value. |
6314 | | * Increase size to handle other implementations sending more than one byte. |
6315 | | * That is, allocate extra space, over one byte, to hold the context value. |
6316 | | */ |
6317 | | CertReqCtx* certReqCtx = (CertReqCtx*)XMALLOC( |
6318 | | sizeof(CertReqCtx) + (reqCtxLen == 0 ? 0 : reqCtxLen - 1), |
6319 | | ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
6320 | | if (certReqCtx == NULL) |
6321 | | return MEMORY_E; |
6322 | | certReqCtx->next = ssl->certReqCtx; |
6323 | | certReqCtx->len = reqCtxLen; |
6324 | | XMEMCPY(&certReqCtx->ctx, reqCtxData, reqCtxLen); |
6325 | | ssl->certReqCtx = certReqCtx; |
6326 | | } |
6327 | | #endif |
6328 | | |
6329 | 0 | WOLFSSL_LEAVE("DoTls13CertificateRequest", ret); |
6330 | 0 | WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO); |
6331 | |
|
6332 | 0 | return ret; |
6333 | 0 | } |
6334 | | #endif /* !NO_CERTS */ |
6335 | | #endif /* !NO_WOLFSSL_CLIENT */ |
6336 | | |
6337 | | #ifndef NO_WOLFSSL_SERVER |
6338 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
6339 | | #ifndef NO_PSK |
6340 | | int FindPskSuite(const WOLFSSL* ssl, PreSharedKey* psk, byte* psk_key, |
6341 | | word32* psk_keySz, const byte* suite, int* found, byte* foundSuite) |
6342 | | { |
6343 | | const char* cipherName = NULL; |
6344 | | byte cipherSuite0 = TLS13_BYTE; |
6345 | | byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER; |
6346 | | int ret = 0; |
6347 | | |
6348 | | *found = 0; |
6349 | | (void)suite; |
6350 | | |
6351 | | if (ssl->options.server_psk_tls13_cb != NULL) { |
6352 | | *psk_keySz = ssl->options.server_psk_tls13_cb((WOLFSSL*)ssl, |
6353 | | (char*)psk->identity, psk_key, MAX_PSK_KEY_LEN, &cipherName); |
6354 | | if (*psk_keySz != 0) { |
6355 | | int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE; |
6356 | | *found = (GetCipherSuiteFromName(cipherName, &cipherSuite0, |
6357 | | &cipherSuite, NULL, NULL, &cipherSuiteFlags) == 0); |
6358 | | (void)cipherSuiteFlags; |
6359 | | } |
6360 | | } |
6361 | | if (*found == 0 && (ssl->options.server_psk_cb != NULL)) { |
6362 | | *psk_keySz = ssl->options.server_psk_cb((WOLFSSL*)ssl, |
6363 | | (char*)psk->identity, psk_key, |
6364 | | MAX_PSK_KEY_LEN); |
6365 | | *found = (*psk_keySz != 0); |
6366 | | } |
6367 | | if (*found) { |
6368 | | if (*psk_keySz > MAX_PSK_KEY_LEN && |
6369 | | (int)*psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK)) { |
6370 | | WOLFSSL_MSG("Key len too long in FindPsk()"); |
6371 | | ret = PSK_KEY_ERROR; |
6372 | | WOLFSSL_ERROR_VERBOSE(ret); |
6373 | | *found = 0; |
6374 | | } |
6375 | | if (ret == 0) { |
6376 | | #if !defined(WOLFSSL_PSK_ONE_ID) && !defined(WOLFSSL_PRIORITIZE_PSK) |
6377 | | /* Check whether PSK ciphersuite is in SSL. */ |
6378 | | *found = (suite[0] == cipherSuite0) && (suite[1] == cipherSuite); |
6379 | | #else |
6380 | | (void)suite; |
6381 | | /* Check whether PSK ciphersuite is in SSL. */ |
6382 | | { |
6383 | | byte s[2] = { |
6384 | | cipherSuite0, |
6385 | | cipherSuite, |
6386 | | }; |
6387 | | *found = FindSuiteSSL(ssl, s); |
6388 | | } |
6389 | | #endif |
6390 | | } |
6391 | | } |
6392 | | if (*found && foundSuite != NULL) { |
6393 | | foundSuite[0] = cipherSuite0; |
6394 | | foundSuite[1] = cipherSuite; |
6395 | | } |
6396 | | |
6397 | | return ret; |
6398 | | } |
6399 | | |
6400 | | /* Attempt to find the PSK (not session ticket) that matches. |
6401 | | * |
6402 | | * @param [in, out] ssl The SSL/TLS object. |
6403 | | * @param [in] psk A pre-shared key from the extension. |
6404 | | * @param [out] suite Cipher suite to use with PSK. |
6405 | | * @param [out] err Error code. |
6406 | | * PSK_KEY_ERROR when key is too big or ticket age is |
6407 | | * invalid, |
6408 | | * UNSUPPORTED_SUITE on invalid suite. |
6409 | | * Other error when attempting to derive early secret. |
6410 | | * @return 1 when a match found - but check error code. |
6411 | | * @return 0 when no match found. |
6412 | | */ |
6413 | | static int FindPsk(WOLFSSL* ssl, PreSharedKey* psk, const byte* suite, int* err) |
6414 | | { |
6415 | | int ret = 0; |
6416 | | int found = 0; |
6417 | | byte foundSuite[SUITE_LEN]; |
6418 | | |
6419 | | WOLFSSL_ENTER("FindPsk"); |
6420 | | |
6421 | | XMEMSET(foundSuite, 0, sizeof(foundSuite)); |
6422 | | |
6423 | | ret = FindPskSuite(ssl, psk, ssl->arrays->psk_key, &ssl->arrays->psk_keySz, |
6424 | | suite, &found, foundSuite); |
6425 | | if (ret == 0 && found) { |
6426 | | /* This identity matched via external PSK callback, not ticket resume. */ |
6427 | | psk->resumption = 0; |
6428 | | /* Default to ciphersuite if cb doesn't specify. */ |
6429 | | ssl->options.resuming = 0; |
6430 | | /* Don't send certificate request when using PSK. */ |
6431 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6432 | | if (!ssl->options.certWithExternPsk) |
6433 | | #endif |
6434 | | ssl->options.verifyPeer = 0; |
6435 | | |
6436 | | /* PSK age is always zero. */ |
6437 | | if (psk->ticketAge != 0) { |
6438 | | ret = PSK_KEY_ERROR; |
6439 | | WOLFSSL_ERROR_VERBOSE(ret); |
6440 | | } |
6441 | | if (ret == 0) { |
6442 | | /* Set PSK ciphersuite into SSL. */ |
6443 | | ssl->options.cipherSuite0 = foundSuite[0]; |
6444 | | ssl->options.cipherSuite = foundSuite[1]; |
6445 | | ret = SetCipherSpecs(ssl); |
6446 | | } |
6447 | | if (ret == 0) { |
6448 | | /* Derive the early secret using the PSK. */ |
6449 | | ret = DeriveEarlySecret(ssl); |
6450 | | } |
6451 | | if (ret == 0) { |
6452 | | /* PSK negotiation has succeeded */ |
6453 | | ssl->options.isPSK = 1; |
6454 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6455 | | if (!ssl->options.certWithExternPsk) |
6456 | | #endif |
6457 | | { |
6458 | | /* SERVER: using PSK for peer authentication. */ |
6459 | | ssl->options.peerAuthGood = 1; |
6460 | | } |
6461 | | } |
6462 | | } |
6463 | | |
6464 | | *err = ret; |
6465 | | WOLFSSL_LEAVE("FindPsk", found); |
6466 | | WOLFSSL_LEAVE("FindPsk", ret); |
6467 | | return found; |
6468 | | } |
6469 | | #endif /* !NO_PSK */ |
6470 | | |
6471 | | /* Handle any Pre-Shared Key (PSK) extension. |
6472 | | * Find a PSK that supports the cipher suite passed in. |
6473 | | * |
6474 | | * ssl SSL/TLS object. |
6475 | | * suite Cipher suite to find PSK for. |
6476 | | * usingPSK 1=Indicates handshake is using Pre-Shared Keys (2=Ephemeral) |
6477 | | * first Set to 1 if first in extension |
6478 | | * returns 0 on success and otherwise failure. |
6479 | | */ |
6480 | | static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 inputSz, |
6481 | | const byte* suite, int* usingPSK, int* first) |
6482 | | { |
6483 | | int ret = 0; |
6484 | | TLSX* ext; |
6485 | | PreSharedKey* current; |
6486 | | byte binderKey[WC_MAX_DIGEST_SIZE]; |
6487 | | byte binder[WC_MAX_DIGEST_SIZE]; |
6488 | | word32 binderLen; |
6489 | | #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && defined(HAVE_SESSION_TICKET) |
6490 | | int certWithExternOffered = 0; |
6491 | | #endif |
6492 | | |
6493 | | #ifdef NO_PSK |
6494 | | (void) suite; /* to avoid unused var warning when not used */ |
6495 | | #endif |
6496 | | |
6497 | | WOLFSSL_ENTER("DoPreSharedKeys"); |
6498 | | |
6499 | | (void)suite; |
6500 | | |
6501 | | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
6502 | | if (ext == NULL) { |
6503 | | WOLFSSL_MSG("No pre shared extension keys found"); |
6504 | | ret = BAD_FUNC_ARG; |
6505 | | goto cleanup; |
6506 | | } |
6507 | | #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && defined(HAVE_SESSION_TICKET) |
6508 | | certWithExternOffered = |
6509 | | TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) != NULL; |
6510 | | #endif |
6511 | | |
6512 | | /* Look through all client's pre-shared keys for a match. */ |
6513 | | for (current = (PreSharedKey*)ext->data; current != NULL; |
6514 | | current = current->next) { |
6515 | | #ifndef NO_PSK |
6516 | | if (current->identityLen > MAX_PSK_ID_LEN) { |
6517 | | ret = BUFFER_ERROR; |
6518 | | goto cleanup; |
6519 | | } |
6520 | | XMEMCPY(ssl->arrays->client_identity, current->identity, |
6521 | | current->identityLen); |
6522 | | ssl->arrays->client_identity[current->identityLen] = '\0'; |
6523 | | #endif |
6524 | | |
6525 | | #ifdef HAVE_SESSION_TICKET |
6526 | | /* Decode the identity. */ |
6527 | | switch (current->decryptRet) { |
6528 | | case PSK_DECRYPT_NONE: |
6529 | | ret = DoClientTicket_ex(ssl, current, 1); |
6530 | | /* psk->sess may be set. Need to clean up later. */ |
6531 | | break; |
6532 | | case PSK_DECRYPT_OK: |
6533 | | ret = WOLFSSL_TICKET_RET_OK; |
6534 | | break; |
6535 | | case PSK_DECRYPT_CREATE: |
6536 | | ret = WOLFSSL_TICKET_RET_CREATE; |
6537 | | break; |
6538 | | case PSK_DECRYPT_FAIL: |
6539 | | ret = WOLFSSL_TICKET_RET_REJECT; |
6540 | | break; |
6541 | | } |
6542 | | |
6543 | | #ifdef WOLFSSL_ASYNC_CRYPT |
6544 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) |
6545 | | goto cleanup; |
6546 | | #endif |
6547 | | |
6548 | | if (ret != WOLFSSL_TICKET_RET_OK && current->sess_free_cb != NULL) { |
6549 | | current->sess_free_cb(ssl, current->sess, |
6550 | | ¤t->sess_free_cb_ctx); |
6551 | | current->sess = NULL; |
6552 | | XMEMSET(¤t->sess_free_cb_ctx, 0, |
6553 | | sizeof(psk_sess_free_cb_ctx)); |
6554 | | } |
6555 | | if (ret == WOLFSSL_TICKET_RET_OK) { |
6556 | | #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && defined(HAVE_SESSION_TICKET) |
6557 | | /* RFC 8773bis Sect. 5.1: all PSKs listed alongside |
6558 | | * tls_cert_with_extern_psk MUST be external PSKs. A successfully |
6559 | | * decrypted session ticket identity is a resumption PSK, so the |
6560 | | * server MUST abort with illegal_parameter regardless of whether |
6561 | | * the ticket would otherwise be acceptable. Check here, before |
6562 | | * DoClientTicketFinalize, to avoid polluting ssl->session with |
6563 | | * ticket state that will not be used. */ |
6564 | | if (certWithExternOffered) { |
6565 | | if (current->sess_free_cb != NULL) { |
6566 | | current->sess_free_cb(ssl, current->sess, |
6567 | | ¤t->sess_free_cb_ctx); |
6568 | | current->sess = NULL; |
6569 | | XMEMSET(¤t->sess_free_cb_ctx, 0, |
6570 | | sizeof(psk_sess_free_cb_ctx)); |
6571 | | } |
6572 | | ret = PSK_KEY_ERROR; |
6573 | | WOLFSSL_ERROR_VERBOSE(ret); |
6574 | | goto cleanup; |
6575 | | } |
6576 | | #endif |
6577 | | ret = DoClientTicketCheck(ssl, current, ssl->timeout, suite); |
6578 | | #if defined(HAVE_SNI) || defined(HAVE_ALPN) |
6579 | | if (ret == 0) { |
6580 | | /* Decline this PSK if the SNI/ALPN bound to the ticket |
6581 | | * does not match the current connection. RFC 6066 Sect. |
6582 | | * 3 mandates this for SNI; wolfSSL applies the same |
6583 | | * policy to ALPN as defense in depth. Skipping the PSK |
6584 | | * (rather than aborting) lets the server try the next |
6585 | | * candidate or fall back to a full handshake naturally |
6586 | | * without unwinding committed PSK state. ALPN_Select |
6587 | | * has already run earlier in DoTls13ClientHello so the |
6588 | | * negotiated ALPN is available to TicketAlpnHash. */ |
6589 | | byte curHash[TICKET_BINDING_HASH_SZ]; |
6590 | | #ifdef HAVE_SNI |
6591 | | if (TicketSniHash(ssl, curHash) != 0 || |
6592 | | XMEMCMP(curHash, current->it->sniHash, |
6593 | | TICKET_BINDING_HASH_SZ) != 0) { |
6594 | | WOLFSSL_MSG("Ticket SNI mismatch, skipping PSK"); |
6595 | | ret = WOLFSSL_FATAL_ERROR; |
6596 | | } |
6597 | | #endif |
6598 | | #ifdef HAVE_ALPN |
6599 | | if (ret == 0 && |
6600 | | (TicketAlpnHash(ssl, curHash) != 0 || |
6601 | | XMEMCMP(curHash, current->it->alpnHash, |
6602 | | TICKET_BINDING_HASH_SZ) != 0)) { |
6603 | | WOLFSSL_MSG("Ticket ALPN mismatch, skipping PSK"); |
6604 | | ret = WOLFSSL_FATAL_ERROR; |
6605 | | } |
6606 | | #endif |
6607 | | } |
6608 | | #endif |
6609 | | if (ret == 0) |
6610 | | DoClientTicketFinalize(ssl, current->it, current->sess); |
6611 | | if (current->sess_free_cb != NULL) { |
6612 | | current->sess_free_cb(ssl, current->sess, |
6613 | | ¤t->sess_free_cb_ctx); |
6614 | | current->sess = NULL; |
6615 | | XMEMSET(¤t->sess_free_cb_ctx, 0, |
6616 | | sizeof(psk_sess_free_cb_ctx)); |
6617 | | } |
6618 | | if (ret != 0) |
6619 | | continue; |
6620 | | |
6621 | | /* SERVER: using secret in session ticket for peer auth. */ |
6622 | | ssl->options.peerAuthGood = 1; |
6623 | | |
6624 | | #ifdef WOLFSSL_EARLY_DATA |
6625 | | ssl->options.maxEarlyDataSz = ssl->session->maxEarlyDataSz; |
6626 | | #endif |
6627 | | /* Use the same cipher suite as before and set up for use. */ |
6628 | | ssl->options.cipherSuite0 = ssl->session->cipherSuite0; |
6629 | | ssl->options.cipherSuite = ssl->session->cipherSuite; |
6630 | | ret = SetCipherSpecs(ssl); |
6631 | | if (ret != 0) |
6632 | | goto cleanup; |
6633 | | |
6634 | | /* Resumption PSK is resumption master secret. */ |
6635 | | ssl->arrays->psk_keySz = ssl->specs.hash_size; |
6636 | | if ((ret = DeriveResumptionPSK(ssl, ssl->session->ticketNonce.data, |
6637 | | ssl->session->ticketNonce.len, ssl->arrays->psk_key)) != 0) { |
6638 | | goto cleanup; |
6639 | | } |
6640 | | |
6641 | | /* Derive the early secret using the PSK. */ |
6642 | | ret = DeriveEarlySecret(ssl); |
6643 | | if (ret != 0) |
6644 | | goto cleanup; |
6645 | | |
6646 | | /* Hash data up to binders for deriving binders in PSK extension. */ |
6647 | | ret = HashInput(ssl, input, (int)inputSz); |
6648 | | if (ret < 0) |
6649 | | goto cleanup; |
6650 | | |
6651 | | /* Derive the binder key to use with HMAC. */ |
6652 | | ret = DeriveBinderKeyResume(ssl, binderKey); |
6653 | | if (ret != 0) |
6654 | | goto cleanup; |
6655 | | } |
6656 | | else |
6657 | | #endif /* HAVE_SESSION_TICKET */ |
6658 | | #ifndef NO_PSK |
6659 | | if (FindPsk(ssl, current, suite, &ret)) { |
6660 | | if (ret != 0) |
6661 | | goto cleanup; |
6662 | | |
6663 | | ret = HashInput(ssl, input, (int)inputSz); |
6664 | | if (ret < 0) |
6665 | | goto cleanup; |
6666 | | |
6667 | | /* Derive the binder key to use with HMAC. */ |
6668 | | ret = DeriveBinderKey(ssl, binderKey); |
6669 | | if (ret != 0) |
6670 | | goto cleanup; |
6671 | | } |
6672 | | else |
6673 | | #endif |
6674 | | { |
6675 | | continue; |
6676 | | } |
6677 | | |
6678 | | ssl->options.sendVerify = 0; |
6679 | | |
6680 | | /* Derive the Finished message secret. */ |
6681 | | ret = DeriveFinishedSecret(ssl, binderKey, |
6682 | | ssl->keys.client_write_MAC_secret, |
6683 | | 0 /* neither end */); |
6684 | | if (ret != 0) |
6685 | | goto cleanup; |
6686 | | |
6687 | | /* Derive the binder and compare with the one in the extension. */ |
6688 | | ret = BuildTls13HandshakeHmac(ssl, |
6689 | | ssl->keys.client_write_MAC_secret, binder, &binderLen); |
6690 | | if (ret != 0) |
6691 | | goto cleanup; |
6692 | | if (binderLen != current->binderLen || |
6693 | | ConstantCompare(binder, current->binder, |
6694 | | binderLen) != 0) { |
6695 | | WOLFSSL_ERROR_VERBOSE(BAD_BINDER); |
6696 | | ret = BAD_BINDER; |
6697 | | goto cleanup; |
6698 | | } |
6699 | | |
6700 | | /* This PSK works, no need to try any more. */ |
6701 | | current->chosen = 1; |
6702 | | ext->resp = 1; |
6703 | | break; |
6704 | | } |
6705 | | |
6706 | | if (current == NULL) { |
6707 | | ret = 0; |
6708 | | goto cleanup; |
6709 | | } |
6710 | | |
6711 | | *first = (current == ext->data); |
6712 | | *usingPSK = 1; |
6713 | | |
6714 | | cleanup: |
6715 | | ForceZero(binderKey, sizeof(binderKey)); |
6716 | | ForceZero(binder, sizeof(binder)); |
6717 | | WOLFSSL_LEAVE("DoPreSharedKeys", ret); |
6718 | | |
6719 | | return ret; |
6720 | | } |
6721 | | |
6722 | | /* Handle any Pre-Shared Key (PSK) extension. |
6723 | | * Must do this in ClientHello as it requires a hash of the truncated message. |
6724 | | * Don't know size of binders until Pre-Shared Key extension has been parsed. |
6725 | | * |
6726 | | * ssl SSL/TLS object. |
6727 | | * input ClientHello message. |
6728 | | * helloSz Size of the ClientHello message (including binders if present). |
6729 | | * clSuites Client's cipher suite list. |
6730 | | * usingPSK Indicates handshake is using Pre-Shared Keys. |
6731 | | */ |
6732 | | static int CheckPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz, |
6733 | | Suites* clSuites, int* usingPSK) |
6734 | | { |
6735 | | int ret; |
6736 | | TLSX* ext; |
6737 | | word16 bindersLen; |
6738 | | int first = 0; |
6739 | | #ifndef WOLFSSL_PSK_ONE_ID |
6740 | | int i; |
6741 | | const Suites* suites; |
6742 | | #else |
6743 | | byte suite[2]; |
6744 | | #endif |
6745 | | |
6746 | | WOLFSSL_ENTER("CheckPreSharedKeys"); |
6747 | | |
6748 | | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
6749 | | if (ext == NULL) { |
6750 | | #ifdef WOLFSSL_EARLY_DATA |
6751 | | ssl->earlyData = no_early_data; |
6752 | | #endif |
6753 | | if (usingPSK) |
6754 | | *usingPSK = 0; |
6755 | | |
6756 | | /* No PSK extension at all: if a mandatory external PSK is configured, |
6757 | | * refuse the connection rather than continue without one. havePSK is |
6758 | | * only set by an external-PSK callback, so a peer relying solely on |
6759 | | * session-ticket resumption is unaffected. */ |
6760 | | if (ssl->options.havePSK && ssl->options.failNoPSK) { |
6761 | | WOLFSSL_ERROR_VERBOSE(PSK_MISSING_ERROR); |
6762 | | return PSK_MISSING_ERROR; |
6763 | | } |
6764 | | |
6765 | | /* Hash data up to binders for deriving binders in PSK extension. */ |
6766 | | ret = HashInput(ssl, input, (int)helloSz); |
6767 | | return ret; |
6768 | | } |
6769 | | |
6770 | | /* Wire-order check that PSK was the last extension in ClientHello is |
6771 | | * performed in DoTls13ClientHello immediately after TLSX_Parse, since |
6772 | | * post-parse code (e.g. ALPN_Select via TLSX_SetALPN) may legitimately |
6773 | | * prepend new entries to ssl->extensions before this point and would |
6774 | | * otherwise trip a head-of-list check here. */ |
6775 | | |
6776 | | /* Assume we are going to resume with a pre-shared key. */ |
6777 | | ssl->options.resuming = 1; |
6778 | | |
6779 | | /* Find the pre-shared key extension and calculate hash of truncated |
6780 | | * ClientHello for binders. |
6781 | | */ |
6782 | | ret = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data, |
6783 | | client_hello, &bindersLen); |
6784 | | if (ret < 0) |
6785 | | return ret; |
6786 | | if (bindersLen > helloSz) |
6787 | | return BUFFER_ERROR; |
6788 | | |
6789 | | /* Refine list for PSK processing. */ |
6790 | | sslRefineSuites(ssl, clSuites); |
6791 | | #ifndef WOLFSSL_PSK_ONE_ID |
6792 | | if (usingPSK == NULL) |
6793 | | return BAD_FUNC_ARG; |
6794 | | |
6795 | | /* set after refineSuites, to avoid taking a stale ptr to ctx->Suites */ |
6796 | | suites = WOLFSSL_SUITES(ssl); |
6797 | | /* Server list has only common suites from refining in server or client |
6798 | | * order. */ |
6799 | | for (i = 0; !(*usingPSK) && i < suites->suiteSz; i += 2) { |
6800 | | ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen, |
6801 | | suites->suites + i, usingPSK, &first); |
6802 | | if (ret != 0) { |
6803 | | #ifdef HAVE_SESSION_TICKET |
6804 | | #ifdef WOLFSSL_ASYNC_CRYPT |
6805 | | if (ret != WC_NO_ERR_TRACE(WC_PENDING_E)) |
6806 | | #endif |
6807 | | CleanupClientTickets((PreSharedKey*)ext->data); |
6808 | | #endif |
6809 | | WOLFSSL_MSG_EX("DoPreSharedKeys: %d", ret); |
6810 | | return ret; |
6811 | | } |
6812 | | } |
6813 | | #ifdef HAVE_SESSION_TICKET |
6814 | | CleanupClientTickets((PreSharedKey*)ext->data); |
6815 | | #endif |
6816 | | #else |
6817 | | ret = DoPreSharedKeys(ssl, input, helloSz - bindersLen, suite, usingPSK, |
6818 | | &first); |
6819 | | if (ret != 0) { |
6820 | | WOLFSSL_MSG_EX("DoPreSharedKeys: %d", ret); |
6821 | | return ret; |
6822 | | } |
6823 | | #endif |
6824 | | |
6825 | | if (!*usingPSK) { |
6826 | | /* No suitable PSK was negotiated. When a mandatory external PSK is |
6827 | | * configured, fail with a dedicated error instead of falling back to a |
6828 | | * certificate handshake. This must run before the no-certificate |
6829 | | * BAD_BINDER check below so a PSK-only server (no cert) still reports |
6830 | | * PSK_MISSING_ERROR. havePSK is only set by an external-PSK callback, so |
6831 | | * a peer relying solely on session-ticket resumption is unaffected. */ |
6832 | | if (ssl->options.havePSK && ssl->options.failNoPSK) { |
6833 | | WOLFSSL_ERROR_VERBOSE(PSK_MISSING_ERROR); |
6834 | | return PSK_MISSING_ERROR; |
6835 | | } |
6836 | | #ifndef NO_CERTS |
6837 | | if (ssl->buffers.certificate == NULL |
6838 | | #ifdef WOLFSSL_CERT_SETUP_CB |
6839 | | && ssl->ctx->certSetupCb == NULL |
6840 | | #endif |
6841 | | ) |
6842 | | #endif |
6843 | | { |
6844 | | WOLFSSL_ERROR_VERBOSE(BAD_BINDER); |
6845 | | return BAD_BINDER; |
6846 | | } |
6847 | | } |
6848 | | |
6849 | | if (*usingPSK) { |
6850 | | /* While verifying the selected PSK, we updated the |
6851 | | * handshake hash up to the binder bytes in the PSK extensions. |
6852 | | * Continuing, we need the rest of the ClientHello hashed as well. |
6853 | | */ |
6854 | | ret = HashRaw(ssl, input + helloSz - bindersLen, bindersLen); |
6855 | | } |
6856 | | else { |
6857 | | /* No suitable PSK found, Hash the complete ClientHello, |
6858 | | * as caller expect it after we return */ |
6859 | | ret = HashInput(ssl, input, (int)helloSz); |
6860 | | } |
6861 | | if (ret != 0) |
6862 | | return ret; |
6863 | | |
6864 | | if (*usingPSK != 0) { |
6865 | | word32 modes; |
6866 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6867 | | int usingCertWithExternPsk = 0; |
6868 | | TLSX* certExt = NULL; |
6869 | | TLSX* pskExt = NULL; |
6870 | | PreSharedKey* chosenPsk = NULL; |
6871 | | #endif |
6872 | | #ifdef WOLFSSL_EARLY_DATA |
6873 | | TLSX* extEarlyData; |
6874 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6875 | | int hasCertWithExternPsk = (TLSX_Find(ssl->extensions, |
6876 | | TLSX_CERT_WITH_EXTERN_PSK) != NULL); |
6877 | | #endif |
6878 | | |
6879 | | extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA); |
6880 | | if (extEarlyData != NULL) { |
6881 | | /* Check if accepting early data and first PSK. |
6882 | | * RFC 8773bis: early_data is not compatible with |
6883 | | * cert_with_extern_psk, so skip key derivation in that case. */ |
6884 | | if (ssl->earlyData != no_early_data && first |
6885 | | && ssl->options.maxEarlyDataSz > 0 |
6886 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6887 | | && !hasCertWithExternPsk |
6888 | | #endif |
6889 | | #if defined(HAVE_SESSION_TICKET) && !defined(NO_SESSION_CACHE) |
6890 | | /* RFC 8446 section 8: evict the session from the cache. |
6891 | | * Accept 0-RTT only when the eviction found the entry |
6892 | | * (single-use). */ |
6893 | | && wolfSSL_SSL_CTX_remove_session(ssl->ctx, ssl->session) |
6894 | | == 1 |
6895 | | #endif |
6896 | | ) { |
6897 | | extEarlyData->resp = 1; |
6898 | | |
6899 | | /* Derive early data decryption key. */ |
6900 | | ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY, |
6901 | | 1); |
6902 | | if (ret != 0) |
6903 | | return ret; |
6904 | | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
6905 | | return ret; |
6906 | | |
6907 | | ssl->keys.encryptionOn = 1; |
6908 | | ssl->earlyData = process_early_data; |
6909 | | } |
6910 | | else |
6911 | | extEarlyData->resp = 0; |
6912 | | } |
6913 | | #endif |
6914 | | |
6915 | | /* Get the PSK key exchange modes the client wants to negotiate. */ |
6916 | | ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES); |
6917 | | if (ext == NULL) { |
6918 | | WOLFSSL_ERROR_VERBOSE(MISSING_HANDSHAKE_DATA); |
6919 | | return MISSING_HANDSHAKE_DATA; |
6920 | | } |
6921 | | modes = ext->val; |
6922 | | |
6923 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6924 | | certExt = TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK); |
6925 | | if (certExt != NULL) { |
6926 | | pskExt = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
6927 | | if (pskExt != NULL) |
6928 | | chosenPsk = (PreSharedKey*)pskExt->data; |
6929 | | while (chosenPsk != NULL && !chosenPsk->chosen) |
6930 | | chosenPsk = chosenPsk->next; |
6931 | | if (chosenPsk == NULL || chosenPsk->resumption) { |
6932 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
6933 | | return PSK_KEY_ERROR; |
6934 | | } |
6935 | | if ((modes & (1 << PSK_DHE_KE)) == 0) { |
6936 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
6937 | | return PSK_KEY_ERROR; |
6938 | | } |
6939 | | usingCertWithExternPsk = 1; |
6940 | | ssl->options.certWithExternPsk = 1; |
6941 | | if (clSuites->hashSigAlgoSz == 0) { |
6942 | | WOLFSSL_ERROR_VERBOSE(MISSING_HANDSHAKE_DATA); |
6943 | | return MISSING_HANDSHAKE_DATA; |
6944 | | } |
6945 | | ret = PickHashSigAlgo(ssl, clSuites->hashSigAlgo, |
6946 | | clSuites->hashSigAlgoSz, 1); |
6947 | | if (ret != 0) |
6948 | | return ret; |
6949 | | ssl->options.sendVerify = SEND_CERT; |
6950 | | certExt->resp = 1; |
6951 | | #ifdef WOLFSSL_EARLY_DATA |
6952 | | /* RFC 8773bis: early_data is not compatible with |
6953 | | * cert_with_extern_psk. TLSX_Parse already rejects the |
6954 | | * combination in the ClientHello, but clear the response flag |
6955 | | * here as a defense-in-depth measure. */ |
6956 | | if (extEarlyData != NULL) { |
6957 | | WOLFSSL_MSG("Rejecting early data: " |
6958 | | "cert_with_extern_psk is not 0-RTT compatible"); |
6959 | | extEarlyData->resp = 0; |
6960 | | ssl->earlyData = no_early_data; |
6961 | | } |
6962 | | #endif |
6963 | | } |
6964 | | else { |
6965 | | ssl->options.certWithExternPsk = 0; |
6966 | | } |
6967 | | #endif |
6968 | | |
6969 | | #ifndef HAVE_SUPPORTED_CURVES |
6970 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6971 | | if (usingCertWithExternPsk) { |
6972 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
6973 | | return PSK_KEY_ERROR; |
6974 | | } |
6975 | | #endif |
6976 | | #endif |
6977 | | #ifdef HAVE_SUPPORTED_CURVES |
6978 | | ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
6979 | | /* Use (EC)DHE for forward-security if possible. */ |
6980 | | if (((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe && |
6981 | | ext != NULL) |
6982 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6983 | | || usingCertWithExternPsk |
6984 | | #endif |
6985 | | ) { |
6986 | | if (ext == NULL) { |
6987 | | WOLFSSL_ERROR_VERBOSE(EXT_MISSING); |
6988 | | return EXT_MISSING; |
6989 | | } |
6990 | | /* Resumption path uses previous session group. */ |
6991 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
6992 | | if (!usingCertWithExternPsk) |
6993 | | #endif |
6994 | | ssl->namedGroup = ssl->session->namedGroup; |
6995 | | *usingPSK = 2; /* generate new ephemeral key */ |
6996 | | } |
6997 | | else if (ssl->options.onlyPskDheKe || |
6998 | | (ssl->options.failNoPSK && !ssl->options.resuming)) { |
6999 | | /* A mandatory external PSK (failNoPSK) must be combined with |
7000 | | * (EC)DHE for forward secrecy, so reject a pure psk_ke |
7001 | | * negotiation. Session-ticket resumption is exempt. */ |
7002 | | return PSK_KEY_ERROR; |
7003 | | } |
7004 | | else |
7005 | | #endif |
7006 | | { |
7007 | | if ((modes & (1 << PSK_KE)) == 0) { |
7008 | | WOLFSSL_MSG("psk_ke mode does not allow key share"); |
7009 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
7010 | | return PSK_KEY_ERROR; |
7011 | | } |
7012 | | ssl->options.noPskDheKe = 1; |
7013 | | ssl->arrays->preMasterSz = 0; |
7014 | | |
7015 | | *usingPSK = 1; |
7016 | | } |
7017 | | } |
7018 | | else { |
7019 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
7020 | | /* If no PSK is found, we remove the extension to make sure it |
7021 | | * is not sent back to the client */ |
7022 | | TLSX_Remove(&ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK, ssl->heap); |
7023 | | ssl->options.certWithExternPsk = 0; |
7024 | | #endif |
7025 | | #ifndef NO_CERTS |
7026 | | if (ssl->buffers.certificate != NULL |
7027 | | #ifdef WOLFSSL_CERT_SETUP_CB |
7028 | | || ssl->ctx->certSetupCb != NULL |
7029 | | #endif |
7030 | | ) |
7031 | | return 0; |
7032 | | #endif |
7033 | | WOLFSSL_ERROR_VERBOSE(BAD_BINDER); |
7034 | | return BAD_BINDER; |
7035 | | } |
7036 | | |
7037 | | WOLFSSL_LEAVE("CheckPreSharedKeys", ret); |
7038 | | |
7039 | | return 0; |
7040 | | } |
7041 | | #endif /* HAVE_SESSION_TICKET || !NO_PSK */ |
7042 | | |
7043 | | #if defined(WOLFSSL_SEND_HRR_COOKIE) |
7044 | | /* Check that the Cookie data's integrity. |
7045 | | * |
7046 | | * ssl SSL/TLS object. |
7047 | | * cookie The cookie data - hash and MAC. |
7048 | | * cookieSz The length of the cookie data in bytes. |
7049 | | * returns Length of the hash on success, otherwise failure. |
7050 | | */ |
7051 | | int TlsCheckCookie(const WOLFSSL* ssl, const byte* cookie, word16 cookieSz) |
7052 | | { |
7053 | | int ret; |
7054 | | byte mac[WC_MAX_DIGEST_SIZE] = {0}; |
7055 | | WC_DECLARE_VAR(cookieHmac, Hmac, 1, ssl->heap); |
7056 | | byte cookieType = 0; |
7057 | | byte macSz = 0; |
7058 | | |
7059 | | if (ssl->buffers.tls13CookieSecret.buffer == NULL || |
7060 | | ssl->buffers.tls13CookieSecret.length == 0) { |
7061 | | WOLFSSL_MSG("Missing DTLS 1.3 cookie secret"); |
7062 | | return COOKIE_ERROR; |
7063 | | } |
7064 | | |
7065 | | #ifndef NO_SHA256 |
7066 | | cookieType = WC_SHA256; |
7067 | | macSz = WC_SHA256_DIGEST_SIZE; |
7068 | | #elif defined(WOLFSSL_SHA384) |
7069 | | cookieType = WC_SHA384; |
7070 | | macSz = WC_SHA384_DIGEST_SIZE; |
7071 | | #elif defined(WOLFSSL_TLS13_SHA512) |
7072 | | cookieType = WC_SHA512; |
7073 | | macSz = WC_SHA512_DIGEST_SIZE; |
7074 | | #elif defined(WOLFSSL_SM3) |
7075 | | cookieType = WC_SM3; |
7076 | | macSz = WC_SM3_DIGEST_SIZE; |
7077 | | #else |
7078 | | #error "No digest to available to use with HMAC for cookies." |
7079 | | #endif /* NO_SHA */ |
7080 | | |
7081 | | if (cookieSz < ssl->specs.hash_size + macSz) |
7082 | | return HRR_COOKIE_ERROR; |
7083 | | cookieSz -= macSz; |
7084 | | |
7085 | | WC_ALLOC_VAR_EX(cookieHmac, Hmac, 1, ssl->heap, DYNAMIC_TYPE_HMAC, |
7086 | | return MEMORY_E); |
7087 | | |
7088 | | ret = wc_HmacInit(cookieHmac, ssl->heap, ssl->devId); |
7089 | | if (ret == 0) { |
7090 | | ret = wc_HmacSetKey(cookieHmac, cookieType, |
7091 | | ssl->buffers.tls13CookieSecret.buffer, |
7092 | | ssl->buffers.tls13CookieSecret.length); |
7093 | | } |
7094 | | if (ret == 0) |
7095 | | ret = wc_HmacUpdate(cookieHmac, cookie, cookieSz); |
7096 | | #ifdef WOLFSSL_DTLS13 |
7097 | | /* Tie cookie to peer address */ |
7098 | | if (ret == 0) { |
7099 | | /* peerLock not necessary. Still in handshake phase. */ |
7100 | | if (ssl->options.dtls && ssl->buffers.dtlsCtx.peer.sz > 0) { |
7101 | | ret = wc_HmacUpdate(cookieHmac, |
7102 | | (byte*)ssl->buffers.dtlsCtx.peer.sa, |
7103 | | ssl->buffers.dtlsCtx.peer.sz); |
7104 | | } |
7105 | | } |
7106 | | #endif |
7107 | | if (ret == 0) |
7108 | | ret = wc_HmacFinal(cookieHmac, mac); |
7109 | | |
7110 | | wc_HmacFree(cookieHmac); |
7111 | | WC_FREE_VAR_EX(cookieHmac, ssl->heap, DYNAMIC_TYPE_HMAC); |
7112 | | if (ret != 0) |
7113 | | return ret; |
7114 | | |
7115 | | if (ConstantCompare(cookie + cookieSz, mac, macSz) != 0) { |
7116 | | WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR); |
7117 | | return HRR_COOKIE_ERROR; |
7118 | | } |
7119 | | return cookieSz; |
7120 | | } |
7121 | | |
7122 | | /* Length of the KeyShare Extension */ |
7123 | | #define HRR_KEY_SHARE_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
7124 | | /* Length of the Supported Versions Extension */ |
7125 | | #define HRR_VERSIONS_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
7126 | | /* Length of the Cookie Extension excluding cookie data */ |
7127 | | #define HRR_COOKIE_HDR_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN) |
7128 | | /* PV | Random | Session Id | CipherSuite | Compression | Ext Len */ |
7129 | | #define HRR_BODY_SZ (VERSION_SZ + RAN_LEN + ENUM_LEN + ID_LEN + \ |
7130 | | SUITE_LEN + COMP_LEN + OPAQUE16_LEN) |
7131 | | /* HH | PV | CipherSuite | Ext Len | Key Share | Supported Version | Cookie */ |
7132 | | #define MAX_HRR_SZ (HRR_MAX_HS_HEADER_SZ + \ |
7133 | | HRR_BODY_SZ + \ |
7134 | | HRR_KEY_SHARE_SZ + \ |
7135 | | HRR_VERSIONS_SZ + \ |
7136 | | HRR_COOKIE_HDR_SZ) |
7137 | | |
7138 | | |
7139 | | /* Restart the handshake hash from the cookie value. |
7140 | | * |
7141 | | * ssl SSL/TLS object. |
7142 | | * cookie Cookie data from client. |
7143 | | * returns 0 on success, otherwise failure. |
7144 | | */ |
7145 | | static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie) |
7146 | | { |
7147 | | byte header[HANDSHAKE_HEADER_SZ] = {0}; |
7148 | | byte hrr[MAX_HRR_SZ] = {0}; |
7149 | | int hrrIdx; |
7150 | | word32 idx; |
7151 | | byte hashSz; |
7152 | | byte* cookieData; |
7153 | | word16 cookieDataSz; |
7154 | | word16 length; |
7155 | | int keyShareExt = 0; |
7156 | | int ret; |
7157 | | byte sessIdSz; |
7158 | | |
7159 | | ret = TlsCheckCookie(ssl, cookie->data, cookie->len); |
7160 | | if (ret < 0) |
7161 | | return ret; |
7162 | | cookieDataSz = (word16)ret; |
7163 | | hashSz = cookie->data[0]; |
7164 | | cookieData = cookie->data; |
7165 | | idx = OPAQUE8_LEN; |
7166 | | |
7167 | | /* Restart handshake hash with synthetic message hash. */ |
7168 | | AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl); |
7169 | | |
7170 | | if ((ret = InitHandshakeHashes(ssl)) != 0) |
7171 | | return ret; |
7172 | | if ((ret = HashRaw(ssl, header, sizeof(header))) != 0) |
7173 | | return ret; |
7174 | | #ifdef WOLFSSL_DEBUG_TLS |
7175 | | WOLFSSL_MSG("Restart Hash from Cookie"); |
7176 | | WOLFSSL_BUFFER(cookieData + idx, hashSz); |
7177 | | #endif |
7178 | | if ((ret = HashRaw(ssl, cookieData + idx, hashSz)) != 0) |
7179 | | return ret; |
7180 | | |
7181 | | /* Reconstruct the HelloRetryMessage for handshake hash. */ |
7182 | | sessIdSz = ssl->session->sessionIDSz; |
7183 | | #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID) |
7184 | | /* RFC 9147 Section 5.3: DTLS 1.3 must use empty legacy_session_id. */ |
7185 | | if (ssl->options.dtls) |
7186 | | sessIdSz = 0; |
7187 | | #endif |
7188 | | length = HRR_BODY_SZ - ID_LEN + sessIdSz + |
7189 | | HRR_COOKIE_HDR_SZ + cookie->len; |
7190 | | length += HRR_VERSIONS_SZ; |
7191 | | /* HashSz (1 byte) + Hash (HashSz bytes) + CipherSuite (2 bytes) */ |
7192 | | if (cookieDataSz > OPAQUE8_LEN + hashSz + OPAQUE16_LEN) { |
7193 | | keyShareExt = 1; |
7194 | | length += HRR_KEY_SHARE_SZ; |
7195 | | } |
7196 | | |
7197 | | AddTls13HandShakeHeader(hrr, length, 0, 0, server_hello, ssl); |
7198 | | |
7199 | | idx += hashSz; |
7200 | | hrrIdx = HANDSHAKE_HEADER_SZ; |
7201 | | |
7202 | | #ifdef WOLFSSL_DTLS13 |
7203 | | if (ssl->options.dtls) |
7204 | | hrrIdx += DTLS_HANDSHAKE_EXTRA; |
7205 | | #endif /* WOLFSSL_DTLS13 */ |
7206 | | |
7207 | | /* The negotiated protocol version. */ |
7208 | | hrr[hrrIdx++] = ssl->version.major; |
7209 | | hrr[hrrIdx++] = ssl->options.dtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR; |
7210 | | |
7211 | | /* HelloRetryRequest message has fixed value for random. */ |
7212 | | XMEMCPY(hrr + hrrIdx, helloRetryRequestRandom, RAN_LEN); |
7213 | | hrrIdx += RAN_LEN; |
7214 | | |
7215 | | hrr[hrrIdx++] = sessIdSz; |
7216 | | if (sessIdSz > 0) { |
7217 | | XMEMCPY(hrr + hrrIdx, ssl->session->sessionID, sessIdSz); |
7218 | | hrrIdx += sessIdSz; |
7219 | | } |
7220 | | |
7221 | | /* Restore the cipher suite from the cookie. */ |
7222 | | ssl->options.hrrCipherSuite0 = cookieData[idx]; |
7223 | | hrr[hrrIdx++] = cookieData[idx++]; |
7224 | | ssl->options.hrrCipherSuite = cookieData[idx]; |
7225 | | hrr[hrrIdx++] = cookieData[idx++]; |
7226 | | |
7227 | | /* Compression not supported in TLS v1.3. */ |
7228 | | hrr[hrrIdx++] = 0; |
7229 | | |
7230 | | /* Extensions' length */ |
7231 | | length -= HRR_BODY_SZ - ID_LEN + sessIdSz; |
7232 | | c16toa(length, hrr + hrrIdx); |
7233 | | hrrIdx += 2; |
7234 | | |
7235 | | /* Optional KeyShare Extension */ |
7236 | | if (keyShareExt) { |
7237 | | c16toa(TLSX_KEY_SHARE, hrr + hrrIdx); |
7238 | | hrrIdx += 2; |
7239 | | c16toa(OPAQUE16_LEN, hrr + hrrIdx); |
7240 | | hrrIdx += 2; |
7241 | | /* Restore the HRR key share group from the cookie. */ |
7242 | | ato16(cookieData + idx, &ssl->hrr_keyshare_group); |
7243 | | hrr[hrrIdx++] = cookieData[idx++]; |
7244 | | hrr[hrrIdx++] = cookieData[idx++]; |
7245 | | } |
7246 | | c16toa(TLSX_SUPPORTED_VERSIONS, hrr + hrrIdx); |
7247 | | hrrIdx += 2; |
7248 | | c16toa(OPAQUE16_LEN, hrr + hrrIdx); |
7249 | | hrrIdx += 2; |
7250 | | #ifdef WOLFSSL_TLS13_DRAFT |
7251 | | hrr[hrrIdx++] = TLS_DRAFT_MAJOR; |
7252 | | hrr[hrrIdx++] = TLS_DRAFT_MINOR; |
7253 | | #else |
7254 | | hrr[hrrIdx++] = ssl->version.major; |
7255 | | hrr[hrrIdx++] = ssl->version.minor; |
7256 | | #endif |
7257 | | |
7258 | | /* Mandatory Cookie Extension */ |
7259 | | c16toa(TLSX_COOKIE, hrr + hrrIdx); |
7260 | | hrrIdx += 2; |
7261 | | c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx); |
7262 | | hrrIdx += 2; |
7263 | | c16toa(cookie->len, hrr + hrrIdx); |
7264 | | hrrIdx += 2; |
7265 | | |
7266 | | #ifdef WOLFSSL_DEBUG_TLS |
7267 | | WOLFSSL_MSG("Reconstructed HelloRetryRequest"); |
7268 | | WOLFSSL_BUFFER(hrr, hrrIdx); |
7269 | | WOLFSSL_MSG("Cookie"); |
7270 | | WOLFSSL_BUFFER(cookieData, cookie->len); |
7271 | | #endif |
7272 | | |
7273 | | #ifdef WOLFSSL_DTLS13 |
7274 | | if (ssl->options.dtls) { |
7275 | | ret = Dtls13HashHandshake(ssl, hrr, (word16)hrrIdx); |
7276 | | } |
7277 | | else |
7278 | | #endif /* WOLFSSL_DTLS13 */ |
7279 | | { |
7280 | | ret = HashRaw(ssl, hrr, hrrIdx); |
7281 | | } |
7282 | | |
7283 | | if (ret != 0) |
7284 | | return ret; |
7285 | | |
7286 | | return HashRaw(ssl, cookieData, cookie->len); |
7287 | | } |
7288 | | #endif |
7289 | | |
7290 | | /* Do SupportedVersion extension for TLS v1.3+ otherwise it is not. |
7291 | | * |
7292 | | * ssl The SSL/TLS object. |
7293 | | * input The message buffer. |
7294 | | * i The index into the message buffer of ClientHello. |
7295 | | * helloSz The length of the current handshake message. |
7296 | | * returns 0 on success and otherwise failure. |
7297 | | */ |
7298 | | static int DoTls13SupportedVersions(WOLFSSL* ssl, const byte* input, word32 i, |
7299 | | word32 helloSz, int* wantDowngrade) |
7300 | 0 | { |
7301 | 0 | int ret; |
7302 | 0 | byte b; |
7303 | 0 | word16 suiteSz; |
7304 | 0 | word16 totalExtSz; |
7305 | 0 | int foundVersion = 0; |
7306 | | |
7307 | | /* Client random */ |
7308 | 0 | i += RAN_LEN; |
7309 | | /* Session id - not used in TLS v1.3 */ |
7310 | 0 | b = input[i++]; |
7311 | 0 | if (i + b > helloSz) { |
7312 | 0 | return BUFFER_ERROR; |
7313 | 0 | } |
7314 | 0 | i += b; |
7315 | | #ifdef WOLFSSL_DTLS13 |
7316 | | if (ssl->options.dtls) { |
7317 | | /* legacy_cookie - not used in DTLS v1.3 */ |
7318 | | b = input[i++]; |
7319 | | if (i + b > helloSz) { |
7320 | | return BUFFER_ERROR; |
7321 | | } |
7322 | | i += b; |
7323 | | } |
7324 | | #endif /* WOLFSSL_DTLS13 */ |
7325 | | /* Cipher suites */ |
7326 | 0 | if (i + OPAQUE16_LEN > helloSz) |
7327 | 0 | return BUFFER_ERROR; |
7328 | 0 | ato16(input + i, &suiteSz); |
7329 | 0 | i += OPAQUE16_LEN; |
7330 | 0 | if (i + suiteSz + 1 > helloSz) |
7331 | 0 | return BUFFER_ERROR; |
7332 | 0 | i += suiteSz; |
7333 | | /* Compression */ |
7334 | 0 | b = input[i++]; |
7335 | 0 | if (i + b > helloSz) |
7336 | 0 | return BUFFER_ERROR; |
7337 | 0 | i += b; |
7338 | | |
7339 | | /* TLS 1.3 must have extensions */ |
7340 | 0 | if (i < helloSz) { |
7341 | 0 | if (i + OPAQUE16_LEN > helloSz) |
7342 | 0 | return BUFFER_ERROR; |
7343 | 0 | ato16(&input[i], &totalExtSz); |
7344 | 0 | i += OPAQUE16_LEN; |
7345 | 0 | if (totalExtSz != helloSz - i) |
7346 | 0 | return BUFFER_ERROR; |
7347 | | |
7348 | | /* Need to negotiate version first. */ |
7349 | 0 | if ((ret = TLSX_ParseVersion(ssl, input + i, totalExtSz, client_hello, |
7350 | 0 | &foundVersion))) { |
7351 | 0 | return ret; |
7352 | 0 | } |
7353 | 0 | } |
7354 | 0 | *wantDowngrade = !foundVersion || !IsAtLeastTLSv1_3(ssl->version); |
7355 | |
|
7356 | 0 | return 0; |
7357 | 0 | } |
7358 | | |
7359 | | #ifdef HAVE_ECH |
7360 | | /* Calculate and write the 8 ECH confirmation bytes. |
7361 | | * Output into confirmation field on HRR and into ServerRandom on ServerHello. |
7362 | | * |
7363 | | * ssl SSL/TLS object. |
7364 | | * label Ascii string describing ECH acceptance or rejection. |
7365 | | * labelSz Length of label excluding NULL character. |
7366 | | * output The buffer to calculate/write confirmation from/to. |
7367 | | * acceptOffset Where the 8 ECH confirmation bytes should be placed. |
7368 | | * helloSz Size of hello message. |
7369 | | * msgType Type of message being written. |
7370 | | * returns 0 on success and otherwise failure. |
7371 | | */ |
7372 | | static int EchWriteAcceptance(WOLFSSL* ssl, byte* label, word16 labelSz, |
7373 | | byte* output, int acceptOffset, int helloSz, byte msgType) |
7374 | | { |
7375 | | int ret = 0; |
7376 | | int headerSz; |
7377 | | HS_Hashes* tmpHashes; |
7378 | | |
7379 | | #ifdef WOLFSSL_DTLS13 |
7380 | | headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ : |
7381 | | HANDSHAKE_HEADER_SZ; |
7382 | | #else |
7383 | | headerSz = HANDSHAKE_HEADER_SZ; |
7384 | | #endif |
7385 | | |
7386 | | ret = EchCalcAcceptance(ssl, label, labelSz, output, acceptOffset, |
7387 | | helloSz - headerSz, msgType == hello_retry_request, |
7388 | | output + acceptOffset); |
7389 | | |
7390 | | if (ret == 0) { |
7391 | | tmpHashes = ssl->hsHashes; |
7392 | | ssl->hsHashes = ssl->hsHashesEch; |
7393 | | |
7394 | | /* after HRR, hsHashesEch must contain: |
7395 | | * message_hash(ClientHelloInner1) || HRR (actual, not zeros) */ |
7396 | | if (msgType == hello_retry_request) { |
7397 | | ret = HashRaw(ssl, output, helloSz); |
7398 | | } |
7399 | | /* normal TLS code will calculate transcript of ServerHello */ |
7400 | | else { |
7401 | | ssl->hsHashes = tmpHashes; |
7402 | | FreeHandshakeHashes(ssl); |
7403 | | tmpHashes = ssl->hsHashesEch; |
7404 | | ssl->hsHashesEch = NULL; |
7405 | | } |
7406 | | |
7407 | | ssl->hsHashes = tmpHashes; |
7408 | | } |
7409 | | |
7410 | | return ret; |
7411 | | } |
7412 | | #endif |
7413 | | |
7414 | | /* Handle a ClientHello handshake message. |
7415 | | * If the protocol version in the message is not TLS v1.3 or higher, use |
7416 | | * DoClientHello() |
7417 | | * Only a server will receive this message. |
7418 | | * |
7419 | | * ssl The SSL/TLS object. |
7420 | | * input The message buffer. |
7421 | | * inOutIdx On entry, the index into the message buffer of ClientHello. |
7422 | | * On exit, the index of byte after the ClientHello message and |
7423 | | * padding. |
7424 | | * helloSz The length of the current handshake message. |
7425 | | * returns 0 on success and otherwise failure. |
7426 | | */ |
7427 | | |
7428 | | typedef struct Dch13Args { |
7429 | | ProtocolVersion pv; |
7430 | | word32 idx; |
7431 | | word32 begin; |
7432 | | int usingPSK; |
7433 | | } Dch13Args; |
7434 | | |
7435 | | static void FreeDch13Args(WOLFSSL* ssl, void* pArgs) |
7436 | 0 | { |
7437 | | /* openssl compat builds hang on to the client suites until WOLFSSL object |
7438 | | * is destroyed */ |
7439 | 0 | #ifndef OPENSSL_EXTRA |
7440 | 0 | if (ssl->clSuites) { |
7441 | 0 | XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES); |
7442 | 0 | ssl->clSuites = NULL; |
7443 | 0 | } |
7444 | 0 | #endif |
7445 | 0 | (void)ssl; |
7446 | 0 | (void)pArgs; |
7447 | |
|
7448 | 0 | } |
7449 | | |
7450 | | int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
7451 | | word32 helloSz) |
7452 | 0 | { |
7453 | 0 | int ret; |
7454 | | #ifdef WOLFSSL_ASYNC_CRYPT |
7455 | | Dch13Args* args = NULL; |
7456 | | WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args); |
7457 | | #else |
7458 | 0 | Dch13Args args[1]; |
7459 | 0 | #endif |
7460 | | #if defined(HAVE_ECH) |
7461 | | TLSX* echX = NULL; |
7462 | | #endif |
7463 | |
|
7464 | 0 | WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO); |
7465 | 0 | WOLFSSL_ENTER("DoTls13ClientHello"); |
7466 | |
|
7467 | | #ifdef WOLFSSL_ASYNC_CRYPT |
7468 | | if (ssl->async == NULL) { |
7469 | | ssl->async = (struct WOLFSSL_ASYNC*) |
7470 | | XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap, |
7471 | | DYNAMIC_TYPE_ASYNC); |
7472 | | if (ssl->async == NULL) |
7473 | | ERROR_OUT(MEMORY_E, exit_dch); |
7474 | | } |
7475 | | args = (Dch13Args*)ssl->async->args; |
7476 | | |
7477 | | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); |
7478 | | if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) { |
7479 | | /* Check for error */ |
7480 | | if (ret < 0) { |
7481 | | goto exit_dch; |
7482 | | } |
7483 | | } |
7484 | | else |
7485 | | #endif |
7486 | 0 | { |
7487 | | /* Reset state */ |
7488 | 0 | ret = WC_NO_ERR_TRACE(VERSION_ERROR); |
7489 | 0 | ssl->options.asyncState = TLS_ASYNC_BEGIN; |
7490 | 0 | XMEMSET(args, 0, sizeof(Dch13Args)); |
7491 | | #ifdef WOLFSSL_ASYNC_CRYPT |
7492 | | ssl->async->freeArgs = FreeDch13Args; |
7493 | | #endif |
7494 | 0 | } |
7495 | |
|
7496 | 0 | switch (ssl->options.asyncState) { |
7497 | 0 | case TLS_ASYNC_BEGIN: |
7498 | 0 | { |
7499 | 0 | byte b; |
7500 | 0 | byte sessIdSz; |
7501 | 0 | int wantDowngrade = 0; |
7502 | 0 | word16 totalExtSz = 0; |
7503 | |
|
7504 | | #ifdef WOLFSSL_CALLBACKS |
7505 | | if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello"); |
7506 | | if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo); |
7507 | | #endif |
7508 | | |
7509 | | /* do not change state in the SSL object before the next region of code |
7510 | | * to be able to statelessly compute a DTLS cookie */ |
7511 | | #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE) |
7512 | | /* Update the ssl->options.dtlsStateful setting `if` statement in |
7513 | | * wolfSSL_accept_TLSv13 when changing this one. */ |
7514 | | if (IsDtlsNotSctpMode(ssl) && ssl->options.sendCookie && |
7515 | | !ssl->options.dtlsStateful) { |
7516 | | DtlsSetSeqNumForReply(ssl); |
7517 | | ret = DoClientHelloStateless(ssl, input + *inOutIdx, helloSz, 0, NULL); |
7518 | | if (ret != 0 || !ssl->options.dtlsStateful) { |
7519 | | *inOutIdx += helloSz; |
7520 | | goto exit_dch; |
7521 | | } |
7522 | | if (ssl->chGoodCb != NULL) { |
7523 | | int cbret = ssl->chGoodCb(ssl, ssl->chGoodCtx); |
7524 | | if (cbret < 0) { |
7525 | | ssl->error = cbret; |
7526 | | WOLFSSL_MSG("ClientHello Good Cb don't continue error"); |
7527 | | return WOLFSSL_FATAL_ERROR; |
7528 | | } |
7529 | | } |
7530 | | } |
7531 | | ssl->options.dtlsStateful = 1; |
7532 | | #endif /* WOLFSSL_DTLS */ |
7533 | |
|
7534 | 0 | args->idx = *inOutIdx; |
7535 | 0 | args->begin = args->idx; |
7536 | | |
7537 | | /* protocol version, random and session id length check */ |
7538 | 0 | if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) { |
7539 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dch); |
7540 | 0 | } |
7541 | | |
7542 | | /* Protocol version */ |
7543 | 0 | XMEMCPY(&args->pv, input + args->idx, OPAQUE16_LEN); |
7544 | 0 | ssl->chVersion = args->pv; /* store */ |
7545 | 0 | args->idx += OPAQUE16_LEN; |
7546 | | |
7547 | | |
7548 | | /* this check pass for DTLS Major (0xff) */ |
7549 | 0 | if (args->pv.major < SSLv3_MAJOR) { |
7550 | 0 | WOLFSSL_MSG("Legacy version field contains unsupported value"); |
7551 | 0 | ERROR_OUT(VERSION_ERROR, exit_dch); |
7552 | 0 | } |
7553 | | |
7554 | | #ifdef WOLFSSL_DTLS13 |
7555 | | if (ssl->options.dtls && |
7556 | | args->pv.major == DTLS_MAJOR && args->pv.minor > DTLSv1_2_MINOR) { |
7557 | | wantDowngrade = 1; |
7558 | | ssl->version.minor = args->pv.minor; |
7559 | | } |
7560 | | #endif /* WOLFSSL_DTLS13 */ |
7561 | | |
7562 | 0 | if (!ssl->options.dtls) { |
7563 | 0 | #ifndef WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION |
7564 | | /* Check for TLS 1.3 version (0x0304) in legacy version field. RFC 8446 |
7565 | | * Section 4.2.1 allows this action: |
7566 | | * |
7567 | | * "Servers MAY abort the handshake upon receiving a ClientHello with |
7568 | | * legacy_version 0x0304 or later." |
7569 | | * |
7570 | | * Note that if WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION is defined then the |
7571 | | * semantics of RFC 5246 Appendix E will be followed. A ServerHello with |
7572 | | * version 1.2 will be sent. The same is true if TLS 1.3 is not enabled. |
7573 | | */ |
7574 | 0 | if (args->pv.major == SSLv3_MAJOR && args->pv.minor >= TLSv1_3_MINOR) { |
7575 | 0 | WOLFSSL_MSG("Legacy version field is TLS 1.3 or later. Aborting."); |
7576 | 0 | ERROR_OUT(VERSION_ERROR, exit_dch); |
7577 | 0 | } |
7578 | 0 | #endif /* WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION */ |
7579 | | |
7580 | | /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */ |
7581 | 0 | if (args->pv.major > SSLv3_MAJOR || (args->pv.major == SSLv3_MAJOR && |
7582 | 0 | args->pv.minor >= TLSv1_3_MINOR)) { |
7583 | 0 | args->pv.major = SSLv3_MAJOR; |
7584 | 0 | args->pv.minor = TLSv1_2_MINOR; |
7585 | 0 | wantDowngrade = 1; |
7586 | 0 | ssl->version.minor = args->pv.minor; |
7587 | 0 | } |
7588 | | /* Legacy version must be [ SSLv3_MAJOR, TLSv1_2_MINOR ] for TLS v1.3 */ |
7589 | 0 | else if (args->pv.major == SSLv3_MAJOR && |
7590 | 0 | args->pv.minor < TLSv1_2_MINOR) { |
7591 | 0 | wantDowngrade = 1; |
7592 | 0 | ssl->version.minor = args->pv.minor; |
7593 | 0 | } |
7594 | 0 | } |
7595 | | |
7596 | 0 | if (!wantDowngrade) { |
7597 | 0 | ret = DoTls13SupportedVersions(ssl, input + args->begin, |
7598 | 0 | args->idx - args->begin, helloSz, &wantDowngrade); |
7599 | 0 | if (ret < 0) |
7600 | 0 | goto exit_dch; |
7601 | 0 | } |
7602 | | |
7603 | 0 | if (wantDowngrade) { |
7604 | 0 | #ifndef WOLFSSL_NO_TLS12 |
7605 | 0 | byte realMinor; |
7606 | 0 | #endif |
7607 | | #if defined(HAVE_ECH) |
7608 | | if (ssl->options.echProcessingInner) { |
7609 | | WOLFSSL_MSG("ECH: inner client hello does not support version " |
