Coverage Report

Created: 2026-07-16 06:50

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/wolfssl/src/tls.c
Line
Count
Source
1
/* tls.c
2
 *
3
 * Copyright (C) 2006-2026 wolfSSL Inc.
4
 *
5
 * This file is part of wolfSSL.
6
 *
7
 * wolfSSL is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU General Public License as published by
9
 * the Free Software Foundation; either version 3 of the License, or
10
 * (at your option) any later version.
11
 *
12
 * wolfSSL is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU General Public License
18
 * along with this program; if not, write to the Free Software
19
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20
 */
21
22
/*
23
 * TLS Build Options:
24
 * (See tls13.c for TLS 1.3-specific options)
25
 *
26
 * Protocol Control:
27
 * NO_OLD_TLS:               Disable TLS 1.0 and 1.1              default: off
28
 * WOLFSSL_ALLOW_TLSV10:     Allow TLS 1.0 connections             default: off
29
 * WOLFSSL_NO_TLS12:         Disable TLS 1.2                       default: off
30
 * NO_TLS:                   Disable TLS entirely (SSL only)       default: off
31
 * WOLFSSL_DTLS:             Enable DTLS support                   default: off
32
 * WOLFSSL_DTLS13:           Enable DTLS 1.3 support               default: off
33
 * WOLFSSL_DTLS_CID:         Enable DTLS Connection ID             default: off
34
 * WOLFSSL_AEAD_ONLY:        Only allow AEAD cipher suites         default: off
35
 * NO_WOLFSSL_CLIENT:        Disable TLS client functionality      default: off
36
 * NO_WOLFSSL_SERVER:        Disable TLS server functionality      default: off
37
 * WOLFSSL_EITHER_SIDE:      Allow same context for client/server  default: off
38
 * HAVE_TLS_EXTENSIONS:      Enable TLS extension support          default: on
39
 * HAVE_SNI:                 Server Name Indication extension      default: off
40
 * WOLFSSL_ALWAYS_KEEP_SNI:  Keep SNI after handshake              default: off
41
 * HAVE_MAX_FRAGMENT:        Max Fragment Length extension          default: off
42
 * HAVE_TRUNCATED_HMAC:      Truncated HMAC extension              default: off
43
 * HAVE_SUPPORTED_CURVES:    Supported Curves extension            default: on
44
 * HAVE_EXTENDED_MASTER:     Extended Master Secret (RFC 7627)     default: on
45
 * HAVE_ENCRYPT_THEN_MAC:    Encrypt-Then-MAC extension            default: on
46
 * HAVE_ALPN:                Application-Layer Protocol Negotiation default: off
47
 * HAVE_CERTIFICATE_STATUS_REQUEST: OCSP stapling                  default: off
48
 * HAVE_CERTIFICATE_STATUS_REQUEST_V2: OCSP stapling v2            default: off
49
 * HAVE_SECURE_RENEGOTIATION: Secure renegotiation support         default: off
50
 * HAVE_SERVER_RENEGOTIATION_INFO: Server renegotiation info       default: off
51
 * HAVE_SESSION_TICKET:      Session ticket support                default: off
52
 * HAVE_TRUSTED_CA:          Trusted CA Indication extension       default: off
53
 * HAVE_RPK:                 Raw Public Key support (RFC 7250)     default: off
54
 * HAVE_ECH:                 Encrypted Client Hello support        default: off
55
 * WOLFSSL_NO_SIGALG:        Disable signature algorithms ext      default: off
56
 * WOLFSSL_NO_CA_NAMES:      Disable CA Names in CertificateReq   default: off
57
 * WOLFSSL_NO_SERVER_GROUPS_EXT: Don't send server groups ext      default: off
58
 * NO_TLSX_PSKKEM_PLAIN_ANNOUNCE: Disable plain PSK announce      default: off
59
 * WOLFSSL_OLD_UNSUPPORTED_EXTENSION: Old unsupported ext handling default: off
60
 * WOLFSSL_ALLOW_SERVER_SC_EXT: Allow server supported curves ext  default: off
61
 *
62
 * Pre-Shared Keys:
63
 * NO_PSK:                   Disable PSK cipher suites             default: off
64
 *
65
 * Key Exchange:
66
 * HAVE_FFDHE:               Enable Finite Field DH ephemeral      default: off
67
 * HAVE_FFDHE_2048:          Enable FFDHE 2048-bit group           default: off
68
 * HAVE_FFDHE_3072:          Enable FFDHE 3072-bit group           default: off
69
 * HAVE_FFDHE_4096:          Enable FFDHE 4096-bit group           default: off
70
 * HAVE_FFDHE_6144:          Enable FFDHE 6144-bit group           default: off
71
 * HAVE_FFDHE_8192:          Enable FFDHE 8192-bit group           default: off
72
 * HAVE_PUBLIC_FFDHE:        Use public FFDHE parameters only      default: off
73
 * WOLFSSL_OLD_PRIME_CHECK:  Use old DH prime checking method      default: off
74
 * WOLFSSL_STATIC_DH:        Enable static DH cipher suites       default: off
75
 * WOLFSSL_STATIC_EPHEMERAL: Enable static ephemeral key loading   default: off
76
 *
77
 * Post-Quantum:
78
 * WOLFSSL_HAVE_MLKEM:       Enable ML-KEM (Kyber) support         default: off
79
 * WOLFSSL_MLKEM_KYBER:      Use Kyber round 3 parameters          default: off
80
 * WOLFSSL_KYBER512:         Enable Kyber/ML-KEM-512               default: off
81
 * WOLFSSL_KYBER768:         Enable Kyber/ML-KEM-768               default: off
82
 * WOLFSSL_KYBER1024:        Enable Kyber/ML-KEM-1024              default: off
83
 * WOLFSSL_NO_ML_KEM:        Disable all ML-KEM support            default: off
84
 * WOLFSSL_NO_ML_KEM_512:    Disable ML-KEM-512                    default: off
85
 * WOLFSSL_NO_ML_KEM_768:    Disable ML-KEM-768                    default: off
86
 * WOLFSSL_NO_ML_KEM_1024:   Disable ML-KEM-1024                  default: off
87
 * WOLFSSL_ML_KEM_USE_OLD_IDS: Use old IANA IDs for ML-KEM        default: off
88
 * WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ: Store ML-KEM object in ext   default: off
89
 * WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY: Store ML-KEM priv key   default: off
90
 * WOLFSSL_MLKEM_CACHE_A:    Cache ML-KEM A matrix                 default: off
91
 * WOLFSSL_MLKEM_NO_MAKE_KEY: Disable ML-KEM key generation       default: off
92
 * WOLFSSL_MLKEM_NO_ENCAPSULATE: Disable ML-KEM encapsulation     default: off
93
 * WOLFSSL_MLKEM_NO_DECAPSULATE: Disable ML-KEM decapsulation     default: off
94
 * HAVE_LIBOQS:              Use liboqs for PQ algorithms          default: off
95
 *
96
 * Curves:
97
 * HAVE_SECRET_CALLBACK:     Enable TLS secret callback            default: off
98
 * HAVE_PK_CALLBACKS:        Enable public key callbacks           default: off
99
 * HAVE_FUZZER:              Enable fuzzing callback support        default: off
100
 *
101
 * Features:
102
 * WOLFSSL_SNIFFER:          Enable TLS packet sniffing support    default: off
103
 * WOLFSSL_SNIFFER_KEYLOGFILE: Sniffer keylog file support         default: off
104
 * WOLFSSL_SSLKEYLOGFILE:    Enable SSL key log file output        default: off
105
 * WOLFSSL_SRTP:             Enable SRTP extension support         default: off
106
 * WOLFSSL_DUAL_ALG_CERTS:   Enable dual algorithm certificates   default: off
107
 * WOLFSSL_HAVE_PRF:         Enable TLS PRF function access        default: off
108
 * WOLFSSL_DEBUG_TLS:        Debug TLS protocol messages            default: off
109
 * WOLFSSL_32BIT_MILLI_TIME: 32-bit millisecond time function      default: off
110
 * WOLFSSL_REQUIRE_TCA:      Require Trusted CA extension          default: off
111
 * WOLFSSL_DH_EXTRA:         Extra DH key info in SSL object       default: off
112
 * WOLFSSL_CURVE25519_BLINDING: Curve25519 blinding in TLS         default: off
113
 * HAVE_NULL_CIPHER:         Allow NULL cipher suites               default: off
114
 * HAVE_WEBSERVER:           Enable web server features             default: off
115
 * NO_CERTS:                 Disable certificate processing        default: off
116
 */
117
118
#include <wolfssl/wolfcrypt/libwolfssl_sources.h>
119
120
#ifndef WOLFCRYPT_ONLY
121
122
#include <wolfssl/ssl.h>
123
#include <wolfssl/internal.h>
124
#include <wolfssl/error-ssl.h>
125
#include <wolfssl/wolfcrypt/hash.h>
126
#include <wolfssl/wolfcrypt/hmac.h>
127
#include <wolfssl/wolfcrypt/kdf.h>
128
#ifdef NO_INLINE
129
    #include <wolfssl/wolfcrypt/misc.h>
130
#else
131
    #define WOLFSSL_MISC_INCLUDED
132
    #include <wolfcrypt/src/misc.c>
133
#endif
134
135
#ifdef HAVE_CURVE25519
136
    #include <wolfssl/wolfcrypt/curve25519.h>
137
#endif
138
#ifdef HAVE_CURVE448
139
    #include <wolfssl/wolfcrypt/curve448.h>
140
#endif
141
#ifdef WOLFSSL_HAVE_MLKEM
142
    #include <wolfssl/wolfcrypt/wc_mlkem.h>
143
#endif
144
145
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
146
    #include <wolfssl/wolfcrypt/port/Renesas/renesas_tsip_internal.h>
147
#endif
148
149
#include <wolfssl/wolfcrypt/hpke.h>
150
151
#ifndef NO_TLS
152
153
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
154
static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap);
155
#endif
156
157
#ifdef HAVE_SUPPORTED_CURVES
158
static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions);
159
#endif
160
161
/* Digest enable checks */
162
#ifdef NO_OLD_TLS /* TLS 1.2 only */
163
    #if defined(NO_SHA256) && !defined(WOLFSSL_SHA384) && \
164
            !defined(WOLFSSL_SHA512)
165
        #error Must have SHA256, SHA384 or SHA512 enabled for TLS 1.2
166
    #endif
167
#else  /* TLS 1.1 or older */
168
    #if defined(NO_MD5) && defined(NO_SHA)
169
        #error Must have SHA1 and MD5 enabled for old TLS
