/src/wolfssl/src/tls.c
1
/* tls.c
2
 *
3
 * Copyright (C) 2006-2026 wolfSSL Inc.
4
 *
5
 * This file is part of wolfSSL.
6
 *
7
 * wolfSSL is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU General Public License as published by
9
 * the Free Software Foundation; either version 3 of the License, or
10
 * (at your option) any later version.
11
 *
12
 * wolfSSL is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU General Public License
18
 * along with this program; if not, write to the Free Software
19
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20
 */
21
22
/*
23
 * TLS Build Options:
24
 * (See tls13.c for TLS 1.3-specific options)
25
 *
26
 * Protocol Control:
27
 * NO_OLD_TLS:               Disable TLS 1.0 and 1.1              default: off
28
 * WOLFSSL_ALLOW_TLSV10:     Allow TLS 1.0 connections             default: off
29
 * WOLFSSL_NO_TLS12:         Disable TLS 1.2                       default: off
30
 * NO_TLS:                   Disable TLS entirely (SSL only)       default: off
31
 * WOLFSSL_DTLS:             Enable DTLS support                   default: off
32
 * WOLFSSL_DTLS13:           Enable DTLS 1.3 support               default: off
33
 * WOLFSSL_DTLS_CID:         Enable DTLS Connection ID             default: off
34
 * WOLFSSL_AEAD_ONLY:        Only allow AEAD cipher suites         default: off
35
 * NO_WOLFSSL_CLIENT:        Disable TLS client functionality      default: off
36
 * NO_WOLFSSL_SERVER:        Disable TLS server functionality      default: off
37
 * WOLFSSL_EITHER_SIDE:      Allow same context for client/server  default: off
38
 * HAVE_TLS_EXTENSIONS:      Enable TLS extension support          default: on
39
 * HAVE_SNI:                 Server Name Indication extension      default: off
40
 * WOLFSSL_ALWAYS_KEEP_SNI:  Keep SNI after handshake              default: off
41
 * HAVE_MAX_FRAGMENT:        Max Fragment Length extension          default: off
42
 * HAVE_TRUNCATED_HMAC:      Truncated HMAC extension              default: off
43
 * HAVE_SUPPORTED_CURVES:    Supported Curves extension            default: on
44
 * HAVE_EXTENDED_MASTER:     Extended Master Secret (RFC 7627)     default: on
45
 * HAVE_ENCRYPT_THEN_MAC:    Encrypt-Then-MAC extension            default: on
46
 * HAVE_ALPN:                Application-Layer Protocol Negotiation default: off
47
 * HAVE_CERTIFICATE_STATUS_REQUEST: OCSP stapling                  default: off
48
 * HAVE_CERTIFICATE_STATUS_REQUEST_V2: OCSP stapling v2            default: off
49
 * HAVE_SECURE_RENEGOTIATION: Secure renegotiation support         default: off
50
 * HAVE_SERVER_RENEGOTIATION_INFO: Server renegotiation info       default: off
51
 * HAVE_SESSION_TICKET:      Session ticket support                default: off
52
 * HAVE_TRUSTED_CA:          Trusted CA Indication extension       default: off
53
 * HAVE_RPK:                 Raw Public Key support (RFC 7250)     default: off
54
 * HAVE_ECH:                 Encrypted Client Hello support        default: off
55
 * WOLFSSL_NO_SIGALG:        Disable signature algorithms ext      default: off
56
 * WOLFSSL_NO_CA_NAMES:      Disable CA Names in CertificateReq   default: off
57
 * WOLFSSL_NO_SERVER_GROUPS_EXT: Don't send server groups ext      default: off
58
 * NO_TLSX_PSKKEM_PLAIN_ANNOUNCE: Disable plain PSK announce      default: off
59
 * WOLFSSL_OLD_UNSUPPORTED_EXTENSION: Old unsupported ext handling default: off
60
 * WOLFSSL_ALLOW_SERVER_SC_EXT: Allow server supported curves ext  default: off
61
 *
62
 * Pre-Shared Keys:
63
 * NO_PSK:                   Disable PSK cipher suites             default: off
64
 *
65
 * Key Exchange:
66
 * HAVE_FFDHE:               Enable Finite Field DH ephemeral      default: off
67
 * HAVE_FFDHE_2048:          Enable FFDHE 2048-bit group           default: off
68
 * HAVE_FFDHE_3072:          Enable FFDHE 3072-bit group           default: off
69
 * HAVE_FFDHE_4096:          Enable FFDHE 4096-bit group           default: off
70
 * HAVE_FFDHE_6144:          Enable FFDHE 6144-bit group           default: off
71
 * HAVE_FFDHE_8192:          Enable FFDHE 8192-bit group           default: off
72
 * HAVE_PUBLIC_FFDHE:        Use public FFDHE parameters only      default: off
73
 * WOLFSSL_OLD_PRIME_CHECK:  Use old DH prime checking method      default: off
74
 * WOLFSSL_STATIC_DH:        Enable static DH cipher suites       default: off
75
 * WOLFSSL_STATIC_EPHEMERAL: Enable static ephemeral key loading   default: off
76
 *
77
 * Post-Quantum:
78
 * WOLFSSL_HAVE_MLKEM:       Enable ML-KEM (Kyber) support         default: off
79
 * WOLFSSL_MLKEM_KYBER:      Use Kyber round 3 parameters          default: off
80
 * WOLFSSL_KYBER512:         Enable Kyber/ML-KEM-512               default: off
81
 * WOLFSSL_KYBER768:         Enable Kyber/ML-KEM-768               default: off
82
 * WOLFSSL_KYBER1024:        Enable Kyber/ML-KEM-1024              default: off
83
 * WOLFSSL_NO_ML_KEM:        Disable all ML-KEM support            default: off
84
 * WOLFSSL_NO_ML_KEM_512:    Disable ML-KEM-512                    default: off
85
 * WOLFSSL_NO_ML_KEM_768:    Disable ML-KEM-768                    default: off
86
 * WOLFSSL_NO_ML_KEM_1024:   Disable ML-KEM-1024                  default: off
87
 * WOLFSSL_ML_KEM_USE_OLD_IDS: Use old IANA IDs for ML-KEM        default: off
88
 * WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ: Store ML-KEM object in ext   default: off
89
 * WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY: Store ML-KEM priv key   default: off
90
 * WOLFSSL_MLKEM_CACHE_A:    Cache ML-KEM A matrix                 default: off
91
 * WOLFSSL_MLKEM_NO_MAKE_KEY: Disable ML-KEM key generation       default: off
92
 * WOLFSSL_MLKEM_NO_ENCAPSULATE: Disable ML-KEM encapsulation     default: off
93
 * WOLFSSL_MLKEM_NO_DECAPSULATE: Disable ML-KEM decapsulation     default: off
94
 * HAVE_LIBOQS:              Use liboqs for PQ algorithms          default: off
95
 *
96
 * Curves:
97
 * HAVE_SECRET_CALLBACK:     Enable TLS secret callback            default: off
98
 * HAVE_PK_CALLBACKS:        Enable public key callbacks           default: off
99
 * HAVE_FUZZER:              Enable fuzzing callback support        default: off
100
 *
101
 * Features:
102
 * WOLFSSL_SNIFFER:          Enable TLS packet sniffing support    default: off
103
 * WOLFSSL_SNIFFER_KEYLOGFILE: Sniffer keylog file support         default: off
104
 * WOLFSSL_SSLKEYLOGFILE:    Enable SSL key log file output        default: off
105
 * WOLFSSL_SRTP:             Enable SRTP extension support         default: off
106
 * WOLFSSL_DUAL_ALG_CERTS:   Enable dual algorithm certificates   default: off
107
 * WOLFSSL_HAVE_PRF:         Enable TLS PRF function access        default: off
108
 * WOLFSSL_DEBUG_TLS:        Debug TLS protocol messages            default: off
109
 * WOLFSSL_32BIT_MILLI_TIME: 32-bit millisecond time function      default: off
110
 * WOLFSSL_REQUIRE_TCA:      Require Trusted CA extension          default: off
111
 * WOLFSSL_DH_EXTRA:         Extra DH key info in SSL object       default: off
112
 * WOLFSSL_CURVE25519_BLINDING: Curve25519 blinding in TLS         default: off
113
 * HAVE_NULL_CIPHER:         Allow NULL cipher suites               default: off
114
 * HAVE_WEBSERVER:           Enable web server features             default: off
115
 * NO_CERTS:                 Disable certificate processing        default: off
116
 */
117
118
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
119
120
#ifndef WOLFCRYPT_ONLY
121
122
#include <wolfssl/ssl.h>
123
#include <wolfssl/internal.h>
124
#include <wolfssl/error-ssl.h>
125
#include <wolfssl/wolfcrypt/hash.h>
126
#include <wolfssl/wolfcrypt/hmac.h>
127
#include <wolfssl/wolfcrypt/kdf.h>
128
#ifdef NO_INLINE
129
    #include <wolfssl/wolfcrypt/misc.h>
130
#else
131
    #define WOLFSSL_MISC_INCLUDED
132
    #include <wolfcrypt/src/misc.c>
133
#endif
134
135
#ifdef HAVE_CURVE25519
136
    #include <wolfssl/wolfcrypt/curve25519.h>
137
#endif
138
#ifdef HAVE_CURVE448
139
    #include <wolfssl/wolfcrypt/curve448.h>
140
#endif
141
#ifdef WOLFSSL_HAVE_MLKEM
142
    #include <wolfssl/wolfcrypt/wc_mlkem.h>
143
#endif
144
145
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
146
    #include <wolfssl/wolfcrypt/port/Renesas/renesas_tsip_internal.h>
147
#endif
148
149
#include <wolfssl/wolfcrypt/hpke.h>
150
151
#ifndef NO_TLS
152
153
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
154
static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap);
155
#endif
156
157
#ifdef HAVE_SUPPORTED_CURVES
158
static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions);
159
#endif
160
161
/* Digest enable checks */
162
#ifdef NO_OLD_TLS /* TLS 1.2 only */
163
    #if defined(NO_SHA256) && !defined(WOLFSSL_SHA384) && \
164
            !defined(WOLFSSL_SHA512)
165
        #error Must have SHA256, SHA384 or SHA512 enabled for TLS 1.2
166
    #endif
167
#else  /* TLS 1.1 or older */
168
    #if defined(NO_MD5) && defined(NO_SHA)
169
        #error Must have SHA1 and MD5 enabled for old TLS
170
    #endif
171
#endif
172
173
#ifdef WOLFSSL_TLS13
174
    #if !defined(NO_DH) && \
175
        !defined(HAVE_FFDHE_2048) && !defined(HAVE_FFDHE_3072) && \
176
        !defined(HAVE_FFDHE_4096) && !defined(HAVE_FFDHE_6144) && \
177
        !defined(HAVE_FFDHE_8192)
178
        #error Please configure your TLS 1.3 DH key size using either: HAVE_FFDHE_2048, HAVE_FFDHE_3072, HAVE_FFDHE_4096, HAVE_FFDHE_6144 or HAVE_FFDHE_8192
179
    #endif
180
    #if !defined(NO_RSA) && !defined(WC_RSA_PSS)
181
        #error The build option WC_RSA_PSS is required for TLS 1.3 with RSA
182
    #endif
183
    #ifndef HAVE_TLS_EXTENSIONS
184
        #if !defined(_MSC_VER) && !defined(__TASKING__)
185
            #error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3"
186
        #else
187
            #pragma message("Error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3")
188
        #endif
189
    #endif
190
#endif
191
192
/* Warn if secrets logging is enabled */
193
#if (defined(SHOW_SECRETS) || defined(WOLFSSL_SSLKEYLOGFILE)) && \
194
    !defined(WOLFSSL_KEYLOG_EXPORT_WARNED)
195
    #if !defined(_MSC_VER) && !defined(__TASKING__)
196
        #warning The SHOW_SECRETS and WOLFSSL_SSLKEYLOGFILE options should only be used for debugging and never in a production environment
197
    #else
198
        #pragma message("Warning: The SHOW_SECRETS and WOLFSSL_SSLKEYLOGFILE options should only be used for debugging and never in a production environment")
199
    #endif
200
#endif
201
202
#ifndef WOLFSSL_NO_TLS12
203
204
#ifdef WOLFSSL_SHA384
205
0
    #define HSHASH_SZ WC_SHA384_DIGEST_SIZE
206
#else
207
    #define HSHASH_SZ FINISHED_SZ
208
#endif
209
210
/* Produce the handshake transcript hash used by the TLS 1.0-1.2 Finished
 * computation and by the extended master secret derivation.
 *
 * For TLS 1.2 and later the digest is selected by the negotiated cipher
 * suite's MAC algorithm: SHA-256 for values at or below sha256_mac and for
 * blake2b_mac, SHA-384 for sha384_mac, SM3 for sm3_mac. Below TLS 1.2 the
 * output is MD5 || SHA-1 (FINISHED_SZ bytes) as written by the
 * !NO_OLD_TLS section.
 *
 * ssl      SSL/TLS object holding the running handshake hashes.
 * hash     Output buffer; must be at least HSHASH_SZ bytes.
 * hashLen  In: capacity of hash. Out: number of digest bytes written.
 * returns BAD_FUNC_ARG when an argument is NULL or the buffer is smaller
 * than HSHASH_SZ, BUILD_MSG_ERROR when any digest extraction fails and 0 on
 * success.
 */
int BuildTlsHandshakeHash(WOLFSSL* ssl, byte* hash, word32* hashLen)
{
    int ret = 0;
    /* Default covers the MD5 || SHA-1 case; overridden when a TLS 1.2
     * digest is selected below. */
    word32 hashSz = FINISHED_SZ;

    if (ssl == NULL || hash == NULL || hashLen == NULL || *hashLen < HSHASH_SZ)
        return BAD_FUNC_ARG;

    /* for constant timing perform these even if error */
    /* Errors are OR'ed together rather than returned early; any non-zero
     * result is collapsed into BUILD_MSG_ERROR at the end. */
#ifndef NO_OLD_TLS
    ret |= wc_Md5GetHash(&ssl->hsHashes->hashMd5, hash);
    ret |= wc_ShaGetHash(&ssl->hsHashes->hashSha, &hash[WC_MD5_DIGEST_SIZE]);
#endif

    if (IsAtLeastTLSv1_2(ssl)) {
#ifndef NO_SHA256
        /* Presumably the mac_algorithm enum orders the legacy MD5/SHA-1
         * values below sha256_mac, so those suites use the SHA-256
         * transcript under TLS 1.2 as well -- confirm against internal.h. */
        if (ssl->specs.mac_algorithm <= sha256_mac ||
            ssl->specs.mac_algorithm == blake2b_mac) {
            ret |= wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
            hashSz = WC_SHA256_DIGEST_SIZE;
        }
#endif
#ifdef WOLFSSL_SHA384
        if (ssl->specs.mac_algorithm == sha384_mac) {
            ret |= wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
            hashSz = WC_SHA384_DIGEST_SIZE;
        }
#endif
#ifdef WOLFSSL_SM3
        if (ssl->specs.mac_algorithm == sm3_mac) {
            ret |= wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
            hashSz = WC_SM3_DIGEST_SIZE;
        }
#endif
    }

    *hashLen = hashSz;
#ifdef WOLFSSL_CHECK_MEM_ZERO
    /* Register the digest with the zeroization tracker so a later
     * wc_MemZero_Check() can verify the caller wiped it. */
     wc_MemZero_Add("TLS handshake hash", hash, hashSz);
#endif

    if (ret != 0) {
        ret = BUILD_MSG_ERROR;
        WOLFSSL_ERROR_VERBOSE(ret);
    }

    return ret;
}
258
259
260
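/* Compute the verify_data for a TLS 1.0-1.2 Finished message.
 *
 * The handshake transcript hash is taken with BuildTlsHandshakeHash(), the
 * PRF label is chosen from the sender (kTlsClientFinStr or kTlsServerFinStr)
 * and TLS_FINISHED_SZ bytes of verify_data are written into hashes. A
 * TlsFinishedCb protocol callback, when registered, may compute the value
 * instead; if it is absent or reports PROTOCOLCB_UNAVAILABLE the local PRF
 * is used. The transcript hash scratch buffer is zeroized before the
 * function returns, on every path.
 *
 * ssl     SSL/TLS object with masterSecret and the running handshake hashes.
 * hashes  Output for the verify_data (TLS_FINISHED_SZ bytes are written).
 * sender  kTlsClientStr or kTlsServerStr, compared over SIZEOF_SENDER bytes.
 * returns 0 on success, BAD_FUNC_ARG on a NULL argument or an unrecognised
 * sender, MEMORY_E when the async scratch buffer cannot be allocated,
 * PRF_MISSING when the build has no PRF, otherwise the failing step's
 * error code.
 */
int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
{
    int ret;
    const byte* side = NULL;
    word32 hashSz = HSHASH_SZ;
#if !defined(WOLFSSL_ASYNC_CRYPT) || defined(WC_ASYNC_NO_HASH)
    byte handshake_hash[HSHASH_SZ];
#else
    byte* handshake_hash = NULL;
#endif

    /* sender goes straight into XSTRNCMP and ssl->heap is read for the
     * async allocation, so reject NULLs before anything is allocated. */
    if (ssl == NULL || hashes == NULL || sender == NULL)
        return BAD_FUNC_ARG;

#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
    handshake_hash = (byte*)XMALLOC(HSHASH_SZ, ssl->heap, DYNAMIC_TYPE_DIGEST);
    if (handshake_hash == NULL)
        return MEMORY_E;
#endif

    XMEMSET(handshake_hash, 0, HSHASH_SZ);
    ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz);
    if (ret == 0) {
        /* Select the PRF label for the side that sends this Finished. */
        if (XSTRNCMP((const char*)sender, (const char*)kTlsClientStr,
                                                          SIZEOF_SENDER) == 0) {
            side = kTlsClientFinStr;
        }
        else if (XSTRNCMP((const char*)sender, (const char*)kTlsServerStr,
                                                          SIZEOF_SENDER) == 0) {
            side = kTlsServerFinStr;
        }
        else {
            ret = BAD_FUNC_ARG;
            WOLFSSL_MSG("Unexpected sender value");
        }
    }

    if (ret == 0) {
#ifdef WOLFSSL_HAVE_PRF
#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
        /* Give a registered protocol callback first refusal; fall through to
         * the local PRF when there is none or it declines. */
        if (ssl->ctx->TlsFinishedCb) {
            void* ctx = wolfSSL_GetTlsFinishedCtx(ssl);
            ret = ssl->ctx->TlsFinishedCb(ssl, side, handshake_hash, hashSz,
                                          (byte*)hashes, ctx);
        }
        if (!ssl->ctx->TlsFinishedCb ||
            ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
#endif
        {
            PRIVATE_KEY_UNLOCK();
            ret = wc_PRF_TLS((byte*)hashes, TLS_FINISHED_SZ,
                      ssl->arrays->masterSecret, SECRET_LEN, side,
                      FINISHED_LABEL_SZ, handshake_hash, hashSz,
                      IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
                      ssl->heap, ssl->devId);
            PRIVATE_KEY_LOCK();
        }
#else
        /* Pseudo random function must be enabled in the configuration. */
        ret = PRF_MISSING;
        WOLFSSL_ERROR_VERBOSE(ret);
        WOLFSSL_MSG("Pseudo-random function is not enabled");

        (void)side;
        (void)hashes;
#endif
    }

    /* Zeroize on every path, not only after a successful PRF: a hashing
     * failure or an unknown sender must not leave the transcript hash behind
     * (WOLFSSL_CHECK_MEM_ZERO builds verify this below). The full buffer size
     * is used because hashSz is only meaningful when the hash succeeded. */
    ForceZero(handshake_hash, HSHASH_SZ);

#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
    XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_DIGEST);
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
    wc_MemZero_Check(handshake_hash, HSHASH_SZ);
#endif

    return ret;
}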
331
332
#endif /* !WOLFSSL_NO_TLS12 */
333
334
#ifndef NO_OLD_TLS
335
336
#ifdef WOLFSSL_ALLOW_TLSV10
337
/* The TLS v1.0 protocol version.
 *
 * returns the protocol version data for TLS v1.0: the SSLv3 major number
 * paired with the TLS v1.0 minor number.
 */
ProtocolVersion MakeTLSv1(void)
{
    ProtocolVersion version;

    version.minor = TLSv1_MINOR;
    version.major = SSLv3_MAJOR;

    return version;
}
345
#endif /* WOLFSSL_ALLOW_TLSV10 */
346
347
348
/* The TLS v1.1 protocol version.
 *
 * returns the protocol version data for TLS v1.1: the SSLv3 major number
 * paired with the TLS v1.1 minor number.
 */
ProtocolVersion MakeTLSv1_1(void)
{
    ProtocolVersion version;

    version.minor = TLSv1_1_MINOR;
    version.major = SSLv3_MAJOR;

    return version;
}
356
357
#endif /* !NO_OLD_TLS */
358
359
360
#ifndef WOLFSSL_NO_TLS12
361
362
/* The TLS v1.2 protocol version.
 *
 * returns the protocol version data for TLS v1.2: the SSLv3 major number
 * paired with the TLS v1.2 minor number.
 */
ProtocolVersion MakeTLSv1_2(void)
{
    ProtocolVersion version;

    version.minor = TLSv1_2_MINOR;
    version.major = SSLv3_MAJOR;

    return version;
}
370
371
#endif /* !WOLFSSL_NO_TLS12 */
372
373
#ifdef WOLFSSL_TLS13
374
/* The TLS v1.3 protocol version.
 *
 * TLS 1.3 keeps the SSLv3 major number on the wire and is distinguished by
 * its minor number only.
 *
 * returns the protocol version data for TLS v1.3.
 */
ProtocolVersion MakeTLSv1_3(void)
{
    ProtocolVersion version;

    version.minor = TLSv1_3_MINOR;
    version.major = SSLv3_MAJOR;

    return version;
}
386
#endif
387
388
#if defined(HAVE_SUPPORTED_CURVES)
389
/* Sets the key exchange groups in rank order on a context.
 *
 * Any Supported Groups extension already on the context is removed and
 * rebuilt from the array, one wolfSSL_CTX_UseSupportedCurve() call per
 * entry. In TLS v1.3 builds the ordered list is also recorded in
 * ctx->group / ctx->numGroups; numGroups is reset to 0 first so a failure
 * part way through leaves no stale count behind.
 *
 * ctx     SSL/TLS context object.
 * groups  Array of groups.
 * count   Number of groups in array.
 * returns BAD_FUNC_ARG when ctx or groups is NULL, the context's method is
 * not a TLS version, count is not positive or count is greater than
 * WOLFSSL_MAX_GROUP_COUNT; the wolfSSL_CTX_UseSupportedCurve() error when a
 * group is rejected; and WOLFSSL_SUCCESS on success.
 */
int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count)
{
    int ret, i;

    WOLFSSL_ENTER("wolfSSL_CTX_set_groups");
    if (ctx == NULL || groups == NULL || count <= 0 ||
            count > WOLFSSL_MAX_GROUP_COUNT)
        return BAD_FUNC_ARG;
    if (!IsTLS_ex(ctx->method->version))
        return BAD_FUNC_ARG;

    #ifdef WOLFSSL_TLS13
    ctx->numGroups = 0;
    #endif
    #if !defined(NO_TLS)
    /* Start from a clean extension so the new ranking is not appended to an
     * earlier one. */
    TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap);
    #endif /* !NO_TLS */
    for (i = 0; i < count; i++) {
        /* Call to wolfSSL_CTX_UseSupportedCurve also checks if input groups
         * are valid */
        if ((ret = wolfSSL_CTX_UseSupportedCurve(ctx, (word16)groups[i]))
                != WOLFSSL_SUCCESS) {
    #if !defined(NO_TLS)
            /* Drop the partially built extension rather than leave a
             * truncated group list on the context. */
            TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap);
    #endif /* !NO_TLS */
            return ret;
        }
        #ifdef WOLFSSL_TLS13
        ctx->group[i] = (word16)groups[i];
        #endif
    }
    #ifdef WOLFSSL_TLS13
    ctx->numGroups = (byte)count;
    #endif

    return WOLFSSL_SUCCESS;
}
435
436
/* Sets the key exchange groups in rank order.
 *
 * Per-connection counterpart of wolfSSL_CTX_set_groups(): any Supported
 * Groups extension already on the SSL object is removed and rebuilt from
 * the array, one wolfSSL_UseSupportedCurve() call per entry. In TLS v1.3
 * builds the ordered list is also recorded in ssl->group / ssl->numGroups;
 * numGroups is reset to 0 first so a failure part way through leaves no
 * stale count behind.
 *
 * ssl     SSL/TLS object.
 * groups  Array of groups.
 * count   Number of groups in array.
 * returns BAD_FUNC_ARG when ssl or groups is NULL, the object's version is
 * not a TLS version, count is not positive or count is greater than
 * WOLFSSL_MAX_GROUP_COUNT; the wolfSSL_UseSupportedCurve() error when a
 * group is rejected; and WOLFSSL_SUCCESS on success.
 */
int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count)
{
    int ret, i;

    WOLFSSL_ENTER("wolfSSL_set_groups");
    if (ssl == NULL || groups == NULL || count <= 0 ||
            count > WOLFSSL_MAX_GROUP_COUNT)
        return BAD_FUNC_ARG;
    if (!IsTLS_ex(ssl->version))
        return BAD_FUNC_ARG;

    #ifdef WOLFSSL_TLS13
    ssl->numGroups = 0;
    #endif
    #if !defined(NO_TLS)
    /* Start from a clean extension so the new ranking is not appended to an
     * earlier one. */
    TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap);
    #endif /* !NO_TLS */
    for (i = 0; i < count; i++) {
        /* Call to wolfSSL_UseSupportedCurve also checks if input groups
         * are valid */
        if ((ret = wolfSSL_UseSupportedCurve(ssl, (word16)groups[i]))
                != WOLFSSL_SUCCESS) {
    #if !defined(NO_TLS)
            /* Drop the partially built extension rather than leave a
             * truncated group list on the object. */
            TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap);
    #endif /* !NO_TLS */
            return ret;
        }
        #ifdef WOLFSSL_TLS13
        ssl->group[i] = (word16)groups[i];
        #endif
    }
    #ifdef WOLFSSL_TLS13
    ssl->numGroups = (byte)count;
    #endif

    return WOLFSSL_SUCCESS;
}
482
#endif /* HAVE_SUPPORTED_CURVES */
483
484
#ifndef WOLFSSL_NO_TLS12
485
486
#ifdef HAVE_EXTENDED_MASTER
487
/* PRF label for the extended master secret (RFC 7627). The "+ 1" only makes
 * room for the string literal's NUL terminator; the *_LABEL_SZ length is what
 * is passed to wc_PRF_TLS, so the NUL is never part of the PRF input. */
static const byte ext_master_label[EXT_MASTER_LABEL_SZ + 1] =
                                                      "extended master secret";
#endif
/* PRF labels for the classic TLS 1.0-1.2 master secret and key block
 * (RFC 5246); same NUL-terminator convention as above. */
static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret";
static const byte key_label   [KEY_LABEL_SZ + 1]    = "key expansion";
492
493
/* Expand a master secret into the TLS 1.0-1.2 key block.
 *
 * Builds the PRF seed as server_random || client_random -- the RFC 5246
 * "key expansion" order, which is the reverse of the order used by
 * _MakeTlsMasterSecret -- and runs wc_PRF_TLS with the "key expansion"
 * label.
 *
 * key_dig      Output buffer for the key block.
 * key_dig_len  Number of key block bytes to produce.
 * ms           Master secret.
 * msLen        Length of ms in bytes.
 * sr           Server random, RAN_LEN bytes.
 * cr           Client random, RAN_LEN bytes.
 * tls1_2       Non-zero to use the TLS 1.2 PRF (callers pass
 *              IsAtLeastTLSv1_2(ssl)).
 * hash_type    MAC algorithm selecting the PRF digest.
 * heap         Heap hint for the async seed buffer and the PRF.
 * devId        Crypto device id handed to the PRF.
 * returns MEMORY_E when the async seed buffer cannot be allocated,
 * PRF_MISSING when the build has no PRF, otherwise the wc_PRF_TLS result
 * (0 on success).
 */
static int _DeriveTlsKeys(byte* key_dig, word32 key_dig_len,
                         const byte* ms, word32 msLen,
                         const byte* sr, const byte* cr,
                         int tls1_2, int hash_type,
                         void* heap, int devId)
{
    int ret;
#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
    /* Async hashing needs the seed to outlive the stack frame. */
    byte* seed = NULL;
    seed = (byte*)XMALLOC(SEED_LEN, heap, DYNAMIC_TYPE_SEED);
    if (seed == NULL)
        return MEMORY_E;
#else
    byte seed[SEED_LEN];
#endif

    /* seed = server_random || client_random (key expansion order). */
    XMEMCPY(seed,           sr, RAN_LEN);
    XMEMCPY(seed + RAN_LEN, cr, RAN_LEN);

#ifdef WOLFSSL_HAVE_PRF
    /* NOTE(review): PRIVATE_KEY_UNLOCK/LOCK bracket the PRF call; presumably
     * this is the key-access gate used in restricted builds -- confirm. */
    PRIVATE_KEY_UNLOCK();
    ret = wc_PRF_TLS(key_dig, key_dig_len, ms, msLen, key_label, KEY_LABEL_SZ,
               seed, SEED_LEN, tls1_2, hash_type, heap, devId);
    PRIVATE_KEY_LOCK();
#else
    /* Pseudo random function must be enabled in the configuration. */
    ret = PRF_MISSING;
    WOLFSSL_ERROR_VERBOSE(ret);
    WOLFSSL_MSG("Pseudo-random function is not enabled");

    /* Reference every parameter and the file-scope labels so a no-PRF build
     * does not warn about unused names. */
    (void)key_dig;
    (void)key_dig_len;
    (void)ms;
    (void)msLen;
    (void)tls1_2;
    (void)hash_type;
    (void)heap;
    (void)devId;
    (void)key_label;
    (void)master_label;
#ifdef HAVE_EXTENDED_MASTER
    (void)ext_master_label;
#endif
#endif

#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
    XFREE(seed, heap, DYNAMIC_TYPE_SEED);
#endif

    return ret;
}
544
545
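/* External facing wrapper so user can call as well, 0 on success.
 *
 * Derives the TLS 1.0-1.2 key block ("key expansion") into key_data without
 * an SSL object: no heap hint and no crypto device are used.
 *
 * key_data   Output buffer for the key block.
 * keyLen     Number of key block bytes to produce.
 * ms         Master secret.
 * msLen      Length of ms in bytes.
 * sr         Server random, RAN_LEN bytes.
 * cr         Client random, RAN_LEN bytes.
 * tls1_2     Non-zero to use the TLS 1.2 PRF.
 * hash_type  MAC algorithm selecting the PRF digest.
 * returns BAD_FUNC_ARG when any pointer argument is NULL, PRF_MISSING when
 * the build has no PRF, otherwise the wc_PRF_TLS result (0 on success).
 */
int wolfSSL_DeriveTlsKeys(byte* key_data, word32 keyLen,
                         const byte* ms, word32 msLen,
                         const byte* sr, const byte* cr,
                         int tls1_2, int hash_type)
{
    /* Public API: the randoms are copied with XMEMCPY before the PRF runs,
     * so a NULL pointer would be dereferenced -- reject it here instead. */
    if (key_data == NULL || ms == NULL || sr == NULL || cr == NULL)
        return BAD_FUNC_ARG;

    return _DeriveTlsKeys(key_data, keyLen, ms, msLen, sr, cr, tls1_2,
        hash_type, NULL, INVALID_DEVID);
}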
554
555
556
/* Derive and install the session keys for a TLS 1.0-1.2 connection.
 *
 * The key block size is the MAC key, encryption key and IV sizes from the
 * negotiated cipher spec, each doubled for the two directions. When a
 * GenSessionKeyCb protocol callback is registered it may produce the keys
 * itself; if it is absent or reports PROTOCOLCB_UNAVAILABLE the key block
 * is computed locally with _DeriveTlsKeys and installed with StoreKeys. The
 * scratch key block is always zeroized before it is released.
 *
 * ssl  SSL/TLS object with masterSecret, serverRandom and clientRandom set.
 * returns 0 on success, MEMORY_E when the scratch buffer cannot be
 * allocated (small-stack builds), otherwise the failing step's error code.
 */
int DeriveTlsKeys(WOLFSSL* ssl)
{
    int   ret;
    /* Two MAC keys, two encryption keys, two IVs: one per direction. */
    int   key_dig_len = 2 * ssl->specs.hash_size +
                        2 * ssl->specs.key_size  +
                        2 * ssl->specs.iv_size;
    WC_DECLARE_VAR(key_dig, byte, MAX_PRF_DIG, 0);

    WC_ALLOC_VAR_EX(key_dig, byte, MAX_PRF_DIG, ssl->heap,
        DYNAMIC_TYPE_DIGEST, return MEMORY_E);

    XMEMSET(key_dig, 0, MAX_PRF_DIG);

#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
    /* The #if/#endif wraps the condition of an if whose body is the
     * _DeriveTlsKeys call below; without PK callbacks that call is
     * unconditional. */
    ret = PROTOCOLCB_UNAVAILABLE;
    if (ssl->ctx->GenSessionKeyCb) {
        void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl);
        ret = ssl->ctx->GenSessionKeyCb(ssl, ctx);
    }
    if (!ssl->ctx->GenSessionKeyCb ||
        ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
#endif
    ret = _DeriveTlsKeys(key_dig, (word32)key_dig_len,
                     ssl->arrays->masterSecret, SECRET_LEN,
                     ssl->arrays->serverRandom, ssl->arrays->clientRandom,
                     IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
                     ssl->heap, ssl->devId);
    if (ret == 0)
        ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER);

#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Add("DeriveTlsKeys key_dig", key_dig, MAX_PRF_DIG);
#endif
    /* The whole MAX_PRF_DIG buffer is wiped, not just key_dig_len, and
     * ForceZero is used so the compiler cannot elide it before the free. */
    ForceZero(key_dig, MAX_PRF_DIG);
#ifdef WOLFSSL_CHECK_MEM_ZERO
    wc_MemZero_Check(key_dig, MAX_PRF_DIG);
#endif

    WC_FREE_VAR_EX(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);

    return ret;
}
598
599
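/* Compute the classic TLS 1.0-1.2 master secret (RFC 5246).
 *
 * The PRF seed is client_random || server_random and the label is
 * "master secret"; note that _DeriveTlsKeys uses the reverse random order
 * for key expansion.
 *
 * ms         Output buffer for the master secret.
 * msLen      Number of bytes of master secret to produce.
 * pms        Pre-master secret.
 * pmsLen     Length of pms in bytes.
 * cr         Client random, RAN_LEN bytes.
 * sr         Server random, RAN_LEN bytes.
 * tls1_2     Non-zero to use the TLS 1.2 PRF.
 * hash_type  MAC algorithm selecting the PRF digest.
 * heap       Heap hint for the async seed buffer and the PRF.
 * devId      Crypto device id handed to the PRF.
 * returns MEMORY_E when the async seed buffer cannot be allocated,
 * PRF_MISSING when the build has no PRF, otherwise the wc_PRF_TLS result
 * (0 on success).
 */
static int _MakeTlsMasterSecret(byte* ms, word32 msLen,
                               const byte* pms, word32 pmsLen,
                               const byte* cr, const byte* sr,
                               int tls1_2, int hash_type,
                               void* heap, int devId)
{
    int ret;
#if !defined(WOLFSSL_ASYNC_CRYPT) || defined(WC_ASYNC_NO_HASH)
    byte seed[SEED_LEN];
#else
    /* Async hashing needs the seed to outlive the stack frame. */
    byte* seed = NULL;
    seed = (byte*)XMALLOC(SEED_LEN, heap, DYNAMIC_TYPE_SEED);
    if (seed == NULL)
        return MEMORY_E;
#endif

    /* seed = client_random || server_random (master secret order). */
    XMEMCPY(seed,           cr, RAN_LEN);
    XMEMCPY(seed + RAN_LEN, sr, RAN_LEN);

#ifdef WOLFSSL_HAVE_PRF
    PRIVATE_KEY_UNLOCK();
    ret = wc_PRF_TLS(ms, msLen, pms, pmsLen, master_label, MASTER_LABEL_SZ,
               seed, SEED_LEN, tls1_2, hash_type, heap, devId);
    PRIVATE_KEY_LOCK();
#else
    /* Pseudo random function must be enabled in the configuration. */
    ret = PRF_MISSING;
    /* Record the failure in the error trace, matching _DeriveTlsKeys. */
    WOLFSSL_ERROR_VERBOSE(ret);
    WOLFSSL_MSG("Pseudo-random function is not enabled");

    (void)ms;
    (void)msLen;
    (void)pms;
    (void)pmsLen;
    (void)tls1_2;
    (void)hash_type;
    (void)heap;
    (void)devId;
#endif

#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
    XFREE(seed, heap, DYNAMIC_TYPE_SEED);
#endif

    return ret;
}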
644
645
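/* External facing wrapper so user can call as well, 0 on success.
 *
 * Computes the classic TLS 1.0-1.2 master secret without an SSL object: no
 * heap hint and no crypto device are used.
 *
 * ms         Output buffer for the master secret.
 * msLen      Number of bytes of master secret to produce.
 * pms        Pre-master secret.
 * pmsLen     Length of pms in bytes.
 * cr         Client random, RAN_LEN bytes.
 * sr         Server random, RAN_LEN bytes.
 * tls1_2     Non-zero to use the TLS 1.2 PRF.
 * hash_type  MAC algorithm selecting the PRF digest.
 * returns BAD_FUNC_ARG when any pointer argument is NULL, PRF_MISSING when
 * the build has no PRF, otherwise the wc_PRF_TLS result (0 on success).
 */
int wolfSSL_MakeTlsMasterSecret(byte* ms, word32 msLen,
                               const byte* pms, word32 pmsLen,
                               const byte* cr, const byte* sr,
                               int tls1_2, int hash_type)
{
    /* Public API: the randoms are copied with XMEMCPY before the PRF runs,
     * so a NULL pointer would be dereferenced -- reject it here instead. */
    if (ms == NULL || pms == NULL || cr == NULL || sr == NULL)
        return BAD_FUNC_ARG;

    return _MakeTlsMasterSecret(ms, msLen, pms, pmsLen, cr, sr, tls1_2,
        hash_type, NULL, INVALID_DEVID);
}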
654
655
656
#ifdef HAVE_EXTENDED_MASTER
657
658
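/* Compute the extended master secret (RFC 7627).
 *
 * Unlike the classic derivation the PRF seed is the handshake transcript
 * hash rather than the client/server randoms, binding the secret to the
 * whole handshake.
 *
 * ms         Output buffer for the master secret.
 * msLen      Number of bytes of master secret to produce.
 * pms        Pre-master secret.
 * pmsLen     Length of pms in bytes.
 * sHash      Handshake transcript hash (as produced by
 *            BuildTlsHandshakeHash).
 * sHashLen   Length of sHash in bytes.
 * tls1_2     Non-zero to use the TLS 1.2 PRF.
 * hash_type  MAC algorithm selecting the PRF digest.
 * heap       Heap hint handed to the PRF.
 * devId      Crypto device id handed to the PRF.
 * returns PRF_MISSING when the build has no PRF, otherwise the wc_PRF_TLS
 * result (0 on success).
 */
static int _MakeTlsExtendedMasterSecret(byte* ms, word32 msLen,
                                        const byte* pms, word32 pmsLen,
                                        const byte* sHash, word32 sHashLen,
                                        int tls1_2, int hash_type,
                                        void* heap, int devId)
{
    int ret;

#ifdef WOLFSSL_HAVE_PRF
    PRIVATE_KEY_UNLOCK();
    ret = wc_PRF_TLS(ms, msLen, pms, pmsLen, ext_master_label, EXT_MASTER_LABEL_SZ,
               sHash, sHashLen, tls1_2, hash_type, heap, devId);
    PRIVATE_KEY_LOCK();
#else
    /* Pseudo random function must be enabled in the configuration. */
    ret = PRF_MISSING;
    /* Record the failure in the error trace, matching _DeriveTlsKeys. */
    WOLFSSL_ERROR_VERBOSE(ret);
    WOLFSSL_MSG("Pseudo-random function is not enabled");

    (void)ms;
    (void)msLen;
    (void)pms;
    (void)pmsLen;
    (void)sHash;
    (void)sHashLen;
    (void)tls1_2;
    (void)hash_type;
    (void)heap;
    (void)devId;
#endif
    return ret;
}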
689
690
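/* External facing wrapper so user can call as well, 0 on success.
 *
 * Computes the extended master secret (RFC 7627) without an SSL object: no
 * heap hint and no crypto device are used.
 *
 * ms         Output buffer for the master secret.
 * msLen      Number of bytes of master secret to produce.
 * pms        Pre-master secret.
 * pmsLen     Length of pms in bytes.
 * sHash      Handshake transcript hash.
 * sHashLen   Length of sHash in bytes.
 * tls1_2     Non-zero to use the TLS 1.2 PRF.
 * hash_type  MAC algorithm selecting the PRF digest.
 * returns BAD_FUNC_ARG when any pointer argument is NULL, PRF_MISSING when
 * the build has no PRF, otherwise the wc_PRF_TLS result (0 on success).
 */
int wolfSSL_MakeTlsExtendedMasterSecret(byte* ms, word32 msLen,
                                        const byte* pms, word32 pmsLen,
                                        const byte* sHash, word32 sHashLen,
                                        int tls1_2, int hash_type)
{
    /* Public API: validate the pointers here rather than rely on the PRF
     * to notice a NULL secret or transcript hash. */
    if (ms == NULL || pms == NULL || sHash == NULL)
        return BAD_FUNC_ARG;

    return _MakeTlsExtendedMasterSecret(ms, msLen, pms, pmsLen, sHash, sHashLen,
        tls1_2, hash_type, NULL, INVALID_DEVID);
}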
699
700
#endif /* HAVE_EXTENDED_MASTER */
701
702
703
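/* Derive the TLS 1.0-1.2 master secret for this session, then the session
 * keys.
 *
 * The pre-master secret in ssl->arrays is expanded into
 * ssl->arrays->masterSecret using either the extended master secret
 * construction (RFC 7627, when ssl->options.haveEMS is set) or the classic
 * client_random || server_random seed. Protocol callbacks
 * (HAVE_PK_CALLBACKS) may supply the secret instead, a sniffer keylog
 * callback may replace the whole derivation, and HAVE_SECRET_CALLBACK lets
 * the application observe the result. On success the key block is derived
 * with DeriveTlsKeys(). The transcript hash scratch buffer used for the
 * extended master secret is zeroized on every path.
 *
 * ssl  SSL/TLS object; arrays, specs and the handshake hashes must be
 *      populated.
 * returns 0 on success, MEMORY_E when the small-stack hash buffer cannot be
 * allocated, otherwise the first failing step's error code.
 */
int MakeTlsMasterSecret(WOLFSSL* ssl)
{
    int ret;

#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
    /* If this is called from a sniffer session with keylog file support, obtain
     * the master secret from the callback */
    if (ssl->snifferSecretCb != NULL) {
        ret = ssl->snifferSecretCb(ssl->arrays->clientRandom,
                                   SNIFFER_SECRET_TLS12_MASTER_SECRET,
                                   ssl->arrays->masterSecret);
        if (ret != 0) {
            return ret;
        }
        ret = DeriveTlsKeys(ssl);
        return ret;
    }
#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */

#ifdef HAVE_EXTENDED_MASTER
    if (ssl->options.haveEMS) {
        word32 hashSz = HSHASH_SZ;
    #ifdef WOLFSSL_SMALL_STACK
        byte* handshake_hash = (byte*)XMALLOC(HSHASH_SZ, ssl->heap,
                                              DYNAMIC_TYPE_DIGEST);
        if (handshake_hash == NULL)
            return MEMORY_E;
    #else
        byte handshake_hash[HSHASH_SZ];
    #endif

        XMEMSET(handshake_hash, 0, HSHASH_SZ);
        ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz);
        if (ret == 0) {
        #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
            /* Give a registered protocol callback first refusal; fall
             * through to the local derivation when there is none or it
             * declines. */
            ret = PROTOCOLCB_UNAVAILABLE;
            if (ssl->ctx->GenExtMasterCb) {
                void* ctx = wolfSSL_GetGenExtMasterSecretCtx(ssl);
                ret = ssl->ctx->GenExtMasterCb(ssl, handshake_hash, hashSz,
                                                ctx);
            }
            if (!ssl->ctx->GenExtMasterCb ||
                ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
        #endif /* !NO_CERTS && HAVE_PK_CALLBACKS */
            {
                ret = _MakeTlsExtendedMasterSecret(
                    ssl->arrays->masterSecret, SECRET_LEN,
                    ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
                    handshake_hash, hashSz,
                    IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
                    ssl->heap, ssl->devId);
            }
        }
        /* Zeroize on every path, not only after a successful derivation: a
         * failed BuildTlsHandshakeHash() may have partially written the
         * buffer, and WOLFSSL_CHECK_MEM_ZERO builds verify the wipe below.
         * The full buffer size is used because hashSz is only meaningful
         * when the hash succeeded. */
        ForceZero(handshake_hash, HSHASH_SZ);

    #ifdef WOLFSSL_SMALL_STACK
        XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_DIGEST);
    #elif defined(WOLFSSL_CHECK_MEM_ZERO)
        wc_MemZero_Check(handshake_hash, HSHASH_SZ);
    #endif
    }
    else
#endif /* HAVE_EXTENDED_MASTER */
    {

#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
        /* Same callback-first arrangement as the extended case above. */
        ret = PROTOCOLCB_UNAVAILABLE;
        if (ssl->ctx->GenMasterCb) {
            void* ctx = wolfSSL_GetGenMasterSecretCtx(ssl);
            ret = ssl->ctx->GenMasterCb(ssl, ctx);
        }
        if (!ssl->ctx->GenMasterCb ||
            ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
#endif
        {
            ret = _MakeTlsMasterSecret(ssl->arrays->masterSecret,
                      SECRET_LEN, ssl->arrays->preMasterSecret,
                      ssl->arrays->preMasterSz, ssl->arrays->clientRandom,
                      ssl->arrays->serverRandom, IsAtLeastTLSv1_2(ssl),
                      ssl->specs.mac_algorithm, ssl->heap, ssl->devId);
        }
    }
#ifdef HAVE_SECRET_CALLBACK
    /* Application hook that sees the finished master secret (e.g. for key
     * logging); its error aborts key derivation. */
    if (ret == 0 && ssl->tlsSecretCb != NULL) {
        ret = ssl->tlsSecretCb(ssl, ssl->arrays->masterSecret,
                SECRET_LEN, ssl->tlsSecretCtx);
    }
#endif /* HAVE_SECRET_CALLBACK */
    if (ret == 0) {
        ret = DeriveTlsKeys(ssl);
    }

    return ret;
}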
797
798
799
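/* Used by EAP-TLS and EAP-TTLS to derive keying material from
 * the master_secret.
 *
 * Runs the TLS PRF over the master secret with the caller's label and a
 * seed of client_random || server_random (the RFC 5281 order, see below).
 *
 * ssl    SSL/TLS object; its arrays (randoms and master secret) must still
 *        be present.
 * key    Output buffer for the keying material.
 * len    Number of bytes of keying material to produce.
 * label  NUL-terminated PRF label.
 * returns 0 on success, BAD_FUNC_ARG when ssl, ssl->arrays, key or label is
 * NULL, MEMORY_E when the seed buffer cannot be allocated (small-stack
 * builds), PRF_MISSING when the build has no PRF, otherwise the wc_PRF_TLS
 * error code.
 */
int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* key, unsigned int len,
                                                              const char* label)
{
    int   ret;
    WC_DECLARE_VAR(seed, byte, SEED_LEN, 0);

    /* Public API: every pointer is dereferenced below (ssl->heap,
     * ssl->arrays->clientRandom, XSTRLEN(label)), so validate them before
     * anything is allocated. */
    if (ssl == NULL || ssl->arrays == NULL || key == NULL || label == NULL)
        return BAD_FUNC_ARG;

    WC_ALLOC_VAR_EX(seed, byte, SEED_LEN, ssl->heap, DYNAMIC_TYPE_SEED,
        return MEMORY_E);

    /*
     * As per RFC-5281, the order of the client and server randoms is reversed
     * from that used by the TLS protocol to derive keys.
     */
    XMEMCPY(seed,           ssl->arrays->clientRandom, RAN_LEN);
    XMEMCPY(seed + RAN_LEN, ssl->arrays->serverRandom, RAN_LEN);

#ifdef WOLFSSL_HAVE_PRF
    PRIVATE_KEY_UNLOCK();
    ret = wc_PRF_TLS((byte*)key, len, ssl->arrays->masterSecret, SECRET_LEN,
              (const byte *)label, (word32)XSTRLEN(label), seed, SEED_LEN,
              IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
              ssl->heap, ssl->devId);
    PRIVATE_KEY_LOCK();
#else
    /* Pseudo random function must be enabled in the configuration. */
    ret = PRF_MISSING;
    /* Record the failure in the error trace, matching _DeriveTlsKeys. */
    WOLFSSL_ERROR_VERBOSE(ret);
    WOLFSSL_MSG("Pseudo-random function is not enabled");

    (void)key;
    (void)len;
    (void)label;
#endif

    WC_FREE_VAR_EX(seed, ssl->heap, DYNAMIC_TYPE_SEED);

    return ret;
}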
/* Look up the wolfCrypt hash type that backs the negotiated HMAC.
 *
 * ssl  Session whose cipher specs are consulted.
 * returns a WC_* hash type on success, BAD_FUNC_ARG when ssl is NULL,
 *         otherwise whatever wolfSSL_GetHmacType_ex() reports.
 */
int wolfSSL_GetHmacType(WOLFSSL* ssl)
{
    CipherSpecs* specs = (ssl != NULL) ? &ssl->specs : NULL;

    /* Reject a missing session up front rather than letting the helper
     * see a NULL specs pointer. */
    if (specs == NULL)
        return BAD_FUNC_ARG;

    return wolfSSL_GetHmacType_ex(specs);
}
/* Build the MAC "inner" header for a TLS record: sequence number, content
 * type, protocol version and 16-bit length.
 *
 * inner must hold at least WOLFSSL_TLS_HMAC_INNER_SZ bytes; it is zeroed
 * first. DTLS Connection ID records need a different layout and are refused.
 *
 * ssl      Session providing sequence number and version.
 * inner    Output buffer for the header.
 * sz       Record length written into the header (truncated to 16 bits).
 * content  Record content type byte.
 * verify   Selects the read (verify) or write sequence number for WriteSEQ().
 * returns 0 on success, BAD_FUNC_ARG on NULL arguments or a CID record.
 */
int wolfSSL_SetTlsHmacInner(WOLFSSL* ssl, byte* inner, word32 sz, int content,
                           int verify)
{
    word32 idx;
    int    cidInUse;

    if (ssl == NULL || inner == NULL)
        return BAD_FUNC_ARG;

    cidInUse = (content == dtls12_cid);
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID)
    /* Only consult the CID size when the content type did not already
     * decide it, mirroring the short-circuit of the combined test. */
    if (!cidInUse && ssl->options.dtls && DtlsGetCidTxSize(ssl) > 0)
        cidInUse = 1;
#endif
    if (cidInUse) {
        WOLFSSL_MSG("wolfSSL_SetTlsHmacInner doesn't support CID");
        return BAD_FUNC_ARG;
    }

    XMEMSET(inner, 0, WOLFSSL_TLS_HMAC_INNER_SZ);

    /* Layout: seq | content | major | minor | length. */
    WriteSEQ(ssl, verify, inner);
    idx = SEQ_SZ;
    inner[idx] = (byte)content;
    idx += ENUM_LEN;
    inner[idx]            = ssl->version.major;
    inner[idx + ENUM_LEN] = ssl->version.minor;
    c16toa((word16)sz, inner + idx + VERSION_SZ);

    return 0;
}
#ifndef WOLFSSL_AEAD_ONLY
877
#if !defined(WOLFSSL_NO_HASH_RAW) && !defined(HAVE_FIPS) && \
878
    !defined(HAVE_SELFTEST)
879
880
/* Feed data into the HMAC's inner hash, operating on the raw hash state
 * inside the Hmac object rather than through wc_HmacUpdate().
 *
 * Only the hash algorithms compiled in are dispatched; anything else is
 * rejected so an unexpected macType cannot silently hash nothing.
 *
 * hmac  HMAC object whose inner hash state is updated.
 * data  Bytes to hash.
 * sz    Number of bytes in data.
 * returns 0 on success, BAD_FUNC_ARG for an unsupported macType, otherwise
 *         the error from the underlying wc_*Update() call.
 */
static int Hmac_HashUpdate(Hmac* hmac, const byte* data, word32 sz)
{
    switch (hmac->macType) {
    #ifndef NO_SHA
        case WC_SHA:
            return wc_ShaUpdate(&hmac->hash.sha, data, sz);
    #endif /* !NO_SHA */

    #ifndef NO_SHA256
        case WC_SHA256:
            return wc_Sha256Update(&hmac->hash.sha256, data, sz);
    #endif /* !NO_SHA256 */

    #ifdef WOLFSSL_SHA384
        case WC_SHA384:
            return wc_Sha384Update(&hmac->hash.sha384, data, sz);
    #endif /* WOLFSSL_SHA384 */

    #ifdef WOLFSSL_SHA512
        case WC_SHA512:
            return wc_Sha512Update(&hmac->hash.sha512, data, sz);
    #endif /* WOLFSSL_SHA512 */

    #ifdef WOLFSSL_SM3
        case WC_SM3:
            return wc_Sm3Update(&hmac->hash.sm3, data, sz);
    #endif /* WOLFSSL_SM3 */

        default:
            break;
    }

    /* Unknown or not-compiled-in hash algorithm. */
    return BAD_FUNC_ARG;
}
/* Read out the current inner-hash state without applying the end-of-content
 * marker, padding or length encoding (the caller builds those blocks itself).
 *
 * hmac  HMAC object whose inner hash state is finalized.
 * hash  Output buffer for the raw state.
 * returns 0 on success, BAD_FUNC_ARG for an unsupported macType, otherwise
 *         the error from the underlying wc_*FinalRaw() call.
 */
static int Hmac_HashFinalRaw(Hmac* hmac, unsigned char* hash)
{
    switch (hmac->macType) {
    #ifndef NO_SHA
        case WC_SHA:
            return wc_ShaFinalRaw(&hmac->hash.sha, hash);
    #endif /* !NO_SHA */

    #ifndef NO_SHA256
        case WC_SHA256:
            return wc_Sha256FinalRaw(&hmac->hash.sha256, hash);
    #endif /* !NO_SHA256 */

    #ifdef WOLFSSL_SHA384
        case WC_SHA384:
            return wc_Sha384FinalRaw(&hmac->hash.sha384, hash);
    #endif /* WOLFSSL_SHA384 */

    #ifdef WOLFSSL_SHA512
        case WC_SHA512:
            return wc_Sha512FinalRaw(&hmac->hash.sha512, hash);
    #endif /* WOLFSSL_SHA512 */

    #ifdef WOLFSSL_SM3
        case WC_SM3:
            return wc_Sm3FinalRaw(&hmac->hash.sm3, hash);
    #endif /* WOLFSSL_SM3 */

        default:
            break;
    }

    /* Unknown or not-compiled-in hash algorithm. */
    return BAD_FUNC_ARG;
}
/* Compute the outer HMAC hash: H(opad || innerHash) -> mac.
 *
 * The inner hash is expected to already be in hmac->innerHash (filled by
 * the constant-time update path). A scratch wc_HashAlg is allocated on the
 * hmac's heap for the outer computation and released before returning.
 *
 * hmac  HMAC object supplying opad, innerHash and the hash type.
 * mac   Output buffer for the final MAC (digest-size bytes).
 * returns 0 on success, MEMORY_E if the scratch hash cannot be allocated,
 *         BAD_FUNC_ARG when the hash type has no known digest/block size,
 *         otherwise the first wc_Hash*() error.
 */
static int Hmac_OuterHash(Hmac* hmac, unsigned char* mac)
{
    enum wc_HashType hashType = (enum wc_HashType)hmac->macType;
    int digestSz = wc_HashGetDigestSize(hashType);
    int blockSz  = wc_HashGetBlockSize(hashType);
    int ret;
    WC_DECLARE_VAR(hash, wc_HashAlg, 1, hmac ? hmac->heap : NULL);

    WC_ALLOC_VAR_EX(hash, wc_HashAlg, 1, hmac->heap, DYNAMIC_TYPE_HASHES,
                    return MEMORY_E);

    if (digestSz < 0 || blockSz < 0) {
        /* Negative sizes are the wc_HashGet*Size() error signal. */
        ret = BAD_FUNC_ARG;
    }
    else {
        ret = wc_HashInit(hash, hashType);
        if (ret == 0) {
            ret = wc_HashUpdate(hash, hashType, (byte*)hmac->opad,
                                (word32)blockSz);
            if (ret == 0) {
                ret = wc_HashUpdate(hash, hashType, (byte*)hmac->innerHash,
                                    (word32)digestSz);
            }
            if (ret == 0) {
                ret = wc_HashFinal(hash, hashType, mac);
            }
            /* Free the hash state whenever init succeeded, even on error. */
            wc_HashFree(hash, hashType);
        }
    }

    WC_FREE_VAR_EX(hash, hmac->heap, DYNAMIC_TYPE_HASHES);
    return ret;
}
/* Calculate the HMAC of the header + message data.
 * Constant time implementation using wc_Sha*FinalRaw().
 *
 * The amount of work (hash blocks processed) depends only on sz, never on
 * the padding length byte in[sz - 1], so a MAC check on a record with bad
 * padding takes the same time as one with good padding. The last blocks
 * are assembled byte-by-byte with constant-time masks (ctMask*) and every
 * candidate block is hashed; only the block that really carries the length
 * contributes to hmac->innerHash.
 *
 * hmac     HMAC object (ipad/opad already set by wc_HmacSetKey()).
 * digest   MAC result.
 * in       Message data: content, MAC, padding and the trailing padding
 *          length byte; in[sz - 1] is read as the padding length.
 * sz       Size of the message data (must be >= 1; TLS_hmac() passes
 *          sz + hashSz + padSz + 1).
 * macLen   MAC length in bytes; must be 1..sizeof(hmac->innerHash).
 * header   Constructed record header with length of handshake data.
 * headerSz Length of header
 * returns 0 on success, otherwise failure.
 */
static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
                           word32 sz, int macLen, byte* header, word32 headerSz)
{
    byte         lenBytes[8];
    int          i, j;
    unsigned int k;
    int          blockBits, blockMask;
    int          lastBlockLen, extraLen, eocIndex;
    int          blocks;
    int          safeBlocks;
    int          lenBlock;
    int          eocBlock;
    word32       maxLen;
    int          blockSz, padSz;
    int          ret;
    word32       realLen;
    byte         extraBlock;

    /* innerHash is the staging area for the inner digest; refuse a macLen
     * that would overrun it. */
    if (macLen <= 0 || macLen > (int)sizeof(hmac->innerHash))
        return BAD_FUNC_ARG;

    /* Per-algorithm block geometry: block size, log2(block size) and the
     * minimum number of bytes the EOC marker plus length field occupy. */
    switch (hmac->macType) {
    #ifndef NO_SHA
        case WC_SHA:
            blockSz = WC_SHA_BLOCK_SIZE;
            blockBits = 6;
            padSz = WC_SHA_BLOCK_SIZE - WC_SHA_PAD_SIZE + 1;
            break;
    #endif /* !NO_SHA */

    #ifndef NO_SHA256
        case WC_SHA256:
            blockSz = WC_SHA256_BLOCK_SIZE;
            blockBits = 6;
            padSz = WC_SHA256_BLOCK_SIZE - WC_SHA256_PAD_SIZE + 1;
            break;
    #endif /* !NO_SHA256 */

    #ifdef WOLFSSL_SHA384
        case WC_SHA384:
            blockSz = WC_SHA384_BLOCK_SIZE;
            blockBits = 7;
            padSz = WC_SHA384_BLOCK_SIZE - WC_SHA384_PAD_SIZE + 1;
            break;
    #endif /* WOLFSSL_SHA384 */

    #ifdef WOLFSSL_SHA512
        case WC_SHA512:
            blockSz = WC_SHA512_BLOCK_SIZE;
            blockBits = 7;
            padSz = WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE + 1;
            break;
    #endif /* WOLFSSL_SHA512 */

    #ifdef WOLFSSL_SM3
        case WC_SM3:
            blockSz = WC_SM3_BLOCK_SIZE;
            blockBits = 6;
            padSz = WC_SM3_BLOCK_SIZE - WC_SM3_PAD_SIZE + 1;
            break;
    #endif /* WOLFSSL_SM3 */

        default:
            return BAD_FUNC_ARG;
    }
    /* Block sizes are powers of two, so this mask gives the in-block offset. */
    blockMask = blockSz - 1;

    /* Size of data to HMAC if padding length byte is zero. */
    maxLen = WOLFSSL_TLS_HMAC_INNER_SZ + sz - 1 - (word32)macLen;

    /* Complete data (including padding) has block for EOC and/or length. */
    extraBlock = ctSetLTE(((int)maxLen + padSz) & blockMask, padSz);
    /* Total number of blocks for data including padding. */
    blocks = ((int)(maxLen + (word32)blockSz - 1) >> blockBits) + extraBlock;
    /* Up to last 6 blocks can be hashed safely. Anything before them cannot
     * be affected by the padding length, so it is fed to the hash directly;
     * the tail is processed block-by-block with masks below. */
    safeBlocks = blocks - 6;

    /* Length of message data. in[sz - 1] is the untrusted padding length. */
    realLen = maxLen - in[sz - 1];
    /* Number of message bytes in last block. */
    lastBlockLen = (int)realLen & blockMask;
    /* Number of padding bytes in last block. */
    extraLen = ((blockSz * 2 - padSz - lastBlockLen) & blockMask) + 1;
    /* Number of blocks to create for hash. */
    lenBlock = ((int)realLen + extraLen) >> blockBits;
    /* Block containing EOC byte. */
    eocBlock = (int)(realLen >> (word32)blockBits);
    /* Index of EOC byte in block. */
    eocIndex = (int)(realLen & (word32)blockMask);

    /* Add length of hmac's ipad to total length. */
    realLen += (word32)blockSz;
    /* Length as bits - 8 bytes bigendian. The high word holds the bits that
     * overflow out of realLen << 3. */
    c32toa(realLen >> ((sizeof(word32) * 8) - 3), lenBytes);
    c32toa(realLen << 3, lenBytes + sizeof(word32));

    /* Inner hash starts with the ipad block. */
    ret = Hmac_HashUpdate(hmac, (unsigned char*)hmac->ipad, (word32)blockSz);
    if (ret != 0)
        return ret;

    XMEMSET(hmac->innerHash, 0, (size_t)macLen);

    if (safeBlocks > 0) {
        /* Header plus enough of the message to fill the safe blocks. */
        ret = Hmac_HashUpdate(hmac, header, headerSz);
        if (ret != 0)
            return ret;
        ret = Hmac_HashUpdate(hmac, in, (word32)(safeBlocks * blockSz -
                                WOLFSSL_TLS_HMAC_INNER_SZ));

        if (ret != 0)
            return ret;
    }
    else
        safeBlocks = 0;

    XMEMSET(digest, 0, (size_t)macLen);
    /* k walks the combined header || message stream from the first byte
     * not yet hashed. */
    k = (unsigned int)(safeBlocks * blockSz);
    for (i = safeBlocks; i < blocks; i++) {
        unsigned char hashBlock[WC_MAX_BLOCK_SIZE];
        unsigned char isEocBlock = ctMaskEq(i, eocBlock);
        unsigned char isOutBlock = ctMaskEq(i, lenBlock);

        /* Build this block a byte at a time: data, the 0x80 EOC marker,
         * zero padding or the length field, chosen by masks not branches. */
        for (j = 0; j < blockSz; j++) {
            unsigned char atEoc = ctMaskEq(j, eocIndex) & isEocBlock;
            /* volatile presumably keeps the compiler from folding the mask
             * arithmetic back into a data-dependent branch. */
            volatile unsigned char maskPastEoc = ctMaskGT(j, eocIndex);
            volatile unsigned char pastEoc = maskPastEoc & isEocBlock;
            unsigned char b = 0;

            if (k < headerSz)
                b = header[k];
            else if (k < maxLen)
                b = in[k - headerSz];
            k++;

            b = ctMaskSel(atEoc, 0x80, b);
            b &= (unsigned char)~(word32)pastEoc;
            b &= ((unsigned char)~(word32)isOutBlock) | isEocBlock;

            /* Last 8 bytes of the length block carry the bit length. */
            if (j >= blockSz - 8) {
                b = ctMaskSel(isOutBlock, lenBytes[j - (blockSz - 8)], b);
            }

            hashBlock[j] = b;
        }

        /* cppcheck-suppress uninitvar */
        ret = Hmac_HashUpdate(hmac, hashBlock, (word32)blockSz);
        if (ret != 0)
            return ret;
        /* Snapshot the state after every block; only the real final block's
         * snapshot survives the OR below because isOutBlock masks the rest. */
        ret = Hmac_HashFinalRaw(hmac, hashBlock);
        if (ret != 0)
            return ret;
        for (j = 0; j < macLen; j++)
            ((unsigned char*)hmac->innerHash)[j] |= hashBlock[j] & isOutBlock;
    }

    ret = Hmac_OuterHash(hmac, digest);

    return ret;
}
#endif
1191
1192
#if defined(WOLFSSL_NO_HASH_RAW) || defined(HAVE_FIPS) || \
1193
    defined(HAVE_SELFTEST) || defined(HAVE_BLAKE2B)
1194
1195
/* Calculate the HMAC of the header + message data.
 * Constant time implementation using normal hashing operations.
 * Update-Final need to be constant time.
 *
 * Used where the raw-final variant is unavailable (WOLFSSL_NO_HASH_RAW,
 * FIPS/selftest builds) or for BLAKE2b. The real message is hashed with
 * wc_HmacUpdate()/wc_HmacFinal() and then extra "dummy" blocks are hashed
 * so that the total number of compression calls matches what the maximum
 * possible message length would have required, independent of the padding
 * length byte.
 *
 * hmac     HMAC object (key already set).
 * digest   MAC result.
 * in       Message data: content, MAC, padding and the trailing padding
 *          length byte; in[sz - 1] is read as the padding length.
 * sz       Size of the message data (must be >= 1; TLS_hmac() passes
 *          sz + hashSz + padSz + 1).
 * header   Constructed record header with length of handshake data.
 * headerSz Length of header
 * returns 0 on success, otherwise failure.
 */
static int Hmac_UpdateFinal(Hmac* hmac, byte* digest, const byte* in,
                            word32 sz, byte* header, word32 headerSz)
{
    byte       dummy[WC_MAX_BLOCK_SIZE] = {0};
    int        ret = 0;
    word32     msgSz, blockSz, macSz, padSz, maxSz, realSz;
    word32     offset = 0;
    int        msgBlocks, blocks, blockBits;
    int        i;

    /* Per-algorithm geometry: block size, log2(block size), MAC size and the
     * minimum bytes taken by EOC marker plus length (0 for BLAKE2b, which has
     * no Merkle-Damgard length padding). */
    switch (hmac->macType) {
    #ifndef NO_SHA
        case WC_SHA:
            blockSz = WC_SHA_BLOCK_SIZE;
            blockBits = 6;
            macSz = WC_SHA_DIGEST_SIZE;
            padSz = WC_SHA_BLOCK_SIZE - WC_SHA_PAD_SIZE + 1;
            break;
    #endif /* !NO_SHA */

    #ifndef NO_SHA256
        case WC_SHA256:
            blockSz = WC_SHA256_BLOCK_SIZE;
            blockBits = 6;
            macSz = WC_SHA256_DIGEST_SIZE;
            padSz = WC_SHA256_BLOCK_SIZE - WC_SHA256_PAD_SIZE + 1;
            break;
    #endif /* !NO_SHA256 */

    #ifdef WOLFSSL_SHA384
        case WC_SHA384:
            blockSz = WC_SHA384_BLOCK_SIZE;
            blockBits = 7;
            macSz = WC_SHA384_DIGEST_SIZE;
            padSz = WC_SHA384_BLOCK_SIZE - WC_SHA384_PAD_SIZE + 1;
            break;
    #endif /* WOLFSSL_SHA384 */

    #ifdef WOLFSSL_SHA512
        case WC_SHA512:
            blockSz = WC_SHA512_BLOCK_SIZE;
            blockBits = 7;
            macSz = WC_SHA512_DIGEST_SIZE;
            padSz = WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE + 1;
            break;
    #endif /* WOLFSSL_SHA512 */

    #ifdef HAVE_BLAKE2B
        case WC_HASH_TYPE_BLAKE2B:
            blockSz = BLAKE2B_BLOCKBYTES;
            blockBits = 7;
            macSz = BLAKE2B_256;
            padSz = 0;
            break;
    #endif /* HAVE_BLAKE2B */

    #ifdef WOLFSSL_SM3
        case WC_SM3:
            blockSz = WC_SM3_BLOCK_SIZE;
            blockBits = 6;
            macSz = WC_SM3_DIGEST_SIZE;
            padSz = WC_SM3_BLOCK_SIZE - WC_SM3_PAD_SIZE + 1;
            break;
    #endif

        default:
            WOLFSSL_MSG("ERROR: Hmac_UpdateFinal failed, no hmac->macType");
            return BAD_FUNC_ARG;
    }

    /* Content length implied by the (untrusted) padding length byte. */
    msgSz = sz - (1 + in[sz - 1] + macSz);
    /* Make negative result 0: bit 31 set means the subtraction wrapped, and
     * the mask clears the value without a branch. */
    msgSz &= ~(0 - (msgSz >> 31));
    realSz = WOLFSSL_TLS_HMAC_INNER_SZ + msgSz;
    /* Largest content length any padding value could yield. */
    maxSz = WOLFSSL_TLS_HMAC_INNER_SZ + (sz - 1) - macSz;
    /* Make negative result 0 */
    maxSz &= ~(0 - (maxSz >> 31));

    /* Calculate #blocks processed in HMAC for max and real data. */
    blocks      = (int)(maxSz >> blockBits);
    blocks     += ((maxSz + padSz) % blockSz) < padSz;
    msgBlocks   = (int)(realSz >> blockBits);
    /* #Extra blocks to process. */
    blocks -= msgBlocks + ((((realSz + padSz) % blockSz) < padSz) ? 1 : 0);
    /* Calculate whole blocks. */
    msgBlocks--;

    ret = wc_HmacUpdate(hmac, header, headerSz);
    if (ret == 0) {
        /* Fill the rest of the block with any available data. currSz is
         * min(msgSz, blockSz) minus the header already fed, clamped at 0,
         * computed with masks rather than comparisons. */
        word32 currSz = ctMaskLT((int)msgSz, (int)blockSz) & msgSz;
        currSz |= ctMaskGTE((int)msgSz, (int)blockSz) & blockSz;
        currSz -= WOLFSSL_TLS_HMAC_INNER_SZ;
        currSz &= ~(0 - (currSz >> 31));
        ret = wc_HmacUpdate(hmac, in, currSz);
        offset = currSz;
    }
    if (ret == 0) {
        /* Do the hash operations on a block basis. */
        for (i = 0; i < msgBlocks; i++, offset += blockSz) {
            ret = wc_HmacUpdate(hmac, in + offset, blockSz);
            if (ret != 0)
                break;
        }
    }
    if (ret == 0)
        ret = wc_HmacUpdate(hmac, in + offset, msgSz - offset);
    if (ret == 0)
        ret = wc_HmacFinal(hmac, digest);
    if (ret == 0) {
        /* Do the dummy hash operations. Do at least one. These equalise the
         * block count against the maximum-length case; their output is
         * discarded. */
        for (i = 0; i < blocks + 1; i++) {
            ret = wc_HmacUpdate(hmac, dummy, blockSz);
            if (ret != 0)
                break;
        }
    }

    return ret;
}
#endif
1329
1330
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID)
1331
#define TLS_HMAC_CID_SZ(s, v) \
1332
                ((v) ? DtlsGetCidRxSize((s)) \
1333
                     : DtlsGetCidTxSize((s)))
1334
#define TLS_HMAC_CID(s, v, b, c) \
1335
                ((v) ? wolfSSL_dtls_cid_get_rx((s), (b), (c)) \
1336
                     : wolfSSL_dtls_cid_get_tx((s), (b), (c)))
1337
#endif
1338
1339
/* Build the MAC inner header for a record, choosing the DTLS Connection ID
 * layout when a CID is in use and the plain TLS layout otherwise.
 *
 * ssl        Session providing version, sequence numbers and CID state.
 * inner      Output buffer; must hold the larger CID layout when CID is
 *            compiled in (see TLS_HMAC_INNER_SZ at the call site).
 * innerSz    Receives the number of header bytes written.
 * sz         Record length written into the header.
 * content    Record content type.
 * verify     Non-zero for the receive (verify) direction.
 * epochOrder Sequence number selector passed to WriteSEQ() for DTLS.
 * returns 0 on success, DTLS_CID_ERROR if the CID is too large or cannot be
 *         read, otherwise the wolfSSL_SetTlsHmacInner() result.
 */
static int TLS_hmac_SetInner(WOLFSSL* ssl, byte* inner, word32* innerSz,
        word32 sz, int content, int verify, int epochOrder)
{
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID)
    unsigned int cidSz = 0;

    if (ssl->options.dtls)
        cidSz = TLS_HMAC_CID_SZ(ssl, verify);

    if (cidSz > 0) {
        byte* p = inner;

        if (cidSz > DTLS_CID_MAX_SIZE) {
            WOLFSSL_MSG("DTLS CID too large");
            return DTLS_CID_ERROR;
        }

        /* CID layout: 0xFF*SEQ_SZ | tls12_cid | cidSz | tls12_cid |
         * major | minor | seq | cid | length. */
        XMEMSET(p, 0xFF, SEQ_SZ);
        p += SEQ_SZ;
        *p++ = dtls12_cid;
        *p++ = (byte)cidSz;
        *p++ = dtls12_cid;
        *p++ = ssl->version.major;
        *p++ = ssl->version.minor;
        WriteSEQ(ssl, epochOrder, p);
        p += SEQ_SZ;
        if (TLS_HMAC_CID(ssl, verify, p, cidSz) ==
                WC_NO_ERR_TRACE(WOLFSSL_FAILURE)) {
            WOLFSSL_MSG("DTLS CID write failed");
            return DTLS_CID_ERROR;
        }
        p += cidSz;
        c16toa((word16)sz, p);
        p += LENGTH_SZ;

        *innerSz = (word32)(p - inner);
        return 0;
    }
#endif
    /* Plain layout; DTLS selects the sequence number by epochOrder. */
    *innerSz = WOLFSSL_TLS_HMAC_INNER_SZ;
    return wolfSSL_SetTlsHmacInner(ssl, inner, sz, content,
            ssl->options.dtls ? epochOrder : verify);
}
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID)
1379
#define TLS_HMAC_INNER_SZ WOLFSSL_TLS_HMAC_CID_INNER_SZ
1380
#else
1381
0
#define TLS_HMAC_INNER_SZ WOLFSSL_TLS_HMAC_INNER_SZ
1382
#endif
1383
1384
/* Compute (or, on the receive side, verify-compute) the record MAC.
 *
 * When verify is set and padSz is non-negative the record is a received
 * CBC record whose padding has not yet been trusted, so one of the
 * constant-time Hmac_UpdateFinal* routines is used over sz + hashSz +
 * padSz + 1 bytes (computed with overflow checks). Otherwise the MAC is
 * computed directly over the inner header and sz bytes of content.
 *
 * ssl        Session providing keys, specs and sequence numbers.
 * digest     Output buffer for the MAC.
 * in         Record data.
 * sz         Length of the content portion of in.
 * padSz      Padding length, or negative when not applicable.
 * content    Record content type.
 * verify     Non-zero for the receive direction.
 * epochOrder DTLS sequence number selector.
 * returns 0 on success, BAD_FUNC_ARG when ssl is NULL, MEMORY_E when the
 *         Hmac cannot be allocated, BUFFER_E when the total length would
 *         overflow, otherwise the first failing wc_Hmac*/helper result.
 */
int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz,
             int content, int verify, int epochOrder)
{
    WC_DECLARE_VAR(hmac, Hmac, 1, ssl ? ssl->heap : NULL);
    byte        myInner[TLS_HMAC_INNER_SZ];
    word32      innerSz = TLS_HMAC_INNER_SZ;
    int         ret = 0;
    const byte* macSecret = NULL;
    word32      hashSz = 0;
    word32      totalSz = 0;
    int         ctVerify;

    if (ssl == NULL)
        return BAD_FUNC_ARG;

    WC_ALLOC_VAR_EX(hmac, Hmac, 1, ssl->heap, DYNAMIC_TYPE_HMAC,
                    return MEMORY_E);

    /* Only the receive path with a known padding length takes the
     * constant-time route. */
    ctVerify = (verify && padSz >= 0);

#ifdef HAVE_TRUNCATED_HMAC
    hashSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
                                        : ssl->specs.hash_size;
#else
    hashSz = ssl->specs.hash_size;
#endif

    /* Pre-compute sz + hashSz + padSz + 1 with overflow checking.
     * Used by fuzzer callback and Hmac_UpdateFinal* in the verify path. */
    if (ctVerify) {
        word32 hmacSz = 0;
        if (!WC_SAFE_SUM_WORD32(sz, hashSz, hmacSz) ||
            !WC_SAFE_SUM_WORD32(hmacSz, (word32)padSz, hmacSz) ||
            !WC_SAFE_SUM_WORD32(hmacSz, 1, hmacSz)) {
            ret = BUFFER_E;
            goto out_free;
        }
        totalSz = hmacSz;
    }

#ifdef HAVE_FUZZER
    /* Fuzz "in" buffer with the size the HMAC algorithm will consume. */
    if (ssl->fuzzerCb) {
        ssl->fuzzerCb(ssl, in, ctVerify ? totalSz : sz, FUZZ_HMAC,
                      ssl->fuzzerCtx);
    }
#endif

    ret = TLS_hmac_SetInner(ssl, myInner, &innerSz, sz, content, verify,
                            epochOrder);
    if (ret != 0)
        goto out_free;

    ret = wc_HmacInit(hmac, ssl->heap, ssl->devId);
    if (ret != 0)
        goto out_free;

#ifdef WOLFSSL_DTLS
    if (ssl->options.dtls)
        macSecret = wolfSSL_GetDtlsMacSecret(ssl, verify, epochOrder);
    else
#endif
        macSecret = wolfSSL_GetMacSecret(ssl, verify);

    ret = wc_HmacSetKey(hmac, wolfSSL_GetHmacType(ssl), macSecret,
                        ssl->specs.hash_size);
    if (ret != 0)
        goto out_hmac;

    if (!ctVerify) {
        /* Send side (or trusted input): straightforward HMAC. */
        ret = wc_HmacUpdate(hmac, myInner, innerSz);
        if (ret == 0)
            ret = wc_HmacUpdate(hmac, in, sz);                /* content */
        if (ret == 0)
            ret = wc_HmacFinal(hmac, digest);
        goto out_hmac;
    }

    /* Constant time verification required. */
#if !defined(WOLFSSL_NO_HASH_RAW) && !defined(HAVE_FIPS) && \
    !defined(HAVE_SELFTEST)
    #ifdef HAVE_BLAKE2B
    if (wolfSSL_GetHmacType(ssl) == WC_HASH_TYPE_BLAKE2B) {
        /* BLAKE2b has no raw-final; use the dummy-block variant. */
        ret = Hmac_UpdateFinal(hmac, digest, in, totalSz, myInner, innerSz);
    }
    else
    #endif
    {
        ret = Hmac_UpdateFinal_CT(hmac, digest, in, totalSz, (int)hashSz,
                                  myInner, innerSz);
    }
#else
    ret = Hmac_UpdateFinal(hmac, digest, in, totalSz, myInner, innerSz);
#endif

out_hmac:
    wc_HmacFree(hmac);
out_free:
    WC_FREE_VAR_EX(hmac, ssl->heap, DYNAMIC_TYPE_HMAC);
    return ret;
}
1495
#endif /* WOLFSSL_AEAD_ONLY */
#endif /* !WOLFSSL_NO_TLS12 */
/* Map a cipher spec's MAC algorithm to the wolfCrypt hash type.
 *
 * specs  Cipher specs carrying mac_algorithm.
 * returns the WC_* hash type (BLAKE2B_ID for blake2b), BAD_FUNC_ARG when
 *         specs is NULL, WOLFSSL_FATAL_ERROR for an unknown or not-compiled-in
 *         MAC algorithm.
 */
int wolfSSL_GetHmacType_ex(CipherSpecs* specs)
{
    int hashType = WOLFSSL_FATAL_ERROR;

    if (specs == NULL)
        return BAD_FUNC_ARG;

    switch (specs->mac_algorithm) {
        #ifndef NO_MD5
        case md5_mac:
            hashType = WC_MD5;
            break;
        #endif
        #ifndef NO_SHA256
        case sha256_mac:
            hashType = WC_SHA256;
            break;
        #endif
        #ifdef WOLFSSL_SHA384
        case sha384_mac:
            hashType = WC_SHA384;
            break;
        #endif
        #ifdef WOLFSSL_SM3
        case sm3_mac:
            hashType = WC_SM3;
            break;
        #endif
        #ifndef NO_SHA
        case sha_mac:
            hashType = WC_SHA;
            break;
        #endif
        #ifdef HAVE_BLAKE2B
        case blake2b_mac:
            hashType = BLAKE2B_ID;
            break;
        #endif
        default:
            /* Leave the fatal-error sentinel in place. */
            break;
    }

    return hashType;
}
#ifdef HAVE_TLS_EXTENSIONS
1549
1550
/**
1551
 * The TLSX semaphore is used to calculate the size of the extensions to be sent
1552
 * from one peer to another.
1553
 */
1554
1555
/** Supports up to 72 flags. Increase as needed. */
1556
#define SEMAPHORE_SIZE 9
1557
1558
/**
 * Converts the extension type (id) to an index in the semaphore.
 *
 * Official reference for TLS extension types:
 *   http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml
 *
 * Background:
 *   The extension type used to be the semaphore index directly, which worked
 *   while types were assigned sequentially. A semaphore as large as the whole
 *   extension type space stopped being an option once renegotiation_info
 *   (0xFF01) appeared, so types beyond the semaphore range are remapped to
 *   the top indices, counting down from 63.
 *
 * Updating:
 *   Give a new extension type that does not fit the semaphore the next free
 *   index from the top of the array. For a new type that does fit, check it
 *   does not collide with one of the remapped indices.
 *
 * Update TLSX_Parse for duplicate detection if more added above 62.
 *
 * type  TLS extension type value.
 * returns the semaphore index; unknown types above 62 are returned unchanged
 *         after logging a collision/overflow warning.
 */
static WC_INLINE word16 TLSX_ToSemaphore(word16 type)
{
    word16 index = type;

    switch (type) {

        case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */
            index = 63;
            break;
#ifdef WOLFSSL_QUIC
        case TLSX_KEY_QUIC_TP_PARAMS_DRAFT: /* 0xffa5 */
            index = 64;
            break;
#endif
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
        case TLSX_ECH: /* 0xfe0d */
            index = 65;
            break;
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
        case TLSX_CKS:
            index = 66;
            break;
#endif
        default:
            if (type > 62) {
                /* Only expected while adding a new extension whose IANA
                   number falls outside the semaphore range, or whose number
                   is already taken by a remapped extension. Assign the new
                   extension the current check value and decrement the check
                   value by one. */
                WOLFSSL_MSG("### TLSX semaphore collision or overflow detected!");
            }
            break;
    }

    return index;
}
1611
1612
/** Checks if a specific light (tls extension) is not set in the semaphore. */
1613
#define IS_OFF(semaphore, light) \
1614
0
    (!(((semaphore)[(light) / 8] &  (byte) (0x01 << ((light) % 8)))))
1615
1616
/** Turn on a specific light (tls extension) in the semaphore. */
1617
/* the semaphore marks the extensions already written to the message */
1618
#define TURN_ON(semaphore, light) \
1619
0
    ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8)))
1620
1621
/** Turn off a specific light (tls extension) in the semaphore. */
1622
#define TURN_OFF(semaphore, light) \
1623
0
    ((semaphore)[(light) / 8] &= (byte) ~(0x01 << ((light) % 8)))
/** Allocates a single, unlinked extension node.
 *
 * type  Extension type stored in the node.
 * data  Type-specific payload; stored as-is (ownership stays as the caller
 *       arranged it - the node only holds the pointer).
 * heap  Heap hint for XMALLOC.
 * returns the new node with resp = 0 and next = NULL, or NULL on allocation
 *         failure.
 */
static TLSX* TLSX_New(TLSX_Type type, const void* data, void* heap)
{
    TLSX* extension;

    (void)heap;

    extension = (TLSX*)XMALLOC(sizeof(TLSX), heap, DYNAMIC_TYPE_TLSX);
    if (extension == NULL)
        return NULL;

    extension->type = type;
    extension->data = (void*)data;
    extension->resp = 0;
    extension->next = NULL;

    return extension;
}
/**
 * Creates a new extension and appends it to the tail of the provided list.
 * Any existing entry of the same type is unlinked and freed, so the list
 * holds at most one extension per type and the newest wins.
 *
 * list  Address of the list head (may point at NULL for an empty list).
 * type  Extension type.
 * data  Type-specific payload handed to TLSX_New().
 * heap  Heap hint for allocation and freeing.
 * returns 0 on success, MEMORY_E when the node cannot be allocated.
 */
int TLSX_Append(TLSX** list, TLSX_Type type, const void* data, void* heap)
{
    TLSX*  extension = TLSX_New(type, data, heap);
    TLSX** link = list;

    if (extension == NULL)
        return MEMORY_E;

    /* Walk to the tail, dropping every entry of the same type on the way. */
    while (*link != NULL) {
        TLSX* cur = *link;

        if (cur->type != type) {
            link = &cur->next;
            continue;
        }

        /* Unlink cur, detach it from the rest so TLSX_FreeAll() stops at it. */
        *link = cur->next;
        cur->next = NULL;
        TLSX_FreeAll(cur, heap);
    }

    /* link now addresses the terminating NULL; hang the new node there. */
    *link = extension;

    return 0;
}
/**
 * Creates a new extension and pushes it onto the head of the provided list.
 * A pre-existing entry of the same type is unlinked and freed, so the newest
 * extension of each type is the one kept.
 *
 * list  Address of the list head (may point at NULL for an empty list).
 * type  Extension type.
 * data  Type-specific payload handed to TLSX_New().
 * heap  Heap hint for allocation and freeing.
 * returns 0 on success, MEMORY_E when the node cannot be allocated.
 */
int TLSX_Push(TLSX** list, TLSX_Type type, const void* data, void* heap)
{
    TLSX* extension = TLSX_New(type, data, heap);
    TLSX* cur;

    if (extension == NULL)
        return MEMORY_E;

    /* New node becomes the head. */
    extension->next = *list;
    *list = extension;

    /* Remove the single duplicate that may follow; the invariant is one
     * entry per type, so at most one can exist beyond the new head. */
    for (cur = extension; cur != NULL; cur = cur->next) {
        TLSX* candidate = cur->next;

        if (candidate != NULL && candidate->type == type) {
            cur->next = candidate->next;
            candidate->next = NULL;
            TLSX_FreeAll(candidate, heap);
            break;
        }
    }

    return 0;
}
#ifndef NO_WOLFSSL_CLIENT
1710
1711
int TLSX_CheckUnsupportedExtension(WOLFSSL* ssl, TLSX_Type type);
1712
1713
/* Reports whether an extension of the given type was configured neither on
 * the SSL object nor on its context. Returns 1 when it is unsupported (found
 * in neither list), 0 when found. */
int TLSX_CheckUnsupportedExtension(WOLFSSL* ssl, TLSX_Type type)
{
    TLSX* found = TLSX_Find(ssl->extensions, type);

    if (found != NULL)
        return 0;

    /* Fall back to the context-level list. */
    found = TLSX_Find(ssl->ctx->extensions, type);
    return (found == NULL) ? 1 : 0;
}
1722
1723
int TLSX_HandleUnsupportedExtension(WOLFSSL* ssl);
1724
1725
/* Rejects an extension this side did not offer: sends a fatal
 * unsupported_extension alert and returns UNSUPPORTED_EXTENSION, which the
 * callers return to abort the handshake. */
int TLSX_HandleUnsupportedExtension(WOLFSSL* ssl)
{
    SendAlert(ssl, alert_fatal, unsupported_extension);
    WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION);
    return UNSUPPORTED_EXTENSION;
}
1731
1732
#else
1733
1734
#define TLSX_CheckUnsupportedExtension(ssl, type) 0
1735
#define TLSX_HandleUnsupportedExtension(ssl) 0
1736
1737
#endif
1738
1739
#if !defined(NO_WOLFSSL_SERVER) || defined(WOLFSSL_TLS13)
1740
void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type);
1741
/** Mark an extension to be sent back to the client.
 *  Only the SSL object's own extension list is consulted; when no extension
 *  of that type is present the call is a no-op. */
void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type)
{
    TLSX* ext = TLSX_Find(ssl->extensions, type);

    if (ext == NULL)
        return;

    ext->resp = 1;
}
1749
#endif
1750
1751
/******************************************************************************/
1752
/* Application-Layer Protocol Negotiation                                     */
1753
/******************************************************************************/
1754
1755
#ifdef HAVE_ALPN
1756
/** Creates a new ALPN object holding a copy of the given protocol name.
 *  Exactly protocol_nameSz bytes are copied and NUL-terminated; names longer
 *  than WOLFSSL_MAX_ALPN_PROTO_NAME_LEN are rejected. The object starts
 *  unlinked, not negotiated and with no options.
 *  Returns NULL on invalid arguments or allocation failure. */
static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz,
                                                                     void* heap)
{
    ALPN* entry = NULL;
    char* nameCopy = NULL;

    WOLFSSL_ENTER("TLSX_ALPN_New");

    if (protocol_name == NULL ||
        protocol_nameSz > WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) {
        WOLFSSL_MSG("Invalid arguments");
        return NULL;
    }

    entry = (ALPN*)XMALLOC(sizeof(ALPN), heap, DYNAMIC_TYPE_TLSX);
    if (entry == NULL) {
        WOLFSSL_MSG("Memory failure");
        return NULL;
    }

    /* +1 for the terminator: the name is later measured with XSTRLEN */
    nameCopy = (char*)XMALLOC(protocol_nameSz + 1, heap, DYNAMIC_TYPE_TLSX);
    if (nameCopy == NULL) {
        WOLFSSL_MSG("Memory failure");
        XFREE(entry, heap, DYNAMIC_TYPE_TLSX);
        return NULL;
    }

    XMEMCPY(nameCopy, protocol_name, protocol_nameSz);
    nameCopy[protocol_nameSz] = 0;

    entry->next = NULL;
    entry->negotiated = 0;
    entry->options = 0;
    entry->protocol_name = nameCopy;

    (void)heap;

    return entry;
}
1795
1796
/** Releases one ALPN object together with its copied protocol name.
 *  A NULL pointer is accepted and ignored. */
static void TLSX_ALPN_Free(ALPN *alpn, void* heap)
{
    (void)heap;

    if (alpn != NULL) {
        /* the name first, then the node that owns it */
        XFREE(alpn->protocol_name, heap, DYNAMIC_TYPE_TLSX);
        XFREE(alpn, heap, DYNAMIC_TYPE_TLSX);
    }
}
1807
1808
/** Releases every ALPN object in the provided list. */
static void TLSX_ALPN_FreeAll(ALPN *list, void* heap)
{
    ALPN* cur = list;

    while (cur != NULL) {
        ALPN* following = cur->next; /* read before cur is released */

        TLSX_ALPN_Free(cur, heap);
        cur = following;
    }
}
1818
1819
/** Tells the buffered size of the ALPN objects in a list: the two-byte list
 *  length plus, per entry, one length byte and the name bytes. Returns 0 if
 *  the total would not fit in 16 bits. */
static word16 TLSX_ALPN_GetSize(ALPN *list)
{
    word32 total = OPAQUE16_LEN; /* list length prefix */
    ALPN* cur;

    for (cur = list; cur != NULL; cur = cur->next) {
        /* one byte of name length, then the name itself */
        total += 1 + (word32)XSTRLEN(cur->protocol_name);

        if (total > WOLFSSL_MAX_16BIT)
            return 0;
    }

    return (word16)total;
}
1838
1839
/** Writes the ALPN objects of a list into a buffer: a two-byte list length
 *  followed by <length byte, name bytes> for every entry. The caller sizes
 *  output with TLSX_ALPN_GetSize(); no bounds are checked here.
 *  Returns the number of bytes written. */
static word16 TLSX_ALPN_Write(ALPN *list, byte *output)
{
    word16 pos = OPAQUE16_LEN; /* skip the list length, written last */
    ALPN* cur;

    for (cur = list; cur != NULL; cur = cur->next) {
        word16 nameLen = (word16)XSTRLEN(cur->protocol_name);

        /* The length field is a single byte. TLSX_ALPN_New bounds names by
         * WOLFSSL_MAX_ALPN_PROTO_NAME_LEN, which is what keeps this cast
         * lossless. */
        output[pos] = (byte)nameLen;
        pos++;

        XMEMCPY(output + pos, cur->protocol_name, nameLen);
        pos += nameLen;
    }

    /* the list length excludes its own two-byte prefix */
    c16toa(pos - OPAQUE16_LEN, output);

    return pos;
}
1865
1866
/** Finds a protocol name in the provided ALPN list. protocol_name need not
 *  be NUL-terminated: exactly size bytes are compared, and the stored name
 *  must have that same length. Returns the entry or NULL. */
static ALPN* TLSX_ALPN_Find(ALPN *list, char *protocol_name, word16 size)
{
    ALPN* cur;

    if (list == NULL || protocol_name == NULL)
        return NULL;

    for (cur = list; cur != NULL; cur = cur->next) {
        if ((word16)XSTRLEN(cur->protocol_name) != size)
            continue;
        if (XSTRNCMP(cur->protocol_name, protocol_name, size) == 0)
            return cur;
    }

    return NULL;
}
1882
1883
/** Set the ALPN matching client and server requirements: records the single
 *  negotiated protocol (size bytes at data) as a new ALPN extension flagged
 *  negotiated, replacing any ALPN extension already on the list (TLSX_Push
 *  drops the older one). Returns WOLFSSL_SUCCESS, BAD_FUNC_ARG, MEMORY_E or
 *  the TLSX_Push error. */
static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size,
                                                                     void* heap)
{
    ALPN* chosen;
    int   pushRet;

    if (extensions == NULL || data == NULL)
        return BAD_FUNC_ARG;

    chosen = TLSX_ALPN_New((char *)data, size, heap);
    if (chosen == NULL) {
        WOLFSSL_MSG("Memory failure");
        return MEMORY_E;
    }

    chosen->negotiated = 1;

    pushRet = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL,
                        (void*)chosen, heap);
    if (pushRet == 0)
        return WOLFSSL_SUCCESS;

    /* push failed: the node was never linked, so release it here */
    TLSX_ALPN_Free(chosen, heap);
    return pushRet;
}
1910
1911
/* Looks for the first protocol in the peer's ALPN list (alpn_val, a run of
 * <length byte, name> items totalling alpn_val_len bytes, already validated
 * when it was received) that is also configured locally, on the SSL object
 * or else on its context.
 *
 * On return *pextension is the local ALPN extension (NULL when none is
 * configured) and *psel / *psel_len locate the matched name inside alpn_val
 * (NULL / 0 when nothing matched). A mismatch is tolerated only when the
 * local list carries WOLFSSL_ALPN_CONTINUE_ON_MISMATCH; otherwise a fatal
 * no_application_protocol alert is sent and UNKNOWN_ALPN_PROTOCOL_NAME_E
 * returned. Returns 0 otherwise. */
static int ALPN_find_match(WOLFSSL *ssl, TLSX **pextension,
                           const byte **psel, byte *psel_len,
                           const byte *alpn_val, word16 alpn_val_len)
{
    TLSX*       ext;
    ALPN*       local;
    const byte* cursor = alpn_val;
    const byte* chosen = NULL;
    byte        chosenLen = 0;

    ext = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
    if (ext == NULL)
        ext = TLSX_Find(ssl->ctx->extensions,
                        TLSX_APPLICATION_LAYER_PROTOCOL);

    /* Nothing configured locally: report that and let the caller decide. */
    if (ext == NULL || ext->data == NULL) {
        *pextension = NULL;
        *psel = NULL;
        *psel_len = 0;
        return 0;
    }

    local = (ALPN*)ext->data;

    /* Peer order decides: the first peer item present locally wins. */
    while ((cursor - alpn_val) < alpn_val_len) {
        byte        itemLen = *cursor; /* bounds already checked on save */
        const byte* itemName = cursor + 1;

        if (TLSX_ALPN_Find(local, (char*)itemName, itemLen) != NULL) {
            WOLFSSL_MSG("ALPN protocol match");
            chosen = itemName;
            chosenLen = itemLen;
            break;
        }

        cursor = itemName + itemLen;
    }

    if (chosen == NULL) {
        WOLFSSL_MSG("No ALPN protocol match");

        /* Only the options of the head entry of the local list are consulted
         * when deciding whether a mismatch may be ignored (OpenSSL-style). */
        if ((local->options & WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) == 0) {
            SendAlert(ssl, alert_fatal, no_application_protocol);
            WOLFSSL_ERROR_VERBOSE(UNKNOWN_ALPN_PROTOCOL_NAME_E);
            return UNKNOWN_ALPN_PROTOCOL_NAME_E;
        }
        WOLFSSL_MSG("Continue on mismatch");
    }

    *pextension = ext;
    *psel = chosen;
    *psel_len = chosenLen;
    return 0;
}
1967
1968
/* Server-side ALPN selection, run once the peer's ALPN list has been stored
 * by TLSX_ALPN_ParseAndSet(). Returns 0 at once when the peer sent no list
 * (ssl->alpn_peer_requested is NULL).
 *
 * With OPENSSL_ALL / WOLFSSL_NGINX / WOLFSSL_HAPROXY an application callback
 * (ssl->alpnSelect) may choose the protocol; otherwise ALPN_find_match()
 * picks the first peer protocol that is configured locally. A selection is
 * recorded as the negotiated protocol through TLSX_SetALPN() and the
 * extension is marked for the reply.
 *
 * Returns 0 on success or on a tolerated mismatch, UNKNOWN_ALPN_PROTOCOL_NAME_E
 * after sending a fatal no_application_protocol alert, BUFFER_ERROR when the
 * selection cannot be stored, or the error from ALPN_find_match(). */
int ALPN_Select(WOLFSSL *ssl)
{
    TLSX *extension; /* output of ALPN_find_match(); not used further here */
    const byte *sel = NULL;
    byte sel_len = 0;
    int r = 0;

    WOLFSSL_ENTER("ALPN_Select");
    if (ssl->alpn_peer_requested == NULL)
        return 0;

#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
    if (ssl->alpnSelect != NULL && ssl->options.side == WOLFSSL_SERVER_END) {
        /* The callback's choice is copied by TLSX_SetALPN() below, so sel
         * only has to stay valid for the duration of this call. */
        r = ssl->alpnSelect(ssl, &sel, &sel_len, ssl->alpn_peer_requested,
                ssl->alpn_peer_requested_length, ssl->alpnSelectArg);
        switch (r) {
            case SSL_TLSEXT_ERR_OK:
                WOLFSSL_MSG("ALPN protocol match");
                break;
            case SSL_TLSEXT_ERR_NOACK:
                /* no selection, but the handshake goes on without ALPN */
                WOLFSSL_MSG("ALPN cb no match but not fatal");
                sel = NULL;
                sel_len = 0;
                break;
            case SSL_TLSEXT_ERR_ALERT_FATAL:
            default:
                /* any other callback result is treated as fatal */
                WOLFSSL_MSG("ALPN cb no match and fatal");
                SendAlert(ssl, alert_fatal, no_application_protocol);
                WOLFSSL_ERROR_VERBOSE(UNKNOWN_ALPN_PROTOCOL_NAME_E);
                return UNKNOWN_ALPN_PROTOCOL_NAME_E;
        }
    }
    else
#endif
    {
        r = ALPN_find_match(ssl, &extension, &sel, &sel_len,
                            ssl->alpn_peer_requested,
                            ssl->alpn_peer_requested_length);
        if (r != 0)
            return r;
    }

    if (sel != NULL) {
        /* set the matching negotiated protocol. Any TLSX_SetALPN failure
         * (including MEMORY_E) is reported to the caller as BUFFER_ERROR. */
        r = TLSX_SetALPN(&ssl->extensions, sel, sel_len, ssl->heap);
        if (r != WOLFSSL_SUCCESS) {
            WOLFSSL_MSG("TLSX_SetALPN failed");
            return BUFFER_ERROR;
        }
        /* reply to ALPN extension sent from peer */
#ifndef NO_WOLFSSL_SERVER
        TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL);
#endif
    }
    return 0;
}
2024
2025
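/** Parses a buffer of ALPN extensions and set the first one matching
 * client and server requirements.
 *
 * input holds the extension payload: a two-byte list length followed by
 * <one length byte, name bytes> items; length is the payload size. Every
 * item is length-checked before anything is stored or acted upon.
 *
 * isRequest != 0 (the peer's ClientHello): the validated list is copied into
 * ssl->alpn_peer_requested for ALPN_Select() to evaluate later, replacing
 * any list stored by an earlier ClientHello.
 * isRequest == 0 (the peer's ServerHello): the list must hold exactly one
 * name (RFC 7301 section 3.1) and it must be one configured locally; the
 * match is stored as the negotiated protocol. A reply to an ALPN extension
 * never configured here is rejected as an unsupported extension.
 *
 * Returns 0 on success, BUFFER_ERROR on malformed input or when the match
 * cannot be stored, MEMORY_ERROR when the peer list cannot be stored, or
 * the error from ALPN_find_match() / TLSX_HandleUnsupportedExtension(). */
static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, const byte *input, word16 length,
                                 byte isRequest)
{
    word16  size = 0, offset = 0, wlen;
    int     r = WC_NO_ERR_TRACE(BUFFER_ERROR);
    const byte *s;

    if (OPAQUE16_LEN > length)
        return BUFFER_ERROR;

    ato16(input, &size);
    offset += OPAQUE16_LEN;

    /* validating alpn list length: the list must fill the payload exactly */
    if (size == 0 || length != OPAQUE16_LEN + size)
        return BUFFER_ERROR;

    /* validating length of entries before accepting. The bound is checked
     * on offsets rather than by forming s + wlen first, so that no pointer
     * past the end of input is ever computed for an oversized entry. */
    for (s = input + offset; (s - input) < length; s += wlen) {
        wlen = *s++;
        if (wlen == 0 || (word32)(s - input) + wlen > length)
            return BUFFER_ERROR;
    }

    if (isRequest) {
        /* keep the list sent by peer, if this is from a request. We
         * use it later in ALPN_Select() for evaluation. */
        if (ssl->alpn_peer_requested != NULL) {
            XFREE(ssl->alpn_peer_requested, ssl->heap, DYNAMIC_TYPE_ALPN);
            ssl->alpn_peer_requested_length = 0;
        }
        ssl->alpn_peer_requested = (byte *)XMALLOC(size, ssl->heap,
                                                   DYNAMIC_TYPE_ALPN);
        if (ssl->alpn_peer_requested == NULL) {
            /* length was reset above, so no stale size is left behind */
            return MEMORY_ERROR;
        }
        ssl->alpn_peer_requested_length = size;
        XMEMCPY(ssl->alpn_peer_requested, (char*)input + offset, size);
    }
    else {
        /* a response, we should find the value in our config */
        const byte *sel = NULL;
        byte sel_len = 0;
        TLSX *extension = NULL;

        /* RFC 7301 Section 3.1: a ServerHello ALPN extension MUST contain
         * exactly one protocol name. The first name's length byte plus its
         * payload must therefore span the whole list. */
        if ((word16)(input[offset] + OPAQUE8_LEN) != size) {
            SendAlert(ssl, alert_fatal, illegal_parameter);
            WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
            return BUFFER_ERROR;
        }

        /* the server may only pick a name we offered: match it against the
         * locally configured list */
        r = ALPN_find_match(ssl, &extension, &sel, &sel_len, input + offset, size);
        if (r != 0)
            return r;

        if (sel != NULL) {
            /* set the matching negotiated protocol */
            r = TLSX_SetALPN(&ssl->extensions, sel, sel_len, ssl->heap);
            if (r != WOLFSSL_SUCCESS) {
                WOLFSSL_MSG("TLSX_SetALPN failed");
                return BUFFER_ERROR;
            }
        }
        /* If we had nothing configured, the response is unexpected */
        else if (extension == NULL) {
            r = TLSX_HandleUnsupportedExtension(ssl);
            if (r != 0)
                return r;
        }
    }
    return 0;
}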
2102
2103
/** Add a protocol name to the list of accepted usable ones.
 *  The name (size bytes at data) is copied into a new ALPN entry carrying
 *  options; the entry is prepended to the existing ALPN extension's entries
 *  or becomes the payload of a new extension. Entries are not de-duplicated.
 *  Returns WOLFSSL_SUCCESS, BAD_FUNC_ARG, MEMORY_E (also for a name longer
 *  than WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) or a TLSX_Push error. */
int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options,
                                                                     void* heap)
{
    TLSX* ext;
    ALPN* entry;

    if (extensions == NULL || data == NULL)
        return BAD_FUNC_ARG;

    entry = TLSX_ALPN_New((char *)data, size, heap);
    if (entry == NULL) {
        WOLFSSL_MSG("Memory failure");
        return MEMORY_E;
    }

    entry->options = options;

    ext = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
    if (ext != NULL) {
        /* extension already present: the new entry becomes the list head */
        entry->next = (ALPN*)ext->data;
        ext->data = (void*)entry;
        return WOLFSSL_SUCCESS;
    }

    /* no ALPN extension yet: create one owning this single entry */
    {
        int pushRet = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL,
                                (void*)entry, heap);
        if (pushRet != 0) {
            TLSX_ALPN_Free(entry, heap);
            return pushRet;
        }
    }

    return WOLFSSL_SUCCESS;
}
2140
2141
/** Get the protocol name set by the server: the single negotiated entry of
 *  the ALPN extension on the list. *data aliases the stored name (no copy is
 *  made) and *dataSz is its length; both are cleared before lookup.
 *  Returns WOLFSSL_SUCCESS; BAD_FUNC_ARG on NULL arguments;
 *  WOLFSSL_ALPN_NOT_FOUND when no ALPN extension exists or nothing was
 *  negotiated and WOLFSSL_ALPN_FAILED_ON_MISMATCH is not set;
 *  WOLFSSL_FATAL_ERROR when the extension carries no entry, when nothing was
 *  negotiated and FAILED_ON_MISMATCH is set, or when more than one entry is
 *  present. */
int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
{
    TLSX* ext;
    ALPN* entry;
    char* name;

    if (extensions == NULL || data == NULL || dataSz == NULL)
        return BAD_FUNC_ARG;

    *data = NULL;
    *dataSz = 0;

    ext = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
    if (ext == NULL) {
        WOLFSSL_MSG("TLS extension not found");
        WOLFSSL_ERROR_VERBOSE(WOLFSSL_ALPN_NOT_FOUND);
        return WOLFSSL_ALPN_NOT_FOUND;
    }

    entry = (ALPN *)ext->data;
    if (entry == NULL) {
        WOLFSSL_MSG("ALPN extension not found");
        WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR);
        return WOLFSSL_FATAL_ERROR;
    }

    if (entry->negotiated != 1) {
        /* the entry's options decide whether a missing match is fatal */
        if ((entry->options & WOLFSSL_ALPN_FAILED_ON_MISMATCH) != 0) {
            WOLFSSL_MSG("No protocol match with peer -> Failed");
            WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR);
            return WOLFSSL_FATAL_ERROR;
        }

        WOLFSSL_MSG("No protocol match with peer -> Continue");
        WOLFSSL_ERROR_VERBOSE(WOLFSSL_ALPN_NOT_FOUND);
        return WOLFSSL_ALPN_NOT_FOUND;
    }

    /* a negotiated extension holds exactly one name (see TLSX_SetALPN) */
    if (entry->next != NULL) {
        WOLFSSL_MSG("Only one protocol name must be accepted");
        WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR);
        return WOLFSSL_FATAL_ERROR;
    }

    name = entry->protocol_name;
    *data = name;
    *dataSz = (word16)XSTRLEN(name);

    return WOLFSSL_SUCCESS;
}
2193
2194
#define ALPN_FREE_ALL     TLSX_ALPN_FreeAll
2195
#define ALPN_GET_SIZE     TLSX_ALPN_GetSize
2196
#define ALPN_WRITE        TLSX_ALPN_Write
2197
#define ALPN_PARSE        TLSX_ALPN_ParseAndSet
2198
2199
#else /* HAVE_ALPN */
2200
2201
0
#define ALPN_FREE_ALL(list, heap) WC_DO_NOTHING
2202
0
#define ALPN_GET_SIZE(list)     0
2203
0
#define ALPN_WRITE(a, b)        0
2204
0
#define ALPN_PARSE(a, b, c, d)  0
2205
2206
#endif /* HAVE_ALPN */
2207
2208
/******************************************************************************/
2209
/* Server Name Indication                                                     */
2210
/******************************************************************************/
2211
2212
#ifdef HAVE_SNI
2213
2214
/** Creates a new SNI object. Only WOLFSSL_SNI_HOST_NAME is a valid type; the
 *  name is copied with XSTRNCPY (at most size bytes, stopping at an embedded
 *  NUL) into a size + 1 buffer and NUL-terminated. On the server side the
 *  entry starts with no options and status WOLFSSL_SNI_NO_MATCH.
 *  Returns NULL on an invalid type or on allocation failure. */
static SNI* TLSX_SNI_New(byte type, const void* data, word16 size, void* heap)
{
    SNI* entry = (SNI*)XMALLOC(sizeof(SNI), heap, DYNAMIC_TYPE_TLSX);

    (void)heap;

    if (entry == NULL)
        return NULL;

    entry->type = type;
    entry->next = NULL;

    #ifndef NO_WOLFSSL_SERVER
    entry->options = 0;
    entry->status  = WOLFSSL_SNI_NO_MATCH;
    #endif

    if (type != WOLFSSL_SNI_HOST_NAME) {
        /* invalid type: nothing to copy, release the node */
        XFREE(entry, heap, DYNAMIC_TYPE_TLSX);
        return NULL;
    }

    /* +1 for the terminator that XSTRNCPY does not guarantee */
    entry->data.host_name = (char*)XMALLOC(size + 1, heap, DYNAMIC_TYPE_TLSX);
    if (entry->data.host_name == NULL) {
        XFREE(entry, heap, DYNAMIC_TYPE_TLSX);
        return NULL;
    }

    XSTRNCPY(entry->data.host_name, (const char*)data, size);
    entry->data.host_name[size] = '\0';

    return entry;
}
2251
2252
/** Releases a SNI object and, for a host-name entry, its copied name.
 *  NULL is accepted and ignored. */
static void TLSX_SNI_Free(SNI* sni, void* heap)
{
    (void)heap;

    if (sni == NULL)
        return;

    /* only the host-name type owns a separately allocated payload */
    if (sni->type == WOLFSSL_SNI_HOST_NAME)
        XFREE(sni->data.host_name, heap, DYNAMIC_TYPE_TLSX);

    XFREE(sni, heap, DYNAMIC_TYPE_TLSX);
}
2266
2267
/** Releases every SNI object in the provided list. */
static void TLSX_SNI_FreeAll(SNI* list, void* heap)
{
    SNI* cur = list;

    while (cur != NULL) {
        SNI* following = cur->next; /* read before cur is released */

        TLSX_SNI_Free(cur, heap);
        cur = following;
    }
}
2277
2278
/** Tells the buffered size of the SNI objects in a list: the two-byte list
 *  length plus, per entry, a type byte, a two-byte name length and (for a
 *  host name) the name bytes. Returns 0 if the total would not fit in
 *  16 bits. */
WOLFSSL_TEST_VIS word16 TLSX_SNI_GetSize(SNI* list)
{
    word32 total = OPAQUE16_LEN; /* list length prefix */
    SNI* cur;

    for (cur = list; cur != NULL; cur = cur->next) {
        total += ENUM_LEN + OPAQUE16_LEN; /* sni type + sni length */

        /* only the host-name type carries a payload */
        if (cur->type == WOLFSSL_SNI_HOST_NAME)
            total += (word32)XSTRLEN((char*)cur->data.host_name);

        if (total > WOLFSSL_MAX_16BIT)
            return 0;
    }

    return (word16)total;
}
2302
2303
/** Writes the SNI objects of a list in a buffer: a two-byte list length, then
 *  per entry a type byte and, for a host name, a two-byte length and the
 *  name bytes. The caller sizes output with TLSX_SNI_GetSize(); no bounds
 *  are checked here. Returns the number of bytes written. */
static word16 TLSX_SNI_Write(SNI* list, byte* output)
{
    word16 pos = OPAQUE16_LEN; /* the list length is written last */
    SNI* cur;

    for (cur = list; cur != NULL; cur = cur->next) {
        output[pos] = cur->type; /* sni type */
        pos++;

        /* NOTE(review): an entry of another type gets only its type byte
         * here, whereas TLSX_SNI_GetSize() also counts a length field for
         * it; TLSX_SNI_New() rejects other types, so this is not reached. */
        if (cur->type != WOLFSSL_SNI_HOST_NAME)
            continue;

        {
            word16 nameLen = (word16)XSTRLEN((char*)cur->data.host_name);

            c16toa(nameLen, output + pos); /* sni length */
            pos += OPAQUE16_LEN;

            XMEMCPY(output + pos, cur->data.host_name, nameLen);
            pos += nameLen;
        }
    }

    c16toa(pos - OPAQUE16_LEN, output); /* writing list length */

    return pos;
}
2333
2334
/** Finds the SNI object of the given type in the provided list; NULL when
 *  the list is empty or holds no such entry. */
static SNI* TLSX_SNI_Find(SNI *list, byte type)
{
    SNI* cur;

    for (cur = list; cur != NULL; cur = cur->next) {
        if (cur->type == type)
            return cur;
    }

    return NULL;
}
2344
2345
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
2346
/** Sets the status (a WOLFSSL_SNI_* match value) of the SNI object of the
 *  given type on the extension list; a no-op when the SNI extension or an
 *  entry of that type is absent. */
static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
{
    TLSX* ext = TLSX_Find(extensions, TLSX_SERVER_NAME);
    SNI*  entries = NULL;
    SNI*  entry;

    if (ext != NULL)
        entries = (SNI*)ext->data;

    entry = TLSX_SNI_Find(entries, type);
    if (entry != NULL)
        entry->status = status;
}
2355
#endif
2356
2357
/** Gets the status (a WOLFSSL_SNI_* match value) of the SNI object of the
 *  given type on the extension list; 0 when no such entry exists. */
byte TLSX_SNI_Status(TLSX* extensions, byte type)
{
    TLSX* ext = TLSX_Find(extensions, TLSX_SERVER_NAME);
    SNI*  entries = NULL;
    SNI*  entry;

    if (ext != NULL)
        entries = (SNI*)ext->data;

    entry = TLSX_SNI_Find(entries, type);
    return (entry != NULL) ? entry->status : 0;
}
2368
2369
/** Parses a buffer of SNI extensions.
 *
 * input / length: the extension payload, a two-byte list length followed by
 * one entry of <type byte, two-byte name length, name bytes>. Only one entry
 * per type is allowed (RFC 6066) and only WOLFSSL_SNI_HOST_NAME is accepted.
 *
 * Client side (isRequest == 0): the server's reply must be empty; a reply to
 * an SNI we never configured is rejected through
 * TLSX_HandleUnsupportedExtension(). The SSL object's host-name entry is then
 * marked WOLFSSL_SNI_REAL_MATCH.
 *
 * Server side (isRequest != 0): the received name is compared with the name
 * configured on the SSL object or the context (with ECH: with the saved
 * private name or the ECH config public names). A match, an
 * ANSWER_ON_MISMATCH option, or "cache only" mode (a sniRecvCb is set, or
 * WOLFSSL_ALWAYS_KEEP_SNI) stores the received name on the SSL object via
 * TLSX_UseSNI() and records a status; a mismatch is fatal (unrecognized_name
 * alert, UNKNOWN_SNI_HOST_NAME_E) unless CONTINUE_ON_MISMATCH is set.
 *
 * Returns 0, BUFFER_ERROR on malformed input, MEMORY_E / BAD_LENGTH_E when
 * the name cannot be stored, or the error codes named above. */
static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                          byte isRequest)
{
#ifndef NO_WOLFSSL_SERVER
    word16 size = 0;
    word16 offset = 0;
    int cacheOnly = 0;      /* store the name even though SNI is not enabled */
    SNI *sni = NULL;        /* locally configured entry of the received type */
    byte type;
    byte matched;
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
    TLSX* echX = NULL;
    WOLFSSL_ECH* ech = NULL;
    WOLFSSL_EchConfig* workingConfig;
    word16 privateNameLen;
#endif
#endif /* !NO_WOLFSSL_SERVER */
    TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME);

    if (!extension)
        extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);

    /* Client side: the server only acknowledges SNI with an empty extension. */
    if (!isRequest) {
        #ifndef NO_WOLFSSL_CLIENT
            if (!extension || !extension->data)
                return TLSX_HandleUnsupportedExtension(ssl);

            if (length > 0)
                return BUFFER_ERROR; /* SNI response MUST be empty. */

            /* This call enables wolfSSL_SNI_GetRequest() to be called in the
             * client side to fetch the used SNI. It will only work if the SNI
             * was set at the SSL object level. Right now we only support one
             * name type, WOLFSSL_SNI_HOST_NAME, but in the future, the
             * inclusion of other name types will make this method inaccurate,
             * as the extension response doesn't contain information on which
             * name was accepted.
             */
            TLSX_SNI_SetStatus(ssl->extensions, WOLFSSL_SNI_HOST_NAME,
                                                        WOLFSSL_SNI_REAL_MATCH);

            return 0;
        #endif
    }

#ifndef NO_WOLFSSL_SERVER
    /* Server side. With ECH, the outer and inner ClientHello may carry
     * different names; ech->sniState tracks which one is being parsed. */
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
    if (!ssl->options.disableECH) {
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);
        if (echX != NULL) {
            ech = (WOLFSSL_ECH*)(echX->data);
        }
    }
#endif

#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
    if ((!extension || !extension->data) ||
            (ech != NULL && ech->sniState == ECH_INNER_SNI &&
             ech->privateName == NULL)) {
#else
    if (!extension || !extension->data) {
#endif
        /* This will keep SNI even though TLSX_UseSNI has not been called.
         * Enable it so that the received sni is available to functions
         * that use a custom callback when SNI is received.
         */
    #ifdef WOLFSSL_ALWAYS_KEEP_SNI
        cacheOnly = 1;
    #endif
        if (ssl->ctx->sniRecvCb) {
            cacheOnly = 1;
        }

        if (cacheOnly) {
            WOLFSSL_MSG("Forcing SSL object to store SNI parameter");
        }
        else {
            /* Skipping, SNI not enabled at server side. */
            return 0;
        }
    }

    /* Wire-format checks: list length, a single host_name entry, and a name
     * length that fills the payload exactly. Nothing is stored before these
     * pass. */
    if (OPAQUE16_LEN > length)
        return BUFFER_ERROR;

    ato16(input, &size);
    offset += OPAQUE16_LEN;

    /* validating sni list length */
    if (length != OPAQUE16_LEN + size || size == 0)
        return BUFFER_ERROR;

    /* SNI was badly specified and only one type is now recognized and allowed.
     * Only one SNI value per type (RFC6066), so, no loop. */
    type = input[offset++];
    if (type != WOLFSSL_SNI_HOST_NAME)
        return BUFFER_ERROR;

    if (offset + OPAQUE16_LEN > length)
        return BUFFER_ERROR;
    ato16(input + offset, &size);
    offset += OPAQUE16_LEN;

    if (offset + size != length || size == 0)
        return BUFFER_ERROR;

    /* In cache-only mode extension may be NULL, hence the guard on the find. */
    if (!cacheOnly && !(sni = TLSX_SNI_Find((SNI*)extension->data, type)))
        return 0; /* not using this type of SNI. */

#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
    if (ech != NULL && ech->sniState == ECH_INNER_SNI){
        /* SNI status is carried over from processing the outer hello so it is
         * necessary to clear it before processing the inner hello */
        ech->sniState = ECH_INNER_SNI_ATTEMPT;
        if (sni != NULL){
            sni->status = WOLFSSL_SNI_NO_MATCH;
        }
    }
    else if (ech != NULL && ech->sniState == ECH_OUTER_SNI &&
            ech->privateName == NULL && sni != NULL){
        /* save the private SNI before it is overwritten by the public SNI */
        privateNameLen = (word16)XSTRLEN(sni->data.host_name) + 1;
        ech->privateName = (char*)XMALLOC(privateNameLen, ssl->heap,
            DYNAMIC_TYPE_TMP_BUFFER);
        if (ech->privateName == NULL)
            return MEMORY_E;
        XMEMCPY((char*)ech->privateName, sni->data.host_name,
            privateNameLen);
    }
#endif

#if defined(WOLFSSL_TLS13)
    /* Don't process the second ClientHello SNI extension if there
     * was problems with the first.
     */
    if (!cacheOnly && sni != NULL && sni->status != WOLFSSL_SNI_NO_MATCH)
        return 0;
#endif

    /* The received name is not NUL-terminated: its length is compared first
     * and XSTRNCMP is bounded by size, so no read goes past the payload. */
    /* NOTE(review): this guard is HAVE_ECH alone while ech is declared under
     * WOLFSSL_TLS13 && HAVE_ECH; presumably HAVE_ECH implies WOLFSSL_TLS13 in
     * the build configuration - confirm. */
#if defined(HAVE_ECH)
    if (ech != NULL && ech->sniState == ECH_INNER_SNI_ATTEMPT &&
            ech->privateName != NULL) {
        matched = cacheOnly || (XSTRLEN(ech->privateName) == size &&
            XSTRNCMP(ech->privateName, (const char*)input + offset, size) == 0);
    }
    else
#endif
    {
        const char* hostName = (sni != NULL) ? sni->data.host_name : NULL;
        matched = cacheOnly || (hostName != NULL &&
            XSTRLEN(hostName) == size &&
            XSTRNCMP(hostName, (const char*)input + offset, size) == 0);
    }

#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
    /* For the outer ClientHello, any configured ECH public name matches. */
    if (!matched && ech != NULL && ech->sniState == ECH_OUTER_SNI) {
        workingConfig = ech->echConfig;
        while (workingConfig != NULL) {
            matched = XSTRLEN(workingConfig->publicName) == size &&
                XSTRNCMP(workingConfig->publicName,
                (const char*)input + offset, size) == 0;

            if (matched)
                break;

            workingConfig = workingConfig->next;
        }
    }
#endif

    if (matched ||
            (sni != NULL && (sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH))) {
        int matchStat;
        /* TLSX_UseSNI copies the received name onto the SSL object (a name of
         * WOLFSSL_HOST_NAME_MAX bytes or more is refused with BAD_LENGTH_E);
         * the status recorded below says how the match came about. */
        int r = TLSX_UseSNI(&ssl->extensions, type, input + offset, size,
                                                                     ssl->heap);

        if (r != WOLFSSL_SUCCESS)
            return r; /* throws error. */

        if (cacheOnly) {
            WOLFSSL_MSG("Forcing storage of SNI, Fake match");
            matchStat = WOLFSSL_SNI_FORCE_KEEP;
        }
        else if (matched) {
            WOLFSSL_MSG("SNI did match!");
            matchStat = WOLFSSL_SNI_REAL_MATCH;
        }
        else {
            WOLFSSL_MSG("fake SNI match from ANSWER_ON_MISMATCH");
            matchStat = WOLFSSL_SNI_FAKE_MATCH;
        }

        TLSX_SNI_SetStatus(ssl->extensions, type, (byte)matchStat);

        /* a cached-only name is not acknowledged to the client */
        if (!cacheOnly)
            TLSX_SetResponse(ssl, TLSX_SERVER_NAME);
    }
    else if ((sni == NULL) ||
            !(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {
        SendAlert(ssl, alert_fatal, unrecognized_name);
        WOLFSSL_ERROR_VERBOSE(UNKNOWN_SNI_HOST_NAME_E);
        return UNKNOWN_SNI_HOST_NAME_E;
    }
#else
    (void)input;
#endif /* !NO_WOLFSSL_SERVER */

#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
    (void)length;
#endif

    return 0;
}
2583
2584
/* Enforces WOLFSSL_SNI_ABORT_ON_ABSENCE once a ClientHello has been parsed.
 * A server-side SNI entry carrying that option, on the context or on the SSL
 * object, whose status is still WOLFSSL_SNI_NO_MATCH means no acceptable
 * server name was received: a fatal alert is sent (missing_extension for
 * TLS 1.3, handshake_failure otherwise) and SNI_ABSENT_ERROR returned. An
 * SSL-level entry of the same type that lacks the option overrides a
 * context-level one that has it.
 * Returns 0 when nothing is to be enforced, for a response (isRequest == 0)
 * or in a client-only build. */
static int TLSX_SNI_VerifyParse(WOLFSSL* ssl,  byte isRequest)
{
    (void)ssl;

    if (isRequest) {
    #ifndef NO_WOLFSSL_SERVER
        TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
        TLSX* ssl_ext = TLSX_Find(ssl->extensions,      TLSX_SERVER_NAME);
        SNI* ctx_sni = ctx_ext ? (SNI*)ctx_ext->data : NULL;
        SNI* ssl_sni = ssl_ext ? (SNI*)ssl_ext->data : NULL;
        SNI* sni = NULL;

        /* Context-level entries first; the SSL-level entry of the same type,
         * if any, decides whether the context's option still applies. */
        for (; ctx_sni; ctx_sni = ctx_sni->next) {
            if (ctx_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
                sni = TLSX_SNI_Find(ssl_sni, ctx_sni->type);

                if (sni) {
                    if (sni->status != WOLFSSL_SNI_NO_MATCH)
                        continue;

                    /* if ssl level overrides ctx level, it is ok. */
                    if ((sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) == 0)
                        continue;
                }

                /* no SSL-level entry, or one that also requires presence */
                SendAlert(ssl, alert_fatal,
                          IsAtLeastTLSv1_3(ssl->version)
                              ? missing_extension
                              : handshake_failure);
                WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR);
                return SNI_ABSENT_ERROR;
            }
        }

        /* Then the SSL-level entries on their own. */
        for (; ssl_sni; ssl_sni = ssl_sni->next) {
            if (ssl_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
                if (ssl_sni->status != WOLFSSL_SNI_NO_MATCH)
                    continue;

                SendAlert(ssl, alert_fatal,
                          IsAtLeastTLSv1_3(ssl->version)
                              ? missing_extension
                              : handshake_failure);
                WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR);
                return SNI_ABSENT_ERROR;
            }
        }
    #endif /* NO_WOLFSSL_SERVER */
    }

    return 0;
}
2636
2637
/** Adds an SNI entry of the given type to an extension list.
 *
 * extensions: list to add to (the SERVER_NAME extension is created on first
 *   use); data/size: the SNI value, copied by TLSX_SNI_New; heap: allocator
 *   hint. For WOLFSSL_SNI_HOST_NAME the value must be shorter than
 *   WOLFSSL_HOST_NAME_MAX. An existing entry of the same type is replaced.
 *
 * Returns WOLFSSL_SUCCESS, BAD_FUNC_ARG, BAD_LENGTH_E, MEMORY_E or the error
 * reported by TLSX_Push.
 */
int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size,
                                                                     void* heap)
{
    TLSX* extension;
    SNI*  entry;
    SNI*  cursor;
    int   ret;

    if (extensions == NULL || data == NULL)
        return BAD_FUNC_ARG;

    /* host names live in a fixed-size buffer; leave room for the terminator */
    if (type == WOLFSSL_SNI_HOST_NAME && size >= WOLFSSL_HOST_NAME_MAX)
        return BAD_LENGTH_E;

    entry = TLSX_SNI_New(type, data, size, heap);
    if (entry == NULL)
        return MEMORY_E;

    extension = TLSX_Find(*extensions, TLSX_SERVER_NAME);
    if (extension == NULL) {
        /* first SNI entry: create the extension around it */
        ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)entry, heap);
        if (ret != 0) {
            TLSX_SNI_Free(entry, heap);
            return ret;
        }
        return WOLFSSL_SUCCESS;
    }

    /* prepend the new entry to the existing list ... */
    entry->next = (SNI*)extension->data;
    extension->data = (void*)entry;

    /* ... then drop the older entry of the same type, if any. The list never
     * holds more than one entry per type, so the first hit is the only one. */
    for (cursor = entry; cursor != NULL; cursor = cursor->next) {
        SNI* dup = cursor->next;

        if (dup != NULL && dup->type == type) {
            cursor->next = dup->next;
            TLSX_SNI_Free(dup, heap);
            break;
        }
    }

    return WOLFSSL_SUCCESS;
}
#ifndef NO_WOLFSSL_SERVER
/** Returns the SNI value the client requested, if any.
 *
 * extensions: the list to search; type: the SNI type wanted; data: receives a
 *   pointer INTO the stored entry (not a copy) and may be NULL, in which case
 *   nothing is returned; ignoreStatus: when non-zero, entries whose status is
 *   WOLFSSL_SNI_NO_MATCH are reported as well.
 *
 * Returns the host-name length for WOLFSSL_SNI_HOST_NAME and 0 otherwise
 * (no entry, hidden by status, data == NULL, or a type this function does
 * not expose).
 */
word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data,
        byte ignoreStatus)
{
    TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
    SNI*  entry = TLSX_SNI_Find(extension != NULL ? (SNI*)extension->data
                                                  : NULL, type);

    if (entry == NULL)
        return 0;

    /* entries that failed matching stay hidden unless the caller asks */
    if (!ignoreStatus && entry->status == WOLFSSL_SNI_NO_MATCH)
        return 0;

    if (entry->type != WOLFSSL_SNI_HOST_NAME || data == NULL)
        return 0;

    *data = entry->data.host_name;
    /* host_name is NUL-terminated; TLSX_UseSNI bounds it by
     * WOLFSSL_HOST_NAME_MAX, so the length is expected to fit a word16
     * (the wire-parsing path is not visible here - presumably the same). */
    return (word16)XSTRLEN((char*)*data);
}
/** Sets the option flags (e.g. WOLFSSL_SNI_ABORT_ON_ABSENCE) on the SNI
 * entry of the given type. Does nothing when no such entry exists. */
void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
{
    TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
    SNI*  entry = TLSX_SNI_Find(extension != NULL ? (SNI*)extension->data
                                                  : NULL, type);

    if (entry == NULL)
        return;

    entry->options = options;
}
2716
2717
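/** Extracts an SNI value of the given type straight from a raw ClientHello.
 *
 * This is a standalone parser used before a WOLFSSL object exists (e.g. to
 * pick a context by host name), so every length read from the untrusted
 * buffer is checked against helloSz before the bytes behind it are touched.
 *
 * clientHello/helloSz: the record as received, starting at the record header.
 * type: the SNI type wanted (normally WOLFSSL_SNI_HOST_NAME).
 * sni/inOutSz: output buffer and, on input, its capacity; on success *inOutSz
 *   becomes the number of bytes copied. The copy is truncated to the buffer
 *   and is NOT NUL-terminated; callers must terminate it themselves.
 *
 * Returns WOLFSSL_SUCCESS when the value was copied, 0 when the hello carries
 * no such SNI, INCOMPLETE_DATA when more bytes are needed, SNI_UNSUPPORTED for
 * SSLv2/SSLv3 hellos, BUFFER_ERROR for anything malformed and BAD_FUNC_ARG
 * for NULL pointers.
 */
int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
                           byte type, byte* sni, word32* inOutSz)
{
    word32 offset = 0;
    word32 len32 = 0;
    word16 len16 = 0;

    if (clientHello == NULL || sni == NULL || inOutSz == NULL)
        return BAD_FUNC_ARG;

    if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST)
        return INCOMPLETE_DATA;

    /* TLS record header */
    if ((enum ContentType) clientHello[offset++] != handshake) {

        /* checking for SSLv2.0 client hello according to: */
        /* http://tools.ietf.org/html/rfc4346#appendix-E.1 */
        if ((enum HandShakeType) clientHello[++offset] == client_hello) {
            offset += ENUM_LEN + VERSION_SZ; /* skip version */

            ato16(clientHello + offset, &len16);
            offset += OPAQUE16_LEN;

            if (len16 % 3) /* cipher_spec_length must be multiple of 3 */
                return BUFFER_ERROR;

            ato16(clientHello + offset, &len16);
            /* Returning SNI_UNSUPPORTED do not increment offset here */

            if (len16 != 0) /* session_id_length must be 0 */
                return BUFFER_ERROR;

            WOLFSSL_ERROR_VERBOSE(SNI_UNSUPPORTED);
            return SNI_UNSUPPORTED;
        }

        return BUFFER_ERROR;
    }

    if (clientHello[offset++] != SSLv3_MAJOR)
        return BUFFER_ERROR;

    if (clientHello[offset++] < TLSv1_MINOR) {
        WOLFSSL_ERROR_VERBOSE(SNI_UNSUPPORTED);
        return SNI_UNSUPPORTED;
    }

    ato16(clientHello + offset, &len16);
    offset += OPAQUE16_LEN;

    if (offset + len16 > helloSz)
        return INCOMPLETE_DATA;

    /* Handshake header */
    if ((enum HandShakeType) clientHello[offset] != client_hello)
        return BUFFER_ERROR;

    c24to32(clientHello + offset + 1, &len32);
    offset += HANDSHAKE_HEADER_SZ;

    if (offset + len32 > helloSz)
        return BUFFER_ERROR;

    /* client hello */
    offset += VERSION_SZ + RAN_LEN; /* version, random */

    /* session id: the length byte at clientHello[offset] is meant to be
     * covered by the minimum-size check above; the vector itself must also
     * fit, length byte included. */
    if (helloSz < offset + ENUM_LEN + clientHello[offset])
        return BUFFER_ERROR;

    offset += ENUM_LEN + clientHello[offset]; /* skip session id */

    /* cipher suites */
    if (helloSz < offset + OPAQUE16_LEN)
        return BUFFER_ERROR;

    ato16(clientHello + offset, &len16);
    offset += OPAQUE16_LEN;

    if (helloSz < offset + len16)
        return BUFFER_ERROR;

    offset += len16; /* skip cipher suites */

    /* compression methods */
    if (helloSz < offset + ENUM_LEN)
        return BUFFER_ERROR;

    if (helloSz < offset + ENUM_LEN + clientHello[offset])
        return BUFFER_ERROR;

    offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */

    /* extensions */
    if (helloSz < offset + OPAQUE16_LEN)
        return 0; /* no extensions in client hello. */

    ato16(clientHello + offset, &len16);
    offset += OPAQUE16_LEN;

    if (helloSz < offset + len16)
        return BUFFER_ERROR;

    while (len16 >= OPAQUE16_LEN + OPAQUE16_LEN) {
        word16 extType;
        word16 extLen;
        word32 extEnd;

        ato16(clientHello + offset, &extType);
        offset += OPAQUE16_LEN;

        ato16(clientHello + offset, &extLen);
        offset += OPAQUE16_LEN;

        if (helloSz < offset + extLen)
            return BUFFER_ERROR;

        /* where the next extension starts, however much of this one the
         * SNI walk below actually consumes */
        extEnd = offset + extLen;

        if (extType == TLSX_SERVER_NAME) {
            word16 listLen;

            if (extLen < OPAQUE16_LEN)
                return BUFFER_ERROR;

            ato16(clientHello + offset, &listLen);
            offset += OPAQUE16_LEN;

            /* the name list must fit inside its own extension, not merely
             * inside the record */
            if (extLen - OPAQUE16_LEN < listLen)
                return BUFFER_ERROR;

            while (listLen > ENUM_LEN + OPAQUE16_LEN) {
                byte   sniType = clientHello[offset++];
                word16 sniLen;

                ato16(clientHello + offset, &sniLen);
                offset += OPAQUE16_LEN;

                if (helloSz < offset + sniLen)
                    return BUFFER_ERROR;

                /* and each entry must fit inside the remaining list */
                if (sniLen > listLen - (ENUM_LEN + OPAQUE16_LEN))
                    return BUFFER_ERROR;

                if (sniType != type) {
                    offset  += sniLen;
                    listLen -= min(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen);
                    continue;
                }

                /* found: copy as much as fits, report how much that was */
                *inOutSz = min(sniLen, *inOutSz);
                XMEMCPY(sni, clientHello + offset, *inOutSz);

                return WOLFSSL_SUCCESS;
            }
        }

        /* resync to the extension boundary. The SNI walk may stop short of
         * extLen (trailing bytes, or a list shorter than the extension), and
         * reading the next type/length from the wrong place would desync the
         * rest of the extension walk. */
        offset = extEnd;

        len16 -= min(2 * OPAQUE16_LEN + extLen, len16);
    }

    return len16 ? BUFFER_ERROR : 0;
}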
#endif
0
#define SNI_FREE_ALL     TLSX_SNI_FreeAll
2877
0
#define SNI_GET_SIZE     TLSX_SNI_GetSize
2878
0
#define SNI_WRITE        TLSX_SNI_Write
2879
0
#define SNI_PARSE        TLSX_SNI_Parse
2880
0
#define SNI_VERIFY_PARSE TLSX_SNI_VerifyParse
2881
2882
#else
2883
2884
#define SNI_FREE_ALL(list, heap) WC_DO_NOTHING
2885
#define SNI_GET_SIZE(list)     0
2886
#define SNI_WRITE(a, b)        0
2887
#define SNI_PARSE(a, b, c, d)  0
2888
#define SNI_VERIFY_PARSE(a, b) 0
2889
2890
#endif /* HAVE_SNI */
2891
2892
/******************************************************************************/
2893
/* Trusted CA Key Indication                                                  */
2894
/******************************************************************************/
2895
2896
#ifdef HAVE_TRUSTED_CA
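/** Creates a new TCA (trusted_ca_keys) entry.
 *
 * type: one of WOLFSSL_TRUSTED_CA_*; id/idSz: the identifier bytes, which are
 * copied. Per-type requirements: PRE_AGREED carries no id; KEY_SHA1 and
 * CERT_SHA1 need exactly WC_SHA_DIGEST_SIZE bytes; X509_NAME needs at least
 * one byte. Validation happens before any allocation.
 *
 * Returns the new entry, or NULL on allocation failure, an unknown type, a
 * wrong idSz, or a NULL id where one is required (callers cannot tell these
 * apart; TLSX_UseTrustedCA reports all of them as MEMORY_E).
 */
static TCA* TLSX_TCA_New(byte type, const byte* id, word16 idSz, void* heap)
{
    TCA* tca;
    int  needId = 0;

    switch (type) {
        case WOLFSSL_TRUSTED_CA_PRE_AGREED:
            break;

        #ifndef NO_SHA
        case WOLFSSL_TRUSTED_CA_KEY_SHA1:
        case WOLFSSL_TRUSTED_CA_CERT_SHA1:
            if (idSz != WC_SHA_DIGEST_SIZE)
                return NULL;
            needId = 1;
            break;
        #endif

        case WOLFSSL_TRUSTED_CA_X509_NAME:
            if (idSz == 0)
                return NULL;
            needId = 1;
            break;

        default: /* invalid type */
            return NULL;
    }

    /* a NULL id with a non-zero size would be read by the XMEMCPY below */
    if (needId && id == NULL)
        return NULL;

    tca = (TCA*)XMALLOC(sizeof(TCA), heap, DYNAMIC_TYPE_TLSX);
    if (tca == NULL)
        return NULL;

    XMEMSET(tca, 0, sizeof(TCA));
    tca->type = type;

    if (needId) {
        tca->id = (byte*)XMALLOC(idSz, heap, DYNAMIC_TYPE_TLSX);
        if (tca->id == NULL) {
            XFREE(tca, heap, DYNAMIC_TYPE_TLSX);
            return NULL;
        }
        XMEMCPY(tca->id, id, idSz);
        tca->idSz = idSz;
    }

    (void)heap;

    return tca;
}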
/** Releases one TCA entry together with its id buffer. NULL is a no-op. */
static void TLSX_TCA_Free(TCA* tca, void* heap)
{
    (void)heap;

    if (tca == NULL)
        return;

    XFREE(tca->id, heap, DYNAMIC_TYPE_TLSX); /* may be NULL for PRE_AGREED */
    XFREE(tca, heap, DYNAMIC_TYPE_TLSX);
}
/** Releases every entry of a TCA list. */
static void TLSX_TCA_FreeAll(TCA* list, void* heap)
{
    while (list != NULL) {
        TCA* next = list->next; /* read before the node is freed */

        TLSX_TCA_Free(list, heap);
        list = next;
    }
}
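/** Computes the encoded size of a TCA list exactly as TLSX_TCA_Write emits it.
 *
 * The accounting here must mirror TLSX_TCA_Write case by case: the buffer the
 * writer fills is sized from this value, so any entry counted smaller here
 * than the writer emits is a buffer overrun. For that reason the unknown-type
 * and missing-id cases (unreachable through TLSX_TCA_New, but cheap to get
 * right) are counted the way the writer handles them: an empty 16-bit string.
 *
 * Returns the size including the list-length prefix, or 0 when it would not
 * fit a 16-bit extension length.
 */
static word16 TLSX_TCA_GetSize(TCA* list)
{
    TCA* tca;
    word32 length = OPAQUE16_LEN; /* list length */

    for (tca = list; tca != NULL; tca = tca->next) {
        length += ENUM_LEN; /* tca type */

        switch (tca->type) {
            case WOLFSSL_TRUSTED_CA_PRE_AGREED:
                break;
            #ifndef NO_SHA
            case WOLFSSL_TRUSTED_CA_KEY_SHA1:
            case WOLFSSL_TRUSTED_CA_CERT_SHA1:
                /* raw digest, or an empty 16-bit string if the id is missing */
                length += (tca->id != NULL) ? tca->idSz : OPAQUE16_LEN;
                break;
            #endif
            case WOLFSSL_TRUSTED_CA_X509_NAME:
                /* 16-bit length prefix plus the name (zero-length if missing) */
                length += OPAQUE16_LEN + ((tca->id != NULL) ? tca->idSz : 0);
                break;
            default:
                /* unknown type (incl. SHA1 types under NO_SHA): the writer
                 * emits an empty 16-bit string */
                length += OPAQUE16_LEN;
                break;
        }

        if (length > WOLFSSL_MAX_16BIT) {
            return 0;
        }
    }

    return (word16)length;
}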
/** Serialises a TCA list: a 16-bit list length, then per entry one type byte
 * followed by the type-specific identifier (raw digest for the SHA1 types,
 * 16-bit-length-prefixed bytes for X509_NAME, nothing for PRE_AGREED). Missing
 * ids and unknown types are written as an empty 16-bit string. Must stay in
 * step with TLSX_TCA_GetSize, which sizes the output buffer.
 * Returns the number of bytes written. */
static word16 TLSX_TCA_Write(TCA* list, byte* output)
{
    TCA*   tca;
    word16 pos = OPAQUE16_LEN; /* leave room for the list length */

    for (tca = list; tca != NULL; tca = tca->next) {
        output[pos++] = tca->type;

        switch (tca->type) {
            case WOLFSSL_TRUSTED_CA_PRE_AGREED:
                /* no identifier */
                break;
            #ifndef NO_SHA
            case WOLFSSL_TRUSTED_CA_KEY_SHA1:
            case WOLFSSL_TRUSTED_CA_CERT_SHA1:
                if (tca->id == NULL) {
                    /* ID missing. Set to an empty string. */
                    c16toa(0, output + pos);
                    pos += OPAQUE16_LEN;
                    break;
                }
                /* fixed-size digest, no length prefix */
                XMEMCPY(output + pos, tca->id, tca->idSz);
                pos += tca->idSz;
                break;
            #endif
            case WOLFSSL_TRUSTED_CA_X509_NAME:
                if (tca->id == NULL) {
                    /* ID missing. Set to an empty string. */
                    c16toa(0, output + pos);
                    pos += OPAQUE16_LEN;
                    break;
                }
                c16toa(tca->idSz, output + pos); /* tca length */
                pos += OPAQUE16_LEN;
                XMEMCPY(output + pos, tca->id, tca->idSz);
                pos += tca->idSz;
                break;
            default:
                /* ID unknown. Set to an empty string. */
                c16toa(0, output + pos);
                pos += OPAQUE16_LEN;
                break;
        }
    }

    c16toa(pos - OPAQUE16_LEN, output); /* list length, excluding itself */

    return pos;
}
#ifndef NO_WOLFSSL_SERVER
3058
/** Looks up a client-supplied trusted-authority indication in the server's
 * configured list.
 *
 * For WOLFSSL_TRUSTED_CA_PRE_AGREED any configured entry counts, so the list
 * head is returned whenever the list is non-empty. For every other type the
 * type, id length and id bytes must all agree. Returns the matching entry or
 * NULL. */
static TCA* TLSX_TCA_Find(TCA *list, byte type, const byte* id, word16 idSz)
{
    TCA* tca;

    for (tca = list; tca != NULL; tca = tca->next) {
        if (type == WOLFSSL_TRUSTED_CA_PRE_AGREED)
            return tca;

        if (tca->type != type || tca->idSz != idSz)
            continue;

        if (XMEMCMP(id, tca->id, idSz) == 0)
            return tca;
    }

    return NULL;
}
3073
#endif /* NO_WOLFSSL_SERVER */
/** Parses a trusted_ca_keys extension body.
 *
 * Client side (isRequest == 0): the server's acknowledgement must be empty
 * and is only accepted when we asked for the extension ourselves.
 * Server side: walks the client's list of trusted-authority indications and
 * marks the extension for a response on the first one that matches an entry
 * configured on the WOLFSSL or, failing that, its WOLFSSL_CTX. An unknown
 * indication type is an error; no match at all is not (the server simply does
 * not respond).
 *
 * Returns 0, BUFFER_ERROR, TCA_INVALID_ID_TYPE, or the result of
 * TLSX_HandleUnsupportedExtension.
 */
static int TLSX_TCA_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                          byte isRequest)
{
#ifndef NO_WOLFSSL_SERVER
    word16 listSz = 0;
    word16 pos = 0;
#endif
    TLSX *extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);

    /* per-connection configuration wins; otherwise use the context's */
    if (extension == NULL)
        extension = TLSX_Find(ssl->ctx->extensions, TLSX_TRUSTED_CA_KEYS);

    if (!isRequest) {
        #ifndef NO_WOLFSSL_CLIENT
            if (extension == NULL || extension->data == NULL)
                return TLSX_HandleUnsupportedExtension(ssl);

            if (length > 0)
                return BUFFER_ERROR; /* TCA response MUST be empty. */

            /* Set the flag that we're good for keys */
            TLSX_SetResponse(ssl, TLSX_TRUSTED_CA_KEYS);

            return 0;
        #endif
    }

#ifndef NO_WOLFSSL_SERVER
    if (extension == NULL || extension->data == NULL) {
        /* Skipping, TCA not enabled at server side. */
        return 0;
    }

    if (length < OPAQUE16_LEN)
        return BUFFER_ERROR;

    ato16(input, &listSz);
    pos = OPAQUE16_LEN;

    /* the list must fill the extension exactly */
    if (length != OPAQUE16_LEN + listSz)
        return BUFFER_ERROR;

    while (pos < length) {
        byte        type;
        const byte* id = NULL;
        word16      idSz = 0;

        if (pos + ENUM_LEN > length)
            return BUFFER_ERROR;

        type = input[pos++];

        switch (type) {
            case WOLFSSL_TRUSTED_CA_PRE_AGREED:
                break;
            #ifndef NO_SHA
            case WOLFSSL_TRUSTED_CA_KEY_SHA1:
            case WOLFSSL_TRUSTED_CA_CERT_SHA1:
                if (pos + WC_SHA_DIGEST_SIZE > length)
                    return BUFFER_ERROR;
                idSz = WC_SHA_DIGEST_SIZE;
                id = input + pos;
                pos += idSz;
                break;
            #endif
            case WOLFSSL_TRUSTED_CA_X509_NAME:
                if (pos + OPAQUE16_LEN > length)
                    return BUFFER_ERROR;
                ato16(input + pos, &idSz);
                pos += OPAQUE16_LEN;
                if ((pos > length) || (idSz > length - pos))
                    return BUFFER_ERROR;
                id = input + pos;
                pos += idSz;
                break;
            default:
                WOLFSSL_ERROR_VERBOSE(TCA_INVALID_ID_TYPE);
                return TCA_INVALID_ID_TYPE;
        }

        /* Find the type/ID in the TCA list. */
        if (TLSX_TCA_Find((TCA*)extension->data, type, id, idSz) != NULL) {
            /* Found it. Set the response flag and stop looking. */
            TLSX_SetResponse(ssl, TLSX_TRUSTED_CA_KEYS);
            break;
        }
    }
#else
    (void)input;
#endif

    return 0;
}
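/** Post-parse check for trusted_ca_keys on the client side.
 *
 * RFC 6066 section 6 makes the server's acknowledgement optional, so a
 * missing response is normally only logged; with WOLFSSL_REQUIRE_TCA it is a
 * fatal handshake_failure (TCA_ABSENT_ERROR). "Missing" means we requested
 * the extension and the server did not acknowledge it - a server that did
 * answer, or an extension we never sent, is not reported (the previous
 * version logged "No response received" unconditionally). Nothing to check
 * on the server side (isRequest != 0).
 *
 * Returns 0 or TCA_ABSENT_ERROR.
 */
static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest)
{
    TLSX* extension;

    if (isRequest)
        return 0;

    extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);
    if (extension == NULL || extension->resp)
        return 0;

#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_REQUIRE_TCA)
    SendAlert(ssl, alert_fatal, handshake_failure);
    WOLFSSL_ERROR_VERBOSE(TCA_ABSENT_ERROR);
    return TCA_ABSENT_ERROR;
#else
    WOLFSSL_MSG("No response received for trusted_ca_keys.  Continuing.");
    return 0;
#endif /* !NO_WOLFSSL_CLIENT && WOLFSSL_REQUIRE_TCA */
}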
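/** Adds a trusted_ca_keys indication to an extension list.
 *
 * type/id/idSz: see TLSX_TCA_New for the per-type requirements; the id bytes
 * are copied. Entries are prepended to the list; unlike SNI, duplicates are
 * not removed.
 *
 * Returns WOLFSSL_SUCCESS, BAD_FUNC_ARG for a NULL list or a NULL id with a
 * non-zero size, MEMORY_E when the entry could not be created (TLSX_TCA_New
 * also returns NULL for an invalid type or idSz, which surfaces as MEMORY_E
 * here), or the error reported by TLSX_Push.
 */
int TLSX_UseTrustedCA(TLSX** extensions, byte type,
                    const byte* id, word16 idSz, void* heap)
{
    TLSX* extension;
    TCA*  tca;
    int   ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    /* a NULL id with a claimed length would be copied by TLSX_TCA_New */
    if (id == NULL && idSz != 0)
        return BAD_FUNC_ARG;

    tca = TLSX_TCA_New(type, id, idSz, heap);
    if (tca == NULL)
        return MEMORY_E;

    extension = TLSX_Find(*extensions, TLSX_TRUSTED_CA_KEYS);
    if (extension != NULL) {
        /* push new TCA object to extension data. */
        tca->next = (TCA*)extension->data;
        extension->data = (void*)tca;
        return WOLFSSL_SUCCESS;
    }

    /* first entry: create the extension around it */
    ret = TLSX_Push(extensions, TLSX_TRUSTED_CA_KEYS, (void*)tca, heap);
    if (ret != 0) {
        TLSX_TCA_Free(tca, heap); /* not owned by the list yet */
        return ret;
    }

    return WOLFSSL_SUCCESS;
}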
#define TCA_FREE_ALL     TLSX_TCA_FreeAll
3230
#define TCA_GET_SIZE     TLSX_TCA_GetSize
3231
#define TCA_WRITE        TLSX_TCA_Write
3232
#define TCA_PARSE        TLSX_TCA_Parse
3233
#define TCA_VERIFY_PARSE TLSX_TCA_VerifyParse
3234
3235
#else /* HAVE_TRUSTED_CA */
3236
3237
0
#define TCA_FREE_ALL(list, heap) WC_DO_NOTHING
3238
0
#define TCA_GET_SIZE(list)     0
3239
0
#define TCA_WRITE(a, b)        0
3240
0
#define TCA_PARSE(a, b, c, d)  0
3241
0
#define TCA_VERIFY_PARSE(a, b) 0
3242
3243
#endif /* HAVE_TRUSTED_CA */
3244
3245
/******************************************************************************/
3246
/* Max Fragment Length Negotiation                                            */
3247
/******************************************************************************/
3248
3249
#ifdef HAVE_MAX_FRAGMENT
/** Writes the single max_fragment_length code byte. Returns ENUM_LEN. */
static word16 TLSX_MFL_Write(byte* data, byte* output)
{
    *output = *data;

    return ENUM_LEN;
}
/* Maps a max_fragment_length code (RFC 6066 section 4) to the fragment size
 * in bytes; 0 for any code outside WOLFSSL_MFL_2_8..WOLFSSL_MFL_2_13. */
static word16 TLSX_MFL_CodeToSize(byte code)
{
    switch (code) {
        case WOLFSSL_MFL_2_8 : return  256;
        case WOLFSSL_MFL_2_9 : return  512;
        case WOLFSSL_MFL_2_10: return 1024;
        case WOLFSSL_MFL_2_11: return 2048;
        case WOLFSSL_MFL_2_12: return 4096;
        case WOLFSSL_MFL_2_13: return 8192;
        default:               return 0;
    }
}

/** Parses a max_fragment_length extension (exactly one code byte).
 *
 * Client side: the server's echoed code must equal the one we requested
 * (configured on the WOLFSSL or inherited from its WOLFSSL_CTX), otherwise a
 * fatal illegal_parameter is sent. Either side: an unknown code is rejected
 * the same way. Server side: the request is mirrored into ssl->extensions and
 * marked for a response. On success ssl->max_fragment is set and, if a
 * session exists, its mfl code is recorded.
 *
 * Returns 0, BUFFER_ERROR, UNKNOWN_MAX_FRAG_LEN_E, the result of
 * TLSX_HandleUnsupportedExtension, or a TLSX_UseMaxFragment error.
 */
static int TLSX_MFL_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                          byte isRequest)
{
    byte   code;
    word16 fragSz;

    if (length != ENUM_LEN)
        return BUFFER_ERROR;

    code = *input;

#ifdef WOLFSSL_OLD_UNSUPPORTED_EXTENSION
    (void) isRequest;
#else
    if (!isRequest) {
        TLSX* requested;

        if (TLSX_CheckUnsupportedExtension(ssl, TLSX_MAX_FRAGMENT_LENGTH))
            return TLSX_HandleUnsupportedExtension(ssl);

        /* RFC 6066 Section 4: the server's response value must match the
         * value the client requested. The request may have been configured on
         * the WOLFSSL object or inherited from the WOLFSSL_CTX. */
        requested = TLSX_Find(ssl->extensions, TLSX_MAX_FRAGMENT_LENGTH);
        if (requested == NULL)
            requested = TLSX_Find(ssl->ctx->extensions,
                                  TLSX_MAX_FRAGMENT_LENGTH);

        if (requested == NULL || requested->data == NULL ||
                ((byte*)requested->data)[0] != code) {
            SendAlert(ssl, alert_fatal, illegal_parameter);
            WOLFSSL_ERROR_VERBOSE(UNKNOWN_MAX_FRAG_LEN_E);
            return UNKNOWN_MAX_FRAG_LEN_E;
        }
    }
#endif

    fragSz = TLSX_MFL_CodeToSize(code);
    if (fragSz == 0) {
        SendAlert(ssl, alert_fatal, illegal_parameter);
        WOLFSSL_ERROR_VERBOSE(UNKNOWN_MAX_FRAG_LEN_E);
        return UNKNOWN_MAX_FRAG_LEN_E;
    }
    ssl->max_fragment = fragSz;

    if (ssl->session != NULL)
        ssl->session->mfl = code;

#ifndef NO_WOLFSSL_SERVER
    if (isRequest) {
        int ret = TLSX_UseMaxFragment(&ssl->extensions, code, ssl->heap);

        if (ret != WOLFSSL_SUCCESS)
            return ret; /* throw error */

        TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH);
    }
#endif

    return 0;
}
/** Records a max_fragment_length code on an extension list.
 *
 * mfl must lie within [WOLFSSL_MFL_MIN, WOLFSSL_MFL_MAX]; the single code byte
 * is heap-allocated and becomes the extension payload. Returns
 * WOLFSSL_SUCCESS, BAD_FUNC_ARG, MEMORY_E, or the TLSX_Push error. */
int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap)
{
    byte* code;
    int   ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    if (mfl < WOLFSSL_MFL_MIN || mfl > WOLFSSL_MFL_MAX)
        return BAD_FUNC_ARG;

    code = (byte*)XMALLOC(ENUM_LEN, heap, DYNAMIC_TYPE_TLSX);
    if (code == NULL)
        return MEMORY_E;

    *code = mfl;

    ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, code, heap);
    if (ret != 0) {
        XFREE(code, heap, DYNAMIC_TYPE_TLSX); /* not owned by the list yet */
        return ret;
    }

    return WOLFSSL_SUCCESS;
}
#define MFL_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX)
3346
#define MFL_GET_SIZE(data) ENUM_LEN
3347
#define MFL_WRITE          TLSX_MFL_Write
3348
#define MFL_PARSE          TLSX_MFL_Parse
3349
3350
#else
3351
3352
0
#define MFL_FREE_ALL(a, b) WC_DO_NOTHING
3353
0
#define MFL_GET_SIZE(a)       0
3354
0
#define MFL_WRITE(a, b)       0
3355
0
#define MFL_PARSE(a, b, c, d) 0
3356
3357
#endif /* HAVE_MAX_FRAGMENT */
3358
3359
/******************************************************************************/
3360
/* Truncated HMAC                                                             */
3361
/******************************************************************************/
3362
3363
#ifdef HAVE_TRUNCATED_HMAC
/** Parses a truncated_hmac extension, whose body is always empty.
 *
 * Client side: the server's acknowledgement is only accepted if we sent the
 * request (unless WOLFSSL_OLD_UNSUPPORTED_EXTENSION relaxes that check).
 * Server side: the request is mirrored into ssl->extensions and marked for a
 * response. On success ssl->truncated_hmac is set for both roles.
 *
 * Returns 0, BUFFER_ERROR, or an error from TLSX_HandleUnsupportedExtension
 * or TLSX_UseTruncatedHMAC. */
static int TLSX_THM_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                          byte isRequest)
{
    if (input == NULL || length != 0)
        return BUFFER_ERROR;

    if (isRequest) {
        #ifndef NO_WOLFSSL_SERVER
            int ret = TLSX_UseTruncatedHMAC(&ssl->extensions, ssl->heap);

            if (ret != WOLFSSL_SUCCESS)
                return ret; /* throw error */

            TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC);
        #endif
    }
    else {
        #ifndef WOLFSSL_OLD_UNSUPPORTED_EXTENSION
            if (TLSX_CheckUnsupportedExtension(ssl, TLSX_TRUNCATED_HMAC))
                return TLSX_HandleUnsupportedExtension(ssl);
        #endif
    }

    ssl->truncated_hmac = 1;

    return 0;
}
/** Adds an (empty-payload) truncated_hmac extension to the list.
 * Returns WOLFSSL_SUCCESS, BAD_FUNC_ARG, or the TLSX_Push error. */
int TLSX_UseTruncatedHMAC(TLSX** extensions, void* heap)
{
    int ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL, heap);

    return (ret != 0) ? ret : WOLFSSL_SUCCESS;
}
#define THM_PARSE TLSX_THM_Parse
3408
3409
#else
3410
3411
0
#define THM_PARSE(a, b, c, d) 0
3412
3413
#endif /* HAVE_TRUNCATED_HMAC */
3414
3415
/******************************************************************************/
3416
/* Certificate Status Request                                                 */
3417
/******************************************************************************/
3418
3419
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
/** Releases a CertificateStatusRequest and everything it owns: the OCSP
 * requests (OCSP status type only), the TLS 1.3 per-certificate response
 * buffers, and the object itself. */
static void TLSX_CSR_Free(CertificateStatusRequest* csr, void* heap)
{
    int i;

    if (csr->status_type == WOLFSSL_CSR_OCSP) {
        /* NOTE(review): `<=` visits csr->requests + 1 entries - confirm this
         * against how `requests` is counted and the size of request.ocsp[]
         * in CertificateStatusRequest. */
        for (i = 0; i <= csr->requests; i++)
            FreeOcspRequest(&csr->request.ocsp[i]);
    }

#ifdef WOLFSSL_TLS13
    for (i = 0; i < MAX_CERT_EXTENSIONS; i++) {
        if (csr->responses[i].buffer == NULL)
            continue;
        XFREE(csr->responses[i].buffer, heap, DYNAMIC_TYPE_TMP_BUFFER);
    }
#endif

    XFREE(csr, heap, DYNAMIC_TYPE_TLSX);
    (void)heap;
}
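/** Computes the on-wire size of a status_request extension.
 *
 * isRequest (client side): the request - status type, an empty responder-id
 *   list, and the nonce request extension when one was generated. Only
 *   WOLFSSL_CSR_OCSP is handled.
 * !isRequest on a TLS 1.3 server: the CertificateStatus payload for the
 *   certificate at idx, taken from ssl->ocspCsrResp when an OCSP status
 *   callback is installed and from csr->responses otherwise.
 *
 * Returns the size, or 0 when nothing applies, csr->ssl is NULL, or the
 * response would not fit a 16-bit extension length.
 *
 * Fix: csr->ssl is now tested for NULL before csr->ssl->version is read; the
 * previous version dereferenced it first and checked it afterwards.
 */
word16 TLSX_CSR_GetSize_ex(CertificateStatusRequest* csr, byte isRequest,
                                                             int idx)
{
    word32 size = 0;

    /* shut up compiler warnings */
    (void) csr; (void) isRequest;
#ifndef NO_WOLFSSL_CLIENT
    if (isRequest) {
        switch (csr->status_type) {
            case WOLFSSL_CSR_OCSP:
                size += ENUM_LEN + 2 * OPAQUE16_LEN;

                if (csr->request.ocsp[0].nonceSz)
                    size += OCSP_NONCE_EXT_SZ;
                break;
            default:
                /* other status types have no request encoding here */
                break;
        }
    }
#endif
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
    if (!isRequest && csr->ssl != NULL &&
            IsAtLeastTLSv1_3(csr->ssl->version)) {
        if (SSL_CM(csr->ssl) != NULL &&
                SSL_CM(csr->ssl)->ocsp_stapling != NULL &&
                SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL) {
            /* the status callback supplied the response out of band */
            if (WOLFSSL_MAX_16BIT - OPAQUE8_LEN - OPAQUE24_LEN <
                    csr->ssl->ocspCsrResp[idx].length) {
                return 0;
            }
            size = OPAQUE8_LEN + OPAQUE24_LEN +
                    csr->ssl->ocspCsrResp[idx].length;
            return (word16)size;
        }
        /* type byte + 24-bit length + body must fit the 16-bit extension */
        if (WOLFSSL_MAX_16BIT - OPAQUE8_LEN - OPAQUE24_LEN <
                csr->responses[idx].length) {
            return 0;
        }
        size = OPAQUE8_LEN + OPAQUE24_LEN + csr->responses[idx].length;
        return (word16)size;
    }
#else
    (void)idx;
#endif
    return (word16)size;
}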
#if (defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER))
3490
/** Invokes the application's OCSP status callback (TLS 1.3 server) and, if
 * it left at least one response in ssl->ocspCsrResp, marks the
 * status_request extension for a response and records the OCSP status type.
 *
 * Callback results: WOLFSSL_OCSP_STATUS_CB_OK -> 0 (acknowledged only when a
 * response is present); WOLFSSL_OCSP_STATUS_CB_NOACK -> 0 without an
 * acknowledgement; WOLFSSL_OCSP_STATUS_CB_ALERT_FATAL or any other value ->
 * WOLFSSL_FATAL_ERROR. Returns BAD_FUNC_ARG when no callback is installed. */
int TLSX_CSR_SetResponseWithStatusCB(WOLFSSL *ssl)
{
    WOLFSSL_OCSP* ocsp;
    int           cbRet;
    size_t        i;

    if (ssl == NULL || SSL_CM(ssl) == NULL)
        return BAD_FUNC_ARG;

    ocsp = SSL_CM(ssl)->ocsp_stapling;
    if (ocsp == NULL || ocsp->statusCb == NULL)
        return BAD_FUNC_ARG;

    cbRet = ocsp->statusCb(ssl, ocsp->statusCbArg);

    if (cbRet == WOLFSSL_OCSP_STATUS_CB_NOACK) {
        /* suppressing as not critical */
        return 0;
    }

    if (cbRet != WOLFSSL_OCSP_STATUS_CB_OK) {
        /* WOLFSSL_OCSP_STATUS_CB_ALERT_FATAL and any unknown value */
        return WOLFSSL_FATAL_ERROR;
    }

    for (i = 0; i < XELEM_CNT(ssl->ocspCsrResp); i++) {
        if (ssl->ocspCsrResp[i].length == 0)
            continue;

        /* ack the extension, status cb provided the response in
         * ssl->ocspCsrResp */
        TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
        ssl->status_request = WOLFSSL_CSR_OCSP;
        break;
    }

    return 0;
}
/** Writes the CertificateStatus body for certificate idx from the buffer the
 * status callback left in ssl->ocspCsrResp: a WOLFSSL_CSR_OCSP type byte, a
 * 24-bit length, then the response bytes. The output buffer is sized by
 * TLSX_CSR_GetSize_ex, which rejects responses too large for the extension.
 * Returns the number of bytes written, or BAD_FUNC_ARG when no callback is
 * installed or the slot at idx is empty. */
static int TLSX_CSR_WriteWithStatusCB(CertificateStatusRequest* csr,
    byte* output, int idx)
{
    WOLFSSL*      ssl = csr->ssl;
    WOLFSSL_OCSP* ocsp;
    const byte*   resp;
    int           respSz;
    byte*         out = output;

    if (ssl == NULL || SSL_CM(ssl) == NULL)
        return BAD_FUNC_ARG;

    ocsp = SSL_CM(ssl)->ocsp_stapling;
    if (ocsp == NULL || ocsp->statusCb == NULL)
        return BAD_FUNC_ARG;

    resp   = ssl->ocspCsrResp[idx].buffer;
    respSz = ssl->ocspCsrResp[idx].length;
    if (resp == NULL || respSz == 0)
        return BAD_FUNC_ARG;

    *out++ = WOLFSSL_CSR_OCSP;
    c32to24(respSz, out);
    out += OPAQUE24_LEN;
    XMEMCPY(out, resp, respSz);
    out += respSz;

    return (int)(out - output);
}
3552
#endif /* (TLS13 && !NO_WOLFSLL_SERVER) */
/** Size of the status_request extension for the first certificate (index 0);
 * see TLSX_CSR_GetSize_ex for the full semantics. */
static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest)
{
    const int firstCert = 0;

    return TLSX_CSR_GetSize_ex(csr, isRequest, firstCert);
}
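/* Write the status_request extension data.
 *
 * Client (isRequest): CertificateStatusRequest for the configured
 * status_type — for OCSP an empty responder_id_list followed by the request
 * extensions (the nonce extension, when a nonce was generated).
 * Server (TLS 1.3 only): the CertificateStatus body for response idx, taken
 * either from the application's status callback or from csr->responses[idx].
 *
 * csr        status_request extension data.
 * output     destination buffer. Not bounds-checked here; the caller is
 *            expected to have sized it (presumably via TLSX_CSR_GetSize_ex).
 * isRequest  non-zero when writing the ClientHello side.
 * idx        response index (server side only).
 * returns    bytes written, 0 when nothing applies, or the value returned by
 *            EncodeOcspRequestExtensions / TLSX_CSR_WriteWithStatusCB on
 *            failure.
 */
int TLSX_CSR_Write_ex(CertificateStatusRequest* csr, byte* output,
                          byte isRequest, int idx)
{
    /* shut up compiler warnings */
    (void) csr; (void) output; (void) isRequest;

#ifndef NO_WOLFSSL_CLIENT
    if (isRequest) {
        int ret = 0;
        word16 offset = 0;
        word16 length = 0;

        /* type */
        output[offset++] = csr->status_type;

        switch (csr->status_type) {
            case WOLFSSL_CSR_OCSP:
                /* responder id list: always sent empty */
                c16toa(0, output + offset);
                offset += OPAQUE16_LEN;

                /* request extensions: encoded past the 2-byte length slot,
                 * which is filled in once the encoded size is known */
                if (csr->request.ocsp[0].nonceSz) {
                    ret = (int)EncodeOcspRequestExtensions(&csr->request.ocsp[0],
                                                 output + offset + OPAQUE16_LEN,
                                                 OCSP_NONCE_EXT_SZ);

                    if (ret > 0) {
                        length = (word16)ret;
                    }
                    else {
                        /* NOTE(review): a 0 return here is passed through
                         * as "0 bytes written" although the type byte and
                         * responder list were already emitted — confirm
                         * EncodeOcspRequestExtensions never returns 0. */
                        return ret;
                    }
                }

                c16toa(length, output + offset);
                offset += OPAQUE16_LEN + length;

            break;
        }

        return (int)offset;
    }
#endif
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
    /* csr->ssl may be NULL (e.g. an extension attached at context level);
     * test it before the version check dereferences it. */
    if (!isRequest && csr->ssl != NULL &&
            IsAtLeastTLSv1_3(csr->ssl->version)) {
        word16 offset = 0;
        if (SSL_CM(csr->ssl) != NULL &&
                SSL_CM(csr->ssl)->ocsp_stapling != NULL &&
                SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL) {
            /* the application supplied the response via the status cb */
            return TLSX_CSR_WriteWithStatusCB(csr, output, idx);
        }
        /* status_type, 24-bit response length, response bytes.
         * NOTE(review): idx is not range-checked against csr->responses —
         * confirm every caller keeps it within bounds. */
        output[offset++] = csr->status_type;
        c32to24(csr->responses[idx].length, output + offset);
        offset += OPAQUE24_LEN;
        XMEMCPY(output + offset, csr->responses[idx].buffer,
                                        csr->responses[idx].length);
        offset += (word16)csr->responses[idx].length;
        return offset;
    }
#else
    (void)idx;
#endif

    return 0;
}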
/* Write the status_request extension data for the first (idx 0) entry.
 * Thin wrapper over TLSX_CSR_Write_ex. */
static int TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output,
                          byte isRequest)
{
    const int firstIdx = 0;
    return TLSX_CSR_Write_ex(csr, output, isRequest, firstIdx);
}
#if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13) && \
    defined(WOLFSSL_TLS_OCSP_MULTI)
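/* Process OCSP request certificate chain
 *
 * Walks ssl->buffers.certChain (or the single certificate buffer when there
 * is no chain), builds an OCSP request for each 24-bit-length-prefixed DER
 * entry into csr->request.ocsp[i] starting at i = 1, and fetches the
 * matching response into csr->responses[i]. Soft-fail responder outcomes
 * (OCSP_CERT_UNKNOWN, OCSP_LOOKUP_FAIL) are suppressed; OCSP_CERT_REVOKED
 * is not.
 *
 * ssl       SSL/TLS object.
 * returns 0 on success, otherwise failure: MEMORY_ERROR when the
 *         status_request extension is missing, MEMORY_E when the scratch
 *         DecodedCert cannot be allocated, MAX_CERT_EXTENSIONS_ERR when the
 *         chain has too many entries, or the error from CreateOcspRequest /
 *         CheckOcspRequest.
 */
int ProcessChainOCSPRequest(WOLFSSL* ssl)
{
    DecodedCert* cert;
    OcspRequest* request;
    TLSX* extension;
    CertificateStatusRequest* csr;
    DerBuffer* chain;
    word32 pos = 0;
    buffer der;
    int i = 1;
    int ret = 0;
    byte ctxOwnsRequest = 0;

    /* use certChain if available, otherwise use the certificate buffer */
    chain = ssl->buffers.certChain;
    if (chain == NULL) {
        chain = ssl->buffers.certificate;
    }

    extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
    csr = extension ?
                (CertificateStatusRequest*)extension->data : NULL;
    if (csr == NULL)
        return MEMORY_ERROR;

    /* scratch decode buffer reused for every chain entry */
    cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
                                         DYNAMIC_TYPE_DCERT);
    if (cert == NULL) {
        return MEMORY_E;
    }

    if (chain && chain->buffer) {
        while (ret == 0 && pos + OPAQUE24_LEN < chain->length) {
            /* NOTE(review): i indexes both request.ocsp (bounded here by
             * MAX_CERT_EXTENSIONS) and csr->responses (elsewhere bounded by
             * 1 + MAX_CHAIN_DEPTH) — confirm both arrays are at least
             * MAX_CERT_EXTENSIONS long. */
            if (i >= MAX_CERT_EXTENSIONS) {
                WOLFSSL_MSG_EX(
                    "OCSP request cert chain exceeds maximum length: "
                    "i=%d, MAX_CERT_EXTENSIONS=%d", i, MAX_CERT_EXTENSIONS);
                ret = MAX_CERT_EXTENSIONS_ERR;
                break;
            }

            /* entry = 24-bit length followed by DER */
            c24to32(chain->buffer + pos, &der.length);
            pos += OPAQUE24_LEN;
            der.buffer = chain->buffer + pos;
            pos += der.length;

            /* truncated entry: stop without touching it */
            if (pos > chain->length)
                break;
            request = &csr->request.ocsp[i];
            if (ret == 0) {
                /* ctxOwnsRequest is presumably (re)set by CreateOcspRequest
                 * on each call — it is not cleared here per iteration */
                ret = CreateOcspRequest(ssl, request, cert,
                        der.buffer, der.length, &ctxOwnsRequest);
                if (ctxOwnsRequest) {
                    /* NOTE(review): assumes SSL_CM(ssl)->ocsp_stapling is
                     * non-NULL here — confirm against callers */
                    wolfSSL_Mutex* ocspLock =
                        &SSL_CM(ssl)->ocsp_stapling->ocspLock;
                    /* release only when the lock was actually acquired */
                    if (wc_LockMutex(ocspLock) == 0) {
                        /* the request is ours */
                        ssl->ctx->certOcspRequest = NULL;
                        wc_UnLockMutex(ocspLock);
                    }
                }
            }

            if (ret == 0) {
                request->ssl = ssl;
                ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling,
                                 request, &csr->responses[i], ssl->heap);
                /* Suppressing soft-fail responder errors. OCSP_CERT_REVOKED
                 * is an explicit positive assertion of revocation and must
                 * not be ignored. */
                if (ret == WC_NO_ERR_TRACE(OCSP_CERT_UNKNOWN) ||
                    ret == WC_NO_ERR_TRACE(OCSP_LOOKUP_FAIL)) {
                    ret = 0;
                }
                i++;
                csr->requests++;
            }
        }
    }
    XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);

    return ret;
}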
#endif
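/* Parse the status_request extension.
 *
 * Client side (!isRequest): the server's reply. When the session has no
 * status_request extension the context-level one is used to create it
 * (propagating the OCSP nonce). For TLS 1.3 the extension data is a
 * CertificateStatus body (status_type, 24-bit length, response) and is
 * copied into csr->responses[ssl->response_idx]; for earlier versions the
 * data must be empty.
 * Server side (isRequest): the ClientHello request. Only status_type ocsp is
 * handled: responder_id_list and request_extensions are skipped after
 * bounds checks and, when stapling is enabled, the extension is enabled on
 * the session and marked for a response.
 *
 * ssl        SSL/TLS object.
 * input      extension data.
 * length     number of bytes in input.
 * isRequest  non-zero when parsing a ClientHello.
 * returns 0 on success, BUFFER_ERROR on malformed data, MEMORY_ERROR when the
 *         extension or a response buffer is missing/unallocatable,
 *         BAD_FUNC_ARG when more than 1 + MAX_CHAIN_DEPTH responses arrive,
 *         BAD_CERTIFICATE_STATUS_ERROR for an unexpected status_type, or the
 *         error from TLSX_UseCertificateStatusRequest /
 *         TLSX_HandleUnsupportedExtension.
 */
static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                          byte isRequest)
{
    int ret;
#if !defined(NO_WOLFSSL_SERVER)
    byte status_type;
    word16 size = 0;
#endif

#if !defined(NO_WOLFSSL_CLIENT)
    OcspRequest* request;
    TLSX* extension;
    CertificateStatusRequest* csr;
#endif

#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13) \
 || !defined(NO_WOLFSSL_SERVER)
    word32 offset = 0;
#endif

#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13)
    word32 resp_length = 0;
#endif

    /* shut up compiler warnings */
    (void) ssl; (void) input;

    if (!isRequest) {
#ifndef NO_WOLFSSL_CLIENT
        extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
        csr = extension ? (CertificateStatusRequest*)extension->data : NULL;

        if (!csr) {
            /* look at context level */
            extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST);
            csr = extension ? (CertificateStatusRequest*)extension->data : NULL;

            if (!csr) /* unexpected extension */
                return TLSX_HandleUnsupportedExtension(ssl);

            /* enable extension at ssl level */
            ret = TLSX_UseCertificateStatusRequest(&ssl->extensions,
                                     csr->status_type, csr->options, ssl,
                                     ssl->heap, ssl->devId);
            if (ret != WOLFSSL_SUCCESS)
                return ret == 0 ? -1 : ret;

            switch (csr->status_type) {
                case WOLFSSL_CSR_OCSP:
                    /* propagate nonce */
                    if (csr->request.ocsp[0].nonceSz) {
                        request =
                            (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions);

                        if (request) {
                            XMEMCPY(request->nonce, csr->request.ocsp[0].nonce,
                                        (size_t)csr->request.ocsp[0].nonceSz);
                            request->nonceSz = csr->request.ocsp[0].nonceSz;
                        }
                    }
                break;
            }
        }

        ssl->status_request = 1;

    #ifdef WOLFSSL_TLS13
        if (ssl->options.tls1_3) {
            /* Get the new extension potentially created above. */
            extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
            csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
            if (csr == NULL)
                return MEMORY_ERROR;

            ret = 0;
            if (OPAQUE8_LEN + OPAQUE24_LEN > length)
                ret = BUFFER_ERROR;
            if (ret == 0 && input[offset++] != WOLFSSL_CSR_OCSP) {
                ret = BAD_CERTIFICATE_STATUS_ERROR;
                WOLFSSL_ERROR_VERBOSE(ret);
            }
            if (ret == 0) {
                c24to32(input + offset, &resp_length);
                offset += OPAQUE24_LEN;
                /* the response must fill the extension data exactly */
                if (offset + resp_length != length)
                    ret = BUFFER_ERROR;
            }
            if (ret == 0) {
                /* NOTE(review): a buffer already stored in this slot is
                 * overwritten rather than freed, and resp_length may be 0 —
                 * confirm response_idx is never reused within a session. */
                if (ssl->response_idx < (1 + MAX_CHAIN_DEPTH))
                    csr->responses[ssl->response_idx].buffer =
                    (byte*)XMALLOC(resp_length, ssl->heap,
                        DYNAMIC_TYPE_TMP_BUFFER);
                else
                    ret = BAD_FUNC_ARG;

                if (ret == 0 &&
                        csr->responses[ssl->response_idx].buffer == NULL)
                    ret = MEMORY_ERROR;
            }
            if (ret == 0) {
                XMEMCPY(csr->responses[ssl->response_idx].buffer,
                                            input + offset, resp_length);
                csr->responses[ssl->response_idx].length = resp_length;
            }

            return ret;
        }
        else
    #endif
        {
            /* extension_data MUST be empty. */
            return length ? BUFFER_ERROR : 0;
        }
#endif
    }
    else {
#ifndef NO_WOLFSSL_SERVER
        if (length == 0)
            return 0;

        status_type = input[offset++];

        switch (status_type) {
            case WOLFSSL_CSR_OCSP: {
                /* skip responder_id_list: the 2-byte length prefix and the
                 * list itself must both fit in the remaining input, checked
                 * before offset advances so it never exceeds length */
                if (length - offset < (word32)OPAQUE16_LEN)
                    return BUFFER_ERROR;

                ato16(input + offset, &size);
                if (length - offset - OPAQUE16_LEN < (word32)size)
                    return BUFFER_ERROR;
                offset += OPAQUE16_LEN + size;

                /* skip request_extensions, same shape */
                if (length - offset < (word32)OPAQUE16_LEN)
                    return BUFFER_ERROR;

                ato16(input + offset, &size);
                if (length - offset - OPAQUE16_LEN < (word32)size)
                    return BUFFER_ERROR;
                offset += OPAQUE16_LEN + size;

                /* cannot trigger after the checks above; kept as a guard */
                if (offset > length)
                    return BUFFER_ERROR;

                /* is able to send OCSP response? */
                if (SSL_CM(ssl) == NULL || !SSL_CM(ssl)->ocspStaplingEnabled)
                    return 0;
            }
            break;

            /* unknown status type */
            default:
                return 0;
        }

        /* if using status_request and already sending it, skip this one */
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
        if (ssl->status_request_v2)
            return 0;
        #endif

        /* accept the first good status_type and return */
        ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type,
                                                 0, ssl, ssl->heap, ssl->devId);
        if (ret != WOLFSSL_SUCCESS)
            return ret == 0 ? -1 : ret; /* throw error */

        TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
        ssl->status_request = status_type;
#endif
    }

    return 0;
}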
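/* Initialise the OCSP request for one certificate in the status_request
 * extension.
 *
 * extensions  extension list the status_request extension is looked up in.
 * cert        decoded certificate the request is built for.
 * heap        allocation hint passed to InitOcspRequest.
 * idx         request slot to (re)initialise, or -1 to use the next free
 *             slot (csr->requests).
 * returns 0 on success (also when the extension is absent),
 *         MAX_CERT_EXTENSIONS_ERR when the slot is out of range, or the
 *         error from InitOcspRequest.
 */
int TLSX_CSR_InitRequest_ex(TLSX* extensions, DecodedCert* cert,
                                                            void* heap, int idx)
{
    TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST);
    CertificateStatusRequest* csr = extension ?
        (CertificateStatusRequest*)extension->data : NULL;
    int ret = 0;

    if (csr) {
        switch (csr->status_type) {
            case WOLFSSL_CSR_OCSP: {
                byte nonce[MAX_OCSP_NONCE_SZ];
                int  req_cnt = idx == -1 ? csr->requests : idx;
                int  nonceSz = csr->request.ocsp[0].nonceSz;
                OcspRequest* request;

                /* range-check the slot before csr->request.ocsp[req_cnt]
                 * is dereferenced */
                if (req_cnt < 0 || req_cnt >= MAX_CERT_EXTENSIONS) {
                    WOLFSSL_ERROR_VERBOSE(MAX_CERT_EXTENSIONS_ERR);
                    return MAX_CERT_EXTENSIONS_ERR;
                }

                request = &csr->request.ocsp[req_cnt];
                if (request->serial != NULL) {
                    /* clear request contents before reuse */
                    FreeOcspRequest(request);
                    if (csr->requests > 0)
                        csr->requests--;
                }
                /* preserve the nonce of ocsp[0]: the slot being initialised
                 * may be ocsp[0] itself, and every further slot replicates
                 * that nonce */
                XMEMCPY(nonce, csr->request.ocsp[0].nonce, (size_t)nonceSz);

                if ((ret = InitOcspRequest(request, cert, 0, heap)) != 0)
                    return ret;

                /* restore the nonce into the slot just initialised so that
                 * its nonce bytes and nonceSz describe the same request */
                XMEMCPY(request->nonce, nonce, (size_t)nonceSz);
                request->nonceSz = nonceSz;
                csr->requests++;
            }
            break;
        }
    }

    return ret;
}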
/* Initialise the next free OCSP request slot for cert; see
 * TLSX_CSR_InitRequest_ex, where idx -1 selects csr->requests. */
int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert, void* heap)
{
    const int appendSlot = -1;
    return TLSX_CSR_InitRequest_ex(extensions, cert, heap, appendSlot);
}
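/* Look up the OcspRequest stored at slot idx of the status_request extension.
 *
 * extensions  extension list.
 * idx         request slot. For TLS 1.3 sessions any slot below
 *             csr->requests is valid; for earlier versions only slot 0.
 * returns the OcspRequest (as void*), or NULL when the extension is missing,
 *         has no session attached, is not of type ocsp, or idx is out of
 *         range. A negative idx is rejected instead of indexing backwards.
 */
void* TLSX_CSR_GetRequest_ex(TLSX* extensions, int idx)
{
    TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST);
    CertificateStatusRequest* csr = extension ?
                              (CertificateStatusRequest*)extension->data : NULL;

    if (idx < 0)
        return NULL;

    if (csr && csr->ssl) {
        switch (csr->status_type) {
            case WOLFSSL_CSR_OCSP:
                if (IsAtLeastTLSv1_3(csr->ssl->version)) {
                    return idx < csr->requests ? &csr->request.ocsp[idx] : NULL;
                }
                else {
                    return idx == 0 ? &csr->request.ocsp[0] : NULL;
                }
        }
    }

    return NULL;
}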
/* Return the first (slot 0) OcspRequest of the status_request extension;
 * see TLSX_CSR_GetRequest_ex. */
void* TLSX_CSR_GetRequest(TLSX* extensions)
{
    const int firstSlot = 0;
    return TLSX_CSR_GetRequest_ex(extensions, firstSlot);
}
/* Perform the OCSP lookup for the session's status_request immediately,
 * using the certificate manager's OCSP context rather than stapling.
 *
 * ssl  SSL/TLS object.
 * returns 0 when there is no ocsp status_request extension on the session,
 *         OCSP_LOOKUP_FAIL when OCSP is not enabled on the cert manager,
 *         otherwise the result of CheckOcspRequest.
 */
int TLSX_CSR_ForceRequest(WOLFSSL* ssl)
{
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
    CertificateStatusRequest* csr = extension ?
                              (CertificateStatusRequest*)extension->data : NULL;

    if (csr == NULL || csr->status_type != WOLFSSL_CSR_OCSP)
        return 0;

    /* NOTE(review): SSL_CM(ssl) is dereferenced without a NULL test here,
     * unlike TLSX_CSR_Parse — confirm callers always have a cert manager. */
    if (!SSL_CM(ssl)->ocspEnabled) {
        WOLFSSL_ERROR_VERBOSE(OCSP_LOOKUP_FAIL);
        return OCSP_LOOKUP_FAIL;
    }

    csr->request.ocsp[0].ssl = ssl;
    return CheckOcspRequest(SSL_CM(ssl)->ocsp, &csr->request.ocsp[0],
                            NULL, NULL);
}
/* Create a status_request extension and push it onto extensions.
 *
 * extensions   list to add the extension to.
 * status_type  must be WOLFSSL_CSR_OCSP; anything else is rejected.
 * options      WOLFSSL_CSR_OCSP_USE_NONCE requests a random nonce of
 *              MAX_OCSP_NONCE_SZ bytes in request.ocsp[0].
 * ssl          session the extension belongs to (stored in csr->ssl).
 * heap         allocation hint.
 * devId        device id for the RNG (unused under HAVE_FIPS).
 * returns WOLFSSL_SUCCESS, BAD_FUNC_ARG, MEMORY_E, or the TLSX_Push error.
 *
 * NOTE(review): an RNG init or generate failure is not reported — the
 * request then simply goes out without a nonce (nonceSz stays 0).
 */
int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type,
                                         byte options, WOLFSSL* ssl, void* heap,
                                                                      int devId)
{
    CertificateStatusRequest* csr;
    int ret;

    if (extensions == NULL || status_type != WOLFSSL_CSR_OCSP)
        return BAD_FUNC_ARG;

    csr = (CertificateStatusRequest*)
             XMALLOC(sizeof(CertificateStatusRequest), heap, DYNAMIC_TYPE_TLSX);
    if (csr == NULL)
        return MEMORY_E;

    ForceZero(csr, sizeof(CertificateStatusRequest));
#if defined(WOLFSSL_TLS13)
    XMEMSET(csr->responses, 0, sizeof(csr->responses));
#endif
    csr->status_type = status_type;
    csr->options     = options;
    csr->ssl         = ssl;

    /* status_type is WOLFSSL_CSR_OCSP here (checked above) */
    if (options & WOLFSSL_CSR_OCSP_USE_NONCE) {
        WC_RNG rng;
        int rngRet;

    #ifndef HAVE_FIPS
        rngRet = wc_InitRng_ex(&rng, heap, devId);
    #else
        rngRet = wc_InitRng(&rng);
        (void)devId;
    #endif
        if (rngRet == 0) {
            if (wc_RNG_GenerateBlock(&rng, csr->request.ocsp[0].nonce,
                                                   MAX_OCSP_NONCE_SZ) == 0) {
                csr->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ;
            }
            wc_FreeRng(&rng);
        }
    }

    ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr, heap);
    if (ret != 0) {
        XFREE(csr, heap, DYNAMIC_TYPE_TLSX);
        return ret;
    }

    return WOLFSSL_SUCCESS;
}
#define CSR_FREE_ALL TLSX_CSR_Free
#define CSR_GET_SIZE TLSX_CSR_GetSize
#define CSR_WRITE    TLSX_CSR_Write
#define CSR_PARSE    TLSX_CSR_Parse
#else
#define CSR_FREE_ALL(data, heap) WC_DO_NOTHING
#define CSR_GET_SIZE(a, b)    0
#define CSR_WRITE(a, b, c)    0
#define CSR_PARSE(a, b, c, d) 0
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
/******************************************************************************/
/* Certificate Status Request v2                                              */
/******************************************************************************/
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
/* Free every Signer in the singly linked list starting at s.
 *
 * s     list head (NULL is fine: nothing is freed).
 * heap  allocation hint handed to FreeSigner.
 */
static void TLSX_CSR2_FreePendingSigners(Signer *s, void* heap)
{
    Signer* following;

    for (; s != NULL; s = following) {
        /* read the link before the node is released */
        following = s->next;
        FreeSigner(s, heap);
    }
}
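/* Free a status_request_v2 item list.
 *
 * csr2  list head; NULL is accepted and does nothing.
 * heap  allocation hint for XFREE / FreeSigner.
 *
 * NOTE(review): only the head item's pendingSigners are released here, while
 * TLSX_CSR2_AddPendingSigner attaches signers to the OCSP_MULTI item, which
 * need not be the head — confirm those signers cannot leak.
 */
static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2, void* heap)
{
    CertificateStatusRequestItemV2* next;

    /* the walk below already tolerates a NULL head; the pendingSigners
     * access needs the same guard */
    if (csr2 == NULL)
        return;

    TLSX_CSR2_FreePendingSigners(csr2->pendingSigners, heap);
    for (; csr2; csr2 = next) {
        next = csr2->next;

        switch (csr2->status_type) {
            case WOLFSSL_CSR2_OCSP:
            case WOLFSSL_CSR2_OCSP_MULTI:
                /* requests counts the initialised ocsp[] slots; free each */
                while(csr2->requests--)
                    FreeOcspRequest(&csr2->request.ocsp[csr2->requests]);
            break;
        }

        XFREE(csr2, heap, DYNAMIC_TYPE_TLSX);
    }
    (void)heap;
}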
/* Size of the status_request_v2 extension data.
 *
 * Only the client (isRequest) side has a body: a 2-byte list length plus,
 * per ocsp / ocsp_multi item, status_type, request_length, an empty
 * responder_id_list and request_extensions (plus the nonce extension when a
 * nonce is present). Must agree with TLSX_CSR2_Write.
 *
 * csr2       item list.
 * isRequest  non-zero for the ClientHello side.
 * returns the size, or 0 when it would not fit in 16 bits (or when nothing
 *         is written).
 */
static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2,
                                                                 byte isRequest)
{
    word32 total = 0;

    /* shut up compiler warnings */
    (void) csr2; (void) isRequest;

#ifndef NO_WOLFSSL_CLIENT
    if (isRequest) {
        /* list length prefix */
        total = OPAQUE16_LEN;

        while (csr2 != NULL) {
            CertificateStatusRequestItemV2* following = csr2->next;

            if (csr2->status_type == WOLFSSL_CSR2_OCSP ||
                    csr2->status_type == WOLFSSL_CSR2_OCSP_MULTI) {
                total += ENUM_LEN + 3 * OPAQUE16_LEN;
                if (csr2->request.ocsp[0].nonceSz)
                    total += OCSP_NONCE_EXT_SZ;
            }

            if (total > WOLFSSL_MAX_16BIT)
                return 0;

            csr2 = following;
        }
    }
#endif

    return (word16)total;
}
/* Write the status_request_v2 extension data (client side only).
 *
 * Layout: 2-byte list length, then per ocsp / ocsp_multi item: status_type,
 * 2-byte request_length, empty responder_id_list (2-byte length 0), then
 * request_extensions (2-byte length followed by the nonce extension when a
 * nonce is present). Must agree with TLSX_CSR2_GetSize.
 *
 * csr2       item list.
 * output     destination buffer; not bounds-checked here, the caller is
 *            expected to have sized it via TLSX_CSR2_GetSize.
 * isRequest  non-zero for the ClientHello side; otherwise nothing is written.
 * returns bytes written, 0 when nothing applies, or the value returned by
 *         EncodeOcspRequestExtensions on failure.
 */
static int TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2,
                                                   byte* output, byte isRequest)
{
    /* shut up compiler warnings */
    (void) csr2; (void) output; (void) isRequest;

#ifndef NO_WOLFSSL_CLIENT
    if (isRequest) {
        int ret = 0;
        word16 offset;
        word16 length;

        /* leave room for the list length, filled in after the loop */
        for (offset = OPAQUE16_LEN; csr2 != NULL; csr2 = csr2->next) {
            /* status_type */
            output[offset++] = csr2->status_type;

            /* request */
            switch (csr2->status_type) {
                case WOLFSSL_CSR2_OCSP:
                case WOLFSSL_CSR2_OCSP_MULTI:
                    /* request_length: computed up front.
                     * NOTE(review): this assumes EncodeOcspRequestExtensions
                     * emits exactly OCSP_NONCE_EXT_SZ bytes below; if it
                     * returned fewer, request_length would overstate the
                     * item — confirm. */
                    length = 2 * OPAQUE16_LEN;

                    if (csr2->request.ocsp[0].nonceSz)
                        length += OCSP_NONCE_EXT_SZ;

                    c16toa(length, output + offset);
                    offset += OPAQUE16_LEN;

                    /* responder id list: always empty */
                    c16toa(0, output + offset);
                    offset += OPAQUE16_LEN;

                    /* request extensions: encoded past the 2-byte length
                     * slot, which is filled in once the size is known */
                    length = 0;

                    if (csr2->request.ocsp[0].nonceSz) {
                        ret = (int)EncodeOcspRequestExtensions(
                                                 &csr2->request.ocsp[0],
                                                 output + offset + OPAQUE16_LEN,
                                                 OCSP_NONCE_EXT_SZ);

                        if (ret > 0) {
                            length = (word16)ret;
                        }
                        else {
                            /* NOTE(review): a 0 return propagates as
                             * "0 bytes written" although part of the item
                             * is already in output — confirm the encoder
                             * never returns 0. */
                            return ret;
                        }
                    }

                    c16toa(length, output + offset);
                    offset += OPAQUE16_LEN + length;
                break;
            }
        }

        /* list size */
        c16toa(offset - OPAQUE16_LEN, output);

        return (int)offset;
    }
#endif

    return 0;
}
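/* Parse the status_request_v2 extension.
 *
 * Client side (!isRequest): the server's reply. The session-level extension
 * is created from the context-level items when missing (propagating the
 * OCSP nonce); the extension data must be empty.
 * Server side (isRequest): the ClientHello request list. Each item's
 * responder_id_list and request_extensions are skipped after bounds checks;
 * the first ocsp / ocsp_multi item for which stapling is enabled wins,
 * replacing a plain status_request already accepted. For TLS 1.3 the
 * extension is not acted upon.
 *
 * ssl        SSL/TLS object.
 * input      extension data.
 * length     number of bytes in input.
 * isRequest  non-zero when parsing a ClientHello.
 * returns 0 on success, BUFFER_E / BUFFER_ERROR on malformed data, or the
 *         error from TLSX_UseCertificateStatusRequestV2 /
 *         TLSX_HandleUnsupportedExtension.
 *
 * NOTE(review): the list-length check returns BUFFER_E while every other
 * malformed-input path returns BUFFER_ERROR — confirm callers treat both
 * alike.
 */
static int TLSX_CSR2_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                           byte isRequest)
{
    int ret;

    /* shut up compiler warnings */
    (void) ssl; (void) input;

    if (!isRequest) {
#ifndef NO_WOLFSSL_CLIENT
        TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2);
        CertificateStatusRequestItemV2* csr2 = extension ?
                        (CertificateStatusRequestItemV2*)extension->data : NULL;

        if (!csr2) {
            /* look at context level */
            extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST_V2);
            csr2 = extension ?
                        (CertificateStatusRequestItemV2*)extension->data : NULL;

            if (!csr2) /* unexpected extension */
                return TLSX_HandleUnsupportedExtension(ssl);

            /* enable extension at ssl level */
            for (; csr2; csr2 = csr2->next) {
                ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
                                    csr2->status_type, csr2->options, ssl->heap,
                                                                    ssl->devId);
                if (ret != WOLFSSL_SUCCESS)
                    return ret;

                switch (csr2->status_type) {
                    case WOLFSSL_CSR2_OCSP:
                        /* followed by */
                    case WOLFSSL_CSR2_OCSP_MULTI:
                        /* propagate nonce */
                        if (csr2->request.ocsp[0].nonceSz) {
                            OcspRequest* request =
                             (OcspRequest*)TLSX_CSR2_GetRequest(ssl->extensions,
                                                          csr2->status_type, 0);

                            if (request) {
                                XMEMCPY(request->nonce,
                                        csr2->request.ocsp[0].nonce,
                                        (size_t)csr2->request.ocsp[0].nonceSz);

                                request->nonceSz =
                                                  csr2->request.ocsp[0].nonceSz;
                            }
                        }
                    break;
                }
            }
        }

        ssl->status_request_v2 = 1;

        return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */
#endif
    }
    else {
#ifndef NO_WOLFSSL_SERVER
        byte   status_type;
        word16 request_length;
        word16 offset = 0;
        word16 size = 0;

        /* list size */
        if (offset + OPAQUE16_LEN >= length) {
            return BUFFER_E;
        }

        ato16(input + offset, &request_length);
        offset += OPAQUE16_LEN;

        if (length - OPAQUE16_LEN != request_length)
            return BUFFER_ERROR;

        while (length > offset) {
            /* each item starts with status_type and request_length */
            if ((int)(length - offset) < ENUM_LEN + OPAQUE16_LEN)
                return BUFFER_ERROR;

            status_type = input[offset++];

            ato16(input + offset, &request_length);
            offset += OPAQUE16_LEN;

            if (length - offset < request_length)
                return BUFFER_ERROR;

            switch (status_type) {
                case WOLFSSL_CSR2_OCSP:
                case WOLFSSL_CSR2_OCSP_MULTI:
                    /* skip responder_id_list: length prefix and body must
                     * both fit before offset advances */
                    if ((int)(length - offset) < OPAQUE16_LEN)
                        return BUFFER_ERROR;

                    ato16(input + offset, &size);
                    if (length - offset - OPAQUE16_LEN < size)
                        return BUFFER_ERROR;

                    offset += OPAQUE16_LEN + size;
                    /* skip request_extensions, same shape: the check now
                     * accounts for the 2-byte prefix like the one above, so
                     * offset cannot step past length (and, for a word16
                     * offset, cannot wrap) */
                    if ((int)(length - offset) < OPAQUE16_LEN)
                        return BUFFER_ERROR;

                    ato16(input + offset, &size);
                    if (length - offset - OPAQUE16_LEN < size)
                        return BUFFER_ERROR;

                    offset += OPAQUE16_LEN + size;
                    /* cannot trigger after the checks above; kept as guard */
                    if (offset > length)
                        return BUFFER_ERROR;

                    /* is able to send OCSP response? */
                    if (SSL_CM(ssl) == NULL
                    || !SSL_CM(ssl)->ocspStaplingEnabled)
                        continue;
                break;

                default:
                    /* unknown status type, skipping! */
                    offset += request_length;
                    continue;
            }

            /* if using status_request and already sending it, remove it
             * and prefer to use the v2 version.
             * NOTE(review): for TLS 1.3 the v2 extension is then not used
             * either (see below), so a client sending both ends up with no
             * stapled status at all — confirm this is intended. */
            #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
            if (ssl->status_request) {
                ssl->status_request = 0;
                TLSX_Remove(&ssl->extensions, TLSX_STATUS_REQUEST, ssl->heap);
            }
            #endif

            /* TLS 1.3 servers MUST NOT act upon presence or information in
             * this extension (RFC 8446 Section 4.4.2.1).
             */
            if (!IsAtLeastTLSv1_3(ssl->version)) {
                /* accept the first good status_type and return */
                ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
                                         status_type, 0, ssl->heap, ssl->devId);
                if (ret != WOLFSSL_SUCCESS)
                    return ret; /* throw error */

                TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2);
                ssl->status_request_v2 = status_type;
            }

            return 0;
        }
#endif
    }

    return 0;
}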
/* Find the ocsp_multi item of the status_request_v2 extension.
 *
 * extensions  extension list.
 * returns the first item with status_type WOLFSSL_CSR2_OCSP_MULTI, or NULL
 *         when the extension or such an item is absent.
 */
static CertificateStatusRequestItemV2* TLSX_CSR2_GetMulti(TLSX *extensions)
{
    TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
    CertificateStatusRequestItemV2* item;

    if (extension == NULL)
        return NULL;

    item = (CertificateStatusRequestItemV2*)extension->data;
    while (item != NULL && item->status_type != WOLFSSL_CSR2_OCSP_MULTI)
        item = item->next;

    return item;
}
/* Whether the status_request_v2 extension carries an ocsp_multi item.
 * Returns 1 when it does, 0 otherwise. */
int TLSX_CSR2_IsMulti(TLSX *extensions)
{
    CertificateStatusRequestItemV2* multi = TLSX_CSR2_GetMulti(extensions);
    return multi == NULL ? 0 : 1;
}
/* Queue a Signer on the ocsp_multi item until it is merged into the cert
 * manager (TLSX_CSR2_MergePendingCA) or discarded (TLSX_CSR2_ClearPendingCA).
 *
 * extensions  extension list.
 * s           signer to queue; it is pushed onto the head of the list.
 *             NOTE(review): s is not NULL-checked — callers must pass a
 *             valid signer.
 * returns 0, or WOLFSSL_FATAL_ERROR when there is no ocsp_multi item.
 */
int TLSX_CSR2_AddPendingSigner(TLSX *extensions, Signer *s)
{
    CertificateStatusRequestItemV2* multi = TLSX_CSR2_GetMulti(extensions);

    if (multi == NULL)
        return WOLFSSL_FATAL_ERROR;

    s->next = multi->pendingSigners;
    multi->pendingSigners = s;
    return 0;
}
/* Return the pending Signer list of the ocsp_multi item, or NULL when there
 * is no such item. The list stays owned by the item. */
Signer* TLSX_CSR2_GetPendingSigners(TLSX *extensions)
{
    CertificateStatusRequestItemV2* multi = TLSX_CSR2_GetMulti(extensions);
    return multi != NULL ? multi->pendingSigners : NULL;
}
/* Discard the pending Signer list of the session's ocsp_multi item.
 *
 * ssl  SSL/TLS object; the signers are freed with SSL_CM(ssl)->heap.
 * returns 0 always (also when there is no ocsp_multi item).
 */
int TLSX_CSR2_ClearPendingCA(WOLFSSL *ssl)
{
    CertificateStatusRequestItemV2* multi = TLSX_CSR2_GetMulti(ssl->extensions);

    if (multi != NULL) {
        TLSX_CSR2_FreePendingSigners(multi->pendingSigners, SSL_CM(ssl)->heap);
        multi->pendingSigners = NULL;
    }

    return 0;
}
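/* Move the pending Signers of the session's ocsp_multi item into the cert
 * manager.
 *
 * Every signer is offered to AddSigner; one that is rejected is freed here
 * (presumably AddSigner takes ownership only on success — confirm). All
 * signers are processed even after a failure, and the pending list is
 * emptied in every case.
 *
 * ssl  SSL/TLS object.
 * returns 0 when there is no ocsp_multi item or every signer was added,
 *         otherwise the first AddSigner error (a later success does not
 *         mask an earlier failure).
 */
int TLSX_CSR2_MergePendingCA(WOLFSSL* ssl)
{
    CertificateStatusRequestItemV2* csr2;
    Signer *s, *next;
    int r = 0;

    csr2 = TLSX_CSR2_GetMulti(ssl->extensions);
    if (csr2 == NULL)
        return 0;

    s = csr2->pendingSigners;
    while (s != NULL) {
        int rc;

        /* read the link first: s is not ours once AddSigner accepts it */
        next = s->next;
        rc = AddSigner(SSL_CM(ssl), s);
        if (rc != 0) {
            FreeSigner(s, SSL_CM(ssl)->heap);
            if (r == 0)
                r = rc;
        }
        s = next;
    }
    csr2->pendingSigners = NULL;
    return r;
}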
int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer,
                                                                     void* heap)
{
    /* Adds an OCSP request for cert to every status_request_v2 item that
     * takes one: OCSP_MULTI items get one request per call (up to
     * 1 + MAX_CHAIN_DEPTH), plain OCSP items only a single request and only
     * when isPeer is set.
     *
     * extensions  Extension list holding the status_request_v2 items.
     * cert        Certificate the request is built for.
     * isPeer      Non-zero when cert is the peer's certificate.
     * heap        Heap hint passed to InitOcspRequest.
     * returns 0 on success or the first InitOcspRequest error.
     */
    TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
    CertificateStatusRequestItemV2* item = NULL;
    int ret = 0;

    if (extension != NULL)
        item = (CertificateStatusRequestItemV2*)extension->data;

    for (; item != NULL; item = item->next) {
        byte nonce[MAX_OCSP_NONCE_SZ];
        int  nonceSz;
        int  slot;

        if (item->status_type == WOLFSSL_CSR2_OCSP) {
            /* single-request type: only the peer cert, and only once */
            if (!isPeer || item->requests != 0)
                continue;
        }
        else if (item->status_type != WOLFSSL_CSR2_OCSP_MULTI) {
            continue;
        }

        slot = item->requests;
        /* request.ocsp has room for 1 + MAX_CHAIN_DEPTH entries */
        if (slot >= 1 + MAX_CHAIN_DEPTH)
            continue;

        /* Every request reuses the nonce generated for ocsp[0] in
         * TLSX_UseCertificateStatusRequestV2. InitOcspRequest is called with
         * its nonce flag cleared, so the nonce is saved and put back. */
        nonceSz = item->request.ocsp[0].nonceSz;
        XMEMCPY(nonce, item->request.ocsp[0].nonce, (size_t)nonceSz);

        ret = InitOcspRequest(&item->request.ocsp[slot], cert, 0, heap);
        if (ret != 0)
            return ret;

        XMEMCPY(item->request.ocsp[slot].nonce, nonce, (size_t)nonceSz);
        item->request.ocsp[slot].nonceSz = nonceSz;
        item->requests++;
    }

    (void)cert;
    return ret;
}
void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte idx)
{
    /* Looks up the idx-th OCSP request of the first status_request_v2 item
     * with the given status_type.
     *
     * status_type  WOLFSSL_CSR2_OCSP or WOLFSSL_CSR2_OCSP_MULTI; any other
     *              type yields NULL.
     * idx          0 is the request initialised last (requests are stored in
     *              reverse order).
     * returns a pointer into request.ocsp, or NULL when not found or idx is
     * out of range.
     */
    TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
    CertificateStatusRequestItemV2* item = NULL;

    if (extension != NULL)
        item = (CertificateStatusRequestItemV2*)extension->data;

    while (item != NULL) {
        if (item->status_type == status_type &&
            (status_type == WOLFSSL_CSR2_OCSP ||
             status_type == WOLFSSL_CSR2_OCSP_MULTI)) {
            if (idx >= item->requests)
                return NULL;
            /* requests are initialized in the reverse order */
            return &item->request.ocsp[item->requests - idx - 1];
        }
        item = item->next;
    }

    return NULL;
}
int TLSX_CSR2_ForceRequest(WOLFSSL* ssl)
{
    /* Performs an OCSP lookup for the most recently initialised request of
     * the first status_request_v2 item.
     *
     * returns 0 when there is no item or it is not an OCSP type, the
     * CheckOcspRequest result on lookup, or OCSP_LOOKUP_FAIL when OCSP is
     * disabled in the cert manager or no request has been initialised.
     */
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2);
    CertificateStatusRequestItemV2* first = NULL;
    int last;

    if (extension != NULL)
        first = (CertificateStatusRequestItemV2*)extension->data;

    /* forces only the first one */
    if (first == NULL)
        return 0;
    if (first->status_type != WOLFSSL_CSR2_OCSP &&
        first->status_type != WOLFSSL_CSR2_OCSP_MULTI)
        return 0;

    if (!SSL_CM(ssl)->ocspEnabled || first->requests < 1) {
        WOLFSSL_ERROR_VERBOSE(OCSP_LOOKUP_FAIL);
        return OCSP_LOOKUP_FAIL;
    }

    /* the request added last lives at ocsp[requests - 1] */
    last = first->requests - 1;
    first->request.ocsp[last].ssl = ssl;
    return CheckOcspRequest(SSL_CM(ssl)->ocsp, &first->request.ocsp[last],
                            NULL, NULL);
}
/* Fills request.ocsp[0] of item with a fresh random nonce.
 *
 * Best effort: when the RNG cannot be initialised or fails to produce bytes,
 * nonceSz is left untouched (zero after ForceZero) and the request goes out
 * without a nonce; the failure is not reported to the caller.
 */
static void TLSX_CSR2_GenerateNonce(CertificateStatusRequestItemV2* item,
                                    void* heap, int devId)
{
    WC_RNG rng;
    int    ret;

#ifndef HAVE_FIPS
    ret = wc_InitRng_ex(&rng, heap, devId);
#else
    ret = wc_InitRng(&rng);
    (void)heap;
    (void)devId;
#endif
    if (ret != 0)
        return;

    if (wc_RNG_GenerateBlock(&rng, item->request.ocsp[0].nonce,
                                                    MAX_OCSP_NONCE_SZ) == 0) {
        item->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ;
    }
    wc_FreeRng(&rng);
}

int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
                                           byte options, void* heap, int devId)
{
    /* Adds a status_request_v2 item, creating the extension on first use and
     * appending to its item list afterwards.
     *
     * extensions   Extension list (pointer must not be NULL).
     * status_type  WOLFSSL_CSR2_OCSP or WOLFSSL_CSR2_OCSP_MULTI.
     * options      WOLFSSL_CSR2_OCSP_USE_NONCE requests a random nonce.
     * heap, devId  Allocation hint and device id for the RNG.
     * returns WOLFSSL_SUCCESS, BAD_FUNC_ARG on bad arguments or an extension
     * with no items, MEMORY_E, or the TLSX_Push error.
     */
    TLSX* extension;
    CertificateStatusRequestItemV2* item;
    int ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;
    if (status_type != WOLFSSL_CSR2_OCSP &&
        status_type != WOLFSSL_CSR2_OCSP_MULTI)
        return BAD_FUNC_ARG;

    item = (CertificateStatusRequestItemV2*)
       XMALLOC(sizeof(CertificateStatusRequestItemV2), heap, DYNAMIC_TYPE_TLSX);
    if (item == NULL)
        return MEMORY_E;
    ForceZero(item, sizeof(CertificateStatusRequestItemV2));

    item->status_type = status_type;
    item->options     = options;
    item->next        = NULL;

    /* both accepted status types carry OCSP requests; the nonce is optional */
    if (options & WOLFSSL_CSR2_OCSP_USE_NONCE)
        TLSX_CSR2_GenerateNonce(item, heap, devId);

    extension = TLSX_Find(*extensions, TLSX_STATUS_REQUEST_V2);
    if (extension == NULL) {
        /* first item: the extension is created around it */
        ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST_V2, item, heap);
        if (ret != 0) {
            XFREE(item, heap, DYNAMIC_TYPE_TLSX);
            return ret;
        }
    }
    else {
        /* extension present: append to the tail of its item list */
        CertificateStatusRequestItemV2* tail =
                               (CertificateStatusRequestItemV2*)extension->data;

        if (tail == NULL) {
            XFREE(item, heap, DYNAMIC_TYPE_TLSX);
            return BAD_FUNC_ARG;
        }
        while (tail->next != NULL)
            tail = tail->next;
        tail->next = item;
    }

    return WOLFSSL_SUCCESS;
}
#define CSR2_FREE_ALL TLSX_CSR2_FreeAll
#define CSR2_GET_SIZE TLSX_CSR2_GetSize
#define CSR2_WRITE    TLSX_CSR2_Write
#define CSR2_PARSE    TLSX_CSR2_Parse

#else

/* status_request_v2 not compiled in: presumably the generic extension code
 * still references these names, so provide no-op stand-ins. */
#define CSR2_FREE_ALL(data, heap) WC_DO_NOTHING
#define CSR2_GET_SIZE(a, b)    0
#define CSR2_WRITE(a, b, c)    0
#define CSR2_PARSE(a, b, c, d) 0

#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
/* ML-KEM client support requires generating a key pair (encapsulation key) and
 * decapsulating the server's ciphertext. */
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
     !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
    #define WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT
#endif
/* ML-KEM server support requires encapsulating to the client's key. */
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
    #define WOLFSSL_HAVE_MLKEM_SERVER_SUPPORT
#endif
#if defined(HAVE_SUPPORTED_CURVES) || \
    (defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES))
#ifdef WOLFSSL_HAVE_MLKEM
/* Returns whether ML-KEM groups are supported for the given side.
 *
 * ML-KEM groups require side-specific crypto support. The client needs to
 * generate a key and decapsulate, while the server needs to encapsulate.
 *
 * side  The side of the connection the check is for: WOLFSSL_CLIENT_END,
 *       WOLFSSL_SERVER_END or WOLFSSL_NEITHER_END when the side is not known.
 * returns 1 when supported or 0 otherwise.
 */
static int TLSX_IsMlKemGroupSupported(int side)
{
    /* Resolve the build-time capabilities once, then pick by side. A client
     * needs key generation + decapsulation, a server needs encapsulation;
     * when the side is unknown either capability is enough. */
    int clientOk = 0;
    int serverOk = 0;

#ifdef WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT
    clientOk = 1;
#endif
#ifdef WOLFSSL_HAVE_MLKEM_SERVER_SUPPORT
    serverOk = 1;
#endif

    if (side == WOLFSSL_CLIENT_END)
        return clientOk;
    if (side == WOLFSSL_SERVER_END)
        return serverOk;
    return (clientOk || serverOk) ? 1 : 0;
}
#endif /* WOLFSSL_HAVE_MLKEM */
/* Returns whether this group is supported.
 *
 * namedGroup  The named group to check.
 * side        The side of the connection the check is for: WOLFSSL_CLIENT_END,
 *             WOLFSSL_SERVER_END or WOLFSSL_NEITHER_END when the side is not
 *             known. Used to determine whether the local side has the crypto
 *             support required to use the group (e.g. ML-KEM requires
 *             decapsulation on the client and encapsulation on the server).
 * returns 1 when supported or 0 otherwise.
 */
int TLSX_IsGroupSupported(int namedGroup, int side)
{
    /* side is only consulted by the ML-KEM cases below; in builds without
     * ML-KEM it would otherwise be an unused parameter. */
    (void)side;

    /* Classic (FFDHE / ECC) groups compiled into this build break out of the
     * switch and are reported supported; ML-KEM groups defer to the
     * side-specific check; everything else hits default. */
    switch (namedGroup) {
    #ifdef HAVE_FFDHE_2048
        case WOLFSSL_FFDHE_2048:
            break;
    #endif
    #ifdef HAVE_FFDHE_3072
        case WOLFSSL_FFDHE_3072:
            break;
    #endif
    #ifdef HAVE_FFDHE_4096
        case WOLFSSL_FFDHE_4096:
            break;
    #endif
    #ifdef HAVE_FFDHE_6144
        case WOLFSSL_FFDHE_6144:
            break;
    #endif
    #ifdef HAVE_FFDHE_8192
        case WOLFSSL_FFDHE_8192:
            break;
    #endif
    /* ECC curves are additionally gated on ECC_MIN_KEY_SZ so a curve below the
     * configured minimum key size is never advertised or accepted. */
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
        #ifdef HAVE_ECC_KOBLITZ
        case WOLFSSL_ECC_SECP256K1:
            break;
        #endif
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP256R1:
            break;
        #endif /* !NO_ECC_SECP */
        #ifdef HAVE_ECC_BRAINPOOL
        case WOLFSSL_ECC_BRAINPOOLP256R1:
        case WOLFSSL_ECC_BRAINPOOLP256R1TLS13:
            break;
        #endif
        #ifdef WOLFSSL_SM2
        case WOLFSSL_ECC_SM2P256V1:
            break;
        #endif /* WOLFSSL_SM2 */
    #endif
    #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
        case WOLFSSL_ECC_X25519:
            break;
    #endif
    #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
        case WOLFSSL_ECC_X448:
            break;
    #endif
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP384R1:
            break;
        #endif /* !NO_ECC_SECP */
        #ifdef HAVE_ECC_BRAINPOOL
        case WOLFSSL_ECC_BRAINPOOLP384R1:
        case WOLFSSL_ECC_BRAINPOOLP384R1TLS13:
            break;
        #endif
    #endif
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP521R1:
            break;
        #endif /* !NO_ECC_SECP */
    #endif
    #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
        #ifdef HAVE_ECC_KOBLITZ
        case WOLFSSL_ECC_SECP160K1:
            break;
        #endif
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP160R1:
            break;
        #endif
        #ifdef HAVE_ECC_SECPR2
        case WOLFSSL_ECC_SECP160R2:
            break;
        #endif
    #endif
    #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
        #ifdef HAVE_ECC_KOBLITZ
        case WOLFSSL_ECC_SECP192K1:
            break;
        #endif
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP192R1:
            break;
        #endif
    #endif
    #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
        #ifdef HAVE_ECC_KOBLITZ
        case WOLFSSL_ECC_SECP224K1:
            break;
        #endif
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP224R1:
            break;
        #endif
    #endif
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
        #ifdef HAVE_ECC_BRAINPOOL
        case WOLFSSL_ECC_BRAINPOOLP512R1:
        case WOLFSSL_ECC_BRAINPOOLP512R1TLS13:
            break;
        #endif
    #endif
    /* ML-KEM and hybrid groups: supported only when the local side has the
     * matching key generation / encapsulation / decapsulation support. */
#ifdef WOLFSSL_HAVE_MLKEM
#ifndef WOLFSSL_NO_ML_KEM
        #ifndef WOLFSSL_NO_ML_KEM_512
            #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE
            case WOLFSSL_ML_KEM_512:
                return TLSX_IsMlKemGroupSupported(side);
            #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */
            #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
            case WOLFSSL_SECP256R1MLKEM512:
            #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
            case WOLFSSL_X25519MLKEM512:
            #endif /* HAVE_CURVE25519 */
                return TLSX_IsMlKemGroupSupported(side);
            #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
        #endif /* WOLFSSL_NO_ML_KEM_512 */
        #ifndef WOLFSSL_NO_ML_KEM_768
            #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE
            case WOLFSSL_ML_KEM_768:
            #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */
            #ifdef WOLFSSL_PQC_HYBRIDS
            case WOLFSSL_SECP256R1MLKEM768:
            #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
            case WOLFSSL_X25519MLKEM768:
            #endif /* HAVE_CURVE25519 */
            #endif /* WOLFSSL_PQC_HYBRIDS */
            #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
            case WOLFSSL_SECP384R1MLKEM768:
            #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
            case WOLFSSL_X448MLKEM768:
            #endif /* HAVE_CURVE448 */
            #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
                return TLSX_IsMlKemGroupSupported(side);
        #endif /* WOLFSSL_NO_ML_KEM_768 */
        #ifndef WOLFSSL_NO_ML_KEM_1024
            #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE
            case WOLFSSL_ML_KEM_1024:
            #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */
            #ifdef WOLFSSL_PQC_HYBRIDS
            case WOLFSSL_SECP384R1MLKEM1024:
            #endif /* WOLFSSL_PQC_HYBRIDS */
            #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
            case WOLFSSL_SECP521R1MLKEM1024:
            #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
                return TLSX_IsMlKemGroupSupported(side);
        #endif
        /* Old code points kept for interop; same gating as the current ids. */
        #if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \
                                             defined (WOLFSSL_EXTRA_PQC_HYBRIDS)
            case WOLFSSL_P256_ML_KEM_512_OLD:
            case WOLFSSL_P384_ML_KEM_768_OLD:
            case WOLFSSL_P521_ML_KEM_1024_OLD:
                return TLSX_IsMlKemGroupSupported(side);
        #endif /* WOLFSSL_ML_KEM_USE_OLD_IDS && WOLFSSL_EXTRA_PQC_HYBRIDS */
#endif /* WOLFSSL_NO_ML_KEM */
    /* Legacy Kyber (pre-ML-KEM) identifiers, gated the same way. */
#ifdef WOLFSSL_MLKEM_KYBER
        #ifdef WOLFSSL_KYBER512
            case WOLFSSL_KYBER_LEVEL1:
            case WOLFSSL_P256_KYBER_LEVEL1:
        #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
            case WOLFSSL_X25519_KYBER_LEVEL1:
        #endif
        #endif
        #ifdef WOLFSSL_KYBER768
            case WOLFSSL_KYBER_LEVEL3:
            case WOLFSSL_P384_KYBER_LEVEL3:
            case WOLFSSL_P256_KYBER_LEVEL3:
        #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
            case WOLFSSL_X25519_KYBER_LEVEL3:
        #endif
        #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
            case WOLFSSL_X448_KYBER_LEVEL3:
        #endif
        #endif
        #ifdef WOLFSSL_KYBER1024
            case WOLFSSL_KYBER_LEVEL5:
            case WOLFSSL_P521_KYBER_LEVEL5:
        #endif
                return TLSX_IsMlKemGroupSupported(side);
#endif
#endif /* WOLFSSL_HAVE_MLKEM */
        /* Anything not compiled in is unsupported. */
        default:
            return 0;
    }

    /* reached via break: a classic group compiled into this build */
    return 1;
}
#endif
/******************************************************************************/
/* Supported Elliptic Curves                                                  */
/******************************************************************************/
#ifdef HAVE_SUPPORTED_CURVES
#if !defined(HAVE_ECC) && !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448) \
                       && !defined(HAVE_FFDHE) && !defined(WOLFSSL_HAVE_MLKEM)
#error Elliptic Curves Extension requires Elliptic Curve Cryptography or liboqs groups. \
       Use --enable-ecc and/or --enable-liboqs in the configure script or \
       define HAVE_ECC. Alternatively use FFDHE for DH cipher suites.
#endif
static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name,
                                                                     void* heap)
{
    /* Allocates a single list node for group id `name` and stores it in
     * *curve. Returns 0 on success, BAD_FUNC_ARG when curve is NULL and
     * MEMORY_E when allocation fails (then *curve is NULL). The node is
     * released with TLSX_SupportedCurve_FreeAll. */
    SupportedCurve* node;

    if (curve == NULL)
        return BAD_FUNC_ARG;

    (void)heap; /* XMALLOC may ignore heap in some builds */

    node = (SupportedCurve*)XMALLOC(sizeof(SupportedCurve), heap,
                                                             DYNAMIC_TYPE_TLSX);
    *curve = node;
    if (node == NULL)
        return MEMORY_E;

    node->name = name;
    node->next = NULL;
    return 0;
}
static int TLSX_PointFormat_New(PointFormat** point, byte format, void* heap)
{
    /* Allocates a single list node for point format `format` and stores it
     * in *point. Returns 0 on success, BAD_FUNC_ARG when point is NULL and
     * MEMORY_E when allocation fails (then *point is NULL). The node is
     * released with TLSX_PointFormat_FreeAll. */
    PointFormat* node;

    if (point == NULL)
        return BAD_FUNC_ARG;

    (void)heap; /* XMALLOC may ignore heap in some builds */

    node = (PointFormat*)XMALLOC(sizeof(PointFormat), heap,
                                                             DYNAMIC_TYPE_TLSX);
    *point = node;
    if (node == NULL)
        return MEMORY_E;

    node->format = format;
    node->next = NULL;
    return 0;
}
static void TLSX_SupportedCurve_FreeAll(SupportedCurve* list, void* heap)
{
    /* Releases every node of list; list may be NULL. */
    while (list != NULL) {
        SupportedCurve* next = list->next;
        XFREE(list, heap, DYNAMIC_TYPE_TLSX);
        list = next;
    }
    (void)heap; /* XFREE may ignore heap in some builds */
}
static void TLSX_PointFormat_FreeAll(PointFormat* list, void* heap)
{
    /* Releases every node of list; list may be NULL. */
    while (list != NULL) {
        PointFormat* next = list->next;
        XFREE(list, heap, DYNAMIC_TYPE_TLSX);
        list = next;
    }
    (void)heap; /* XFREE may ignore heap in some builds */
}
static int TLSX_SupportedCurve_Append(SupportedCurve* list, word16 name,
                                                                     void* heap)
{
    /* Appends `name` at the tail of a non-empty list unless it is already
     * present, so the list stays duplicate-free.
     * Returns 0 when present or appended, BAD_FUNC_ARG for an empty list,
     * otherwise the TLSX_SupportedCurve_New error. */
    SupportedCurve* node;

    if (list == NULL)
        return WC_NO_ERR_TRACE(BAD_FUNC_ARG);

    /* stop at the matching node or at the tail, whichever comes first */
    node = list;
    while (node->next != NULL && node->name != name)
        node = node->next;

    if (node->name == name)
        return 0; /* curve already in use */

    return TLSX_SupportedCurve_New(&node->next, name, heap);
}
static int TLSX_PointFormat_Append(PointFormat* list, byte format, void* heap)
{
    /* Appends `format` at the tail of a non-empty list unless it is already
     * present, so the list stays duplicate-free.
     * Returns 0 when present or appended, BAD_FUNC_ARG for an empty list,
     * otherwise the TLSX_PointFormat_New error. */
    PointFormat* node;

    if (list == NULL)
        return WC_NO_ERR_TRACE(BAD_FUNC_ARG);

    /* stop at the matching node or at the tail, whichever comes first */
    node = list;
    while (node->next != NULL && node->format != format)
        node = node->next;

    if (node->format == format)
        return 0; /* format already in use */

    return TLSX_PointFormat_New(&node->next, format, heap);
}
#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT)
#if defined(HAVE_FFDHE) && (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
                                                         defined(HAVE_CURVE448))
static void TLSX_SupportedCurve_ValidateRequest(const WOLFSSL* ssl,
                                                const byte* semaphore)
{
    /* Build has FFDHE and at least one ECC-style exchange: every key-exchange
     * family needs SupportedGroups, so the extension is always sent and the
     * semaphore is left untouched. */
    (void)ssl;
    (void)semaphore;
}
#else
/* Turns the SupportedGroups extension off on the semaphore when none of the
 * configured cipher suites needs a group negotiation; returns early (leaving
 * the extension enabled) as soon as one suite does. */
static void TLSX_SupportedCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
{
    word16 i;
    /* NOTE(review): suites is not NULL-checked here, unlike
     * TLSX_PointFormat_ValidateRequest below; confirm WOLFSSL_SUITES cannot
     * return NULL on this path. */
    const Suites* suites = WOLFSSL_SUITES(ssl);

    /* suites are stored as byte pairs */
    for (i = 0; i < suites->suiteSz; i += 2) {
        if (suites->suites[i] == TLS13_BYTE)
            return;
    #ifdef BUILD_TLS_SM4_GCM_SM3
        if ((suites->suites[i] == CIPHER_BYTE) &&
            (suites->suites[i+1] == TLS_SM4_GCM_SM3))
            return;
    #endif
    #ifdef BUILD_TLS_SM4_CCM_SM3
        if ((suites->suites[i] == CIPHER_BYTE) &&
            (suites->suites[i+1] == TLS_SM4_CCM_SM3))
            return;
    #endif
    #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3
        if ((suites->suites[i] == SM_BYTE) &&
            (suites->suites[i+1] == TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3))
            return;
    #endif
        /* ECC-based suites only count when an ECC implementation is built in;
         * otherwise the body is empty and the loop continues. */
        if ((suites->suites[i] == ECC_BYTE) ||
            (suites->suites[i] == ECDHE_PSK_BYTE) ||
            (suites->suites[i] == CHACHA_BYTE)) {
        #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
                                                          defined(HAVE_CURVE448)
            return;
        #endif
        }
        /* With FFDHE any other suite also needs the extension. Note the else
         * binds to the if above across the #ifdef. */
        #ifdef HAVE_FFDHE
        else {
            return;
        }
        #endif
    }

    /* turns semaphore on to avoid sending this extension. */
    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
}
#endif
/* Only send PointFormats if a TLSv1.3, ECC or CHACHA cipher suite is present.
 */
static void TLSX_PointFormat_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
{
    /* Client side: turn the ec_point_formats extension off on the semaphore
     * unless some configured suite (TLS 1.3, SM, ECC, ECDHE-PSK or ChaCha)
     * calls for it. */
#ifdef HAVE_FFDHE
    /* FFDHE builds always send the extension. */
    (void)ssl;
    (void)semaphore;
#else
    const Suites* suites = WOLFSSL_SUITES(ssl);
    word16 idx;

    if (suites == NULL)
        return;

    /* suites are stored as byte pairs */
    for (idx = 0; idx < suites->suiteSz; idx += 2) {
        const byte hi = suites->suites[idx];

        if (hi == TLS13_BYTE)
            return;
    #ifdef BUILD_TLS_SM4_GCM_SM3
        if (hi == CIPHER_BYTE && suites->suites[idx+1] == TLS_SM4_GCM_SM3)
            return;
    #endif
    #ifdef BUILD_TLS_SM4_CCM_SM3
        if (hi == CIPHER_BYTE && suites->suites[idx+1] == TLS_SM4_CCM_SM3)
            return;
    #endif
    #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3
        if (hi == SM_BYTE &&
            suites->suites[idx+1] == TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3)
            return;
    #endif
    #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
        /* ECC-based suites only count when an ECC implementation is built in */
        if (hi == ECC_BYTE || hi == ECDHE_PSK_BYTE || hi == CHACHA_BYTE)
            return;
    #endif
    }

    /* turns semaphore on to avoid sending this extension. */
    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
#endif
}
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
#ifndef NO_WOLFSSL_SERVER
static void TLSX_PointFormat_ValidateResponse(WOLFSSL* ssl, byte* semaphore)
{
    /* Server side: turn the ec_point_formats response off on the semaphore
     * unless the negotiated suite (TLS 1.3, SM, ECC, ECDHE-PSK or ChaCha)
     * calls for it. */
    const byte cs0 = ssl->options.cipherSuite0;
#if defined(BUILD_TLS_SM4_GCM_SM3) || defined(BUILD_TLS_SM4_CCM_SM3) || \
    defined(BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3)
    const byte cs1 = ssl->options.cipherSuite;
#endif

#if defined(HAVE_FFDHE) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
                                                          defined(HAVE_CURVE448)
    (void)semaphore;
#endif

    if (cs0 == TLS13_BYTE)
        return;
#ifdef BUILD_TLS_SM4_GCM_SM3
    if (cs0 == CIPHER_BYTE && cs1 == TLS_SM4_GCM_SM3)
        return;
#endif
#ifdef BUILD_TLS_SM4_CCM_SM3
    if (cs0 == CIPHER_BYTE && cs1 == TLS_SM4_CCM_SM3)
        return;
#endif
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3
    if (cs0 == SM_BYTE && cs1 == TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3)
        return;
#endif
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
    /* ECC-based suites only count when an ECC implementation is built in */
    if (cs0 == ECC_BYTE || cs0 == ECDHE_PSK_BYTE || cs0 == CHACHA_BYTE)
        return;
#endif

    /* turns semaphore on to avoid sending this extension. */
    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
}
#endif /* !NO_WOLFSSL_SERVER */
#if !defined(NO_WOLFSSL_CLIENT) || defined(WOLFSSL_TLS13)
static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list)
{
    /* Encoded size of the supported_groups body: a 2-byte list length
     * followed by 2 bytes per group. */
    const SupportedCurve* node;
    word16 count = 0;

    for (node = list; node != NULL; node = node->next)
        count++;

    return (word16)(OPAQUE16_LEN + count * OPAQUE16_LEN);
}
#endif
static word16 TLSX_PointFormat_GetSize(PointFormat* list)
{
    /* Encoded size of the ec_point_formats body: a 1-byte list length
     * followed by 1 byte per format. */
    const PointFormat* node;
    word16 count = 0;

    for (node = list; node != NULL; node = node->next)
        count++;

    return (word16)(ENUM_LEN + count * ENUM_LEN);
}
#if !defined(NO_WOLFSSL_CLIENT) || defined(WOLFSSL_TLS13)
static word16 TLSX_SupportedCurve_Write(SupportedCurve* list, byte* output)
{
    /* Writes the supported_groups body: a 2-byte list length followed by
     * each group id via c16toa. output must hold
     * TLSX_SupportedCurve_GetSize(list) bytes. Returns the bytes written. */
    const SupportedCurve* node;
    byte* p = output + OPAQUE16_LEN; /* leave room for the length prefix */

    for (node = list; node != NULL; node = node->next) {
        c16toa(node->name, p);
        p += OPAQUE16_LEN;
    }

    /* list length excludes the prefix itself */
    c16toa((word16)(p - output - OPAQUE16_LEN), output);

    return (word16)(p - output);
}
#endif
static word16 TLSX_PointFormat_Write(PointFormat* list, byte* output)
{
    /* Writes the ec_point_formats body: a 1-byte list length followed by one
     * byte per format. output must hold TLSX_PointFormat_GetSize(list) bytes.
     * Returns the bytes written. */
    const PointFormat* node;
    word16 pos = ENUM_LEN; /* leave room for the length prefix */

    for (node = list; node != NULL; node = node->next)
        output[pos++] = node->format;

    /* list length excludes the prefix itself */
    output[0] = (byte)(pos - ENUM_LEN);

    return pos;
}
#if !defined(NO_WOLFSSL_SERVER) || (defined(WOLFSSL_TLS13) && \
                                         !defined(WOLFSSL_NO_SERVER_GROUPS_EXT))
/* Parses a peer's supported_groups extension body (untrusted input).
 *
 * ssl         SSL/TLS object.
 * input       Extension data, length bytes long.
 * length      Length of input in bytes.
 * isRequest   Non-zero when parsing a ClientHello.
 * extensions  Extension list to update with the negotiated groups.
 * returns 0 on success, BUFFER_ERROR for a malformed list, ECC_CURVE_ERROR
 * when there is no group in common before TLS 1.3, otherwise an error from
 * the list helpers.
 */
int TLSX_SupportedCurve_Parse(const WOLFSSL* ssl, const byte* input,
                              word16 length, byte isRequest, TLSX** extensions)
{
    word16 offset;
    word16 name;
    int ret = 0;
    TLSX* extension;

    /* A pre-TLS 1.3 server is not expected to send this extension. */
    if(!isRequest && !IsAtLeastTLSv1_3(ssl->version)) {
#ifdef WOLFSSL_ALLOW_SERVER_SC_EXT
        return 0;
#else
        return BUFFER_ERROR; /* servers doesn't send this extension. */
#endif
    }
    /* need the 2-byte list length and a whole number of 2-byte group ids */
    if (OPAQUE16_LEN > length || length % OPAQUE16_LEN)
        return BUFFER_ERROR;
    ato16(input, &offset);
    /* validating curve list length */
    /* the declared list length must account for the whole body, so the reads
     * below never run past input and no trailing bytes are silently ignored */
    if (length != OPAQUE16_LEN + offset)
        return BUFFER_ERROR;
    /* offset now serves as the read cursor, starting after the prefix */
    offset = OPAQUE16_LEN;
    if (offset == length)
        return 0; /* empty list */

    extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
    if (extension == NULL) {
        /* Just accept what the peer wants to use */
        /* No local preference configured: each peer id is still passed
         * through TLSX_UseSupportedCurve, which rejects ids this build cannot
         * use with BAD_FUNC_ARG. */
        for (; offset < length; offset += OPAQUE16_LEN) {
            ato16(input + offset, &name);

            ret = TLSX_UseSupportedCurve(extensions, name, ssl->heap,
                                         ssl->options.side);
            /* If it is BAD_FUNC_ARG then it is a group we do not support, but
             * that is fine. */
            if (ret != WOLFSSL_SUCCESS &&
                    ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
                break;
            ret = 0;
        }
    }
    else {
        /* Find the intersection with what the user has set */
        /* commonCurves keeps only the configured groups the peer offered, in
         * the peer's order (New for the first hit, Append for the rest). */
        SupportedCurve* commonCurves = NULL;
        for (; offset < length; offset += OPAQUE16_LEN) {
            SupportedCurve* foundCurve = (SupportedCurve*)extension->data;
            ato16(input + offset, &name);

            while (foundCurve != NULL && foundCurve->name != name)
                foundCurve = foundCurve->next;

            if (foundCurve != NULL) {
                ret = commonCurves == NULL ?
                      TLSX_SupportedCurve_New(&commonCurves, name, ssl->heap) :
                      TLSX_SupportedCurve_Append(commonCurves, name, ssl->heap);
                if (ret != 0)
                    break;
            }
        }
        /* If no common curves return error. In TLS 1.3 we can still try to save
         * this by using HRR. */
        if (ret == 0 && commonCurves == NULL &&
                !IsAtLeastTLSv1_3(ssl->version))
            ret = ECC_CURVE_ERROR;
        if (ret == 0) {
            /* Now swap out the curves in the extension */
            TLSX_SupportedCurve_FreeAll((SupportedCurve*)extension->data,
                                        ssl->heap);
            extension->data = commonCurves;
            commonCurves = NULL;
        }
        /* on error (or after the swap, when it is NULL) release the temp list */
        TLSX_SupportedCurve_FreeAll(commonCurves, ssl->heap);
    }

    return ret;
}
#endif
#if !defined(NO_WOLFSSL_SERVER)
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
/* Checks the priority of the groups on the server and sets the supported groups
 * response if there is a preferred group not advertised by the client.
 *
 * ssl  SSL/TLS object.
 * returns 0 on success, otherwise an error.
 */
int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl)
5292
0
{
5293
0
    int ret;
5294
0
    TLSX* extension;
5295
0
    TLSX* priority = NULL;
5296
0
    TLSX* ext = NULL;
5297
0
    word16 name;
5298
0
    SupportedCurve* curve;
5299
5300
0
    extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
5301
    /* May be doing PSK with no key exchange. */
5302
0
    if (extension == NULL)
5303
0
        return 0;
5304
5305
0
    ret = TLSX_PopulateSupportedGroups(ssl, &priority);
5306
0
    if (ret != WOLFSSL_SUCCESS) {
5307
0
        TLSX_FreeAll(priority, ssl->heap);
5308
0
        return ret;
5309
0
    }
5310
5311
0
    ext = TLSX_Find(priority, TLSX_SUPPORTED_GROUPS);
5312
0
    if (ext == NULL) {
5313
0
        WOLFSSL_MSG("Could not find supported groups extension");
5314
0
        TLSX_FreeAll(priority, ssl->heap);
5315
0
        return 0;
5316
0
    }
5317
5318
0
    curve = (SupportedCurve*)ext->data;
5319
0
    name = curve->name;
5320
5321
0
    curve = (SupportedCurve*)extension->data;
5322
0
    while (curve != NULL) {
5323
0
        if (curve->name == name)
5324
0
            break;
5325
0
        curve = curve->next;
5326
0
    }
5327
5328
0
    if (curve == NULL) {
5329
        /* Couldn't find the preferred group in client list. */
5330
0
        extension->resp = 1;
5331
5332
        /* Send server list back and free client list. */
5333
0
        curve = (SupportedCurve*)extension->data;
5334
0
        extension->data = ext->data;
5335
0
        ext->data = curve;
5336
0
    }
5337
5338
0
    TLSX_FreeAll(priority, ssl->heap);
5339
5340
0
    return 0;
5341
0
}
#endif /* WOLFSSL_TLS13 && !WOLFSSL_NO_SERVER_GROUPS_EXT */
#if defined(HAVE_FFDHE) && !defined(WOLFSSL_NO_TLS12)
#ifdef HAVE_PUBLIC_FFDHE
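/* Find the first FFDHE group in the server's preference list that the client
 * also offers and whose prime length (p_len) lies within the configured
 * [minDhKeySz, maxDhKeySz] range, then point the connection's DH parameters at
 * the built-in parameter set for that group.
 *
 * A server group whose prime is outside the range is skipped and the next
 * server group is tried. Nothing is allocated: the DH buffers alias the
 * parameters returned by the wc_Dh_ffdhe*_Get() accessors, so the caller is
 * responsible for the ownership flag. When no group qualifies the DH buffers
 * are left untouched and 0 is returned.
 *
 * ssl          SSL/TLS object.
 * clientGroup  Groups offered by the client.
 * serverGroup  Groups supported by the server, in preference order.
 * returns 0 on success (including no common group), BAD_FUNC_ARG when a
 * matched FFDHE group has no built-in parameters compiled in.
 */
static int tlsx_ffdhe_find_group(WOLFSSL* ssl, SupportedCurve* clientGroup,
    SupportedCurve* serverGroup)
{
    int ret = 0;
    SupportedCurve* group;
    const DhParams* params = NULL;

    for (; serverGroup != NULL; serverGroup = serverGroup->next) {
        if (!WOLFSSL_NAMED_GROUP_IS_FFDHE(serverGroup->name))
            continue;

        for (group = clientGroup; group != NULL; group = group->next) {
            if (serverGroup->name != group->name)
                continue;

            /* Reset so parameters left over from an earlier server group that
             * was rejected on size cannot be picked up for this group when
             * none of the cases below matches (the default case leaves params
             * unchanged). */
            params = NULL;
            switch (serverGroup->name) {
            #ifdef HAVE_FFDHE_2048
                case WOLFSSL_FFDHE_2048:
                    params = wc_Dh_ffdhe2048_Get();
                    break;
            #endif
            #ifdef HAVE_FFDHE_3072
                case WOLFSSL_FFDHE_3072:
                    params = wc_Dh_ffdhe3072_Get();
                    break;
            #endif
            #ifdef HAVE_FFDHE_4096
                case WOLFSSL_FFDHE_4096:
                    params = wc_Dh_ffdhe4096_Get();
                    break;
            #endif
            #ifdef HAVE_FFDHE_6144
                case WOLFSSL_FFDHE_6144:
                    params = wc_Dh_ffdhe6144_Get();
                    break;
            #endif
            #ifdef HAVE_FFDHE_8192
                case WOLFSSL_FFDHE_8192:
                    params = wc_Dh_ffdhe8192_Get();
                    break;
            #endif
                default:
                    break;
            }
            /* Group is named FFDHE but its parameters are not compiled in. */
            if (params == NULL) {
                ret = BAD_FUNC_ARG;
                break;
            }
            /* Accept the group only when the prime size is within policy. */
            if (params->p_len >= ssl->options.minDhKeySz &&
                                     params->p_len <= ssl->options.maxDhKeySz) {
                break;
            }
        }

        if (ret != 0)
            break;
        /* Inner loop broke out on a match: this server group is the one. */
        if ((group != NULL) && (serverGroup->name == group->name))
            break;
    }

    if ((ret == 0) && (serverGroup != NULL) && (params != NULL)) {
        ssl->buffers.serverDH_P.buffer = (unsigned char *)params->p;
        ssl->buffers.serverDH_P.length = params->p_len;
        ssl->buffers.serverDH_G.buffer = (unsigned char *)params->g;
        ssl->buffers.serverDH_G.length = params->g_len;

        ssl->namedGroup = serverGroup->name;
    #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
        !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
        /* Skip the per-connection prime test for a built-in named group;
         * presumably because the parameters are fixed and pre-verified. */
        ssl->options.dhDoKeyTest = 0;
    #endif
        ssl->options.haveDH = 1;
    }

    return ret;
}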
#else
/* Find the first FFDHE group in the server's preference list that the client
 * also offers and whose prime length lies within [minDhKeySz, maxDhKeySz],
 * then allocate copies of that group's P and G into the connection's DH
 * buffers.
 *
 * Unlike the HAVE_PUBLIC_FFDHE variant, the parameter sizes are fetched with
 * wc_DhGetNamedKeyParamSize() for every candidate, and the parameters are
 * copied (wc_DhCopyNamedKey) into heap buffers owned by the connection
 * (weOwnDH is set). On any failure after the search, both buffers are freed
 * and reset so no partially set state is left behind.
 *
 * ssl          SSL/TLS object.
 * clientGroup  Groups offered by the client.
 * serverGroup  Groups supported by the server, in preference order.
 * returns 0 on success (including no common group), BAD_FUNC_ARG when the
 * named group reports a zero prime size, MEMORY_E on allocation failure, or
 * the error from the wc_Dh* lookups.
 */
static int tlsx_ffdhe_find_group(WOLFSSL* ssl, SupportedCurve* clientGroup,
    SupportedCurve* serverGroup)
{
    int ret = 0;
    SupportedCurve* group;
    word32 p_len;

    for (; serverGroup != NULL; serverGroup = serverGroup->next) {
        if (!WOLFSSL_NAMED_GROUP_IS_FFDHE(serverGroup->name))
            continue;

        for (group = clientGroup; group != NULL; group = group->next) {
            if (serverGroup->name != group->name)
                continue;

            /* Only the prime length is needed to apply the size policy. */
            ret = wc_DhGetNamedKeyParamSize(serverGroup->name, &p_len, NULL, NULL);
            if (ret == 0) {
                if (p_len == 0) {
                    ret = BAD_FUNC_ARG;
                    break;
                }
                /* Accept the group only when the prime size is within policy;
                 * otherwise fall through to the next server group. */
                if (p_len >= ssl->options.minDhKeySz &&
                                                p_len <= ssl->options.maxDhKeySz) {
                    break;
                }
            }
        }

        if (ret != 0)
            break;
        /* Inner loop broke out on a match: this server group is the one. */
        if ((group != NULL) && (serverGroup->name == group->name))
            break;
    }

    if ((ret == 0) && (serverGroup != NULL)) {
        word32 pSz, gSz;

        /* Start from a clean state so the error path below can free safely. */
        ssl->buffers.serverDH_P.buffer = NULL;
        ssl->buffers.serverDH_G.buffer = NULL;
        ret = wc_DhGetNamedKeyParamSize(serverGroup->name, &pSz, &gSz, NULL);
        if (ret == 0) {
            ssl->buffers.serverDH_P.buffer =
                (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
            if (ssl->buffers.serverDH_P.buffer == NULL)
                ret = MEMORY_E;
            else
                ssl->buffers.serverDH_P.length = pSz;
        }
        if (ret == 0) {
            ssl->buffers.serverDH_G.buffer =
                (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
            if (ssl->buffers.serverDH_G.buffer == NULL) {
                ret = MEMORY_E;
            } else
                ssl->buffers.serverDH_G.length = gSz;
        }
        if (ret == 0) {
            /* Copy P and G; pSz/gSz are passed as the buffer capacities. */
            ret = wc_DhCopyNamedKey(serverGroup->name,
                              ssl->buffers.serverDH_P.buffer, &pSz,
                              ssl->buffers.serverDH_G.buffer, &gSz,
                              NULL, NULL);
        }
        if (ret == 0) {
            /* Buffers were allocated here, so this connection must free them. */
            ssl->buffers.weOwnDH = 1;

            ssl->namedGroup = serverGroup->name;
        #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
            !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
            /* Skip the per-connection prime test for a built-in named group;
             * presumably because the parameters are fixed and pre-verified. */
            ssl->options.dhDoKeyTest = 0;
        #endif
            ssl->options.haveDH = 1;
        }
        else {
            /* Undo any partial allocation so no dangling DH state remains. */
            if (ssl->buffers.serverDH_P.buffer != NULL) {
                XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
                    DYNAMIC_TYPE_PUBLIC_KEY);
                ssl->buffers.serverDH_P.length = 0;
                ssl->buffers.serverDH_P.buffer = NULL;
            }
            if (ssl->buffers.serverDH_G.buffer != NULL) {
                XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
                    DYNAMIC_TYPE_PUBLIC_KEY);
                ssl->buffers.serverDH_G.length = 0;
                ssl->buffers.serverDH_G.buffer = NULL;
            }
        }
    }

    return ret;
}
#endif
/* Set the highest priority common FFDHE group on the server as compared to
 * client extensions.
 *
 * Any DH parameters currently owned by the connection are released first and
 * the DH state is cleared, so a failed or empty negotiation leaves no DH group
 * selected. The actual matching is delegated to tlsx_ffdhe_find_group() with
 * the server's preference list from TLSX_PopulateSupportedGroups().
 *
 * ssl    SSL/TLS object.
 * returns 0 on success (including when the client offered no FFDHE group),
 * otherwise an error.
 */
int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
{
    int ret;
    TLSX* clientExt;
    TLSX* serverList = NULL;
    SupportedCurve* clientGroup;
    SupportedCurve* it;

    clientExt = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
    /* May be doing PSK with no key exchange. */
    if (clientExt == NULL)
        return 0;

    /* Nothing to negotiate unless the client offered at least one FFDHE
     * group. */
    clientGroup = (SupportedCurve*)clientExt->data;
    it = clientGroup;
    while (it != NULL && !WOLFSSL_NAMED_GROUP_IS_FFDHE(it->name))
        it = it->next;
    if (it == NULL)
        return 0;

    /* Drop DH parameters owned by this connection before choosing new ones. */
    if (ssl->buffers.weOwnDH) {
        if (ssl->buffers.serverDH_P.buffer != NULL) {
            XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
                  DYNAMIC_TYPE_PUBLIC_KEY);
        }
        if (ssl->buffers.serverDH_G.buffer != NULL) {
            XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
                  DYNAMIC_TYPE_PUBLIC_KEY);
        }
    }
    ssl->buffers.serverDH_P.buffer = NULL;
    ssl->buffers.serverDH_G.buffer = NULL;
    ssl->buffers.weOwnDH = 0;
    ssl->options.haveDH = 0;

    ret = TLSX_PopulateSupportedGroups(ssl, &serverList);
    if (ret == WOLFSSL_SUCCESS) {
        TLSX* serverExt = TLSX_Find(serverList, TLSX_SUPPORTED_GROUPS);

        if (serverExt == NULL) {
            WOLFSSL_MSG("Could not find supported groups extension");
            ret = 0;
        }
        else {
            ret = tlsx_ffdhe_find_group(ssl, clientGroup,
                                        (SupportedCurve*)serverExt->data);
        }
    }

    /* The server list is only needed for the comparison. */
    TLSX_FreeAll(serverList, ssl->heap);

    return ret;
}
#endif /* HAVE_FFDHE && !WOLFSSL_NO_TLS12 */
#endif /* !NO_WOLFSSL_SERVER */
/* Check if the given curve is present in the supported groups extension.
 *
 * A missing extension is reported the same way as a list without the curve.
 *
 * ssl             SSL/TLS object.
 * name            The curve name to check.
 * returns 1 if present, 0 otherwise.
 */
int TLSX_SupportedCurve_IsSupported(WOLFSSL* ssl, word16 name)
{
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
    SupportedCurve* it;

    if (extension == NULL)
        return 0;

    for (it = (SupportedCurve*)extension->data; it != NULL; it = it->next) {
        if (it->name == name)
            return 1;
    }

    return 0;
}
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
/* Return the preferred group.
 *
 * The list is walked in extension order; with checkSupported set, groups that
 * TLSX_IsGroupSupported() rejects for this side are passed over.
 *
 * ssl             SSL/TLS object.
 * checkSupported  Whether to check for the first supported group.
 * returns BAD_FUNC_ARG if no group found, otherwise the group.
 */
int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl, int checkSupported)
{
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
    SupportedCurve* it;

    if (extension == NULL)
        return BAD_FUNC_ARG;

    for (it = (SupportedCurve*)extension->data; it != NULL; it = it->next) {
        if (checkSupported &&
                !TLSX_IsGroupSupported(it->name, ssl->options.side)) {
            continue;
        }
        return it->name;
    }

    return BAD_FUNC_ARG;
}
#endif /* HAVE_SUPPORTED_CURVES */
#ifndef NO_WOLFSSL_SERVER
/* Parse the EC point formats extension.
 *
 * Only the framing is checked: the leading one-byte count must account for
 * exactly the remaining bytes. The format values themselves are not inspected
 * here. For a request, the response is set up to advertise the uncompressed
 * format.
 *
 * ssl        SSL/TLS object.
 * input      Extension data.
 * length     Length of the extension data.
 * isRequest  Non-zero when parsing a ClientHello.
 * returns 0 on success, BUFFER_ERROR on a malformed length, otherwise the
 * error from TLSX_UsePointFormat().
 */
static int TLSX_PointFormat_Parse(WOLFSSL* ssl, const byte* input,
                                  word16 length, byte isRequest)
{
    int ret;

    /* validating formats list length */
    if (ENUM_LEN > length || length != (word16)ENUM_LEN + input[0])
        return BUFFER_ERROR;

    if (!isRequest)
        return 0;

    /* adding uncompressed point format to response */
    ret = TLSX_UsePointFormat(&ssl->extensions, WOLFSSL_EC_PF_UNCOMPRESSED,
                              ssl->heap);
    if (ret != WOLFSSL_SUCCESS)
        return ret; /* throw error */

    TLSX_SetResponse(ssl, TLSX_EC_POINT_FORMATS);

    return 0;
}
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
/* Validate a candidate cipher suite against the client's supported groups and
 * pick the ECDH curve to use with it.
 *
 * Suites that do not involve ECDH(E) (or a missing supported groups
 * extension) impose no restriction and return 1 without writing ecdhCurveOID.
 * Otherwise the client's groups are walked in order: for each compiled-in
 * curve, candidate OIDs are tracked (defOid: first curve at or above
 * eccTempKeySz; currOid: first curve exactly at eccTempKeySz; nextOid:
 * smallest curve at or above eccTempKeySz) and `key` is set when the suite's
 * key exchange already matches the curve (ssl->ecdhCurveOID for ephemeral
 * suites, ssl->pkCurveOID for static ones). The walk stops at the first curve
 * that sets `key`.
 *
 * ssl           SSL/TLS object (read only).
 * first         First byte of the cipher suite.
 * second        Second byte of the cipher suite.
 * ecdhCurveOID  Receives the curve OID to use; written only when at least one
 *               supported curve was found in the extension.
 * returns 1 if the suite can be used, 0 otherwise.
 */
int TLSX_ValidateSupportedCurves(const WOLFSSL* ssl, byte first, byte second,
                                 word32* ecdhCurveOID) {
    TLSX*           extension = NULL;
    SupportedCurve* curve     = NULL;
    word32          oid       = 0;
    word32          defOid    = 0;
    word32          defSz     = 80; /* Maximum known curve size is 66. */
    word32          nextOid   = 0;
    word32          nextSz    = 80; /* Maximum known curve size is 66. */
    word32          currOid   = ssl->ecdhCurveOID;
    int             ephmSuite = 0;
    word16          octets    = 0; /* according to 'ecc_set_type ecc_sets[];' */
    int             key       = 0; /* validate key       */
    int             foundCurve = 0; /* Found at least one supported curve */

    /* Silences the unused warning in builds where no curve case is compiled. */
    (void)oid;

    /* Non-ECDHE ChaCha suites need no curve at all. */
    if (first == CHACHA_BYTE) {
        switch (second) {
            case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
            case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256:
            case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
            case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
                return 1; /* no suite restriction */
            case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
            case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
            case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
                break;
        }
    }
    if (first == ECC_BYTE || first == ECDHE_PSK_BYTE || first == CHACHA_BYTE)
        extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
    if (!extension)
        return 1; /* no suite restriction */

    /* Walk the client's groups until a curve matching the suite is found. */
    for (curve = (SupportedCurve*)extension->data;
         curve && !key;
         curve = curve->next) {

    #ifdef OPENSSL_EXTRA
        /* skip if name is not in supported ECC range
         * or disabled by user */
        if (wolfSSL_curve_is_disabled(ssl, curve->name))
            continue;
    #endif

        /* find supported curve */
        switch (curve->name) {
#ifdef HAVE_ECC
    #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
        #ifndef NO_ECC_SECP
            case WOLFSSL_ECC_SECP160R1:
                oid = ECC_SECP160R1_OID;
                octets = 20;
                break;
        #endif /* !NO_ECC_SECP */
        #ifdef HAVE_ECC_SECPR2
            case WOLFSSL_ECC_SECP160R2:
                oid = ECC_SECP160R2_OID;
                octets = 20;
                break;
        #endif /* HAVE_ECC_SECPR2 */
        #ifdef HAVE_ECC_KOBLITZ
            case WOLFSSL_ECC_SECP160K1:
                oid = ECC_SECP160K1_OID;
                octets = 20;
                break;
        #endif /* HAVE_ECC_KOBLITZ */
        #endif
    #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
        #ifndef NO_ECC_SECP
            case WOLFSSL_ECC_SECP192R1:
                oid = ECC_SECP192R1_OID;
                octets = 24;
                break;
        #endif /* !NO_ECC_SECP */
        #ifdef HAVE_ECC_KOBLITZ
            case WOLFSSL_ECC_SECP192K1:
                oid = ECC_SECP192K1_OID;
                octets = 24;
                break;
        #endif /* HAVE_ECC_KOBLITZ */
    #endif
    #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
        #ifndef NO_ECC_SECP
            case WOLFSSL_ECC_SECP224R1:
                oid = ECC_SECP224R1_OID;
                octets = 28;
                break;
        #endif /* !NO_ECC_SECP */
        #ifdef HAVE_ECC_KOBLITZ
            case WOLFSSL_ECC_SECP224K1:
                oid = ECC_SECP224K1_OID;
                octets = 28;
                break;
        #endif /* HAVE_ECC_KOBLITZ */
    #endif
    #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
        #ifndef NO_ECC_SECP
            case WOLFSSL_ECC_SECP256R1:
                oid = ECC_SECP256R1_OID;
                octets = 32;
                break;
        #endif /* !NO_ECC_SECP */
    #endif /* !NO_ECC256 || HAVE_ALL_CURVES */
#endif
        #if (defined(HAVE_CURVE25519) || defined(HAVE_ED25519)) && ECC_MIN_KEY_SZ <= 256
            case WOLFSSL_ECC_X25519:
                oid = ECC_X25519_OID;
                octets = 32;
                break;
        #endif /* HAVE_CURVE25519 */
#ifdef HAVE_ECC
    #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
        #ifdef HAVE_ECC_KOBLITZ
            case WOLFSSL_ECC_SECP256K1:
                oid = ECC_SECP256K1_OID;
                octets = 32;
                break;
        #endif /* HAVE_ECC_KOBLITZ */
        #ifdef HAVE_ECC_BRAINPOOL
            case WOLFSSL_ECC_BRAINPOOLP256R1:
                oid = ECC_BRAINPOOLP256R1_OID;
                octets = 32;
                break;
        #endif /* HAVE_ECC_BRAINPOOL */
        #ifdef WOLFSSL_SM2
            case WOLFSSL_ECC_SM2P256V1:
                oid = ECC_SM2P256V1_OID;
                octets = 32;
                break;
        #endif /* WOLFSSL_SM2 */
    #endif
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
        #ifndef NO_ECC_SECP
            case WOLFSSL_ECC_SECP384R1:
                oid = ECC_SECP384R1_OID;
                octets = 48;
                break;
        #endif /* !NO_ECC_SECP */
        #ifdef HAVE_ECC_BRAINPOOL
            case WOLFSSL_ECC_BRAINPOOLP384R1:
                oid = ECC_BRAINPOOLP384R1_OID;
                octets = 48;
                break;
        #endif /* HAVE_ECC_BRAINPOOL */
    #endif
#endif
        #if (defined(HAVE_CURVE448) || defined(HAVE_ED448)) && ECC_MIN_KEY_SZ <= 448
            case WOLFSSL_ECC_X448:
                oid = ECC_X448_OID;
                octets = 57;
                break;
        #endif /* HAVE_CURVE448 */
#ifdef HAVE_ECC
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
        #ifdef HAVE_ECC_BRAINPOOL
            case WOLFSSL_ECC_BRAINPOOLP512R1:
                oid = ECC_BRAINPOOLP512R1_OID;
                octets = 64;
                break;
        #endif /* HAVE_ECC_BRAINPOOL */
    #endif
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
        #ifndef NO_ECC_SECP
            case WOLFSSL_ECC_SECP521R1:
                oid = ECC_SECP521R1_OID;
                octets = 66;
                break;
        #endif /* !NO_ECC_SECP */
    #endif
#endif
            default: continue; /* unsupported curve */
        }

        foundCurve = 1;

    #ifdef HAVE_ECC
        /* Set default Oid */
        /* First curve in client order that meets the preferred key size. */
        if (defOid == 0 && ssl->eccTempKeySz <= octets && defSz > octets) {
            defOid = oid;
            defSz = octets;
        }

        /* The eccTempKeySz is the preferred ephemeral key size */
        if (currOid == 0 && ssl->eccTempKeySz == octets)
            currOid = oid;
        /* Smallest curve at or above the preferred size seen so far. */
        if ((nextOid == 0 || nextSz > octets) && ssl->eccTempKeySz <= octets) {
            nextOid = oid;
            nextSz  = octets;
        }
    #else
        /* Without ECC there is no preferred size: first / smallest curve. */
        if (defOid == 0 && defSz > octets) {
            defOid = oid;
            defSz = octets;
        }

        if (currOid == 0)
            currOid = oid;
        if (nextOid == 0 || nextSz > octets) {
            nextOid = oid;
            nextSz  = octets;
        }
    #endif

        if (first == ECC_BYTE) {
            switch (second) {
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
                /* ECDHE_ECDSA */
                case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
                case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
                case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
                case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
                case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
                case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
                case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
                case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
                case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
                case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
                    /* Ephemeral: the already chosen ECDH curve must match. */
                    key |= ssl->ecdhCurveOID == oid;
                    ephmSuite = 1;
                break;

    #ifdef WOLFSSL_STATIC_DH
                /* ECDH_ECDSA */
                case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
                case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
                case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
                case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
                case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
                case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
                case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
                case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
                    /* X25519/X448 are not allowed as the default curve here. */
                    if (oid == ECC_X25519_OID && defOid == oid) {
                        defOid = 0;
                        defSz = 80;
                    }
                    if (oid == ECC_X448_OID && defOid == oid) {
                        defOid = 0;
                        defSz = 80;
                    }
                    /* Static: the certificate's key curve must match. */
                    key |= ssl->pkCurveOID == oid;
                break;
    #endif /* WOLFSSL_STATIC_DH */
#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
#ifndef NO_RSA
                /* ECDHE_RSA */
                case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
                case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
                case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
                case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
                case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
                case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
                case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
                case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
                    key |= ssl->ecdhCurveOID == oid;
                    ephmSuite = 1;
                break;

    #if defined(HAVE_ECC) && defined(WOLFSSL_STATIC_DH)
                /* ECDH_RSA */
                case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
                case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
                case TLS_ECDH_RSA_WITH_RC4_128_SHA:
                case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
                case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
                case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
                case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
                case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
                    if (oid == ECC_X25519_OID && defOid == oid) {
                        defOid = 0;
                        defSz = 80;
                    }
                    if (oid == ECC_X448_OID && defOid == oid) {
                        defOid = 0;
                        defSz = 80;
                    }
                    key |= ssl->pkCurveOID == oid;
                break;
    #endif /* HAVE_ECC && WOLFSSL_STATIC_DH */
#endif
                default:
                    /* Other suites under this byte: no curve restriction,
                     * but X25519/X448 are still not used as the default. */
                    if (oid == ECC_X25519_OID && defOid == oid) {
                        defOid = 0;
                        defSz = 80;
                    }
                    if (oid == ECC_X448_OID && defOid == oid) {
                        defOid = 0;
                        defSz = 80;
                    }
                    key = 1;
                break;
            }
        }

        /* ChaCha20-Poly1305 ECC cipher suites */
        if (first == CHACHA_BYTE) {
            switch (second) {
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
                /* ECDHE_ECDSA */
                case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
                case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
                    key |= ssl->ecdhCurveOID == oid;
                    ephmSuite = 1;
                break;
#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
#ifndef NO_RSA
                /* ECDHE_RSA */
                case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
                case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
                    key |= ssl->ecdhCurveOID == oid;
                    ephmSuite = 1;
                break;
#endif
                default:
                    key = 1;
                break;
            }
        }
    }

    /* Check we found at least one supported curve */
    if (!foundCurve)
        return 0;

    /* Keep a curve that was already negotiated; otherwise select one below,
     * from the most to the least preferred candidate. */
    *ecdhCurveOID = ssl->ecdhCurveOID;
    /* Choose the default if it is at the required strength. */
#ifdef HAVE_ECC
    if (*ecdhCurveOID == 0 && defSz == ssl->eccTempKeySz)
#else
    if (*ecdhCurveOID == 0)
#endif
    {
        key = 1;
        *ecdhCurveOID = defOid;
    }
    /* Choose any curve at the required strength. */
    if (*ecdhCurveOID == 0) {
        key = 1;
        *ecdhCurveOID = currOid;
    }
    /* Choose the default if it is at the next highest strength. */
    if (*ecdhCurveOID == 0 && defSz == nextSz)
        *ecdhCurveOID = defOid;
    /* Choose any curve at the next highest strength. */
    if (*ecdhCurveOID == 0)
        *ecdhCurveOID = nextOid;
    /* No curve and ephemeral ECC suite requires a matching curve. */
    if (*ecdhCurveOID == 0 && ephmSuite)
        key = 0;

    return key;
}
#endif
#endif /* NO_WOLFSSL_SERVER */
/* Copy the supported groups extension from one extension list to another.
 *
 * Each group of the source list is re-added to dst with
 * TLSX_UseSupportedCurve(), so the destination extension is created on the
 * first group and appended to afterwards. Note that every failure, including
 * a rejected group name, is reported as MEMORY_E.
 *
 * src   Extension list to copy from.
 * dst   Extension list to copy into.
 * heap  Heap hint for allocations.
 * returns 0 on success (also when src has no supported groups extension),
 * MEMORY_E otherwise.
 */
int TLSX_SupportedCurve_Copy(TLSX* src, TLSX** dst, void* heap)
{
    TLSX* extension = TLSX_Find(src, TLSX_SUPPORTED_GROUPS);
    SupportedCurve* it;

    if (extension == NULL)
        return 0;

    for (it = (SupportedCurve*)extension->data; it != NULL; it = it->next) {
        /* Copying an already validated list - don't drop a group based on
         * the side, so accept when either side has the crypto support. */
        if (TLSX_UseSupportedCurve(dst, it->name, heap, WOLFSSL_NEITHER_END)
                != WOLFSSL_SUCCESS) {
            return MEMORY_E;
        }
    }

    return 0;
}
/* Add a named group to the supported groups extension, creating the extension
 * when it does not exist yet.
 *
 * The name is first checked with TLSX_IsGroupSupported() for the given side.
 * When the old ML-KEM hybrid identifiers are enabled, adding one of the
 * SECP*MLKEM* groups to an existing extension also appends its legacy
 * identifier.
 *
 * extensions  Extension list to add to.
 * name        Named group identifier.
 * heap        Heap hint for allocations.
 * side        Which side the group must be supported on.
 * returns WOLFSSL_SUCCESS on success, BAD_FUNC_ARG on a NULL list or an
 * unsupported group, otherwise the error from the list operations.
 */
int TLSX_UseSupportedCurve(TLSX** extensions, word16 name, void* heap, int side)
{
    TLSX* extension;
    SupportedCurve* head = NULL;
    SupportedCurve* list;
    int ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    if (!TLSX_IsGroupSupported(name, side))
        return BAD_FUNC_ARG;

    extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
    if (extension == NULL) {
        /* No extension yet: start a list with this group and push it. */
        ret = TLSX_SupportedCurve_New(&head, name, heap);
        if (ret != 0)
            return ret;

        ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, head, heap);
        if (ret != 0) {
            /* The node never became part of the extension list. */
            XFREE(head, heap, DYNAMIC_TYPE_TLSX);
            return ret;
        }

        return WOLFSSL_SUCCESS;
    }

    list = (SupportedCurve*)extension->data;
    ret = TLSX_SupportedCurve_Append(list, name, heap);
    if (ret != 0)
        return ret;
#if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \
                                         defined (WOLFSSL_EXTRA_PQC_HYBRIDS)
    {
        word16 oldId = 0;

        if (name == WOLFSSL_SECP256R1MLKEM512)
            oldId = WOLFSSL_P256_ML_KEM_512_OLD;
        else if (name == WOLFSSL_SECP384R1MLKEM768)
            oldId = WOLFSSL_P384_ML_KEM_768_OLD;
        else if (name == WOLFSSL_SECP521R1MLKEM1024)
            oldId = WOLFSSL_P521_ML_KEM_1024_OLD;

        /* Also advertise the legacy identifier of the hybrid group. */
        if (oldId != 0) {
            ret = TLSX_SupportedCurve_Append(list, oldId, heap);
            if (ret != 0)
                return ret;
        }
    }
#endif /* WOLFSSL_ML_KEM_USE_OLD_IDS && WOLFSSL_EXTRA_PQC_HYBRIDS */

    return WOLFSSL_SUCCESS;
}
/* Add an EC point format to the ec_point_formats extension in the list.
 *
 * extensions  Address of the extension list to update (must not be NULL).
 * format      Point format identifier to add.
 * heap        Heap hint passed to the allocator.
 * return WOLFSSL_SUCCESS when the format was recorded, BAD_FUNC_ARG when
 *        extensions is NULL, otherwise the error from TLSX_PointFormat_New,
 *        TLSX_PointFormat_Append or TLSX_Push.
 */
int TLSX_UsePointFormat(TLSX** extensions, byte format, void* heap)
{
    TLSX*        extension;
    PointFormat* point = NULL;
    int          ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    extension = TLSX_Find(*extensions, TLSX_EC_POINT_FORMATS);
    if (extension != NULL) {
        /* Extension already present: append the format to its list. */
        ret = TLSX_PointFormat_Append((PointFormat*)extension->data, format,
                                      heap);
        return (ret != 0) ? ret : WOLFSSL_SUCCESS;
    }

    /* No extension yet: build a single-entry list and push it. */
    ret = TLSX_PointFormat_New(&point, format, heap);
    if (ret != 0)
        return ret;

    ret = TLSX_Push(extensions, TLSX_EC_POINT_FORMATS, point, heap);
    if (ret != 0) {
        /* The list did not take ownership, so release the node here. */
        XFREE(point, heap, DYNAMIC_TYPE_TLSX);
        return ret;
    }

    return WOLFSSL_SUCCESS;
}
6126
6127
0
#define EC_FREE_ALL         TLSX_SupportedCurve_FreeAll
6128
0
#define EC_VALIDATE_REQUEST TLSX_SupportedCurve_ValidateRequest
6129
6130
/* In TLS 1.2 the server never sends supported curve extension, but in TLS 1.3
6131
 * the server can send supported groups extension to indicate what it will
6132
 * support for later connections. */
6133
#if !defined(NO_WOLFSSL_CLIENT) || defined(WOLFSSL_TLS13)
6134
0
#define EC_GET_SIZE TLSX_SupportedCurve_GetSize
6135
0
#define EC_WRITE    TLSX_SupportedCurve_Write
6136
#else
6137
#define EC_GET_SIZE(list)         0
6138
#define EC_WRITE(a, b)            0
6139
#endif
6140
6141
#if !defined(NO_WOLFSSL_SERVER) || (defined(WOLFSSL_TLS13) && \
6142
                                         !defined(WOLFSSL_NO_SERVER_GROUPS_EXT))
6143
0
#define EC_PARSE TLSX_SupportedCurve_Parse
6144
#else
6145
#define EC_PARSE(a, b, c, d, e)   0
6146
#endif
6147
6148
0
#define PF_FREE_ALL          TLSX_PointFormat_FreeAll
6149
0
#define PF_VALIDATE_REQUEST  TLSX_PointFormat_ValidateRequest
6150
0
#define PF_VALIDATE_RESPONSE TLSX_PointFormat_ValidateResponse
6151
6152
0
#define PF_GET_SIZE TLSX_PointFormat_GetSize
6153
0
#define PF_WRITE    TLSX_PointFormat_Write
6154
6155
#ifndef NO_WOLFSSL_SERVER
6156
0
#define PF_PARSE TLSX_PointFormat_Parse
6157
#else
6158
#define PF_PARSE(a, b, c, d)      0
6159
#endif
6160
6161
#else
6162
6163
#define EC_FREE_ALL(list, heap) WC_DO_NOTHING
6164
#define EC_GET_SIZE(list)         0
6165
#define EC_WRITE(a, b)            0
6166
#define EC_PARSE(a, b, c, d, e)   0
6167
#define EC_VALIDATE_REQUEST(a, b) WC_DO_NOTHING
6168
6169
#define PF_FREE_ALL(list, heap)   WC_DO_NOTHING
6170
#define PF_GET_SIZE(list)         0
6171
#define PF_WRITE(a, b)            0
6172
#define PF_PARSE(a, b, c, d)      0
6173
#define PF_VALIDATE_REQUEST(a, b) WC_DO_NOTHING
6174
#define PF_VALIDATE_RESPONSE(a, b) WC_DO_NOTHING
6175
6176
#endif /* HAVE_SUPPORTED_CURVES */
6177
6178
/******************************************************************************/
6179
/* Renegotiation Indication                                                   */
6180
/******************************************************************************/
6181
6182
#if defined(HAVE_SECURE_RENEGOTIATION) \
6183
 || defined(HAVE_SERVER_RENEGOTIATION_INFO)
6184
6185
/* Size of the renegotiation_info extension body (RFC 5746).
 *
 * data       Secure-renegotiation state; NULL when only
 *            HAVE_SERVER_RENEGOTIATION_INFO is built in.
 * isRequest  Non-zero when sizing the client's request.
 * return OPAQUE8_LEN for an empty renegotiated_connection field, plus
 *        TLS_FINISHED_SZ (request) or 2 * TLS_FINISHED_SZ (response) once
 *        renegotiation is enabled and verify data has been captured.
 */
static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data,
                                                                  int isRequest)
{
    /* The one-byte length field is always present. */
    byte length = OPAQUE8_LEN;

    if (data == NULL || !data->enabled || !data->verifySet)
        return length;

    /* Client carries client_verify_data only; the server's response also
     * carries server_verify_data. */
    length += (byte)(isRequest ? TLS_FINISHED_SZ : 2 * TLS_FINISHED_SZ);

    return length;
}
6202
6203
/* Write the renegotiation_info extension body (RFC 5746).
 *
 * data       Secure-renegotiation state, or NULL.
 * output     Destination buffer; must hold TLSX_SecureRenegotiation_GetSize()
 *            bytes for the same arguments.
 * isRequest  Non-zero when writing the client's request.
 * return number of bytes written, including the leading length byte.
 */
static word16 TLSX_SecureRenegotiation_Write(SecureRenegotiation* data,
                                                    byte* output, int isRequest)
{
    /* Reserve the length byte; it is filled in once the body is known. */
    word16 offset = OPAQUE8_LEN;

    if (data != NULL && data->enabled && data->verifySet) {
        XMEMCPY(output + offset, data->client_verify_data, TLS_FINISHED_SZ);
        offset += TLS_FINISHED_SZ;

        /* Only the server's response appends server_verify_data. */
        if (!isRequest) {
            XMEMCPY(output + offset, data->server_verify_data, TLS_FINISHED_SZ);
            offset += TLS_FINISHED_SZ;
        }
    }

    /* renegotiated_connection length excludes the length byte itself. */
    output[0] = (byte)(offset - 1);

    return offset;
}
6223
6224
/* Parse the renegotiation_info extension (RFC 5746).
 *
 * ssl        SSL object.
 * input      Extension body: one length byte followed by
 *            renegotiated_connection.
 * length     Number of bytes at input.
 * isRequest  Non-zero when parsing a ClientHello, zero for a ServerHello.
 * return 0 when the field was accepted, BUFFER_E when a client's verify data
 *        is truncated, SECURE_RENEGOTIATION_E on any other mismatch, or the
 *        error from wolfSSL_UseSecureRenegotiation. Every non-zero return
 *        also sends a fatal handshake_failure alert.
 */
static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, const byte* input,
                                          word16 length, byte isRequest)
{
    /* Fail closed: only the explicit success paths below clear this. */
    int ret = WC_NO_ERR_TRACE(SECURE_RENEGOTIATION_E);

    if (length >= OPAQUE8_LEN) {
        if (isRequest) {
        #ifndef NO_WOLFSSL_SERVER
            /* A client offering the extension turns SCR on for this server
             * session if it was not already set up. */
            if (ssl->secure_renegotiation == NULL) {
                ret = wolfSSL_UseSecureRenegotiation(ssl);
                if (ret == WOLFSSL_SUCCESS)
                    ret = 0;
            }
            if (ret != 0 && ret != WC_NO_ERR_TRACE(SECURE_RENEGOTIATION_E)) {
                /* wolfSSL_UseSecureRenegotiation failed: keep its error. */
            }
            else if (ssl->secure_renegotiation == NULL) {
                /* No SCR state available: ret stays at the default error. */
            }
            else if (!ssl->secure_renegotiation->enabled) {
                /* Initial handshake: renegotiated_connection must be empty.
                 * NOTE(review): only the length byte is inspected here, so
                 * trailing bytes after a zero length are not rejected. */
                if (*input == 0) {
                    input++; /* get past size */

                    ssl->secure_renegotiation->enabled = 1;
                    TLSX_SetResponse(ssl, TLSX_RENEGOTIATION_INFO);
                    ret = 0;
                }
                else {
                    /* already in error state */
                    WOLFSSL_MSG("SCR client verify data present");
                }
            }
            else if (*input == TLS_FINISHED_SZ) {
                /* Renegotiation: the client must echo the stored
                 * client_verify_data. */
                if (length < TLS_FINISHED_SZ + 1) {
                    WOLFSSL_MSG("SCR malformed buffer");
                    ret = BUFFER_E;
                }
                else {
                    input++; /* get past size */

                    /* validate client verify data; ConstantCompare keeps the
                     * check's timing independent of where a mismatch occurs */
                    if (ConstantCompare(input,
                            ssl->secure_renegotiation->client_verify_data,
                            TLS_FINISHED_SZ) == 0) {
                        WOLFSSL_MSG("SCR client verify data match");
                        TLSX_SetResponse(ssl, TLSX_RENEGOTIATION_INFO);
                        ret = 0;  /* verified */
                    }
                    else {
                        /* already in error state */
                        WOLFSSL_MSG("SCR client verify data Failure");
                    }
                }
            }
            /* Any other length byte leaves ret at SECURE_RENEGOTIATION_E. */
        #endif
        }
        else if (ssl->secure_renegotiation != NULL) {
        #ifndef NO_WOLFSSL_CLIENT
            if (!ssl->secure_renegotiation->enabled) {
                /* Initial handshake: server must answer with an empty field. */
                if (*input == 0) {
                    ssl->secure_renegotiation->enabled = 1;
                    ret = 0;
                }
            }
            else if (*input == 2 * TLS_FINISHED_SZ &&
                     length == 2 * TLS_FINISHED_SZ + OPAQUE8_LEN) {
                /* Renegotiation: exact length required, then both verify
                 * data values are compared before branching so both
                 * comparisons always run. */
                int cmpRes = 0;
                input++;  /* get past size */
                cmpRes |= ConstantCompare(input,
                        ssl->secure_renegotiation->client_verify_data,
                        TLS_FINISHED_SZ);
                cmpRes |= ConstantCompare(input + TLS_FINISHED_SZ,
                        ssl->secure_renegotiation->server_verify_data,
                        TLS_FINISHED_SZ);
                /* validate client and server verify data */
                if (cmpRes == 0) {
                    WOLFSSL_MSG("SCR client and server verify data match");
                    ret = 0;  /* verified */
                }
                else {
                    /* already in error state */
                    WOLFSSL_MSG("SCR client and server verify data Failure");
                }
            }
        #endif
        }
        else {
            /* Server answered with renegotiation_info we never set up. */
            ret = SECURE_RENEGOTIATION_E;
        }
    }
    else {
        /* Body shorter than the mandatory length byte. */
        ret = SECURE_RENEGOTIATION_E;
    }

    /* Any failure is fatal to the handshake. */
    if (ret != 0) {
        WOLFSSL_ERROR_VERBOSE(ret);
        SendAlert(ssl, alert_fatal, handshake_failure);
    }

    return ret;
}
6323
6324
/* Add a zeroed renegotiation_info extension to the list.
 *
 * extensions  Address of the extension list; handed straight to TLSX_Push.
 * heap        Heap hint passed to the allocator.
 * return WOLFSSL_SUCCESS, MEMORY_E when the state cannot be allocated, or the
 *        error from TLSX_Push (the state is freed in that case).
 */
int TLSX_UseSecureRenegotiation(TLSX** extensions, void* heap)
{
    SecureRenegotiation* data;
    int                  ret;

    data = (SecureRenegotiation*)XMALLOC(sizeof(SecureRenegotiation), heap,
                                         DYNAMIC_TYPE_TLSX);
    if (data == NULL)
        return MEMORY_E;

    /* Start disabled with no verify data captured. */
    XMEMSET(data, 0, sizeof(SecureRenegotiation));

    ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data, heap);
    if (ret == 0)
        return WOLFSSL_SUCCESS;

    /* The list did not take ownership. */
    XFREE(data, heap, DYNAMIC_TYPE_TLSX);
    return ret;
}
6344
6345
#ifdef HAVE_SERVER_RENEGOTIATION_INFO
6346
6347
/* Ensure an empty renegotiation_info extension is present and flagged as a
 * response.
 *
 * extensions  Address of the extension list.
 * heap        Heap hint used if the extension has to be created.
 * return WOLFSSL_SUCCESS, or the error from TLSX_UseSecureRenegotiation.
 */
int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap)
{
    TLSX* ext = TLSX_Find(*extensions, TLSX_RENEGOTIATION_INFO);

    if (ext == NULL) {
        /* Not present yet: add the zeroed state, which serialises as an
         * empty renegotiated_connection field. */
        int ret = TLSX_UseSecureRenegotiation(extensions, heap);
        if (ret != WOLFSSL_SUCCESS)
            return ret;

        ext = TLSX_Find(*extensions, TLSX_RENEGOTIATION_INFO);
    }

    /* Defensive: a successful push means the lookup above should succeed. */
    if (ext != NULL)
        ext->resp = 1;

    return WOLFSSL_SUCCESS;
}
6365
6366
#endif /* HAVE_SERVER_RENEGOTIATION_INFO */
6367
6368
6369
0
#define SCR_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX)
6370
0
#define SCR_GET_SIZE       TLSX_SecureRenegotiation_GetSize
6371
0
#define SCR_WRITE          TLSX_SecureRenegotiation_Write
6372
0
#define SCR_PARSE          TLSX_SecureRenegotiation_Parse
6373
6374
#else
6375
6376
#define SCR_FREE_ALL(a, heap) WC_DO_NOTHING
6377
#define SCR_GET_SIZE(a, b)    0
6378
#define SCR_WRITE(a, b, c)    0
6379
#define SCR_PARSE(a, b, c, d) 0
6380
6381
#endif /* HAVE_SECURE_RENEGOTIATION || HAVE_SERVER_RENEGOTIATION_INFO */
6382
6383
/******************************************************************************/
6384
/* Session Tickets                                                            */
6385
/******************************************************************************/
6386
6387
#ifdef HAVE_SESSION_TICKET
6388
6389
/* Size of the session_ticket extension body.
 *
 * ticket     Ticket held for this connection, or NULL.
 * isRequest  Unused; the size is the same for both directions.
 * return ticket->size when a ticket is held, otherwise 0.
 */
static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest)
{
    word16 size = 0;

    (void)isRequest;

    if (ticket != NULL)
        size = ticket->size;

    return size;
}
6394
6395
/* Write the session_ticket extension body.
 *
 * ticket     Ticket to offer, or NULL for an empty extension.
 * output     Destination buffer.
 * isRequest  Non-zero when writing the ClientHello.
 * return the number of bytes written: ticket->size on the request side when
 *        a ticket is held, otherwise 0 (the response body is always empty).
 *
 * NOTE(review): TLSX_SessionTicket_GetSize ignores isRequest, so the two
 * functions agree only when the response side carries a NULL ticket.
 */
static word16 TLSX_SessionTicket_Write(SessionTicket* ticket, byte* output,
                                       int isRequest)
{
    word16 written = 0;

    if (isRequest && ticket != NULL) {
        XMEMCPY(output, ticket->data, ticket->size);
        written = ticket->size;
    }

    return written;
}
6407
6408
6409
/* Parse the session_ticket extension (RFC 5077).
 *
 * ssl        SSL object.
 * input      Ticket bytes (only read on the server side).
 * length     Number of bytes at input.
 * isRequest  Non-zero when parsing a ClientHello, zero for a ServerHello.
 * return 0 when the ticket is accepted, ignored or rejected non-fatally;
 *        BUFFER_ERROR when a ServerHello carries a non-empty body;
 *        BAD_TICKET_MSG_SZ when a client ticket exceeds SESSION_TICKET_LEN;
 *        otherwise the error from TLSX_HandleUnsupportedExtension,
 *        TLSX_UseSessionTicket or DoClientTicket is passed through.
 */
static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, const byte* input,
                                    word16 length, byte isRequest)
{
    int ret = 0;

    (void) input; /* avoid unused parameter if NO_WOLFSSL_SERVER defined */

    if (!isRequest) {
        /* Client side: the server may only echo the extension if we sent
         * it, and its body must be empty. */
        if (TLSX_CheckUnsupportedExtension(ssl, TLSX_SESSION_TICKET))
            return TLSX_HandleUnsupportedExtension(ssl);

        if (length != 0)
            return BUFFER_ERROR;

#ifndef NO_WOLFSSL_CLIENT
        /* The actual ticket arrives later in a NewSessionTicket message. */
        ssl->expect_session_ticket = 1;
#endif
    }
#ifndef NO_WOLFSSL_SERVER
    else {
        /* server side */
        /* Without an encryption callback no ticket can be decrypted or
         * issued, so the extension is ignored (not an error). */
        if (ssl->ctx->ticketEncCb == NULL) {
            WOLFSSL_MSG("Client sent session ticket, server has no callback");
            return 0;
        }

#ifdef HAVE_SECURE_RENEGOTIATION
        if (IsSCR(ssl)) {
            WOLFSSL_MSG("Client sent session ticket during SCR. Ignoring.");
            return 0;
        }
#endif

        /* Bound the attacker-controlled ticket length before any decryption
         * is attempted. */
        if (length > SESSION_TICKET_LEN) {
            ret = BAD_TICKET_MSG_SZ;
            WOLFSSL_ERROR_VERBOSE(ret);
        } else if (IsAtLeastTLSv1_3(ssl->version)) {
            /* TLS 1.3 carries tickets in pre_shared_key, not here. */
            WOLFSSL_MSG("Process client ticket rejected, TLS 1.3 no support");
            ssl->options.rejectTicket = 1;
            ret = 0;  /* not fatal */
        } else if (ssl->options.noTicketTls12) {
            /* ignore ticket request */
        } else if (length == 0) {
            /* blank ticket */
            /* Client has no ticket and asks for one: queue an empty reply and
             * arrange for a NewSessionTicket without resuming. */
            ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
            if (ret == WOLFSSL_SUCCESS) {
                ret = 0;
                /* send blank ticket */
                TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
                ssl->options.createTicket = 1;  /* will send ticket msg */
                ssl->options.useTicket    = 1;
                ssl->options.resuming     = 0;  /* no standard resumption */
                ssl->arrays->sessionIDSz  = 0;  /* no echo on blank ticket */
            }
        } else {
            /* got actual ticket from client */
            /* DoClientTicket authenticates and decrypts the ticket; its
             * result selects one of the outcomes below. */
            ret = DoClientTicket(ssl, input, length);
            if (ret == WOLFSSL_TICKET_RET_OK) {    /* use ticket to resume */
                WOLFSSL_MSG("Using existing client ticket");
                ssl->options.useTicket    = 1;
                ssl->options.resuming     = 1;
                /* SERVER: ticket is peer auth. */
                ssl->options.peerAuthGood = 1;
            } else if (ret == WOLFSSL_TICKET_RET_CREATE) {
                /* Valid ticket, but a fresh one is to be issued as well. */
                WOLFSSL_MSG("Using existing client ticket, creating new one");
                ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
                if (ret == WOLFSSL_SUCCESS) {
                    ret = 0;
                    TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
                                                    /* send blank ticket */
                    ssl->options.createTicket = 1;  /* will send ticket msg */
                    ssl->options.useTicket    = 1;
                    ssl->options.resuming     = 1;
                    /* SERVER: ticket is peer auth. */
                    ssl->options.peerAuthGood = 1;
                }
            } else if (ret == WOLFSSL_TICKET_RET_REJECT ||
                    ret == WC_NO_ERR_TRACE(VERSION_ERROR)) {
                /* Unusable ticket: fall back to a full handshake and, when
                 * tickets are enabled locally, offer a new one. */
                WOLFSSL_MSG("Process client ticket rejected, not using");
                if (ret == WC_NO_ERR_TRACE(VERSION_ERROR))
                    WOLFSSL_MSG("\tbad TLS version");
                ret = 0;  /* not fatal */

                ssl->options.rejectTicket = 1;
                /* If we have session tickets enabled then send a new ticket */
                if (!TLSX_CheckUnsupportedExtension(ssl, TLSX_SESSION_TICKET)) {
                    ret = TLSX_UseSessionTicket(&ssl->extensions, NULL,
                                                ssl->heap);
                    if (ret == WOLFSSL_SUCCESS) {
                        ret = 0;
                        TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
                        ssl->options.createTicket = 1;
                        ssl->options.useTicket    = 1;
                    }
                }
            } else if (ret == WOLFSSL_TICKET_RET_FATAL) {
                /* ret is returned unchanged: the handshake fails. */
                WOLFSSL_MSG("Process client ticket fatal error, not using");
            } else if (ret < 0) {
                /* Any other negative code is likewise passed through. */
                WOLFSSL_MSG("Process client ticket unknown error, not using");
            }
        }
    }
#endif /* NO_WOLFSSL_SERVER */

#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
    (void)ssl;
#endif

    return ret;
}
6519
6520
/* Allocate a SessionTicket holding a private copy of the ticket bytes.
 *
 * lifetime  Ticket lifetime hint to record.
 * data      Ticket bytes to copy (size bytes are read).
 * size      Number of ticket bytes.
 * heap      Heap hint passed to the allocator.
 * return the new ticket, or NULL when either allocation fails. The caller
 *        owns the result and releases it with TLSX_SessionTicket_Free.
 *
 * NOTE(review): size == 0 requests a zero-length allocation for data; what
 * XMALLOC returns for that is not visible here — confirm if empty tickets
 * can reach this function.
 */
WOLFSSL_TEST_VIS SessionTicket* TLSX_SessionTicket_Create(word32 lifetime,
                                            byte* data, word16 size, void* heap)
{
    SessionTicket* ticket;

    ticket = (SessionTicket*)XMALLOC(sizeof(SessionTicket), heap,
                                     DYNAMIC_TYPE_TLSX);
    if (ticket == NULL)
        return NULL;

    ticket->data = (byte*)XMALLOC(size, heap, DYNAMIC_TYPE_TLSX);
    if (ticket->data == NULL) {
        /* Undo the first allocation so nothing leaks on failure. */
        XFREE(ticket, heap, DYNAMIC_TYPE_TLSX);
        return NULL;
    }

    XMEMCPY(ticket->data, data, size);
    ticket->size     = size;
    ticket->lifetime = lifetime;

    (void)heap;

    return ticket;
}
6541
/* Release a SessionTicket created by TLSX_SessionTicket_Create.
 *
 * ticket  Ticket to free; NULL is accepted and ignored.
 * heap    Heap hint matching the one used at creation.
 */
WOLFSSL_TEST_VIS void TLSX_SessionTicket_Free(SessionTicket* ticket, void* heap)
{
    (void)heap;

    if (ticket == NULL)
        return;

    /* Ticket bytes first, then the container that owns them. */
    XFREE(ticket->data, heap, DYNAMIC_TYPE_TLSX);
    XFREE(ticket,       heap, DYNAMIC_TYPE_TLSX);
}
6550
6551
/* Add the session_ticket extension to the list.
 *
 * extensions  Address of the extension list (must not be NULL).
 * ticket      Ticket to offer, or NULL to request a new one.
 * heap        Heap hint passed to TLSX_Push.
 * return WOLFSSL_SUCCESS, BAD_FUNC_ARG when extensions is NULL, otherwise
 *        the error from TLSX_Push.
 */
int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap)
{
    int ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    /* A NULL ticket means the client asks the server for a new ticket;
     * otherwise the client offers this ticket in its next ClientHello. */
    ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket, heap);

    return (ret != 0) ? ret : WOLFSSL_SUCCESS;
}
6566
6567
#define WOLF_STK_GET_SIZE         TLSX_SessionTicket_GetSize
6568
#define WOLF_STK_WRITE            TLSX_SessionTicket_Write
6569
#define WOLF_STK_PARSE            TLSX_SessionTicket_Parse
6570
#define WOLF_STK_FREE(stk, heap)  TLSX_SessionTicket_Free((SessionTicket*)(stk),(heap))
6571
6572
#else
6573
6574
0
#define WOLF_STK_FREE(a, b) WC_DO_NOTHING
6575
#define WOLF_STK_VALIDATE_REQUEST(a) WC_DO_NOTHING
6576
0
#define WOLF_STK_GET_SIZE(a, b)      0
6577
0
#define WOLF_STK_WRITE(a, b, c)      0
6578
0
#define WOLF_STK_PARSE(a, b, c, d)   0
6579
6580
#endif /* HAVE_SESSION_TICKET */
6581
6582
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
6583
/******************************************************************************/
6584
/* Encrypt-then-MAC                                                           */
6585
/******************************************************************************/
6586
6587
#ifndef WOLFSSL_NO_TLS12
6588
static int TLSX_EncryptThenMac_Use(WOLFSSL* ssl);
6589
6590
/**
 * Get the size of the Encrypt-Then-MAC extension body.
 *
 * The extension never carries data, so only the message type is checked.
 *
 * msgType  Type of message the extension is being written into.
 * pSz      Size of extension data; not modified because the body is empty.
 * return SANITY_MSG_E when the message may not carry this extension and
 *        0 otherwise.
 */
static int TLSX_EncryptThenMac_GetSize(byte msgType, word16* pSz)
{
    int allowed = (msgType == client_hello) || (msgType == server_hello);

    (void)pSz;

    if (!allowed) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    return 0;
}
6611
6612
/**
 * Write the Encrypt-Then-MAC extension body.
 *
 * The extension never carries data, so nothing is written; only the message
 * type is validated.
 *
 * data     Unused.
 * output   Extension data buffer. Unused.
 * msgType  Type of message the extension is being written into.
 * pSz      Size of extension data. Unused.
 * return SANITY_MSG_E when the message may not carry this extension and
 *        0 otherwise.
 */
static int TLSX_EncryptThenMac_Write(void* data, byte* output, byte msgType,
                                     word16* pSz)
{
    int allowed = (msgType == client_hello) || (msgType == server_hello);

    (void)data;
    (void)output;
    (void)pSz;

    if (!allowed) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    return 0;
}
6638
6639
/**
 * Parse the Encrypt-Then-MAC extension.
 *
 * ssl      SSL object
 * input    Extension data buffer. Unused (the body must be empty).
 * length   Length of this extension's data.
 * msgType  Type of message the extension appeared in.
 * return SANITY_MSG_E when the message may not carry this extension, or when
 *        a server selects Encrypt-Then-MAC although it is disallowed locally,
 *        BUFFER_ERROR when the extension's data is not empty,
 *        the error from TLSX_EncryptThenMac_Use when the reply cannot be
 *        queued, and 0 otherwise.
 */
static int TLSX_EncryptThenMac_Parse(WOLFSSL* ssl, const byte* input,
                                     word16 length, byte msgType)
{
    (void)input;

    if (msgType != client_hello && msgType != server_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* Empty extension */
    if (length != 0)
        return BUFFER_ERROR;

    if (msgType == server_hello) {
        /* The server may only select what the user allowed us to offer. */
        if (ssl->options.disallowEncThenMac) {
            WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
            return SANITY_MSG_E;
        }
        ssl->options.encThenMac = 1;
        return 0;
    }

    /* Client Hello: silently ignore when the user disallowed EtM. */
    if (ssl->options.disallowEncThenMac)
        return 0;

    ssl->options.encThenMac = 1;
    /* Set the extension reply. */
    return TLSX_EncryptThenMac_Use(ssl);
}
6689
6690
/**
 * Add the Encrypt-Then-MAC extension to the list if not already present.
 *
 * ssl      SSL object
 * return 0 when present or added, otherwise the error from TLSX_Push.
 */
static int TLSX_EncryptThenMac_Use(WOLFSSL* ssl)
{
    /* Already in the list: nothing to do. */
    if (TLSX_Find(ssl->extensions, TLSX_ENCRYPT_THEN_MAC) != NULL)
        return 0;

    /* The extension has no payload, so no data is attached. */
    return TLSX_Push(&ssl->extensions, TLSX_ENCRYPT_THEN_MAC, NULL,
                     ssl->heap);
}
6713
6714
/**
 * Mark the Encrypt-Then-MAC extension as one to respond with.
 *
 * ssl      SSL object
 * return EXT_MISSING when the extension is not in the list, 0 otherwise.
 */
int TLSX_EncryptThenMac_Respond(WOLFSSL* ssl)
{
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_ENCRYPT_THEN_MAC);

    if (extension == NULL)
        return EXT_MISSING;

    extension->resp = 1;

    return 0;
}
6731
6732
0
#define ETM_GET_SIZE  TLSX_EncryptThenMac_GetSize
6733
0
#define ETM_WRITE     TLSX_EncryptThenMac_Write
6734
0
#define ETM_PARSE     TLSX_EncryptThenMac_Parse
6735
6736
#else
6737
6738
#define ETM_GET_SIZE(a, b)    0
6739
#define ETM_WRITE(a, b, c, d) 0
6740
#define ETM_PARSE(a, b, c, d) 0
6741
6742
#endif /* !WOLFSSL_NO_TLS12 */
6743
6744
#endif /* HAVE_ENCRYPT_THEN_MAC && !WOLFSSL_AEAD_ONLY */
6745
6746
6747
#ifdef WOLFSSL_SRTP
6748
6749
/******************************************************************************/
6750
/* DTLS SRTP (Secure Real-time Transport Protocol)                            */
6751
/******************************************************************************/
6752
6753
/* Only support single SRTP profile */
6754
typedef struct TlsxSrtp {
    word16 profileCount; /* number of bits set in ids (see TLSX_UseSRTP_New) */
    word16 ids; /* selected bits: bit n set means SRTP profile id n */
} TlsxSrtp;
6758
6759
#ifndef NO_WOLFSSL_SERVER
6760
/* Size of the use_srtp extension body for the given profile set.
 *
 * srtp  Profile set to be written.
 * return the 2-byte profiles length, one 2-byte id per profile, plus the
 *        1-byte srtp_mki length.
 */
static int TLSX_UseSRTP_GetSize(TlsxSrtp *srtp)
{
    int profilesSz = srtp->profileCount * OPAQUE16_LEN;

    /* length field + profile ids + MKI length byte */
    return OPAQUE16_LEN + profilesSz + 1;
}
6767
#endif
6768
6769
/* Allocate a TlsxSrtp for a set of SRTP profile ids.
 *
 * ids   Bitmask of profile ids (bit n selects profile n, n in 0..15).
 * heap  Heap hint passed to the allocator.
 * return the new object with profileCount equal to the number of set bits,
 *        or NULL when allocation fails.
 */
static TlsxSrtp* TLSX_UseSRTP_New(word16 ids, void* heap)
{
    TlsxSrtp* srtp;
    word16    remaining = ids;

    srtp = (TlsxSrtp*)XMALLOC(sizeof(TlsxSrtp), heap, DYNAMIC_TYPE_TLSX);
    if (srtp == NULL) {
        WOLFSSL_MSG("TLSX SRTP Memory failure");
        return NULL;
    }

    /* Population count of the 16-bit mask: one profile per set bit. */
    srtp->profileCount = 0;
    while (remaining != 0) {
        srtp->profileCount += (word16)(remaining & 1);
        remaining >>= 1;
    }
    srtp->ids = ids;

    return srtp;
}
6791
6792
/* Release a TlsxSrtp created by TLSX_UseSRTP_New.
 *
 * srtp  Object to free. TLSX_UseSRTP_Parse passes NULL on some error paths,
 *       so this relies on XFREE accepting NULL.
 * heap  Heap hint matching the one used at allocation.
 */
static void TLSX_UseSRTP_Free(TlsxSrtp *srtp, void* heap)
{
    (void)heap;
    XFREE(srtp, heap, DYNAMIC_TYPE_TLSX);
}
6797
6798
#ifndef NO_WOLFSSL_SERVER
6799
/* Parse the use_srtp extension (DTLS-SRTP, RFC 5764).
 *
 * ssl        SSL object; ssl->dtlsSrtpId receives the negotiated profile.
 * input      Extension body: 2-byte profiles length, profile ids, srtp_mki.
 * length     Number of bytes at input.
 * isRequest  Non-zero when parsing a ClientHello (server side).
 * return 0 when a profile was selected or none matched (not fatal),
 *        BUFFER_ERROR on a malformed body, MEMORY_E when the response
 *        cannot be allocated, the error from TLSX_Push, or BAD_FUNC_ARG
 *        when the server's single choice is not one we offered.
 */
static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
    byte isRequest)
{
    /* Client side fails closed unless the server's choice is accepted. */
    int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
    word16 profile_len = 0;
    word16 profile_value = 0;
    word16 offset = 0;
    int i;
    TlsxSrtp* srtp = NULL;

    if (length < OPAQUE16_LEN) {
        return BUFFER_ERROR;
    }

    /* reset selected DTLS SRTP profile ID */
    ssl->dtlsSrtpId = 0;

    /* total length, not include itself */
    ato16(input, &profile_len);
    offset += OPAQUE16_LEN;
    /* Check profile length is not bigger than remaining length. */
    if (profile_len > length - offset) {
        return BUFFER_ERROR;
    }
    /* Protection profiles are 2 bytes long - ensure not an odd no. bytes. */
    if ((profile_len & 1) == 1) {
        return BUFFER_ERROR;
    }
    /* Ignoring srtp_mki field - SRTP Master Key Identifier.
     * Defined to be 0..255 bytes long.
     * NOTE(review): the remainder measured here also includes the 1-byte
     * srtp_mki length prefix, and a remainder of 0 (missing prefix) is
     * accepted — confirm the intended bound.
     */
    if ((length - profile_len - offset) > 255) {
        return BUFFER_ERROR;
    }

    if (!isRequest) {
#ifndef NO_WOLFSSL_CLIENT
        /* Only one SRTP Protection Profile can be chosen. */
        if (profile_len != OPAQUE16_LEN) {
            return BUFFER_ERROR;
        }

        ato16(input + offset, &profile_value);

        /* check that the profile received was in the ones we support;
         * the < 16 test keeps the shift within the 16-bit mask */
        if (profile_value < 16 &&
                               (ssl->dtlsSrtpProfiles & (1 << profile_value))) {
            ssl->dtlsSrtpId = profile_value;
            ret = 0; /* success */
        }
#endif
    }
    else {
        /* parse remainder one profile at a time, looking for match in CTX;
         * the list is walked in the client's order, so the client's most
         * preferred supported profile wins */
        ret = 0;
        for (i = 0; i < profile_len; i += OPAQUE16_LEN) {
            ato16(input + offset + i, &profile_value);
            /* find first match */
            if (profile_value < 16 &&
                                 ssl->dtlsSrtpProfiles & (1 << profile_value)) {
                ssl->dtlsSrtpId = profile_value;

                /* make sure we respond with selected SRTP id selected */
                srtp = TLSX_UseSRTP_New((1 << profile_value), ssl->heap);
                if (srtp != NULL) {
                    ret = TLSX_Push(&ssl->extensions, TLSX_USE_SRTP,
                        (void*)srtp, ssl->heap);
                    if (ret == 0) {
                        TLSX_SetResponse(ssl, TLSX_USE_SRTP);
                        /* successfully set extension */
                    }
                }
                else {
                    ret = MEMORY_E;
                }
                break;
            }
        }
    }

    if (ret == 0 && ssl->dtlsSrtpId == 0) {
        WOLFSSL_MSG("TLSX_UseSRTP_Parse profile not found!");
        /* not fatal */
    }
    else if (ret != 0) {
        /* Clear any partial selection; srtp is still owned here if the
         * push failed (or is NULL), so freeing it is safe. */
        ssl->dtlsSrtpId = 0;
        TLSX_UseSRTP_Free(srtp, ssl->heap);
    }

    return ret;
}
6890
6891
/* Write the use_srtp extension body.
 *
 * srtp    Profile set to advertise (ids bitmask, profileCount set bits).
 * output  Destination buffer; must hold TLSX_UseSRTP_GetSize(srtp) bytes.
 * return number of bytes written.
 *
 * Layout: 2-byte profiles length, one 2-byte id per set bit of srtp->ids in
 * ascending bit order, then a zero srtp_mki length (no MKI is sent). The id
 * loop only runs when profileCount is non-zero, while the length prefix is
 * derived from profileCount, so the two fields must agree (as
 * TLSX_UseSRTP_New guarantees) for the encoding to be well formed.
 */
static word16 TLSX_UseSRTP_Write(TlsxSrtp* srtp, byte* output)
{
    word16 offset = 0;

    c16toa((word16)(srtp->profileCount * OPAQUE16_LEN), output + offset);
    offset += OPAQUE16_LEN;

    if (srtp->profileCount > 0) {
        int bit;
        for (bit = 0; bit < 16; bit++) {
            if (srtp->ids & (1 << bit)) {
                c16toa((word16)bit, output + offset);
                offset += OPAQUE16_LEN;
            }
        }
    }

    output[offset++] = 0x00; /* srtp_mki length */

    return offset;
}
6911
#endif
6912
6913
/* Add the use_srtp extension offering the given profiles.
 *
 * extensions  Address of the extension list (must not be NULL).
 * profiles    Bitmask of SRTP profile ids to offer.
 * heap        Heap hint passed to the allocator.
 * return 0 when present or added (note: 0, not WOLFSSL_SUCCESS),
 *        BAD_FUNC_ARG when extensions is NULL, MEMORY_E when allocation
 *        fails, otherwise the error from TLSX_Push.
 */
static int TLSX_UseSRTP(TLSX** extensions, word16 profiles, void* heap)
{
    TlsxSrtp* srtp;
    int       ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    /* Already offered: the existing profile set is left untouched. */
    if (TLSX_Find(*extensions, TLSX_USE_SRTP) != NULL)
        return 0;

    srtp = TLSX_UseSRTP_New(profiles, heap);
    if (srtp == NULL)
        return MEMORY_E;

    ret = TLSX_Push(extensions, TLSX_USE_SRTP, (void*)srtp, heap);
    if (ret != 0) {
        /* The list did not take ownership. */
        TLSX_UseSRTP_Free(srtp, heap);
    }

    return ret;
}
6937
6938
#ifndef NO_WOLFSSL_SERVER
6939
    #define SRTP_FREE     TLSX_UseSRTP_Free
6940
    #define SRTP_PARSE    TLSX_UseSRTP_Parse
6941
    #define SRTP_WRITE    TLSX_UseSRTP_Write
6942
    #define SRTP_GET_SIZE TLSX_UseSRTP_GetSize
6943
#else
6944
    #define SRTP_FREE(a, b) WC_DO_NOTHING
6945
    #define SRTP_PARSE(a, b, c, d)      0
6946
    #define SRTP_WRITE(a, b)            0
6947
    #define SRTP_GET_SIZE(a)            0
6948
#endif
6949
6950
#endif /* WOLFSSL_SRTP */
6951
6952
6953
/******************************************************************************/
6954
/* Supported Versions                                                         */
6955
/******************************************************************************/
6956
6957
#ifdef WOLFSSL_TLS13
6958
/* Return non-zero when minor version a is newer than b.
 * DTLS minor versions count downwards, so the comparison is inverted there. */
static WC_INLINE int versionIsGreater(byte isDtls, byte a, byte b)
{
    int result = (a > b);

#ifdef WOLFSSL_DTLS
    if (isDtls)
        result = (a < b);
#else
    (void)isDtls;
#endif /* WOLFSSL_DTLS */

    return result;
}
6970
6971
/* Return non-zero when minor version a is older than b.
 * DTLS minor versions count downwards, so the comparison is inverted there. */
static WC_INLINE int versionIsLesser(byte isDtls, byte a, byte b)
{
    int result = (a < b);

#ifdef WOLFSSL_DTLS
    if (isDtls)
        result = (a > b);
#else
    (void)isDtls;
#endif /* WOLFSSL_DTLS */

    return result;
}
6983
6984
/* Return non-zero when minor version a is the same as or newer than b.
 *
 * isDtls  Non-zero when a and b are DTLS minors, whose numeric value goes
 *         down as the protocol version goes up.
 * a, b    Minor version numbers to compare.
 */
static WC_INLINE int versionIsAtLeast(byte isDtls, byte a, byte b)
{
#ifdef WOLFSSL_DTLS
    /* DTLS minors count downwards, so "at least" flips the comparison. */
    if (isDtls)
        return a <= b;
#else
    (void)isDtls;
#endif /* WOLFSSL_DTLS */

    return a >= b;
}
6996
6997
/* Return non-zero when minor version a is the same as or older than b.
 *
 * isDtls  Non-zero when a and b are DTLS minors, whose numeric value goes
 *         down as the protocol version goes up.
 * a, b    Minor version numbers to compare.
 */
static WC_INLINE int versionIsLessEqual(byte isDtls, byte a, byte b)
{
#ifdef WOLFSSL_DTLS
    /* DTLS minors count downwards, so "at most" flips the comparison. */
    if (isDtls)
        return a >= b;
#else
    (void)isDtls;
#endif /* WOLFSSL_DTLS */

    return a <= b;
}
7009
7010
/* Add the size of the SupportedVersions extension's data to *pSz.
 *
 * In a ClientHello the data is a one byte list length followed by one
 * two-byte version per offered version; in a ServerHello/HelloRetryRequest
 * it is the single selected version.
 *
 * data     The SSL/TLS object.
 * msgType  The type of the message this extension is being written into.
 * pSz      Accumulator the extension data length is added to.
 * returns 0 on success, SANITY_MSG_E for any other message type.
 */
static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz)
{
    WOLFSSL* ssl = (WOLFSSL*)data;
    byte tls13Minor, tls12Minor, tls11Minor, isDtls;

    /* NOTE(review): isDtls follows options.dtls unconditionally here, while
     * TLSX_SupportedVersions_Write only treats the connection as DTLS under
     * WOLFSSL_DTLS13. With DTLS 1.2 built but not DTLS 1.3 the two could
     * count a different number of versions - confirm the extension is never
     * produced in that configuration. */
    isDtls = !!ssl->options.dtls;
    tls13Minor = (byte)(isDtls ? DTLSv1_3_MINOR : TLSv1_3_MINOR);
    tls12Minor = (byte)(isDtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR);
    tls11Minor = (byte)(isDtls ? DTLS_MINOR : TLSv1_1_MINOR);

    /* unused on some configuration */
    (void)tls12Minor;
    (void)tls13Minor;
    (void)tls11Minor;

    if (msgType == client_hello) {
        /* Count the versions that will be offered, newest first. */
        int cnt = 0;

        /* TLS v1.3 is offered unless the minimum downgrade version excludes
         * it (or the compatibility option mask disables it). */
        if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls13Minor)
        #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
            defined(WOLFSSL_WPAS_SMALL)
            && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == 0
        #endif
        ) {
            cnt++;
        }

        /* Older versions are only offered when downgrade is allowed. */
        if (ssl->options.downgrade) {
    #ifndef WOLFSSL_NO_TLS12
            if (versionIsLessEqual(
                    isDtls, ssl->options.minDowngrade, tls12Minor)
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) ||                       \
    defined(WOLFSSL_WPAS_SMALL)
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == 0
#endif
            ) {
                cnt++;
            }
#endif
    #ifndef NO_OLD_TLS
            if (versionIsLessEqual(
                    isDtls, ssl->options.minDowngrade, tls11Minor)
            #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
                defined(WOLFSSL_WPAS_SMALL)
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == 0
            #endif
            ) {
                cnt++;
            }
        #ifdef WOLFSSL_ALLOW_TLSV10
            /* TLS v1.0 has no DTLS counterpart. */
            if (!ssl->options.dtls && (ssl->options.minDowngrade <= TLSv1_MINOR)
            #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
                defined(WOLFSSL_WPAS_SMALL)
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == 0
            #endif
            ) {
                cnt++;
            }
        #endif
    #endif
        }

        /* One byte list length plus two bytes per offered version. */
        *pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN);
    }
    else if (msgType == server_hello || msgType == hello_retry_request) {
        /* Only the selected version is sent. */
        *pSz += OPAQUE16_LEN;
    }
    else {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    return 0;
}
7091
7092
/* Writes the SupportedVersions extension into the buffer.
 *
 * The buffer is assumed to be large enough for the size reported by
 * TLSX_SupportedVersions_GetSize.
 *
 * data     The SSL/TLS object.
 * output   The buffer to write the extension into.
 * msgType  The type of the message this extension is being written into.
 * pSz      Accumulator the number of bytes written is added to.
 * returns 0 on success, SANITY_MSG_E for any other message type.
 */
static int TLSX_SupportedVersions_Write(void* data, byte* output,
                                        byte msgType, word16* pSz)
{
    WOLFSSL* ssl = (WOLFSSL*)data;
    byte tls13minor, tls12minor, tls11minor, isDtls = 0;

    tls13minor = (byte)TLSv1_3_MINOR;
    tls12minor = (byte)TLSv1_2_MINOR;
    tls11minor = (byte)TLSv1_1_MINOR;

    /* unused in some configuration */
    (void)tls11minor;
    (void)tls12minor;

#ifdef WOLFSSL_DTLS13
    /* NOTE(review): only a DTLS 1.3 build switches to DTLS minors here,
     * whereas TLSX_SupportedVersions_GetSize keys off options.dtls alone;
     * keep the two in step if either condition changes. */
    if (ssl->options.dtls) {
        tls13minor = (byte)DTLSv1_3_MINOR;
    #ifndef WOLFSSL_NO_TLS12
        tls12minor = (byte)DTLSv1_2_MINOR;
    #endif
    #ifndef NO_OLD_TLS
        tls11minor = (byte)DTLS_MINOR;
    #endif
        isDtls = 1;
    }
#endif /* WOLFSSL_DTLS13 */

    if (msgType == client_hello) {
        byte major = ssl->ctx->method->version.major;

        /* Reserve the one byte list length; it is filled in as versions
         * are appended. */
        byte* cnt = output++;
        *cnt = 0;

        /* Newest version first: TLS v1.3 unless excluded by the minimum
         * downgrade version (or the compatibility option mask). */
        if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls13minor)
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) ||                       \
    defined(WOLFSSL_WPAS_SMALL)
            && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == 0
#endif
        ) {
            *cnt += OPAQUE16_LEN;
        #ifdef WOLFSSL_TLS13_DRAFT
            /* The TLS draft major number. */
            *(output++) = TLS_DRAFT_MAJOR;
            /* Version of draft supported. */
            *(output++) = TLS_DRAFT_MINOR;
        #else
            *(output++) = major;
            *(output++) = tls13minor;
        #endif
        }

        /* Older versions are only offered when downgrade is allowed. */
        if (ssl->options.downgrade) {
        #ifndef WOLFSSL_NO_TLS12
            if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls12minor)
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
                defined(WOLFSSL_WPAS_SMALL)
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == 0
            #endif
            ) {
                *cnt += OPAQUE16_LEN;
                *(output++) = major;
                *(output++) = tls12minor;
            }
        #endif

    #ifndef NO_OLD_TLS
            if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls11minor)
            #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
                defined(WOLFSSL_WPAS_SMALL)
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == 0
            #endif
            ) {
                *cnt += OPAQUE16_LEN;
                *(output++) = major;
                *(output++) = tls11minor;
            }
        #ifdef WOLFSSL_ALLOW_TLSV10
            /* TLS v1.0 has no DTLS counterpart. */
            if (!ssl->options.dtls && (ssl->options.minDowngrade <= TLSv1_MINOR)
            #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
                defined(WOLFSSL_WPAS_SMALL)
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == 0
            #endif
            ) {
                *cnt += OPAQUE16_LEN;
                *(output++) = major;
                *(output++) = (byte)TLSv1_MINOR;
            }
        #endif
    #endif
        }

        /* List length byte plus the bytes of the versions written. */
        *pSz += (word16)(OPAQUE8_LEN + *cnt);
    }
    else if (msgType == server_hello || msgType == hello_retry_request) {
        /* Only the negotiated version is sent back. */
        output[0] = ssl->version.major;
        output[1] = ssl->version.minor;

        *pSz += OPAQUE16_LEN;
    }
    else {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    return 0;
}
7205
7206
/* Parse the SupportedVersions extension.
 *
 * From a ClientHello the newest version we can accept is selected from the
 * peer's list; from a ServerHello/HelloRetryRequest the single version is
 * validated against what we offered.
 *
 * ssl     The SSL/TLS object.
 * input   The buffer with the extension data.
 * length  The length of the extension data.
 * msgType The type of the message this extension is being parsed from.
 * pv      The output ProtocolVersion for the negotiated version
 * opts    The output options structure. Can be NULL.
 * exts    The output extensions list. Can be NULL.
 * returns 0 on success, BUFFER_ERROR for malformed data, VERSION_ERROR when
 * no acceptable version is found, SANITY_MSG_E for other message types,
 * otherwise the error from TLSX_Push.
 */
int TLSX_SupportedVersions_Parse(const WOLFSSL* ssl, const byte* input,
        word16 length, byte msgType, ProtocolVersion* pv, Options* opts,
        TLSX** exts)
{
    /* The client's greatest minor version that we support */
    byte clientGreatestMinor = SSLv3_MINOR;
    int ret;
    byte major, minor;
    byte tls13minor, tls12minor;
    byte isDtls;

    tls13minor = TLSv1_3_MINOR;
    tls12minor = TLSv1_2_MINOR;
    isDtls = ssl->options.dtls == 1;

#ifdef WOLFSSL_DTLS13
    if (ssl->options.dtls) {
        tls13minor = DTLSv1_3_MINOR;
        tls12minor = DTLSv1_2_MINOR;
        /* DTLS minors count downwards; start from the oldest DTLS minor. */
        clientGreatestMinor = DTLS_MINOR;
    }
#endif /* WOLFSSL_DTLS13 */

    if (msgType == client_hello) {
        int i;
        int len;
        int set = 0;

        /* Must contain a length and at least one version. The total must be
         * odd (one length byte plus two-byte entries) and bounded. */
        if (length < OPAQUE8_LEN + OPAQUE16_LEN || (length & 1) != 1
            || length > MAX_SV_EXT_LEN) {
            return BUFFER_ERROR;
        }

        len = *input;

        /* Protocol version array must fill rest of data. Together with the
         * checks above this keeps every input[i + 1] read below in bounds. */
        if (length != (word16)OPAQUE8_LEN + len)
            return BUFFER_ERROR;

        input++;

        /* Pick the newest version the peer lists that we are allowed to
         * speak; the list order is not trusted. */
        for (i = 0; i < len; i += OPAQUE16_LEN) {
            major = input[i];
            minor = input[i + OPAQUE8_LEN];

#ifdef WOLFSSL_TLS13_DRAFT
            if (major == TLS_DRAFT_MAJOR && minor == TLS_DRAFT_MINOR) {
                major = SSLv3_MAJOR;
                minor = TLSv1_3_MINOR;
            }
#else
            /* Draft versions are ignored, never negotiated. */
            if (major == TLS_DRAFT_MAJOR)
                continue;
#endif

            if (major != ssl->ctx->method->version.major)
                continue;

            /* No upgrade allowed. */
            if (versionIsGreater(isDtls, minor, ssl->version.minor))
                continue;

            /* Check downgrade. */
            if (versionIsLesser(isDtls, minor, ssl->version.minor)) {
                if (!ssl->options.downgrade)
                    continue;

                if (versionIsLesser(isDtls, minor, ssl->options.minDowngrade))
                    continue;
            }
            if (versionIsGreater(isDtls, minor, clientGreatestMinor))
                clientGreatestMinor = minor;

            set = 1;
        }
        if (!set) {
            /* No common supported version was negotiated */
            SendAlert((WOLFSSL*)ssl, alert_fatal,
                      wolfssl_alert_protocol_version);
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
            return VERSION_ERROR;
        }
        pv->minor = clientGreatestMinor;
        if (versionIsAtLeast(isDtls, clientGreatestMinor, tls13minor)) {
            if (opts != NULL)
                opts->tls1_3 = 1;

            /* TLS v1.3 requires supported version extension */
            if (exts != NULL &&
                    TLSX_Find(*exts, TLSX_SUPPORTED_VERSIONS) == NULL) {
                ret = TLSX_Push(exts,
                          TLSX_SUPPORTED_VERSIONS, ssl, ssl->heap);
                if (ret != 0) {
                    return ret;
                }
                /* *exts should be pointing to the TLSX_SUPPORTED_VERSIONS
                 * ext in the list since it was pushed. */
                (*exts)->resp = 1;
            }
        }

    }
    else if (msgType == server_hello || msgType == hello_retry_request) {
        /* Must contain one version. */
        if (length != OPAQUE16_LEN)
            return BUFFER_ERROR;

        major = input[0];
        minor = input[OPAQUE8_LEN];

        if (major != ssl->ctx->method->version.major) {
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
            return VERSION_ERROR;
        }

        /* Can't downgrade with this extension below TLS v1.3. */
        if (versionIsLesser(isDtls, minor, tls13minor)) {
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
            return VERSION_ERROR;
        }

        /* Version is TLS v1.2 to handle downgrading from TLS v1.3+. */
        if (ssl->options.downgrade && ssl->version.minor == tls12minor) {
            /* Set minor version back to TLS v1.3+ */
            pv->minor = ssl->ctx->method->version.minor;
        }

        /* No upgrade allowed.
         * NOTE(review): this reads ssl->version.minor, so the reset just
         * above only influences it when pv aliases ssl->version - confirm
         * against the caller. */
        if (versionIsLesser(isDtls, ssl->version.minor, minor)) {
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
            return VERSION_ERROR;
        }

        /* Check downgrade. */
        if (versionIsGreater(isDtls, ssl->version.minor, minor)) {
            if (!ssl->options.downgrade) {
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
                return VERSION_ERROR;
            }

            if (versionIsLesser(
                    isDtls, minor, ssl->options.minDowngrade)) {
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
                return VERSION_ERROR;
            }

            /* Downgrade the version. */
            pv->minor = minor;
        }
    }
    else {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    return 0;
}
7376
7377
/* Push a SupportedVersions extension onto the extension list.
 *
 * extensions  The list of extensions.
 * data        The extensions specific data (the SSL/TLS object).
 * heap        The heap used for allocation.
 * returns 0 on success, BAD_FUNC_ARG when either pointer is NULL, otherwise
 * the error from TLSX_Push.
 */
static int TLSX_SetSupportedVersions(TLSX** extensions, const void* data,
                                     void* heap)
{
    if (extensions != NULL && data != NULL)
        return TLSX_Push(extensions, TLSX_SUPPORTED_VERSIONS, data, heap);

    return BAD_FUNC_ARG;
}
7392
7393
0
#define SV_GET_SIZE  TLSX_SupportedVersions_GetSize
7394
0
#define SV_WRITE     TLSX_SupportedVersions_Write
7395
0
#define SV_PARSE     TLSX_SupportedVersions_Parse
7396
7397
#else
7398
7399
#define SV_GET_SIZE(a, b, c) 0
7400
#define SV_WRITE(a, b, c, d) 0
7401
#define SV_PARSE(a, b, c, d, e, f, g) 0
7402
7403
#endif /* WOLFSSL_TLS13 */
7404
7405
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
7406
7407
/******************************************************************************/
7408
/* Cookie                                                                     */
7409
/******************************************************************************/
7410
7411
/* Release a Cookie allocated by TLSX_Cookie_Use.
 *
 * cookie  Cookie data; may be NULL.
 * heap    The heap used for allocation.
 */
static void TLSX_Cookie_FreeAll(Cookie* cookie, void* heap)
{
    XFREE(cookie, heap, DYNAMIC_TYPE_TLSX);
    (void)heap;
}
7422
7423
/* Add the encoded size of the Cookie extension to *pSz.
 * In messages: ClientHello and HelloRetryRequest.
 *
 * cookie   The cookie to write.
 * msgType  The type of the message this extension is being written into.
 * pSz      Accumulator the encoded size is added to.
 * returns 0 on success, SANITY_MSG_E for any other message type.
 */
static int TLSX_Cookie_GetSize(Cookie* cookie, byte msgType, word16* pSz)
{
    if (msgType != client_hello && msgType != hello_retry_request) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* 16-bit length prefix followed by the cookie bytes. */
    *pSz += OPAQUE16_LEN + cookie->len;
    return 0;
}
7441
7442
/* Writes the Cookie extension into the output buffer.
 * Assumes the output buffer is big enough to hold the data reported by
 * TLSX_Cookie_GetSize.
 * In messages: ClientHello and HelloRetryRequest.
 *
 * cookie   The cookie to write.
 * output   The buffer to write into.
 * msgType  The type of the message this extension is being written into.
 * pSz      Accumulator the number of bytes written is added to.
 * returns 0 on success, SANITY_MSG_E for any other message type.
 */
static int TLSX_Cookie_Write(Cookie* cookie, byte* output, byte msgType,
                             word16* pSz)
{
    if (msgType != client_hello && msgType != hello_retry_request) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* 16-bit length prefix followed by the cookie bytes. */
    c16toa(cookie->len, output);
    XMEMCPY(output + OPAQUE16_LEN, cookie->data, cookie->len);
    *pSz += OPAQUE16_LEN + cookie->len;
    return 0;
}
7466
7467
/* Parse the Cookie extension.
 * In messages: ClientHello and HelloRetryRequest.
 *
 * From a HelloRetryRequest the cookie is stored so it can be echoed back.
 * From a ClientHello it is compared against the cookie this object sent.
 *
 * ssl      The SSL/TLS object.
 * input    The extension data.
 * length   The length of the extension data.
 * msgType  The type of the message this extension is being parsed from.
 * returns 0 on success, BUFFER_E for malformed data, HRR_COOKIE_ERROR when
 * the cookie is unexpected or does not match, SANITY_MSG_E for other
 * message types, otherwise the error from TLSX_Cookie_Use.
 */
static int TLSX_Cookie_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                             byte msgType)
{
    word16  len;
    word16  idx = 0;
    TLSX*   extension;
    Cookie* cookie;

    if (msgType != client_hello && msgType != hello_retry_request) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* Message contains length and Cookie which must be at least one byte
     * in length.
     */
    if (length < OPAQUE16_LEN + 1)
        return BUFFER_E;
    ato16(input + idx, &len);
    idx += OPAQUE16_LEN;
    /* The cookie must fill the rest of the extension exactly. */
    if (length - idx != len)
        return BUFFER_E;

    if (msgType == hello_retry_request) {
        /* Client side: remember the cookie to echo in the next ClientHello. */
        ssl->options.hrrSentCookie = 1;
        return TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 1,
                               &ssl->extensions);
    }

    /* client_hello */
    extension = TLSX_Find(ssl->extensions, TLSX_COOKIE);
    if (extension == NULL) {
#ifdef WOLFSSL_DTLS13
        if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version))
            /* Allow a cookie extension with DTLS 1.3 because it is possible
             * that a different SSL instance sent the cookie but we are now
             * receiving it. */
            return TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 0,
                                   &ssl->extensions);
        else
#endif
        {
            /* A cookie we never sent is rejected. */
            WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR);
            return HRR_COOKIE_ERROR;
        }
    }

    /* The echoed cookie must match the one we sent byte for byte.
     * NOTE(review): XMEMCMP is not constant-time; a constant-time compare
     * (ConstantCompare, where this build provides it) would avoid leaking
     * the matching prefix length through timing. */
    cookie = (Cookie*)extension->data;
    if (cookie->len != len || XMEMCMP(cookie->data, input + idx, len) != 0) {
        WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR);
        return HRR_COOKIE_ERROR;
    }

    /* Request seen. */
    extension->resp = 0;

    return 0;
}
7534
7535
/* Store cookie data (plus an optional MAC) in the Cookie extension, creating
 * the extension entry when it does not exist yet. Any cookie previously held
 * by the extension is released.
 *
 * ssl    SSL/TLS object.
 * data   Cookie data.
 * len    Length of cookie data in bytes.
 * mac    MAC data; may be NULL.
 * macSz  Length of MAC data in bytes.
 * resp   Indicates the extension will go into a response (HelloRetryRequest).
 * exts   The extension list to store the cookie in.
 * returns 0 on success, MEMORY_E when allocation fails, otherwise the error
 * from TLSX_Push.
 */
int TLSX_Cookie_Use(const WOLFSSL* ssl, const byte* data, word16 len, byte* mac,
                    byte macSz, int resp, TLSX** exts)
{
    int     ret;
    TLSX*   extension;
    Cookie* cookie;

    extension = TLSX_Find(*exts, TLSX_COOKIE);
    if (extension == NULL) {
        /* Not present yet: push an empty entry and look it up again. */
        ret = TLSX_Push(exts, TLSX_COOKIE, NULL, ssl->heap);
        if (ret != 0)
            return ret;

        extension = TLSX_Find(*exts, TLSX_COOKIE);
        if (extension == NULL)
            return MEMORY_E;
    }

    /* Cookie bytes and MAC bytes are stored back to back after the header.
     * NOTE(review): when mac is NULL the trailing macSz bytes are left
     * uninitialised; callers are assumed to pass macSz == 0 in that case. */
    cookie = (Cookie*)XMALLOC(sizeof(Cookie) + len + macSz, ssl->heap,
                              DYNAMIC_TYPE_TLSX);
    if (cookie == NULL)
        return MEMORY_E;

    cookie->len = len + macSz;
    XMEMCPY(cookie->data, data, len);
    if (mac != NULL)
        XMEMCPY(cookie->data + len, mac, macSz);

    /* Replace whatever cookie the extension held before. */
    XFREE(extension->data, ssl->heap, DYNAMIC_TYPE_TLSX);
    extension->data = (void*)cookie;
    extension->resp = (byte)resp;

    return 0;
}
7582
7583
#define CKE_FREE_ALL  TLSX_Cookie_FreeAll
7584
#define CKE_GET_SIZE  TLSX_Cookie_GetSize
7585
#define CKE_WRITE     TLSX_Cookie_Write
7586
#define CKE_PARSE     TLSX_Cookie_Parse
7587
7588
#else
7589
7590
0
#define CKE_FREE_ALL(a, b)    WC_DO_NOTHING
7591
0
#define CKE_GET_SIZE(a, b, c) 0
7592
0
#define CKE_WRITE(a, b, c, d) 0
7593
0
#define CKE_PARSE(a, b, c, d) 0
7594
7595
#endif
7596
7597
#if defined(WOLFSSL_TLS13) && !defined(NO_CERTS) && \
7598
    !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA)
7599
/* Currently only settable through compatibility API */
7600
/******************************************************************************/
7601
/* Certificate Authorities                                                       */
7602
/******************************************************************************/
7603
7604
/* Return the encoded size of the certificate_authorities extension data.
 *
 * data  The SSL/TLS object.
 * returns the number of bytes the encoding needs, or 0 when it would not fit
 * in a 16-bit length.
 */
static word16 TLSX_CA_Names_GetSize(void* data)
{
    WOLFSSL* ssl = (WOLFSSL*)data;
    WOLF_STACK_OF(WOLFSSL_X509_NAME)* node;
    word32 total = OPAQUE16_LEN; /* the list length prefix */

    for (node = SSL_PRIORITY_CA_NAMES(ssl); node != NULL; node = node->next) {
        byte seq[MAX_SEQ_SZ];
        WOLFSSL_X509_NAME* name = node->data.name;

        if (name == NULL)
            continue;

        /* 16-bit length | SEQ | Len | DER of name */
        total += (word32)(OPAQUE16_LEN + SetSequence(name->rawLen, seq) +
                          name->rawLen);
        /* Too large to describe with a 16-bit length: report no data. */
        if (total > WOLFSSL_MAX_16BIT)
            return 0;
    }

    return (word16)total;
}
7627
7628
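/* Write the certificate_authorities extension data into the buffer.
 *
 * Mirrors TLSX_CA_Names_GetSize: when the encoding would exceed a 16-bit
 * length nothing is written and 0 is returned, so the bytes written never
 * exceed the size GetSize reported and the returned length cannot wrap.
 *
 * data    The SSL/TLS object.
 * output  The buffer to write into.
 * returns the number of bytes written, or 0 when the encoding does not fit.
 */
static word16 TLSX_CA_Names_Write(void* data, byte* output)
{
    WOLFSSL* ssl = (WOLFSSL*)data;
    WOLF_STACK_OF(WOLFSSL_X509_NAME)* names;
    byte* len;
    word32 total = OPAQUE16_LEN;

    /* First pass: size check, identical to TLSX_CA_Names_GetSize. */
    for (names = SSL_PRIORITY_CA_NAMES(ssl); names != NULL; names = names->next) {
        byte seq[MAX_SEQ_SZ];
        WOLFSSL_X509_NAME* name = names->data.name;

        if (name != NULL) {
            total += (word32)(OPAQUE16_LEN + SetSequence(name->rawLen, seq) +
                              name->rawLen);
            if (total > WOLFSSL_MAX_16BIT) {
                return 0;
            }
        }
    }

    /* Reserve space for the length value */
    len = output;
    output += OPAQUE16_LEN;
    for (names = SSL_PRIORITY_CA_NAMES(ssl); names != NULL; names = names->next) {
        byte seq[MAX_SEQ_SZ];
        WOLFSSL_X509_NAME* name = names->data.name;

        if (name != NULL) {
            /* 16-bit length | SEQ | Len | DER of name */
            c16toa((word16)name->rawLen +
                   (word16)SetSequence(name->rawLen, seq), output);
            output += OPAQUE16_LEN;
            output += SetSequence(name->rawLen, output);
            XMEMCPY(output, name->raw, name->rawLen);
            output += name->rawLen;
        }
    }
    /* Write the total length */
    c16toa((word16)(output - len - OPAQUE16_LEN), len);
    return (word16)(output - len);
}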
7654
7655
/* Parse the certificate_authorities extension into ssl->peer_ca_names.
 *
 * The data is a 16-bit list length followed by entries of a 16-bit length
 * and a DER encoded Name. Any previous peer CA name list is discarded first.
 *
 * ssl        The SSL/TLS object.
 * input      The extension data.
 * length     The length of the extension data.
 * isRequest  Unused.
 * returns 0 on success, BUFFER_ERROR for malformed data, MEMORY_ERROR when
 * allocation fails, otherwise the error from GetName.
 * NOTE(review): on error the names parsed so far remain in
 * ssl->peer_ca_names - confirm callers treat the list as invalid then.
 */
static int TLSX_CA_Names_Parse(WOLFSSL *ssl, const byte* input,
                                  word16 length, byte isRequest)
{
    word16 extLen;

    (void)isRequest;

    wolfSSL_sk_X509_NAME_pop_free(ssl->peer_ca_names, NULL);
    ssl->peer_ca_names = wolfSSL_sk_X509_NAME_new(NULL);
    if (ssl->peer_ca_names == NULL)
        return MEMORY_ERROR;

    if (length < OPAQUE16_LEN)
        return BUFFER_ERROR;

    /* The list must fill the extension exactly. */
    ato16(input, &extLen);
    input += OPAQUE16_LEN;
    length -= OPAQUE16_LEN;
    if (extLen != length)
        return BUFFER_ERROR;

    while (length) {
        word16 idx = 0;
        WOLFSSL_X509_NAME* name = NULL;
        int ret = 0;
        int didInit = FALSE;
        /* Use a DecodedCert struct to get access to GetName to
         * parse DN name */
#ifdef WOLFSSL_SMALL_STACK
        DecodedCert *cert = (DecodedCert *)XMALLOC(
            sizeof(*cert), ssl->heap, DYNAMIC_TYPE_DCERT);
        if (cert == NULL)
            return MEMORY_ERROR;
#else
        DecodedCert cert[1];
#endif

        /* Each entry needs at least its own length field. */
        if (length < OPAQUE16_LEN) {
            ret = BUFFER_ERROR;
        }

        if (ret == 0) {
            ato16(input, &extLen);
            idx += OPAQUE16_LEN;

            /* Entry must lie within the remaining data; this also keeps
             * idx <= length so the loop always makes progress. */
            if (extLen > length - idx)
                ret = BUFFER_ERROR;
        }

        if (ret == 0) {
            InitDecodedCert(cert, input + idx, extLen, ssl->heap);
            didInit = TRUE;
            idx += extLen;
            ret = GetName(cert, ASN_SUBJECT, extLen);
        }

        if (ret == 0 && (name = wolfSSL_X509_NAME_new()) == NULL)
            ret = MEMORY_ERROR;

        if (ret == 0) {
            CopyDecodedName(name, cert, ASN_SUBJECT);
            /* The stack owns name on success; free it on failure. */
            if (wolfSSL_sk_X509_NAME_push(ssl->peer_ca_names, name) <= 0) {
                wolfSSL_X509_NAME_free(name);
                ret = MEMORY_ERROR;
            }
        }

        if (didInit)
            FreeDecodedCert(cert);

        WC_FREE_VAR_EX(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
        if (ret != 0)
            return ret;

        input += idx;
        length -= idx;
    }
    return 0;
}
7734
7735
#define CAN_GET_SIZE(data)      TLSX_CA_Names_GetSize(data)
7736
#define CAN_WRITE(data, output) TLSX_CA_Names_Write(data, output)
7737
#define CAN_PARSE(ssl, input, length, isRequest) \
7738
                                TLSX_CA_Names_Parse(ssl, input, length, isRequest)
7739
7740
#else
7741
7742
#define CAN_GET_SIZE(data)                       0
7743
#define CAN_WRITE(data, output)                  0
7744
#define CAN_PARSE(ssl, input, length, isRequest) 0
7745
7746
#endif
7747
7748
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
7749
/******************************************************************************/
7750
/* Signature Algorithms                                                       */
7751
/******************************************************************************/
7752
7753
/* Return the size of the SignatureAlgorithms extension's data.
 *
 * data  The SignatureAlgorithms extension data.
 * returns the length of data that will be in the extension: a 16-bit list
 * length plus the algorithm list.
 */
static word16 TLSX_SignatureAlgorithms_GetSize(void* data)
{
    SignatureAlgorithms* sa = (SignatureAlgorithms*)data;
    word16 listSz = sa->hashSigAlgoSz;

    /* An empty per-extension list means the suites' list is used instead. */
    if (listSz == 0)
        listSz = WOLFSSL_SUITES(sa->ssl)->hashSigAlgoSz;

    return OPAQUE16_LEN + listSz;
}
7768
7769
/* Creates a bit string of supported hash algorithms with RSA PSS.
 * The bit string is used when determining which signature algorithm to use
 * when creating the CertificateVerify message.
 * Note: Valid data has an even length as each signature algorithm is two bytes.
 *
 * ssl     The SSL/TLS object.
 * input   The buffer with the list of supported signature algorithms.
 * length  The length of the list in bytes.
 * returns 0 on success, BUFFER_ERROR when the length is not even.
 */
static int TLSX_SignatureAlgorithms_MapPss(WOLFSSL *ssl, const byte* input,
                                           word16 length)
{
    word16 idx;

    /* Each entry is a two-byte pair; an odd length is malformed. */
    if (length & 1)
        return BUFFER_ERROR;

    ssl->pssAlgo = 0;
    for (idx = 0; idx < length; idx += 2) {
        byte sigAlgo = input[idx];
        byte hashAlgo = input[idx + 1];

        if (sigAlgo != rsa_pss_sa_algo)
            continue;

        /* Bit position is the hash identifier itself. */
        if (hashAlgo <= sha512_mac)
            ssl->pssAlgo |= 1 << hashAlgo;
    #ifdef WOLFSSL_TLS13
        if (hashAlgo >= pss_sha256 && hashAlgo <= pss_sha512)
            ssl->pssAlgo |= 1 << hashAlgo;
    #endif
    }

    return 0;
}
7801
7802
/* Writes the SignatureAlgorithms extension into the buffer.
 *
 * data    The SignatureAlgorithms extension data.
 * output  The buffer to write the extension into.
 * returns the length of data that was written.
 */
static word16 TLSX_SignatureAlgorithms_Write(void* data, byte* output)
{
    SignatureAlgorithms* sa = (SignatureAlgorithms*)data;
    const Suites* suites = WOLFSSL_SUITES(sa->ssl);
    const byte* list;
    word16 listSz;

    /* An empty per-extension list means the suites' list is used instead. */
    if (sa->hashSigAlgoSz == 0) {
        list = suites->hashSigAlgo;
        listSz = suites->hashSigAlgoSz;
    }
    else {
        list = sa->hashSigAlgo;
        listSz = sa->hashSigAlgoSz;
    }

    c16toa(listSz, output);
    XMEMCPY(output + OPAQUE16_LEN, list, listSz);

#ifndef NO_RSA
    /* Record which RSA-PSS hashes appear in the list just written. */
    TLSX_SignatureAlgorithms_MapPss(sa->ssl, output + OPAQUE16_LEN, listSz);
#endif

    return OPAQUE16_LEN + listSz;
}
7834
7835
/* Parse the SignatureAlgorithms extension into the given suites.
 *
 * ssl        The SSL/TLS object.
 * input      The buffer with the extension data.
 * length     The length of the extension data.
 * isRequest  Non-zero when parsing a request; the extension is rejected
 *            otherwise.
 * suites     Receives the (possibly truncated) algorithm list.
 * returns 0 on success, otherwise BUFFER_ERROR.
 */
static int TLSX_SignatureAlgorithms_Parse(WOLFSSL *ssl, const byte* input,
                                  word16 length, byte isRequest, Suites* suites)
{
    word16 listSz;

    if (!isRequest)
        return BUFFER_ERROR;

    /* Must contain a length and at least algorithm. */
    if (length < OPAQUE16_LEN + OPAQUE16_LEN)
        return BUFFER_ERROR;
    if ((length & 1) != 0)
        return BUFFER_ERROR;

    ato16(input, &listSz);
    input += OPAQUE16_LEN;

    /* Algorithm array must fill rest of data. */
    if (OPAQUE16_LEN + listSz != length)
        return BUFFER_ERROR;

    suites->hashSigAlgoSz = listSz;
    /* Sig Algo list size must be even. */
    if ((suites->hashSigAlgoSz & 1) != 0)
        return BUFFER_ERROR;

    /* Truncate hashSigAlgo list if too long (assumes WOLFSSL_MAX_SIGALGO is
     * even so the truncated list still holds whole pairs). */
    if (suites->hashSigAlgoSz > WOLFSSL_MAX_SIGALGO) {
        WOLFSSL_MSG("TLSX SigAlgo list exceeds max, truncating");
        suites->hashSigAlgoSz = WOLFSSL_MAX_SIGALGO;
    }
    XMEMCPY(suites->hashSigAlgo, input, suites->hashSigAlgoSz);

    return TLSX_SignatureAlgorithms_MapPss(ssl, input, suites->hashSigAlgoSz);
}
7874
7875
/* Sets a new SignatureAlgorithms extension into the extension list.
 *
 * extensions  The list of extensions.
 * ssl         The SSL/TLS object the extension belongs to.
 * heap        The heap used for allocation.
 * returns 0 on success (also when the extension is already present),
 * BAD_FUNC_ARG when extensions is NULL, MEMORY_ERROR when allocation fails,
 * otherwise the error from TLSX_Push.
 */
static int TLSX_SetSignatureAlgorithms(TLSX** extensions, WOLFSSL* ssl,
                                       void* heap)
{
    SignatureAlgorithms* sa;
    int ret = MEMORY_ERROR;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    /* Already present */
    if (TLSX_Find(*extensions, TLSX_SIGNATURE_ALGORITHMS) != NULL)
        return 0;

    /* Size 0 makes GetSize/Write fall back to the suites' list. */
    sa = TLSX_SignatureAlgorithms_New(ssl, 0, heap);
    if (sa != NULL) {
        ret = TLSX_Push(extensions, TLSX_SIGNATURE_ALGORITHMS, sa, heap);
        if (ret != 0) {
            /* The list did not take ownership; release the data. */
            TLSX_SignatureAlgorithms_FreeAll(sa, heap);
        }
    }

    return ret;
}
7904
7905
/* Allocate a SignatureAlgorithms extension object.
 *
 * The object and hashSigAlgoSz trailing bytes are allocated as one zeroed
 * block; release it with TLSX_SignatureAlgorithms_FreeAll.
 *
 * ssl            The SSL/TLS object stored in the new entry.
 * hashSigAlgoSz  Number of trailing bytes reserved for the algorithm list.
 * heap           The heap used for allocation.
 * returns the new object, or NULL when allocation fails.
 */
SignatureAlgorithms* TLSX_SignatureAlgorithms_New(WOLFSSL* ssl,
        word16 hashSigAlgoSz, void* heap)
{
    const size_t allocSz = sizeof(SignatureAlgorithms) + hashSigAlgoSz;
    SignatureAlgorithms* sa = (SignatureAlgorithms*)XMALLOC(allocSz, heap,
                                                          DYNAMIC_TYPE_TLSX);
    (void)heap;

    if (sa == NULL)
        return NULL;

    XMEMSET(sa, 0, allocSz);
    sa->ssl = ssl;
    sa->hashSigAlgoSz = hashSigAlgoSz;
    return sa;
}
7920
7921
/* Release a SignatureAlgorithms object created by
 * TLSX_SignatureAlgorithms_New.
 *
 * sa    The object to free.
 * heap  The heap the object was allocated from.
 */
void TLSX_SignatureAlgorithms_FreeAll(SignatureAlgorithms* sa,
                                             void* heap)
{
    (void)heap;
    XFREE(sa, heap, DYNAMIC_TYPE_TLSX);
}
7927
7928
0
#define SA_GET_SIZE  TLSX_SignatureAlgorithms_GetSize
7929
0
#define SA_WRITE     TLSX_SignatureAlgorithms_Write
7930
0
#define SA_PARSE     TLSX_SignatureAlgorithms_Parse
7931
0
#define SA_FREE_ALL  TLSX_SignatureAlgorithms_FreeAll
7932
#endif
7933
/******************************************************************************/
7934
/* Signature Algorithms Certificate                                           */
7935
/******************************************************************************/
7936
7937
#if defined(WOLFSSL_TLS13) && !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
7938
/* Return the size of the SignatureAlgorithmsCert extension's data.
 *
 * data  The WOLFSSL object whose certHashSigAlgo list will be written.
 * returns the length of data that will be in the extension.
 */
static word16 TLSX_SignatureAlgorithmsCert_GetSize(void* data)
{
    const WOLFSSL* ssl = (const WOLFSSL*)data;

    /* 2-byte list length prefix plus the list itself. */
    return (word16)(OPAQUE16_LEN + ssl->certHashSigAlgoSz);
}
7949
7950
/* Writes the SignatureAlgorithmsCert extension into the buffer.
 *
 * data    The WOLFSSL object holding certHashSigAlgo/certHashSigAlgoSz.
 * output  The buffer to write the extension into; must have room for the
 *         size reported by TLSX_SignatureAlgorithmsCert_GetSize.
 * returns the length of data that was written.
 */
static word16 TLSX_SignatureAlgorithmsCert_Write(void* data, byte* output)
{
    const WOLFSSL* ssl = (const WOLFSSL*)data;
    byte* listOut = output + OPAQUE16_LEN;

    /* Length prefix, then the raw (hash, sig) pair list. */
    c16toa(ssl->certHashSigAlgoSz, output);
    XMEMCPY(listOut, ssl->certHashSigAlgo, ssl->certHashSigAlgoSz);

    return (word16)(OPAQUE16_LEN + ssl->certHashSigAlgoSz);
}
7966
7967
/* Parse the SignatureAlgorithmsCert extension.
 *
 * Wire layout: a 2-byte list length followed by that many bytes of 2-byte
 * (hash, signature) pairs. The list is copied into ssl->certHashSigAlgo,
 * clipped to WOLFSSL_MAX_SIGALGO bytes, and ssl->certHashSigAlgoSz records
 * the copied (possibly clipped) byte count.
 *
 * ssl        The SSL/TLS object.
 * input      The buffer with the extension data.
 * length     The length of the extension data.
 * isRequest  Non-zero when the extension arrived in a request; it is
 *            rejected otherwise.
 * returns 0 on success, BUFFER_ERROR on malformed data.
 */
static int TLSX_SignatureAlgorithmsCert_Parse(WOLFSSL *ssl, const byte* input,
                                              word16 length, byte isRequest)
{
    word16 listSz;
    const byte* list;

    if (isRequest == 0)
        return BUFFER_ERROR;

    /* Need the 2-byte list length plus at least one 2-byte pair, and an even
     * total. */
    if ((length < OPAQUE16_LEN + OPAQUE16_LEN) || (length & 1) != 0)
        return BUFFER_ERROR;

    ato16(input, &listSz);
    list = input + OPAQUE16_LEN;

    /* The list must account for every remaining byte - no trailing data. */
    if (OPAQUE16_LEN + listSz != length)
        return BUFFER_ERROR;

    ssl->certHashSigAlgoSz = listSz;
    /* Bound the copy to the fixed-size destination array. */
    if (ssl->certHashSigAlgoSz > WOLFSSL_MAX_SIGALGO) {
        WOLFSSL_MSG("TLSX SigAlgo list exceeds max, truncating");
        ssl->certHashSigAlgoSz = WOLFSSL_MAX_SIGALGO;
    }
    XMEMCPY(ssl->certHashSigAlgo, list, ssl->certHashSigAlgoSz);

    return 0;
}
8003
8004
/* Sets a new SignatureAlgorithmsCert extension into the extension list.
 *
 * The WOLFSSL object itself is stored as the extension's data (GetSize and
 * Write read certHashSigAlgo from it), so nothing is allocated here. No
 * check for an existing entry is made; that is left to TLSX_Push.
 *
 * extensions  The list of extensions.
 * data        The WOLFSSL object used as the extension data.
 * heap        The heap used for allocation.
 * returns 0 on success, BAD_FUNC_ARG for a NULL list, otherwise the
 * TLSX_Push result.
 */
static int TLSX_SetSignatureAlgorithmsCert(TLSX** extensions,
        const WOLFSSL* data, void* heap)
{
    int ret = BAD_FUNC_ARG;

    if (extensions != NULL)
        ret = TLSX_Push(extensions, TLSX_SIGNATURE_ALGORITHMS_CERT, data, heap);

    return ret;
}
8019
8020
0
#define SAC_GET_SIZE  TLSX_SignatureAlgorithmsCert_GetSize
8021
0
#define SAC_WRITE     TLSX_SignatureAlgorithmsCert_Write
8022
0
#define SAC_PARSE     TLSX_SignatureAlgorithmsCert_Parse
8023
#endif /* WOLFSSL_TLS13 */
8024
8025
8026
/******************************************************************************/
8027
/* Key Share                                                                  */
8028
/******************************************************************************/
8029
8030
#ifndef MAX_KEYSHARE_NAMED_GROUPS
8031
    #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
8032
        !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
8033
0
        #define MAX_KEYSHARE_NAMED_GROUPS    24
8034
    #else
8035
        #define MAX_KEYSHARE_NAMED_GROUPS    12
8036
    #endif
8037
#endif
8038
8039
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
8040
/* Create a key share entry using named Diffie-Hellman parameters group.
 * Generates a key pair.
 *
 * On success kse->pubKey holds the public value zero-padded to the prime
 * size (pSz bytes) and kse->privKey the private value padded to pvtSz bytes;
 * both are owned by the entry. The DhKey object in kse->key is always
 * released before returning (except when an async operation is pending), so
 * only the raw buffers survive this call. On failure both buffers are freed
 * and the private bytes are scrubbed first.
 *
 * ssl   The SSL/TLS object.
 * kse   The key share entry object; kse->group selects the FFDHE group.
 * returns 0 on success, BAD_FUNC_ARG for an unsupported group, MEMORY_E on
 * allocation failure, NOT_COMPILED_IN when DH is not built, otherwise the
 * wolfCrypt error.
 */
static int TLSX_KeyShare_GenDhKey(WOLFSSL *ssl, KeyShareEntry* kse)
{
    int ret = 0;
#if !defined(NO_DH) && (!defined(NO_CERTS) || !defined(NO_PSK))
    word32 pSz = 0, pvtSz = 0;
    DhKey* dhKey = (DhKey*)kse->key;

    /* Pick the parameters from the named group. */
#ifdef HAVE_PUBLIC_FFDHE
    const DhParams* params = NULL;
    /* pvtSz is the private value buffer size (bytes) used for the group;
     * pSz is taken from the group's prime length below. */
    switch (kse->group) {
    #ifdef HAVE_FFDHE_2048
        case WOLFSSL_FFDHE_2048:
            params = wc_Dh_ffdhe2048_Get();
            pvtSz = 29;
            break;
    #endif
    #ifdef HAVE_FFDHE_3072
        case WOLFSSL_FFDHE_3072:
            params = wc_Dh_ffdhe3072_Get();
            pvtSz = 34;
            break;
    #endif
    #ifdef HAVE_FFDHE_4096
        case WOLFSSL_FFDHE_4096:
            params = wc_Dh_ffdhe4096_Get();
            pvtSz = 39;
            break;
    #endif
    #ifdef HAVE_FFDHE_6144
        case WOLFSSL_FFDHE_6144:
            params = wc_Dh_ffdhe6144_Get();
            pvtSz = 46;
            break;
    #endif
    #ifdef HAVE_FFDHE_8192
        case WOLFSSL_FFDHE_8192:
            params = wc_Dh_ffdhe8192_Get();
            pvtSz = 52;
            break;
    #endif
        default:
            break;
    }
    /* Unknown or not-compiled-in group: nothing allocated yet, safe to bail. */
    if (params == NULL)
        return BAD_FUNC_ARG;
    pSz = params->p_len;
#else
    /* Sizes come from wolfCrypt's named-group table instead. */
    pvtSz = wc_DhGetNamedKeyMinSize(kse->group);
    if (pvtSz == 0) {
        return BAD_FUNC_ARG;
    }
    ret = wc_DhGetNamedKeyParamSize(kse->group, &pSz, NULL, NULL);
    if (ret != 0) {
        return BAD_FUNC_ARG;
    }
#endif

    /* Trigger Key Generation */
    /* Skipped entirely when both buffers already exist (e.g. re-entry after
     * an async completion); only the zero-pad and release below run then. */
    if (kse->pubKey == NULL || kse->privKey == NULL) {
        if (kse->key == NULL) {
            kse->key = (DhKey*)XMALLOC(sizeof(DhKey), ssl->heap,
                DYNAMIC_TYPE_DH);
            /* Nothing of this call's to clean up yet. */
            if (kse->key == NULL)
                return MEMORY_E;

            /* Setup Key */
            ret = wc_InitDhKey_ex((DhKey*)kse->key, ssl->heap, ssl->devId);
            if (ret == 0) {
                /* dhKey non-NULL from here on: the release block below will
                 * call wc_FreeDhKey on it. */
                dhKey = (DhKey*)kse->key;
            #ifdef HAVE_PUBLIC_FFDHE
                ret = wc_DhSetKey(dhKey, params->p, params->p_len, params->g,
                                                                 params->g_len);
            #else
                ret = wc_DhSetNamedKey(dhKey, kse->group);
            #endif
            }
        #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
            defined(WC_ASYNC_ENABLE_DH)
            /* Only set non-blocking context when async device is active. With
             * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so
             * skip non-blocking setup and use blocking mode instead. */
            if (ret == 0 && ssl->devId != INVALID_DEVID) {
                DhNb* dhNb = (DhNb*)XMALLOC(sizeof(DhNb), ssl->heap,
                                            DYNAMIC_TYPE_TMP_BUFFER);
                if (dhNb == NULL) {
                    ret = MEMORY_E;
                }
                else {
                    /* On success dhKey->nb owns dhNb; it is freed in the
                     * release block below. */
                    ret = wc_DhSetNonBlock((DhKey*)kse->key, dhNb);
                    if (ret != 0) {
                        XFREE(dhNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
                    }
                }
            }
        #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
                  WC_ASYNC_ENABLE_DH */
        }

        /* Allocate space for the private and public key */
        if (ret == 0 && kse->pubKey == NULL) {
            kse->pubKey = (byte*)XMALLOC(pSz, ssl->heap,
                DYNAMIC_TYPE_PUBLIC_KEY);
            if (kse->pubKey == NULL)
                ret = MEMORY_E;
        }

        if (ret == 0 && kse->privKey == NULL) {
            kse->privKey = (byte*)XMALLOC(pvtSz, ssl->heap,
                DYNAMIC_TYPE_PRIVATE_KEY);
            if (kse->privKey == NULL)
                ret = MEMORY_E;
        }

        if (ret == 0) {
        #if defined(WOLFSSL_STATIC_EPHEMERAL) && defined(WOLFSSL_DH_EXTRA)
            /* Prefer a preloaded static ephemeral key; fall through to fresh
             * generation when none is available. */
            ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_DH, kse->key);
            kse->pubKeyLen = pSz;
            kse->keyLen = pvtSz;
            if (ret == 0) {
                ret = wc_DhExportKeyPair(dhKey,
                    (byte*)kse->privKey, &kse->keyLen, /* private */
                    kse->pubKey, &kse->pubKeyLen /* public */
                );
            }
            else
        #endif
            {
                /* Generate a new key pair */
                /* For async this is called once and when event is done, the
                 *   provided buffers will be populated.
                 * Final processing is zero pad below. */
                /* keyLen/pubKeyLen are in/out: buffer capacity going in,
                 * bytes actually written coming out. */
                kse->pubKeyLen = pSz;
                kse->keyLen = pvtSz;
                ret = DhGenKeyPair(ssl, dhKey,
                    (byte*)kse->privKey, &kse->keyLen, /* private */
                    kse->pubKey, &kse->pubKeyLen /* public */
                );
            #ifdef WOLFSSL_ASYNC_CRYPT
                /* Pending: keep kse->key alive for the completion; the
                 * zero-pad and release run on re-entry. */
                if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
                    return ret;
                }
            #endif
            }
        }
    }

    if (ret == 0) {
        /* NOTE(review): the subtractions below assume the generated lengths
         * never exceed pSz/pvtSz (the capacities passed in) - confirm against
         * DhGenKeyPair/wc_DhExportKeyPair. */
        if (pSz != kse->pubKeyLen) {
            /* Zero pad the front of the public key to match prime "p" size */
            XMEMMOVE(kse->pubKey + pSz - kse->pubKeyLen, kse->pubKey,
                kse->pubKeyLen);
            XMEMSET(kse->pubKey, 0, pSz - kse->pubKeyLen);
            kse->pubKeyLen = pSz;
        }

        if (pvtSz != kse->keyLen) {
            /* Zero pad the front of the private key */
            XMEMMOVE(kse->privKey + pvtSz - kse->keyLen, kse->privKey,
                kse->keyLen);
            XMEMSET(kse->privKey, 0, pvtSz - kse->keyLen);
            kse->keyLen = pvtSz;
        }

    #ifdef WOLFSSL_DEBUG_TLS
        /* Only the public value is ever logged. */
        WOLFSSL_MSG("Public DH Key");
        WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen);
    #endif
    }

    /* Always release the DH key to free up memory.
     * The DhKey will be setup again in TLSX_KeyShare_ProcessDh */
    if (dhKey != NULL) {
    #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
        defined(WC_ASYNC_ENABLE_DH)
        if (dhKey->nb != NULL) {
            XFREE(dhKey->nb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
            dhKey->nb = NULL;
        }
    #endif
        wc_FreeDhKey(dhKey);
    }
    XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_DH);
    kse->key = NULL;

    if (ret != 0) {
        /* Cleanup on error, otherwise data owned by key share entry */
        if (kse->privKey) {
            /* Scrub the private value before the buffer is returned to the
             * allocator. */
            ForceZero(kse->privKey, pvtSz);
            XFREE(kse->privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
            kse->privKey = NULL;
        }
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        kse->pubKey = NULL;
    }
#else
    /* DH not built: report rather than silently produce no share. */
    (void)ssl;
    (void)kse;

    ret = NOT_COMPILED_IN;
    WOLFSSL_ERROR_VERBOSE(ret);
#endif

    return ret;
}
8252
8253
/* Create a key share entry using X25519 parameters group.
 * Generates a key pair.
 *
 * On success kse->key keeps the initialised curve25519_key (which holds the
 * private scalar) and kse->pubKey the CURVE25519_KEYSIZE-byte little-endian
 * public key; both are owned by the entry. On failure both are released.
 *
 * ssl   The SSL/TLS object; ssl->rng seeds key generation.
 * kse   The key share entry object.
 * returns 0 on success, MEMORY_E on allocation failure, ECC_EXPORT_ERROR when
 * the public key cannot be exported, NOT_COMPILED_IN when Curve25519 is not
 * built, otherwise the wolfCrypt error.
 */
static int TLSX_KeyShare_GenX25519Key(WOLFSSL *ssl, KeyShareEntry* kse)
{
    int ret = 0;
#ifdef HAVE_CURVE25519
    /* Non-NULL on entry only when re-entering with an existing key object
     * (the generation block below is then skipped). */
    curve25519_key* key = (curve25519_key*)kse->key;

    if (kse->key == NULL) {
        /* Allocate a Curve25519 key to hold private key. */
        kse->key = (curve25519_key*)XMALLOC(sizeof(curve25519_key), ssl->heap,
                                                      DYNAMIC_TYPE_PRIVATE_KEY);
        /* Nothing of this call's to clean up yet. */
        if (kse->key == NULL) {
            WOLFSSL_MSG("GenX25519Key memory error");
            return MEMORY_E;
        }

        /* Make an Curve25519 key. */
        ret = wc_curve25519_init_ex((curve25519_key*)kse->key, ssl->heap,
            ssl->devId);
        if (ret == 0) {
            /* setting "key" means okay to call wc_curve25519_free */
            key = (curve25519_key*)kse->key;
            kse->keyLen = CURVE25519_KEYSIZE;
        }
    #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
        defined(WC_ASYNC_ENABLE_X25519)
        /* Only set non-blocking context when async device is active. With
         * INVALID_DEVID there is no async loop to retry on FP_WOULDBLOCK, so
         * skip non-blocking setup and use blocking mode instead. */
        if (ret == 0 && ssl->devId != INVALID_DEVID) {
            x25519_nb_ctx_t* nb_ctx = (x25519_nb_ctx_t*)XMALLOC(
                sizeof(x25519_nb_ctx_t), ssl->heap,
                DYNAMIC_TYPE_TMP_BUFFER);
            if (nb_ctx == NULL) {
                ret = MEMORY_E;
            }
            else {
                /* On success key->nb_ctx owns nb_ctx; freed on the error path
                 * below. */
                ret = wc_curve25519_set_nonblock(key, nb_ctx);
                if (ret != 0) {
                    XFREE(nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
                }
            }
        }
    #endif /* WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
              WC_ASYNC_ENABLE_X25519 */
        if (ret == 0) {
        #ifdef WOLFSSL_STATIC_EPHEMERAL
            ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_CURVE25519, kse->key);
            if (ret != 0) /* on failure, fallback to local key generation */
        #endif
            {
            #ifdef WOLFSSL_ASYNC_CRYPT
                /* initialize event */
                ret = wolfSSL_AsyncInit(ssl, &key->asyncDev,
                    WC_ASYNC_FLAG_NONE);
                /* NOTE(review): returns before the error cleanup at the end,
                 * leaving kse->key allocated and initialised - presumably
                 * released with the entry; confirm. */
                if (ret != 0)
                    return ret;
            #endif
                ret = wc_curve25519_make_key(ssl->rng, CURVE25519_KEYSIZE, key);

                /* Handle async pending response */
            #ifdef WOLFSSL_ASYNC_CRYPT
                /* Pending: key object intentionally kept alive for the
                 * completion. */
                if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
                    return wolfSSL_AsyncPush(ssl, &key->asyncDev);
                }
            #endif /* WOLFSSL_ASYNC_CRYPT */
            }
        }
    }

    if (ret == 0 && kse->pubKey == NULL) {
        /* Allocate space for the public key. */
        kse->pubKey = (byte*)XMALLOC(CURVE25519_KEYSIZE, ssl->heap,
                                                       DYNAMIC_TYPE_PUBLIC_KEY);
        if (kse->pubKey == NULL) {
            WOLFSSL_MSG("GenX25519Key pub memory error");
            ret = MEMORY_E;
        }
    }

    if (ret == 0) {
        /* Export Curve25519 public key. */
        /* pubKeyLen is in/out for the export call; it is forced back to the
         * fixed size afterwards regardless of what the export reported. */
        kse->pubKeyLen = CURVE25519_KEYSIZE;
        if (wc_curve25519_export_public_ex(key, kse->pubKey, &kse->pubKeyLen,
                                                  EC25519_LITTLE_ENDIAN) != 0) {
            ret = ECC_EXPORT_ERROR;
            WOLFSSL_ERROR_VERBOSE(ret);
        }
        kse->pubKeyLen = CURVE25519_KEYSIZE; /* always CURVE25519_KEYSIZE */
    }

#ifdef WOLFSSL_DEBUG_TLS
    /* Only the public key is ever logged. */
    if (ret == 0) {
        WOLFSSL_MSG("Public Curve25519 Key");
        WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen);
    }
#endif

    if (ret != 0) {
        /* Data owned by key share entry otherwise. */
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        kse->pubKey = NULL;
        /* key is NULL when init failed, so the object is freed but not
         * wc_curve25519_free'd. */
        if (key != NULL) {
        #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW)
            if (key->nb_ctx != NULL) {
                XFREE(key->nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
            }
        #endif
            wc_curve25519_free(key);
        }
        XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
        kse->key = NULL;
    }
#else
    /* Curve25519 not built: report rather than silently produce no share. */
    (void)ssl;
    (void)kse;

    ret = NOT_COMPILED_IN;
    WOLFSSL_ERROR_VERBOSE(ret);
#endif /* HAVE_CURVE25519 */

    return ret;
}
8382
8383
/* Create a key share entry using X448 parameters group.
 * Generates a key pair.
 *
 * On success kse->key keeps the initialised curve448_key (which holds the
 * private scalar) and kse->pubKey the CURVE448_KEY_SIZE-byte little-endian
 * public key; both are owned by the entry. On failure both are released.
 * Unlike the X25519 path, the key is initialised with wc_curve448_init
 * (no heap/devId) and there is no async or non-blocking handling here.
 *
 * ssl   The SSL/TLS object; ssl->rng seeds key generation.
 * kse   The key share entry object.
 * returns 0 on success, MEMORY_E on allocation failure, ECC_EXPORT_ERROR when
 * the public key cannot be exported, NOT_COMPILED_IN when Curve448 is not
 * built, otherwise the wolfCrypt error.
 */
static int TLSX_KeyShare_GenX448Key(WOLFSSL *ssl, KeyShareEntry* kse)
{
    int ret = 0;
#ifdef HAVE_CURVE448
    /* Non-NULL on entry only when called with an existing key object
     * (the generation block below is then skipped). */
    curve448_key* key = (curve448_key*)kse->key;

    if (kse->key == NULL) {
        /* Allocate a Curve448 key to hold private key. */
        kse->key = (curve448_key*)XMALLOC(sizeof(curve448_key), ssl->heap,
                                                      DYNAMIC_TYPE_PRIVATE_KEY);
        /* Nothing of this call's to clean up yet. */
        if (kse->key == NULL) {
            WOLFSSL_MSG("GenX448Key memory error");
            return MEMORY_E;
        }

        /* Make an Curve448 key. */
        ret = wc_curve448_init((curve448_key*)kse->key);
        if (ret == 0) {
            /* setting "key" means okay to call wc_curve448_free */
            key = (curve448_key*)kse->key;
            kse->keyLen = CURVE448_KEY_SIZE;

            #ifdef WOLFSSL_STATIC_EPHEMERAL
            /* Prefer a preloaded static ephemeral key; fall back to fresh
             * generation when none is available. */
            ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_CURVE448, kse->key);
            if (ret != 0)
        #endif
            {
                ret = wc_curve448_make_key(ssl->rng, CURVE448_KEY_SIZE, key);
            }
        }
    }

    if (ret == 0 && kse->pubKey == NULL) {
        /* Allocate space for the public key. */
        kse->pubKey = (byte*)XMALLOC(CURVE448_KEY_SIZE, ssl->heap,
                                                       DYNAMIC_TYPE_PUBLIC_KEY);
        if (kse->pubKey == NULL) {
            WOLFSSL_MSG("GenX448Key pub memory error");
            ret = MEMORY_E;
        }
    }

    if (ret == 0) {
        /* Export Curve448 public key. */
        /* pubKeyLen is in/out for the export call; it is forced back to the
         * fixed size afterwards regardless of what the export reported. */
        kse->pubKeyLen = CURVE448_KEY_SIZE;
        if (wc_curve448_export_public_ex(key, kse->pubKey, &kse->pubKeyLen,
                                                    EC448_LITTLE_ENDIAN) != 0) {
            /* NOTE(review): not traced with WOLFSSL_ERROR_VERBOSE, unlike the
             * X25519 and ECC export failures. */
            ret = ECC_EXPORT_ERROR;
        }
        kse->pubKeyLen = CURVE448_KEY_SIZE; /* always CURVE448_KEY_SIZE */
    }

#ifdef WOLFSSL_DEBUG_TLS
    /* Only the public key is ever logged. */
    if (ret == 0) {
        WOLFSSL_MSG("Public Curve448 Key");
        WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen);
    }
#endif

    if (ret != 0) {
        /* Data owned by key share entry otherwise. */
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        kse->pubKey = NULL;
        /* key is NULL when init failed, so the object is freed but not
         * wc_curve448_free'd. */
        if (key != NULL)
            wc_curve448_free(key);
        XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
        kse->key = NULL;
    }
#else
    /* Curve448 not built: report rather than silently produce no share. */
    (void)ssl;
    (void)kse;

    ret = NOT_COMPILED_IN;
    WOLFSSL_ERROR_VERBOSE(ret);
#endif /* HAVE_CURVE448 */

    return ret;
}
8467
8468
/* Create a key share entry using named elliptic curve parameters group.
 * Generates a key pair.
 *
 * On success kse->key keeps the initialised ecc_key (which holds the private
 * scalar) and kse->pubKey the X9.63-exported public point of kse->pubKeyLen
 * bytes; both are owned by the entry. On failure both are released.
 *
 * ssl   The SSL/TLS object.
 * kse   The key share entry object; kse->group selects the curve.
 * returns 0 on success, BAD_FUNC_ARG for an unsupported group, MEMORY_E on
 * allocation failure, ECC_EXPORT_ERROR when the public key cannot be
 * exported, NOT_COMPILED_IN when ECC export is not built, otherwise the
 * wolfCrypt error.
 */
static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse)
{
    int ret = 0;
#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
    word32 keySize = 0;
    word16 curveId = (word16) ECC_CURVE_INVALID;
    /* Non-NULL on entry only when re-entering with an existing key object
     * (the generation block below is then skipped). */
    ecc_key* eccKey = (ecc_key*)kse->key;

    /* Translate named group to a curve id. */
    /* Groups below the build's ECC_MIN_KEY_SZ are compiled out and so fall
     * into default, which rejects them. */
    switch (kse->group) {
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP256R1:
            curveId = ECC_SECP256R1;
            break;
        #endif /* !NO_ECC_SECP */
        #ifdef WOLFSSL_SM2
        case WOLFSSL_ECC_SM2P256V1:
            curveId = ECC_SM2P256V1;
            break;
        #endif /* !WOLFSSL_SM2 */
        #ifdef HAVE_ECC_BRAINPOOL
        case WOLFSSL_ECC_BRAINPOOLP256R1TLS13:
            curveId = ECC_BRAINPOOLP256R1;
            break;
        #endif /* HAVE_ECC_BRAINPOOL */
    #endif
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP384R1:
            curveId = ECC_SECP384R1;
            break;
        #endif /* !NO_ECC_SECP */
        #ifdef HAVE_ECC_BRAINPOOL
        case WOLFSSL_ECC_BRAINPOOLP384R1TLS13:
            curveId = ECC_BRAINPOOLP384R1;
            break;
        #endif /* HAVE_ECC_BRAINPOOL */
    #endif
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
        #ifdef HAVE_ECC_BRAINPOOL
        case WOLFSSL_ECC_BRAINPOOLP512R1TLS13:
            curveId = ECC_BRAINPOOLP512R1;
            break;
        #endif /* HAVE_ECC_BRAINPOOL */
    #endif
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP521R1:
            curveId = ECC_SECP521R1;
            break;
        #endif /* !NO_ECC_SECP */
    #endif
        default:
            /* Nothing allocated yet, safe to bail. */
            WOLFSSL_ERROR_VERBOSE(BAD_FUNC_ARG);
            return BAD_FUNC_ARG;
    }

    {
        /* Curve size in bytes; negative is a wolfCrypt error code. */
        int size = wc_ecc_get_curve_size_from_id(curveId);
        if (size < 0) {
            WOLFSSL_ERROR_VERBOSE(size);
            return size;
        }
        keySize = (word32)size;
    }

    if (kse->key == NULL) {
        /* Allocate an ECC key to hold private key. */
        kse->key = (byte*)XMALLOC(sizeof(ecc_key), ssl->heap, DYNAMIC_TYPE_ECC);
        /* Nothing of this call's to clean up yet. */
        if (kse->key == NULL) {
            WOLFSSL_MSG_EX("Failed to allocate %d bytes, ssl->heap: %p",
                           (int)sizeof(ecc_key), (wc_ptr_t)ssl->heap);
            WOLFSSL_MSG("EccTempKey Memory error!");
            return MEMORY_E;
        }

        /* Initialize an ECC key struct for the ephemeral key */
        ret = wc_ecc_init_ex((ecc_key*)kse->key, ssl->heap, ssl->devId);

    #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
        defined(WC_ASYNC_ENABLE_ECC)
        /* Only set non-blocking context when async device is active. With
         * INVALID_DEVID there is no async loop to retry on FP_WOULDBLOCK, so
         * skip non-blocking setup and use blocking mode instead. */
        if (ret == 0 && ssl->devId != INVALID_DEVID) {
            ecc_nb_ctx_t* eccNbCtx = (ecc_nb_ctx_t*)XMALLOC(
                sizeof(ecc_nb_ctx_t), ssl->heap,
                DYNAMIC_TYPE_TMP_BUFFER);
            if (eccNbCtx == NULL) {
                ret = MEMORY_E;
            }
            else {
                /* On success eccKey->nb_ctx owns eccNbCtx; freed on the error
                 * path below. */
                ret = wc_ecc_set_nonblock((ecc_key*)kse->key, eccNbCtx);
                if (ret != 0) {
                    XFREE(eccNbCtx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
                }
            }
        }
    #endif /* WC_ECC_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
              WC_ASYNC_ENABLE_ECC */

        if (ret == 0) {
            /* Buffer size for the X9.63 export below (point prefix byte plus
             * two coordinates of keySize bytes). */
            kse->keyLen = keySize;
            kse->pubKeyLen = keySize * 2 + 1;

        #if defined(WOLFSSL_RENESAS_TSIP_TLS)
            /* Hardware path handles the whole key pair; only fall through to
             * software when it reports itself unavailable. */
            ret = tsip_Tls13GenEccKeyPair(ssl, kse);
            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
                return ret;
            }
        #endif
            /* setting eccKey means okay to call wc_ecc_free */
            eccKey = (ecc_key*)kse->key;

        #ifdef WOLFSSL_STATIC_EPHEMERAL
            /* Use a preloaded static ephemeral key only when it is on the
             * requested curve; otherwise generate. */
            ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_ECDH, kse->key);
            if (ret != 0 || eccKey->dp->id != curveId)
        #endif
            {
                /* set curve info for EccMakeKey "peer" info */
                ret = wc_ecc_set_curve(eccKey, (int)kse->keyLen, curveId);
                if (ret == 0) {
            #ifdef WOLFSSL_ASYNC_CRYPT
                    /* Detect when private key generation is done */
                    if (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E) &&
                            eccKey->type == ECC_PRIVATEKEY) {
                        ret = 0; /* ECC Key Generation is done */
                    }
                    else
            #endif
                    {
                        /* Generate ephemeral ECC key */
                        /* For async this is called once and when event is done, the
                        *   provided buffers in key be populated.
                        * Final processing is x963 key export below. */
                        ret = EccMakeKey(ssl, eccKey, eccKey);
                    }
                }
            #ifdef WOLFSSL_ASYNC_CRYPT
                /* Pending: key object intentionally kept alive for the
                 * completion. */
                if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
                    return ret;
            #endif
            }
        }
    }

    if (ret == 0 && kse->pubKey == NULL) {
        /* Allocate space for the public key */
        kse->pubKey = (byte*)XMALLOC(kse->pubKeyLen, ssl->heap,
            DYNAMIC_TYPE_PUBLIC_KEY);
        if (kse->pubKey == NULL) {
            WOLFSSL_MSG("Key data Memory error");
            ret = MEMORY_E;
        }
    }

    if (ret == 0) {
        XMEMSET(kse->pubKey, 0, kse->pubKeyLen);

        /* Export public key. */
        /* pubKeyLen is in/out: capacity going in, bytes written coming out. */
        PRIVATE_KEY_UNLOCK();
        if (wc_ecc_export_x963(eccKey, kse->pubKey, &kse->pubKeyLen) != 0) {
            ret = ECC_EXPORT_ERROR;
            WOLFSSL_ERROR_VERBOSE(ret);
        }
        PRIVATE_KEY_LOCK();
    }
#ifdef WOLFSSL_DEBUG_TLS
    /* Only the public key is ever logged. */
    if (ret == 0) {
        WOLFSSL_MSG("Public ECC Key");
        WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen);
    }
#endif

    if (ret != 0) {
        /* Cleanup on error, otherwise data owned by key share entry */
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        kse->pubKey = NULL;
        /* eccKey is NULL when init failed, so the object is freed but not
         * wc_ecc_free'd. */
        if (eccKey != NULL) {
    #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
        defined(WC_ASYNC_ENABLE_ECC)
            if (eccKey->nb_ctx != NULL) {
                XFREE(eccKey->nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
            }
    #endif
            wc_ecc_free(eccKey);
        }
        /* NOTE(review): allocated above with DYNAMIC_TYPE_ECC but released
         * with DYNAMIC_TYPE_PRIVATE_KEY; harmless unless the allocator tracks
         * by type - confirm. */
        XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
        kse->key = NULL;
    }
#else
    /* ECC export not built: report rather than silently produce no share. */
    (void)ssl;
    (void)kse;

    ret = NOT_COMPILED_IN;
    WOLFSSL_ERROR_VERBOSE(ret);
#endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */

    return ret;
}
8676
8677
#ifdef WOLFSSL_HAVE_MLKEM
8678
#if (defined(WOLFSSL_MLKEM_CACHE_A) || \
8679
    (defined(HAVE_PKCS11) && !defined(NO_PKCS11_MLKEM))) && \
8680
    !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY)
8681
    /* Store MlKemKey object rather than private key bytes in key share entry.
8682
     * Improves performance at cost of more dynamic memory being used. */
8683
    #define WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
8684
#endif
8685
#if defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY) && \
8686
    defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ)
8687
    #error "Choose WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY or "
8688
           "WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ"
8689
#endif
8690
8691
#if (!defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
8692
     !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)) || \
8693
    !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) || \
8694
    (!defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
8695
     !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ))
8696
/* Map a TLS named group id for ML-KEM/Kyber to the wolfCrypt KEM type.
 *
 * id    The TLS named group id (WOLFSSL_ML_KEM_* or WOLFSSL_KYBER_LEVEL*).
 * type  Receives the matching WC_ML_KEM_* / KYBER* value. Left untouched
 *       when the id is not recognised, so callers must check the return
 *       before using it.
 * returns 0 when mapped, NOT_COMPILED_IN for an id not enabled in this
 * build.
 */
static int mlkem_id2type(int id, int *type)
{
    switch (id) {
#ifndef WOLFSSL_NO_ML_KEM
    #ifndef WOLFSSL_NO_ML_KEM_512
        case WOLFSSL_ML_KEM_512:
            *type = WC_ML_KEM_512;
            return 0;
    #endif
    #ifndef WOLFSSL_NO_ML_KEM_768
        case WOLFSSL_ML_KEM_768:
            *type = WC_ML_KEM_768;
            return 0;
    #endif
    #ifndef WOLFSSL_NO_ML_KEM_1024
        case WOLFSSL_ML_KEM_1024:
            *type = WC_ML_KEM_1024;
            return 0;
    #endif
#endif
#ifdef WOLFSSL_MLKEM_KYBER
    #ifdef WOLFSSL_KYBER512
        case WOLFSSL_KYBER_LEVEL1:
            *type = KYBER512;
            return 0;
    #endif
    #ifdef WOLFSSL_KYBER768
        case WOLFSSL_KYBER_LEVEL3:
            *type = KYBER768;
            return 0;
    #endif
    #ifdef WOLFSSL_KYBER1024
        case WOLFSSL_KYBER_LEVEL5:
            *type = KYBER1024;
            return 0;
    #endif
#endif
        default:
            break;
    }

    /* No enabled variant matched the requested group. */
    return NOT_COMPILED_IN;
}
8742
#endif
8743
8744
#if defined(WOLFSSL_NO_ML_KEM_768) && defined(WOLFSSL_NO_ML_KEM_1024) && \
8745
    defined(WOLFSSL_PQC_HYBRIDS)
8746
    #error "PQC hybrid combinations require either ML-KEM 768 or ML-KEM 1024"
8747
#endif
8748
8749
/* Structures and objects needed for hybrid key exchanges using both classic
 * ECDHE and PQC KEM key material.
 *
 * One row per supported hybrid named group:
 *   hybrid     TLS named group identifier of the hybrid combination.
 *   ecc        Named group of the classic (ECDHE / X25519 / X448) half.
 *   pqc        Named group of the ML-KEM / Kyber half.
 *   pqc_first  Byte order of the concatenated key share and shared secret:
 *              1 = KEM material first, then classic; 0 = classic first.
 *              The X25519/X448 + ML-KEM rows use KEM-first ordering, the
 *              NIST-curve rows and all Kyber rows use classic-first.
 * The list is terminated by an all-zero sentinel row (hybrid == 0), which
 * findEccPqc() relies on. */
typedef struct PqcHybridMapping {
    int hybrid;
    int ecc;
    int pqc;
    int pqc_first;
} PqcHybridMapping;

/* Which rows exist depends on the build: WOLFSSL_PQC_HYBRIDS selects the
 * ML-KEM 768/1024 combinations, WOLFSSL_EXTRA_PQC_HYBRIDS adds the remaining
 * ML-KEM sizes (plus legacy codepoints with WOLFSSL_ML_KEM_USE_OLD_IDS), and
 * WOLFSSL_MLKEM_KYBER keeps the pre-standard Kyber combinations. */
static const PqcHybridMapping pqc_hybrid_mapping[] = {
#ifndef WOLFSSL_NO_ML_KEM
#ifdef WOLFSSL_PQC_HYBRIDS
    {WOLFSSL_SECP256R1MLKEM768, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_768, 0},
    {WOLFSSL_SECP384R1MLKEM1024, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_1024, 0},
#endif /* WOLFSSL_PQC_HYBRIDS */
#ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
    {WOLFSSL_SECP256R1MLKEM512, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_512, 0},
    {WOLFSSL_SECP384R1MLKEM768, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_768, 0},
    {WOLFSSL_SECP521R1MLKEM1024, WOLFSSL_ECC_SECP521R1, WOLFSSL_ML_KEM_1024, 0},
#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
    /* Legacy codepoints kept for interop with older peers only. */
    {WOLFSSL_P256_ML_KEM_512_OLD, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_512, 0},
    {WOLFSSL_P384_ML_KEM_768_OLD, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_768, 0},
    {WOLFSSL_P521_ML_KEM_1024_OLD, WOLFSSL_ECC_SECP521R1, WOLFSSL_ML_KEM_1024, 0},
#endif /* WOLFSSL_ML_KEM_USE_OLD_IDS */
#endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
#ifdef HAVE_CURVE25519
#ifdef WOLFSSL_PQC_HYBRIDS
    /* KEM share is placed before the X25519 share (pqc_first = 1). */
    {WOLFSSL_X25519MLKEM768, WOLFSSL_ECC_X25519, WOLFSSL_ML_KEM_768, 1},
#endif /* WOLFSSL_PQC_HYBRIDS */
#ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
    {WOLFSSL_X25519MLKEM512, WOLFSSL_ECC_X25519, WOLFSSL_ML_KEM_512, 1},
#endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
#endif /* HAVE_CURVE25519 */
#ifdef HAVE_CURVE448
#ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
    {WOLFSSL_X448MLKEM768, WOLFSSL_ECC_X448, WOLFSSL_ML_KEM_768, 1},
#endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
#endif /* HAVE_CURVE448 */
#endif /* WOLFSSL_NO_ML_KEM */
#ifdef WOLFSSL_MLKEM_KYBER
    /* Pre-standard Kyber combinations: always classic-first. */
    {WOLFSSL_P256_KYBER_LEVEL1, WOLFSSL_ECC_SECP256R1, WOLFSSL_KYBER_LEVEL1, 0},
    {WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_ECC_SECP384R1, WOLFSSL_KYBER_LEVEL3, 0},
    {WOLFSSL_P256_KYBER_LEVEL3, WOLFSSL_ECC_SECP256R1, WOLFSSL_KYBER_LEVEL3, 0},
    {WOLFSSL_P521_KYBER_LEVEL5, WOLFSSL_ECC_SECP521R1, WOLFSSL_KYBER_LEVEL5, 0},
#ifdef HAVE_CURVE25519
    {WOLFSSL_X25519_KYBER_LEVEL1, WOLFSSL_ECC_X25519, WOLFSSL_KYBER_LEVEL1, 0},
    {WOLFSSL_X25519_KYBER_LEVEL3, WOLFSSL_ECC_X25519, WOLFSSL_KYBER_LEVEL3, 0},
#endif
#ifdef HAVE_CURVE448
    {WOLFSSL_X448_KYBER_LEVEL3, WOLFSSL_ECC_X448, WOLFSSL_KYBER_LEVEL3, 0},
#endif
#endif /* WOLFSSL_MLKEM_KYBER */
    /* Sentinel: terminates the table for findEccPqc(). */
    {0, 0, 0, 0}
};
8803
8804
/* Map an ecc-pqc hybrid group into its ecc group and pqc kem group.
 *
 * Looks the hybrid named group up in pqc_hybrid_mapping. Every requested
 * output is always written: on a miss (or for a non-hybrid group) all of
 * them are set to 0, so callers can use "ecc == 0 || pqc == 0" as the
 * "unknown hybrid" test. Any output pointer may be NULL to skip it.
 *
 * ecc        Receives the classic named group, or 0.
 * pqc        Receives the KEM named group, or 0.
 * pqc_first  Receives 1 when KEM material precedes classic material in the
 *            concatenated share/secret, otherwise 0.
 * group      Hybrid named group identifier to resolve.
 */
static void findEccPqc(int *ecc, int *pqc, int *pqc_first, int group)
{
    const PqcHybridMapping* row = pqc_hybrid_mapping;
    int eccOut = 0;
    int pqcOut = 0;
    int firstOut = 0;

    /* The table ends with an all-zero sentinel row. */
    while (row->hybrid != 0) {
        if (row->hybrid == group) {
            eccOut = row->ecc;
            pqcOut = row->pqc;
            firstOut = row->pqc_first;
            break;
        }
        row++;
    }

    if (ecc != NULL)
        *ecc = eccOut;
    if (pqc != NULL)
        *pqc = pqcOut;
    if (pqc_first != NULL)
        *pqc_first = firstOut;
}
8828
8829
#if !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
8830
    !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
8831
/* Create a key share entry using pqc parameters group on the client side.
 * Generates a key pair.
 *
 * Called twice for the same entry (once while the key share is parsed, once
 * while the extension is populated); the second call is a no-op because
 * kse->pubKey is already set.
 *
 * Ownership on success: kse->pubKey/pubKeyLen hold the encoded public key.
 * The private half is kept either as encoded bytes in kse->privKey/privKeyLen
 * (default build) or as the MlKemKey object in kse->key
 * (WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ). On failure everything allocated here is
 * released again and encoded private key bytes are zeroized before the free.
 * Only the public key is ever written to the debug log.
 *
 * ssl   The SSL/TLS object.
 * kse   The key share entry object.
 * returns 0 on success, otherwise failure.
 */
static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse)
{
    int ret = 0;
    int type = 0;
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
        WC_DECLARE_VAR(kem, MlKemKey, 1, 0);
    byte* privKey = NULL;
    word32 privSz = 0;
#else
    MlKemKey* kem = NULL;
#endif

    /* This gets called twice. Once during parsing of the key share and once
     * during the population of the extension. No need to do work the second
     * time. Just return success if its already been done. */
    if (kse->pubKey != NULL) {
        return ret;
    }

    /* Get the type of key we need from the key share group. */
    ret = mlkem_id2type(kse->group, &type);
    if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) {
        /* An unknown/disabled group is a caller error, not a build error. */
        WOLFSSL_MSG("Invalid ML-KEM algorithm specified.");
        ret = BAD_FUNC_ARG;
    }

#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ

    #ifdef WOLFSSL_SMALL_STACK
    if (ret == 0) {
        kem = (MlKemKey *)XMALLOC(sizeof(*kem), ssl->heap,
                                  DYNAMIC_TYPE_PRIVATE_KEY);
        if (kem == NULL) {
            WOLFSSL_MSG("KEM memory allocation failure");
            ret = MEMORY_ERROR;
        }
    }
    #endif /* WOLFSSL_SMALL_STACK */

    if (ret == 0) {
        ret = wc_MlKemKey_Init(kem, type, ssl->heap, ssl->devId);
        if (ret != 0) {
            WOLFSSL_MSG("Failed to initialize ML-KEM Key.");
        }
    }

    /* Sizes come from the initialised key so they match the selected
     * parameter set rather than a hard-coded maximum. */
    if (ret == 0) {
        ret = wc_MlKemKey_PrivateKeySize(kem, &privSz);
    }
    if (ret == 0) {
        ret = wc_MlKemKey_PublicKeySize(kem, &kse->pubKeyLen);
    }

    if (ret == 0) {
        privKey = (byte*)XMALLOC(privSz, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
        if (privKey == NULL) {
            WOLFSSL_MSG("privkey memory allocation failure");
            ret = MEMORY_ERROR;
        }
    }
#else
    if (ret == 0) {
        /* Allocate an ML-KEM key to hold private key. */
        kem = (MlKemKey*)XMALLOC(sizeof(MlKemKey), ssl->heap,
                                 DYNAMIC_TYPE_PRIVATE_KEY);
        if (kem == NULL) {
            WOLFSSL_MSG("KEM memory allocation failure");
            ret = MEMORY_ERROR;
        }
    }
    if (ret == 0) {
        ret = wc_MlKemKey_Init(kem, type, ssl->heap, ssl->devId);
        if (ret != 0) {
            WOLFSSL_MSG("Failed to initialize ML-KEM Key.");
        }
    }
    if (ret == 0) {
        ret = wc_MlKemKey_PublicKeySize(kem, &kse->pubKeyLen);
    }
#endif

    if (ret == 0) {
        kse->pubKey = (byte*)XMALLOC(kse->pubKeyLen, ssl->heap,
                                     DYNAMIC_TYPE_PUBLIC_KEY);
        if (kse->pubKey == NULL) {
            WOLFSSL_MSG("pubkey memory allocation failure");
            ret = MEMORY_ERROR;
        }
    }

    /* Key generation draws from the connection's RNG. */
    if (ret == 0) {
        ret = wc_MlKemKey_MakeKey(kem, ssl->rng);
        if (ret != 0) {
            WOLFSSL_MSG("ML-KEM keygen failure");
        }
    }
    if (ret == 0) {
        ret = wc_MlKemKey_EncodePublicKey(kem, kse->pubKey,
                                          kse->pubKeyLen);
    }

#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
    if (ret == 0) {
        /* Private key export is gated; unlock only around the encode call.
         * NOTE(review): the exact semantics of PRIVATE_KEY_UNLOCK/LOCK are
         * defined elsewhere (FIPS boundary gating) - confirm. */
        PRIVATE_KEY_UNLOCK();
        ret = wc_MlKemKey_EncodePrivateKey(kem, privKey, privSz);
        PRIVATE_KEY_LOCK();
    }
#endif

#ifdef WOLFSSL_DEBUG_TLS
    /* Public material only; the private key is never logged. */
    WOLFSSL_MSG("Public ML-KEM Key");
    WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen );
#endif

    if (ret != 0) {
        /* Data owned by key share entry otherwise. */
        /* NOTE(review): in the non-SMALL_STACK, non-STORE_OBJ build `kem` is a
         * stack object that is only initialised once mlkem_id2type() has
         * succeeded; this free also runs when it has not - confirm
         * wc_MlKemKey_Free() tolerates an uninitialised key. */
        wc_MlKemKey_Free(kem);
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        kse->pubKey = NULL;
    #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
        if (privKey) {
            /* Scrub whatever was encoded before releasing the buffer. */
            ForceZero(privKey, privSz);
            XFREE(privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
            privKey = NULL;
        }
    #else
        XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
        kse->key = NULL;
    #endif
    }
    else {
    #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
        /* The key object is no longer needed: only the encoded private key
         * bytes survive, and they are released by TLSX_KeyShare_FreeAll. */
        wc_MlKemKey_Free(kem);
        kse->privKey = (byte*)privKey;
        kse->privKeyLen = privSz;
    #else
        /* Entry takes ownership of the MlKemKey object. */
        kse->key = kem;
    #endif
    }

    #if !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ) && \
        defined(WOLFSSL_SMALL_STACK)
    XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
    #endif

    return ret;
}
8985
8986
/* Create a key share entry using both ecdhe and pqc parameters groups.
 * Generates two key pairs on the client side.
 *
 * Two temporary KeyShareEntry objects are used so the existing single-group
 * generators can be reused unchanged. Their results are then moved into kse:
 *   kse->pubKey   concatenation of both public keys, order given by the
 *                 pqc_first flag of the hybrid mapping.
 *   kse->key      classic key object (ecc_key / curve25519_key /
 *                 curve448_key).
 *   kse->privKey  ML-KEM private key: encoded bytes (default) or a pointer to
 *                 the MlKemKey object (WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ, with
 *                 privKeyLen == 0).
 * Moved pointers are NULLed in the temporaries before those are released via
 * TLSX_KeyShare_FreeAll, which also zeroizes any private key bytes still
 * owned by a temporary on the error path.
 *
 * ssl   The SSL/TLS object.
 * kse   The key share entry object.
 * returns 0 on success, otherwise failure.
 */
static int TLSX_KeyShare_GenPqcHybridKeyClient(WOLFSSL *ssl, KeyShareEntry* kse)
{
    int ret = 0;
    KeyShareEntry *ecc_kse = NULL;
    KeyShareEntry *pqc_kse = NULL;
    int pqc_group = 0;
    int ecc_group = 0;
    int pqc_first = 0;

    /* This gets called twice. Once during parsing of the key share and once
     * during the population of the extension. No need to do work the second
     * time. Just return success if its already been done. */
    if (kse->pubKey != NULL) {
        return ret;
    }

    /* Determine the ECC and PQC group of the hybrid combination */
    findEccPqc(&ecc_group, &pqc_group, &pqc_first, kse->group);
    if (ecc_group == 0 || pqc_group == 0) {
        WOLFSSL_MSG("Invalid hybrid group");
        ret = BAD_FUNC_ARG;
    }

    /* Temporaries are zero-filled so FreeAll sees NULL for anything that was
     * never allocated or was moved out. */
    if (ret == 0) {
        ecc_kse = (KeyShareEntry*)XMALLOC(sizeof(*ecc_kse), ssl->heap,
                   DYNAMIC_TYPE_TLSX);
        if (ecc_kse == NULL) {
            WOLFSSL_MSG("kse memory allocation failure");
            ret = MEMORY_ERROR;
        }
        else {
            XMEMSET(ecc_kse, 0, sizeof(*ecc_kse));
        }
    }
    if (ret == 0) {
        pqc_kse = (KeyShareEntry*)XMALLOC(sizeof(*pqc_kse), ssl->heap,
                   DYNAMIC_TYPE_TLSX);
        if (pqc_kse == NULL) {
            WOLFSSL_MSG("kse memory allocation failure");
            ret = MEMORY_ERROR;
        }
        else {
            XMEMSET(pqc_kse, 0, sizeof(*pqc_kse));
        }
    }

    /* Generate ECC key share part */
    if (ret == 0) {
        ecc_kse->group = ecc_group;

    #ifdef WOLFSSL_ASYNC_CRYPT
        /* Check if the provided kse already contains an ECC key and the
         * last error was WC_PENDING_E. In this case, we already tried to
         * generate an ECC key. Hence, we have to restore it. */
        /* NOTE(review): only the key object and lengths are carried across a
         * pending retry; whether the classic generator also needs its pubKey
         * buffer restored depends on the generator's own pending handling,
         * which is not visible here - confirm. */
        if (kse->key != NULL && kse->keyLen > 0 &&
            kse->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            ecc_kse->key = kse->key;
            ecc_kse->keyLen = kse->keyLen;
            ecc_kse->pubKeyLen = kse->pubKeyLen;
            ecc_kse->lastRet = kse->lastRet;
            kse->key = NULL;
        }
    #endif

    #ifdef HAVE_CURVE25519
        if (ecc_group == WOLFSSL_ECC_X25519) {
            ret = TLSX_KeyShare_GenX25519Key(ssl, ecc_kse);
        }
        else
    #endif
    #ifdef HAVE_CURVE448
        if (ecc_group == WOLFSSL_ECC_X448) {
            ret = TLSX_KeyShare_GenX448Key(ssl, ecc_kse);
        }
        else
    #endif
        {
            ret = TLSX_KeyShare_GenEccKey(ssl, ecc_kse);
        }

    #ifdef WOLFSSL_ASYNC_CRYPT
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            /* Store the generated ECC key in the provided kse to later
             * restore it.*/
            kse->key = ecc_kse->key;
            kse->keyLen = ecc_kse->keyLen;
            kse->pubKeyLen = ecc_kse->pubKeyLen;
            ecc_kse->key = NULL;
        }
    #endif
    }

    /* Generate PQC key share part */
    if (ret == 0) {
        pqc_kse->group = pqc_group;
        ret = TLSX_KeyShare_GenPqcKeyClient(ssl, pqc_kse);
        /* No error message, TLSX_KeyShare_GenPqcKeyClient will do it. */
    }

    /* Allocate memory for combined public key */
    if (ret == 0) {
        kse->pubKey = (byte*)XMALLOC(ecc_kse->pubKeyLen + pqc_kse->pubKeyLen,
                                     ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        if (kse->pubKey == NULL) {
            WOLFSSL_MSG("pubkey memory allocation failure");
            ret = MEMORY_ERROR;
        }
    }

    /* Create combined public key. The order of classic/pqc key material is
     * indicated by the pqc_first variable. */
    if (ret == 0) {
        if (pqc_first) {
            XMEMCPY(kse->pubKey, pqc_kse->pubKey, pqc_kse->pubKeyLen);
            XMEMCPY(kse->pubKey + pqc_kse->pubKeyLen, ecc_kse->pubKey,
                    ecc_kse->pubKeyLen);
        }
        else {
            XMEMCPY(kse->pubKey, ecc_kse->pubKey, ecc_kse->pubKeyLen);
            XMEMCPY(kse->pubKey + ecc_kse->pubKeyLen, pqc_kse->pubKey,
                    pqc_kse->pubKeyLen);
        }
        kse->pubKeyLen = ecc_kse->pubKeyLen + pqc_kse->pubKeyLen;
    }

    /* Store the private keys.
     * Note we are saving the PQC private key and ECC private key
     * separately. That's because the ECC private key is not simply a
     * buffer. Its is an ecc_key struct. */
    if (ret == 0) {
    #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
        /* PQC private key is an encoded byte array */
        kse->privKey = pqc_kse->privKey;
        kse->privKeyLen = pqc_kse->privKeyLen;
        pqc_kse->privKey = NULL;
    #else
        /* PQC private key is a pointer to MlKemKey object */
        kse->privKey = (byte*)pqc_kse->key;
        kse->privKeyLen = 0;
        pqc_kse->key = NULL;
    #endif
        /* ECC private key is a pointer to ecc_key object */
        kse->key = ecc_kse->key;
        kse->keyLen = ecc_kse->keyLen;
        ecc_kse->key = NULL;
    }

#ifdef WOLFSSL_DEBUG_TLS
    /* Label is inherited from the pure ML-KEM path; the buffer dumped here is
     * the combined hybrid share (public material only). */
    WOLFSSL_MSG("Public ML-KEM Key");
    WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen );
#endif

    /* Releases whatever the temporaries still own: on success only the
     * sub public keys, on failure also any generated private material
     * (zeroized by FreeAll before the buffer is freed). */
    TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap);
    TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap);

    return ret;
}
9150
#endif /* !WOLFSSL_MLKEM_NO_MAKE_KEY && !WOLFSSL_MLKEM_NO_DECAPSULATE */
9151
#endif /* WOLFSSL_HAVE_MLKEM */
9152
9153
/* Generate a secret/key using the key share entry.
 *
 * Dispatches on kse->group to the per-group key pair generator. PQC and
 * hybrid groups are only recognised when ML-KEM key generation and
 * decapsulation are compiled in; otherwise they fall through to the ECC
 * generator like any other unrecognised group. With async crypto the result
 * is recorded in kse->lastRet so a WC_PENDING_E retry can be detected.
 *
 * ssl  The SSL/TLS object.
 * kse  The key share entry holding peer data.
 * returns 0 on success, otherwise failure (or WC_PENDING_E when async).
 */
int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse)
{
    int ret;
    const int group = kse->group;

    /* Named FFDHE groups have a bit set to identify them. */
    if (WOLFSSL_NAMED_GROUP_IS_FFDHE(group)) {
        ret = TLSX_KeyShare_GenDhKey(ssl, kse);
    }
    else if (group == WOLFSSL_ECC_X25519) {
        ret = TLSX_KeyShare_GenX25519Key(ssl, kse);
    }
    else if (group == WOLFSSL_ECC_X448) {
        ret = TLSX_KeyShare_GenX448Key(ssl, kse);
    }
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
    !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
    else if (WOLFSSL_NAMED_GROUP_IS_PQC(group)) {
        ret = TLSX_KeyShare_GenPqcKeyClient(ssl, kse);
    }
    else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(group)) {
        ret = TLSX_KeyShare_GenPqcHybridKeyClient(ssl, kse);
    }
#endif
    else {
        ret = TLSX_KeyShare_GenEccKey(ssl, kse);
    }

#ifdef WOLFSSL_ASYNC_CRYPT
    kse->lastRet = ret;
#endif
    return ret;
}
9182
9183
/* Free the key share dynamic data.
 *
 * Walks the list and releases every entry. Private key material held as raw
 * bytes (FFDHE private value, encoded ML-KEM private key) is zeroized with
 * ForceZero before its buffer is freed; key objects (DhKey, ecc_key,
 * curve25519_key, curve448_key, MlKemKey) are released through their
 * wolfCrypt free routine, which is relied on to clear their contents.
 *
 * How current->key and current->privKey are interpreted depends on the group:
 *   FFDHE        key = DhKey*, privKey = private value bytes
 *   X25519/X448  key = curve25519_key* / curve448_key*
 *   PQC          key = MlKemKey* (STORE_OBJ build), else privKey = bytes
 *   PQC hybrid   key = classic key object; privKey = MlKemKey*
 *                (STORE_OBJ build) or encoded bytes
 *   otherwise    key = ecc_key*
 * All free routines are called without NULL checks, so they are assumed to
 * tolerate NULL (XFREE does; the wc_*_free routines are not visible here).
 *
 * list  The linked list of key share entry objects.
 * heap  The heap used for allocation.
 */
static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
{
    KeyShareEntry* current;

    while ((current = list) != NULL) {
        list = current->next;
        if (WOLFSSL_NAMED_GROUP_IS_FFDHE(current->group)) {
#ifndef NO_DH
        #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
            defined(WC_ASYNC_ENABLE_DH)
            if (current->key != NULL &&
                    ((DhKey*)current->key)->nb != NULL) {
                XFREE(((DhKey*)current->key)->nb, heap,
                    DYNAMIC_TYPE_TMP_BUFFER);
                ((DhKey*)current->key)->nb = NULL;
            }
        #endif
            wc_FreeDhKey((DhKey*)current->key);
            /* NOTE(review): privKeyLen bytes are scrubbed here, whereas
             * TLSX_KeyShare_ProcessDh scrubs keyLen bytes of the same buffer;
             * confirm the DH generator sets both lengths consistently so the
             * whole private value is always cleared. */
            if (current->privKey != NULL && current->privKeyLen > 0) {
                ForceZero(current->privKey, current->privKeyLen);
            }
#endif
        }
        else if (current->group == WOLFSSL_ECC_X25519) {
#ifdef HAVE_CURVE25519
        #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW)
            if (current->key != NULL &&
                    ((curve25519_key*)current->key)->nb_ctx != NULL) {
                XFREE(((curve25519_key*)current->key)->nb_ctx, heap,
                    DYNAMIC_TYPE_TMP_BUFFER);
            }
        #endif
            wc_curve25519_free((curve25519_key*)current->key);
#endif
        }
        else if (current->group == WOLFSSL_ECC_X448) {
#ifdef HAVE_CURVE448
            wc_curve448_free((curve448_key*)current->key);
#endif
        }
        else if (WOLFSSL_NAMED_GROUP_IS_PQC(current->group)) {
#ifdef WOLFSSL_HAVE_MLKEM
            wc_MlKemKey_Free((MlKemKey*)current->key);
        #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
            /* Encoded ML-KEM private key: scrub before the XFREE below. */
            if (current->privKey != NULL) {
                ForceZero(current->privKey, current->privKeyLen);
            }
        #endif
#endif
        }
        else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(current->group)) {
#ifdef WOLFSSL_HAVE_MLKEM
            int ecc_group = 0;
            findEccPqc(&ecc_group, NULL, NULL, current->group);

            /* Free PQC private key */
        #ifdef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
            /* privKey carries the MlKemKey object itself; its storage was
             * allocated as DYNAMIC_TYPE_PRIVATE_KEY and is released by the
             * common XFREE(current->privKey) below. */
            wc_MlKemKey_Free((MlKemKey*)current->privKey);
        #else
            if (current->privKey != NULL) {
                ForceZero(current->privKey, current->privKeyLen);
            }
        #endif

            /* Free ECC private key */
            if (ecc_group == WOLFSSL_ECC_X25519) {
            #ifdef HAVE_CURVE25519
                wc_curve25519_free((curve25519_key*)current->key);
            #endif
            }
            else if (ecc_group == WOLFSSL_ECC_X448) {
            #ifdef HAVE_CURVE448
                wc_curve448_free((curve448_key*)current->key);
            #endif
            }
            else {
            #ifdef HAVE_ECC
                #if defined(WC_ECC_NONBLOCK) && \
                    defined(WOLFSSL_ASYNC_CRYPT_SW) && \
                    defined(WC_ASYNC_ENABLE_ECC)
                if (current->key != NULL &&
                        ((ecc_key*)current->key)->nb_ctx != NULL) {
                    XFREE(((ecc_key*)current->key)->nb_ctx, heap,
                        DYNAMIC_TYPE_TMP_BUFFER);
                }
                #endif
                wc_ecc_free((ecc_key*)current->key);
            #endif
            }
#endif
        }
        else {
#ifdef HAVE_ECC
        #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
            defined(WC_ASYNC_ENABLE_ECC)
            if (current->key != NULL &&
                    ((ecc_key*)current->key)->nb_ctx != NULL) {
                XFREE(((ecc_key*)current->key)->nb_ctx, heap,
                    DYNAMIC_TYPE_TMP_BUFFER);
            }
        #endif
            wc_ecc_free((ecc_key*)current->key);
#endif
        }
        /* NOTE(review): a DhKey created by TLSX_KeyShare_ProcessDh is tagged
         * DYNAMIC_TYPE_DH at allocation but released here as
         * DYNAMIC_TYPE_PRIVATE_KEY; this only affects memory-type accounting,
         * not correctness. */
        XFREE(current->key, heap, DYNAMIC_TYPE_PRIVATE_KEY);
    #if !defined(NO_DH) || defined(WOLFSSL_HAVE_MLKEM)
        XFREE(current->privKey, heap, DYNAMIC_TYPE_PRIVATE_KEY);
    #endif
        XFREE(current->pubKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
        /* ke is the peer's key exchange data received for this entry. */
        XFREE(current->ke, heap, DYNAMIC_TYPE_PUBLIC_KEY);
        XFREE(current, heap, DYNAMIC_TYPE_TLSX);
    }

    (void)heap;
}
9303
9304
/* Get the size of the encoded key share extension.
 *
 * HelloRetryRequest carries only the selected group (two bytes). A
 * ClientHello carries a two-byte list length followed by every entry; a
 * ServerHello carries only entries that actually have a public key, with no
 * list length. Each entry costs group id + two-byte length + public key.
 * The total is accumulated in a word16 because that is the width of the TLS
 * extension length field; the caller is expected to keep the list small
 * enough not to wrap it.
 *
 * list     The linked list of key share extensions.
 * msgType  The type of the message this extension is being written into.
 * returns the number of bytes of the encoded key share extension.
 */
static word16 TLSX_KeyShare_GetSize(KeyShareEntry* list, byte msgType)
{
    KeyShareEntry* entry;
    word16         total;

    /* The named group the server wants to use. */
    if (msgType == hello_retry_request) {
        return OPAQUE16_LEN;
    }

    /* Only the ClientHello prefixes the entries with a list length. */
    total = (msgType == client_hello) ? OPAQUE16_LEN : 0;

    for (entry = list; entry != NULL; entry = entry->next) {
        /* Outside the ClientHello, entries without a key are not written. */
        if (msgType != client_hello && entry->pubKey == NULL) {
            continue;
        }
        total = (word16)(total + KE_GROUP_LEN + OPAQUE16_LEN +
                         entry->pubKeyLen);
    }

    return total;
}
9334
9335
/* Writes the key share extension into the output buffer.
 * Assumes that the the output buffer is big enough to hold data, i.e. at
 * least TLSX_KeyShare_GetSize() bytes for the same list and message type.
 *
 * HelloRetryRequest: only the group of the first entry is written, so the
 * caller must pass a non-empty list for that message type. ClientHello: a
 * two-byte list length is reserved up front and patched in at the end.
 * ServerHello: entries without a public key are skipped and no list length
 * is written. Each entry's length is emitted as a word16, matching the wire
 * format; pubKeyLen is expected to fit.
 *
 * list     The linked list of key share entries.
 * output   The buffer to write into.
 * msgType  The type of the message this extension is being written into.
 * returns the number of bytes written into the buffer.
 */
static word16 TLSX_KeyShare_Write(KeyShareEntry* list, byte* output,
                                  byte msgType)
{
    const byte     isClientHello = (msgType == client_hello);
    KeyShareEntry* entry;
    word16         written = 0;

    if (msgType == hello_retry_request) {
        c16toa(list->group, output);
        return OPAQUE16_LEN;
    }

    /* ClientHello has a list but ServerHello is only the chosen. */
    if (isClientHello) {
        written = OPAQUE16_LEN;
    }

    for (entry = list; entry != NULL; entry = entry->next) {
        if (!isClientHello && entry->pubKey == NULL) {
            continue;
        }

        c16toa(entry->group, output + written);
        written += KE_GROUP_LEN;
        c16toa((word16)(entry->pubKeyLen), output + written);
        written += OPAQUE16_LEN;
        XMEMCPY(output + written, entry->pubKey, entry->pubKeyLen);
        written += (word16)entry->pubKeyLen;
    }

    /* Patch in the list length now that the entries are known. */
    if (isClientHello) {
        c16toa(written - OPAQUE16_LEN, output);
    }

    return written;
}
9379
9380
/* Process the DH key share extension on the client side.
 *
 * Input validation done here before any arithmetic:
 *   - the group must be one of the compiled-in named FFDHE groups,
 *   - the peer's key_exchange value must be exactly the size of the group's
 *     prime (RFC 8446 4.2.8.1 left-pads it with zeros), so truncated or
 *     oversized values are rejected with PEER_KEY_ERROR.
 * The range/subgroup validity of the peer's value (1 < y < p-1) is not
 * checked in this function; it is expected to be enforced inside DhAgree
 * (not visible here) - confirm when auditing.
 *
 * The derived secret is left-padded to the prime size (RFC 8446 7.4.1) so
 * preMasterSz is the same for every handshake regardless of leading zero
 * bytes. On completion (success or failure, but not on WC_PENDING_E) all key
 * material of the entry is released: the DH private value is zeroized before
 * it is freed, so the entry cannot be used for a second agreement.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
{
    int ret = 0;
#if !defined(NO_DH) && (!defined(NO_CERTS) || !defined(NO_PSK))
    word32 pSz = 0;
    DhKey* dhKey = (DhKey*)keyShareEntry->key;

#ifdef HAVE_PUBLIC_FFDHE
    /* Resolve the named group to its fixed parameters; anything else is
     * rejected below, so arbitrary peer-chosen parameters are never used. */
    const DhParams* params = NULL;
    switch (keyShareEntry->group) {
    #ifdef HAVE_FFDHE_2048
        case WOLFSSL_FFDHE_2048:
            params = wc_Dh_ffdhe2048_Get();
            break;
    #endif
    #ifdef HAVE_FFDHE_3072
        case WOLFSSL_FFDHE_3072:
            params = wc_Dh_ffdhe3072_Get();
            break;
    #endif
    #ifdef HAVE_FFDHE_4096
        case WOLFSSL_FFDHE_4096:
            params = wc_Dh_ffdhe4096_Get();
            break;
    #endif
    #ifdef HAVE_FFDHE_6144
        case WOLFSSL_FFDHE_6144:
            params = wc_Dh_ffdhe6144_Get();
            break;
    #endif
    #ifdef HAVE_FFDHE_8192
        case WOLFSSL_FFDHE_8192:
            params = wc_Dh_ffdhe8192_Get();
            break;
    #endif
        default:
            break;
    }
    if (params == NULL) {
        WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR);
        return PEER_KEY_ERROR;
    }
    pSz = params->p_len;
#else
    ret = wc_DhGetNamedKeyParamSize(keyShareEntry->group, &pSz, NULL, NULL);
    if (ret != 0 || pSz == 0) {
        WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR);
        return PEER_KEY_ERROR;
    }
#endif

    /* RFC 8446 Section 4.2.8.1: FFDHE key_exchange values are left-padded with
     * zeros to the size of the named-group prime. Reject any peer key share
     * whose byte length does not match the expected prime size. */
    if (keyShareEntry->keLen != pSz) {
        WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR);
        return PEER_KEY_ERROR;
    }

    /* if DhKey is not setup, do it now */
    if (keyShareEntry->key == NULL) {
        keyShareEntry->key = (DhKey*)XMALLOC(sizeof(DhKey), ssl->heap,
            DYNAMIC_TYPE_DH);
        if (keyShareEntry->key == NULL)
            return MEMORY_E;

        /* Setup Key */
        /* If init fails, dhKey stays NULL: the cleanup below then skips
         * wc_FreeDhKey but still releases the allocation. */
        ret = wc_InitDhKey_ex((DhKey*)keyShareEntry->key, ssl->heap, ssl->devId);
        if (ret == 0) {
            dhKey = (DhKey*)keyShareEntry->key;
        /* Set key */
        #ifdef HAVE_PUBLIC_FFDHE
            ret = wc_DhSetKey(dhKey, params->p, params->p_len, params->g,
                                                                params->g_len);
        #else
            ret = wc_DhSetNamedKey(dhKey, keyShareEntry->group);
        #endif
        }
    #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
        defined(WC_ASYNC_ENABLE_DH)
        /* Only set non-blocking context when async device is active. With
         * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so
         * skip non-blocking setup and use blocking mode instead. */
        if (ret == 0 && ssl->devId != INVALID_DEVID) {
            DhNb* dhNb = (DhNb*)XMALLOC(sizeof(DhNb), ssl->heap,
                                        DYNAMIC_TYPE_TMP_BUFFER);
            if (dhNb == NULL) {
                ret = MEMORY_E;
            }
            else {
                ret = wc_DhSetNonBlock((DhKey*)keyShareEntry->key, dhNb);
                if (ret != 0) {
                    XFREE(dhNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
                }
            }
        }
    #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
              WC_ASYNC_ENABLE_DH */
    }

    if (ret == 0
    #ifdef WOLFSSL_ASYNC_CRYPT
        && keyShareEntry->lastRet == 0 /* don't enter here if WC_PENDING_E */
    #endif
    ) {
    #ifdef WOLFSSL_DEBUG_TLS
        /* Peer's public value only; our private value is never logged. */
        WOLFSSL_MSG("Peer DH Key");
        WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
    #endif

        ssl->options.dhKeySz = (word16)pSz;

        /* Derive secret from private key and peer's public key. */
        /* NOTE(review): keyLen is used as the private value length here,
         * while TLSX_KeyShare_FreeAll uses privKeyLen for the same buffer;
         * confirm the DH generator sets both. */
        ret = DhAgree(ssl, dhKey,
            (const byte*)keyShareEntry->privKey, keyShareEntry->keyLen, /* our private */
            keyShareEntry->ke, keyShareEntry->keLen,                    /* peer's public key */
            ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz,    /* secret */
            NULL, 0
        );
    #ifdef WOLFSSL_ASYNC_CRYPT
        /* Still in flight: keep all key material for the retry. */
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            return ret;
        }
    #endif
    }

    /* RFC 8446 Section 7.4.1:
     *     ... left-padded with zeros up to the size of the prime. ...
     * Keeps the secret a fixed length regardless of leading zero bytes.
     */
    if (ret == 0 && (word32)ssl->options.dhKeySz > ssl->arrays->preMasterSz) {
        word32 diff = (word32)ssl->options.dhKeySz - ssl->arrays->preMasterSz;
        XMEMMOVE(ssl->arrays->preMasterSecret + diff,
                        ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
        XMEMSET(ssl->arrays->preMasterSecret, 0, diff);
        ssl->arrays->preMasterSz = ssl->options.dhKeySz;
    }

    /* done with key share, release resources */
    if (dhKey) {
    #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
        defined(WC_ASYNC_ENABLE_DH)
        if (dhKey->nb != NULL) {
            XFREE(dhKey->nb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
            dhKey->nb = NULL;
        }
    #endif
        wc_FreeDhKey(dhKey);
    }
    XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_DH);
    keyShareEntry->key = NULL;
    if (keyShareEntry->privKey) {
        /* Scrub the ephemeral private value before giving the memory back. */
        ForceZero(keyShareEntry->privKey, keyShareEntry->keyLen);
        XFREE(keyShareEntry->privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
        keyShareEntry->privKey = NULL;
    }
    XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    keyShareEntry->pubKey = NULL;
    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    keyShareEntry->ke = NULL;
#else
    (void)ssl;
    (void)keyShareEntry;
    ret = PEER_KEY_ERROR;
    WOLFSSL_ERROR_VERBOSE(ret);
#endif
    return ret;
}
9553
9554
/* Process the X25519 key share extension on the client side.
 *
 * Imports the peer's public key (keyShareEntry->ke) into ssl->peerX25519Key,
 * derives the X25519 shared secret with the private key held in
 * keyShareEntry->key and writes it to ssOutput / ssOutSz. On the way out the
 * peer key, the private key and keyShareEntry->ke are released - except on
 * the early-return paths noted inline, and on an async WC_PENDING_E return,
 * after which the caller re-enters with keyShareEntry->lastRet == WC_PENDING_E
 * and only the cleanup part runs.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 * ssOutput       The destination buffer for the shared secret.
 * ssOutSz        The size of the generated shared secret.
 *
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessX25519_ex(WOLFSSL* ssl,
                                          KeyShareEntry* keyShareEntry,
                                          unsigned char* ssOutput,
                                          word32* ssOutSz)
{
    int ret = 0;

#ifdef HAVE_CURVE25519
    curve25519_key* key = (curve25519_key*)keyShareEntry->key;

#ifdef WOLFSSL_ASYNC_CRYPT
    if (keyShareEntry->lastRet == 0) /* don't enter here if WC_PENDING_E */
#endif
    {
    #ifdef HAVE_ECC
        /* A leftover peer ECC key must not coexist with the X25519 peer key.
         * NOTE(review): only wc_ecc_free() is called here, whereas the
         * cleanup in TLSX_KeyShare_ProcessEcc_ex also XFREEs the ecc_key
         * with DYNAMIC_TYPE_ECC. If peerEccKey was heap-allocated, this
         * drops the allocation - confirm ownership. */
        if (ssl->peerEccKey != NULL) {
            wc_ecc_free(ssl->peerEccKey);
            ssl->peerEccKey = NULL;
            ssl->peerEccKeyPresent = 0;
        }
    #endif

        /* NOTE(review): assigned without checking for an existing
         * peerX25519Key; a previous value would be overwritten without
         * being freed - confirm callers never leave one behind. */
        ssl->peerX25519Key = (curve25519_key*)XMALLOC(sizeof(curve25519_key),
                                        ssl->heap, DYNAMIC_TYPE_TLSX);
        if (ssl->peerX25519Key == NULL) {
            WOLFSSL_MSG("PeerX25519Key Memory error");
            /* Early return: keyShareEntry->key and ->ke are not released
             * here; presumably the caller's key share free path does that
             * - confirm. */
            return MEMORY_ERROR;
        }
        ret = wc_curve25519_init(ssl->peerX25519Key);
        if (ret != 0) {
            XFREE(ssl->peerX25519Key, ssl->heap, DYNAMIC_TYPE_TLSX);
            ssl->peerX25519Key = NULL;
            /* Early return, same caveat as above for keyShareEntry->key/ke. */
            return ret;
        }
    #ifdef WOLFSSL_DEBUG_TLS
        WOLFSSL_MSG("Peer Curve25519 Key");
        WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
    #endif

        /* Validate the peer's point before importing it; a rejected point is
         * reported as ECC_PEERKEY_ERROR and the import below is skipped. */
        if (wc_curve25519_check_public(keyShareEntry->ke, keyShareEntry->keLen,
                                                  EC25519_LITTLE_ENDIAN) != 0) {
            ret = ECC_PEERKEY_ERROR;
            WOLFSSL_ERROR_VERBOSE(ret);
        }

        if (ret == 0) {
            if (wc_curve25519_import_public_ex(keyShareEntry->ke,
                                        keyShareEntry->keLen,
                                        ssl->peerX25519Key,
                                        EC25519_LITTLE_ENDIAN) != 0) {
                ret = ECC_PEERKEY_ERROR;
                WOLFSSL_ERROR_VERBOSE(ret);
            }
        }

        if (ret == 0) {
            ssl->ecdhCurveOID = ECC_X25519_OID;
            ssl->peerX25519KeyPresent = 1;
        }
    }

    /* No private key to combine with the peer key. */
    if (ret == 0 && key == NULL)
        ret = BAD_FUNC_ARG;
    if (ret == 0) {
    #ifdef WOLFSSL_CURVE25519_BLINDING
        /* Blinding needs an RNG attached before the scalar multiplication.
         * The braces deliberately close and reopen the `ret == 0` block
         * across this #ifdef so the RNG failure is checked like any other. */
        ret = wc_curve25519_set_rng(key, ssl->rng);
    }
    if (ret == 0) {
    #endif
    #ifdef WOLFSSL_ASYNC_CRYPT
        if (keyShareEntry->lastRet != WC_NO_ERR_TRACE(WC_PENDING_E))
    #endif
        {
        #ifdef WOLFSSL_ASYNC_CRYPT
            /* initialize event */
            ret = wolfSSL_AsyncInit(ssl, &key->asyncDev,
                WC_ASYNC_FLAG_CALL_AGAIN);
            if (ret != 0)
                /* Early return: peer key and key share data stay allocated. */
                return ret;
        #endif
            ret = wc_curve25519_shared_secret_ex(key, ssl->peerX25519Key,
                        ssOutput, ssOutSz, EC25519_LITTLE_ENDIAN);
        #ifdef WOLFSSL_ASYNC_CRYPT
            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
                /* Operation queued; resources are kept for the re-entry. */
                return wolfSSL_AsyncPush(ssl, &key->asyncDev);
            }
        #endif
        }
        /* On CALL_AGAIN re-entry (lastRet == PENDING): the block above
         * is skipped entirely, so wc_curve25519_shared_secret_ex is not
         * called again. ret stays 0 from initialization, and execution
         * falls through to the cleanup code below.
         * NOTE(review): *ssOutSz is not written on this path; presumably the
         * async completion already set it - confirm. */
    }

    /* done with key share, release resources */
    if (ssl->peerX25519Key != NULL) {
        wc_curve25519_free(ssl->peerX25519Key);
        XFREE(ssl->peerX25519Key, ssl->heap, DYNAMIC_TYPE_TLSX);
        ssl->peerX25519Key = NULL;
        ssl->peerX25519KeyPresent = 0;
    }
    if (keyShareEntry->key != NULL) {
    #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW)
        /* Non-blocking context is a separate allocation owned by the key. */
        if (((curve25519_key*)keyShareEntry->key)->nb_ctx != NULL) {
            XFREE(((curve25519_key*)keyShareEntry->key)->nb_ctx, ssl->heap,
                DYNAMIC_TYPE_TMP_BUFFER);
        }
    #endif
        /* Private key is single-use: freed once the secret is derived. */
        wc_curve25519_free((curve25519_key*)keyShareEntry->key);
        XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
        keyShareEntry->key = NULL;
    }
    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    keyShareEntry->ke = NULL;
#else
    (void)ssl;
    (void)keyShareEntry;
    (void)ssOutput;
    (void)ssOutSz;

    /* Curve not compiled in: nothing is freed, the caller sees an error. */
    ret = PEER_KEY_ERROR;
    WOLFSSL_ERROR_VERBOSE(ret);
#endif /* HAVE_CURVE25519 */

    return ret;
}
9689
9690
/* Process the X25519 key share extension on the client side.
 *
 * Convenience form of TLSX_KeyShare_ProcessX25519_ex that writes the shared
 * secret into ssl->arrays->preMasterSecret and its length into
 * ssl->arrays->preMasterSz.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 *
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessX25519(WOLFSSL* ssl,
                                       KeyShareEntry* keyShareEntry)
{
    unsigned char* secret = ssl->arrays->preMasterSecret;
    word32* secretSz = &ssl->arrays->preMasterSz;

    return TLSX_KeyShare_ProcessX25519_ex(ssl, keyShareEntry, secret, secretSz);
}
9703
9704
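/* Process the X448 key share extension on the client side.
 *
 * Imports the peer's public key (keyShareEntry->ke) into a temporary
 * curve448_key, derives the X448 shared secret with the private key held in
 * keyShareEntry->key and writes it to ssOutput / ssOutSz. The temporary peer
 * key, the private key and keyShareEntry->ke are released before returning,
 * except on the two early-return paths noted inline.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 * ssOutput       The destination buffer for the shared secret.
 * ssOutSz        The size of the generated shared secret.
 *
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessX448_ex(WOLFSSL* ssl,
                                        KeyShareEntry* keyShareEntry,
                                        unsigned char* ssOutput,
                                        word32* ssOutSz)
{
    int ret = 0;

#ifdef HAVE_CURVE448
    curve448_key* key = (curve448_key*)keyShareEntry->key;
    curve448_key* peerX448Key;

#ifdef HAVE_ECC
    /* A leftover peer ECC key must not coexist with the X448 peer key.
     * NOTE(review): only wc_ecc_free() is called here, whereas the cleanup
     * in TLSX_KeyShare_ProcessEcc_ex also XFREEs the ecc_key with
     * DYNAMIC_TYPE_ECC. If peerEccKey was heap-allocated, this drops the
     * allocation - confirm ownership. */
    if (ssl->peerEccKey != NULL) {
        wc_ecc_free(ssl->peerEccKey);
        ssl->peerEccKey = NULL;
        ssl->peerEccKeyPresent = 0;
    }
#endif

    /* The peer key is local to this call; unlike X25519 it is not stored
     * in the WOLFSSL object. */
    peerX448Key = (curve448_key*)XMALLOC(sizeof(curve448_key), ssl->heap,
                                                             DYNAMIC_TYPE_TLSX);
    if (peerX448Key == NULL) {
        /* Message text predates this function; the allocation is the X448
         * peer key. */
        WOLFSSL_MSG("PeerEccKey Memory error");
        /* Early return: keyShareEntry->key and ->ke are not released here;
         * presumably the caller's key share free path does that - confirm. */
        return MEMORY_ERROR;
    }
    ret = wc_curve448_init(peerX448Key);
    if (ret != 0) {
        XFREE(peerX448Key, ssl->heap, DYNAMIC_TYPE_TLSX);
        /* Early return, same caveat as above for keyShareEntry->key/ke. */
        return ret;
    }
#ifdef WOLFSSL_DEBUG_TLS
    WOLFSSL_MSG("Peer Curve448 Key");
    WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
#endif

    /* Validate the peer's point before importing it; a rejected point is
     * reported as ECC_PEERKEY_ERROR and the import below is skipped. */
    if (wc_curve448_check_public(keyShareEntry->ke, keyShareEntry->keLen,
                                                    EC448_LITTLE_ENDIAN) != 0) {
        ret = ECC_PEERKEY_ERROR;
        WOLFSSL_ERROR_VERBOSE(ret);
    }

    if (ret == 0) {
        if (wc_curve448_import_public_ex(keyShareEntry->ke,
                                              keyShareEntry->keLen, peerX448Key,
                                              EC448_LITTLE_ENDIAN) != 0) {
            ret = ECC_PEERKEY_ERROR;
            WOLFSSL_ERROR_VERBOSE(ret);
        }
    }

    /* No private key to combine with the peer key. Mirrors the check done
     * in TLSX_KeyShare_ProcessX25519_ex and TLSX_KeyShare_ProcessEcc_ex so
     * a missing key is reported uniformly instead of being handed to the
     * shared-secret routine. */
    if (ret == 0 && key == NULL) {
        ret = BAD_FUNC_ARG;
    }

    if (ret == 0) {
        ssl->ecdhCurveOID = ECC_X448_OID;

        ret = wc_curve448_shared_secret_ex(key, peerX448Key,
                    ssOutput, ssOutSz, EC448_LITTLE_ENDIAN);
    }

    /* done with key share, release resources: the private key is
     * single-use and is freed whether or not the derivation succeeded. */
    wc_curve448_free(peerX448Key);
    XFREE(peerX448Key, ssl->heap, DYNAMIC_TYPE_TLSX);
    wc_curve448_free((curve448_key*)keyShareEntry->key);
    XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
    keyShareEntry->key = NULL;
    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    keyShareEntry->ke = NULL;
#else
    (void)ssl;
    (void)keyShareEntry;
    (void)ssOutput;
    (void)ssOutSz;

    /* Curve not compiled in: nothing is freed, the caller sees an error. */
    ret = PEER_KEY_ERROR;
    WOLFSSL_ERROR_VERBOSE(ret);
#endif /* HAVE_CURVE448 */

    return ret;
}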
9789
9790
/* Process the X448 key share extension on the client side.
 *
 * Convenience form of TLSX_KeyShare_ProcessX448_ex that writes the shared
 * secret into ssl->arrays->preMasterSecret and its length into
 * ssl->arrays->preMasterSz.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessX448(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
{
    unsigned char* secret = ssl->arrays->preMasterSecret;
    word32* secretSz = &ssl->arrays->preMasterSz;

    return TLSX_KeyShare_ProcessX448_ex(ssl, keyShareEntry, secret, secretSz);
}
9801
9802
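/* Process the ECC key share extension on the client side.
 *
 * Maps keyShareEntry->group to a wolfCrypt curve id, imports the peer's
 * point (keyShareEntry->ke) into ssl->peerEccKey, derives the ECDH shared
 * secret with the private key held in keyShareEntry->key via
 * EccSharedSecret() and writes it to ssOutput / ssOutSz. On completion the
 * peer key (unless a PK callback owns it), the private key and
 * keyShareEntry->ke are released. With WOLFSSL_ASYNC_CRYPT the function may
 * return WC_PENDING_E and be re-entered with keyShareEntry->lastRet set, in
 * which case the import block is skipped and ssl->peerEccKey is reused.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 * ssOutput       The destination buffer for the shared secret.
 * ssOutSz        The size of the generated shared secret.
 *
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessEcc_ex(WOLFSSL* ssl,
                                       KeyShareEntry* keyShareEntry,
                                       unsigned char* ssOutput,
                                       word32* ssOutSz)
{
    int ret = 0;
#ifdef HAVE_ECC
    int curveId = ECC_CURVE_INVALID;
    ecc_key* eccKey = (ecc_key*)keyShareEntry->key;

    /* find supported curve: each case is gated on the curve being compiled
     * in and on ECC_MIN_KEY_SZ, so a group the build does not accept falls
     * to the default branch. */
    switch (keyShareEntry->group) {
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP256R1:
            curveId = ECC_SECP256R1;
            break;
        #endif /* !NO_ECC_SECP */
        #ifdef WOLFSSL_SM2
        case WOLFSSL_ECC_SM2P256V1:
            curveId = ECC_SM2P256V1;
            break;
        #endif /* WOLFSSL_SM2 */
        #ifdef HAVE_ECC_BRAINPOOL
        case WOLFSSL_ECC_BRAINPOOLP256R1TLS13:
            curveId = ECC_BRAINPOOLP256R1;
            break;
        #endif /* HAVE_ECC_BRAINPOOL */
    #endif
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP384R1:
            curveId = ECC_SECP384R1;
            break;
        #endif /* !NO_ECC_SECP */
        #ifdef HAVE_ECC_BRAINPOOL
        case WOLFSSL_ECC_BRAINPOOLP384R1TLS13:
            curveId = ECC_BRAINPOOLP384R1;
            break;
        #endif /* HAVE_ECC_BRAINPOOL */
    #endif
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
        #ifdef HAVE_ECC_BRAINPOOL
        case WOLFSSL_ECC_BRAINPOOLP512R1TLS13:
            curveId = ECC_BRAINPOOLP512R1;
            break;
        #endif /* HAVE_ECC_BRAINPOOL */
    #endif
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
        #ifndef NO_ECC_SECP
        case WOLFSSL_ECC_SECP521R1:
            curveId = ECC_SECP521R1;
            break;
        #endif /* !NO_ECC_SECP */
    #endif
    #if defined(HAVE_X448) && ECC_MIN_KEY_SZ <= 448
        case WOLFSSL_ECC_X448:
            curveId = ECC_X448;
            break;
    #endif
        default:
            /* unsupported curve. Early return: keyShareEntry->key and ->ke
             * are not released here; presumably the caller's key share free
             * path does that - confirm. */
            WOLFSSL_ERROR_VERBOSE(ECC_PEERKEY_ERROR);
            return ECC_PEERKEY_ERROR;
    }

#ifdef WOLFSSL_ASYNC_CRYPT
    if (keyShareEntry->lastRet == 0) /* don't enter here if WC_PENDING_E */
#endif
    {
    #ifdef WOLFSSL_DEBUG_TLS
        WOLFSSL_MSG("Peer ECC Key");
        WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
    #endif

        /* Drop any previous peer key before importing the new one. The
         * pointer is cleared immediately so that no freed address is left
         * in the WOLFSSL object on the early-return path below (the TSIP
         * branch can return before a fresh key is allocated). */
        if (ssl->peerEccKey != NULL) {
            wc_ecc_free(ssl->peerEccKey);
            XFREE(ssl->peerEccKey, ssl->heap, DYNAMIC_TYPE_ECC);
            ssl->peerEccKey = NULL;
            ssl->peerEccKeyPresent = 0;
        }
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
        /* Hardware path: anything other than "not available" is final. */
        ret = tsip_Tls13GenSharedSecret(ssl, keyShareEntry);
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
            return ret;
        }
        ret = 0;
#endif

        ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), ssl->heap,
                                            DYNAMIC_TYPE_ECC);
        if (ssl->peerEccKey == NULL) {
            WOLFSSL_MSG("PeerEccKey Memory error");
            ret = MEMORY_ERROR;
        }

        if (ret == 0) {
            ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, ssl->devId);
        }

        /* Point is validated by import function. */
        if (ret == 0) {
#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
            /* Trailing 1 requests point validation on import. */
            ret = wc_ecc_import_x963_ex2(keyShareEntry->ke,
                keyShareEntry->keLen, ssl->peerEccKey, curveId, 1);
#else
            /* FIPS has validation define on. */
            ret = wc_ecc_import_x963_ex(keyShareEntry->ke,
                keyShareEntry->keLen, ssl->peerEccKey, curveId);
#endif
            if (ret != 0) {
                /* Any import failure is reported as a bad peer key; the
                 * partially set-up ssl->peerEccKey is freed in the cleanup
                 * below. */
                ret = ECC_PEERKEY_ERROR;
                WOLFSSL_ERROR_VERBOSE(ret);
            }
        }

        if (ret == 0) {
            ssl->ecdhCurveOID = ssl->peerEccKey->dp->oidSum;
            ssl->peerEccKeyPresent = 1;
        }
    }

    /* No private key to combine with the peer key. */
    if (ret == 0 && eccKey == NULL)
        ret = BAD_FUNC_ARG;
    if (ret == 0) {
        ret = EccSharedSecret(ssl, eccKey, ssl->peerEccKey,
            keyShareEntry->ke, &keyShareEntry->keLen,
            ssOutput, ssOutSz, ssl->options.side);
    #ifdef WOLFSSL_ASYNC_CRYPT
        /* Operation queued; keep all resources for the re-entry. */
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
            return ret;
    #endif
    }

    /* done with key share, release resources. When a PK callback is
     * installed the peer key is left in place for it. */
    if (ssl->peerEccKey != NULL
    #ifdef HAVE_PK_CALLBACKS
        && ssl->ctx->EccSharedSecretCb == NULL
    #endif
    ) {
        wc_ecc_free(ssl->peerEccKey);
        XFREE(ssl->peerEccKey, ssl->heap, DYNAMIC_TYPE_ECC);
        ssl->peerEccKey = NULL;
        ssl->peerEccKeyPresent = 0;
    }
    if (eccKey != NULL) {
    #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
        defined(WC_ASYNC_ENABLE_ECC)
        /* Non-blocking context is a separate allocation owned by the key. */
        if (eccKey->nb_ctx != NULL) {
            XFREE(eccKey->nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
        }
    #endif
        /* Private key is single-use: freed once the secret is derived. */
        wc_ecc_free(eccKey);
        XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_ECC);
        keyShareEntry->key = NULL;
    }
    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    keyShareEntry->ke = NULL;
#else
    (void)ssl;
    (void)keyShareEntry;
    (void)ssOutput;
    (void)ssOutSz;

    /* ECC not compiled in: nothing is freed, the caller sees an error. */
    ret = PEER_KEY_ERROR;
    WOLFSSL_ERROR_VERBOSE(ret);
#endif /* HAVE_ECC */

    return ret;
}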
9980
9981
/* Process the ECC key share extension on the client side.
 *
 * Convenience form of TLSX_KeyShare_ProcessEcc_ex that writes the shared
 * secret into ssl->arrays->preMasterSecret and its length into
 * ssl->arrays->preMasterSz.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
{
    unsigned char* secret = ssl->arrays->preMasterSecret;
    word32* secretSz = &ssl->arrays->preMasterSz;

    return TLSX_KeyShare_ProcessEcc_ex(ssl, keyShareEntry, secret, secretSz);
}
9992
9993
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
9994
/* Process the ML-KEM key share extension on the client side.
 *
 * Decapsulates the ciphertext at the start of keyShareEntry->ke with the
 * client's ML-KEM private key and writes the shared secret to ssOutput,
 * reporting its length in *ssOutSz. The private key comes either from the
 * stored key object (WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ) or from the encoded
 * bytes in keyShareEntry->privKey, decoded into a key allocated here. The
 * key object and keyShareEntry->ke are released before returning; on the
 * server side the function is a no-op.
 *
 * NOTE(review): ssOutput's capacity is not passed in and *ssOutSz is output
 * only, so the caller must guarantee room for the ML-KEM shared secret.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 * ssOutput       The destination buffer for the shared secret.
 * ssOutSz        The size of the generated shared secret.
 *
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl,
                                             KeyShareEntry* keyShareEntry,
                                             unsigned char* ssOutput,
                                             word32* ssOutSz)
{
    int       ret = 0;
    MlKemKey* kem = (MlKemKey*)keyShareEntry->key;
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
    word32    privSz = 0;
#endif
    word32    ctSz = 0;
    word32    ssSz = 0;

    if (ssl->options.side == WOLFSSL_SERVER_END) {
        /* I am the server, the shared secret has already been generated and
         * is in ssl->arrays->preMasterSecret, so nothing really to do here. */
        return 0;
    }

    if (keyShareEntry->ke == NULL) {
        WOLFSSL_MSG("Invalid PQC algorithm specified.");
        return BAD_FUNC_ARG;
    }
    if (ssOutSz == NULL)
        return BAD_FUNC_ARG;

#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
    /* No key object stored: build one from the group id so the encoded
     * private key can be loaded into it below. */
    if (kem == NULL) {
        int type = 0;

        /* Allocate an ML-KEM key to hold private key. */
        kem = (MlKemKey*) XMALLOC(sizeof(MlKemKey), ssl->heap,
                                  DYNAMIC_TYPE_PRIVATE_KEY);
        if (kem == NULL) {
            WOLFSSL_MSG("GenPqcKey memory error");
            ret = MEMORY_E;
        }
        if (ret == 0) {
            ret = mlkem_id2type(keyShareEntry->group, &type);
        }
        if (ret != 0) {
            /* NOTE(review): this also rewrites MEMORY_E to BAD_FUNC_ARG,
             * and when id2type fails the allocated but uninitialised key
             * still reaches wc_MlKemKey_Free() below - confirm that is
             * tolerated. */
            WOLFSSL_MSG("Invalid PQC algorithm specified.");
            ret = BAD_FUNC_ARG;
        }
        if (ret == 0) {
            ret = wc_MlKemKey_Init(kem, type, ssl->heap, ssl->devId);
            if (ret != 0) {
                WOLFSSL_MSG("Error creating ML-KEM key");
            }
        }
    }
#else
    /* With the key object stored, no encoded private key is expected. */
    if (kem == NULL || keyShareEntry->privKeyLen != 0) {
        WOLFSSL_MSG("Invalid ML-KEM key.");
        ret = BAD_FUNC_ARG;
    }
#endif

    /* Shared secret and ciphertext sizes are fixed per parameter set. */
    if (ret == 0) {
        ret = wc_MlKemKey_SharedSecretSize(kem, &ssSz);
    }
    if (ret == 0) {
        ret = wc_MlKemKey_CipherTextSize(kem, &ctSz);
    }

#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
    /* Load the encoded private key; its length must match the parameter
     * set exactly. */
    if (ret == 0) {
        ret = wc_MlKemKey_PrivateKeySize(kem, &privSz);
    }
    if (ret == 0 && privSz != keyShareEntry->privKeyLen) {
        WOLFSSL_MSG("Invalid private key size.");
        ret = BAD_FUNC_ARG;
    }
    if (ret == 0) {
        PRIVATE_KEY_UNLOCK();
        ret = wc_MlKemKey_DecodePrivateKey(kem, keyShareEntry->privKey, privSz);
        PRIVATE_KEY_LOCK();
    }
#endif

    /* Only the first ctSz bytes of ke are used as ciphertext; the key share
     * must carry at least that much. */
    if (ret == 0 && keyShareEntry->keLen < ctSz) {
        WOLFSSL_MSG("PQC key share data too short for ciphertext.");
        ret = BUFFER_E;
    }
    if (ret == 0) {
        PRIVATE_KEY_UNLOCK();
        ret = wc_MlKemKey_Decapsulate(kem, ssOutput,
                                      keyShareEntry->ke, ctSz);
        PRIVATE_KEY_LOCK();
        if (ret != 0) {
            /* Decapsulation failures are folded into BAD_FUNC_ARG. */
            WOLFSSL_MSG("wc_MlKemKey decapsulation failure.");
            ret = BAD_FUNC_ARG;
        }
    }
    if (ret == 0) {
        *ssOutSz = ssSz;
    }

    /* Release the key object and the key share data on every path that
     * reaches here, success or failure. */
    wc_MlKemKey_Free(kem);

    XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
    keyShareEntry->key = NULL;

    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    keyShareEntry->ke = NULL;

    return ret;
}
10111
10112
/* Process the ML-KEM key share extension on the client side.
 *
 * Convenience form of TLSX_KeyShare_ProcessPqcClient_ex that writes the
 * shared secret into ssl->arrays->preMasterSecret and its length into
 * ssl->arrays->preMasterSz.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 *
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessPqcClient(WOLFSSL* ssl,
                                          KeyShareEntry* keyShareEntry)
{
    unsigned char* secret = ssl->arrays->preMasterSecret;
    word32* secretSz = &ssl->arrays->preMasterSz;

    return TLSX_KeyShare_ProcessPqcClient_ex(ssl, keyShareEntry, secret,
                                             secretSz);
}
10126
10127
/* Process the hybrid key share extension on the client side.
 *
 * Splits the server's key share data (keyShareEntry->ke) into the ML-KEM
 * ciphertext and the ECDH public key, builds a temporary KeyShareEntry for
 * each half, and runs the matching ECDH and ML-KEM processing so that the
 * two shared secrets land side by side in ssl->arrays->preMasterSecret. The
 * pqc_first flag from findEccPqc() decides the order of both the input
 * halves and the output halves. On a non-pending failure the whole
 * preMasterSecret buffer is zeroed.
 *
 * Ownership: ecc_kse->key aliases keyShareEntry->key and, depending on
 * WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ, pqc_kse->privKey or pqc_kse->key aliases
 * keyShareEntry->privKey. The aliases are cleared before
 * TLSX_KeyShare_FreeAll() whenever keyShareEntry must keep ownership.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessPqcHybridClient(WOLFSSL* ssl,
                                                KeyShareEntry* keyShareEntry)
{
    int      ret = 0;
    int      pqc_group = 0;
    int      ecc_group = 0;
    int      pqc_first = 0;
    KeyShareEntry* pqc_kse = NULL;
    KeyShareEntry *ecc_kse = NULL;
    word32   ctSz = 0;
    word32   ssSzPqc = 0;

    if (ssl->options.side == WOLFSSL_SERVER_END) {
        /* I am the server, the shared secret has already been generated and
         * is in ssl->arrays->preMasterSecret, so nothing really to do here. */
        return 0;
    }

    if (keyShareEntry->ke == NULL) {
        WOLFSSL_MSG("Invalid PQC algorithm specified.");
        return BAD_FUNC_ARG;
    }

    /* I am the client, both the PQC ciphertext and the ECDH public key are in
     * keyShareEntry->ke */

    /* Determine the ECC and PQC group of the hybrid combination */
    findEccPqc(&ecc_group, &pqc_group, &pqc_first, keyShareEntry->group);
    if (ecc_group == 0 || pqc_group == 0) {
        WOLFSSL_MSG("Invalid hybrid group");
        ret = BAD_FUNC_ARG;
    }

    /* Both temporary entries are zeroed so that TLSX_KeyShare_FreeAll() at
     * the end only sees fields this function deliberately set. */
    if (ret == 0) {
        ecc_kse = (KeyShareEntry*)XMALLOC(sizeof(*ecc_kse), ssl->heap,
                   DYNAMIC_TYPE_TLSX);
        if (ecc_kse == NULL) {
            WOLFSSL_MSG("kse memory allocation failure");
            ret = MEMORY_ERROR;
        }
        else {
            XMEMSET(ecc_kse, 0, sizeof(*ecc_kse));
        }
    }
    if (ret == 0) {
        pqc_kse = (KeyShareEntry*)XMALLOC(sizeof(*pqc_kse), ssl->heap,
                   DYNAMIC_TYPE_TLSX);
        if (pqc_kse == NULL) {
            WOLFSSL_MSG("kse memory allocation failure");
            ret = MEMORY_ERROR;
        }
        else {
            XMEMSET(pqc_kse, 0, sizeof(*pqc_kse));
        }
    }

    /* The ciphertext and shared secret sizes of a KEM are fixed. Hence, we
     * decode these sizes to separate the KEM ciphertext from the ECDH public
     * key. */
    if (ret == 0) {
    #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
        int type;

        /* Alias the encoded private key; a fresh key object is created
         * here for the size queries and later decapsulation. */
        pqc_kse->privKey = keyShareEntry->privKey;

        ret = mlkem_id2type(pqc_group, &type);
        if (ret != 0) {
            WOLFSSL_MSG("Invalid ML-KEM algorithm specified.");
            ret = BAD_FUNC_ARG;
        }
        if (ret == 0) {
            pqc_kse->key = XMALLOC(sizeof(MlKemKey), ssl->heap,
                                DYNAMIC_TYPE_PRIVATE_KEY);
            if (pqc_kse->key == NULL) {
                WOLFSSL_MSG("GenPqcKey memory error");
                ret = MEMORY_E;
            }
        }
        if (ret == 0) {
            ret = wc_MlKemKey_Init((MlKemKey*)pqc_kse->key, type,
                                   ssl->heap, ssl->devId);
            if (ret != 0) {
                WOLFSSL_MSG("Error creating ML-KEM key");
            }
        }
    #else
        /* The stored key object lives in keyShareEntry->privKey. */
        pqc_kse->key = keyShareEntry->privKey;
    #endif

        pqc_kse->group = pqc_group;
        pqc_kse->privKeyLen = keyShareEntry->privKeyLen;

        if (ret == 0) {
            ret = wc_MlKemKey_SharedSecretSize((MlKemKey*)pqc_kse->key,
                                               &ssSzPqc);
        }
        if (ret == 0) {
            ret = wc_MlKemKey_CipherTextSize((MlKemKey*)pqc_kse->key,
                                             &ctSz);
            /* Strictly greater: the ECDH public key must occupy at least
             * one byte after the ciphertext is removed. */
            if (ret == 0 && keyShareEntry->keLen <= ctSz) {
                WOLFSSL_MSG("Invalid ciphertext size.");
                ret = BAD_FUNC_ARG;
            }
        }
        if (ret == 0) {
            pqc_kse->keLen = ctSz;
            pqc_kse->ke = (byte*)XMALLOC(pqc_kse->keLen, ssl->heap,
                                         DYNAMIC_TYPE_PUBLIC_KEY);
            if (pqc_kse->ke == NULL) {
                WOLFSSL_MSG("pqc_kse memory allocation failure");
                ret = MEMORY_ERROR;
            }
            /* Copy the PQC KEM ciphertext. Depending on the pqc_first flag,
             * the KEM ciphertext comes before or after the ECDH public key. */
            if (ret == 0) {
                /* keLen > ctSz was checked above, so this is non-negative. */
                int offset = keyShareEntry->keLen - ctSz;

                if (pqc_first)
                    offset = 0;

                XMEMCPY(pqc_kse->ke, keyShareEntry->ke + offset, ctSz);
            }
        }
    }

    if (ret == 0) {
        ecc_kse->group = ecc_group;
        ecc_kse->keLen = keyShareEntry->keLen - ctSz;
        /* Alias, not a copy: the ECDH private key stays owned by
         * keyShareEntry and is re-synced after processing. */
        ecc_kse->key = keyShareEntry->key;
        ecc_kse->ke = (byte*)XMALLOC(ecc_kse->keLen, ssl->heap,
                                        DYNAMIC_TYPE_PUBLIC_KEY);
        if (ecc_kse->ke == NULL) {
            WOLFSSL_MSG("ecc_kse memory allocation failure");
            ret = MEMORY_ERROR;
        }
        /* Copy the ECDH public key. Depending on the pqc_first flag, the
         * KEM ciphertext comes before or after the ECDH public key. */
        if (ret == 0) {
            int offset = 0;

            if (pqc_first)
                offset = ctSz;

            XMEMCPY(ecc_kse->ke, keyShareEntry->ke + offset, ecc_kse->keLen);
        }
    #ifdef WOLFSSL_ASYNC_CRYPT
        /* Propagate the pending state so the inner _ex routine knows
         * whether this is a first call or a re-entry. */
        ecc_kse->lastRet = keyShareEntry->lastRet;
    #endif
    }

    /* Process ECDH key share part. The generated shared secret is directly
     * stored in the ssl->arrays->preMasterSecret buffer. Depending on the
     * pqc_first flag, the ECDH shared secret part goes before or after the
     * KEM part.
     * NOTE(review): the inner routine receives &preMasterSz unchanged while
     * writing at preMasterSecret + offset; if any of them treats *ssOutSz
     * as the buffer capacity on input, that capacity is overstated by
     * offset bytes and the ENCRYPT_LEN check only runs afterwards - confirm
     * the in/out semantics of the curve routines. */
    if (ret == 0) {
        int offset = 0;

        if (pqc_first)
            offset = ssSzPqc;

    #ifdef HAVE_CURVE25519
        if (ecc_group == WOLFSSL_ECC_X25519) {
            ret = TLSX_KeyShare_ProcessX25519_ex(ssl, ecc_kse,
                    ssl->arrays->preMasterSecret + offset,
                    &ssl->arrays->preMasterSz);
        }
        else
    #endif
    #ifdef HAVE_CURVE448
        if (ecc_group == WOLFSSL_ECC_X448) {
            ret = TLSX_KeyShare_ProcessX448_ex(ssl, ecc_kse,
                    ssl->arrays->preMasterSecret + offset,
                    &ssl->arrays->preMasterSz);
        }
        else
    #endif
        {
            ret = TLSX_KeyShare_ProcessEcc_ex(ssl, ecc_kse,
                    ssl->arrays->preMasterSecret + offset,
                    &ssl->arrays->preMasterSz);
        }

    #ifdef WOLFSSL_ASYNC_CRYPT
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            keyShareEntry->lastRet = WC_PENDING_E;
            /* Prevent freeing of the ECC and ML-KEM private keys */
            ecc_kse->key = NULL;
        #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
            pqc_kse->privKey = NULL;
        #else
            pqc_kse->key = NULL;
        #endif
        }
        else
    #endif
        {
            /* Re-sync keyShareEntry->key with ecc_kse->key. ecc_kse->key was
             * aliased to keyShareEntry->key above. The inner Process*_ex
             * either ran its end-of-function cleanup and set ecc_kse->key
             * to NULL (so the outer pointer must also become NULL to avoid
             * UAF/double-free in TLSX_KeyShare_FreeAll), or returned early
             * before cleanup with ecc_kse->key still pointing at the live
             * key (so the outer pointer must keep that pointer for later
             * freeing). Mirroring whatever the inner left in ecc_kse->key
             * handles both cases correctly. */
            keyShareEntry->key = ecc_kse->key;
        }
    }

    /* preMasterSz now holds the ECDH secret length; make sure the KEM
     * secret still fits behind (or in front of) it. */
    if (ret == 0) {
        if ((ssl->arrays->preMasterSz + ssSzPqc) > ENCRYPT_LEN) {
            WOLFSSL_MSG("shared secret is too long.");
            ret = LENGTH_ERROR;
        }
    }

    /* Process PQC KEM key share part. Depending on the pqc_first flag, the
     * KEM shared secret part goes before or after the ECDH part. */
    if (ret == 0) {
        int offset = ssl->arrays->preMasterSz;

        if (pqc_first)
            offset = 0;

        ret = TLSX_KeyShare_ProcessPqcClient_ex(ssl, pqc_kse,
                ssl->arrays->preMasterSecret + offset, &ssSzPqc);
    }

    if (ret == 0) {
        /* The inner call frees its key object and sets pqc_kse->key to
         * NULL, so this hands keyShareEntry->privKey over to the cleared
         * state while TLSX_KeyShare_FreeAll(pqc_kse) below releases the
         * aliased buffer. */
        keyShareEntry->privKey = (byte*)pqc_kse->key;

        ssl->arrays->preMasterSz += ssSzPqc;
    }
    else
#ifdef WOLFSSL_ASYNC_CRYPT
        if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
#endif
    {
        /* Clear the pre master secret buffer to prevent leaking any
         * intermediate keys in the error case. Do not use preMasterSz
         * here as it may already been set to the ECC shared secret size,
         * which would be too small due to the PQC offset case. */
        ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN);

        /* Prevent FreeAll from freeing pointers owned by keyShareEntry. */
        if (ecc_kse != NULL)
            ecc_kse->key = NULL;
        if (pqc_kse != NULL) {
        #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
            pqc_kse->privKey = NULL;
        #else
            pqc_kse->key = NULL;
        #endif
        }
    }

    /* Temporary entries and whatever they still own (copied ke buffers,
     * the locally created ML-KEM key on an early failure) are released
     * here; NULL entries are presumably tolerated - confirm. */
    TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap);
    TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap);

    return ret;
}
10394
#endif /* WOLFSSL_HAVE_MLKEM && !WOLFSSL_MLKEM_NO_DECAPSULATE */
/* Select and run the shared-secret derivation for a key share entry's group.
 *
 * The named group decides which routine derives the secret: finite-field DH,
 * X25519, X448, ML-KEM (plain or hybrid, when built with decapsulation) or
 * ECC for everything else. The chosen routine writes the secret into the SSL
 * object's pre master secret buffer.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry whose group selects the routine.
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_ProcessByGroup(WOLFSSL* ssl,
                                        KeyShareEntry* keyShareEntry)
{
    if (WOLFSSL_NAMED_GROUP_IS_FFDHE(keyShareEntry->group))
        return TLSX_KeyShare_ProcessDh(ssl, keyShareEntry);
    if (keyShareEntry->group == WOLFSSL_ECC_X25519)
        return TLSX_KeyShare_ProcessX25519(ssl, keyShareEntry);
    if (keyShareEntry->group == WOLFSSL_ECC_X448)
        return TLSX_KeyShare_ProcessX448(ssl, keyShareEntry);
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
    if (WOLFSSL_NAMED_GROUP_IS_PQC(keyShareEntry->group))
        return TLSX_KeyShare_ProcessPqcClient(ssl, keyShareEntry);
    if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(keyShareEntry->group))
        return TLSX_KeyShare_ProcessPqcHybridClient(ssl, keyShareEntry);
#endif
    return TLSX_KeyShare_ProcessEcc(ssl, keyShareEntry);
}

/* Process the key share extension on the client side.
 *
 * Derives the key exchange secret from the server's key share entry into
 * ssl->arrays->preMasterSecret and records the outcome on the entry.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to use to calculate shared secret.
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_KeyShare_Process(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
{
    int ret;

    /* reset the pre master secret size */
    if (ssl->arrays->preMasterSz == 0)
        ssl->arrays->preMasterSz = ENCRYPT_LEN;

#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Keep the session's previous group on the entry and make the entry's
     * group the session's current one. */
    keyShareEntry->session = ssl->session->namedGroup;
    ssl->session->namedGroup = keyShareEntry->group;
#endif

    /* Use Key Share Data from server. */
    ret = TLSX_KeyShare_ProcessByGroup(ssl, keyShareEntry);

#ifdef WOLFSSL_DEBUG_TLS
    if (ret == 0) {
        WOLFSSL_MSG("KE Secret");
        WOLFSSL_BUFFER(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
    }
#endif
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Only a successful derivation counts as "derived" for the entry. */
    keyShareEntry->derived = (ret == 0);
#endif
#ifdef WOLFSSL_ASYNC_CRYPT
    keyShareEntry->lastRet = ret;
#endif

    return ret;
}
/* Parse an entry of the KeyShare extension.
 *
 * One entry is: 2-byte named group, 2-byte key exchange length, then that
 * many bytes of key exchange data. A heap copy of the key exchange data is
 * handed to TLSX_KeyShare_Use; it is freed here only when that call fails,
 * so on success the created entry is expected to own it.
 *
 * ssl            The SSL/TLS object.
 * input          The extension data.
 * length         The length of the extension data.
 * kse            The new key share entry object (may be NULL).
 * seenGroups     Groups already parsed from this extension, or NULL when
 *                duplicate detection is not wanted.
 * seenGroupsCnt  Number of entries in seenGroups; updated when a group is
 *                added. Only dereferenced when seenGroups is not NULL.
 * extensions     The extension list the entry is added to.
 * returns a positive number to indicate amount of data parsed and a negative
 * number on error.
 */
static int TLSX_KeyShareEntry_Parse(const WOLFSSL* ssl, const byte* input,
            word16 length, KeyShareEntry **kse, word16* seenGroups,
            int* seenGroupsCnt, TLSX** extensions)
{
    int    ret;
    word16 group;
    word16 keLen;
    int    idx = 0;
    byte*  keCopy;
    int    n;

    /* Need at least the group and the key exchange length fields. */
    if (length < OPAQUE16_LEN + OPAQUE16_LEN)
        return BUFFER_ERROR;

    ato16(&input[idx], &group);
    idx += OPAQUE16_LEN;
    ato16(&input[idx], &keLen);
    idx += OPAQUE16_LEN;

    /* Empty key exchange data, or data that would overrun the extension, is
     * malformed. */
    if (keLen == 0 || keLen > length - idx)
        return BUFFER_ERROR;

    if (seenGroups != NULL) {
        /* A repeated group, or more groups than the tracking array can hold,
         * is rejected. */
        if (*seenGroupsCnt >= MAX_KEYSHARE_NAMED_GROUPS)
            return BAD_KEY_SHARE_DATA;
        for (n = 0; n < *seenGroupsCnt; n++) {
            if (seenGroups[n] == group)
                return BAD_KEY_SHARE_DATA;
        }
        seenGroups[n] = group;
        *seenGroupsCnt = n + 1;
    }

    /* Copy the key exchange data out of the input buffer. */
    keCopy = (byte*)XMALLOC(keLen, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    if (keCopy == NULL)
        return MEMORY_E;
    XMEMCPY(keCopy, &input[idx], keLen);

    ret = TLSX_KeyShare_Use(ssl, group, keLen, keCopy, kse, extensions);
    if (ret != 0) {
        /* No entry took the copy, so it is still ours to release. */
        XFREE(keCopy, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        return ret;
    }

    /* Total length of the parsed data. */
    return idx + keLen;
}
/* Searches the key share entries sent for the specified named group.
 *
 * The KeyShare extension on the SSL object is consulted first, then the one
 * on its context.
 *
 * ssl    SSL/TLS object.
 * group  Group name to match.
 * returns 1 when the extension has the group name and 0 otherwise.
 */
static int TLSX_KeyShare_Find(WOLFSSL* ssl, word16 group)
{
    TLSX*          extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    KeyShareEntry* entry;

    if (extension == NULL)
        extension = TLSX_Find(ssl->ctx->extensions, TLSX_KEY_SHARE);
    if (extension == NULL)
        return 0;

    for (entry = (KeyShareEntry*)extension->data; entry != NULL;
            entry = entry->next) {
        if (entry->group == group)
            return 1;
    }

    return 0;
}
/* Searches the supported groups extension for the specified named group.
 *
 * The given extension list is consulted first, then the context's list.
 * Without HAVE_SUPPORTED_CURVES nothing is searched and 0 is returned.
 *
 * ssl         The SSL/TLS object.
 * name        The group name to match.
 * extensions  The extension list to search before the context's list.
 * returns 1 when the extension has the group name and 0 otherwise.
 */
static int TLSX_SupportedGroups_Find(const WOLFSSL* ssl, word16 name,
                                     TLSX* extensions)
{
#ifdef HAVE_SUPPORTED_CURVES
    TLSX*           extension = TLSX_Find(extensions, TLSX_SUPPORTED_GROUPS);
    SupportedCurve* curve;

    if (extension == NULL)
        extension = TLSX_Find(ssl->ctx->extensions, TLSX_SUPPORTED_GROUPS);
    if (extension == NULL)
        return 0;

    curve = (SupportedCurve*)extension->data;
    while (curve != NULL) {
        if (curve->name == name)
            return 1;
        curve = curve->next;
    }
#endif

    (void)ssl;
    (void)name;

    return 0;
}
/* Parse the KeyShare extension from a ClientHello.
 *
 * A KeyShare extension is pushed onto the list when none exists yet, even if
 * the peer sent no entries, because its presence alone signals that the peer
 * can be negotiated with. Every entry present is then parsed; a repeated
 * group is rejected.
 *
 * ssl         The SSL/TLS object.
 * input       The extension data.
 * length      The length of the extension data.
 * extensions  The extension list to add the key share entries to.
 * returns 0 on success and other values indicate failure.
 */
int TLSX_KeyShare_Parse_ClientHello(const WOLFSSL* ssl,
        const byte* input, word16 length, TLSX** extensions)
{
    int    ret;
    int    idx;
    word16 listLen;
    word16 seenGroups[MAX_KEYSHARE_NAMED_GROUPS];
    int    seenGroupsCnt = 0;

    if (TLSX_Find(*extensions, TLSX_KEY_SHARE) == NULL) {
        /* Push new KeyShare extension. */
        ret = TLSX_Push(extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
        if (ret != 0)
            return ret;
    }

    if (length < OPAQUE16_LEN)
        return BUFFER_ERROR;

    /* The 2-byte list length must cover exactly the remaining data, and the
     * whole extension must fit the RFC 8446 limit of 2^16-1 minus the 4-byte
     * extension header. */
    ato16(input, &listLen);
    if (listLen != length - OPAQUE16_LEN ||
            length > (MAX_EXT_DATA_LEN - HELLO_EXT_SZ)) {
        return BUFFER_ERROR;
    }

    /* Zero or more entries follow the list length; each parse reports how
     * many bytes it consumed. */
    for (idx = OPAQUE16_LEN; idx < (int)length; idx += ret) {
        ret = TLSX_KeyShareEntry_Parse(ssl, &input[idx],
                length - (word16)idx, NULL, seenGroups, &seenGroupsCnt,
                extensions);
        if (ret < 0)
            return ret;
    }

    return 0;
}
/* Parse the KeyShare extension.
 * Different formats in different messages:
 *  - ClientHello: a length-prefixed list of zero or more entries.
 *  - ServerHello: exactly one entry; its group must have been offered in the
 *    ClientHello's supported groups and have a key share the client sent.
 *  - HelloRetryRequest: a bare 2-byte named group; it must have been offered
 *    in supported groups but must not already have a key share.
 *
 * ssl      The SSL/TLS object.
 * input    The extension data.
 * length   The length of the extension data.
 * msgType  The type of the message this extension is being parsed from.
 * returns 0 on success and other values indicate failure.
 */
int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                               byte msgType)
{
    int ret = 0;
    KeyShareEntry *keyShareEntry = NULL;
    word16 group;
    int parsed;

    switch (msgType) {
    case client_hello:
        ret = TLSX_KeyShare_Parse_ClientHello(ssl, input, length,
                                              &ssl->extensions);
        break;

    case server_hello:
        if (length < OPAQUE16_LEN)
            return BUFFER_ERROR;

        ssl->options.shSentKeyShare = 1;

        /* The data starts with the named group the server wants to use. */
        ato16(input, &group);

        /* The server may only select a group the ClientHello listed in
         * supported groups and actually sent a key share for. */
        if (!TLSX_SupportedGroups_Find(ssl, group, ssl->extensions) ||
                !TLSX_KeyShare_Find(ssl, group)) {
            WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
            return BAD_KEY_SHARE_DATA;
        }

        /* ServerHello contains one key share entry and nothing else. */
        parsed = TLSX_KeyShareEntry_Parse(ssl, input, length, &keyShareEntry,
                NULL, NULL, &ssl->extensions);
        if (parsed != (int)length)
            return BUFFER_ERROR;

        /* Without a private key the client never generated a share for this
         * group, i.e. it was not in the list sent. */
        if (keyShareEntry == NULL || (keyShareEntry->key == NULL
        #if !defined(NO_DH) || defined(WOLFSSL_HAVE_MLKEM)
            && keyShareEntry->privKey == NULL
        #endif
        )) {
            WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
            return BAD_KEY_SHARE_DATA;
        }

        /* Process the entry to calculate the secret. */
        ret = TLSX_KeyShare_Process(ssl, keyShareEntry);
        if (ret == 0)
            ssl->session->namedGroup = ssl->namedGroup = group;
        break;

    case hello_retry_request:
        if (length != OPAQUE16_LEN)
            return BUFFER_ERROR;

        ssl->options.hrrSentKeyShare = 1;

        /* The data is the named group the server wants to use. */
        ato16(input, &group);

    #ifdef WOLFSSL_ASYNC_CRYPT
        /* only perform find and clear TLSX if not returning from async */
        if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E))
    #endif
        {
            /* The requested group must have been offered in supported
             * groups... */
            if (!TLSX_SupportedGroups_Find(ssl, group, ssl->extensions)) {
                WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
                return BAD_KEY_SHARE_DATA;
            }

            /* ...but a retry for a group the client already sent a key share
             * for is not allowed. */
            if (TLSX_KeyShare_Find(ssl, group)) {
                WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
                return BAD_KEY_SHARE_DATA;
            }

            /* Clear out unusable key shares. */
            ret = TLSX_KeyShare_Empty(ssl);
            if (ret != 0)
                return ret;
        }

        ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL, &ssl->extensions);
        if (ret == 0)
            ssl->session->namedGroup = ssl->namedGroup = group;
        break;

    default:
        /* Not a message type that is allowed to have this extension. */
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    return ret;
}
/* Create a new key share entry and put it into the list.
 *
 * The entry is zeroed apart from its group and appended at the tail, so the
 * existing order of entries is kept.
 *
 * list           The linked list of key share entries.
 * group          The named group.
 * heap           The memory to allocate with.
 * keyShareEntry  The new key share entry object.
 * returns 0 on success and MEMORY_E when the entry cannot be allocated.
 */
static int TLSX_KeyShare_New(KeyShareEntry** list, int group, void *heap,
                             KeyShareEntry** keyShareEntry)
{
    KeyShareEntry*  entry;
    KeyShareEntry** tail = list;

    entry = (KeyShareEntry*)XMALLOC(sizeof(*entry), heap, DYNAMIC_TYPE_TLSX);
    if (entry == NULL)
        return MEMORY_E;

    XMEMSET(entry, 0, sizeof(*entry));
    entry->group = (word16)group;

    /* Walk to the end of the list. The link is fetched into a temporary
     * before being assigned, which works around a compiler bug found by a
     * customer; keep it that way. */
    while (*tail != NULL) {
        KeyShareEntry** nextLink = &((*tail)->next);
        tail = nextLink;
    }
    *tail = entry;
    *keyShareEntry = entry;

    (void)heap;

    return 0;
}
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
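/* Process the ML-KEM key share extension on the server side.
 *
 * The client's share carries a KEM public key. The server encapsulates
 * against it, writes the shared secret to ssOutput and replaces the entry's
 * public key data with the ciphertext that is sent back. The ML-KEM key
 * object is released on every path and keyShareEntry->key is cleared.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to be sent to the client. An
 *                existing keyShareEntry->key is reused as the ML-KEM key
 *                object; otherwise one is allocated here.
 * clientData     The KEM public key received from the client.
 * clientLen      The length of the key share data from the client; must
 *                equal the group's public key size.
 * ssOutput       The destination buffer for the shared secret; assumed to
 *                hold the group's shared secret size.
 * ssOutSz        Set to the size of the generated shared secret on success.
 *
 * returns 0 on success; MEMORY_E when an allocation fails; BAD_FUNC_ARG for
 * missing client data, an unmapped group or a public key of the wrong
 * length; otherwise the error of the failing ML-KEM routine.
 */
static int TLSX_KeyShare_HandlePqcKeyServer(WOLFSSL* ssl,
    KeyShareEntry* keyShareEntry, byte* clientData, word16 clientLen,
    unsigned char* ssOutput, word32* ssOutSz)
{
    /* We are on the server side. The key share contains a PQC KEM public key
     * that we are using for an encapsulate operation. The resulting ciphertext
     * is stored in the server key share. */
    MlKemKey* kemKey = (MlKemKey*)keyShareEntry->key;
    byte* ciphertext = NULL;
    int ret = 0;
    word32 pubSz = 0;
    word32 ctSz = 0;
    word32 ssSz = 0;

    if (clientData == NULL) {
        WOLFSSL_MSG("No KEM public key from the client.");
        return BAD_FUNC_ARG;
    }

    if (kemKey == NULL) {
        int type = 0;

        /* Allocate an ML-KEM key to hold private key. */
        kemKey = (MlKemKey*) XMALLOC(sizeof(MlKemKey), ssl->heap,
                                     DYNAMIC_TYPE_PRIVATE_KEY);
        if (kemKey == NULL) {
            WOLFSSL_MSG("GenPqcKey memory error");
            ret = MEMORY_E;
        }
        else {
            /* wc_MlKemKey_Free runs at the end on every path, including the
             * ones where wc_MlKemKey_Init is never reached; give it a defined
             * object rather than uninitialised heap memory. */
            XMEMSET(kemKey, 0, sizeof(MlKemKey));

            /* Only an unmapped group is an argument error; an allocation
             * failure above keeps its MEMORY_E instead of being reported as
             * a bad algorithm. */
            ret = mlkem_id2type(keyShareEntry->group, &type);
            if (ret != 0) {
                WOLFSSL_MSG("Invalid PQC algorithm specified.");
                ret = BAD_FUNC_ARG;
            }
        }
        if (ret == 0) {
            ret = wc_MlKemKey_Init(kemKey, type, ssl->heap, ssl->devId);
            if (ret != 0) {
                WOLFSSL_MSG("Error creating ML-KEM key");
            }
        }
    }

    /* Public key, ciphertext and shared secret sizes are fixed per group and
     * bound every buffer used below. */
    if (ret == 0) {
        ret = wc_MlKemKey_PublicKeySize(kemKey, &pubSz);
    }
    if (ret == 0) {
        ret = wc_MlKemKey_CipherTextSize(kemKey, &ctSz);
    }
    if (ret == 0) {
        ret = wc_MlKemKey_SharedSecretSize(kemKey, &ssSz);
    }

    /* Reject a public key of the wrong length before decoding it. */
    if (ret == 0 && clientLen != pubSz) {
        WOLFSSL_MSG("Invalid public key.");
        ret = BAD_FUNC_ARG;
    }

    if (ret == 0) {
        ciphertext = (byte*)XMALLOC(ctSz, ssl->heap, DYNAMIC_TYPE_TLSX);

        if (ciphertext == NULL) {
            WOLFSSL_MSG("Ciphertext memory allocation failure.");
            ret = MEMORY_E;
        }
    }

    if (ret == 0) {
        ret = wc_MlKemKey_DecodePublicKey(kemKey, clientData, pubSz);
    }
    if (ret == 0) {
        ret = wc_MlKemKey_Encapsulate(kemKey, ciphertext,
                                      ssOutput, ssl->rng);
        if (ret != 0) {
            WOLFSSL_MSG("wc_MlKemKey encapsulation failure.");
        }
    }

    if (ret == 0) {
        /* The client's public key is no longer needed; the ciphertext becomes
         * the server's key share data. */
        XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);

        *ssOutSz = ssSz;
        keyShareEntry->ke = NULL;
        keyShareEntry->keLen = 0;

        XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        keyShareEntry->pubKey = ciphertext;
        keyShareEntry->pubKeyLen = ctSz;
        ciphertext = NULL;

        /* Set namedGroup so wolfSSL_get_curve_name() can function properly on
         * the server side. */
        ssl->namedGroup = keyShareEntry->group;
    }

    /* ciphertext is NULL here unless a failure happened after it was
     * allocated; on success its ownership moved to keyShareEntry. */
    XFREE(ciphertext, ssl->heap, DYNAMIC_TYPE_TLSX);

    /* The KEM key object is single-use: release it whether it came in via
     * keyShareEntry->key or was allocated here. */
    wc_MlKemKey_Free(kemKey);
    XFREE(kemKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
    keyShareEntry->key = NULL;
    return ret;
}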
/* Process a hybrid (ECDH + ML-KEM) key share on the server side.
 *
 * Splits the client's concatenated share into its ECDH public key and KEM
 * public key, generates the server's ECDH share, derives the ECDH secret,
 * encapsulates against the KEM public key and stores the concatenated server
 * share (ECDH public key and KEM ciphertext) in keyShareEntry. Both secret
 * parts are written into ssl->arrays->preMasterSecret, in the order given by
 * the group's pqc_first flag. Temporary ECDH and KEM entries are freed with
 * TLSX_KeyShare_FreeAll before returning.
 *
 * ssl            The SSL/TLS object.
 * keyShareEntry  The key share entry object to be sent to the client. With
 *                WOLFSSL_ASYNC_CRYPT it also parks the pending ECDH key
 *                between calls.
 * data           The concatenated client key share data.
 * len            The length of the client key share data.
 * returns 0 on success and other values indicate failure.
 */
int TLSX_KeyShare_HandlePqcHybridKeyServer(WOLFSSL* ssl,
    KeyShareEntry* keyShareEntry, byte* data, word16 len)
{
    /* I am the server. The data parameter is the concatenation of the client's
     * ECDH public key and the KEM public key. I need to generate a matching
     * public key for ECDH and encapsulate a shared secret using the KEM public
     * key. We send the ECDH public key and the KEM ciphertext back to the
     * client. Additionally, we create the ECDH shared secret here already.
     */
    int    type;
    byte*  ciphertext = NULL;
    int    ret = 0;
    int    pqc_group = 0;
    int    ecc_group = 0;
    int    pqc_first = 0;
    KeyShareEntry *ecc_kse = NULL;
    KeyShareEntry *pqc_kse = NULL;
    word32 pubSz = 0;
    word32 ctSz = 0;
    word32 ssSzPqc = 0;

    if (data == NULL) {
        WOLFSSL_MSG("No hybrid key share data from the client.");
        return BAD_FUNC_ARG;
    }

    /* Determine the ECC and PQC group of the hybrid combination */
    findEccPqc(&ecc_group, &pqc_group, &pqc_first, keyShareEntry->group);
    if (ecc_group == 0 || pqc_group == 0) {
        WOLFSSL_MSG("Invalid hybrid group");
        ret = BAD_FUNC_ARG;
    }

    /* Temporary entries for the two halves of the hybrid exchange. */
    if (ret == 0) {
        ecc_kse = (KeyShareEntry*)XMALLOC(sizeof(*ecc_kse), ssl->heap,
                   DYNAMIC_TYPE_TLSX);
        pqc_kse = (KeyShareEntry*)XMALLOC(sizeof(*pqc_kse), ssl->heap,
                   DYNAMIC_TYPE_TLSX);
        if (ecc_kse == NULL || pqc_kse == NULL) {
            WOLFSSL_MSG("kse memory allocation failure");
            ret = MEMORY_ERROR;
        }
    }
    /* NOTE(review): both entries are zeroed only after both allocations
     * succeed. If exactly one succeeds, TLSX_KeyShare_FreeAll at the end runs
     * on an unzeroed struct - confirm FreeAll does not dereference its
     * fields, or zero each entry right after its own XMALLOC. */
    if (ret == 0) {
        XMEMSET(ecc_kse, 0, sizeof(*ecc_kse));
        ecc_kse->group = ecc_group;
        XMEMSET(pqc_kse, 0, sizeof(*pqc_kse));
        pqc_kse->group = pqc_group;
    }

    /* The ciphertext and shared secret sizes of a KEM are fixed. Hence, we
     * decode these sizes to properly concatenate the KEM ciphertext with the
     * ECDH public key. */
    if (ret == 0) {
        /* Allocate an ML-KEM key to hold private key. */
        pqc_kse->key = (MlKemKey*) XMALLOC(sizeof(MlKemKey), ssl->heap,
                                           DYNAMIC_TYPE_PRIVATE_KEY);
        if (pqc_kse->key == NULL) {
            WOLFSSL_MSG("GenPqcKey memory error");
            ret = MEMORY_E;
        }
        if (ret == 0) {
            ret = mlkem_id2type(pqc_kse->group, &type);
        }
        /* NOTE(review): this also fires when the XMALLOC above failed, so a
         * MEMORY_E is reported to the caller as BAD_FUNC_ARG with a
         * misleading message. */
        if (ret != 0) {
            WOLFSSL_MSG("Invalid PQC algorithm specified.");
            ret = BAD_FUNC_ARG;
        }
        if (ret == 0) {
            ret = wc_MlKemKey_Init((MlKemKey*)pqc_kse->key, type,
                                   ssl->heap, ssl->devId);
            if (ret != 0) {
                WOLFSSL_MSG("Error creating ML-KEM key");
            }
        }
        if (ret == 0) {
            ret = wc_MlKemKey_SharedSecretSize((MlKemKey*)pqc_kse->key,
                                               &ssSzPqc);
        }
        if (ret == 0) {
            ret = wc_MlKemKey_CipherTextSize((MlKemKey*)pqc_kse->key,
                                             &ctSz);
        }
        if (ret == 0) {
            ret = wc_MlKemKey_PublicKeySize((MlKemKey*)pqc_kse->key,
                                            &pubSz);
        }
    }

#ifdef WOLFSSL_ASYNC_CRYPT
    if (ret == 0) {
        /* Check if the provided kse already contains ECC data and the
         * last error was WC_PENDING_E. In this case, we already tried to
         * process ECC kse data. Hence, we have to restore it. Ownership of
         * key and pubKey moves back to ecc_kse here. */
        if (keyShareEntry->key != NULL && keyShareEntry->keyLen > 0 &&
            keyShareEntry->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            ecc_kse->key = keyShareEntry->key;
            ecc_kse->keyLen = keyShareEntry->keyLen;
            ecc_kse->pubKey = keyShareEntry->pubKey;
            ecc_kse->pubKeyLen = keyShareEntry->pubKeyLen;
            ecc_kse->lastRet = keyShareEntry->lastRet;
            keyShareEntry->key = NULL;
            keyShareEntry->pubKey = NULL;
        }
    }
#endif

    /* Generate the ECDH key share part to be sent to the client. Skipped when
     * a public key was restored from a pending async operation above. */
    if (ret == 0 && ecc_group != 0 && ecc_kse->pubKey == NULL) {
    #ifdef HAVE_CURVE25519
        if (ecc_group == WOLFSSL_ECC_X25519) {
            ret = TLSX_KeyShare_GenX25519Key(ssl, ecc_kse);
        }
        else
    #endif
    #ifdef HAVE_CURVE448
        if (ecc_group == WOLFSSL_ECC_X448) {
            ret = TLSX_KeyShare_GenX448Key(ssl, ecc_kse);
        }
        else
    #endif
        {
            ret = TLSX_KeyShare_GenEccKey(ssl, ecc_kse);
        }
    #ifdef WOLFSSL_ASYNC_CRYPT
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            /* Store the generated ECC key in the provided kse to later
             * restore it. ecc_kse->key is cleared so FreeAll below does not
             * release the parked key. */
            keyShareEntry->key = ecc_kse->key;
            keyShareEntry->keyLen = ecc_kse->keyLen;
            keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen;
            keyShareEntry->lastRet = WC_PENDING_E;
            ecc_kse->key = NULL;
        }
        else if (ret == 0 &&
                 keyShareEntry->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            keyShareEntry->lastRet = 0;
            ecc_kse->lastRet = 0;
        }
    #endif
    }

    /* The client's data must be exactly one KEM public key plus one ECDH
     * public key of the sizes this side just determined. */
    if (ret == 0 && len != pubSz + ecc_kse->pubKeyLen) {
        WOLFSSL_MSG("Invalid public key.");
        ret = BAD_FUNC_ARG;
    }

    /* Allocate buffer for the concatenated client key share data
     * (PQC KEM ciphertext + ECDH public key) */
    if (ret == 0) {
        ciphertext = (byte*)XMALLOC(ecc_kse->pubKeyLen + ctSz, ssl->heap,
            DYNAMIC_TYPE_TLSX);

        if (ciphertext == NULL) {
            WOLFSSL_MSG("Ciphertext memory allocation failure.");
            ret = MEMORY_E;
        }
    }

    /* Process ECDH key share part. The generated shared secret is directly
     * stored in the ssl->arrays->preMasterSecret buffer. Depending on the
     * pqc_first flag, the ECDH shared secret part goes before or after the
     * KEM part. */
    if (ret == 0) {
        /* Copy the client's ECDH public key out of data; the KEM public key
         * occupies the other pubSz bytes. */
        ecc_kse->keLen = len - pubSz;
        ecc_kse->ke = (byte*)XMALLOC(ecc_kse->keLen, ssl->heap,
                                     DYNAMIC_TYPE_PUBLIC_KEY);
        if (ecc_kse->ke == NULL) {
            WOLFSSL_MSG("ecc_kse memory allocation failure");
            ret = MEMORY_ERROR;
        }
        if (ret == 0) {
            int pubOffset = 0;
            int ssOffset = 0;

            if (pqc_first) {
                pubOffset = pubSz;
                ssOffset = ssSzPqc;
            }

            XMEMCPY(ecc_kse->ke, data + pubOffset, ecc_kse->keLen);

            /* NOTE(review): the ECDH secret is written at ssOffset before the
             * ENCRYPT_LEN check further down; the only bound in effect for
             * this write is whatever the *_ex routine enforces through
             * &preMasterSz - confirm. */
        #ifdef HAVE_CURVE25519
            if (ecc_group == WOLFSSL_ECC_X25519) {
                ret = TLSX_KeyShare_ProcessX25519_ex(ssl, ecc_kse,
                        ssl->arrays->preMasterSecret + ssOffset,
                        &ssl->arrays->preMasterSz);
            }
            else
        #endif
        #ifdef HAVE_CURVE448
            if (ecc_group == WOLFSSL_ECC_X448) {
                ret = TLSX_KeyShare_ProcessX448_ex(ssl, ecc_kse,
                        ssl->arrays->preMasterSecret + ssOffset,
                        &ssl->arrays->preMasterSz);
            }
            else
        #endif
            {
                ret = TLSX_KeyShare_ProcessEcc_ex(ssl, ecc_kse,
                        ssl->arrays->preMasterSecret + ssOffset,
                        &ssl->arrays->preMasterSz);
            }
        }
        if (ret == 0) {
            /* The ECDH secret length must match the key length the entry
             * records. */
            if (ssl->arrays->preMasterSz != ecc_kse->keyLen) {
                WOLFSSL_MSG("Data length mismatch.");
                ret = BAD_FUNC_ARG;
            }
        }
    #ifdef WOLFSSL_ASYNC_CRYPT
        else if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            /* Park the ECDH key and public key on the caller's entry until the
             * async operation completes; clear them on ecc_kse so FreeAll
             * does not release them. */
            keyShareEntry->lastRet = WC_PENDING_E;
            keyShareEntry->key = ecc_kse->key;
            keyShareEntry->pubKey = ecc_kse->pubKey;
            keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen;
            ecc_kse->key = NULL;
            ecc_kse->pubKey = NULL;
        }
    #endif
    }

    /* Both secret parts have to fit the pre master secret buffer. */
    if (ret == 0 && ssl->arrays->preMasterSz + ssSzPqc > ENCRYPT_LEN) {
        WOLFSSL_MSG("shared secret is too long.");
        ret = LENGTH_ERROR;
    }

    /* Process PQC KEM key share part. Depending on the pqc_first flag, the
     * KEM shared secret part goes before or after the ECDH part. */
    if (ret == 0) {
        int input_offset = ecc_kse->keLen;
        int output_offset = ssl->arrays->preMasterSz;

        if (pqc_first) {
            input_offset = 0;
            output_offset = 0;
        }

        ret = TLSX_KeyShare_HandlePqcKeyServer(ssl, pqc_kse,
                data + input_offset, pubSz,
                ssl->arrays->preMasterSecret + output_offset, &ssSzPqc);
    }

    if (ret == 0) {
        /* The client's concatenated public key is no longer needed. */
        XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);

        ssl->arrays->preMasterSz += ssSzPqc;
        keyShareEntry->ke = NULL;
        keyShareEntry->keLen = 0;

        /* Concatenate the ECDH public key and the PQC KEM ciphertext. Based on
         * the pqc_first flag, the ECDH public key goes before or after the KEM
         * ciphertext. */
        if (pqc_first) {
            XMEMCPY(ciphertext, pqc_kse->pubKey, ctSz);
            XMEMCPY(ciphertext + ctSz, ecc_kse->pubKey, ecc_kse->pubKeyLen);
        }
        else {
            XMEMCPY(ciphertext, ecc_kse->pubKey, ecc_kse->pubKeyLen);
            XMEMCPY(ciphertext + ecc_kse->pubKeyLen, pqc_kse->pubKey, ctSz);
        }

        /* ciphertext becomes the server's key share data. */
        XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        keyShareEntry->pubKey = ciphertext;
        keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen + ctSz;
        ciphertext = NULL;

        /* Set namedGroup so wolfSSL_get_curve_name() can function properly on
         * the server side. */
        ssl->namedGroup = keyShareEntry->group;
    }
    else
#ifdef WOLFSSL_ASYNC_CRYPT
        if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
#endif
    {
        /* Clear the pre master secret buffer to prevent leaking any
         * intermediate keys in the error case. Do not use preMasterSz
         * here as it may already been set to the ECC shared secret size,
         * which would be too small due to the PQC offset case. */
        ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN);
    }

    /* Unlike the client-side hybrid path, ecc_kse owns its key here unless a
     * pending async operation moved it to keyShareEntry above. */
    TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap);
    TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap);
    XFREE(ciphertext, ssl->heap, DYNAMIC_TYPE_TLSX);
    return ret;
}
#endif /* WOLFSSL_HAVE_MLKEM && !WOLFSSL_MLKEM_NO_ENCAPSULATE */
/* Add (or refresh) a key share entry for `group` in the KeyShare extension.
 *
 * The KeyShare extension is created on first use and its response flag is
 * cleared. If an entry for the group already exists it is reused; otherwise a
 * fresh entry is appended with TLSX_KeyShare_New().
 *
 * ssl         The SSL/TLS object (heap and, for key generation, key state).
 * group       The named group identifier.
 * len         Length of `data` in bytes.
 * data        Peer public key data, or NULL to generate our own key pair.
 *             Ownership of a non-NULL `data` buffer transfers to the entry:
 *             the pointer is stored directly, not copied, and any previously
 *             stored peer data for the entry is freed first.
 * kse         Optional out parameter receiving the entry that was used.
 * extensions  The extension list to operate on.
 * returns 0 on success, MEMORY_E if the extension could not be created, or
 * the error from TLSX_Push()/TLSX_KeyShare_New()/TLSX_KeyShare_GenKey().
 */
int TLSX_KeyShare_Use(const WOLFSSL* ssl, word16 group, word16 len, byte* data,
                      KeyShareEntry **kse, TLSX** extensions)
{
    int            ret;
    TLSX*          ext;
    KeyShareEntry* entry;

    /* Locate the KeyShare extension, creating it when absent. */
    ext = TLSX_Find(*extensions, TLSX_KEY_SHARE);
    if (ext == NULL) {
        ret = TLSX_Push(extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
        if (ret != 0)
            return ret;
        ext = TLSX_Find(*extensions, TLSX_KEY_SHARE);
        if (ext == NULL)
            return MEMORY_E;
    }
    /* This is request-side data, not a response. */
    ext->resp = 0;

    /* Reuse an existing entry for the group when there is one. */
    for (entry = (KeyShareEntry*)ext->data; entry != NULL;
            entry = entry->next) {
    #if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \
        defined(WOLFSSL_EXTRA_PQC_HYBRIDS)
        /* A legacy hybrid code point matches the entry carrying the current
         * identifier for the same construction; relabel the entry to the
         * legacy id the caller asked for. */
        if ((group == WOLFSSL_P256_ML_KEM_512_OLD &&
                entry->group == WOLFSSL_SECP256R1MLKEM512) ||
            (group == WOLFSSL_P384_ML_KEM_768_OLD &&
                entry->group == WOLFSSL_SECP384R1MLKEM768) ||
            (group == WOLFSSL_P521_ML_KEM_1024_OLD &&
                entry->group == WOLFSSL_SECP521R1MLKEM1024)) {
            entry->group = group;
            break;
        }
    #endif /* WOLFSSL_ML_KEM_USE_OLD_IDS && WOLFSSL_EXTRA_PQC_HYBRIDS */
        if (entry->group == group)
            break;
    }

    /* No entry for this group yet: append one. */
    if (entry == NULL) {
        ret = TLSX_KeyShare_New((KeyShareEntry**)&ext->data, group,
                                ssl->heap, &entry);
        if (ret != 0)
            return ret;
    }

    if (data == NULL) {
        /* Generate a key pair. The const is cast away because the changes
         * made inside are minimal and removing it would need a much larger
         * refactor. This path must not be reached while parsing a
         * ClientHello in stateless mode. */
        ret = TLSX_KeyShare_GenKey((WOLFSSL*)ssl, entry);
        if (ret != 0)
            return ret;
    }
    else {
        /* Take ownership of the peer's key share data, dropping any
         * previously stored peer data for this entry. */
        XFREE(entry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        entry->ke = data;
        entry->keLen = len;
    }

    if (kse != NULL)
        *kse = entry;

    return 0;
}
/* Ensure the KeyShare extension is present but carries no entries.
 *
 * When the extension does not exist yet it is pushed empty; when it exists
 * any entries it holds are freed and the data pointer is cleared.
 *
 * ssl  The SSL/TLS object whose extension list is modified.
 * returns 0 on success, otherwise the error from TLSX_Push().
 */
int TLSX_KeyShare_Empty(WOLFSSL* ssl)
{
    TLSX* ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);

    if (ext == NULL) {
        /* Nothing to clear; just create the (empty) extension. */
        return TLSX_Push(&ssl->extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
    }

    if (ext->data != NULL) {
        /* Release every entry so the extension serializes as empty. */
        TLSX_KeyShare_FreeAll((KeyShareEntry*)ext->data, ssl->heap);
        ext->data = NULL;
    }

    return 0;
}
11273
11274
/* Built-in group preference table, strongest first.
 *
 * TLSX_KeyShare_GroupRank() ranks by index into this table whenever the
 * application has not installed its own list (ssl->numGroups == 0): a lower
 * index is a higher preference. The table is terminated by
 * WOLFSSL_NAMED_GROUP_INVALID, which PREFERRED_GROUP_SZ excludes from the
 * count.
 *
 * Compile-time gating must stay aligned with TLSX_PopulateSupportedGroups().
 * Runtime-only conditions in that function (TLS 1.3 version check, FFDHE
 * key-size bounds, session-resumption short-circuit, downgrade-aware
 * Brainpool TLS 1.2 selection) are intentionally not represented here. */
static const word16 preferredGroup[] = {
    /* Sort by strength, but prefer non-experimental PQ/T hybrid groups */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
    !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS)
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519) && \
        ECC_MIN_KEY_SZ <= 256
    WOLFSSL_X25519MLKEM768,
    #endif
    #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
        (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
        ECC_MIN_KEY_SZ <= 384
    WOLFSSL_SECP384R1MLKEM1024,
    #endif
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
        (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
        ECC_MIN_KEY_SZ <= 256
    WOLFSSL_SECP256R1MLKEM768,
    #endif
#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_MLKEM && !WOLFSSL_NO_ML_KEM &&
        * WOLFSSL_PQC_HYBRIDS */
    /* Standalone ML-KEM and classical groups follow, interleaved by
     * security level. */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_1024) && \
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
    WOLFSSL_ML_KEM_1024,
#endif
#if defined(HAVE_ECC) && (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
    !defined(NO_ECC_SECP) && ECC_MIN_KEY_SZ <= 521
    WOLFSSL_ECC_SECP521R1,
#endif
#if defined(HAVE_ECC) && (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && \
    defined(HAVE_ECC_BRAINPOOL) && ECC_MIN_KEY_SZ <= 512
    WOLFSSL_ECC_BRAINPOOLP512R1TLS13,
    WOLFSSL_ECC_BRAINPOOLP512R1,
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_768) && \
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
    WOLFSSL_ML_KEM_768,
#endif
#if defined(HAVE_ECC) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
    ECC_MIN_KEY_SZ <= 384
    #ifndef NO_ECC_SECP
    WOLFSSL_ECC_SECP384R1,
    #endif
    #ifdef HAVE_ECC_BRAINPOOL
    WOLFSSL_ECC_BRAINPOOLP384R1TLS13,
    WOLFSSL_ECC_BRAINPOOLP384R1,
    #endif
#endif
#if !defined(HAVE_FIPS) && defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
    WOLFSSL_ECC_X448,
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_512) && \
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
    WOLFSSL_ML_KEM_512,
#endif
#if defined(HAVE_ECC) && (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
    ECC_MIN_KEY_SZ <= 256
    #ifndef NO_ECC_SECP
    WOLFSSL_ECC_SECP256R1,
    #endif
    #ifdef HAVE_ECC_KOBLITZ
    WOLFSSL_ECC_SECP256K1,
    #endif
    #ifdef HAVE_ECC_BRAINPOOL
    WOLFSSL_ECC_BRAINPOOLP256R1TLS13,
    WOLFSSL_ECC_BRAINPOOLP256R1,
    #endif
    #if !defined(HAVE_FIPS) && defined(WOLFSSL_SM2)
    WOLFSSL_ECC_SM2P256V1,
    #endif
#endif
#if !defined(HAVE_FIPS) && defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
    WOLFSSL_ECC_X25519,
#endif
#if defined(HAVE_ECC) && (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && \
    ECC_MIN_KEY_SZ <= 224
    #ifndef NO_ECC_SECP
    WOLFSSL_ECC_SECP224R1,
    #endif
    #ifdef HAVE_ECC_KOBLITZ
    WOLFSSL_ECC_SECP224K1,
    #endif
#endif
    /* Sub-224-bit curves are excluded from FIPS builds entirely. */
#if !defined(HAVE_FIPS) && defined(HAVE_ECC)
    #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && \
        ECC_MIN_KEY_SZ <= 192
        #ifndef NO_ECC_SECP
        WOLFSSL_ECC_SECP192R1,
        #endif
        #ifdef HAVE_ECC_KOBLITZ
        WOLFSSL_ECC_SECP192K1,
        #endif
    #endif
    #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && \
        ECC_MIN_KEY_SZ <= 160
        #ifndef NO_ECC_SECP
        WOLFSSL_ECC_SECP160R1,
        #endif
        #ifdef HAVE_ECC_SECPR2
        WOLFSSL_ECC_SECP160R2,
        #endif
        #ifdef HAVE_ECC_KOBLITZ
        WOLFSSL_ECC_SECP160K1,
        #endif
    #endif
#endif /* !HAVE_FIPS && HAVE_ECC */
    /* Finite-field DH groups rank below every elliptic-curve group. */
#if defined(HAVE_FFDHE_8192)
    WOLFSSL_FFDHE_8192,
#endif
#if defined(HAVE_FFDHE_6144)
    WOLFSSL_FFDHE_6144,
#endif
#if defined(HAVE_FFDHE_4096)
    WOLFSSL_FFDHE_4096,
#endif
#if defined(HAVE_FFDHE_3072)
    WOLFSSL_FFDHE_3072,
#endif
#if defined(HAVE_FFDHE_2048)
    WOLFSSL_FFDHE_2048,
#endif
    /* Extra (non-default) ML-KEM hybrids rank after FFDHE; they are only
     * present when WOLFSSL_EXTRA_PQC_HYBRIDS is defined. */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
    !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_EXTRA_PQC_HYBRIDS)
    #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
        (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
        ECC_MIN_KEY_SZ <= 521
    WOLFSSL_SECP521R1MLKEM1024,
    #endif
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
        (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
        ECC_MIN_KEY_SZ <= 384
    WOLFSSL_SECP384R1MLKEM768,
    #endif
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE448) && \
        ECC_MIN_KEY_SZ <= 448
    WOLFSSL_X448MLKEM768,
    #endif
    #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_ECC) && \
        (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
        ECC_MIN_KEY_SZ <= 256
    WOLFSSL_SECP256R1MLKEM512,
    #endif
    #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_CURVE25519) && \
        ECC_MIN_KEY_SZ <= 256
    WOLFSSL_X25519MLKEM512,
    #endif
#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_MLKEM && !WOLFSSL_NO_ML_KEM &&
        * WOLFSSL_EXTRA_PQC_HYBRIDS */
    /* Pre-standard Kyber code points rank last. */
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
    defined(WOLFSSL_MLKEM_KYBER)
    #ifdef WOLFSSL_KYBER1024
    WOLFSSL_KYBER_LEVEL5,
    #if defined(HAVE_ECC) && (defined(HAVE_ECC521) || \
        defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
    WOLFSSL_P521_KYBER_LEVEL5,
    #endif
    #endif
    #ifdef WOLFSSL_KYBER768
    WOLFSSL_KYBER_LEVEL3,
    #if defined(HAVE_ECC) && (defined(HAVE_ECC384) || \
        defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
    WOLFSSL_P384_KYBER_LEVEL3,
    #endif
    #if defined(HAVE_ECC) && (!defined(NO_ECC256) || \
        defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
    WOLFSSL_P256_KYBER_LEVEL3,
    #endif
    #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
    WOLFSSL_X25519_KYBER_LEVEL3,
    #endif
    #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
    WOLFSSL_X448_KYBER_LEVEL3,
    #endif
    #endif
    #ifdef WOLFSSL_KYBER512
    WOLFSSL_KYBER_LEVEL1,
    #if defined(HAVE_ECC) && (!defined(NO_ECC256) || \
        defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
    WOLFSSL_P256_KYBER_LEVEL1,
    #endif
    #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
    WOLFSSL_X25519_KYBER_LEVEL1,
    #endif
    #endif
#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_MLKEM && WOLFSSL_MLKEM_KYBER */
    /* Sentinel: always present, so the array is never empty. */
    WOLFSSL_NAMED_GROUP_INVALID
};

/* Number of usable entries in preferredGroup[], i.e. excluding the sentinel.
 * Callers store this in a byte (see TLSX_KeyShare_GroupRank()), which the
 * table comfortably fits. */
#define PREFERRED_GROUP_SZ \
    ((sizeof(preferredGroup)/sizeof(*preferredGroup)) - 1)
                                            /* -1 for the invalid group */
11471
11472
/* WOLFSSL_KEY_SHARE_DEFAULT_GROUP - group used for the speculative key share
 * in ClientHello messages when the application has not selected one via
 * wolfSSL_CTX_set_groups() / wolfSSL_set_groups() or wolfSSL_UseKeyShare().
 *
 * The default is optimized for the likelihood that the server will accept the
 * speculative key share without forcing a HelloRetryRequest. It therefore
 * differs from preferredGroup[] (which is sorted by strength): we pick the
 * most widely deployed group at each tier rather than the strongest.
 *
 * Selection order when not user-defined (mirrors the #elif chain below):
 *   1. A standardized PQ/T hybrid: X25519MLKEM768, then SECP256R1MLKEM768,
 *      then SECP384R1MLKEM1024, if available.
 *   2. SECP256R1, then X25519, then SECP384R1.
 *   3. FFDHE 2048 or 3072, for DH-only TLS 1.3 builds.
 *   4. preferredGroup[0] as a final fallback for any other configuration.
 *      Note that when no group at all is compiled in this resolves to the
 *      WOLFSSL_NAMED_GROUP_INVALID sentinel that terminates preferredGroup[].
 *
 * The hybrid tiers are gated on WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT rather than
 * the WOLFSSL_HAVE_MLKEM used by preferredGroup[]; presumably because this
 * default only ever drives the client's speculative share - confirm against
 * the definition of that macro if changing the gating.
 *
 * Users can override the default by defining WOLFSSL_KEY_SHARE_DEFAULT_GROUP
 * in user_settings.h to any of the WOLFSSL_* group identifiers from
 * wolfssl/ssl.h (or the numeric IANA code point). The macro is substituted
 * directly into an assignment, so wrap non-trivial expressions in parentheses.
 */
#ifndef WOLFSSL_KEY_SHARE_DEFAULT_GROUP
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
      !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
      !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519) && \
      ECC_MIN_KEY_SZ <= 256
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_X25519MLKEM768
#elif defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
      !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
      !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
      (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
      ECC_MIN_KEY_SZ <= 256
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_SECP256R1MLKEM768
#elif defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
      !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
      !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
      (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
      ECC_MIN_KEY_SZ <= 384
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_SECP384R1MLKEM1024
#elif defined(HAVE_ECC) && (!defined(NO_ECC256) || \
      defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 && \
      !defined(NO_ECC_SECP)
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_ECC_SECP256R1
#elif !defined(HAVE_FIPS) && defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
    /* Same FIPS exclusion as the X25519 entry in preferredGroup[]. */
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_ECC_X25519
#elif defined(HAVE_ECC) && (defined(HAVE_ECC384) || \
      defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 && \
      !defined(NO_ECC_SECP)
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_ECC_SECP384R1
#elif defined(HAVE_FFDHE_2048)
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_FFDHE_2048
#elif defined(HAVE_FFDHE_3072)
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_FFDHE_3072
#else
    /* Fall back to whatever preferredGroup[] starts with. */
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP (preferredGroup[0])
#endif
#endif /* !WOLFSSL_KEY_SHARE_DEFAULT_GROUP */
/* Rank a named group against the active preference list.
 *
 * The list is the application's (ssl->group, ssl->numGroups) when one was
 * set, otherwise the built-in preferredGroup[] table. Index 0 is the most
 * preferred group.
 *
 * ssl    The SSL/TLS object holding the optional application list.
 * group  The named group to look up.
 * returns the 0-based rank (0 .. MAX_GROUP_COUNT-1), or WOLFSSL_FATAL_ERROR
 * (-1) when the group is not in the list at all.
 */
static int TLSX_KeyShare_GroupRank(const WOLFSSL* ssl, int group)
{
    const word16* list;
    byte          count;
    byte          idx;

    if (ssl->numGroups != 0) {
        /* Application-supplied order wins. */
        list  = ssl->group;
        count = ssl->numGroups;
    }
    else {
        /* No application order: rank by the built-in table. */
        list  = preferredGroup;
        count = PREFERRED_GROUP_SZ;
    }

    for (idx = 0; idx < count; idx++) {
#if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \
    defined(WOLFSSL_EXTRA_PQC_HYBRIDS)
        /* A legacy hybrid code point ranks where its current identifier
         * sits in the list. */
        if ((group == WOLFSSL_P256_ML_KEM_512_OLD &&
             list[idx] == WOLFSSL_SECP256R1MLKEM512) ||
            (group == WOLFSSL_P384_ML_KEM_768_OLD &&
             list[idx] == WOLFSSL_SECP384R1MLKEM768) ||
            (group == WOLFSSL_P521_ML_KEM_1024_OLD &&
             list[idx] == WOLFSSL_SECP521R1MLKEM1024)) {
            return idx;
        }
#endif
        if (list[idx] == (word16)group)
            return idx;
    }

    /* Not present in the list: the caller must not select this group. */
    return WOLFSSL_FATAL_ERROR;
}
/* Pick the group the server will ask the client to retry with and install an
 * (empty) KeyShare response entry for it.
 *
 * The candidate is the best-ranked group (per TLSX_KeyShare_GroupRank()) that
 * the client advertised in supported_groups and that this side supports and
 * has not disabled. If none qualifies, the best-ranked group from the
 * application's own list is used instead.
 *
 * NOTE(review): that fallback may name a group the client never offered in
 * supported_groups; an RFC 8446 (4.2.8) client is required to abort the
 * handshake on such a HelloRetryRequest. Confirm this is intended before
 * relying on it.
 *
 * ssl         The SSL/TLS object.
 * extensions  Extension list; a new KeyShare extension is pushed to its head.
 * returns 0 when a group was selected and the entry created,
 * BAD_KEY_SHARE_DATA when no group could be selected (or, with async crypto,
 * when an earlier key generation is still pending), NOT_COMPILED_IN without
 * HAVE_SUPPORTED_CURVES, or the error from TLSX_Push()/TLSX_KeyShare_New().
 */
int TLSX_KeyShare_SetSupported(const WOLFSSL* ssl, TLSX** extensions)
{
    int             ret;
#ifdef HAVE_SUPPORTED_CURVES
    TLSX*           ext;
    SupportedCurve* cur;
    SupportedCurve* best = NULL;
    word16          chosen = WOLFSSL_NAMED_GROUP_INVALID;
    KeyShareEntry*  entry = NULL;
    int             bestRank = WOLFSSL_MAX_GROUP_COUNT;
    int             rank;

    /* Walk the client's supported_groups keeping the best-ranked usable one.
     * Server preference order decides; the client had a common group but no
     * key share for it. */
    ext = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
    cur = (ext != NULL) ? (SupportedCurve*)ext->data : NULL;
    while (cur != NULL) {
        if (TLSX_IsGroupSupported(cur->name, ssl->options.side) &&
                !wolfSSL_curve_is_disabled(ssl, cur->name)) {
            rank = TLSX_KeyShare_GroupRank(ssl, cur->name);
            if (rank != -1 && rank < bestRank) {
                best = cur;
                bestRank = rank;
            }
        }
        cur = cur->next;
    }

    if (best != NULL) {
        chosen = best->name;
    }
    else {
        /* Nothing usable from the client: fall back to the application's
         * own list (empty when the application set none). */
        byte i;

        bestRank = WOLFSSL_MAX_GROUP_COUNT;
        for (i = 0; i < ssl->numGroups; i++) {
            rank = TLSX_KeyShare_GroupRank(ssl, ssl->group[i]);
            if (rank != -1 && rank < bestRank) {
                chosen = ssl->group[i];
                bestRank = rank;
            }
        }
        if (chosen == WOLFSSL_NAMED_GROUP_INVALID) {
            /* No group selected or specified by the server */
            WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
            return BAD_KEY_SHARE_DATA;
        }
    }

    #ifdef WOLFSSL_ASYNC_CRYPT
    /* Refuse to replace a KeyShare whose key generation is still in flight:
     * we are only advertising a choice here, not computing keys. */
    ext = TLSX_Find(*extensions, TLSX_KEY_SHARE);
    if (ext != NULL) {
        entry = (KeyShareEntry*)ext->data;
        if (entry != NULL && entry->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
            return BAD_KEY_SHARE_DATA;
        }
    }
    #endif

    /* Push a fresh KeyShare extension (this frees any existing one) and
     * record the selected group as its single, response-side entry. */
    ret = TLSX_Push(extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
    if (ret != 0)
        return ret;
    ext = *extensions;  /* TLSX_Push() places the new extension at the head */
    ret = TLSX_KeyShare_New((KeyShareEntry**)&ext->data, chosen,
                            ssl->heap, &entry);
    if (ret != 0)
        return ret;
    ext->resp = 1;
#else
    (void)ssl;
    (void)extensions;

    WOLFSSL_ERROR_VERBOSE(NOT_COMPILED_IN);
    ret = NOT_COMPILED_IN;
#endif

    return ret;
}
#ifdef WOLFSSL_DUAL_ALG_CERTS
/* Serialize this side's CKS signature-spec list into `output`.
 *
 * ssl     The SSL/TLS object; ssl->sigSpec / ssl->sigSpecSz are the source.
 * output  Destination buffer, assumed large enough for ssl->sigSpecSz bytes.
 * returns the number of bytes written.
 */
static word16 CKS_WRITE(WOLFSSL* ssl, byte* output)
{
    const byte* spec = ssl->sigSpec;

    XMEMCPY(output, spec, ssl->sigSpecSz);
    return ssl->sigSpecSz;
}
/* Make sure a CKS extension is present in the list.
 *
 * The extension's data is the WOLFSSL object itself, since the values to
 * write live in ssl->sigSpec. An already-present extension is left as is.
 *
 * extensions  The extension list to add to; must not be NULL.
 * ssl         The SSL/TLS object stored as the extension's data.
 * heap        Heap hint for the allocation.
 * returns 0 on success (including the already-present case), BAD_FUNC_ARG
 * for a NULL list, otherwise the error from TLSX_Push().
 */
static int TLSX_UseCKS(TLSX** extensions, WOLFSSL* ssl, void* heap)
{
    if (extensions == NULL)
        return BAD_FUNC_ARG;

    /* Nothing to do when it is already in the list. */
    if (TLSX_Find(*extensions, TLSX_CKS) != NULL)
        return 0;

    return TLSX_Push(extensions, TLSX_CKS, (void*)ssl, heap);
}
/* Install a response-side CKS extension at the head of the list.
 *
 * A new CKS extension is pushed (replacing any existing one), its data is
 * pointed at the WOLFSSL object so ssl->sigSpecSz is available when the
 * extension length is computed, and it is flagged as a response.
 *
 * ssl         The SSL/TLS object.
 * extensions  The extension list to push onto.
 * returns 0 on success, otherwise the error from TLSX_Push().
 */
int TLSX_CKS_Set(WOLFSSL* ssl, TLSX** extensions)
{
    int ret = TLSX_Push(extensions, TLSX_CKS, NULL, ssl->heap);

    if (ret == 0) {
        /* TLSX_Push() leaves the new extension at the head of the list. */
        TLSX* head = *extensions;

        head->data = ssl;
        head->resp = 1;
    }

    return ret;
}
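/* Parse the peer's CKS (certificate key selection) extension and decide which
 * signature spec to use.
 *
 * Every byte of `input` must be one of WOLFSSL_CKS_SIGSPEC_NATIVE,
 * _ALTERNATIVE or _BOTH; _EXTERNAL and unknown values are rejected. The
 * extension is ignored (sigSpec cleared) when the negotiated version is below
 * TLS 1.3 or when a server has no alternative private key to sign with.
 * Otherwise the peer's list is copied to ssl->peerSigSpec and a spec is
 * chosen: the head of the peer's list when we have no preference, else the
 * first entry of our own ssl->sigSpec list that the peer also listed.
 *
 * Fix: a previously stored ssl->peerSigSpec is now released before the new
 * copy is allocated, instead of being overwritten and leaked when this
 * extension is parsed more than once on the same object (e.g. a second
 * ClientHello). This assumes peerSigSpec is either NULL or an allocation
 * owned by this object, as is the case for the allocation made here.
 *
 * ssl         The SSL/TLS object.
 * input       The extension data.
 * length      Length of `input` in bytes.
 * extensions  Unused; the response goes into ssl->extensions.
 * returns 0 on success (including the ignored cases), BUFFER_ERROR for an
 * empty extension or an allocation failure, BAD_FUNC_ARG for an invalid spec
 * value, MATCH_SUITE_ERROR when no spec is common to both sides, or the error
 * from wolfSSL_UseCKS()/TLSX_UseCKS().
 */
int TLSX_CKS_Parse(WOLFSSL* ssl, byte* input, word16 length,
                   TLSX** extensions)
{
    int ret;
    int i, j;

    (void) extensions;

    /* Validating the input. */
    if (length == 0)
        return BUFFER_ERROR;
    for (i = 0; i < length; i++) {
        switch (input[i])
        {
            case WOLFSSL_CKS_SIGSPEC_NATIVE:
            case WOLFSSL_CKS_SIGSPEC_ALTERNATIVE:
            case WOLFSSL_CKS_SIGSPEC_BOTH:
                /* These are all valid values; do nothing */
                break;
            case WOLFSSL_CKS_SIGSPEC_EXTERNAL:
            default:
                /* All other values (including external) are not. */
                return BAD_FUNC_ARG;
        }
    }

    /* This could be a situation where the client tried to start with TLS 1.3
     * when it sent ClientHello and the server down-graded to TLS 1.2. In that
     * case, erroring out because it is TLS 1.2 is not a reasonable thing to do.
     * In the case of TLS 1.2, the CKS values will be ignored. */
    if (!IsAtLeastTLSv1_3(ssl->version)) {
        ssl->sigSpec = NULL;
        ssl->sigSpecSz = 0;
        return 0;
    }

    /* Extension data is valid, but if we are the server and we don't have an
     * alt private key, do not respond with CKS extension. */
    if (wolfSSL_is_server(ssl) && ssl->buffers.altKey == NULL) {
        ssl->sigSpec = NULL;
        ssl->sigSpecSz = 0;
        return 0;
    }

    /* Copy as the lifetime of input seems to be ephemeral. Release any copy
     * kept from an earlier parse first so it is not leaked. */
    XFREE(ssl->peerSigSpec, ssl->heap, DYNAMIC_TYPE_TLSX);
    ssl->peerSigSpecSz = 0;
    ssl->peerSigSpec = (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_TLSX);
    if (ssl->peerSigSpec == NULL) {
        /* Kept as BUFFER_ERROR for compatibility; MEMORY_E is the usual
         * code for a failed allocation elsewhere in this file. */
        return BUFFER_ERROR;
    }
    XMEMCPY(ssl->peerSigSpec, input, length);
    ssl->peerSigSpecSz = length;

    /* If there is no preference set, use theirs: the single entry at the
     * head of the peer's list. */
    if (ssl->sigSpec == NULL) {
        ret = wolfSSL_UseCKS(ssl, ssl->peerSigSpec, 1);
        if (ret == WOLFSSL_SUCCESS) {
            ret = TLSX_UseCKS(&ssl->extensions, ssl, ssl->heap);
            TLSX_SetResponse(ssl, TLSX_CKS);
        }
        return ret;
    }

    /* ...otherwise, prioritize our preference: the first of our entries that
     * appears anywhere in the peer's list wins. */
    for (i = 0; i < ssl->sigSpecSz; i++) {
        for (j = 0; j < length; j++) {
            if (ssl->sigSpec[i] == input[j]) {
                /* Got the match, set to this one. */
                ret = wolfSSL_UseCKS(ssl, &ssl->sigSpec[i], 1);
                if (ret == WOLFSSL_SUCCESS) {
                    ret = TLSX_UseCKS(&ssl->extensions, ssl, ssl->heap);
                    TLSX_SetResponse(ssl, TLSX_CKS);
                }
                return ret;
            }
        }
    }

    /* No match found. Cannot continue. */
    return MATCH_SUITE_ERROR;
}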
11798
#endif /* WOLFSSL_DUAL_ALG_CERTS */
11799
11800
/* Decide whether a single client key share entry may be selected.
 *
 * An entry qualifies only when it carries key data, is consistent with the
 * client's supported_groups (RFC 8446 requires key_share groups to also be
 * offered there), is an ECC/FFDHE/ML-KEM group this build knows how to
 * handle, is not disabled, and is supported on this side. With SM2 enabled,
 * an SM cipher suite additionally requires the SM2 group and every other
 * suite excludes it.
 *
 * ssl           The SSL/TLS object.
 * e             The client's key share entry.
 * extensions    The client's extension list (for supported_groups lookup).
 * cipherSuite0  First byte of the negotiated cipher suite (SM2 builds only).
 * cipherSuite   Second byte of the negotiated cipher suite (SM2 builds only).
 * returns 1 when the entry may be selected, 0 otherwise.
 */
static int TLSX_KeyShare_IsUsableClientKSE(const WOLFSSL* ssl,
    const KeyShareEntry* e, TLSX* extensions, byte cipherSuite0,
    byte cipherSuite)
{
    (void)cipherSuite0;
    (void)cipherSuite;

    /* No key data means there is nothing to derive a secret from. */
    if (e->ke == NULL)
        return 0;

#ifdef WOLFSSL_SM2
    if ((cipherSuite0 == CIPHER_BYTE) &&
        ((cipherSuite == TLS_SM4_GCM_SM3) ||
         (cipherSuite == TLS_SM4_CCM_SM3))) {
        if (e->group != WOLFSSL_ECC_SM2P256V1)
            return 0;
    }
    else if (e->group == WOLFSSL_ECC_SM2P256V1) {
        return 0;
    }
#endif

    /* Extensions may arrive in any order, so check consistency here. */
    if (!TLSX_SupportedGroups_Find(ssl, e->group, extensions))
        return 0;

    if (!WOLFSSL_NAMED_GROUP_IS_FFDHE(e->group)) {
        /* Above the ECC range only PQC identifiers are acceptable. */
        if (e->group > WOLFSSL_ECC_MAX) {
#ifdef WOLFSSL_HAVE_MLKEM
            if (!WOLFSSL_NAMED_GROUP_IS_PQC(e->group) &&
                !WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(e->group))
#endif
                return 0;
        }
        if (wolfSSL_curve_is_disabled(ssl, e->group))
            return 0;
    }

    return TLSX_IsGroupSupported(e->group, ssl->options.side) ? 1 : 0;
}

/* Server side KSE processing: choose the client key share entry to use.
 *
 * Among the usable entries (see TLSX_KeyShare_IsUsableClientKSE()) the one
 * with the best rank per TLSX_KeyShare_GroupRank() is selected; entries not
 * in the preference list at all are skipped. `*kse` is NULL when nothing
 * qualifies, which is not an error here - the caller decides on a
 * HelloRetryRequest.
 *
 * ssl           The SSL/TLS object; must be the server side.
 * extensions    The client's extension list.
 * cipherSuite0  First byte of the negotiated cipher suite.
 * cipherSuite   Second byte of the negotiated cipher suite.
 * kse           Out: the selected client entry, or NULL.
 * searched      Out: set to 1 once the search has run to completion.
 * returns 0 on success, BAD_FUNC_ARG for a NULL or non-server ssl,
 * INCOMPLETE_DATA if the KeyShare extension is already marked as a response
 * (or, with async crypto, the result of finishing the pending key generation).
 */
int TLSX_KeyShare_Choose(const WOLFSSL *ssl, TLSX* extensions,
    byte cipherSuite0, byte cipherSuite, KeyShareEntry** kse, byte* searched)
{
    TLSX*          ext;
    KeyShareEntry* cur;
    KeyShareEntry* best = NULL;
    int            bestRank = WOLFSSL_MAX_GROUP_COUNT;

    if (ssl == NULL || ssl->options.side != WOLFSSL_SERVER_END)
        return BAD_FUNC_ARG;

    *searched = 0;

    ext = TLSX_Find(extensions, TLSX_KEY_SHARE);

    if (ext != NULL && ext->resp == 1) {
        /* Outside of the async case this path should not be taken. */
        int ret = WC_NO_ERR_TRACE(INCOMPLETE_DATA);
    #ifdef WOLFSSL_ASYNC_CRYPT
        /* in async case make sure key generation is finalized */
        KeyShareEntry* serverKSE = (KeyShareEntry*)ext->data;
        if (serverKSE && serverKSE->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
            if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE)
                *searched = 1;
            ret = TLSX_KeyShare_GenKey((WOLFSSL*)ssl, serverKSE);
        }
        else
    #endif
        {
            ret = INCOMPLETE_DATA;
        }
        return ret;
    }

    /* Server preference order decides among the client's usable entries. */
    cur = (ext != NULL) ? (KeyShareEntry*)ext->data : NULL;
    for (; cur != NULL; cur = cur->next) {
        int rank;

        if (!TLSX_KeyShare_IsUsableClientKSE(ssl, cur, extensions,
                                             cipherSuite0, cipherSuite))
            continue;

        rank = TLSX_KeyShare_GroupRank(ssl, cur->group);
        if (rank != -1 && rank < bestRank) {
            best = cur;
            bestRank = rank;
        }
    }

    *kse = best;
    *searched = 1;
    return 0;
}
/* Server side KSE processing.
 *
 * Builds the server's KeyShareEntry for the key_share extension from the
 * client's chosen entry and installs it as the extension's (only) data, with
 * the extension marked as a response (resp = 1).
 *
 * Two paths exist depending on clientKSE->key:
 *  - key == NULL: a fresh server key pair is generated (TLSX_KeyShare_GenKey),
 *    or, for PQC / PQC-hybrid groups, the server-side KEM handling is run on
 *    the client's key exchange data instead of generating a key pair.
 *  - key != NULL: the key, public key and (non-NO_DH) private key buffers are
 *    moved out of clientKSE into the new entry and the source pointers are
 *    cleared; presumably the client entry already carries server-generated
 *    material here (e.g. prepared earlier) - confirm against the callers.
 * In both paths the client's key exchange data (ke/keLen) is moved into the
 * server entry and ssl->namedGroup is set to the entry's group.
 *
 * ssl        The SSL/TLS object; must be a server-side object.
 * clientKSE  The client's KeyShareEntry chosen by TLSX_KeyShare_Choose.
 * returns 0 on success, BAD_FUNC_ARG for a NULL/non-server ssl or a NULL
 * clientKSE (except the async "already set up" case below), BAD_STATE_E when
 * no key_share extension exists, or an error from key generation / KEM
 * handling. With WOLFSSL_ASYNC_CRYPT, WC_PENDING_E may be returned after the
 * entry has been installed so the caller can resume later.
 */
int TLSX_KeyShare_Setup(WOLFSSL *ssl, KeyShareEntry* clientKSE)
{
    int            ret;
    TLSX*          extension;
    KeyShareEntry* serverKSE;
    KeyShareEntry* list = NULL;

    if (ssl == NULL || ssl->options.side != WOLFSSL_SERVER_END)
        return BAD_FUNC_ARG;

    extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    if (extension == NULL)
        return BAD_STATE_E;

    if (clientKSE == NULL) {
#ifdef WOLFSSL_ASYNC_CRYPT
        /* Not necessarily an error. The key may have already been setup.
         * (extension is already known to be non-NULL at this point.) */
        if (extension != NULL && extension->resp == 1) {
            serverKSE = (KeyShareEntry*)extension->data;
            if (serverKSE != NULL) {
                /* in async case make sure key generation is finalized */
                if (serverKSE->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E))
                    return TLSX_KeyShare_GenKey((WOLFSSL*)ssl, serverKSE);
                else if (serverKSE->lastRet == 0)
                    return 0;
            }
        }
#endif
        return BAD_FUNC_ARG;
    }

    /* Generate a new key pair except in the case of PQC KEM because we
     * are going to encapsulate and that does not require us to generate a
     * key pair.
     */
    /* serverKSE is appended to the local list; list is only used to free the
     * entry again on the error path below. */
    ret = TLSX_KeyShare_New(&list, clientKSE->group, ssl->heap, &serverKSE);
    if (ret != 0)
        return ret;

    if (clientKSE->key == NULL) {
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
        if (WOLFSSL_NAMED_GROUP_IS_PQC(clientKSE->group)) {
            /* KEM: the shared secret is produced directly into the
             * pre-master secret buffer. */
            ret = TLSX_KeyShare_HandlePqcKeyServer(ssl, serverKSE,
                    clientKSE->ke, clientKSE->keLen,
                    ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz);
        }
        else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(clientKSE->group)) {
            ret = TLSX_KeyShare_HandlePqcHybridKeyServer(ssl, serverKSE,
                    clientKSE->ke, clientKSE->keLen);
        }
        else
#endif
        {
            ret = TLSX_KeyShare_GenKey(ssl, serverKSE);
        }

        /* for async do setup of serverKSE below, but return WC_PENDING_E */
        if (ret != 0
        #ifdef WOLFSSL_ASYNC_CRYPT
            && ret != WC_NO_ERR_TRACE(WC_PENDING_E)
        #endif
        ) {
            /* Nothing has been moved out of clientKSE yet, so only the new
             * server entry needs releasing. */
            TLSX_KeyShare_FreeAll(list, ssl->heap);
            return ret;
        }
    }
    else {
        /* transfer buffers to serverKSE */
        /* Ownership moves: the source pointers are cleared so clientKSE no
         * longer references the buffers. */
        serverKSE->key = clientKSE->key;
        clientKSE->key = NULL;
        serverKSE->keyLen = clientKSE->keyLen;
        serverKSE->pubKey = clientKSE->pubKey;
        clientKSE->pubKey = NULL;
        serverKSE->pubKeyLen = clientKSE->pubKeyLen;
    #ifndef NO_DH
        serverKSE->privKey = clientKSE->privKey;
        clientKSE->privKey = NULL;
    #endif
    }
    /* The client's key exchange data also moves to the server entry. */
    serverKSE->ke = clientKSE->ke;
    serverKSE->keLen = clientKSE->keLen;
    clientKSE->ke = NULL;
    clientKSE->keLen = 0;
    ssl->namedGroup = serverKSE->group;

    /* Replace whatever the extension held (the client's entries) with the
     * single server entry. */
    TLSX_KeyShare_FreeAll((KeyShareEntry*)extension->data, ssl->heap);
    extension->data = (void *)serverKSE;

    extension->resp = 1;
    /* ret is 0 here, or WC_PENDING_E in the async case. */
    return ret;
}
/* Ensure there is a key pair that can be used for key exchange.
 *
 * Asks TLSX_KeyShare_Choose for the client KeyShareEntry that fits the
 * negotiated cipher suite. If one is found it is set up on the server side;
 * if the search ran but found nothing, the supported-groups extension is
 * prepared and the caller is told to send a HelloRetryRequest.
 *
 * ssl           The SSL/TLS object.
 * doHelloRetry  Set to 1 when a HelloRetryRequest must be sent, else 0.
 * returns 0 on success and other values indicate failure.
 */
int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry)
{
    KeyShareEntry* chosen = NULL;
    byte           searched = 0;
    int            ret;

    *doHelloRetry = 0;

    ret = TLSX_KeyShare_Choose(ssl, ssl->extensions, ssl->cipher.cipherSuite0,
                               ssl->cipher.cipherSuite, &chosen, &searched);
    if (ret != 0)
        return ret;
    /* No search was performed: nothing to establish. */
    if (!searched)
        return 0;

    if (chosen != NULL)
        return TLSX_KeyShare_Setup(ssl, chosen);

    /* No supported group found - send HelloRetryRequest. */
    *doHelloRetry = 1;
    return TLSX_KeyShare_SetSupported(ssl, &ssl->extensions);
}
/* Derive the shared secret of the key exchange.
 *
 * Locates the key_share extension and runs TLSX_KeyShare_Process over its
 * entries. With WOLFSSL_ASYNC_CRYPT a pending async operation is popped
 * first and any real error from it is returned.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, KEY_SHARE_ERROR when there is no key_share data, and
 * other values indicate failure.
 */
int TLSX_KeyShare_DeriveSecret(WOLFSSL *ssl)
{
    TLSX*          extension;
    KeyShareEntry* entries;
#ifdef WOLFSSL_ASYNC_CRYPT
    int ret = wolfSSL_AsyncPop(ssl, NULL);
    /* A negative result other than "nothing pending" is a real error. */
    if (ret < 0 && ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E))
        return ret;
#endif

    /* The extension may be absent, or present with no entries. */
    extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
    entries = (extension != NULL) ? (KeyShareEntry*)extension->data : NULL;
    if (entries == NULL)
        return KEY_SHARE_ERROR;

    /* Calculate secret. */
    return TLSX_KeyShare_Process(ssl, entries);
}
#define KS_FREE_ALL  TLSX_KeyShare_FreeAll
12049
0
#define KS_GET_SIZE  TLSX_KeyShare_GetSize
12050
0
#define KS_WRITE     TLSX_KeyShare_Write
12051
0
#define KS_PARSE     TLSX_KeyShare_Parse
12052
12053
#else
12054
12055
#define KS_FREE_ALL(a, b) WC_DO_NOTHING
12056
#define KS_GET_SIZE(a, b)    0
12057
#define KS_WRITE(a, b, c)    0
12058
#define KS_PARSE(a, b, c, d) 0
12059
12060
#endif /* WOLFSSL_TLS13 */
12061
12062
/******************************************************************************/
12063
/* Pre-Shared Key                                                             */
12064
/******************************************************************************/
12065
12066
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
12067
/* Free the pre-shared key dynamic data.
 *
 * Walks the list, releasing each entry's identity copy and then the entry
 * itself.
 *
 * list  The linked list of pre-shared key objects.
 * heap  The heap used for allocation.
 */
static void TLSX_PreSharedKey_FreeAll(PreSharedKey* list, void* heap)
{
    PreSharedKey* next;

    for (; list != NULL; list = next) {
        /* Read the link before the node is gone. */
        next = list->next;
        XFREE(list->identity, heap, DYNAMIC_TYPE_TLSX);
        XFREE(list, heap, DYNAMIC_TYPE_TLSX);
    }

    (void)heap;
}
/* Get the size of the encoded pre shared key extension.
 *
 * ClientHello: two length fields plus, per entry, the identity (length +
 * data + ticket age) and the binder (length + data). ServerHello: only the
 * two-byte selected identity index.
 *
 * list     The linked list of pre-shared key objects.
 * msgType  The type of the message this extension is being written into.
 * pSz      Running size; the extension's encoded size is added to it.
 * returns 0 on success, LENGTH_ERROR when the size would exceed 16 bits, or
 * SANITY_MSG_E to indicate invalid message type.
 */
static int TLSX_PreSharedKey_GetSize(PreSharedKey* list, byte msgType,
                                     word16* pSz)
{
    word32        len;
    PreSharedKey* cur;

    if (msgType == server_hello) {
        *pSz += OPAQUE16_LEN;
        return 0;
    }
    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* Length of identities + Length of binders. */
    len = OPAQUE16_LEN + OPAQUE16_LEN;
    for (cur = list; cur != NULL; cur = cur->next) {
        /* Each entry has: identity, ticket age and binder. */
        len += OPAQUE16_LEN + cur->identityLen + OPAQUE32_LEN +
               OPAQUE8_LEN + (word32)cur->binderLen;
        /* Checked per entry so len stays well inside word32. */
        if (len > WOLFSSL_MAX_16BIT) {
            WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
            return LENGTH_ERROR;
        }
    }
    if ((word32)*pSz + len > WOLFSSL_MAX_16BIT) {
        WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
        return LENGTH_ERROR;
    }
    *pSz += (word16)len;
    return 0;
}
/* The number of bytes to be written for the binders.
 *
 * Only valid for ClientHello: a two-byte list length followed by, per entry,
 * a one-byte binder length and the binder bytes.
 *
 * list     The linked list of pre-shared key objects.
 * msgType  The type of the message this extension is being written into.
 * pSz      Set (not added to) to the encoded size of the binder list.
 * returns 0 on success, LENGTH_ERROR when the size would exceed 16 bits, or
 * SANITY_MSG_E to indicate invalid message type.
 */
int TLSX_PreSharedKey_GetSizeBinders(PreSharedKey* list, byte msgType,
                                     word16* pSz)
{
    word32        total = OPAQUE16_LEN;
    PreSharedKey* cur;

    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    for (cur = list; cur != NULL; cur = cur->next) {
        total += OPAQUE8_LEN + (word32)cur->binderLen;
        if (total > WOLFSSL_MAX_16BIT) {
            WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
            return LENGTH_ERROR;
        }
    }

    *pSz = (word16)total;
    return 0;
}
/* Writes the pre-shared key extension into the output buffer - binders only.
 * Assumes that the output buffer is big enough to hold the data (see
 * TLSX_PreSharedKey_GetSizeBinders).
 *
 * Layout: two-byte length of the binder list, then per entry a one-byte
 * binder length followed by the binder bytes.
 *
 * list     The linked list of pre-shared key objects.
 * output   The buffer to write into.
 * msgType  The type of the message this extension is being written into.
 * pSz      Set to the number of bytes written into the buffer.
 * returns 0 on success or SANITY_MSG_E to indicate invalid message type.
 */
int TLSX_PreSharedKey_WriteBinders(PreSharedKey* list, byte* output,
                                   byte msgType, word16* pSz)
{
    PreSharedKey* cur;
    word16        idx;

    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* Leave room for the list length; it is patched in once known. */
    idx = OPAQUE16_LEN;
    for (cur = list; cur != NULL; cur = cur->next) {
        output[idx++] = (byte)cur->binderLen;
        XMEMCPY(output + idx, cur->binder, cur->binderLen);
        idx += (word16)cur->binderLen;
    }
    /* Length of the binders, excluding the length field itself. */
    c16toa((word16)(idx - OPAQUE16_LEN), output);

    *pSz = idx;
    return 0;
}
/* Writes the pre-shared key extension into the output buffer.
 * Assumes that the output buffer is big enough to hold the data.
 *
 * ClientHello: writes the identities list only. The binders are a MAC over
 * the ClientHello up to and including the identities, so they are written
 * later by TLSX_PreSharedKey_WriteBinders; their size is still counted in
 * pSz here. ServerHello: writes the index of the chosen identity.
 *
 * list     The linked list of pre-shared key objects.
 * output   The buffer to write into.
 * msgType  The type of the message this extension is being written into.
 * pSz      Running size; the extension's encoded size is added to it.
 * returns 0 on success, BUILD_MSG_ERROR when no entry is marked chosen for a
 * ServerHello, an error from TLSX_PreSharedKey_GetSizeBinders, or
 * SANITY_MSG_E to indicate invalid message type.
 */
static int TLSX_PreSharedKey_Write(PreSharedKey* list, byte* output,
                                   byte msgType, word16* pSz)
{
    if (msgType == server_hello) {
        PreSharedKey* cur = list;
        word16        chosenIdx = 0;

        /* Position of the chosen entry within the client's list. */
        while (cur != NULL && !cur->chosen) {
            cur = cur->next;
            chosenIdx++;
        }
        if (cur == NULL) {
            WOLFSSL_ERROR_VERBOSE(BUILD_MSG_ERROR);
            return BUILD_MSG_ERROR;
        }

        c16toa(chosenIdx, output);
        *pSz += OPAQUE16_LEN;
        return 0;
    }

    if (msgType == client_hello) {
        PreSharedKey* cur;
        word16        idx = OPAQUE16_LEN;  /* room for identities length */
        word16        bindersLen;
        int           ret;

        for (cur = list; cur != NULL; cur = cur->next) {
            /* identity: length, data */
            c16toa(cur->identityLen, output + idx);
            idx += OPAQUE16_LEN;
            XMEMCPY(output + idx, cur->identity, cur->identityLen);
            idx += cur->identityLen;
            /* obfuscated ticket age */
            c32toa(cur->ticketAge, output + idx);
            idx += OPAQUE32_LEN;
        }
        /* Length of the identities, excluding the length field. */
        c16toa((word16)(idx - OPAQUE16_LEN), output);

        /* Binders are not written here, only accounted for. */
        ret = TLSX_PreSharedKey_GetSizeBinders(list, msgType, &bindersLen);
        if (ret < 0)
            return ret;
        *pSz += idx + bindersLen;
        return 0;
    }

    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
    return SANITY_MSG_E;
}
/* Parse the pre-shared key extension from a ClientHello.
 *
 * Layout parsed: a two-byte length-prefixed list of identities, each being
 * (two-byte identity length, identity bytes, four-byte ticket age), followed
 * by a two-byte length-prefixed list of binders, each being (one-byte binder
 * length, binder bytes). Any previous pre_shared_key data in extensions is
 * removed first; one PreSharedKey object is created per identity through
 * TLSX_PreSharedKey_Use and the binders are then copied into those objects
 * in order.
 *
 * extensions  The extension list to add the parsed entries to.
 * input       The extension data.
 * length      The length of the extension data.
 * heap        The heap used for allocation.
 * returns 0 on success, BUFFER_E on malformed or truncated data (including a
 * binder count that does not match the identity count), PSK_KEY_ERROR when
 * no extension object exists after the identities were parsed, or an error
 * from TLSX_PreSharedKey_Use.
 */
int TLSX_PreSharedKey_Parse_ClientHello(TLSX** extensions, const byte* input,
                                        word16 length, void* heap)
{

    int    ret;
    word16 len;
    word16 idx = 0;
    TLSX*         extension;
    PreSharedKey* list;

    /* Start from a clean slate so stale entries cannot be mixed in. */
    TLSX_Remove(extensions, TLSX_PRE_SHARED_KEY, heap);

    /* Length of identities and of binders. */
    if ((int)(length - idx) < OPAQUE16_LEN + OPAQUE16_LEN)
        return BUFFER_E;

    /* Length of identities. */
    ato16(input + idx, &len);
    idx += OPAQUE16_LEN;
    if (len < MIN_PSK_ID_LEN || length - idx < len)
        return BUFFER_E;

    /* Create a pre-shared key object for each identity. */
    /* Every read below is bounded by len, which is itself bounded by the
     * remaining input, so idx cannot run past length. */
    while (len > 0) {
        const byte* identity;
        word16      identityLen;
        word32      age;

        if (len < OPAQUE16_LEN)
            return BUFFER_E;

        /* Length of identity. */
        ato16(input + idx, &identityLen);
        idx += OPAQUE16_LEN;
        /* Promoted to int, so the sum cannot wrap. */
        if (len < OPAQUE16_LEN + identityLen + OPAQUE32_LEN ||
                identityLen > MAX_PSK_ID_LEN)
            return BUFFER_E;
        /* Cache identity pointer. */
        identity = input + idx;
        idx += identityLen;
        /* Ticket age. */
        ato32(input + idx, &age);
        idx += OPAQUE32_LEN;

        /* MAC and cipher suite are not known yet (no_mac, 0, 0) and the entry
         * is marked as resumption; binderLen starts at 0 and is filled in from
         * the wire below. A repeated identity reuses the existing entry, so
         * such a ClientHello ends up with fewer entries than binders and is
         * rejected by the final check. */
        ret = TLSX_PreSharedKey_Use(extensions, identity, identityLen, age, no_mac,
                                    0, 0, 1, NULL, heap);
        if (ret != 0)
            return ret;

        /* Done with this identity. */
        len -= OPAQUE16_LEN + identityLen + OPAQUE32_LEN;
    }

    /* Find the list of identities sent to server. */
    extension = TLSX_Find(*extensions, TLSX_PRE_SHARED_KEY);
    if (extension == NULL)
        return PSK_KEY_ERROR;
    list = (PreSharedKey*)extension->data;

    /* Length of binders. */
    if (idx + OPAQUE16_LEN > length)
        return BUFFER_E;
    ato16(input + idx, &len);
    idx += OPAQUE16_LEN;
    /* NOTE(review): a binder list shorter than the remaining input is
     * rejected here, but extra bytes after the declared binder list
     * (length - idx > len) are not; the final check below only covers the
     * declared length. */
    if (len < MIN_PSK_BINDERS_LEN || length - idx < len)
        return BUFFER_E;

    /* Set binder for each identity. */
    while (list != NULL && len > 0) {
        /* Length of binder */
        /* len > 0 guarantees this byte is inside the declared list. */
        list->binderLen = input[idx++];
        /* Binder must fit the static binder buffer and be at least a
         * SHA-256 digest long. */
        if (list->binderLen < WC_SHA256_DIGEST_SIZE ||
                list->binderLen > WC_MAX_DIGEST_SIZE)
            return BUFFER_E;
        if (len < OPAQUE8_LEN + list->binderLen)
            return BUFFER_E;

        /* Copy binder into static buffer. */
        XMEMCPY(list->binder, input + idx, list->binderLen);
        idx += (word16)list->binderLen;

        /* Done with binder entry. */
        len -= OPAQUE8_LEN + (word16)list->binderLen;

        /* Next identity. */
        list = list->next;
    }
    /* Identities and binders must pair up exactly. */
    if (list != NULL || len != 0)
        return BUFFER_E;

    return 0;

}
/* Parse the pre-shared key extension.
 * Different formats in different messages.
 *
 * ClientHello: delegated to TLSX_PreSharedKey_Parse_ClientHello.
 * ServerHello: a two-byte index selecting one of the identities the client
 * offered; the matching entry is marked chosen and, for a resumption entry,
 * the session's cipher suite and protocol version must match what was
 * negotiated.
 *
 * ssl      The SSL/TLS object.
 * input    The extension data.
 * length   The length of the extension data.
 * msgType  The type of the message this extension is being parsed from.
 * returns 0 on success, BUFFER_E on bad length, INCOMPLETE_DATA when the
 * client never sent a pre_shared_key extension, PSK_KEY_ERROR for an
 * out-of-range index or a resumption mismatch, SANITY_MSG_E for any other
 * message type, or an error from the ClientHello parser.
 */
static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
                                   word16 length, byte msgType)
{

    if (msgType == client_hello) {
        return TLSX_PreSharedKey_Parse_ClientHello(&ssl->extensions, input,
                                                   length, ssl->heap);
    }

    if (msgType == server_hello) {
        word16 idx;
        PreSharedKey* list;
        TLSX*         extension;

        /* Index of identity chosen by server. */
        if (length != OPAQUE16_LEN)
            return BUFFER_E;
        ato16(input, &idx);

    #ifdef WOLFSSL_EARLY_DATA
        /* Stored as index + 1 so 0 can mean "none". Recorded before the index
         * is validated; an invalid index still fails below. */
        ssl->options.pskIdIndex = idx + 1;
    #endif

        /* Find the list of identities sent to server. */
        extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
        if (extension == NULL)
            return INCOMPLETE_DATA;
        list = (PreSharedKey*)extension->data;

        /* Mark the identity as chosen. */
        /* Walk idx links; running off the end means the server picked an
         * index we never offered. */
        for (; list != NULL && idx > 0; idx--)
            list = list->next;
        if (list == NULL) {
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
            return PSK_KEY_ERROR;
        }
        list->chosen = 1;

        if (list->resumption) {
           /* Check that the session's details are the same as the server's. */
           if (ssl->options.cipherSuite0  != ssl->session->cipherSuite0       ||
               ssl->options.cipherSuite   != ssl->session->cipherSuite        ||
               ssl->session->version.major != ssl->ctx->method->version.major ||
               ssl->session->version.minor != ssl->ctx->method->version.minor) {
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
               return PSK_KEY_ERROR;
           }
        }

        return 0;
    }

    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
    return SANITY_MSG_E;
}
/* Create a new pre-shared key and put it into the list.
 *
 * The entry is zeroed, given its own NUL-terminated copy of the identity and
 * appended at the tail of the list.
 *
 * list          The linked list of pre-shared key objects.
 * identity      The identity.
 * len           The length of the identity data.
 * heap          The memory to allocate with.
 * preSharedKey  Receives the new pre-shared key object.
 * returns 0 on success or MEMORY_E when allocation fails.
 */
static int TLSX_PreSharedKey_New(PreSharedKey** list, const byte* identity,
                                 word16 len, void *heap,
                                 PreSharedKey** preSharedKey)
{
    PreSharedKey*  entry;
    PreSharedKey** tail;

    entry = (PreSharedKey*)XMALLOC(sizeof(PreSharedKey), heap,
                                   DYNAMIC_TYPE_TLSX);
    if (entry == NULL)
        return MEMORY_E;
    XMEMSET(entry, 0, sizeof(*entry));

    /* Own a copy of the identity with a trailing NUL so it can also be
     * treated as a C string. */
    entry->identity = (byte*)XMALLOC(len + NULL_TERM_LEN, heap,
                                     DYNAMIC_TYPE_TLSX);
    if (entry->identity == NULL) {
        XFREE(entry, heap, DYNAMIC_TYPE_TLSX);
        return MEMORY_E;
    }
    XMEMCPY(entry->identity, identity, len);
    entry->identityLen = len;
    entry->identity[len] = '\0';

    /* Append at the tail. The link is read into a temporary on purpose: the
     * original code notes a customer-reported compiler bug when updating the
     * walking pointer in place. */
    tail = list;
    while (*tail != NULL) {
        PreSharedKey** nextLink = &((*tail)->next);
        tail = nextLink;
    }
    *tail = entry;
    *preSharedKey = entry;

    (void)heap;

    return 0;
}
/* Map a MAC algorithm id to its digest length, which is the PSK binder length.
 *
 * hmac  The MAC algorithm identifier (sha256_mac, sha384_mac, ...).
 * returns the digest size in bytes, or 0 for an algorithm that is not
 * compiled in or has no entry here (e.g. no_mac).
 */
static WC_INLINE byte GetHmacLength(int hmac)
{
    byte digestSz = 0;

#ifndef NO_SHA256
    if (hmac == sha256_mac)
        digestSz = WC_SHA256_DIGEST_SIZE;
#endif
#ifdef WOLFSSL_SHA384
    if (hmac == sha384_mac)
        digestSz = WC_SHA384_DIGEST_SIZE;
#endif
#ifdef WOLFSSL_SHA512
    if (hmac == sha512_mac)
        digestSz = WC_SHA512_DIGEST_SIZE;
#endif
#ifdef WOLFSSL_SM3
    if (hmac == sm3_mac)
        digestSz = WC_SM3_DIGEST_SIZE;
#endif

    return digestSz;
}
/* Use the data to create a new pre-shared key object in the extensions.
 *
 * The pre_shared_key extension is created if missing. An existing entry with
 * byte-identical identity is reused rather than duplicated; either way the
 * entry's age, MAC, cipher suite, resumption flag and binder length are
 * (re)set from the arguments.
 *
 * extensions    The extension list to add to.
 * identity      The identity.
 * len           The length of the identity data.
 * age           The (obfuscated) ticket age of the identity.
 * hmac          The HMAC algorithm; determines binderLen via GetHmacLength.
 * cipherSuite0  The first byte of the cipher suite to use.
 * cipherSuite   The second byte of the cipher suite to use.
 * resumption    The PSK is for resumption of a session.
 * preSharedKey  Optionally receives the (new or reused) pre-shared key object.
 * heap          The heap used for allocation.
 * returns 0 on success, MEMORY_E when the extension cannot be created, or an
 * error from TLSX_Push / TLSX_PreSharedKey_New.
 */
int TLSX_PreSharedKey_Use(TLSX** extensions, const byte* identity, word16 len,
                          word32 age, byte hmac, byte cipherSuite0,
                          byte cipherSuite, byte resumption,
                          PreSharedKey **preSharedKey, void* heap)
{
    TLSX*         extension;
    PreSharedKey* entry;

    /* Make sure the pre_shared_key extension object exists. */
    extension = TLSX_Find(*extensions, TLSX_PRE_SHARED_KEY);
    if (extension == NULL) {
        int ret = TLSX_Push(extensions, TLSX_PRE_SHARED_KEY, NULL, heap);
        if (ret != 0)
            return ret;

        extension = TLSX_Find(*extensions, TLSX_PRE_SHARED_KEY);
        if (extension == NULL)
            return MEMORY_E;
    }

    /* Look for an entry carrying exactly this identity. */
    for (entry = (PreSharedKey*)extension->data; entry != NULL;
            entry = entry->next) {
        if (entry->identityLen == len &&
                XMEMCMP(entry->identity, identity, len) == 0) {
            break;
        }
    }

    /* None found: append a fresh one. */
    if (entry == NULL) {
        int ret = TLSX_PreSharedKey_New((PreSharedKey**)&extension->data,
                                        identity, len, heap, &entry);
        if (ret != 0)
            return ret;
    }

    /* Refresh the per-use attributes whether the entry is new or reused. */
    entry->ticketAge    = age;
    entry->hmac         = hmac;
    entry->cipherSuite0 = cipherSuite0;
    entry->cipherSuite  = cipherSuite;
    entry->resumption   = resumption;
    entry->binderLen    = GetHmacLength(entry->hmac);

    if (preSharedKey != NULL)
        *preSharedKey = entry;

    return 0;
}
12569
12570
#define PSK_FREE_ALL  TLSX_PreSharedKey_FreeAll
12571
#define PSK_GET_SIZE  TLSX_PreSharedKey_GetSize
12572
#define PSK_WRITE     TLSX_PreSharedKey_Write
12573
#define PSK_PARSE     TLSX_PreSharedKey_Parse
12574
12575
#else
12576
12577
#define PSK_FREE_ALL(a, b) WC_DO_NOTHING
12578
#define PSK_GET_SIZE(a, b, c) 0
12579
#define PSK_WRITE(a, b, c, d) 0
12580
#define PSK_PARSE(a, b, c, d) 0
12581
12582
#endif
12583
12584
/******************************************************************************/
12585
/* Certificate Authentication with External Pre-Shared Key                    */
12586
/******************************************************************************/
12587
12588
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
12589
    !defined(NO_PSK)
12590
12591
/* Get the size of the encoded Certificate-with-External-PSK extension.
 *
 * The extension carries no payload, so nothing is added to pSz.
 *
 * msgType  The type of the message this extension is being written into
 *          (unused).
 * pSz      Running size (unchanged).
 * returns 0.
 */
static int TLSX_CertWithExternPsk_GetSize(byte msgType, word16* pSz)
{
    /* Zero-length extension - nothing to add. */
    (void)msgType;
    (void)pSz;

    return 0;
}
/* Write the Certificate-with-External-PSK extension into the output buffer.
 *
 * The extension carries no payload, so no bytes are written and pSz is left
 * as is.
 *
 * output   The buffer to write into (unused).
 * msgType  The type of the message this extension is being written into
 *          (unused).
 * pSz      Running size (unchanged).
 * returns 0.
 */
static int TLSX_CertWithExternPsk_Write(byte* output, byte msgType,
    word16* pSz)
{
    /* Zero-length extension - nothing to write. */
    (void)output;
    (void)msgType;
    (void)pSz;

    return 0;
}
/* Parse the Certificate-with-External-PSK extension.
 *
 * ClientHello (server side): ignored unless the application enabled
 * options.certWithExternPsk; when enabled, the extension object is created
 * with resp left at 0 - CheckPreSharedKeys() is the sole writer that flips
 * resp to 1, and only after confirming that a non-ticket PSK was matched.
 * ServerHello (client side): only acceptable if we offered the extension;
 * then the option is switched on.
 *
 * ssl      The SSL/TLS object.
 * msgType  The type of the message this extension is being parsed from.
 * returns 0 on success, EXT_NOT_ALLOWED for an unsolicited ServerHello
 * extension, SANITY_MSG_E for any other message type, or an error from
 * TLSX_Push.
 */
static int TLSX_CertWithExternPsk_Parse(WOLFSSL* ssl, byte msgType)
{
    int ret = 0;

    if (msgType == server_hello) {
        /* The server may only echo what the client offered. */
        if (TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) == NULL) {
            WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
            return EXT_NOT_ALLOWED;
        }
        ssl->options.certWithExternPsk = 1;
        return 0;
    }

    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* Server has not opted in - treat the extension as unknown. */
    if (!ssl->options.certWithExternPsk)
        return 0;

    /* Record that the client offered the extension, leaving resp=0. */
    if (TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) == NULL) {
        ret = TLSX_Push(&ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK,
            NULL, ssl->heap);
    }
    return ret;
}
/* Add the Certificate-with-External-PSK extension and mark it for sending.
 *
 * The extension object is created if absent and its resp flag set to 1.
 *
 * ssl  The SSL/TLS object.
 * returns 0 on success, MEMORY_E when the extension cannot be found after
 * being pushed, or an error from TLSX_Push.
 */
int TLSX_CertWithExternPsk_Use(WOLFSSL* ssl)
{
    int   ret;
    TLSX* extension;

    extension = TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK);
    if (extension == NULL) {
        ret = TLSX_Push(&ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK, NULL,
            ssl->heap);
        if (ret != 0)
            return ret;

        extension = TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK);
        if (extension == NULL)
            return MEMORY_E;
    }

    extension->resp = 1;

    return 0;
}
12654
12655
#define PSK_WITH_CERT_GET_SIZE  TLSX_CertWithExternPsk_GetSize
12656
#define PSK_WITH_CERT_WRITE     TLSX_CertWithExternPsk_Write
12657
#define PSK_WITH_CERT_PARSE     TLSX_CertWithExternPsk_Parse
12658
12659
#else
12660
12661
#define PSK_WITH_CERT_GET_SIZE(a, b) 0
12662
#define PSK_WITH_CERT_WRITE(a, b, c) 0
12663
#define PSK_WITH_CERT_PARSE(a, b) 0
12664
12665
#endif /* WOLFSSL_TLS13 && WOLFSSL_CERT_WITH_EXTERN_PSK */
12666
12667
/******************************************************************************/
12668
/* PSK Key Exchange Modes                                                     */
12669
/******************************************************************************/
12670
12671
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
12672
/* Get the size of the encoded PSK KE modes extension.
 * Only in ClientHello.
 *
 * Wire format: one length byte followed by one byte per offered mode
 * (PSK_KE and/or PSK_DHE_KE).
 *
 * modes    The PSK KE mode bit string.
 * msgType  The type of the message this extension is being written into.
 * pSz      Running size; the extension's encoded size is added to it.
 * returns 0 on success or SANITY_MSG_E to indicate invalid message type.
 */
static int TLSX_PskKeModes_GetSize(byte modes, byte msgType, word16* pSz)
{
    word16 count = 0;

    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* Count the modes that will be written. */
    if ((modes & (1 << PSK_KE)) != 0)
        count++;
    if ((modes & (1 << PSK_DHE_KE)) != 0)
        count++;

    /* Length byte plus one byte per mode. */
    *pSz += (word16)(OPAQUE8_LEN + count * OPAQUE8_LEN);
    return 0;
}
/* Writes the PSK KE modes extension into the output buffer.
 * Assumes that the output buffer is big enough to hold the data.
 * Only in ClientHello.
 *
 * modes    The PSK KE mode bit string.
 * output   The buffer to write into.
 * msgType  The type of the message this extension is being written into.
 * pSz      Running size; the number of bytes written is added to it.
 * returns 0 on success or SANITY_MSG_E to indicate invalid message type.
 */
static int TLSX_PskKeModes_Write(byte modes, byte* output, byte msgType,
                                 word16* pSz)
{
    byte* p;

    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* Format: Len | Modes*  - modes first, length byte patched in after. */
    p = output + OPAQUE8_LEN;
    if (modes & (1 << PSK_KE))
        *p++ = PSK_KE;
    if (modes & (1 << PSK_DHE_KE))
        *p++ = PSK_DHE_KE;
    output[0] = (byte)(p - output - OPAQUE8_LEN);

    *pSz += (word16)(p - output);
    return 0;
}
/* Parse the PSK KE modes extension data into a mode bit string.
 * Only in ClientHello.
 *
 * Wire format: one length byte followed by that many mode bytes, which must
 * account for the whole extension. Unrecognised modes are skipped; an empty
 * list is accepted and leaves *modes at 0.
 *
 * input    The extension data.
 * length   The length of the extension data.
 * msgType  The type of the message this extension is being parsed from.
 * modes    Receives a bit per recognised mode (1 << PSK_KE, 1 << PSK_DHE_KE).
 * returns 0 on success, BUFFER_E on malformed data or SANITY_MSG_E to
 * indicate invalid message type.
 */
int TLSX_PskKeyModes_Parse_Modes(const byte* input, word16 length, byte msgType,
                                byte* modes)
{
    word16 count;
    word16 i;

    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    *modes = 0;

    /* Ensure length byte exists. */
    if (length < OPAQUE8_LEN)
        return BUFFER_E;

    /* The mode list must be exactly the remaining data. */
    count = input[0];
    if (length - OPAQUE8_LEN != count)
        return BUFFER_E;

    for (i = 0; i < count; i++) {
        byte mode = input[OPAQUE8_LEN + i];
        /* Ignore unrecognized modes. */
        if (mode <= PSK_DHE_KE)
            *modes |= (byte)(1 << mode);
    }

    return 0;
}
/* Parse the PSK KE modes extension.
 * Only in ClientHello.
 *
 * Decodes the mode list with TLSX_PskKeyModes_Parse_Modes and records the
 * result in the extension via TLSX_PskKeyModes_Use.
 *
 * ssl      The SSL/TLS object.
 * input    The extension data.
 * length   The length of the extension data.
 * msgType  The type of the message this extension is being parsed from.
 * returns 0 on success and other values indicate failure.
 */
static int TLSX_PskKeModes_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                                 byte msgType)
{
    byte modes = 0;
    int  ret;

    ret = TLSX_PskKeyModes_Parse_Modes(input, length, msgType, &modes);
    if (ret == 0) {
        ret = TLSX_PskKeyModes_Use(ssl, modes);
    }
    if (ret != 0) {
        WOLFSSL_ERROR_VERBOSE(ret);
    }

    return ret;
}
/* Use the data to create a new PSK Key Exchange Modes object in the extensions.
12790
 *
12791
 * ssl    The SSL/TLS object.
12792
 * modes  The PSK key exchange modes.
12793
 * returns 0 on success and other values indicate failure.
12794
 */
12795
int TLSX_PskKeyModes_Use(WOLFSSL* ssl, byte modes)
{
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);

    /* Create the node on first use; later calls only overwrite the value. */
    if (extension == NULL) {
        int ret = TLSX_Push(&ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES,
                            NULL, ssl->heap);
        if (ret != 0)
            return ret;

        /* Push reported success but the node cannot be found: report it as
         * an allocation failure rather than dereferencing NULL below. */
        extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
        if (extension == NULL)
            return MEMORY_E;
    }

    /* The mode bit-set is stored inline in the extension node. */
    extension->val = modes;
    return 0;
}
12818
12819
/* Dispatch names used by the generic extension code; the stubs below keep
 * the call sites compiling when the PSK key-exchange-modes code is built out. */
#define PKM_GET_SIZE  TLSX_PskKeModes_GetSize
#define PKM_WRITE     TLSX_PskKeModes_Write
#define PKM_PARSE     TLSX_PskKeModes_Parse

#else

#define PKM_GET_SIZE(a, b, c) 0
#define PKM_WRITE(a, b, c, d) 0
#define PKM_PARSE(a, b, c, d) 0

#endif
12830
12831
/******************************************************************************/
12832
/* Post-Handshake Authentication                                              */
12833
/******************************************************************************/
12834
12835
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
12836
/* Get the size of the encoded Post-Handshake Authentication extension.
12837
 * Only in ClientHello.
12838
 *
12839
 * msgType  The type of the message this extension is being written into.
12840
 * returns the number of bytes of the encoded Post-Handshake Authentication
12841
 * extension.
12842
 */
12843
static int TLSX_PostHandAuth_GetSize(byte msgType, word16* pSz)
{
    /* The extension has no body, so nothing is added to *pSz; only the
     * message type is validated. Returns 0 or SANITY_MSG_E. */
    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    *pSz += 0;
    return 0;
}
12853
12854
/* Writes the Post-Handshake Authentication extension into the output buffer.
12855
 * Assumes that the output buffer is big enough to hold the data.
12856
 * Only in ClientHello.
12857
 *
12858
 * output   The buffer to write into.
12859
 * msgType  The type of the message this extension is being written into.
12860
 * returns the number of bytes written into the buffer.
12861
 */
12862
static int TLSX_PostHandAuth_Write(byte* output, byte msgType, word16* pSz)
{
    /* Empty body: output is never touched and *pSz is unchanged.
     * Returns 0 or SANITY_MSG_E for a message that may not carry it. */
    (void)output;

    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    *pSz += 0;
    return 0;
}
12874
12875
/* Parse the Post-Handshake Authentication extension.
12876
 * Only in ClientHello.
12877
 *
12878
 * ssl      The SSL/TLS object.
12879
 * input    The extension data.
12880
 * length   The length of the extension data.
12881
 * msgType  The type of the message this extension is being parsed from.
12882
 * returns 0 on success and other values indicate failure.
12883
 */
12884
static int TLSX_PostHandAuth_Parse(WOLFSSL* ssl, const byte* input,
                                   word16 length, byte msgType)
{
    (void)input;

    if (msgType != client_hello) {
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
        return SANITY_MSG_E;
    }

    /* post_handshake_auth carries no payload (RFC 8446 4.2.6); any bytes
     * mean a malformed extension. */
    if (length != 0)
        return BUFFER_E;

    /* Remember that the peer is willing to be asked for a certificate after
     * the handshake has completed. */
    ssl->options.postHandshakeAuth = 1;
    return 0;
}
12901
12902
/* Create a new Post-handshake authentication object in the extensions.
12903
 *
12904
 * ssl    The SSL/TLS object.
12905
 * returns 0 on success and other values indicate failure.
12906
 */
12907
static int TLSX_PostHandAuth_Use(WOLFSSL* ssl)
{
    /* The extension carries no value: its presence is the whole signal, so
     * an existing node is left as is and only a missing one is pushed. */
    if (TLSX_Find(ssl->extensions, TLSX_POST_HANDSHAKE_AUTH) != NULL)
        return 0;

    return TLSX_Push(&ssl->extensions, TLSX_POST_HANDSHAKE_AUTH, NULL,
                     ssl->heap);
}
12924
12925
/* Dispatch names for post_handshake_auth; the stubs keep the generic
 * extension code compiling when the feature is built out. */
#define PHA_GET_SIZE  TLSX_PostHandAuth_GetSize
#define PHA_WRITE     TLSX_PostHandAuth_Write
#define PHA_PARSE     TLSX_PostHandAuth_Parse

#else

#define PHA_GET_SIZE(a, b)    0
#define PHA_WRITE(a, b, c)    0
#define PHA_PARSE(a, b, c, d) 0

#endif
12936
12937
/******************************************************************************/
12938
/* Early Data Indication                                                      */
12939
/******************************************************************************/
12940
12941
#ifdef WOLFSSL_EARLY_DATA
12942
/* Get the size of the encoded Early Data Indication extension.
12943
 * In messages: ClientHello, EncryptedExtensions and NewSessionTicket.
12944
 *
12945
 * msgType  The type of the message this extension is being written into.
12946
 * returns the number of bytes of the encoded Early Data Indication extension.
12947
 */
12948
static int TLSX_EarlyData_GetSize(byte msgType, word16* pSz)
{
    switch (msgType) {
        case client_hello:
        case encrypted_extensions:
            /* Indication only: no body in these messages. */
            *pSz += 0;
            return 0;
        case session_ticket:
            /* NewSessionTicket carries the 4-byte max_early_data_size. */
            *pSz += OPAQUE32_LEN;
            return 0;
        default:
            WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
            return SANITY_MSG_E;
    }
}
12963
12964
/* Writes the Early Data Indicator extension into the output buffer.
12965
 * Assumes that the output buffer is big enough to hold the data.
12966
 * In messages: ClientHello, EncryptedExtensions and NewSessionTicket.
12967
 *
12968
 * maxSz    The maximum early data size.
12969
 * output   The buffer to write into.
12970
 * msgType  The type of the message this extension is being written into.
12971
 * returns the number of bytes written into the buffer.
12972
 */
12973
static int TLSX_EarlyData_Write(word32 maxSz, byte* output, byte msgType,
                                word16* pSz)
{
    switch (msgType) {
        case client_hello:
        case encrypted_extensions:
            /* Empty body: nothing written, *pSz untouched. */
            return 0;
        case session_ticket:
            /* max_early_data_size is serialized with c32toa into 4 bytes. */
            c32toa(maxSz, output);
            *pSz += OPAQUE32_LEN;
            return 0;
        default:
            WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
            return SANITY_MSG_E;
    }
}
12987
12988
/* Parse the Early Data Indicator extension.
12989
 * In messages: ClientHello, EncryptedExtensions and NewSessionTicket.
12990
 *
12991
 * ssl      The SSL/TLS object.
12992
 * input    The extension data.
12993
 * length   The length of the extension data.
12994
 * msgType  The type of the message this extension is being parsed from.
12995
 * returns 0 on success and other values indicate failure.
12996
 */
12997
static int TLSX_EarlyData_Parse(WOLFSSL* ssl, const byte* input, word16 length,
                                 byte msgType)
{
    WOLFSSL_ENTER("TLSX_EarlyData_Parse");
    if (msgType == client_hello) {
        /* Server side: the ClientHello form has an empty body.
         * NOTE(review): the BUFFER_E returns in this function are not logged
         * with WOLFSSL_ERROR_VERBOSE, unlike the SANITY_MSG_E path below. */
        if (length != 0)
            return BUFFER_E;

        if (ssl->earlyData == expecting_early_data) {
            /* Accept only if this server was configured with a non-zero
             * early-data budget; otherwise record the rejection. */
            if (ssl->options.maxEarlyDataSz != 0)
                ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED;
            else
                ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED;

            /* Queue the node with size 0 and resp=0; presumably the response
             * flag is set later by the server's reply path in tls13.c --
             * confirm. */
            return TLSX_EarlyData_Use(ssl, 0, 0);
        }
        /* Not yet expecting early data: only remember that it was offered. */
        ssl->earlyData = early_data_ext;

        return 0;
    }
    if (msgType == encrypted_extensions) {
        if (length != 0)
            return BUFFER_E;

        /* Ensure the index of PSK identity chosen by server is 0.
         * Index is plus one to handle 'not set' value of 0.
         * (RFC 8446 4.2.10: early data may only be accepted with the first
         * offered PSK identity.)
         */
        if (ssl->options.pskIdIndex != 1) {
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
            return PSK_KEY_ERROR;
        }

        if (ssl->options.side == WOLFSSL_CLIENT_END) {
            /* the extension from server comes in */
            ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED;
        }

        /* Record the acceptance as a response-side extension node. */
        return TLSX_EarlyData_Use(ssl, 1, 1);
    }
    if (msgType == session_ticket) {
        word32 maxSz;

        /* Body is exactly the 4-byte max_early_data_size for this ticket. */
        if (length != OPAQUE32_LEN)
            return BUFFER_E;
        ato32(input, &maxSz);

        /* Kept on the session; presumably consulted when resuming with it. */
        ssl->session->maxEarlyDataSz = maxSz;
        return 0;
    }

    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
    return SANITY_MSG_E;
}
13051
13052
/* Use the data to create a new Early Data object in the extensions.
13053
 *
13054
 * ssl    The SSL/TLS object.
13055
 * maxSz  The maximum early data size.
13056
 * is_response   if this extension is part of a response
13057
 * returns 0 on success and other values indicate failure.
13058
 */
13059
int TLSX_EarlyData_Use(WOLFSSL* ssl, word32 maxSz, int is_response)
{
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);

    /* Create the node on first use; later calls update resp/val in place. */
    if (extension == NULL) {
        int ret = TLSX_Push(&ssl->extensions, TLSX_EARLY_DATA, NULL, ssl->heap);
        if (ret != 0)
            return ret;

        extension = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
        if (extension == NULL)
            return MEMORY_E;
    }

    extension->resp = is_response;

    /* QUIC (RFC 9001 4.6.3) only allows 0 or 0xffffffff as the advertised
     * size in a response; any other non-zero value is clamped up to the
     * maximum so a stale intermediate value is never sent. */
    if (WOLFSSL_IS_QUIC(ssl) && is_response && maxSz > 0)
        extension->val = WOLFSSL_MAX_32BIT;
    else
        extension->val = maxSz;

    return 0;
}
13085
13086
/* Dispatch names for early_data; the stubs keep the generic extension code
 * compiling when WOLFSSL_EARLY_DATA is not defined. */
#define EDI_GET_SIZE  TLSX_EarlyData_GetSize
#define EDI_WRITE     TLSX_EarlyData_Write
#define EDI_PARSE     TLSX_EarlyData_Parse

#else

#define EDI_GET_SIZE(a, b)    0
#define EDI_WRITE(a, b, c, d) 0
#define EDI_PARSE(a, b, c, d) 0

#endif
13097
13098
/******************************************************************************/
13099
/* QUIC transport parameter extension                                         */
13100
/******************************************************************************/
13101
#ifdef WOLFSSL_QUIC
13102
13103
/* Size of the QUIC transport-parameter extension body: the length of the
 * pre-encoded blob attached to the node, or 0 when none is attached. */
static word16 TLSX_QuicTP_GetSize(TLSX* extension)
{
    const QuicTransportParam *tp = (QuicTransportParam*)extension->data;

    if (tp == NULL)
        return 0;
    return tp->len;
}
13109
13110
/* Attach a copy of the local QUIC transport parameters to the extension list.
 *
 * ssl          The SSL/TLS object; ssl->quic.transport_local must be set.
 * ext_type     Which codepoint to use (draft or final transport_parameters).
 * is_response  Non-zero when the extension answers a peer's extension.
 * returns 0 on success, QUIC_TP_MISSING_E when no local parameters are set,
 * MEMORY_E or a TLSX_Push error otherwise.
 */
int TLSX_QuicTP_Use(WOLFSSL* ssl, TLSX_Type ext_type, int is_response)
{
    int ret = 0;
    TLSX* extension;

    WOLFSSL_ENTER("TLSX_QuicTP_Use");
    if (ssl->quic.transport_local == NULL) {
        /* RFC9000, ch 7.3: "An endpoint MUST treat the absence of [...]
         *     from either endpoint [...] as a connection error of type
         *     TRANSPORT_PARAMETER_ERROR."
         */
        ret = QUIC_TP_MISSING_E;
        goto cleanup;
    }

    /* Create the node on first use. */
    extension = TLSX_Find(ssl->extensions, ext_type);
    if (extension == NULL) {
        ret = TLSX_Push(&ssl->extensions, ext_type, NULL, ssl->heap);
        if (ret != 0)
            goto cleanup;

        extension = TLSX_Find(ssl->extensions, ext_type);
        if (extension == NULL) {
            ret = MEMORY_E;
            goto cleanup;
        }
    }
    /* Release any previously attached copy so re-use does not leak it. */
    if (extension->data) {
        QuicTransportParam_free((QuicTransportParam*)extension->data, ssl->heap);
        extension->data = NULL;
    }
    extension->resp = is_response;
    /* The node owns its own copy of the local parameters; presumably released
     * by the extension free path, which is not visible here. */
    extension->data = (void*)QuicTransportParam_dup(ssl->quic.transport_local, ssl->heap);
    if (!extension->data) {
        ret = MEMORY_E;
        goto cleanup;
    }

cleanup:
    WOLFSSL_LEAVE("TLSX_QuicTP_Use", ret);
    return ret;
}
13152
13153
/* Copy the pre-encoded transport-parameter blob into output verbatim.
 * Returns the number of bytes written (0 for an absent or empty set). The
 * caller is presumably expected to have sized output from TLSX_QuicTP_GetSize. */
static word16 TLSX_QuicTP_Write(QuicTransportParam *tp, byte* output)
{
    word16 written = 0;

    WOLFSSL_ENTER("TLSX_QuicTP_Write");
    if (tp != NULL && tp->len != 0) {
        XMEMCPY(output, tp->data, tp->len);
        written = tp->len;
    }
    WOLFSSL_LEAVE("TLSX_QuicTP_Write", written);
    return written;
}
13165
13166
/* Store the peer's encoded transport parameters on the SSL object.
 * Returns 0 on success or MEMORY_E when the copy cannot be allocated. */
static int TLSX_QuicTP_Parse(WOLFSSL *ssl, const byte *input, size_t len, int ext_type, int msgType)
{
    const QuicTransportParam *fresh;
    const QuicTransportParam **slot;

    (void)msgType;

    /* Take a private copy of the received bytes. */
    fresh = QuicTransportParam_new(input, len, ssl->heap);
    if (fresh == NULL)
        return MEMORY_E;

    /* Draft and final codepoints are kept in separate slots. */
    if (ext_type == TLSX_KEY_QUIC_TP_PARAMS_DRAFT)
        slot = &ssl->quic.transport_peer_draft;
    else
        slot = &ssl->quic.transport_peer;

    /* Replace, rather than leak, parameters from an earlier occurrence. */
    if (*slot != NULL)
        QTP_FREE(*slot, ssl->heap);
    *slot = fresh;
    return 0;
}
13183
13184
/* Dispatch names for the QUIC transport-parameter extension. */
#define QTP_GET_SIZE    TLSX_QuicTP_GetSize
#define QTP_USE         TLSX_QuicTP_Use
#define QTP_WRITE       TLSX_QuicTP_Write
#define QTP_PARSE       TLSX_QuicTP_Parse

#endif /* WOLFSSL_QUIC */
13190
13191
/* Dispatch names for the DTLS connection_id extension; the implementations
 * are not in this part of the file. The stubs keep the generic extension code
 * compiling when WOLFSSL_DTLS_CID is not defined. */
#if defined(WOLFSSL_DTLS_CID)
#define CID_GET_SIZE  TLSX_ConnectionID_GetSize
#define CID_WRITE  TLSX_ConnectionID_Write
#define CID_PARSE  TLSX_ConnectionID_Parse
#define CID_FREE  TLSX_ConnectionID_Free
#else
#define CID_GET_SIZE(a) 0
#define CID_WRITE(a, b) 0
#define CID_PARSE(a, b, c, d) 0
#define CID_FREE(a, b) 0
#endif /* defined(WOLFSSL_DTLS_CID) */
13202
13203
#if defined(HAVE_RPK)
13204
/******************************************************************************/
13205
/* Client_Certificate_Type extension                                          */
13206
/******************************************************************************/
13207
/* return 1 if specified type is included in the given list, otherwise 0 */
13208
static int IsCertTypeListed(byte type, byte cnt, const byte* list)
{
    byte i;

    /* An absent or empty list never contains the type. A count above the
     * fixed array bound is treated as "not listed" rather than read past the
     * end. NOTE(review): the bound is MAX_CLIENT_CERT_TYPE_CNT even though
     * this helper is also called with server cert type lists -- confirm the
     * two limits agree. */
    if (list == NULL || cnt == 0 || cnt > MAX_CLIENT_CERT_TYPE_CNT)
        return 0;

    for (i = 0; i < cnt; i++) {
        if (list[i] == type)
            return 1;
    }
    return 0;
}
13224
13225
/* Search both arrays from above to find a common value between the two given
13226
 * arrays (a and b). Return 1 if it finds a common value, otherwise return 0.
13227
 */
13228
static int GetCommonItem(const byte* a, byte aLen, const byte* b, byte bLen,
                                                                    byte* type)
{
    int ai;

    if (a == NULL || b == NULL)
        return 0;

    /* The first match in a's order wins, so a's ordering expresses
     * preference. Counts are not bounds-checked here; callers are expected to
     * pass lengths already validated against the arrays. */
    for (ai = 0; ai < aLen; ai++) {
        int bi;
        for (bi = 0; bi < bLen; bi++) {
            if (b[bi] == a[ai]) {
                *type = a[ai];
                return 1;
            }
        }
    }
    return 0;
}
13246
13247
/* Creates a "client certificate type" extension if necessary.
13248
 * Returns 0 if no error occurred, negative value otherwise.
13249
 * A return of 0 does not indicate that the extension was created.
13250
 */
13251
static int TLSX_ClientCertificateType_Use(WOLFSSL* ssl, byte isServer)
{
    int ret = 0;

    if (ssl == NULL)
        return BAD_FUNC_ARG;

    if (isServer) {
        /* [in server side]
         * Only answer with the extension when RPK is among the user's
         * preferred client certificate types.
         * NOTE(review): this branch does not set sending_ClientCertTypeCnt;
         * the response body relies on TLSX_ClientCertificateType_Parse having
         * set it -- confirm the call ordering.
         */

        if (IsCertTypeListed(WOLFSSL_CERT_TYPE_RPK,
                        ssl->options.rpkConfig.preferred_ClientCertTypeCnt,
                        ssl->options.rpkConfig.preferred_ClientCertTypes)) {

            WOLFSSL_MSG("Adding Client Certificate Type extension");
            ret = TLSX_Push(&ssl->extensions, TLSX_CLIENT_CERTIFICATE_TYPE, ssl,
                                                                    ssl->heap);
            if (ret == 0) {
                /* Flag the node as a response (presumably so it is emitted in
                 * the server's reply rather than a ClientHello). */
                TLSX_SetResponse(ssl, TLSX_CLIENT_CERTIFICATE_TYPE);
            }
        }
    }
    else {
        /* [in client side]
         * This extension MUST be omitted from the ClientHello unless the RPK
         * certificate is preferred by the user and actually loaded.
         */

        if (IsCertTypeListed(WOLFSSL_CERT_TYPE_RPK,
                        ssl->options.rpkConfig.preferred_ClientCertTypeCnt,
                        ssl->options.rpkConfig.preferred_ClientCertTypes)) {

            if (ssl->options.rpkState.isRPKLoaded) {

                /* Offer exactly one type: RPK. */
                ssl->options.rpkState.sending_ClientCertTypeCnt = 1;
                ssl->options.rpkState.sending_ClientCertTypes[0] =
                                                        WOLFSSL_CERT_TYPE_RPK;

                /* Push new client_certificate_type extension. */
                WOLFSSL_MSG("Adding Client Certificate Type extension");
                ret = TLSX_Push(&ssl->extensions, TLSX_CLIENT_CERTIFICATE_TYPE,
                                                                ssl, ssl->heap);
            }
            else {
                WOLFSSL_MSG("Willing to use RPK cert but not loaded it");
            }
        }
        else {
            WOLFSSL_MSG("No will to use RPK cert");
        }
    }
    return ret;
}
13305
13306
/* Parse a "client certificate type" extension received from peer.
13307
 * returns 0 on success and other values indicate failure.
13308
 */
13309
static int TLSX_ClientCertificateType_Parse(WOLFSSL* ssl, const byte* input,
                                                word16 length, byte msgType)
{
    byte typeCnt;
    int idx = 0;
    int ret = 0;
    int i;
    int populate = 0;
    byte  cmnType;


    if (msgType == client_hello) {
        /* [parse ClientHello in server end]
         * case 1) if peer verify is disabled, this extension must be omitted
         *         from ServerHello.
         * case 2) if user have not set his preference, find X509 in parsed
         *         result, then populate "Client Certificate Type" extension.
         * case 3) if user have not set his preference and X509 isn't included
         *         in parsed result, send "unsupported certificate" alert.
         * case 4) if user have set his preference, find a common cert type
         *         in users preference and received cert types.
         * case 5) if user have set his preference, but no common cert type
         *         found.
         */

        /* case 1 */
        if (ssl->options.verifyNone) {
            return ret;
        }

        /* parse extension: body is <count><type>*, count first. */
        if (length < OPAQUE8_LEN)
            return BUFFER_E;

        typeCnt = input[idx];

        /* Bound the count by the receive array before copying into it. */
        if (typeCnt > MAX_CLIENT_CERT_TYPE_CNT)
            return BUFFER_E;

        /* The declared count must account for the whole extension body. */
        if ((typeCnt + 1) * OPAQUE8_LEN != length){
            return BUFFER_E;
        }

        /* NOTE(review): the received list is stored before negotiation; an
         * UNSUPPORTED_CERTIFICATE return below leaves it populated -- confirm
         * that callers discard the SSL object on that path. */
        ssl->options.rpkState.received_ClientCertTypeCnt = input[idx];
        idx += OPAQUE8_LEN;

        for (i = 0; i < typeCnt; i++) {
            ssl->options.rpkState.received_ClientCertTypes[i] = input[idx];
            idx += OPAQUE8_LEN;
        }

        if (ssl->options.rpkConfig.preferred_ClientCertTypeCnt == 0) {
            /* case 2: no preference configured, fall back to X.509 if the
             * client offered it. */
            if (IsCertTypeListed(WOLFSSL_CERT_TYPE_X509,
                            ssl->options.rpkState.received_ClientCertTypeCnt,
                            ssl->options.rpkState.received_ClientCertTypes)) {

                ssl->options.rpkState.sending_ClientCertTypeCnt = 1;
                ssl->options.rpkState.sending_ClientCertTypes[0] =
                                                        WOLFSSL_CERT_TYPE_X509;
                populate = 1;
            }
            /* case 3 */
            else {
                WOLFSSL_MSG("No common cert type found in client_certificate_type ext");
                SendAlert(ssl, alert_fatal, unsupported_certificate);
                return UNSUPPORTED_CERTIFICATE;
            }
        }
        else if (ssl->options.rpkConfig.preferred_ClientCertTypeCnt > 0) {
            /* case 4: preference list is passed first, so the server's own
             * ordering decides when several types are common. */
            if (GetCommonItem(
                            ssl->options.rpkConfig.preferred_ClientCertTypes,
                            ssl->options.rpkConfig.preferred_ClientCertTypeCnt,
                            ssl->options.rpkState.received_ClientCertTypes,
                            ssl->options.rpkState.received_ClientCertTypeCnt,
                            &cmnType)) {
                ssl->options.rpkState.sending_ClientCertTypeCnt  = 1;
                ssl->options.rpkState.sending_ClientCertTypes[0] = cmnType;
                populate = 1;
            }
            /* case 5 */
            else {
                WOLFSSL_MSG("No common cert type found in client_certificate_type ext");
                SendAlert(ssl, alert_fatal, unsupported_certificate);
                return UNSUPPORTED_CERTIFICATE;
            }
        }

        /* populate client_certificate_type extension */
        if (populate) {
            WOLFSSL_MSG("Adding Client Certificate Type extension");
            ret = TLSX_Push(&ssl->extensions, TLSX_CLIENT_CERTIFICATE_TYPE, ssl,
                                                                    ssl->heap);
            if (ret == 0) {
                TLSX_SetResponse(ssl, TLSX_CLIENT_CERTIFICATE_TYPE);
            }
        }
    }
    else if (msgType == server_hello || msgType == encrypted_extensions) {
        /* parse it in client side: the server's answer is a single type byte
         * with no count prefix. */
        if (length == 1) {
            ssl->options.rpkState.received_ClientCertTypeCnt  = 1;
            ssl->options.rpkState.received_ClientCertTypes[0] = *input;
        }
        else {
            return BUFFER_E;
        }
    }

    return ret;
}
13421
13422
/* Write out the "client certificate type" extension data into the given buffer.
13423
 * returns the number of bytes written into the buffer on success, negative value on error.
13424
 */
13425
static word16 TLSX_ClientCertificateType_Write(void* data, byte* output,
                                              byte msgType)
{
    WOLFSSL* ssl = (WOLFSSL*)data;
    const byte* types = ssl->options.rpkState.sending_ClientCertTypes;
    byte cnt = ssl->options.rpkState.sending_ClientCertTypeCnt;
    word16 written = 0;

    /* Return type is word16, so no error can be signalled: a zero count
     * simply yields an empty extension body. */
    if (cnt == 0)
        return 0;

    if (msgType == client_hello) {
        /* Client side: count byte followed by one byte per offered type. */
        byte i;
        output[written] = cnt;
        written += OPAQUE8_LEN;
        for (i = 0; i < cnt; i++) {
            output[written] = types[i];
            written += OPAQUE8_LEN;
        }
    }
    else if (msgType == server_hello || msgType == encrypted_extensions) {
        /* Server side: the single selected type, no count prefix. */
        if (cnt == 1) {
            output[written] = types[0];
            written += OPAQUE8_LEN;
        }
    }

    return written;
}
13460
13461
/* Calculate then return the size of the "client certificate type" extension
13462
 * data.
13463
 * return the extension data size on success, negative value on error.
13464
*/
13465
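static int TLSX_ClientCertificateType_GetSize(WOLFSSL* ssl, byte msgType)
{
    byte cnt;

    if (ssl == NULL)
        return BAD_FUNC_ARG;

    cnt = ssl->options.rpkState.sending_ClientCertTypeCnt;

    if (msgType == client_hello) {
        /* Client side: a count byte plus one byte per type. When no type is
         * queued, TLSX_ClientCertificateType_Write emits nothing, so report 0
         * here instead of a lone count byte (matches the server_certificate_type
         * sizing). */
        if (cnt == 0)
            return 0;
        return (int)(OPAQUE8_LEN + cnt * OPAQUE8_LEN);
    }

    if (msgType == server_hello || msgType == encrypted_extensions) {
        /* Server side: exactly one selected type, no count prefix. */
        if (cnt != 1)
            return SANITY_MSG_E;
        return OPAQUE8_LEN;
    }

    /* Extension is not defined for any other handshake message. */
    return SANITY_MSG_E;
}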
13490
13491
    /* Dispatch names for client_certificate_type.
     * NOTE(review): the stub arities below (1 and 2 arguments) differ from the
     * real functions (2 and 3 arguments); this only compiles if every call
     * site is itself guarded by HAVE_RPK -- confirm. */
    #define CCT_GET_SIZE  TLSX_ClientCertificateType_GetSize
    #define CCT_WRITE     TLSX_ClientCertificateType_Write
    #define CCT_PARSE     TLSX_ClientCertificateType_Parse
#else
    #define CCT_GET_SIZE(a)  0
    #define CCT_WRITE(a, b)  0
    #define CCT_PARSE(a, b, c, d) 0
#endif /* HAVE_RPK */
13499
13500
#if defined(HAVE_RPK)
13501
/******************************************************************************/
13502
/* Server_Certificate_Type extension                                          */
13503
/******************************************************************************/
13504
/* Creates a "server certificate type" extension if necessary.
13505
 * Returns 0 if no error occurred, negative value otherwise.
13506
 * A return of 0 does not indicate that the extension was created.
13507
 */
13508
static int TLSX_ServerCertificateType_Use(WOLFSSL* ssl, byte isServer)
{
    int ret = 0;
    byte ctype;

    if (ssl == NULL)
        return BAD_FUNC_ARG;

    if (isServer) {
        /* [in server side] */
        /* find common cert type to both end; the preference list is passed
         * first so the server's own ordering decides. The received count was
         * bounded by MAX_SERVER_CERT_TYPE_CNT when parsed. */
        if (GetCommonItem(
                ssl->options.rpkConfig.preferred_ServerCertTypes,
                ssl->options.rpkConfig.preferred_ServerCertTypeCnt,
                ssl->options.rpkState.received_ServerCertTypes,
                ssl->options.rpkState.received_ServerCertTypeCnt,
                &ctype)) {
            ssl->options.rpkState.sending_ServerCertTypeCnt = 1;
            ssl->options.rpkState.sending_ServerCertTypes[0] = ctype;

            /* Push new server_certificate_type extension. */
            WOLFSSL_MSG("Adding Server Certificate Type extension");
            ret = TLSX_Push(&ssl->extensions, TLSX_SERVER_CERTIFICATE_TYPE, ssl,
                                                                    ssl->heap);
            if (ret == 0) {
                TLSX_SetResponse(ssl, TLSX_SERVER_CERTIFICATE_TYPE);
            }
        }
        else {
            /* no common cert type found: a fatal alert is sent here and the
             * error code is returned for the caller to propagate. */
            WOLFSSL_MSG("No common cert type found in server_certificate_type ext");
            SendAlert(ssl, alert_fatal, unsupported_certificate);
            ret = UNSUPPORTED_CERTIFICATE;
        }
    }
    else {
        /* [in client side] */
        if (IsCertTypeListed(WOLFSSL_CERT_TYPE_RPK,
                            ssl->options.rpkConfig.preferred_ServerCertTypeCnt,
                            ssl->options.rpkConfig.preferred_ServerCertTypes)) {

            /* Offer the whole preference list, in the user's order.
             * NOTE(review): copies preferred_ServerCertTypeCnt bytes; relies
             * on both arrays sharing the same bound and on the config setter
             * having validated the count -- confirm. */
            ssl->options.rpkState.sending_ServerCertTypeCnt =
                        ssl->options.rpkConfig.preferred_ServerCertTypeCnt;
            XMEMCPY(ssl->options.rpkState.sending_ServerCertTypes,
                    ssl->options.rpkConfig.preferred_ServerCertTypes,
                    ssl->options.rpkConfig.preferred_ServerCertTypeCnt);

            /* Push new server_certificate_type extension. */
            WOLFSSL_MSG("Adding Server Certificate Type extension");
            ret = TLSX_Push(&ssl->extensions, TLSX_SERVER_CERTIFICATE_TYPE, ssl,
                                                                    ssl->heap);
        }
        else {
            WOLFSSL_MSG("No will to accept RPK cert");
        }
    }

    return ret;
}
13567
13568
/* Parse a "server certificate type" extension received from peer.
13569
 * returns 0 on success and other values indicate failure.
13570
 */
13571
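static int TLSX_ServerCertificateType_Parse(WOLFSSL* ssl, const byte* input,
                                                word16 length, byte msgType)
{
    byte typeCnt;
    int idx = 0;
    int ret = 0;
    int i;

    if (msgType == client_hello) {
        /* Server side: body is <count><type>* and must match the given
         * length exactly. */
        if (length < OPAQUE8_LEN)
            return BUFFER_E;

        typeCnt = input[idx];

        /* Bound the count by the receive array before copying into it. */
        if (typeCnt > MAX_SERVER_CERT_TYPE_CNT)
            return BUFFER_E;

        if ((typeCnt + 1) * OPAQUE8_LEN != length)
            return BUFFER_E;

        ssl->options.rpkState.received_ServerCertTypeCnt = typeCnt;
        idx += OPAQUE8_LEN;

        for (i = 0; i < typeCnt; i++) {
            ssl->options.rpkState.received_ServerCertTypes[i] = input[idx];
            idx += OPAQUE8_LEN;
        }

        /* Select the common type and queue the response extension; on
         * success _Use already marks the node as a response, so no second
         * TLSX_SetResponse is needed. Its status -- UNSUPPORTED_CERTIFICATE
         * after a fatal alert, or a TLSX_Push failure -- is returned to the
         * caller instead of being dropped, as the client_certificate_type
         * parser does. */
        ret = TLSX_ServerCertificateType_Use(ssl, 1);
    }
    else if (msgType == server_hello || msgType == encrypted_extensions) {
        /* Client side: exactly one selected type, no count prefix. */
        if (length != 1)
            return BUFFER_E;

        ssl->options.rpkState.received_ServerCertTypeCnt  = 1;
        ssl->options.rpkState.received_ServerCertTypes[0] = *input;
    }

    return ret;
}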
13617
13618
/* Write out the "server certificate type" extension data into the given buffer.
13619
 * returns the number of bytes written into the buffer on success, negative value on error.
13620
 */
13621
static word16 TLSX_ServerCertificateType_Write(void* data, byte* output,
13622
                                                                byte msgType)
13623
{
13624
    WOLFSSL* ssl = (WOLFSSL*)data;
13625
    word16 idx = 0;
13626
    int cnt = 0;
13627
    int i;
13628
13629
    /* skip to write extension if count is zero */
13630
    cnt = ssl->options.rpkState.sending_ServerCertTypeCnt;
13631
13632
    if (cnt == 0)
13633
        return 0;
13634
13635
    if (msgType == client_hello) {
13636
        /* in client side */
13637
13638
        *(output + idx) = cnt;
13639
        idx += OPAQUE8_LEN;
13640
13641
        for (i = 0; i < cnt; i++) {
13642
            *(output + idx) = ssl->options.rpkState.sending_ServerCertTypes[i];
13643
            idx += OPAQUE8_LEN;
13644
        }
13645
    }
13646
    else if (msgType == server_hello || msgType == encrypted_extensions) {
13647
        /* in server side */
13648
        /* ensure cnt is one */
13649
        if (cnt != 1)
13650
            return 0;
13651
13652
        *(output + idx) =  ssl->options.rpkState.sending_ServerCertTypes[0];
13653
        idx += OPAQUE8_LEN;
13654
    }
13655
    return idx;
13656
}
13657
13658
/* Calculate then return the size of the "server certificate type" extension
 * data.
 *
 * ssl      SSL/TLS object holding the configured sending types.
 * msgType  Handshake message the extension will be written into.
 * return the extension data size on success, negative value on error
 * (BAD_FUNC_ARG for a NULL ssl, SANITY_MSG_E for an unexpected msgType).
 */
static int TLSX_ServerCertificateType_GetSize(WOLFSSL* ssl, byte msgType)
{
    int cnt;

    if (ssl == NULL)
        return BAD_FUNC_ARG;

    switch (msgType) {
        case client_hello:
            /* client side: a count byte plus one byte per type, or nothing */
            cnt = ssl->options.rpkState.sending_ServerCertTypeCnt;
            return cnt > 0 ? (int)(OPAQUE8_LEN + cnt * OPAQUE8_LEN) : 0;

        case server_hello:
        case encrypted_extensions:
            /* server side: the single selected type.
             * NOTE(review): sending_ServerCertTypeCnt is not consulted here,
             * while TLSX_ServerCertificateType_Write emits 0 bytes unless the
             * count is exactly 1 — confirm the two cannot disagree. */
            return (int)OPAQUE8_LEN;

        default:
            return SANITY_MSG_E;
    }
}
13686
13687
    #define SCT_GET_SIZE  TLSX_ServerCertificateType_GetSize
13688
    #define SCT_WRITE     TLSX_ServerCertificateType_Write
13689
    #define SCT_PARSE     TLSX_ServerCertificateType_Parse
13690
#else
13691
    #define SCT_GET_SIZE(a)  0
13692
    #define SCT_WRITE(a, b)  0
13693
    #define SCT_PARSE(a, b, c, d) 0
13694
#endif /* HAVE_RPK */
13695
13696
/******************************************************************************/
13697
/* TLS Extensions Framework                                                   */
13698
/******************************************************************************/
13699
13700
/** Finds an extension in the provided list.
 *
 * list  Head of a singly linked TLSX list; may be NULL.
 * type  Extension type to look for.
 * returns the first node whose type matches, or NULL when there is none.
 */
TLSX* TLSX_Find(TLSX* list, TLSX_Type type)
{
    TLSX* node;

    for (node = list; node != NULL; node = node->next) {
        if (node->type == type)
            return node;
    }

    return NULL;
}
13710
13711
/** Remove an extension.
 *
 * Unlinks the first node of the given type from *list and frees it with
 * TLSX_FreeAll. Nothing happens when list is NULL or the type is absent.
 *
 * list  Address of the list head; updated when the head itself is removed.
 * type  Extension type to remove.
 * heap  Heap hint handed to TLSX_FreeAll.
 */
void TLSX_Remove(TLSX** list, TLSX_Type type, void* heap)
{
    TLSX** link;

    if (list == NULL)
        return;

    /* walk the link slots rather than the nodes so the predecessor never
     * needs separate tracking */
    for (link = list; *link != NULL; link = &(*link)->next) {
        if ((*link)->type == type) {
            TLSX* victim = *link;

            *link = victim->next;
            /* detach before freeing so TLSX_FreeAll stops at this node */
            victim->next = NULL;
            TLSX_FreeAll(victim, heap);
            return;
        }
    }
}
13734
13735
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
13736
#define GREASE_ECH_SIZE 160
13737
#define TLS_INFO_CONST_STRING "tls ech"
13738
#define TLS_INFO_CONST_STRING_SZ 7
13739
13740
/* return status after setting up ech to write a grease ech
 *
 * extensions  Extension list to push the GREASE ECH entry onto.
 * heap        Heap hint for the allocation.
 * rng         RNG used to pick the random configId.
 * returns 0 on success (including when an ECH entry is already present),
 * BAD_FUNC_ARG, MEMORY_E, or the wc_RNG_GenerateByte/TLSX_Push error.
 */
static int TLSX_GreaseECH_Use(TLSX** extensions, void* heap, WC_RNG* rng)
{
    WOLFSSL_ECH* ech;
    int ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    /* an ECH entry already on the list (e.g. across a HelloRetryRequest)
     * takes precedence over a fresh GREASE one */
    if (TLSX_Find(*extensions, TLSX_ECH) != NULL)
        return 0;

    ech = (WOLFSSL_ECH*)XMALLOC(sizeof(WOLFSSL_ECH), heap,
        DYNAMIC_TYPE_TMP_BUFFER);
    if (ech == NULL)
        return MEMORY_E;
    ForceZero(ech, sizeof(WOLFSSL_ECH));

    /* fixed GREASE parameters: outer type, X25519 KEM, HKDF-SHA256 and
     * AES-128-GCM, with the matching X25519 enc length */
    ech->state              = ECH_WRITE_GREASE;
    ech->type               = ECH_TYPE_OUTER;
    ech->kemId              = DHKEM_X25519_HKDF_SHA256;
    ech->cipherSuite.kdfId  = HKDF_SHA256;
    ech->cipherSuite.aeadId = HPKE_AES_128_GCM;
    ech->encLen             = DHKEM_X25519_ENC_LEN;

    /* only the configId is randomised */
    ret = wc_RNG_GenerateByte(rng, &(ech->configId));
    if (ret == 0)
        ret = TLSX_Push(extensions, TLSX_ECH, ech, heap);

    /* on any failure the entry was never handed to the list */
    if (ret != 0)
        XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);

    return ret;
}
13788
13789
/* return status after setting up ech to write real ech
 *
 * echConfig   Selected ECHConfig; supplies KEM, cipher suite and configId.
 * extensions  Extension list to push the ECH entry onto.
 * heap        Heap hint for the allocations.
 * rng         RNG used by wc_HpkeGenerateKeyPair for the ephemeral key.
 * returns 0 on success (including when an ECH entry is already present),
 * BAD_FUNC_ARG when extensions is NULL or the KEM has no enc length,
 * MEMORY_E, the EchConfigGetSupportedCipherSuite result when negative, or
 * the HPKE/TLSX_Push error. On failure nothing allocated here is leaked.
 */
static int TLSX_ECH_Use(WOLFSSL_EchConfig* echConfig, TLSX** extensions,
    void* heap, WC_RNG* rng)
{
    int ret;
    int suiteIndex;
    WOLFSSL_ECH* ech;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    /* an ECH entry already on the list (e.g. across a HelloRetryRequest)
     * is kept as-is */
    if (TLSX_Find(*extensions, TLSX_ECH) != NULL)
        return 0;

    /* pick the first cipher suite of the config that this build supports */
    suiteIndex = EchConfigGetSupportedCipherSuite(echConfig);
    if (suiteIndex < 0)
        return suiteIndex;

    ech = (WOLFSSL_ECH*)XMALLOC(sizeof(WOLFSSL_ECH), heap,
        DYNAMIC_TYPE_TMP_BUFFER);
    if (ech == NULL)
        return MEMORY_E;
    ForceZero(ech, sizeof(WOLFSSL_ECH));

    ech->state              = ECH_WRITE_REAL;
    ech->echConfig          = echConfig;
    ech->type               = ECH_TYPE_OUTER;
    ech->kemId              = echConfig->kemId;
    ech->cipherSuite.kdfId  = echConfig->cipherSuites[suiteIndex].kdfId;
    ech->cipherSuite.aeadId = echConfig->cipherSuites[suiteIndex].aeadId;
    ech->configId           = echConfig->configId;

    /* an unknown KEM reports an enc length of 0 */
    ech->encLen = wc_HpkeKemGetEncLen(echConfig->kemId);
    if (ech->encLen == 0) {
        ret = BAD_FUNC_ARG;
        goto out_free_ech;
    }

    ech->hpke = (Hpke*)XMALLOC(sizeof(Hpke), heap, DYNAMIC_TYPE_TMP_BUFFER);
    if (ech->hpke == NULL) {
        ret = MEMORY_E;
        goto out_free_ech;
    }

    ret = wc_HpkeInit(ech->hpke, ech->kemId, ech->cipherSuite.kdfId,
        ech->cipherSuite.aeadId, heap);
    if (ret == 0)
        ret = wc_HpkeGenerateKeyPair(ech->hpke, &ech->ephemeralKey, rng);
    if (ret == 0) {
        ret = TLSX_Push(extensions, TLSX_ECH, ech, heap);
        if (ret == 0)
            return 0;
        /* the list did not take ownership; release the generated key */
        wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, ech->ephemeralKey,
            ech->hpke->heap);
    }

    XFREE(ech->hpke, heap, DYNAMIC_TYPE_TMP_BUFFER);
out_free_ech:
    XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
    return ret;
}
13854
13855
/* return status after setting up ech to read and decrypt
 *
 * extensions  Extension list to push the server-side ECH entry onto.
 * heap        Heap hint for the allocation.
 * configs     Server ECHConfig list the entry will later decrypt against.
 * returns 0 on success (or when an ECH entry is already present), otherwise
 * BAD_FUNC_ARG, MEMORY_E or the TLSX_Push error.
 */
static int TLSX_ServerECH_Use(TLSX** extensions, void* heap,
    WOLFSSL_EchConfig* configs)
{
    WOLFSSL_ECH* ech;
    int ret;

    if (extensions == NULL)
        return BAD_FUNC_ARG;

    /* never replace an ECH entry that is already on the list */
    if (TLSX_Find(*extensions, TLSX_ECH) != NULL)
        return 0;

    ech = (WOLFSSL_ECH*)XMALLOC(sizeof(WOLFSSL_ECH), heap,
        DYNAMIC_TYPE_TMP_BUFFER);
    if (ech == NULL)
        return MEMORY_E;
    ForceZero(ech, sizeof(WOLFSSL_ECH));

    /* nothing is written yet; the remaining fields are filled in once the
     * client's ECH extension has been received */
    ech->state     = ECH_WRITE_NONE;
    ech->type      = ECH_TYPE_OUTER;
    ech->echConfig = configs;

    ret = TLSX_Push(extensions, TLSX_ECH, ech, heap);
    if (ret != 0)
        XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);

    return ret;
}
13883
13884
/* return status after writing the ech and updating offset
 *
 * ech       ECH state; the branch taken depends on msgType and ech->state.
 * msgType   Handshake message the extension is written into.
 * writeBuf  Destination buffer; must be sized by TLSX_ECH_GetSize for the
 *           same ech state (the GREASE payload size below is computed with
 *           the same formula as there).
 * offset    In/out byte offset; advanced by the bytes written only when the
 *           write succeeds.
 * returns 0 on success, otherwise MEMORY_E, an RNG/HPKE error or the
 * GetEchConfigsEx error.
 */
static int TLSX_ECH_Write(WOLFSSL_ECH* ech, byte msgType, byte* writeBuf,
    word16* offset)
{
    int ret = 0;
    /* stays -1 until wc_InitRng succeeds; gates the matching wc_FreeRng */
    int rngRet = -1;
    word32 configsLen = 0;
    void* ephemeralKey = NULL;
    byte* writeBuf_p = writeBuf;
    WC_DECLARE_VAR(hpke, Hpke, 1, DYNAMIC_TYPE_TMP_BUFFER);
    WC_DECLARE_VAR(rng, WC_RNG, 1, DYNAMIC_TYPE_RNG);

    WOLFSSL_MSG("TLSX_ECH_Write");
    if (msgType == hello_retry_request) {
        /* HRR carries only the accept-confirmation bytes. They are filled
         * with random data here and ech->confBuf remembers their location;
         * presumably they are overwritten later when ECH is accepted —
         * confirm against the HRR confirmation code. */
        WC_ALLOC_VAR_EX(rng, WC_RNG, 1, NULL, DYNAMIC_TYPE_RNG, ret = MEMORY_E);
        if (ret == 0) {
            ret = wc_InitRng(rng);
        }
        if (ret == 0) {
            /* randomize confirmation in case ech is rejected */
            ret = wc_RNG_GenerateBlock(rng, writeBuf,
                    ECH_ACCEPT_CONFIRMATION_SZ);
            /* rng was initialised on this path, so it is released here */
            wc_FreeRng(rng);
        }
        if (ret == 0) {
            *offset += ECH_ACCEPT_CONFIRMATION_SZ;
            ech->confBuf = writeBuf;
        }

        WC_FREE_VAR_EX(rng, NULL, DYNAMIC_TYPE_RNG);
        return ret;
    }
    /* nothing to emit for a server entry that has not (or has internally)
     * parsed a client ECH */
    if (ech->state == ECH_WRITE_NONE || ech->state == ECH_PARSED_INTERNAL)
        return 0;
    if (ech->state == ECH_WRITE_RETRY_CONFIGS) {
        /* get size then write */
        ret = GetEchConfigsEx(ech->echConfig, NULL, &configsLen);
        /* the size-only query reports LENGTH_ONLY_E rather than success */
        if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E))
            return ret;
        ret = GetEchConfigsEx(ech->echConfig, writeBuf, &configsLen);
        if (ret != WOLFSSL_SUCCESS)
            return ret;
        *offset += configsLen;
        return 0;
    }
    /* type */
    *writeBuf_p = ech->type;
    writeBuf_p += sizeof(ech->type);
    /* outer has body, inner does not */
    if (ech->type == ECH_TYPE_OUTER) {
        /* kdfId */
        c16toa(ech->cipherSuite.kdfId, writeBuf_p);
        writeBuf_p += sizeof(ech->cipherSuite.kdfId);
        /* aeadId */
        c16toa(ech->cipherSuite.aeadId, writeBuf_p);
        writeBuf_p += sizeof(ech->cipherSuite.aeadId);
        /* configId */
        *writeBuf_p = ech->configId;
        writeBuf_p += sizeof(ech->configId);
        /* encLen */
        if (ech->innerCount == 0) {
            c16toa(ech->encLen, writeBuf_p);
        }
        else {
            /* set to 0 if this is clientInner 2 */
            c16toa(0, writeBuf_p);
        }
        writeBuf_p += 2;
        if (ech->state == ECH_WRITE_GREASE) {
            word32 size;
            WC_ALLOC_VAR_EX(rng, WC_RNG, 1, NULL, DYNAMIC_TYPE_RNG,
                ret = MEMORY_E);

            if (ret == 0)
                rngRet = ret = wc_InitRng(rng);
            /* a fresh throw-away HPKE key pair supplies a plausible enc on
             * the first ClientHello only */
            if (ret == 0 && ech->innerCount == 0) {
                WC_ALLOC_VAR_EX(hpke, Hpke, 1, NULL, DYNAMIC_TYPE_TMP_BUFFER,
                    ret = MEMORY_E);

                /* hpke init */
                if (ret == 0)
                    ret = wc_HpkeInit(hpke, ech->kemId, ech->cipherSuite.kdfId,
                        ech->cipherSuite.aeadId, NULL);
                /* create the ephemeralKey */
                if (ret == 0)
                    ret = wc_HpkeGenerateKeyPair(hpke, &ephemeralKey, rng);
                /* enc */
                if (ret == 0) {
                    ret = wc_HpkeSerializePublicKey(hpke, ephemeralKey,
                        writeBuf_p, &ech->encLen);
                    /* advanced even when serialisation fails; harmless since
                     * *offset is only updated when ret == 0 */
                    writeBuf_p += ech->encLen;
                }

                if (ephemeralKey != NULL)
                    wc_HpkeFreeKey(hpke, hpke->kem, ephemeralKey, hpke->heap);
                WC_FREE_VAR_EX(hpke, NULL, DYNAMIC_TYPE_TMP_BUFFER);
            }

            if (ret == 0) {
                /* same formula as TLSX_ECH_GetSize so the random payload
                 * exactly fills the space reserved for it */
                size = GREASE_ECH_SIZE + (ech->configId / 4);
                size += ECH_PADDING_TO_32(size) + WC_AES_BLOCK_SIZE;

                /* innerClientHelloLen */
                c16toa((word16)size, writeBuf_p);
                writeBuf_p += 2;
                /* innerClientHello */
                ret = wc_RNG_GenerateBlock(rng, writeBuf_p, size);
                writeBuf_p += size;
            }

            if (rngRet == 0)
                wc_FreeRng(rng);
            WC_FREE_VAR_EX(rng, NULL, DYNAMIC_TYPE_RNG);
        }
        else {
            if (ech->innerCount == 0) {
                /* write enc to writeBuf_p */
                ret = wc_HpkeSerializePublicKey(ech->hpke, ech->ephemeralKey,
                    writeBuf_p, &ech->encLen);
                writeBuf_p += ech->encLen;
            }

            /* innerClientHelloLen */
            c16toa((word16)ech->innerClientHelloLen, writeBuf_p);
            writeBuf_p += 2;
            /* set payload offset for when we finalize */
            ech->outerClientPayload = writeBuf_p;
            /* write zeros for payload */
            XMEMSET(writeBuf_p, 0, ech->innerClientHelloLen);
            writeBuf_p += ech->innerClientHelloLen;
        }
    }
    if (ret == 0)
        *offset += (writeBuf_p - writeBuf);
    return ret;
}
14020
14021
/* return the size needed for the ech extension
 *
 * ech      ECH state; together with msgType selects which layout is sized.
 * msgType  Handshake message the extension will be written into.
 * returns the byte count on success, or the GetEchConfigsEx error when the
 * retry-configs size query fails. The checks are ordered: GREASE first, then
 * HelloRetryRequest, then the remaining states.
 */
static int TLSX_ECH_GetSize(WOLFSSL_ECH* ech, byte msgType)
{
    /* fixed outer header: type, cipher suite, configId, enc length field and
     * payload length field */
    const word32 outerHdrSz = sizeof(ech->type) + sizeof(ech->cipherSuite) +
        sizeof(ech->configId) + sizeof(word16) + sizeof(word16);
    word32 size;

    if (ech->state == ECH_WRITE_GREASE) {
        /* GREASE payload mimics the regular sealed inner:
         *   plaintext length divisible by 32 and the AEAD tag
         *   configId is used to randomize the GREASE length
         *     (divide by 4 to save space) */
        word32 payload = GREASE_ECH_SIZE + (ech->configId / 4);
        payload += ECH_PADDING_TO_32(payload) + WC_AES_BLOCK_SIZE;

        size = outerHdrSz + payload;
        /* enc only printed on CH1 */
        if (ech->innerCount == 0)
            size += ech->encLen;
    }
    else if (msgType == hello_retry_request) {
        size = ECH_ACCEPT_CONFIRMATION_SZ;
    }
    else if (ech->state == ECH_WRITE_NONE ||
        ech->state == ECH_PARSED_INTERNAL) {
        size = 0;
    }
    else if (ech->state == ECH_WRITE_RETRY_CONFIGS) {
        int ret;

        /* size-only query of the raw configs; it reports LENGTH_ONLY_E */
        size = 0;
        ret = GetEchConfigsEx(ech->echConfig, NULL, &size);
        if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E))
            return ret;
    }
    else if (ech->type == ECH_TYPE_INNER) {
        /* inner carries only the type byte */
        size = sizeof(ech->type);
    }
    else {
        size = outerHdrSz + ech->innerClientHelloLen;
        /* enc only printed on CH1 */
        if (ech->innerCount == 0)
            size += ech->encLen;
    }

    return (int)size;
}
14072
14073
#ifdef HAVE_SECRET_CALLBACK
14074
/* log ECH_SECRET and ECH_CONFIG
 *
 * Hands the ECH secret and the ECH config to the TLS 1.3 secret callback and,
 * under OPENSSL_EXTRA, to the key-log callback as well. Any non-zero callback
 * result is reported as TLS13_SECRET_CB_E and stops further logging.
 *
 * ssl       SSL/TLS object holding the callbacks and their context.
 * secret    ECH secret bytes.
 * secretSz  Length of secret.
 * config    Raw ECH config bytes.
 * configSz  Length of config.
 * returns 0 on success, TLS13_SECRET_CB_E otherwise */
static int EchWriteKeyLog(WOLFSSL* ssl, const byte* secret, word32 secretSz,
    const byte* config, word32 configSz)
{
    int ret = 0;

    if (ssl->tls13SecretCb != NULL) {
        ret = ssl->tls13SecretCb(ssl, ECH_SECRET, secret, (int)secretSz,
                ssl->tls13SecretCtx);
        if (ret == 0)
            ret = ssl->tls13SecretCb(ssl, ECH_CONFIG, config, (int)configSz,
                    ssl->tls13SecretCtx);
    }
#ifdef OPENSSL_EXTRA
    /* the key-log callback only runs when the secret callback succeeded */
    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
        ret = ssl->tls13KeyLogCb(ssl, ECH_SECRET, secret, (int)secretSz, NULL);
        if (ret == 0)
            ret = ssl->tls13KeyLogCb(ssl, ECH_CONFIG, config, (int)configSz,
                    NULL);
    }
#endif /* OPENSSL_EXTRA */

    /* collapse any callback failure into the single documented error code */
    if (ret != 0) {
        WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
        ret = TLS13_SECRET_CB_E;
    }

    return ret;
}
14107
#endif /* HAVE_SECRET_CALLBACK */
14108
14109
/* rough check that inner hello fields do not exceed length of decrypted
 * information. Additionally, this function will check that all padding bytes
 * are zero and decrease the innerHelloLen accordingly if so.
 *
 * Walks the decrypted inner ClientHello body (version, random, session id,
 * cipher suites, compression methods, extensions) with a bounds check before
 * every read, then requires every byte after the extensions block to be zero.
 * On success ech->innerClientHelloLen is trimmed to exclude that padding.
 *
 * ssl  SSL/TLS object; only consulted for the DTLS header size.
 * ech  ECH object; ech->innerClientHello must start with a handshake header
 *      and ech->innerClientHelloLen is the body length (header excluded).
 * returns 0 on success and otherwise failure (BUFFER_ERROR when a field runs
 * past the decrypted data, INVALID_PARAMETER for a non-empty session id or
 * non-zero padding) */
static int TLSX_ECH_CheckInnerPadding(WOLFSSL* ssl, WOLFSSL_ECH* ech)
{
    int headerSz;
    const byte* innerCh;
    word32 innerChLen;
    word32 idx;
    byte sessionIdLen;
    word16 cipherSuitesLen;
    byte compressionLen;
    word16 extLen;
    /* OR of every padding byte; checked once so the scan is length-only */
    byte acc = 0;
    word32 i;

#ifdef WOLFSSL_DTLS13
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
                                   HANDSHAKE_HEADER_SZ;
#else
    (void)ssl;

    headerSz = HANDSHAKE_HEADER_SZ;
#endif

    /* skip the handshake header; innerClientHelloLen does not include it */
    innerCh = ech->innerClientHello + headerSz;
    innerChLen = ech->innerClientHelloLen;

    /* legacy_version + random */
    idx = OPAQUE16_LEN + RAN_LEN;
    if (idx >= innerChLen)
        return BUFFER_ERROR;

    sessionIdLen = innerCh[idx++];
    /* innerHello sessionID must initially be empty */
    if (sessionIdLen != 0)
        return INVALID_PARAMETER;
    idx += sessionIdLen;
    if (idx + OPAQUE16_LEN > innerChLen)
        return BUFFER_ERROR;

    ato16(innerCh + idx, &cipherSuitesLen);
    idx += OPAQUE16_LEN + cipherSuitesLen;
    if (idx >= innerChLen)
        return BUFFER_ERROR;

    compressionLen = innerCh[idx++];
    idx += compressionLen;
    if (idx + OPAQUE16_LEN > innerChLen)
        return BUFFER_ERROR;

    ato16(innerCh + idx, &extLen);
    idx += OPAQUE16_LEN + extLen;
    if (idx > innerChLen)
        return BUFFER_ERROR;

    /* should now be at the end of the innerHello
     * Per ECH spec all padding bytes MUST be 0 */
    for (i = idx; i < innerChLen; i++) {
        acc |= innerCh[i];
    }
    if (acc != 0) {
        return INVALID_PARAMETER;
    }

    /* i == innerChLen here, so this drops exactly the padding bytes */
    ech->innerClientHelloLen -= i - idx;
    return 0;
}
14177
14178
/* Locate the given extension type, use the extOffset to start off after where a
 * previous call to this function ended
 *
 * On the first call (*extOffset == 0) the outer ClientHello body is walked
 * up to its extensions block and extensionsStart/extensionsLen are filled in;
 * later calls reuse those values and resume at *extOffset, so references are
 * only found in increasing order and an extension can be matched once.
 *
 * outerCh          The outer ClientHello buffer.
 * chLen            Outer ClientHello length.
 * extType          Extension type to look for.
 * extLen           Out parameter, length of found extension (header included).
 * extOffset        Offset into outer ClientHello to look for extension from;
 *                  updated to the end of the found extension.
 * extensionsStart  Start of outer ClientHello extensions.
 * extensionsLen    Length of outer ClientHello extensions.
 * returns a pointer to the start of the matching extension (type field) on
 * success, NULL when it is not found or a length field runs past chLen.
 */
static const byte* TLSX_ECH_FindOuterExtension(const byte* outerCh,
    word32 chLen, word16 extType, word32* extLen, word32* extOffset,
    word16* extensionsStart, word16* extensionsLen)
{
    word32 idx = *extOffset;
    byte sessionIdLen;
    word16 cipherSuitesLen;
    byte compressionLen;
    word16 type;
    word16 len;

    if (idx == 0) {
        /* legacy_version + random */
        idx = OPAQUE16_LEN + RAN_LEN;
        if (idx >= chLen)
            return NULL;

        sessionIdLen = outerCh[idx++];
        idx += sessionIdLen;
        if (idx + OPAQUE16_LEN > chLen)
            return NULL;

        ato16(outerCh + idx, &cipherSuitesLen);
        idx += OPAQUE16_LEN + cipherSuitesLen;
        if (idx >= chLen)
            return NULL;

        compressionLen = outerCh[idx++];
        idx += compressionLen;
        if (idx + OPAQUE16_LEN > chLen)
            return NULL;

        ato16(outerCh + idx, extensionsLen);
        idx += OPAQUE16_LEN;
        *extensionsStart = (word16)idx;

        /* the extensions block itself must fit in the ClientHello */
        if (idx + *extensionsLen > chLen)
            return NULL;
    }

    while (idx - *extensionsStart < *extensionsLen) {
        /* type + length header must fit in the buffer */
        if (idx + OPAQUE16_LEN + OPAQUE16_LEN > chLen)
            return NULL;

        ato16(outerCh + idx, &type);
        idx += OPAQUE16_LEN;
        ato16(outerCh + idx, &len);
        idx += OPAQUE16_LEN;

        /* and the extension data must stay inside the extensions block */
        if (idx + len - *extensionsStart > *extensionsLen)
            return NULL;

        if (type == extType) {
            *extLen = len + OPAQUE16_LEN + OPAQUE16_LEN;
            *extOffset = idx + len;
            /* back up over the header so the caller can copy it verbatim */
            return outerCh + idx - OPAQUE16_LEN - OPAQUE16_LEN;
        }

        idx += len;
    }

    return NULL;
}
14252
14253
/* If newInnerCh is NULL, validate ordering and existence of references
 *   - updates newInnerChLen with total length of selected extensions
 * If newInnerCh is not NULL, copy extensions into newInnerCh
 *
 * References are resolved with TLSX_ECH_FindOuterExtension, which resumes
 * after the previous match, so a reference that is missing, repeated or out of
 * order fails. A reference to the ECH extension itself is rejected outright.
 *
 * outerCh          The outer ClientHello buffer.
 * outerChLen       Outer ClientHello length.
 * newInnerCh       The inner ClientHello buffer (write cursor, advanced).
 * newInnerChLen    Inner ClientHello length.
 * numOuterRefs     Number of references described by OuterExtensions extension.
 * outerRefTypes    References described by OuterExtensions extension.
 * returns 0 on success and otherwise failure.
 */
static int TLSX_ECH_CopyOuterExtensions(const byte* outerCh, word32 outerChLen,
    byte** newInnerCh, word32* newInnerChLen,
    word16 numOuterRefs, const byte* outerRefTypes)
{
    const int measureOnly = (newInnerCh == NULL);
    word32 cursor = 0;
    word16 extsStart = 0;
    word16 extsLen = 0;
    word16 i;

    if (measureOnly)
        *newInnerChLen = 0;

    for (i = 0; i < numOuterRefs; i++, outerRefTypes += OPAQUE16_LEN) {
        word16 refType;
        word32 extLen;
        const byte* ext;

        ato16(outerRefTypes, &refType);
        if (refType == TLSXT_ECH) {
            WOLFSSL_MSG("ECH: ech_outer_extensions references ECH");
            return INVALID_PARAMETER;
        }

        ext = TLSX_ECH_FindOuterExtension(outerCh, outerChLen, refType,
                &extLen, &cursor, &extsStart, &extsLen);
        if (ext == NULL) {
            WOLFSSL_MSG("ECH: referenced extension not in outer CH or out "
                        "of order");
            return INVALID_PARAMETER;
        }

        if (measureOnly) {
            *newInnerChLen += extLen;
        }
        else {
            XMEMCPY(*newInnerCh, ext, extLen);
            *newInnerCh += extLen;
        }
    }

    return 0;
}
14314
14315
/* Expand ech_outer_extensions in the inner ClientHello by copying referenced
 * extensions from the outer ClientHello.
 * If the sessionID exists in the outer ClientHello then also copy that into the
 * expanded inner ClientHello.
 *
 * The inner ClientHello is assumed to have already passed
 * TLSX_ECH_CheckInnerPadding (the field walk below relies on it for bounds).
 * A new buffer (handshake header space included) is built, the old
 * ech->innerClientHello is freed and replaced, and innerClientHelloLen is
 * updated; when nothing needs copying the existing buffer is left untouched.
 *
 * ssl      SSL/TLS object.
 * ech      ECH object.
 * heap     Heap hint.
 * returns 0 on success and otherwise failure.
 */
static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech,
    void* heap)
{
    int ret = 0;
    int headerSz;
    const byte* innerCh;
    word32 innerChLen;
    const byte* outerCh;
    word32 outerChLen;
    word32 idx;
    byte sessionIdLen;
    word16 cipherSuitesLen;
    byte compressionLen;

    word32 innerExtIdx;
    word16 innerExtLen;
    /* position/size of the ech_outer_extensions extension inside innerCh */
    word32 echOuterExtIdx = 0;
    word16 echOuterExtLen = 0;
    int foundEchOuter = 0;
    word16 numOuterRefs = 0;
    const byte* outerRefTypes = NULL;
    /* total size of the referenced outer extensions (headers included) */
    word32 extraSize = 0;
    byte* newInnerCh = NULL;
    byte* newInnerChRef;
    word32 newInnerChLen;
    word32 copyLen;

    /* NOTE(review): the trace label differs from the function name */
    WOLFSSL_ENTER("TLSX_ExpandEchOuterExtensions");

    if (ech == NULL || ech->innerClientHello == NULL || ech->aad == NULL)
        return BAD_FUNC_ARG;

#ifdef WOLFSSL_DTLS13
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
                                   HANDSHAKE_HEADER_SZ;
#else
    headerSz = HANDSHAKE_HEADER_SZ;
#endif

    innerCh = ech->innerClientHello + headerSz;
    innerChLen = ech->innerClientHelloLen;
    /* the outer ClientHello is the AAD used when the inner one was sealed */
    outerCh = ech->aad;
    outerChLen = ech->aadLen;

    /* don't need to check for buffer overflows here since they are caught by
     * TLSX_ECH_CheckInnerPadding */
    idx = OPAQUE16_LEN + RAN_LEN;

    sessionIdLen = innerCh[idx++];
    idx += sessionIdLen;

    ato16(innerCh + idx, &cipherSuitesLen);
    idx += OPAQUE16_LEN + cipherSuitesLen;

    compressionLen = innerCh[idx++];
    idx += compressionLen;

    ato16(innerCh + idx, &innerExtLen);
    idx += OPAQUE16_LEN;
    innerExtIdx = idx;

    /* validate ech_outer_extensions and calculate extra size */
    while (idx < innerChLen && (idx - innerExtIdx) < innerExtLen) {
        word16 type;
        word16 len;
        byte outerExtListLen;

        if (idx + OPAQUE16_LEN + OPAQUE16_LEN > innerChLen)
            return BUFFER_ERROR;

        ato16(innerCh + idx, &type);
        idx += OPAQUE16_LEN;
        ato16(innerCh + idx, &len);
        idx += OPAQUE16_LEN;

        if (idx + len > innerChLen)
            return BUFFER_ERROR;

        if (type == TLSXT_ECH_OUTER_EXTENSIONS) {
            if (foundEchOuter) {
                WOLFSSL_MSG("ECH: duplicate ech_outer_extensions");
                return INVALID_PARAMETER;
            }
            foundEchOuter = 1;
            echOuterExtIdx = idx - OPAQUE16_LEN - OPAQUE16_LEN;
            echOuterExtLen = len + OPAQUE16_LEN + OPAQUE16_LEN;

            /* ech_outer_extensions data format: 1-byte length + extension types
             * ExtensionType OuterExtensions<2..254>; */
            if (len < 1)
                return BUFFER_ERROR;
            outerExtListLen = innerCh[idx];
            if (outerExtListLen + 1 != len || outerExtListLen < 2 ||
                    outerExtListLen == 255)
                return BUFFER_ERROR;

            outerRefTypes = innerCh + idx + 1;
            /* NOTE(review): an odd outerExtListLen is not rejected; the
             * trailing byte is silently ignored by this division — confirm
             * whether it should be a BUFFER_ERROR */
            numOuterRefs = outerExtListLen / OPAQUE16_LEN;

            /* measuring pass: checks every reference and sums their sizes */
            ret = TLSX_ECH_CopyOuterExtensions(outerCh, outerChLen, NULL,
                    &extraSize, numOuterRefs, outerRefTypes);
            if (ret != 0)
                return ret;
        }

        idx += len;
    }

    /* drop ech_outer_extensions, add the referenced extensions, and swap the
     * inner session id for the outer one */
    newInnerChLen = innerChLen - echOuterExtLen + extraSize - sessionIdLen +
                        ssl->session->sessionIDSz;
    /* the result is later framed by 16-bit length fields */
    if (newInnerChLen > 0xFFFF) {
        return BUFFER_E;
    }

    if (!foundEchOuter && sessionIdLen == ssl->session->sessionIDSz) {
        /* no extensions + no sessionID to copy */
        WOLFSSL_MSG("ECH: no EchOuterExtensions extension found");
        return ret;
    }
    else {
        newInnerCh = (byte*)XMALLOC(newInnerChLen + headerSz, heap,
                                    DYNAMIC_TYPE_TMP_BUFFER);
        if (newInnerCh == NULL)
            return MEMORY_E;
    }

    /* note: The first HANDSHAKE_HEADER_SZ bytes are reserved for the header
     * but not initialized here. The header will be properly set later by
     * AddTls13HandShakeHeader() in DoTls13ClientHello(). */

    /* copy everything up to EchOuterExtensions */
    newInnerChRef = newInnerCh + headerSz;
    copyLen = OPAQUE16_LEN + RAN_LEN;
    XMEMCPY(newInnerChRef, innerCh, copyLen);
    newInnerChRef += copyLen;

    /* session id taken from the outer ClientHello's session */
    *newInnerChRef = ssl->session->sessionIDSz;
    newInnerChRef += OPAQUE8_LEN;

    copyLen = ssl->session->sessionIDSz;
    XMEMCPY(newInnerChRef, ssl->session->sessionID, copyLen);
    newInnerChRef += copyLen;

    if (!foundEchOuter) {
        WOLFSSL_MSG("ECH: no EchOuterExtensions extension found");

        /* only the session id changed: copy the rest of the body verbatim */
        copyLen = innerChLen - OPAQUE16_LEN - RAN_LEN - OPAQUE8_LEN -
                sessionIdLen;
        XMEMCPY(newInnerChRef, innerCh + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN +
                sessionIdLen, copyLen);
    }
    else {
        /* re-point innerExtIdx at the extensions length field inside the
         * new buffer (header included, session id size adjusted) */
        innerExtIdx = headerSz + innerExtIdx - OPAQUE16_LEN -
            sessionIdLen + ssl->session->sessionIDSz;

        copyLen = echOuterExtIdx - OPAQUE16_LEN - RAN_LEN - OPAQUE8_LEN -
                sessionIdLen;
        XMEMCPY(newInnerChRef, innerCh + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN +
                sessionIdLen, copyLen);
        newInnerChRef += copyLen;

        /* update extensions length in the new ClientHello */
        c16toa(innerExtLen - echOuterExtLen + (word16)extraSize,
                newInnerCh + innerExtIdx);

        /* copying pass: the references were validated above */
        ret = TLSX_ECH_CopyOuterExtensions(outerCh, outerChLen, &newInnerChRef,
                &newInnerChLen, numOuterRefs, outerRefTypes);
        if (ret == 0) {
            /* copy remaining extensions after ech_outer_extensions */
            copyLen = innerChLen - (echOuterExtIdx + echOuterExtLen);
            XMEMCPY(newInnerChRef, innerCh + echOuterExtIdx + echOuterExtLen,
                    copyLen);

            WOLFSSL_MSG("ECH: expanded ech_outer_extensions successfully");
        }
    }

    if (ret == 0) {
        /* hand the new buffer to ech and retire the old one */
        XFREE(ech->innerClientHello, heap, DYNAMIC_TYPE_TMP_BUFFER);
        ech->innerClientHello = newInnerCh;
        ech->innerClientHelloLen = newInnerChLen;
        newInnerCh = NULL;
    }

    /* only reached with a non-NULL newInnerCh when the copy failed */
    if (newInnerCh != NULL)
        XFREE(newInnerCh, heap, DYNAMIC_TYPE_TMP_BUFFER);

    return ret;
}
14514
14515
/* Attempt to open (HPKE-decrypt) the ECH payload held in
 * ech->outerClientPayload using the private key of one candidate config.
 *
 * On success the decrypted inner ClientHello body is written to
 * ech->innerClientHello + HANDSHAKE_HEADER_SZ (ech->innerClientHelloLen is
 * the plaintext length, already reduced by the AEAD tag in TLSX_ECH_Parse).
 *
 * ssl        connection; provides heap and secret/keylog callbacks
 * ech        ECH state parsed from the ClientHello; hpke/hpkeContext are
 *            created here on the first call and kept for a second
 *            ClientHello (HelloRetryRequest case)
 * echConfig  server config to try; its kemId/cipher suites must match the
 *            parameters the client sent, else BAD_FUNC_ARG
 * aad        additional data (ClientHelloOuterAAD); callers pass a scratch
 *            copy since the HPKE open may write to it
 * aadLen     length of aad
 *
 * Returns 0 on success, BAD_FUNC_ARG on parameter/suite mismatch, MEMORY_E
 * on allocation failure, or the error from the HPKE/config helpers. A failed
 * open with a wrong config is an expected outcome (trial decryption).
 */
static int TLSX_ExtractEch(WOLFSSL* ssl, WOLFSSL_ECH* ech,
    WOLFSSL_EchConfig* echConfig, byte* aad, word32 aadLen)
{
    int ret = 0;
    int i;
    /* set only when hpke/hpkeContext were allocated by this call, so that
     * state belonging to an earlier ClientHello is never freed here */
    int allocatedHpke = 0;
    word32 rawConfigLen = 0;
    byte* info = NULL;
    word32 infoLen = 0;
    if (ssl == NULL || ech == NULL || echConfig == NULL || aad == NULL)
        return BAD_FUNC_ARG;
    /* verify the kem and key len: the client's enc must be exactly the
     * encapsulated-key size of this config's KEM */
    if (wc_HpkeKemGetEncLen(echConfig->kemId) != ech->encLen)
        return BAD_FUNC_ARG;
    /* verify the cipher suite the client chose is one this config offers */
    for (i = 0; i < echConfig->numCipherSuites; i++) {
        if (echConfig->cipherSuites[i].kdfId == ech->cipherSuite.kdfId &&
            echConfig->cipherSuites[i].aeadId == ech->cipherSuite.aeadId) {
            break;
        }
    }
    if (i >= echConfig->numCipherSuites) {
        return BAD_FUNC_ARG;
    }
    /* check if hpke already exists, may if HelloRetryRequest; in that case
     * the existing receiver context is reused for the second ClientHello.
     * NOTE(review): TLSX_ECH_Parse keys the same decision on
     * ech->hpkeContext rather than ech->hpke -- confirm both are always
     * allocated/freed together. */
    if (ech->hpke == NULL) {
        allocatedHpke = 1;
        ech->hpke = (Hpke*)XMALLOC(sizeof(Hpke), ssl->heap,
            DYNAMIC_TYPE_TMP_BUFFER);
        if (ech->hpke == NULL)
            ret = MEMORY_E;
        /* init the hpke struct */
        if (ret == 0) {
            ret = wc_HpkeInit(ech->hpke, echConfig->kemId,
                ech->cipherSuite.kdfId, ech->cipherSuite.aeadId, ssl->heap);
        }
        if (ret == 0) {
            /* allocate hpkeContext */
            ech->hpkeContext =
                (HpkeBaseContext*)XMALLOC(sizeof(HpkeBaseContext),
                ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
            if (ech->hpkeContext == NULL)
                ret = MEMORY_E;
        }
        /* get the rawConfigLen: a NULL output buffer makes GetEchConfig
         * report the required size via LENGTH_ONLY_E */
        if (ret == 0)
            ret = GetEchConfig(echConfig, NULL, &rawConfigLen);
        if (ret == WC_NO_ERR_TRACE(LENGTH_ONLY_E))
            ret = 0;
        /* create info = "tls ech" || 0x00 || ECHConfig (the HPKE info
         * string binds the decryption to this exact config encoding) */
        if (ret == 0) {
            infoLen = TLS_INFO_CONST_STRING_SZ + 1 + rawConfigLen;
            info = (byte*)XMALLOC(infoLen, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);

            if (info == NULL)
                ret = MEMORY_E;
            else {
                XMEMCPY(info, (byte*)TLS_INFO_CONST_STRING,
                    TLS_INFO_CONST_STRING_SZ + 1);
                ret = GetEchConfig(echConfig, info +
                    TLS_INFO_CONST_STRING_SZ + 1, &rawConfigLen);
            }
        }
#ifdef HAVE_SECRET_CALLBACK
        /* allocate secret buffer for wc_HpkeInitOpenContext to copy into;
         * only done when a key-logging callback is registered */
        if (ret == 0 && (ssl->tls13SecretCb != NULL
#ifdef OPENSSL_EXTRA
                || ssl->tls13KeyLogCb != NULL
#endif
                )) {
            ret = wc_HpkeInitEchSecret(ech->hpke);
        }
#endif /* HAVE_SECRET_CALLBACK */
        /* init the context for opening */
        if (ret == 0) {
            ret = wc_HpkeInitOpenContext(ech->hpke, ech->hpkeContext,
                echConfig->receiverPrivkey, ech->enc, ech->encLen, info,
                infoLen);
        }
    }
    /* decrypt the ech payload into the inner ClientHello buffer, leaving
     * room for the handshake header in front */
    if (ret == 0) {
        ret = wc_HpkeContextOpenBase(ech->hpke, ech->hpkeContext, aad, aadLen,
            ech->outerClientPayload, ech->innerClientHelloLen,
            ech->innerClientHello + HANDSHAKE_HEADER_SZ);
    }

#ifdef HAVE_SECRET_CALLBACK
    /* NOTE(review): info/rawConfigLen are only populated when hpke was
     * allocated in this call. This branch relies on echSecret being NULL
     * on a reused hpke (it is released by wc_HpkeFreeEchSecret below on
     * every call); if that ever changes, info would be NULL here. */
    if (ret == 0 && ech->hpke->echSecret != NULL) {
        ret = EchWriteKeyLog(ssl, ech->hpke->echSecret, ech->hpke->Nsecret,
                info + TLS_INFO_CONST_STRING_SZ + 1, rawConfigLen);
    }
    wc_HpkeFreeEchSecret(ech->hpke);
#endif /* HAVE_SECRET_CALLBACK */

    /* only free hpke/hpkeContext if allocated in this call; otherwise preserve
     * them for clientHello2 */
    if (ret != 0 && allocatedHpke) {
        XFREE(ech->hpke, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
        ech->hpke = NULL;
        if (ech->hpkeContext != NULL) {
            /* the context holds derived key material: wipe before free */
            ForceZero(ech->hpkeContext, sizeof(HpkeBaseContext));
            XFREE(ech->hpkeContext, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
            ech->hpkeContext = NULL;
        }
    }

    if (info != NULL)
        XFREE(info, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);

    return ret;
}
14630
14631
/* Parse the encrypted_client_hello extension for the message type it was
 * received in.
 *
 * - encrypted_extensions (client side): the server sent retry configs;
 *   store them via SetRetryConfigs, unless ECH was accepted (then the
 *   extension is illegal and a fatal alert is sent).
 * - hello_retry_request (client side): the 8-byte acceptance confirmation;
 *   only its location is recorded in ech->confBuf.
 * - client_hello (server side): inner marker -> record ECH_PARSED_INTERNAL;
 *   outer -> validate the wire format, build the AAD, and try to decrypt
 *   the payload with the matching config (and, if enabled, every other
 *   config by trial decryption).
 *
 * ssl      connection state
 * readBuf  extension body (not written through in this function, although
 *          the const is cast away and ech->confBuf keeps a byte* alias)
 * size     length of readBuf in bytes
 * msgType  handshake message type that carried the extension
 *
 * Returns 0 on success or when ECH is disabled/rejected on the first
 * ClientHello, BUFFER_ERROR/INVALID_PARAMETER on malformed input,
 * BAD_FUNC_ARG when the extension object is missing, MEMORY_E on
 * allocation failure, DECRYPT_ERROR (after a fatal alert) when the second
 * ClientHello of an accepted ECH cannot be decrypted, or the error from a
 * helper.
 *
 * Security note: a first-ClientHello decryption failure deliberately
 * returns 0 and sets ECH_WRITE_RETRY_CONFIGS rather than failing, so the
 * server's reaction to a bad or GREASE payload is a normal handshake.
 */
static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
    byte msgType)
{
    int ret = 0;
    TLSX* echX;
    WOLFSSL_ECH* ech;
    WOLFSSL_EchConfig* echConfig;
    byte* aadCopy;
    byte* readBuf_p = (byte*)readBuf;
    /* bytes consumed so far; word32 so size/offset arithmetic is unsigned */
    word32 offset = 0;
    word16 len;
    word16 tmpVal16;
    word16 lenCh;

    WOLFSSL_MSG("TLSX_ECH_Parse");
    if (ssl->options.disableECH) {
        WOLFSSL_MSG("TLSX_ECH_Parse: ECH disabled. Ignoring.");
        return 0;
    }
    if (size == 0)
        return BAD_FUNC_ARG;

    /* retry configs */
    if (msgType == encrypted_extensions) {
        /* configs must only be sent on ECH rejection (RFC9849, Section 5) */
        if (ssl->options.echAccepted) {
            SendAlert(ssl, alert_fatal, unsupported_extension);
            WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION);
            return UNSUPPORTED_EXTENSION;
        }

        ret = SetRetryConfigs(ssl, readBuf, (word32)size);
        /* unknown suites/versions in the retry configs are tolerated: the
         * configs are simply not usable, which is not a protocol error */
        if (ret == WC_NO_ERR_TRACE(UNSUPPORTED_SUITE) ||
                ret == WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION)) {
            WOLFSSL_MSG("ECH retry configs had 'bad version' or 'bad suite'");
            ret = 0;
        }

        if (ssl->echConfigs == NULL) {
            /* on GREASE connection configs must be checked syntactically and
             * must not be saved (RFC 9849, Section 6.2.1) */
            FreeEchConfigs(ssl->echRetryConfigs, ssl->heap);
            ssl->echRetryConfigs = NULL;
        }

        /* retry configs may only be accepted at the point when ECH_REQUIRED is
         * sent */
        ssl->options.echRetryConfigsAccepted = 0;
    }
    /* HRR with special confirmation */
    else if (msgType == hello_retry_request && ssl->echConfigs != NULL) {
        /* length must be 8 */
        if (size != ECH_ACCEPT_CONFIRMATION_SZ)
            return BUFFER_ERROR;

        /* get extension */
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);
        if (echX == NULL)
            return BAD_FUNC_ARG;
        ech = (WOLFSSL_ECH*)echX->data;

        /* only the location is recorded; the confirmation is checked
         * elsewhere, so readBuf must outlive this call */
        ech->confBuf = (byte*)readBuf;
    }
    else if (msgType == client_hello && ssl->ctx->echConfigs != NULL) {
        /* get extension */
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);
        if (echX == NULL)
            return BAD_FUNC_ARG;
        ech = (WOLFSSL_ECH*)echX->data;

        /* if the first ECH was rejected or CH1 did not have ECH then there is
         * no need to decrypt this one */
        if (!ssl->options.echAccepted && ssl->options.serverState ==
                SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
            ech->state = ECH_WRITE_RETRY_CONFIGS;
            return 0;
        }

        /* read the ech parameters before the payload; size >= 1 was
         * checked above so the type byte is always present */
        ech->type = *readBuf_p;
        readBuf_p++;
        offset += 1;
        if (ssl->options.echProcessingInner && ech->type == ECH_TYPE_INNER) {
            ech->state = ECH_PARSED_INTERNAL;
            return 0;
        }
        else if ((!ssl->options.echProcessingInner &&
                  ech->type != ECH_TYPE_OUTER) ||
                 (ssl->options.echProcessingInner &&
                  ech->type != ECH_TYPE_INNER)) {
            /* MUST process INNER in inner hello and OUTER in outer hello */
            return INVALID_PARAMETER;
        }
        /* Must have kdfId, aeadId, configId, enc len and payload len.
         * This guarantees the nine fixed header bytes read below exist and
         * that size - offset - 2 cannot wrap in the encLen check. */
        if (size < offset + 2 + 2 + 1 + 2 + 2) {
            return BUFFER_ERROR;
        }
        /* only get enc if we don't already have the hpke context */
        if (ech->hpkeContext == NULL) {
            /* kdfId */
            ato16(readBuf_p, &ech->cipherSuite.kdfId);
            readBuf_p += 2;
            offset += 2;
            /* aeadId */
            ato16(readBuf_p, &ech->cipherSuite.aeadId);
            readBuf_p += 2;
            offset += 2;
            /* configId */
            ech->configId = *readBuf_p;
            readBuf_p++;
            offset++;
            /* encLen */
            ato16(readBuf_p, &len);
            readBuf_p += 2;
            offset += 2;
            /* Check encLen isn't more than remaining bytes minus
             * payload length. */
            if (len > size - offset - 2) {
                return BUFFER_ERROR;
            }
            /* ech->enc is a fixed-size buffer; bound the copy */
            if (len > HPKE_Npk_MAX) {
                return BUFFER_ERROR;
            }
            /* read enc */
            XMEMCPY(ech->enc, readBuf_p, len);
            ech->encLen = len;
        }
        else {
            /* kdfId, aeadId, and configId must be the same as last time:
             * the second ClientHello after HRR must reuse the first
             * ClientHello's HPKE parameters */
            /* kdfId */
            ato16(readBuf_p, &tmpVal16);
            if (tmpVal16 != ech->cipherSuite.kdfId) {
                return INVALID_PARAMETER;
            }
            readBuf_p += 2;
            offset += 2;
            /* aeadId */
            ato16(readBuf_p, &tmpVal16);
            if (tmpVal16 != ech->cipherSuite.aeadId) {
                return INVALID_PARAMETER;
            }
            readBuf_p += 2;
            offset += 2;
            /* configId */
            if (*readBuf_p != ech->configId) {
                return INVALID_PARAMETER;
            }
            readBuf_p++;
            offset++;
            /* on an HRR the enc value MUST be empty */
            ato16(readBuf_p, &len);
            if (len != 0) {
                return INVALID_PARAMETER;
            }
            readBuf_p += 2;
            offset += 2;
        }
        /* skip enc (len is 0 on the HRR path) */
        readBuf_p += len;
        offset += len;
        /* read payload (encrypted CH) len; the two length bytes are covered
         * by the encLen check (first path) or the header check (HRR path) */
        ato16(readBuf_p, &lenCh);
        ech->innerClientHelloLen = lenCh;
        readBuf_p += 2;
        offset += 2;
        /* Check payload is no bigger than remaining bytes. */
        if (ech->innerClientHelloLen > size - offset) {
            return BUFFER_ERROR;
        }
        /* payload = ciphertext || AEAD tag; WC_AES_BLOCK_SIZE is used as the
         * tag length, so anything shorter cannot be a valid AEAD output */
        if (ech->innerClientHelloLen < WC_AES_BLOCK_SIZE) {
            return BUFFER_ERROR;
        }
        /* from here on innerClientHelloLen is the plaintext length */
        ech->innerClientHelloLen -= WC_AES_BLOCK_SIZE;
        ech->outerClientPayload = readBuf_p;
        /* make a copy of the aad (the outer ClientHello) so the original
         * message is not modified */
        aadCopy = (byte*)XMALLOC(ech->aadLen, ssl->heap,
            DYNAMIC_TYPE_TMP_BUFFER);
        if (aadCopy == NULL)
            return MEMORY_E;
        XMEMCPY(aadCopy, ech->aad, ech->aadLen);
        /* set the ech payload of the copy to zeros: this produces the
         * ClientHelloOuterAAD the client sealed against.
         * NOTE(review): assumes readBuf lies inside the buffer ech->aad
         * points to (the pointer difference is undefined otherwise) and
         * that ech->aadLen covers the payload -- confirm where ech->aad is
         * set. */
        XMEMSET(aadCopy + (readBuf_p - ech->aad), 0,
            ech->innerClientHelloLen + WC_AES_BLOCK_SIZE);
        /* free the old ech when this is the second client hello */
        if (ech->innerClientHello != NULL)
            XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
        /* allocate the inner payload buffer, with room for the handshake
         * header that TLSX_ExtractEch leaves in front of the plaintext */
        ech->innerClientHello =
            (byte*)XMALLOC(ech->innerClientHelloLen + HANDSHAKE_HEADER_SZ,
            ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
        if (ech->innerClientHello == NULL) {
            XFREE(aadCopy, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
            return MEMORY_E;
        }
        /* try to decrypt with matching configId; a secret-callback error is
         * treated like success here so it is reported rather than masked */
        echConfig = ssl->ctx->echConfigs;
        while (echConfig != NULL) {
            if (echConfig->configId == ech->configId) {
                ret = TLSX_ExtractEch(ssl, ech, echConfig, aadCopy,
                        ech->aadLen);
                if (ret == 0 || ret == WC_NO_ERR_TRACE(TLS13_SECRET_CB_E))
                    break;
            }
            echConfig = echConfig->next;
        }
        /* otherwise, try to decrypt with all configs (trial decryption);
         * opt-in via enableEchTrialDecrypt since it costs one HPKE open
         * per remaining config */
        if (echConfig == NULL && ssl->options.enableEchTrialDecrypt) {
            echConfig = ssl->ctx->echConfigs;
            while (echConfig != NULL) {
                if (echConfig->configId != ech->configId) {
                    ret = TLSX_ExtractEch(ssl, ech, echConfig, aadCopy,
                            ech->aadLen);
                    if (ret == 0 || ret == WC_NO_ERR_TRACE(TLS13_SECRET_CB_E))
                        break;
                }
                echConfig = echConfig->next;
            }
        }
        /* TLS13_SECRET_CB_E isn't correlated with ECH acceptance so skip both
         * paths */
        if (ret != WC_NO_ERR_TRACE(TLS13_SECRET_CB_E)) {
            /* if we failed to extract/expand (echConfig == NULL means no
             * config decrypted the payload) */
            if (ret != 0 || echConfig == NULL) {
                WOLFSSL_MSG("ECH rejected");

                if (ssl->options.echAccepted == 0) {
                    /* on SH1 prepare to write retry configs; the error is
                     * swallowed on purpose so rejection is not fatal */
                    XFREE(ech->innerClientHello, ssl->heap,
                        DYNAMIC_TYPE_TMP_BUFFER);
                    ech->innerClientHello = NULL;
                    ech->state = ECH_WRITE_RETRY_CONFIGS;
                    ret = 0;
                }
                else {
                    /* on SH2 failure to decrypt is fatal */
                    SendAlert(ssl, alert_fatal, decrypt_error);
                    WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
                    ret = DECRYPT_ERROR;
                }
            }
            else {
                WOLFSSL_MSG("ECH accepted");
                ssl->options.echAccepted = 1;

                /* the decrypted inner ClientHello is still untrusted input:
                 * validate its padding before expanding it */
                ret = TLSX_ECH_CheckInnerPadding(ssl, ech);
                if (ret == 0) {
                    /* expand EchOuterExtensions if present.
                    * Also, if it exists, copy sessionID from outer hello */
                    ret = TLSX_ECH_ExpandOuterExtensions(ssl, ech, ssl->heap);
                }
            }
        }
        if (ret != 0) {
            XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
            ech->innerClientHello = NULL;
        }

        XFREE(aadCopy, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
    }

    return ret;
}
14894
14895
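/* Free the ECH state object and every buffer it owns.
 *
 * ech   ECH state to release; NULL is accepted and ignored so that callers
 *       holding an extension node without data (extension->data == NULL)
 *       do not dereference a null pointer
 * heap  heap hint passed to XFREE
 *
 * The HPKE context is wiped with ForceZero before it is freed because it
 * holds derived key material. ech->hpke's ECH secret is deliberately not
 * released here (see comment below).
 * NOTE(review): ech->innerClientHello holds the decrypted inner ClientHello
 * and is freed without wiping; the buffer's allocated size is not known
 * here (it may be replaced by TLSX_ECH_ExpandOuterExtensions), so no
 * ForceZero is added -- consider tracking the allocation size.
 */
static void TLSX_ECH_Free(WOLFSSL_ECH* ech, void* heap)
{
    if (ech == NULL) {
        (void)heap;
        return;
    }

    XFREE(ech->innerClientHello, heap, DYNAMIC_TYPE_TMP_BUFFER);
    if (ech->hpke != NULL) {
        /* client-side ephemeral KEM key, if one was generated */
        if (ech->ephemeralKey != NULL)
            wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, ech->ephemeralKey,
                ech->hpke->heap);
        /* wc_HpkeFreeEchSecret is intentionally not here, free it in
         * TLSX_ExtractEch / TLSX_FinalizeEch */
        XFREE(ech->hpke, heap, DYNAMIC_TYPE_TMP_BUFFER);
    }
    if (ech->hpkeContext != NULL) {
        /* key material: wipe before returning the memory */
        ForceZero(ech->hpkeContext, sizeof(HpkeBaseContext));
        XFREE(ech->hpkeContext, heap, DYNAMIC_TYPE_TMP_BUFFER);
    }
    if (ech->privateName != NULL)
        XFREE((char*)ech->privateName, heap, DYNAMIC_TYPE_TMP_BUFFER);

    XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
    (void)heap;
}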
14917
14918
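/* Seal (HPKE-encrypt) the inner ClientHello and store the ciphertext in
 * ech->outerClientPayload.
 *
 * The HPKE seal context is created on the first call and then reused: a
 * second ClientHello after HelloRetryRequest must be sealed with the same
 * context (ech->hpkeContext != NULL skips the setup block).
 *
 * ssl     connection; provides the secret/keylog callbacks
 * ech     ECH state; ech->hpke and ech->echConfig must already be set up
 *         (both are dereferenced without a NULL check -- assumed to be
 *         established by the ECH_USE path, not visible here)
 * aad     ClientHelloOuterAAD; copied before use because the seal
 *         operation overwrites its input
 * aadLen  length of aad
 *
 * Returns 0 on success, BAD_FUNC_ARG on NULL ssl/ech/aad, MEMORY_E on
 * allocation failure, or the error from the HPKE/keylog helpers.
 *
 * On failure, a seal context that was allocated by this call is wiped and
 * released (mirroring TLSX_ExtractEch); otherwise a later call would see
 * ech->hpkeContext != NULL, skip the setup block, and seal with a context
 * that was never successfully initialised.
 */
int TLSX_FinalizeEch(WOLFSSL* ssl, WOLFSSL_ECH* ech, byte* aad, word32 aadLen)
{
    int ret = 0;
    void* receiverPubkey = NULL;
    byte* info = NULL;
    int infoLen = 0;
    byte* aadCopy = NULL;
    /* set only when hpkeContext was allocated by this call */
    int allocatedCtx = 0;
    if (ssl == NULL || ech == NULL || aad == NULL)
        return BAD_FUNC_ARG;
    /* setup hpke context to seal, should be done at most once per connection */
    if (ech->hpkeContext == NULL) {
        /* import the server public key */
        ret = wc_HpkeDeserializePublicKey(ech->hpke, &receiverPubkey,
            ech->echConfig->receiverPubkey, ech->encLen);
        if (ret == 0) {
            /* allocate hpke context */
            ech->hpkeContext =
                (HpkeBaseContext*)XMALLOC(sizeof(HpkeBaseContext),
                ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
            if (ech->hpkeContext == NULL)
                ret = MEMORY_E;
            else
                allocatedCtx = 1;
        }
        if (ret == 0) {
            /* create info = "tls ech" || 0x00 || ECHConfig, binding the
             * encryption to the exact config encoding the server published */
            infoLen = TLS_INFO_CONST_STRING_SZ + 1 + ech->echConfig->rawLen;
            info = (byte*)XMALLOC(infoLen, ech->hpke->heap,
                DYNAMIC_TYPE_TMP_BUFFER);
            if (info == NULL)
                ret = MEMORY_E;
        }
        if (ret == 0) {
            /* puts the null byte in for me */
            XMEMCPY(info, (byte*)TLS_INFO_CONST_STRING,
                TLS_INFO_CONST_STRING_SZ + 1);
            XMEMCPY(info + TLS_INFO_CONST_STRING_SZ + 1,
                ech->echConfig->raw, ech->echConfig->rawLen);
        }
#ifdef HAVE_SECRET_CALLBACK
        /* allocate secret buffer for wc_HpkeInitSealContext to copy into;
         * only done when a key-logging callback is registered */
        if (ret == 0 && (ssl->tls13SecretCb != NULL
#ifdef OPENSSL_EXTRA
                || ssl->tls13KeyLogCb != NULL
#endif
                )) {
            ret = wc_HpkeInitEchSecret(ech->hpke);
        }
#endif /* HAVE_SECRET_CALLBACK */
        if (ret == 0) {
            /* init the context for seal with info and keys */
            ret = wc_HpkeInitSealContext(ech->hpke, ech->hpkeContext,
                ech->ephemeralKey, receiverPubkey, info, infoLen);
        }
    }
    if (ret == 0) {
        /* make a copy of the aad since we overwrite it */
        aadCopy = (byte*)XMALLOC(aadLen, ech->hpke->heap,
            DYNAMIC_TYPE_TMP_BUFFER);
        if (aadCopy == NULL) {
            ret = MEMORY_E;
        }
    }
    if (ret == 0) {
        XMEMCPY(aadCopy, aad, aadLen);
        /* seal the payload with context; innerClientHelloLen includes the
         * AEAD tag (Nt), so the plaintext length is the difference */
        ret = wc_HpkeContextSealBase(ech->hpke, ech->hpkeContext, aadCopy,
            aadLen, ech->innerClientHello,
            ech->innerClientHelloLen - ech->hpke->Nt, ech->outerClientPayload);
    }

#ifdef HAVE_SECRET_CALLBACK
    if (ret == 0 && ech->hpke->echSecret != NULL) {
        ret = EchWriteKeyLog(ssl, ech->hpke->echSecret, ech->hpke->Nsecret,
            ech->echConfig->raw, ech->echConfig->rawLen);
    }
    wc_HpkeFreeEchSecret(ech->hpke);
#endif /* HAVE_SECRET_CALLBACK */

    /* do not leave a context behind that was allocated here but not
     * successfully used; it holds (possibly partial) key material */
    if (ret != 0 && allocatedCtx && ech->hpkeContext != NULL) {
        ForceZero(ech->hpkeContext, sizeof(HpkeBaseContext));
        XFREE(ech->hpkeContext, ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
        ech->hpkeContext = NULL;
    }

    if (info != NULL)
        XFREE(info, ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
    if (aadCopy != NULL)
        XFREE(aadCopy, ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
    if (receiverPubkey != NULL)
        wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, receiverPubkey,
            ech->hpke->heap);
    return ret;
}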
15006
15007
/* Generic ECH_* names used by the extension dispatch code below (for
 * example ECH_FREE in TLSX_FreeAll); they map to the TLSX_*ECH* functions
 * defined above when TLS 1.3 and ECH are built in. */
#define GREASE_ECH_USE TLSX_GreaseECH_Use
#define ECH_USE TLSX_ECH_Use
#define SERVER_ECH_USE TLSX_ServerECH_Use
#define ECH_WRITE TLSX_ECH_Write
#define ECH_GET_SIZE TLSX_ECH_GetSize
#define ECH_PARSE TLSX_ECH_Parse
#define ECH_FREE TLSX_ECH_Free
15014
15015
#endif /* WOLFSSL_TLS13 && HAVE_ECH */
15016
15017
/** Releases all extensions in the provided list.
 *
 *  Walks the singly linked TLSX list, frees each node's type-specific data
 *  through the matching *_FREE* helper, then frees the node itself.
 *
 *  list  head of the extension list (NULL is fine: the loop does not run)
 *  heap  heap hint forwarded to every free helper; the trailing (void)heap
 *        keeps builds whose free macros ignore it warning-free
 *
 *  A type that has no case here (or whose case is compiled out) falls to
 *  `default`, so its extension->data is left untouched -- only the node is
 *  freed. Add a case when introducing an extension that owns data.
 */
void TLSX_FreeAll(TLSX* list, void* heap)
{
    TLSX* extension;

    while ((extension = list)) {
        /* advance before freeing so the node's next pointer is not read
         * after the node is released */
        list = extension->next;

        switch (extension->type) {
#if defined(HAVE_RPK)
            case TLSX_CLIENT_CERTIFICATE_TYPE:
                WOLFSSL_MSG("Client Certificate Type extension free");
                /* nothing to do */
                break;
            case TLSX_SERVER_CERTIFICATE_TYPE:
                WOLFSSL_MSG("Server Certificate Type extension free");
                /* nothing to do */
                break;
#endif

#ifdef HAVE_SNI
            case TLSX_SERVER_NAME:
                WOLFSSL_MSG("SNI extension free");
                SNI_FREE_ALL((SNI*)extension->data, heap);
                break;
#endif

            case TLSX_TRUSTED_CA_KEYS:
                WOLFSSL_MSG("Trusted CA Indication extension free");
                TCA_FREE_ALL((TCA*)extension->data, heap);
                break;

            case TLSX_MAX_FRAGMENT_LENGTH:
                WOLFSSL_MSG("Max Fragment Length extension free");
                MFL_FREE_ALL(extension->data, heap);
                break;

            case TLSX_EXTENDED_MASTER_SECRET:
                WOLFSSL_MSG("Extended Master Secret free");
                /* Nothing to do. */
                break;
            case TLSX_TRUNCATED_HMAC:
                WOLFSSL_MSG("Truncated HMAC extension free");
                /* Nothing to do. */
                break;

            case TLSX_SUPPORTED_GROUPS:
                WOLFSSL_MSG("Supported Groups extension free");
                EC_FREE_ALL((SupportedCurve*)extension->data, heap);
                break;

            case TLSX_EC_POINT_FORMATS:
                WOLFSSL_MSG("Point Formats extension free");
                PF_FREE_ALL((PointFormat*)extension->data, heap);
                break;

            case TLSX_STATUS_REQUEST:
                WOLFSSL_MSG("Certificate Status Request extension free");
                CSR_FREE_ALL((CertificateStatusRequest*)extension->data, heap);
                break;

            case TLSX_STATUS_REQUEST_V2:
                WOLFSSL_MSG("Certificate Status Request v2 extension free");
                CSR2_FREE_ALL((CertificateStatusRequestItemV2*)extension->data,
                        heap);
                break;

            case TLSX_RENEGOTIATION_INFO:
                WOLFSSL_MSG("Secure Renegotiation extension free");
                SCR_FREE_ALL(extension->data, heap);
                break;

            case TLSX_SESSION_TICKET:
                WOLFSSL_MSG("Session Ticket extension free");
                WOLF_STK_FREE(extension->data, heap);
                break;

            case TLSX_APPLICATION_LAYER_PROTOCOL:
                WOLFSSL_MSG("ALPN extension free");
                ALPN_FREE_ALL((ALPN*)extension->data, heap);
                break;
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
            case TLSX_SIGNATURE_ALGORITHMS:
                WOLFSSL_MSG("Signature Algorithms extension to free");
                SA_FREE_ALL((SignatureAlgorithms*)extension->data, heap);
                break;
#endif
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
            case TLSX_ENCRYPT_THEN_MAC:
                WOLFSSL_MSG("Encrypt-Then-Mac extension free");
                break;
#endif

#if defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            case TLSX_PRE_SHARED_KEY:
                WOLFSSL_MSG("Pre-Shared Key extension free");
                PSK_FREE_ALL((PreSharedKey*)extension->data, heap);
                break;

        #ifdef WOLFSSL_TLS13
            case TLSX_PSK_KEY_EXCHANGE_MODES:
                WOLFSSL_MSG("PSK Key Exchange Modes extension free");
                break;
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
            case TLSX_CERT_WITH_EXTERN_PSK:
                WOLFSSL_MSG("Cert with external PSK extension free");
                break;
        #endif
        #endif
    #endif

            case TLSX_KEY_SHARE:
                WOLFSSL_MSG("Key Share extension free");
                KS_FREE_ALL((KeyShareEntry*)extension->data, heap);
                break;
#endif
#ifdef WOLFSSL_TLS13
            case TLSX_SUPPORTED_VERSIONS:
                WOLFSSL_MSG("Supported Versions extension free");
                break;

            case TLSX_COOKIE:
                WOLFSSL_MSG("Cookie extension free");
                CKE_FREE_ALL((Cookie*)extension->data, heap);
                break;

    #ifdef WOLFSSL_EARLY_DATA
            case TLSX_EARLY_DATA:
                WOLFSSL_MSG("Early Data extension free");
                break;
    #endif

    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
            case TLSX_POST_HANDSHAKE_AUTH:
                WOLFSSL_MSG("Post-Handshake Authentication extension free");
                break;
    #endif

    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
            case TLSX_SIGNATURE_ALGORITHMS_CERT:
                WOLFSSL_MSG("Signature Algorithms extension free");
                break;
    #endif
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
            case TLSX_CERTIFICATE_AUTHORITIES:
                WOLFSSL_MSG("Certificate Authorities extension free");
                break;
    #endif
#endif
#ifdef WOLFSSL_SRTP
            case TLSX_USE_SRTP:
                WOLFSSL_MSG("SRTP extension free");
                SRTP_FREE((TlsxSrtp*)extension->data, heap);
                break;
#endif

    #ifdef WOLFSSL_QUIC
            case TLSX_KEY_QUIC_TP_PARAMS:
                FALL_THROUGH;
            case TLSX_KEY_QUIC_TP_PARAMS_DRAFT:
                WOLFSSL_MSG("QUIC transport parameter free");
                QTP_FREE((QuicTransportParam*)extension->data, heap);
                break;
    #endif

#ifdef WOLFSSL_DTLS_CID
            case TLSX_CONNECTION_ID:
                WOLFSSL_MSG("Connection ID extension free");
                CID_FREE((byte*)extension->data, heap);
                break;
#endif /* WOLFSSL_DTLS_CID */
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
            case TLSX_ECH:
                WOLFSSL_MSG("ECH extension free");
                /* releases the HPKE context and inner ClientHello buffers */
                ECH_FREE((WOLFSSL_ECH*)extension->data, heap);
                break;
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
            case TLSX_CKS:
                WOLFSSL_MSG("CKS extension free");
                /* nothing to do */
                break;
#endif
            default:
                /* unknown or compiled-out type: data (if any) is not freed */
                break;
        }

        XFREE(extension, heap, DYNAMIC_TYPE_TLSX);
    }

    (void)heap;
}
15210
15211
/** Reports whether this connection's protocol version carries TLS
 *  extensions.
 *
 *  Returns non-zero when ssl is non-NULL and either IsTLS() holds or the
 *  major version is DTLS_MAJOR; returns 0 otherwise, including for a NULL
 *  ssl (callers may pass NULL safely).
 */
int TLSX_SupportExtensions(WOLFSSL* ssl) {
    if (ssl == NULL)
        return 0;
    if (IsTLS(ssl))
        return 1;
    return ssl->version.major == DTLS_MAJOR;
}
15215
15216
/** Tells the buffered size of the extensions in a list. */
15217
static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType,
15218
                        word16* pLength)
15219
0
{
15220
0
    int    ret = 0;
15221
0
    TLSX*  extension;
15222
    /* Use a word32 accumulator so that an extension whose contribution
15223
     * pushes the running total past 0xFFFF is detected rather than
15224
     * silently wrapped (the TLS extensions block length prefix on the
15225
     * wire is a 2-byte field). Callees that take a word16* accumulator
15226
     * are invoked via a per-iteration shim (`cbShim`) and their delta
15227
     * is added back into the word32 total.
15228
     *
15229
     * MAINTAINER NOTE: do NOT pass &length to any *_GET_SIZE function
15230
     * that expects a `word16*` out-parameter -- that would be a type
15231
     * mismatch (UB) and would silently bypass the overflow detection
15232
     * below. When adding a new extension case, either:
15233
     *   - use `length += FOO_GET_SIZE(...)` when the helper returns a
15234
     *     word16 by value, or
15235
     *   - use the cbShim pattern: `cbShim = 0; ret = FOO_GET_SIZE(...,
15236
     *     &cbShim); length += cbShim;`
15237
     */
15238
0
    word32 length = 0;
15239
0
    word16 cbShim = 0;
15240
0
    byte   isRequest = (msgType == client_hello ||
15241
0
                        msgType == certificate_request);
15242
0
    (void)cbShim;
15243
15244
0
    while ((extension = list)) {
15245
0
        list = extension->next;
15246
15247
        /* only extensions marked as response are sent back to the client. */
15248
0
        if (!isRequest && !extension->resp)
15249
0
            continue; /* skip! */
15250
15251
        /* ssl level extensions are expected to override ctx level ones. */
15252
0
        if (!IS_OFF(semaphore, TLSX_ToSemaphore((word16)extension->type)))
15253
0
            continue; /* skip! */
15254
15255
        /* extension type + extension data length. */
15256
0
        length += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
15257
15258
0
        switch (extension->type) {
15259
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
15260
            case TLSX_CKS:
15261
                length += ((WOLFSSL*)extension->data)->sigSpecSz ;
15262
                break;
15263
#endif
15264
0
#ifdef HAVE_SNI
15265
0
            case TLSX_SERVER_NAME:
15266
                /* SNI only sends the name on the request. */
15267
0
                if (isRequest)
15268
0
                    length += SNI_GET_SIZE((SNI*)extension->data);
15269
0
                break;
15270
0
#endif
15271
15272
0
            case TLSX_TRUSTED_CA_KEYS:
15273
                /* TCA only sends the list on the request. */
15274
0
                if (isRequest) {
15275
0
                    word16 tcaSz = TCA_GET_SIZE((TCA*)extension->data);
15276
                    /* 0 on non-empty list means 16-bit overflow. */
15277
0
                    if (tcaSz == 0 && extension->data != NULL) {
15278
0
                        ret = LENGTH_ERROR;
15279
0
                        break;
15280
0
                    }
15281
0
                    length += tcaSz;
15282
0
                }
15283
0
                break;
15284
15285
0
            case TLSX_MAX_FRAGMENT_LENGTH:
15286
0
                length += MFL_GET_SIZE(extension->data);
15287
0
                break;
15288
15289
0
            case TLSX_EXTENDED_MASTER_SECRET:
15290
0
            case TLSX_TRUNCATED_HMAC:
15291
                /* always empty. */
15292
0
                break;
15293
15294
0
            case TLSX_SUPPORTED_GROUPS:
15295
0
                length += EC_GET_SIZE((SupportedCurve*)extension->data);
15296
0
                break;
15297
15298
0
            case TLSX_EC_POINT_FORMATS:
15299
0
                length += PF_GET_SIZE((PointFormat*)extension->data);
15300
0
                break;
15301
15302
0
            case TLSX_STATUS_REQUEST:
15303
0
                length += CSR_GET_SIZE(
15304
0
                         (CertificateStatusRequest*)extension->data, isRequest);
15305
0
                break;
15306
15307
0
            case TLSX_STATUS_REQUEST_V2:
15308
0
                length += CSR2_GET_SIZE(
15309
0
                        (CertificateStatusRequestItemV2*)extension->data,
15310
0
                        isRequest);
15311
0
                break;
15312
15313
0
            case TLSX_RENEGOTIATION_INFO:
15314
0
                length += SCR_GET_SIZE((SecureRenegotiation*)extension->data,
15315
0
                        isRequest);
15316
0
                break;
15317
15318
0
            case TLSX_SESSION_TICKET:
15319
0
                length += WOLF_STK_GET_SIZE((SessionTicket*)extension->data,
15320
0
                        isRequest);
15321
0
                break;
15322
15323
0
            case TLSX_APPLICATION_LAYER_PROTOCOL: {
15324
0
                word16 alpnSz = ALPN_GET_SIZE((ALPN*)extension->data);
15325
                /* 0 on non-empty list means 16-bit overflow. */
15326
0
                if (alpnSz == 0 && extension->data != NULL) {
15327
0
                    ret = LENGTH_ERROR;
15328
0
                    break;
15329
0
                }
15330
0
                length += alpnSz;
15331
0
                break;
15332
0
            }
15333
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
15334
0
            case TLSX_SIGNATURE_ALGORITHMS:
15335
0
                length += SA_GET_SIZE(extension->data);
15336
0
                break;
15337
0
#endif
15338
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
15339
0
            case TLSX_ENCRYPT_THEN_MAC:
15340
0
                cbShim = 0;
15341
0
                ret = ETM_GET_SIZE(msgType, &cbShim);
15342
0
                length += cbShim;
15343
0
                break;
15344
0
#endif /* HAVE_ENCRYPT_THEN_MAC */
15345
15346
0
#if defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
15347
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15348
            case TLSX_PRE_SHARED_KEY:
15349
                cbShim = 0;
15350
                ret = PSK_GET_SIZE((PreSharedKey*)extension->data, msgType,
15351
                                                                       &cbShim);
15352
                length += cbShim;
15353
                break;
15354
        #ifdef WOLFSSL_TLS13
15355
            case TLSX_PSK_KEY_EXCHANGE_MODES:
15356
                cbShim = 0;
15357
                ret = PKM_GET_SIZE((byte)extension->val, msgType, &cbShim);
15358
                length += cbShim;
15359
                break;
15360
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
15361
            case TLSX_CERT_WITH_EXTERN_PSK:
15362
                cbShim = 0;
15363
                ret = PSK_WITH_CERT_GET_SIZE(msgType, &cbShim);
15364
                length += cbShim;
15365
                break;
15366
        #endif
15367
        #endif
15368
    #endif
15369
0
            case TLSX_KEY_SHARE:
15370
0
                length += KS_GET_SIZE((KeyShareEntry*)extension->data, msgType);
15371
0
                break;
15372
0
#endif
15373
15374
0
#ifdef WOLFSSL_TLS13
15375
0
            case TLSX_SUPPORTED_VERSIONS:
15376
0
                cbShim = 0;
15377
0
                ret = SV_GET_SIZE(extension->data, msgType, &cbShim);
15378
0
                length += cbShim;
15379
0
                break;
15380
15381
0
            case TLSX_COOKIE:
15382
0
                cbShim = 0;
15383
0
                ret = CKE_GET_SIZE((Cookie*)extension->data, msgType, &cbShim);
15384
0
                length += cbShim;
15385
0
                break;
15386
15387
    #ifdef WOLFSSL_EARLY_DATA
15388
            case TLSX_EARLY_DATA:
15389
                cbShim = 0;
15390
                ret = EDI_GET_SIZE(msgType, &cbShim);
15391
                length += cbShim;
15392
                break;
15393
    #endif
15394
15395
    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
15396
            case TLSX_POST_HANDSHAKE_AUTH:
15397
                cbShim = 0;
15398
                ret = PHA_GET_SIZE(msgType, &cbShim);
15399
                length += cbShim;
15400
                break;
15401
    #endif
15402
15403
0
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
15404
0
            case TLSX_SIGNATURE_ALGORITHMS_CERT:
15405
0
                length += SAC_GET_SIZE(extension->data);
15406
0
                break;
15407
0
    #endif
15408
15409
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
15410
            case TLSX_CERTIFICATE_AUTHORITIES: {
15411
                word16 canSz = CAN_GET_SIZE(extension->data);
15412
                /* 0 on non-empty list means 16-bit overflow. */
15413
                if (canSz == 0) {
15414
                    ret = LENGTH_ERROR;
15415
                    break;
15416
                }
15417
                length += canSz;
15418
                break;
15419
            }
15420
    #endif
15421
0
#endif
15422
#ifdef WOLFSSL_SRTP
15423
            case TLSX_USE_SRTP:
15424
                length += SRTP_GET_SIZE((TlsxSrtp*)extension->data);
15425
                break;
15426
#endif
15427
15428
#ifdef HAVE_RPK
15429
            case TLSX_CLIENT_CERTIFICATE_TYPE:
15430
                length += CCT_GET_SIZE((WOLFSSL*)extension->data, msgType);
15431
                break;
15432
15433
            case TLSX_SERVER_CERTIFICATE_TYPE:
15434
                length += SCT_GET_SIZE((WOLFSSL*)extension->data, msgType);
15435
                break;
15436
#endif /* HAVE_RPK */
15437
15438
#ifdef WOLFSSL_QUIC
15439
            case TLSX_KEY_QUIC_TP_PARAMS:
15440
                FALL_THROUGH; /* followed by */
15441
            case TLSX_KEY_QUIC_TP_PARAMS_DRAFT:
15442
                length += QTP_GET_SIZE(extension);
15443
                break;
15444
#endif
15445
#ifdef WOLFSSL_DTLS_CID
15446
            case TLSX_CONNECTION_ID:
15447
                length += CID_GET_SIZE((byte*)extension->data);
15448
                break;
15449
#endif /* WOLFSSL_DTLS_CID */
15450
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
15451
            case TLSX_ECH:
15452
                length += ECH_GET_SIZE((WOLFSSL_ECH*)extension->data, msgType);
15453
                break;
15454
#endif
15455
0
            default:
15456
0
                break;
15457
0
        }
15458
15459
0
        if (ret != 0)
15460
0
            return ret;
15461
15462
        /* Early exit: stop accumulating as soon as the running total
15463
         * cannot possibly fit the 2-byte wire length. Check *before*
15464
         * marking the extension as processed so the semaphore is not
15465
         * left in an inconsistent state on the error path. */
15466
0
        if (length > WOLFSSL_MAX_16BIT) {
15467
0
            WOLFSSL_MSG("TLSX_GetSize extension length exceeds word16");
15468
0
            return BUFFER_E;
15469
0
        }
15470
15471
        /* marks the extension as processed so ctx level */
15472
        /* extensions don't overlap with ssl level ones. */
15473
0
        TURN_ON(semaphore, TLSX_ToSemaphore((word16)extension->type));
15474
0
    }
15475
15476
0
    if ((word32)*pLength + length > WOLFSSL_MAX_16BIT) {
15477
0
        WOLFSSL_MSG("TLSX_GetSize total extensions length exceeds word16");
15478
0
        return BUFFER_E;
15479
0
    }
15480
15481
0
    *pLength += (word16)length;
15482
15483
0
    return ret;
15484
0
}
15485
15486
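/**
 * Writes the extensions of a list in a buffer.
 *
 * Walks @p list and serializes every extension that is eligible for
 * @p msgType into @p output, starting at @p output[0]. Each extension is
 * emitted as a 2-byte type, a 2-byte data length and the data itself; the
 * length field is back-patched once the extension-specific writer has run.
 *
 * @param list      Linked list of extensions to write.
 * @param output    Destination buffer. No bound on @p output is checked
 *                  here; the caller is expected to have sized it from
 *                  TLSX_GetSize.
 * @param semaphore Bit set of extension types already written. An
 *                  extension whose bit is set is skipped, and the bit is
 *                  set for every extension written here so ctx level
 *                  extensions do not overlap with ssl level ones.
 * @param msgType   Handshake message type being built. Only client_hello
 *                  and certificate_request count as requests; any other
 *                  message carries only extensions flagged as responses
 *                  (extension->resp).
 * @param pOffset   In/out byte count already consumed by the caller. It is
 *                  increased by the number of bytes written here on
 *                  success and left unchanged on error.
 *
 * @return 0 on success; BUFFER_E when a single extension or the aggregate
 *         does not fit a 2-byte wire length; otherwise the error returned
 *         by the extension-specific writer that failed.
 */
static int TLSX_Write(TLSX* list, byte* output, byte* semaphore,
                         byte msgType, word16* pOffset)
{
    int    ret = 0;
    TLSX*  extension;
    /* Use word32 to symmetrize with TLSX_GetSize -- a single extension can
     * contribute up to 0x10003 bytes (4-byte type/length header + 0xFFFF
     * payload), which would word16-overflow undetectably (e.g. wrap to a
     * value still above prevOffset). Per-iteration and aggregate bounds are
     * checked below before truncating back into the word16 wire fields.
     * Callees that take a word16* offset use the cbShim pattern (init to 0,
     * then add the returned delta to the word32 accumulator). Callees that
     * return their byte count as an int are widened to word32 -- never
     * narrowed to word16 -- so the per-extension bound check sees the full
     * value rather than a truncated one. */
    word32 offset = 0;
    word32 length_offset = 0;
    word32 prevOffset;
    word16 cbShim = 0;
    byte   isRequest = (msgType == client_hello ||
                        msgType == certificate_request);
    /* every use of cbShim sits inside a conditional case below; this keeps
     * builds that compile all of them out warning-free. */
    (void)cbShim;

    while ((extension = list)) {
        list = extension->next;

        /* only extensions marked as response are written in a response. */
        if (!isRequest && !extension->resp)
            continue; /* skip! */

        /* ssl level extensions are expected to override ctx level ones. */
        if (!IS_OFF(semaphore, TLSX_ToSemaphore((word16)extension->type)))
            continue; /* skip! */

        /* Snapshot offset to detect word16 wrap within this iteration;
         * see matching comment in TLSX_GetSize. */
        prevOffset = offset;

        /* writes extension type. */
        c16toa((word16)extension->type, output + offset);
        offset += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
        /* the 2-byte data length field sits just before length_offset and
         * is filled in after the writer below has reported its size. */
        length_offset = offset;

        /* extension data should be written internally. */
        switch (extension->type) {
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
            case TLSX_CKS:
                WOLFSSL_MSG("CKS extension to write");
                offset += CKS_WRITE(((WOLFSSL*)extension->data),
                                    output + offset);
                break;
#endif
#ifdef HAVE_SNI
            case TLSX_SERVER_NAME:
                /* SNI only sends the name on the request. */
                if (isRequest) {
                    WOLFSSL_MSG("SNI extension to write");
                    offset += SNI_WRITE((SNI*)extension->data, output + offset);
                }
                break;
#endif

            case TLSX_TRUSTED_CA_KEYS:
                WOLFSSL_MSG("Trusted CA Indication extension to write");
                /* TCA only sends the list on the request. */
                if (isRequest) {
                    offset += TCA_WRITE((TCA*)extension->data, output + offset);
                }
                break;

            case TLSX_MAX_FRAGMENT_LENGTH:
                WOLFSSL_MSG("Max Fragment Length extension to write");
                offset += MFL_WRITE((byte*)extension->data, output + offset);
                break;

            case TLSX_EXTENDED_MASTER_SECRET:
                WOLFSSL_MSG("Extended Master Secret");
                /* always empty. */
                break;

            case TLSX_TRUNCATED_HMAC:
                WOLFSSL_MSG("Truncated HMAC extension to write");
                /* always empty. */
                break;

            case TLSX_SUPPORTED_GROUPS:
                WOLFSSL_MSG("Supported Groups extension to write");
                offset += EC_WRITE((SupportedCurve*)extension->data,
                                    output + offset);
                break;

            case TLSX_EC_POINT_FORMATS:
                WOLFSSL_MSG("Point Formats extension to write");
                offset += PF_WRITE((PointFormat*)extension->data,
                                    output + offset);
                break;

            case TLSX_STATUS_REQUEST:
                WOLFSSL_MSG("Certificate Status Request extension to write");
                /* CSR_WRITE returns the byte count (> 0) or an error code;
                 * a positive result is consumed here and ret reset so it
                 * is not mistaken for an error below. */
                ret = CSR_WRITE((CertificateStatusRequest*)extension->data,
                        output + offset, isRequest);
                if (ret > 0) {
                    /* widen, do not narrow: a word16 cast would hide a
                     * payload larger than the wire field allows. */
                    offset += (word32)ret;
                    ret = 0;
                }
                break;

            case TLSX_STATUS_REQUEST_V2:
                WOLFSSL_MSG("Certificate Status Request v2 extension to write");
                ret = CSR2_WRITE(
                        (CertificateStatusRequestItemV2*)extension->data,
                        output + offset, isRequest);
                if (ret > 0) {
                    /* same widening rationale as TLSX_STATUS_REQUEST. */
                    offset += (word32)ret;
                    ret = 0;
                }
                break;

            case TLSX_RENEGOTIATION_INFO:
                WOLFSSL_MSG("Secure Renegotiation extension to write");
                offset += SCR_WRITE((SecureRenegotiation*)extension->data,
                        output + offset, isRequest);
                break;

            case TLSX_SESSION_TICKET:
                WOLFSSL_MSG("Session Ticket extension to write");
                offset += WOLF_STK_WRITE((SessionTicket*)extension->data,
                        output + offset, isRequest);
                break;

            case TLSX_APPLICATION_LAYER_PROTOCOL:
                WOLFSSL_MSG("ALPN extension to write");
                offset += ALPN_WRITE((ALPN*)extension->data, output + offset);
                break;
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
            case TLSX_SIGNATURE_ALGORITHMS:
                WOLFSSL_MSG("Signature Algorithms extension to write");
                offset += SA_WRITE(extension->data, output + offset);
                break;
#endif
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
            case TLSX_ENCRYPT_THEN_MAC:
                WOLFSSL_MSG("Encrypt-Then-Mac extension to write");
                cbShim = 0;
                /* NOTE(review): `output` (not `output + offset`) is passed
                 * here, unlike every other writer; confirm ETM_WRITE never
                 * stores through it, otherwise output[0] would be clobbered. */
                ret = ETM_WRITE(extension->data, output, msgType, &cbShim);
                offset += cbShim;
                break;
#endif /* HAVE_ENCRYPT_THEN_MAC */

#if defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            case TLSX_PRE_SHARED_KEY:
                WOLFSSL_MSG("Pre-Shared Key extension to write");
                cbShim = 0;
                ret = PSK_WRITE((PreSharedKey*)extension->data, output + offset,
                                                              msgType, &cbShim);
                offset += cbShim;
                break;

        #ifdef WOLFSSL_TLS13
            case TLSX_PSK_KEY_EXCHANGE_MODES:
                WOLFSSL_MSG("PSK Key Exchange Modes extension to write");
                cbShim = 0;
                ret = PKM_WRITE((byte)extension->val, output + offset, msgType,
                                                                       &cbShim);
                offset += cbShim;
                break;
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
            case TLSX_CERT_WITH_EXTERN_PSK:
                WOLFSSL_MSG("Cert with external PSK extension to write");
                cbShim = 0;
                ret = PSK_WITH_CERT_WRITE(output + offset, msgType, &cbShim);
                offset += cbShim;
                break;
        #endif
        #endif
    #endif
            case TLSX_KEY_SHARE:
                WOLFSSL_MSG("Key Share extension to write");
                offset += KS_WRITE((KeyShareEntry*)extension->data,
                                                      output + offset, msgType);
                break;
#endif
#ifdef WOLFSSL_TLS13
            case TLSX_SUPPORTED_VERSIONS:
                WOLFSSL_MSG("Supported Versions extension to write");
                cbShim = 0;
                ret = SV_WRITE(extension->data, output + offset, msgType,
                                                                       &cbShim);
                offset += cbShim;
                break;

            case TLSX_COOKIE:
                WOLFSSL_MSG("Cookie extension to write");
                cbShim = 0;
                ret = CKE_WRITE((Cookie*)extension->data, output + offset,
                                msgType, &cbShim);
                offset += cbShim;
                break;

    #ifdef WOLFSSL_EARLY_DATA
            case TLSX_EARLY_DATA:
                WOLFSSL_MSG("Early Data extension to write");
                cbShim = 0;
                ret = EDI_WRITE(extension->val, output + offset, msgType,
                                                                       &cbShim);
                offset += cbShim;
                break;
    #endif

    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
            case TLSX_POST_HANDSHAKE_AUTH:
                WOLFSSL_MSG("Post-Handshake Authentication extension to write");
                cbShim = 0;
                ret = PHA_WRITE(output + offset, msgType, &cbShim);
                offset += cbShim;
                break;
    #endif

    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
            case TLSX_SIGNATURE_ALGORITHMS_CERT:
                WOLFSSL_MSG("Signature Algorithms extension to write");
                offset += SAC_WRITE(extension->data, output + offset);
                break;
    #endif

    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
            case TLSX_CERTIFICATE_AUTHORITIES:
                WOLFSSL_MSG("Certificate Authorities extension to write");
                offset += CAN_WRITE(extension->data, output + offset);
                break;
    #endif
#endif
#ifdef WOLFSSL_SRTP
            case TLSX_USE_SRTP:
                WOLFSSL_MSG("SRTP extension to write");
                offset += SRTP_WRITE((TlsxSrtp*)extension->data, output+offset);
                break;
#endif

#ifdef HAVE_RPK
            case TLSX_CLIENT_CERTIFICATE_TYPE:
                WOLFSSL_MSG("Client Certificate Type extension to write");
                offset += CCT_WRITE(extension->data, output + offset, msgType);
                break;

            case TLSX_SERVER_CERTIFICATE_TYPE:
                WOLFSSL_MSG("Server Certificate Type extension to write");
                offset += SCT_WRITE(extension->data, output + offset, msgType);
                break;
#endif /* HAVE_RPK */

#ifdef WOLFSSL_QUIC
            case TLSX_KEY_QUIC_TP_PARAMS:
                FALL_THROUGH;
            case TLSX_KEY_QUIC_TP_PARAMS_DRAFT:
                WOLFSSL_MSG("QUIC transport parameter to write");
                offset += QTP_WRITE((QuicTransportParam*)extension->data,
                                    output + offset);
                break;
#endif
#ifdef WOLFSSL_DTLS_CID
            case TLSX_CONNECTION_ID:
                WOLFSSL_MSG("Connection ID extension to write");
                offset += CID_WRITE((byte*)extension->data, output+offset);
                break;

#endif /* WOLFSSL_DTLS_CID */
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
            case TLSX_ECH:
                WOLFSSL_MSG("ECH extension to write");
                cbShim = 0;
                ret = ECH_WRITE((WOLFSSL_ECH*)extension->data, msgType,
                    output + offset, &cbShim);
                offset += cbShim;
                break;
#endif
            default:
                break;
        }

        /* Per-extension data length is a 2-byte wire field; reject any
         * single extension whose payload exceeds that before truncating. */
        if (offset - length_offset > WOLFSSL_MAX_16BIT) {
            WOLFSSL_MSG("TLSX_Write single extension length exceeds word16");
            return BUFFER_E;
        }

        /* writes extension data length. */
        c16toa((word16)(offset - length_offset),
               output + length_offset - OPAQUE16_LEN);

        /* marks the extension as processed so ctx level */
        /* extensions don't overlap with ssl level ones. */
        TURN_ON(semaphore, TLSX_ToSemaphore((word16)extension->type));

        /* if we encountered an error propagate it */
        if (ret != 0)
            break;

        /* Defensive: the 4-byte header added above means offset has
         * already moved past prevOffset unless the word32 accumulator
         * itself wrapped, so this only fires on a wrap. */
        if (offset <= prevOffset) {
            WOLFSSL_MSG("TLSX_Write extension made no progress");
            return BUFFER_E;
        }
    }

    /* Only validate and commit the aggregate offset when the loop
     * completed without error; on the error path, leave *pOffset
     * unchanged and return the original failure reason so callers
     * see the real error instead of a masking BUFFER_E. */
    if (ret == 0) {
        if ((word32)*pOffset + offset > WOLFSSL_MAX_16BIT) {
            WOLFSSL_MSG("TLSX_Write total extensions length exceeds word16");
            return BUFFER_E;
        }
        *pOffset += (word16)offset;
    }

    return ret;
}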
15802
15803
#ifdef HAVE_SUPPORTED_CURVES
15804
15805
/* Populates the default supported groups / curves */
15806
static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
15807
0
{
15808
0
    int ret = WOLFSSL_SUCCESS;
15809
0
#ifdef WOLFSSL_TLS13
15810
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15811
    if (ssl->options.resuming && ssl->session->namedGroup != 0) {
15812
        return TLSX_UseSupportedCurve(extensions, ssl->session->namedGroup,
15813
                                                  ssl->heap, ssl->options.side);
15814
    }
15815
#endif
15816
15817
0
    if (ssl->numGroups != 0) {
15818
0
        int i;
15819
0
        for (i = 0; i < ssl->numGroups; i++) {
15820
0
            ret = TLSX_UseSupportedCurve(extensions, ssl->group[i], ssl->heap,
15821
0
                                                             ssl->options.side);
15822
0
            if (ret != WOLFSSL_SUCCESS)
15823
0
                return ret;
15824
0
        }
15825
0
        return WOLFSSL_SUCCESS;
15826
0
    }
15827
0
#endif /* WOLFSSL_TLS13 */
15828
15829
0
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
15830
0
    !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS)
15831
    /* Prefer non-experimental PQ/T hybrid groups (only for TLS 1.3) */
15832
0
    if (IsAtLeastTLSv1_3(ssl->version) &&
15833
0
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
15834
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519) && \
15835
        ECC_MIN_KEY_SZ <= 256
15836
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519MLKEM768,
15837
            ssl->heap, ssl->options.side);
15838
        if (ret != WOLFSSL_SUCCESS) return ret;
15839
    #endif
15840
0
    #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
15841
0
        (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
15842
0
        ECC_MIN_KEY_SZ <= 384
15843
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP384R1MLKEM1024,
15844
0
            ssl->heap, ssl->options.side);
15845
0
        if (ret != WOLFSSL_SUCCESS) return ret;
15846
0
    #endif
15847
0
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
15848
0
        (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
15849
0
        ECC_MIN_KEY_SZ <= 256
15850
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP256R1MLKEM768,
15851
0
            ssl->heap, ssl->options.side);
15852
0
        if (ret != WOLFSSL_SUCCESS) return ret;
15853
0
    #endif
15854
0
    }
15855
0
#endif
15856
15857
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
15858
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_1024) && \
15859
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
15860
    if (IsAtLeastTLSv1_3(ssl->version) &&
15861
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
15862
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024,
15863
                                     ssl->heap, ssl->options.side);
15864
        if (ret != WOLFSSL_SUCCESS) return ret;
15865
    }
15866
#endif
15867
15868
0
#if defined(HAVE_ECC)
15869
    /* list in order by strength, since not all servers choose by strength */
15870
0
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
15871
0
        #ifndef NO_ECC_SECP
15872
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP521R1,
15873
0
                                     ssl->heap, ssl->options.side);
15874
0
        if (ret != WOLFSSL_SUCCESS) return ret;
15875
0
        #endif
15876
0
    #endif
15877
0
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
15878
        #ifdef HAVE_ECC_BRAINPOOL
15879
        if (IsAtLeastTLSv1_3(ssl->version)) {
15880
            /* TLS 1.3 BrainpoolP512 curve */
15881
            ret = TLSX_UseSupportedCurve(extensions,
15882
                WOLFSSL_ECC_BRAINPOOLP512R1TLS13, ssl->heap, ssl->options.side);
15883
            if (ret != WOLFSSL_SUCCESS) return ret;
15884
15885
            /* If TLS 1.2 is allowed, also add the TLS 1.2 curve */
15886
            if (ssl->options.downgrade &&
15887
                (ssl->options.minDowngrade <= TLSv1_2_MINOR ||
15888
                    ssl->options.minDowngrade <= DTLSv1_2_MINOR)) {
15889
                ret = TLSX_UseSupportedCurve(extensions,
15890
                    WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap, ssl->options.side);
15891
                if (ret != WOLFSSL_SUCCESS) return ret;
15892
            }
15893
        }
15894
        else {
15895
            /* TLS 1.2 only */
15896
            ret = TLSX_UseSupportedCurve(extensions,
15897
                WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap, ssl->options.side);
15898
            if (ret != WOLFSSL_SUCCESS) return ret;
15899
        }
15900
        #endif
15901
0
    #endif
15902
0
#endif
15903
15904
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
15905
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_768) && \
15906
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
15907
    if (IsAtLeastTLSv1_3(ssl->version) &&
15908
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
15909
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768,
15910
                                     ssl->heap, ssl->options.side);
15911
        if (ret != WOLFSSL_SUCCESS) return ret;
15912
    }
15913
#endif
15914
15915
0
#if defined(HAVE_ECC)
15916
0
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
15917
0
        #ifndef NO_ECC_SECP
15918
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP384R1,
15919
0
            ssl->heap, ssl->options.side);
15920
0
        if (ret != WOLFSSL_SUCCESS) return ret;
15921
0
        #endif
15922
        #ifdef HAVE_ECC_BRAINPOOL
15923
        if (IsAtLeastTLSv1_3(ssl->version)) {
15924
            /* TLS 1.3 BrainpoolP384 curve */
15925
            ret = TLSX_UseSupportedCurve(extensions,
15926
                WOLFSSL_ECC_BRAINPOOLP384R1TLS13, ssl->heap, ssl->options.side);
15927
            if (ret != WOLFSSL_SUCCESS) return ret;
15928
15929
            /* If TLS 1.2 is allowed, also add the TLS 1.2 curve */
15930
            if (ssl->options.downgrade &&
15931
                (ssl->options.minDowngrade <= TLSv1_2_MINOR ||
15932
                    ssl->options.minDowngrade <= DTLSv1_2_MINOR)) {
15933
                ret = TLSX_UseSupportedCurve(extensions,
15934
                    WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap, ssl->options.side);
15935
                if (ret != WOLFSSL_SUCCESS) return ret;
15936
            }
15937
        }
15938
        else {
15939
            /* TLS 1.2 only */
15940
            ret = TLSX_UseSupportedCurve(extensions,
15941
                WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap, ssl->options.side);
15942
            if (ret != WOLFSSL_SUCCESS) return ret;
15943
        }
15944
        #endif
15945
0
    #endif
15946
0
#endif /* HAVE_ECC */
15947
15948
0
#ifndef HAVE_FIPS
15949
    #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
15950
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_X448, ssl->heap,
15951
            ssl->options.side);
15952
        if (ret != WOLFSSL_SUCCESS) return ret;
15953
    #endif
15954
0
#endif /* HAVE_FIPS */
15955
15956
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
15957
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_512) && \
15958
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
15959
    if (IsAtLeastTLSv1_3(ssl->version) &&
15960
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
15961
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512, ssl->heap,
15962
            ssl->options.side);
15963
        if (ret != WOLFSSL_SUCCESS) return ret;
15964
    }
15965
#endif
15966
15967
0
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
15968
0
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
15969
0
        #ifndef NO_ECC_SECP
15970
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP256R1,
15971
0
            ssl->heap, ssl->options.side);
15972
0
        if (ret != WOLFSSL_SUCCESS) return ret;
15973
0
        #endif
15974
        #ifdef HAVE_ECC_KOBLITZ
15975
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP256K1,
15976
            ssl->heap, ssl->options.side);
15977
        if (ret != WOLFSSL_SUCCESS) return ret;
15978
        #endif
15979
        #ifdef HAVE_ECC_BRAINPOOL
15980
        if (IsAtLeastTLSv1_3(ssl->version)) {
15981
            /* TLS 1.3 BrainpoolP256 curve */
15982
            ret = TLSX_UseSupportedCurve(extensions,
15983
                WOLFSSL_ECC_BRAINPOOLP256R1TLS13, ssl->heap, ssl->options.side);
15984
            if (ret != WOLFSSL_SUCCESS) return ret;
15985
15986
            /* If TLS 1.2 is allowed, also add the TLS 1.2 curve */
15987
            if (ssl->options.downgrade &&
15988
                (ssl->options.minDowngrade <= TLSv1_2_MINOR ||
15989
                    ssl->options.minDowngrade <= DTLSv1_2_MINOR)) {
15990
                ret = TLSX_UseSupportedCurve(extensions,
15991
                    WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap, ssl->options.side);
15992
                if (ret != WOLFSSL_SUCCESS) return ret;
15993
            }
15994
        }
15995
        else {
15996
            /* TLS 1.2 only */
15997
            ret = TLSX_UseSupportedCurve(extensions,
15998
                WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap, ssl->options.side);
15999
            if (ret != WOLFSSL_SUCCESS) return ret;
16000
        }
16001
        #endif
16002
        #if !defined(HAVE_FIPS) && defined(WOLFSSL_SM2)
16003
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SM2P256V1,
16004
            ssl->heap, ssl->options.side);
16005
        if (ret != WOLFSSL_SUCCESS) return ret;
16006
        #endif
16007
0
    #endif
16008
0
#endif /* HAVE_ECC */
16009
16010
0
#ifndef HAVE_FIPS
16011
    #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
16012
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_X25519,
16013
            ssl->heap, ssl->options.side);
16014
        if (ret != WOLFSSL_SUCCESS) return ret;
16015
    #endif
16016
0
#endif /* HAVE_FIPS */
16017
16018
0
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
16019
0
    #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
16020
0
        #ifndef NO_ECC_SECP
16021
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP224R1,
16022
0
            ssl->heap, ssl->options.side);
16023
0
        if (ret != WOLFSSL_SUCCESS) return ret;
16024
0
        #endif
16025
        #ifdef HAVE_ECC_KOBLITZ
16026
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP224K1,
16027
            ssl->heap, ssl->options.side);
16028
        if (ret != WOLFSSL_SUCCESS) return ret;
16029
        #endif
16030
0
    #endif
16031
16032
0
    #ifndef HAVE_FIPS
16033
        #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
16034
            #ifndef NO_ECC_SECP
16035
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP192R1,
16036
                    ssl->heap, ssl->options.side);
16037
                if (ret != WOLFSSL_SUCCESS) return ret;
16038
            #endif
16039
            #ifdef HAVE_ECC_KOBLITZ
16040
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP192K1,
16041
                    ssl->heap, ssl->options.side);
16042
                if (ret != WOLFSSL_SUCCESS) return ret;
16043
            #endif
16044
        #endif
16045
        #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
16046
            #ifndef NO_ECC_SECP
16047
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP160R1,
16048
                    ssl->heap, ssl->options.side);
16049
                if (ret != WOLFSSL_SUCCESS) return ret;
16050
            #endif
16051
            #ifdef HAVE_ECC_SECPR2
16052
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP160R2,
16053
                    ssl->heap, ssl->options.side);
16054
                if (ret != WOLFSSL_SUCCESS) return ret;
16055
            #endif
16056
            #ifdef HAVE_ECC_KOBLITZ
16057
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP160K1,
16058
                    ssl->heap, ssl->options.side);
16059
                if (ret != WOLFSSL_SUCCESS) return ret;
16060
            #endif
16061
        #endif
16062
0
    #endif /* HAVE_FIPS */
16063
0
#endif /* HAVE_ECC */
16064
16065
0
#ifndef NO_DH
16066
        /* Add FFDHE supported groups. */
16067
    #ifdef HAVE_FFDHE_8192
16068
        if (8192/8 >= ssl->options.minDhKeySz &&
16069
                                        8192/8 <= ssl->options.maxDhKeySz) {
16070
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_8192,
16071
                ssl->heap, ssl->options.side);
16072
            if (ret != WOLFSSL_SUCCESS)
16073
                return ret;
16074
        }
16075
    #endif
16076
    #ifdef HAVE_FFDHE_6144
16077
        if (6144/8 >= ssl->options.minDhKeySz &&
16078
                                        6144/8 <= ssl->options.maxDhKeySz) {
16079
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_6144,
16080
                ssl->heap, ssl->options.side);
16081
            if (ret != WOLFSSL_SUCCESS)
16082
                return ret;
16083
        }
16084
    #endif
16085
    #ifdef HAVE_FFDHE_4096
16086
        if (4096/8 >= ssl->options.minDhKeySz &&
16087
                                        4096/8 <= ssl->options.maxDhKeySz) {
16088
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_4096,
16089
                ssl->heap, ssl->options.side);
16090
            if (ret != WOLFSSL_SUCCESS)
16091
                return ret;
16092
        }
16093
    #endif
16094
    #ifdef HAVE_FFDHE_3072
16095
        if (3072/8 >= ssl->options.minDhKeySz &&
16096
                                        3072/8 <= ssl->options.maxDhKeySz) {
16097
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_3072,
16098
                ssl->heap, ssl->options.side);
16099
            if (ret != WOLFSSL_SUCCESS)
16100
                return ret;
16101
        }
16102
    #endif
16103
0
    #ifdef HAVE_FFDHE_2048
16104
0
        if (2048/8 >= ssl->options.minDhKeySz &&
16105
0
                                        2048/8 <= ssl->options.maxDhKeySz) {
16106
0
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_2048,
16107
0
                ssl->heap, ssl->options.side);
16108
0
            if (ret != WOLFSSL_SUCCESS)
16109
0
                return ret;
16110
0
        }
16111
0
    #endif
16112
0
#endif
16113
16114
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
16115
    !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_EXTRA_PQC_HYBRIDS)
16116
    if (IsAtLeastTLSv1_3(ssl->version) &&
16117
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
16118
#if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
16119
    (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
16120
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP521R1MLKEM1024,
16121
                                     ssl->heap, ssl->options.side);
16122
        if (ret != WOLFSSL_SUCCESS) return ret;
16123
#endif
16124
#if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
16125
    (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
16126
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP384R1MLKEM768,
16127
                                     ssl->heap, ssl->options.side);
16128
        if (ret != WOLFSSL_SUCCESS) return ret;
16129
#endif
16130
#if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE448) && \
16131
    ECC_MIN_KEY_SZ <= 448
16132
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X448MLKEM768,
16133
                                     ssl->heap, ssl->options.side);
16134
        if (ret != WOLFSSL_SUCCESS) return ret;
16135
#endif
16136
#if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_ECC) && \
16137
    (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
16138
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP256R1MLKEM512,
16139
                                     ssl->heap, ssl->options.side);
16140
        if (ret != WOLFSSL_SUCCESS) return ret;
16141
#endif
16142
#if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_CURVE25519) && \
16143
    ECC_MIN_KEY_SZ <= 256
16144
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519MLKEM512,
16145
                                     ssl->heap, ssl->options.side);
16146
        if (ret != WOLFSSL_SUCCESS) return ret;
16147
#endif
16148
    }
16149
#endif
16150
16151
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
16152
    defined(WOLFSSL_MLKEM_KYBER)
16153
    if (IsAtLeastTLSv1_3(ssl->version) &&
16154
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
16155
#ifdef WOLFSSL_KYBER1024
16156
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL5,
16157
                                     ssl->heap, ssl->options.side);
16158
        if (ret != WOLFSSL_SUCCESS) return ret;
16159
#if defined(HAVE_ECC) && (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
16160
    ECC_MIN_KEY_SZ <= 521
16161
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_KYBER_LEVEL5,
16162
                                     ssl->heap, ssl->options.side);
16163
        if (ret != WOLFSSL_SUCCESS) return ret;
16164
#endif
16165
#endif
16166
#ifdef WOLFSSL_KYBER768
16167
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL3,
16168
                                     ssl->heap, ssl->options.side);
16169
        if (ret != WOLFSSL_SUCCESS) return ret;
16170
#if defined(HAVE_ECC) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
16171
        ECC_MIN_KEY_SZ <= 384
16172
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_KYBER_LEVEL3,
16173
                                     ssl->heap, ssl->options.side);
16174
        if (ret != WOLFSSL_SUCCESS) return ret;
16175
#endif
16176
#if defined(HAVE_ECC) && (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
16177
    ECC_MIN_KEY_SZ <= 256
16178
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_KYBER_LEVEL3,
16179
                                     ssl->heap, ssl->options.side);
16180
        if (ret != WOLFSSL_SUCCESS) return ret;
16181
#endif
16182
#if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
16183
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519_KYBER_LEVEL3,
16184
                                     ssl->heap, ssl->options.side);
16185
        if (ret != WOLFSSL_SUCCESS) return ret;
16186
#endif
16187
#if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
16188
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X448_KYBER_LEVEL3,
16189
                                     ssl->heap, ssl->options.side);
16190
        if (ret != WOLFSSL_SUCCESS) return ret;
16191
#endif
16192
#endif
16193
#ifdef WOLFSSL_KYBER512
16194
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL1,
16195
                                     ssl->heap, ssl->options.side);
16196
        if (ret != WOLFSSL_SUCCESS) return ret;
16197
#if defined(HAVE_ECC) && (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
16198
    ECC_MIN_KEY_SZ <= 256
16199
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_KYBER_LEVEL1,
16200
                                     ssl->heap, ssl->options.side);
16201
        if (ret != WOLFSSL_SUCCESS) return ret;
16202
#endif
16203
#if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
16204
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519_KYBER_LEVEL1,
16205
                                     ssl->heap, ssl->options.side);
16206
        if (ret != WOLFSSL_SUCCESS) return ret;
16207
#endif
16208
#endif
16209
    }
16210
#endif
16211
16212
0
    (void)ssl;
16213
0
    (void)extensions;
16214
16215
0
    return ret;
16216
0
}
16217
16218
#endif /* HAVE_SUPPORTED_CURVES */
16219
16220
/* Build the initial TLS extension list (ssl->extensions) for a handshake.
 *
 * Client (isServer == 0): adds the extensions that do not depend on what the
 * peer sends: RPK certificate types, Encrypt-then-MAC, the default
 * supported_groups list (unless the user configured curves), EC point
 * formats, DTLS-SRTP and CKS. For TLS 1.3 clients it then adds
 * supported_versions, signature_algorithms_cert, a key_share (or an empty
 * key_share to force a HelloRetryRequest), pre_shared_key from a resumption
 * ticket or from the PSK callbacks, psk_key_exchange_modes,
 * post_handshake_auth and ECH / GREASE ECH.
 * Both sides: signature_algorithms and, for TLS 1.3, certificate_authorities.
 * A TLS 1.3 server with ECH configs on its context adds the ECH response.
 *
 * Key material returned by a PSK callback is left in ssl->arrays->psk_key /
 * psk_keySz; this function only records the identity in the extension.
 *
 * @param ssl       connection whose extension list is extended in place.
 * @param isServer  non-zero on the server side; the server adds most of its
 *                  extensions later, in response to the parsed ClientHello.
 * @return 0 on success, otherwise the first non-zero error from a failing
 *         TLSX_*_Use/Set/Push helper, GETTIME_ERROR, or PSK_KEY_ERROR.
 *         Failures are reported by an early return; nothing allocated here
 *         needs freeing on that path because every extension that was added
 *         is already owned by ssl->extensions.
 */
int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
{
    int ret = 0;
    /* Never assigned in any configuration visible here; only (void)-ed at the
     * end to keep the build quiet. */
    byte* public_key      = NULL;
    word16 public_key_len = 0;
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
    /* Set once a pre_shared_key extension has actually been added. */
    int usingPSK = 0;
#endif
#if defined(HAVE_SUPPORTED_CURVES) && defined(WOLFSSL_TLS13)
    TLSX* extension = NULL;
    word16 namedGroup = WOLFSSL_NAMED_GROUP_INVALID;
#endif

    /* server will add extension depending on what is parsed from client */
    if (!isServer) {
#if defined(HAVE_RPK)
        ret = TLSX_ClientCertificateType_Use(ssl, isServer);
        if (ret != 0)
            return ret;

        ret = TLSX_ServerCertificateType_Use(ssl, isServer);
        if (ret != 0)
            return ret;
#endif /* HAVE_RPK */

#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) && \
    !defined(WOLFSSL_NO_TLS12)
        if (!ssl->options.disallowEncThenMac) {
            ret = TLSX_EncryptThenMac_Use(ssl);
            if (ret != 0)
                return ret;
        }
#endif

#if defined(HAVE_SUPPORTED_CURVES)
        /* Install the library's default group list only when neither the
         * session nor the context was given an explicit curve list and the
         * context does not already carry a supported_groups extension. */
        if (!ssl->options.userCurves && !ssl->ctx->userCurves) {
            if (TLSX_Find(ssl->ctx->extensions,
                                               TLSX_SUPPORTED_GROUPS) == NULL) {
                /* This helper reports success as WOLFSSL_SUCCESS, not 0; the
                 * leftover value in ret is overwritten by the
                 * signature_algorithms step below. */
                ret = TLSX_PopulateSupportedGroups(ssl, &ssl->extensions);
                if (ret != WOLFSSL_SUCCESS)
                    return ret;
            }
        }
    #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
        /* ec_point_formats is only meaningful when TLS 1.2 (or older) may be
         * negotiated, i.e. not a strict TLS 1.3 connection. */
        if ((!IsAtLeastTLSv1_3(ssl->version) || ssl->options.downgrade) &&
               TLSX_Find(ssl->ctx->extensions, TLSX_EC_POINT_FORMATS) == NULL &&
               TLSX_Find(ssl->extensions, TLSX_EC_POINT_FORMATS) == NULL) {
            ret = TLSX_UsePointFormat(&ssl->extensions,
                                         WOLFSSL_EC_PF_UNCOMPRESSED, ssl->heap);
            if (ret != WOLFSSL_SUCCESS)
                return ret;
        }
    #endif
#endif /* HAVE_SUPPORTED_CURVES */

#ifdef WOLFSSL_SRTP
        if (ssl->options.dtls && ssl->dtlsSrtpProfiles != 0) {
            WOLFSSL_MSG("Adding DTLS SRTP extension");
            if ((ret = TLSX_UseSRTP(&ssl->extensions, ssl->dtlsSrtpProfiles,
                                                                ssl->heap)) != 0) {
                return ret;
            }
        }
#endif
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
        if ((IsAtLeastTLSv1_3(ssl->version)) && (ssl->sigSpec != NULL)) {
            WOLFSSL_MSG("Adding CKS extension");
            if ((ret = TLSX_UseCKS(&ssl->extensions, ssl, ssl->heap)) != 0) {
                return ret;
            }
        }
#endif
    } /* is not server */

#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
    WOLFSSL_MSG("Adding signature algorithms extension");
    if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, ssl->heap))
                                                                         != 0) {
            return ret;
    }
#else
    /* Also clears any WOLFSSL_SUCCESS left in ret by the group setup above. */
    ret = 0;
#endif
#ifdef WOLFSSL_TLS13
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
        if (IsAtLeastTLSv1_3(ssl->version) &&
                SSL_PRIORITY_CA_NAMES(ssl) != NULL) {
            WOLFSSL_MSG("Adding certificate authorities extension");
            if ((ret = TLSX_Push(&ssl->extensions,
                    TLSX_CERTIFICATE_AUTHORITIES, ssl, ssl->heap)) != 0) {
                    return ret;
            }
        }
    #endif
        /* TLS 1.3 client-only extensions. */
        if (!isServer && IsAtLeastTLSv1_3(ssl->version)) {
            /* Add mandatory TLS v1.3 extension: supported version */
            WOLFSSL_MSG("Adding supported versions extension");
            if ((ret = TLSX_SetSupportedVersions(&ssl->extensions, ssl,
                                                             ssl->heap)) != 0) {
                return ret;
            }

        #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
            if (ssl->certHashSigAlgoSz > 0) {
                WOLFSSL_MSG("Adding signature algorithms cert extension");
                if ((ret = TLSX_SetSignatureAlgorithmsCert(&ssl->extensions,
                                                        ssl, ssl->heap)) != 0) {
                    return ret;
                }
            }
        #endif

        #if defined(HAVE_SUPPORTED_CURVES)
            /* Pick the group for the single key_share entry: an existing
             * key_share wins, then the resumed session's group, then the
             * user's ordered group list, then the library default. */
            extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
            if (extension == NULL) {
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                if (ssl->options.resuming && ssl->session->namedGroup != 0)
                    namedGroup = ssl->session->namedGroup;
                else
            #endif
                if (ssl->numGroups > 0) {
                    int set = 0;
                    int i, j;

                    /* Find the first element of ssl->group[] that is also
                     * present in preferredGroup[]. The user's ranking wins;
                     * if nothing intersects, send no key share and let the
                     * server drive group selection via HRR. */
                    namedGroup = WOLFSSL_NAMED_GROUP_INVALID;
                    for (i = 0; i < ssl->numGroups && !set; i++) {
                        /* preferredGroup[] is scanned up to its
                         * WOLFSSL_NAMED_GROUP_INVALID terminator. */
                        for (j = 0; preferredGroup[j] != WOLFSSL_NAMED_GROUP_INVALID; j++) {
                            if (preferredGroup[j] == ssl->group[i]) {
                                namedGroup = ssl->group[i];
                                set = 1;
                                break;
                            }
                        }
                    }
                }
                else {
                    /* Choose the most preferred group. */
                    namedGroup = WOLFSSL_KEY_SHARE_DEFAULT_GROUP;
                }
            }
            else {
                /* A key_share was already installed (e.g. by the caller);
                 * reuse its group rather than adding a second entry. */
                KeyShareEntry* kse = (KeyShareEntry*)extension->data;
                if (kse)
                    namedGroup = kse->group;
            }
            if (namedGroup != WOLFSSL_NAMED_GROUP_INVALID) {
                ret = TLSX_KeyShare_Use(ssl, namedGroup, 0, NULL, NULL,
                        &ssl->extensions);
            }
            else {
                /* No suitable key share group found, send no key share to
                 * trigger a HRR with the server's preferred group. */
                WOLFSSL_MSG("Sending no key share to trigger HRR");
                ret = TLSX_KeyShare_Empty(ssl);
            }
            if (ret != 0)
                return ret;
        #endif /* HAVE_SUPPORTED_CURVES */

        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            /* Drop any stale pre_shared_key before rebuilding it below. */
            TLSX_Remove(&ssl->extensions, TLSX_PRE_SHARED_KEY, ssl->heap);
        #endif
        #if defined(HAVE_SESSION_TICKET)
            /* Ticket-based resumption: identity is the ticket itself,
             * obfuscated age is computed from when the ticket was received. */
            if (ssl->options.resuming && ssl->session->ticketLen > 0
        #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK)
                && !ssl->options.certWithExternPsk
        #endif
            ) {
                WOLFSSL_SESSION* sess = ssl->session;
            #ifdef WOLFSSL_32BIT_MILLI_TIME
                word32 now, milli;
            #else
                word64 now, milli;
            #endif

                /* Determine the MAC algorithm for the cipher suite used. */
                ssl->options.cipherSuite0 = sess->cipherSuite0;
                ssl->options.cipherSuite  = sess->cipherSuite;
                ret = SetCipherSpecs(ssl);
                if (ret != 0)
                    return ret;
                /* Under WOLFSSL_32BIT_MILLI_TIME 'now' is word32, so the
                 * word64 cast is narrowed again on assignment. */
                now = (word64)TimeNowInMilliseconds();
                if (now == 0)
                    return GETTIME_ERROR;
            #ifdef WOLFSSL_32BIT_MILLI_TIME
                /* 32-bit millisecond clock may have wrapped since the ticket
                 * was seen; compute the elapsed time modulo 2^32. */
                if (now < sess->ticketSeen)
                    milli = (0xFFFFFFFFU - sess->ticketSeen) + 1 + now;
                else
                    milli = now - sess->ticketSeen;
                /* ticketAdd is the server-supplied age obfuscation. */
                milli += sess->ticketAdd;

                /* Pre-shared key is mandatory extension for resumption. */
                ret = TLSX_PreSharedKey_Use(&ssl->extensions, sess->ticket,
                    sess->ticketLen, milli, ssl->specs.mac_algorithm,
                    ssl->options.cipherSuite0, ssl->options.cipherSuite, 1,
                    NULL, ssl->heap);
            #else
                milli = now - sess->ticketSeen + sess->ticketAdd;

                /* Pre-shared key is mandatory extension for resumption. */
                ret = TLSX_PreSharedKey_Use(&ssl->extensions, sess->ticket,
                    sess->ticketLen, (word32)milli, ssl->specs.mac_algorithm,
                    ssl->options.cipherSuite0, ssl->options.cipherSuite, 1,
                    NULL, ssl->heap);
            #endif
                if (ret != 0)
                    return ret;

                usingPSK = 1;
            }
        #endif
    #ifndef NO_PSK
        #ifndef WOLFSSL_PSK_ONE_ID
            /* Per-cipher-suite PSK callback: offer one identity (or several,
             * with WOLFSSL_PSK_MULTI_ID_PER_CS) for every eligible suite. */
            if (ssl->options.client_psk_cs_cb != NULL) {
                int i;
                const Suites* suites = WOLFSSL_SUITES(ssl);
                /* Suites are stored as (first byte, second byte) pairs. */
                for (i = 0; i < suites->suiteSz; i += 2) {
                    byte cipherSuite0 = suites->suites[i + 0];
                    byte cipherSuite = suites->suites[i + 1];
                    unsigned int keySz;
                #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
                    int cnt = 0;
                #endif

                    /* Skip suites that cannot be used with a TLS 1.3 PSK:
                     * only the NULL-cipher, SM4 and TLS13_BYTE families pass. */
                #ifdef HAVE_NULL_CIPHER
                    if (cipherSuite0 == ECC_BYTE ||
                        cipherSuite0 == ECDHE_PSK_BYTE) {
                        if (cipherSuite != TLS_SHA256_SHA256 &&
                                             cipherSuite != TLS_SHA384_SHA384) {
                            continue;
                        }
                    }
                    else
                #endif
                #if (defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)) && \
                    defined(WOLFSSL_SM3)
                    if (cipherSuite0 == CIPHER_BYTE) {
                        if ((cipherSuite != TLS_SM4_GCM_SM3) &&
                            (cipherSuite != TLS_SM4_CCM_SM3)) {
                            continue;
                        }
                    }
                    else
                #endif
                    if (cipherSuite0 != TLS13_BYTE)
                        continue;

                #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
                    do {
                        /* presumably the first byte tells the callback which
                         * identity for this suite is being requested — verify
                         * against the callback contract. */
                        ssl->arrays->client_identity[0] = cnt;
                #endif

                        /* Force NUL termination at the buffer limit so the
                         * XSTRLEN below is bounded even if the callback fills
                         * the whole identity buffer. */
                        ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0';
                        keySz = ssl->options.client_psk_cs_cb(
                            ssl, ssl->arrays->server_hint,
                            ssl->arrays->client_identity, MAX_PSK_ID_LEN,
                            ssl->arrays->psk_key, MAX_PSK_KEY_LEN,
                            GetCipherNameInternal(cipherSuite0, cipherSuite));
                        /* keySz == 0 means "no PSK for this suite". */
                        if (keySz > 0) {
                            /* NOTE(review): unlike the client_psk_cb path
                             * below, keySz is not compared with
                             * MAX_PSK_KEY_LEN here before being stored;
                             * confirm the bound is enforced by the callback
                             * contract or by the later consumer of psk_key. */
                            ssl->arrays->psk_keySz = keySz;
                            ret = TLSX_PreSharedKey_Use(&ssl->extensions,
                                (byte*)ssl->arrays->client_identity,
                                (word16)XSTRLEN(ssl->arrays->client_identity),
                                0, SuiteMac(WOLFSSL_SUITES(ssl)->suites + i),
                                cipherSuite0, cipherSuite, 0, NULL, ssl->heap);
                            if (ret != 0)
                                return ret;
                #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
                            cnt++;
                #endif
                        }
                #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
                    }
                    /* Keep asking until the callback reports no more
                     * identities for this suite. */
                    while (keySz > 0);
                #endif
                }

                usingPSK = 1;
            }
            else
        #endif
            /* Single-identity PSK callbacks (plain or TLS 1.3 variant). */
            if (ssl->options.client_psk_cb != NULL ||
                ssl->options.client_psk_tls13_cb != NULL) {
                /* Default cipher suite. */
                byte cipherSuite0 = TLS13_BYTE;
                byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER;
                int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE;
                const char* cipherName = NULL;

                if (ssl->options.client_psk_tls13_cb != NULL) {
                    /* The TLS 1.3 callback also names the cipher suite; an
                     * unknown name is a hard error. */
                    ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb(
                        ssl, ssl->arrays->server_hint,
                        ssl->arrays->client_identity, MAX_PSK_ID_LEN,
                        ssl->arrays->psk_key, MAX_PSK_KEY_LEN, &cipherName);
                    if (GetCipherSuiteFromName(cipherName, &cipherSuite0,
                            &cipherSuite, NULL, NULL, &cipherSuiteFlags) != 0) {
                        return PSK_KEY_ERROR;
                    }
                }
                else {
                    ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
                        ssl->arrays->server_hint, ssl->arrays->client_identity,
                        MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
                }
                /* Reject a reported key length larger than the buffer,
                 * unless it is the USE_HW_PSK sentinel (key held in hardware).
                 * NOTE(review): with OPENSSL_EXTRA both the 0-length and the
                 * over-length case fall through silently with no PSK added
                 * and ret untouched; confirm that is the intended behaviour
                 * for the over-length case. */
                if (
                #ifdef OPENSSL_EXTRA
                    /* OpenSSL treats a PSK key length of 0
                     * to indicate no PSK available.
                     */
                    ssl->arrays->psk_keySz == 0 ||
                #endif
                         (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN &&
                     (int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) {
                #ifndef OPENSSL_EXTRA
                    ret = PSK_KEY_ERROR;
                #endif
                }
                else {
                    /* Bound the identity string before XSTRLEN below. */
                    ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0';

                    ssl->options.cipherSuite0 = cipherSuite0;
                    ssl->options.cipherSuite  = cipherSuite;
                    (void)cipherSuiteFlags;
                    /* Needed so ssl->specs.mac_algorithm matches the suite. */
                    ret = SetCipherSpecs(ssl);
                    if (ret == 0) {
                        ret = TLSX_PreSharedKey_Use(
                            &ssl->extensions,
                                     (byte*)ssl->arrays->client_identity,
                            (word16)XSTRLEN(ssl->arrays->client_identity),
                            0, ssl->specs.mac_algorithm,
                            cipherSuite0, cipherSuite, 0,
                            NULL, ssl->heap);
                    }
                    if (ret == 0)
                        usingPSK = 1;
                }
                if (ret != 0)
                    return ret;
            }
    #endif /* !NO_PSK */
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)

            /* Some servers do not generate session tickets unless
             * the extension is seen in a non-resume client hello.
             * We used to send it only if we were otherwise using PSK.
             * Now always send it. Define NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
             * to revert to the old behaviour. */
            #ifdef NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
            if (usingPSK)
            #endif
            {
                /* Bit set of PSK_KE / PSK_DHE_KE modes offered. */
                byte modes = 0;

                (void)usingPSK;
                /* Pre-shared key modes: mandatory extension for resumption. */
            #ifdef HAVE_SUPPORTED_CURVES
                if (!ssl->options.onlyPskDheKe)
            #endif
                {
                    modes = 1 << PSK_KE;
                }
            #if !defined(NO_DH) || defined(HAVE_ECC) || \
                          defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
                if (!ssl->options.noPskDheKe) {
                    modes |= 1 << PSK_DHE_KE;
                }
            #endif
            #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK)
                if (ssl->options.certWithExternPsk) {
                    /* RFC8773bis requires psk_dhe_ke with cert_with_extern_psk. */
                    modes |= 1 << PSK_DHE_KE;
                }
            #endif
                ret = TLSX_PskKeyModes_Use(ssl, modes);
                if (ret != 0)
                    return ret;
            }

        #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK)
            if (usingPSK && ssl->options.certWithExternPsk) {
                ret = TLSX_CertWithExternPsk_Use(ssl);
                if (ret != 0)
                    return ret;
                /* Require server confirmation before using cert-with-PSK path. */
                ssl->options.certWithExternPsk = 0;
            }
        #endif
        #endif
        #if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
            if (!isServer && ssl->options.postHandshakeAuth) {
                ret = TLSX_PostHandAuth_Use(ssl);
                if (ret != 0)
                    return ret;
            }
        #endif
#if defined(HAVE_ECH)
            /* GREASE ECH */
            /* Without client ECH configs send a GREASE ECH, otherwise a real
             * one. The result is not checked here; it reaches the caller via
             * the final 'return ret' since nothing below overwrites it. */
            if (!ssl->options.disableECH) {
                if (ssl->echConfigs == NULL) {
                    ret = GREASE_ECH_USE(&(ssl->extensions), ssl->heap,
                            ssl->rng);
                }
                /* The condition is always true here (the NULL case was taken
                 * above), so this is effectively a plain 'else'. */
                else if (ssl->echConfigs != NULL) {
                    ret = ECH_USE(ssl->echConfigs, &(ssl->extensions),
                            ssl->heap, ssl->rng);
                }
            }
#endif
        }
#if defined(HAVE_ECH)
        /* TLS 1.3 server: answer ECH when the context carries configs. */
        else if (IsAtLeastTLSv1_3(ssl->version)) {
            if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
                ret = SERVER_ECH_USE(&(ssl->extensions), ssl->heap,
                    ssl->ctx->echConfigs);

                if (ret == 0)
                    TLSX_SetResponse(ssl, TLSX_ECH);
            }
        }
#endif

#endif

    /* Silence unused-variable warnings in configurations that compile out
     * the code paths above. */
    (void)isServer;
    (void)public_key;
    (void)public_key_len;
    (void)ssl;

    return ret;
}
#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT)
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
/* Replace the inner ServerName (SNI) with the ECH config's public name so the
 * outer ClientHello only carries the public name.
 *
 * The ECH extension is looked up on ssl->extensions first, then on
 * ssl->ctx->extensions. The swap is only performed when a real ECH is in use
 * (ssl->echConfigs != NULL) and the ECH entry is of type ECH_TYPE_OUTER; for
 * GREASE ECH or an inner ECH nothing is modified.
 *
 * ssl           SSL object supplying the extension lists and heap.
 * pEchX         Out: the ECH extension found, or NULL.
 * serverName    Out: receives a NUL-terminated copy of the inner host name.
 *               Must have room for WOLFSSL_HOST_NAME_MAX bytes.
 * pServerNameX  Out: the inner SNI extension found, or NULL.
 * pExtensions   Out: the list (&ssl->extensions or &ssl->ctx->extensions) the
 *               SNI was found on, or NULL. Hand this back to
 *               TLSX_EchRestoreSNI to undo the swap.
 *
 * Returns 0 on success; BAD_FUNC_ARG when an outer ECH is configured but no
 * inner SNI exists; BAD_LENGTH_E when the inner host name does not fit in
 * serverName; otherwise the error returned by TLSX_UseSNI.
 * The three out-parameters are written on every path, including failure.
 *
 * NOTE(review): when the SNI lives on ssl->ctx->extensions, TLSX_Remove below
 * mutates the context's shared list, and callers skip TLSX_EchRestoreSNI when
 * this function returns non-zero. If TLSX_UseSNI fails after the remove, the
 * context's SNI entry is therefore not put back — confirm this is intended.
 */
static int TLSX_EchChangeSNI(WOLFSSL* ssl, TLSX** pEchX,
                             char* serverName, TLSX** pServerNameX,
                             TLSX*** pExtensions)
{
    int ret = 0;
    TLSX* echX = NULL;
    TLSX* serverNameX = NULL;
    TLSX** extensions = NULL;

    /* calculate the rest of the extensions length with inner ech */
    if (ssl->extensions)
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);

    if (echX == NULL && ssl->ctx && ssl->ctx->extensions)
        /* if not NULL the semaphore will stop it from being counted */
        echX = TLSX_Find(ssl->ctx->extensions, TLSX_ECH);

    /* if type is outer and this is a real ECH then change sni to public name */
    if (echX != NULL && ssl->echConfigs != NULL &&
        ((WOLFSSL_ECH*)echX->data)->type == ECH_TYPE_OUTER) {
        /* Prefer the per-connection SNI; fall back to the context's one. */
        if (ssl->extensions) {
            serverNameX = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME);

            if (serverNameX != NULL)
                extensions = &ssl->extensions;
        }

        if (serverNameX == NULL && ssl->ctx && ssl->ctx->extensions) {
            serverNameX = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
            if (serverNameX != NULL)
                extensions = &ssl->ctx->extensions;
        }

        /* ECH requires an inner SNI to be present for ClientHelloInner.
         * Without it, fail instead of mutating extension lists. */
        if (serverNameX == NULL) {
            ret = BAD_FUNC_ARG;
        }

        /* store the inner server name; the copy includes the terminator and
         * is bounded by the caller's WOLFSSL_HOST_NAME_MAX buffer */
        if (ret == 0 && serverNameX != NULL) {
            char* hostName = ((SNI*)serverNameX->data)->data.host_name;
            word32 hostNameSz = (word32)XSTRLEN(hostName) + 1;

            if (hostNameSz > WOLFSSL_HOST_NAME_MAX)
                ret = BAD_LENGTH_E;
            else
                XMEMCPY(serverName, hostName, hostNameSz);
        }

        /* only swap the SNI if one was found; extensions is non-NULL if an
         * SNI entry was found on ssl->extensions or ctx->extensions */
        if (ret == 0 && extensions != NULL) {
            /* remove the inner server name */
            TLSX_Remove(extensions, TLSX_SERVER_NAME, ssl->heap);

            /* set the public name as the server name; TLSX_UseSNI reports
             * WOLFSSL_SUCCESS, which is normalised to 0 for our callers */
            if ((ret = TLSX_UseSNI(extensions, WOLFSSL_SNI_HOST_NAME,
                    ((WOLFSSL_ECH*)echX->data)->echConfig->publicName,
                    XSTRLEN(((WOLFSSL_ECH*)echX->data)->echConfig->publicName),
                    ssl->heap)) == WOLFSSL_SUCCESS)
                ret = 0;
        }
    }
    *pServerNameX = serverNameX;
    *pExtensions = extensions;
    *pEchX = echX;
    return ret;
}
/* Undo TLSX_EchChangeSNI: drop the publicName SNI that was injected and put
 * the saved inner host name back on the same extension list.
 *
 * ssl          SSL object supplying the heap.
 * serverName   NUL-terminated inner host name saved by TLSX_EchChangeSNI.
 * serverNameX  The inner SNI entry that was found, or NULL when there was
 *              none; used only as a presence flag, never dereferenced.
 * extensions   The list the SNI was swapped on, or NULL.
 *
 * Returns 0 on success (including when there is nothing to restore), or the
 * error returned by TLSX_UseSNI.
 */
static int TLSX_EchRestoreSNI(WOLFSSL* ssl, char* serverName,
                              TLSX* serverNameX, TLSX** extensions)
{
    int rc;

    /* Whatever SNI entry currently sits on the list is the injected public
     * name; remove it whether or not an inner name is about to be restored. */
    if (extensions != NULL) {
        TLSX_Remove(extensions, TLSX_SERVER_NAME, ssl->heap);
    }

    /* No inner SNI was saved, so there is nothing to put back. */
    if (serverNameX == NULL) {
        return 0;
    }

    rc = TLSX_UseSNI(extensions, WOLFSSL_SNI_HOST_NAME, serverName,
                     XSTRLEN(serverName), ssl->heap);

    /* TLSX_UseSNI signals success with WOLFSSL_SUCCESS; callers expect 0. */
    return (rc == WOLFSSL_SUCCESS) ? 0 : rc;
}
/* Decide whether an extension type may be referenced from
 * ech_outer_extensions instead of being repeated verbatim in the inner hello.
 *
 * type  The TLSX_* extension type.
 *
 * Returns 1 if the extension may be encoded into ech_outer_extensions,
 * 0 otherwise. The excluded set is: server_name, ALPN, supported_versions,
 * ECH itself, plus pre_shared_key and early_data when those are built in.
 */
static int TLSX_ECH_IsEncodable(word16 type)
{
    int encodable = 1;

    /* supported_versions being here prevents the inner hello from advertising
     * a version less than TLS1.3 */
    if (type == TLSX_SERVER_NAME ||
        type == TLSX_APPLICATION_LAYER_PROTOCOL ||
        type == TLSX_SUPPORTED_VERSIONS ||
        type == TLSX_ECH) {
        encodable = 0;
    }
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    if (type == TLSX_PRE_SHARED_KEY) {
        encodable = 0;
    }
#endif
#ifdef WOLFSSL_EARLY_DATA
    if (type == TLSX_EARLY_DATA) {
        encodable = 0;
    }
#endif

    return encodable;
}
/* find extensions that can be encoded into ech_outer_extensions.
 * If output is non-NULL, then write the encoded form.
 *
 * Layout of OuterExtensions (RFC 9849, S5.1):
 *   2-byte extension_type + 2-byte extension_data length +
 *   1-byte list length    + 2*count bytes of extension types
 *
 * ssl         SSL object; both ssl->extensions and ssl->ctx->extensions are
 *             walked, in that order.
 * semaphore   Extensions already handled (bit on = skip). Read-only here; a
 *             private copy is used so encodeMask may alias it.
 * msgType     Handshake message type; for non-request messages only
 *             extensions flagged as responses (extension->resp) are
 *             considered.
 * output      Destination buffer, or NULL to only compute sizes.
 * pOffset     In/out write offset into output; advanced by the block size
 *             even when output is NULL. May be NULL, in which case nothing
 *             is written and no size is accumulated.
 * outCount    Out: number of extension types referenced.
 * encodeMask  Out: bit turned on for every type that was encoded. May be the
 *             same buffer as semaphore.
 *
 * Returns 0 on success or BUFFER_E when adding the block would push *pOffset
 * past WOLFSSL_MAX_16BIT.
 *
 * NOTE(review): the type list is written into output inside the loop, before
 * the *pOffset overflow check at the end; presumably output was sized by an
 * earlier call with output == NULL — confirm against the callers.
 */
static int TLSX_ECH_BuildOuterExtensions(WOLFSSL* ssl, const byte* semaphore,
    byte msgType, byte* output, word16* pOffset, word16* outCount,
    byte* encodeMask)
{
    TLSX* list;
    TLSX* extension;
    byte* typesStart = NULL;
    int listIdx;
    word16 count = 0;
    byte isRequest = (msgType == client_hello ||
                      msgType == certificate_request);
    byte seen[SEMAPHORE_SIZE];

    /* backup semaphore so it can be aliased by encodeMask */
    XMEMCPY(seen, semaphore, SEMAPHORE_SIZE);

    /* the type list starts after the 5-byte header described above */
    if (output != NULL && pOffset != NULL) {
        typesStart = output + *pOffset
                     + HELLO_EXT_TYPE_SZ + OPAQUE16_LEN + OPAQUE8_LEN;
    }

    for (listIdx = 0; listIdx < 2; listIdx++) {
        list = (listIdx == 0) ? ssl->extensions :
            (ssl->ctx != NULL ? ssl->ctx->extensions : NULL);
        for (extension = list; extension != NULL; extension = extension->next) {
            word16 type = (word16)extension->type;
            word16 semIdx = TLSX_ToSemaphore(type);

            /* OuterExtensions is <2..254>, so reference at most 127 types.
             * This break only leaves the inner loop; the second list then
             * trips the same check on its first entry, so no more types are
             * added. */
            if (count >= 127) {
                WOLFSSL_MSG("ECH: cannot encode more than 127 extensions");
                break;
            }

            if (!isRequest && !extension->resp)
                continue;
            /* first occurrence of a type wins across both lists */
            if (!IS_OFF(seen, semIdx))
                continue;
            TURN_ON(seen, semIdx);
            if (!TLSX_ECH_IsEncodable(type))
                continue;

            if (typesStart != NULL)
                c16toa(type, typesStart + count * OPAQUE16_LEN);
            count++;
            TURN_ON(encodeMask, semIdx);
        }
    }

    if (count > 0 && pOffset != NULL) {
        /* listLen <= 254 here, so it fits the 1-byte list length field */
        word16 listLen = (word16)(OPAQUE16_LEN * count);
        word16 blockSz = (word16)(HELLO_EXT_TYPE_SZ + OPAQUE16_LEN
                                + OPAQUE8_LEN + listLen);
        if ((word32)*pOffset + blockSz > WOLFSSL_MAX_16BIT) {
            WOLFSSL_MSG("ECH OuterExtensions overflows extensions length");
            return BUFFER_E;
        }
        if (output != NULL) {
            byte* hdr = output + *pOffset;
            c16toa(TLSXT_ECH_OUTER_EXTENSIONS, hdr);
            c16toa((word16)(OPAQUE8_LEN + listLen), hdr + OPAQUE16_LEN);
            hdr[OPAQUE16_LEN + OPAQUE16_LEN] = (byte)listLen;
        }

        /* accumulate offset even if nothing is written */
        *pOffset += blockSz;
    }

    *outCount = count;
    return 0;
}
/* Size the ClientHello extensions when ECH is in play.
 *
 * Because the size of ECH depends on the size of the other extensions, the
 * inner SNI is temporarily swapped for the public name, the extensions are
 * sized, and the SNI is restored before returning.
 *
 * ssl        SSL object.
 * semaphore  In/out: extensions already accounted for (bit on = skip). When
 *            the inner hello is written in encoded form, every encodable
 *            extension is turned on here so later passes skip it.
 * msgType    Handshake message type being sized.
 * pLength    In/out accumulated extension length.
 *
 * Returns 0 on success, MEMORY_E if the temporary name buffer cannot be
 * allocated, or the first error from the SNI swap, the size passes or the
 * SNI restore (a sizing error takes precedence over a restore error).
 */
static int TLSX_GetSizeWithEch(WOLFSSL* ssl, byte* semaphore, byte msgType,
    word16* pLength)
{
    int ret = 0;
    int sniRet;
    TLSX* echX = NULL;
    TLSX* serverNameX = NULL;
    TLSX** extensions = NULL;
    WC_DECLARE_VAR(serverName, char, WOLFSSL_HOST_NAME_MAX, 0);

    WC_ALLOC_VAR_EX(serverName, char, WOLFSSL_HOST_NAME_MAX, NULL,
                    DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E);

    sniRet = TLSX_EchChangeSNI(ssl, &echX, serverName, &serverNameX,
                               &extensions);

    if (sniRet == 0) {
        WOLFSSL_ECH* ech = (echX != NULL) ? (WOLFSSL_ECH*)echX->data : NULL;
        word16 count = 0;

        /* For an inner hello written in encoded form, count the
         * OuterExtensions block in place of the encodable extensions. Passing
         * `semaphore` as the encode mask marks those types so the two size
         * passes below leave them out. */
        if (ech != NULL && ech->type == ECH_TYPE_INNER && ech->writeEncoded) {
            ret = TLSX_ECH_BuildOuterExtensions(ssl, semaphore, msgType,
                NULL, pLength, &count, semaphore);
        }
        if (ret == 0 && ssl->extensions) {
            ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, pLength);
        }
        if (ret == 0 && ssl->ctx && ssl->ctx->extensions) {
            ret = TLSX_GetSize(ssl->ctx->extensions, semaphore, msgType,
                               pLength);
        }

        /* Put the inner SNI back even if sizing failed. */
        sniRet = TLSX_EchRestoreSNI(ssl, serverName, serverNameX, extensions);
    }

    WC_FREE_VAR_EX(serverName, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);

    /* A sizing error wins; SNI swap/restore errors surface only otherwise. */
    return (ret == 0) ? sniRet : ret;
}
#endif
/** Tells the buffered size of extensions to be sent into the client hello.
 *
 * Also used for the TLS 1.3 CertificateRequest message. A semaphore is built
 * that marks every extension which must NOT be counted for this message and
 * protocol version (bit on = skip); TLSX_GetSize then sums the rest from
 * ssl->extensions and ssl->ctx->extensions.
 *
 * ssl      SSL object.
 * msgType  client_hello or certificate_request.
 * pLength  In/out: the computed size (including the 2-byte extensions length
 *          prefix when any extension is present) is ADDED to *pLength.
 *
 * Returns 0 on success (also when extensions are unsupported, in which case
 * *pLength is untouched), BUFFER_E when the total would not fit the 2-byte
 * length prefix, or an error from TLSX_GetSize / TLSX_GetSizeWithEch.
 *
 * NOTE(review): TLSX_WriteRequest additionally masks TLSX_CKS for pre-1.3
 * versions (WOLFSSL_DUAL_ALG_CERTS) while this function does not; confirm
 * that the CKS extension sizes to 0 there, otherwise the size and write
 * passes disagree.
 */
int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word32* pLength)
{
    int ret = 0;
    word16 length = 0;
    byte semaphore[SEMAPHORE_SIZE] = {0};

    if (!TLSX_SupportExtensions(ssl))
        return 0;
    if (msgType == client_hello) {
        EC_VALIDATE_REQUEST(ssl, semaphore);
        PF_VALIDATE_REQUEST(ssl, semaphore);
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
        /* nothing to advertise, so skip signature_algorithms entirely */
        if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0)
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
#endif
#if defined(WOLFSSL_TLS13)
        if (!IsAtLeastTLSv1_2(ssl)) {
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
        }
    #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
        /* TLS 1.3-only extensions are never counted for an earlier version */
        if (!IsAtLeastTLSv1_3(ssl->version)) {
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES));
        #endif
        #ifdef WOLFSSL_EARLY_DATA
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
        #endif
        #ifdef WOLFSSL_SEND_HRR_COOKIE
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
        #endif
        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH));
        #endif
        }
    #endif
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
        if (!IsAtLeastTLSv1_3(ssl->version) ||
                SSL_CA_NAMES(ssl) == NULL) {
            TURN_ON(semaphore,
                    TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES));
        }
    #endif
#endif /* WOLFSSL_TLS13 */
    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
     || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
        if (!SSL_CM(ssl)->ocspStaplingEnabled) {
            /* mark already sent, so it won't send it */
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
        }
    #endif
    }

#ifdef WOLFSSL_TLS13
    #ifndef NO_CERTS
    else if (msgType == certificate_request) {
        /* Don't send out any extension except those that are turned off. */
        XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
#endif
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
        if (SSL_PRIORITY_CA_NAMES(ssl) != NULL) {
            TURN_OFF(semaphore,
                    TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES));
        }
#endif
        /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, OID_FILTERS
         *       TLSX_STATUS_REQUEST
         */
    }
    #endif
#if defined(HAVE_ECH)
    /* With ECH the SNI is swapped for the public name while sizing, so the
     * size passes are delegated; the plain passes below are the else arm. */
    if (!ssl->options.disableECH && msgType == client_hello) {
        ret = TLSX_GetSizeWithEch(ssl, semaphore, msgType, &length);
        if (ret != 0)
            return ret;
    }
    else
#endif /* HAVE_ECH */
#endif /* WOLFSSL_TLS13 */
    {
        if (ssl->extensions) {
            ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length);
            if (ret != 0)
                return ret;
        }
        if (ssl->ctx && ssl->ctx->extensions) {
            ret = TLSX_GetSize(ssl->ctx->extensions, semaphore, msgType,
                &length);
            if (ret != 0)
                return ret;
        }
    }

#ifdef HAVE_EXTENDED_MASTER
    /* The EMS extension is not a TLSX list entry; it is written by hand in
     * TLSX_WriteRequest under the same condition, so account for it here. */
    if (msgType == client_hello && ssl->options.haveEMS &&
                  (!IsAtLeastTLSv1_3(ssl->version) || ssl->options.downgrade)) {
        length += HELLO_EXT_SZ;
    }
#endif

    /* The TLS extensions block length prefix is a 2-byte field, so any
     * accumulated total above 0xFFFF must be rejected rather than silently
     * truncating and producing a short, malformed handshake message. */
    if (length > (word16)(WOLFSSL_MAX_16BIT - OPAQUE16_LEN)) {
        WOLFSSL_MSG("TLSX_GetRequestSize extensions exceed word16");
        return BUFFER_E;
    }
    if (length)
        length += OPAQUE16_LEN; /* for total length storage. */

    *pLength += length;

    return ret;
}
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
/* Write the ClientHello extensions with ECH written last.
 *
 * The inner SNI is swapped for the public name for the duration of the write
 * and restored before returning. ECH is masked out of the normal passes and
 * written in a final pass so that its payload can cover everything else.
 *
 * For an inner ECH hello the encodable extensions are emitted first (either
 * as an OuterExtensions reference when ech->writeEncoded is set, or verbatim
 * otherwise), followed by the non-encodable ones, so both sides produce the
 * same expanded transcript.
 *
 * ssl        SSL object.
 * output     Destination buffer.
 * semaphore  In/out: extensions already written (bit on = skip). Mutated
 *            during the call; the ECH bit is turned back off only on the
 *            success path.
 * msgType    Handshake message type.
 * pOffset    In/out write offset into output.
 *
 * Returns 0 on success, MEMORY_E if the temporary name buffer cannot be
 * allocated, or the first error from the SNI swap, the write passes or the
 * SNI restore (a write error takes precedence over a restore error).
 */
static int TLSX_WriteWithEch(WOLFSSL* ssl, byte* output, byte* semaphore,
    byte msgType, word16* pOffset)
{
    int r = 0, ret = 0;
    TLSX* echX = NULL;
    TLSX* serverNameX = NULL;
    TLSX** extensions = NULL;
    WOLFSSL_ECH* ech = NULL;
    WC_DECLARE_VAR(serverName, char, WOLFSSL_HOST_NAME_MAX, 0);

    WC_ALLOC_VAR_EX(serverName, char, WOLFSSL_HOST_NAME_MAX, NULL,
                    DYNAMIC_TYPE_TMP_BUFFER, return MEMORY_E);
    r = TLSX_EchChangeSNI(ssl, &echX, serverName, &serverNameX, &extensions);
    ret = r;
    if (ret == 0 && echX != NULL) {
        ech = (WOLFSSL_ECH*)echX->data;
        /* turn ech on so it doesn't write, then write it last */
        TURN_ON(semaphore, TLSX_ToSemaphore(echX->type));
    }

    /* for ECH inner, print the encodable block first, then the non-encodables.
     * This allows the same transcript to be produced on either side
     * (the transcript is over the expanded form). */
    if (ret == 0 && ech != NULL && ech->type == ECH_TYPE_INNER) {
        byte encodeMask[SEMAPHORE_SIZE];
        /* encoded form: mark encodables directly in semaphore so the normal
         * passes skip them; expanded form: collect them in encodeMask */
        byte* mask = ech->writeEncoded ? semaphore : encodeMask;
        word16 count = 0;
        int i;

        XMEMSET(encodeMask, 0, SEMAPHORE_SIZE);

        ret = TLSX_ECH_BuildOuterExtensions(ssl, semaphore, msgType,
            ech->writeEncoded ? output : NULL,
            ech->writeEncoded ? pOffset : NULL,
            &count, mask);
        if (ret == 0 && count >= 1 && !ech->writeEncoded) {
            /* expanded: print encodable block normally. After this loop
             * semaphore has the encodables marked as done, and encodeMask is
             * inverted so that a write pass with it emits ONLY the
             * encodables. */
            for (i = 0; i < SEMAPHORE_SIZE; i++) {
                semaphore[i] |= encodeMask[i];
                encodeMask[i] = (byte)~encodeMask[i];
            }
            if (ssl->extensions) {
                ret = TLSX_Write(ssl->extensions, output + *pOffset,
                        encodeMask, msgType, pOffset);
            }
            if (ret == 0 && ssl->ctx && ssl->ctx->extensions) {
                ret = TLSX_Write(ssl->ctx->extensions, output + *pOffset,
                        encodeMask, msgType, pOffset);
            }
        }
    }

    /* print non-encodable block */
    if (ret == 0 && ssl->extensions) {
        ret = TLSX_Write(ssl->extensions, output + *pOffset, semaphore,
                         msgType, pOffset);
    }
    if (ret == 0 && ssl->ctx && ssl->ctx->extensions) {
        ret = TLSX_Write(ssl->ctx->extensions, output + *pOffset, semaphore,
                         msgType, pOffset);
    }

    /* write ECH last */
    if (ret == 0 && echX != NULL) {
        /* turn off and write it last; everything else is still marked in
         * semaphore, so these passes emit only the ECH extension */
        TURN_OFF(semaphore, TLSX_ToSemaphore(echX->type));

        if (ret == 0 && ssl->extensions) {
            ret = TLSX_Write(ssl->extensions, output + *pOffset, semaphore,
                msgType, pOffset);
        }

        if (ret == 0 && ssl->ctx && ssl->ctx->extensions) {
            ret = TLSX_Write(ssl->ctx->extensions, output + *pOffset, semaphore,
                msgType, pOffset);
        }
    }

    /* restore the inner SNI only if the swap itself succeeded */
    if (r == 0)
        r = TLSX_EchRestoreSNI(ssl, serverName, serverNameX, extensions);
    WC_FREE_VAR_EX(serverName, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);

    if (ret == 0 && r != 0)
        ret = r;
    return ret;
}
#endif
/** Writes the extensions to be sent into the client hello.
 *
 * Also used for the TLS 1.3 CertificateRequest message. The semaphore built
 * here must mirror the one in TLSX_GetRequestSize (bit on = skip) so that the
 * bytes written match the size that was reserved.
 *
 * ssl      SSL object.
 * output   Destination buffer; the 2-byte extensions length prefix is written
 *          at output[0..1] last, once the total is known.
 * msgType  client_hello or certificate_request.
 * pOffset  In/out: the number of bytes written is ADDED to *pOffset.
 *
 * Returns 0 on success (also when extensions are unsupported or output is
 * NULL, in which case nothing is written), or an error from TLSX_Write /
 * TLSX_WriteWithEch.
 *
 * NOTE(review): the hand-written EMS extension below advances the local
 * word16 offset without a bound check; this relies on TLSX_GetRequestSize
 * having rejected totals that would not fit — confirm the caller always sizes
 * first.
 */
int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word32* pOffset)
{
    int ret = 0;
    word16 offset = 0;
    byte semaphore[SEMAPHORE_SIZE] = {0};

    if (!TLSX_SupportExtensions(ssl) || output == NULL)
        return 0;

    offset += OPAQUE16_LEN; /* extensions length */

    if (msgType == client_hello) {
        EC_VALIDATE_REQUEST(ssl, semaphore);
        PF_VALIDATE_REQUEST(ssl, semaphore);
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
        /* nothing to advertise, so skip signature_algorithms entirely */
        if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0)
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
#endif
#ifdef WOLFSSL_TLS13
        if (!IsAtLeastTLSv1_2(ssl)) {
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
        }
    #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
        /* TLS 1.3-only extensions are never written for an earlier version */
        if (!IsAtLeastTLSv1_3(ssl->version)) {
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES));
        #endif
        #ifdef WOLFSSL_EARLY_DATA
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
        #endif
        #ifdef WOLFSSL_SEND_HRR_COOKIE
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
        #endif
        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH));
        #endif
        #ifdef WOLFSSL_DUAL_ALG_CERTS
            TURN_ON(semaphore,
                    TLSX_ToSemaphore(TLSX_CKS));
        #endif
        }
    #endif
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
        if (!IsAtLeastTLSv1_3(ssl->version) || SSL_CA_NAMES(ssl) == NULL) {
            TURN_ON(semaphore,
                    TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES));
        }
    #endif
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
        /* Must write Pre-shared Key extension at the end in TLS v1.3.
         * Must not write out Pre-shared Key extension in earlier versions of
         * protocol.
         * The bit is cleared again in the final TLS 1.3 pass below.
         */
        TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
    #endif
#endif /* WOLFSSL_TLS13 */
    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
     || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
         /* mark already sent, so it won't send it */
        if (!SSL_CM(ssl)->ocspStaplingEnabled) {
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
        }
    #endif
    }
#ifdef WOLFSSL_TLS13
    #ifndef NO_CERTS
    else if (msgType == certificate_request) {
        /* Don't send out any extension except those that are turned off. */
        XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
#endif
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
        if (SSL_PRIORITY_CA_NAMES(ssl) != NULL) {
            TURN_OFF(semaphore,
                    TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES));
        }
#endif
        /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, TLSX_OID_FILTERS
         *       TLSX_STATUS_REQUEST
         */
    }
    #endif
#endif
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
    /* With ECH the SNI is swapped for the public name while writing, so the
     * write passes are delegated; the plain passes below are the else arm. */
    if (!ssl->options.disableECH && msgType == client_hello) {
        ret = TLSX_WriteWithEch(ssl, output, semaphore, msgType, &offset);
        if (ret != 0)
            return ret;
    }
    else
#endif
    {
        if (ssl->extensions) {
            ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
                             msgType, &offset);
            if (ret != 0)
                return ret;
        }
        if (ssl->ctx && ssl->ctx->extensions) {
            ret = TLSX_Write(ssl->ctx->extensions, output + offset, semaphore,
                             msgType, &offset);
            if (ret != 0)
                return ret;
        }
    }

#ifdef HAVE_EXTENDED_MASTER
    /* The EMS extension is not a TLSX list entry; it is an empty extension
     * (type + zero length) written by hand. Same condition as the size pass
     * in TLSX_GetRequestSize. */
    if (msgType == client_hello && ssl->options.haveEMS &&
                  (!IsAtLeastTLSv1_3(ssl->version) || ssl->options.downgrade)) {
        WOLFSSL_MSG("EMS extension to write");
        c16toa(HELLO_EXT_EXTMS, output + offset);
        offset += HELLO_EXT_TYPE_SZ;
        c16toa(0, output + offset);
        offset += HELLO_EXT_SZ_SZ;
    }
#endif

#ifdef WOLFSSL_TLS13
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
    /* Only ssl->extensions is consulted here; a PSK on the context list is
     * not written by this pass. */
    if (msgType == client_hello && IsAtLeastTLSv1_3(ssl->version)) {
        /* Write out what we can of Pre-shared key extension.  */
        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
        ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
                         client_hello, &offset);
        if (ret != 0)
            return ret;
    }
    #endif
#endif

    /* Wrap detection for the TLSX_Write calls above is handled inside
     * TLSX_Write itself: any iteration that would push the local word16
     * offset past 0xFFFF returns BUFFER_E so we never reach here with a
     * truncated value. The TLS extensions block length prefix on the
     * wire is a 2-byte field, matching this invariant. */

    /* An empty extensions block is omitted entirely from a ClientHello but
     * always present (as length 0) for other message types. */
    if (offset > OPAQUE16_LEN || msgType != client_hello)
        c16toa(offset - OPAQUE16_LEN, output); /* extensions length */

     *pOffset += offset;

    return ret;
}
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_SERVER)
/** Tells the buffered size of extensions to be sent into the server hello.
 *
 * Also used for HelloRetryRequest, EncryptedExtensions, NewSessionTicket and
 * Certificate in TLS 1.3. A per-message semaphore selects which extensions
 * are counted (bit on = skip); only ssl->extensions is consulted since all
 * response data is set on the ssl object.
 *
 * ssl      SSL object.
 * msgType  Handshake message type. A type with no case below leaves the
 *          semaphore all-zero, so every extension on the list is counted.
 * pLength  In/out: the computed size (including the 2-byte extensions length
 *          prefix where applicable) is ADDED to *pLength.
 *
 * Returns 0 on success or an error from TLSX_GetSize.
 *
 * NOTE(review): unlike TLSX_GetRequestSize there is no check here that
 * length + OPAQUE16_LEN still fits a word16 before the final add; confirm
 * TLSX_GetSize bounds the total for response messages.
 */
int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
{
    int ret = 0;
    word16 length = 0;
    byte semaphore[SEMAPHORE_SIZE] = {0};

    switch (msgType) {
#ifndef NO_WOLFSSL_SERVER
        case server_hello:
            PF_VALIDATE_RESPONSE(ssl, semaphore);
        #ifdef WOLFSSL_TLS13
                /* TLS 1.3 ServerHello: start from "skip everything" and only
                 * re-enable the few extensions that belong in it. */
                if (IsAtLeastTLSv1_3(ssl->version)) {
                    XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
                    TURN_OFF(semaphore,
                                     TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
                #if defined(HAVE_SUPPORTED_CURVES)
                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                    if (!ssl->options.noPskDheKe)
                #endif
                    {
                        /* Expect KeyShare extension in ServerHello. */
                        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
                    }
                #endif
                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
                #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
                #endif
                #endif
                }
            #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
                /* pre-1.3: keep the default set but drop 1.3-only entries */
                else {
                #ifdef HAVE_SUPPORTED_CURVES
                    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
                #endif
                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
                #endif
                }
            #endif
            #ifdef WOLFSSL_DTLS_CID
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID));
            #endif
        #endif /* WOLFSSL_TLS13 */
            break;

    #ifdef WOLFSSL_TLS13
        case hello_retry_request:
            /* Skip everything except the extensions HRR may carry. */
            XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
        #ifdef HAVE_SUPPORTED_CURVES
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            if (!ssl->options.noPskDheKe)
        #endif
            {
                /* Expect KeyShare extension in HelloRetryRequest. */
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
            }
        #endif
        #ifdef WOLFSSL_SEND_HRR_COOKIE
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
        #endif
#ifdef HAVE_ECH
            /* send the special confirmation */
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_ECH));
#endif
            break;
    #endif

    #ifdef WOLFSSL_TLS13
        case encrypted_extensions:
            /* Send out all extension except those that are turned on. */
        #ifdef HAVE_ECC
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
        #endif
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
        #ifdef HAVE_SESSION_TICKET
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
        #endif
        #ifdef HAVE_SUPPORTED_CURVES
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
        #endif
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
        #endif
        #endif
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
        #endif
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
        #endif
        #if defined(HAVE_SERVER_RENEGOTIATION_INFO)
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_RENEGOTIATION_INFO));
        #endif
        #ifdef WOLFSSL_DTLS_CID
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID));
        #endif /* WOLFSSL_DTLS_CID */
            break;

        #ifdef WOLFSSL_EARLY_DATA
        case session_ticket:
            /* TLS 1.3 NewSessionTicket: only early_data may be present */
            if (ssl->options.tls1_3) {
                XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
            }
            break;
        #endif
    #endif
#endif

#ifdef WOLFSSL_TLS13
    #ifndef NO_CERTS
        case certificate:
            /* Don't send out any extension except those that are turned off. */
            XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
            /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
             *       TLSX_SERVER_CERTIFICATE_TYPE
             */
            break;
    #endif
#endif
    }

#ifdef HAVE_EXTENDED_MASTER
    /* EMS is not a TLSX list entry; it is written by hand in the pre-1.3
     * ServerHello, so account for it here. */
    if (ssl->options.haveEMS && msgType == server_hello &&
                                              !IsAtLeastTLSv1_3(ssl->version)) {
        length += HELLO_EXT_SZ;
    }
#endif

    if (TLSX_SupportExtensions(ssl)) {
        ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length);
        if (ret != 0)
            return ret;
    }

    /* All the response data is set at the ssl object only, so no ctx here. */

    /* An empty extensions block is omitted from a ServerHello but always
     * present (as length 0) for the other message types. */
    if (length || msgType != server_hello)
        length += OPAQUE16_LEN; /* for total length storage. */

    *pLength += length;

    return ret;
}
/** Writes the server hello extensions into a buffer.
 *
 * Despite the name this serialises the extensions of every server-side
 * handshake message handled by the switch below (server_hello,
 * hello_retry_request, encrypted_extensions, session_ticket, certificate).
 * Each case builds a per-message "semaphore" bitmap: a SET bit means "do not
 * emit this extension in this message", so an extension that lives in
 * ssl->extensions is only written into the message it belongs to.
 *
 * ssl      connection state; ssl->extensions is the list being written.
 * output   destination buffer. No capacity is passed, so the caller must have
 *          sized it beforehand -- presumably with the size routine directly
 *          above, which applies the same semaphore rules (confirm at callers).
 * msgType  handshake message being built.
 * pOffset  if non-NULL, incremented by the number of bytes accounted for.
 *
 * Returns 0 on success, otherwise the error code from TLSX_Write.
 *
 * NOTE(review): offset always includes the 2-byte extensions-length slot,
 * but for a server_hello that ends up with no extensions the slot is NOT
 * written (see the final check) while *pOffset is still advanced by 2 --
 * callers that size the message from *pOffset rather than from the size
 * routine would be off by two; verify against the callers.
 */
int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset)
{
    int ret = 0;
    word16 offset = 0;

    if (TLSX_SupportExtensions(ssl) && output) {
        /* All bits clear: nothing is masked until a case below says so. */
        byte semaphore[SEMAPHORE_SIZE] = {0};

        switch (msgType) {
#ifndef NO_WOLFSSL_SERVER
            case server_hello:
                PF_VALIDATE_RESPONSE(ssl, semaphore);
        #ifdef WOLFSSL_TLS13
                if (IsAtLeastTLSv1_3(ssl->version)) {
                    /* TLS 1.3 ServerHello: mask everything, then unmask only
                     * supported_versions, (optionally) key_share and
                     * pre_shared_key. */
                    XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
                    TURN_OFF(semaphore,
                                     TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
            #ifdef HAVE_SUPPORTED_CURVES
                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                    /* key_share is suppressed when the PSK-only key exchange
                     * mode (no DHE) was selected. */
                    if (!ssl->options.noPskDheKe)
                #endif
                    {
                        /* Write out KeyShare in ServerHello. */
                        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
                    }
            #endif
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
            #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
            #endif
            #endif
                }
                else
        #endif /* WOLFSSL_TLS13 */
                {
                    /* Pre-1.3 ServerHello: keep the default (emit what
                     * TLSX_Write allows) but mask the TLS 1.3-only
                     * key_share / pre_shared_key extensions. */
        #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
            #ifdef HAVE_SUPPORTED_CURVES
                    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
            #endif
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
            #endif
        #endif
                    WC_DO_NOTHING; /* avoid empty brackets */
                }
        #ifdef WOLFSSL_DTLS_CID
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID));
        #endif /* WOLFSSL_DTLS_CID */
                break;

    #ifdef WOLFSSL_TLS13
            case hello_retry_request:
                /* HRR carries only supported_versions and (optionally)
                 * key_share in this pass; cookie and ECH are appended by the
                 * extra TLSX_Write passes after the switch. */
                XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
        #ifdef HAVE_SUPPORTED_CURVES
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                if (!ssl->options.noPskDheKe)
            #endif
                {
                    /* Write out KeyShare in HelloRetryRequest. */
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
                }
        #endif
                break;
    #endif

    #ifdef WOLFSSL_TLS13
            case encrypted_extensions:
                /* Send out all extension except those that are turned on. */
        #ifdef HAVE_ECC
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
        #endif
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
        #ifdef HAVE_SESSION_TICKET
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
        #endif
        #ifdef HAVE_SUPPORTED_CURVES
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
        #endif
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
        #endif
        #endif
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
        #endif
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
        #endif
        #if defined(HAVE_SERVER_RENEGOTIATION_INFO)
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_RENEGOTIATION_INFO));
        #endif
        #ifdef WOLFSSL_DTLS_CID
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID));
        #endif /* WOLFSSL_DTLS_CID */
                break;

        #ifdef WOLFSSL_EARLY_DATA
            case session_ticket:
                /* Only early_data may ride on a TLS 1.3 ticket message. */
                if (ssl->options.tls1_3) {
                    XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
                }
                break;
        #endif
    #endif
#endif

    #ifdef WOLFSSL_TLS13
        #ifndef NO_CERTS
            case certificate:
                /* Don't send out any extension except those that are turned
                 * off. */
                XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
                /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
                 *       TLSX_SERVER_CERTIFICATE_TYPE
                 */
                break;
        #endif
    #endif

            default:
                break;
        }

        /* Reserve the 2-byte extensions-length prefix; it is filled in at
         * the end once the total is known. */
        offset += OPAQUE16_LEN; /* extensions length */

        ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
                         msgType, &offset);
        if (ret != 0)
            return ret;

#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
        /* Second pass with only cookie unmasked so it lands after the other
         * HRR extensions. */
        if (msgType == hello_retry_request) {
            XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
            ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
                             msgType, &offset);
            if (ret != 0)
                return ret;
        }
#endif

#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
        /* write ECH last to promote interop with other implementations */
        if (msgType == hello_retry_request) {
            XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_ECH));
            ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
                             msgType, &offset);
            if (ret != 0)
                return ret;
        }
#endif

#ifdef HAVE_EXTENDED_MASTER
        /* extended_master_secret is not in ssl->extensions; it is written by
         * hand as an empty (zero-length) extension, pre-1.3 ServerHello only. */
        if (ssl->options.haveEMS && msgType == server_hello &&
                                              !IsAtLeastTLSv1_3(ssl->version)) {
            WOLFSSL_MSG("EMS extension to write");
            c16toa(HELLO_EXT_EXTMS, output + offset);
            offset += HELLO_EXT_TYPE_SZ;
            c16toa(0, output + offset);
            offset += HELLO_EXT_SZ_SZ;
        }
#endif

        /* A ServerHello with no extensions omits the length field entirely;
         * every other message always carries it. */
        if (offset > OPAQUE16_LEN || msgType != server_hello)
            c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
    }

    if (pOffset)
        *pOffset += offset;

    return ret;
}
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_SERVER */
#ifdef WOLFSSL_TLS13
/* Scan an extensions block for supported_versions and, if present, parse it
 * so ssl->version reflects the negotiated protocol before the remaining
 * extensions are handled.
 *
 * ssl      connection whose version/options/extensions SV_PARSE updates.
 * input    start of the extensions data (after the 2-byte block length).
 * length   number of bytes in the block.
 * msgType  handshake message the block came from.
 * found    set to 1 if a supported_versions extension was seen, else 0.
 *
 * Returns 0 when the block is well formed (whether or not the extension was
 * present), BUFFER_ERROR when an extension header or payload overruns
 * length, otherwise the result of SV_PARSE. */
int TLSX_ParseVersion(WOLFSSL* ssl, const byte* input, word16 length,
                      byte msgType, int* found)
{
    int idx = 0;

    *found = 0;

    /* Walk the list until the block is exhausted; the first
     * supported_versions entry ends the scan. */
    while (idx < (int)length) {
        word16 extType;
        word16 extLen;

        /* Each extension starts with a 2-byte type and a 2-byte length. */
        if (idx + (2 * OPAQUE16_LEN) > length)
            return BUFFER_ERROR;

        ato16(input + idx, &extType);
        idx += HELLO_EXT_TYPE_SZ;
        ato16(input + idx, &extLen);
        idx += OPAQUE16_LEN;

        /* The payload must fit inside the advertised block. */
        if (idx + extLen > length)
            return BUFFER_ERROR;

        if (extType == TLSX_SUPPORTED_VERSIONS) {
            *found = 1;
            WOLFSSL_MSG("Supported Versions extension received");
            return SV_PARSE(ssl, input + idx, extLen, msgType, &ssl->version,
                            &ssl->options, &ssl->extensions);
        }

        idx += extLen;
    }

    /* Not finding the extension is not an error here. */
    return 0;
}
#endif
/* Jump Table to check minimum size values for client case in TLSX_Parse */
#ifndef NO_WOLFSSL_SERVER
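/* Minimum payload size a ClientHello extension of the given type must carry
 * before its parser is invoked.
 *
 * type  extension type (a TLSXT_* value); read only, must not be NULL.
 *
 * Returns the WOLFSSL_*_MIN_SIZE_CLIENT constant for the type, or 0 for
 * types with no enforced minimum.
 *
 * TLSX_Parse compares the received size against this value before
 * dispatching, so a truncated extension is rejected with BUFFER_ERROR even
 * when support for that extension is compiled out. The parameter is const
 * to match TLSX_GetMinSize_Server; the value is never written through. */
static word16 TLSX_GetMinSize_Client(const word16 *type)
{
    switch (*type) {
        case TLSXT_SERVER_NAME:
            return WOLFSSL_SNI_MIN_SIZE_CLIENT;
        case TLSXT_EARLY_DATA:
            return WOLFSSL_EDI_MIN_SIZE_CLIENT;
        case TLSXT_MAX_FRAGMENT_LENGTH:
            return WOLFSSL_MFL_MIN_SIZE_CLIENT;
        case TLSXT_TRUSTED_CA_KEYS:
            return WOLFSSL_TCA_MIN_SIZE_CLIENT;
        case TLSXT_TRUNCATED_HMAC:
            return WOLFSSL_THM_MIN_SIZE_CLIENT;
        case TLSXT_STATUS_REQUEST:
            return WOLFSSL_CSR_MIN_SIZE_CLIENT;
        case TLSXT_SUPPORTED_GROUPS:
            return WOLFSSL_EC_MIN_SIZE_CLIENT;
        case TLSXT_EC_POINT_FORMATS:
            return WOLFSSL_PF_MIN_SIZE_CLIENT;
        case TLSXT_SIGNATURE_ALGORITHMS:
            return WOLFSSL_SA_MIN_SIZE_CLIENT;
        case TLSXT_USE_SRTP:
            return WOLFSSL_SRTP_MIN_SIZE_CLIENT;
        case TLSXT_APPLICATION_LAYER_PROTOCOL:
            return WOLFSSL_ALPN_MIN_SIZE_CLIENT;
        case TLSXT_STATUS_REQUEST_V2:
            return WOLFSSL_CSR2_MIN_SIZE_CLIENT;
        case TLSXT_CLIENT_CERTIFICATE:
            return WOLFSSL_CCT_MIN_SIZE_CLIENT;
        case TLSXT_SERVER_CERTIFICATE:
            return WOLFSSL_SCT_MIN_SIZE_CLIENT;
        case TLSXT_ENCRYPT_THEN_MAC:
            return WOLFSSL_ETM_MIN_SIZE_CLIENT;
        case TLSXT_SESSION_TICKET:
            return WOLFSSL_STK_MIN_SIZE_CLIENT;
        case TLSXT_PRE_SHARED_KEY:
            return WOLFSSL_PSK_MIN_SIZE_CLIENT;
        case TLSXT_COOKIE:
            return WOLFSSL_CKE_MIN_SIZE_CLIENT;
        case TLSXT_PSK_KEY_EXCHANGE_MODES:
            return WOLFSSL_PKM_MIN_SIZE_CLIENT;
        case TLSXT_CERT_WITH_EXTERN_PSK:
            return WOLFSSL_CWEP_MIN_SIZE_CLIENT;
        case TLSXT_CERTIFICATE_AUTHORITIES:
            return WOLFSSL_CAN_MIN_SIZE_CLIENT;
        case TLSXT_POST_HANDSHAKE_AUTH:
            return WOLFSSL_PHA_MIN_SIZE_CLIENT;
        /* signature_algorithms_cert shares the signature_algorithms
         * minimum: both carry the same list encoding. */
        case TLSXT_SIGNATURE_ALGORITHMS_CERT:
            return WOLFSSL_SA_MIN_SIZE_CLIENT;
        case TLSXT_KEY_SHARE:
            return WOLFSSL_KS_MIN_SIZE_CLIENT;
        case TLSXT_CONNECTION_ID:
            return WOLFSSL_CID_MIN_SIZE_CLIENT;
        case TLSXT_RENEGOTIATION_INFO:
            return WOLFSSL_SCR_MIN_SIZE_CLIENT;
        case TLSXT_KEY_QUIC_TP_PARAMS_DRAFT:
            return WOLFSSL_QTP_MIN_SIZE_CLIENT;
        case TLSXT_ECH:
            return WOLFSSL_ECH_MIN_SIZE_CLIENT;
        default:
            /* Unknown or unlisted type: no minimum enforced. */
            return 0;
    }
}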
    #define TLSX_GET_MIN_SIZE_CLIENT(type) TLSX_GetMinSize_Client(type)
#else
    #define TLSX_GET_MIN_SIZE_CLIENT(type) 0
#endif
#ifndef NO_WOLFSSL_CLIENT
/* Jump Table to check minimum size values for server case in TLSX_Parse */
/* Minimum payload size a server-sent extension (ServerHello /
 * HelloRetryRequest) of the given type must carry before it is parsed.
 *
 * type  extension type (a TLSXT_* value); read only, must not be NULL.
 *
 * Returns the WOLFSSL_*_MIN_SIZE_SERVER constant for the type, or 0 for
 * types that have no enforced minimum. Used by TLSX_Parse to reject
 * truncated extensions before any type-specific parser runs. */
static word16 TLSX_GetMinSize_Server(const word16 *type)
{
    /* Type -> minimum size; the type column is int so the comparison below
     * matches the promoted switch semantics of the client-side table. */
    static const struct {
        int    type;
        word16 minSize;
    } minSizes[] = {
        { TLSXT_SERVER_NAME,                WOLFSSL_SNI_MIN_SIZE_SERVER  },
        { TLSXT_EARLY_DATA,                 WOLFSSL_EDI_MIN_SIZE_SERVER  },
        { TLSXT_MAX_FRAGMENT_LENGTH,        WOLFSSL_MFL_MIN_SIZE_SERVER  },
        { TLSXT_TRUSTED_CA_KEYS,            WOLFSSL_TCA_MIN_SIZE_SERVER  },
        { TLSXT_TRUNCATED_HMAC,             WOLFSSL_THM_MIN_SIZE_SERVER  },
        { TLSXT_STATUS_REQUEST,             WOLFSSL_CSR_MIN_SIZE_SERVER  },
        { TLSXT_SUPPORTED_GROUPS,           WOLFSSL_EC_MIN_SIZE_SERVER   },
        { TLSXT_EC_POINT_FORMATS,           WOLFSSL_PF_MIN_SIZE_SERVER   },
        { TLSXT_SIGNATURE_ALGORITHMS,       WOLFSSL_SA_MIN_SIZE_SERVER   },
        { TLSXT_USE_SRTP,                   WOLFSSL_SRTP_MIN_SIZE_SERVER },
        { TLSXT_APPLICATION_LAYER_PROTOCOL, WOLFSSL_ALPN_MIN_SIZE_SERVER },
        { TLSXT_STATUS_REQUEST_V2,          WOLFSSL_CSR2_MIN_SIZE_SERVER },
        { TLSXT_CLIENT_CERTIFICATE,         WOLFSSL_CCT_MIN_SIZE_SERVER  },
        { TLSXT_SERVER_CERTIFICATE,         WOLFSSL_SCT_MIN_SIZE_SERVER  },
        { TLSXT_ENCRYPT_THEN_MAC,           WOLFSSL_ETM_MIN_SIZE_SERVER  },
        { TLSXT_SESSION_TICKET,             WOLFSSL_STK_MIN_SIZE_SERVER  },
        { TLSXT_PRE_SHARED_KEY,             WOLFSSL_PSK_MIN_SIZE_SERVER  },
        { TLSXT_COOKIE,                     WOLFSSL_CKE_MIN_SIZE_SERVER  },
        { TLSXT_PSK_KEY_EXCHANGE_MODES,     WOLFSSL_PKM_MIN_SIZE_SERVER  },
        { TLSXT_CERT_WITH_EXTERN_PSK,       WOLFSSL_CWEP_MIN_SIZE_SERVER },
        { TLSXT_CERTIFICATE_AUTHORITIES,    WOLFSSL_CAN_MIN_SIZE_SERVER  },
        { TLSXT_POST_HANDSHAKE_AUTH,        WOLFSSL_PHA_MIN_SIZE_SERVER  },
        /* signature_algorithms_cert uses the signature_algorithms minimum. */
        { TLSXT_SIGNATURE_ALGORITHMS_CERT,  WOLFSSL_SA_MIN_SIZE_SERVER   },
        { TLSXT_KEY_SHARE,                  WOLFSSL_KS_MIN_SIZE_SERVER   },
        { TLSXT_CONNECTION_ID,              WOLFSSL_CID_MIN_SIZE_SERVER  },
        { TLSXT_RENEGOTIATION_INFO,         WOLFSSL_SCR_MIN_SIZE_SERVER  },
        { TLSXT_KEY_QUIC_TP_PARAMS_DRAFT,   WOLFSSL_QTP_MIN_SIZE_SERVER  },
        { TLSXT_ECH,                        WOLFSSL_ECH_MIN_SIZE_SERVER  },
    };
    unsigned int i;

    for (i = 0; i < sizeof(minSizes) / sizeof(minSizes[0]); i++) {
        if (minSizes[i].type == *type)
            return minSizes[i].minSize;
    }

    /* Unknown or unlisted type: no minimum enforced. */
    return 0;
}
    #define TLSX_GET_MIN_SIZE_SERVER(type) TLSX_GetMinSize_Server(type)
#else
    #define TLSX_GET_MIN_SIZE_SERVER(type) 0
#endif
/** Parses a buffer of TLS extensions. */
WOLFSSL_TEST_VIS int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length,
17778
                                byte msgType, Suites *suites)
17779
0
{
17780
0
    int ret = 0;
17781
0
    word16 offset = 0;
17782
0
    byte isRequest = (msgType == client_hello ||
17783
0
                      msgType == certificate_request);
17784
17785
0
#ifdef HAVE_EXTENDED_MASTER
17786
0
    byte pendingEMS = 0;
17787
0
#endif
17788
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
17789
    int pskDone = 0;
17790
#endif
17791
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
17792
    !defined(NO_PSK)
17793
    int secondClientHello = 0;
17794
    int prevHasPskWithCert = 0;
17795
#endif
17796
0
    byte seenType[SEMAPHORE_SIZE];  /* Seen known extensions. */
17797
17798
0
    if (!ssl || !input || (isRequest && !suites))
17799
0
        return BAD_FUNC_ARG;
17800
17801
    /* No known extensions seen yet. */
17802
0
    XMEMSET(seenType, 0, sizeof(seenType));
17803
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
17804
    !defined(NO_PSK)
17805
    if (IsAtLeastTLSv1_3(ssl->version) && msgType == client_hello &&
17806
            ssl->msgsReceived.got_client_hello == 2) {
17807
        secondClientHello = 1;
17808
        prevHasPskWithCert =
17809
            TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) != NULL;
17810
    }
17811
#endif
17812
17813
0
    while (ret == 0 && offset < length) {
17814
0
        word16 type;
17815
0
        word16 size;
17816
17817
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
17818
        if (msgType == client_hello && pskDone) {
17819
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
17820
            return PSK_KEY_ERROR;
17821
        }
17822
#endif
17823
17824
0
        if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN)
17825
0
            return BUFFER_ERROR;
17826
17827
0
        ato16(input + offset, &type);
17828
0
        offset += HELLO_EXT_TYPE_SZ;
17829
17830
0
        ato16(input + offset, &size);
17831
0
        offset += OPAQUE16_LEN;
17832
17833
        /* Check we have a bit for extension type. */
17834
0
        if ((type <= 62) || (type == TLSX_RENEGOTIATION_INFO)
17835
        #ifdef WOLFSSL_QUIC
17836
            || (type == TLSX_KEY_QUIC_TP_PARAMS_DRAFT)
17837
        #endif
17838
        #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
17839
            || (type == TLSX_ECH)
17840
        #endif
17841
        #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
17842
            || (type == TLSX_CKS)
17843
        #endif
17844
0
            )
17845
0
        {
17846
            /* Detect duplicate recognized extensions. */
17847
0
            if (IS_OFF(seenType, TLSX_ToSemaphore(type))) {
17848
0
                TURN_ON(seenType, TLSX_ToSemaphore(type));
17849
0
            }
17850
0
            else {
17851
0
                return DUPLICATE_TLS_EXT_E;
17852
0
            }
17853
0
        }
17854
17855
0
        if (length - offset < size)
17856
0
            return BUFFER_ERROR;
17857
17858
        /* Check minimum size required for TLSX, even if disabled */
17859
0
        switch (msgType) {
17860
0
            #ifndef NO_WOLFSSL_SERVER
17861
0
            case client_hello:
17862
0
                if (size < TLSX_GET_MIN_SIZE_CLIENT(&type)){
17863
0
                    WOLFSSL_MSG("Minimum TLSX Size Requirement not Satisfied");
17864
0
                    return BUFFER_ERROR;
17865
0
                }
17866
0
            break;
17867
0
            #endif
17868
0
            #ifndef NO_WOLFSSL_CLIENT
17869
0
            case server_hello:
17870
0
            case hello_retry_request:
17871
0
                if (size < TLSX_GET_MIN_SIZE_SERVER(&type)){
17872
0
                    WOLFSSL_MSG("Minimum TLSX Size Requirement not Satisfied");
17873
0
                    return BUFFER_ERROR;
17874
0
                }
17875
0
            break;
17876
0
            #endif
17877
0
            default:
17878
0
            break;
17879
0
        }
17880
17881
0
#ifdef WOLFSSL_TLS13
17882
        /* RFC 8446 4.4.2: extensions in a Certificate message MUST
17883
         * correspond to ones offered in our prior ClientHello (client) or
17884
         * CertificateRequest (server). Reject anything we did not offer. */
17885
0
        if (msgType == certificate &&
17886
0
            IsAtLeastTLSv1_3(ssl->version) &&
17887
0
            TLSX_Find(ssl->extensions, (TLSX_Type)type) == NULL) {
17888
0
            WOLFSSL_MSG("Cert-msg extension not offered in CH/CR");
17889
0
            SendAlert(ssl, alert_fatal, unsupported_extension);
17890
0
            WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION);
17891
0
            return UNSUPPORTED_EXTENSION;
17892
0
        }
17893
0
#endif
17894
17895
0
        switch (type) {
17896
0
#ifdef HAVE_SNI
17897
0
            case TLSX_SERVER_NAME:
17898
0
                WOLFSSL_MSG("SNI extension received");
17899
            #ifdef WOLFSSL_DEBUG_TLS
17900
                WOLFSSL_BUFFER(input + offset, size);
17901
            #endif
17902
17903
0
#ifdef WOLFSSL_TLS13
17904
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
17905
0
                    if (msgType != client_hello &&
17906
0
                        msgType != encrypted_extensions)
17907
0
                        return EXT_NOT_ALLOWED;
17908
0
                }
17909
0
                else
17910
0
#endif
17911
0
                {
17912
0
                    if (msgType != client_hello &&
17913
0
                        msgType != server_hello)
17914
0
                        return EXT_NOT_ALLOWED;
17915
0
                }
17916
0
                ret = SNI_PARSE(ssl, input + offset, size, isRequest);
17917
0
                break;
17918
0
#endif
17919
17920
0
            case TLSX_TRUSTED_CA_KEYS:
17921
0
                WOLFSSL_MSG("Trusted CA extension received");
17922
            #ifdef WOLFSSL_DEBUG_TLS
17923
                WOLFSSL_BUFFER(input + offset, size);
17924
            #endif
17925
17926
0
#ifdef WOLFSSL_TLS13
17927
                /* RFC 8446 4.2.4 states trusted_ca_keys is not used
17928
                   in TLS 1.3. */
17929
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
17930
0
                    break;
17931
0
                }
17932
0
                else
17933
0
#endif
17934
0
                {
17935
0
                    if (msgType != client_hello &&
17936
0
                        msgType != server_hello)
17937
0
                        return EXT_NOT_ALLOWED;
17938
0
                }
17939
0
                ret = TCA_PARSE(ssl, input + offset, size, isRequest);
17940
0
                break;
17941
17942
0
            case TLSX_MAX_FRAGMENT_LENGTH:
17943
0
                WOLFSSL_MSG("Max Fragment Length extension received");
17944
            #ifdef WOLFSSL_DEBUG_TLS
17945
                WOLFSSL_BUFFER(input + offset, size);
17946
            #endif
17947
17948
0
#ifdef WOLFSSL_TLS13
17949
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
17950
0
                    if (msgType != client_hello &&
17951
0
                        msgType != encrypted_extensions) {
17952
0
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
17953
0
                        return EXT_NOT_ALLOWED;
17954
0
                    }
17955
0
                }
17956
0
                else
17957
0
#endif
17958
0
                {
17959
0
                    if (msgType != client_hello &&
17960
0
                        msgType != server_hello) {
17961
0
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
17962
0
                        return EXT_NOT_ALLOWED;
17963
0
                    }
17964
0
                }
17965
0
                ret = MFL_PARSE(ssl, input + offset, size, isRequest);
17966
0
                break;
17967
17968
0
            case TLSX_TRUNCATED_HMAC:
17969
0
                WOLFSSL_MSG("Truncated HMAC extension received");
17970
            #ifdef WOLFSSL_DEBUG_TLS
17971
                WOLFSSL_BUFFER(input + offset, size);
17972
            #endif
17973
17974
0
#ifdef WOLFSSL_TLS13
17975
0
                if (IsAtLeastTLSv1_3(ssl->version))
17976
0
                    break;
17977
0
#endif
17978
0
                if (msgType != client_hello)
17979
0
                    return EXT_NOT_ALLOWED;
17980
0
                ret = THM_PARSE(ssl, input + offset, size, isRequest);
17981
0
                break;
17982
17983
0
            case TLSX_SUPPORTED_GROUPS:
17984
0
                WOLFSSL_MSG("Supported Groups extension received");
17985
            #ifdef WOLFSSL_DEBUG_TLS
17986
                WOLFSSL_BUFFER(input + offset, size);
17987
            #endif
17988
17989
0
#ifdef WOLFSSL_TLS13
17990
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
17991
0
                    if (msgType != client_hello &&
17992
0
                        msgType != encrypted_extensions) {
17993
0
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
17994
0
                        return EXT_NOT_ALLOWED;
17995
0
                    }
17996
0
                }
17997
0
                else
17998
0
#endif
17999
0
                {
18000
0
                    if (msgType != client_hello) {
18001
0
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18002
0
                        return EXT_NOT_ALLOWED;
18003
0
                    }
18004
0
                }
18005
0
                ret = EC_PARSE(ssl, input + offset, size, isRequest,
18006
0
                        &ssl->extensions);
18007
0
                break;
18008
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
18009
            case TLSX_CKS:
18010
                WOLFSSL_MSG("CKS extension received");
18011
                if (msgType != client_hello &&
18012
                     msgType != encrypted_extensions) {
18013
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18014
                        return EXT_NOT_ALLOWED;
18015
                }
18016
                ret = TLSX_CKS_Parse(ssl, (byte *)(input + offset), size,
18017
                                     &ssl->extensions);
18018
            break;
18019
#endif /* WOLFSSL_DUAL_ALG_CERTS */
18020
0
            case TLSX_EC_POINT_FORMATS:
18021
0
                WOLFSSL_MSG("Point Formats extension received");
18022
            #ifdef WOLFSSL_DEBUG_TLS
18023
                WOLFSSL_BUFFER(input + offset, size);
18024
            #endif
18025
18026
0
#ifdef WOLFSSL_TLS13
18027
0
                if (IsAtLeastTLSv1_3(ssl->version))
18028
0
                    break;
18029
0
#endif
18030
0
                if (msgType != client_hello &&
18031
0
                    msgType != server_hello) {
18032
0
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18033
0
                    return EXT_NOT_ALLOWED;
18034
0
                }
18035
18036
0
                ret = PF_PARSE(ssl, input + offset, size, isRequest);
18037
0
                break;
18038
18039
0
            case TLSX_STATUS_REQUEST:
18040
0
                WOLFSSL_MSG("Certificate Status Request extension received");
18041
            #ifdef WOLFSSL_DEBUG_TLS
18042
                WOLFSSL_BUFFER(input + offset, size);
18043
            #endif
18044
18045
0
#ifdef WOLFSSL_TLS13
18046
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
18047
0
                    if (msgType != client_hello &&
18048
0
                        msgType != certificate_request &&
18049
0
                        msgType != certificate)
18050
0
                        return EXT_NOT_ALLOWED;
18051
0
                }
18052
0
                else
18053
0
 #endif
18054
0
                {
18055
0
                    if (msgType != client_hello &&
18056
0
                        msgType != server_hello)
18057
0
                        return EXT_NOT_ALLOWED;
18058
0
                }
18059
0
                ret = CSR_PARSE(ssl, input + offset, size, isRequest);
18060
0
                break;
18061
18062
0
            case TLSX_STATUS_REQUEST_V2:
18063
0
                WOLFSSL_MSG("Certificate Status Request v2 extension received");
18064
            #ifdef WOLFSSL_DEBUG_TLS
18065
                WOLFSSL_BUFFER(input + offset, size);
18066
            #endif
18067
18068
#if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
18069
                if (IsAtLeastTLSv1_3(ssl->version)) {
18070
                    if (msgType != client_hello &&
18071
                        msgType != certificate_request &&
18072
                        msgType != certificate)
18073
                        return EXT_NOT_ALLOWED;
18074
                }
18075
                else
18076
#endif
18077
0
                {
18078
0
                    if (msgType != client_hello &&
18079
0
                        msgType != server_hello)
18080
0
                        return EXT_NOT_ALLOWED;
18081
0
                }
18082
0
                ret = CSR2_PARSE(ssl, input + offset, size, isRequest);
18083
0
                break;
18084
18085
0
#ifdef HAVE_EXTENDED_MASTER
18086
0
            case HELLO_EXT_EXTMS:
18087
0
                WOLFSSL_MSG("Extended Master Secret extension received");
18088
            #ifdef WOLFSSL_DEBUG_TLS
18089
                WOLFSSL_BUFFER(input + offset, size);
18090
            #endif
18091
18092
0
#if defined(WOLFSSL_TLS13)
18093
0
                if (IsAtLeastTLSv1_3(ssl->version))
18094
0
                    break;
18095
0
#endif
18096
0
                if (msgType != client_hello &&
18097
0
                    msgType != server_hello)
18098
0
                    return EXT_NOT_ALLOWED;
18099
0
                if (size != 0)
18100
0
                    return BUFFER_ERROR;
18101
18102
0
#ifndef NO_WOLFSSL_SERVER
18103
0
                if (isRequest)
18104
0
                    ssl->options.haveEMS = 1;
18105
0
#endif
18106
0
                pendingEMS = 1;
18107
0
                break;
18108
0
#endif
18109
18110
0
            case TLSX_RENEGOTIATION_INFO:
18111
0
                WOLFSSL_MSG("Secure Renegotiation extension received");
18112
            #ifdef WOLFSSL_DEBUG_TLS
18113
                WOLFSSL_BUFFER(input + offset, size);
18114
            #endif
18115
18116
0
#ifdef WOLFSSL_TLS13
18117
0
                if (IsAtLeastTLSv1_3(ssl->version))
18118
0
                    break;
18119
0
#endif
18120
0
                if (msgType != client_hello &&
18121
0
                    msgType != server_hello)
18122
0
                    return EXT_NOT_ALLOWED;
18123
0
                ret = SCR_PARSE(ssl, input + offset, size, isRequest);
18124
0
                break;
18125
18126
0
            case TLSX_SESSION_TICKET:
18127
0
                WOLFSSL_MSG("Session Ticket extension received");
18128
            #ifdef WOLFSSL_DEBUG_TLS
18129
                WOLFSSL_BUFFER(input + offset, size);
18130
            #endif
18131
18132
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)
18133
                if (IsAtLeastTLSv1_3(ssl->version)) {
18134
                    if (msgType != client_hello)
18135
                        return EXT_NOT_ALLOWED;
18136
                }
18137
                else
18138
#endif
18139
0
                {
18140
0
                    if (msgType != client_hello &&
18141
0
                        msgType != server_hello)
18142
0
                        return EXT_NOT_ALLOWED;
18143
0
                }
18144
0
                ret = WOLF_STK_PARSE(ssl, input + offset, size, isRequest);
18145
0
                break;
18146
18147
0
            case TLSX_APPLICATION_LAYER_PROTOCOL:
18148
0
                WOLFSSL_MSG("ALPN extension received");
18149
18150
            #ifdef WOLFSSL_DEBUG_TLS
18151
                WOLFSSL_BUFFER(input + offset, size);
18152
            #endif
18153
18154
#if defined(WOLFSSL_TLS13) && defined(HAVE_ALPN)
18155
                if (IsAtLeastTLSv1_3(ssl->version)) {
18156
                    if (msgType != client_hello &&
18157
                        msgType != encrypted_extensions)
18158
                        return EXT_NOT_ALLOWED;
18159
                }
18160
                else
18161
#endif
18162
0
                {
18163
0
                    if (msgType != client_hello &&
18164
0
                        msgType != server_hello)
18165
0
                        return EXT_NOT_ALLOWED;
18166
0
                }
18167
0
                ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
18168
0
                break;
18169
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
18170
0
            case TLSX_SIGNATURE_ALGORITHMS:
18171
0
                WOLFSSL_MSG("Signature Algorithms extension received");
18172
            #ifdef WOLFSSL_DEBUG_TLS
18173
                WOLFSSL_BUFFER(input + offset, size);
18174
            #endif
18175
18176
0
                if (!IsAtLeastTLSv1_2(ssl))
18177
0
                    break;
18178
0
            #ifdef WOLFSSL_TLS13
18179
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
18180
0
                    if (msgType != client_hello &&
18181
0
                        msgType != certificate_request)
18182
0
                        return EXT_NOT_ALLOWED;
18183
0
                }
18184
0
                else
18185
0
            #endif
18186
0
                {
18187
0
                    if (msgType != client_hello)
18188
0
                        return EXT_NOT_ALLOWED;
18189
0
                }
18190
0
                ret = SA_PARSE(ssl, input + offset, size, isRequest, suites);
18191
0
                break;
18192
0
#endif
18193
18194
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18195
0
            case TLSX_ENCRYPT_THEN_MAC:
18196
0
                WOLFSSL_MSG("Encrypt-Then-Mac extension received");
18197
18198
                /* Ignore for TLS 1.3+ */
18199
0
                if (IsAtLeastTLSv1_3(ssl->version))
18200
0
                    break;
18201
0
                if (msgType != client_hello &&
18202
0
                    msgType != server_hello)
18203
0
                    return EXT_NOT_ALLOWED;
18204
18205
0
                ret = ETM_PARSE(ssl, input + offset, size, msgType);
18206
0
                break;
18207
0
#endif /* HAVE_ENCRYPT_THEN_MAC */
18208
18209
0
#ifdef WOLFSSL_TLS13
18210
0
            case TLSX_SUPPORTED_VERSIONS:
18211
0
                WOLFSSL_MSG("Skipping Supported Versions - already processed");
18212
            #ifdef WOLFSSL_DEBUG_TLS
18213
                WOLFSSL_BUFFER(input + offset, size);
18214
            #endif
18215
0
                if (msgType != client_hello &&
18216
0
                    msgType != server_hello &&
18217
0
                    msgType != hello_retry_request)
18218
0
                    return EXT_NOT_ALLOWED;
18219
18220
0
                break;
18221
18222
0
            case TLSX_COOKIE:
18223
0
                WOLFSSL_MSG("Cookie extension received");
18224
            #ifdef WOLFSSL_DEBUG_TLS
18225
                WOLFSSL_BUFFER(input + offset, size);
18226
            #endif
18227
0
                if (!IsAtLeastTLSv1_3(ssl->version))
18228
0
                    break;
18229
18230
0
                if (msgType != client_hello &&
18231
0
                    msgType != hello_retry_request) {
18232
0
                    return EXT_NOT_ALLOWED;
18233
0
                }
18234
18235
0
                ret = CKE_PARSE(ssl, input + offset, size, msgType);
18236
0
                break;
18237
18238
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
18239
            case TLSX_PRE_SHARED_KEY:
18240
                WOLFSSL_MSG("Pre-Shared Key extension received");
18241
            #ifdef WOLFSSL_DEBUG_TLS
18242
                WOLFSSL_BUFFER(input + offset, size);
18243
            #endif
18244
18245
                if (!IsAtLeastTLSv1_3(ssl->version))
18246
                    break;
18247
18248
                if (msgType != client_hello &&
18249
                    msgType != server_hello) {
18250
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18251
                    return EXT_NOT_ALLOWED;
18252
                }
18253
18254
                ret = PSK_PARSE(ssl, input + offset, size, msgType);
18255
                pskDone = 1;
18256
                break;
18257
18258
            case TLSX_PSK_KEY_EXCHANGE_MODES:
18259
                WOLFSSL_MSG("PSK Key Exchange Modes extension received");
18260
            #ifdef WOLFSSL_DEBUG_TLS
18261
                WOLFSSL_BUFFER(input + offset, size);
18262
            #endif
18263
18264
                if (!IsAtLeastTLSv1_3(ssl->version))
18265
                    break;
18266
18267
                if (msgType != client_hello) {
18268
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18269
                    return EXT_NOT_ALLOWED;
18270
                }
18271
18272
                ret = PKM_PARSE(ssl, input + offset, size, msgType);
18273
                break;
18274
18275
    #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
18276
            case TLSX_CERT_WITH_EXTERN_PSK:
18277
                WOLFSSL_MSG("Cert with external PSK extension received");
18278
            #ifdef WOLFSSL_DEBUG_TLS
18279
                WOLFSSL_BUFFER(input + offset, size);
18280
            #endif
18281
18282
                if (!IsAtLeastTLSv1_3(ssl->version))
18283
                    break;
18284
18285
                if (msgType != client_hello && msgType != server_hello) {
18286
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18287
                    return EXT_NOT_ALLOWED;
18288
                }
18289
                if (size != 0) {
18290
                    WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
18291
                    return BUFFER_ERROR;
18292
                }
18293
18294
                ret = PSK_WITH_CERT_PARSE(ssl, msgType);
18295
                break;
18296
    #endif
18297
    #endif
18298
18299
    #ifdef WOLFSSL_EARLY_DATA
18300
            case TLSX_EARLY_DATA:
18301
                WOLFSSL_MSG("Early Data extension received");
18302
            #ifdef WOLFSSL_DEBUG_TLS
18303
                WOLFSSL_BUFFER(input + offset, size);
18304
            #endif
18305
18306
                if (!IsAtLeastTLSv1_3(ssl->version))
18307
                    break;
18308
18309
                if (msgType != client_hello && msgType != session_ticket &&
18310
                    msgType != encrypted_extensions) {
18311
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18312
                    return EXT_NOT_ALLOWED;
18313
                }
18314
                ret = EDI_PARSE(ssl, input + offset, size, msgType);
18315
                break;
18316
    #endif
18317
18318
    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
18319
            case TLSX_POST_HANDSHAKE_AUTH:
18320
                WOLFSSL_MSG("Post Handshake Authentication extension received");
18321
            #ifdef WOLFSSL_DEBUG_TLS
18322
                WOLFSSL_BUFFER(input + offset, size);
18323
            #endif
18324
18325
                if (!IsAtLeastTLSv1_3(ssl->version))
18326
                    break;
18327
18328
                if (msgType != client_hello) {
18329
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18330
                    return EXT_NOT_ALLOWED;
18331
                }
18332
18333
                ret = PHA_PARSE(ssl, input + offset, size, msgType);
18334
                break;
18335
    #endif
18336
18337
0
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
18338
0
            case TLSX_SIGNATURE_ALGORITHMS_CERT:
18339
0
                WOLFSSL_MSG("Signature Algorithms extension received");
18340
            #ifdef WOLFSSL_DEBUG_TLS
18341
                WOLFSSL_BUFFER(input + offset, size);
18342
            #endif
18343
18344
0
                if (!IsAtLeastTLSv1_3(ssl->version))
18345
0
                    break;
18346
18347
0
                if (msgType != client_hello &&
18348
0
                        msgType != certificate_request) {
18349
0
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18350
0
                    return EXT_NOT_ALLOWED;
18351
0
                }
18352
18353
0
                ret = SAC_PARSE(ssl, input + offset, size, isRequest);
18354
0
                break;
18355
0
    #endif
18356
18357
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
18358
            case TLSX_CERTIFICATE_AUTHORITIES:
18359
                WOLFSSL_MSG("Certificate Authorities extension received");
18360
            #ifdef WOLFSSL_DEBUG_TLS
18361
                WOLFSSL_BUFFER(input + offset, size);
18362
            #endif
18363
18364
                if (!IsAtLeastTLSv1_3(ssl->version))
18365
                    break;
18366
18367
                if (msgType != client_hello &&
18368
                        msgType != certificate_request) {
18369
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18370
                    return EXT_NOT_ALLOWED;
18371
                }
18372
18373
                ret = CAN_PARSE(ssl, input + offset, size, isRequest);
18374
                break;
18375
    #endif
18376
18377
0
            case TLSX_KEY_SHARE:
18378
0
                WOLFSSL_MSG("Key Share extension received");
18379
            #ifdef WOLFSSL_DEBUG_TLS
18380
                WOLFSSL_BUFFER(input + offset, size);
18381
            #endif
18382
18383
0
    #ifdef HAVE_SUPPORTED_CURVES
18384
0
                if (!IsAtLeastTLSv1_3(ssl->version))
18385
0
                    break;
18386
18387
0
                if (msgType != client_hello && msgType != server_hello &&
18388
0
                        msgType != hello_retry_request) {
18389
0
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18390
0
                    return EXT_NOT_ALLOWED;
18391
0
                }
18392
0
    #endif
18393
18394
0
                ret = KS_PARSE(ssl, input + offset, size, msgType);
18395
0
                break;
18396
0
#endif
18397
#ifdef WOLFSSL_SRTP
18398
            case TLSX_USE_SRTP:
18399
                WOLFSSL_MSG("Use SRTP extension received");
18400
18401
#if defined(WOLFSSL_TLS13)
18402
                if (IsAtLeastTLSv1_3(ssl->version)) {
18403
                    if (msgType != client_hello &&
18404
                        msgType != encrypted_extensions)
18405
                        return EXT_NOT_ALLOWED;
18406
                }
18407
                else
18408
#endif
18409
                {
18410
                    if (msgType != client_hello &&
18411
                        msgType != server_hello)
18412
                        return EXT_NOT_ALLOWED;
18413
                }
18414
                ret = SRTP_PARSE(ssl, input + offset, size, isRequest);
18415
                break;
18416
#endif
18417
#ifdef WOLFSSL_QUIC
18418
            case TLSX_KEY_QUIC_TP_PARAMS:
18419
                FALL_THROUGH;
18420
            case TLSX_KEY_QUIC_TP_PARAMS_DRAFT:
18421
                WOLFSSL_MSG("QUIC transport parameter received");
18422
            #ifdef WOLFSSL_DEBUG_TLS
18423
                WOLFSSL_BUFFER(input + offset, size);
18424
            #endif
18425
18426
                if (IsAtLeastTLSv1_3(ssl->version) &&
18427
                        msgType != client_hello &&
18428
                        msgType != encrypted_extensions) {
18429
                    return EXT_NOT_ALLOWED;
18430
                }
18431
                else if (!IsAtLeastTLSv1_3(ssl->version) &&
18432
                         msgType == encrypted_extensions) {
18433
                    return EXT_NOT_ALLOWED;
18434
                }
18435
                else if (WOLFSSL_IS_QUIC(ssl)) {
18436
                    ret = QTP_PARSE(ssl, input + offset, size, type, msgType);
18437
                }
18438
                else {
18439
                    WOLFSSL_MSG("QUIC transport param TLS extension type, but no QUIC");
18440
                    return EXT_NOT_ALLOWED; /* be safe, this should not happen */
18441
                }
18442
                break;
18443
#endif /* WOLFSSL_QUIC */
18444
#if defined(WOLFSSL_DTLS_CID)
18445
            case TLSX_CONNECTION_ID:
18446
                if (msgType != client_hello && msgType != server_hello)
18447
                    return EXT_NOT_ALLOWED;
18448
18449
                WOLFSSL_MSG("ConnectionID extension received");
18450
                ret = CID_PARSE(ssl, input + offset, size, isRequest);
18451
                break;
18452
18453
#endif /* defined(WOLFSSL_DTLS_CID) */
18454
#if defined(HAVE_RPK)
18455
            case TLSX_CLIENT_CERTIFICATE_TYPE:
18456
                WOLFSSL_MSG("Client Certificate Type extension received");
18457
#if defined(WOLFSSL_TLS13)
18458
                /* RFC 8446, Section 4.2 (Extensions), client_certificate_type
18459
                   and server_certificate_type MUST be sent in ClientHello(CH)
18460
                   or EncryptedExtensions(EE) */
18461
                if (IsAtLeastTLSv1_3(ssl->version)) {
18462
                    if (msgType != client_hello &&
18463
                        msgType != encrypted_extensions) {
18464
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18465
                        return EXT_NOT_ALLOWED;
18466
                    }
18467
                }
18468
                else
18469
#endif
18470
                {
18471
                    /* TLS 1.2: allowed in CH and SH (RFC 7250) */
18472
                    if (msgType != client_hello &&
18473
                        msgType != server_hello) {
18474
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18475
                        return EXT_NOT_ALLOWED;
18476
                    }
18477
                }
18478
                ret = CCT_PARSE(ssl, input + offset, size, msgType);
18479
                break;
18480
18481
            case TLSX_SERVER_CERTIFICATE_TYPE:
18482
                WOLFSSL_MSG("Server Certificate Type extension received");
18483
#if defined(WOLFSSL_TLS13)
18484
                /* RFC 8446, Section 4.2 (Extensions) */
18485
                if (IsAtLeastTLSv1_3(ssl->version)) {
18486
                    if (msgType != client_hello &&
18487
                        msgType != encrypted_extensions) {
18488
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18489
                        return EXT_NOT_ALLOWED;
18490
                    }
18491
                }
18492
                else
18493
#endif
18494
                {
18495
                    /* TLS 1.2: allowed in CH and SH (RFC 7250) */
18496
                    if (msgType != client_hello &&
18497
                        msgType != server_hello) {
18498
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18499
                        return EXT_NOT_ALLOWED;
18500
                    }
18501
                }
18502
                ret = SCT_PARSE(ssl, input + offset, size, msgType);
18503
                break;
18504
#endif /* HAVE_RPK */
18505
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
18506
            case TLSX_ECH:
18507
                WOLFSSL_MSG("ECH extension received");
18508
                if (!IsAtLeastTLSv1_3(ssl->version))
18509
                    break;
18510
18511
                if (msgType != client_hello &&
18512
                    msgType != encrypted_extensions &&
18513
                    msgType != hello_retry_request) {
18514
                    return EXT_NOT_ALLOWED;
18515
                }
18516
18517
                ret = ECH_PARSE(ssl, input + offset, size, msgType);
18518
                break;
18519
            case TLSXT_ECH_OUTER_EXTENSIONS:
18520
                /* RFC 9849 s5.1: ech_outer_extensions MUST only appear in
18521
                 * the EncodedClientHelloInner */
18522
                WOLFSSL_MSG("ech_outer_extensions in plaintext message");
18523
                WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
18524
                return INVALID_PARAMETER;
18525
#endif
18526
0
            default:
18527
0
                WOLFSSL_MSG("Unknown TLS extension type");
18528
0
#if defined(WOLFSSL_TLS13)
18529
                /* RFC 8446 Sec. 4.2: a TLS 1.3 client MUST abort with an
18530
                 * unsupported_extension alert when it receives an extension
18531
                 * "response" that was not advertised in the ClientHello. The
18532
                 * rule applies only to messages whose extensions are responses
18533
                 * to the ClientHello: ServerHello, HelloRetryRequest,
18534
                 * EncryptedExtensions and Certificate.
18535
                 *
18536
                 * Extensions in CertificateRequest and NewSessionTicket are
18537
                 * independent server-initiated payloads, not responses, and
18538
                 * per RFC 8701 (GREASE) the server MAY include unknown
18539
                 * (GREASE) extension types there which the client MUST treat
18540
                 * like any other unknown value (i.e. ignore them). */
18541
0
                if (IsAtLeastTLSv1_3(ssl->version) &&
18542
0
                        (msgType == server_hello ||
18543
0
                         msgType == hello_retry_request ||
18544
0
                         msgType == encrypted_extensions ||
18545
0
                         msgType == certificate)) {
18546
0
                    SendAlert((WOLFSSL*)ssl, alert_fatal, unsupported_extension);
18547
0
                    WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION);
18548
0
                    return UNSUPPORTED_EXTENSION;
18549
0
                }
18550
0
#endif
18551
0
        }
18552
18553
        /* offset should be updated here! */
18554
0
        offset += size;
18555
0
    }
18556
18557
0
#ifdef HAVE_EXTENDED_MASTER
18558
0
    if (IsAtLeastTLSv1_3(ssl->version) &&
18559
0
        (msgType == hello_retry_request || msgType == hello_verify_request)) {
18560
        /* Don't change EMS status until server_hello received.
18561
         * Second ClientHello must have same extensions.
18562
         */
18563
0
    }
18564
0
    else if (!isRequest && ssl->options.haveEMS && !pendingEMS)
18565
0
        ssl->options.haveEMS = 0;
18566
0
#endif
18567
#if defined(WOLFSSL_TLS13) && !defined(NO_PSK)
18568
    if (IsAtLeastTLSv1_3(ssl->version) && msgType == server_hello &&
18569
        IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE))) {
18570
        ssl->options.noPskDheKe = 1;
18571
    }
18572
#endif
18573
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
18574
    !defined(NO_PSK)
18575
    if (IsAtLeastTLSv1_3(ssl->version)) {
18576
        int hasPskWithCert = !IS_OFF(seenType,
18577
            TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
18578
        if (hasPskWithCert && ssl->options.certWithExternPsk) {
18579
            int hasPsk = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
18580
            int hasPskModes = !IS_OFF(seenType,
18581
                TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES));
18582
            int hasKeyShare = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE));
18583
            int hasSg = !IS_OFF(seenType,
18584
                TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
18585
            int hasSigAlg = !IS_OFF(seenType,
18586
                TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
18587
#ifdef WOLFSSL_EARLY_DATA
18588
            int hasEarlyData = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_EARLY_DATA));
18589
#endif
18590
18591
            if (msgType == client_hello && isRequest) {
18592
                TLSX* pskm;
18593
                /* RFC8773bis: CH2 after HRR must keep CH1's extension set. */
18594
                if (secondClientHello && !prevHasPskWithCert) {
18595
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18596
                    return EXT_NOT_ALLOWED;
18597
                }
18598
                /* RFC8773bis: cert_with_extern_psk depends on these extensions. */
18599
                if (!hasPsk || !hasPskModes || !hasKeyShare || !hasSg ||
18600
                    !hasSigAlg) {
18601
                    WOLFSSL_ERROR_VERBOSE(EXT_MISSING);
18602
                    return EXT_MISSING;
18603
                }
18604
#ifdef WOLFSSL_EARLY_DATA
18605
                /* External PSK + certificate mode forbids 0-RTT in CH.
18606
                 * When WOLFSSL_EARLY_DATA is not defined there is no parser
18607
                 * case for TLSX_EARLY_DATA, so an incoming early_data
18608
                 * extension is treated as unknown and ignored per RFC 8446
18609
                 * Sect. 4.2 - no additional check is needed in that case. */
18610
                if (hasEarlyData) {
18611
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18612
                    return EXT_NOT_ALLOWED;
18613
                }
18614
#endif
18615
                pskm = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
18616
                /* RFC8773bis requires client support for psk_dhe_ke mode. */
18617
                if (pskm == NULL || (pskm->val & (1 << PSK_DHE_KE)) == 0) {
18618
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18619
                    return EXT_NOT_ALLOWED;
18620
                }
18621
            }
18622
            else if (msgType == server_hello && !isRequest) {
18623
                /* SH confirming cert_with_extern_psk must also confirm PSK and KSE. */
18624
                if (!hasPsk || !hasKeyShare) {
18625
                    WOLFSSL_ERROR_VERBOSE(EXT_MISSING);
18626
                    return EXT_MISSING;
18627
                }
18628
            }
18629
        }
18630
        else if (msgType == client_hello && isRequest && secondClientHello &&
18631
                prevHasPskWithCert) {
18632
            /* RFC8773bis: reject dropping the extension in CH2 after HRR. */
18633
            WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18634
            return EXT_NOT_ALLOWED;
18635
        }
18636
    }
18637
#endif
18638
0
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
18639
    /* RFC 8446 Section 9.2: ClientHello with KeyShare must
18640
     * contain SupportedGroups and vice-versa. */
18641
0
    if (IsAtLeastTLSv1_3(ssl->version) && msgType == client_hello && isRequest) {
18642
0
        int hasKeyShare = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE));
18643
0
        int hasSupportedGroups = !IS_OFF(seenType,
18644
0
            TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
18645
18646
0
        if (hasKeyShare && !hasSupportedGroups) {
18647
0
            WOLFSSL_MSG("ClientHello with KeyShare extension missing required "
18648
0
                        "SupportedGroups extension");
18649
0
            return INCOMPLETE_DATA;
18650
0
        }
18651
0
        if (hasSupportedGroups && !hasKeyShare) {
18652
0
            WOLFSSL_MSG("ClientHello with SupportedGroups extension missing "
18653
0
                        "required KeyShare extension");
18654
0
            return INCOMPLETE_DATA;
18655
0
        }
18656
0
    }
18657
0
#endif
18658
18659
0
    if (ret == 0)
18660
0
        ret = SNI_VERIFY_PARSE(ssl, isRequest);
18661
0
    if (ret == 0)
18662
0
        ret = TCA_VERIFY_PARSE(ssl, isRequest);
18663
18664
0
    WOLFSSL_LEAVE("Leaving TLSX_Parse", ret);
18665
0
    return ret;
18666
0
}
18667
18668
/* undefining semaphore macros */
18669
#undef IS_OFF
18670
#undef TURN_ON
18671
#undef SEMAPHORE_SIZE
18672
18673
#endif /* HAVE_TLS_EXTENSIONS */
18674
18675
#ifndef NO_WOLFSSL_CLIENT
    /* Allocates the default (highest compiled-in, downgradeable) TLS client
     * method on the default heap.
     *
     * Thin wrapper: identical to wolfTLS_client_method_ex(NULL).
     *
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfTLS_client_method(void)
    {
        WOLFSSL_METHOD* m = wolfTLS_client_method_ex(NULL);
        return m;
    }
18681
    /* Allocates a TLS client method that starts at the newest protocol
     * version enabled in this build and has the downgrade flag set.
     *
     * heap  The heap handed to XMALLOC (DYNAMIC_TYPE_METHOD).
     * returns the method data, or NULL if allocation failed.
     *
     * NOTE(review): downgrade = 1 presumably lets the handshake settle on any
     * older compiled-in TLS version the peer offers; deployments that need a
     * floor should set a minimum version on the context (for example via
     * wolfSSL_CTX_SetMinVersion) - confirm against InitSSL_Method.
     */
    WOLFSSL_METHOD* wolfTLS_client_method_ex(void* heap)
    {
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap; /* unused when XMALLOC ignores its heap argument */
        WOLFSSL_ENTER("TLS_client_method_ex");
        if (m == NULL)
            return NULL;

        /* Pick the newest version this build supports; the chain mirrors the
         * build options documented at the top of the file. */
    #if defined(WOLFSSL_TLS13)
        InitSSL_Method(m, MakeTLSv1_3());
    #elif !defined(WOLFSSL_NO_TLS12)
        InitSSL_Method(m, MakeTLSv1_2());
    #elif !defined(NO_OLD_TLS)
        InitSSL_Method(m, MakeTLSv1_1());
    #elif defined(WOLFSSL_ALLOW_TLSV10)
        InitSSL_Method(m, MakeTLSv1());
    #else
    #error No TLS version enabled! Consider using NO_TLS or WOLFCRYPT_ONLY.
    #endif

        m->downgrade = 1;
        m->side      = WOLFSSL_CLIENT_END;
        return m;
    }
#ifndef NO_OLD_TLS
18708
    #ifdef WOLFSSL_ALLOW_TLSV10
18709
    /* Allocates a TLS v1.0 client method on the default heap.
     *
     * Thin wrapper: identical to wolfTLSv1_client_method_ex(NULL).
     *
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfTLSv1_client_method(void)
    {
        WOLFSSL_METHOD* m = wolfTLSv1_client_method_ex(NULL);
        return m;
    }
18713
    /* Allocates a TLS v1.0 client method (only built with
     * WOLFSSL_ALLOW_TLSV10). No downgrade flag is set here, unlike
     * wolfTLS_client_method_ex.
     *
     * heap  The heap handed to XMALLOC (DYNAMIC_TYPE_METHOD).
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfTLSv1_client_method_ex(void* heap)
    {
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap; /* unused when XMALLOC ignores its heap argument */
        WOLFSSL_ENTER("TLSv1_client_method_ex");
        if (m == NULL)
            return NULL;
        InitSSL_Method(m, MakeTLSv1());
        return m;
    }
18724
    #endif /* WOLFSSL_ALLOW_TLSV10 */
    /* Allocates a TLS v1.1 client method on the default heap.
     *
     * Thin wrapper: identical to wolfTLSv1_1_client_method_ex(NULL).
     *
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfTLSv1_1_client_method(void)
    {
        WOLFSSL_METHOD* m = wolfTLSv1_1_client_method_ex(NULL);
        return m;
    }
18730
    /* Allocates a TLS v1.1 client method. No downgrade flag is set here,
     * unlike wolfTLS_client_method_ex.
     *
     * heap  The heap handed to XMALLOC (DYNAMIC_TYPE_METHOD).
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfTLSv1_1_client_method_ex(void* heap)
    {
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap; /* unused when XMALLOC ignores its heap argument */
        WOLFSSL_ENTER("TLSv1_1_client_method_ex");
        if (m == NULL)
            return NULL;
        InitSSL_Method(m, MakeTLSv1_1());
        return m;
    }
18741
#endif /* !NO_OLD_TLS */
#ifndef WOLFSSL_NO_TLS12
18744
    /* Allocates a TLS v1.2 client method on the default heap.
     *
     * Thin wrapper: identical to wolfTLSv1_2_client_method_ex(NULL).
     *
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_ABI
    WOLFSSL_METHOD* wolfTLSv1_2_client_method(void)
    {
        WOLFSSL_METHOD* m = wolfTLSv1_2_client_method_ex(NULL);
        return m;
    }
18749
    /* Allocates a TLS v1.2 client method. No downgrade flag is set here,
     * unlike wolfTLS_client_method_ex.
     *
     * heap  The heap handed to XMALLOC (DYNAMIC_TYPE_METHOD).
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfTLSv1_2_client_method_ex(void* heap)
    {
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap; /* unused when XMALLOC ignores its heap argument */
        WOLFSSL_ENTER("TLSv1_2_client_method_ex");
        if (m == NULL)
            return NULL;
        InitSSL_Method(m, MakeTLSv1_2());
        return m;
    }
18760
#endif /* WOLFSSL_NO_TLS12 */
#ifdef WOLFSSL_TLS13
18763
    /* Allocates a TLS v1.3 client method on the default heap.
     *
     * Thin wrapper: identical to wolfTLSv1_3_client_method_ex(NULL).
     *
     * returns the method data for a TLS v1.3 client, or NULL if allocation
     * failed.
     */
    WOLFSSL_ABI
    WOLFSSL_METHOD* wolfTLSv1_3_client_method(void)
    {
        WOLFSSL_METHOD* m = wolfTLSv1_3_client_method_ex(NULL);
        return m;
    }
    /* Allocates a TLS v1.3 client method. No downgrade flag is set here,
     * unlike wolfTLS_client_method_ex.
     *
     * heap  The heap handed to XMALLOC (DYNAMIC_TYPE_METHOD).
     * returns the method data for a TLS v1.3 client, or NULL if allocation
     * failed.
     */
    WOLFSSL_METHOD* wolfTLSv1_3_client_method_ex(void* heap)
    {
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap; /* unused when XMALLOC ignores its heap argument */
        WOLFSSL_ENTER("TLSv1_3_client_method_ex");
        if (m == NULL)
            return NULL;
        InitSSL_Method(m, MakeTLSv1_3());
        return m;
    }
18789
#endif /* WOLFSSL_TLS13 */
#ifdef WOLFSSL_DTLS
    /* Allocates the default (highest compiled-in, downgradeable) DTLS client
     * method on the default heap.
     *
     * Thin wrapper: identical to wolfDTLS_client_method_ex(NULL).
     *
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfDTLS_client_method(void)
    {
        WOLFSSL_METHOD* m = wolfDTLS_client_method_ex(NULL);
        return m;
    }
18797
    /* Allocates a DTLS client method that starts at the newest DTLS version
     * enabled in this build and has the downgrade flag set.
     *
     * heap  The heap handed to XMALLOC (DYNAMIC_TYPE_METHOD).
     * returns the method data, or NULL if allocation failed.
     *
     * NOTE(review): downgrade = 1 presumably lets the handshake settle on any
     * older compiled-in DTLS version the peer offers; deployments that need a
     * floor should set a minimum version on the context - confirm against
     * InitSSL_Method.
     */
    WOLFSSL_METHOD* wolfDTLS_client_method_ex(void* heap)
    {
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap; /* unused when XMALLOC ignores its heap argument */
        WOLFSSL_ENTER("DTLS_client_method_ex");
        if (m == NULL)
            return NULL;

        /* Pick the newest DTLS version this build supports. */
    #if defined(WOLFSSL_DTLS13)
        InitSSL_Method(m, MakeDTLSv1_3());
    #elif !defined(WOLFSSL_NO_TLS12)
        InitSSL_Method(m, MakeDTLSv1_2());
    #elif !defined(NO_OLD_TLS)
        InitSSL_Method(m, MakeDTLSv1());
    #else
        #error No DTLS version enabled!
    #endif

        m->downgrade = 1;
        m->side      = WOLFSSL_CLIENT_END;
        return m;
    }
    #ifndef NO_OLD_TLS
18822
    /* Allocates a DTLS v1.0 client method on the default heap.
     *
     * Thin wrapper: identical to wolfDTLSv1_client_method_ex(NULL).
     *
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfDTLSv1_client_method(void)
    {
        WOLFSSL_METHOD* m = wolfDTLSv1_client_method_ex(NULL);
        return m;
    }
18826
    /* Allocates a DTLS v1.0 client method. No downgrade flag is set here,
     * unlike wolfDTLS_client_method_ex.
     *
     * heap  The heap handed to XMALLOC (DYNAMIC_TYPE_METHOD).
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfDTLSv1_client_method_ex(void* heap)
    {
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap; /* unused when XMALLOC ignores its heap argument */
        WOLFSSL_ENTER("DTLSv1_client_method_ex");
        if (m == NULL)
            return NULL;
        InitSSL_Method(m, MakeDTLSv1());
        return m;
    }
18837
    #endif  /* NO_OLD_TLS */
    #ifndef WOLFSSL_NO_TLS12
18840
    /* Allocates a DTLS v1.2 client method on the default heap.
     *
     * Thin wrapper: identical to wolfDTLSv1_2_client_method_ex(NULL).
     *
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfDTLSv1_2_client_method(void)
    {
        WOLFSSL_METHOD* m = wolfDTLSv1_2_client_method_ex(NULL);
        return m;
    }
18844
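    /* Allocates a DTLS v1.2 client method. No downgrade flag is set here,
     * unlike wolfDTLS_client_method_ex.
     *
     * The duplicated trailing `(void)heap;` of the previous version was
     * dropped; one suppression right after the allocation is enough and
     * matches the sibling *_client_method_ex functions.
     *
     * heap  The heap handed to XMALLOC (DYNAMIC_TYPE_METHOD).
     * returns the method data, or NULL if allocation failed.
     */
    WOLFSSL_METHOD* wolfDTLSv1_2_client_method_ex(void* heap)
    {
        WOLFSSL_METHOD* method =
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap; /* unused when XMALLOC ignores its heap argument */
        WOLFSSL_ENTER("DTLSv1_2_client_method_ex");
        if (method)
            InitSSL_Method(method, MakeDTLSv1_2());
        return method;
    }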
18856
    #endif /* !WOLFSSL_NO_TLS12 */
18857
#endif /* WOLFSSL_DTLS */
#endif /* NO_WOLFSSL_CLIENT */
/* EITHER SIDE METHODS */
18863
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
    #ifndef NO_OLD_TLS
    #ifdef WOLFSSL_ALLOW_TLSV10
    /* Gets a WOLFSSL_METHOD type that is not set as client or server
     *
     * Returns a pointer to a WOLFSSL_METHOD struct, or NULL if allocation failed
     */
    WOLFSSL_METHOD* wolfTLSv1_method(void)
    {
        /* Default-heap form of wolfTLSv1_method_ex(): a TLS 1.0 method with
         * the client/server role left open. TLS 1.0 is deprecated by
         * RFC 8996; legacy interop only. Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfTLSv1_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfTLSv1_method_ex(void* heap)
    {
        /* Build a TLS 1.0 method whose role is not fixed: the struct is
         * created by whichever role-specific constructor this build has
         * (client preferred), then 'side' is reset to WOLFSSL_NEITHER_END so
         * the role is presumably settled when the connection is made --
         * confirm. TLS 1.0 is deprecated by RFC 8996; legacy interop only.
         *
         * heap: forwarded to the underlying constructor; may be NULL.
         * Returns the method, or NULL if the underlying allocation failed. */
        WOLFSSL_METHOD* method;
        WOLFSSL_ENTER("TLSv1_method");
    #ifndef NO_WOLFSSL_CLIENT
        method = wolfTLSv1_client_method_ex(heap);
    #else
        method = wolfTLSv1_server_method_ex(heap);
    #endif
        if (method == NULL) {
            return NULL;
        }
        method->side = WOLFSSL_NEITHER_END;
        return method;
    }
    #endif /* WOLFSSL_ALLOW_TLSV10 */
    /* Gets a WOLFSSL_METHOD type that is not set as client or server
     *
     * Returns a pointer to a WOLFSSL_METHOD struct, or NULL if allocation failed
     */
    WOLFSSL_METHOD* wolfTLSv1_1_method(void)
    {
        /* Default-heap form of wolfTLSv1_1_method_ex(): a TLS 1.1 method with
         * the client/server role left open. TLS 1.1 is deprecated by
         * RFC 8996; legacy interop only. Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfTLSv1_1_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfTLSv1_1_method_ex(void* heap)
    {
        /* Build a TLS 1.1 method whose role is not fixed: created by the
         * role-specific constructor available in this build (client
         * preferred), then 'side' is reset to WOLFSSL_NEITHER_END. TLS 1.1
         * is deprecated by RFC 8996; legacy interop only.
         *
         * heap: forwarded to the underlying constructor; may be NULL.
         * Returns the method, or NULL if the underlying allocation failed. */
        WOLFSSL_METHOD* method;
        WOLFSSL_ENTER("TLSv1_1_method");
    #ifndef NO_WOLFSSL_CLIENT
        method = wolfTLSv1_1_client_method_ex(heap);
    #else
        method = wolfTLSv1_1_server_method_ex(heap);
    #endif
        if (method == NULL) {
            return NULL;
        }
        method->side = WOLFSSL_NEITHER_END;
        return method;
    }
    #endif /* !NO_OLD_TLS */
    #ifndef WOLFSSL_NO_TLS12
    /* Gets a WOLFSSL_METHOD type that is not set as client or server
     *
     * Returns a pointer to a WOLFSSL_METHOD struct, or NULL if allocation failed
     */
    WOLFSSL_METHOD* wolfTLSv1_2_method(void)
    {
        /* Default-heap form of wolfTLSv1_2_method_ex(): a TLS 1.2 method with
         * the client/server role left open. Returns NULL on allocation
         * failure. */
        WOLFSSL_METHOD* m = wolfTLSv1_2_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfTLSv1_2_method_ex(void* heap)
    {
        /* Build a TLS 1.2 method whose role is not fixed: created by the
         * role-specific constructor available in this build (client
         * preferred), then 'side' is reset to WOLFSSL_NEITHER_END so the role
         * is presumably settled at connection time -- confirm.
         *
         * heap: forwarded to the underlying constructor; may be NULL.
         * Returns the method, or NULL if the underlying allocation failed. */
        WOLFSSL_METHOD* method;
        WOLFSSL_ENTER("TLSv1_2_method");
    #ifndef NO_WOLFSSL_CLIENT
        method = wolfTLSv1_2_client_method_ex(heap);
    #else
        method = wolfTLSv1_2_server_method_ex(heap);
    #endif
        if (method == NULL) {
            return NULL;
        }
        method->side = WOLFSSL_NEITHER_END;
        return method;
    }
    #endif /* !WOLFSSL_NO_TLS12 */
    #ifdef WOLFSSL_TLS13
    /* Gets a WOLFSSL_METHOD type that is not set as client or server
     *
     * Returns a pointer to a WOLFSSL_METHOD struct, or NULL if allocation failed
     */
    WOLFSSL_METHOD* wolfTLSv1_3_method(void)
    {
        /* Default-heap form of wolfTLSv1_3_method_ex(): a TLS 1.3 method with
         * the client/server role left open. Returns NULL on allocation
         * failure. */
        WOLFSSL_METHOD* m = wolfTLSv1_3_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfTLSv1_3_method_ex(void* heap)
    {
        /* Build a TLS 1.3 method whose role is not fixed: created by the
         * role-specific constructor available in this build (client
         * preferred), then 'side' is reset to WOLFSSL_NEITHER_END so the role
         * is presumably settled at connection time -- confirm.
         *
         * heap: forwarded to the underlying constructor; may be NULL.
         * Returns the method, or NULL if the underlying allocation failed. */
        WOLFSSL_METHOD* method;
        WOLFSSL_ENTER("TLSv1_3_method");
    #ifndef NO_WOLFSSL_CLIENT
        method = wolfTLSv1_3_client_method_ex(heap);
    #else
        method = wolfTLSv1_3_server_method_ex(heap);
    #endif
        if (method == NULL) {
            return NULL;
        }
        method->side = WOLFSSL_NEITHER_END;
        return method;
    }
    #endif /* WOLFSSL_TLS13 */
#ifdef WOLFSSL_DTLS
    WOLFSSL_METHOD* wolfDTLS_method(void)
    {
        /* Default-heap form of wolfDTLS_method_ex(): a version-flexible DTLS
         * method with the client/server role left open. Returns NULL on
         * allocation failure. */
        WOLFSSL_METHOD* m = wolfDTLS_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfDTLS_method_ex(void* heap)
    {
        /* Build a version-flexible DTLS method whose role is not fixed:
         * created by the role-specific wolfDTLS_*_method_ex() available in
         * this build (client preferred) -- which also sets 'downgrade', so
         * the negotiated version may be lower than the starting one; the
         * accepted floor is enforced elsewhere (not visible here), confirm
         * it is configured -- then 'side' is reset to WOLFSSL_NEITHER_END.
         *
         * heap: forwarded to the underlying constructor; may be NULL.
         * Returns the method, or NULL if the underlying allocation failed. */
        WOLFSSL_METHOD* method;
        WOLFSSL_ENTER("DTLS_method_ex");
    #ifndef NO_WOLFSSL_CLIENT
        method = wolfDTLS_client_method_ex(heap);
    #else
        method = wolfDTLS_server_method_ex(heap);
    #endif
        if (method == NULL) {
            return NULL;
        }
        method->side = WOLFSSL_NEITHER_END;
        return method;
    }
    #ifndef NO_OLD_TLS
    WOLFSSL_METHOD* wolfDTLSv1_method(void)
    {
        /* Default-heap form of wolfDTLSv1_method_ex(): a DTLS 1.0 method with
         * the client/server role left open. DTLS 1.0 is deprecated by
         * RFC 8996; legacy interop only. Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfDTLSv1_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfDTLSv1_method_ex(void* heap)
    {
        /* Build a DTLS 1.0 method whose role is not fixed: created by the
         * role-specific constructor available in this build (client
         * preferred), then 'side' is reset to WOLFSSL_NEITHER_END. DTLS 1.0
         * is deprecated by RFC 8996; legacy interop only.
         *
         * heap: forwarded to the underlying constructor; may be NULL.
         * Returns the method, or NULL if the underlying allocation failed. */
        WOLFSSL_METHOD* method;
        WOLFSSL_ENTER("DTLSv1_method_ex");
    #ifndef NO_WOLFSSL_CLIENT
        method = wolfDTLSv1_client_method_ex(heap);
    #else
        method = wolfDTLSv1_server_method_ex(heap);
    #endif
        if (method == NULL) {
            return NULL;
        }
        method->side = WOLFSSL_NEITHER_END;
        return method;
    }
    #endif /* !NO_OLD_TLS */
    #ifndef WOLFSSL_NO_TLS12
    WOLFSSL_METHOD* wolfDTLSv1_2_method(void)
    {
        /* Default-heap form of wolfDTLSv1_2_method_ex(): a DTLS 1.2 method
         * with the client/server role left open. Returns NULL on allocation
         * failure. */
        WOLFSSL_METHOD* m = wolfDTLSv1_2_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfDTLSv1_2_method_ex(void* heap)
    {
        /* Build a DTLS 1.2 method whose role is not fixed: created by the
         * role-specific constructor available in this build (client
         * preferred), then 'side' is reset to WOLFSSL_NEITHER_END so the role
         * is presumably settled at connection time -- confirm.
         *
         * heap: forwarded to the underlying constructor; may be NULL.
         * Returns the method, or NULL if the underlying allocation failed. */
        WOLFSSL_METHOD* method;
        WOLFSSL_ENTER("DTLSv1_2_method");
    #ifndef NO_WOLFSSL_CLIENT
        method = wolfDTLSv1_2_client_method_ex(heap);
    #else
        method = wolfDTLSv1_2_server_method_ex(heap);
    #endif
        if (method == NULL) {
            return NULL;
        }
        method->side = WOLFSSL_NEITHER_END;
        return method;
    }
    #endif /* !WOLFSSL_NO_TLS12 */
    #ifdef WOLFSSL_DTLS13
    WOLFSSL_METHOD* wolfDTLSv1_3_method(void)
    {
        /* Default-heap form of wolfDTLSv1_3_method_ex(): a DTLS 1.3 method
         * with the client/server role left open. Returns NULL on allocation
         * failure. */
        WOLFSSL_METHOD* m = wolfDTLSv1_3_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfDTLSv1_3_method_ex(void* heap)
    {
        /* Build a DTLS 1.3 method whose role is not fixed: created by the
         * role-specific constructor available in this build (client
         * preferred), then 'side' is reset to WOLFSSL_NEITHER_END so the role
         * is presumably settled at connection time -- confirm.
         *
         * heap: forwarded to the underlying constructor; may be NULL.
         * Returns the method, or NULL if the underlying allocation failed. */
        WOLFSSL_METHOD* method;
        WOLFSSL_ENTER("DTLSv1_3_method");
    #ifndef NO_WOLFSSL_CLIENT
        method = wolfDTLSv1_3_client_method_ex(heap);
    #else
        method = wolfDTLSv1_3_server_method_ex(heap);
    #endif
        if (method == NULL) {
            return NULL;
        }
        method->side = WOLFSSL_NEITHER_END;
        return method;
    }
    #endif /* WOLFSSL_DTLS13 */
#endif /* WOLFSSL_DTLS */
#endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */
#ifndef NO_WOLFSSL_SERVER
    WOLFSSL_METHOD* wolfTLS_server_method(void)
    {
        /* Default-heap form of wolfTLS_server_method_ex(): a server method
         * that starts at the highest TLS version compiled in and permits
         * downgrade (see that function for the version-floor caveat).
         * Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfTLS_server_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfTLS_server_method_ex(void* heap)
    {
        /* Allocate a version-flexible server method.
         *
         * The starting version is chosen at compile time: the highest of
         * TLS 1.3 / 1.2 / 1.1 / 1.0 that the build enables (a build with none
         * of them fails with #error). 'downgrade' is then set, so a handshake
         * may settle on a version below the starting one.
         *
         * Security note: the lowest version this server will accept is NOT
         * decided here; it is governed by whatever minimum-version control
         * the library applies elsewhere (not visible in this block). Deployers
         * should confirm that floor excludes TLS 1.0/1.1 (RFC 8996) unless
         * legacy interop is required.
         *
         * heap: forwarded to XMALLOC; may be NULL. The (void) cast keeps the
         *       parameter from warning as unused in builds whose XMALLOC
         *       ignores it.
         * Returns the new method (DYNAMIC_TYPE_METHOD allocation) or NULL on
         * allocation failure. Release is not handled here; presumably the
         * CTX that consumes the method frees it -- confirm. */
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap;
        WOLFSSL_ENTER("TLS_server_method_ex");
        if (m == NULL) {
            return NULL;
        }

        /* Highest enabled version wins. */
    #if defined(WOLFSSL_TLS13)
        InitSSL_Method(m, MakeTLSv1_3());
    #elif !defined(WOLFSSL_NO_TLS12)
        InitSSL_Method(m, MakeTLSv1_2());
    #elif !defined(NO_OLD_TLS)
        InitSSL_Method(m, MakeTLSv1_1());
    #elif defined(WOLFSSL_ALLOW_TLSV10)
        InitSSL_Method(m, MakeTLSv1());
    #else
    #error No TLS version enabled! Consider using NO_TLS or WOLFCRYPT_ONLY.
    #endif

        m->downgrade = 1;
        m->side      = WOLFSSL_SERVER_END;
        return m;
    }
#ifndef NO_OLD_TLS
    #ifdef WOLFSSL_ALLOW_TLSV10
    WOLFSSL_METHOD* wolfTLSv1_server_method(void)
    {
        /* Default-heap form of wolfTLSv1_server_method_ex(): a server method
         * fixed to TLS 1.0. TLS 1.0 is deprecated by RFC 8996; legacy interop
         * only. Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfTLSv1_server_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfTLSv1_server_method_ex(void* heap)
    {
        /* Allocate a server method fixed to TLS 1.0.
         *
         * Security note: TLS 1.0 is deprecated by RFC 8996. 'downgrade' is
         * not set here (contrast wolfTLS_server_method_ex), so presumably
         * only this exact version is negotiated -- confirm.
         *
         * heap: forwarded to XMALLOC; may be NULL. The (void) cast keeps the
         *       parameter from warning as unused in builds whose XMALLOC
         *       ignores it.
         * Returns the new method (DYNAMIC_TYPE_METHOD allocation) with
         * side = WOLFSSL_SERVER_END, or NULL on allocation failure. Release
         * is not handled here; presumably the CTX that consumes the method
         * frees it -- confirm. */
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap;
        WOLFSSL_ENTER("TLSv1_server_method_ex");
        if (m == NULL) {
            return NULL;
        }
        InitSSL_Method(m, MakeTLSv1());
        m->side = WOLFSSL_SERVER_END;
        return m;
    }
    #endif /* WOLFSSL_ALLOW_TLSV10 */
    WOLFSSL_METHOD* wolfTLSv1_1_server_method(void)
    {
        /* Default-heap form of wolfTLSv1_1_server_method_ex(): a server
         * method fixed to TLS 1.1. TLS 1.1 is deprecated by RFC 8996; legacy
         * interop only. Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfTLSv1_1_server_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfTLSv1_1_server_method_ex(void* heap)
    {
        /* Allocate a server method fixed to TLS 1.1.
         *
         * Security note: TLS 1.1 is deprecated by RFC 8996. 'downgrade' is
         * not set here (contrast wolfTLS_server_method_ex), so presumably
         * only this exact version is negotiated -- confirm.
         *
         * heap: forwarded to XMALLOC; may be NULL. The (void) cast keeps the
         *       parameter from warning as unused in builds whose XMALLOC
         *       ignores it.
         * Returns the new method (DYNAMIC_TYPE_METHOD allocation) with
         * side = WOLFSSL_SERVER_END, or NULL on allocation failure. Release
         * is not handled here; presumably the CTX that consumes the method
         * frees it -- confirm. */
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap;
        WOLFSSL_ENTER("TLSv1_1_server_method_ex");
        if (m == NULL) {
            return NULL;
        }
        InitSSL_Method(m, MakeTLSv1_1());
        m->side = WOLFSSL_SERVER_END;
        return m;
    }
#endif /* !NO_OLD_TLS */
#ifndef WOLFSSL_NO_TLS12
    WOLFSSL_ABI
    WOLFSSL_METHOD* wolfTLSv1_2_server_method(void)
    {
        /* Default-heap form of wolfTLSv1_2_server_method_ex(): a server
         * method fixed to TLS 1.2. Part of the stable ABI (WOLFSSL_ABI).
         * Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfTLSv1_2_server_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfTLSv1_2_server_method_ex(void* heap)
    {
        /* Allocate a server method fixed to TLS 1.2.
         *
         * 'downgrade' is not set here (contrast wolfTLS_server_method_ex), so
         * presumably only this exact version is negotiated -- confirm.
         *
         * heap: forwarded to XMALLOC; may be NULL. The (void) cast keeps the
         *       parameter from warning as unused in builds whose XMALLOC
         *       ignores it.
         * Returns the new method (DYNAMIC_TYPE_METHOD allocation) with
         * side = WOLFSSL_SERVER_END, or NULL on allocation failure. Release
         * is not handled here; presumably the CTX that consumes the method
         * frees it -- confirm. */
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap;
        WOLFSSL_ENTER("TLSv1_2_server_method_ex");
        if (m == NULL) {
            return NULL;
        }
        InitSSL_Method(m, MakeTLSv1_2());
        m->side = WOLFSSL_SERVER_END;
        return m;
    }
#endif /* !WOLFSSL_NO_TLS12 */
#ifdef WOLFSSL_TLS13
    /* The TLS v1.3 server method data.
     *
     * returns the method data for a TLS v1.3 server, or NULL on allocation failure.
     */
    WOLFSSL_ABI
    WOLFSSL_METHOD* wolfTLSv1_3_server_method(void)
    {
        /* Default-heap form of wolfTLSv1_3_server_method_ex(): a server
         * method fixed to TLS 1.3. Part of the stable ABI (WOLFSSL_ABI).
         * Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfTLSv1_3_server_method_ex(NULL);
        return m;
    }
    /* The TLS v1.3 server method data.
     *
     * heap  The heap used for allocation.
     * returns the method data for a TLS v1.3 server, or NULL on allocation failure.
     */
    WOLFSSL_METHOD* wolfTLSv1_3_server_method_ex(void* heap)
    {
        /* Allocate a server method fixed to TLS 1.3.
         *
         * 'downgrade' is not set here (contrast wolfTLS_server_method_ex), so
         * presumably only this exact version is negotiated -- confirm.
         *
         * heap: forwarded to XMALLOC; may be NULL. The (void) cast keeps the
         *       parameter from warning as unused in builds whose XMALLOC
         *       ignores it.
         * Returns the new method (DYNAMIC_TYPE_METHOD allocation) with
         * side = WOLFSSL_SERVER_END, or NULL on allocation failure. Release
         * is not handled here; presumably the CTX that consumes the method
         * frees it -- confirm. */
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap;
        WOLFSSL_ENTER("TLSv1_3_server_method_ex");
        if (m == NULL) {
            return NULL;
        }
        InitSSL_Method(m, MakeTLSv1_3());
        m->side = WOLFSSL_SERVER_END;
        return m;
    }
#endif /* WOLFSSL_TLS13 */
#ifdef WOLFSSL_DTLS
    WOLFSSL_METHOD* wolfDTLS_server_method(void)
    {
        /* Default-heap form of wolfDTLS_server_method_ex(): a server method
         * that starts at the highest DTLS version compiled in and permits
         * downgrade (see that function for the version-floor caveat).
         * Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfDTLS_server_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfDTLS_server_method_ex(void* heap)
    {
        /* Allocate a version-flexible DTLS server method.
         *
         * The starting version is chosen at compile time: DTLS 1.3 if built,
         * else DTLS 1.2, else DTLS 1.0 (a build with none of them fails with
         * #error). 'downgrade' is then set, so a handshake may settle on a
         * version below the starting one.
         *
         * Security note: the lowest version accepted is NOT decided here; it
         * is governed by whatever minimum-version control the library applies
         * elsewhere (not visible in this block). Confirm that floor excludes
         * DTLS 1.0 (RFC 8996) unless legacy interop is required.
         *
         * heap: forwarded to XMALLOC; may be NULL. The (void) cast keeps the
         *       parameter from warning as unused in builds whose XMALLOC
         *       ignores it.
         * Returns the new method (DYNAMIC_TYPE_METHOD allocation) or NULL on
         * allocation failure. Release is not handled here; presumably the
         * CTX that consumes the method frees it -- confirm. */
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap;
        WOLFSSL_ENTER("DTLS_server_method_ex");
        if (m == NULL) {
            return NULL;
        }

        /* Highest enabled DTLS version wins. */
    #if defined(WOLFSSL_DTLS13)
        InitSSL_Method(m, MakeDTLSv1_3());
    #elif !defined(WOLFSSL_NO_TLS12)
        InitSSL_Method(m, MakeDTLSv1_2());
    #elif !defined(NO_OLD_TLS)
        InitSSL_Method(m, MakeDTLSv1());
    #else
        #error No DTLS version enabled!
    #endif

        m->downgrade = 1;
        m->side      = WOLFSSL_SERVER_END;
        return m;
    }
    #ifndef NO_OLD_TLS
    WOLFSSL_METHOD* wolfDTLSv1_server_method(void)
    {
        /* Default-heap form of wolfDTLSv1_server_method_ex(): a server method
         * fixed to DTLS 1.0. DTLS 1.0 is deprecated by RFC 8996; legacy
         * interop only. Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfDTLSv1_server_method_ex(NULL);
        return m;
    }
    WOLFSSL_METHOD* wolfDTLSv1_server_method_ex(void* heap)
    {
        /* Allocate a server method fixed to DTLS 1.0.
         *
         * Security note: DTLS 1.0 is deprecated by RFC 8996. 'downgrade' is
         * not set here (contrast wolfDTLS_server_method_ex), so presumably
         * only this exact version is negotiated -- confirm.
         *
         * heap: forwarded to XMALLOC; may be NULL. The (void) cast keeps the
         *       parameter from warning as unused in builds whose XMALLOC
         *       ignores it.
         * Returns the new method (DYNAMIC_TYPE_METHOD allocation) with
         * side = WOLFSSL_SERVER_END, or NULL on allocation failure. Release
         * is not handled here; presumably the CTX that consumes the method
         * frees it -- confirm. */
        WOLFSSL_METHOD* m = (WOLFSSL_METHOD*)XMALLOC(sizeof(WOLFSSL_METHOD),
                                                     heap, DYNAMIC_TYPE_METHOD);
        (void)heap;
        WOLFSSL_ENTER("DTLSv1_server_method_ex");
        if (m == NULL) {
            return NULL;
        }
        InitSSL_Method(m, MakeDTLSv1());
        m->side = WOLFSSL_SERVER_END;
        return m;
    }
    #endif /* !NO_OLD_TLS */
    #ifndef WOLFSSL_NO_TLS12
    WOLFSSL_METHOD* wolfDTLSv1_2_server_method(void)
    {
        /* Default-heap form of wolfDTLSv1_2_server_method_ex(): a server
         * method fixed to DTLS 1.2. Returns NULL on allocation failure. */
        WOLFSSL_METHOD* m = wolfDTLSv1_2_server_method_ex(NULL);
        return m;
    }
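    WOLFSSL_METHOD* wolfDTLSv1_2_server_method_ex(void* heap)
    {
        /* Allocate a server method fixed to DTLS 1.2.
         *
         * 'downgrade' is not set here (contrast wolfDTLS_server_method_ex),
         * so presumably only this exact version is negotiated -- confirm.
         *
         * heap: forwarded to XMALLOC; may be NULL. The single (void) cast
         *       keeps the parameter from warning as unused in builds whose
         *       XMALLOC ignores it (the original had the cast twice; the
         *       duplicate was redundant and is dropped to match the sibling
         *       constructors).
         * Returns the new method (DYNAMIC_TYPE_METHOD allocation) with
         * side = WOLFSSL_SERVER_END, or NULL on allocation failure. Release
         * is not handled here; presumably the CTX that consumes the method
         * frees it -- confirm. */
        WOLFSSL_METHOD* method =
                          (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
                                                 heap, DYNAMIC_TYPE_METHOD);
        WOLFSSL_ENTER("DTLSv1_2_server_method_ex");
        (void)heap;
        if (method) {
            InitSSL_Method(method, MakeDTLSv1_2());
            method->side = WOLFSSL_SERVER_END;
        }
        return method;
    }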
    #endif /* !WOLFSSL_NO_TLS12 */
19245
#endif /* NO_WOLFSSL_SERVER */
19247
19248
#endif /* NO_TLS */
#endif /* WOLFCRYPT_ONLY */