7610 | | "less than TLS v1.3"); |
7611 | | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
7612 | | } |
7613 | | #endif |
7614 | 0 | #ifndef WOLFSSL_NO_TLS12 |
7615 | 0 | if (!ssl->options.downgrade) { |
7616 | 0 | WOLFSSL_MSG("Client trying to connect with lesser version than " |
7617 | 0 | "TLS v1.3"); |
7618 | 0 | ERROR_OUT(VERSION_ERROR, exit_dch); |
7619 | 0 | } |
7620 | | |
7621 | 0 | if ((!ssl->options.dtls |
7622 | 0 | && args->pv.minor < ssl->options.minDowngrade) || |
7623 | 0 | (ssl->options.dtls && args->pv.minor > ssl->options.minDowngrade)) { |
7624 | 0 | WOLFSSL_MSG("\tversion below minimum allowed, fatal error"); |
7625 | 0 | ERROR_OUT(VERSION_ERROR, exit_dch); |
7626 | 0 | } |
7627 | | |
7628 | 0 | realMinor = ssl->version.minor; |
7629 | 0 | ssl->version.minor = args->pv.minor; |
7630 | 0 | ret = HashInput(ssl, input + args->begin, (int)helloSz); |
7631 | 0 | ssl->version.minor = realMinor; |
7632 | 0 | if (ret == 0) { |
7633 | 0 | ret = DoClientHello(ssl, input, inOutIdx, helloSz); |
7634 | 0 | } |
7635 | 0 | goto exit_dch; |
7636 | | #else |
7637 | | WOLFSSL_MSG("Client trying to connect with lesser version than " |
7638 | | "TLS v1.3"); |
7639 | | ERROR_OUT(VERSION_ERROR, exit_dch); |
7640 | | #endif |
7641 | 0 | } |
7642 | | |
7643 | | /* From here on we are a TLS 1.3 ClientHello. */ |
7644 | | |
7645 | | /* Client random |
7646 | | * ECH Accepted -> This will fill with the innerClientRandom */ |
7647 | 0 | XMEMCPY(ssl->arrays->clientRandom, input + args->idx, RAN_LEN); |
7648 | 0 | args->idx += RAN_LEN; |
7649 | |
|
7650 | | #ifdef WOLFSSL_DEBUG_TLS |
7651 | | WOLFSSL_MSG("client random"); |
7652 | | WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN); |
7653 | | #endif |
7654 | |
|
7655 | 0 | sessIdSz = input[args->idx++]; |
7656 | 0 | if (sessIdSz > ID_LEN) |
7657 | 0 | { |
7658 | 0 | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
7659 | 0 | } |
7660 | | |
7661 | 0 | if (sessIdSz + args->idx > helloSz) |
7662 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dch); |
7663 | |
|
7664 | | #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID) |
7665 | | /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty |
7666 | | * legacy_session_id_echo. Don't store the client's value so it |
7667 | | * won't be echoed in SendTls13ServerHello. */ |
7668 | | if (ssl->options.dtls) { |
7669 | | ssl->session->sessionIDSz = 0; |
7670 | | } |
7671 | | else |
7672 | | #endif |
7673 | 0 | { |
7674 | 0 | ssl->session->sessionIDSz = sessIdSz; |
7675 | 0 | if (sessIdSz > 0) |
7676 | 0 | XMEMCPY(ssl->session->sessionID, input + args->idx, sessIdSz); |
7677 | 0 | } |
7678 | 0 | args->idx += sessIdSz; |
7679 | |
|
7680 | | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
7681 | | /* RFC 8446 Appendix D.4: server MUST only send CCS if the client's |
7682 | | * ClientHello contains a non-empty legacy_session_id. */ |
7683 | | if (sessIdSz == 0) { |
7684 | | ssl->options.tls13MiddleBoxCompat = 0; |
7685 | | } |
7686 | | #endif |
7687 | |
|
7688 | | #ifdef WOLFSSL_DTLS13 |
7689 | | /* legacy_cookie */ |
7690 | | if (ssl->options.dtls) { |
7691 | | /* https://www.rfc-editor.org/rfc/rfc9147.html#section-5.3 */ |
7692 | | byte cookieLen = input[args->idx++]; |
7693 | | if (cookieLen != 0) { |
7694 | | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
7695 | | } |
7696 | | } |
7697 | | #endif /* WOLFSSL_DTLS13 */ |
7698 | |
|
7699 | 0 | XFREE(ssl->clSuites, ssl->heap, DYNAMIC_TYPE_SUITES); |
7700 | 0 | ssl->clSuites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap, |
7701 | 0 | DYNAMIC_TYPE_SUITES); |
7702 | 0 | if (ssl->clSuites == NULL) { |
7703 | 0 | ERROR_OUT(MEMORY_E, exit_dch); |
7704 | 0 | } |
7705 | | |
7706 | | /* Cipher suites */ |
7707 | 0 | if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz) |
7708 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dch); |
7709 | 0 | ato16(&input[args->idx], &ssl->clSuites->suiteSz); |
7710 | 0 | args->idx += OPAQUE16_LEN; |
7711 | 0 | if ((ssl->clSuites->suiteSz % 2) != 0) { |
7712 | 0 | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
7713 | 0 | } |
7714 | | /* suites and compression length check */ |
7715 | 0 | if ((args->idx - args->begin) + ssl->clSuites->suiteSz + OPAQUE8_LEN > |
7716 | 0 | helloSz) { |
7717 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dch); |
7718 | 0 | } |
7719 | 0 | if (ssl->clSuites->suiteSz > WOLFSSL_MAX_SUITE_SZ) |
7720 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dch); |
7721 | 0 | XMEMCPY(ssl->clSuites->suites, input + args->idx, ssl->clSuites->suiteSz); |
7722 | 0 | args->idx += ssl->clSuites->suiteSz; |
7723 | 0 | ssl->clSuites->hashSigAlgoSz = 0; |
7724 | | |
7725 | | /* Compression */ |
7726 | 0 | b = input[args->idx++]; |
7727 | 0 | if ((args->idx - args->begin) + b > helloSz) |
7728 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dch); |
7729 | 0 | if (b != COMP_LEN) { |
7730 | 0 | WOLFSSL_MSG("Must be one compression type in list"); |
7731 | 0 | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
7732 | 0 | } |
7733 | 0 | b = input[args->idx++]; |
7734 | 0 | if (b != NO_COMPRESSION) { |
7735 | 0 | WOLFSSL_MSG("Must be no compression type in list"); |
7736 | 0 | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
7737 | 0 | } |
7738 | | |
7739 | | /* Extensions */ |
7740 | 0 | if ((args->idx - args->begin) == helloSz) |
7741 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dch); |
7742 | 0 | if ((args->idx - args->begin) + OPAQUE16_LEN > helloSz) |
7743 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dch); |
7744 | |
|
7745 | 0 | ato16(&input[args->idx], &totalExtSz); |
7746 | 0 | args->idx += OPAQUE16_LEN; |
7747 | 0 | if ((args->idx - args->begin) + totalExtSz > helloSz) |
7748 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dch); |
7749 | | |
7750 | | /* Auto populate extensions supported unless user defined. */ |
7751 | 0 | if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0) |
7752 | 0 | goto exit_dch; |
7753 | | |
7754 | | #if defined(HAVE_ECH) |
7755 | | if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) { |
7756 | | /* save the start of the buffer so we can use it when parsing ech */ |
7757 | | echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
7758 | | |
7759 | | if (echX == NULL) |
7760 | | ERROR_OUT(WOLFSSL_FATAL_ERROR, exit_dch); |
7761 | | |
7762 | | ((WOLFSSL_ECH*)echX->data)->aad = input + HANDSHAKE_HEADER_SZ; |
7763 | | ((WOLFSSL_ECH*)echX->data)->aadLen = helloSz; |
7764 | | } |
7765 | | #endif |
7766 | | |
7767 | | /* Parse extensions */ |
7768 | 0 | if ((ret = TLSX_Parse(ssl, input + args->idx, totalExtSz, client_hello, |
7769 | 0 | ssl->clSuites))) { |
7770 | 0 | goto exit_dch; |
7771 | 0 | } |
7772 | | |
7773 | | #if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \ |
7774 | | defined(HAVE_TLS_EXTENSIONS) |
7775 | | /* RFC 8446 Section 4.2.11: the pre_shared_key extension MUST be the |
7776 | | * last extension in the ClientHello. wolfSSL stores extensions in |
7777 | | * reverse wire order (TLSX_Push prepends), so a well-formed |
7778 | | * ClientHello with PSK leaves PSK at the head of ssl->extensions |
7779 | | * here, before any post-parse code (e.g. ALPN_Select) modifies the |
7780 | | * list. */ |
7781 | | { |
7782 | | TLSX* pskExt = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
7783 | | if (pskExt != NULL && ssl->extensions != pskExt) { |
7784 | | WOLFSSL_MSG("pre_shared_key extension was not last in " |
7785 | | "ClientHello"); |
7786 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
7787 | | ERROR_OUT(PSK_KEY_ERROR, exit_dch); |
7788 | | } |
7789 | | } |
7790 | | #endif |
7791 | | |
7792 | | #if defined(HAVE_ECH) |
7793 | | /* ECH accept/reject reconciliation is done at the end of TLSX_Parse. On |
7794 | | * acceptance the inner hello was decrypted, so jump to exit and let the |
7795 | | * caller re-invoke with the inner hello. */ |
7796 | | if (!ssl->options.echProcessingInner && echX != NULL && |
7797 | | ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE && |
7798 | | ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) { |
7799 | | goto exit_dch; |
7800 | | } |
7801 | | #endif |
7802 | | |
7803 | 0 | #ifdef HAVE_SNI |
7804 | 0 | if ((ret = SNI_Callback(ssl)) != 0) |
7805 | 0 | goto exit_dch; |
7806 | 0 | ssl->options.side = WOLFSSL_SERVER_END; |
7807 | 0 | #endif |
7808 | |
|
7809 | 0 | args->idx += totalExtSz; |
7810 | 0 | ssl->options.haveSessionId = 1; |
7811 | 0 | ssl->options.sendVerify = SEND_CERT; |
7812 | |
|
7813 | | #if defined(WOLFSSL_SEND_HRR_COOKIE) |
7814 | | ssl->options.cookieGood = 0; |
7815 | | if (ssl->options.sendCookie && |
7816 | | (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE |
7817 | | #ifdef WOLFSSL_DTLS13 |
7818 | | /* Always check for a valid cookie since we may have already |
7819 | | * sent a HRR but we reset the state. */ |
7820 | | || ssl->options.dtls |
7821 | | #endif |
7822 | | )) { |
7823 | | TLSX* ext = TLSX_Find(ssl->extensions, TLSX_COOKIE); |
7824 | | |
7825 | | if (ext != NULL) { |
7826 | | /* Ensure the cookie came from client and isn't the one in the |
7827 | | * response - HelloRetryRequest. |
7828 | | */ |
7829 | | if (ext->resp == 0) { |
7830 | | ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data); |
7831 | | if (ret != 0) |
7832 | | goto exit_dch; |
7833 | | /* Don't change state here as we may want to enter |
7834 | | * DoTls13ClientHello again. */ |
7835 | | ssl->options.cookieGood = 1; |
7836 | | } |
7837 | | else { |
7838 | | ERROR_OUT(HRR_COOKIE_ERROR, exit_dch); |
7839 | | } |
7840 | | } |
7841 | | else { |
7842 | | #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS13_NO_HRR_ON_RESUME) |
7843 | | /* Don't error out as we may be resuming. We confirm this later. */ |
7844 | | if (!ssl->options.dtls) |
7845 | | #endif |
7846 | | ERROR_OUT(HRR_COOKIE_ERROR, exit_dch); |
7847 | | } |
7848 | | } |
7849 | | #endif |
7850 | |
|
7851 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
7852 | 0 | if (ssl->hrr_keyshare_group != 0) { |
7853 | | /* |
7854 | | * https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8 |
7855 | | * when sending the new ClientHello, the client MUST |
7856 | | * replace the original "key_share" extension with one containing only |
7857 | | * a new KeyShareEntry for the group indicated in the selected_group |
7858 | | * field of the triggering HelloRetryRequest. |
7859 | | */ |
7860 | 0 | TLSX* extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
7861 | 0 | if (extension != NULL) { |
7862 | 0 | KeyShareEntry* kse = (KeyShareEntry*)extension->data; |
7863 | | /* Exactly one KeyShareEntry with the HRR group must be present. */ |
7864 | 0 | if (kse == NULL || kse->next != NULL || |
7865 | 0 | kse->group != ssl->hrr_keyshare_group) { |
7866 | 0 | ERROR_OUT(BAD_KEY_SHARE_DATA, exit_dch); |
7867 | 0 | } |
7868 | 0 | } |
7869 | 0 | else |
7870 | 0 | ERROR_OUT(BAD_KEY_SHARE_DATA, exit_dch); |
7871 | 0 | } |
7872 | 0 | #endif |
7873 | | |
7874 | | #if defined(HAVE_ECH) |
7875 | | /* hash clientHelloInner to hsHashesEch */ |
7876 | | if (echX != NULL && ssl->ctx->echConfigs != NULL && |
7877 | | !ssl->options.disableECH && |
7878 | | ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) { |
7879 | | ret = EchHashHelloInner(ssl, (WOLFSSL_ECH*)echX->data); |
7880 | | if (ret != 0) |
7881 | | goto exit_dch; |
7882 | | ((WOLFSSL_ECH*)echX->data)->innerCount = 1; |
7883 | | } |
7884 | | #endif |
7885 | | |
7886 | | #ifdef HAVE_ALPN |
7887 | | /* Select the ALPN protocol before PSK selection so that the |
7888 | | * selected value is available to the per-PSK SNI/ALPN binding check |
7889 | | * inside CheckPreSharedKeys/DoPreSharedKeys. ALPN_Select itself |
7890 | | * only inspects ssl->extensions and the app callback; it does not |
7891 | | * depend on any state set during PSK validation. */ |
7892 | | if ((ret = ALPN_Select(ssl)) != 0) |
7893 | | goto exit_dch; |
7894 | | #endif |
7895 | | #if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \ |
7896 | | defined(HAVE_TLS_EXTENSIONS) |
7897 | | ret = CheckPreSharedKeys(ssl, input + args->begin, helloSz, ssl->clSuites, |
7898 | | &args->usingPSK); |
7899 | | if (ret != 0) |
7900 | | goto exit_dch; |
7901 | | #else |
7902 | 0 | if ((ret = HashInput(ssl, input + args->begin, (int)helloSz)) != 0) |
7903 | 0 | goto exit_dch; |
7904 | 0 | #endif |
7905 | | |
7906 | | #if (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) && \ |
7907 | | defined(HAVE_TLS_EXTENSIONS) |
7908 | | if (!args->usingPSK |
7909 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
7910 | | || ssl->options.certWithExternPsk |
7911 | | #endif |
7912 | | ) |
7913 | | #endif |
7914 | 0 | { |
7915 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
7916 | | /* Not using PSK so don't require no KE. */ |
7917 | | ssl->options.noPskDheKe = 0; |
7918 | | #endif |
7919 | |
|
7920 | 0 | #ifndef NO_CERTS |
7921 | 0 | if (TLSX_Find(ssl->extensions, TLSX_KEY_SHARE) == NULL) { |
7922 | 0 | WOLFSSL_MSG("Client did not send a KeyShare extension"); |
7923 | 0 | ERROR_OUT(INCOMPLETE_DATA, exit_dch); |
7924 | 0 | } |
7925 | | /* Can't check ssl->extensions here as SigAlgs are unconditionally |
7926 | | set by TLSX_PopulateExtensions */ |
7927 | 0 | if (ssl->clSuites->hashSigAlgoSz == 0) { |
7928 | 0 | WOLFSSL_MSG("Client did not send a SignatureAlgorithms extension"); |
7929 | 0 | ERROR_OUT(INCOMPLETE_DATA, exit_dch); |
7930 | 0 | } |
7931 | | #else |
7932 | | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
7933 | | #endif |
7934 | 0 | } |
7935 | |
|
7936 | 0 | } /* case TLS_ASYNC_BEGIN */ |
7937 | 0 | FALL_THROUGH; |
7938 | |
|
7939 | 0 | case TLS_ASYNC_BUILD: |
7940 | | /* Advance state and proceed */ |
7941 | 0 | ssl->options.asyncState = TLS_ASYNC_DO; |
7942 | 0 | FALL_THROUGH; |
7943 | |
|
7944 | 0 | case TLS_ASYNC_DO: |
7945 | 0 | { |
7946 | | #ifdef WOLFSSL_CERT_SETUP_CB |
7947 | | if ((ret = CertSetupCbWrapper(ssl)) != 0) |
7948 | | goto exit_dch; |
7949 | | #endif |
7950 | 0 | #ifndef NO_CERTS |
7951 | 0 | if (!args->usingPSK) { |
7952 | 0 | if ((ret = MatchSuite(ssl, ssl->clSuites)) < 0) { |
7953 | | #ifdef WOLFSSL_ASYNC_CRYPT |
7954 | | if (ret != WC_NO_ERR_TRACE(WC_PENDING_E)) |
7955 | | #endif |
7956 | 0 | WOLFSSL_MSG("Unsupported cipher suite, ClientHello 1.3"); |
7957 | 0 | goto exit_dch; |
7958 | 0 | } |
7959 | 0 | } |
7960 | 0 | #endif |
7961 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
7962 | 0 | if (args->usingPSK == 2) { |
7963 | | /* Pick key share and Generate a new key if not present. */ |
7964 | 0 | int doHelloRetry = 0; |
7965 | 0 | ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry); |
7966 | 0 | if (doHelloRetry) { |
7967 | | /* Make sure we don't send HRR twice */ |
7968 | 0 | if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) |
7969 | 0 | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
7970 | 0 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
7971 | 0 | if (ret != WC_NO_ERR_TRACE(WC_PENDING_E)) |
7972 | 0 | ret = 0; /* for hello_retry return 0 */ |
7973 | 0 | } |
7974 | 0 | if (ret != 0) |
7975 | 0 | goto exit_dch; |
7976 | 0 | } |
7977 | 0 | #endif |
7978 | | |
7979 | | /* Verify the cipher suite is the same as what was chosen in HRR. |
7980 | | * got_client_hello == 2 covers the stateful path. |
7981 | | * cookieGood covers the stateless DTLS path. */ |
7982 | 0 | if ((ssl->msgsReceived.got_client_hello == 2 |
7983 | | #ifdef WOLFSSL_SEND_HRR_COOKIE |
7984 | | || ssl->options.cookieGood |
7985 | | #endif |
7986 | 0 | ) && |
7987 | 0 | (ssl->options.cipherSuite0 != ssl->options.hrrCipherSuite0 || |
7988 | 0 | ssl->options.cipherSuite != ssl->options.hrrCipherSuite)) { |
7989 | 0 | WOLFSSL_MSG("Cipher suite in second ClientHello does not match " |
7990 | 0 | "HelloRetryRequest"); |
7991 | 0 | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
7992 | 0 | } |
7993 | | |
7994 | | /* Advance state and proceed */ |
7995 | 0 | ssl->options.asyncState = TLS_ASYNC_VERIFY; |
7996 | 0 | } /* case TLS_ASYNC_BUILD || TLS_ASYNC_DO */ |
7997 | 0 | FALL_THROUGH; |
7998 | |
|
7999 | 0 | case TLS_ASYNC_VERIFY: |
8000 | 0 | { |
8001 | | #if defined(WOLFSSL_ASYNC_CRYPT) && defined(HAVE_SUPPORTED_CURVES) |
8002 | | /* Check if the KeyShare calculations from the previous state are complete. |
8003 | | * wolfSSL_AsyncPop advances ssl->options.asyncState so we may end up here |
8004 | | * with a pending calculation. */ |
8005 | | TLSX* extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
8006 | | if (extension != NULL && extension->resp == 1) { |
8007 | | KeyShareEntry* serverKSE = (KeyShareEntry*)extension->data; |
8008 | | if (serverKSE != NULL && |
8009 | | serverKSE->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
8010 | | #if defined(WOLFSSL_HAVE_MLKEM) |
8011 | | if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(serverKSE->group)) { |
8012 | | ret = TLSX_KeyShare_HandlePqcHybridKeyServer(ssl, serverKSE, |
8013 | | serverKSE->ke, serverKSE->keLen); |
8014 | | } |
8015 | | else |
8016 | | #endif |
8017 | | { |
8018 | | ret = TLSX_KeyShare_GenKey(ssl, serverKSE); |
8019 | | } |
8020 | | if (ret != 0) |
8021 | | goto exit_dch; |
8022 | | } |
8023 | | } |
8024 | | #endif |
8025 | | /* Advance state and proceed */ |
8026 | 0 | ssl->options.asyncState = TLS_ASYNC_FINALIZE; |
8027 | 0 | } |
8028 | 0 | FALL_THROUGH; |
8029 | |
|
8030 | 0 | case TLS_ASYNC_FINALIZE: |
8031 | 0 | { |
8032 | 0 | *inOutIdx = args->idx; |
8033 | 0 | ssl->options.clientState = CLIENT_HELLO_COMPLETE; |
8034 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
8035 | | ssl->options.pskNegotiated = (args->usingPSK != 0); |
8036 | | #endif |
8037 | |
|
8038 | 0 | if (!args->usingPSK) { |
8039 | 0 | #ifndef NO_CERTS |
8040 | | /* Check that the negotiated ciphersuite matches protocol version. */ |
8041 | | #ifdef HAVE_NULL_CIPHER |
8042 | | if (ssl->options.cipherSuite0 == ECC_BYTE && |
8043 | | (ssl->options.cipherSuite == TLS_SHA256_SHA256 || |
8044 | | ssl->options.cipherSuite == TLS_SHA384_SHA384)) { |
8045 | | ; |
8046 | | } |
8047 | | else |
8048 | | #endif |
8049 | | #if defined(WOLFSSL_SM4_GCM) && defined(WOLFSSL_SM3) |
8050 | | if (ssl->options.cipherSuite0 == CIPHER_BYTE && |
8051 | | ssl->options.cipherSuite == TLS_SM4_GCM_SM3) { |
8052 | | ; /* Do nothing. */ |
8053 | | } |
8054 | | else |
8055 | | #endif |
8056 | | #if defined(WOLFSSL_SM4_CCM) && defined(WOLFSSL_SM3) |
8057 | | if (ssl->options.cipherSuite0 == CIPHER_BYTE && |
8058 | | ssl->options.cipherSuite == TLS_SM4_CCM_SM3) { |
8059 | | ; /* Do nothing. */ |
8060 | | } |
8061 | | else |
8062 | | #endif |
8063 | 0 | if (ssl->options.cipherSuite0 != TLS13_BYTE) { |
8064 | 0 | WOLFSSL_MSG("Negotiated ciphersuite from lesser version than " |
8065 | 0 | "TLS v1.3"); |
8066 | 0 | ERROR_OUT(MATCH_SUITE_ERROR, exit_dch); |
8067 | 0 | } |
8068 | | |
8069 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
8070 | | if (ssl->options.resuming) { |
8071 | | ssl->options.resuming = 0; |
8072 | | ssl->arrays->psk_keySz = 0; |
8073 | | XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size); |
8074 | | } |
8075 | | #endif |
8076 | | |
8077 | | /* Derive early secret for handshake secret. */ |
8078 | 0 | if ((ret = DeriveEarlySecret(ssl)) != 0) |
8079 | 0 | goto exit_dch; |
8080 | 0 | #endif /* !NO_CERTS */ |
8081 | 0 | } |
8082 | 0 | break; |
8083 | 0 | } /* case TLS_ASYNC_FINALIZE */ |
8084 | 0 | default: |
8085 | 0 | ret = INPUT_CASE_ERROR; |
8086 | 0 | } /* switch (ssl->options.asyncState) */ |
8087 | | |
8088 | | #ifdef WOLFSSL_SEND_HRR_COOKIE |
8089 | | if (ret == 0 && ssl->options.sendCookie) { |
8090 | | if (ssl->options.cookieGood && |
8091 | | ssl->options.acceptState == TLS13_ACCEPT_FIRST_REPLY_DONE) { |
8092 | | /* Processing second ClientHello. Clear HRR state. */ |
8093 | | ssl->options.serverState = NULL_STATE; |
8094 | | } |
8095 | | |
8096 | | if (ssl->options.cookieGood && |
8097 | | ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
8098 | | /* If we already verified the peer with a cookie then we can't |
8099 | | * do another HRR for cipher negotiation. Send alert and restart |
8100 | | * the entire handshake. */ |
8101 | | ERROR_OUT(INVALID_PARAMETER, exit_dch); |
8102 | | } |
8103 | | #ifdef WOLFSSL_DTLS13 |
8104 | | if (ssl->options.dtls && |
8105 | | ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
8106 | | /* Cookie and key share negotiation should be handled in |
8107 | | * DoClientHelloStateless. If we enter here then something went |
8108 | | * wrong in our logic. */ |
8109 | | ERROR_OUT(BAD_HELLO, exit_dch); |
8110 | | } |
8111 | | #endif |
8112 | | /* Send a cookie */ |
8113 | | if (!ssl->options.cookieGood && |
8114 | | ssl->options.serverState != SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
8115 | | #ifdef WOLFSSL_DTLS13 |
8116 | | if (ssl->options.dtls) { |
8117 | | #ifdef WOLFSSL_DTLS13_NO_HRR_ON_RESUME |
8118 | | /* We can skip cookie on resumption */ |
8119 | | if (!ssl->options.dtls || !ssl->options.dtls13NoHrrOnResume || |
8120 | | !args->usingPSK) |
8121 | | #endif |
8122 | | ERROR_OUT(BAD_HELLO, exit_dch); |
8123 | | } |
8124 | | else |
8125 | | #endif |
8126 | | { |
8127 | | /* Need to remove the keyshare ext if we found a common group |
8128 | | * and are not doing curve negotiation. */ |
8129 | | TLSX_Remove(&ssl->extensions, TLSX_KEY_SHARE, ssl->heap); |
8130 | | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
8131 | | } |
8132 | | |
8133 | | } |
8134 | | } |
8135 | | #endif /* WOLFSSL_DTLS13 */ |
8136 | | |
8137 | | #ifdef WOLFSSL_DTLS_CID |
8138 | | /* do not modify CID state if we are sending an HRR */ |
8139 | | if (ret == 0 && ssl->options.dtls && ssl->options.useDtlsCID && |
8140 | | ssl->options.serverState != SERVER_HELLO_RETRY_REQUEST_COMPLETE) |
8141 | | DtlsCIDOnExtensionsParsed(ssl); |
8142 | | #endif /* WOLFSSL_DTLS_CID */ |
8143 | | |
8144 | | |
8145 | | |
8146 | 0 | exit_dch: |
8147 | |
|
8148 | 0 | WOLFSSL_LEAVE("DoTls13ClientHello", ret); |
8149 | |
|
8150 | | #ifdef WOLFSSL_ASYNC_CRYPT |
8151 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
8152 | | ssl->msgsReceived.got_client_hello = 0; |
8153 | | return ret; |
8154 | | } |
8155 | | #endif |
8156 | |
|
8157 | 0 | FreeDch13Args(ssl, args); |
8158 | | #ifdef WOLFSSL_ASYNC_CRYPT |
8159 | | FreeAsyncCtx(ssl, 0); |
8160 | | #endif |
8161 | 0 | WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO); |
8162 | |
|
8163 | 0 | if (ret != 0) { |
8164 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
8165 | 0 | } |
8166 | |
|
8167 | | #if defined(HAVE_ECH) |
8168 | | if (ret == 0 && echX != NULL && |
8169 | | ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE && |
8170 | | ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) { |
8171 | | |
8172 | | /* add the header to the inner hello */ |
8173 | | AddTls13HandShakeHeader(((WOLFSSL_ECH*)echX->data)->innerClientHello, |
8174 | | ((WOLFSSL_ECH*)echX->data)->innerClientHelloLen, 0, 0, |
8175 | | client_hello, ssl); |
8176 | | } |
8177 | | #endif |
8178 | |
|
8179 | 0 | return ret; |
8180 | 0 | } |
8181 | | |
8182 | | /* Send TLS v1.3 ServerHello message to client. |
8183 | | * Only a server will send this message. |
8184 | | * |
8185 | | * ssl The SSL/TLS object. |
8186 | | * returns 0 on success, otherwise failure. |
8187 | | */ |
8188 | | /* handle generation of TLS 1.3 server_hello (2) */ |
8189 | | int SendTls13ServerHello(WOLFSSL* ssl, byte extMsgType) |
8190 | 0 | { |
8191 | 0 | int ret; |
8192 | 0 | byte* output; |
8193 | 0 | word16 length; |
8194 | 0 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
8195 | 0 | int sendSz; |
8196 | | #if defined(HAVE_ECH) |
8197 | | TLSX* echX = NULL; |
8198 | | byte* acceptLabel = (byte*)echAcceptConfirmationLabel; |
8199 | | word32 acceptOffset; |
8200 | | word16 acceptLabelSz = ECH_ACCEPT_CONFIRMATION_LABEL_SZ; |
8201 | | #endif |
8202 | |
|
8203 | 0 | WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND); |
8204 | 0 | WOLFSSL_ENTER("SendTls13ServerHello"); |
8205 | | |
8206 | | /* When ssl->options.dtlsStateful is not set then cookie is calculated in |
8207 | | * dtls.c */ |
8208 | 0 | if (extMsgType == hello_retry_request |
8209 | | #ifdef WOLFSSL_DTLS13 |
8210 | | && (!ssl->options.dtls || ssl->options.dtlsStateful) |
8211 | | #endif |
8212 | 0 | ) { |
8213 | 0 | WOLFSSL_MSG("wolfSSL Sending HelloRetryRequest"); |
8214 | 0 | if ((ret = RestartHandshakeHash(ssl)) < 0) |
8215 | 0 | return ret; |
8216 | 0 | } |
8217 | | |
8218 | 0 | ssl->options.buildingMsg = 1; |
8219 | | #ifdef WOLFSSL_DTLS13 |
8220 | | if (ssl->options.dtls) |
8221 | | idx = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ; |
8222 | | #endif /* WOLFSSL_DTLS13 */ |
8223 | | |
8224 | | /* Protocol version, server random, session id, cipher suite, compression |
8225 | | * and extensions. |
8226 | | */ |
8227 | 0 | length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->session->sessionIDSz + |
8228 | 0 | SUITE_LEN + COMP_LEN; |
8229 | 0 | ret = TLSX_GetResponseSize(ssl, extMsgType, &length); |
8230 | 0 | if (ret != 0) |
8231 | 0 | return ret; |
8232 | 0 | sendSz = (int)(idx + length); |
8233 | | |
8234 | | /* Check buffers are big enough and grow if needed. */ |
8235 | 0 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
8236 | 0 | return ret; |
8237 | | |
8238 | | /* Get position in output buffer to write new message to. */ |
8239 | 0 | output = GetOutputBuffer(ssl); |
8240 | | |
8241 | | /* Put the record and handshake headers on. */ |
8242 | 0 | AddTls13Headers(output, length, server_hello, ssl); |
8243 | | |
8244 | | /* The protocol version must be TLS v1.2 for middleboxes. */ |
8245 | 0 | output[idx++] = ssl->version.major; |
8246 | 0 | output[idx++] = ssl->options.dtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR; |
8247 | |
|
8248 | 0 | if (extMsgType == server_hello) { |
8249 | | /* Generate server random. */ |
8250 | 0 | if ((ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN)) != 0) |
8251 | 0 | return ret; |
8252 | 0 | } |
8253 | 0 | else { |
8254 | | /* HelloRetryRequest message has fixed value for random. */ |
8255 | 0 | XMEMCPY(output + idx, helloRetryRequestRandom, RAN_LEN); |
8256 | 0 | } |
8257 | | |
8258 | | #if defined(HAVE_ECH) |
8259 | | /* last 8 bytes of server random */ |
8260 | | acceptOffset = idx + RAN_LEN - ECH_ACCEPT_CONFIRMATION_SZ; |
8261 | | #endif |
8262 | | |
8263 | | /* Store in SSL for debugging. */ |
8264 | 0 | XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); |
8265 | 0 | idx += RAN_LEN; |
8266 | |
|
8267 | | #ifdef WOLFSSL_DEBUG_TLS |
8268 | | WOLFSSL_MSG("Server random"); |
8269 | | WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN); |
8270 | | #endif |
8271 | |
|
8272 | | #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_DTLS13_ECHO_LEGACY_SESSION_ID) |
8273 | | if (ssl->options.dtls) { |
8274 | | /* RFC 9147 Section 5.3: DTLS 1.3 ServerHello must have empty |
8275 | | * legacy_session_id_echo. */ |
8276 | | output[idx++] = 0; |
8277 | | } |
8278 | | else |
8279 | | #endif |
8280 | 0 | { |
8281 | 0 | output[idx++] = ssl->session->sessionIDSz; |
8282 | 0 | if (ssl->session->sessionIDSz > 0) { |
8283 | 0 | XMEMCPY(output + idx, ssl->session->sessionID, |
8284 | 0 | ssl->session->sessionIDSz); |
8285 | 0 | idx += ssl->session->sessionIDSz; |
8286 | 0 | } |
8287 | 0 | } |
8288 | | |
8289 | | /* Chosen cipher suite */ |
8290 | 0 | output[idx++] = ssl->options.cipherSuite0; |
8291 | 0 | output[idx++] = ssl->options.cipherSuite; |
8292 | | #ifdef WOLFSSL_DEBUG_TLS |
8293 | | WOLFSSL_MSG("Chosen cipher suite:"); |
8294 | | WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0, |
8295 | | ssl->options.cipherSuite)); |
8296 | | #endif |
8297 | | |
8298 | | /* Compression not supported in TLS v1.3. */ |
8299 | 0 | output[idx++] = 0; |
8300 | | |
8301 | | /* Extensions */ |
8302 | 0 | ret = TLSX_WriteResponse(ssl, output + idx, extMsgType, NULL); |
8303 | 0 | if (ret != 0) |
8304 | 0 | return ret; |
8305 | | |
8306 | | /* When we send a HRR, we store the selected key share group to later check |
8307 | | * that the client uses the same group in the second ClientHello. |
8308 | | * |
8309 | | * In case of stateless DTLS, we do not store the group, however, as it is |
8310 | | * already stored in the cookie that is sent to the client. We later recover |
8311 | | * the group from the cookie to prevent storing a state in a stateless |
8312 | | * server. |
8313 | | * |
8314 | | * Similar logic holds for the hrrCipherSuite. */ |
8315 | 0 | if (extMsgType == hello_retry_request |
8316 | | #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE) |
8317 | | && (!ssl->options.dtls || ssl->options.dtlsStateful) |
8318 | | #endif |
8319 | 0 | ) { |
8320 | 0 | TLSX* ksExt = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
8321 | 0 | if (ksExt != NULL) { |
8322 | 0 | KeyShareEntry* kse = (KeyShareEntry*)ksExt->data; |
8323 | 0 | if (kse != NULL) |
8324 | 0 | ssl->hrr_keyshare_group = kse->group; |
8325 | 0 | } |
8326 | |
|
8327 | 0 | ssl->options.hrrCipherSuite0 = ssl->options.cipherSuite0; |
8328 | 0 | ssl->options.hrrCipherSuite = ssl->options.cipherSuite; |
8329 | 0 | } |
8330 | |
|
8331 | | #ifdef WOLFSSL_SEND_HRR_COOKIE |
8332 | | if (ssl->options.sendCookie && extMsgType == hello_retry_request) { |
8333 | | /* Reset the hashes from here. We will be able to restart the hashes |
8334 | | * from the cookie in RestartHandshakeHashWithCookie */ |
8335 | | #ifdef WOLFSSL_DTLS13 |
8336 | | /* When ssl->options.dtlsStateful is not set then cookie is calculated |
8337 | | * in dtls.c */ |
8338 | | if (ssl->options.dtls && !ssl->options.dtlsStateful) |
8339 | | ret = 0; |
8340 | | else |
8341 | | #endif |
8342 | | ret = InitHandshakeHashes(ssl); |
8343 | | } |
8344 | | else |
8345 | | #endif |
8346 | 0 | { |
8347 | | #ifdef WOLFSSL_DTLS13 |
8348 | | if (ssl->options.dtls) { |
8349 | | ret = Dtls13HashHandshake( |
8350 | | ssl, |
8351 | | output + Dtls13GetRlHeaderLength(ssl, 0) , |
8352 | | (word16)sendSz - Dtls13GetRlHeaderLength(ssl, 0)); |
8353 | | } |
8354 | | else |
8355 | | #endif /* WOLFSSL_DTLS13 */ |
8356 | 0 | { |
8357 | | #if defined(HAVE_ECH) |
8358 | | if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) { |
8359 | | echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
8360 | | if (echX == NULL) |
8361 | | return WOLFSSL_FATAL_ERROR; |
8362 | | /* use hrr offset */ |
8363 | | if (extMsgType == hello_retry_request) { |
8364 | | acceptOffset = |
8365 | | (word32)(((WOLFSSL_ECH*)echX->data)->confBuf - output); |
8366 | | acceptLabel = (byte*)echHrrAcceptConfirmationLabel; |
8367 | | acceptLabelSz = ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ; |
8368 | | } |
8369 | | /* replace the last 8 bytes of server random with the accept */ |
8370 | | if (((WOLFSSL_ECH*)echX->data)->state == ECH_PARSED_INTERNAL) { |
8371 | | if (ret == 0) { |
8372 | | ret = EchWriteAcceptance(ssl, acceptLabel, |
8373 | | acceptLabelSz, output + RECORD_HEADER_SZ, |
8374 | | acceptOffset - RECORD_HEADER_SZ, |
8375 | | sendSz - RECORD_HEADER_SZ, extMsgType); |
8376 | | } |
8377 | | if (extMsgType == hello_retry_request) { |
8378 | | /* reset the ech state for round 2 */ |
8379 | | ((WOLFSSL_ECH*)echX->data)->state = ECH_WRITE_NONE; |
8380 | | /* inner hello no longer needed, free it */ |
8381 | | XFREE(((WOLFSSL_ECH*)echX->data)->innerClientHello, |
8382 | | ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
8383 | | ((WOLFSSL_ECH*)echX->data)->innerClientHello = NULL; |
8384 | | } |
8385 | | else { |
8386 | | if (ret == 0) { |
8387 | | /* update serverRandom on success */ |
8388 | | XMEMCPY(ssl->arrays->serverRandom, |
8389 | | output + acceptOffset - |
8390 | | (RAN_LEN -ECH_ACCEPT_CONFIRMATION_SZ), RAN_LEN); |
8391 | | } |
8392 | | /* remove ech so we don't keep sending it in write */ |
8393 | | TLSX_Remove(&ssl->extensions, TLSX_ECH, ssl->heap); |
8394 | | } |
8395 | | } |
8396 | | } |
8397 | | #endif |
8398 | 0 | if (ret == 0) |
8399 | 0 | ret = HashOutput(ssl, output, sendSz, 0); |
8400 | 0 | } |
8401 | 0 | } |
8402 | |
|
8403 | 0 | if (ret != 0) |
8404 | 0 | return ret; |
8405 | | |
8406 | | #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) |
8407 | | if (ssl->hsInfoOn) |
8408 | | AddPacketName(ssl, "ServerHello"); |
8409 | | if (ssl->toInfoOn) { |
8410 | | ret = AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz, |
8411 | | WRITE_PROTO, 0, ssl->heap); |
8412 | | if (ret != 0) |
8413 | | return ret; |
8414 | | } |
8415 | | #endif |
8416 | | |
8417 | 0 | if (extMsgType == server_hello) |
8418 | 0 | ssl->options.serverState = SERVER_HELLO_COMPLETE; |
8419 | |
|
8420 | 0 | ssl->options.buildingMsg = 0; |
8421 | | #ifdef WOLFSSL_DTLS13 |
8422 | | if (ssl->options.dtls) { |
8423 | | ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)sendSz, |
8424 | | (enum HandShakeType)extMsgType, 0); |
8425 | | |
8426 | | WOLFSSL_LEAVE("SendTls13ServerHello", ret); |
8427 | | WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND); |
8428 | | return ret; |
8429 | | } |
8430 | | #endif /* WOLFSSL_DTLS13 */ |
8431 | |
|
8432 | 0 | ssl->buffers.outputBuffer.length += (word32)sendSz; |
8433 | |
|
8434 | 0 | if (!ssl->options.groupMessages || extMsgType != server_hello) |
8435 | 0 | ret = SendBuffered(ssl); |
8436 | |
|
8437 | 0 | WOLFSSL_LEAVE("SendTls13ServerHello", ret); |
8438 | 0 | WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND); |
8439 | |
|
8440 | 0 | return ret; |
8441 | 0 | } |
8442 | | |
8443 | | /* handle generation of TLS 1.3 encrypted_extensions (8) */ |
8444 | | /* Send the rest of the extensions encrypted under the handshake key. |
8445 | | * This message is always encrypted in TLS v1.3. |
8446 | | * Only a server will send this message. |
8447 | | * |
8448 | | * ssl The SSL/TLS object. |
8449 | | * returns 0 on success, otherwise failure. |
8450 | | */ |
8451 | | static int SendTls13EncryptedExtensions(WOLFSSL* ssl) |
8452 | 0 | { |
8453 | 0 | int ret; |
8454 | 0 | byte* output; |
8455 | 0 | word16 length = 0; |
8456 | 0 | word32 idx; |
8457 | 0 | int sendSz; |
8458 | |
|
8459 | 0 | WOLFSSL_START(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND); |
8460 | 0 | WOLFSSL_ENTER("SendTls13EncryptedExtensions"); |
8461 | |
|
8462 | 0 | ssl->options.buildingMsg = 1; |
8463 | 0 | ssl->keys.encryptionOn = 1; |
8464 | |
|
8465 | | #ifdef WOLFSSL_DTLS13 |
8466 | | if (ssl->options.dtls) { |
8467 | | idx = Dtls13GetHeadersLength(ssl, encrypted_extensions); |
8468 | | } |
8469 | | else |
8470 | | #endif /* WOLFSSL_DTLS13 */ |
8471 | 0 | { |
8472 | 0 | idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
8473 | 0 | } |
8474 | |
|
8475 | 0 | #if defined(HAVE_SUPPORTED_CURVES) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) |
8476 | 0 | if ((ret = TLSX_SupportedCurve_CheckPriority(ssl)) != 0) |
8477 | 0 | return ret; |
8478 | 0 | #endif |
8479 | | |
8480 | | /* Derive the handshake secret now that we are at first message to be |
8481 | | * encrypted under the keys. |
8482 | | */ |
8483 | 0 | if ((ret = DeriveHandshakeSecret(ssl)) != 0) |
8484 | 0 | return ret; |
8485 | 0 | if ((ret = DeriveTls13Keys(ssl, handshake_key, |
8486 | 0 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) |
8487 | 0 | return ret; |
8488 | | |
8489 | | /* Setup encrypt/decrypt keys for following messages. */ |
8490 | | #ifdef WOLFSSL_EARLY_DATA |
8491 | | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
8492 | | return ret; |
8493 | | if (ssl->earlyData != process_early_data) { |
8494 | | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
8495 | | return ret; |
8496 | | } |
8497 | | #else |
8498 | 0 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0) |
8499 | 0 | return ret; |
8500 | 0 | #endif |
8501 | | #ifdef WOLFSSL_QUIC |
8502 | | if (IsAtLeastTLSv1_3(ssl->version) && WOLFSSL_IS_QUIC(ssl)) { |
8503 | | ret = wolfSSL_quic_add_transport_extensions(ssl, encrypted_extensions); |
8504 | | if (ret != 0) |
8505 | | return ret; |
8506 | | } |
8507 | | #endif |
8508 | | |
8509 | | #ifdef WOLFSSL_DTLS13 |
8510 | | if (ssl->options.dtls) { |
8511 | | w64wrapper epochHandshake = w64From32(0, DTLS13_EPOCH_HANDSHAKE); |
8512 | | ssl->dtls13Epoch = epochHandshake; |
8513 | | |
8514 | | ret = Dtls13SetEpochKeys( |
8515 | | ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE); |
8516 | | if (ret != 0) |
8517 | | return ret; |
8518 | | |
8519 | | } |
8520 | | #endif /* WOLFSSL_DTLS13 */ |
8521 | | |
8522 | 0 | ret = TLSX_GetResponseSize(ssl, encrypted_extensions, &length); |
8523 | 0 | if (ret != 0) |
8524 | 0 | return ret; |
8525 | | |
8526 | 0 | sendSz = (int)(idx + length); |
8527 | | /* Encryption always on. */ |
8528 | 0 | sendSz += MAX_MSG_EXTRA; |
8529 | | |
8530 | | /* Check buffers are big enough and grow if needed. */ |
8531 | 0 | ret = CheckAvailableSize(ssl, sendSz); |
8532 | 0 | if (ret != 0) |
8533 | 0 | return ret; |
8534 | | |
8535 | | /* Get position in output buffer to write new message to. */ |
8536 | 0 | output = GetOutputBuffer(ssl); |
8537 | | |
8538 | | /* Put the record and handshake headers on. */ |
8539 | 0 | AddTls13Headers(output, length, encrypted_extensions, ssl); |
8540 | |
|
8541 | 0 | ret = TLSX_WriteResponse(ssl, output + idx, encrypted_extensions, NULL); |
8542 | 0 | if (ret != 0) |
8543 | 0 | return ret; |
8544 | 0 | idx += length; |
8545 | |
|
8546 | | #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) |
8547 | | if (ssl->hsInfoOn) |
8548 | | AddPacketName(ssl, "EncryptedExtensions"); |
8549 | | if (ssl->toInfoOn) { |
8550 | | ret = AddPacketInfo(ssl, "EncryptedExtensions", handshake, output, |
8551 | | sendSz, WRITE_PROTO, 0, ssl->heap); |
8552 | | if (ret != 0) |
8553 | | return ret; |
8554 | | } |
8555 | | #endif |
8556 | |
|
8557 | | #ifdef WOLFSSL_DTLS13 |
8558 | | if (ssl->options.dtls) { |
8559 | | ssl->options.buildingMsg = 0; |
8560 | | ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)idx, |
8561 | | encrypted_extensions, 1); |
8562 | | |
8563 | | if (ret == 0) |
8564 | | ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE; |
8565 | | |
8566 | | WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret); |
8567 | | WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND); |
8568 | | |
8569 | | return ret; |
8570 | | } |
8571 | | #endif /* WOLFSSL_DTLS13 */ |
8572 | | |
8573 | | /* This handshake message is always encrypted. */ |
8574 | 0 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
8575 | 0 | (int)(idx - RECORD_HEADER_SZ), |
8576 | 0 | handshake, 1, 0, 0); |
8577 | 0 | if (sendSz < 0) |
8578 | 0 | return sendSz; |
8579 | | |
8580 | 0 | ssl->buffers.outputBuffer.length += (word32)sendSz; |
8581 | 0 | ssl->options.buildingMsg = 0; |
8582 | 0 | ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE; |
8583 | |
|
8584 | 0 | if (!ssl->options.groupMessages) |
8585 | 0 | ret = SendBuffered(ssl); |
8586 | | |
8587 | |
|
8588 | 0 | WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret); |
8589 | 0 | WOLFSSL_END(WC_FUNC_ENCRYPTED_EXTENSIONS_SEND); |
8590 | |
|
8591 | 0 | return ret; |
8592 | 0 | } |
8593 | | |
8594 | | #ifndef NO_CERTS |
8595 | | /* handle generation TLS v1.3 certificate_request (13) */ |
8596 | | /* Send the TLS v1.3 CertificateRequest message. |
8597 | | * This message is always encrypted in TLS v1.3. |
8598 | | * Only a server will send this message. |
8599 | | * |
8600 | | * ssl SSL/TLS object. |
8601 | | * reqCtx Request context. |
8602 | | * reqCtxLen Length of context. 0 when sending as part of handshake. |
8603 | | * returns 0 on success, otherwise failure. |
8604 | | */ |
8605 | | static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx, |
8606 | | word32 reqCtxLen) |
8607 | 0 | { |
8608 | 0 | byte* output; |
8609 | 0 | int ret; |
8610 | 0 | int sendSz; |
8611 | 0 | word32 i; |
8612 | 0 | word32 reqSz; |
8613 | 0 | SignatureAlgorithms* sa; |
8614 | |
|
8615 | 0 | WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND); |
8616 | 0 | WOLFSSL_ENTER("SendTls13CertificateRequest"); |
8617 | |
|
8618 | 0 | ssl->options.buildingMsg = 1; |
8619 | |
|
8620 | 0 | if (ssl->options.side != WOLFSSL_SERVER_END) |
8621 | 0 | return SIDE_ERROR; |
8622 | | |
8623 | | /* Use ssl->suites->hashSigAlgo so wolfSSL_set1_sigalgs_list() is honored. |
8624 | | * hashSigAlgoSz=0 makes GetSize/Write fall back to WOLFSSL_SUITES(ssl). */ |
8625 | 0 | sa = TLSX_SignatureAlgorithms_New(ssl, 0, ssl->heap); |
8626 | 0 | if (sa == NULL) |
8627 | 0 | return MEMORY_ERROR; |
8628 | 0 | ret = TLSX_Push(&ssl->extensions, TLSX_SIGNATURE_ALGORITHMS, sa, ssl->heap); |
8629 | 0 | if (ret != 0) { |
8630 | 0 | TLSX_SignatureAlgorithms_FreeAll(sa, ssl->heap); |
8631 | 0 | return ret; |
8632 | 0 | } |
8633 | | |
8634 | 0 | i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
8635 | | #ifdef WOLFSSL_DTLS13 |
8636 | | if (ssl->options.dtls) |
8637 | | i = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ; |
8638 | | #endif /* WOLFSSL_DTLS13 */ |
8639 | |
|
8640 | 0 | reqSz = (word16)(OPAQUE8_LEN + reqCtxLen); |
8641 | 0 | ret = TLSX_GetRequestSize(ssl, certificate_request, &reqSz); |
8642 | 0 | if (ret != 0) |
8643 | 0 | return ret; |
8644 | | |
8645 | 0 | sendSz = (int)(i + reqSz); |
8646 | | /* Always encrypted and make room for padding. */ |
8647 | 0 | sendSz += MAX_MSG_EXTRA; |
8648 | | |
8649 | | /* Check buffers are big enough and grow if needed. */ |
8650 | 0 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
8651 | 0 | return ret; |
8652 | | |
8653 | | /* Get position in output buffer to write new message to. */ |
8654 | 0 | output = GetOutputBuffer(ssl); |
8655 | | |
8656 | | /* Put the record and handshake headers on. */ |
8657 | 0 | AddTls13Headers(output, reqSz, certificate_request, ssl); |
8658 | | |
8659 | | /* Certificate request context. */ |
8660 | 0 | output[i++] = (byte)reqCtxLen; |
8661 | 0 | if (reqCtxLen != 0) { |
8662 | 0 | XMEMCPY(output + i, reqCtx, reqCtxLen); |
8663 | 0 | i += reqCtxLen; |
8664 | 0 | } |
8665 | | |
8666 | | /* Certificate extensions. */ |
8667 | 0 | reqSz = 0; |
8668 | 0 | ret = TLSX_WriteRequest(ssl, output + i, certificate_request, &reqSz); |
8669 | 0 | if (ret != 0) |
8670 | 0 | return ret; |
8671 | 0 | i += reqSz; |
8672 | |
|
8673 | | #ifdef WOLFSSL_DTLS13 |
8674 | | if (ssl->options.dtls) { |
8675 | | ssl->options.buildingMsg = 0; |
8676 | | ret = |
8677 | | Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)i, |
8678 | | certificate_request, 1); |
8679 | | |
8680 | | WOLFSSL_LEAVE("SendTls13CertificateRequest", ret); |
8681 | | WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND); |
8682 | | |
8683 | | return ret; |
8684 | | |
8685 | | } |
8686 | | #endif /* WOLFSSL_DTLS13 */ |
8687 | | |
8688 | | /* Always encrypted. */ |
8689 | 0 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
8690 | 0 | (int)(i - RECORD_HEADER_SZ), handshake, 1, 0, 0); |
8691 | 0 | if (sendSz < 0) |
8692 | 0 | return sendSz; |
8693 | | |
8694 | | #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) |
8695 | | if (ssl->hsInfoOn) |
8696 | | AddPacketName(ssl, "CertificateRequest"); |
8697 | | if (ssl->toInfoOn) { |
8698 | | ret = AddPacketInfo(ssl, "CertificateRequest", handshake, output, |
8699 | | sendSz, WRITE_PROTO, 0, ssl->heap); |
8700 | | if (ret != 0) |
8701 | | return ret; |
8702 | | } |
8703 | | #endif |
8704 | | |
8705 | 0 | ssl->buffers.outputBuffer.length += (word32)sendSz; |
8706 | 0 | ssl->options.buildingMsg = 0; |
8707 | 0 | if (!ssl->options.groupMessages) |
8708 | 0 | ret = SendBuffered(ssl); |
8709 | |
|
8710 | 0 | WOLFSSL_LEAVE("SendTls13CertificateRequest", ret); |
8711 | 0 | WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND); |
8712 | |
|
8713 | 0 | return ret; |
8714 | 0 | } |
8715 | | #endif /* NO_CERTS */ |
8716 | | #endif /* NO_WOLFSSL_SERVER */ |
8717 | | |
8718 | | #ifndef NO_CERTS |
8719 | | #if (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)) && \ |
8720 | | (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ |
8721 | | defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA)) |
8722 | | /* Encode the signature algorithm into buffer. |
8723 | | * |
8724 | | * hashalgo The hash algorithm. |
8725 | | * hsType The signature type. |
8726 | | * output The buffer to encode into. |
8727 | | */ |
8728 | | static WC_INLINE void EncodeSigAlg(const WOLFSSL * ssl, byte hashAlgo, |
8729 | | byte hsType, byte* output) |
8730 | 0 | { |
8731 | 0 | (void)ssl; |
8732 | 0 | switch (hsType) { |
8733 | 0 | #ifdef HAVE_ECC |
8734 | 0 | case ecc_dsa_sa_algo: |
8735 | 0 | if (ssl->pkCurveOID == ECC_BRAINPOOLP256R1_OID) { |
8736 | 0 | output[0] = NEW_SA_MAJOR; |
8737 | 0 | output[1] = ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR; |
8738 | 0 | } |
8739 | 0 | else if (ssl->pkCurveOID == ECC_BRAINPOOLP384R1_OID) { |
8740 | 0 | output[0] = NEW_SA_MAJOR; |
8741 | 0 | output[1] = ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR; |
8742 | 0 | } |
8743 | 0 | else if (ssl->pkCurveOID == ECC_BRAINPOOLP512R1_OID) { |
8744 | 0 | output[0] = NEW_SA_MAJOR; |
8745 | 0 | output[1] = ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR; |
8746 | 0 | } |
8747 | 0 | else { |
8748 | 0 | output[0] = hashAlgo; |
8749 | 0 | output[1] = ecc_dsa_sa_algo; |
8750 | 0 | } |
8751 | 0 | break; |
8752 | 0 | #endif |
8753 | | #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) |
8754 | | case sm2_sa_algo: |
8755 | | output[0] = SM2_SA_MAJOR; |
8756 | | output[1] = SM2_SA_MINOR; |
8757 | | break; |
8758 | | #endif |
8759 | | #ifdef HAVE_ED25519 |
8760 | | /* ED25519: 0x0807 */ |
8761 | | case ed25519_sa_algo: |
8762 | | output[0] = ED25519_SA_MAJOR; |
8763 | | output[1] = ED25519_SA_MINOR; |
8764 | | (void)hashAlgo; |
8765 | | break; |
8766 | | #endif |
8767 | | #ifdef HAVE_ED448 |
8768 | | /* ED448: 0x0808 */ |
8769 | | case ed448_sa_algo: |
8770 | | output[0] = ED448_SA_MAJOR; |
8771 | | output[1] = ED448_SA_MINOR; |
8772 | | (void)hashAlgo; |
8773 | | break; |
8774 | | #endif |
8775 | 0 | #ifndef NO_RSA |
8776 | | /* PSS signatures: 0x080[4-6] or 0x080[9-B] */ |
8777 | 0 | case rsa_pss_sa_algo: |
8778 | 0 | output[0] = rsa_pss_sa_algo; |
8779 | 0 | #ifdef WC_RSA_PSS |
8780 | | /* If the private key uses the RSA-PSS OID, and the peer supports |
8781 | | * the rsa_pss_pss_* signature algorithm in use, then report |
8782 | | * rsa_pss_pss_* rather than rsa_pss_rsae_*. */ |
8783 | 0 | if (ssl->useRsaPss && |
8784 | 0 | ((ssl->pssAlgo & (1U << hashAlgo)) != 0U) && |
8785 | 0 | (sha256_mac <= hashAlgo) && (hashAlgo <= sha512_mac)) |
8786 | 0 | { |
8787 | 0 | output[1] = PSS_RSAE_TO_PSS_PSS(hashAlgo); |
8788 | 0 | } |
8789 | 0 | else |
8790 | 0 | #endif |
8791 | 0 | { |
8792 | 0 | output[1] = hashAlgo; |
8793 | 0 | } |
8794 | 0 | break; |
8795 | 0 | #endif |
8796 | | #ifdef HAVE_FALCON |
8797 | | case falcon_level1_sa_algo: |
8798 | | output[0] = FALCON_LEVEL1_SA_MAJOR; |
8799 | | output[1] = FALCON_LEVEL1_SA_MINOR; |
8800 | | break; |
8801 | | case falcon_level5_sa_algo: |
8802 | | output[0] = FALCON_LEVEL5_SA_MAJOR; |
8803 | | output[1] = FALCON_LEVEL5_SA_MINOR; |
8804 | | break; |
8805 | | #endif |
8806 | | #ifdef WOLFSSL_HAVE_MLDSA |
8807 | | case mldsa_44_sa_algo: |
8808 | | output[0] = MLDSA_44_SA_MAJOR; |
8809 | | output[1] = MLDSA_44_SA_MINOR; |
8810 | | break; |
8811 | | case mldsa_65_sa_algo: |
8812 | | output[0] = MLDSA_65_SA_MAJOR; |
8813 | | output[1] = MLDSA_65_SA_MINOR; |
8814 | | break; |
8815 | | case mldsa_87_sa_algo: |
8816 | | output[0] = MLDSA_87_SA_MAJOR; |
8817 | | output[1] = MLDSA_87_SA_MINOR; |
8818 | | break; |
8819 | | #endif |
8820 | 0 | default: |
8821 | 0 | break; |
8822 | 0 | } |
8823 | 0 | } |
8824 | | #endif |
8825 | | |
8826 | | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ |
8827 | | defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA) |
8828 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
8829 | | /* These match up with what the OQS team has defined. */ |
8830 | | #define HYBRID_SA_MAJOR 0xFE |
8831 | | #define HYBRID_P256_MLDSA_44_SA_MINOR 0xA1 |
8832 | | #define HYBRID_RSA3072_MLDSA_44_SA_MINOR 0xA2 |
8833 | | #define HYBRID_P384_MLDSA_65_SA_MINOR 0xA4 |
8834 | | #define HYBRID_P521_MLDSA_87_SA_MINOR 0xA6 |
8835 | | /* Falcon hybrid codepoints aligned with oqs-provider. */ |
8836 | | #define HYBRID_P256_FALCON_LEVEL1_SA_MINOR 0xD8 |
8837 | | #define HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR 0xD9 |
8838 | | #define HYBRID_P521_FALCON_LEVEL5_SA_MINOR 0xDB |
8839 | | |
8840 | | /* Custom defined ones for PQC first */ |
8841 | | #define HYBRID_MLDSA_44_P256_SA_MINOR 0xD1 |
8842 | | #define HYBRID_MLDSA_44_RSA3072_SA_MINOR 0xD2 |
8843 | | #define HYBRID_MLDSA_65_P384_SA_MINOR 0xD3 |
8844 | | #define HYBRID_MLDSA_87_P521_SA_MINOR 0xD4 |
8845 | | #define HYBRID_FALCON_LEVEL1_P256_SA_MINOR 0xD5 |
8846 | | #define HYBRID_FALCON_LEVEL1_RSA3072_SA_MINOR 0xD6 |
8847 | | #define HYBRID_FALCON_LEVEL5_P521_SA_MINOR 0xD7 |
8848 | | |
8849 | | |
8850 | | static void EncodeDualSigAlg(byte sigAlg, byte altSigAlg, byte* output) |
8851 | | { |
8852 | | /* Initialize output to error indicator. */ |
8853 | | output[0] = 0x0; |
8854 | | output[1] = 0x0; |
8855 | | |
8856 | | if (sigAlg == ecc_dsa_sa_algo && altSigAlg == mldsa_44_sa_algo) { |
8857 | | output[1] = HYBRID_P256_MLDSA_44_SA_MINOR; |
8858 | | } |
8859 | | else if (sigAlg == rsa_pss_sa_algo && |
8860 | | altSigAlg == mldsa_44_sa_algo) { |
8861 | | output[1] = HYBRID_RSA3072_MLDSA_44_SA_MINOR; |
8862 | | } |
8863 | | else if (sigAlg == ecc_dsa_sa_algo && |
8864 | | altSigAlg == mldsa_65_sa_algo) { |
8865 | | output[1] = HYBRID_P384_MLDSA_65_SA_MINOR; |
8866 | | } |
8867 | | else if (sigAlg == ecc_dsa_sa_algo && |
8868 | | altSigAlg == mldsa_87_sa_algo) { |
8869 | | output[1] = HYBRID_P521_MLDSA_87_SA_MINOR; |
8870 | | } |
8871 | | else if (sigAlg == ecc_dsa_sa_algo && |