170
    #endif
171
#endif
172
173
#ifdef WOLFSSL_TLS13
174
    #if !defined(NO_DH) && \
175
        !defined(HAVE_FFDHE_2048) && !defined(HAVE_FFDHE_3072) && \
176
        !defined(HAVE_FFDHE_4096) && !defined(HAVE_FFDHE_6144) && \
177
        !defined(HAVE_FFDHE_8192)
178
        #error Please configure your TLS 1.3 DH key size using either: HAVE_FFDHE_2048, HAVE_FFDHE_3072, HAVE_FFDHE_4096, HAVE_FFDHE_6144 or HAVE_FFDHE_8192
179
    #endif
180
    #if !defined(NO_RSA) && !defined(WC_RSA_PSS)
181
        #error The build option WC_RSA_PSS is required for TLS 1.3 with RSA
182
    #endif
183
    #ifndef HAVE_TLS_EXTENSIONS
184
        #if !defined(_MSC_VER) && !defined(__TASKING__)
185
            #error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3"
186
        #else
187
            #pragma message("Error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3")
188
        #endif
189
    #endif
190
#endif
191
192
/* Warn if secrets logging is enabled */
193
#if (defined(SHOW_SECRETS) || defined(WOLFSSL_SSLKEYLOGFILE)) && \
194
    !defined(WOLFSSL_KEYLOG_EXPORT_WARNED)
195
    #if !defined(_MSC_VER) && !defined(__TASKING__)
196
        #warning The SHOW_SECRETS and WOLFSSL_SSLKEYLOGFILE options should only be used for debugging and never in a production environment
197
    #else
198
        #pragma message("Warning: The SHOW_SECRETS and WOLFSSL_SSLKEYLOGFILE options should only be used for debugging and never in a production environment")
199
    #endif
200
#endif
201
202
#ifndef WOLFSSL_NO_TLS12
203
204
#ifdef WOLFSSL_SHA384
205
0
    #define HSHASH_SZ WC_SHA384_DIGEST_SIZE
206
#else
207
    #define HSHASH_SZ FINISHED_SZ
208
#endif
209
210
int BuildTlsHandshakeHash(WOLFSSL* ssl, byte* hash, word32* hashLen)
211
0
{
212
0
    int ret = 0;
213
0
    word32 hashSz = FINISHED_SZ;
214
215
0
    if (ssl == NULL || hash == NULL || hashLen == NULL || *hashLen < HSHASH_SZ)
216
0
        return BAD_FUNC_ARG;
217
218
    /* for constant timing perform these even if error */
219
#ifndef NO_OLD_TLS
220
    ret |= wc_Md5GetHash(&ssl->hsHashes->hashMd5, hash);
221
    ret |= wc_ShaGetHash(&ssl->hsHashes->hashSha, &hash[WC_MD5_DIGEST_SIZE]);
222
#endif
223
224
0
    if (IsAtLeastTLSv1_2(ssl)) {
225
0
#ifndef NO_SHA256
226
0
        if (ssl->specs.mac_algorithm <= sha256_mac ||
227
0
            ssl->specs.mac_algorithm == blake2b_mac) {
228
0
            ret |= wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
229
0
            hashSz = WC_SHA256_DIGEST_SIZE;
230
0
        }
231
0
#endif
232
0
#ifdef WOLFSSL_SHA384
233
0
        if (ssl->specs.mac_algorithm == sha384_mac) {
234
0
            ret |= wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
235
0
            hashSz = WC_SHA384_DIGEST_SIZE;
236
0
        }
237
0
#endif
238
#ifdef WOLFSSL_SM3
239
        if (ssl->specs.mac_algorithm == sm3_mac) {
240
            ret |= wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash);
241
            hashSz = WC_SM3_DIGEST_SIZE;
242
        }
243
#endif
244
0
    }
245
246
0
    *hashLen = hashSz;
247
#ifdef WOLFSSL_CHECK_MEM_ZERO
248
     wc_MemZero_Add("TLS handshake hash", hash, hashSz);
249
#endif
250
251
0
    if (ret != 0) {
252
0
        ret = BUILD_MSG_ERROR;
253
0
        WOLFSSL_ERROR_VERBOSE(ret);
254
0
    }
255
256
0
    return ret;
257
0
}
258
259
260
int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
261
0
{
262
0
    int ret;
263
0
    const byte* side = NULL;
264
0
    word32 hashSz = HSHASH_SZ;
265
0
#if !defined(WOLFSSL_ASYNC_CRYPT) || defined(WC_ASYNC_NO_HASH)
266
0
    byte handshake_hash[HSHASH_SZ];
267
#else
268
    byte* handshake_hash = NULL;
269
    handshake_hash = (byte*)XMALLOC(HSHASH_SZ, ssl->heap, DYNAMIC_TYPE_DIGEST);
270
    if (handshake_hash == NULL)
271
        return MEMORY_E;
272
#endif
273
274
0
    XMEMSET(handshake_hash, 0, HSHASH_SZ);
275
0
    ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz);
276
0
    if (ret == 0) {
277
0
        if (XSTRNCMP((const char*)sender, (const char*)kTlsClientStr,
278
0
                                                          SIZEOF_SENDER) == 0) {
279
0
            side = kTlsClientFinStr;
280
0
        }
281
0
        else if (XSTRNCMP((const char*)sender, (const char*)kTlsServerStr,
282
0
                                                          SIZEOF_SENDER) == 0) {
283
0
            side = kTlsServerFinStr;
284
0
        }
285
0
        else {
286
0
            ret = BAD_FUNC_ARG;
287
0
            WOLFSSL_MSG("Unexpected sender value");
288
0
        }
289
0
    }
290
291
0
    if (ret == 0) {
292
0
#ifdef WOLFSSL_HAVE_PRF
293
#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
294
        if (ssl->ctx->TlsFinishedCb) {
295
            void* ctx = wolfSSL_GetTlsFinishedCtx(ssl);
296
            ret = ssl->ctx->TlsFinishedCb(ssl, side, handshake_hash, hashSz,
297
                                          (byte*)hashes, ctx);
298
        }
299
        if (!ssl->ctx->TlsFinishedCb ||
300
            ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
301
#endif
302
0
        {
303
0
            PRIVATE_KEY_UNLOCK();
304
0
            ret = wc_PRF_TLS((byte*)hashes, TLS_FINISHED_SZ,
305
0
                      ssl->arrays->masterSecret, SECRET_LEN, side,
306
0
                      FINISHED_LABEL_SZ, handshake_hash, hashSz,
307
0
                      IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
308
0
                      ssl->heap, ssl->devId);
309
0
            PRIVATE_KEY_LOCK();
310
0
        }
311
0
        ForceZero(handshake_hash, hashSz);
312
#else
313
        /* Pseudo random function must be enabled in the configuration. */
314
        ret = PRF_MISSING;
315
        WOLFSSL_ERROR_VERBOSE(ret);
316
        WOLFSSL_MSG("Pseudo-random function is not enabled");
317
318
        (void)side;
319
        (void)hashes;
320
#endif
321
0
    }
322
323
#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
324
    XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_DIGEST);
325
#elif defined(WOLFSSL_CHECK_MEM_ZERO)
326
    wc_MemZero_Check(handshake_hash, HSHASH_SZ);
327
#endif
328
329
0
    return ret;
330
0
}
331
332
#endif /* !WOLFSSL_NO_TLS12 */
333
334
#ifndef NO_OLD_TLS
335
336
#ifdef WOLFSSL_ALLOW_TLSV10
337
ProtocolVersion MakeTLSv1(void)
338
{
339
    ProtocolVersion pv;
340
    pv.major = SSLv3_MAJOR;
341
    pv.minor = TLSv1_MINOR;
342
343
    return pv;
344
}
345
#endif /* WOLFSSL_ALLOW_TLSV10 */
346
347
348
ProtocolVersion MakeTLSv1_1(void)
349
{
350
    ProtocolVersion pv;
351
    pv.major = SSLv3_MAJOR;
352
    pv.minor = TLSv1_1_MINOR;
353
354
    return pv;
355
}
356
357
#endif /* !NO_OLD_TLS */
358
359
360
#ifndef WOLFSSL_NO_TLS12
361
362
ProtocolVersion MakeTLSv1_2(void)
363
0
{
364
0
    ProtocolVersion pv;
365
0
    pv.major = SSLv3_MAJOR;
366
0
    pv.minor = TLSv1_2_MINOR;
367
368
0
    return pv;
369
0
}
370
371
#endif /* !WOLFSSL_NO_TLS12 */
372
373
#ifdef WOLFSSL_TLS13
374
/* The TLS v1.3 protocol version.
375
 *
376
 * returns the protocol version data for TLS v1.3.
377
 */
378
ProtocolVersion MakeTLSv1_3(void)
379
0
{
380
0
    ProtocolVersion pv;
381
0
    pv.major = SSLv3_MAJOR;
382
0
    pv.minor = TLSv1_3_MINOR;
383
384
0
    return pv;
385
0
}
386
#endif
387
388
#if defined(HAVE_SUPPORTED_CURVES)
389
/* Sets the key exchange groups in rank order on a context.
390
 *
391
 * ctx     SSL/TLS context object.
392
 * groups  Array of groups.
393
 * count   Number of groups in array.
394
 * returns BAD_FUNC_ARG when ctx or groups is NULL, not using TLS v1.3, count is
395
 * not positive or count is greater than WOLFSSL_MAX_GROUP_COUNT and
396
 * WOLFSSL_SUCCESS on success.
397
 */
398
int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count)
399
0
{
400
0
    int ret, i;
401
402
0
    WOLFSSL_ENTER("wolfSSL_CTX_set_groups");
403
0
    if (ctx == NULL || groups == NULL || count <= 0 ||
404
0
            count > WOLFSSL_MAX_GROUP_COUNT)
405
0
        return BAD_FUNC_ARG;
406
0
    if (!IsTLS_ex(ctx->method->version))
407
0
        return BAD_FUNC_ARG;
408
409
0
    #ifdef WOLFSSL_TLS13
410
0
    ctx->numGroups = 0;
411
0
    #endif
412
0
    #if !defined(NO_TLS)
413
0
    TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap);
414
0
    #endif /* !NO_TLS */
415
0
    for (i = 0; i < count; i++) {
416
        /* Call to wolfSSL_CTX_UseSupportedCurve also checks if input groups
417
         * are valid */
418
0
        if ((ret = wolfSSL_CTX_UseSupportedCurve(ctx, (word16)groups[i]))
419
0
                != WOLFSSL_SUCCESS) {
420
0
    #if !defined(NO_TLS)
421
0
            TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap);
422
0
    #endif /* !NO_TLS */
423
0
            return ret;
424
0
        }
425
0
        #ifdef WOLFSSL_TLS13
426
0
        ctx->group[i] = (word16)groups[i];
427
0
        #endif
428
0
    }
429
0
    #ifdef WOLFSSL_TLS13
430
0
    ctx->numGroups = (byte)count;
431
0
    #endif
432
433
0
    return WOLFSSL_SUCCESS;
434
0
}
435
436
/* Sets the key exchange groups in rank order.
437
 *
438
 * ssl     SSL/TLS object.
439
 * groups  Array of groups.
440
 * count   Number of groups in array.
