/* tls13.c

 *

 * Copyright (C) 2006-2026 wolfSSL Inc.

 *

 * This file is part of wolfSSL.

 *

 * wolfSSL is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 3 of the License, or

 * (at your option) any later version.

 *

 * wolfSSL is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program; if not, write to the Free Software

 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA

 */

#include <wolfssl/wolfcrypt/libwolfssl_sources.h>

/*

 * TLS 1.3-Specific Build Options:

 * (See tls.c for generic TLS options: extensions, curves, callbacks, etc.)

 *

 * Protocol:

 * WOLFSSL_TLS13:            Enable TLS 1.3 protocol               default: on

 * WOLFSSL_TLS13_DRAFT:      Enable TLS 1.3 draft version support  default: off

 * WOLFSSL_QUIC:             Enable QUIC protocol support (TLS 1.3) default: off

 * WOLFSSL_DTLS13_NO_HRR_ON_RESUME: Skip HRR on DTLS 1.3 resume   default: off

 * WOLFSSL_DTLS_CH_FRAG:     Enable DTLS 1.3 ClientHello frag     default: off

 *

 * Handshake:

 * WOLFSSL_TLS13_MIDDLEBOX_COMPAT: Enable middlebox compatibility  default: on

 *                            Sends ChangeCipherSpec and includes session id

 * WOLFSSL_SEND_HRR_COOKIE:  Send cookie in HelloRetryRequest     default: off

 *                            for stateless ClientHello tracking

 * WOLFSSL_EARLY_DATA:       Allow 0-RTT early data                default: off

 * WOLFSSL_EARLY_DATA_GROUP: Group early data with ClientHello     default: off

 * WOLFSSL_POST_HANDSHAKE_AUTH: Post-handshake client auth         default: off

 * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED: Send NewSessionTicket     default: off

 *                            before client Finished message

 * WOLFSSL_NO_CLIENT_AUTH:   Disable TLS 1.3 client authentication default: off

 * WOLFSSL_NO_CLIENT_CERT_ERROR: Require client certificate        default: off

 * WOLFSSL_CERT_SETUP_CB:    Certificate setup callback            default: off

 * WOLFSSL_ALLOW_BAD_TLS_LEGACY_VERSION: Allow bad legacy version  default: off

 *

 * Security:

 * WOLFSSL_BLIND_PRIVATE_KEY: Blind private key during signing     default: off

 * WOLFSSL_CHECK_SIG_FAULTS: Verify signature after ECC signing    default: off

 *                            to detect fault injection attacks

 * WOLFSSL_CIPHER_TEXT_CHECK: Verify ciphertext integrity          default: off

 *

 * TLS 1.3 PSK:

 * WOLFSSL_PSK_ONE_ID:       Single PSK identity per connect       default: off

 * WOLFSSL_PSK_MULTI_ID_PER_CS: Multiple PSK IDs per cipher suite default: off

 * WOLFSSL_PRIORITIZE_PSK:   Prioritize PSK over ciphersuite order default: off

 * WOLFSSL_PSK_ID_PROTECTION: Enable PSK identity protection       default: off

 *

 * TLS 1.3 Session Tickets:

 * WOLFSSL_TICKET_HAVE_ID:   Session tickets include ID            default: off

 *                            Forced on when WOLFSSL_EARLY_DATA is set.

 * WOLFSSL_TICKET_NONCE_MALLOC: Dynamically allocate ticket nonce  default: off

 *

 * TLS 1.3 Key Exchange:

 * HAVE_KEYING_MATERIAL:     Export keying material (RFC 8446 7.5) default: off

 * WOLFSSL_HAVE_TLS_UNIQUE:  Enable tls-unique channel binding     default: off

 *

 * TLS 1.3 Hash/Signature:

 * WOLFSSL_TLS13_SHA512:     Allow SHA-512 in TLS 1.3 handshake   default: off

 *                            (no ciphersuite requires it currently)

 * WOLFSSL_ERROR_CODE_OPENSSL: Use OpenSSL-compatible error codes  default: off

 * WOLFSSL_SSLKEYLOGFILE_OUTPUT: Set key log output file path      default: off

 * WOLFSSL_RW_THREADED:      Enable read/write threading support   default: off

 * WOLFSSL_ASYNC_IO:         Enable async I/O operations           default: off

 * WOLFSSL_NONBLOCK_OCSP:    Non-blocking OCSP processing          default: off

 * WOLFSSL_TLS_OCSP_MULTI:   Multiple OCSP responses               default: off

 * WOLFSSL_WOLFSENTRY_HOOKS: wolfSentry integration hooks          default: off

 */

#if !defined(NO_TLS) && defined(WOLFSSL_TLS13)

/* 0-RTT anti-replay eviction needs the session cache. */

#if defined(WOLFSSL_EARLY_DATA) && defined(HAVE_SESSION_TICKET) && \

    defined(NO_SESSION_CACHE) && !defined(NO_WOLFSSL_SERVER) && \

    !defined(WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY)

#error "WOLFSSL_EARLY_DATA with tickets requires !NO_SESSION_CACHE, or " \

       "define WOLFSSL_EARLY_DATA_NO_ANTI_REPLAY to opt out."