8872 | | altSigAlg == falcon_level1_sa_algo) { |
8873 | | output[1] = HYBRID_P256_FALCON_LEVEL1_SA_MINOR; |
8874 | | } |
8875 | | else if (sigAlg == rsa_pss_sa_algo && |
8876 | | altSigAlg == falcon_level1_sa_algo) { |
8877 | | output[1] = HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR; |
8878 | | } |
8879 | | else if (sigAlg == ecc_dsa_sa_algo && |
8880 | | altSigAlg == falcon_level5_sa_algo) { |
8881 | | output[1] = HYBRID_P521_FALCON_LEVEL5_SA_MINOR; |
8882 | | } |
8883 | | else if (sigAlg == mldsa_44_sa_algo && |
8884 | | altSigAlg == ecc_dsa_sa_algo) { |
8885 | | output[1] = HYBRID_MLDSA_44_P256_SA_MINOR; |
8886 | | } |
8887 | | else if (sigAlg == mldsa_44_sa_algo && |
8888 | | altSigAlg == rsa_pss_sa_algo) { |
8889 | | output[1] = HYBRID_MLDSA_44_RSA3072_SA_MINOR; |
8890 | | } |
8891 | | else if (sigAlg == mldsa_65_sa_algo && |
8892 | | altSigAlg == ecc_dsa_sa_algo) { |
8893 | | output[1] = HYBRID_MLDSA_65_P384_SA_MINOR; |
8894 | | } |
8895 | | else if (sigAlg == mldsa_87_sa_algo && |
8896 | | altSigAlg == ecc_dsa_sa_algo) { |
8897 | | output[1] = HYBRID_MLDSA_87_P521_SA_MINOR; |
8898 | | } |
8899 | | else if (sigAlg == falcon_level1_sa_algo && |
8900 | | altSigAlg == ecc_dsa_sa_algo) { |
8901 | | output[1] = HYBRID_FALCON_LEVEL1_P256_SA_MINOR; |
8902 | | } |
8903 | | else if (sigAlg == falcon_level1_sa_algo && |
8904 | | altSigAlg == rsa_pss_sa_algo) { |
8905 | | output[1] = HYBRID_FALCON_LEVEL1_RSA3072_SA_MINOR; |
8906 | | } |
8907 | | else if (sigAlg == falcon_level5_sa_algo && |
8908 | | altSigAlg == ecc_dsa_sa_algo) { |
8909 | | output[1] = HYBRID_FALCON_LEVEL5_P521_SA_MINOR; |
8910 | | } |
8911 | | |
8912 | | if (output[1] != 0x0) { |
8913 | | output[0] = HYBRID_SA_MAJOR; |
8914 | | } |
8915 | | } |
8916 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
8917 | | |
8918 | | static enum wc_MACAlgorithm GetNewSAHashAlgo(int typeIn) |
8919 | 0 | { |
8920 | 0 | switch (typeIn) { |
8921 | 0 | case RSA_PSS_RSAE_SHA256_MINOR: |
8922 | 0 | case RSA_PSS_PSS_SHA256_MINOR: |
8923 | 0 | case ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR: |
8924 | 0 | return sha256_mac; |
8925 | | |
8926 | 0 | case RSA_PSS_RSAE_SHA384_MINOR: |
8927 | 0 | case RSA_PSS_PSS_SHA384_MINOR: |
8928 | 0 | case ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR: |
8929 | 0 | return sha384_mac; |
8930 | | |
8931 | 0 | case RSA_PSS_RSAE_SHA512_MINOR: |
8932 | 0 | case RSA_PSS_PSS_SHA512_MINOR: |
8933 | 0 | case ED25519_SA_MINOR: |
8934 | 0 | case ED448_SA_MINOR: |
8935 | 0 | case ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR: |
8936 | 0 | return sha512_mac; |
8937 | 0 | default: |
8938 | 0 | return no_mac; |
8939 | 0 | } |
8940 | 0 | } |
8941 | | |
8942 | | /* Decode the signature algorithm. |
8943 | | * |
8944 | | * input The encoded signature algorithm. |
8945 | | * hashalgo The hash algorithm. |
8946 | | * hsType The signature type. |
8947 | | * returns INVALID_PARAMETER if not recognized and 0 otherwise. |
8948 | | */ |
8949 | | static WC_INLINE int DecodeTls13SigAlg(byte* input, byte* hashAlgo, |
8950 | | byte* hsType) |
8951 | 0 | { |
8952 | 0 | int ret = 0; |
8953 | |
|
8954 | 0 | switch (input[0]) { |
8955 | | #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) |
8956 | | case SM2_SA_MAJOR: |
8957 | | if (input[1] == SM2_SA_MINOR) { |
8958 | | *hsType = sm2_sa_algo; |
8959 | | *hashAlgo = sm3_mac; |
8960 | | } |
8961 | | else |
8962 | | ret = INVALID_PARAMETER; |
8963 | | break; |
8964 | | #endif |
8965 | 0 | case NEW_SA_MAJOR: |
8966 | 0 | { |
8967 | 0 | enum wc_MACAlgorithm mac = GetNewSAHashAlgo(input[1]); |
8968 | 0 | *hashAlgo = (byte)mac; |
8969 | 0 | } |
8970 | | |
8971 | | /* PSS encryption: 0x080[4-6] */ |
8972 | 0 | if (input[1] >= RSA_PSS_RSAE_SHA256_MINOR && |
8973 | 0 | input[1] <= RSA_PSS_RSAE_SHA512_MINOR) { |
8974 | 0 | *hsType = input[0]; |
8975 | 0 | } |
8976 | | /* PSS signature: 0x080[9-B] */ |
8977 | 0 | else if (input[1] >= RSA_PSS_PSS_SHA256_MINOR && |
8978 | 0 | input[1] <= RSA_PSS_PSS_SHA512_MINOR) { |
8979 | 0 | *hsType = input[0]; |
8980 | 0 | } |
8981 | | #ifdef HAVE_ED25519 |
8982 | | /* ED25519: 0x0807 */ |
8983 | | else if (input[1] == ED25519_SA_MINOR) { |
8984 | | *hsType = ed25519_sa_algo; |
8985 | | /* Hash performed as part of sign/verify operation. */ |
8986 | | } |
8987 | | #endif |
8988 | | #ifdef HAVE_ED448 |
8989 | | /* ED448: 0x0808 */ |
8990 | | else if (input[1] == ED448_SA_MINOR) { |
8991 | | *hsType = ed448_sa_algo; |
8992 | | /* Hash performed as part of sign/verify operation. */ |
8993 | | } |
8994 | | #endif |
8995 | | #ifdef HAVE_ECC_BRAINPOOL |
8996 | | else if ((input[1] == ECDSA_BRAINPOOLP256R1TLS13_SHA256_MINOR) || |
8997 | | (input[1] == ECDSA_BRAINPOOLP384R1TLS13_SHA384_MINOR) || |
8998 | | (input[1] == ECDSA_BRAINPOOLP512R1TLS13_SHA512_MINOR)) { |
8999 | | *hsType = ecc_dsa_sa_algo; |
9000 | | } |
9001 | | #endif |
9002 | 0 | else |
9003 | 0 | ret = INVALID_PARAMETER; |
9004 | 0 | break; |
9005 | | #if defined(HAVE_FALCON) |
9006 | | case FALCON_SA_MAJOR: |
9007 | | if (input[1] == FALCON_LEVEL1_SA_MINOR) { |
9008 | | *hsType = falcon_level1_sa_algo; |
9009 | | /* Hash performed as part of sign/verify operation. */ |
9010 | | *hashAlgo = sha512_mac; |
9011 | | } else if (input[1] == FALCON_LEVEL5_SA_MINOR) { |
9012 | | *hsType = falcon_level5_sa_algo; |
9013 | | /* Hash performed as part of sign/verify operation. */ |
9014 | | *hashAlgo = sha512_mac; |
9015 | | } |
9016 | | else |
9017 | | ret = INVALID_PARAMETER; |
9018 | | break; |
9019 | | #endif /* HAVE_FALCON */ |
9020 | | #if defined(WOLFSSL_HAVE_MLDSA) |
9021 | | case MLDSA_SA_MAJOR: |
9022 | | if (input[1] == MLDSA_44_SA_MINOR) { |
9023 | | *hsType = mldsa_44_sa_algo; |
9024 | | /* Hash performed as part of sign/verify operation. */ |
9025 | | *hashAlgo = sha512_mac; |
9026 | | } else if (input[1] == MLDSA_65_SA_MINOR) { |
9027 | | *hsType = mldsa_65_sa_algo; |
9028 | | /* Hash performed as part of sign/verify operation. */ |
9029 | | *hashAlgo = sha512_mac; |
9030 | | } else if (input[1] == MLDSA_87_SA_MINOR) { |
9031 | | *hsType = mldsa_87_sa_algo; |
9032 | | /* Hash performed as part of sign/verify operation. */ |
9033 | | *hashAlgo = sha512_mac; |
9034 | | } |
9035 | | else |
9036 | | { |
9037 | | ret = INVALID_PARAMETER; |
9038 | | } |
9039 | | break; |
9040 | | #endif /* WOLFSSL_HAVE_MLDSA */ |
9041 | 0 | default: |
9042 | 0 | *hashAlgo = input[0]; |
9043 | 0 | *hsType = input[1]; |
9044 | 0 | break; |
9045 | 0 | } |
9046 | | |
9047 | 0 | return ret; |
9048 | 0 | } |
9049 | | |
9050 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
9051 | | /* Decode the hybrid signature algorithm. |
9052 | | * |
9053 | | * input The encoded signature algorithm. |
9054 | | * hashalgo The hash algorithm. |
9055 | | * hsType The signature type. |
9056 | | * returns INVALID_PARAMETER if not recognized and 0 otherwise. |
9057 | | */ |
9058 | | static WC_INLINE int DecodeTls13HybridSigAlg(byte* input, byte* hashAlg, |
9059 | | byte *sigAlg, byte *altSigAlg) |
9060 | | { |
9061 | | |
9062 | | if (input[0] != HYBRID_SA_MAJOR) { |
9063 | | return INVALID_PARAMETER; |
9064 | | } |
9065 | | |
9066 | | if (input[1] == HYBRID_P256_MLDSA_44_SA_MINOR) { |
9067 | | *sigAlg = ecc_dsa_sa_algo; |
9068 | | *hashAlg = sha256_mac; |
9069 | | *altSigAlg = mldsa_44_sa_algo; |
9070 | | } |
9071 | | else if (input[1] == HYBRID_RSA3072_MLDSA_44_SA_MINOR) { |
9072 | | *sigAlg = rsa_pss_sa_algo; |
9073 | | *hashAlg = sha256_mac; |
9074 | | *altSigAlg = mldsa_44_sa_algo; |
9075 | | } |
9076 | | else if (input[1] == HYBRID_P384_MLDSA_65_SA_MINOR) { |
9077 | | *sigAlg = ecc_dsa_sa_algo; |
9078 | | *hashAlg = sha384_mac; |
9079 | | *altSigAlg = mldsa_65_sa_algo; |
9080 | | } |
9081 | | else if (input[1] == HYBRID_P521_MLDSA_87_SA_MINOR) { |
9082 | | *sigAlg = ecc_dsa_sa_algo; |
9083 | | *hashAlg = sha512_mac; |
9084 | | *altSigAlg = mldsa_87_sa_algo; |
9085 | | } |
9086 | | else if (input[1] == HYBRID_P256_FALCON_LEVEL1_SA_MINOR) { |
9087 | | *sigAlg = ecc_dsa_sa_algo; |
9088 | | *hashAlg = sha256_mac; |
9089 | | *altSigAlg = falcon_level1_sa_algo; |
9090 | | } |
9091 | | else if (input[1] == HYBRID_RSA3072_FALCON_LEVEL1_SA_MINOR) { |
9092 | | *sigAlg = rsa_pss_sa_algo; |
9093 | | *hashAlg = sha256_mac; |
9094 | | *altSigAlg = falcon_level1_sa_algo; |
9095 | | } |
9096 | | else if (input[1] == HYBRID_P521_FALCON_LEVEL5_SA_MINOR) { |
9097 | | *sigAlg = ecc_dsa_sa_algo; |
9098 | | *hashAlg = sha512_mac; |
9099 | | *altSigAlg = falcon_level5_sa_algo; |
9100 | | } |
9101 | | else if (input[1] == HYBRID_MLDSA_44_P256_SA_MINOR) { |
9102 | | *sigAlg = mldsa_44_sa_algo; |
9103 | | *hashAlg = sha256_mac; |
9104 | | *altSigAlg = ecc_dsa_sa_algo; |
9105 | | } |
9106 | | else if (input[1] == HYBRID_MLDSA_44_RSA3072_SA_MINOR) { |
9107 | | *sigAlg = mldsa_44_sa_algo; |
9108 | | *hashAlg = sha256_mac; |
9109 | | *altSigAlg = rsa_pss_sa_algo; |
9110 | | } |
9111 | | else if (input[1] == HYBRID_MLDSA_65_P384_SA_MINOR) { |
9112 | | *sigAlg = mldsa_65_sa_algo; |
9113 | | *hashAlg = sha384_mac; |
9114 | | *altSigAlg = ecc_dsa_sa_algo; |
9115 | | } |
9116 | | else if (input[1] == HYBRID_MLDSA_87_P521_SA_MINOR) { |
9117 | | *sigAlg = mldsa_87_sa_algo; |
9118 | | *hashAlg = sha512_mac; |
9119 | | *altSigAlg = ecc_dsa_sa_algo; |
9120 | | } |
9121 | | else if (input[1] == HYBRID_FALCON_LEVEL1_P256_SA_MINOR) { |
9122 | | *sigAlg = falcon_level1_sa_algo; |
9123 | | *hashAlg = sha256_mac; |
9124 | | *altSigAlg = ecc_dsa_sa_algo; |
9125 | | } |
9126 | | else if (input[1] == HYBRID_FALCON_LEVEL1_RSA3072_SA_MINOR) { |
9127 | | *sigAlg = falcon_level1_sa_algo; |
9128 | | *hashAlg = sha256_mac; |
9129 | | *altSigAlg = rsa_pss_sa_algo; |
9130 | | } |
9131 | | else if (input[1] == HYBRID_FALCON_LEVEL5_P521_SA_MINOR) { |
9132 | | *sigAlg = falcon_level5_sa_algo; |
9133 | | *hashAlg = sha512_mac; |
9134 | | *altSigAlg = ecc_dsa_sa_algo; |
9135 | | } |
9136 | | else { |
9137 | | return INVALID_PARAMETER; |
9138 | | } |
9139 | | |
9140 | | return 0; |
9141 | | } |
9142 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
9143 | | |
9144 | | /* Get the hash of the messages so far. |
9145 | | * |
9146 | | * ssl The SSL/TLS object. |
9147 | | * hash The buffer to write the hash to. |
9148 | | * returns the length of the hash. |
9149 | | */ |
9150 | | static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash) |
9151 | 0 | { |
9152 | 0 | int ret = 0; |
9153 | 0 | switch (ssl->specs.mac_algorithm) { |
9154 | 0 | #ifndef NO_SHA256 |
9155 | 0 | case sha256_mac: |
9156 | 0 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
9157 | 0 | if (ret == 0) |
9158 | 0 | ret = WC_SHA256_DIGEST_SIZE; |
9159 | 0 | break; |
9160 | 0 | #endif /* !NO_SHA256 */ |
9161 | 0 | #ifdef WOLFSSL_SHA384 |
9162 | 0 | case sha384_mac: |
9163 | 0 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
9164 | 0 | if (ret == 0) |
9165 | 0 | ret = WC_SHA384_DIGEST_SIZE; |
9166 | 0 | break; |
9167 | 0 | #endif /* WOLFSSL_SHA384 */ |
9168 | | #ifdef WOLFSSL_TLS13_SHA512 |
9169 | | case sha512_mac: |
9170 | | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash); |
9171 | | if (ret == 0) |
9172 | | ret = WC_SHA512_DIGEST_SIZE; |
9173 | | break; |
9174 | | #endif /* WOLFSSL_TLS13_SHA512 */ |
9175 | | #ifdef WOLFSSL_SM3 |
9176 | | case sm3_mac: |
9177 | | ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash); |
9178 | | if (ret == 0) |
9179 | | ret = WC_SM3_DIGEST_SIZE; |
9180 | | break; |
9181 | | #endif /* WOLFSSL_SM3 */ |
9182 | 0 | default: |
9183 | 0 | break; |
9184 | 0 | } |
9185 | 0 | return ret; |
9186 | 0 | } |
9187 | | |
9188 | | /* The server certificate verification label. */ |
9189 | | static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] = |
9190 | | "TLS 1.3, server CertificateVerify"; |
9191 | | /* The client certificate verification label. */ |
9192 | | static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] = |
9193 | | "TLS 1.3, client CertificateVerify"; |
9194 | | /* The prefix byte in the signature data. */ |
9195 | | #define SIGNING_DATA_PREFIX_BYTE 0x20 |
9196 | | |
9197 | | /* Create the signature data for TLS v1.3 certificate verification. |
9198 | | * |
9199 | | * ssl The SSL/TLS object. |
9200 | | * sigData The signature data. |
9201 | | * sigDataSz The length of the signature data. |
9202 | | * check Indicates this is a check not create. |
9203 | | */ |
9204 | | int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz, |
9205 | | int check) |
9206 | 0 | { |
9207 | 0 | word16 idx; |
9208 | 0 | int side = ssl->options.side; |
9209 | 0 | int ret; |
9210 | | |
9211 | | /* Signature Data = Prefix | Label | Handshake Hash */ |
9212 | 0 | XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ); |
9213 | 0 | idx = SIGNING_DATA_PREFIX_SZ; |
9214 | |
|
9215 | 0 | if ((side == WOLFSSL_SERVER_END && check) || |
9216 | 0 | (side == WOLFSSL_CLIENT_END && !check)) { |
9217 | 0 | XMEMCPY(&sigData[idx], clientCertVfyLabel, CERT_VFY_LABEL_SZ); |
9218 | 0 | } |
9219 | 0 | if ((side == WOLFSSL_CLIENT_END && check) || |
9220 | 0 | (side == WOLFSSL_SERVER_END && !check)) { |
9221 | 0 | XMEMCPY(&sigData[idx], serverCertVfyLabel, CERT_VFY_LABEL_SZ); |
9222 | 0 | } |
9223 | 0 | idx += CERT_VFY_LABEL_SZ; |
9224 | |
|
9225 | 0 | ret = GetMsgHash(ssl, &sigData[idx]); |
9226 | 0 | if (ret < 0) |
9227 | 0 | return ret; |
9228 | 0 | if (ret == 0) |
9229 | 0 | return HASH_TYPE_E; |
9230 | | |
9231 | 0 | *sigDataSz = (word16)(idx + ret); |
9232 | 0 | ret = 0; |
9233 | |
|
9234 | 0 | return ret; |
9235 | 0 | } |
9236 | | |
9237 | | #ifndef NO_RSA |
9238 | | /* Encode the PKCS #1.5 RSA signature. |
9239 | | * |
9240 | | * sig The buffer to place the encoded signature into. |
9241 | | * sigData The data to be signed. |
9242 | | * sigDataSz The size of the data to be signed. |
9243 | | * hashAlgo The hash algorithm to use when signing. |
9244 | | * returns the length of the encoded signature or negative on error. |
9245 | | */ |
9246 | | int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz, |
9247 | | int sigAlgo, int hashAlgo) |
9248 | 0 | { |
9249 | 0 | Digest digest; |
9250 | 0 | int hashSz = 0; |
9251 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
9252 | 0 | byte* hash; |
9253 | |
|
9254 | 0 | (void)sigAlgo; |
9255 | |
|
9256 | 0 | hash = sig; |
9257 | | |
9258 | | /* Digest the signature data. */ |
9259 | 0 | switch (hashAlgo) { |
9260 | 0 | #ifndef NO_SHA256 |
9261 | 0 | case sha256_mac: |
9262 | 0 | ret = wc_InitSha256(&digest.sha256); |
9263 | 0 | if (ret == 0) { |
9264 | 0 | ret = wc_Sha256Update(&digest.sha256, sigData, (word32)sigDataSz); |
9265 | 0 | if (ret == 0) |
9266 | 0 | ret = wc_Sha256Final(&digest.sha256, hash); |
9267 | 0 | wc_Sha256Free(&digest.sha256); |
9268 | 0 | } |
9269 | 0 | hashSz = WC_SHA256_DIGEST_SIZE; |
9270 | 0 | break; |
9271 | 0 | #endif |
9272 | 0 | #ifdef WOLFSSL_SHA384 |
9273 | 0 | case sha384_mac: |
9274 | 0 | ret = wc_InitSha384(&digest.sha384); |
9275 | 0 | if (ret == 0) { |
9276 | 0 | ret = wc_Sha384Update(&digest.sha384, sigData, (word32)sigDataSz); |
9277 | 0 | if (ret == 0) |
9278 | 0 | ret = wc_Sha384Final(&digest.sha384, hash); |
9279 | 0 | wc_Sha384Free(&digest.sha384); |
9280 | 0 | } |
9281 | 0 | hashSz = WC_SHA384_DIGEST_SIZE; |
9282 | 0 | break; |
9283 | 0 | #endif |
9284 | 0 | #ifdef WOLFSSL_SHA512 |
9285 | 0 | case sha512_mac: |
9286 | 0 | ret = wc_InitSha512(&digest.sha512); |
9287 | 0 | if (ret == 0) { |
9288 | 0 | ret = wc_Sha512Update(&digest.sha512, sigData, (word32)sigDataSz); |
9289 | 0 | if (ret == 0) |
9290 | 0 | ret = wc_Sha512Final(&digest.sha512, hash); |
9291 | 0 | wc_Sha512Free(&digest.sha512); |
9292 | 0 | } |
9293 | 0 | hashSz = WC_SHA512_DIGEST_SIZE; |
9294 | 0 | break; |
9295 | 0 | #endif |
9296 | 0 | default: |
9297 | 0 | ret = BAD_FUNC_ARG; |
9298 | 0 | break; |
9299 | |
|
9300 | 0 | } |
9301 | | |
9302 | 0 | if (ret != 0) |
9303 | 0 | return ret; |
9304 | | |
9305 | 0 | return hashSz; |
9306 | 0 | } |
9307 | | #endif /* !NO_RSA */ |
9308 | | |
9309 | | #ifdef HAVE_ECC |
9310 | | /* Encode the ECC signature. |
9311 | | * |
9312 | | * sigData The data to be signed. |
9313 | | * sigDataSz The size of the data to be signed. |
9314 | | * hashAlgo The hash algorithm to use when signing. |
9315 | | * returns the length of the encoded signature or negative on error. |
9316 | | */ |
9317 | | static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo) |
9318 | 0 | { |
9319 | 0 | Digest digest; |
9320 | 0 | int hashSz = 0; |
9321 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
9322 | | |
9323 | | /* Digest the signature data. */ |
9324 | 0 | switch (hashAlgo) { |
9325 | 0 | #ifndef NO_SHA256 |
9326 | 0 | case sha256_mac: |
9327 | 0 | ret = wc_InitSha256(&digest.sha256); |
9328 | 0 | if (ret == 0) { |
9329 | 0 | ret = wc_Sha256Update(&digest.sha256, sigData, (word32)sigDataSz); |
9330 | 0 | if (ret == 0) |
9331 | 0 | ret = wc_Sha256Final(&digest.sha256, sigData); |
9332 | 0 | wc_Sha256Free(&digest.sha256); |
9333 | 0 | } |
9334 | 0 | hashSz = WC_SHA256_DIGEST_SIZE; |
9335 | 0 | break; |
9336 | 0 | #endif |
9337 | 0 | #ifdef WOLFSSL_SHA384 |
9338 | 0 | case sha384_mac: |
9339 | 0 | ret = wc_InitSha384(&digest.sha384); |
9340 | 0 | if (ret == 0) { |
9341 | 0 | ret = wc_Sha384Update(&digest.sha384, sigData, (word32)sigDataSz); |
9342 | 0 | if (ret == 0) |
9343 | 0 | ret = wc_Sha384Final(&digest.sha384, sigData); |
9344 | 0 | wc_Sha384Free(&digest.sha384); |
9345 | 0 | } |
9346 | 0 | hashSz = WC_SHA384_DIGEST_SIZE; |
9347 | 0 | break; |
9348 | 0 | #endif |
9349 | 0 | #ifdef WOLFSSL_SHA512 |
9350 | 0 | case sha512_mac: |
9351 | 0 | ret = wc_InitSha512(&digest.sha512); |
9352 | 0 | if (ret == 0) { |
9353 | 0 | ret = wc_Sha512Update(&digest.sha512, sigData, (word32)sigDataSz); |
9354 | 0 | if (ret == 0) |
9355 | 0 | ret = wc_Sha512Final(&digest.sha512, sigData); |
9356 | 0 | wc_Sha512Free(&digest.sha512); |
9357 | 0 | } |
9358 | 0 | hashSz = WC_SHA512_DIGEST_SIZE; |
9359 | 0 | break; |
9360 | 0 | #endif |
9361 | 0 | default: |
9362 | 0 | ret = BAD_FUNC_ARG; |
9363 | 0 | break; |
9364 | 0 | } |
9365 | | |
9366 | 0 | if (ret != 0) |
9367 | 0 | return ret; |
9368 | | |
9369 | 0 | return hashSz; |
9370 | 0 | } |
9371 | | #endif /* HAVE_ECC */ |
9372 | | |
9373 | | #if !defined(NO_RSA) && defined(WC_RSA_PSS) |
9374 | | /* Check that the decrypted signature matches the encoded signature |
9375 | | * based on the digest of the signature data. |
9376 | | * |
9377 | | * ssl The SSL/TLS object. |
9378 | | * sigAlgo The signature algorithm used to generate signature. |
9379 | | * hashAlgo The hash algorithm used to generate signature. |
9380 | | * decSig The decrypted signature. |
9381 | | * decSigSz The size of the decrypted signature. |
9382 | | * returns 0 on success, otherwise failure. |
9383 | | */ |
9384 | | static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo, |
9385 | | byte* decSig, word32 decSigSz) |
9386 | 0 | { |
9387 | 0 | int ret = 0; |
9388 | 0 | byte sigData[MAX_SIG_DATA_SZ]; |
9389 | 0 | word16 sigDataSz; |
9390 | |
|
9391 | 0 | ret = CreateSigData(ssl, sigData, &sigDataSz, 1); |
9392 | 0 | if (ret != 0) |
9393 | 0 | return ret; |
9394 | | |
9395 | 0 | if (sigAlgo == rsa_pss_sa_algo) { |
9396 | 0 | enum wc_HashType hashType = WC_HASH_TYPE_NONE; |
9397 | 0 | word32 sigSz; |
9398 | |
|
9399 | 0 | ret = ConvertHashPss(hashAlgo, &hashType, NULL); |
9400 | 0 | if (ret < 0) |
9401 | 0 | return ret; |
9402 | | |
9403 | | /* PSS signature can be done in-place */ |
9404 | 0 | ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz, |
9405 | 0 | sigAlgo, hashAlgo); |
9406 | 0 | if (ret < 0) |
9407 | 0 | return ret; |
9408 | 0 | sigSz = (word32)ret; |
9409 | |
|
9410 | 0 | ret = wc_RsaPSS_CheckPadding(sigData, sigSz, decSig, decSigSz, |
9411 | 0 | hashType); |
9412 | 0 | } |
9413 | | |
9414 | 0 | return ret; |
9415 | 0 | } |
9416 | | #endif /* !NO_RSA && WC_RSA_PSS */ |
9417 | | #endif /* !NO_RSA || HAVE_ECC */ |
9418 | | |
9419 | | #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) |
9420 | | /* Get the next certificate from the list for writing into the TLS v1.3 |
9421 | | * Certificate message. |
9422 | | * |
9423 | | * data The certificate list. |
9424 | | * length The length of the certificate data in the list. |
9425 | | * idx The index of the next certificate. |
9426 | | * returns the length of the certificate data. 0 indicates no more certificates |
9427 | | * in the list. |
9428 | | */ |
9429 | | static word32 NextCert(byte* data, word32 length, word32* idx) |
9430 | 0 | { |
9431 | 0 | word32 len; |
9432 | | |
9433 | | /* Would index read past end of list? */ |
9434 | 0 | if (*idx + 3 > length) |
9435 | 0 | return 0; |
9436 | | |
9437 | | /* Length of the current ASN.1 encoded certificate. */ |
9438 | 0 | c24to32(data + *idx, &len); |
9439 | | /* Include the length field. */ |
9440 | 0 | len += 3; |
9441 | | |
9442 | | /* Ensure len does not overrun certificate list */ |
9443 | 0 | if (*idx + len > length) |
9444 | 0 | return 0; |
9445 | | |
9446 | | /* Move index to next certificate and return the current certificate's |
9447 | | * length. |
9448 | | */ |
9449 | 0 | *idx += len; |
9450 | 0 | return len; |
9451 | 0 | } |
9452 | | |
9453 | | #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER) |
9454 | | /* Write certificate status request into certificate to buffer. |
9455 | | * |
9456 | | * ssl SSL/TLS object. |
9457 | | * certExts DerBuffer array. buffers written |
9458 | | * extSz word32 array. |
9459 | | * Length of the certificate status request data for the certificate. |
9460 | | * extSz_num number of the CSR written |
9461 | | * extIdx The index number of certificate status request data |
9462 | | * for the certificate. |
9463 | | * offset index offset |
9464 | | * returns Total number of bytes written on success or negative value on error. |
9465 | | */ |
9466 | | static int WriteCSRToBuffer(WOLFSSL* ssl, DerBuffer** certExts, |
9467 | | word16* extSz, word16 extSz_num) |
9468 | | { |
9469 | | int ret = 0; |
9470 | | TLSX* ext; |
9471 | | CertificateStatusRequest* csr; |
9472 | | word32 ex_offset = HELLO_EXT_TYPE_SZ + OPAQUE16_LEN /* extension type */ |
9473 | | + OPAQUE16_LEN /* extension length */; |
9474 | | word32 totalSz = 0; |
9475 | | word32 tmpSz; |
9476 | | word32 extIdx; |
9477 | | DerBuffer* der; |
9478 | | |
9479 | | if (extSz_num > MAX_CERT_EXTENSIONS) |
9480 | | return MAX_CERT_EXTENSIONS_ERR; |
9481 | | |
9482 | | ext = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); |
9483 | | csr = ext ? (CertificateStatusRequest*)ext->data : NULL; |
9484 | | |
9485 | | if (csr) { |
9486 | | for (extIdx = 0; extIdx < (word16)(extSz_num); extIdx++) { |
9487 | | tmpSz = TLSX_CSR_GetSize_ex(csr, 0, (int)extIdx); |
9488 | | |
9489 | | if (tmpSz > (OPAQUE8_LEN + OPAQUE24_LEN) && |
9490 | | certExts[extIdx] == NULL) { |
9491 | | /* csr extension is not zero */ |
9492 | | if (tmpSz > WOLFSSL_MAX_16BIT) |
9493 | | return BUFFER_E; |
9494 | | extSz[extIdx] = (word16)tmpSz; |
9495 | | |
9496 | | ret = AllocDer(&certExts[extIdx], extSz[extIdx] + ex_offset, |
9497 | | CERT_TYPE, ssl->heap); |
9498 | | if (ret < 0) |
9499 | | return ret; |
9500 | | der = certExts[extIdx]; |
9501 | | |
9502 | | /* write extension type */ |
9503 | | c16toa(ext->type, der->buffer |
9504 | | + OPAQUE16_LEN); |
9505 | | /* writes extension data length. */ |
9506 | | c16toa(extSz[extIdx], der->buffer |
9507 | | + HELLO_EXT_TYPE_SZ + OPAQUE16_LEN); |
9508 | | /* write extension data */ |
9509 | | extSz[extIdx] = (word16)TLSX_CSR_Write_ex(csr, |
9510 | | der->buffer + ex_offset, 0, extIdx); |
9511 | | /* add extension offset */ |
9512 | | extSz[extIdx] += (word16)ex_offset; |
9513 | | /* extension length */ |
9514 | | c16toa(extSz[extIdx] - OPAQUE16_LEN, |
9515 | | der->buffer); |
9516 | | } |
9517 | | totalSz += extSz[extIdx]; |
9518 | | } |
9519 | | } |
9520 | | else { |
9521 | | /* chain cert empty extension size */ |
9522 | | totalSz += OPAQUE16_LEN * extSz_num; |
9523 | | } |
9524 | | return (int)totalSz; |
9525 | | } |
9526 | | #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ |
9527 | | /* Add certificate data and empty extension to output up to the fragment size. |
9528 | | * |
9529 | | * ssl SSL/TLS object. |
9530 | | * cert The certificate data to write out. |
9531 | | * len The length of the certificate data. |
9532 | | * extSz Length of the extension data with the certificate. |
9533 | | * idx The start of the certificate data to write out. |
9534 | | * fragSz The maximum size of this fragment. |
9535 | | * output The buffer to write to. |
9536 | | * extIdx The index number of the extension data with the certificate |
9537 | | * returns the number of bytes written. |
9538 | | */ |
9539 | | static word32 AddCertExt(WOLFSSL* ssl, byte* cert, word32 len, word16 extSz, |
9540 | | word32 idx, word32 fragSz, byte* output, word16 extIdx) |
9541 | 0 | { |
9542 | 0 | word32 i = 0; |
9543 | 0 | word32 copySz = min(len - idx, fragSz); |
9544 | |
|
9545 | 0 | if (idx < len) { |
9546 | 0 | XMEMCPY(output, cert + idx, copySz); |
9547 | 0 | i = copySz; |
9548 | 0 | if (copySz == fragSz) |
9549 | 0 | return i; |
9550 | 0 | } |
9551 | 0 | copySz = len + extSz - idx - i; |
9552 | |
|
9553 | 0 | if (extSz == OPAQUE16_LEN) { |
9554 | 0 | if (copySz <= fragSz) { |
9555 | | /* Empty extension */ |
9556 | 0 | output[i++] = 0; |
9557 | 0 | output[i++] = 0; |
9558 | 0 | } |
9559 | 0 | } |
9560 | 0 | else { |
9561 | 0 | byte* certExts = ssl->buffers.certExts[extIdx]->buffer + idx + i - len; |
9562 | | /* Put out as much of the extensions' data as will fit in fragment. */ |
9563 | 0 | if (copySz > fragSz - i) |
9564 | 0 | copySz = fragSz - i; |
9565 | 0 | XMEMCPY(output + i, certExts, copySz); |
9566 | 0 | i += copySz; |
9567 | 0 | } |
9568 | |
|
9569 | 0 | return i; |
9570 | 0 | } |
9571 | | |
9572 | | #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER) |
9573 | | static int SetupOcspResp(WOLFSSL* ssl) |
9574 | | { |
9575 | | DecodedCert* cert = NULL; |
9576 | | CertificateStatusRequest* csr = NULL; |
9577 | | TLSX* extension = NULL; |
9578 | | int ret = 0; |
9579 | | OcspRequest* request = NULL; |
9580 | | |
9581 | | extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); |
9582 | | if (extension == NULL) |
9583 | | return 0; /* peer didn't signal ocsp support */ |
9584 | | csr = (CertificateStatusRequest*)extension->data; |
9585 | | if (csr == NULL) |
9586 | | return MEMORY_ERROR; |
9587 | | |
9588 | | if (SSL_CM(ssl) != NULL && |
9589 | | SSL_CM(ssl)->ocsp_stapling != NULL && |
9590 | | SSL_CM(ssl)->ocsp_stapling->statusCb != NULL) { |
9591 | | return TLSX_CSR_SetResponseWithStatusCB(ssl); |
9592 | | } |
9593 | | |
9594 | | if (ssl->buffers.certificate == NULL) { |
9595 | | WOLFSSL_MSG("Certificate buffer not set!"); |
9596 | | return BUFFER_ERROR; |
9597 | | } |
9598 | | cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, |
9599 | | DYNAMIC_TYPE_DCERT); |
9600 | | if (cert == NULL) { |
9601 | | return MEMORY_E; |
9602 | | } |
9603 | | InitDecodedCert(cert, ssl->buffers.certificate->buffer, |
9604 | | ssl->buffers.certificate->length, ssl->heap); |
9605 | | ret = ParseCert(cert, CERT_TYPE, NO_VERIFY, SSL_CM(ssl)); |
9606 | | if (ret != 0) { |
9607 | | FreeDecodedCert(cert); |
9608 | | XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT); |
9609 | | return ret; |
9610 | | } |
9611 | | ret = TLSX_CSR_InitRequest(ssl->extensions, cert, ssl->heap); |
9612 | | FreeDecodedCert(cert); |
9613 | | XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT); |
9614 | | if (ret != 0 ) |
9615 | | return ret; |
9616 | | |
9617 | | request = &csr->request.ocsp[0]; |
9618 | | ret = CreateOcspResponse(ssl, &request, &csr->responses[0]); |
9619 | | if (request != &csr->request.ocsp[0] && |
9620 | | ssl->buffers.weOwnCert) { |
9621 | | /* request will be allocated in CreateOcspResponse() */ |
9622 | | FreeOcspRequest(request); |
9623 | | XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST); |
9624 | | } |
9625 | | if (ret != 0) |
9626 | | return ret; |
9627 | | |
9628 | | if (csr->responses[0].buffer) |
9629 | | extension->resp = 1; |
9630 | | #if defined(WOLFSSL_TLS_OCSP_MULTI) |
9631 | | /* process OCSP request in certificate chain */ |
9632 | | if ((ret = ProcessChainOCSPRequest(ssl)) != 0) { |
9633 | | WOLFSSL_MSG("Process Cert Chain OCSP request failed"); |
9634 | | WOLFSSL_ERROR_VERBOSE(ret); |
9635 | | return ret; |
9636 | | } |
9637 | | #endif |
9638 | | return ret; |
9639 | | } |
9640 | | #endif |
9641 | | |
9642 | | /* handle generation TLS v1.3 certificate (11) */ |
9643 | | /* Send the certificate for this end and any CAs that help with validation. |
9644 | | * This message is always encrypted in TLS v1.3. |
9645 | | * |
9646 | | * ssl The SSL/TLS object. |
9647 | | * returns 0 on success, otherwise failure. |
9648 | | */ |
9649 | | static int SendTls13Certificate(WOLFSSL* ssl) |
9650 | 0 | { |
9651 | 0 | int ret = 0; |
9652 | 0 | word32 certSz, certChainSz, headerSz, listSz, payloadSz; |
9653 | 0 | word16 extSz[MAX_CERT_EXTENSIONS]; |
9654 | 0 | word16 extIdx = 0; |
9655 | 0 | word32 maxFragment; |
9656 | 0 | word32 totalextSz = 0; |
9657 | 0 | word32 len = 0; |
9658 | 0 | word32 idx = 0; |
9659 | 0 | word32 offset = OPAQUE16_LEN; |
9660 | 0 | byte* p = NULL; |
9661 | 0 | byte certReqCtxLen = 0; |
9662 | 0 | sword32 length; |
9663 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
9664 | | byte* certReqCtx = NULL; |
9665 | | #endif |
9666 | |
|
9667 | | #ifdef OPENSSL_EXTRA |
9668 | | WOLFSSL_X509* x509 = NULL; |
9669 | | WOLFSSL_EVP_PKEY* pkey = NULL; |
9670 | | #endif |
9671 | |
|
9672 | 0 | WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND); |
9673 | 0 | WOLFSSL_ENTER("SendTls13Certificate"); |
9674 | |
|
9675 | 0 | XMEMSET(extSz, 0, sizeof(extSz)); |
9676 | |
|
9677 | 0 | ssl->options.buildingMsg = 1; |
9678 | |
|
9679 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
9680 | | if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) { |
9681 | | certReqCtxLen = ssl->certReqCtx->len; |
9682 | | certReqCtx = &ssl->certReqCtx->ctx; |
9683 | | } |
9684 | | #endif |
9685 | |
|
9686 | | #if defined(OPENSSL_EXTRA) && defined(WOLFSSL_CERT_SETUP_CB) |
9687 | | /* call client cert callback if no cert has been loaded */ |
9688 | | if ((ssl->ctx->CBClientCert != NULL) && |
9689 | | (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer)) { |
9690 | | ret = ssl->ctx->CBClientCert(ssl, &x509, &pkey); |
9691 | | if (ret == 1) { |
9692 | | if ((wolfSSL_CTX_use_certificate(ssl->ctx, x509) == WOLFSSL_SUCCESS) && |
9693 | | (wolfSSL_CTX_use_PrivateKey(ssl->ctx, pkey) == WOLFSSL_SUCCESS)) { |
9694 | | ssl->options.sendVerify = SEND_CERT; |
9695 | | } |
9696 | | wolfSSL_X509_free(x509); |
9697 | | x509 = NULL; |
9698 | | wolfSSL_EVP_PKEY_free(pkey); |
9699 | | } |
9700 | | } |
9701 | | #endif |
9702 | |
|
9703 | 0 | if (ssl->options.sendVerify == SEND_BLANK_CERT) { |
9704 | 0 | certSz = 0; |
9705 | 0 | certChainSz = 0; |
9706 | 0 | headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ; |
9707 | 0 | length = (sword32)headerSz; |
9708 | 0 | listSz = 0; |
9709 | 0 | } |
9710 | 0 | else { |
9711 | 0 | if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer) { |
9712 | 0 | WOLFSSL_MSG("Send Cert missing certificate buffer"); |
9713 | 0 | return NO_CERT_ERROR; |
9714 | 0 | } |
9715 | | /* Certificate Data */ |
9716 | 0 | certSz = ssl->buffers.certificate->length; |
9717 | 0 | if (ssl->buffers.certChainCnt > MAX_CHAIN_DEPTH) { |
9718 | 0 | WOLFSSL_MSG("Certificate chain count exceeds maximum depth"); |
9719 | 0 | return MAX_CHAIN_ERROR; |
9720 | 0 | } |
9721 | | /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */ |
9722 | 0 | headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ + |
9723 | 0 | CERT_HEADER_SZ; |
9724 | | /* set empty extension as default */ |
9725 | 0 | for (extIdx = 0; extIdx < (word16)XELEM_CNT(extSz); extIdx++) |
9726 | 0 | extSz[extIdx] = OPAQUE16_LEN; |
9727 | |
|
9728 | | #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER) |
9729 | | /* We only send CSR on the server side. On client side, the CSR data |
9730 | | * is populated with the server response. We would be sending the server |
9731 | | * its own stapling data. */ |
9732 | | if (ssl->options.side == WOLFSSL_SERVER_END) { |
9733 | | ret = SetupOcspResp(ssl); |
9734 | | if (ret != 0) |
9735 | | return ret; |
9736 | | |
9737 | | if ((1 + ssl->buffers.certChainCnt) > MAX_CERT_EXTENSIONS) |
9738 | | ret = MAX_CERT_EXTENSIONS_ERR; |
9739 | | if (ret == 0) |
9740 | | ret = WriteCSRToBuffer(ssl, &ssl->buffers.certExts[0], &extSz[0], |
9741 | | 1 /* +1 for leaf */ + (word16)ssl->buffers.certChainCnt); |
9742 | | if (ret < 0) |
9743 | | return ret; |
9744 | | totalextSz += ret; |
9745 | | ret = 0; /* Clear to signal no error */ |
9746 | | } |
9747 | | else |
9748 | | #endif |
9749 | 0 | { |
9750 | | /* Leaf cert empty extension size */ |
9751 | 0 | totalextSz += OPAQUE16_LEN; |
9752 | | /* chain cert empty extension size */ |
9753 | 0 | totalextSz += OPAQUE16_LEN * ssl->buffers.certChainCnt; |
9754 | 0 | } |
9755 | | |
9756 | | /* Length of message data with one certificate and extensions. */ |
9757 | 0 | length = (sword32)(headerSz + certSz + totalextSz); |
9758 | | /* Length of list data with one certificate and extensions. */ |
9759 | 0 | listSz = CERT_HEADER_SZ + certSz + totalextSz; |
9760 | | |
9761 | | /* Send rest of chain if sending cert (chain has leading size/s). */ |
9762 | 0 | if (certSz > 0 && ssl->buffers.certChainCnt > 0) { |
9763 | 0 | p = ssl->buffers.certChain->buffer; |
9764 | | /* Chain length including extensions. */ |
9765 | 0 | certChainSz = ssl->buffers.certChain->length; |
9766 | |
|
9767 | 0 | length += certChainSz; |
9768 | 0 | listSz += certChainSz; |
9769 | 0 | } |
9770 | 0 | else |
9771 | 0 | certChainSz = 0; |
9772 | 0 | } |
9773 | | |
9774 | 0 | payloadSz = (word32)length; |
9775 | |
|
9776 | 0 | if (ssl->fragOffset != 0) |
9777 | 0 | length -= (ssl->fragOffset + headerSz); |
9778 | |
|
9779 | 0 | maxFragment = (word32)wolfssl_local_GetMaxPlaintextSize(ssl); |
9780 | |
|
9781 | 0 | extIdx = 0; |
9782 | |
|
9783 | 0 | while (length > 0 && ret == 0) { |
9784 | 0 | byte* output = NULL; |
9785 | 0 | word32 fragSz = 0; |
9786 | 0 | word32 i = RECORD_HEADER_SZ; |
9787 | 0 | int sendSz = RECORD_HEADER_SZ; |
9788 | |
|
9789 | | #ifdef WOLFSSL_DTLS13 |
9790 | | if (ssl->options.dtls) { |
9791 | | i = Dtls13GetRlHeaderLength(ssl, 1); |
9792 | | sendSz = (int)i; |
9793 | | } |
9794 | | #endif /* WOLFSSL_DTLS13 */ |
9795 | |
|
9796 | 0 | if (ssl->fragOffset == 0) { |
9797 | 0 | if (headerSz + certSz + totalextSz + certChainSz <= |
9798 | 0 | maxFragment - HANDSHAKE_HEADER_SZ) { |
9799 | 0 | fragSz = headerSz + certSz + totalextSz + certChainSz; |
9800 | 0 | } |
9801 | | #ifdef WOLFSSL_DTLS13 |
9802 | | else if (ssl->options.dtls){ |
9803 | | /* short-circuit the fragmentation logic here. DTLS |
9804 | | fragmentation will be done in dtls13HandshakeSend() */ |
9805 | | fragSz = headerSz + certSz + totalextSz + certChainSz; |
9806 | | } |
9807 | | #endif /* WOLFSSL_DTLS13 */ |
9808 | 0 | else { |
9809 | 0 | fragSz = maxFragment - HANDSHAKE_HEADER_SZ; |
9810 | 0 | } |
9811 | |
|
9812 | 0 | sendSz += fragSz + HANDSHAKE_HEADER_SZ; |
9813 | 0 | i += HANDSHAKE_HEADER_SZ; |
9814 | | #ifdef WOLFSSL_DTLS13 |
9815 | | if (ssl->options.dtls) { |
9816 | | sendSz += DTLS_HANDSHAKE_EXTRA; |
9817 | | i += DTLS_HANDSHAKE_EXTRA; |
9818 | | } |
9819 | | #endif /* WOLFSSL_DTLS13 */ |
9820 | 0 | } |
9821 | 0 | else { |
9822 | 0 | fragSz = min((word32)length, maxFragment); |
9823 | 0 | sendSz += fragSz; |
9824 | 0 | } |
9825 | |
|
9826 | 0 | sendSz += MAX_MSG_EXTRA; |
9827 | | |
9828 | | /* Check buffers are big enough and grow if needed. */ |
9829 | 0 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
9830 | 0 | return ret; |
9831 | | |
9832 | | /* Get position in output buffer to write new message to. */ |
9833 | 0 | output = GetOutputBuffer(ssl); |
9834 | |
|
9835 | 0 | if (ssl->fragOffset == 0) { |
9836 | 0 | AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl); |
9837 | | |
9838 | | /* Request context. */ |
9839 | 0 | output[i++] = certReqCtxLen; |
9840 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
9841 | | if (certReqCtxLen > 0) { |
9842 | | XMEMCPY(output + i, certReqCtx, certReqCtxLen); |
9843 | | i += certReqCtxLen; |
9844 | | } |
9845 | | #endif |
9846 | 0 | length -= OPAQUE8_LEN + certReqCtxLen; |
9847 | 0 | fragSz -= OPAQUE8_LEN + certReqCtxLen; |
9848 | | /* Certificate list length. */ |
9849 | 0 | c32to24(listSz, output + i); |
9850 | 0 | i += CERT_HEADER_SZ; |
9851 | 0 | length -= CERT_HEADER_SZ; |
9852 | 0 | fragSz -= CERT_HEADER_SZ; |
9853 | | /* Leaf certificate data length. */ |
9854 | 0 | if (certSz > 0) { |
9855 | 0 | c32to24(certSz, output + i); |
9856 | 0 | i += CERT_HEADER_SZ; |
9857 | 0 | length -= CERT_HEADER_SZ; |
9858 | 0 | fragSz -= CERT_HEADER_SZ; |
9859 | 0 | } |
9860 | 0 | } |
9861 | 0 | else |
9862 | 0 | AddTls13RecordHeader(output, fragSz, handshake, ssl); |
9863 | |
|
9864 | 0 | if (extIdx == 0) { |
9865 | 0 | if (certSz > 0 && ssl->fragOffset < certSz + extSz[0]) { |
9866 | | /* Put in the leaf certificate with extensions. */ |
9867 | 0 | word32 copySz = AddCertExt(ssl, ssl->buffers.certificate->buffer, |
9868 | 0 | certSz, extSz[0], ssl->fragOffset, fragSz, |
9869 | 0 | output + i, 0); |
9870 | 0 | i += copySz; |
9871 | 0 | ssl->fragOffset += copySz; |
9872 | 0 | length -= copySz; |
9873 | 0 | fragSz -= copySz; |
9874 | 0 | if (ssl->fragOffset == certSz + extSz[0]) |
9875 | 0 | FreeDer(&ssl->buffers.certExts[0]); |
9876 | 0 | } |
9877 | 0 | } |
9878 | 0 | if (certChainSz > 0 && fragSz > 0) { |
9879 | | /* Put in the CA certificates with extensions. */ |
9880 | 0 | while (fragSz > 0) { |
9881 | 0 | word32 l; |
9882 | |
|
9883 | 0 | if (offset == len + OPAQUE16_LEN) { |
9884 | | /* Find next CA certificate to write out. */ |
9885 | 0 | offset = 0; |
9886 | | /* Point to the start of current cert in chain buffer. */ |
9887 | 0 | p = ssl->buffers.certChain->buffer + idx; |
9888 | 0 | len = NextCert(ssl->buffers.certChain->buffer, |
9889 | 0 | ssl->buffers.certChain->length, &idx); |
9890 | 0 | if (len == 0) |
9891 | 0 | break; |
9892 | | #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && \ |
9893 | | !defined(NO_WOLFSSL_SERVER) |
9894 | | if (extIdx + 1 < MAX_CERT_EXTENSIONS) |
9895 | | extIdx++; |
9896 | | #endif |
9897 | 0 | } |
9898 | | /* Write out certificate and extension. */ |
9899 | 0 | l = AddCertExt(ssl, p, len, extSz[extIdx], offset, fragSz, |
9900 | 0 | output + i, extIdx); |
9901 | 0 | i += l; |
9902 | 0 | ssl->fragOffset += l; |
9903 | 0 | length -= l; |
9904 | 0 | fragSz -= l; |
9905 | 0 | offset += l; |
9906 | |
|
9907 | 0 | if (extIdx != 0 && extIdx < MAX_CERT_EXTENSIONS && |
9908 | 0 | ssl->buffers.certExts[extIdx] != NULL && |
9909 | 0 | offset == len + extSz[extIdx]) { |
9910 | 0 | FreeDer(&ssl->buffers.certExts[extIdx]); |
9911 | | /* for next chain cert */ |
9912 | 0 | len += extSz[extIdx] - OPAQUE16_LEN; |
9913 | 0 | } |
9914 | 0 | } |
9915 | 0 | } |
9916 | |
|
9917 | 0 | if ((int)i - RECORD_HEADER_SZ < 0) { |
9918 | 0 | WOLFSSL_MSG("Send Cert bad inputSz"); |
9919 | 0 | return BUFFER_E; |
9920 | 0 | } |
9921 | | |
9922 | | #ifdef WOLFSSL_DTLS13 |
9923 | | if (ssl->options.dtls) { |
9924 | | /* DTLS1.3 uses a separate variable and logic for fragments */ |
9925 | | ssl->options.buildingMsg = 0; |
9926 | | ssl->fragOffset = 0; |
9927 | | if ((word32)sendSz > WOLFSSL_MAX_16BIT || i > WOLFSSL_MAX_16BIT) { |
9928 | | WOLFSSL_MSG("Send Cert DTLS size exceeds word16"); |
9929 | | return BUFFER_E; |
9930 | | } |
9931 | | ret = Dtls13HandshakeSend(ssl, output, (word16)sendSz, (word16)i, |
9932 | | certificate, 1); |
9933 | | } |
9934 | | else |
9935 | | #endif /* WOLFSSL_DTLS13 */ |
9936 | 0 | { |
9937 | | /* This message is always encrypted. */ |
9938 | 0 | sendSz = BuildTls13Message(ssl, output, sendSz, |
9939 | 0 | output + RECORD_HEADER_SZ, (int)(i - RECORD_HEADER_SZ), |
9940 | 0 | handshake, 1, |
9941 | 0 | 0, 0); |
9942 | 0 | if (sendSz < 0) |
9943 | 0 | return sendSz; |
9944 | | |
9945 | | #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) |
9946 | | if (ssl->hsInfoOn) |
9947 | | AddPacketName(ssl, "Certificate"); |
9948 | | if (ssl->toInfoOn) { |
9949 | | ret = AddPacketInfo(ssl, "Certificate", handshake, output, |
9950 | | sendSz, WRITE_PROTO, 0, ssl->heap); |
9951 | | if (ret != 0) |
9952 | | return ret; |
9953 | | } |
9954 | | #endif |
9955 | | |
9956 | 0 | ssl->buffers.outputBuffer.length += (word32)sendSz; |
9957 | 0 | ssl->options.buildingMsg = 0; |
9958 | 0 | if (!ssl->options.groupMessages) |
9959 | 0 | ret = SendBuffered(ssl); |
9960 | 0 | } |
9961 | 0 | } |
9962 | | |
9963 | 0 | if (ret != WC_NO_ERR_TRACE(WANT_WRITE)) { |
9964 | | /* Clean up the fragment offset. */ |
9965 | 0 | ssl->options.buildingMsg = 0; |
9966 | 0 | ssl->fragOffset = 0; |
9967 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) |
9968 | 0 | ssl->options.serverState = SERVER_CERT_COMPLETE; |
9969 | 0 | } |
9970 | |
|
9971 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
9972 | | if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) { |
9973 | | CertReqCtx* ctx = ssl->certReqCtx; |
9974 | | ssl->certReqCtx = ssl->certReqCtx->next; |
9975 | | XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
9976 | | } |
9977 | | #endif |
9978 | |
|
9979 | 0 | WOLFSSL_LEAVE("SendTls13Certificate", ret); |
9980 | 0 | WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND); |
9981 | |
|
9982 | 0 | return ret; |
9983 | 0 | } |
9984 | | |
9985 | | #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ |
9986 | | defined(HAVE_ED448) || defined(HAVE_FALCON) || \ |
9987 | | defined(WOLFSSL_HAVE_MLDSA)) && \ |
9988 | | (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)) |
9989 | | typedef struct Scv13Args { |
9990 | | byte* output; /* not allocated */ |
9991 | | byte* verify; /* not allocated */ |
9992 | | word32 idx; |
9993 | | word32 sigLen; |
9994 | | int sendSz; |
9995 | | word16 length; |
9996 | | |
9997 | | byte sigAlgo; |
9998 | | byte* sigData; |
9999 | | word16 sigDataSz; |
10000 | | #ifndef NO_RSA |
10001 | | byte* toSign; /* not allocated */ |
10002 | | word32 toSignSz; |
10003 | | #endif |
10004 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10005 | | byte altSigAlgo; |
10006 | | word32 altSigLen; /* Only used in the case of both native and alt. */ |
10007 | | byte* altSigData; |
10008 | | word16 altSigDataSz; |
10009 | | #endif |
10010 | | } Scv13Args; |
10011 | | |
10012 | | static void FreeScv13Args(WOLFSSL* ssl, void* pArgs) |
10013 | 0 | { |
10014 | 0 | Scv13Args* args = (Scv13Args*)pArgs; |
10015 | |
|
10016 | 0 | (void)ssl; |
10017 | |
|
10018 | 0 | if (args && args->sigData) { |
10019 | 0 | XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
10020 | 0 | args->sigData = NULL; |
10021 | 0 | } |
10022 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10023 | | if (args && args->altSigData != NULL) { |
10024 | | XFREE(args->altSigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
10025 | | args->altSigData = NULL; |
10026 | | } |
10027 | | #endif |
10028 | 0 | } |
10029 | | |
10030 | | /* handle generation TLS v1.3 certificate_verify (15) */ |
10031 | | /* Send the TLS v1.3 CertificateVerify message. |
10032 | | * A hash of all the message so far is used. |
10033 | | * The signed data is: |
10034 | | * 0x20 * 64 | context string | 0x00 | hash of messages |
10035 | | * This message is always encrypted in TLS v1.3. |
10036 | | * |
10037 | | * ssl The SSL/TLS object. |
10038 | | * returns 0 on success, otherwise failure. |
10039 | | */ |
10040 | | static int SendTls13CertificateVerify(WOLFSSL* ssl) |
10041 | 0 | { |
10042 | 0 | int ret = 0; |
10043 | 0 | #ifndef NO_RSA |
10044 | | /* Use this as a temporary buffer for RSA signature verification. */ |
10045 | 0 | buffer* rsaSigBuf = &ssl->buffers.sig; |
10046 | 0 | #endif |
10047 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10048 | | Scv13Args* args = NULL; |
10049 | | WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args); |
10050 | | #else |
10051 | 0 | Scv13Args args[1]; |
10052 | 0 | #endif |
10053 | |
|
10054 | | #ifdef WOLFSSL_DTLS13 |
10055 | | int recordLayerHdrExtra; |
10056 | | #endif /* WOLFSSL_DTLS13 */ |
10057 | |
|
10058 | 0 | WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND); |
10059 | 0 | WOLFSSL_ENTER("SendTls13CertificateVerify"); |
10060 | |
|
10061 | | #ifdef WOLFSSL_BLIND_PRIVATE_KEY |
10062 | | wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask); |
10063 | | #endif |
10064 | |
|
10065 | 0 | ssl->options.buildingMsg = 1; |
10066 | |
|
10067 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
10068 | | ret = tsip_Tls13SendCertVerify(ssl); |
10069 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { |
10070 | | goto exit_scv; |
10071 | | } |
10072 | | ret = 0; |
10073 | | #endif /* WOLFSSL_RENESAS_TSIP_TLS */ |
10074 | |
|
10075 | | #ifdef WOLFSSL_DTLS13 |
10076 | | /* can be negative */ |
10077 | | if (ssl->options.dtls) |
10078 | | recordLayerHdrExtra = Dtls13GetRlHeaderLength(ssl, 1) - RECORD_HEADER_SZ; |
10079 | | else |
10080 | | recordLayerHdrExtra = 0; |
10081 | | |
10082 | | #endif /* WOLFSSL_DTLS13 */ |
10083 | |
|
10084 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10085 | | if (ssl->async == NULL) { |
10086 | | ssl->async = (struct WOLFSSL_ASYNC*) |
10087 | | XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap, |
10088 | | DYNAMIC_TYPE_ASYNC); |
10089 | | if (ssl->async == NULL) |
10090 | | ERROR_OUT(MEMORY_E, exit_scv); |
10091 | | } |
10092 | | args = (Scv13Args*)ssl->async->args; |
10093 | | |
10094 | | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); |
10095 | | if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) { |
10096 | | /* Check for error */ |
10097 | | if (ret < 0) |
10098 | | goto exit_scv; |
10099 | | } |
10100 | | else |
10101 | | #endif |
10102 | 0 | { |
10103 | | /* Reset state */ |
10104 | 0 | ret = 0; |
10105 | 0 | ssl->options.asyncState = TLS_ASYNC_BEGIN; |
10106 | 0 | XMEMSET(args, 0, sizeof(Scv13Args)); |
10107 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10108 | | ssl->async->freeArgs = FreeScv13Args; |
10109 | | #endif |
10110 | 0 | } |
10111 | |
|
10112 | 0 | switch(ssl->options.asyncState) |
10113 | 0 | { |
10114 | 0 | case TLS_ASYNC_BEGIN: |
10115 | 0 | { |
10116 | 0 | if (ssl->options.sendVerify == SEND_BLANK_CERT) { |
10117 | | #ifdef WOLFSSL_BLIND_PRIVATE_KEY |
10118 | | wolfssl_priv_der_blind_toggle(ssl->buffers.key, |
10119 | | ssl->buffers.keyMask); |
10120 | | #endif |
10121 | 0 | return 0; /* sent blank cert, can't verify */ |
10122 | 0 | } |
10123 | | |
10124 | 0 | args->sendSz = WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA; |
10125 | | /* Always encrypted. */ |
10126 | 0 | args->sendSz += MAX_MSG_EXTRA; |
10127 | | |
10128 | | /* check for available size */ |
10129 | 0 | if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) { |
10130 | 0 | goto exit_scv; |
10131 | 0 | } |
10132 | | |
10133 | | /* get output buffer */ |
10134 | 0 | args->output = GetOutputBuffer(ssl); |
10135 | | |
10136 | | /* Advance state and proceed */ |
10137 | 0 | ssl->options.asyncState = TLS_ASYNC_BUILD; |
10138 | 0 | } /* case TLS_ASYNC_BEGIN */ |
10139 | 0 | FALL_THROUGH; |
10140 | |
|
10141 | 0 | case TLS_ASYNC_BUILD: |
10142 | 0 | { |
10143 | 0 | int rem = (int)(ssl->buffers.outputBuffer.bufferSize |
10144 | 0 | - ssl->buffers.outputBuffer.length |
10145 | 0 | - RECORD_HEADER_SZ - HANDSHAKE_HEADER_SZ); |
10146 | | |
10147 | | /* idx is used to track verify pointer offset to output */ |
10148 | 0 | args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
10149 | 0 | args->verify = |
10150 | 0 | &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ]; |
10151 | |
|
10152 | | #ifdef WOLFSSL_DTLS13 |
10153 | | if (ssl->options.dtls) { |
10154 | | rem -= recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA; |
10155 | | args->idx += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA; |
10156 | | args->verify += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA; |
10157 | | } |
10158 | | #endif /* WOLFSSL_DTLS13 */ |
10159 | |
|
10160 | 0 | if (ssl->buffers.key == NULL) { |
10161 | | #ifdef HAVE_PK_CALLBACKS |
10162 | | if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) |
10163 | | args->sigLen = (word16)GetPrivateKeySigSize(ssl); |
10164 | | else |
10165 | | #endif |
10166 | 0 | ERROR_OUT(NO_PRIVATE_KEY, exit_scv); |
10167 | 0 | } |
10168 | 0 | else { |
10169 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10170 | | if (ssl->sigSpec != NULL && |
10171 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) { |
10172 | | /* In the case of alternative, we swap in the alt. */ |
10173 | | if (ssl->buffers.altKey == NULL) { |
10174 | | ERROR_OUT(NO_PRIVATE_KEY, exit_scv); |
10175 | | } |
10176 | | ssl->buffers.keyType = ssl->buffers.altKeyType; |
10177 | | ssl->buffers.keySz = ssl->buffers.altKeySz; |
10178 | | /* If we own it, free key before overriding it. */ |
10179 | | if (ssl->buffers.weOwnKey) { |
10180 | | FreeDer(&ssl->buffers.key); |
10181 | | #ifdef WOLFSSL_BLIND_PRIVATE_KEY |
10182 | | FreeDer(&ssl->buffers.keyMask); |
10183 | | #endif |
10184 | | } |
10185 | | |
10186 | | /* Swap keys */ |
10187 | | ssl->buffers.key = ssl->buffers.altKey; |
10188 | | ssl->buffers.weOwnKey = ssl->buffers.weOwnAltKey; |
10189 | | |
10190 | | #ifdef WOLFSSL_BLIND_PRIVATE_KEY |
10191 | | ssl->buffers.keyMask = ssl->buffers.altKeyMask; |
10192 | | /* Unblind the alternative key before decoding */ |
10193 | | wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask); |