441
 * returns BAD_FUNC_ARG when ssl or groups is NULL, not using TLS v1.3, count is
442
 * not positive or count is greater than WOLFSSL_MAX_GROUP_COUNT and
443
 * WOLFSSL_SUCCESS on success.
444
 */
445
int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count)
446
0
{
447
0
    int ret, i;
448
449
0
    WOLFSSL_ENTER("wolfSSL_set_groups");
450
0
    if (ssl == NULL || groups == NULL || count <= 0 ||
451
0
            count > WOLFSSL_MAX_GROUP_COUNT)
452
0
        return BAD_FUNC_ARG;
453
0
    if (!IsTLS_ex(ssl->version))
454
0
        return BAD_FUNC_ARG;
455
456
0
    #ifdef WOLFSSL_TLS13
457
0
    ssl->numGroups = 0;
458
0
    #endif
459
0
    #if !defined(NO_TLS)
460
0
    TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap);
461
0
    #endif /* !NO_TLS */
462
0
    for (i = 0; i < count; i++) {
463
        /* Call to wolfSSL_UseSupportedCurve also checks if input groups
464
                 * are valid */
465
0
        if ((ret = wolfSSL_UseSupportedCurve(ssl, (word16)groups[i]))
466
0
                != WOLFSSL_SUCCESS) {
467
0
    #if !defined(NO_TLS)
468
0
            TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap);
469
0
    #endif /* !NO_TLS */
470
0
            return ret;
471
0
        }
472
0
        #ifdef WOLFSSL_TLS13
473
0
        ssl->group[i] = (word16)groups[i];
474
0
        #endif
475
0
    }
476
0
    #ifdef WOLFSSL_TLS13
477
0
    ssl->numGroups = (byte)count;
478
0
    #endif
479
480
0
    return WOLFSSL_SUCCESS;
481
0
}
482
#endif /* HAVE_SUPPORTED_CURVES */
483
484
#ifndef WOLFSSL_NO_TLS12
485
486
#ifdef HAVE_EXTENDED_MASTER
487
static const byte ext_master_label[EXT_MASTER_LABEL_SZ + 1] =
488
                                                      "extended master secret";
489
#endif
490
static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret";
491
static const byte key_label   [KEY_LABEL_SZ + 1]    = "key expansion";
492
493
static int _DeriveTlsKeys(byte* key_dig, word32 key_dig_len,
494
                         const byte* ms, word32 msLen,
495
                         const byte* sr, const byte* cr,
496
                         int tls1_2, int hash_type,
497
                         void* heap, int devId)
498
0
{
499
0
    int ret;
500
#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
501
    byte* seed = NULL;
502
    seed = (byte*)XMALLOC(SEED_LEN, heap, DYNAMIC_TYPE_SEED);
503
    if (seed == NULL)
504
        return MEMORY_E;
505
#else
506
0
    byte seed[SEED_LEN];
507
0
#endif
508
509
0
    XMEMCPY(seed,           sr, RAN_LEN);
510
0
    XMEMCPY(seed + RAN_LEN, cr, RAN_LEN);
511
512
0
#ifdef WOLFSSL_HAVE_PRF
513
0
    PRIVATE_KEY_UNLOCK();
514
0
    ret = wc_PRF_TLS(key_dig, key_dig_len, ms, msLen, key_label, KEY_LABEL_SZ,
515
0
               seed, SEED_LEN, tls1_2, hash_type, heap, devId);
516
0
    PRIVATE_KEY_LOCK();
517
#else
518
    /* Pseudo random function must be enabled in the configuration. */
519
    ret = PRF_MISSING;
520
    WOLFSSL_ERROR_VERBOSE(ret);
521
    WOLFSSL_MSG("Pseudo-random function is not enabled");
522
523
    (void)key_dig;
524
    (void)key_dig_len;
525
    (void)ms;
526
    (void)msLen;
527
    (void)tls1_2;
528
    (void)hash_type;
529
    (void)heap;
530
    (void)devId;
531
    (void)key_label;
532
    (void)master_label;
533
#ifdef HAVE_EXTENDED_MASTER
534
    (void)ext_master_label;
535
#endif
536
#endif
537
538
#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
539
    XFREE(seed, heap, DYNAMIC_TYPE_SEED);
540
#endif
541
542
0
    return ret;
543
0
}
544
545
/* External facing wrapper so user can call as well, 0 on success */
546
int wolfSSL_DeriveTlsKeys(byte* key_data, word32 keyLen,
547
                         const byte* ms, word32 msLen,
548
                         const byte* sr, const byte* cr,
549
                         int tls1_2, int hash_type)
550
0
{
551
0
    return _DeriveTlsKeys(key_data, keyLen, ms, msLen, sr, cr, tls1_2,
552
0
        hash_type, NULL, INVALID_DEVID);
553
0
}
554
555
556
int DeriveTlsKeys(WOLFSSL* ssl)
557
0
{
558
0
    int   ret;
559
0
    int   key_dig_len = 2 * ssl->specs.hash_size +
560
0
                        2 * ssl->specs.key_size  +
561
0
                        2 * ssl->specs.iv_size;
562
0
    WC_DECLARE_VAR(key_dig, byte, MAX_PRF_DIG, 0);
563
564
0
    WC_ALLOC_VAR_EX(key_dig, byte, MAX_PRF_DIG, ssl->heap,
565
0
        DYNAMIC_TYPE_DIGEST, return MEMORY_E);
566
567
0
    XMEMSET(key_dig, 0, MAX_PRF_DIG);
568
569
#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
570
    ret = PROTOCOLCB_UNAVAILABLE;
571
    if (ssl->ctx->GenSessionKeyCb) {
572
        void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl);
573
        ret = ssl->ctx->GenSessionKeyCb(ssl, ctx);
574
    }
575
    if (!ssl->ctx->GenSessionKeyCb ||
576
        ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
577
#endif
578
0
    ret = _DeriveTlsKeys(key_dig, (word32)key_dig_len,
579
0
                     ssl->arrays->masterSecret, SECRET_LEN,
580
0
                     ssl->arrays->serverRandom, ssl->arrays->clientRandom,
581
0
                     IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
582
0
                     ssl->heap, ssl->devId);
583
0
    if (ret == 0)
584
0
        ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER);
585
586
#ifdef WOLFSSL_CHECK_MEM_ZERO
587
    wc_MemZero_Add("DeriveTlsKeys key_dig", key_dig, MAX_PRF_DIG);
588
#endif
589
0
    ForceZero(key_dig, MAX_PRF_DIG);
590
#ifdef WOLFSSL_CHECK_MEM_ZERO
591
    wc_MemZero_Check(key_dig, MAX_PRF_DIG);
592
#endif
593
594
0
    WC_FREE_VAR_EX(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
595
596
0
    return ret;
597
0
}
598
599
static int _MakeTlsMasterSecret(byte* ms, word32 msLen,
600
                               const byte* pms, word32 pmsLen,
601
                               const byte* cr, const byte* sr,
602
                               int tls1_2, int hash_type,
603
                               void* heap, int devId)
604
0
{
605
0
    int ret;
606
0
#if !defined(WOLFSSL_ASYNC_CRYPT) || defined(WC_ASYNC_NO_HASH)
607
0
    byte seed[SEED_LEN];
608
#else
609
    byte* seed = NULL;
610
    seed = (byte*)XMALLOC(SEED_LEN, heap, DYNAMIC_TYPE_SEED);
611
    if (seed == NULL)
612
        return MEMORY_E;
613
#endif
614
615
0
    XMEMCPY(seed,           cr, RAN_LEN);
616
0
    XMEMCPY(seed + RAN_LEN, sr, RAN_LEN);
617
618
0
#ifdef WOLFSSL_HAVE_PRF
619
0
    PRIVATE_KEY_UNLOCK();
620
0
    ret = wc_PRF_TLS(ms, msLen, pms, pmsLen, master_label, MASTER_LABEL_SZ,
621
0
               seed, SEED_LEN, tls1_2, hash_type, heap, devId);
622
0
    PRIVATE_KEY_LOCK();
623
#else
624
    /* Pseudo random function must be enabled in the configuration. */
625
    ret = PRF_MISSING;
626
    WOLFSSL_MSG("Pseudo-random function is not enabled");
627
628
    (void)ms;
629
    (void)msLen;
630
    (void)pms;
631
    (void)pmsLen;
632
    (void)tls1_2;
633
    (void)hash_type;
634
    (void)heap;
635
    (void)devId;
636
#endif
637
638
#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH)
639
    XFREE(seed, heap, DYNAMIC_TYPE_SEED);
640
#endif
641
642
0
    return ret;
643
0
}
644
645
/* External facing wrapper so user can call as well, 0 on success */
646
int wolfSSL_MakeTlsMasterSecret(byte* ms, word32 msLen,
647
                               const byte* pms, word32 pmsLen,
648
                               const byte* cr, const byte* sr,
649
                               int tls1_2, int hash_type)
650
0
{
651
0
    return _MakeTlsMasterSecret(ms, msLen, pms, pmsLen, cr, sr, tls1_2,
652
0
        hash_type, NULL, INVALID_DEVID);
653
0
}
654
655
656
#ifdef HAVE_EXTENDED_MASTER
657
658
static int _MakeTlsExtendedMasterSecret(byte* ms, word32 msLen,
659
                                        const byte* pms, word32 pmsLen,
660
                                        const byte* sHash, word32 sHashLen,
661
                                        int tls1_2, int hash_type,
662
                                        void* heap, int devId)
663
0
{
664
0
    int ret;
665
666
0
#ifdef WOLFSSL_HAVE_PRF
667
0
    PRIVATE_KEY_UNLOCK();
668
0
    ret = wc_PRF_TLS(ms, msLen, pms, pmsLen, ext_master_label, EXT_MASTER_LABEL_SZ,
669
0
               sHash, sHashLen, tls1_2, hash_type, heap, devId);
670
0
    PRIVATE_KEY_LOCK();
671
#else
672
    /* Pseudo random function must be enabled in the configuration. */
673
    ret = PRF_MISSING;
674
    WOLFSSL_MSG("Pseudo-random function is not enabled");
675
676
    (void)ms;
677
    (void)msLen;
678
    (void)pms;
679
    (void)pmsLen;
680
    (void)sHash;
681
    (void)sHashLen;
682
    (void)tls1_2;
683
    (void)hash_type;
684
    (void)heap;
685
    (void)devId;
686
#endif
687
0
    return ret;
688
0
}
689
690
/* External facing wrapper so user can call as well, 0 on success */
691
int wolfSSL_MakeTlsExtendedMasterSecret(byte* ms, word32 msLen,
692
                                        const byte* pms, word32 pmsLen,
693
                                        const byte* sHash, word32 sHashLen,
694
                                        int tls1_2, int hash_type)
695
0
{
696
0
    return _MakeTlsExtendedMasterSecret(ms, msLen, pms, pmsLen, sHash, sHashLen,
697
0
        tls1_2, hash_type, NULL, INVALID_DEVID);
698
0
}
699
700
#endif /* HAVE_EXTENDED_MASTER */
701
702
703
int MakeTlsMasterSecret(WOLFSSL* ssl)
704
0
{
705
0
    int ret;
706
707
#if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE)
708