#endif

#ifndef WOLFCRYPT_ONLY

#ifdef HAVE_ERRNO_H

    #include <errno.h>

#endif

#if defined(__MACH__) || defined(__FreeBSD__) || \

    defined(__INCLUDE_NUTTX_CONFIG_H) || defined(WOLFSSL_RIOT_OS)

#include <sys/time.h>

#endif /* __MACH__ || __FreeBSD__ ||

          __INCLUDE_NUTTX_CONFIG_H || WOLFSSL_RIOT_OS */

#include <wolfssl/internal.h>

#include <wolfssl/error-ssl.h>

#include <wolfssl/wolfcrypt/asn.h>

#include <wolfssl/wolfcrypt/dh.h>

#include <wolfssl/wolfcrypt/kdf.h>

#include <wolfssl/wolfcrypt/signature.h>

#ifdef NO_INLINE

    #include <wolfssl/wolfcrypt/misc.h>

#else

    #define WOLFSSL_MISC_INCLUDED

    #include <wolfcrypt/src/misc.c>

#endif

#ifdef __sun

    #include <sys/filio.h>

#endif

#ifndef TRUE

    #define TRUE  1

#endif

#ifndef FALSE

    #define FALSE 0

#endif

#ifndef HAVE_AEAD

    #if !defined(_MSC_VER) && !defined(__TASKING__)

        #error "The build option HAVE_AEAD is required for TLS 1.3"

    #else

        #pragma \

        message("error: The build option HAVE_AEAD is required for TLS 1.3")

    #endif

#endif

#ifndef HAVE_HKDF

    #if !defined(_MSC_VER) && !defined(__TASKING__)

        #error "The build option HAVE_HKDF is required for TLS 1.3"

    #else

        #pragma message("error: The build option HAVE_HKDF is required for TLS 1.3")

    #endif

#endif

#ifndef HAVE_TLS_EXTENSIONS

    #if !defined(_MSC_VER) && !defined(__TASKING__)

        #error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3"

    #else

        #pragma message("error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3")

    #endif

#endif

/* Set ret to error value and jump to label.

 *

 * err     The error value to set.

 * eLabel  The label to jump to.

 */

#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }

/* Size of the TLS v1.3 label use when deriving keys. */

#define TLS13_PROTOCOL_LABEL_SZ    6

/* The protocol label for TLS v1.3. */

static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 ";

#ifdef WOLFSSL_DTLS13

#define DTLS13_PROTOCOL_LABEL_SZ    6

static const byte dtls13ProtocolLabel[DTLS13_PROTOCOL_LABEL_SZ + 1] = "dtls13";

#endif /* WOLFSSL_DTLS13 */

#if defined(HAVE_ECH)

#define ECH_ACCEPT_CONFIRMATION_LABEL_SZ 23

#define ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ 27

static const byte

    echAcceptConfirmationLabel[ECH_ACCEPT_CONFIRMATION_LABEL_SZ + 1] =

    "ech accept confirmation";

static const byte

    echHrrAcceptConfirmationLabel[ECH_HRR_ACCEPT_CONFIRMATION_LABEL_SZ + 1] =

    "hrr ech accept confirmation";

#endif

#ifndef NO_CERTS

#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \

    defined(HAVE_ED448) || defined(HAVE_FALCON) || defined(HAVE_DILITHIUM)

static WC_INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash);

#endif

#endif

/* Expand data using HMAC, salt and label and info.

 * TLS v1.3 defines this function. Use callback if available. */

static int Tls13HKDFExpandLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,

                                const byte* prk, word32 prkLen,

                                const byte* protocol, word32 protocolLen,

                                const byte* label, word32 labelLen,

                                const byte* info, word32 infoLen,

                                int digest)

{

    int ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);

#if defined(HAVE_PK_CALLBACKS)

    if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) {

        ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen,

                                          protocol, protocolLen,

                                          label, labelLen,

                                          info, infoLen, digest,

                                          WOLFSSL_CLIENT_END /* ignored */);

    }

    if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN))

        return ret;

#endif

    (void)ssl;

    PRIVATE_KEY_UNLOCK();

#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))

    ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen,

                                     protocol, protocolLen,

                                     label, labelLen,

                                     info, infoLen, digest,

                                     ssl->heap, ssl->devId);

#else

    ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen,

                                     protocol, protocolLen,

                                     label, labelLen,

                                     info, infoLen, digest);

#endif

    PRIVATE_KEY_LOCK();

    return ret;

}

/* Same as above, but pass in the side we are expanding for:

 * side: either WOLFSSL_CLIENT_END or WOLFSSL_SERVER_END.