10194 | | #endif |
10195 | | } |
10196 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
10197 | 0 | ret = DecodePrivateKey(ssl, &args->sigLen); |
10198 | 0 | if (ret != 0) |
10199 | 0 | goto exit_scv; |
10200 | 0 | } |
10201 | | |
10202 | 0 | if (rem < 0 || (int)args->sigLen > rem) { |
10203 | 0 | ERROR_OUT(BUFFER_E, exit_scv); |
10204 | 0 | } |
10205 | | |
10206 | 0 | if (args->sigLen == 0) { |
10207 | 0 | ERROR_OUT(NO_PRIVATE_KEY, exit_scv); |
10208 | 0 | } |
10209 | | |
10210 | | /* Add signature algorithm. */ |
10211 | 0 | if (ssl->hsType == DYNAMIC_TYPE_RSA) |
10212 | 0 | args->sigAlgo = rsa_pss_sa_algo; |
10213 | 0 | #ifdef HAVE_ECC |
10214 | 0 | else if (ssl->hsType == DYNAMIC_TYPE_ECC) { |
10215 | | #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) |
10216 | | if (ssl->buffers.keyType == sm2_sa_algo) { |
10217 | | args->sigAlgo = sm2_sa_algo; |
10218 | | } |
10219 | | else |
10220 | | #endif |
10221 | 0 | { |
10222 | 0 | args->sigAlgo = ecc_dsa_sa_algo; |
10223 | 0 | } |
10224 | 0 | } |
10225 | 0 | #endif |
10226 | | #ifdef HAVE_ED25519 |
10227 | | else if (ssl->hsType == DYNAMIC_TYPE_ED25519) |
10228 | | args->sigAlgo = ed25519_sa_algo; |
10229 | | #endif |
10230 | | #ifdef HAVE_ED448 |
10231 | | else if (ssl->hsType == DYNAMIC_TYPE_ED448) |
10232 | | args->sigAlgo = ed448_sa_algo; |
10233 | | #endif |
10234 | | #if defined(HAVE_FALCON) |
10235 | | else if (ssl->hsType == DYNAMIC_TYPE_FALCON) { |
10236 | | args->sigAlgo = ssl->buffers.keyType; |
10237 | | } |
10238 | | #endif /* HAVE_FALCON */ |
10239 | | #if defined(WOLFSSL_HAVE_MLDSA) |
10240 | | else if (ssl->hsType == DYNAMIC_TYPE_MLDSA) { |
10241 | | args->sigAlgo = ssl->buffers.keyType; |
10242 | | } |
10243 | | #endif /* WOLFSSL_HAVE_MLDSA */ |
10244 | 0 | else { |
10245 | 0 | ERROR_OUT(ALGO_ID_E, exit_scv); |
10246 | 0 | } |
10247 | | |
10248 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10249 | | if (ssl->peerSigSpec == NULL) { |
10250 | | /* The peer did not respond. We didn't send CKS or they don't |
10251 | | * support it. Either way, we do not need to handle dual |
10252 | | * key/sig case. */ |
10253 | | ssl->sigSpec = NULL; |
10254 | | ssl->sigSpecSz = 0; |
10255 | | } |
10256 | | |
10257 | | if (ssl->sigSpec != NULL && |
10258 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
10259 | | /* The native was already decoded. Now we need to do the |
10260 | | * alternative. Note that no swap was done because this case is |
10261 | | * both native and alternative, not just alternative. */ |
10262 | | if (ssl->buffers.altKey == NULL) { |
10263 | | ERROR_OUT(NO_PRIVATE_KEY, exit_scv); |
10264 | | } |
10265 | | |
10266 | | /* After this call, args->altSigLen has the length we need for |
10267 | | * the alternative signature. */ |
10268 | | ret = DecodeAltPrivateKey(ssl, &args->altSigLen); |
10269 | | if (ret != 0) |
10270 | | goto exit_scv; |
10271 | | |
10272 | | if (ssl->buffers.altKeyType == ecc_dsa_sa_algo || |
10273 | | ssl->buffers.altKeyType == falcon_level1_sa_algo || |
10274 | | ssl->buffers.altKeyType == falcon_level5_sa_algo || |
10275 | | ssl->buffers.altKeyType == mldsa_44_sa_algo || |
10276 | | ssl->buffers.altKeyType == mldsa_65_sa_algo || |
10277 | | ssl->buffers.altKeyType == mldsa_87_sa_algo) { |
10278 | | args->altSigAlgo = ssl->buffers.altKeyType; |
10279 | | } |
10280 | | else if (ssl->buffers.altKeyType == rsa_sa_algo && |
10281 | | ssl->hsAltType == DYNAMIC_TYPE_RSA) { |
10282 | | args->altSigAlgo = rsa_pss_sa_algo; |
10283 | | } |
10284 | | else { |
10285 | | ERROR_OUT(ALGO_ID_E, exit_scv); |
10286 | | } |
10287 | | |
10288 | | EncodeDualSigAlg(args->sigAlgo, args->altSigAlgo, args->verify); |
10289 | | if (args->verify[0] == 0) { |
10290 | | ERROR_OUT(ALGO_ID_E, exit_scv); |
10291 | | } |
10292 | | } |
10293 | | else |
10294 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
10295 | 0 | EncodeSigAlg(ssl, ssl->options.hashAlgo, args->sigAlgo, |
10296 | 0 | args->verify); |
10297 | |
|
10298 | 0 | if (args->sigData == NULL) { |
10299 | 0 | word32 sigLen = MAX_SIG_DATA_SZ; |
10300 | 0 | if ((ssl->hsType == DYNAMIC_TYPE_RSA) && |
10301 | 0 | (args->sigLen > MAX_SIG_DATA_SZ)) { |
10302 | | /* We store the RSA signature in the sigData buffer |
10303 | | * temporarily, hence its size must be fitting. */ |
10304 | 0 | sigLen = args->sigLen; |
10305 | 0 | } |
10306 | 0 | args->sigData = (byte*)XMALLOC(sigLen, ssl->heap, |
10307 | 0 | DYNAMIC_TYPE_SIGNATURE); |
10308 | 0 | if (args->sigData == NULL) { |
10309 | 0 | ERROR_OUT(MEMORY_E, exit_scv); |
10310 | 0 | } |
10311 | 0 | } |
10312 | | |
10313 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10314 | | if ((ssl->sigSpec != NULL) && |
10315 | | (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) && |
10316 | | (args->altSigData == NULL)) { |
10317 | | word32 sigLen = MAX_SIG_DATA_SZ; |
10318 | | if (ssl->hsAltType == DYNAMIC_TYPE_RSA && |
10319 | | args->altSigLen > MAX_SIG_DATA_SZ) { |
10320 | | /* We store the RSA signature in the sigData buffer |
10321 | | * temporarily, hence its size must be fitting. */ |
10322 | | sigLen = args->altSigLen; |
10323 | | } |
10324 | | args->altSigData = (byte*)XMALLOC(sigLen, ssl->heap, |
10325 | | DYNAMIC_TYPE_SIGNATURE); |
10326 | | if (args->altSigData == NULL) { |
10327 | | ERROR_OUT(MEMORY_E, exit_scv); |
10328 | | } |
10329 | | } |
10330 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
10331 | | |
10332 | | /* Create the data to be signed. */ |
10333 | 0 | ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0); |
10334 | 0 | if (ret != 0) |
10335 | 0 | goto exit_scv; |
10336 | | |
10337 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10338 | | if ((ssl->sigSpec != NULL) && |
10339 | | (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH)) { |
10340 | | XMEMCPY(args->altSigData, args->sigData, args->sigDataSz); |
10341 | | args->altSigDataSz = args->sigDataSz; |
10342 | | } |
10343 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
10344 | | |
10345 | 0 | #ifndef NO_RSA |
10346 | 0 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
10347 | | /* build encoded signature buffer */ |
10348 | 0 | rsaSigBuf->length = WC_MAX_DIGEST_SIZE; |
10349 | 0 | rsaSigBuf->buffer = (byte*)XMALLOC(rsaSigBuf->length, ssl->heap, |
10350 | 0 | DYNAMIC_TYPE_SIGNATURE); |
10351 | 0 | if (rsaSigBuf->buffer == NULL) { |
10352 | 0 | ERROR_OUT(MEMORY_E, exit_scv); |
10353 | 0 | } |
10354 | | |
10355 | 0 | ret = CreateRSAEncodedSig(rsaSigBuf->buffer, args->sigData, |
10356 | 0 | args->sigDataSz, args->sigAlgo, ssl->options.hashAlgo); |
10357 | 0 | if (ret < 0) |
10358 | 0 | goto exit_scv; |
10359 | 0 | rsaSigBuf->length = (unsigned int)ret; |
10360 | 0 | ret = 0; |
10361 | 0 | } |
10362 | 0 | #endif /* !NO_RSA */ |
10363 | 0 | #ifdef HAVE_ECC |
10364 | 0 | if (ssl->hsType == DYNAMIC_TYPE_ECC) { |
10365 | 0 | args->sigLen = (word32)args->sendSz - args->idx - |
10366 | 0 | HASH_SIG_SIZE - |
10367 | 0 | VERIFY_HEADER; |
10368 | | #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) |
10369 | | if (ssl->buffers.keyType != sm2_sa_algo) |
10370 | | #endif |
10371 | 0 | { |
10372 | 0 | ret = CreateECCEncodedSig(args->sigData, |
10373 | 0 | args->sigDataSz, ssl->options.hashAlgo); |
10374 | 0 | if (ret < 0) |
10375 | 0 | goto exit_scv; |
10376 | 0 | args->sigDataSz = (word16)ret; |
10377 | 0 | ret = 0; |
10378 | 0 | } |
10379 | 0 | } |
10380 | 0 | #endif /* HAVE_ECC */ |
10381 | | #ifdef HAVE_ED25519 |
10382 | | if (ssl->hsType == DYNAMIC_TYPE_ED25519) { |
10383 | | ret = Ed25519CheckPubKey(ssl); |
10384 | | if (ret < 0) { |
10385 | | ERROR_OUT(ret, exit_scv); |
10386 | | } |
10387 | | args->sigLen = ED25519_SIG_SIZE; |
10388 | | } |
10389 | | #endif /* HAVE_ED25519 */ |
10390 | | #ifdef HAVE_ED448 |
10391 | | if (ssl->hsType == DYNAMIC_TYPE_ED448) { |
10392 | | ret = Ed448CheckPubKey(ssl); |
10393 | | if (ret < 0) { |
10394 | | ERROR_OUT(ret, exit_scv); |
10395 | | } |
10396 | | args->sigLen = ED448_SIG_SIZE; |
10397 | | } |
10398 | | |
10399 | | #endif /* HAVE_ED448 */ |
10400 | | #if defined(HAVE_FALCON) |
10401 | | if (ssl->hsType == DYNAMIC_TYPE_FALCON) { |
10402 | | args->sigLen = FALCON_MAX_SIG_SIZE; |
10403 | | } |
10404 | | #endif /* HAVE_FALCON */ |
10405 | | #if defined(WOLFSSL_HAVE_MLDSA) |
10406 | | if (ssl->hsType == DYNAMIC_TYPE_MLDSA) { |
10407 | | args->sigLen = MLDSA_MAX_SIG_SIZE; |
10408 | | } |
10409 | | #endif /* WOLFSSL_HAVE_MLDSA */ |
10410 | | |
10411 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10412 | | if (ssl->sigSpec != NULL && |
10413 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
10414 | | |
10415 | | #ifndef NO_RSA |
10416 | | if (ssl->hsAltType == DYNAMIC_TYPE_RSA) { |
10417 | | /* build encoded signature buffer */ |
10418 | | XFREE(rsaSigBuf->buffer, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
10419 | | rsaSigBuf->length = WC_MAX_DIGEST_SIZE; |
10420 | | rsaSigBuf->buffer = (byte*)XMALLOC(rsaSigBuf->length, |
10421 | | ssl->heap, |
10422 | | DYNAMIC_TYPE_SIGNATURE); |
10423 | | if (rsaSigBuf->buffer == NULL) { |
10424 | | ERROR_OUT(MEMORY_E, exit_scv); |
10425 | | } |
10426 | | |
10427 | | ret = CreateRSAEncodedSig(rsaSigBuf->buffer, |
10428 | | args->altSigData, args->altSigDataSz, |
10429 | | args->altSigAlgo, ssl->options.hashAlgo); |
10430 | | if (ret < 0) |
10431 | | goto exit_scv; |
10432 | | rsaSigBuf->length = ret; |
10433 | | ret = 0; |
10434 | | } |
10435 | | #endif /* !NO_RSA */ |
10436 | | #ifdef HAVE_ECC |
10437 | | if (ssl->hsAltType == DYNAMIC_TYPE_ECC) { |
10438 | | ret = CreateECCEncodedSig(args->altSigData, |
10439 | | args->altSigDataSz, ssl->options.hashAlgo); |
10440 | | if (ret < 0) |
10441 | | goto exit_scv; |
10442 | | args->altSigDataSz = (word16)ret; |
10443 | | ret = 0; |
10444 | | } |
10445 | | #endif /* HAVE_ECC */ |
10446 | | } |
10447 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
10448 | | |
10449 | | /* Advance state and proceed */ |
10450 | 0 | ssl->options.asyncState = TLS_ASYNC_DO; |
10451 | 0 | } /* case TLS_ASYNC_BUILD */ |
10452 | 0 | FALL_THROUGH; |
10453 | |
|
10454 | 0 | case TLS_ASYNC_DO: |
10455 | 0 | { |
10456 | 0 | byte* sigOut = args->verify + HASH_SIG_SIZE + VERIFY_HEADER; |
10457 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10458 | | if (ssl->sigSpec != NULL && |
10459 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
10460 | | /* As we have two signatures in the message, we store |
10461 | | * the length of each before the actual signature. This |
10462 | | * is necessary, as we could have two algorithms with |
10463 | | * variable length signatures. */ |
10464 | | sigOut += OPAQUE16_LEN; |
10465 | | } |
10466 | | #endif |
10467 | 0 | #ifdef HAVE_ECC |
10468 | 0 | if (ssl->hsType == DYNAMIC_TYPE_ECC) { |
10469 | | #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) |
10470 | | if (ssl->buffers.keyType == sm2_sa_algo) { |
10471 | | ret = Sm2wSm3Sign(ssl, TLS13_SM2_SIG_ID, |
10472 | | TLS13_SM2_SIG_ID_SZ, args->sigData, args->sigDataSz, |
10473 | | sigOut, &args->sigLen, (ecc_key*)ssl->hsKey, NULL); |
10474 | | } |
10475 | | else |
10476 | | #endif |
10477 | 0 | { |
10478 | 0 | ret = EccSign(ssl, args->sigData, args->sigDataSz, |
10479 | 0 | sigOut, &args->sigLen, (ecc_key*)ssl->hsKey, |
10480 | | #ifdef HAVE_PK_CALLBACKS |
10481 | | ssl->buffers.key |
10482 | | #else |
10483 | 0 | NULL |
10484 | 0 | #endif |
10485 | 0 | ); |
10486 | 0 | } |
10487 | 0 | args->length = (word16)args->sigLen; |
10488 | 0 | } |
10489 | 0 | #endif /* HAVE_ECC */ |
10490 | | #ifdef HAVE_ED25519 |
10491 | | if (ssl->hsType == DYNAMIC_TYPE_ED25519) { |
10492 | | ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz, |
10493 | | sigOut, &args->sigLen, (ed25519_key*)ssl->hsKey, |
10494 | | #ifdef HAVE_PK_CALLBACKS |
10495 | | ssl->buffers.key |
10496 | | #else |
10497 | | NULL |
10498 | | #endif |
10499 | | ); |
10500 | | args->length = (word16)args->sigLen; |
10501 | | } |
10502 | | #endif |
10503 | | #ifdef HAVE_ED448 |
10504 | | if (ssl->hsType == DYNAMIC_TYPE_ED448) { |
10505 | | ret = Ed448Sign(ssl, args->sigData, args->sigDataSz, |
10506 | | sigOut, &args->sigLen, (ed448_key*)ssl->hsKey, |
10507 | | #ifdef HAVE_PK_CALLBACKS |
10508 | | ssl->buffers.key |
10509 | | #else |
10510 | | NULL |
10511 | | #endif |
10512 | | ); |
10513 | | args->length = (word16)args->sigLen; |
10514 | | } |
10515 | | #endif |
10516 | | #if defined(HAVE_FALCON) |
10517 | | if (ssl->hsType == DYNAMIC_TYPE_FALCON) { |
10518 | | ret = wc_falcon_sign_msg(args->sigData, args->sigDataSz, |
10519 | | sigOut, &args->sigLen, |
10520 | | (falcon_key*)ssl->hsKey, ssl->rng); |
10521 | | args->length = (word16)args->sigLen; |
10522 | | } |
10523 | | #endif /* HAVE_FALCON */ |
10524 | | #if defined(WOLFSSL_HAVE_MLDSA) && !defined(WOLFSSL_MLDSA_NO_SIGN) |
10525 | | if (ssl->hsType == DYNAMIC_TYPE_MLDSA) { |
10526 | | ret = wc_MlDsaKey_SignCtx((wc_MlDsaKey*)ssl->hsKey, NULL, 0, |
10527 | | sigOut, &args->sigLen, |
10528 | | args->sigData, args->sigDataSz, |
10529 | | ssl->rng); |
10530 | | args->length = (word16)args->sigLen; |
10531 | | } |
10532 | | #endif /* WOLFSSL_HAVE_MLDSA */ |
10533 | 0 | #if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \ |
10534 | 0 | !defined(WOLFSSL_RSA_VERIFY_ONLY) |
10535 | 0 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
10536 | 0 | args->toSign = rsaSigBuf->buffer; |
10537 | 0 | args->toSignSz = (word32)rsaSigBuf->length; |
10538 | | #if defined(HAVE_PK_CALLBACKS) && \ |
10539 | | defined(TLS13_RSA_PSS_SIGN_CB_NO_PREHASH) |
10540 | | /* Pass full data to sign (args->sigData), not hash of */ |
10541 | | if (ssl->ctx->RsaPssSignCb) { |
10542 | | args->toSign = args->sigData; |
10543 | | args->toSignSz = args->sigDataSz; |
10544 | | } |
10545 | | #endif |
10546 | 0 | ret = RsaSign(ssl, (const byte*)args->toSign, args->toSignSz, |
10547 | 0 | sigOut, &args->sigLen, args->sigAlgo, |
10548 | 0 | ssl->options.hashAlgo, (RsaKey*)ssl->hsKey, |
10549 | 0 | ssl->buffers.key); |
10550 | 0 | if (ret == 0) { |
10551 | 0 | args->length = (word16)args->sigLen; |
10552 | 0 | XMEMCPY(args->sigData, sigOut, args->sigLen); |
10553 | 0 | } |
10554 | 0 | } |
10555 | 0 | #endif /* !NO_RSA && !WOLFSSL_RSA_PUBLIC_ONLY && !WOLFSSL_RSA_VERIFY_ONLY */ |
10556 | | |
10557 | | /* Check for error */ |
10558 | 0 | if (ret != 0) { |
10559 | 0 | goto exit_scv; |
10560 | 0 | } |
10561 | | |
10562 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10563 | | if (ssl->sigSpec != NULL && |
10564 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
10565 | | /* Add signature length for the first signature. */ |
10566 | | c16toa((word16)args->sigLen, sigOut - OPAQUE16_LEN); |
10567 | | args->length += OPAQUE16_LEN; |
10568 | | |
10569 | | /* Advance our pointer to where we store the alt signature. |
10570 | | * We also add additional space for the length field of the |
10571 | | * second signature. */ |
10572 | | sigOut += args->sigLen + OPAQUE16_LEN; |
10573 | | |
10574 | | /* Generate the alternative signature */ |
10575 | | #ifdef HAVE_ECC |
10576 | | if (ssl->hsAltType == DYNAMIC_TYPE_ECC) { |
10577 | | ret = EccSign(ssl, args->altSigData, args->altSigDataSz, |
10578 | | sigOut, &args->altSigLen, |
10579 | | (ecc_key*)ssl->hsAltKey, |
10580 | | #ifdef HAVE_PK_CALLBACKS |
10581 | | ssl->buffers.altKey |
10582 | | #else |
10583 | | NULL |
10584 | | #endif |
10585 | | ); |
10586 | | } |
10587 | | #endif /* HAVE_ECC */ |
10588 | | #if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) && \ |
10589 | | !defined(WOLFSSL_RSA_VERIFY_ONLY) |
10590 | | if (ssl->hsAltType == DYNAMIC_TYPE_RSA) { |
10591 | | args->toSign = rsaSigBuf->buffer; |
10592 | | args->toSignSz = (word32)rsaSigBuf->length; |
10593 | | #if defined(HAVE_PK_CALLBACKS) && \ |
10594 | | defined(TLS13_RSA_PSS_SIGN_CB_NO_PREHASH) |
10595 | | /* Pass full data to sign (args->altSigData), not hash of */ |
10596 | | if (ssl->ctx->RsaPssSignCb) { |
10597 | | args->toSign = args->altSigData; |
10598 | | args->toSignSz = (word32)args->altSigDataSz; |
10599 | | } |
10600 | | #endif |
10601 | | ret = RsaSign(ssl, (const byte*)args->toSign, |
10602 | | args->toSignSz, sigOut, &args->altSigLen, |
10603 | | args->altSigAlgo, ssl->options.hashAlgo, |
10604 | | (RsaKey*)ssl->hsAltKey, |
10605 | | ssl->buffers.altKey); |
10606 | | |
10607 | | if (ret == 0) { |
10608 | | XMEMCPY(args->altSigData, sigOut, args->altSigLen); |
10609 | | } |
10610 | | } |
10611 | | #endif /* !NO_RSA && !WOLFSSL_RSA_PUBLIC_ONLY && !WOLFSSL_RSA_VERIFY_ONLY */ |
10612 | | #if defined(HAVE_FALCON) |
10613 | | if (ssl->hsAltType == DYNAMIC_TYPE_FALCON) { |
10614 | | ret = wc_falcon_sign_msg(args->altSigData, |
10615 | | args->altSigDataSz, sigOut, |
10616 | | &args->altSigLen, |
10617 | | (falcon_key*)ssl->hsAltKey, |
10618 | | ssl->rng); |
10619 | | } |
10620 | | #endif /* HAVE_FALCON */ |
10621 | | #if defined(WOLFSSL_HAVE_MLDSA) && !defined(WOLFSSL_MLDSA_NO_SIGN) |
10622 | | if (ssl->hsAltType == DYNAMIC_TYPE_MLDSA) { |
10623 | | ret = wc_MlDsaKey_SignCtx((wc_MlDsaKey*)ssl->hsAltKey, |
10624 | | NULL, 0, sigOut, &args->altSigLen, |
10625 | | args->altSigData, args->altSigDataSz, ssl->rng); |
10626 | | } |
10627 | | #endif /* WOLFSSL_HAVE_MLDSA */ |
10628 | | |
10629 | | /* Check for error */ |
10630 | | if (ret != 0) { |
10631 | | goto exit_scv; |
10632 | | } |
10633 | | |
10634 | | /* Add signature length for the alternative signature. */ |
10635 | | c16toa((word16)args->altSigLen, sigOut - OPAQUE16_LEN); |
10636 | | |
10637 | | /* Add length of the alt sig to the total length */ |
10638 | | args->length += args->altSigLen + OPAQUE16_LEN; |
10639 | | } |
10640 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
10641 | | |
10642 | | /* Add signature length. */ |
10643 | 0 | c16toa(args->length, args->verify + HASH_SIG_SIZE); |
10644 | | |
10645 | | /* Advance state and proceed */ |
10646 | 0 | ssl->options.asyncState = TLS_ASYNC_VERIFY; |
10647 | 0 | } /* case TLS_ASYNC_DO */ |
10648 | 0 | FALL_THROUGH; |
10649 | |
|
10650 | 0 | case TLS_ASYNC_VERIFY: |
10651 | 0 | { |
10652 | 0 | #ifndef NO_RSA |
10653 | 0 | if (ssl->hsType == DYNAMIC_TYPE_RSA) { |
10654 | | /* check for signature faults */ |
10655 | 0 | ret = VerifyRsaSign(ssl, args->sigData, args->sigLen, |
10656 | 0 | rsaSigBuf->buffer, (word32)rsaSigBuf->length, args->sigAlgo, |
10657 | 0 | ssl->options.hashAlgo, (RsaKey*)ssl->hsKey, |
10658 | 0 | ssl->buffers.key); |
10659 | 0 | } |
10660 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10661 | | if (ssl->sigSpec != NULL && |
10662 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH && |
10663 | | ssl->hsAltType == DYNAMIC_TYPE_RSA) { |
10664 | | /* check for signature faults */ |
10665 | | ret = VerifyRsaSign(ssl, args->altSigData, args->altSigLen, |
10666 | | rsaSigBuf->buffer, (word32)rsaSigBuf->length, |
10667 | | args->altSigAlgo, ssl->options.hashAlgo, |
10668 | | (RsaKey*)ssl->hsAltKey, ssl->buffers.altKey); |
10669 | | } |
10670 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
10671 | 0 | #endif /* !NO_RSA */ |
10672 | | #if defined(HAVE_ECC) && defined(WOLFSSL_CHECK_SIG_FAULTS) |
10673 | | if (ssl->hsType == DYNAMIC_TYPE_ECC) { |
10674 | | byte* sigOut = args->verify + HASH_SIG_SIZE + VERIFY_HEADER; |
10675 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10676 | | if (ssl->sigSpec != NULL && |
10677 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
10678 | | /* Add our length offset. */ |
10679 | | sigOut += OPAQUE16_LEN; |
10680 | | } |
10681 | | #endif |
10682 | | #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) |
10683 | | if (ssl->buffers.keyType == sm2_sa_algo) { |
10684 | | ret = Sm2wSm3Verify(ssl, TLS13_SM2_SIG_ID, |
10685 | | TLS13_SM2_SIG_ID_SZ, |
10686 | | sigOut, args->sigLen, args->sigData, args->sigDataSz, |
10687 | | (ecc_key*)ssl->hsKey, NULL); |
10688 | | } |
10689 | | else |
10690 | | #endif |
10691 | | { |
10692 | | #ifdef HAVE_PK_CALLBACKS |
10693 | | buffer tmp; |
10694 | | |
10695 | | tmp.length = ssl->buffers.key->length; |
10696 | | tmp.buffer = ssl->buffers.key->buffer; |
10697 | | #endif |
10698 | | ret = EccVerify(ssl, sigOut, args->sigLen, |
10699 | | args->sigData, args->sigDataSz, |
10700 | | (ecc_key*)ssl->hsKey, |
10701 | | #ifdef HAVE_PK_CALLBACKS |
10702 | | &tmp |
10703 | | #else |
10704 | | NULL |
10705 | | #endif |
10706 | | ); |
10707 | | } |
10708 | | } |
10709 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10710 | | if (ssl->sigSpec != NULL && |
10711 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH && |
10712 | | ssl->hsAltType == DYNAMIC_TYPE_ECC) { |
10713 | | /* check for signature faults */ |
10714 | | byte* sigOut = args->verify + HASH_SIG_SIZE + VERIFY_HEADER + |
10715 | | args->sigLen + OPAQUE16_LEN + OPAQUE16_LEN; |
10716 | | #ifdef HAVE_PK_CALLBACKS |
10717 | | buffer tmp; |
10718 | | tmp.length = ssl->buffers.altKey->length; |
10719 | | tmp.buffer = ssl->buffers.altKey->buffer; |
10720 | | #endif |
10721 | | ret = EccVerify(ssl, sigOut, args->altSigLen, |
10722 | | args->altSigData, args->altSigDataSz, |
10723 | | (ecc_key*)ssl->hsAltKey, |
10724 | | #ifdef HAVE_PK_CALLBACKS |
10725 | | &tmp |
10726 | | #else |
10727 | | NULL |
10728 | | #endif |
10729 | | ); |
10730 | | } |
10731 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
10732 | | #endif /* HAVE_ECC && WOLFSSL_CHECK_SIG_FAULTS */ |
10733 | | |
10734 | | /* Check for error */ |
10735 | 0 | if (ret != 0) { |
10736 | 0 | goto exit_scv; |
10737 | 0 | } |
10738 | | |
10739 | | /* Advance state and proceed */ |
10740 | 0 | ssl->options.asyncState = TLS_ASYNC_FINALIZE; |
10741 | 0 | } /* case TLS_ASYNC_VERIFY */ |
10742 | 0 | FALL_THROUGH; |
10743 | |
|
10744 | 0 | case TLS_ASYNC_FINALIZE: |
10745 | 0 | { |
10746 | | /* Put the record and handshake headers on. */ |
10747 | 0 | AddTls13Headers(args->output, args->length + HASH_SIG_SIZE + |
10748 | 0 | VERIFY_HEADER, certificate_verify, ssl); |
10749 | |
|
10750 | 0 | args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + |
10751 | 0 | args->length + HASH_SIG_SIZE + VERIFY_HEADER; |
10752 | | #ifdef WOLFSSL_DTLS13 |
10753 | | if (ssl->options.dtls) |
10754 | | args->sendSz += recordLayerHdrExtra + DTLS_HANDSHAKE_EXTRA; |
10755 | | |
10756 | | #endif /* WOLFSSL_DTLS13 */ |
10757 | | /* Advance state and proceed */ |
10758 | 0 | ssl->options.asyncState = TLS_ASYNC_END; |
10759 | 0 | } /* case TLS_ASYNC_FINALIZE */ |
10760 | 0 | FALL_THROUGH; |
10761 | |
|
10762 | 0 | case TLS_ASYNC_END: |
10763 | 0 | { |
10764 | | #ifdef WOLFSSL_DTLS13 |
10765 | | if (ssl->options.dtls) { |
10766 | | ssl->options.buildingMsg = 0; |
10767 | | ret = Dtls13HandshakeSend(ssl, args->output, |
10768 | | WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA + MAX_MSG_EXTRA, |
10769 | | (word16)args->sendSz, certificate_verify, 1); |
10770 | | if (ret != 0) |
10771 | | goto exit_scv; |
10772 | | |
10773 | | break; |
10774 | | } |
10775 | | #endif /* WOLFSSL_DTLS13 */ |
10776 | | |
10777 | | /* This message is always encrypted. */ |
10778 | 0 | ret = BuildTls13Message(ssl, args->output, |
10779 | 0 | WC_MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA, |
10780 | 0 | args->output + RECORD_HEADER_SZ, |
10781 | 0 | args->sendSz - RECORD_HEADER_SZ, handshake, |
10782 | 0 | 1, 0, 0); |
10783 | |
|
10784 | 0 | if (ret < 0) { |
10785 | 0 | goto exit_scv; |
10786 | 0 | } |
10787 | 0 | else { |
10788 | 0 | args->sendSz = ret; |
10789 | 0 | ret = 0; |
10790 | 0 | } |
10791 | | |
10792 | | #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) |
10793 | | if (ssl->hsInfoOn) |
10794 | | AddPacketName(ssl, "CertificateVerify"); |
10795 | | if (ssl->toInfoOn) { |
10796 | | ret = AddPacketInfo(ssl, "CertificateVerify", handshake, |
10797 | | args->output, args->sendSz, WRITE_PROTO, 0, |
10798 | | ssl->heap); |
10799 | | if (ret != 0) |
10800 | | goto exit_scv; |
10801 | | } |
10802 | | #endif |
10803 | | |
10804 | 0 | ssl->buffers.outputBuffer.length += (word32)args->sendSz; |
10805 | 0 | ssl->options.buildingMsg = 0; |
10806 | 0 | if (!ssl->options.groupMessages) |
10807 | 0 | ret = SendBuffered(ssl); |
10808 | 0 | break; |
10809 | 0 | } |
10810 | 0 | default: |
10811 | 0 | ret = INPUT_CASE_ERROR; |
10812 | 0 | } /* switch(ssl->options.asyncState) */ |
10813 | | |
10814 | 0 | exit_scv: |
10815 | | #ifdef WOLFSSL_BLIND_PRIVATE_KEY |
10816 | | if (ret == 0) { |
10817 | | ret = wolfssl_priv_der_blind(ssl->rng, ssl->buffers.key, |
10818 | | &ssl->buffers.keyMask); |
10819 | | } |
10820 | | else { |
10821 | | wolfssl_priv_der_blind_toggle(ssl->buffers.key, ssl->buffers.keyMask); |
10822 | | } |
10823 | | #endif |
10824 | |
|
10825 | 0 | WOLFSSL_LEAVE("SendTls13CertificateVerify", ret); |
10826 | 0 | WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND); |
10827 | |
|
10828 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10829 | | /* Handle async operation */ |
10830 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
10831 | | return ret; |
10832 | | } |
10833 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
10834 | | |
10835 | | /* Final cleanup */ |
10836 | 0 | FreeScv13Args(ssl, args); |
10837 | 0 | FreeKeyExchange(ssl); |
10838 | 0 | #ifdef WOLFSSL_ASYNC_IO |
10839 | | /* Cleanup async */ |
10840 | 0 | FreeAsyncCtx(ssl, 0); |
10841 | 0 | #endif |
10842 | |
|
10843 | 0 | if (ret != 0) { |
10844 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
10845 | 0 | } |
10846 | |
|
10847 | 0 | return ret; |
10848 | 0 | } |
10849 | | #endif |
10850 | | #endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ |
10851 | | |
10852 | | #if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH) |
10853 | | /* handle processing TLS v1.3 certificate (11) */ |
10854 | | /* Parse and handle a TLS v1.3 Certificate message. |
10855 | | * |
10856 | | * ssl The SSL/TLS object. |
10857 | | * input The message buffer. |
10858 | | * inOutIdx On entry, the index into the message buffer of Certificate. |
10859 | | * On exit, the index of byte after the Certificate message. |
10860 | | * totalSz The length of the current handshake message. |
10861 | | * returns 0 on success and otherwise failure. |
10862 | | */ |
10863 | | static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, |
10864 | | word32 totalSz) |
10865 | 0 | { |
10866 | 0 | int ret = 0; |
10867 | |
|
10868 | 0 | WOLFSSL_START(WC_FUNC_CERTIFICATE_DO); |
10869 | 0 | WOLFSSL_ENTER("DoTls13Certificate"); |
10870 | |
|
10871 | | #ifdef WOLFSSL_DTLS13 |
10872 | | if (ssl->options.dtls && ssl->options.handShakeDone) { |
10873 | | /* certificate needs some special care after the handshake */ |
10874 | | ret = Dtls13RtxProcessingCertificate( |
10875 | | ssl, input + *inOutIdx, totalSz); |
10876 | | } |
10877 | | #endif /* WOLFSSL_DTLS13 */ |
10878 | |
|
10879 | 0 | if (ret == 0) |
10880 | 0 | ret = ProcessPeerCerts(ssl, input, inOutIdx, totalSz); |
10881 | 0 | if (ret == 0) { |
10882 | 0 | #if !defined(NO_WOLFSSL_CLIENT) |
10883 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
10884 | 0 | ssl->options.serverState = SERVER_CERT_COMPLETE; |
10885 | 0 | #endif |
10886 | | #if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) |
10887 | | if (ssl->options.side == WOLFSSL_SERVER_END && |
10888 | | ssl->options.handShakeState == HANDSHAKE_DONE) { |
10889 | | /* reset handshake states */ |
10890 | | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
10891 | | ssl->options.acceptState = TICKET_SENT; |
10892 | | ssl->options.handShakeState = SERVER_FINISHED_COMPLETE; |
10893 | | } |
10894 | | #endif |
10895 | 0 | } |
10896 | |
|
10897 | 0 | WOLFSSL_LEAVE("DoTls13Certificate", ret); |
10898 | 0 | WOLFSSL_END(WC_FUNC_CERTIFICATE_DO); |
10899 | |
|
10900 | 0 | return ret; |
10901 | 0 | } |
10902 | | #endif |
10903 | | |
10904 | | #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ |
10905 | | defined(HAVE_ED448) || defined(HAVE_FALCON) || \ |
10906 | | defined(WOLFSSL_HAVE_MLDSA)) && !defined(NO_CERTS) |
10907 | | |
10908 | | typedef struct Dcv13Args { |
10909 | | byte* output; /* not allocated */ |
10910 | | word32 sendSz; |
10911 | | word16 sz; |
10912 | | word32 sigSz; |
10913 | | word32 idx; |
10914 | | word32 begin; |
10915 | | |
10916 | | byte* sigData; |
10917 | | word16 sigDataSz; |
10918 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10919 | | byte altSigAlgo; |
10920 | | byte* altSigData; |
10921 | | word32 altSigDataSz; |
10922 | | word32 altSignatureSz; |
10923 | | byte altPeerAuthGood; |
10924 | | #endif |
10925 | | } Dcv13Args; |
10926 | | |
10927 | | static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs) |
10928 | 0 | { |
10929 | 0 | Dcv13Args* args = (Dcv13Args*)pArgs; |
10930 | |
|
10931 | 0 | if (args && args->sigData != NULL) { |
10932 | 0 | XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
10933 | 0 | args->sigData = NULL; |
10934 | 0 | } |
10935 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10936 | | if (args && args->altSigData != NULL) { |
10937 | | XFREE(args->altSigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE); |
10938 | | args->altSigData = NULL; |
10939 | | } |
10940 | | #endif |
10941 | 0 | (void)ssl; |
10942 | 0 | } |
10943 | | |
10944 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
10945 | | #ifndef NO_RSA |
10946 | | /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a |
10947 | | * RSA public key. Convert it into a usable public key. */ |
10948 | | static int decodeRsaKey(WOLFSSL* ssl) |
10949 | | { |
10950 | | int keyRet; |
10951 | | word32 tmpIdx = 0; |
10952 | | |
10953 | | if (ssl->peerRsaKeyPresent) |
10954 | | return INVALID_PARAMETER; |
10955 | | |
10956 | | keyRet = AllocKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); |
10957 | | if (keyRet != 0) |
10958 | | return PEER_KEY_ERROR; |
10959 | | |
10960 | | ssl->peerRsaKeyPresent = 1; |
10961 | | keyRet = wc_RsaPublicKeyDecode(ssl->peerCert.sapkiDer, &tmpIdx, |
10962 | | ssl->peerRsaKey, |
10963 | | ssl->peerCert.sapkiLen); |
10964 | | if (keyRet != 0) |
10965 | | return PEER_KEY_ERROR; |
10966 | | |
10967 | | return 0; |
10968 | | } |
10969 | | #endif /* !NO_RSA */ |
10970 | | |
10971 | | #ifdef HAVE_ECC |
10972 | | /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a |
10973 | | * ECC public key. Convert it into a usable public key. */ |
10974 | | static int decodeEccKey(WOLFSSL* ssl) |
10975 | | { |
10976 | | int keyRet; |
10977 | | word32 tmpIdx = 0; |
10978 | | |
10979 | | if (ssl->peerEccDsaKeyPresent) |
10980 | | return INVALID_PARAMETER; |
10981 | | |
10982 | | keyRet = AllocKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey); |
10983 | | if (keyRet != 0) |
10984 | | return PEER_KEY_ERROR; |
10985 | | |
10986 | | ssl->peerEccDsaKeyPresent = 1; |
10987 | | keyRet = wc_EccPublicKeyDecode(ssl->peerCert.sapkiDer, &tmpIdx, |
10988 | | ssl->peerEccDsaKey, |
10989 | | ssl->peerCert.sapkiLen); |
10990 | | if (keyRet != 0) |
10991 | | return PEER_KEY_ERROR; |
10992 | | |
10993 | | return 0; |
10994 | | } |
10995 | | #endif /* HAVE_ECC */ |
10996 | | |
10997 | | #ifdef WOLFSSL_HAVE_MLDSA |
10998 | | /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a |
10999 | | * ML-DSA public key. Convert it into a usable public key. */ |
11000 | | static int decodeMlDsaKey(WOLFSSL* ssl, int level) |
11001 | | { |
11002 | | int keyRet; |
11003 | | word32 tmpIdx = 0; |
11004 | | |
11005 | | if (ssl->peerMlDsaKeyPresent) |
11006 | | return INVALID_PARAMETER; |
11007 | | |
11008 | | keyRet = AllocKey(ssl, DYNAMIC_TYPE_MLDSA, |
11009 | | (void**)&ssl->peerMlDsaKey); |
11010 | | if (keyRet != 0) |
11011 | | return PEER_KEY_ERROR; |
11012 | | |
11013 | | ssl->peerMlDsaKeyPresent = 1; |
11014 | | keyRet = wc_MlDsaKey_SetParams(ssl->peerMlDsaKey, level); |
11015 | | if (keyRet != 0) |
11016 | | return PEER_KEY_ERROR; |
11017 | | |
11018 | | keyRet = wc_MlDsaKey_PublicKeyDecode(ssl->peerMlDsaKey, |
11019 | | ssl->peerCert.sapkiDer, |
11020 | | ssl->peerCert.sapkiLen, &tmpIdx); |
11021 | | if (keyRet != 0) |
11022 | | return PEER_KEY_ERROR; |
11023 | | |
11024 | | return 0; |
11025 | | } |
11026 | | #endif /* WOLFSSL_HAVE_MLDSA */ |
11027 | | |
11028 | | #ifdef HAVE_FALCON |
11029 | | /* ssl->peerCert->sapkiDer is the alternative public key. Hopefully it is a |
11030 | | * falcon public key. Convert it into a usable public key. */ |
11031 | | static int decodeFalconKey(WOLFSSL* ssl, int level) |
11032 | | { |
11033 | | int keyRet; |
11034 | | word32 tmpIdx = 0; |
11035 | | |
11036 | | if (ssl->peerFalconKeyPresent) |
11037 | | return INVALID_PARAMETER; |
11038 | | |
11039 | | keyRet = AllocKey(ssl, DYNAMIC_TYPE_FALCON, (void**)&ssl->peerFalconKey); |
11040 | | if (keyRet != 0) |
11041 | | return PEER_KEY_ERROR; |
11042 | | |
11043 | | ssl->peerFalconKeyPresent = 1; |
11044 | | keyRet = wc_falcon_set_level(ssl->peerFalconKey, level); |
11045 | | if (keyRet != 0) |
11046 | | return PEER_KEY_ERROR; |
11047 | | |
11048 | | keyRet = wc_Falcon_PublicKeyDecode(ssl->peerCert.sapkiDer, &tmpIdx, |
11049 | | ssl->peerFalconKey, |
11050 | | ssl->peerCert.sapkiLen); |
11051 | | if (keyRet != 0) |
11052 | | return PEER_KEY_ERROR; |
11053 | | |
11054 | | return 0; |
11055 | | } |
11056 | | #endif /* HAVE_FALCON */ |
11057 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11058 | | |
11059 | | /* handle processing TLS v1.3 certificate_verify (15) */ |
11060 | | /* Parse and handle a TLS v1.3 CertificateVerify message. |
11061 | | * |
11062 | | * ssl The SSL/TLS object. |
11063 | | * input The message buffer. |
11064 | | * inOutIdx On entry, the index into the message buffer of |
11065 | | * CertificateVerify. |
11066 | | * On exit, the index of byte after the CertificateVerify message. |
11067 | | * totalSz The length of the current handshake message. |
11068 | | * returns 0 on success and otherwise failure. |
11069 | | */ |
11070 | | static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input, |
11071 | | word32* inOutIdx, word32 totalSz) |
11072 | 0 | { |
11073 | 0 | int ret = 0; |
11074 | 0 | byte* sig = NULL; |
11075 | 0 | #ifndef NO_RSA |
11076 | | /* Use this as a temporary buffer for RSA signature verification. */ |
11077 | 0 | buffer* rsaSigBuf = &ssl->buffers.sig; |
11078 | 0 | #endif |
11079 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11080 | | Dcv13Args* args = NULL; |
11081 | | WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args); |
11082 | | #else |
11083 | 0 | Dcv13Args args[1]; |
11084 | 0 | #endif |
11085 | |
|
11086 | 0 | WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO); |
11087 | 0 | WOLFSSL_ENTER("DoTls13CertificateVerify"); |
11088 | |
|
11089 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
11090 | | ret = tsip_Tls13CertificateVerify(ssl, input, inOutIdx, totalSz); |
11091 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { |
11092 | | goto exit_dcv; |
11093 | | } |
11094 | | ret = 0; |
11095 | | #endif |
11096 | |
|
11097 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11098 | | if (ssl->async == NULL) { |
11099 | | ssl->async = (struct WOLFSSL_ASYNC*) |
11100 | | XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap, |
11101 | | DYNAMIC_TYPE_ASYNC); |
11102 | | if (ssl->async == NULL) |
11103 | | ERROR_OUT(MEMORY_E, exit_dcv); |
11104 | | } |
11105 | | args = (Dcv13Args*)ssl->async->args; |
11106 | | |
11107 | | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState); |
11108 | | if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) { |
11109 | | /* Check for error */ |
11110 | | if (ret < 0) |
11111 | | goto exit_dcv; |
11112 | | } |
11113 | | else |
11114 | | #endif |
11115 | 0 | { |
11116 | | /* Reset state */ |
11117 | 0 | ret = 0; |
11118 | 0 | ssl->options.asyncState = TLS_ASYNC_BEGIN; |
11119 | 0 | XMEMSET(args, 0, sizeof(Dcv13Args)); |
11120 | 0 | ssl->options.peerHashAlgo = sha_mac; |
11121 | 0 | ssl->options.peerSigAlgo = anonymous_sa_algo; |
11122 | 0 | args->idx = *inOutIdx; |
11123 | 0 | args->begin = *inOutIdx; |
11124 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11125 | | ssl->async->freeArgs = FreeDcv13Args; |
11126 | | #endif |
11127 | 0 | } |
11128 | |
|
11129 | 0 | switch(ssl->options.asyncState) |
11130 | 0 | { |
11131 | 0 | case TLS_ASYNC_BEGIN: |
11132 | 0 | { |
11133 | | #ifdef WOLFSSL_CALLBACKS |
11134 | | if (ssl->hsInfoOn) AddPacketName(ssl, "CertificateVerify"); |
11135 | | if (ssl->toInfoOn) AddLateName("CertificateVerify", |
11136 | | &ssl->timeoutInfo); |
11137 | | #endif |
11138 | | |
11139 | | /* Advance state and proceed */ |
11140 | 0 | ssl->options.asyncState = TLS_ASYNC_BUILD; |
11141 | 0 | } /* case TLS_ASYNC_BEGIN */ |
11142 | 0 | FALL_THROUGH; |
11143 | |
|
11144 | 0 | case TLS_ASYNC_BUILD: |
11145 | 0 | { |
11146 | 0 | int validSigAlgo; |
11147 | 0 | const Suites* suites = WOLFSSL_SUITES(ssl); |
11148 | 0 | word16 i; |
11149 | | |
11150 | | /* Signature algorithm. */ |
11151 | 0 | if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) { |
11152 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
11153 | 0 | } |
11154 | | |
11155 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11156 | | if (ssl->peerSigSpec == NULL) { |
11157 | | /* The peer did not respond. We didn't send CKS or they don't |
11158 | | * support it. Either way, we do not need to handle dual |
11159 | | * key/sig case. */ |
11160 | | ssl->sigSpec = NULL; |
11161 | | ssl->sigSpecSz = 0; |
11162 | | } |
11163 | | |
11164 | | /* If no CKS extension or either native or alternative, then just |
11165 | | * get a normal sigalgo. But if BOTH, then get the native and alt |
11166 | | * sig algos. */ |
11167 | | if (ssl->sigSpec == NULL || |
11168 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_NATIVE || |
11169 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) { |
11170 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11171 | 0 | validSigAlgo = 0; |
11172 | 0 | for (i = 0; i < suites->hashSigAlgoSz; i += 2) { |
11173 | 0 | if ((suites->hashSigAlgo[i + 0] == input[args->idx + 0]) && |
11174 | 0 | (suites->hashSigAlgo[i + 1] == input[args->idx + 1])) { |
11175 | 0 | validSigAlgo = 1; |
11176 | 0 | break; |
11177 | 0 | } |
11178 | 0 | } |
11179 | 0 | if (!validSigAlgo) { |
11180 | 0 | ERROR_OUT(INVALID_PARAMETER, exit_dcv); |
11181 | 0 | } |
11182 | | |
11183 | 0 | ret = DecodeTls13SigAlg(input + args->idx, |
11184 | 0 | &ssl->options.peerHashAlgo, &ssl->options.peerSigAlgo); |
11185 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11186 | | } |
11187 | | else { |
11188 | | ret = DecodeTls13HybridSigAlg(input + args->idx, |
11189 | | &ssl->options.peerHashAlgo, |
11190 | | &ssl->options.peerSigAlgo, |
11191 | | &args->altSigAlgo); |
11192 | | } |
11193 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11194 | |
|
11195 | 0 | if (ret < 0) |
11196 | 0 | goto exit_dcv; |
11197 | 0 | args->idx += OPAQUE16_LEN; |
11198 | | |
11199 | | /* Signature length. */ |
11200 | 0 | if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) { |
11201 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
11202 | 0 | } |
11203 | 0 | ato16(input + args->idx, &args->sz); |
11204 | 0 | args->idx += OPAQUE16_LEN; |
11205 | | |
11206 | | /* Signature data. */ |
11207 | 0 | if ((args->idx - args->begin) + args->sz > totalSz) { |
11208 | 0 | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
11209 | 0 | } |
11210 | | |
11211 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11212 | | if ((ssl->sigSpec != NULL) && |
11213 | | (*ssl->sigSpec != WOLFSSL_CKS_SIGSPEC_NATIVE)) { |
11214 | | |
11215 | | word16 sa; |
11216 | | if (args->altSigAlgo == 0) |
11217 | | sa = ssl->options.peerSigAlgo; |
11218 | | else |
11219 | | sa = args->altSigAlgo; |
11220 | | |
11221 | | switch(sa) { |
11222 | | #ifndef NO_RSA |
11223 | | case rsa_pss_sa_algo: |
11224 | | ret = decodeRsaKey(ssl); |
11225 | | break; |
11226 | | #endif |
11227 | | #ifdef HAVE_ECC |
11228 | | case ecc_dsa_sa_algo: |
11229 | | ret = decodeEccKey(ssl); |
11230 | | break; |
11231 | | #endif |
11232 | | #ifdef WOLFSSL_HAVE_MLDSA |
11233 | | case mldsa_44_sa_algo: |
11234 | | ret = decodeMlDsaKey(ssl, WC_ML_DSA_44); |
11235 | | break; |
11236 | | case mldsa_65_sa_algo: |
11237 | | ret = decodeMlDsaKey(ssl, WC_ML_DSA_65); |
11238 | | break; |
11239 | | case mldsa_87_sa_algo: |
11240 | | ret = decodeMlDsaKey(ssl, WC_ML_DSA_87); |
11241 | | break; |
11242 | | #endif |
11243 | | #ifdef HAVE_FALCON |
11244 | | case falcon_level1_sa_algo: |
11245 | | ret = decodeFalconKey(ssl, 1); |
11246 | | break; |
11247 | | case falcon_level5_sa_algo: |
11248 | | ret = decodeFalconKey(ssl, 5); |
11249 | | break; |
11250 | | #endif |
11251 | | default: |
11252 | | ERROR_OUT(PEER_KEY_ERROR, exit_dcv); |
11253 | | } |
11254 | | |
11255 | | if (ret != 0) |
11256 | | ERROR_OUT(ret, exit_dcv); |
11257 | | |
11258 | | if (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_ALTERNATIVE) { |
11259 | | /* Now swap in the alternative by removing the native. |
11260 | | * sa contains the alternative signature type. */ |
11261 | | #ifndef NO_RSA |
11262 | | if (ssl->peerRsaKeyPresent && sa != rsa_pss_sa_algo) { |
11263 | | FreeKey(ssl, DYNAMIC_TYPE_RSA, |
11264 | | (void**)&ssl->peerRsaKey); |
11265 | | ssl->peerRsaKeyPresent = 0; |
11266 | | } |
11267 | | #endif |
11268 | | #ifdef HAVE_ECC |
11269 | | else if (ssl->peerEccDsaKeyPresent && |
11270 | | sa != ecc_dsa_sa_algo) { |
11271 | | FreeKey(ssl, DYNAMIC_TYPE_ECC, |
11272 | | (void**)&ssl->peerEccDsaKey); |
11273 | | ssl->peerEccDsaKeyPresent = 0; |
11274 | | } |
11275 | | #endif |
11276 | | #ifdef WOLFSSL_HAVE_MLDSA |
11277 | | else if (ssl->peerMlDsaKeyPresent && |
11278 | | sa != mldsa_44_sa_algo && |
11279 | | sa != mldsa_65_sa_algo && |
11280 | | sa != mldsa_87_sa_algo) { |
11281 | | FreeKey(ssl, DYNAMIC_TYPE_MLDSA, |
11282 | | (void**)&ssl->peerMlDsaKey); |
11283 | | ssl->peerMlDsaKeyPresent = 0; |
11284 | | } |
11285 | | #endif |
11286 | | #ifdef HAVE_FALCON |
11287 | | else if (ssl->peerFalconKeyPresent && |
11288 | | sa != falcon_level1_sa_algo && |
11289 | | sa != falcon_level5_sa_algo) { |
11290 | | FreeKey(ssl, DYNAMIC_TYPE_FALCON, |
11291 | | (void**)&ssl->peerFalconKey); |
11292 | | ssl->peerFalconKeyPresent = 0; |
11293 | | } |
11294 | | #endif |
11295 | | else { |
11296 | | ERROR_OUT(PEER_KEY_ERROR, exit_dcv); |
11297 | | } |
11298 | | } |
11299 | | } |
11300 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11301 | | |
11302 | | /* Check for public key of required type. */ |
11303 | | /* Assume invalid unless signature algo matches the key provided */ |
11304 | 0 | validSigAlgo = 0; |
11305 | | #ifdef HAVE_ED25519 |
11306 | | if (ssl->options.peerSigAlgo == ed25519_sa_algo) { |
11307 | | WOLFSSL_MSG("Peer sent ED25519 sig"); |
11308 | | validSigAlgo = (ssl->peerEd25519Key != NULL) && |
11309 | | ssl->peerEd25519KeyPresent; |
11310 | | } |
11311 | | #endif |
11312 | | #ifdef HAVE_ED448 |
11313 | | if (ssl->options.peerSigAlgo == ed448_sa_algo) { |
11314 | | WOLFSSL_MSG("Peer sent ED448 sig"); |
11315 | | validSigAlgo = (ssl->peerEd448Key != NULL) && |
11316 | | ssl->peerEd448KeyPresent; |
11317 | | } |
11318 | | #endif |
11319 | 0 | #ifdef HAVE_ECC |
11320 | 0 | if (ssl->options.peerSigAlgo == ecc_dsa_sa_algo) { |
11321 | 0 | WOLFSSL_MSG("Peer sent ECC sig"); |
11322 | 0 | validSigAlgo = (ssl->peerEccDsaKey != NULL) && |
11323 | 0 | ssl->peerEccDsaKeyPresent; |
11324 | 0 | } |
11325 | 0 | #endif |
11326 | | #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) |
11327 | | if (ssl->options.peerSigAlgo == sm2_sa_algo) { |
11328 | | WOLFSSL_MSG("Peer sent SM2 sig"); |
11329 | | validSigAlgo = (ssl->peerEccDsaKey != NULL) && |
11330 | | ssl->peerEccDsaKeyPresent; |
11331 | | } |
11332 | | #endif |
11333 | | #ifdef HAVE_FALCON |
11334 | | if (ssl->options.peerSigAlgo == falcon_level1_sa_algo) { |
11335 | | WOLFSSL_MSG("Peer sent Falcon Level 1 sig"); |
11336 | | validSigAlgo = (ssl->peerFalconKey != NULL) && |
11337 | | ssl->peerFalconKeyPresent; |
11338 | | } |
11339 | | if (ssl->options.peerSigAlgo == falcon_level5_sa_algo) { |
11340 | | WOLFSSL_MSG("Peer sent Falcon Level 5 sig"); |
11341 | | validSigAlgo = (ssl->peerFalconKey != NULL) && |
11342 | | ssl->peerFalconKeyPresent; |
11343 | | } |
11344 | | #endif |
11345 | | #ifdef WOLFSSL_HAVE_MLDSA |
11346 | | if (ssl->options.peerSigAlgo == mldsa_44_sa_algo) { |
11347 | | WOLFSSL_MSG("Peer sent ML-DSA Level 2 sig"); |
11348 | | validSigAlgo = (ssl->peerMlDsaKey != NULL) && |
11349 | | ssl->peerMlDsaKeyPresent; |
11350 | | } |
11351 | | if (ssl->options.peerSigAlgo == mldsa_65_sa_algo) { |
11352 | | WOLFSSL_MSG("Peer sent ML-DSA Level 3 sig"); |
11353 | | validSigAlgo = (ssl->peerMlDsaKey != NULL) && |
11354 | | ssl->peerMlDsaKeyPresent; |
11355 | | } |
11356 | | if (ssl->options.peerSigAlgo == mldsa_87_sa_algo) { |
11357 | | WOLFSSL_MSG("Peer sent ML-DSA Level 5 sig"); |
11358 | | validSigAlgo = (ssl->peerMlDsaKey != NULL) && |
11359 | | ssl->peerMlDsaKeyPresent; |
11360 | | } |
11361 | | #endif |
11362 | 0 | #ifndef NO_RSA |
11363 | 0 | if (ssl->options.peerSigAlgo == rsa_sa_algo) { |
11364 | 0 | WOLFSSL_MSG("Peer sent PKCS#1.5 algo - not valid TLS 1.3"); |
11365 | 0 | ERROR_OUT(INVALID_PARAMETER, exit_dcv); |
11366 | 0 | } |
11367 | 0 | if (ssl->options.peerSigAlgo == rsa_pss_sa_algo) { |
11368 | 0 | WOLFSSL_MSG("Peer sent RSA sig"); |
11369 | 0 | validSigAlgo = (ssl->peerRsaKey != NULL) && |
11370 | 0 | ssl->peerRsaKeyPresent; |
11371 | 0 | } |
11372 | 0 | #endif |
11373 | 0 | if (!validSigAlgo) { |
11374 | 0 | WOLFSSL_MSG("Sig algo doesn't correspond to certificate"); |
11375 | 0 | ERROR_OUT(SIG_VERIFY_E, exit_dcv); |
11376 | 0 | } |
11377 | | |
11378 | 0 | args->sigSz = args->sz; |
11379 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11380 | | if (ssl->sigSpec != NULL && |
11381 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
11382 | | /* In case we received two signatures, both of them are encoded |
11383 | | * with their size as 16-bit integeter prior in memory. Hence, |
11384 | | * we can decode both lengths here now. */ |
11385 | | word32 tmpIdx = args->idx; |
11386 | | word16 tmpSz = 0; |
11387 | | if (args->sz < OPAQUE16_LEN) { |
11388 | | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
11389 | | } |
11390 | | ato16(input + tmpIdx, &tmpSz); |
11391 | | args->sigSz = tmpSz; |
11392 | | |
11393 | | tmpIdx += OPAQUE16_LEN + args->sigSz; |
11394 | | if (tmpIdx - args->idx + OPAQUE16_LEN > args->sz) { |
11395 | | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
11396 | | } |
11397 | | ato16(input + tmpIdx, &tmpSz); |
11398 | | args->altSignatureSz = tmpSz; |
11399 | | |
11400 | | if (args->sz != (args->sigSz + args->altSignatureSz + |
11401 | | OPAQUE16_LEN + OPAQUE16_LEN)) { |
11402 | | ERROR_OUT(BUFFER_ERROR, exit_dcv); |
11403 | | } |
11404 | | } |
11405 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11406 | |
|
11407 | 0 | #if !defined(NO_RSA) && defined(WC_RSA_PSS) |
11408 | | /* In case we have to verify an RSA signature, we have to store the |
11409 | | * signature in the 'rsaSigBuf' structure for further processing. |
11410 | | */ |
11411 | 0 | if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { |
11412 | 0 | word32 sigSz = args->sigSz; |
11413 | 0 | sig = input + args->idx; |
11414 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11415 | | /* Check if our alternative signature was RSA */ |
11416 | | if (ssl->sigSpec != NULL && |
11417 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
11418 | | if (ssl->options.peerSigAlgo != rsa_pss_sa_algo) { |
11419 | | /* We have to skip the first signature (length field |
11420 | | * and signature itself) and the length field of the |
11421 | | * alternative signature. */ |
11422 | | sig += OPAQUE16_LEN + OPAQUE16_LEN + args->sigSz; |
11423 | | sigSz = args->altSignatureSz; |
11424 | | } |
11425 | | else { |
11426 | | /* We have to skip the length field */ |
11427 | | sig += OPAQUE16_LEN; |
11428 | | } |
11429 | | } |
11430 | | #endif |
11431 | 0 | rsaSigBuf->buffer = (byte*)XMALLOC(sigSz, ssl->heap, |
11432 | 0 | DYNAMIC_TYPE_SIGNATURE); |
11433 | 0 | if (rsaSigBuf->buffer == NULL) { |
11434 | 0 | ERROR_OUT(MEMORY_E, exit_dcv); |
11435 | 0 | } |
11436 | 0 | rsaSigBuf->length = sigSz; |
11437 | 0 | XMEMCPY(rsaSigBuf->buffer, sig, rsaSigBuf->length); |
11438 | 0 | } |
11439 | 0 | #endif /* !NO_RSA && WC_RSA_PSS */ |
11440 | | |
11441 | 0 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap, |
11442 | 0 | DYNAMIC_TYPE_SIGNATURE); |
11443 | 0 | if (args->sigData == NULL) { |
11444 | 0 | ERROR_OUT(MEMORY_E, exit_dcv); |
11445 | 0 | } |
11446 | | |
11447 | 0 | ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1); |
11448 | 0 | if (ret < 0) |
11449 | 0 | goto exit_dcv; |
11450 | | |
11451 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11452 | | if ((ssl->sigSpec != NULL) && |
11453 | | (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH)) { |
11454 | | args->altSigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap, |
11455 | | DYNAMIC_TYPE_SIGNATURE); |
11456 | | if (args->altSigData == NULL) { |
11457 | | ERROR_OUT(MEMORY_E, exit_dcv); |
11458 | | } |
11459 | | XMEMCPY(args->altSigData, args->sigData, args->sigDataSz); |
11460 | | args->altSigDataSz = args->sigDataSz; |
11461 | | } |
11462 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11463 | | |
11464 | 0 | #ifdef HAVE_ECC |
11465 | 0 | if ((ssl->options.peerSigAlgo == ecc_dsa_sa_algo) && |
11466 | 0 | (ssl->peerEccDsaKeyPresent)) { |
11467 | 0 | ret = CreateECCEncodedSig(args->sigData, |
11468 | 0 | args->sigDataSz, ssl->options.peerHashAlgo); |
11469 | 0 | if (ret < 0) |
11470 | 0 | goto exit_dcv; |
11471 | 0 | args->sigDataSz = (word16)ret; |
11472 | 0 | ret = 0; |
11473 | 0 | } |
11474 | | |
11475 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11476 | | if ((ssl->sigSpec != NULL) && |