    /* If this is called from a sniffer session with keylog file support, obtain
709
     * the master secret from the callback */
710
    if (ssl->snifferSecretCb != NULL) {
711
        ret = ssl->snifferSecretCb(ssl->arrays->clientRandom,
712
                                   SNIFFER_SECRET_TLS12_MASTER_SECRET,
713
                                   ssl->arrays->masterSecret);
714
        if (ret != 0) {
715
            return ret;
716
        }
717
        ret = DeriveTlsKeys(ssl);
718
        return ret;
719
    }
720
#endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */
721
722
0
#ifdef HAVE_EXTENDED_MASTER
723
0
    if (ssl->options.haveEMS) {
724
0
        word32 hashSz = HSHASH_SZ;
725
    #ifdef WOLFSSL_SMALL_STACK
726
        byte* handshake_hash = (byte*)XMALLOC(HSHASH_SZ, ssl->heap,
727
                                              DYNAMIC_TYPE_DIGEST);
728
        if (handshake_hash == NULL)
729
            return MEMORY_E;
730
    #else
731
0
        byte handshake_hash[HSHASH_SZ];
732
0
    #endif
733
734
0
        XMEMSET(handshake_hash, 0, HSHASH_SZ);
735
0
        ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz);
736
0
        if (ret == 0) {
737
        #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
738
            ret = PROTOCOLCB_UNAVAILABLE;
739
            if (ssl->ctx->GenExtMasterCb) {
740
                void* ctx = wolfSSL_GetGenExtMasterSecretCtx(ssl);
741
                ret = ssl->ctx->GenExtMasterCb(ssl, handshake_hash, hashSz,
742
                                                ctx);
743
            }
744
            if (!ssl->ctx->GenExtMasterCb ||
745
                ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
746
        #endif /* (HAVE_SECRET_CALLBACK) && (HAVE_EXT_SECRET_CALLBACK) */
747
0
            {
748
0
                ret = _MakeTlsExtendedMasterSecret(
749
0
                    ssl->arrays->masterSecret, SECRET_LEN,
750
0
                    ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
751
0
                    handshake_hash, hashSz,
752
0
                    IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
753
0
                    ssl->heap, ssl->devId);
754
0
            }
755
0
            ForceZero(handshake_hash, hashSz);
756
0
        }
757
758
    #ifdef WOLFSSL_SMALL_STACK
759
        XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_DIGEST);
760
    #elif defined(WOLFSSL_CHECK_MEM_ZERO)
761
        wc_MemZero_Check(handshake_hash, HSHASH_SZ);
762
    #endif
763
0
    }
764
0
    else
765
0
#endif /* HAVE_EXTENDED_MASTER */
766
0
    {
767
768
#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
769
        ret = PROTOCOLCB_UNAVAILABLE;
770
        if (ssl->ctx->GenMasterCb) {
771
            void* ctx = wolfSSL_GetGenMasterSecretCtx(ssl);
772
            ret = ssl->ctx->GenMasterCb(ssl, ctx);
773
        }
774
        if (!ssl->ctx->GenMasterCb ||
775
            ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE))
776
#endif
777
0
        {
778
0
            ret = _MakeTlsMasterSecret(ssl->arrays->masterSecret,
779
0
                      SECRET_LEN, ssl->arrays->preMasterSecret,
780
0
                      ssl->arrays->preMasterSz, ssl->arrays->clientRandom,
781
0
                      ssl->arrays->serverRandom, IsAtLeastTLSv1_2(ssl),
782
0
                      ssl->specs.mac_algorithm, ssl->heap, ssl->devId);
783
0
        }
784
0
    }
785
#ifdef HAVE_SECRET_CALLBACK
786
    if (ret == 0 && ssl->tlsSecretCb != NULL) {
787
        ret = ssl->tlsSecretCb(ssl, ssl->arrays->masterSecret,
788
                SECRET_LEN, ssl->tlsSecretCtx);
789
    }
790
#endif /* HAVE_SECRET_CALLBACK */
791
0
    if (ret == 0) {
792
0
        ret = DeriveTlsKeys(ssl);
793
0
    }
794
795
0
    return ret;
796
0
}
797
798
799
/* Used by EAP-TLS and EAP-TTLS to derive keying material from
800
 * the master_secret. */
801
int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* key, unsigned int len,
802
                                                              const char* label)
803
0
{
804
0
    int   ret;
805
0
    WC_DECLARE_VAR(seed, byte, SEED_LEN, 0);
806
807
0
    WC_ALLOC_VAR_EX(seed, byte, SEED_LEN, ssl->heap, DYNAMIC_TYPE_SEED,
808
0
        return MEMORY_E);
809
810
    /*
811
     * As per RFC-5281, the order of the client and server randoms is reversed
812
     * from that used by the TLS protocol to derive keys.
813
     */
814
0
    XMEMCPY(seed,           ssl->arrays->clientRandom, RAN_LEN);
815
0
    XMEMCPY(seed + RAN_LEN, ssl->arrays->serverRandom, RAN_LEN);
816
817
0
#ifdef WOLFSSL_HAVE_PRF
818
0
    PRIVATE_KEY_UNLOCK();
819
0
    ret = wc_PRF_TLS((byte*)key, len, ssl->arrays->masterSecret, SECRET_LEN,
820
0
              (const byte *)label, (word32)XSTRLEN(label), seed, SEED_LEN,
821
0
              IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm,
822
0
              ssl->heap, ssl->devId);
823
0
    PRIVATE_KEY_LOCK();
824
#else
825
    /* Pseudo random function must be enabled in the configuration. */
826
    ret = PRF_MISSING;
827
    WOLFSSL_MSG("Pseudo-random function is not enabled");
828
829
    (void)key;
830
    (void)len;
831
    (void)label;
832
#endif
833
834
0
    WC_FREE_VAR_EX(seed, ssl->heap, DYNAMIC_TYPE_SEED);
835
836
0
    return ret;
837
0
}
838
839
/* return HMAC digest type in wolfSSL format */
840
int wolfSSL_GetHmacType(WOLFSSL* ssl)
841
0
{
842
0
    if (ssl == NULL)
843
0
        return BAD_FUNC_ARG;
844
845
0
    return wolfSSL_GetHmacType_ex(&ssl->specs);
846
0
}
847
848
849
int wolfSSL_SetTlsHmacInner(WOLFSSL* ssl, byte* inner, word32 sz, int content,
850
                           int verify)
851
0
{
852
0
    if (ssl == NULL || inner == NULL)
853
0
        return BAD_FUNC_ARG;
854
855
0
    if (content == dtls12_cid
856
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID)
857
       || (ssl->options.dtls && DtlsGetCidTxSize(ssl) > 0)
858
#endif
859
0
    ) {
860
0
        WOLFSSL_MSG("wolfSSL_SetTlsHmacInner doesn't support CID");
861
0
        return BAD_FUNC_ARG;
862
0
    }
863
864
0
    XMEMSET(inner, 0, WOLFSSL_TLS_HMAC_INNER_SZ);
865
866
0
    WriteSEQ(ssl, verify, inner);
867
0
    inner[SEQ_SZ] = (byte)content;
868
0
    inner[SEQ_SZ + ENUM_LEN]            = ssl->version.major;
869
0
    inner[SEQ_SZ + ENUM_LEN + ENUM_LEN] = ssl->version.minor;
870
0
    c16toa((word16)sz, inner + SEQ_SZ + ENUM_LEN + VERSION_SZ);
871
872
0
    return 0;
873
0
}
874
875
876
#ifndef WOLFSSL_AEAD_ONLY
877
#if !defined(WOLFSSL_NO_HASH_RAW) && !defined(HAVE_FIPS) && \
878
    !defined(HAVE_SELFTEST)
879
880
/* Update the hash in the HMAC.
881
 *
882
 * hmac  HMAC object.
883
 * data  Data to be hashed.
884
 * sz    Size of data to hash.
885
 * returns 0 on success, otherwise failure.
886
 */
887
static int Hmac_HashUpdate(Hmac* hmac, const byte* data, word32 sz)
888
0
{
889
0
    int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
890
891
0
    switch (hmac->macType) {
892
0
    #ifndef NO_SHA
893
0
        case WC_SHA:
894
0
            ret = wc_ShaUpdate(&hmac->hash.sha, data, sz);
895
0
            break;
896
0
    #endif /* !NO_SHA */
897
898
0
    #ifndef NO_SHA256
899
0
        case WC_SHA256:
900
0
            ret = wc_Sha256Update(&hmac->hash.sha256, data, sz);
901
0
            break;
902
0
    #endif /* !NO_SHA256 */
903
904
0
    #ifdef WOLFSSL_SHA384
905
0
        case WC_SHA384:
906
0
            ret = wc_Sha384Update(&hmac->hash.sha384, data, sz);
907
0
            break;
908
0
    #endif /* WOLFSSL_SHA384 */
909
910
0
    #ifdef WOLFSSL_SHA512
911
0
        case WC_SHA512:
912
0
            ret = wc_Sha512Update(&hmac->hash.sha512, data, sz);
913
0
            break;
914
0
    #endif /* WOLFSSL_SHA512 */
915
916
    #ifdef WOLFSSL_SM3
917
        case WC_SM3:
918
            ret = wc_Sm3Update(&hmac->hash.sm3, data, sz);
919
            break;
920
    #endif /* WOLFSSL_SM3 */
921
922
0
        default:
923
0
            ret = BAD_FUNC_ARG;
924
0
            break;
925
0
    }
926
927
0
    return ret;
928
0
}
929
930
/* Finalize the hash but don't put the EOC, padding or length in.
931
 *
932
 * hmac  HMAC object.
933
 * hash  Hash result.
934
 * returns 0 on success, otherwise failure.
935
 */
936
static int Hmac_HashFinalRaw(Hmac* hmac, unsigned char* hash)
937
0
{
938
0
    int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
939
940
0
    switch (hmac->macType) {
941
0
    #ifndef NO_SHA
942
0
        case WC_SHA:
943
0
            ret = wc_ShaFinalRaw(&hmac->hash.sha, hash);
944
0
            break;
945
0
    #endif /* !NO_SHA */
946
947
0
    #ifndef NO_SHA256
948
0
        case WC_SHA256:
949
0
            ret = wc_Sha256FinalRaw(&hmac->hash.sha256, hash);
950
0
            break;
951
0
    #endif /* !NO_SHA256 */
952
953
0
    #ifdef WOLFSSL_SHA384
954
0
        case WC_SHA384:
955
0
            ret = wc_Sha384FinalRaw(&hmac->hash.sha384, hash);
956
0
            break;
957
0
    #endif /* WOLFSSL_SHA384 */
958
959
0
    #ifdef WOLFSSL_SHA512
960
0
        case WC_SHA512:
961
0
            ret = wc_Sha512FinalRaw(&hmac->hash.sha512, hash);
962
0
            break;
963
0
    #endif /* WOLFSSL_SHA512 */
964
965
    #ifdef WOLFSSL_SM3
966
        case WC_SM3:
967
            ret = wc_Sm3FinalRaw(&hmac->hash.sm3, hash);
968
            break;
969
    #endif /* WOLFSSL_SM3 */
970
971
0
        default:
972
0
            ret = BAD_FUNC_ARG;
973
0
            break;
974
0
    }
975
976
0
    return ret;
977
0
}
978
979
/* Finalize the HMAC by performing outer hash.