 */

static int Tls13HKDFExpandKeyLabel(WOLFSSL* ssl, byte* okm, word32 okmLen,

                                   const byte* prk, word32 prkLen,

                                   const byte* protocol, word32 protocolLen,

                                   const byte* label, word32 labelLen,

                                   const byte* info, word32 infoLen,

                                   int digest, int side)

{

    int ret;

#if defined(HAVE_PK_CALLBACKS)

    ret = WC_NO_ERR_TRACE(NOT_COMPILED_IN);

    if (ssl->ctx && ssl->ctx->HKDFExpandLabelCb) {

        ret = ssl->ctx->HKDFExpandLabelCb(okm, okmLen, prk, prkLen,

                                         protocol, protocolLen,

                                         label, labelLen,

                                         info, infoLen,

                                         digest, side);

    }

    if (ret != WC_NO_ERR_TRACE(NOT_COMPILED_IN))

        return ret;

#endif

#if !defined(HAVE_FIPS) || (defined(FIPS_VERSION_GE) && FIPS_VERSION_GE(6,0))

    ret = wc_Tls13_HKDF_Expand_Label_ex(okm, okmLen, prk, prkLen,

                                      protocol, protocolLen,

                                      label, labelLen,

                                      info, infoLen, digest,

                                      ssl->heap, ssl->devId);

#elif defined(HAVE_FIPS) && defined(wc_Tls13_HKDF_Expand_Label)

    ret = wc_Tls13_HKDF_Expand_Label_fips(okm, okmLen, prk, prkLen,

                                      protocol, protocolLen,

                                      label, labelLen,

                                      info, infoLen, digest);

#else

    ret = wc_Tls13_HKDF_Expand_Label(okm, okmLen, prk, prkLen,

                                      protocol, protocolLen,

                                      label, labelLen,

                                      info, infoLen, digest);

#endif

    (void)ssl;

    (void)side;

    return ret;

}

/* Derive a key from a message.

 *

 * ssl        The SSL/TLS object.

 * output     The buffer to hold the derived key.

 * outputLen  The length of the derived key.

 * secret     The secret used to derive the key (HMAC secret).

 * label      The label used to distinguish the context.

 * labelLen   The length of the label.

 * msg        The message data to derive key from.

 * msgLen     The length of the message data to derive key from.

 * hashAlgo   The hash algorithm to use in the HMAC.

 * returns 0 on success, otherwise failure.

 */

static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,

                        const byte* secret, const byte* label, word32 labelLen,

                        byte* msg, int msgLen, int hashAlgo)

{

    byte        hash[WC_MAX_DIGEST_SIZE];

    Digest      digest;

    word32      hashSz = 0;

    const byte* protocol;

    word32      protocolLen;

    int         digestAlg = -1;

    int         ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);

    switch (hashAlgo) {

#ifndef NO_SHA256

        case sha256_mac:

            ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, ssl->devId);

            if (ret == 0) {

                    ret = wc_Sha256Update(&digest.sha256, msg, (word32)msgLen);

                if (ret == 0)

                    ret = wc_Sha256Final(&digest.sha256, hash);

                wc_Sha256Free(&digest.sha256);

            }

            hashSz = WC_SHA256_DIGEST_SIZE;

            digestAlg = WC_SHA256;

            break;

#endif

#ifdef WOLFSSL_SHA384

        case sha384_mac:

            ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, ssl->devId);

            if (ret == 0) {

                ret = wc_Sha384Update(&digest.sha384, msg, (word32)msgLen);

                if (ret == 0)

                    ret = wc_Sha384Final(&digest.sha384, hash);

                wc_Sha384Free(&digest.sha384);

            }

            hashSz = WC_SHA384_DIGEST_SIZE;

            digestAlg = WC_SHA384;

            break;

#endif

#ifdef WOLFSSL_TLS13_SHA512

        case sha512_mac:

            ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, ssl->devId);

            if (ret == 0) {

                ret = wc_Sha512Update(&digest.sha512, msg, (word32)msgLen);

                if (ret == 0)

                    ret = wc_Sha512Final(&digest.sha512, hash);

                wc_Sha512Free(&digest.sha512);

            }

            hashSz = WC_SHA512_DIGEST_SIZE;

            digestAlg = WC_SHA512;

            break;

#endif

#ifdef WOLFSSL_SM3

        case sm3_mac:

            ret = wc_InitSm3(&digest.sm3, ssl->heap, ssl->devId);

            if (ret == 0) {

                ret = wc_Sm3Update(&digest.sm3, msg, (word32)msgLen);

                if (ret == 0)

                    ret = wc_Sm3Final(&digest.sm3, hash);

                wc_Sm3Free(&digest.sm3);