11477 | | (*ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) && |
11478 | | (args->altSigAlgo == ecc_dsa_sa_algo) && |
11479 | | (ssl->peerEccDsaKeyPresent)) { |
11480 | | ret = CreateECCEncodedSig(args->altSigData, |
11481 | | args->altSigDataSz, ssl->options.peerHashAlgo); |
11482 | | if (ret < 0) |
11483 | | goto exit_dcv; |
11484 | | args->altSigDataSz = (word16)ret; |
11485 | | ret = 0; |
11486 | | } |
11487 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11488 | 0 | #endif /* HAVE_ECC */ |
11489 | | |
11490 | | /* Advance state and proceed */ |
11491 | 0 | ssl->options.asyncState = TLS_ASYNC_DO; |
11492 | 0 | } /* case TLS_ASYNC_BUILD */ |
11493 | 0 | FALL_THROUGH; |
11494 | |
|
11495 | 0 | case TLS_ASYNC_DO: |
11496 | 0 | { |
11497 | 0 | sig = input + args->idx; |
11498 | 0 | (void)sig; |
11499 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11500 | | if (ssl->sigSpec != NULL && |
11501 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
11502 | | /* As we have two signatures in the message, we stored |
11503 | | * the length of each before the actual signature. This |
11504 | | * is necessary, as we could have two algorithms with |
11505 | | * variable length signatures. */ |
11506 | | sig += OPAQUE16_LEN; |
11507 | | } |
11508 | | #endif |
11509 | 0 | #ifndef NO_RSA |
11510 | 0 | if ((ssl->options.peerSigAlgo == rsa_pss_sa_algo) && |
11511 | 0 | (ssl->peerRsaKey != NULL) && (ssl->peerRsaKeyPresent != 0)) { |
11512 | 0 | WOLFSSL_MSG("Doing RSA peer cert verify"); |
11513 | 0 | ret = RsaVerify(ssl, rsaSigBuf->buffer, |
11514 | 0 | (word32)rsaSigBuf->length, &args->output, |
11515 | 0 | ssl->options.peerSigAlgo, |
11516 | 0 | ssl->options.peerHashAlgo, ssl->peerRsaKey, |
11517 | | #ifdef HAVE_PK_CALLBACKS |
11518 | | &ssl->buffers.peerRsaKey |
11519 | | #else |
11520 | 0 | NULL |
11521 | 0 | #endif |
11522 | 0 | ); |
11523 | 0 | if (ret >= 0) { |
11524 | 0 | args->sendSz = (word32)ret; |
11525 | 0 | ret = 0; |
11526 | 0 | } |
11527 | 0 | } |
11528 | 0 | #endif /* !NO_RSA */ |
11529 | 0 | #ifdef HAVE_ECC |
11530 | 0 | if ((ssl->options.peerSigAlgo == ecc_dsa_sa_algo) && |
11531 | 0 | ssl->peerEccDsaKeyPresent) { |
11532 | 0 | WOLFSSL_MSG("Doing ECC peer cert verify"); |
11533 | 0 | ret = EccVerify(ssl, sig, args->sigSz, |
11534 | 0 | args->sigData, args->sigDataSz, |
11535 | 0 | ssl->peerEccDsaKey, |
11536 | | #ifdef HAVE_PK_CALLBACKS |
11537 | | &ssl->buffers.peerEccDsaKey |
11538 | | #else |
11539 | 0 | NULL |
11540 | 0 | #endif |
11541 | 0 | ); |
11542 | |
|
11543 | 0 | if (ret >= 0) { |
11544 | | /* CLIENT/SERVER: data verified with public key from |
11545 | | * certificate. */ |
11546 | 0 | ssl->options.peerAuthGood = 1; |
11547 | |
|
11548 | 0 | FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey); |
11549 | 0 | ssl->peerEccDsaKeyPresent = 0; |
11550 | 0 | } |
11551 | 0 | } |
11552 | 0 | #endif /* HAVE_ECC */ |
11553 | | #if defined(HAVE_ECC) && defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) |
11554 | | if ((ssl->options.peerSigAlgo == sm2_sa_algo) && |
11555 | | ssl->peerEccDsaKeyPresent) { |
11556 | | WOLFSSL_MSG("Doing SM2/SM3 peer cert verify"); |
11557 | | ret = Sm2wSm3Verify(ssl, TLS13_SM2_SIG_ID, TLS13_SM2_SIG_ID_SZ, |
11558 | | sig, args->sigSz, args->sigData, args->sigDataSz, |
11559 | | ssl->peerEccDsaKey, NULL); |
11560 | | if (ret >= 0) { |
11561 | | /* CLIENT/SERVER: data verified with public key from |
11562 | | * certificate. */ |
11563 | | ssl->options.peerAuthGood = 1; |
11564 | | |
11565 | | FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey); |
11566 | | ssl->peerEccDsaKeyPresent = 0; |
11567 | | } |
11568 | | } |
11569 | | #endif |
11570 | | #ifdef HAVE_ED25519 |
11571 | | if ((ssl->options.peerSigAlgo == ed25519_sa_algo) && |
11572 | | (ssl->peerEd25519KeyPresent)) { |
11573 | | WOLFSSL_MSG("Doing ED25519 peer cert verify"); |
11574 | | ret = Ed25519Verify(ssl, sig, args->sigSz, |
11575 | | args->sigData, args->sigDataSz, |
11576 | | ssl->peerEd25519Key, |
11577 | | #ifdef HAVE_PK_CALLBACKS |
11578 | | &ssl->buffers.peerEd25519Key |
11579 | | #else |
11580 | | NULL |
11581 | | #endif |
11582 | | ); |
11583 | | |
11584 | | if (ret >= 0) { |
11585 | | /* CLIENT/SERVER: data verified with public key from |
11586 | | * certificate. */ |
11587 | | ssl->options.peerAuthGood = 1; |
11588 | | FreeKey(ssl, DYNAMIC_TYPE_ED25519, |
11589 | | (void**)&ssl->peerEd25519Key); |
11590 | | ssl->peerEd25519KeyPresent = 0; |
11591 | | } |
11592 | | } |
11593 | | #endif |
11594 | | #ifdef HAVE_ED448 |
11595 | | if ((ssl->options.peerSigAlgo == ed448_sa_algo) && |
11596 | | (ssl->peerEd448KeyPresent)) { |
11597 | | WOLFSSL_MSG("Doing ED448 peer cert verify"); |
11598 | | ret = Ed448Verify(ssl, sig, args->sigSz, |
11599 | | args->sigData, args->sigDataSz, |
11600 | | ssl->peerEd448Key, |
11601 | | #ifdef HAVE_PK_CALLBACKS |
11602 | | &ssl->buffers.peerEd448Key |
11603 | | #else |
11604 | | NULL |
11605 | | #endif |
11606 | | ); |
11607 | | |
11608 | | if (ret >= 0) { |
11609 | | /* CLIENT/SERVER: data verified with public key from |
11610 | | * certificate. */ |
11611 | | ssl->options.peerAuthGood = 1; |
11612 | | FreeKey(ssl, DYNAMIC_TYPE_ED448, |
11613 | | (void**)&ssl->peerEd448Key); |
11614 | | ssl->peerEd448KeyPresent = 0; |
11615 | | } |
11616 | | } |
11617 | | #endif |
11618 | | #if defined(HAVE_FALCON) |
11619 | | if (((ssl->options.peerSigAlgo == falcon_level1_sa_algo) || |
11620 | | (ssl->options.peerSigAlgo == falcon_level5_sa_algo)) && |
11621 | | (ssl->peerFalconKeyPresent)) { |
11622 | | int res = 0; |
11623 | | WOLFSSL_MSG("Doing Falcon peer cert verify"); |
11624 | | ret = wc_falcon_verify_msg(sig, args->sigSz, |
11625 | | args->sigData, args->sigDataSz, |
11626 | | &res, ssl->peerFalconKey); |
11627 | | |
11628 | | if ((ret >= 0) && (res == 1)) { |
11629 | | /* CLIENT/SERVER: data verified with public key from |
11630 | | * certificate. */ |
11631 | | ssl->options.peerAuthGood = 1; |
11632 | | |
11633 | | FreeKey(ssl, DYNAMIC_TYPE_FALCON, |
11634 | | (void**)&ssl->peerFalconKey); |
11635 | | ssl->peerFalconKeyPresent = 0; |
11636 | | } |
11637 | | else if ((ret >= 0) && (res == 0)) { |
11638 | | WOLFSSL_MSG("Falcon signature verification failed"); |
11639 | | ret = SIG_VERIFY_E; |
11640 | | } |
11641 | | } |
11642 | | #endif /* HAVE_FALCON */ |
11643 | | #if defined(WOLFSSL_HAVE_MLDSA) && !defined(WOLFSSL_MLDSA_NO_VERIFY) |
11644 | | if (((ssl->options.peerSigAlgo == mldsa_44_sa_algo) || |
11645 | | (ssl->options.peerSigAlgo == mldsa_65_sa_algo) || |
11646 | | (ssl->options.peerSigAlgo == mldsa_87_sa_algo)) && |
11647 | | (ssl->peerMlDsaKeyPresent)) { |
11648 | | int res = 0; |
11649 | | WOLFSSL_MSG("Doing ML-DSA peer cert verify"); |
11650 | | ret = wc_MlDsaKey_VerifyCtx(ssl->peerMlDsaKey, sig, args->sigSz, |
11651 | | NULL, 0, args->sigData, |
11652 | | args->sigDataSz, &res); |
11653 | | |
11654 | | if ((ret >= 0) && (res == 1)) { |
11655 | | /* CLIENT/SERVER: data verified with public key from |
11656 | | * certificate. */ |
11657 | | ssl->options.peerAuthGood = 1; |
11658 | | |
11659 | | FreeKey(ssl, DYNAMIC_TYPE_MLDSA, |
11660 | | (void**)&ssl->peerMlDsaKey); |
11661 | | ssl->peerMlDsaKeyPresent = 0; |
11662 | | } |
11663 | | else if ((ret >= 0) && (res == 0)) { |
11664 | | WOLFSSL_MSG("ML-DSA signature verification failed"); |
11665 | | ret = SIG_VERIFY_E; |
11666 | | } |
11667 | | } |
11668 | | #endif /* WOLFSSL_HAVE_MLDSA */ |
11669 | | |
11670 | | /* Check for error */ |
11671 | 0 | if (ret != 0) { |
11672 | 0 | goto exit_dcv; |
11673 | 0 | } |
11674 | | |
11675 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11676 | | if (ssl->sigSpec != NULL && |
11677 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
11678 | | /* Move forward to the alternative signature. */ |
11679 | | sig += args->sigSz + OPAQUE16_LEN; |
11680 | | |
11681 | | /* Verify the alternative signature */ |
11682 | | #ifndef NO_RSA |
11683 | | if ((args->altSigAlgo == rsa_pss_sa_algo) && |
11684 | | (ssl->peerRsaKey != NULL) && |
11685 | | (ssl->peerRsaKeyPresent != 0)) { |
11686 | | WOLFSSL_MSG("Doing RSA peer cert alt verify"); |
11687 | | ret = RsaVerify(ssl, rsaSigBuf->buffer, |
11688 | | (word32)rsaSigBuf->length, |
11689 | | &args->output, args->altSigAlgo, |
11690 | | ssl->options.peerHashAlgo, ssl->peerRsaKey, |
11691 | | #ifdef HAVE_PK_CALLBACKS |
11692 | | &ssl->buffers.peerRsaKey |
11693 | | #else |
11694 | | NULL |
11695 | | #endif |
11696 | | ); |
11697 | | if (ret >= 0) { |
11698 | | args->sendSz = ret; |
11699 | | ret = 0; |
11700 | | } |
11701 | | } |
11702 | | #endif /* !NO_RSA */ |
11703 | | #ifdef HAVE_ECC |
11704 | | if ((args->altSigAlgo == ecc_dsa_sa_algo) && |
11705 | | (ssl->peerEccDsaKeyPresent)) { |
11706 | | WOLFSSL_MSG("Doing ECC peer cert alt verify"); |
11707 | | ret = EccVerify(ssl, sig, args->altSignatureSz, |
11708 | | args->altSigData, args->altSigDataSz, |
11709 | | ssl->peerEccDsaKey, |
11710 | | #ifdef HAVE_PK_CALLBACKS |
11711 | | &ssl->buffers.peerEccDsaKey |
11712 | | #else |
11713 | | NULL |
11714 | | #endif |
11715 | | ); |
11716 | | |
11717 | | if (ret >= 0) { |
11718 | | /* CLIENT/SERVER: data verified with public key from |
11719 | | * certificate. */ |
11720 | | args->altPeerAuthGood = 1; |
11721 | | |
11722 | | FreeKey(ssl, DYNAMIC_TYPE_ECC, |
11723 | | (void**)&ssl->peerEccDsaKey); |
11724 | | ssl->peerEccDsaKeyPresent = 0; |
11725 | | } |
11726 | | } |
11727 | | #endif /* HAVE_ECC */ |
11728 | | #if defined(HAVE_FALCON) |
11729 | | if (((args->altSigAlgo == falcon_level1_sa_algo) || |
11730 | | (args->altSigAlgo == falcon_level5_sa_algo)) && |
11731 | | (ssl->peerFalconKeyPresent)) { |
11732 | | int res = 0; |
11733 | | WOLFSSL_MSG("Doing Falcon peer cert alt verify"); |
11734 | | ret = wc_falcon_verify_msg(sig, args->altSignatureSz, |
11735 | | args->altSigData, args->altSigDataSz, |
11736 | | &res, ssl->peerFalconKey); |
11737 | | |
11738 | | if ((ret >= 0) && (res == 1)) { |
11739 | | /* CLIENT/SERVER: data verified with public key from |
11740 | | * certificate. */ |
11741 | | args->altPeerAuthGood = 1; |
11742 | | |
11743 | | FreeKey(ssl, DYNAMIC_TYPE_FALCON, |
11744 | | (void**)&ssl->peerFalconKey); |
11745 | | ssl->peerFalconKeyPresent = 0; |
11746 | | } |
11747 | | else if ((ret >= 0) && (res == 0)) { |
11748 | | WOLFSSL_MSG("Falcon signature verification failed"); |
11749 | | ret = SIG_VERIFY_E; |
11750 | | } |
11751 | | } |
11752 | | #endif /* HAVE_FALCON */ |
11753 | | #if defined(WOLFSSL_HAVE_MLDSA) && !defined(WOLFSSL_MLDSA_NO_VERIFY) |
11754 | | if (((args->altSigAlgo == mldsa_44_sa_algo) || |
11755 | | (args->altSigAlgo == mldsa_65_sa_algo) || |
11756 | | (args->altSigAlgo == mldsa_87_sa_algo)) && |
11757 | | (ssl->peerMlDsaKeyPresent)) { |
11758 | | int res = 0; |
11759 | | WOLFSSL_MSG("Doing ML-DSA peer cert alt verify"); |
11760 | | ret = wc_MlDsaKey_VerifyCtx(ssl->peerMlDsaKey, sig, |
11761 | | args->altSignatureSz, NULL, 0, |
11762 | | args->altSigData, |
11763 | | args->altSigDataSz, &res); |
11764 | | |
11765 | | if ((ret >= 0) && (res == 1)) { |
11766 | | /* CLIENT/SERVER: data verified with public key from |
11767 | | * certificate. */ |
11768 | | args->altPeerAuthGood = 1; |
11769 | | |
11770 | | FreeKey(ssl, DYNAMIC_TYPE_MLDSA, |
11771 | | (void**)&ssl->peerMlDsaKey); |
11772 | | ssl->peerMlDsaKeyPresent = 0; |
11773 | | } |
11774 | | else if ((ret >= 0) && (res == 0)) { |
11775 | | WOLFSSL_MSG("ML-DSA signature verification failed"); |
11776 | | ret = SIG_VERIFY_E; |
11777 | | } |
11778 | | } |
11779 | | #endif /* WOLFSSL_HAVE_MLDSA */ |
11780 | | |
11781 | | /* Check for error */ |
11782 | | if (ret != 0) { |
11783 | | goto exit_dcv; |
11784 | | } |
11785 | | } |
11786 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11787 | | |
11788 | | /* Advance state and proceed */ |
11789 | 0 | ssl->options.asyncState = TLS_ASYNC_VERIFY; |
11790 | 0 | } /* case TLS_ASYNC_DO */ |
11791 | 0 | FALL_THROUGH; |
11792 | |
|
11793 | 0 | case TLS_ASYNC_VERIFY: |
11794 | 0 | { |
11795 | 0 | #if !defined(NO_RSA) && defined(WC_RSA_PSS) |
11796 | 0 | if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) { |
11797 | 0 | int sigAlgo = ssl->options.peerSigAlgo; |
11798 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11799 | | /* Check if our alternative signature was RSA */ |
11800 | | if (ssl->sigSpec != NULL && |
11801 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH && |
11802 | | ssl->options.peerSigAlgo != rsa_pss_sa_algo) { |
11803 | | sigAlgo = args->altSigAlgo; |
11804 | | } |
11805 | | #endif |
11806 | 0 | ret = CheckRSASignature(ssl, sigAlgo, |
11807 | 0 | ssl->options.peerHashAlgo, args->output, args->sendSz); |
11808 | 0 | if (ret != 0) |
11809 | 0 | goto exit_dcv; |
11810 | | |
11811 | | /* CLIENT/SERVER: data verified with public key from |
11812 | | * certificate. */ |
11813 | 0 | ssl->peerRsaKeyPresent = 0; |
11814 | 0 | FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey); |
11815 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11816 | | /* Check if our alternative signature was RSA */ |
11817 | | if (ssl->sigSpec != NULL && |
11818 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH && |
11819 | | ssl->options.peerSigAlgo != rsa_pss_sa_algo) { |
11820 | | args->altPeerAuthGood = 1; |
11821 | | } |
11822 | | else |
11823 | | #endif |
11824 | 0 | ssl->options.peerAuthGood = 1; |
11825 | 0 | } |
11826 | 0 | #endif /* !NO_RSA && WC_RSA_PSS */ |
11827 | | |
11828 | | /* Advance state and proceed */ |
11829 | 0 | ssl->options.asyncState = TLS_ASYNC_FINALIZE; |
11830 | 0 | } /* case TLS_ASYNC_VERIFY */ |
11831 | 0 | FALL_THROUGH; |
11832 | |
|
11833 | 0 | case TLS_ASYNC_FINALIZE: |
11834 | 0 | { |
11835 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11836 | | if (ssl->options.peerAuthGood && |
11837 | | ssl->sigSpec != NULL && |
11838 | | *ssl->sigSpec == WOLFSSL_CKS_SIGSPEC_BOTH) { |
11839 | | ssl->options.peerAuthGood = args->altPeerAuthGood; |
11840 | | } |
11841 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11842 | 0 | ssl->options.havePeerVerify = 1; |
11843 | | |
11844 | | /* Set final index */ |
11845 | 0 | args->idx += args->sz; |
11846 | 0 | *inOutIdx = args->idx; |
11847 | | |
11848 | | /* Advance state and proceed */ |
11849 | 0 | ssl->options.asyncState = TLS_ASYNC_END; |
11850 | |
|
11851 | 0 | #if !defined(NO_WOLFSSL_CLIENT) |
11852 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
11853 | 0 | ssl->options.serverState = SERVER_CERT_VERIFY_COMPLETE; |
11854 | 0 | #endif |
11855 | 0 | } /* case TLS_ASYNC_FINALIZE */ |
11856 | 0 | FALL_THROUGH; |
11857 | |
|
11858 | 0 | case TLS_ASYNC_END: |
11859 | 0 | { |
11860 | 0 | break; |
11861 | 0 | } |
11862 | | |
11863 | 0 | default: |
11864 | 0 | ret = INPUT_CASE_ERROR; |
11865 | 0 | } /* switch(ssl->options.asyncState) */ |
11866 | | |
11867 | 0 | exit_dcv: |
11868 | |
|
11869 | 0 | WOLFSSL_LEAVE("DoTls13CertificateVerify", ret); |
11870 | 0 | WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO); |
11871 | |
|
11872 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11873 | | /* Handle async operation */ |
11874 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
11875 | | /* Mark message as not received so it can process again */ |
11876 | | ssl->msgsReceived.got_certificate_verify = 0; |
11877 | | |
11878 | | return ret; |
11879 | | } |
11880 | | else |
11881 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
11882 | 0 | if (ret != 0) { |
11883 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
11884 | |
|
11885 | 0 | if (ret != WC_NO_ERR_TRACE(INVALID_PARAMETER)) { |
11886 | 0 | SendAlert(ssl, alert_fatal, decrypt_error); |
11887 | 0 | } |
11888 | 0 | } |
11889 | | |
11890 | | /* Final cleanup */ |
11891 | 0 | FreeDcv13Args(ssl, args); |
11892 | 0 | FreeKeyExchange(ssl); |
11893 | 0 | #ifdef WOLFSSL_ASYNC_IO |
11894 | | /* Cleanup async */ |
11895 | 0 | FreeAsyncCtx(ssl, 0); |
11896 | 0 | #endif |
11897 | |
|
11898 | 0 | return ret; |
11899 | 0 | } |
11900 | | #endif /* !NO_RSA || HAVE_ECC */ |
11901 | | #endif /* !NO_CERTS */ |
11902 | | |
11903 | | /* Parse and handle a TLS v1.3 Finished message. |
11904 | | * |
11905 | | * ssl The SSL/TLS object. |
11906 | | * input The message buffer. |
11907 | | * inOutIdx On entry, the index into the message buffer of Finished. |
11908 | | * On exit, the index of byte after the Finished message and padding. |
11909 | | * size Length of message data. |
11910 | | * totalSz Length of remaining data in the message buffer. |
11911 | | * sniff Indicates whether we are sniffing packets. |
11912 | | * returns 0 on success and otherwise failure. |
11913 | | */ |
11914 | | int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
11915 | | word32 size, word32 totalSz, int sniff) |
11916 | 0 | { |
11917 | 0 | int ret; |
11918 | 0 | word32 finishedSz = 0; |
11919 | 0 | byte* secret; |
11920 | 0 | byte mac[WC_MAX_DIGEST_SIZE]; |
11921 | |
|
11922 | 0 | WOLFSSL_START(WC_FUNC_FINISHED_DO); |
11923 | 0 | WOLFSSL_ENTER("DoTls13Finished"); |
11924 | |
|
11925 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH) |
11926 | | /* verify the client sent certificate if required */ |
11927 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END && !ssl->options.resuming && |
11928 | 0 | (ssl->options.mutualAuth || ssl->options.failNoCert)) { |
11929 | | #ifdef OPENSSL_COMPATIBLE_DEFAULTS |
11930 | | if (ssl->options.isPSK) { |
11931 | | WOLFSSL_MSG("TLS v1.3 client used PSK but cert required. Allowing " |
11932 | | "for OpenSSL compatibility"); |
11933 | | } |
11934 | | else |
11935 | | #endif |
11936 | 0 | if ( |
11937 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
11938 | | /* Exempt only the initial handshake; a pending post-handshake |
11939 | | * CertificateRequest (certReqCtx != NULL) still requires a peer |
11940 | | * certificate and a valid CertificateVerify. */ |
11941 | | (!ssl->options.verifyPostHandshake || ssl->certReqCtx != NULL) && |
11942 | | #endif |
11943 | 0 | (!ssl->options.havePeerCert || !ssl->options.havePeerVerify)) { |
11944 | 0 | ret = NO_PEER_CERT; /* NO_PEER_VERIFY */ |
11945 | 0 | WOLFSSL_MSG("TLS v1.3 client did not present peer cert"); |
11946 | 0 | DoCertFatalAlert(ssl, ret); |
11947 | 0 | goto cleanup; |
11948 | 0 | } |
11949 | 0 | } |
11950 | 0 | #endif |
11951 | | |
11952 | | #if !defined(NO_CERTS) && !defined(NO_PSK) && \ |
11953 | | defined(WOLFSSL_CERT_WITH_EXTERN_PSK) |
11954 | | /* Verify the server sent a certificate if requested */ |
11955 | | if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.pskNegotiated && |
11956 | | ssl->options.failNoCert) { |
11957 | | if ((TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) != NULL) && |
11958 | | (!ssl->options.havePeerCert || !ssl->options.havePeerVerify)) { |
11959 | | ret = NO_PEER_CERT; |
11960 | | WOLFSSL_MSG("TLS v1.3 server did not present peer cert"); |
11961 | | DoCertFatalAlert(ssl, ret); |
11962 | | goto cleanup; |
11963 | | } |
11964 | | } |
11965 | | #endif |
11966 | | |
11967 | | /* check against totalSz */ |
11968 | 0 | if (*inOutIdx + size > totalSz) { |
11969 | 0 | ret = BUFFER_E; |
11970 | 0 | goto cleanup; |
11971 | 0 | } |
11972 | | |
11973 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
11974 | | ret = tsip_Tls13HandleFinished(ssl, input, inOutIdx, size, totalSz); |
11975 | | if (ret == 0) { |
11976 | | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
11977 | | goto cleanup; |
11978 | | } |
11979 | | if (ret == WC_NO_ERR_TRACE(VERIFY_FINISHED_ERROR)) { |
11980 | | SendAlert(ssl, alert_fatal, decrypt_error); |
11981 | | goto cleanup; |
11982 | | } |
11983 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { |
11984 | | /* other errors */ |
11985 | | goto cleanup; |
11986 | | } |
11987 | | ret = 0; |
11988 | | #endif /* WOLFSSL_RENESAS_TSIP_TLS */ |
11989 | | |
11990 | 0 | if (ssl->options.handShakeDone) { |
11991 | 0 | ret = DeriveFinishedSecret(ssl, ssl->clientSecret, |
11992 | 0 | ssl->keys.client_write_MAC_secret, |
11993 | 0 | WOLFSSL_CLIENT_END); |
11994 | 0 | if (ret != 0) |
11995 | 0 | goto cleanup; |
11996 | | |
11997 | 0 | secret = ssl->keys.client_write_MAC_secret; |
11998 | 0 | } |
11999 | 0 | else if (ssl->options.side == WOLFSSL_CLIENT_END) { |
12000 | | /* All the handshake messages have been received to calculate |
12001 | | * client and server finished keys. |
12002 | | */ |
12003 | 0 | ret = DeriveFinishedSecret(ssl, ssl->clientSecret, |
12004 | 0 | ssl->keys.client_write_MAC_secret, |
12005 | 0 | WOLFSSL_CLIENT_END); |
12006 | 0 | if (ret != 0) |
12007 | 0 | goto cleanup; |
12008 | | |
12009 | 0 | ret = DeriveFinishedSecret(ssl, ssl->serverSecret, |
12010 | 0 | ssl->keys.server_write_MAC_secret, |
12011 | 0 | WOLFSSL_SERVER_END); |
12012 | 0 | if (ret != 0) |
12013 | 0 | goto cleanup; |
12014 | | |
12015 | 0 | secret = ssl->keys.server_write_MAC_secret; |
12016 | 0 | } |
12017 | 0 | else { |
12018 | 0 | secret = ssl->keys.client_write_MAC_secret; |
12019 | 0 | } |
12020 | | |
12021 | 0 | if (sniff == NO_SNIFF) { |
12022 | |
|
12023 | 0 | ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz); |
12024 | | #ifdef WOLFSSL_HAVE_TLS_UNIQUE |
12025 | | if (finishedSz > TLS_FINISHED_SZ_MAX) { |
12026 | | ret = BUFFER_ERROR; |
12027 | | goto cleanup; |
12028 | | } |
12029 | | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
12030 | | XMEMCPY(ssl->serverFinished, mac, finishedSz); |
12031 | | ssl->serverFinished_len = (byte)finishedSz; |
12032 | | } |
12033 | | else { |
12034 | | XMEMCPY(ssl->clientFinished, mac, finishedSz); |
12035 | | ssl->clientFinished_len = (byte)finishedSz; |
12036 | | } |
12037 | | #endif /* WOLFSSL_HAVE_TLS_UNIQUE */ |
12038 | 0 | if (ret != 0) |
12039 | 0 | goto cleanup; |
12040 | 0 | if (size != finishedSz) { |
12041 | 0 | ret = BUFFER_ERROR; |
12042 | 0 | goto cleanup; |
12043 | 0 | } |
12044 | 0 | } |
12045 | | |
12046 | | #ifdef WOLFSSL_CALLBACKS |
12047 | | if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); |
12048 | | if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo); |
12049 | | #endif |
12050 | | |
12051 | 0 | if (sniff == NO_SNIFF) { |
12052 | | /* Actually check verify data. */ |
12053 | 0 | if (size > WC_MAX_DIGEST_SIZE || |
12054 | 0 | ConstantCompare(input + *inOutIdx, mac, size) != 0){ |
12055 | 0 | WOLFSSL_MSG("Verify finished error on hashes"); |
12056 | 0 | SendAlert(ssl, alert_fatal, decrypt_error); |
12057 | 0 | WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR); |
12058 | 0 | ret = VERIFY_FINISHED_ERROR; |
12059 | 0 | goto cleanup; |
12060 | 0 | } |
12061 | 0 | } |
12062 | | |
12063 | 0 | *inOutIdx += size; |
12064 | |
|
12065 | 0 | #ifndef NO_WOLFSSL_SERVER |
12066 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END && |
12067 | 0 | !ssl->options.handShakeDone) { |
12068 | | #ifdef WOLFSSL_EARLY_DATA |
12069 | | if (ssl->earlyData != no_early_data) { |
12070 | | if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0) |
12071 | | goto cleanup; |
12072 | | } |
12073 | | #endif |
12074 | | /* Setup keys for application data messages from client. */ |
12075 | 0 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
12076 | 0 | goto cleanup; |
12077 | 0 | } |
12078 | 0 | #endif |
12079 | | |
12080 | 0 | #ifndef NO_WOLFSSL_CLIENT |
12081 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
12082 | 0 | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
12083 | 0 | #endif |
12084 | 0 | #ifndef NO_WOLFSSL_SERVER |
12085 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
12086 | 0 | ssl->options.clientState = CLIENT_FINISHED_COMPLETE; |
12087 | 0 | ssl->options.handShakeState = HANDSHAKE_DONE; |
12088 | 0 | ssl->options.handShakeDone = 1; |
12089 | 0 | } |
12090 | 0 | #endif |
12091 | |
|
12092 | | #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_EARLY_DATA) |
12093 | | if (ssl->options.dtls && ssl->earlyData > early_data_ext) { |
12094 | | /* DTLSv1.3 has no EndOfearlydata messages. We stop processing EarlyData |
12095 | | as soon we receive the client's finished message */ |
12096 | | ssl->earlyData = done_early_data; |
12097 | | } |
12098 | | #endif /* WOLFSSL_DTLS13 && WOLFSSL_EARLY_DATA */ |
12099 | | #if defined(WOLFSSL_QUIC) && defined(WOLFSSL_EARLY_DATA) |
12100 | | if (WOLFSSL_IS_QUIC(ssl) && ssl->earlyData > early_data_ext) { |
12101 | | /* QUIC has no EndOfEarlyData messages. We stop processing EarlyData |
12102 | | as soon we receive the client's finished message */ |
12103 | | ssl->earlyData = done_early_data; |
12104 | | } |
12105 | | #endif /* WOLFSSL_QUIC && WOLFSSL_EARLY_DATA */ |
12106 | |
|
12107 | 0 | ret = 0; |
12108 | 0 | cleanup: |
12109 | 0 | ForceZero(mac, sizeof(mac)); |
12110 | 0 | WOLFSSL_LEAVE("DoTls13Finished", ret); |
12111 | 0 | WOLFSSL_END(WC_FUNC_FINISHED_DO); |
12112 | |
|
12113 | 0 | return ret; |
12114 | 0 | } |
12115 | | |
12116 | | #if !defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER) |
12117 | | /* Send the TLS v1.3 Finished message. |
12118 | | * |
12119 | | * ssl The SSL/TLS object. |
12120 | | * returns 0 on success, otherwise failure. |
12121 | | */ |
12122 | | static int SendTls13Finished(WOLFSSL* ssl) |
12123 | 0 | { |
12124 | 0 | byte finishedSz = ssl->specs.hash_size; |
12125 | 0 | byte* input; |
12126 | 0 | byte* output; |
12127 | 0 | int ret; |
12128 | 0 | int headerSz = HANDSHAKE_HEADER_SZ; |
12129 | 0 | int outputSz; |
12130 | 0 | byte* secret; |
12131 | |
|
12132 | | #ifdef WOLFSSL_DTLS13 |
12133 | | int dtlsRet = 0, isDtls = 0; |
12134 | | #endif /* WOLFSSL_DTLS13 */ |
12135 | |
|
12136 | 0 | WOLFSSL_START(WC_FUNC_FINISHED_SEND); |
12137 | 0 | WOLFSSL_ENTER("SendTls13Finished"); |
12138 | |
|
12139 | 0 | ssl->options.buildingMsg = 1; |
12140 | | #ifdef WOLFSSL_DTLS13 |
12141 | | if (ssl->options.dtls) { |
12142 | | headerSz = DTLS_HANDSHAKE_HEADER_SZ; |
12143 | | /* using isDtls instead of ssl->options.dtls will abide clang static |
12144 | | analyzer on using an uninitialized value */ |
12145 | | isDtls = 1; |
12146 | | } |
12147 | | #endif /* WOLFSSL_DTLS13 */ |
12148 | |
|
12149 | 0 | outputSz = WC_MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA; |
12150 | | /* Check buffers are big enough and grow if needed. */ |
12151 | 0 | if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) |
12152 | 0 | return ret; |
12153 | | |
12154 | | /* get output buffer */ |
12155 | 0 | output = GetOutputBuffer(ssl); |
12156 | 0 | input = output + RECORD_HEADER_SZ; |
12157 | |
|
12158 | | #ifdef WOLFSSL_DTLS13 |
12159 | | if (isDtls) |
12160 | | input = output + Dtls13GetRlHeaderLength(ssl, 1); |
12161 | | #endif /* WOLFSSL_DTLS13 */ |
12162 | |
|
12163 | 0 | AddTls13HandShakeHeader(input, (word32)finishedSz, 0, (word32)finishedSz, |
12164 | 0 | finished, ssl); |
12165 | |
|
12166 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
12167 | | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
12168 | | ret = tsip_Tls13SendFinished(ssl, output, outputSz, input, 1); |
12169 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { |
12170 | | return ret; |
12171 | | } |
12172 | | ret = 0; |
12173 | | } |
12174 | | #endif /* WOLFSSL_RENESAS_TSIP_TLS */ |
12175 | | |
12176 | | /* make finished hashes */ |
12177 | 0 | if (ssl->options.handShakeDone) { |
12178 | 0 | ret = DeriveFinishedSecret(ssl, ssl->clientSecret, |
12179 | 0 | ssl->keys.client_write_MAC_secret, |
12180 | 0 | WOLFSSL_CLIENT_END); |
12181 | 0 | if (ret != 0) |
12182 | 0 | return ret; |
12183 | | |
12184 | 0 | secret = ssl->keys.client_write_MAC_secret; |
12185 | 0 | } |
12186 | 0 | else if (ssl->options.side == WOLFSSL_CLIENT_END) |
12187 | 0 | secret = ssl->keys.client_write_MAC_secret; |
12188 | 0 | else { |
12189 | | /* All the handshake messages have been done to calculate client and |
12190 | | * server finished keys. |
12191 | | */ |
12192 | 0 | ret = DeriveFinishedSecret(ssl, ssl->clientSecret, |
12193 | 0 | ssl->keys.client_write_MAC_secret, |
12194 | 0 | WOLFSSL_CLIENT_END); |
12195 | 0 | if (ret != 0) |
12196 | 0 | return ret; |
12197 | | |
12198 | 0 | ret = DeriveFinishedSecret(ssl, ssl->serverSecret, |
12199 | 0 | ssl->keys.server_write_MAC_secret, |
12200 | 0 | WOLFSSL_SERVER_END); |
12201 | 0 | if (ret != 0) |
12202 | 0 | return ret; |
12203 | | |
12204 | 0 | secret = ssl->keys.server_write_MAC_secret; |
12205 | 0 | } |
12206 | 0 | ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL); |
12207 | 0 | if (ret != 0) |
12208 | 0 | return ret; |
12209 | | #ifdef WOLFSSL_HAVE_TLS_UNIQUE |
12210 | | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
12211 | | XMEMCPY(ssl->clientFinished, &input[headerSz], finishedSz); |
12212 | | ssl->clientFinished_len = finishedSz; |
12213 | | } |
12214 | | else { |
12215 | | XMEMCPY(ssl->serverFinished, &input[headerSz], finishedSz); |
12216 | | ssl->serverFinished_len = finishedSz; |
12217 | | } |
12218 | | #endif /* WOLFSSL_HAVE_TLS_UNIQUE */ |
12219 | | |
12220 | | #ifdef WOLFSSL_DTLS13 |
12221 | | if (isDtls) { |
12222 | | dtlsRet = Dtls13HandshakeSend(ssl, output, (word16)outputSz, |
12223 | | (word16)(Dtls13GetRlHeaderLength(ssl, 1) + headerSz + finishedSz), finished, |
12224 | | 1); |
12225 | | if (dtlsRet != 0 && dtlsRet != WC_NO_ERR_TRACE(WANT_WRITE)) |
12226 | | return dtlsRet; |
12227 | | |
12228 | | } else |
12229 | | #endif /* WOLFSSL_DTLS13 */ |
12230 | 0 | { |
12231 | | /* This message is always encrypted. */ |
12232 | 0 | int sendSz = BuildTls13Message(ssl, output, outputSz, input, |
12233 | 0 | headerSz + finishedSz, handshake, 1, 0, 0); |
12234 | 0 | if (sendSz < 0) { |
12235 | 0 | WOLFSSL_ERROR_VERBOSE(BUILD_MSG_ERROR); |
12236 | 0 | return BUILD_MSG_ERROR; |
12237 | 0 | } |
12238 | | |
12239 | | #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) |
12240 | | if (ssl->hsInfoOn) AddPacketName(ssl, "Finished"); |
12241 | | if (ssl->toInfoOn) { |
12242 | | ret = AddPacketInfo(ssl, "Finished", handshake, output, sendSz, |
12243 | | WRITE_PROTO, 0, ssl->heap); |
12244 | | if (ret != 0) |
12245 | | return ret; |
12246 | | } |
12247 | | #endif |
12248 | | |
12249 | 0 | ssl->buffers.outputBuffer.length += (word32)sendSz; |
12250 | 0 | ssl->options.buildingMsg = 0; |
12251 | 0 | } |
12252 | | |
12253 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
12254 | | #ifdef WOLFSSL_EARLY_DATA |
12255 | | byte storeTrafficDecKeys = ssl->earlyData == no_early_data; |
12256 | | #endif |
12257 | | /* Can send application data now. */ |
12258 | 0 | if ((ret = DeriveMasterSecret(ssl)) != 0) |
12259 | 0 | return ret; |
12260 | | /* Last use of preMasterSecret - zeroize as soon as possible. */ |
12261 | 0 | ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz); |
12262 | | #ifdef WOLFSSL_EARLY_DATA |
12263 | | |
12264 | | #ifdef WOLFSSL_DTLS13 |
12265 | | /* DTLS13 dynamically change keys and it needs all |
12266 | | the keys in ssl->keys to save the keying material */ |
12267 | | if (isDtls) |
12268 | | storeTrafficDecKeys = 1; |
12269 | | #endif /* WOLFSSL_DTLS13 */ |
12270 | | |
12271 | | if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1)) |
12272 | | != 0) { |
12273 | | return ret; |
12274 | | } |
12275 | | if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY, |
12276 | | storeTrafficDecKeys)) != 0) { |
12277 | | return ret; |
12278 | | } |
12279 | | #else |
12280 | 0 | if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE, |
12281 | 0 | 1)) != 0) { |
12282 | 0 | return ret; |
12283 | 0 | } |
12284 | 0 | #endif |
12285 | 0 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
12286 | 0 | return ret; |
12287 | |
|
12288 | | #ifdef WOLFSSL_DTLS13 |
12289 | | if (isDtls) { |
12290 | | w64wrapper epochTraffic0; |
12291 | | epochTraffic0 = w64From32(0, DTLS13_EPOCH_TRAFFIC0); |
12292 | | ssl->dtls13Epoch = epochTraffic0; |
12293 | | ssl->dtls13PeerEpoch = epochTraffic0; |
12294 | | |
12295 | | ret = Dtls13SetEpochKeys( |
12296 | | ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE); |
12297 | | if (ret != 0) |
12298 | | return ret; |
12299 | | |
12300 | | } |
12301 | | #endif /* WOLFSSL_DTLS13 */ |
12302 | |
|
12303 | 0 | } |
12304 | | |
12305 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
12306 | 0 | !ssl->options.handShakeDone) { |
12307 | | #ifdef WOLFSSL_EARLY_DATA |
12308 | | if (ssl->earlyData != no_early_data) { |
12309 | | if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_SIDE_ONLY, |
12310 | | 1)) != 0) { |
12311 | | return ret; |
12312 | | } |
12313 | | } |
12314 | | #endif |
12315 | | /* Setup keys for application data messages. */ |
12316 | 0 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
12317 | 0 | return ret; |
12318 | |
|
12319 | | #if defined(HAVE_SESSION_TICKET) |
12320 | | ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret); |
12321 | | if (ret != 0) |
12322 | | return ret; |
12323 | | #endif |
12324 | |
|
12325 | | #ifdef WOLFSSL_DTLS13 |
12326 | | if (isDtls) { |
12327 | | w64wrapper epochTraffic0; |
12328 | | epochTraffic0 = w64From32(0, DTLS13_EPOCH_TRAFFIC0); |
12329 | | ssl->dtls13Epoch = epochTraffic0; |
12330 | | ssl->dtls13PeerEpoch = epochTraffic0; |
12331 | | |
12332 | | ret = Dtls13SetEpochKeys( |
12333 | | ssl, epochTraffic0, ENCRYPT_AND_DECRYPT_SIDE); |
12334 | | if (ret != 0) |
12335 | | return ret; |
12336 | | |
12337 | | } |
12338 | | #endif /* WOLFSSL_DTLS13 */ |
12339 | 0 | } |
12340 | | |
12341 | 0 | #ifndef NO_WOLFSSL_CLIENT |
12342 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
12343 | 0 | ssl->options.clientState = CLIENT_FINISHED_COMPLETE; |
12344 | 0 | ssl->options.handShakeState = HANDSHAKE_DONE; |
12345 | 0 | ssl->options.handShakeDone = 1; |
12346 | 0 | } |
12347 | 0 | #endif |
12348 | 0 | #ifndef NO_WOLFSSL_SERVER |
12349 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
12350 | 0 | ssl->options.serverState = SERVER_FINISHED_COMPLETE; |
12351 | 0 | } |
12352 | 0 | #endif |
12353 | |
|
12354 | | #ifdef WOLFSSL_DTLS13 |
12355 | | if (isDtls) { |
12356 | | WOLFSSL_LEAVE("SendTls13Finished", ret); |
12357 | | WOLFSSL_END(WC_FUNC_FINISHED_SEND); |
12358 | | |
12359 | | return dtlsRet; |
12360 | | } |
12361 | | #endif /* WOLFSSL_DTLS13 */ |
12362 | |
|
12363 | 0 | if ((ret = SendBuffered(ssl)) != 0) |
12364 | 0 | return ret; |
12365 | | |
12366 | 0 | WOLFSSL_LEAVE("SendTls13Finished", ret); |
12367 | 0 | WOLFSSL_END(WC_FUNC_FINISHED_SEND); |
12368 | |
|
12369 | 0 | return ret; |
12370 | 0 | } |
12371 | | #endif /* !NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER */ |
12372 | | |
12373 | | /* handle generation TLS v1.3 key_update (24) */ |
12374 | | /* Send the TLS v1.3 KeyUpdate message. |
12375 | | * |
12376 | | * ssl The SSL/TLS object. |
12377 | | * returns 0 on success, otherwise failure. |
12378 | | */ |
12379 | | int SendTls13KeyUpdate(WOLFSSL* ssl) |
12380 | 0 | { |
12381 | 0 | byte* input; |
12382 | 0 | byte* output; |
12383 | 0 | int ret; |
12384 | 0 | int headerSz = HANDSHAKE_HEADER_SZ; |
12385 | 0 | int outputSz; |
12386 | 0 | word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
12387 | |
|
12388 | 0 | WOLFSSL_START(WC_FUNC_KEY_UPDATE_SEND); |
12389 | 0 | WOLFSSL_ENTER("SendTls13KeyUpdate"); |
12390 | |
|
12391 | | #ifdef WOLFSSL_DTLS13 |
12392 | | if (ssl->options.dtls) { |
12393 | | /* RFC 9147 Section 4.2.1: do not send a KeyUpdate that would advance |
12394 | | * the sending epoch beyond 2^48-1. */ |
12395 | | if (w64GTE(ssl->dtls13Epoch, |
12396 | | w64From32(DTLS13_EPOCH_MAX_HI32, DTLS13_EPOCH_MAX_LO32))) { |
12397 | | WOLFSSL_MSG("DTLS 1.3 sending epoch at maximum; refusing KeyUpdate"); |
12398 | | return BAD_STATE_E; |
12399 | | } |
12400 | | i = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ; |
12401 | | } |
12402 | | #endif /* WOLFSSL_DTLS13 */ |
12403 | |
|
12404 | 0 | outputSz = OPAQUE8_LEN + MAX_MSG_EXTRA; |
12405 | | /* Check buffers are big enough and grow if needed. */ |
12406 | 0 | if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) |
12407 | 0 | return ret; |
12408 | | |
12409 | | /* get output buffer */ |
12410 | 0 | output = GetOutputBuffer(ssl); |
12411 | 0 | input = output + RECORD_HEADER_SZ; |
12412 | |
|
12413 | | #ifdef WOLFSSL_DTLS13 |
12414 | | if (ssl->options.dtls) |
12415 | | input = output + Dtls13GetRlHeaderLength(ssl, 1); |
12416 | | #endif /* WOLFSSL_DTLS13 */ |
12417 | |
|
12418 | 0 | AddTls13Headers(output, OPAQUE8_LEN, key_update, ssl); |
12419 | | |
12420 | | /* If: |
12421 | | * 1. I haven't sent a KeyUpdate requesting a response and |
12422 | | * 2. This isn't responding to peer KeyUpdate requiring a response then, |
12423 | | * I want a response. |
12424 | | */ |
12425 | 0 | ssl->keys.updateResponseReq = output[i++] = |
12426 | 0 | !ssl->keys.updateResponseReq && !ssl->keys.keyUpdateRespond; |
12427 | | /* Sent response, no longer need to respond. */ |
12428 | 0 | ssl->keys.keyUpdateRespond = 0; |
12429 | |
|
12430 | | #ifdef WOLFSSL_DTLS13 |
12431 | | if (ssl->options.dtls) { |
12432 | | ret = Dtls13HandshakeSend(ssl, output, (word16)outputSz, |
12433 | | OPAQUE8_LEN + Dtls13GetRlHeaderLength(ssl, 1) + |
12434 | | DTLS_HANDSHAKE_HEADER_SZ, |
12435 | | key_update, 0); |
12436 | | } |
12437 | | else |
12438 | | #endif /* WOLFSSL_DTLS13 */ |
12439 | 0 | { |
12440 | | /* This message is always encrypted. */ |
12441 | 0 | int sendSz = BuildTls13Message(ssl, output, outputSz, input, |
12442 | 0 | headerSz + OPAQUE8_LEN, handshake, 0, 0, 0); |
12443 | 0 | if (sendSz < 0) |
12444 | 0 | return BUILD_MSG_ERROR; |
12445 | | |
12446 | | #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA) |
12447 | | if (ssl->hsInfoOn) AddPacketName(ssl, "KeyUpdate"); |
12448 | | if (ssl->toInfoOn) { |
12449 | | ret = AddPacketInfo(ssl, "KeyUpdate", handshake, output, sendSz, |
12450 | | WRITE_PROTO, 0, ssl->heap); |
12451 | | if (ret != 0) |
12452 | | return ret; |
12453 | | } |
12454 | | #endif |
12455 | | |
12456 | 0 | ssl->buffers.outputBuffer.length += (word32)sendSz; |
12457 | |
|
12458 | 0 | ret = SendBuffered(ssl); |
12459 | | |
12460 | |
|
12461 | 0 | if (ret != 0 && ret != WC_NO_ERR_TRACE(WANT_WRITE)) |
12462 | 0 | return ret; |
12463 | 0 | } |
12464 | | |
12465 | | /* In DTLS we must wait for the ack before setting up the new keys */ |
12466 | 0 | if (!ssl->options.dtls) { |
12467 | | |
12468 | | /* Future traffic uses new encryption keys. */ |
12469 | 0 | if ((ret = DeriveTls13Keys( |
12470 | 0 | ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1)) |
12471 | 0 | != 0) |
12472 | 0 | return ret; |
12473 | 0 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
12474 | 0 | return ret; |
12475 | 0 | } |
12476 | | |
12477 | | |
12478 | 0 | WOLFSSL_LEAVE("SendTls13KeyUpdate", ret); |
12479 | 0 | WOLFSSL_END(WC_FUNC_KEY_UPDATE_SEND); |
12480 | |
|
12481 | 0 | return ret; |
12482 | 0 | } |
12483 | | |
12484 | | /* handle processing TLS v1.3 key_update (24) */ |
12485 | | /* Parse and handle a TLS v1.3 KeyUpdate message. |
12486 | | * |
12487 | | * ssl The SSL/TLS object. |
12488 | | * input The message buffer. |
12489 | | * inOutIdx On entry, the index into the message buffer of Finished. |
12490 | | * On exit, the index of byte after the Finished message and padding. |
12491 | | * totalSz The length of the current handshake message. |
12492 | | * returns 0 on success and otherwise failure. |
12493 | | */ |
12494 | | static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx, |
12495 | | word32 totalSz) |
12496 | 0 | { |
12497 | 0 | int ret; |
12498 | 0 | word32 i = *inOutIdx; |
12499 | |
|
12500 | 0 | WOLFSSL_START(WC_FUNC_KEY_UPDATE_DO); |
12501 | 0 | WOLFSSL_ENTER("DoTls13KeyUpdate"); |
12502 | | |
12503 | | /* check against totalSz */ |
12504 | 0 | if (OPAQUE8_LEN != totalSz) |
12505 | 0 | return BUFFER_E; |
12506 | | |
12507 | 0 | switch (input[i]) { |
12508 | 0 | case update_not_requested: |
12509 | | /* This message in response to any outstanding request. */ |
12510 | 0 | ssl->keys.keyUpdateRespond = 0; |
12511 | 0 | ssl->keys.updateResponseReq = 0; |
12512 | 0 | break; |
12513 | 0 | case update_requested: |
12514 | | /* New key update requiring a response. */ |
12515 | 0 | ssl->keys.keyUpdateRespond = 1; |
12516 | 0 | break; |
12517 | 0 | default: |
12518 | 0 | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
12519 | 0 | return INVALID_PARAMETER; |
12520 | 0 | } |
12521 | | |
12522 | | /* Move index to byte after message. */ |
12523 | 0 | *inOutIdx += totalSz; |
12524 | | |
12525 | | /* Future traffic uses new decryption keys. */ |
12526 | 0 | if ((ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1)) |
12527 | 0 | != 0) { |
12528 | 0 | return ret; |
12529 | 0 | } |
12530 | 0 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
12531 | 0 | return ret; |
12532 | | |
12533 | | #ifdef WOLFSSL_DTLS13 |
12534 | | if (ssl->options.dtls) { |
12535 | | /* Increment on a local copy so ssl->dtls13PeerEpoch is left |
12536 | | * untouched when the check fails. */ |
12537 | | w64wrapper newEpoch = ssl->dtls13PeerEpoch; |
12538 | | w64Increment(&newEpoch); |
12539 | | |
12540 | | /* RFC 9147 Section 8: the 2^48-1 cap is sender-only; receivers MUST |
12541 | | * NOT enforce it. Guard only the wrap-to-zero (Section 4.2.1). */ |
12542 | | if (w64IsZero(newEpoch)) |
12543 | | return BAD_STATE_E; |
12544 | | |
12545 | | ssl->dtls13PeerEpoch = newEpoch; |
12546 | | |
12547 | | ret = Dtls13SetEpochKeys(ssl, ssl->dtls13PeerEpoch, DECRYPT_SIDE_ONLY); |
12548 | | if (ret != 0) |
12549 | | return ret; |
12550 | | } |
12551 | | #endif /* WOLFSSL_DTLS13 */ |
12552 | | |
12553 | 0 | if (ssl->keys.keyUpdateRespond) { |
12554 | |
|
12555 | | #ifdef WOLFSSL_DTLS13 |
12556 | | /* we already sent a keyUpdate (either in response to a previous |
12557 | | KeyUpdate or initiated by the application) and we are waiting for the |
12558 | | ack. We can't send a new KeyUpdate right away but to honor the RFC we |
12559 | | should send another KeyUpdate after the one in-flight is acked. We |
12560 | | don't do that as it looks redundant, it will make the code more |
12561 | | complex and I don't see a good use case for that. */ |
12562 | | if (ssl->options.dtls && ssl->dtls13WaitKeyUpdateAck) { |
12563 | | ssl->keys.keyUpdateRespond = 0; |
12564 | | return 0; |
12565 | | } |
12566 | | #endif /* WOLFSSL_DTLS13 */ |
12567 | |
|
12568 | | #if defined(HAVE_WRITE_DUP) && defined(WOLFSSL_TLS13) |
12569 | | /* Read side cannot write; delegate the response to the write side. */ |
12570 | | if (ssl->dupWrite != NULL && ssl->dupSide == READ_DUP_SIDE) { |
12571 | | if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0) |
12572 | | return BAD_MUTEX_E; |
12573 | | ssl->dupWrite->keyUpdateRespond = 1; |
12574 | | wc_UnLockMutex(&ssl->dupWrite->dupMutex); |
12575 | | ssl->keys.keyUpdateRespond = 0; |
12576 | | return 0; |
12577 | | } |
12578 | | #endif /* HAVE_WRITE_DUP && WOLFSSL_TLS13 */ |
12579 | |
|
12580 | 0 | #ifndef WOLFSSL_RW_THREADED |
12581 | 0 | return SendTls13KeyUpdate(ssl); |
12582 | | #else |
12583 | | ssl->options.sendKeyUpdate = 1; |
12584 | | return 0; |
12585 | | #endif |
12586 | 0 | } |
12587 | | |
12588 | 0 | WOLFSSL_LEAVE("DoTls13KeyUpdate", ret); |
12589 | 0 | WOLFSSL_END(WC_FUNC_KEY_UPDATE_DO); |
12590 | |
|
12591 | 0 | return 0; |
12592 | 0 | } |
12593 | | |
12594 | | #ifdef WOLFSSL_EARLY_DATA |
12595 | | #ifndef NO_WOLFSSL_CLIENT |
12596 | | /* Send the TLS v1.3 EndOfEarlyData message to indicate that there will be no |
12597 | | * more early application data. |
12598 | | * The encryption key now changes to the pre-calculated handshake key. |
12599 | | * |
12600 | | * ssl The SSL/TLS object. |
12601 | | * returns 0 on success and otherwise failure. |
12602 | | */ |
12603 | | static int SendTls13EndOfEarlyData(WOLFSSL* ssl) |
12604 | | { |
12605 | | byte* output; |
12606 | | int ret; |
12607 | | int sendSz; |
12608 | | word32 length; |
12609 | | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
12610 | | |
12611 | | WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_SEND); |
12612 | | WOLFSSL_ENTER("SendTls13EndOfEarlyData"); |
12613 | | |
12614 | | length = 0; |
12615 | | sendSz = (int)(idx + length + MAX_MSG_EXTRA); |
12616 | | ssl->options.buildingMsg = 1; |
12617 | | |
12618 | | /* Check buffers are big enough and grow if needed. */ |
12619 | | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
12620 | | return ret; |
12621 | | |
12622 | | /* Get position in output buffer to write new message to. */ |
12623 | | output = GetOutputBuffer(ssl); |
12624 | | |
12625 | | /* Put the record and handshake headers on. */ |
12626 | | AddTls13Headers(output, length, end_of_early_data, ssl); |
12627 | | |
12628 | | /* This message is always encrypted. */ |
12629 | | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ, |
12630 | | idx - RECORD_HEADER_SZ, handshake, 1, 0, 0); |
12631 | | if (sendSz < 0) |
12632 | | return sendSz; |
12633 | | |
12634 | | ssl->buffers.outputBuffer.length += sendSz; |
12635 | | |
12636 | | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
12637 | | return ret; |
12638 | | |
12639 | | ssl->options.buildingMsg = 0; |
12640 | | if (!ssl->options.groupMessages) |
12641 | | ret = SendBuffered(ssl); |
12642 | | |
12643 | | ssl->earlyData = done_early_data; |
12644 | | |
12645 | | WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret); |
12646 | | WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_SEND); |
12647 | | |
12648 | | return ret; |
12649 | | } |
12650 | | #endif /* !NO_WOLFSSL_CLIENT */ |
12651 | | |
12652 | | #ifndef NO_WOLFSSL_SERVER |
12653 | | /* handle processing of TLS 1.3 end_of_early_data (5) */ |
12654 | | /* Parse the TLS v1.3 EndOfEarlyData message that indicates that there will be |
12655 | | * no more early application data. |
12656 | | * The decryption key now changes to the pre-calculated handshake key. |
12657 | | * |
12658 | | * ssl The SSL/TLS object. |
12659 | | * returns 0 on success and otherwise failure. |
12660 | | */ |
12661 | | static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input, |
12662 | | word32* inOutIdx, word32 size) |
12663 | | { |
12664 | | int ret; |
12665 | | word32 begin = *inOutIdx; |
12666 | | |
12667 | | (void)input; |
12668 | | |
12669 | | WOLFSSL_START(WC_FUNC_END_OF_EARLY_DATA_DO); |
12670 | | WOLFSSL_ENTER("DoTls13EndOfEarlyData"); |
12671 | | |
12672 | | if ((*inOutIdx - begin) != size) |
12673 | | return BUFFER_ERROR; |
12674 | | |
12675 | | if (ssl->earlyData == no_early_data) { |
12676 | | WOLFSSL_MSG("EndOfEarlyData received unexpectedly"); |
12677 | | SendAlert(ssl, alert_fatal, unexpected_message); |
12678 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
12679 | | return OUT_OF_ORDER_E; |
12680 | | } |
12681 | | |
12682 | | ssl->earlyData = done_early_data; |
12683 | | |
12684 | | ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY); |
12685 | | |
12686 | | WOLFSSL_LEAVE("DoTls13EndOfEarlyData", ret); |
12687 | | WOLFSSL_END(WC_FUNC_END_OF_EARLY_DATA_DO); |
12688 | | |
12689 | | return ret; |
12690 | | } |
12691 | | #endif /* !NO_WOLFSSL_SERVER */ |
12692 | | #endif /* WOLFSSL_EARLY_DATA */ |
12693 | | |
12694 | | #if defined(HAVE_SESSION_TICKET) && defined(WOLFSSL_TICKET_NONCE_MALLOC) && \ |
12695 | | (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) |
12696 | | int SessionTicketNoncePopulate(WOLFSSL_SESSION *session, const byte *nonce, |
12697 | | byte len) |
12698 | | { |
12699 | | if (session->ticketNonce.data |
12700 | | != session->ticketNonce.dataStatic) { |
12701 | | XFREE(session->ticketNonce.data, session->heap, |
12702 | | DYNAMIC_TYPE_SESSION_TICK); |
12703 | | session->ticketNonce.data = session->ticketNonce.dataStatic; |
12704 | | session->ticketNonce.len = 0; |
12705 | | } |
12706 | | |
12707 | | if (len > MAX_TICKET_NONCE_STATIC_SZ) { |
12708 | | WOLFSSL_MSG("Using dynamic nonce buffer"); |
12709 | | session->ticketNonce.data = (byte*)XMALLOC(len, |
12710 | | session->heap, DYNAMIC_TYPE_SESSION_TICK); |
12711 | | if (session->ticketNonce.data == NULL) |
12712 | | return MEMORY_ERROR; |
12713 | | } |
12714 | | XMEMCPY(session->ticketNonce.data, nonce, len); |
12715 | | session->ticketNonce.len = len; |
12716 | | return 0; |
12717 | | } |
12718 | | #endif |
12719 | | #ifndef NO_WOLFSSL_CLIENT |
12720 | | /* Handle a New Session Ticket handshake message. |
12721 | | * Message contains the information required to perform resumption. |
12722 | | * |
12723 | | * ssl The SSL/TLS object. |
12724 | | * input The message buffer. |
12725 | | * inOutIdx On entry, the index into the message buffer of Finished. |
12726 | | * On exit, the index of byte after the Finished message and padding. |
12727 | | * size The length of the current handshake message. |
12728 | | * returns 0 on success, otherwise failure. |
12729 | | */ |
12730 | | static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input, |
12731 | | word32* inOutIdx, word32 size) |
12732 | 0 | { |
12733 | | #ifdef HAVE_SESSION_TICKET |
12734 | | int ret; |
12735 | | word32 begin = *inOutIdx; |
12736 | | word32 lifetime; |
12737 | | word32 ageAdd; |
12738 | | word16 length; |
12739 | | #ifdef WOLFSSL_32BIT_MILLI_TIME |
12740 | | word32 now; |
12741 | | #else |
12742 | | sword64 now; |
12743 | | #endif |
12744 | | const byte* nonce; |
12745 | | byte nonceLength; |
12746 | | |
12747 | | WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_DO); |
12748 | | WOLFSSL_ENTER("DoTls13NewSessionTicket"); |
12749 | | |
12750 | | #ifdef HAVE_ECH |
12751 | | /* ignore session ticket when ECH is rejected */ |
12752 | | if (ssl->echConfigs != NULL && !ssl->options.disableECH && |
12753 | | !ssl->options.echAccepted) { |
12754 | | *inOutIdx += size + ssl->keys.padSz; |
12755 | | return 0; |
12756 | | } |
12757 | | #endif |
12758 | | |
12759 | | /* Lifetime hint. */ |
12760 | | if ((*inOutIdx - begin) + SESSION_HINT_SZ > size) |
12761 | | return BUFFER_ERROR; |
12762 | | ato32(input + *inOutIdx, &lifetime); |