980
 *
981
 * hmac  HMAC object.
982
 * mac   MAC result.
983
 * returns 0 on success, otherwise failure.
984
 */
985
static int Hmac_OuterHash(Hmac* hmac, unsigned char* mac)
986
0
{
987
0
    int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
988
0
    WC_DECLARE_VAR(hash, wc_HashAlg, 1, hmac ? hmac->heap : NULL);
989
0
    enum wc_HashType hashType = (enum wc_HashType)hmac->macType;
990
0
    int digestSz = wc_HashGetDigestSize(hashType);
991
0
    int blockSz = wc_HashGetBlockSize(hashType);
992
993
0
    WC_ALLOC_VAR_EX(hash, wc_HashAlg, 1, hmac->heap, DYNAMIC_TYPE_HASHES,
994
0
                    return MEMORY_E);
995
996
0
    if ((digestSz >= 0) && (blockSz >= 0)) {
997
0
        ret = wc_HashInit(hash, hashType);
998
0
    }
999
0
    else {
1000
0
        ret = BAD_FUNC_ARG;
1001
0
    }
1002
1003
0
    if (ret == 0) {
1004
0
        ret = wc_HashUpdate(hash, hashType, (byte*)hmac->opad,
1005
0
            (word32)blockSz);
1006
0
        if (ret == 0)
1007
0
            ret = wc_HashUpdate(hash, hashType, (byte*)hmac->innerHash,
1008
0
                (word32)digestSz);
1009
0
        if (ret == 0)
1010
0
            ret = wc_HashFinal(hash, hashType, mac);
1011
0
        wc_HashFree(hash, hashType);
1012
0
    }
1013
1014
0
    WC_FREE_VAR_EX(hash, hmac->heap, DYNAMIC_TYPE_HASHES);
1015
0
    return ret;
1016
0
}
1017
1018
/* Calculate the HMAC of the header + message data.
1019
 * Constant time implementation using wc_Sha*FinalRaw().
1020
 *
1021
 * hmac    HMAC object.
1022
 * digest  MAC result.
1023
 * in      Message data.
1024
 * sz      Size of the message data.
1025
 * header  Constructed record header with length of handshake data.
1026
 * headerSz Length of header
1027
 * returns 0 on success, otherwise failure.
1028
 */
1029
static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in,
1030
                           word32 sz, int macLen, byte* header, word32 headerSz)
1031
0
{
1032
0
    byte         lenBytes[8];
1033
0
    int          i, j;
1034
0
    unsigned int k;
1035
0
    int          blockBits, blockMask;
1036
0
    int          lastBlockLen, extraLen, eocIndex;
1037
0
    int          blocks;
1038
0
    int          safeBlocks;
1039
0
    int          lenBlock;
1040
0
    int          eocBlock;
1041
0
    word32       maxLen;
1042
0
    int          blockSz, padSz;
1043
0
    int          ret;
1044
0
    word32       realLen;
1045
0
    byte         extraBlock;
1046
1047
0
    if (macLen <= 0 || macLen > (int)sizeof(hmac->innerHash))
1048
0
        return BAD_FUNC_ARG;
1049
1050
0
    switch (hmac->macType) {
1051
0
    #ifndef NO_SHA
1052
0
        case WC_SHA:
1053
0
            blockSz = WC_SHA_BLOCK_SIZE;
1054
0
            blockBits = 6;
1055
0
            padSz = WC_SHA_BLOCK_SIZE - WC_SHA_PAD_SIZE + 1;
1056
0
            break;
1057
0
    #endif /* !NO_SHA */
1058
1059
0
    #ifndef NO_SHA256
1060
0
        case WC_SHA256:
1061
0
            blockSz = WC_SHA256_BLOCK_SIZE;
1062
0
            blockBits = 6;
1063
0
            padSz = WC_SHA256_BLOCK_SIZE - WC_SHA256_PAD_SIZE + 1;
1064
0
            break;
1065
0
    #endif /* !NO_SHA256 */
1066
1067
0
    #ifdef WOLFSSL_SHA384
1068
0
        case WC_SHA384:
1069
0
            blockSz = WC_SHA384_BLOCK_SIZE;
1070
0
            blockBits = 7;
1071
0
            padSz = WC_SHA384_BLOCK_SIZE - WC_SHA384_PAD_SIZE + 1;
1072
0
            break;
1073
0
    #endif /* WOLFSSL_SHA384 */
1074
1075
0
    #ifdef WOLFSSL_SHA512
1076
0
        case WC_SHA512:
1077
0
            blockSz = WC_SHA512_BLOCK_SIZE;
1078
0
            blockBits = 7;
1079
0
            padSz = WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE + 1;
1080
0
            break;
1081
0
    #endif /* WOLFSSL_SHA512 */
1082
1083
    #ifdef WOLFSSL_SM3
1084
        case WC_SM3:
1085
            blockSz = WC_SM3_BLOCK_SIZE;
1086
            blockBits = 6;
1087
            padSz = WC_SM3_BLOCK_SIZE - WC_SM3_PAD_SIZE + 1;
1088
            break;
1089
    #endif /* WOLFSSL_SM3 */
1090
1091
0
        default:
1092
0
            return BAD_FUNC_ARG;
1093
0
    }
1094
0
    blockMask = blockSz - 1;
1095
1096
    /* Size of data to HMAC if padding length byte is zero. */
1097
0
    maxLen = WOLFSSL_TLS_HMAC_INNER_SZ + sz - 1 - (word32)macLen;
1098
1099
    /* Complete data (including padding) has block for EOC and/or length. */
1100
0
    extraBlock = ctSetLTE(((int)maxLen + padSz) & blockMask, padSz);
1101
    /* Total number of blocks for data including padding. */
1102
0
    blocks = ((int)(maxLen + (word32)blockSz - 1) >> blockBits) + extraBlock;
1103
    /* Up to last 6 blocks can be hashed safely. */
1104
0
    safeBlocks = blocks - 6;
1105
1106
    /* Length of message data. */
1107
0
    realLen = maxLen - in[sz - 1];
1108
    /* Number of message bytes in last block. */
1109
0
    lastBlockLen = (int)realLen & blockMask;
1110
    /* Number of padding bytes in last block. */
1111
0
    extraLen = ((blockSz * 2 - padSz - lastBlockLen) & blockMask) + 1;
1112
    /* Number of blocks to create for hash. */
1113
0
    lenBlock = ((int)realLen + extraLen) >> blockBits;
1114
    /* Block containing EOC byte. */
1115
0
    eocBlock = (int)(realLen >> (word32)blockBits);
1116
    /* Index of EOC byte in block. */
1117
0
    eocIndex = (int)(realLen & (word32)blockMask);
1118
1119
    /* Add length of hmac's ipad to total length. */
1120
0
    realLen += (word32)blockSz;
1121
    /* Length as bits - 8 bytes bigendian. */
1122
0
    c32toa(realLen >> ((sizeof(word32) * 8) - 3), lenBytes);
1123
0
    c32toa(realLen << 3, lenBytes + sizeof(word32));
1124
1125
0
    ret = Hmac_HashUpdate(hmac, (unsigned char*)hmac->ipad, (word32)blockSz);
1126
0
    if (ret != 0)
1127
0
        return ret;
1128
1129
0
    XMEMSET(hmac->innerHash, 0, (size_t)macLen);
1130
1131
0
    if (safeBlocks > 0) {
1132
0
        ret = Hmac_HashUpdate(hmac, header, headerSz);
1133
0
        if (ret != 0)
1134
0
            return ret;
1135
0
        ret = Hmac_HashUpdate(hmac, in, (word32)(safeBlocks * blockSz -
1136
0
                                WOLFSSL_TLS_HMAC_INNER_SZ));
1137
1138
0
        if (ret != 0)
1139
0
            return ret;
1140
0
    }
1141
0
    else
1142
0
        safeBlocks = 0;
1143
1144
0
    XMEMSET(digest, 0, (size_t)macLen);
1145
0
    k = (unsigned int)(safeBlocks * blockSz);
1146
0
    for (i = safeBlocks; i < blocks; i++) {
1147
0
        unsigned char hashBlock[WC_MAX_BLOCK_SIZE];
1148
0
        unsigned char isEocBlock = ctMaskEq(i, eocBlock);
1149
0
        unsigned char isOutBlock = ctMaskEq(i, lenBlock);
1150
1151
0
        for (j = 0; j < blockSz; j++) {
1152
0
            unsigned char atEoc = ctMaskEq(j, eocIndex) & isEocBlock;
1153
0
            volatile unsigned char maskPastEoc = ctMaskGT(j, eocIndex);
1154
0
            volatile unsigned char pastEoc = maskPastEoc & isEocBlock;
1155
0
            unsigned char b = 0;
1156
1157
0
            if (k < headerSz)
1158
0
                b = header[k];
1159
0
            else if (k < maxLen)
1160
0
                b = in[k - headerSz];
1161
0
            k++;
1162
1163
0
            b = ctMaskSel(atEoc, 0x80, b);
1164
0
            b &= (unsigned char)~(word32)pastEoc;
1165
0
            b &= ((unsigned char)~(word32)isOutBlock) | isEocBlock;
1166
1167
0
            if (j >= blockSz - 8) {
1168
0
                b = ctMaskSel(isOutBlock, lenBytes[j - (blockSz - 8)], b);
1169
0
            }
1170
1171
0
            hashBlock[j] = b;
1172
0
        }
1173
1174
        /* cppcheck-suppress uninitvar */
1175
0
        ret = Hmac_HashUpdate(hmac, hashBlock, (word32)blockSz);
1176
0
        if (ret != 0)
1177
0
            return ret;
1178
0
        ret = Hmac_HashFinalRaw(hmac, hashBlock);
1179
0
        if (ret != 0)
1180
0
            return ret;
1181
0
        for (j = 0; j < macLen; j++)
1182
0
            ((unsigned char*)hmac->innerHash)[j] |= hashBlock[j] & isOutBlock;
1183
0
    }
1184
1185
0
    ret = Hmac_OuterHash(hmac, digest);
1186
1187
0
    return ret;
1188
0
}
1189
1190
#endif
1191
1192
#if defined(WOLFSSL_NO_HASH_RAW) || defined(HAVE_FIPS) || \
1193
    defined(HAVE_SELFTEST) || defined(HAVE_BLAKE2B)
1194
1195
/* Calculate the HMAC of the header + message data.
1196
 * Constant time implementation using normal hashing operations.