            }

            hashSz = WC_SM3_DIGEST_SIZE;

            digestAlg = WC_SM3;

            break;

#endif

        default:

            ret = BAD_FUNC_ARG;

            digestAlg = -1;

            break;

    }

    if (digestAlg < 0)

        return HASH_TYPE_E;

    if (ret != 0)

        return ret;

    switch (ssl->version.minor) {

        case TLSv1_3_MINOR:

            protocol = tls13ProtocolLabel;

            protocolLen = TLS13_PROTOCOL_LABEL_SZ;

            break;

#ifdef WOLFSSL_DTLS13

        case DTLSv1_3_MINOR:

            if (!ssl->options.dtls)

                return VERSION_ERROR;

            protocol = dtls13ProtocolLabel;

            protocolLen = DTLS13_PROTOCOL_LABEL_SZ;

            break;

#endif /* WOLFSSL_DTLS13 */

        default:

            return VERSION_ERROR;

    }

    if (outputLen == -1)

        outputLen = (int)hashSz;

    ret = Tls13HKDFExpandLabel(ssl, output, (word32)outputLen, secret, hashSz,

                               protocol, protocolLen, label, labelLen,

                               hash, hashSz, digestAlg);

    return ret;

}

/* Derive a key.

 *

 * ssl          The SSL/TLS object.

 * output       The buffer to hold the derived key.

 * outputLen    The length of the derived key.

 * secret       The secret used to derive the key (HMAC secret).

 * label        The label used to distinguish the context.

 * labelLen     The length of the label.

 * hashAlgo     The hash algorithm to use in the HMAC.

 * includeMsgs  Whether to include a hash of the handshake messages so far.

 * side         The side that we are deriving the secret for.

 * returns 0 on success, otherwise failure.

 */

int Tls13DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,

                   const byte* secret, const byte* label, word32 labelLen,

                   int hashAlgo, int includeMsgs, int side)

{

    int         ret = 0;

    byte        hash[WC_MAX_DIGEST_SIZE];

    word32      hashSz = 0;

    word32      hashOutSz = 0;

    const byte* protocol;

    word32      protocolLen;

    int         digestAlg = 0;

    switch (hashAlgo) {

    #ifndef NO_SHA256

        case sha256_mac:

            hashSz    = WC_SHA256_DIGEST_SIZE;

            digestAlg = WC_SHA256;

            if (includeMsgs)

                ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);

            break;

    #endif

    #ifdef WOLFSSL_SHA384

        case sha384_mac:

            hashSz    = WC_SHA384_DIGEST_SIZE;

            digestAlg = WC_SHA384;

            if (includeMsgs)

                ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);

            break;

    #endif

    #ifdef WOLFSSL_TLS13_SHA512

        case sha512_mac:

            hashSz    = WC_SHA512_DIGEST_SIZE;

            digestAlg = WC_SHA512;

            if (includeMsgs)

                ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);

            break;

    #endif

    #ifdef WOLFSSL_SM3

        case sm3_mac:

            hashSz    = WC_SM3_DIGEST_SIZE;

            digestAlg = WC_SM3;

            if (includeMsgs)

                ret = wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);

            break;

    #endif

        default:

            ret = HASH_TYPE_E;

            break;

    }

    if (ret != 0)

        return ret;

    protocol = tls13ProtocolLabel;

    protocolLen = TLS13_PROTOCOL_LABEL_SZ;

#ifdef WOLFSSL_DTLS13

    if (ssl->options.dtls) {

         protocol = dtls13ProtocolLabel;

         protocolLen = DTLS13_PROTOCOL_LABEL_SZ;

    }

#endif /* WOLFSSL_DTLS13 */

    if (outputLen == -1) {

        outputLen = (int)hashSz;

    }

    if (includeMsgs) {

        hashOutSz = hashSz;

    }

    else {

        /* Appease static analyzers by making sure hash is cleared, since it is

         * passed into expand key label where older wc_Tls13_HKDF_Expand_Label

         * will unconditionally try to call a memcpy on it, however length will

         * always be 0. */

        XMEMSET(hash, 0, sizeof(hash));

        hashOutSz = 0;

    }

    PRIVATE_KEY_UNLOCK();

    ret = Tls13HKDFExpandKeyLabel(ssl, output, (word32)outputLen, secret, hashSz,

                                  protocol, protocolLen, label, labelLen,

                                  hash, hashOutSz, digestAlg, side);

    PRIVATE_KEY_LOCK();

#ifdef WOLFSSL_CHECK_MEM_ZERO

    wc_MemZero_Add("TLS 1.3 derived key", output, outputLen);

#endif

    return ret;

}

/* Convert TLS mac ID to a hash algorithm ID

 *

 * mac Mac ID to convert

 * returns hash ID on success, or the NONE type.