12763 | | *inOutIdx += SESSION_HINT_SZ; |
12764 | | if (lifetime > MAX_LIFETIME) { |
12765 | | WOLFSSL_ERROR_VERBOSE(SERVER_HINT_ERROR); |
12766 | | return SERVER_HINT_ERROR; |
12767 | | } |
12768 | | |
12769 | | /* Age add. */ |
12770 | | if ((*inOutIdx - begin) + SESSION_ADD_SZ > size) |
12771 | | return BUFFER_ERROR; |
12772 | | ato32(input + *inOutIdx, &ageAdd); |
12773 | | *inOutIdx += SESSION_ADD_SZ; |
12774 | | |
12775 | | /* Ticket nonce. */ |
12776 | | if ((*inOutIdx - begin) + 1 > size) |
12777 | | return BUFFER_ERROR; |
12778 | | nonceLength = input[*inOutIdx]; |
12779 | | #if !defined(WOLFSSL_TICKET_NONCE_MALLOC) && \ |
12780 | | (!defined(HAVE_FIPS) || FIPS_VERSION_GE(5,3)) |
12781 | | if (nonceLength > MAX_TICKET_NONCE_STATIC_SZ) { |
12782 | | WOLFSSL_MSG("Nonce length not supported"); |
12783 | | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
12784 | | return INVALID_PARAMETER; |
12785 | | } |
12786 | | #endif /* WOLFSSL_TICKET_NONCE_MALLOC && FIPS_VERSION_GE(5,3) */ |
12787 | | *inOutIdx += 1; |
12788 | | if ((*inOutIdx - begin) + nonceLength > size) |
12789 | | return BUFFER_ERROR; |
12790 | | nonce = input + *inOutIdx; |
12791 | | *inOutIdx += nonceLength; |
12792 | | |
12793 | | /* Ticket length. */ |
12794 | | if ((*inOutIdx - begin) + LENGTH_SZ > size) |
12795 | | return BUFFER_ERROR; |
12796 | | ato16(input + *inOutIdx, &length); |
12797 | | *inOutIdx += LENGTH_SZ; |
12798 | | if ((*inOutIdx - begin) + length > size) |
12799 | | return BUFFER_ERROR; |
12800 | | |
12801 | | if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0) |
12802 | | return ret; |
12803 | | *inOutIdx += length; |
12804 | | |
12805 | | now = TimeNowInMilliseconds(); |
12806 | | if (now == 0) |
12807 | | return GETTIME_ERROR; |
12808 | | /* Copy in ticket data (server identity). */ |
12809 | | ssl->timeout = lifetime; |
12810 | | ssl->session->timeout = lifetime; |
12811 | | ssl->session->cipherSuite0 = ssl->options.cipherSuite0; |
12812 | | ssl->session->cipherSuite = ssl->options.cipherSuite; |
12813 | | ssl->session->ticketSeen = now; |
12814 | | ssl->session->ticketAdd = ageAdd; |
12815 | | #ifdef WOLFSSL_EARLY_DATA |
12816 | | ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz; |
12817 | | #endif |
12818 | | |
12819 | | #if defined(WOLFSSL_TICKET_NONCE_MALLOC) && \ |
12820 | | (!defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(5,3))) |
12821 | | ret = SessionTicketNoncePopulate(ssl->session, nonce, nonceLength); |
12822 | | if (ret != 0) |
12823 | | return ret; |
12824 | | #else |
12825 | | ssl->session->ticketNonce.len = nonceLength; |
12826 | | if (nonceLength > MAX_TICKET_NONCE_STATIC_SZ) { |
12827 | | ret = BUFFER_ERROR; |
12828 | | return ret; |
12829 | | } |
12830 | | if (nonceLength > 0) |
12831 | | XMEMCPY(ssl->session->ticketNonce.data, nonce, nonceLength); |
12832 | | #endif /* defined(WOLFSSL_TICKET_NONCE_MALLOC) && FIPS_VERSION_GE(5,3) */ |
12833 | | |
12834 | | ssl->session->namedGroup = ssl->namedGroup; |
12835 | | |
12836 | | if ((*inOutIdx - begin) + EXTS_SZ > size) |
12837 | | return BUFFER_ERROR; |
12838 | | ato16(input + *inOutIdx, &length); |
12839 | | *inOutIdx += EXTS_SZ; |
12840 | | if ((*inOutIdx - begin) + length != size) |
12841 | | return BUFFER_ERROR; |
12842 | | #ifdef WOLFSSL_EARLY_DATA |
12843 | | ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), length, session_ticket, |
12844 | | NULL); |
12845 | | if (ret != 0) |
12846 | | return ret; |
12847 | | #endif |
12848 | | *inOutIdx += length; |
12849 | | |
12850 | | SetupSession(ssl); |
12851 | | #ifndef NO_SESSION_CACHE |
12852 | | AddSession(ssl); |
12853 | | #endif |
12854 | | |
12855 | | ssl->expect_session_ticket = 0; |
12856 | | #else |
12857 | 0 | (void)ssl; |
12858 | 0 | (void)input; |
12859 | |
|
12860 | 0 | WOLFSSL_ENTER("DoTls13NewSessionTicket"); |
12861 | |
|
12862 | 0 | *inOutIdx += size; |
12863 | 0 | #endif /* HAVE_SESSION_TICKET */ |
12864 | |
|
12865 | 0 | WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0); |
12866 | 0 | WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_DO); |
12867 | |
|
12868 | 0 | return 0; |
12869 | 0 | } |
12870 | | #endif /* NO_WOLFSSL_CLIENT */ |
12871 | | |
12872 | | #ifndef NO_WOLFSSL_SERVER |
12873 | | #ifdef HAVE_SESSION_TICKET |
12874 | | |
12875 | | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
12876 | | /* Offset of the MAC size in the finished message. */ |
12877 | | #define FINISHED_MSG_SIZE_OFFSET 3 |
12878 | | |
12879 | | /* Calculate the resumption secret which includes the unseen client finished |
12880 | | * message. |
12881 | | * |
12882 | | * ssl The SSL/TLS object. |
12883 | | * returns 0 on success, otherwise failure. |
12884 | | */ |
12885 | | static int ExpectedResumptionSecret(WOLFSSL* ssl) |
12886 | | { |
12887 | | int ret; |
12888 | | word32 finishedSz = 0; |
12889 | | byte mac[WC_MAX_DIGEST_SIZE]; |
12890 | | Digest digest; |
12891 | | byte header[] = { 0x14, 0x00, 0x00, 0x00 }; |
12892 | | |
12893 | | XMEMSET(&digest, 0, sizeof(Digest)); |
12894 | | |
12895 | | /* Copy the running hash so we can restore it after. */ |
12896 | | switch (ssl->specs.mac_algorithm) { |
12897 | | #ifndef NO_SHA256 |
12898 | | case sha256_mac: |
12899 | | ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256); |
12900 | | if (ret != 0) |
12901 | | return ret; |
12902 | | break; |
12903 | | #endif |
12904 | | #ifdef WOLFSSL_SHA384 |
12905 | | case sha384_mac: |
12906 | | ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384); |
12907 | | if (ret != 0) |
12908 | | return ret; |
12909 | | break; |
12910 | | #endif |
12911 | | #ifdef WOLFSSL_TLS13_SHA512 |
12912 | | case sha512_mac: |
12913 | | ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512); |
12914 | | if (ret != 0) |
12915 | | return ret; |
12916 | | break; |
12917 | | #endif |
12918 | | #ifdef WOLFSSL_SM3 |
12919 | | case sm3_mac: |
12920 | | ret = wc_Sm3Copy(&ssl->hsHashes->hashSm3, &digest.sm3); |
12921 | | if (ret != 0) |
12922 | | return ret; |
12923 | | break; |
12924 | | #endif |
12925 | | } |
12926 | | |
12927 | | /* Generate the Client's Finished message and hash it. */ |
12928 | | ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac, |
12929 | | &finishedSz); |
12930 | | if (ret != 0) |
12931 | | goto restore; |
12932 | | header[FINISHED_MSG_SIZE_OFFSET] = finishedSz; |
12933 | | #ifdef WOLFSSL_EARLY_DATA |
12934 | | if (ssl->earlyData != no_early_data) { |
12935 | | static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 }; |
12936 | | ret = HashRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData)); |
12937 | | if (ret != 0) |
12938 | | goto restore; |
12939 | | } |
12940 | | #endif |
12941 | | if ((ret = HashRaw(ssl, header, sizeof(header))) != 0) |
12942 | | goto restore; |
12943 | | if ((ret = HashRaw(ssl, mac, finishedSz)) != 0) |
12944 | | goto restore; |
12945 | | |
12946 | | if ((ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret)) != 0) |
12947 | | goto restore; |
12948 | | |
12949 | | /* Restore the hash inline with currently seen messages. */ |
12950 | | restore: |
12951 | | switch (ssl->specs.mac_algorithm) { |
12952 | | #ifndef NO_SHA256 |
12953 | | case sha256_mac: |
12954 | | wc_Sha256Free(&ssl->hsHashes->hashSha256); |
12955 | | ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256); |
12956 | | wc_Sha256Free(&digest.sha256); |
12957 | | break; |
12958 | | #endif |
12959 | | #ifdef WOLFSSL_SHA384 |
12960 | | case sha384_mac: |
12961 | | wc_Sha384Free(&ssl->hsHashes->hashSha384); |
12962 | | ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384); |
12963 | | wc_Sha384Free(&digest.sha384); |
12964 | | break; |
12965 | | #endif |
12966 | | #ifdef WOLFSSL_TLS13_SHA512 |
12967 | | case sha512_mac: |
12968 | | wc_Sha512Free(&ssl->hsHashes->hashSha512); |
12969 | | ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha512); |
12970 | | wc_Sha512Free(&digest.sha512); |
12971 | | break; |
12972 | | #endif |
12973 | | #ifdef WOLFSSL_SM3 |
12974 | | case sm3_mac: |
12975 | | wc_Sm3Free(&ssl->hsHashes->hashSm3); |
12976 | | ret = wc_Sm3Copy(&digest.sm3, &ssl->hsHashes->hashSm3); |
12977 | | wc_Sm3Free(&digest.sm3); |
12978 | | break; |
12979 | | #endif |
12980 | | } |
12981 | | |
12982 | | ForceZero(mac, sizeof(mac)); |
12983 | | return ret; |
12984 | | } |
12985 | | #endif |
12986 | | |
12987 | | /* Send New Session Ticket handshake message. |
12988 | | * Message contains the information required to perform resumption. |
12989 | | * |
12990 | | * ssl The SSL/TLS object. |
12991 | | * returns 0 on success, otherwise failure. |
12992 | | */ |
12993 | | static int SendTls13NewSessionTicket(WOLFSSL* ssl) |
12994 | | { |
12995 | | byte* output; |
12996 | | int ret; |
12997 | | word32 length; |
12998 | | int sendSz; |
12999 | | word16 extSz; |
13000 | | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; |
13001 | | |
13002 | | WOLFSSL_START(WC_FUNC_NEW_SESSION_TICKET_SEND); |
13003 | | WOLFSSL_ENTER("SendTls13NewSessionTicket"); |
13004 | | |
13005 | | if (DefTicketHintTooLarge(ssl)) { |
13006 | | WOLFSSL_MSG("Ticket hint exceeds half the ticket key lifetime; " |
13007 | | "skipping ticket"); |
13008 | | return 0; |
13009 | | } |
13010 | | |
13011 | | #ifdef WOLFSSL_DTLS13 |
13012 | | if (ssl->options.dtls) |
13013 | | idx = Dtls13GetRlHeaderLength(ssl, 1) + DTLS_HANDSHAKE_HEADER_SZ; |
13014 | | #endif /* WOLFSSL_DTLS13 */ |
13015 | | |
13016 | | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
13017 | | if (!ssl->msgsReceived.got_finished) { |
13018 | | if ((ret = ExpectedResumptionSecret(ssl)) != 0) |
13019 | | return ret; |
13020 | | } |
13021 | | #endif |
13022 | | |
13023 | | /* Start ticket nonce at 0 and go up to 255. */ |
13024 | | if (ssl->session->ticketNonce.len == 0) { |
13025 | | ssl->session->ticketNonce.len = DEF_TICKET_NONCE_SZ; |
13026 | | ssl->session->ticketNonce.data[0] = 0; |
13027 | | } |
13028 | | else |
13029 | | #ifdef WOLFSSL_ASYNC_CRYPT |
13030 | | if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E)) |
13031 | | #endif |
13032 | | { |
13033 | | if (ssl->session->ticketNonce.data[0] == 255) { |
13034 | | /* RFC8446 Section 4.6.1: Each ticket must have a unique nonce |
13035 | | * value. As the nonce is only a single byte, we have to prevent |
13036 | | * the overflow and abort. */ |
13037 | | return SESSION_TICKET_NONCE_OVERFLOW; |
13038 | | } |
13039 | | else |
13040 | | ssl->session->ticketNonce.data[0]++; |
13041 | | } |
13042 | | |
13043 | | if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) { |
13044 | | /* In this case we only send the ID as the ticket. Let's generate a new |
13045 | | * ID for the new ticket so that we don't overwrite any old ones */ |
13046 | | ret = wc_RNG_GenerateBlock(ssl->rng, ssl->session->altSessionID, |
13047 | | ID_LEN); |
13048 | | if (ret != 0) |
13049 | | return ret; |
13050 | | ssl->session->haveAltSessionID = 1; |
13051 | | } |
13052 | | |
13053 | | if (!ssl->options.noTicketTls13) { |
13054 | | if ((ret = SetupTicket(ssl)) != 0) |
13055 | | return ret; |
13056 | | /* No need to create the ticket if we only send the ID */ |
13057 | | if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) == 0) { |
13058 | | if ((ret = CreateTicket(ssl)) != 0) |
13059 | | return ret; |
13060 | | } |
13061 | | } |
13062 | | |
13063 | | #ifdef WOLFSSL_EARLY_DATA |
13064 | | ssl->session->maxEarlyDataSz = ssl->options.maxEarlyDataSz; |
13065 | | if (ssl->session->maxEarlyDataSz > 0) |
13066 | | TLSX_EarlyData_Use(ssl, ssl->session->maxEarlyDataSz, 1); |
13067 | | extSz = 0; |
13068 | | ret = TLSX_GetResponseSize(ssl, session_ticket, &extSz); |
13069 | | if (ret != 0) |
13070 | | return ret; |
13071 | | #else |
13072 | | extSz = EXTS_SZ; |
13073 | | #endif |
13074 | | /* Lifetime | Age Add | Ticket session ID | Extensions */ |
13075 | | length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ; |
13076 | | if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) |
13077 | | length += ID_LEN + extSz; |
13078 | | else |
13079 | | length += ssl->session->ticketLen + extSz; |
13080 | | /* Nonce */ |
13081 | | length += TICKET_NONCE_LEN_SZ + DEF_TICKET_NONCE_SZ; |
13082 | | |
13083 | | sendSz = (int)(idx + length + MAX_MSG_EXTRA); |
13084 | | |
13085 | | /* Check buffers are big enough and grow if needed. */ |
13086 | | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) |
13087 | | return ret; |
13088 | | |
13089 | | /* Get position in output buffer to write new message to. */ |
13090 | | output = GetOutputBuffer(ssl); |
13091 | | |
13092 | | /* Put the record and handshake headers on. */ |
13093 | | AddTls13Headers(output, length, session_ticket, ssl); |
13094 | | |
13095 | | /* Lifetime hint */ |
13096 | | c32toa(ssl->ctx->ticketHint, output + idx); |
13097 | | idx += SESSION_HINT_SZ; |
13098 | | /* Age add - obfuscator */ |
13099 | | c32toa(ssl->session->ticketAdd, output + idx); |
13100 | | idx += SESSION_ADD_SZ; |
13101 | | |
13102 | | output[idx++] = ssl->session->ticketNonce.len; |
13103 | | output[idx++] = ssl->session->ticketNonce.data[0]; |
13104 | | |
13105 | | /* length */ |
13106 | | if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) { |
13107 | | c16toa(ID_LEN, output + idx); |
13108 | | } |
13109 | | else { |
13110 | | c16toa(ssl->session->ticketLen, output + idx); |
13111 | | } |
13112 | | |
13113 | | idx += LENGTH_SZ; |
13114 | | /* ticket */ |
13115 | | if ((ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0) { |
13116 | | if (ssl->session->haveAltSessionID) |
13117 | | XMEMCPY(output + idx, ssl->session->altSessionID, ID_LEN); |
13118 | | else |
13119 | | return BAD_FUNC_ARG; /* Should not happen */ |
13120 | | idx += ID_LEN; |
13121 | | } |
13122 | | else { |
13123 | | XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen); |
13124 | | idx += ssl->session->ticketLen; |
13125 | | } |
13126 | | |
13127 | | #ifdef WOLFSSL_EARLY_DATA |
13128 | | extSz = 0; |
13129 | | ret = TLSX_WriteResponse(ssl, output + idx, session_ticket, &extSz); |
13130 | | if (ret != 0) |
13131 | | return ret; |
13132 | | idx += extSz; |
13133 | | #else |
13134 | | /* No extension support - empty extensions. */ |
13135 | | c16toa(0, output + idx); |
13136 | | idx += EXTS_SZ; |
13137 | | #endif |
13138 | | |
13139 | | if (idx > WOLFSSL_MAX_16BIT || |
13140 | | sendSz > (int)WOLFSSL_MAX_16BIT) { |
13141 | | return BAD_LENGTH_E; |
13142 | | } |
13143 | | |
13144 | | ssl->options.haveSessionId = 1; |
13145 | | |
13146 | | SetupSession(ssl); |
13147 | | /* Only add to cache when support built in and when the ticket contains |
13148 | | * an ID. Otherwise we have no way to actually retrieve the ticket from the |
13149 | | * cache. */ |
13150 | | #if !defined(NO_SESSION_CACHE) && defined(WOLFSSL_TICKET_HAVE_ID) |
13151 | | AddSession(ssl); |
13152 | | #endif |
13153 | | |
13154 | | #ifdef WOLFSSL_DTLS13 |
13155 | | if (ssl->options.dtls) |
13156 | | return Dtls13HandshakeSend(ssl, output, (word16)sendSz, |
13157 | | (word16)idx, session_ticket, 0); |
13158 | | #endif /* WOLFSSL_DTLS13 */ |
13159 | | |
13160 | | /* This message is always encrypted. */ |
13161 | | sendSz = BuildTls13Message(ssl, output, sendSz, |
13162 | | output + RECORD_HEADER_SZ, |
13163 | | (word16)idx - RECORD_HEADER_SZ, |
13164 | | handshake, 0, 0, 0); |
13165 | | if (sendSz < 0) |
13166 | | return sendSz; |
13167 | | |
13168 | | ssl->buffers.outputBuffer.length += sendSz; |
13169 | | |
13170 | | /* Always send as this is either directly after server's Finished or only |
13171 | | * message after client's Finished. |
13172 | | */ |
13173 | | ret = SendBuffered(ssl); |
13174 | | |
13175 | | WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0); |
13176 | | WOLFSSL_END(WC_FUNC_NEW_SESSION_TICKET_SEND); |
13177 | | |
13178 | | return ret; |
13179 | | } |
13180 | | #endif /* HAVE_SESSION_TICKET */ |
13181 | | #endif /* NO_WOLFSSL_SERVER */ |
13182 | | |
13183 | | /* Make sure no duplicates, no fast forward, or other problems |
13184 | | * |
13185 | | * ssl The SSL/TLS object. |
13186 | | * type Type of handshake message received. |
13187 | | * returns 0 on success, otherwise failure. |
13188 | | */ |
13189 | | static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type) |
13190 | 0 | { |
13191 | | /* verify not a duplicate, mark received, check state */ |
13192 | 0 | switch (type) { |
13193 | | |
13194 | 0 | #ifndef NO_WOLFSSL_SERVER |
13195 | 0 | case client_hello: |
13196 | 0 | #ifndef NO_WOLFSSL_CLIENT |
13197 | | /* Only valid when received on SERVER side. */ |
13198 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
13199 | 0 | WOLFSSL_MSG("ClientHello received by client"); |
13200 | 0 | WOLFSSL_ERROR_VERBOSE(SIDE_ERROR); |
13201 | 0 | return SIDE_ERROR; |
13202 | 0 | } |
13203 | 0 | #endif |
13204 | | /* Check state. */ |
13205 | 0 | if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE) { |
13206 | 0 | WOLFSSL_MSG("ClientHello received out of order"); |
13207 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13208 | 0 | return OUT_OF_ORDER_E; |
13209 | 0 | } |
13210 | | /* Check previously seen. */ |
13211 | | /* Initial and after HelloRetryRequest - no more than 2. */ |
13212 | 0 | if (ssl->msgsReceived.got_client_hello == 2) { |
13213 | 0 | WOLFSSL_MSG("Too many ClientHello received"); |
13214 | 0 | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13215 | 0 | return DUPLICATE_MSG_E; |
13216 | 0 | } |
13217 | | /* Second only after HelloRetryRequest seen. */ |
13218 | 0 | if (ssl->msgsReceived.got_client_hello == 1 && |
13219 | 0 | ssl->options.serverState != |
13220 | 0 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
13221 | 0 | WOLFSSL_MSG("Duplicate ClientHello received"); |
13222 | 0 | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13223 | 0 | return DUPLICATE_MSG_E; |
13224 | 0 | } |
13225 | 0 | ssl->msgsReceived.got_client_hello++; |
13226 | |
|
13227 | 0 | break; |
13228 | 0 | #endif |
13229 | | |
13230 | 0 | #ifndef NO_WOLFSSL_CLIENT |
13231 | 0 | case server_hello: |
13232 | 0 | #ifndef NO_WOLFSSL_SERVER |
13233 | | /* Only valid when received on CLIENT side. */ |
13234 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
13235 | 0 | WOLFSSL_MSG("ServerHello received by server"); |
13236 | 0 | WOLFSSL_ERROR_VERBOSE(SIDE_ERROR); |
13237 | 0 | return SIDE_ERROR; |
13238 | 0 | } |
13239 | 0 | #endif |
13240 | | /* Check state. */ |
13241 | 0 | if (ssl->options.serverState >= SERVER_HELLO_COMPLETE) { |
13242 | 0 | WOLFSSL_MSG("ServerHello received out of order"); |
13243 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13244 | 0 | return OUT_OF_ORDER_E; |
13245 | 0 | } |
13246 | | /* Check previously seen. */ |
13247 | | /* Only once after ClientHello. |
13248 | | * HelloRetryRequest has ServerHello type but count fixed up later |
13249 | | * - see DoTls13ServerHello(). |
13250 | | */ |
13251 | 0 | if (ssl->msgsReceived.got_server_hello) { |
13252 | 0 | WOLFSSL_MSG("Duplicate ServerHello received"); |
13253 | 0 | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13254 | 0 | return DUPLICATE_MSG_E; |
13255 | 0 | } |
13256 | 0 | ssl->msgsReceived.got_server_hello = 1; |
13257 | |
|
13258 | 0 | break; |
13259 | 0 | #endif |
13260 | | |
13261 | 0 | #ifndef NO_WOLFSSL_CLIENT |
13262 | 0 | case session_ticket: |
13263 | 0 | #ifndef NO_WOLFSSL_SERVER |
13264 | | /* Only valid when received on CLIENT side. */ |
13265 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
13266 | 0 | WOLFSSL_MSG("NewSessionTicket received by server"); |
13267 | 0 | WOLFSSL_ERROR_VERBOSE(SIDE_ERROR); |
13268 | 0 | return SIDE_ERROR; |
13269 | 0 | } |
13270 | 0 | #endif |
13271 | | /* Check state. */ |
13272 | | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
13273 | | /* Only allowed after server's Finished message. */ |
13274 | | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
13275 | | WOLFSSL_MSG("NewSessionTicket received out of order"); |
13276 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13277 | | return OUT_OF_ORDER_E; |
13278 | | } |
13279 | | #else |
13280 | | /* Only allowed after client's Finished message. */ |
13281 | 0 | if (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) { |
13282 | 0 | WOLFSSL_MSG("NewSessionTicket received out of order"); |
13283 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13284 | 0 | return OUT_OF_ORDER_E; |
13285 | 0 | } |
13286 | 0 | #endif |
13287 | | /* Many SessionTickets can be sent. */ |
13288 | 0 | ssl->msgsReceived.got_session_ticket = 1; |
13289 | |
|
13290 | 0 | break; |
13291 | 0 | #endif |
13292 | | |
13293 | 0 | #ifndef NO_WOLFSSL_SERVER |
13294 | | #ifdef WOLFSSL_EARLY_DATA |
13295 | | case end_of_early_data: |
13296 | | #ifndef NO_WOLFSSL_CLIENT |
13297 | | /* Only valid when received on SERVER side. */ |
13298 | | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
13299 | | WOLFSSL_MSG("EndOfEarlyData received by client"); |
13300 | | WOLFSSL_ERROR_VERBOSE(SIDE_ERROR); |
13301 | | return SIDE_ERROR; |
13302 | | } |
13303 | | #endif |
13304 | | /* Check state. */ |
13305 | | /* Only after server's Finished and before client's Finished. */ |
13306 | | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
13307 | | WOLFSSL_MSG("EndOfEarlyData received out of order"); |
13308 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13309 | | return OUT_OF_ORDER_E; |
13310 | | } |
13311 | | if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE) { |
13312 | | WOLFSSL_MSG("EndOfEarlyData received out of order"); |
13313 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13314 | | return OUT_OF_ORDER_E; |
13315 | | } |
13316 | | /* Check previously seen. */ |
13317 | | if (ssl->msgsReceived.got_end_of_early_data) { |
13318 | | WOLFSSL_MSG("Too many EndOfEarlyData received"); |
13319 | | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13320 | | return DUPLICATE_MSG_E; |
13321 | | } |
13322 | | ssl->msgsReceived.got_end_of_early_data = 1; |
13323 | | |
13324 | | break; |
13325 | | #endif |
13326 | 0 | #endif |
13327 | | |
13328 | 0 | #ifndef NO_WOLFSSL_CLIENT |
13329 | 0 | case encrypted_extensions: |
13330 | 0 | #ifndef NO_WOLFSSL_SERVER |
13331 | | /* Only valid when received on CLIENT side. */ |
13332 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
13333 | 0 | WOLFSSL_MSG("EncryptedExtensions received by server"); |
13334 | 0 | WOLFSSL_ERROR_VERBOSE(SIDE_ERROR); |
13335 | 0 | return SIDE_ERROR; |
13336 | 0 | } |
13337 | 0 | #endif |
13338 | | /* Check state. */ |
13339 | | /* Must be received directly after ServerHello. |
13340 | | * DoTls13EncryptedExtensions() changes state to: |
13341 | | * SERVER_ENCRYPTED_EXTENSIONS_COMPLETE. |
13342 | | */ |
13343 | 0 | if (ssl->options.serverState != SERVER_HELLO_COMPLETE) { |
13344 | 0 | WOLFSSL_MSG("EncryptedExtensions received out of order"); |
13345 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13346 | 0 | return OUT_OF_ORDER_E; |
13347 | 0 | } |
13348 | | /* Check previously seen. */ |
13349 | 0 | if (ssl->msgsReceived.got_encrypted_extensions) { |
13350 | 0 | WOLFSSL_MSG("Duplicate EncryptedExtensions received"); |
13351 | 0 | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13352 | 0 | return DUPLICATE_MSG_E; |
13353 | 0 | } |
13354 | 0 | ssl->msgsReceived.got_encrypted_extensions = 1; |
13355 | |
|
13356 | 0 | break; |
13357 | 0 | #endif |
13358 | | |
13359 | 0 | case certificate: |
13360 | | /* Valid on both sides. */ |
13361 | 0 | #ifndef NO_WOLFSSL_CLIENT |
13362 | | /* Check state. */ |
13363 | | /* On client, seen after EncryptedExtension and CertificateRequest |
13364 | | * (if sent) and before CertificateVerify and Finished. |
13365 | | * DoTls13Certificate() sets serverState to SERVER_CERT_COMPLETE. |
13366 | | */ |
13367 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
13368 | 0 | ssl->options.serverState != |
13369 | 0 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { |
13370 | 0 | WOLFSSL_MSG("Certificate received out of order - Client"); |
13371 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13372 | 0 | return OUT_OF_ORDER_E; |
13373 | 0 | } |
13374 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
13375 | | /* Server's authenticating with PSK must not send this. */ |
13376 | | if (ssl->options.side == WOLFSSL_CLIENT_END && |
13377 | | ssl->options.serverState == SERVER_CERT_COMPLETE && |
13378 | | ssl->options.pskNegotiated |
13379 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
13380 | | && !ssl->options.certWithExternPsk |
13381 | | #endif |
13382 | | ) { |
13383 | | WOLFSSL_MSG("Certificate received while using PSK"); |
13384 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13385 | | return SANITY_MSG_E; |
13386 | | } |
13387 | | #endif |
13388 | 0 | #endif |
13389 | 0 | #ifndef NO_WOLFSSL_SERVER |
13390 | | /* Check state. */ |
13391 | | /* On Server, valid after ClientHello received and ServerFinished |
13392 | | * sent. */ |
13393 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END && |
13394 | 0 | ssl->options.clientState != CLIENT_HELLO_COMPLETE && |
13395 | 0 | ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
13396 | 0 | WOLFSSL_MSG("Certificate received out of order - Server"); |
13397 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13398 | 0 | return OUT_OF_ORDER_E; |
13399 | 0 | } |
13400 | 0 | #endif |
13401 | | /* Check previously seen. */ |
13402 | 0 | if (ssl->msgsReceived.got_certificate) { |
13403 | 0 | WOLFSSL_MSG("Duplicate Certificate received"); |
13404 | 0 | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13405 | 0 | return DUPLICATE_MSG_E; |
13406 | 0 | } |
13407 | 0 | ssl->msgsReceived.got_certificate = 1; |
13408 | |
|
13409 | 0 | break; |
13410 | | |
13411 | 0 | #ifndef NO_WOLFSSL_CLIENT |
13412 | 0 | case certificate_request: |
13413 | 0 | #ifndef NO_WOLFSSL_SERVER |
13414 | | /* Only valid when received on CLIENT side. */ |
13415 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
13416 | 0 | WOLFSSL_MSG("CertificateRequest received by server"); |
13417 | 0 | WOLFSSL_ERROR_VERBOSE(SIDE_ERROR); |
13418 | 0 | return SIDE_ERROR; |
13419 | 0 | } |
13420 | 0 | #endif |
13421 | | /* Check state. */ |
13422 | 0 | #ifndef WOLFSSL_POST_HANDSHAKE_AUTH |
13423 | | /* Only valid when sent after EncryptedExtensions and before |
13424 | | * Certificate. */ |
13425 | 0 | if (ssl->options.serverState != |
13426 | 0 | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { |
13427 | 0 | WOLFSSL_MSG("CertificateRequest received out of order"); |
13428 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13429 | 0 | return OUT_OF_ORDER_E; |
13430 | 0 | } |
13431 | | #else |
13432 | | /* Valid when sent after EncryptedExtensions and before Certificate |
13433 | | * and after both client and server have sent Finished (Post |
13434 | | * Handshake Authentication). */ |
13435 | | if (ssl->options.serverState != |
13436 | | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE && |
13437 | | (ssl->options.serverState < SERVER_FINISHED_COMPLETE || |
13438 | | ssl->options.clientState != CLIENT_FINISHED_COMPLETE)) { |
13439 | | WOLFSSL_MSG("CertificateRequest received out of order"); |
13440 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13441 | | return OUT_OF_ORDER_E; |
13442 | | } |
13443 | | /* RFC 8446 4.6.2: A client that receives a post-handshake |
13444 | | * CertificateRequest message without having sent the |
13445 | | * "post_handshake_auth" extension MUST send an |
13446 | | * "unexpected_message" fatal alert. wolfSSL_allow_post_handshake_auth() |
13447 | | * must be called before wolfSSL_connect() so postHandshakeAuth |
13448 | | * reflects whether the extension was offered. */ |
13449 | | if (ssl->options.serverState >= SERVER_FINISHED_COMPLETE && |
13450 | | ssl->options.clientState == CLIENT_FINISHED_COMPLETE && |
13451 | | !ssl->options.postHandshakeAuth) { |
13452 | | WOLFSSL_MSG("Post-handshake CertificateRequest received " |
13453 | | "without having sent post_handshake_auth " |
13454 | | "extension"); |
13455 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13456 | | return OUT_OF_ORDER_E; |
13457 | | } |
13458 | | #endif |
13459 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
13460 | | /* Server's authenticating with PSK must not send this. */ |
13461 | | if (ssl->options.pskNegotiated |
13462 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
13463 | | && !ssl->options.certWithExternPsk |
13464 | | #endif |
13465 | | ) { |
13466 | | WOLFSSL_MSG("CertificateRequest received while using PSK"); |
13467 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13468 | | return SANITY_MSG_E; |
13469 | | } |
13470 | | #endif |
13471 | | /* Check previously seen. */ |
13472 | 0 | #ifndef WOLFSSL_POST_HANDSHAKE_AUTH |
13473 | | /* Only once during handshake. */ |
13474 | 0 | if (ssl->msgsReceived.got_certificate_request) { |
13475 | 0 | WOLFSSL_MSG("Duplicate CertificateRequest received"); |
13476 | 0 | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13477 | 0 | return DUPLICATE_MSG_E; |
13478 | 0 | } |
13479 | | #else |
13480 | | /* Only once during handshake. */ |
13481 | | if (ssl->msgsReceived.got_certificate_request && |
13482 | | ssl->options.clientState != CLIENT_FINISHED_COMPLETE) { |
13483 | | WOLFSSL_MSG("Duplicate CertificateRequest received"); |
13484 | | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13485 | | return DUPLICATE_MSG_E; |
13486 | | } |
13487 | | #endif |
13488 | 0 | ssl->msgsReceived.got_certificate_request = 1; |
13489 | |
|
13490 | 0 | break; |
13491 | 0 | #endif |
13492 | | |
13493 | 0 | case certificate_verify: |
13494 | | /* Valid on both sides. */ |
13495 | 0 | #ifndef NO_WOLFSSL_CLIENT |
13496 | | /* Check state on client. |
13497 | | * Valid only directly after a Certificate message. */ |
13498 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
13499 | 0 | if (ssl->options.serverState != SERVER_CERT_COMPLETE) { |
13500 | 0 | WOLFSSL_MSG("No Cert before CertVerify"); |
13501 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13502 | 0 | return OUT_OF_ORDER_E; |
13503 | 0 | } |
13504 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
13505 | | /* Server's authenticating with PSK must not send this. */ |
13506 | | if (ssl->options.pskNegotiated |
13507 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
13508 | | && !ssl->options.certWithExternPsk |
13509 | | #endif |
13510 | | ) { |
13511 | | WOLFSSL_MSG("CertificateVerify received while using PSK"); |
13512 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13513 | | return SANITY_MSG_E; |
13514 | | } |
13515 | | #endif |
13516 | 0 | } |
13517 | 0 | #endif |
13518 | 0 | #ifndef NO_WOLFSSL_SERVER |
13519 | | /* Check state on server. */ |
13520 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
13521 | | /* Server must have sent Finished message. */ |
13522 | 0 | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
13523 | 0 | WOLFSSL_MSG("CertificateVerify received out of order"); |
13524 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13525 | 0 | return OUT_OF_ORDER_E; |
13526 | 0 | } |
13527 | | /* Valid only directly after a Certificate message. */ |
13528 | 0 | if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
13529 | 0 | WOLFSSL_MSG("CertificateVerify before ClientHello done"); |
13530 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13531 | 0 | return OUT_OF_ORDER_E; |
13532 | 0 | } |
13533 | 0 | if (!ssl->msgsReceived.got_certificate) { |
13534 | 0 | WOLFSSL_MSG("No Cert before CertificateVerify"); |
13535 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13536 | 0 | return OUT_OF_ORDER_E; |
13537 | 0 | } |
13538 | 0 | } |
13539 | 0 | #endif |
13540 | | /* Check previously seen. */ |
13541 | 0 | if (ssl->msgsReceived.got_certificate_verify) { |
13542 | 0 | WOLFSSL_MSG("Duplicate CertificateVerify received"); |
13543 | 0 | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13544 | 0 | return DUPLICATE_MSG_E; |
13545 | 0 | } |
13546 | 0 | ssl->msgsReceived.got_certificate_verify = 1; |
13547 | |
|
13548 | 0 | break; |
13549 | | |
13550 | 0 | case finished: |
13551 | | /* Valid on both sides. */ |
13552 | 0 | #ifndef NO_WOLFSSL_CLIENT |
13553 | | /* Check state on client. */ |
13554 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
13555 | | /* After sending ClientHello */ |
13556 | 0 | if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
13557 | 0 | WOLFSSL_MSG("Finished received out of order - clientState"); |
13558 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13559 | 0 | return OUT_OF_ORDER_E; |
13560 | 0 | } |
13561 | | /* Must have seen certificate and verify from server except when |
13562 | | * using PSK. */ |
13563 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
13564 | | if (ssl->options.pskNegotiated) { |
13565 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
13566 | | if (ssl->options.certWithExternPsk) { |
13567 | | if (ssl->options.serverState != |
13568 | | SERVER_CERT_VERIFY_COMPLETE) { |
13569 | | WOLFSSL_MSG("Finished received out of order - " |
13570 | | "cert_with_extern_psk"); |
13571 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13572 | | return OUT_OF_ORDER_E; |
13573 | | } |
13574 | | } |
13575 | | else |
13576 | | #endif |
13577 | | { |
13578 | | if (ssl->options.serverState != |
13579 | | SERVER_ENCRYPTED_EXTENSIONS_COMPLETE) { |
13580 | | WOLFSSL_MSG("Finished received out of order - PSK"); |
13581 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13582 | | return OUT_OF_ORDER_E; |
13583 | | } |
13584 | | } |
13585 | | } |
13586 | | else |
13587 | | #endif |
13588 | 0 | if (ssl->options.serverState != SERVER_CERT_VERIFY_COMPLETE) { |
13589 | 0 | WOLFSSL_MSG("Finished received out of order - serverState"); |
13590 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13591 | 0 | return OUT_OF_ORDER_E; |
13592 | 0 | } |
13593 | 0 | } |
13594 | 0 | #endif |
13595 | 0 | #ifndef NO_WOLFSSL_SERVER |
13596 | | /* Check state on server. */ |
13597 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
13598 | 0 | if (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
13599 | 0 | WOLFSSL_MSG("Finished received out of order - serverState"); |
13600 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13601 | 0 | return OUT_OF_ORDER_E; |
13602 | 0 | } |
13603 | 0 | if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
13604 | 0 | WOLFSSL_MSG("Finished received out of order - clientState"); |
13605 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13606 | 0 | return OUT_OF_ORDER_E; |
13607 | 0 | } |
13608 | | #ifdef WOLFSSL_EARLY_DATA |
13609 | | if (ssl->earlyData == process_early_data && |
13610 | | /* early data may be lost when using DTLS */ |
13611 | | !ssl->options.dtls |
13612 | | /* QUIC does not use EndOfEarlyData records */ |
13613 | | && !WOLFSSL_IS_QUIC(ssl)) { |
13614 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13615 | | return OUT_OF_ORDER_E; |
13616 | | } |
13617 | | #endif |
13618 | 0 | } |
13619 | 0 | #endif |
13620 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
13621 | | if (!ssl->options.pskNegotiated |
13622 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
13623 | | || ssl->options.certWithExternPsk |
13624 | | #endif |
13625 | | ) |
13626 | | #endif |
13627 | 0 | { |
13628 | | /* Must have received a Certificate message from client if |
13629 | | * verifying the peer. Empty certificate message indicates |
13630 | | * no certificate available. |
13631 | | */ |
13632 | 0 | if (ssl->options.verifyPeer && |
13633 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
13634 | | /* The post-handshake-auth exemption is only valid during |
13635 | | * the initial handshake. On the server, once a |
13636 | | * post-handshake CertificateRequest is outstanding |
13637 | | * (certReqCtx != NULL), a Certificate is required again. |
13638 | | * Scoped to the server: certReqCtx means something |
13639 | | * different on the client (a received request) and the |
13640 | | * client does not process an inbound Finished in that |
13641 | | * state. Whether an empty Certificate is then accepted |
13642 | | * follows the verify mode (FAIL_IF_NO_PEER_CERT), exactly |
13643 | | * as for first-handshake client authentication. */ |
13644 | | (!ssl->options.verifyPostHandshake || |
13645 | | (ssl->options.side == WOLFSSL_SERVER_END && |
13646 | | ssl->certReqCtx != NULL)) && |
13647 | | #endif |
13648 | 0 | !ssl->msgsReceived.got_certificate) { |
13649 | 0 | WOLFSSL_MSG("Finished received out of order - " |
13650 | 0 | "missing Certificate message"); |
13651 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13652 | 0 | return OUT_OF_ORDER_E; |
13653 | 0 | } |
13654 | | /* Mutual authentication on server requires a certificate from |
13655 | | * peer. Verify peer set on client side requires a certificate |
13656 | | * from peer as not doing PSK. |
13657 | | */ |
13658 | 0 | if ((ssl->options.mutualAuth || |
13659 | 0 | (ssl->options.side == WOLFSSL_CLIENT_END && |
13660 | 0 | ssl->options.verifyPeer)) && !ssl->options.havePeerCert) { |
13661 | 0 | WOLFSSL_MSG("Finished received out of order - " |
13662 | 0 | "no valid certificate"); |
13663 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13664 | 0 | return OUT_OF_ORDER_E; |
13665 | 0 | } |
13666 | | /* Must have received a valid CertificateVerify if verifying |
13667 | | * peer and got a peer certificate. |
13668 | | */ |
13669 | 0 | if ((ssl->options.mutualAuth || ssl->options.verifyPeer) && |
13670 | 0 | ssl->options.havePeerCert && !ssl->options.havePeerVerify) { |
13671 | 0 | WOLFSSL_MSG("Finished received out of order - " |
13672 | 0 | "Certificate message but no CertificateVerify"); |
13673 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13674 | 0 | return OUT_OF_ORDER_E; |
13675 | 0 | } |
13676 | 0 | } |
13677 | | /* Check previously seen. */ |
13678 | 0 | if (ssl->msgsReceived.got_finished) { |
13679 | 0 | WOLFSSL_MSG("Duplicate Finished received"); |
13680 | 0 | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13681 | 0 | return DUPLICATE_MSG_E; |
13682 | 0 | } |
13683 | 0 | ssl->msgsReceived.got_finished = 1; |
13684 | |
|
13685 | 0 | break; |
13686 | | |
13687 | 0 | case key_update: |
13688 | | /* Valid on both sides. */ |
13689 | | #ifdef WOLFSSL_QUIC |
13690 | | /* RFC 9001 Section 6: QUIC performs key updates at the QUIC |
13691 | | * packet-protection layer, so a TLS KeyUpdate message must be |
13692 | | * rejected as a fatal unexpected_message connection error. */ |
13693 | | if (WOLFSSL_IS_QUIC(ssl)) { |
13694 | | WOLFSSL_MSG("KeyUpdate received over QUIC"); |
13695 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13696 | | return SANITY_MSG_E; |
13697 | | } |
13698 | | #endif |
13699 | | /* Check state. |
13700 | | * Client and server must have received finished message from other |
13701 | | * side. |
13702 | | */ |
13703 | 0 | if (!ssl->msgsReceived.got_finished) { |
13704 | 0 | WOLFSSL_MSG("No KeyUpdate before Finished"); |
13705 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13706 | 0 | return OUT_OF_ORDER_E; |
13707 | 0 | } |
13708 | | /* Multiple KeyUpdates can be sent. */ |
13709 | 0 | break; |
13710 | | #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12) |
13711 | | case hello_verify_request: |
13712 | | if (!ssl->options.dtls) { |
13713 | | WOLFSSL_MSG("HelloVerifyRequest when not in DTLS"); |
13714 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13715 | | return OUT_OF_ORDER_E; |
13716 | | } |
13717 | | if (ssl->msgsReceived.got_hello_verify_request) { |
13718 | | WOLFSSL_MSG("Duplicate HelloVerifyRequest received"); |
13719 | | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13720 | | return DUPLICATE_MSG_E; |
13721 | | } |
13722 | | ssl->msgsReceived.got_hello_verify_request = 1; |
13723 | | if (ssl->msgsReceived.got_hello_retry_request) { |
13724 | | WOLFSSL_MSG( |
13725 | | "Both HelloVerifyRequest and HelloRetryRequest received"); |
13726 | | WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E); |
13727 | | return DUPLICATE_MSG_E; |
13728 | | } |
13729 | | if (ssl->options.serverState >= |
13730 | | SERVER_HELLO_RETRY_REQUEST_COMPLETE || |
13731 | | ssl->options.connectState != CLIENT_HELLO_SENT) { |
13732 | | WOLFSSL_MSG("HelloVerifyRequest received out of order"); |
13733 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13734 | | return OUT_OF_ORDER_E; |
13735 | | } |
13736 | | if (ssl->options.side == WOLFSSL_SERVER_END) { |
13737 | | WOLFSSL_MSG("HelloVerifyRequest received on the server"); |
13738 | | WOLFSSL_ERROR_VERBOSE(SIDE_ERROR); |
13739 | | return SIDE_ERROR; |
13740 | | } |
13741 | | if (!ssl->options.downgrade || |
13742 | | ssl->options.minDowngrade < DTLSv1_2_MINOR) { |
13743 | | WOLFSSL_MSG( |
13744 | | "HelloVerifyRequest received but not DTLSv1.2 allowed"); |
13745 | | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
13746 | | return VERSION_ERROR; |
13747 | | } |
13748 | | break; |
13749 | | #endif /* WOLFSSL_DTLS13 && !WOLFSSL_NO_TLS12*/ |
13750 | | |
13751 | | #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS_CID) |
13752 | | case request_connection_id: |
13753 | | case new_connection_id: |
13754 | | { |
13755 | | CIDInfo* cidInfo = ssl->dtlsCidInfo; |
13756 | | |
13757 | | /* DTLS 1.3 only (RFC 9147) */ |
13758 | | if (!ssl->options.dtls) { |
13759 | | WOLFSSL_MSG("CID message received but not DTLS"); |
13760 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13761 | | return SANITY_MSG_E; |
13762 | | } |
13763 | | /* RFC 9147 Section 9: if CIDs were not negotiated, MUST abort |
13764 | | * with an unexpected_message alert */ |
13765 | | if (cidInfo == NULL || !cidInfo->negotiated) { |
13766 | | WOLFSSL_MSG("CID message received but CID not negotiated"); |
13767 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13768 | | return SANITY_MSG_E; |
13769 | | } |
13770 | | if (ssl->options.handShakeState != HANDSHAKE_DONE) { |
13771 | | WOLFSSL_MSG("CID message received out of order"); |
13772 | | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13773 | | return OUT_OF_ORDER_E; |
13774 | | } |
13775 | | if (type == request_connection_id) { |
13776 | | /* the peer MUST NOT request CIDs while sending an empty |
13777 | | * CID itself */ |
13778 | | if (cidInfo->rx == NULL || cidInfo->rx->length == 0) { |
13779 | | WOLFSSL_MSG("RequestConnectionId from peer sending an " |
13780 | | "empty CID"); |
13781 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13782 | | return SANITY_MSG_E; |
13783 | | } |
13784 | | } |
13785 | | else { |
13786 | | /* the peer MUST NOT issue CIDs after negotiating receiving |
13787 | | * an empty CID */ |
13788 | | if (cidInfo->tx == NULL || cidInfo->tx->length == 0) { |
13789 | | WOLFSSL_MSG("NewConnectionId from peer that negotiated " |
13790 | | "an empty CID"); |
13791 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13792 | | return SANITY_MSG_E; |
13793 | | } |
13794 | | } |
13795 | | break; |
13796 | | } |
13797 | | #endif /* WOLFSSL_DTLS13 && WOLFSSL_DTLS_CID */ |
13798 | | |
13799 | 0 | default: |
13800 | 0 | WOLFSSL_MSG("Unknown message type"); |
13801 | 0 | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13802 | 0 | return SANITY_MSG_E; |
13803 | 0 | } |
13804 | | |
13805 | 0 | return 0; |
13806 | 0 | } |
13807 | | |
13808 | | /* Handle a type of handshake message that has been received. |
13809 | | * |
13810 | | * ssl The SSL/TLS object. |
13811 | | * input The message buffer. |
13812 | | * inOutIdx On entry, the index into the buffer of the current message. |
13813 | | * On exit, the index into the buffer of the next message. |
13814 | | * size The length of the current handshake message. |
13815 | | * totalSz Length of remaining data in the message buffer. |
13816 | | * returns 0 on success and otherwise failure. |
13817 | | */ |
13818 | | int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, |
13819 | | byte type, word32 size, word32 totalSz) |
13820 | 0 | { |
13821 | 0 | int ret = 0, tmp; |
13822 | 0 | word32 inIdx = *inOutIdx; |
13823 | 0 | int alertType; |
13824 | | #if defined(HAVE_ECH) && !defined(NO_WOLFSSL_SERVER) |
13825 | | TLSX* echX = NULL; |
13826 | | word32 echInOutIdx; |
13827 | | #endif |
13828 | |
|
13829 | 0 | (void)totalSz; |
13830 | |
|
13831 | 0 | WOLFSSL_ENTER("DoTls13HandShakeMsgType"); |
13832 | | |
13833 | | /* make sure we can read the message */ |
13834 | 0 | if (*inOutIdx + size > totalSz) |
13835 | 0 | return INCOMPLETE_DATA; |
13836 | | |
13837 | | /* sanity check msg received */ |
13838 | 0 | if ((ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) { |
13839 | 0 | WOLFSSL_MSG("Sanity Check on handshake message type received failed"); |
13840 | 0 | if (ret == WC_NO_ERR_TRACE(VERSION_ERROR)) |
13841 | 0 | SendAlert(ssl, alert_fatal, wolfssl_alert_protocol_version); |
13842 | 0 | else |
13843 | 0 | SendAlert(ssl, alert_fatal, unexpected_message); |
13844 | 0 | return ret; |
13845 | 0 | } |
13846 | | |
13847 | | #if defined(WOLFSSL_CALLBACKS) |
13848 | | /* add name later, add on record and handshake header part back on */ |
13849 | | if (ssl->toInfoOn) { |
13850 | | ret = AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - |
13851 | | HANDSHAKE_HEADER_SZ, size + HANDSHAKE_HEADER_SZ, READ_PROTO, |
13852 | | RECORD_HEADER_SZ, ssl->heap); |
13853 | | if (ret != 0) |
13854 | | return ret; |
13855 | | AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo); |
13856 | | } |
13857 | | #endif |
13858 | | |
13859 | 0 | if (ssl->options.handShakeState == HANDSHAKE_DONE && |
13860 | 0 | type != session_ticket && type != certificate_request && |
13861 | 0 | type != certificate && type != key_update && type != finished |
13862 | | #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS_CID) |
13863 | | && type != request_connection_id && type != new_connection_id |
13864 | | #endif |
13865 | 0 | ) { |
13866 | 0 | WOLFSSL_MSG("HandShake message after handshake complete"); |
13867 | 0 | SendAlert(ssl, alert_fatal, unexpected_message); |
13868 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13869 | 0 | return OUT_OF_ORDER_E; |
13870 | 0 | } |
13871 | | |
13872 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END && |
13873 | 0 | ssl->options.serverState == NULL_STATE && |
13874 | 0 | type != server_hello && type != hello_retry_request |
13875 | | #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12) |
13876 | | && (!ssl->options.dtls || type != hello_verify_request) |
13877 | | #endif /* defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12) */ |
13878 | 0 | ) { |
13879 | 0 | WOLFSSL_MSG("First server message not server hello"); |
13880 | 0 | SendAlert(ssl, alert_fatal, unexpected_message); |
13881 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13882 | 0 | return OUT_OF_ORDER_E; |
13883 | 0 | } |
13884 | | |
13885 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END && |
13886 | 0 | ssl->options.clientState == NULL_STATE && type != client_hello) { |
13887 | 0 | WOLFSSL_MSG("First client message not client hello"); |
13888 | 0 | SendAlert(ssl, alert_fatal, unexpected_message); |
13889 | 0 | WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E); |
13890 | 0 | return OUT_OF_ORDER_E; |
13891 | 0 | } |
13892 | | |
13893 | | /* above checks handshake state */ |
13894 | 0 | switch (type) { |
13895 | 0 | #ifndef NO_WOLFSSL_CLIENT |
13896 | | /* Messages only received by client. */ |
13897 | 0 | case server_hello: |
13898 | 0 | WOLFSSL_MSG("processing server hello"); |
13899 | 0 | ret = DoTls13ServerHello(ssl, input, inOutIdx, size, &type); |
13900 | | #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \ |
13901 | | ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \ |
13902 | | (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH))) |
13903 | | if (ssl->options.resuming || !IsAtLeastTLSv1_2(ssl) || |
13904 | | IsAtLeastTLSv1_3(ssl->version)) { |
13905 | | ssl->options.cacheMessages = 0; |
13906 | | if ((ssl->hsHashes != NULL) && (ssl->hsHashes->messages != NULL)) { |
13907 | | ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length); |
13908 | | XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES); |
13909 | | ssl->hsHashes->messages = NULL; |
13910 | | } |
13911 | | } |
13912 | | #endif |
13913 | 0 | break; |
13914 | | |
13915 | 0 | case encrypted_extensions: |
13916 | 0 | WOLFSSL_MSG("processing encrypted extensions"); |
13917 | 0 | ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size); |
13918 | 0 | break; |
13919 | | |
13920 | 0 | #ifndef NO_CERTS |
13921 | 0 | case certificate_request: |
13922 | 0 | WOLFSSL_MSG("processing certificate request"); |
13923 | 0 | ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size); |
13924 | 0 | break; |
13925 | 0 | #endif |
13926 | | |
13927 | 0 | case session_ticket: |
13928 | 0 | WOLFSSL_MSG("processing new session ticket"); |
13929 | 0 | ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size); |
13930 | 0 | break; |
13931 | 0 | #endif /* !NO_WOLFSSL_CLIENT */ |
13932 | | |
13933 | 0 | #ifndef NO_WOLFSSL_SERVER |
13934 | | /* Messages only received by server. */ |
13935 | 0 | case client_hello: |
13936 | 0 | WOLFSSL_MSG("processing client hello"); |
13937 | | #if defined(HAVE_ECH) |
13938 | | /* keep the start idx so we can restore it for the inner call */ |
13939 | | echInOutIdx = *inOutIdx; |
13940 | | #endif |
13941 | 0 | ret = DoTls13ClientHello(ssl, input, inOutIdx, size); |
13942 | | #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \ |
13943 | | ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \ |
13944 | | (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH))) |
13945 | | if ((ssl->options.resuming || !ssl->options.verifyPeer || |
13946 | | !IsAtLeastTLSv1_2(ssl) || IsAtLeastTLSv1_3(ssl->version)) |
13947 | | #ifdef WOLFSSL_DTLS13 |
13948 | | && (!ssl->options.dtls) |
13949 | | #endif |
13950 | | ) { |