1197
 * Update-Final need to be constant time.
1198
 *
1199
 * hmac    HMAC object.
1200
 * digest  MAC result.
1201
 * in      Message data.
1202
 * sz      Size of the message data.
1203
 * header  Constructed record header with length of handshake data.
1204
 * headerSz Length of header
1205
 * returns 0 on success, otherwise failure.
1206
 */
1207
static int Hmac_UpdateFinal(Hmac* hmac, byte* digest, const byte* in,
1208
                            word32 sz, byte* header, word32 headerSz)
1209
{
1210
    byte       dummy[WC_MAX_BLOCK_SIZE] = {0};
1211
    int        ret = 0;
1212
    word32     msgSz, blockSz, macSz, padSz, maxSz, realSz;
1213
    word32     offset = 0;
1214
    int        msgBlocks, blocks, blockBits;
1215
    int        i;
1216
1217
    switch (hmac->macType) {
1218
    #ifndef NO_SHA
1219
        case WC_SHA:
1220
            blockSz = WC_SHA_BLOCK_SIZE;
1221
            blockBits = 6;
1222
            macSz = WC_SHA_DIGEST_SIZE;
1223
            padSz = WC_SHA_BLOCK_SIZE - WC_SHA_PAD_SIZE + 1;
1224
            break;
1225
    #endif /* !NO_SHA */
1226
1227
    #ifndef NO_SHA256
1228
        case WC_SHA256:
1229
            blockSz = WC_SHA256_BLOCK_SIZE;
1230
            blockBits = 6;
1231
            macSz = WC_SHA256_DIGEST_SIZE;
1232
            padSz = WC_SHA256_BLOCK_SIZE - WC_SHA256_PAD_SIZE + 1;
1233
            break;
1234
    #endif /* !NO_SHA256 */
1235
1236
    #ifdef WOLFSSL_SHA384
1237
        case WC_SHA384:
1238
            blockSz = WC_SHA384_BLOCK_SIZE;
1239
            blockBits = 7;
1240
            macSz = WC_SHA384_DIGEST_SIZE;
1241
            padSz = WC_SHA384_BLOCK_SIZE - WC_SHA384_PAD_SIZE + 1;
1242
            break;
1243
    #endif /* WOLFSSL_SHA384 */
1244
1245
    #ifdef WOLFSSL_SHA512
1246
        case WC_SHA512:
1247
            blockSz = WC_SHA512_BLOCK_SIZE;
1248
            blockBits = 7;
1249
            macSz = WC_SHA512_DIGEST_SIZE;
1250
            padSz = WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE + 1;
1251
            break;
1252
    #endif /* WOLFSSL_SHA512 */
1253
1254
    #ifdef HAVE_BLAKE2B
1255
        case WC_HASH_TYPE_BLAKE2B:
1256
            blockSz = BLAKE2B_BLOCKBYTES;
1257
            blockBits = 7;
1258
            macSz = BLAKE2B_256;
1259
            padSz = 0;
1260
            break;
1261
    #endif /* HAVE_BLAKE2B */
1262
1263
    #ifdef WOLFSSL_SM3
1264
        case WC_SM3:
1265
            blockSz = WC_SM3_BLOCK_SIZE;
1266
            blockBits = 6;
1267
            macSz = WC_SM3_DIGEST_SIZE;
1268
            padSz = WC_SM3_BLOCK_SIZE - WC_SM3_PAD_SIZE + 1;
1269
            break;
1270
    #endif
1271
1272
        default:
1273
            WOLFSSL_MSG("ERROR: Hmac_UpdateFinal failed, no hmac->macType");
1274
            return BAD_FUNC_ARG;
1275
    }
1276
1277
    msgSz = sz - (1 + in[sz - 1] + macSz);
1278
    /* Make negative result 0 */
1279
    msgSz &= ~(0 - (msgSz >> 31));
1280
    realSz = WOLFSSL_TLS_HMAC_INNER_SZ + msgSz;
1281
    maxSz = WOLFSSL_TLS_HMAC_INNER_SZ + (sz - 1) - macSz;
1282
    /* Make negative result 0 */
1283
    maxSz &= ~(0 - (maxSz >> 31));
1284
1285
    /* Calculate #blocks processed in HMAC for max and real data. */
1286
    blocks      = (int)(maxSz >> blockBits);
1287
    blocks     += ((maxSz + padSz) % blockSz) < padSz;
1288
    msgBlocks   = (int)(realSz >> blockBits);
1289
    /* #Extra blocks to process. */
1290
    blocks -= msgBlocks + ((((realSz + padSz) % blockSz) < padSz) ? 1 : 0);
1291
    /* Calculate whole blocks. */
1292
    msgBlocks--;
1293
1294
    ret = wc_HmacUpdate(hmac, header, headerSz);
1295
    if (ret == 0) {
1296
        /* Fill the rest of the block with any available data. */
1297
        word32 currSz = ctMaskLT((int)msgSz, (int)blockSz) & msgSz;
1298
        currSz |= ctMaskGTE((int)msgSz, (int)blockSz) & blockSz;
1299
        currSz -= WOLFSSL_TLS_HMAC_INNER_SZ;
1300
        currSz &= ~(0 - (currSz >> 31));
1301
        ret = wc_HmacUpdate(hmac, in, currSz);
1302
        offset = currSz;
1303
    }
1304
    if (ret == 0) {
1305
        /* Do the hash operations on a block basis. */
1306
        for (i = 0; i < msgBlocks; i++, offset += blockSz) {
1307
            ret = wc_HmacUpdate(hmac, in + offset, blockSz);
1308
            if (ret != 0)
1309
                break;
1310
        }
1311
    }
1312
    if (ret == 0)
1313
        ret = wc_HmacUpdate(hmac, in + offset, msgSz - offset);
1314
    if (ret == 0)
1315
        ret = wc_HmacFinal(hmac, digest);
1316
    if (ret == 0) {
1317
        /* Do the dummy hash operations. Do at least one. */
1318
        for (i = 0; i < blocks + 1; i++) {
1319
            ret = wc_HmacUpdate(hmac, dummy, blockSz);
1320
            if (ret != 0)
1321
                break;
1322
        }
1323
    }
1324
1325
    return ret;
1326
}
1327
1328
#endif
1329
1330
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID)
1331
#define TLS_HMAC_CID_SZ(s, v) \
1332
                ((v) ? DtlsGetCidRxSize((s)) \
1333
                     : DtlsGetCidTxSize((s)))
1334
#define TLS_HMAC_CID(s, v, b, c) \
1335
                ((v) ? wolfSSL_dtls_cid_get_rx((s), (b), (c)) \
1336
                     : wolfSSL_dtls_cid_get_tx((s), (b), (c)))
1337
#endif
1338
1339
static int TLS_hmac_SetInner(WOLFSSL* ssl, byte* inner, word32* innerSz,
1340
        word32 sz, int content, int verify, int epochOrder)
1341
0
{
1342
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID)
1343
    unsigned int cidSz = 0;
1344
    if (ssl->options.dtls && (cidSz = TLS_HMAC_CID_SZ(ssl, verify)) > 0) {
1345
        word32 idx = 0;
1346
        if (cidSz > DTLS_CID_MAX_SIZE) {
1347
            WOLFSSL_MSG("DTLS CID too large");
1348
            return DTLS_CID_ERROR;
1349
        }
1350
1351
        XMEMSET(inner + idx, 0xFF, SEQ_SZ);
1352
        idx += SEQ_SZ;
1353
        inner[idx++] = dtls12_cid;
1354
        inner[idx++] = (byte)cidSz;
1355
        inner[idx++] = dtls12_cid;
1356
        inner[idx++] = ssl->version.major;
1357
        inner[idx++] = ssl->version.minor;
1358
        WriteSEQ(ssl, epochOrder, inner + idx);
1359
        idx += SEQ_SZ;
1360
        if (TLS_HMAC_CID(ssl, verify, inner + idx, cidSz) ==
1361
                WC_NO_ERR_TRACE(WOLFSSL_FAILURE)) {
1362
            WOLFSSL_MSG("DTLS CID write failed");
1363
            return DTLS_CID_ERROR;
1364
        }
1365
        idx += cidSz;
1366
        c16toa((word16)sz, inner + idx);
1367
        idx += LENGTH_SZ;
1368
1369
        *innerSz = idx;
1370
        return 0;
1371
    }
1372
#endif
1373
0
    *innerSz = WOLFSSL_TLS_HMAC_INNER_SZ;
1374
0
    return wolfSSL_SetTlsHmacInner(ssl, inner, sz, content,
1375
0
            !ssl->options.dtls ? verify : epochOrder);
1376
0
}
1377
1378
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID)
1379
#define TLS_HMAC_INNER_SZ WOLFSSL_TLS_HMAC_CID_INNER_SZ
1380
#else
1381
0
#define TLS_HMAC_INNER_SZ WOLFSSL_TLS_HMAC_INNER_SZ
1382
#endif
1383
1384
int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz,
1385
             int content, int verify, int epochOrder)
1386
0
{
1387
0
    WC_DECLARE_VAR(hmac, Hmac, 1, ssl ? ssl->heap : NULL);
1388
0
    byte   myInner[TLS_HMAC_INNER_SZ];
1389
0
    word32 innerSz = TLS_HMAC_INNER_SZ;
1390
0
    int    ret = 0;
1391
0
    const byte* macSecret = NULL;
1392
0
    word32 hashSz = 0;
1393
0
    word32 totalSz = 0;
1394
1395
0
    if (ssl == NULL)
1396
0
        return BAD_FUNC_ARG;
1397
1398
0
    WC_ALLOC_VAR_EX(hmac, Hmac, 1, ssl->heap, DYNAMIC_TYPE_HMAC,
1399
0
                    return MEMORY_E);
1400
1401
#ifdef HAVE_TRUNCATED_HMAC
1402
    hashSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
1403
                                        : ssl->specs.hash_size;
1404
#else
1405
0
    hashSz = ssl->specs.hash_size;
1406
0
#endif
1407
1408
    /* Pre-compute sz + hashSz + padSz + 1 with overflow checking.