 */

static WC_INLINE int mac2hash(int mac)

{

    int hash;

    switch (mac) {

        #ifndef NO_SHA256

        case sha256_mac:

            hash = WC_SHA256;

            break;

        #endif

        #ifdef WOLFSSL_SHA384

        case sha384_mac:

            hash = WC_SHA384;

            break;

        #endif

        #ifdef WOLFSSL_TLS13_SHA512

        case sha512_mac:

            hash = WC_SHA512;

            break;

        #endif

        #ifdef WOLFSSL_SM3

        case sm3_mac:

            hash = WC_SM3;

            break;

        #endif

    default:

        hash = WC_HASH_TYPE_NONE;

    }

    return hash;

}

#ifndef NO_PSK

/* The length of the binder key label. */

#define BINDER_KEY_LABEL_SZ         10

/* The binder key label. */

static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =

    "ext binder";

/* Derive the binder key.

 *

 * ssl  The SSL/TLS object.

 * key  The derived key.

 * returns 0 on success, otherwise failure.

 */

static int DeriveBinderKey(WOLFSSL* ssl, byte* key)

{

    WOLFSSL_MSG("Derive Binder Key");

    if (ssl == NULL || ssl->arrays == NULL) {

        return BAD_FUNC_ARG;

    }

    return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,

                        binderKeyLabel, BINDER_KEY_LABEL_SZ,

                        NULL, 0, ssl->specs.mac_algorithm);

}

#endif /* !NO_PSK */

#if defined(HAVE_SESSION_TICKET) && \

    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))

/* The length of the binder key resume label. */

#define BINDER_KEY_RESUME_LABEL_SZ  10

/* The binder key resume label. */

static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =

    "res binder";

/* Derive the binder resumption key.

 *

 * ssl  The SSL/TLS object.

 * key  The derived key.

 * returns 0 on success, otherwise failure.

 */

static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)

{

    WOLFSSL_MSG("Derive Binder Key - Resumption");

    if (ssl == NULL || ssl->arrays == NULL) {

        return BAD_FUNC_ARG;

    }

    return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,

                        binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ,

                        NULL, 0, ssl->specs.mac_algorithm);

}

#endif /* HAVE_SESSION_TICKET && (!NO_WOLFSSL_CLIENT || !NO_WOLFSSL_SERVER) */

#ifdef WOLFSSL_EARLY_DATA

/* The length of the early traffic label. */

#define EARLY_TRAFFIC_LABEL_SZ      11

/* The early traffic label. */

static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =

    "c e traffic";

/* Derive the early traffic key.

 *

 * ssl  The SSL/TLS object.

 * key  The derived key.

 * side The side that we are deriving the secret for.

 * returns 0 on success, otherwise failure.

 */

static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key, int side)

{

    int ret;

    WOLFSSL_MSG("Derive Early Traffic Secret");

    if (ssl == NULL || ssl->arrays == NULL) {

        return BAD_FUNC_ARG;

    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)

    /* If this is called from a sniffer session with keylog file support,

     * obtain the appropriate secret from the callback */

    if (ssl->snifferSecretCb != NULL) {

        return ssl->snifferSecretCb(ssl->arrays->clientRandom,

                                    SNIFFER_SECRET_CLIENT_EARLY_TRAFFIC_SECRET,

                                    key);

    }

#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->secret,

                    earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ,

                    ssl->specs.mac_algorithm, 1, side);

#ifdef HAVE_SECRET_CALLBACK

    if (ret == 0 && ssl->tls13SecretCb != NULL) {

        ret = ssl->tls13SecretCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key,

                                 ssl->specs.hash_size, ssl->tls13SecretCtx);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#ifdef OPENSSL_EXTRA

    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {

        ret = ssl->tls13KeyLogCb(ssl, CLIENT_EARLY_TRAFFIC_SECRET, key,

                                ssl->specs.hash_size, NULL);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#endif /* OPENSSL_EXTRA */

#endif /* HAVE_SECRET_CALLBACK */

    return ret;

}

#endif

/* The length of the client handshake label. */

#define CLIENT_HANDSHAKE_LABEL_SZ   12

/* The client handshake label. */

static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =

    "c hs traffic";

/* Derive the client handshake key.

 *

 * ssl  The SSL/TLS object.

 * key  The derived key.

 * returns 0 on success, otherwise failure.