13951 | | #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) |
13952 | | if (ret != WC_NO_ERR_TRACE(WC_PENDING_E) && |
13953 | | ret != WC_NO_ERR_TRACE(OCSP_WANT_READ)) |
13954 | | #endif |
13955 | | { |
13956 | | ssl->options.cacheMessages = 0; |
13957 | | if ((ssl->hsHashes != NULL) && |
13958 | | (ssl->hsHashes->messages != NULL)) { |
13959 | | ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length); |
13960 | | XFREE(ssl->hsHashes->messages, ssl->heap, |
13961 | | DYNAMIC_TYPE_HASHES); |
13962 | | ssl->hsHashes->messages = NULL; |
13963 | | } |
13964 | | } |
13965 | | } |
13966 | | #endif |
13967 | | #if defined(HAVE_ECH) |
13968 | | if (ret == 0) { |
13969 | | echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
13970 | | |
13971 | | if (echX != NULL && |
13972 | | ((WOLFSSL_ECH*)echX->data)->state == ECH_WRITE_NONE && |
13973 | | ((WOLFSSL_ECH*)echX->data)->innerClientHello != NULL) { |
13974 | | byte copyRandom = ((WOLFSSL_ECH*)echX->data)->innerCount == 0; |
13975 | | /* reset the inOutIdx to the outer start */ |
13976 | | *inOutIdx = echInOutIdx; |
13977 | | /* call again with the inner hello */ |
13978 | | if (ret == 0) { |
13979 | | ssl->options.echProcessingInner = 1; |
13980 | | ret = DoTls13ClientHello(ssl, |
13981 | | ((WOLFSSL_ECH*)echX->data)->innerClientHello, |
13982 | | &echInOutIdx, |
13983 | | ((WOLFSSL_ECH*)echX->data)->innerClientHelloLen); |
13984 | | ssl->options.echProcessingInner = 0; |
13985 | | } |
13986 | | if (ret == 0 && ((WOLFSSL_ECH*)echX->data)->state != |
13987 | | ECH_PARSED_INTERNAL) { |
13988 | | WOLFSSL_MSG("ECH: inner ClientHello missing ECH extension"); |
13989 | | ret = INVALID_PARAMETER; |
13990 | | } |
13991 | | /* if the inner ech parsed successfully we have successfully |
13992 | | * handled the hello and can skip the whole message */ |
13993 | | if (ret == 0) { |
13994 | | /* Copy inner client random for ECH acceptance calculation. |
13995 | | * Only on first inner ClientHello (before HRR), not CH2. */ |
13996 | | if (copyRandom) { |
13997 | | XMEMCPY(ssl->arrays->clientRandomInner, |
13998 | | ssl->arrays->clientRandom, RAN_LEN); |
13999 | | } |
14000 | | *inOutIdx += size; |
14001 | | } |
14002 | | } |
14003 | | } |
14004 | | #endif /* HAVE_ECH */ |
14005 | 0 | break; |
14006 | | |
14007 | | #ifdef WOLFSSL_EARLY_DATA |
14008 | | case end_of_early_data: |
14009 | | WOLFSSL_MSG("processing end of early data"); |
14010 | | ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size); |
14011 | | break; |
14012 | | #endif |
14013 | 0 | #endif /* !NO_WOLFSSL_SERVER */ |
14014 | | |
14015 | | /* Messages received by both client and server. */ |
14016 | 0 | #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \ |
14017 | 0 | !defined(WOLFSSL_NO_CLIENT_AUTH)) |
14018 | 0 | case certificate: |
14019 | 0 | WOLFSSL_MSG("processing certificate"); |
14020 | 0 | ret = DoTls13Certificate(ssl, input, inOutIdx, size); |
14021 | 0 | break; |
14022 | 0 | #endif |
14023 | | |
14024 | 0 | #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \ |
14025 | 0 | defined(HAVE_ED448) || defined(HAVE_FALCON) || \ |
14026 | 0 | defined(WOLFSSL_HAVE_MLDSA)) && !defined(NO_CERTS) |
14027 | 0 | case certificate_verify: |
14028 | 0 | WOLFSSL_MSG("processing certificate verify"); |
14029 | 0 | ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size); |
14030 | 0 | break; |
14031 | 0 | #endif |
14032 | 0 | case finished: |
14033 | 0 | WOLFSSL_MSG("processing finished"); |
14034 | 0 | ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF); |
14035 | 0 | break; |
14036 | | |
14037 | 0 | case key_update: |
14038 | 0 | WOLFSSL_MSG("processing key update"); |
14039 | 0 | ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size); |
14040 | 0 | break; |
14041 | | |
14042 | | #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS_CID) |
14043 | | case request_connection_id: |
14044 | | WOLFSSL_MSG("processing request connection id"); |
14045 | | ret = DoDtls13RequestConnectionId(ssl, input, inOutIdx, size); |
14046 | | break; |
14047 | | |
14048 | | case new_connection_id: |
14049 | | WOLFSSL_MSG("processing new connection id"); |
14050 | | ret = DoDtls13NewConnectionId(ssl, input, inOutIdx, size); |
14051 | | break; |
14052 | | #endif /* WOLFSSL_DTLS13 && WOLFSSL_DTLS_CID */ |
14053 | | |
14054 | | #if defined(WOLFSSL_DTLS13) && !defined(WOLFSSL_NO_TLS12) && \ |
14055 | | !defined(NO_WOLFSSL_CLIENT) |
14056 | | case hello_verify_request: |
14057 | | WOLFSSL_MSG("processing hello verify request"); |
14058 | | ret = DoHelloVerifyRequest(ssl, input, inOutIdx, size); |
14059 | | break; |
14060 | | #endif |
14061 | 0 | default: |
14062 | 0 | WOLFSSL_MSG("Unknown handshake message type"); |
14063 | 0 | ret = UNKNOWN_HANDSHAKE_TYPE; |
14064 | 0 | break; |
14065 | 0 | } |
14066 | | |
14067 | 0 | #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_ASYNC_IO) |
14068 | | /* if async, offset index so this msg will be processed again */ |
14069 | | /* NOTE: check this now before other calls can overwrite ret */ |
14070 | 0 | if ((ret == WC_NO_ERR_TRACE(WC_PENDING_E) || |
14071 | 0 | ret == WC_NO_ERR_TRACE(OCSP_WANT_READ)) && *inOutIdx > 0) { |
14072 | | /* DTLS always stores a message in a buffer when async is enable, so we |
14073 | | * don't need to adjust for the extra bytes here (*inOutIdx is always |
14074 | | * == 0) */ |
14075 | 0 | *inOutIdx -= HANDSHAKE_HEADER_SZ; |
14076 | 0 | } |
14077 | | |
14078 | | /* make sure async error is cleared */ |
14079 | 0 | if (ret == 0 && |
14080 | 0 | (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E) || |
14081 | 0 | ssl->error == WC_NO_ERR_TRACE(OCSP_WANT_READ))) { |
14082 | 0 | ssl->error = 0; |
14083 | 0 | } |
14084 | 0 | #endif |
14085 | 0 | if (ret == 0 && type != client_hello && type != session_ticket && |
14086 | 0 | type != key_update |
14087 | | #if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_DTLS_CID) |
14088 | | && type != request_connection_id && type != new_connection_id |
14089 | | #endif |
14090 | 0 | ) { |
14091 | 0 | ret = HashInput(ssl, input + inIdx, (int)size); |
14092 | 0 | } |
14093 | |
|
14094 | 0 | alertType = TranslateErrorToAlert(ret); |
14095 | |
|
14096 | 0 | if (alertType != invalid_alert) { |
14097 | | #ifdef WOLFSSL_DTLS13 |
14098 | | if (type == client_hello && ssl->options.dtls) |
14099 | | DtlsSetSeqNumForReply(ssl); |
14100 | | #endif |
14101 | 0 | tmp = SendAlert(ssl, alert_fatal, alertType); |
14102 | | /* propagate socket error instead of tls error to be sure the error is |
14103 | | * not ignored by DTLS code */ |
14104 | 0 | if (tmp == WC_NO_ERR_TRACE(SOCKET_ERROR_E)) |
14105 | 0 | ret = SOCKET_ERROR_E; |
14106 | 0 | } |
14107 | |
|
14108 | 0 | if (ret == 0 && ssl->options.tls1_3) { |
14109 | | /* Need to hash input message before deriving secrets. */ |
14110 | 0 | #ifndef NO_WOLFSSL_CLIENT |
14111 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
14112 | 0 | if (type == server_hello) { |
14113 | 0 | if ((ret = DeriveEarlySecret(ssl)) != 0) |
14114 | 0 | return ret; |
14115 | 0 | if ((ret = DeriveHandshakeSecret(ssl)) != 0) |
14116 | 0 | return ret; |
14117 | | |
14118 | 0 | if ((ret = DeriveTls13Keys(ssl, handshake_key, |
14119 | 0 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) { |
14120 | 0 | return ret; |
14121 | 0 | } |
14122 | | #ifdef WOLFSSL_EARLY_DATA |
14123 | | if (ssl->earlyData != no_early_data) { |
14124 | | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
14125 | | return ret; |
14126 | | } |
14127 | | else |
14128 | | #endif |
14129 | 0 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0) |
14130 | 0 | return ret; |
14131 | |
|
14132 | | #ifdef WOLFSSL_DTLS13 |
14133 | | if (ssl->options.dtls) { |
14134 | | w64wrapper epochHandshake; |
14135 | | epochHandshake = w64From32(0, DTLS13_EPOCH_HANDSHAKE); |
14136 | | ssl->dtls13Epoch = epochHandshake; |
14137 | | ssl->dtls13PeerEpoch = epochHandshake; |
14138 | | |
14139 | | ret = Dtls13SetEpochKeys( |
14140 | | ssl, epochHandshake, ENCRYPT_AND_DECRYPT_SIDE); |
14141 | | if (ret != 0) |
14142 | | return ret; |
14143 | | |
14144 | | } |
14145 | | #endif /* WOLFSSL_DTLS13 */ |
14146 | 0 | } |
14147 | | |
14148 | 0 | if (type == finished) { |
14149 | 0 | if ((ret = DeriveMasterSecret(ssl)) != 0) |
14150 | 0 | return ret; |
14151 | | /* Last use of preMasterSecret - zeroize as soon as possible. */ |
14152 | 0 | ForceZero(ssl->arrays->preMasterSecret, |
14153 | 0 | ssl->arrays->preMasterSz); |
14154 | | #ifdef WOLFSSL_EARLY_DATA |
14155 | | #ifdef WOLFSSL_QUIC |
14156 | | if (WOLFSSL_IS_QUIC(ssl) && ssl->earlyData != no_early_data) { |
14157 | | /* QUIC never sends/receives EndOfEarlyData, but having |
14158 | | * early data means the last encryption keys had not been |
14159 | | * set yet. */ |
14160 | | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) |
14161 | | return ret; |
14162 | | } |
14163 | | #endif |
14164 | | if ((ret = DeriveTls13Keys(ssl, traffic_key, |
14165 | | ENCRYPT_AND_DECRYPT_SIDE, |
14166 | | ssl->earlyData == no_early_data)) != 0) { |
14167 | | return ret; |
14168 | | } |
14169 | | if (ssl->earlyData != no_early_data) { |
14170 | | if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, |
14171 | | 1)) != 0) { |
14172 | | return ret; |
14173 | | } |
14174 | | } |
14175 | | #else |
14176 | 0 | if ((ret = DeriveTls13Keys(ssl, traffic_key, |
14177 | 0 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) { |
14178 | 0 | return ret; |
14179 | 0 | } |
14180 | 0 | #endif |
14181 | | /* Setup keys for application data messages. */ |
14182 | 0 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0) |
14183 | 0 | return ret; |
14184 | 0 | } |
14185 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
14186 | | if (type == certificate_request && |
14187 | | ssl->options.handShakeState == HANDSHAKE_DONE) { |
14188 | | #if defined(HAVE_WRITE_DUP) |
14189 | | /* Read side cannot write; delegate the cert response to the |
14190 | | * write side by saving auth state in the shared WriteDup. */ |
14191 | | if (ssl->dupSide == READ_DUP_SIDE) { |
14192 | | if (ssl->dupWrite == NULL) |
14193 | | return BAD_STATE_E; |
14194 | | if (wc_LockMutex(&ssl->dupWrite->dupMutex) != 0) |
14195 | | return BAD_MUTEX_E; |
14196 | | /* Copy the current transcript so the write side can |
14197 | | * compute the correct Finished MAC. */ |
14198 | | ret = InitHandshakeHashesAndCopy(ssl, ssl->hsHashes, |
14199 | | &ssl->dupWrite->postHandshakeHashState); |
14200 | | if (ret == 0) { |
14201 | | /* Copy the cert request context. */ |
14202 | | CertReqCtx** tail = &ssl->certReqCtx; |
14203 | | while (*tail != NULL) |
14204 | | tail = &(*tail)->next; |
14205 | | *tail = ssl->dupWrite->postHandshakeCertReqCtx; |
14206 | | ssl->dupWrite->postHandshakeCertReqCtx = ssl->certReqCtx; |
14207 | | ssl->certReqCtx = NULL; |
14208 | | ssl->dupWrite->postHandshakeSendVerify = |
14209 | | ssl->options.sendVerify; |
14210 | | ssl->dupWrite->postHandshakeSigAlgo = |
14211 | | ssl->options.sigAlgo; |
14212 | | ssl->dupWrite->postHandshakeHashAlgo = |
14213 | | ssl->options.hashAlgo; |
14214 | | ssl->dupWrite->postHandshakeAuthPending = 1; |
14215 | | } |
14216 | | wc_UnLockMutex(&ssl->dupWrite->dupMutex); |
14217 | | /* Leave ssl->options unchanged: read side must not reset |
14218 | | * its states or call wolfSSL_connect_TLSv13. */ |
14219 | | } |
14220 | | else |
14221 | | #endif /* HAVE_WRITE_DUP */ |
14222 | | { |
14223 | | /* reset handshake states */ |
14224 | | ssl->options.clientState = CLIENT_HELLO_COMPLETE; |
14225 | | ssl->options.connectState = FIRST_REPLY_DONE; |
14226 | | ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; |
14227 | | ssl->options.processReply = 0; /* doProcessInit */ |
14228 | | |
14229 | | /* |
14230 | | DTLSv1.3 note: We can't reset serverState to |
14231 | | SERVER_FINISHED_COMPLETE with the goal that this connect |
14232 | | blocks until the cert/cert_verify/finished flight gets ACKed |
14233 | | by the server. The problem is that we will invoke |
14234 | | ProcessReplyEx() in that case, but we came here from |
14235 | | ProcessReplyEx() and it is not re-entrant safe (the input |
14236 | | buffer would still have the certificate_request message). */ |
14237 | | |
14238 | | if (wolfSSL_connect_TLSv13(ssl) != WOLFSSL_SUCCESS) { |
14239 | | ret = ssl->error; |
14240 | | if (ret != WC_NO_ERR_TRACE(WC_PENDING_E)) |
14241 | | ret = POST_HAND_AUTH_ERROR; |
14242 | | } |
14243 | | } |
14244 | | } |
14245 | | #endif |
14246 | 0 | } |
14247 | 0 | #endif /* NO_WOLFSSL_CLIENT */ |
14248 | |
|
14249 | 0 | #ifndef NO_WOLFSSL_SERVER |
14250 | | #if defined(HAVE_SESSION_TICKET) |
14251 | | if (ssl->options.side == WOLFSSL_SERVER_END && type == finished) { |
14252 | | ret = DeriveResumptionSecret(ssl, ssl->session->masterSecret); |
14253 | | if (ret != 0) |
14254 | | return ret; |
14255 | | } |
14256 | | #endif |
14257 | 0 | #endif /* NO_WOLFSSL_SERVER */ |
14258 | 0 | } |
14259 | | |
14260 | | #ifdef WOLFSSL_DTLS13 |
14261 | | if (ssl->options.dtls && !ssl->options.dtlsStateful) { |
14262 | | DtlsResetState(ssl); |
14263 | | if (DtlsIgnoreError(ret)) |
14264 | | ret = 0; |
14265 | | } |
14266 | | #endif |
14267 | | |
14268 | 0 | WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret); |
14269 | 0 | return ret; |
14270 | 0 | } |
14271 | | |
14272 | | |
14273 | | /* Handle a handshake message that has been received. |
14274 | | * |
14275 | | * ssl The SSL/TLS object. |
14276 | | * input The message buffer. |
14277 | | * inOutIdx On entry, the index into the buffer of the current message. |
14278 | | * On exit, the index into the buffer of the next message. |
14279 | | * totalSz Length of remaining data in the message buffer. |
14280 | | * returns 0 on success and otherwise failure. |
14281 | | */ |
14282 | | int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx, |
14283 | | word32 totalSz) |
14284 | 0 | { |
14285 | 0 | int ret = 0; |
14286 | 0 | word32 inputLength; |
14287 | 0 | byte type; |
14288 | 0 | word32 size = 0; |
14289 | |
|
14290 | 0 | WOLFSSL_ENTER("DoTls13HandShakeMsg"); |
14291 | | |
14292 | | /* totalSz is now curStartIdx + curSize (content-only, padSz already |
14293 | | * subtracted in ProcessReply). */ |
14294 | 0 | if (*inOutIdx > totalSz) |
14295 | 0 | return BUFFER_ERROR; |
14296 | 0 | inputLength = totalSz - *inOutIdx; |
14297 | | |
14298 | | /* If there is a pending fragmented handshake message, |
14299 | | * pending message size will be non-zero. */ |
14300 | 0 | if (ssl->pendingMsgSz == 0) { |
14301 | |
|
14302 | 0 | if (GetHandshakeHeader(ssl, input, inOutIdx, &type, &size, |
14303 | 0 | totalSz) != 0) { |
14304 | 0 | WOLFSSL_ERROR_VERBOSE(PARSE_ERROR); |
14305 | 0 | return PARSE_ERROR; |
14306 | 0 | } |
14307 | | |
14308 | 0 | ret = EarlySanityCheckMsgReceived(ssl, type, |
14309 | 0 | (inputLength > HANDSHAKE_HEADER_SZ) ? |
14310 | 0 | min(inputLength - HANDSHAKE_HEADER_SZ, size) : 0); |
14311 | 0 | if (ret != 0) { |
14312 | 0 | WOLFSSL_ERROR(ret); |
14313 | 0 | return ret; |
14314 | 0 | } |
14315 | | |
14316 | | /* Cap the maximum size of a handshake message to something reasonable. |
14317 | | * By default is the maximum size of a certificate message assuming |
14318 | | * nine 2048-bit RSA certificates in the chain. */ |
14319 | 0 | if (size > MAX_HANDSHAKE_SZ) { |
14320 | 0 | WOLFSSL_MSG("Handshake message too large"); |
14321 | 0 | WOLFSSL_ERROR_VERBOSE(HANDSHAKE_SIZE_ERROR); |
14322 | 0 | return HANDSHAKE_SIZE_ERROR; |
14323 | 0 | } |
14324 | | |
14325 | | /* size is the size of the certificate message payload */ |
14326 | 0 | if (inputLength - HANDSHAKE_HEADER_SZ < size) { |
14327 | | /* Commit pending state only after the allocation succeeds. */ |
14328 | 0 | ssl->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ, |
14329 | 0 | ssl->heap, DYNAMIC_TYPE_ARRAYS); |
14330 | 0 | if (ssl->pendingMsg == NULL) |
14331 | 0 | return MEMORY_E; |
14332 | 0 | ssl->pendingMsgType = type; |
14333 | 0 | ssl->pendingMsgSz = size + HANDSHAKE_HEADER_SZ; |
14334 | 0 | XMEMCPY(ssl->pendingMsg, |
14335 | 0 | input + *inOutIdx - HANDSHAKE_HEADER_SZ, |
14336 | 0 | inputLength); |
14337 | 0 | ssl->pendingMsgOffset = inputLength; |
14338 | 0 | *inOutIdx += inputLength - HANDSHAKE_HEADER_SZ; |
14339 | 0 | return 0; |
14340 | 0 | } |
14341 | | |
14342 | 0 | ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size, |
14343 | 0 | totalSz); |
14344 | 0 | } |
14345 | 0 | else { |
14346 | 0 | if (inputLength + ssl->pendingMsgOffset > ssl->pendingMsgSz) { |
14347 | 0 | inputLength = ssl->pendingMsgSz - ssl->pendingMsgOffset; |
14348 | 0 | } |
14349 | |
|
14350 | 0 | ret = EarlySanityCheckMsgReceived(ssl, ssl->pendingMsgType, |
14351 | 0 | inputLength); |
14352 | 0 | if (ret != 0) { |
14353 | 0 | WOLFSSL_ERROR(ret); |
14354 | 0 | return ret; |
14355 | 0 | } |
14356 | | |
14357 | 0 | XMEMCPY(ssl->pendingMsg + ssl->pendingMsgOffset, |
14358 | 0 | input + *inOutIdx, inputLength); |
14359 | 0 | ssl->pendingMsgOffset += inputLength; |
14360 | 0 | *inOutIdx += inputLength; |
14361 | |
|
14362 | 0 | if (ssl->pendingMsgOffset == ssl->pendingMsgSz) |
14363 | 0 | { |
14364 | 0 | word32 idx = 0; |
14365 | 0 | ret = DoTls13HandShakeMsgType(ssl, |
14366 | 0 | ssl->pendingMsg + HANDSHAKE_HEADER_SZ, |
14367 | 0 | &idx, ssl->pendingMsgType, |
14368 | 0 | ssl->pendingMsgSz - HANDSHAKE_HEADER_SZ, |
14369 | 0 | ssl->pendingMsgSz); |
14370 | | #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) |
14371 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E) || |
14372 | | ret == WC_NO_ERR_TRACE(OCSP_WANT_READ)) { |
14373 | | /* setup to process fragment again */ |
14374 | | ssl->pendingMsgOffset -= inputLength; |
14375 | | *inOutIdx -= inputLength; |
14376 | | } |
14377 | | else |
14378 | | #endif |
14379 | 0 | { |
14380 | 0 | XFREE(ssl->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS); |
14381 | 0 | ssl->pendingMsg = NULL; |
14382 | 0 | ssl->pendingMsgSz = 0; |
14383 | 0 | } |
14384 | 0 | } |
14385 | 0 | } |
14386 | | |
14387 | 0 | WOLFSSL_LEAVE("DoTls13HandShakeMsg", ret); |
14388 | 0 | return ret; |
14389 | 0 | } |
14390 | | |
14391 | | #ifndef NO_WOLFSSL_CLIENT |
14392 | | |
14393 | | /* The client connecting to the server. |
14394 | | * The protocol version is expecting to be TLS v1.3. |
14395 | | * If the server downgrades, and older versions of the protocol are compiled |
14396 | | * in, the client will fallback to wolfSSL_connect(). |
14397 | | * Please see note at top of README if you get an error from connect. |
14398 | | * |
14399 | | * ssl The SSL/TLS object. |
14400 | | * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when |
14401 | | * unrecoverable error occurs and 0 otherwise. |
14402 | | * For more error information use wolfSSL_get_error(). |
14403 | | */ |
14404 | | int wolfSSL_connect_TLSv13(WOLFSSL* ssl) |
14405 | 0 | { |
14406 | 0 | int advanceState; |
14407 | 0 | int ret = 0; |
14408 | |
|
14409 | 0 | WOLFSSL_ENTER("wolfSSL_connect_TLSv13"); |
14410 | |
|
14411 | 0 | #ifdef HAVE_ERRNO_H |
14412 | 0 | errno = 0; |
14413 | 0 | #endif |
14414 | |
|
14415 | 0 | if (ssl == NULL) |
14416 | 0 | return BAD_FUNC_ARG; |
14417 | | |
14418 | 0 | if (ssl->options.side != WOLFSSL_CLIENT_END) { |
14419 | 0 | ssl->error = SIDE_ERROR; |
14420 | 0 | WOLFSSL_ERROR(ssl->error); |
14421 | 0 | return WOLFSSL_FATAL_ERROR; |
14422 | 0 | } |
14423 | | |
14424 | | /* make sure this wolfSSL object has arrays and rng setup. Protects |
14425 | | * case where the WOLFSSL object is reused via wolfSSL_clear() */ |
14426 | 0 | if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) { |
14427 | 0 | return ret; |
14428 | 0 | } |
14429 | | |
14430 | | #ifdef WOLFSSL_DTLS |
14431 | | if (ssl->version.major == DTLS_MAJOR) { |
14432 | | ssl->options.dtls = 1; |
14433 | | ssl->options.dtlsStateful = 1; |
14434 | | } |
14435 | | #endif |
14436 | | |
14437 | | #ifdef WOLFSSL_WOLFSENTRY_HOOKS |
14438 | | if ((ssl->ConnectFilter != NULL) && |
14439 | | (ssl->options.connectState == CONNECT_BEGIN)) |
14440 | | { |
14441 | | wolfSSL_netfilter_decision_t res; |
14442 | | if ((ssl->ConnectFilter(ssl, ssl->ConnectFilter_arg, &res) == |
14443 | | WOLFSSL_SUCCESS) && |
14444 | | (res == WOLFSSL_NETFILTER_REJECT)) { |
14445 | | ssl->error = SOCKET_FILTERED_E; |
14446 | | WOLFSSL_ERROR(ssl->error); |
14447 | | return WOLFSSL_FATAL_ERROR; |
14448 | | } |
14449 | | } |
14450 | | #endif /* WOLFSSL_WOLFSENTRY_HOOKS */ |
14451 | | |
14452 | | /* fragOffset is non-zero when sending fragments. On the last |
14453 | | * fragment, fragOffset is zero again, and the state can be |
14454 | | * advanced. Also, only advance from states in which we send data */ |
14455 | 0 | advanceState = (ssl->options.connectState == CONNECT_BEGIN || |
14456 | 0 | ssl->options.connectState == HELLO_AGAIN || |
14457 | 0 | (ssl->options.connectState >= FIRST_REPLY_DONE && |
14458 | 0 | ssl->options.connectState <= FIRST_REPLY_FOURTH)); |
14459 | |
|
14460 | | #ifdef WOLFSSL_DTLS13 |
14461 | | if (ssl->options.dtls) |
14462 | | advanceState = advanceState && !ssl->dtls13SendingFragments |
14463 | | && !ssl->dtls13SendingAckOrRtx; |
14464 | | #endif /* WOLFSSL_DTLS13 */ |
14465 | |
|
14466 | 0 | if (ssl->buffers.outputBuffer.length > 0 |
14467 | | #ifdef WOLFSSL_ASYNC_CRYPT |
14468 | | /* do not send buffered or advance state if last error was an |
14469 | | async pending operation */ |
14470 | | && ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E) |
14471 | | #endif |
14472 | 0 | ) { |
14473 | 0 | if ((ret = SendBuffered(ssl)) == 0) { |
14474 | 0 | if (ssl->fragOffset == 0 && !ssl->options.buildingMsg) { |
14475 | 0 | if (advanceState) { |
14476 | | #ifdef WOLFSSL_DTLS13 |
14477 | | if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version) && |
14478 | | ssl->options.connectState == FIRST_REPLY_FOURTH) { |
14479 | | /* WAIT_FINISHED_ACK is a state added afterwards, but it |
14480 | | can't follow FIRST_REPLY_FOURTH in the enum order. Indeed |
14481 | | the value of the enum ConnectState is stored in |
14482 | | serialized session. This would make importing serialized |
14483 | | session from other wolfSSL version incompatible */ |
14484 | | ssl->options.connectState = WAIT_FINISHED_ACK; |
14485 | | } |
14486 | | else |
14487 | | #endif /* WOLFSSL_DTLS13 */ |
14488 | 0 | { |
14489 | 0 | ssl->options.connectState++; |
14490 | 0 | } |
14491 | 0 | WOLFSSL_MSG("connect state: " |
14492 | 0 | "Advanced from last buffered fragment send"); |
14493 | 0 | #ifdef WOLFSSL_ASYNC_IO |
14494 | 0 | FreeAsyncCtx(ssl, 0); |
14495 | 0 | #endif |
14496 | |
|
14497 | 0 | } |
14498 | 0 | } |
14499 | 0 | else { |
14500 | 0 | WOLFSSL_MSG("connect state: " |
14501 | 0 | "Not advanced, more fragments to send"); |
14502 | 0 | } |
14503 | | #ifdef WOLFSSL_DTLS13 |
14504 | | if (ssl->options.dtls) |
14505 | | ssl->dtls13SendingAckOrRtx = 0; |
14506 | | #endif /* WOLFSSL_DTLS13 */ |
14507 | |
|
14508 | 0 | } |
14509 | 0 | else { |
14510 | 0 | ssl->error = ret; |
14511 | 0 | WOLFSSL_ERROR(ssl->error); |
14512 | 0 | return WOLFSSL_FATAL_ERROR; |
14513 | 0 | } |
14514 | 0 | } |
14515 | | |
14516 | 0 | ret = RetrySendAlert(ssl); |
14517 | 0 | if (ret != 0) { |
14518 | 0 | ssl->error = ret; |
14519 | 0 | WOLFSSL_ERROR(ssl->error); |
14520 | 0 | return WOLFSSL_FATAL_ERROR; |
14521 | 0 | } |
14522 | | |
14523 | | #ifdef WOLFSSL_DTLS13 |
14524 | | if (ssl->options.dtls && ssl->dtls13SendingFragments) { |
14525 | | if ((ssl->error = Dtls13FragmentsContinue(ssl)) != 0) { |
14526 | | WOLFSSL_ERROR(ssl->error); |
14527 | | return WOLFSSL_FATAL_ERROR; |
14528 | | } |
14529 | | |
14530 | | /* we sent all the fragments. Advance state. */ |
14531 | | ssl->options.connectState++; |
14532 | | } |
14533 | | #endif /* WOLFSSL_DTLS13 */ |
14534 | | |
14535 | 0 | switch (ssl->options.connectState) { |
14536 | | |
14537 | 0 | case CONNECT_BEGIN: |
14538 | | /* Always send client hello first. */ |
14539 | 0 | if ((ssl->error = SendTls13ClientHello(ssl)) != 0) { |
14540 | 0 | WOLFSSL_ERROR(ssl->error); |
14541 | 0 | return WOLFSSL_FATAL_ERROR; |
14542 | 0 | } |
14543 | | |
14544 | 0 | ssl->options.connectState = CLIENT_HELLO_SENT; |
14545 | 0 | WOLFSSL_MSG("TLSv13 connect state: CLIENT_HELLO_SENT"); |
14546 | 0 | FALL_THROUGH; |
14547 | |
|
14548 | 0 | case CLIENT_HELLO_SENT: |
14549 | | #ifdef WOLFSSL_EARLY_DATA |
14550 | | if (ssl->earlyData != no_early_data && |
14551 | | ssl->options.handShakeState != CLIENT_HELLO_COMPLETE) { |
14552 | | #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
14553 | | if (!ssl->options.dtls && |
14554 | | ssl->options.tls13MiddleBoxCompat) { |
14555 | | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
14556 | | WOLFSSL_ERROR(ssl->error); |
14557 | | return WOLFSSL_FATAL_ERROR; |
14558 | | } |
14559 | | ssl->options.sentChangeCipher = 1; |
14560 | | } |
14561 | | #endif |
14562 | | ssl->options.handShakeState = CLIENT_HELLO_COMPLETE; |
14563 | | return WOLFSSL_SUCCESS; |
14564 | | } |
14565 | | #endif |
14566 | | /* Get the response/s from the server. */ |
14567 | 0 | while (ssl->options.serverState < |
14568 | 0 | SERVER_HELLOVERIFYREQUEST_COMPLETE) { |
14569 | 0 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
14570 | 0 | WOLFSSL_ERROR(ssl->error); |
14571 | 0 | return WOLFSSL_FATAL_ERROR; |
14572 | 0 | } |
14573 | |
|
14574 | | #ifdef WOLFSSL_DTLS13 |
14575 | | if (ssl->options.dtls) { |
14576 | | if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) { |
14577 | | WOLFSSL_ERROR(ssl->error); |
14578 | | return WOLFSSL_FATAL_ERROR; |
14579 | | } |
14580 | | } |
14581 | | #endif /* WOLFSSL_DTLS13 */ |
14582 | 0 | } |
14583 | | |
14584 | 0 | if (!ssl->options.tls1_3) { |
14585 | 0 | #ifndef WOLFSSL_NO_TLS12 |
14586 | 0 | if (ssl->options.downgrade) |
14587 | 0 | return wolfSSL_connect(ssl); |
14588 | 0 | #endif |
14589 | 0 | WOLFSSL_MSG("Client using higher version, fatal error"); |
14590 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
14591 | 0 | return VERSION_ERROR; |
14592 | 0 | } |
14593 | | |
14594 | 0 | ssl->options.connectState = HELLO_AGAIN; |
14595 | 0 | WOLFSSL_MSG("connect state: HELLO_AGAIN"); |
14596 | 0 | FALL_THROUGH; |
14597 | |
|
14598 | 0 | case HELLO_AGAIN: |
14599 | |
|
14600 | 0 | if (ssl->options.serverState == |
14601 | 0 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
14602 | | #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
14603 | | if (!ssl->options.dtls && !ssl->options.sentChangeCipher |
14604 | | && ssl->options.tls13MiddleBoxCompat) { |
14605 | | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
14606 | | WOLFSSL_ERROR(ssl->error); |
14607 | | return WOLFSSL_FATAL_ERROR; |
14608 | | } |
14609 | | ssl->options.sentChangeCipher = 1; |
14610 | | } |
14611 | | #endif |
14612 | | /* Try again with different security parameters. */ |
14613 | 0 | if ((ssl->error = SendTls13ClientHello(ssl)) != 0) { |
14614 | 0 | WOLFSSL_ERROR(ssl->error); |
14615 | 0 | return WOLFSSL_FATAL_ERROR; |
14616 | 0 | } |
14617 | 0 | } |
14618 | | |
14619 | 0 | ssl->options.connectState = HELLO_AGAIN_REPLY; |
14620 | 0 | WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY"); |
14621 | 0 | FALL_THROUGH; |
14622 | |
|
14623 | 0 | case HELLO_AGAIN_REPLY: |
14624 | | /* Get the response/s from the server. */ |
14625 | 0 | while (ssl->options.serverState < SERVER_FINISHED_COMPLETE) { |
14626 | | #ifdef WOLFSSL_DTLS13 |
14627 | | if (!IsAtLeastTLSv1_3(ssl->version)) { |
14628 | | #ifndef WOLFSSL_NO_TLS12 |
14629 | | if (ssl->options.downgrade) |
14630 | | return wolfSSL_connect(ssl); |
14631 | | #endif |
14632 | | } |
14633 | | #endif /* WOLFSSL_DTLS13 */ |
14634 | 0 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
14635 | 0 | WOLFSSL_ERROR(ssl->error); |
14636 | 0 | return WOLFSSL_FATAL_ERROR; |
14637 | 0 | } |
14638 | |
|
14639 | | #ifdef WOLFSSL_DTLS13 |
14640 | | if (ssl->options.dtls) { |
14641 | | if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) { |
14642 | | WOLFSSL_ERROR(ssl->error); |
14643 | | return WOLFSSL_FATAL_ERROR; |
14644 | | } |
14645 | | } |
14646 | | #endif /* WOLFSSL_DTLS13 */ |
14647 | 0 | } |
14648 | | |
14649 | 0 | ssl->options.connectState = FIRST_REPLY_DONE; |
14650 | 0 | WOLFSSL_MSG("connect state: FIRST_REPLY_DONE"); |
14651 | 0 | FALL_THROUGH; |
14652 | |
|
14653 | 0 | case FIRST_REPLY_DONE: |
14654 | 0 | if (ssl->options.certOnly) |
14655 | 0 | return WOLFSSL_SUCCESS; |
14656 | | #ifdef WOLFSSL_EARLY_DATA |
14657 | | if (!ssl->options.dtls && ssl->earlyData != no_early_data |
14658 | | && !WOLFSSL_IS_QUIC(ssl)) { |
14659 | | if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) { |
14660 | | WOLFSSL_ERROR(ssl->error); |
14661 | | return WOLFSSL_FATAL_ERROR; |
14662 | | } |
14663 | | WOLFSSL_MSG("sent: end_of_early_data"); |
14664 | | } |
14665 | | #endif |
14666 | | |
14667 | 0 | ssl->options.connectState = FIRST_REPLY_FIRST; |
14668 | 0 | WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST"); |
14669 | 0 | FALL_THROUGH; |
14670 | |
|
14671 | 0 | case FIRST_REPLY_FIRST: |
14672 | | #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
14673 | | if (!ssl->options.sentChangeCipher && !ssl->options.dtls |
14674 | | && ssl->options.tls13MiddleBoxCompat) { |
14675 | | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
14676 | | WOLFSSL_ERROR(ssl->error); |
14677 | | return WOLFSSL_FATAL_ERROR; |
14678 | | } |
14679 | | ssl->options.sentChangeCipher = 1; |
14680 | | } |
14681 | | #endif |
14682 | |
|
14683 | 0 | ssl->options.connectState = FIRST_REPLY_SECOND; |
14684 | 0 | WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND"); |
14685 | 0 | FALL_THROUGH; |
14686 | |
|
14687 | 0 | case FIRST_REPLY_SECOND: |
14688 | | /* CLIENT: check peer authentication. */ |
14689 | 0 | if (!ssl->options.peerAuthGood) { |
14690 | 0 | WOLFSSL_MSG("Server authentication did not happen"); |
14691 | 0 | WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR); |
14692 | 0 | return WOLFSSL_FATAL_ERROR; |
14693 | 0 | } |
14694 | 0 | #ifndef NO_CERTS |
14695 | 0 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
14696 | 0 | ssl->error = SendTls13Certificate(ssl); |
14697 | 0 | if (ssl->error != 0) { |
14698 | 0 | wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); |
14699 | 0 | WOLFSSL_ERROR(ssl->error); |
14700 | 0 | return WOLFSSL_FATAL_ERROR; |
14701 | 0 | } |
14702 | 0 | WOLFSSL_MSG("sent: certificate"); |
14703 | 0 | } |
14704 | 0 | #endif |
14705 | | |
14706 | 0 | ssl->options.connectState = FIRST_REPLY_THIRD; |
14707 | 0 | WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD"); |
14708 | 0 | FALL_THROUGH; |
14709 | |
|
14710 | 0 | case FIRST_REPLY_THIRD: |
14711 | 0 | #if (!defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \ |
14712 | 0 | defined(HAVE_ED25519) || defined(HAVE_ED448) || \ |
14713 | 0 | defined(HAVE_FALCON) || defined(WOLFSSL_HAVE_MLDSA))) && \ |
14714 | 0 | (!defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)) |
14715 | 0 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
14716 | 0 | ssl->error = SendTls13CertificateVerify(ssl); |
14717 | 0 | if (ssl->error != 0) { |
14718 | 0 | wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); |
14719 | 0 | WOLFSSL_ERROR(ssl->error); |
14720 | 0 | return WOLFSSL_FATAL_ERROR; |
14721 | 0 | } |
14722 | 0 | WOLFSSL_MSG("sent: certificate verify"); |
14723 | 0 | } |
14724 | 0 | #endif |
14725 | | |
14726 | 0 | ssl->options.connectState = FIRST_REPLY_FOURTH; |
14727 | 0 | WOLFSSL_MSG("connect state: FIRST_REPLY_FOURTH"); |
14728 | 0 | FALL_THROUGH; |
14729 | |
|
14730 | 0 | case FIRST_REPLY_FOURTH: |
14731 | 0 | if ((ssl->error = SendTls13Finished(ssl)) != 0) { |
14732 | 0 | wolfssl_local_MaybeCheckAlertOnErr(ssl, ssl->error); |
14733 | 0 | WOLFSSL_ERROR(ssl->error); |
14734 | 0 | return WOLFSSL_FATAL_ERROR; |
14735 | 0 | } |
14736 | 0 | WOLFSSL_MSG("sent: finished"); |
14737 | |
|
14738 | | #ifdef WOLFSSL_DTLS13 |
14739 | | ssl->options.connectState = WAIT_FINISHED_ACK; |
14740 | | WOLFSSL_MSG("connect state: WAIT_FINISHED_ACK"); |
14741 | | FALL_THROUGH; |
14742 | | |
14743 | | case WAIT_FINISHED_ACK: |
14744 | | if (ssl->options.dtls) { |
14745 | | while (ssl->options.serverState != SERVER_FINISHED_ACKED) { |
14746 | | if ((ssl->error = ProcessReply(ssl)) < 0) { |
14747 | | WOLFSSL_ERROR(ssl->error); |
14748 | | return WOLFSSL_FATAL_ERROR; |
14749 | | } |
14750 | | |
14751 | | if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) { |
14752 | | WOLFSSL_ERROR(ssl->error); |
14753 | | return WOLFSSL_FATAL_ERROR; |
14754 | | } |
14755 | | } |
14756 | | } |
14757 | | #endif /* WOLFSSL_DTLS13 */ |
14758 | 0 | ssl->options.connectState = FINISHED_DONE; |
14759 | 0 | WOLFSSL_MSG("connect state: FINISHED_DONE"); |
14760 | 0 | FALL_THROUGH; |
14761 | |
|
14762 | 0 | case FINISHED_DONE: |
14763 | 0 | #ifndef NO_HANDSHAKE_DONE_CB |
14764 | 0 | if (ssl->hsDoneCb != NULL) { |
14765 | 0 | int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx); |
14766 | 0 | if (cbret < 0) { |
14767 | 0 | ssl->error = cbret; |
14768 | 0 | WOLFSSL_ERROR_VERBOSE(ssl->error); |
14769 | 0 | WOLFSSL_MSG("HandShake Done Cb don't continue error"); |
14770 | 0 | return WOLFSSL_FATAL_ERROR; |
14771 | 0 | } |
14772 | 0 | } |
14773 | 0 | #endif /* NO_HANDSHAKE_DONE_CB */ |
14774 | | |
14775 | | #if defined(HAVE_ECH) |
14776 | | /* RFC 9849 s6.1.6: if we offered ECH but the server rejected it, |
14777 | | * send ech_required alert and abort before returning to the app */ |
14778 | | if (ssl->echConfigs != NULL && !ssl->options.disableECH && |
14779 | | !ssl->options.echAccepted) { |
14780 | | if (ssl->echRetryConfigs != NULL) { |
14781 | | ssl->options.echRetryConfigsAccepted = 1; |
14782 | | } |
14783 | | SendAlert(ssl, alert_fatal, ech_required); |
14784 | | ssl->error = ECH_REQUIRED_E; |
14785 | | WOLFSSL_ERROR_VERBOSE(ECH_REQUIRED_E); |
14786 | | return WOLFSSL_FATAL_ERROR; |
14787 | | } |
14788 | | #endif /* HAVE_ECH */ |
14789 | | |
14790 | 0 | if (!ssl->options.keepResources) { |
14791 | 0 | FreeHandshakeResources(ssl); |
14792 | 0 | } |
14793 | 0 | #if defined(WOLFSSL_ASYNC_IO) && !defined(WOLFSSL_ASYNC_CRYPT) |
14794 | | /* Free the remaining async context if not using it for crypto */ |
14795 | 0 | FreeAsyncCtx(ssl, 1); |
14796 | 0 | #endif |
14797 | |
|
14798 | 0 | ssl->error = 0; /* clear the error */ |
14799 | |
|
14800 | 0 | WOLFSSL_LEAVE("wolfSSL_connect_TLSv13", WOLFSSL_SUCCESS); |
14801 | 0 | return WOLFSSL_SUCCESS; |
14802 | | |
14803 | 0 | default: |
14804 | 0 | WOLFSSL_MSG("Unknown connect state ERROR"); |
14805 | 0 | return WOLFSSL_FATAL_ERROR; /* unknown connect state */ |
14806 | 0 | } |
14807 | 0 | } |
14808 | | #endif |
14809 | | |
14810 | | #if defined(WOLFSSL_SEND_HRR_COOKIE) |
14811 | | /* Send a cookie with the HelloRetryRequest to avoid storing state. |
14812 | | * |
14813 | | * ssl SSL/TLS object. |
14814 | | * secret Secret to use when generating integrity check for cookie. |
14815 | | * A value of NULL indicates to generate a new random secret. |
14816 | | * secretSz Size of secret data in bytes. |
14817 | | * Use a value of 0 to indicate use of default size. |
14818 | | * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when |
14819 | | * called on a client; WOLFSSL_SUCCESS on success and otherwise failure. |
14820 | | */ |
14821 | | int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret, |
14822 | | unsigned int secretSz) |
14823 | | { |
14824 | | int ret; |
14825 | | |
14826 | | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
14827 | | return BAD_FUNC_ARG; |
14828 | | #ifndef NO_WOLFSSL_SERVER |
14829 | | if (ssl->options.side == WOLFSSL_CLIENT_END) |
14830 | | return SIDE_ERROR; |
14831 | | |
14832 | | if (secretSz == 0) { |
14833 | | #ifndef NO_SHA256 |
14834 | | secretSz = WC_SHA256_DIGEST_SIZE; |
14835 | | #elif defined(WOLFSSL_SHA384) |
14836 | | secretSz = WC_SHA384_DIGEST_SIZE; |
14837 | | #elif defined(WOLFSSL_TLS13_SHA512) |
14838 | | secretSz = WC_SHA512_DIGEST_SIZE; |
14839 | | #elif defined(WOLFSSL_SM3) |
14840 | | secretSz = WC_SM3_DIGEST_SIZE; |
14841 | | #else |
14842 | | #error "No digest to available to use with HMAC for cookies." |
14843 | | #endif /* NO_SHA */ |
14844 | | } |
14845 | | |
14846 | | if (secretSz != ssl->buffers.tls13CookieSecret.length) { |
14847 | | byte* newSecret; |
14848 | | |
14849 | | if (ssl->buffers.tls13CookieSecret.buffer != NULL) { |
14850 | | ForceZero(ssl->buffers.tls13CookieSecret.buffer, |
14851 | | ssl->buffers.tls13CookieSecret.length); |
14852 | | XFREE(ssl->buffers.tls13CookieSecret.buffer, |
14853 | | ssl->heap, DYNAMIC_TYPE_COOKIE_PWD); |
14854 | | } |
14855 | | |
14856 | | newSecret = (byte*)XMALLOC(secretSz, ssl->heap, |
14857 | | DYNAMIC_TYPE_COOKIE_PWD); |
14858 | | if (newSecret == NULL) { |
14859 | | ssl->buffers.tls13CookieSecret.buffer = NULL; |
14860 | | ssl->buffers.tls13CookieSecret.length = 0; |
14861 | | WOLFSSL_MSG("couldn't allocate new cookie secret"); |
14862 | | return MEMORY_ERROR; |
14863 | | } |
14864 | | ssl->buffers.tls13CookieSecret.buffer = newSecret; |
14865 | | ssl->buffers.tls13CookieSecret.length = secretSz; |
14866 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
14867 | | wc_MemZero_Add("wolfSSL_send_hrr_cookie secret", |
14868 | | ssl->buffers.tls13CookieSecret.buffer, |
14869 | | ssl->buffers.tls13CookieSecret.length); |
14870 | | #endif |
14871 | | } |
14872 | | |
14873 | | /* If the supplied secret is NULL, randomly generate a new secret. */ |
14874 | | if (secret == NULL) { |
14875 | | ret = wc_RNG_GenerateBlock(ssl->rng, |
14876 | | ssl->buffers.tls13CookieSecret.buffer, secretSz); |
14877 | | if (ret < 0) |
14878 | | return ret; |
14879 | | } |
14880 | | else |
14881 | | XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz); |
14882 | | |
14883 | | ssl->options.sendCookie = 1; |
14884 | | |
14885 | | ret = WOLFSSL_SUCCESS; |
14886 | | #else |
14887 | | (void)secret; |
14888 | | (void)secretSz; |
14889 | | |
14890 | | ret = SIDE_ERROR; |
14891 | | #endif |
14892 | | |
14893 | | return ret; |
14894 | | } |
14895 | | |
14896 | | int wolfSSL_disable_hrr_cookie(WOLFSSL* ssl) |
14897 | | { |
14898 | | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
14899 | | return BAD_FUNC_ARG; |
14900 | | |
14901 | | #ifdef NO_WOLFSSL_SERVER |
14902 | | return SIDE_ERROR; |
14903 | | #else |
14904 | | if (ssl->options.side == WOLFSSL_CLIENT_END) |
14905 | | return SIDE_ERROR; |
14906 | | |
14907 | | if (ssl->buffers.tls13CookieSecret.buffer != NULL) { |
14908 | | ForceZero(ssl->buffers.tls13CookieSecret.buffer, |
14909 | | ssl->buffers.tls13CookieSecret.length); |
14910 | | XFREE(ssl->buffers.tls13CookieSecret.buffer, ssl->heap, |
14911 | | DYNAMIC_TYPE_COOKIE_PWD); |
14912 | | ssl->buffers.tls13CookieSecret.buffer = NULL; |
14913 | | ssl->buffers.tls13CookieSecret.length = 0; |
14914 | | } |
14915 | | |
14916 | | ssl->options.sendCookie = 0; |
14917 | | return WOLFSSL_SUCCESS; |
14918 | | #endif /* NO_WOLFSSL_SERVER */ |
14919 | | } |
14920 | | |
14921 | | #endif /* defined(WOLFSSL_SEND_HRR_COOKIE) */ |
14922 | | |
14923 | | #ifdef HAVE_SUPPORTED_CURVES |
14924 | | /* Create a key share entry from group. |
14925 | | * Generates a key pair. |
14926 | | * |
14927 | | * ssl The SSL/TLS object. |
14928 | | * group The named group. |
14929 | | * returns 0 on success, otherwise failure. |
14930 | | * for async can return WC_PENDING_E and should be called again |
14931 | | */ |
14932 | | int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group) |
14933 | 0 | { |
14934 | 0 | int ret; |
14935 | |
|
14936 | 0 | if (ssl == NULL) |
14937 | 0 | return BAD_FUNC_ARG; |
14938 | | |
14939 | | #ifdef WOLFSSL_ASYNC_CRYPT |
14940 | | ret = wolfSSL_AsyncPop(ssl, NULL); |
14941 | | if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E)) { |
14942 | | /* Check for error */ |
14943 | | if (ret < 0) |
14944 | | return ret; |
14945 | | } |
14946 | | #endif |
14947 | | |
14948 | 0 | #if defined(WOLFSSL_HAVE_MLKEM) |
14949 | 0 | if (WOLFSSL_NAMED_GROUP_IS_PQC(group) || |
14950 | 0 | WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)) { |
14951 | |
|
14952 | 0 | if (!IsAtLeastTLSv1_3(ssl->version)) { |
14953 | 0 | return BAD_FUNC_ARG; |
14954 | 0 | } |
14955 | | |
14956 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
14957 | | /* If I am the server of a KEM connection, do not do keygen because |
14958 | | * I'm going to encapsulate with the client's public key. Note that |
14959 | | * I might be the client and ssl->option.side has not been properly |
14960 | | * set yet. In that case the KeyGen operation will be deferred to |
14961 | | * connection time. */ |
14962 | 0 | return WOLFSSL_SUCCESS; |
14963 | 0 | } |
14964 | 0 | } |
14965 | 0 | #endif |
14966 | | #if defined(NO_TLS) |
14967 | | (void)ret; |
14968 | | (void)group; |
14969 | | #else |
14970 | | /* Check if the group is supported. */ |
14971 | 0 | if (!TLSX_IsGroupSupported(group, ssl->options.side)) { |
14972 | 0 | WOLFSSL_MSG("Group not supported."); |
14973 | 0 | return BAD_FUNC_ARG; |
14974 | 0 | } |
14975 | | |
14976 | 0 | ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL, &ssl->extensions); |
14977 | 0 | if (ret != 0) |
14978 | 0 | return ret; |
14979 | 0 | #endif /* NO_TLS */ |
14980 | 0 | return WOLFSSL_SUCCESS; |
14981 | 0 | } |
14982 | | |
14983 | | /* Send no key share entries - use HelloRetryRequest to negotiate shared group. |
14984 | | * |
14985 | | * ssl The SSL/TLS object. |
14986 | | * returns 0 on success, otherwise failure. |
14987 | | */ |
14988 | | int wolfSSL_NoKeyShares(WOLFSSL* ssl) |
14989 | 0 | { |
14990 | 0 | int ret; |
14991 | |
|
14992 | 0 | if (ssl == NULL) |
14993 | 0 | return BAD_FUNC_ARG; |
14994 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) |
14995 | 0 | return SIDE_ERROR; |
14996 | | #if defined(NO_TLS) |
14997 | | (void)ret; |
14998 | | #else |
14999 | 0 | ret = TLSX_KeyShare_Empty(ssl); |
15000 | 0 | if (ret != 0) |
15001 | 0 | return ret; |
15002 | 0 | #endif /* NO_TLS */ |
15003 | 0 | return WOLFSSL_SUCCESS; |
15004 | 0 | } |
15005 | | #endif |
15006 | | |
15007 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
15008 | | int wolfSSL_UseCKS(WOLFSSL* ssl, byte *sigSpec, word16 sigSpecSz) |
15009 | | { |
15010 | | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->ctx->method->version) || |
15011 | | sigSpec == NULL || sigSpecSz == 0) |
15012 | | return BAD_FUNC_ARG; |
15013 | | |
15014 | | ssl->sigSpec = sigSpec; |
15015 | | ssl->sigSpecSz = sigSpecSz; |
15016 | | return WOLFSSL_SUCCESS; |
15017 | | } |
15018 | | |
15019 | | int wolfSSL_CTX_UseCKS(WOLFSSL_CTX* ctx, byte *sigSpec, word16 sigSpecSz) |
15020 | | { |
15021 | | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version) || |
15022 | | sigSpec == NULL || sigSpecSz == 0) |
15023 | | return BAD_FUNC_ARG; |
15024 | | |
15025 | | ctx->sigSpec = sigSpec; |
15026 | | ctx->sigSpecSz = sigSpecSz; |
15027 | | return WOLFSSL_SUCCESS; |
15028 | | } |
15029 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
15030 | | |
15031 | | /* Do not send a ticket after TLS v1.3 handshake for resumption. |
15032 | | * |
15033 | | * ctx The SSL/TLS CTX object. |
15034 | | * returns BAD_FUNC_ARG when ctx is NULL and 0 on success. |
15035 | | */ |
15036 | | int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx) |
15037 | 0 | { |
15038 | 0 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
15039 | 0 | return BAD_FUNC_ARG; |
15040 | 0 | if (ctx->method->side == WOLFSSL_CLIENT_END) |
15041 | 0 | return SIDE_ERROR; |
15042 | | |
15043 | | #ifdef HAVE_SESSION_TICKET |
15044 | | ctx->noTicketTls13 = 1; |
15045 | | #endif |
15046 | | |
15047 | 0 | return 0; |
15048 | 0 | } |
15049 | | |
15050 | | /* Do not send a ticket after TLS v1.3 handshake for resumption. |
15051 | | * |
15052 | | * ssl The SSL/TLS object. |
15053 | | * returns BAD_FUNC_ARG when ssl is NULL, not using TLS v1.3, or called on |
15054 | | * a client and 0 on success. |
15055 | | */ |
15056 | | int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl) |
15057 | 0 | { |
15058 | 0 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
15059 | 0 | return BAD_FUNC_ARG; |
15060 | 0 | if (ssl->options.side == WOLFSSL_CLIENT_END) |
15061 | 0 | return SIDE_ERROR; |
15062 | | |
15063 | | #ifdef HAVE_SESSION_TICKET |
15064 | | ssl->options.noTicketTls13 = 1; |
15065 | | #endif |
15066 | | |
15067 | 0 | return 0; |
15068 | 0 | } |
15069 | | |
15070 | | /* Disallow (EC)DHE key exchange when using pre-shared keys. |
15071 | | * |
15072 | | * ctx The SSL/TLS CTX object. |
15073 | | * returns BAD_FUNC_ARG when ctx is NULL and 0 on success. |
15074 | | */ |
15075 | | int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx) |
15076 | 0 | { |
15077 | 0 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
15078 | 0 | return BAD_FUNC_ARG; |
15079 | | |
15080 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15081 | | ctx->noPskDheKe = 1; |
15082 | | #endif |
15083 | | |
15084 | 0 | return 0; |
15085 | 0 | } |
15086 | | |
15087 | | /* Disallow (EC)DHE key exchange when using pre-shared keys. |
15088 | | * |
15089 | | * ssl The SSL/TLS object. |
15090 | | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on |
15091 | | * success. |
15092 | | */ |
15093 | | int wolfSSL_no_dhe_psk(WOLFSSL* ssl) |
15094 | 0 | { |
15095 | 0 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
15096 | 0 | return BAD_FUNC_ARG; |
15097 | | |
15098 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15099 | | ssl->options.noPskDheKe = 1; |
15100 | | #endif |
15101 | | |
15102 | 0 | return 0; |
15103 | 0 | } |
15104 | | |
15105 | | #ifdef HAVE_SUPPORTED_CURVES |
15106 | | /* Only allow (EC)DHE key exchange when using pre-shared keys. |
15107 | | * |
15108 | | * ctx The SSL/TLS CTX object. |
15109 | | * returns BAD_FUNC_ARG when ctx is NULL and 0 on success. |
15110 | | */ |
15111 | | int wolfSSL_CTX_only_dhe_psk(WOLFSSL_CTX* ctx) |
15112 | 0 | { |
15113 | 0 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
15114 | 0 | return BAD_FUNC_ARG; |
15115 | | |
15116 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15117 | | ctx->onlyPskDheKe = 1; |
15118 | | #endif |
15119 | | |
15120 | 0 | return 0; |
15121 | 0 | } |
15122 | | |
15123 | | /* Only allow (EC)DHE key exchange when using pre-shared keys. |
15124 | | * |
15125 | | * ssl The SSL/TLS object. |
15126 | | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on |
15127 | | * success. |
15128 | | */ |
15129 | | int wolfSSL_only_dhe_psk(WOLFSSL* ssl) |
15130 | 0 | { |
15131 | 0 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
15132 | 0 | return BAD_FUNC_ARG; |
15133 | | |
15134 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15135 | | ssl->options.onlyPskDheKe = 1; |
15136 | | #endif |
15137 | | |
15138 | 0 | return 0; |
15139 | 0 | } |
15140 | | #endif /* HAVE_SUPPORTED_CURVES */ |
15141 | | |
15142 | | /* Require that an external Pre-Shared Key is negotiated for the handshake to |
15143 | | * succeed. TLS 1.3 / DTLS 1.3 only - in (D)TLS 1.2 the use of a PSK is |
15144 | | * determined by the negotiated cipher suite, so a mandatory PSK is configured |
15145 | | * there by restricting the cipher suite list to PSK suites. |
15146 | | * |
15147 | | * ctx The SSL/TLS CTX object. |
15148 | | * returns BAD_FUNC_ARG when ctx is NULL or not at least TLS v1.3, 0 on success. |
15149 | | */ |
15150 | | int wolfSSL_CTX_require_psk(WOLFSSL_CTX* ctx) |
15151 | 0 | { |
15152 | 0 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
15153 | 0 | return BAD_FUNC_ARG; |
15154 | | |
15155 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15156 | | ctx->failNoPSK = 1; |
15157 | | /* The requirement can only be enforced for (D)TLS 1.3, so keep it |
15158 | | * fail-closed by disabling a version downgrade. Otherwise a |
15159 | | * downgrade-capable context (e.g. from a v23 method) could silently fall |
15160 | | * back to (D)TLS 1.2 and complete without any PSK. */ |
15161 | | ctx->method->downgrade = 0; |
15162 | | #endif |
15163 | | |
15164 | 0 | return 0; |
15165 | 0 | } |
15166 | | |
15167 | | /* Require that an external Pre-Shared Key is negotiated for the handshake to |
15168 | | * succeed. See wolfSSL_CTX_require_psk(). |
15169 | | * |
15170 | | * ssl The SSL/TLS object. |
15171 | | * returns BAD_FUNC_ARG when ssl is NULL or not at least TLS v1.3, 0 on success. |
15172 | | */ |
15173 | | int wolfSSL_require_psk(WOLFSSL* ssl) |
15174 | 0 | { |
15175 | 0 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
15176 | 0 | return BAD_FUNC_ARG; |
15177 | | |
15178 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15179 | | ssl->options.failNoPSK = 1; |
15180 | | /* See wolfSSL_CTX_require_psk() - keep the requirement fail-closed by |
15181 | | * disabling a version downgrade to (D)TLS 1.2. */ |
15182 | | ssl->options.downgrade = 0; |
15183 | | #endif |
15184 | | |
15185 | 0 | return 0; |
15186 | 0 | } |
15187 | | |
15188 | | int Tls13UpdateKeys(WOLFSSL* ssl) |
15189 | 0 | { |
15190 | 0 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
15191 | 0 | return BAD_FUNC_ARG; |
15192 | | |
15193 | | #ifdef WOLFSSL_QUIC |
15194 | | /* RFC 9001 Section 6: a QUIC connection must not send a TLS KeyUpdate; |
15195 | | * key updates are handled at the QUIC packet-protection layer. */ |
15196 | | if (WOLFSSL_IS_QUIC(ssl)) |
15197 | | return BAD_FUNC_ARG; |
15198 | | #endif |
15199 | | |
15200 | | #ifdef WOLFSSL_DTLS13 |
15201 | | /* we are already waiting for the ack of a sent key update message. We can't |
15202 | | send another one before receiving its ack. Either wolfSSL_update_keys() |
15203 | | was invoked multiple times over a short period of time or we replied to a |
15204 | | KeyUpdate with update request. We'll just ignore sending this |
15205 | | KeyUpdate. */ |
15206 | | /* TODO: add WOLFSSL_ERROR_ALREADY_IN_PROGRESS type of error here */ |
15207 | | if (ssl->options.dtls && ssl->dtls13WaitKeyUpdateAck) |