1409
     * Used by fuzzer callback and Hmac_UpdateFinal* in the verify path. */
1410
0
    if (verify && padSz >= 0) {
1411
0
        word32 hmacSz = 0;
1412
0
        if (!WC_SAFE_SUM_WORD32(sz, hashSz, hmacSz) ||
1413
0
            !WC_SAFE_SUM_WORD32(hmacSz, (word32)padSz, hmacSz) ||
1414
0
            !WC_SAFE_SUM_WORD32(hmacSz, 1, hmacSz)) {
1415
0
            WC_FREE_VAR_EX(hmac, ssl->heap, DYNAMIC_TYPE_HMAC);
1416
0
            return BUFFER_E;
1417
0
        }
1418
0
        totalSz = hmacSz;
1419
0
    }
1420
1421
#ifdef HAVE_FUZZER
1422
    /* Fuzz "in" buffer with sz to be used in HMAC algorithm */
1423
    if (ssl->fuzzerCb) {
1424
        if (verify && padSz >= 0) {
1425
            ssl->fuzzerCb(ssl, in, totalSz, FUZZ_HMAC,
1426
                          ssl->fuzzerCtx);
1427
        }
1428
        else {
1429
            ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx);
1430
        }
1431
    }
1432
#endif
1433
1434
0
    ret = TLS_hmac_SetInner(ssl, myInner, &innerSz, sz, content, verify,
1435
0
                            epochOrder);
1436
0
    if (ret != 0) {
1437
0
        WC_FREE_VAR_EX(hmac, ssl->heap, DYNAMIC_TYPE_HMAC);
1438
0
        return ret;
1439
0
    }
1440
1441
0
    ret = wc_HmacInit(hmac, ssl->heap, ssl->devId);
1442
0
    if (ret != 0) {
1443
0
        WC_FREE_VAR_EX(hmac, ssl->heap, DYNAMIC_TYPE_HMAC);
1444
0
        return ret;
1445
0
    }
1446
1447
1448
#ifdef WOLFSSL_DTLS
1449
    if (ssl->options.dtls)
1450
        macSecret = wolfSSL_GetDtlsMacSecret(ssl, verify, epochOrder);
1451
    else
1452
#endif
1453
0
        macSecret = wolfSSL_GetMacSecret(ssl, verify);
1454
0
    ret = wc_HmacSetKey(hmac, wolfSSL_GetHmacType(ssl),
1455
0
                                              macSecret,
1456
0
                                              ssl->specs.hash_size);
1457
1458
0
    if (ret == 0) {
1459
        /* Constant time verification required. */
1460
0
        if (verify && padSz >= 0) {
1461
0
#if !defined(WOLFSSL_NO_HASH_RAW) && !defined(HAVE_FIPS) && \
1462
0
    !defined(HAVE_SELFTEST)
1463
    #ifdef HAVE_BLAKE2B
1464
            if (wolfSSL_GetHmacType(ssl) == WC_HASH_TYPE_BLAKE2B) {
1465
                ret = Hmac_UpdateFinal(hmac, digest, in,
1466
                        totalSz, myInner, innerSz);
1467
            }
1468
            else
1469
    #endif
1470
0
            {
1471
0
                ret = Hmac_UpdateFinal_CT(hmac, digest, in,
1472
0
                                      totalSz,
1473
0
                                      (int)hashSz, myInner, innerSz);
1474
1475
0
            }
1476
#else
1477
            ret = Hmac_UpdateFinal(hmac, digest, in, totalSz,
1478
                                        myInner, innerSz);
1479
#endif
1480
0
        }
1481
0
        else {
1482
0
            ret = wc_HmacUpdate(hmac, myInner, innerSz);
1483
0
            if (ret == 0)
1484
0
                ret = wc_HmacUpdate(hmac, in, sz);                /* content */
1485
0
            if (ret == 0)
1486
0
                ret = wc_HmacFinal(hmac, digest);
1487
0
        }
1488
0
    }
1489
1490
0
    wc_HmacFree(hmac);
1491
0
    WC_FREE_VAR_EX(hmac, ssl->heap, DYNAMIC_TYPE_HMAC);
1492
1493
0
    return ret;
1494
0
}
1495
#endif /* WOLFSSL_AEAD_ONLY */
1496
1497
#endif /* !WOLFSSL_NO_TLS12 */
1498
1499
int wolfSSL_GetHmacType_ex(CipherSpecs* specs)
1500
0
{
1501
0
    if (specs == NULL)
1502
0
        return BAD_FUNC_ARG;
1503
1504
0
    switch (specs->mac_algorithm) {
1505
        #ifndef NO_MD5
1506
        case md5_mac:
1507
        {
1508
            return WC_MD5;
1509
        }
1510
        #endif
1511
0
        #ifndef NO_SHA256
1512
0
        case sha256_mac:
1513
0
        {
1514
0
            return WC_SHA256;
1515
0
        }
1516
0
        #endif
1517
0
        #ifdef WOLFSSL_SHA384
1518
0
        case sha384_mac:
1519
0
        {
1520
0
            return WC_SHA384;
1521
0
        }
1522
0
        #endif
1523
        #ifdef WOLFSSL_SM3
1524
        case sm3_mac:
1525
        {
1526
            return WC_SM3;
1527
        }
1528
        #endif
1529
0
        #ifndef NO_SHA
1530
0
        case sha_mac:
1531
0
        {
1532
0
            return WC_SHA;
1533
0
        }
1534
0
        #endif
1535
        #ifdef HAVE_BLAKE2B
1536
        case blake2b_mac:
1537
        {
1538
            return BLAKE2B_ID;
1539
        }
1540
        #endif
1541
0
        default:
1542
0
        {
1543
0
            return WOLFSSL_FATAL_ERROR;
1544
0
        }
1545
0
    }
1546
0
}
1547
1548
#ifdef HAVE_TLS_EXTENSIONS
1549
1550
/**
1551
 * The TLSX semaphore is used to calculate the size of the extensions to be sent
1552
 * from one peer to another.
1553
 */
1554
1555
/** Supports up to 72 flags. Increase as needed. */
1556
#define SEMAPHORE_SIZE 9
1557
1558
/**
1559
 * Converts the extension type (id) to an index in the semaphore.
1560
 *
1561
 * Official reference for TLS extension types:
1562
 *   http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml
1563
 *
1564
 * Motivation:
1565
 *   Previously, we used the extension type itself as the index of that
1566
 *   extension in the semaphore as the extension types were declared
1567
 *   sequentially, but maintain a semaphore as big as the number of available
1568
 *   extensions is no longer an option since the release of renegotiation_info.
1569
 *
1570
 * How to update:
1571
 *   Assign extension types that extrapolate the number of available semaphores
1572
 *   to the first available index going backwards in the semaphore array.
1573
 *   When adding a new extension type that don't extrapolate the number of
1574
 *   available semaphores, check for a possible collision with with a
1575
 *   'remapped' extension type.
1576
 *
1577
 * Update TLSX_Parse for duplicate detection if more added above 62.
1578
 */
1579
static WC_INLINE word16 TLSX_ToSemaphore(word16 type)
1580
0
{
1581
0
    switch (type) {
1582
1583
0
        case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */
1584
0
            return 63;
1585
#ifdef WOLFSSL_QUIC
1586
        case TLSX_KEY_QUIC_TP_PARAMS_DRAFT: /* 0xffa5 */
1587
            return 64;
1588
#endif
1589
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
1590
        case TLSX_ECH: /* 0xfe0d */
1591
            return 65;
1592
#endif
1593
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
1594
        case TLSX_CKS:
1595
            return 66;
1596
#endif
1597
0
        default:
1598
0
            if (type > 62) {
1599
                /* This message SHOULD only happens during the adding of
1600
                   new TLS extensions in which its IANA number overflows
1601
                   the current semaphore's range, or if its number already
1602
                   is assigned to be used by another extension.
1603
                   Use this check value for the new extension and decrement
1604
                   the check value by one. */
1605
0
                WOLFSSL_MSG("### TLSX semaphore collision or overflow detected!");
1606
0
            }
1607
0
    }
1608
1609
0
    return type;
1610
0
}
1611
1612
/** Checks if a specific light (tls extension) is not set in the semaphore. */
1613
#define IS_OFF(semaphore, light) \
1614
0
    (!(((semaphore)[(light) / 8] &  (byte) (0x01 << ((light) % 8)))))
1615
1616
/** Turn on a specific light (tls extension) in the semaphore. */
1617
/* the semaphore marks the extensions already written to the message */
1618
#define TURN_ON(semaphore, light) \
1619
0
    ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8)))
1620
1621
/** Turn off a specific light (tls extension) in the semaphore. */
1622
#define TURN_OFF(semaphore, light) \
1623
0
    ((semaphore)[(light) / 8] &= (byte) ~(0x01 << ((light) % 8)))
1624
1625
/** Creates a new extension. */
1626
static TLSX* TLSX_New(TLSX_Type type, const void* data, void* heap)
1627
0
{
1628
0
    TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), heap, DYNAMIC_TYPE_TLSX);
1629
1630
0
    (void)heap;
1631
1632
0
    if (extension) {
1633
0
        extension->type = type;
1634
0
        extension->data = (void*)data;
1635
0
        extension->resp = 0;
1636
0
        extension->next = NULL;
1637
0
    }
1638
1639
0
    return extension;
1640
0
}
1641
1642
/**
1643
 * Creates a new extension and appends it to the provided list.
1644
 * Checks for duplicate extensions, keeps the newest.
1645
 */
1646
int TLSX_Append(TLSX** list, TLSX_Type type, const void* data, void* heap)
1647
0
{
1648
0
    TLSX* extension = TLSX_New(type, data, heap);
1649
0
    TLSX* cur;
1650
0
    TLSX** prevNext = list;
1651
1652
0
    if (extension == NULL)
1653
0
        return MEMORY_E;
1654
1655
0
    for (cur = *list; cur != NULL;) {
1656
0
        if (cur->type == type) {
1657
0
            *prevNext = cur->next;
1658
0
            cur->next = NULL;
1659
0
            TLSX_FreeAll(cur, heap);
1660
0
            cur = *prevNext;
1661
0
        }
1662
0
        else {
1663
0
            prevNext = &cur->next;
1664
0
            cur = cur->next;
1665
0
        }
1666
0
    }
1667
1668
    /* Append the extension to the list */
1669
0
    *prevNext = extension;
1670
1671
0
    return 0;
1672
0
}
1673
1674
/**
1675
 * Creates a new extension and pushes it to the provided list.
1676
 * Checks for duplicate extensions, keeps the newest.
1677
 */
1678
int TLSX_Push(TLSX** list, TLSX_Type type, const void* data, void* heap)
1679
0
{
1680
0
    TLSX* extension = TLSX_New(type, data, heap);
1681
1682
0
    if (extension == NULL)
1683
0
        return MEMORY_E;
1684
1685
    /* pushes the new extension on the list. */
1686
0
    extension->next = *list;
1687
0
    *list = extension;
1688
1689
    /* remove duplicate extensions, there should be only one of each type. */
1690
0
    do {
1691
0
        if (extension->next && extension->next->type == type) {
1692
0
            TLSX *next = extension->next;
1693
1694
0
            extension->next = next->next;
1695
0
            next->next = NULL;
1696
1697
0
            TLSX_FreeAll(next, heap);
1698
1699
            /* there is no way to occur more than
1700
             * two extensions of the same type.