 */

static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)

{

    int ret;

    WOLFSSL_MSG("Derive Client Handshake Secret");

    if (ssl == NULL || ssl->arrays == NULL) {

        return BAD_FUNC_ARG;

    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)

    /* If this is called from a sniffer session with keylog file support,

     * obtain the appropriate secret from the callback */

    if (ssl->snifferSecretCb != NULL) {

        return ssl->snifferSecretCb(ssl->arrays->clientRandom,

                               SNIFFER_SECRET_CLIENT_HANDSHAKE_TRAFFIC_SECRET,

                               key);

    }

#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,

                    clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ,

                    ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END);

#ifdef HAVE_SECRET_CALLBACK

    if (ret == 0 && ssl->tls13SecretCb != NULL) {

        ret = ssl->tls13SecretCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key,

                                 ssl->specs.hash_size, ssl->tls13SecretCtx);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#ifdef OPENSSL_EXTRA

    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {

        ret = ssl->tls13KeyLogCb(ssl, CLIENT_HANDSHAKE_TRAFFIC_SECRET, key,

                                ssl->specs.hash_size, NULL);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#endif /* OPENSSL_EXTRA */

#endif /* HAVE_SECRET_CALLBACK */

    return ret;

}

/* The length of the server handshake label. */

#define SERVER_HANDSHAKE_LABEL_SZ   12

/* The server handshake label. */

static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =

    "s hs traffic";

/* Derive the server handshake key.

 *

 * ssl  The SSL/TLS object.

 * key  The derived key.

 * returns 0 on success, otherwise failure.

 */

static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)

{

    int ret;

    WOLFSSL_MSG("Derive Server Handshake Secret");

    if (ssl == NULL || ssl->arrays == NULL) {

        return BAD_FUNC_ARG;

    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)

    /* If this is called from a sniffer session with keylog file support,

     * obtain the appropriate secret from the callback */

    if (ssl->snifferSecretCb != NULL) {

        return ssl->snifferSecretCb(ssl->arrays->clientRandom,

                                SNIFFER_SECRET_SERVER_HANDSHAKE_TRAFFIC_SECRET,

                                key);

    }

#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,

                    serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ,

                    ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END);

#ifdef HAVE_SECRET_CALLBACK

    if (ret == 0 && ssl->tls13SecretCb != NULL) {

        ret = ssl->tls13SecretCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key,

                                 ssl->specs.hash_size, ssl->tls13SecretCtx);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#ifdef OPENSSL_EXTRA

    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {

        ret = ssl->tls13KeyLogCb(ssl, SERVER_HANDSHAKE_TRAFFIC_SECRET, key,

                                ssl->specs.hash_size, NULL);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#endif /* OPENSSL_EXTRA */

#endif /* HAVE_SECRET_CALLBACK */

    return ret;

}

/* The length of the client application traffic label. */

#define CLIENT_APP_LABEL_SZ         12

/* The client application traffic label. */

static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =

    "c ap traffic";

/* Derive the client application traffic key.

 *

 * ssl  The SSL/TLS object.

 * key  The derived key.

 * returns 0 on success, otherwise failure.

 */

static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)

{

    int ret;

    WOLFSSL_MSG("Derive Client Traffic Secret");

    if (ssl == NULL || ssl->arrays == NULL) {

        return BAD_FUNC_ARG;

    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)

    /* If this is called from a sniffer session with keylog file support,

     * obtain the appropriate secret from the callback */

    if (ssl->snifferSecretCb != NULL) {

        return ssl->snifferSecretCb(ssl->arrays->clientRandom,

                                    SNIFFER_SECRET_CLIENT_TRAFFIC_SECRET,

                                    key);

    }

#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,

                    clientAppLabel, CLIENT_APP_LABEL_SZ,

                    ssl->specs.mac_algorithm, 1, WOLFSSL_CLIENT_END);

#ifdef HAVE_SECRET_CALLBACK

    if (ret == 0 && ssl->tls13SecretCb != NULL) {

        ret = ssl->tls13SecretCb(ssl, CLIENT_TRAFFIC_SECRET, key,

                                 ssl->specs.hash_size, ssl->tls13SecretCtx);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#ifdef OPENSSL_EXTRA

    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {

        ret = ssl->tls13KeyLogCb(ssl, CLIENT_TRAFFIC_SECRET, key,

                                ssl->specs.hash_size, NULL);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#endif /* OPENSSL_EXTRA */

#endif /* HAVE_SECRET_CALLBACK */

    return ret;

}

/* The length of the server application traffic label. */

#define SERVER_APP_LABEL_SZ         12

/* The  server application traffic label. */

static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =

    "s ap traffic";

/* Derive the server application traffic key.

 *

 * ssl  The SSL/TLS object.

 * key  The derived key.

 * returns 0 on success, otherwise failure.