15208 | | return 0; |
15209 | | #endif /* WOLFSSL_DTLS13 */ |
15210 | | |
15211 | 0 | return SendTls13KeyUpdate(ssl); |
15212 | 0 | } |
15213 | | |
15214 | | /* Update the keys for encryption and decryption. |
15215 | | * If using non-blocking I/O and WOLFSSL_ERROR_WANT_WRITE is returned then |
15216 | | * calling wolfSSL_write() will have the message sent when ready. |
15217 | | * |
15218 | | * ssl The SSL/TLS object. |
15219 | | * returns BAD_FUNC_ARG when ssl is NULL, not using TLS v1.3, or running over |
15220 | | * QUIC (RFC 9001 handles key updates at the QUIC packet-protection layer), |
15221 | | * WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write, |
15222 | | * WOLFSSL_SUCCESS on success and otherwise failure. |
15223 | | */ |
15224 | | int wolfSSL_update_keys(WOLFSSL* ssl) |
15225 | 0 | { |
15226 | 0 | int ret; |
15227 | 0 | ret = Tls13UpdateKeys(ssl); |
15228 | 0 | if (ret == WC_NO_ERR_TRACE(WANT_WRITE)) |
15229 | 0 | ret = WOLFSSL_ERROR_WANT_WRITE; |
15230 | 0 | else if (ret == 0) |
15231 | 0 | ret = WOLFSSL_SUCCESS; |
15232 | 0 | return ret; |
15233 | 0 | } |
15234 | | |
15235 | | /* Whether a response is waiting for key update request. |
15236 | | * |
15237 | | * ssl The SSL/TLS object. |
15238 | | * required 0 when no key update response required. |
15239 | | * 1 when no key update response required. |
15240 | | * return 0 on success. |
15241 | | * return BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3 |
15242 | | */ |
15243 | | int wolfSSL_key_update_response(WOLFSSL* ssl, int* required) |
15244 | 0 | { |
15245 | 0 | if (required == NULL || ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
15246 | 0 | return BAD_FUNC_ARG; |
15247 | | |
15248 | 0 | *required = ssl->keys.updateResponseReq; |
15249 | |
|
15250 | 0 | return 0; |
15251 | 0 | } |
15252 | | |
15253 | | #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) |
15254 | | /* Allow post-handshake authentication in TLS v1.3 connections. |
15255 | | * |
15256 | | * ctx The SSL/TLS CTX object. |
15257 | | * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a client and |
15258 | | * 0 on success. |
15259 | | */ |
15260 | | int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx) |
15261 | | { |
15262 | | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
15263 | | return BAD_FUNC_ARG; |
15264 | | if (ctx->method->side == WOLFSSL_SERVER_END) |
15265 | | return SIDE_ERROR; |
15266 | | |
15267 | | ctx->postHandshakeAuth = 1; |
15268 | | |
15269 | | return 0; |
15270 | | } |
15271 | | |
15272 | | /* Allow post-handshake authentication in TLS v1.3 connection. |
15273 | | * |
15274 | | * ssl The SSL/TLS object. |
15275 | | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
15276 | | * SIDE_ERROR when not a client, BAD_STATE_E when called after the handshake |
15277 | | * has started, and 0 on success. |
15278 | | * |
15279 | | * Must be called before wolfSSL_connect() so the post_handshake_auth |
15280 | | * extension can be included in the ClientHello. |
15281 | | */ |
15282 | | int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl) |
15283 | | { |
15284 | | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
15285 | | return BAD_FUNC_ARG; |
15286 | | if (ssl->options.side == WOLFSSL_SERVER_END) |
15287 | | return SIDE_ERROR; |
15288 | | if (ssl->options.handShakeState != NULL_STATE) |
15289 | | return BAD_STATE_E; |
15290 | | |
15291 | | ssl->options.postHandshakeAuth = 1; |
15292 | | |
15293 | | return 0; |
15294 | | } |
15295 | | |
15296 | | /* Request a certificate of the client. |
15297 | | * Can be called any time after handshake completion. |
15298 | | * A maximum of 256 requests can be sent on a connection. |
15299 | | * |
15300 | | * ssl SSL/TLS object. |
15301 | | */ |
15302 | | int wolfSSL_request_certificate(WOLFSSL* ssl) |
15303 | | { |
15304 | | int ret; |
15305 | | #ifndef NO_WOLFSSL_SERVER |
15306 | | CertReqCtx* certReqCtx; |
15307 | | #endif |
15308 | | |
15309 | | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
15310 | | return BAD_FUNC_ARG; |
15311 | | #ifndef NO_WOLFSSL_SERVER |
15312 | | if (ssl->options.side == WOLFSSL_CLIENT_END) |
15313 | | return SIDE_ERROR; |
15314 | | if (ssl->options.handShakeState != HANDSHAKE_DONE) |
15315 | | return NOT_READY_ERROR; |
15316 | | if (!ssl->options.postHandshakeAuth) |
15317 | | return POST_HAND_AUTH_ERROR; |
15318 | | if (ssl->certReqCtx != NULL) { |
15319 | | if (ssl->certReqCtx->len != 1) |
15320 | | return BAD_STATE_E; |
15321 | | /* We support sending up to 255 certificate requests */ |
15322 | | if (ssl->certReqCtx->ctx == 255) |
15323 | | return BAD_STATE_E; |
15324 | | } |
15325 | | |
15326 | | certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap, |
15327 | | DYNAMIC_TYPE_TMP_BUFFER); |
15328 | | if (certReqCtx == NULL) |
15329 | | return MEMORY_E; |
15330 | | XMEMSET(certReqCtx, 0, sizeof(CertReqCtx)); |
15331 | | certReqCtx->next = ssl->certReqCtx; |
15332 | | certReqCtx->len = 1; |
15333 | | if (certReqCtx->next != NULL) |
15334 | | certReqCtx->ctx = certReqCtx->next->ctx + 1; |
15335 | | ssl->certReqCtx = certReqCtx; |
15336 | | |
15337 | | ssl->msgsReceived.got_certificate = 0; |
15338 | | ssl->msgsReceived.got_certificate_verify = 0; |
15339 | | ssl->msgsReceived.got_finished = 0; |
15340 | | |
15341 | | ret = SendTls13CertificateRequest(ssl, &certReqCtx->ctx, certReqCtx->len); |
15342 | | if (ret == WC_NO_ERR_TRACE(WANT_WRITE)) |
15343 | | ret = WOLFSSL_ERROR_WANT_WRITE; |
15344 | | else if (ret == 0) |
15345 | | ret = WOLFSSL_SUCCESS; |
15346 | | #else |
15347 | | ret = SIDE_ERROR; |
15348 | | #endif |
15349 | | |
15350 | | return ret; |
15351 | | } |
15352 | | #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */ |
15353 | | |
15354 | | #if !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) |
15355 | | /* Get the preferred key exchange group. |
15356 | | * |
15357 | | * ssl The SSL/TLS object. |
15358 | | * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, |
15359 | | * SIDE_ERROR when not a client, NOT_READY_ERROR when handshake not complete |
15360 | | * and group number on success. |
15361 | | */ |
15362 | | int wolfSSL_preferred_group(WOLFSSL* ssl) |
15363 | 0 | { |
15364 | 0 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
15365 | 0 | return BAD_FUNC_ARG; |
15366 | 0 | #ifndef NO_WOLFSSL_CLIENT |
15367 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) |
15368 | 0 | return SIDE_ERROR; |
15369 | 0 | if (ssl->options.handShakeState != HANDSHAKE_DONE) |
15370 | 0 | return NOT_READY_ERROR; |
15371 | | |
15372 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
15373 | | /* Return supported groups only. */ |
15374 | 0 | return TLSX_SupportedCurve_Preferred(ssl, 1); |
15375 | | #else |
15376 | | return 0; |
15377 | | #endif |
15378 | | #else |
15379 | | return SIDE_ERROR; |
15380 | | #endif |
15381 | 0 | } |
15382 | | #endif |
15383 | | |
15384 | | #ifndef NO_PSK |
15385 | | /* Set the PSK callback, that is passed the cipher suite, for a client to use |
15386 | | * against context object. |
15387 | | * |
15388 | | * @param [in, out] ctx SSL/TLS context object. |
15389 | | * @param [in] cb Client PSK callback passed a cipher suite. |
15390 | | */ |
15391 | | void wolfSSL_CTX_set_psk_client_cs_callback(WOLFSSL_CTX* ctx, |
15392 | | wc_psk_client_cs_callback cb) |
15393 | | { |
15394 | | WOLFSSL_ENTER("wolfSSL_CTX_set_psk_client_cs_callback"); |
15395 | | |
15396 | | if (ctx == NULL) |
15397 | | return; |
15398 | | |
15399 | | ctx->havePSK = 1; |
15400 | | ctx->client_psk_cs_cb = cb; |
15401 | | } |
15402 | | |
15403 | | /* Set the PSK callback, that is passed the cipher suite, for a client to use |
15404 | | * against SSL object. |
15405 | | * |
15406 | | * @param [in, out] ssl SSL/TLS object. |
15407 | | * @param [in] cb Client PSK callback passed a cipher suite. |
15408 | | */ |
15409 | | void wolfSSL_set_psk_client_cs_callback(WOLFSSL* ssl, |
15410 | | wc_psk_client_cs_callback cb) |
15411 | | { |
15412 | | byte haveRSA = 1; |
15413 | | int keySz = 0; |
15414 | | |
15415 | | WOLFSSL_ENTER("wolfSSL_set_psk_client_cs_callback"); |
15416 | | |
15417 | | if (ssl == NULL) |
15418 | | return; |
15419 | | |
15420 | | ssl->options.havePSK = 1; |
15421 | | ssl->options.client_psk_cs_cb = cb; |
15422 | | |
15423 | | #ifdef NO_RSA |
15424 | | haveRSA = 0; |
15425 | | #endif |
15426 | | #ifndef NO_CERTS |
15427 | | keySz = ssl->buffers.keySz; |
15428 | | #endif |
15429 | | if (AllocateSuites(ssl) != 0) |
15430 | | return; |
15431 | | InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, |
15432 | | ssl->options.haveDH, ssl->options.haveECDSAsig, |
15433 | | ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, |
15434 | | ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side); |
15435 | | } |
15436 | | |
15437 | | /* Set the PSK callback that returns the cipher suite for a client to use |
15438 | | * against context object. |
15439 | | * |
15440 | | * @param [in, out] ctx SSL/TLS context object. |
15441 | | * @param [in] cb Client PSK callback returning cipher suite. |
15442 | | */ |
15443 | | void wolfSSL_CTX_set_psk_client_tls13_callback(WOLFSSL_CTX* ctx, |
15444 | | wc_psk_client_tls13_callback cb) |
15445 | | { |
15446 | | WOLFSSL_ENTER("wolfSSL_CTX_set_psk_client_tls13_callback"); |
15447 | | |
15448 | | if (ctx == NULL) |
15449 | | return; |
15450 | | |
15451 | | ctx->havePSK = 1; |
15452 | | ctx->client_psk_tls13_cb = cb; |
15453 | | } |
15454 | | |
15455 | | /* Set the PSK callback that returns the cipher suite for a client to use |
15456 | | * against SSL object. |
15457 | | * |
15458 | | * @param [in, out] ssl SSL/TLS object. |
15459 | | * @param [in] cb Client PSK callback returning cipher suite. |
15460 | | */ |
15461 | | void wolfSSL_set_psk_client_tls13_callback(WOLFSSL* ssl, |
15462 | | wc_psk_client_tls13_callback cb) |
15463 | | { |
15464 | | byte haveRSA = 1; |
15465 | | int keySz = 0; |
15466 | | |
15467 | | WOLFSSL_ENTER("wolfSSL_set_psk_client_tls13_callback"); |
15468 | | |
15469 | | if (ssl == NULL) |
15470 | | return; |
15471 | | |
15472 | | ssl->options.havePSK = 1; |
15473 | | ssl->options.client_psk_tls13_cb = cb; |
15474 | | |
15475 | | #ifdef NO_RSA |
15476 | | haveRSA = 0; |
15477 | | #endif |
15478 | | #ifndef NO_CERTS |
15479 | | keySz = ssl->buffers.keySz; |
15480 | | #endif |
15481 | | if (AllocateSuites(ssl) != 0) |
15482 | | return; |
15483 | | InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, |
15484 | | ssl->options.haveDH, ssl->options.haveECDSAsig, |
15485 | | ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, |
15486 | | ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side); |
15487 | | } |
15488 | | |
15489 | | /* Set the PSK callback that returns the cipher suite for a server to use |
15490 | | * against context object. |
15491 | | * |
15492 | | * @param [in, out] ctx SSL/TLS context object. |
15493 | | * @param [in] cb Server PSK callback returning cipher suite. |
15494 | | */ |
15495 | | void wolfSSL_CTX_set_psk_server_tls13_callback(WOLFSSL_CTX* ctx, |
15496 | | wc_psk_server_tls13_callback cb) |
15497 | | { |
15498 | | WOLFSSL_ENTER("wolfSSL_CTX_set_psk_server_tls13_callback"); |
15499 | | if (ctx == NULL) |
15500 | | return; |
15501 | | ctx->havePSK = 1; |
15502 | | ctx->server_psk_tls13_cb = cb; |
15503 | | } |
15504 | | |
15505 | | /* Set the PSK callback that returns the cipher suite for a server to use |
15506 | | * against SSL object. |
15507 | | * |
15508 | | * @param [in, out] ssl SSL/TLS object. |
15509 | | * @param [in] cb Server PSK callback returning cipher suite. |
15510 | | */ |
15511 | | void wolfSSL_set_psk_server_tls13_callback(WOLFSSL* ssl, |
15512 | | wc_psk_server_tls13_callback cb) |
15513 | | { |
15514 | | byte haveRSA = 1; |
15515 | | int keySz = 0; |
15516 | | |
15517 | | WOLFSSL_ENTER("wolfSSL_set_psk_server_tls13_callback"); |
15518 | | if (ssl == NULL) |
15519 | | return; |
15520 | | |
15521 | | ssl->options.havePSK = 1; |
15522 | | ssl->options.server_psk_tls13_cb = cb; |
15523 | | |
15524 | | #ifdef NO_RSA |
15525 | | haveRSA = 0; |
15526 | | #endif |
15527 | | #ifndef NO_CERTS |
15528 | | keySz = ssl->buffers.keySz; |
15529 | | #endif |
15530 | | if (AllocateSuites(ssl) != 0) |
15531 | | return; |
15532 | | InitSuites(ssl->suites, ssl->version, keySz, haveRSA, TRUE, |
15533 | | ssl->options.haveDH, ssl->options.haveECDSAsig, |
15534 | | ssl->options.haveECC, TRUE, ssl->options.haveStaticECC, |
15535 | | ssl->options.useAnon, TRUE, TRUE, TRUE, TRUE, ssl->options.side); |
15536 | | } |
15537 | | |
15538 | | /* Get name of first supported cipher suite that uses the hash indicated. |
15539 | | * |
15540 | | * @param [in] ssl SSL/TLS object. |
15541 | | * @param [in] hash Name of hash algorithm. e.g. "SHA256", "SHA384" |
15542 | | * @return Name of cipher suite. |
15543 | | * @return NULL on failure. |
15544 | | */ |
15545 | | const char* wolfSSL_get_cipher_name_by_hash(WOLFSSL* ssl, const char* hash) |
15546 | | { |
15547 | | const char* name = NULL; |
15548 | | byte mac = no_mac; |
15549 | | int i; |
15550 | | const Suites* suites; |
15551 | | |
15552 | | if (hash == NULL || ssl == NULL || |
15553 | | (ssl->suites == NULL && ssl->ctx == NULL)) |
15554 | | return NULL; |
15555 | | |
15556 | | suites = WOLFSSL_SUITES(ssl); |
15557 | | if (suites == NULL) |
15558 | | return NULL; |
15559 | | |
15560 | | if (XSTRCMP(hash, "SHA256") == 0) { |
15561 | | mac = sha256_mac; |
15562 | | } |
15563 | | else if (XSTRCMP(hash, "SHA384") == 0) { |
15564 | | mac = sha384_mac; |
15565 | | } |
15566 | | if (mac != no_mac) { |
15567 | | for (i = 0; i < suites->suiteSz; i += 2) { |
15568 | | if (SuiteMac(suites->suites + i) == mac) { |
15569 | | name = GetCipherNameInternal(suites->suites[i + 0], |
15570 | | suites->suites[i + 1]); |
15571 | | break; |
15572 | | } |
15573 | | } |
15574 | | } |
15575 | | return name; |
15576 | | } |
15577 | | #endif /* !NO_PSK */ |
15578 | | |
15579 | | |
15580 | | #ifndef NO_WOLFSSL_SERVER |
15581 | | |
15582 | | /* The server accepting a connection from a client. |
15583 | | * The protocol version is expecting to be TLS v1.3. |
15584 | | * If the client downgrades, and older versions of the protocol are compiled |
15585 | | * in, the server will fallback to wolfSSL_accept(). |
15586 | | * Please see note at top of README if you get an error from accept. |
15587 | | * |
15588 | | * ssl The SSL/TLS object. |
15589 | | * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when |
15590 | | * unrecoverable error occurs and 0 otherwise. |
15591 | | * For more error information use wolfSSL_get_error(). |
15592 | | */ |
15593 | | int wolfSSL_accept_TLSv13(WOLFSSL* ssl) |
15594 | 0 | { |
15595 | | #if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) |
15596 | | word16 havePSK = 0; |
15597 | | #endif |
15598 | 0 | int ret = 0; |
15599 | |
|
15600 | 0 | WOLFSSL_ENTER("wolfSSL_accept_TLSv13"); |
15601 | |
|
15602 | 0 | #ifdef HAVE_ERRNO_H |
15603 | 0 | errno = 0; |
15604 | 0 | #endif |
15605 | |
|
15606 | 0 | if (ssl == NULL) |
15607 | 0 | return WOLFSSL_FATAL_ERROR; |
15608 | | |
15609 | | #if !defined(NO_CERTS) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) |
15610 | | havePSK = ssl->options.havePSK; |
15611 | | #endif |
15612 | | |
15613 | 0 | if (ssl->options.side != WOLFSSL_SERVER_END) { |
15614 | 0 | ssl->error = SIDE_ERROR; |
15615 | 0 | WOLFSSL_ERROR(ssl->error); |
15616 | 0 | return WOLFSSL_FATAL_ERROR; |
15617 | 0 | } |
15618 | | |
15619 | | /* make sure this wolfSSL object has arrays and rng setup. Protects |
15620 | | * case where the WOLFSSL object is reused via wolfSSL_clear() */ |
15621 | 0 | if ((ret = ReinitSSL(ssl, ssl->ctx, 0)) != 0) { |
15622 | 0 | return ret; |
15623 | 0 | } |
15624 | | |
15625 | | #ifdef WOLFSSL_DTLS |
15626 | | if (ssl->version.major == DTLS_MAJOR) { |
15627 | | ssl->options.dtls = 1; |
15628 | | if (!IsDtlsNotSctpMode(ssl) || !ssl->options.sendCookie) |
15629 | | ssl->options.dtlsStateful = 1; |
15630 | | } |
15631 | | #endif |
15632 | | |
15633 | | #ifdef WOLFSSL_WOLFSENTRY_HOOKS |
15634 | | if ((ssl->AcceptFilter != NULL) && |
15635 | | ((ssl->options.acceptState == TLS13_ACCEPT_BEGIN) |
15636 | | #ifdef HAVE_SECURE_RENEGOTIATION |
15637 | | || (ssl->options.acceptState == TLS13_ACCEPT_BEGIN_RENEG) |
15638 | | #endif |
15639 | | )) |
15640 | | { |
15641 | | wolfSSL_netfilter_decision_t res; |
15642 | | if ((ssl->AcceptFilter(ssl, ssl->AcceptFilter_arg, &res) == |
15643 | | WOLFSSL_SUCCESS) && |
15644 | | (res == WOLFSSL_NETFILTER_REJECT)) { |
15645 | | ssl->error = SOCKET_FILTERED_E; |
15646 | | WOLFSSL_ERROR(ssl->error); |
15647 | | return WOLFSSL_FATAL_ERROR; |
15648 | | } |
15649 | | } |
15650 | | #endif /* WOLFSSL_WOLFSENTRY_HOOKS */ |
15651 | | |
15652 | 0 | #ifndef NO_CERTS |
15653 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15654 | | if (!havePSK) |
15655 | | #endif |
15656 | 0 | { |
15657 | | #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \ |
15658 | | defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY) |
15659 | | if (ssl->ctx->certSetupCb != NULL) { |
15660 | | WOLFSSL_MSG("CertSetupCb set. server cert and " |
15661 | | "key not checked"); |
15662 | | } |
15663 | | else |
15664 | | #endif |
15665 | 0 | { |
15666 | 0 | if (!ssl->buffers.certificate || |
15667 | 0 | !ssl->buffers.certificate->buffer) { |
15668 | |
|
15669 | 0 | WOLFSSL_MSG("accept error: server cert required"); |
15670 | 0 | ssl->error = NO_PRIVATE_KEY; |
15671 | 0 | WOLFSSL_ERROR(ssl->error); |
15672 | 0 | return WOLFSSL_FATAL_ERROR; |
15673 | 0 | } |
15674 | | |
15675 | 0 | if (!ssl->buffers.key || !ssl->buffers.key->buffer) { |
15676 | | /* allow no private key if using existing key */ |
15677 | | #ifdef WOLF_PRIVATE_KEY_ID |
15678 | | if (ssl->devId != INVALID_DEVID |
15679 | | #ifdef HAVE_PK_CALLBACKS |
15680 | | || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx) |
15681 | | #endif |
15682 | | ) { |
15683 | | WOLFSSL_MSG("Allowing no server private key (external)"); |
15684 | | } |
15685 | | else |
15686 | | #endif |
15687 | 0 | { |
15688 | 0 | WOLFSSL_MSG("accept error: server key required"); |
15689 | 0 | ssl->error = NO_PRIVATE_KEY; |
15690 | 0 | WOLFSSL_ERROR(ssl->error); |
15691 | 0 | return WOLFSSL_FATAL_ERROR; |
15692 | 0 | } |
15693 | 0 | } |
15694 | 0 | } |
15695 | 0 | } |
15696 | 0 | #endif /* NO_CERTS */ |
15697 | | |
15698 | 0 | if (ssl->buffers.outputBuffer.length > 0 |
15699 | | #ifdef WOLFSSL_ASYNC_CRYPT |
15700 | | /* do not send buffered or advance state if last error was an |
15701 | | async pending operation */ |
15702 | | && ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E) |
15703 | | #endif |
15704 | 0 | ) { |
15705 | | |
15706 | | /* fragOffset is non-zero when sending fragments. On the last |
15707 | | * fragment, fragOffset is zero again, and the state can be |
15708 | | * advanced. */ |
15709 | 0 | int advanceState = |
15710 | 0 | (ssl->options.acceptState == TLS13_ACCEPT_CLIENT_HELLO_DONE || |
15711 | 0 | ssl->options.acceptState == |
15712 | 0 | TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE || |
15713 | 0 | ssl->options.acceptState == TLS13_ACCEPT_SECOND_REPLY_DONE || |
15714 | 0 | ssl->options.acceptState == TLS13_SERVER_HELLO_SENT || |
15715 | 0 | ssl->options.acceptState == TLS13_ACCEPT_THIRD_REPLY_DONE || |
15716 | 0 | ssl->options.acceptState == TLS13_SERVER_EXTENSIONS_SENT || |
15717 | 0 | ssl->options.acceptState == TLS13_CERT_REQ_SENT || |
15718 | 0 | ssl->options.acceptState == TLS13_CERT_SENT || |
15719 | 0 | ssl->options.acceptState == TLS13_CERT_VERIFY_SENT || |
15720 | 0 | ssl->options.acceptState == TLS13_ACCEPT_FINISHED_SENT || |
15721 | 0 | ssl->options.acceptState == TLS13_ACCEPT_FINISHED_DONE); |
15722 | |
|
15723 | | #ifdef WOLFSSL_DTLS13 |
15724 | | if (ssl->options.dtls) |
15725 | | advanceState = advanceState && !ssl->dtls13SendingFragments |
15726 | | && !ssl->dtls13SendingAckOrRtx; |
15727 | | #endif /* WOLFSSL_DTLS13 */ |
15728 | |
|
15729 | 0 | ret = SendBuffered(ssl); |
15730 | 0 | if (ret == 0) { |
15731 | 0 | if (ssl->fragOffset == 0 && !ssl->options.buildingMsg) { |
15732 | 0 | if (advanceState) { |
15733 | 0 | ssl->options.acceptState++; |
15734 | 0 | WOLFSSL_MSG("accept state: " |
15735 | 0 | "Advanced from last buffered fragment send"); |
15736 | 0 | #ifdef WOLFSSL_ASYNC_IO |
15737 | 0 | FreeAsyncCtx(ssl, 0); |
15738 | 0 | #endif |
15739 | 0 | } |
15740 | 0 | } |
15741 | 0 | else { |
15742 | 0 | WOLFSSL_MSG("accept state: " |
15743 | 0 | "Not advanced, more fragments to send"); |
15744 | 0 | } |
15745 | |
|
15746 | | #ifdef WOLFSSL_DTLS13 |
15747 | | if (ssl->options.dtls) |
15748 | | ssl->dtls13SendingAckOrRtx = 0; |
15749 | | #endif /* WOLFSSL_DTLS13 */ |
15750 | |
|
15751 | 0 | } |
15752 | 0 | else { |
15753 | 0 | ssl->error = ret; |
15754 | 0 | WOLFSSL_ERROR(ssl->error); |
15755 | 0 | return WOLFSSL_FATAL_ERROR; |
15756 | 0 | } |
15757 | 0 | } |
15758 | | |
15759 | 0 | ret = RetrySendAlert(ssl); |
15760 | 0 | if (ret != 0) { |
15761 | 0 | ssl->error = ret; |
15762 | 0 | WOLFSSL_ERROR(ssl->error); |
15763 | 0 | return WOLFSSL_FATAL_ERROR; |
15764 | 0 | } |
15765 | | #ifdef WOLFSSL_DTLS13 |
15766 | | if (ssl->options.dtls && ssl->dtls13SendingFragments) { |
15767 | | if ((ssl->error = Dtls13FragmentsContinue(ssl)) != 0) { |
15768 | | WOLFSSL_ERROR(ssl->error); |
15769 | | return WOLFSSL_FATAL_ERROR; |
15770 | | } |
15771 | | |
15772 | | /* we sent all the fragments. Advance state. */ |
15773 | | ssl->options.acceptState++; |
15774 | | } |
15775 | | #endif /* WOLFSSL_DTLS13 */ |
15776 | | |
15777 | 0 | switch (ssl->options.acceptState) { |
15778 | | |
15779 | | #ifdef HAVE_SECURE_RENEGOTIATION |
15780 | | case TLS13_ACCEPT_BEGIN_RENEG: |
15781 | | #endif |
15782 | 0 | case TLS13_ACCEPT_BEGIN : |
15783 | | /* get client_hello */ |
15784 | |
|
15785 | 0 | while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
15786 | 0 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
15787 | 0 | WOLFSSL_ERROR(ssl->error); |
15788 | 0 | return WOLFSSL_FATAL_ERROR; |
15789 | 0 | } |
15790 | |
|
15791 | | #ifdef WOLFSSL_DTLS13 |
15792 | | if (ssl->options.dtls) { |
15793 | | if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) { |
15794 | | WOLFSSL_ERROR(ssl->error); |
15795 | | return WOLFSSL_FATAL_ERROR; |
15796 | | } |
15797 | | } |
15798 | | #endif /* WOLFSSL_DTLS13 */ |
15799 | |
|
15800 | 0 | } |
15801 | | |
15802 | 0 | ssl->options.acceptState = TLS13_ACCEPT_CLIENT_HELLO_DONE; |
15803 | 0 | WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE"); |
15804 | 0 | if (!IsAtLeastTLSv1_3(ssl->version)) |
15805 | 0 | return wolfSSL_accept(ssl); |
15806 | 0 | FALL_THROUGH; |
15807 | |
|
15808 | 0 | case TLS13_ACCEPT_CLIENT_HELLO_DONE : |
15809 | 0 | if (ssl->options.serverState == |
15810 | 0 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
15811 | 0 | if ((ssl->error = SendTls13ServerHello(ssl, |
15812 | 0 | hello_retry_request)) != 0) { |
15813 | 0 | WOLFSSL_ERROR(ssl->error); |
15814 | 0 | return WOLFSSL_FATAL_ERROR; |
15815 | 0 | } |
15816 | 0 | } |
15817 | | |
15818 | 0 | ssl->options.acceptState = TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE; |
15819 | 0 | WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE"); |
15820 | 0 | FALL_THROUGH; |
15821 | |
|
15822 | 0 | case TLS13_ACCEPT_HELLO_RETRY_REQUEST_DONE : |
15823 | | #ifdef WOLFSSL_TLS13_MIDDLEBOX_COMPAT |
15824 | | if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat |
15825 | | && ssl->options.serverState == |
15826 | | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
15827 | | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
15828 | | WOLFSSL_ERROR(ssl->error); |
15829 | | return WOLFSSL_FATAL_ERROR; |
15830 | | } |
15831 | | ssl->options.sentChangeCipher = 1; |
15832 | | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; |
15833 | | } |
15834 | | #endif |
15835 | 0 | ssl->options.acceptState = TLS13_ACCEPT_FIRST_REPLY_DONE; |
15836 | 0 | WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE"); |
15837 | 0 | FALL_THROUGH; |
15838 | |
|
15839 | 0 | case TLS13_ACCEPT_FIRST_REPLY_DONE : |
15840 | 0 | if (ssl->options.serverState == |
15841 | 0 | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
15842 | 0 | ssl->options.clientState = CLIENT_HELLO_RETRY; |
15843 | 0 | while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { |
15844 | 0 | if ((ssl->error = ProcessReply(ssl)) < 0) { |
15845 | 0 | WOLFSSL_ERROR(ssl->error); |
15846 | 0 | return WOLFSSL_FATAL_ERROR; |
15847 | 0 | } |
15848 | |
|
15849 | | #ifdef WOLFSSL_DTLS13 |
15850 | | if (ssl->options.dtls) { |
15851 | | if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) { |
15852 | | WOLFSSL_ERROR(ssl->error); |
15853 | | return WOLFSSL_FATAL_ERROR; |
15854 | | } |
15855 | | } |
15856 | | #endif /* WOLFSSL_DTLS13 */ |
15857 | |
|
15858 | 0 | } |
15859 | 0 | } |
15860 | | |
15861 | 0 | ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE; |
15862 | 0 | WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE"); |
15863 | 0 | FALL_THROUGH; |
15864 | |
|
15865 | 0 | case TLS13_ACCEPT_SECOND_REPLY_DONE : |
15866 | 0 | if (ssl->options.returnOnGoodCh) { |
15867 | | /* Higher level in stack wants us to return. Simulate a |
15868 | | * WANT_WRITE to accomplish this. */ |
15869 | 0 | ssl->error = WANT_WRITE; |
15870 | 0 | return WOLFSSL_FATAL_ERROR; |
15871 | 0 | } |
15872 | | |
15873 | 0 | if ((ssl->error = SendTls13ServerHello(ssl, server_hello)) != 0) { |
15874 | 0 | WOLFSSL_ERROR(ssl->error); |
15875 | 0 | return WOLFSSL_FATAL_ERROR; |
15876 | 0 | } |
15877 | 0 | ssl->options.acceptState = TLS13_SERVER_HELLO_SENT; |
15878 | 0 | WOLFSSL_MSG("accept state SERVER_HELLO_SENT"); |
15879 | 0 | FALL_THROUGH; |
15880 | |
|
15881 | 0 | case TLS13_SERVER_HELLO_SENT : |
15882 | | #if defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT) |
15883 | | if (!ssl->options.dtls && ssl->options.tls13MiddleBoxCompat |
15884 | | && !ssl->options.sentChangeCipher && !ssl->options.dtls) { |
15885 | | if ((ssl->error = SendChangeCipher(ssl)) != 0) { |
15886 | | WOLFSSL_ERROR(ssl->error); |
15887 | | return WOLFSSL_FATAL_ERROR; |
15888 | | } |
15889 | | ssl->options.sentChangeCipher = 1; |
15890 | | } |
15891 | | #endif |
15892 | |
|
15893 | 0 | ssl->options.acceptState = TLS13_ACCEPT_THIRD_REPLY_DONE; |
15894 | 0 | WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE"); |
15895 | 0 | FALL_THROUGH; |
15896 | |
|
15897 | 0 | case TLS13_ACCEPT_THIRD_REPLY_DONE : |
15898 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
15899 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15900 | | if (!ssl->options.noPskDheKe) |
15901 | | #endif |
15902 | 0 | { |
15903 | 0 | ssl->error = TLSX_KeyShare_DeriveSecret(ssl); |
15904 | 0 | if (ssl->error != 0) |
15905 | 0 | return WOLFSSL_FATAL_ERROR; |
15906 | 0 | } |
15907 | 0 | #endif |
15908 | | |
15909 | 0 | if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) { |
15910 | 0 | WOLFSSL_ERROR(ssl->error); |
15911 | 0 | return WOLFSSL_FATAL_ERROR; |
15912 | 0 | } |
15913 | 0 | ssl->options.acceptState = TLS13_SERVER_EXTENSIONS_SENT; |
15914 | 0 | WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT"); |
15915 | 0 | FALL_THROUGH; |
15916 | |
|
15917 | 0 | case TLS13_SERVER_EXTENSIONS_SENT : |
15918 | 0 | #ifndef NO_CERTS |
15919 | 0 | if (!ssl->options.resuming) { |
15920 | 0 | if (ssl->options.verifyPeer |
15921 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
15922 | | && !ssl->options.verifyPostHandshake |
15923 | | #endif |
15924 | 0 | ) { |
15925 | 0 | ssl->error = SendTls13CertificateRequest(ssl, NULL, 0); |
15926 | 0 | if (ssl->error != 0) { |
15927 | 0 | WOLFSSL_ERROR(ssl->error); |
15928 | 0 | return WOLFSSL_FATAL_ERROR; |
15929 | 0 | } |
15930 | 0 | } |
15931 | 0 | else { |
15932 | | /* SERVER: Peer auth good if not verifying client. */ |
15933 | 0 | ssl->options.peerAuthGood = 1; |
15934 | 0 | } |
15935 | 0 | } |
15936 | 0 | #endif |
15937 | 0 | ssl->options.acceptState = TLS13_CERT_REQ_SENT; |
15938 | 0 | WOLFSSL_MSG("accept state CERT_REQ_SENT"); |
15939 | 0 | FALL_THROUGH; |
15940 | |
|
15941 | 0 | case TLS13_CERT_REQ_SENT : |
15942 | 0 | #ifndef NO_CERTS |
15943 | 0 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
15944 | 0 | if ((ssl->error = SendTls13Certificate(ssl)) != 0) { |
15945 | 0 | WOLFSSL_ERROR(ssl->error); |
15946 | 0 | return WOLFSSL_FATAL_ERROR; |
15947 | 0 | } |
15948 | 0 | } |
15949 | 0 | #endif |
15950 | 0 | ssl->options.acceptState = TLS13_CERT_SENT; |
15951 | 0 | WOLFSSL_MSG("accept state CERT_SENT"); |
15952 | 0 | FALL_THROUGH; |
15953 | |
|
15954 | 0 | case TLS13_CERT_SENT : |
15955 | 0 | #if !defined(NO_CERTS) && (!defined(NO_RSA) || defined(HAVE_ECC) || \ |
15956 | 0 | defined(HAVE_ED25519) || defined(HAVE_ED448) || defined(HAVE_FALCON) || \ |
15957 | 0 | defined(WOLFSSL_HAVE_MLDSA)) |
15958 | 0 | if (!ssl->options.resuming && ssl->options.sendVerify) { |
15959 | 0 | if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) { |
15960 | 0 | WOLFSSL_ERROR(ssl->error); |
15961 | 0 | return WOLFSSL_FATAL_ERROR; |
15962 | 0 | } |
15963 | 0 | } |
15964 | 0 | #endif |
15965 | 0 | ssl->options.acceptState = TLS13_CERT_VERIFY_SENT; |
15966 | 0 | WOLFSSL_MSG("accept state CERT_VERIFY_SENT"); |
15967 | 0 | FALL_THROUGH; |
15968 | |
|
15969 | 0 | case TLS13_CERT_VERIFY_SENT : |
15970 | 0 | if ((ssl->error = SendTls13Finished(ssl)) != 0) { |
15971 | 0 | WOLFSSL_ERROR(ssl->error); |
15972 | 0 | return WOLFSSL_FATAL_ERROR; |
15973 | 0 | } |
15974 | | |
15975 | 0 | ssl->options.acceptState = TLS13_ACCEPT_FINISHED_SENT; |
15976 | 0 | WOLFSSL_MSG("accept state ACCEPT_FINISHED_SENT"); |
15977 | 0 | FALL_THROUGH; |
15978 | |
|
15979 | 0 | case TLS13_ACCEPT_FINISHED_SENT: |
15980 | | #ifdef WOLFSSL_EARLY_DATA |
15981 | | if (ssl->earlyData != no_early_data && |
15982 | | ssl->options.handShakeState != SERVER_FINISHED_COMPLETE) { |
15983 | | ssl->options.handShakeState = SERVER_FINISHED_COMPLETE; |
15984 | | return WOLFSSL_SUCCESS; |
15985 | | } |
15986 | | #endif |
15987 | | #ifdef HAVE_SESSION_TICKET |
15988 | | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED |
15989 | | if (!ssl->options.verifyPeer && !ssl->options.noTicketTls13 && |
15990 | | ssl->ctx->ticketEncCb != NULL && |
15991 | | ssl->options.maxTicketTls13 > 0) { |
15992 | | if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { |
15993 | | WOLFSSL_ERROR(ssl->error); |
15994 | | return WOLFSSL_FATAL_ERROR; |
15995 | | } |
15996 | | ssl->options.ticketsSent = 1; |
15997 | | } |
15998 | | #endif |
15999 | | #endif /* HAVE_SESSION_TICKET */ |
16000 | 0 | ssl->options.acceptState = TLS13_PRE_TICKET_SENT; |
16001 | 0 | WOLFSSL_MSG("accept state TICKET_SENT"); |
16002 | 0 | FALL_THROUGH; |
16003 | |
|
16004 | 0 | case TLS13_PRE_TICKET_SENT : |
16005 | 0 | while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE) { |
16006 | 0 | if ( (ssl->error = ProcessReply(ssl)) < 0) { |
16007 | 0 | WOLFSSL_ERROR(ssl->error); |
16008 | 0 | return WOLFSSL_FATAL_ERROR; |
16009 | 0 | } |
16010 | |
|
16011 | | #ifdef WOLFSSL_DTLS13 |
16012 | | if (ssl->options.dtls) { |
16013 | | if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) { |
16014 | | WOLFSSL_ERROR(ssl->error); |
16015 | | return WOLFSSL_FATAL_ERROR; |
16016 | | } |
16017 | | } |
16018 | | #endif /* WOLFSSL_DTLS13 */ |
16019 | 0 | } |
16020 | | |
16021 | 0 | ssl->options.acceptState = TLS13_ACCEPT_FINISHED_DONE; |
16022 | 0 | WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE"); |
16023 | 0 | FALL_THROUGH; |
16024 | |
|
16025 | 0 | case TLS13_ACCEPT_FINISHED_DONE : |
16026 | | /* SERVER: When not resuming and verifying peer but no certificate |
16027 | | * received and not failing when not received then peer auth good. |
16028 | | */ |
16029 | 0 | if (!ssl->options.resuming && ssl->options.verifyPeer && |
16030 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
16031 | | !ssl->options.verifyPostHandshake && |
16032 | | #endif |
16033 | 0 | !ssl->options.havePeerCert && !ssl->options.failNoCert) { |
16034 | 0 | ssl->options.peerAuthGood = 1; |
16035 | 0 | } |
16036 | | /* SERVER: check peer authentication. */ |
16037 | 0 | if (!ssl->options.peerAuthGood) { |
16038 | 0 | WOLFSSL_MSG("Client authentication did not happen"); |
16039 | 0 | return WOLFSSL_FATAL_ERROR; |
16040 | 0 | } |
16041 | | #ifdef HAVE_SESSION_TICKET |
16042 | | while (ssl->options.ticketsSent < ssl->options.maxTicketTls13) { |
16043 | | if (!ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb |
16044 | | != NULL) { |
16045 | | if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { |
16046 | | WOLFSSL_ERROR(ssl->error); |
16047 | | return WOLFSSL_FATAL_ERROR; |
16048 | | } |
16049 | | } |
16050 | | ssl->options.ticketsSent++; |
16051 | | |
16052 | | /* only one session ticket is sent on session resumption */ |
16053 | | if (ssl->options.resuming) { |
16054 | | break; |
16055 | | } |
16056 | | } |
16057 | | #endif /* HAVE_SESSION_TICKET */ |
16058 | 0 | ssl->options.acceptState = TLS13_TICKET_SENT; |
16059 | 0 | WOLFSSL_MSG("accept state TICKET_SENT"); |
16060 | 0 | FALL_THROUGH; |
16061 | |
|
16062 | 0 | case TLS13_TICKET_SENT : |
16063 | 0 | #ifndef NO_HANDSHAKE_DONE_CB |
16064 | 0 | if (ssl->hsDoneCb) { |
16065 | 0 | int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx); |
16066 | 0 | if (cbret < 0) { |
16067 | 0 | ssl->error = cbret; |
16068 | 0 | WOLFSSL_MSG("HandShake Done Cb don't continue error"); |
16069 | 0 | return WOLFSSL_FATAL_ERROR; |
16070 | 0 | } |
16071 | 0 | } |
16072 | 0 | #endif /* NO_HANDSHAKE_DONE_CB */ |
16073 | | |
16074 | 0 | if (!ssl->options.keepResources) { |
16075 | 0 | FreeHandshakeResources(ssl); |
16076 | 0 | } |
16077 | |
|
16078 | 0 | #if defined(WOLFSSL_ASYNC_IO) && !defined(WOLFSSL_ASYNC_CRYPT) |
16079 | | /* Free the remaining async context if not using it for crypto */ |
16080 | 0 | FreeAsyncCtx(ssl, 1); |
16081 | 0 | #endif |
16082 | |
|
16083 | 0 | ssl->error = 0; /* clear the error */ |
16084 | |
|
16085 | 0 | WOLFSSL_LEAVE("wolfSSL_accept", WOLFSSL_SUCCESS); |
16086 | 0 | return WOLFSSL_SUCCESS; |
16087 | | |
16088 | 0 | default: |
16089 | 0 | WOLFSSL_MSG("Unknown accept state ERROR"); |
16090 | 0 | return WOLFSSL_FATAL_ERROR; |
16091 | 0 | } |
16092 | 0 | } |
16093 | | #endif |
16094 | | |
16095 | | #if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET) |
16096 | | /* Server sends a session ticket to the peer. |
16097 | | * |
16098 | | * RFC 8446, section 4.6.1, para 1. |
16099 | | * |
16100 | | * ssl The SSL/TLS object. |
16101 | | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
16102 | | * SIDE_ERROR when not a server, |
16103 | | * NOT_READY_ERROR when handshake not complete, |
16104 | | * WOLFSSL_FATAL_ERROR when creating or sending message fails, and |
16105 | | * WOLFSSL_SUCCESS on success. |
16106 | | */ |
16107 | | int wolfSSL_send_SessionTicket(WOLFSSL* ssl) |
16108 | | { |
16109 | | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
16110 | | return BAD_FUNC_ARG; |
16111 | | if (ssl->options.side == WOLFSSL_CLIENT_END) |
16112 | | return SIDE_ERROR; |
16113 | | if (ssl->options.handShakeState != HANDSHAKE_DONE) |
16114 | | return NOT_READY_ERROR; |
16115 | | |
16116 | | if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) { |
16117 | | WOLFSSL_ERROR(ssl->error); |
16118 | | return WOLFSSL_FATAL_ERROR; |
16119 | | } |
16120 | | ssl->options.ticketsSent++; |
16121 | | |
16122 | | return WOLFSSL_SUCCESS; |
16123 | | } |
16124 | | #endif |
16125 | | |
16126 | | #ifdef WOLFSSL_EARLY_DATA |
16127 | | /* Sets the maximum amount of early data that can be seen by server when using |
16128 | | * session tickets for resumption. |
16129 | | * A value of zero indicates no early data is to be sent by client using session |
16130 | | * tickets. |
16131 | | * |
16132 | | * The default value is zero: per RFC 8446 Appendix E.5, TLS implementations |
16133 | | * "MUST NOT enable 0-RTT (either sending or accepting) unless specifically |
16134 | | * requested by the application." Servers must explicitly opt in by calling |
16135 | | * this function (or the per-SSL equivalent) with a non-zero value. |
16136 | | * |
16137 | | * ctx The SSL/TLS CTX object. |
16138 | | * sz Maximum size of the early data. |
16139 | | * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and |
16140 | | * 0 on success. |
16141 | | */ |
16142 | | int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz) |
16143 | | { |
16144 | | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
16145 | | return BAD_FUNC_ARG; |
16146 | | if (ctx->method->side == WOLFSSL_CLIENT_END) |
16147 | | return SIDE_ERROR; |
16148 | | |
16149 | | ctx->maxEarlyDataSz = sz; |
16150 | | |
16151 | | #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL) |
16152 | | /* 1 on success in OpenSSL*/ |
16153 | | return WOLFSSL_SUCCESS; |
16154 | | #else |
16155 | | return 0; |
16156 | | #endif |
16157 | | } |
16158 | | |
16159 | | /* Sets the maximum amount of early data that a client or server would like |
16160 | | * to exchange. Servers will advertise this value in session tickets sent |
16161 | | * to a client. |
16162 | | * A value of zero indicates no early data will be sent by a client, or |
16163 | | * no early data is accepted by a server (and announced as such in send out |
16164 | | * session tickets). |
16165 | | * |
16166 | | * ssl The SSL/TLS object. |
16167 | | * sz Maximum size of the early data. |
16168 | | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
16169 | | * and 0 on success. |
16170 | | */ |
16171 | | int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz) |
16172 | | { |
16173 | | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
16174 | | return BAD_FUNC_ARG; |
16175 | | |
16176 | | ssl->options.maxEarlyDataSz = sz; |
16177 | | #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_ERROR_CODE_OPENSSL) |
16178 | | /* 1 on success in OpenSSL*/ |
16179 | | return WOLFSSL_SUCCESS; |
16180 | | #else |
16181 | | return 0; |
16182 | | #endif |
16183 | | } |
16184 | | |
16185 | | /* Gets the maximum amount of early data that can be seen by server when using |
16186 | | * session tickets for resumption. |
16187 | | * A value of zero indicates no early data is to be sent by client using session |
16188 | | * tickets. |
16189 | | * |
16190 | | * ctx The SSL/TLS CTX object. |
16191 | | * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and |
16192 | | * returns the maximum amount of early data to be set |
16193 | | */ |
16194 | | int wolfSSL_CTX_get_max_early_data(WOLFSSL_CTX* ctx) |
16195 | | { |
16196 | | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version)) |
16197 | | return BAD_FUNC_ARG; |
16198 | | if (ctx->method->side == WOLFSSL_CLIENT_END) |
16199 | | return SIDE_ERROR; |
16200 | | |
16201 | | return ctx->maxEarlyDataSz; |
16202 | | } |
16203 | | |
16204 | | /* Gets the maximum amount of early data that can be seen by server when using |
16205 | | * session tickets for resumption. |
16206 | | * A value of zero indicates no early data is to be sent by client using session |
16207 | | * tickets. |
16208 | | * |
16209 | | * ssl The SSL/TLS object. |
16210 | | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3, |
16211 | | * SIDE_ERROR when not a server and |
16212 | | * returns the maximum amount of early data to be set |
16213 | | */ |
16214 | | int wolfSSL_get_max_early_data(WOLFSSL* ssl) |
16215 | | { |
16216 | | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
16217 | | return BAD_FUNC_ARG; |
16218 | | |
16219 | | return ssl->options.maxEarlyDataSz; |
16220 | | } |
16221 | | |
16222 | | /* Write early data to the server. |
16223 | | * |
16224 | | * ssl The SSL/TLS object. |
16225 | | * data Early data to write |
16226 | | * sz The size of the early data in bytes. |
16227 | | * outSz The number of early data bytes written. |
16228 | | * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative; |
16229 | | * or not using TLS v1.3. SIDE ERROR when not a server. BAD_STATE_E if invoked |
16230 | | * without a valid session or without a valid PSK CB. |
16231 | | * Otherwise the number of early data bytes written. |
16232 | | */ |
16233 | | int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz) |
16234 | | { |
16235 | | int ret = 0; |
16236 | | |
16237 | | WOLFSSL_ENTER("wolfSSL_write_early_data"); |
16238 | | |
16239 | | if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL) |
16240 | | return BAD_FUNC_ARG; |
16241 | | if (!IsAtLeastTLSv1_3(ssl->version)) |
16242 | | return BAD_FUNC_ARG; |
16243 | | |
16244 | | *outSz = 0; |
16245 | | |
16246 | | #ifndef NO_WOLFSSL_CLIENT |
16247 | | if (ssl->options.side == WOLFSSL_SERVER_END) |
16248 | | return SIDE_ERROR; |
16249 | | |
16250 | | /* Early data requires PSK or session resumption */ |
16251 | | if (!EarlyDataPossible(ssl)) { |
16252 | | return BAD_STATE_E; |
16253 | | } |
16254 | | |
16255 | | if (ssl->options.handShakeState == NULL_STATE) { |
16256 | | /* avoid re-setting ssl->earlyData if we re-enter the function because |
16257 | | * of WC_PENDING_E, WANT_WRITE or WANT_READ */ |
16258 | | if (ssl->error == 0) |
16259 | | ssl->earlyData = expecting_early_data; |
16260 | | ret = wolfSSL_connect_TLSv13(ssl); |
16261 | | if (ret != WOLFSSL_SUCCESS) |
16262 | | return WOLFSSL_FATAL_ERROR; |
16263 | | /* on client side, status is set to rejected */ |
16264 | | /* until sever accepts the early data extension. */ |
16265 | | ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; |
16266 | | } |
16267 | | if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) { |
16268 | | #ifdef OPENSSL_EXTRA |
16269 | | /* when processed early data exceeds max size */ |
16270 | | if (ssl->session->maxEarlyDataSz > 0 && |
16271 | | (ssl->earlyDataSz + sz > ssl->session->maxEarlyDataSz)) { |
16272 | | ssl->error = TOO_MUCH_EARLY_DATA; |
16273 | | return WOLFSSL_FATAL_ERROR; |
16274 | | } |
16275 | | #endif |
16276 | | ret = SendData(ssl, data, sz); |
16277 | | if (ret > 0) { |
16278 | | *outSz = ret; |
16279 | | /* store amount of processed early data from client */ |
16280 | | ssl->earlyDataSz += ret; |
16281 | | } |
16282 | | } |
16283 | | #else |
16284 | | return SIDE_ERROR; |
16285 | | #endif |
16286 | | |
16287 | | WOLFSSL_LEAVE("wolfSSL_write_early_data", ret); |
16288 | | |
16289 | | if (ret < 0) |
16290 | | ret = WOLFSSL_FATAL_ERROR; |
16291 | | return ret; |
16292 | | } |
16293 | | |
16294 | | /* Read the any early data from the client. |
16295 | | * |
16296 | | * ssl The SSL/TLS object. |
16297 | | * data Buffer to put the early data into. |
16298 | | * sz The size of the buffer in bytes. |
16299 | | * outSz The number of early data bytes read. |
16300 | | * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative; |
16301 | | * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of |
16302 | | * early data bytes read. |
16303 | | */ |
16304 | | int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz) |
16305 | | { |
16306 | | int ret = 0; |
16307 | | |
16308 | | WOLFSSL_ENTER("wolfSSL_read_early_data"); |
16309 | | |
16310 | | |
16311 | | if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL) |
16312 | | return BAD_FUNC_ARG; |
16313 | | if (!IsAtLeastTLSv1_3(ssl->version)) |
16314 | | return BAD_FUNC_ARG; |
16315 | | |
16316 | | *outSz = 0; |
16317 | | #ifndef NO_WOLFSSL_SERVER |
16318 | | if (ssl->options.side == WOLFSSL_CLIENT_END) |
16319 | | return SIDE_ERROR; |
16320 | | |
16321 | | if (ssl->options.handShakeState == NULL_STATE) { |
16322 | | /* the server flight can return WANT_WRITE and we re-enter here after |
16323 | | * setting ssl->earlyData = process_early_data, set earlyData to |
16324 | | * expecting_early_data just once */ |
16325 | | if (ssl->earlyData < expecting_early_data) |
16326 | | ssl->earlyData = expecting_early_data; |
16327 | | /* this used to be: ret = wolfSSL_accept_TLSv13(ssl); |
16328 | | * However, wolfSSL_accept_TLSv13() expects a certificate to |
16329 | | * be installed already, which is not the case in servers |
16330 | | * such as HAProxy. They do it after inspecting the ClientHello. |
16331 | | * The common wolfssl_accept() allows that. */ |
16332 | | ret = wolfSSL_accept(ssl); |
16333 | | if (ret <= 0) |
16334 | | return WOLFSSL_FATAL_ERROR; |
16335 | | } |
16336 | | if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) { |
16337 | | ssl->options.clientInEarlyData = 1; |
16338 | | ret = ReceiveData(ssl, (byte*)data, (size_t)sz, FALSE); |
16339 | | ssl->options.clientInEarlyData = 0; |
16340 | | if (ret > 0) |
16341 | | *outSz = ret; |
16342 | | if (ssl->error == WC_NO_ERR_TRACE(APP_DATA_READY)) { |
16343 | | ret = 0; |
16344 | | ssl->error = WOLFSSL_ERROR_NONE; |
16345 | | #ifdef WOLFSSL_DTLS13 |
16346 | | if (ssl->options.dtls) { |
16347 | | ret = Dtls13DoScheduledWork(ssl); |
16348 | | if (ret < 0) { |
16349 | | ssl->error = ret; |
16350 | | WOLFSSL_ERROR(ssl->error); |
16351 | | return WOLFSSL_FATAL_ERROR; |
16352 | | } |
16353 | | } |
16354 | | #endif /* WOLFSSL_DTLS13 */ |
16355 | | } |
16356 | | } |
16357 | | #ifdef WOLFSSL_DTLS13 |
16358 | | else if (ssl->buffers.outputBuffer.length > 0 && |
16359 | | ssl->options.dtls && ssl->dtls13SendingAckOrRtx) { |
16360 | | ret = SendBuffered(ssl); |
16361 | | if (ret == 0) { |
16362 | | ssl->dtls13SendingAckOrRtx = 0; |
16363 | | } |
16364 | | else { |
16365 | | ssl->error = ret; |
16366 | | WOLFSSL_ERROR(ssl->error); |
16367 | | return WOLFSSL_FATAL_ERROR; |
16368 | | } |
16369 | | } |
16370 | | #endif /* WOLFSSL_DTLS13 */ |
16371 | | else |
16372 | | ret = 0; |
16373 | | #else |
16374 | | return SIDE_ERROR; |
16375 | | #endif |
16376 | | |
16377 | | WOLFSSL_LEAVE("wolfSSL_read_early_data", ret); |
16378 | | |
16379 | | if (ret < 0) |
16380 | | ret = WOLFSSL_FATAL_ERROR; |
16381 | | return ret; |
16382 | | } |
16383 | | |
16384 | | /* Returns early data status |
16385 | | * |
16386 | | * ssl The SSL/TLS object. |
16387 | | * returns WOLFSSL_EARLY_DATA_ACCEPTED if the data was accepted |
16388 | | * WOLFSSL_EARLY_DATA_REJECTED if the data was rejected |
16389 | | * WOLFSSL_EARLY_DATA_NOT_SENT if no early data was sent |
16390 | | */ |
16391 | | int wolfSSL_get_early_data_status(const WOLFSSL* ssl) |
16392 | | { |
16393 | | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version)) |
16394 | | return BAD_FUNC_ARG; |
16395 | | |
16396 | | return ssl->earlyDataStatus; |
16397 | | } |
16398 | | #endif |
16399 | | |
16400 | | #ifdef HAVE_SECRET_CALLBACK |
16401 | | int wolfSSL_set_tls13_secret_cb(WOLFSSL* ssl, Tls13SecretCb cb, void* ctx) |
16402 | | { |
16403 | | WOLFSSL_ENTER("wolfSSL_set_tls13_secret_cb"); |
16404 | | if (ssl == NULL) |
16405 | | return WOLFSSL_FATAL_ERROR; |
16406 | | |
16407 | | ssl->tls13SecretCb = cb; |
16408 | | ssl->tls13SecretCtx = ctx; |
16409 | | |
16410 | | return WOLFSSL_SUCCESS; |
16411 | | } |
16412 | | |
16413 | | #if defined(SHOW_SECRETS) && defined(WOLFSSL_SSLKEYLOGFILE) |
16414 | | int tls13ShowSecrets(WOLFSSL* ssl, int id, const unsigned char* secret, |
16415 | | int secretSz, void* ctx) |
16416 | | { |
16417 | | int i; |
16418 | | const char* str = NULL; |
16419 | | byte clientRandom[RAN_LEN]; |
16420 | | int clientRandomSz; |
16421 | | XFILE fp; |
16422 | | |
16423 | | (void) ctx; |
16424 | | #ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT |
16425 | | fp = XFOPEN(WOLFSSL_SSLKEYLOGFILE_OUTPUT, "ab"); |
16426 | | if (fp == XBADFILE) { |
16427 | | return BAD_FUNC_ARG; |
16428 | | } |
16429 | | #else |
16430 | | fp = stderr; |
16431 | | #endif |
16432 | | |
16433 | | clientRandomSz = (int)wolfSSL_get_client_random(ssl, clientRandom, |
16434 | | sizeof(clientRandom)); |
16435 | | |
16436 | | if (clientRandomSz <= 0) { |
16437 | | printf("Error getting server random %d\n", clientRandomSz); |
16438 | | return BAD_FUNC_ARG; |
16439 | | } |
16440 | | |
16441 | | #if 0 |
16442 | | printf("TLS Server Secret CB: Rand %d, Secret %d\n", |
16443 | | serverRandomSz, secretSz); |
16444 | | #endif |
16445 | | |
16446 | | switch (id) { |
16447 | | case CLIENT_EARLY_TRAFFIC_SECRET: |
16448 | | str = "CLIENT_EARLY_TRAFFIC_SECRET"; break; |
16449 | | case EARLY_EXPORTER_SECRET: |
16450 | | str = "EARLY_EXPORTER_SECRET"; break; |
16451 | | case CLIENT_HANDSHAKE_TRAFFIC_SECRET: |
16452 | | str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break; |
16453 | | case SERVER_HANDSHAKE_TRAFFIC_SECRET: |
16454 | | str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break; |
16455 | | case CLIENT_TRAFFIC_SECRET: |
16456 | | str = "CLIENT_TRAFFIC_SECRET_0"; break; |
16457 | | case SERVER_TRAFFIC_SECRET: |
16458 | | str = "SERVER_TRAFFIC_SECRET_0"; break; |
16459 | | case EXPORTER_SECRET: |
16460 | | str = "EXPORTER_SECRET"; break; |
16461 | | #ifdef HAVE_ECH |
16462 | | case ECH_SECRET: |
16463 | | str = "ECH_SECRET"; break; |
16464 | | case ECH_CONFIG: |
16465 | | str = "ECH_CONFIG"; break; |
16466 | | #endif |
16467 | | default: |
16468 | | #ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT |
16469 | | XFCLOSE(fp); |
16470 | | #endif |
16471 | | return BAD_FUNC_ARG; |
16472 | | break; |
16473 | | } |
16474 | | |
16475 | | fprintf(fp, "%s ", str); |
16476 | | for (i = 0; i < (int)clientRandomSz; i++) { |
16477 | | fprintf(fp, "%02x", clientRandom[i]); |
16478 | | } |
16479 | | fprintf(fp, " "); |
16480 | | for (i = 0; i < secretSz; i++) { |
16481 | | fprintf(fp, "%02x", secret[i]); |
16482 | | } |
16483 | | fprintf(fp, "\n"); |
16484 | | |
16485 | | #ifdef WOLFSSL_SSLKEYLOGFILE_OUTPUT |
16486 | | XFCLOSE(fp); |
16487 | | #endif |
16488 | | |
16489 | | return 0; |
16490 | | } |
16491 | | #endif |
16492 | | #endif |
16493 | | |
16494 | | #undef ERROR_OUT |
16495 | | |
16496 | | #endif /* !WOLFCRYPT_ONLY */ |
16497 | | |
16498 | | #endif /* !NO_TLS && WOLFSSL_TLS13 */ |