 */

static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)

{

    int ret;

    WOLFSSL_MSG("Derive Server Traffic Secret");

    if (ssl == NULL || ssl->arrays == NULL) {

        return BAD_FUNC_ARG;

    }

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)

    /* If this is called from a sniffer session with keylog file support,

     * obtain the appropriate secret from the callback */

    if (ssl->snifferSecretCb != NULL) {

        return ssl->snifferSecretCb(ssl->arrays->clientRandom,

                                    SNIFFER_SECRET_SERVER_TRAFFIC_SECRET,

                                    key);

    }

#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,

                    serverAppLabel, SERVER_APP_LABEL_SZ,

                    ssl->specs.mac_algorithm, 1, WOLFSSL_SERVER_END);

#ifdef HAVE_SECRET_CALLBACK

    if (ret == 0 && ssl->tls13SecretCb != NULL) {

        ret = ssl->tls13SecretCb(ssl, SERVER_TRAFFIC_SECRET, key,

                                 ssl->specs.hash_size, ssl->tls13SecretCtx);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#ifdef OPENSSL_EXTRA

    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {

        ret = ssl->tls13KeyLogCb(ssl, SERVER_TRAFFIC_SECRET, key,

                                ssl->specs.hash_size, NULL);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#endif /* OPENSSL_EXTRA */

#endif /* HAVE_SECRET_CALLBACK */

    return ret;

}

#ifdef HAVE_KEYING_MATERIAL

/* The length of the exporter master secret label. */

#define EXPORTER_MASTER_LABEL_SZ    10

/* The exporter master secret label. */

static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =

    "exp master";

/* Derive the exporter secret.

 *

 * ssl  The SSL/TLS object.

 * key  The derived key.

 * returns 0 on success, otherwise failure.

 */

static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)

{

    int ret;

    WOLFSSL_ENTER("Derive Exporter Secret");

    if (ssl == NULL || ssl->arrays == NULL) {

        return BAD_FUNC_ARG;

    }

    ret = Tls13DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,

                        exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ,

                        ssl->specs.mac_algorithm, 1, 0 /* Unused */);

#ifdef HAVE_SECRET_CALLBACK

    if (ret == 0 && ssl->tls13SecretCb != NULL) {

        ret = ssl->tls13SecretCb(ssl, EXPORTER_SECRET, key,

                                 ssl->specs.hash_size, ssl->tls13SecretCtx);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#ifdef OPENSSL_EXTRA

    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {

        ret = ssl->tls13KeyLogCb(ssl, EXPORTER_SECRET, key,

                                ssl->specs.hash_size, NULL);

        if (ret != 0) {

            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);

            return TLS13_SECRET_CB_E;

        }

    }

#endif /* OPENSSL_EXTRA */

#endif /* HAVE_SECRET_CALLBACK */

    return ret;

}

/* The length of the exporter label. */

#define EXPORTER_LABEL_SZ    8

/* The exporter label. */

static const byte exporterLabel[EXPORTER_LABEL_SZ + 1] =

    "exporter";

/* Hash("") */

#ifndef NO_SHA256

static const byte emptySHA256Hash[] = {

    0xE3, 0xB0, 0xC4, 0x42, 0x98, 0xFC, 0x1C, 0x14, 0x9A, 0xFB, 0xF4, 0xC8,

    0x99, 0x6F, 0xB9, 0x24, 0x27, 0xAE, 0x41, 0xE4, 0x64, 0x9B, 0x93, 0x4C,

    0xA4, 0x95, 0x99, 0x1B, 0x78, 0x52, 0xB8, 0x55

};

#endif

#ifdef WOLFSSL_SHA384

static const byte emptySHA384Hash[] = {

    0x38, 0xB0, 0x60, 0xA7, 0x51, 0xAC, 0x96, 0x38, 0x4C, 0xD9, 0x32, 0x7E,

    0xB1, 0xB1, 0xE3, 0x6A, 0x21, 0xFD, 0xB7, 0x11, 0x14, 0xBE, 0x07, 0x43,

    0x4C, 0x0C, 0xC7, 0xBF, 0x63, 0xF6, 0xE1, 0xDA, 0x27, 0x4E, 0xDE, 0xBF,

    0xE7, 0x6F, 0x65, 0xFB, 0xD5, 0x1A, 0xD2, 0xF1, 0x48, 0x98, 0xB9, 0x5B

};

#endif

#ifdef WOLFSSL_TLS13_SHA512

static const byte emptySHA512Hash[] = {

    0xCF, 0x83, 0xE1, 0x35, 0x7E, 0xEF, 0xB8, 0xBD, 0xF1, 0x54, 0x28, 0x50,

    0xD6, 0x6D, 0x80, 0x07, 0xD6, 0x20, 0xE4, 0x05, 0x0B, 0x57, 0x15, 0xDC,

    0x83, 0xF4, 0xA9, 0x21, 0xD3, 0x6C, 0xE9, 0xCE, 0x47, 0xD0, 0xD1, 0x3C,

    0x5D, 0x85, 0xF2, 0xB0, 0xFF, 0x83, 0x18, 0xD2, 0x87, 0x7E, 0xEC, 0x2F,

    0x63, 0xB9, 0x31, 0xBD, 0x47, 0x41, 0x7A, 0x81, 0xA5, 0x38, 0x32, 0x7A,

    0xF9, 0x27, 0xDA, 0x3E

};

#endif

#ifdef WOLFSSL_SM3

static const byte emptySM3Hash[] = {

    0x1A, 0xB2, 0x1D, 0x83, 0x55, 0xCF, 0xA1, 0x7F, 0x8E, 0x61, 0x19, 0x48,

    0x31, 0xE8, 0x1A, 0x8F, 0x22, 0xBE, 0xC8, 0xC7, 0x28, 0xFE, 0xFB, 0x74,

    0x7E, 0xD0, 0x35, 0xEB, 0x50, 0x82, 0xAA, 0x2B

};

#endif

/**

 * Implement section 7.5 of RFC 8446

 * @return  0 on success

 *         <0 on failure

 */

int Tls13_Exporter(WOLFSSL* ssl, unsigned char *out, size_t outLen,

        const char *label, size_t labelLen,

        const unsigned char *context, size_t contextLen)

{

    int                 ret;

    enum wc_HashType    hashType = WC_HASH_TYPE_NONE;

    word32              hashLen = 0;

    byte                hashOut[WC_MAX_DIGEST_SIZE];

    const byte*         emptyHash = NULL;

    byte                firstExpand[WC_MAX_DIGEST_SIZE];

    const byte*         protocol = tls13ProtocolLabel;

    word32              protocolLen = TLS13_PROTOCOL_LABEL_SZ;

    if (ssl->options.dtls && ssl->version.minor != DTLSv1_3_MINOR)

        return VERSION_ERROR;

    if (!ssl->options.dtls && ssl->version.minor != TLSv1_3_MINOR)

        return VERSION_ERROR;

#ifdef WOLFSSL_DTLS13

    if (ssl->options.dtls) {

        protocol = dtls13ProtocolLabel;

        protocolLen = DTLS13_PROTOCOL_LABEL_SZ;

    }

#endif /* WOLFSSL_DTLS13 */

    /* Sanity check contextLen to prevent truncation when cast to word32. */

    if (contextLen > WOLFSSL_MAX_32BIT)

        return BAD_FUNC_ARG;

    /* RFC 8446 HkdfLabel encodes the output length as a uint16, so requested

     * lengths > 65535 cannot be represented and must be rejected. */

    if (outLen > WOLFSSL_MAX_16BIT)

        return BAD_FUNC_ARG;

    /* RFC 8446 HkdfLabel encodes the label length in a single byte, so

     * anything > 255 cannot be represented and must be rejected.

     * The protocol length is included in the label. */

    if ((labelLen +  protocolLen) > WOLFSSL_MAX_8BIT)

        return BAD_FUNC_ARG;

    switch (ssl->specs.mac_algorithm) {

        #ifndef NO_SHA256

        case sha256_mac:

            hashType  = WC_HASH_TYPE_SHA256;

            hashLen   = WC_SHA256_DIGEST_SIZE;

            emptyHash = emptySHA256Hash;

            break;

        #endif

        #ifdef WOLFSSL_SHA384

        case sha384_mac:

            hashType  = WC_HASH_TYPE_SHA384;

            hashLen   = WC_SHA384_DIGEST_SIZE;

            emptyHash = emptySHA384Hash;

            break;

        #endif

        #ifdef WOLFSSL_TLS13_SHA512

        case sha512_mac:

            hashType  = WC_HASH_TYPE_SHA512;

            hashLen   = WC_SHA512_DIGEST_SIZE;

            emptyHash = emptySHA512Hash;

            break;

        #endif

        #ifdef WOLFSSL_SM3

        case sm3_mac:

            hashType  = WC_HASH_TYPE_SM3;

            hashLen   = WC_SM3_DIGEST_SIZE;

            emptyHash = emptySM3Hash;

            break;

        #endif

        default:

            return BAD_FUNC_ARG;

    }

    /* Derive-Secret(Secret, label, "") */

    ret = Tls13HKDFExpandLabel(ssl, firstExpand, hashLen,

            ssl->arrays->exporterSecret, hashLen,

            protocol, protocolLen, (byte*)label, (word32)labelLen,

            emptyHash, hashLen, (int)hashType);

    if (ret != 0)

        return ret;

    /* Hash(context_value) */

    ret = wc_Hash(hashType, context, (word32)contextLen, hashOut, WC_MAX_DIGEST_SIZE);

    if (ret != 0)

        return ret;