1701
             */
1702
0
            break;
1703
0
        }
1704
0
    } while ((extension = extension->next));
1705
1706
0
    return 0;
1707
0
}
1708
1709
#ifndef NO_WOLFSSL_CLIENT
1710
1711
int TLSX_CheckUnsupportedExtension(WOLFSSL* ssl, TLSX_Type type);
1712
1713
int TLSX_CheckUnsupportedExtension(WOLFSSL* ssl, TLSX_Type type)
1714
0
{
1715
0
    TLSX *extension = TLSX_Find(ssl->extensions, type);
1716
1717
0
    if (!extension)
1718
0
        extension = TLSX_Find(ssl->ctx->extensions, type);
1719
1720
0
    return extension == NULL;
1721
0
}
1722
1723
int TLSX_HandleUnsupportedExtension(WOLFSSL* ssl);
1724
1725
int TLSX_HandleUnsupportedExtension(WOLFSSL* ssl)
1726
0
{
1727
0
    SendAlert(ssl, alert_fatal, unsupported_extension);
1728
0
    WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION);
1729
0
    return UNSUPPORTED_EXTENSION;
1730
0
}
1731
1732
#else
1733
1734
#define TLSX_CheckUnsupportedExtension(ssl, type) 0
1735
#define TLSX_HandleUnsupportedExtension(ssl) 0
1736
1737
#endif
1738
1739
#if !defined(NO_WOLFSSL_SERVER) || defined(WOLFSSL_TLS13)
1740
static void TLSX_SetResponseInList(TLSX* list, TLSX_Type type);
1741
/** Mark an extension to be sent back to the client.
1742
 *  Operates on a list instead of the ssl.
1743
 *      (Should only be used on ssl->extensions or ech->extensions) */
1744
static void TLSX_SetResponseInList(TLSX* list, TLSX_Type type)
1745
0
{
1746
0
    TLSX *extension = TLSX_Find(list, type);
1747
1748
0
    if (extension)
1749
0
        extension->resp = 1;
1750
0
}
1751
1752
void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type);
1753
/** Mark an extension to be sent back to the client. */
1754
void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type)
1755
0
{
1756
0
    TLSX_SetResponseInList(ssl->extensions, type);
1757
0
}
1758
#endif
1759
1760
/******************************************************************************/
1761
/* Application-Layer Protocol Negotiation                                     */
1762
/******************************************************************************/
1763
1764
#ifdef HAVE_ALPN
1765
/** Creates a new ALPN object, providing protocol name to use. */
1766
static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz,
1767
                                                                     void* heap)
1768
{
1769
    ALPN *alpn;
1770
1771
    WOLFSSL_ENTER("TLSX_ALPN_New");
1772
1773
    if (protocol_name == NULL ||
1774
        protocol_nameSz > WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) {
1775
        WOLFSSL_MSG("Invalid arguments");
1776
        return NULL;
1777
    }
1778
1779
    alpn = (ALPN*)XMALLOC(sizeof(ALPN), heap, DYNAMIC_TYPE_TLSX);
1780
    if (alpn == NULL) {
1781
        WOLFSSL_MSG("Memory failure");
1782
        return NULL;
1783
    }
1784
1785
    alpn->next = NULL;
1786
    alpn->negotiated = 0;
1787
    alpn->options = 0;
1788
1789
    alpn->protocol_name = (char*)XMALLOC(protocol_nameSz + 1,
1790
                                         heap, DYNAMIC_TYPE_TLSX);
1791
    if (alpn->protocol_name == NULL) {
1792
        WOLFSSL_MSG("Memory failure");
1793
        XFREE(alpn, heap, DYNAMIC_TYPE_TLSX);
1794
        return NULL;
1795
    }
1796
1797
    XMEMCPY(alpn->protocol_name, protocol_name, protocol_nameSz);
1798
    alpn->protocol_name[protocol_nameSz] = 0;
1799
1800
    (void)heap;
1801
1802
    return alpn;
1803
}
1804
1805
/** Releases an ALPN object. */
1806
static void TLSX_ALPN_Free(ALPN *alpn, void* heap)
1807
{
1808
    (void)heap;
1809
1810
    if (alpn == NULL)
1811
        return;
1812
1813
    XFREE(alpn->protocol_name, heap, DYNAMIC_TYPE_TLSX);
1814
    XFREE(alpn, heap, DYNAMIC_TYPE_TLSX);
1815
}
1816
1817
/** Releases all ALPN objects in the provided list. */
1818
static void TLSX_ALPN_FreeAll(ALPN *list, void* heap)
1819
{
1820
    ALPN* alpn;
1821
1822
    while ((alpn = list)) {
1823
        list = alpn->next;
1824
        TLSX_ALPN_Free(alpn, heap);
1825
    }
1826
}
1827
1828
/** Tells the buffered size of the ALPN objects in a list. */
1829
static word16 TLSX_ALPN_GetSize(ALPN *list)
1830
{
1831
    ALPN* alpn;
1832
    word32 length = OPAQUE16_LEN; /* list length */
1833
1834
    while ((alpn = list)) {
1835
        list = alpn->next;
1836
1837
        length++; /* protocol name length is on one byte */
1838
        length += (word32)XSTRLEN(alpn->protocol_name);
1839
1840
        if (length > WOLFSSL_MAX_16BIT) {
1841
            return 0;
1842
        }
1843
    }
1844
1845
    return (word16)length;
1846
}
1847
1848
/** Writes the ALPN objects of a list in a buffer. */
1849
static word16 TLSX_ALPN_Write(ALPN *list, byte *output)
1850
{
1851
    ALPN* alpn;
1852
    word16 length = 0;
1853
    word16 offset = OPAQUE16_LEN; /* list length offset */
1854
1855
    while ((alpn = list)) {
1856
        list = alpn->next;
1857
1858
        length = (word16)XSTRLEN(alpn->protocol_name);
1859
1860
        /* protocol name length */
1861
        output[offset++] = (byte)length;
1862
1863
        /* protocol name value */
1864
        XMEMCPY(output + offset, alpn->protocol_name, length);
1865
1866
        offset += length;
1867
    }
1868
1869
    /* writing list length */
1870
    c16toa(offset - OPAQUE16_LEN, output);
1871
1872
    return offset;
1873
}
1874
1875
/** Finds a protocol name in the provided ALPN list */
1876
static ALPN* TLSX_ALPN_Find(ALPN *list, char *protocol_name, word16 size)
1877
{
1878
    ALPN *alpn;
1879
1880
    if (list == NULL || protocol_name == NULL)
1881
        return NULL;
1882
1883
    alpn = list;
1884
    while (alpn != NULL && (
1885
           (word16)XSTRLEN(alpn->protocol_name) != size ||
1886
           XSTRNCMP(alpn->protocol_name, protocol_name, size)))
1887
        alpn = alpn->next;
1888
1889
    return alpn;
1890
}
1891
1892
/** Set the ALPN matching client and server requirements */
1893
static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size,
1894
                                                                     void* heap)
1895
{
1896
    ALPN *alpn;
1897
    int  ret;
1898
1899
    if (extensions == NULL || data == NULL)
1900
        return BAD_FUNC_ARG;
1901
1902
    alpn = TLSX_ALPN_New((char *)data, size, heap);
1903
    if (alpn == NULL) {
1904
        WOLFSSL_MSG("Memory failure");
1905
        return MEMORY_E;
1906
    }
1907
1908
    alpn->negotiated = 1;
1909
1910
    ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, (void*)alpn,
1911
                                                                          heap);
1912
    if (ret != 0) {
1913
        TLSX_ALPN_Free(alpn, heap);
1914
        return ret;
1915
    }
1916
1917
    return WOLFSSL_SUCCESS;
1918
}
1919
1920
static int ALPN_find_match(WOLFSSL *ssl, TLSX **pextension,
1921
                           const byte **psel, byte *psel_len,
1922
                           const byte *alpn_val, word16 alpn_val_len)
1923
{
1924
    TLSX    *extension;
1925
    ALPN    *alpn, *list;
1926
    const byte *sel = NULL, *s;
1927
    byte sel_len = 0, wlen;
1928
1929
    extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
1930
    if (extension == NULL)
1931
        extension = TLSX_Find(ssl->ctx->extensions,
1932
                              TLSX_APPLICATION_LAYER_PROTOCOL);
1933
1934
    /* No ALPN configured here */
1935
    if (extension == NULL || extension->data == NULL) {
1936
        *pextension = NULL;
1937
        *psel = NULL;
1938
        *psel_len = 0;
1939
        return 0;
1940
    }
1941
1942
    list = (ALPN*)extension->data;
1943
    for (s = alpn_val;
1944
         (s - alpn_val) < alpn_val_len;
1945
         s += wlen) {
1946
        wlen = *s++; /* bounds already checked on save */
1947
        alpn = TLSX_ALPN_Find(list, (char*)s, wlen);
1948
        if (alpn != NULL) {
1949
            WOLFSSL_MSG("ALPN protocol match");
1950
            sel = s,
1951
            sel_len = wlen;
1952
            break;
1953
        }
1954
    }
1955
1956
    if (sel == NULL) {
1957
        WOLFSSL_MSG("No ALPN protocol match");
1958
1959
        /* do nothing if no protocol match between client and server and option
1960
         is set to continue (like OpenSSL) */
1961
        if (list->options & WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) {
1962
            WOLFSSL_MSG("Continue on mismatch");
1963
        }
1964
        else {
1965
            SendAlert(ssl, alert_fatal, no_application_protocol);
1966
            WOLFSSL_ERROR_VERBOSE(UNKNOWN_ALPN_PROTOCOL_NAME_E);
1967
            return UNKNOWN_ALPN_PROTOCOL_NAME_E;
1968
        }
1969
    }
1970
1971
    *pextension = extension;
1972
    *psel = sel;
1973
    *psel_len = sel_len;
1974
    return 0;
1975
}
1976
1977
int ALPN_Select(WOLFSSL *ssl)
1978
{
1979
    TLSX *extension;
1980
    const byte *sel = NULL;
1981
    byte sel_len = 0;
1982
    int r = 0;
1983
1984
    WOLFSSL_ENTER("ALPN_Select");
1985
    if (ssl->alpn_peer_requested == NULL)
1986
        return 0;
1987
1988
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
1989
    if (ssl->alpnSelect != NULL && ssl->options.side == WOLFSSL_SERVER_END) {
1990
        r = ssl->alpnSelect(ssl, &sel, &sel_len, ssl->alpn_peer_requested,
1991
                ssl->alpn_peer_requested_length, ssl->alpnSelectArg);
1992
        switch (r) {
1993
            case SSL_TLSEXT_ERR_OK:
1994
                WOLFSSL_MSG("ALPN protocol match");
1995
                break;
1996
            case SSL_TLSEXT_ERR_NOACK:
1997
                WOLFSSL_MSG("ALPN cb no match but not fatal");
1998
                sel = NULL;
1999
                sel_len = 0;
2000
                break;
2001
            case SSL_TLSEXT_ERR_ALERT_FATAL:
2002
            default:
2003
                WOLFSSL_MSG("ALPN cb no match and fatal");
2004
                SendAlert(ssl, alert_fatal, no_application_protocol);
2005
                WOLFSSL_ERROR_VERBOSE(UNKNOWN_ALPN_PROTOCOL_NAME_E);
2006
                return UNKNOWN_ALPN_PROTOCOL_NAME_E;
2007
        }
2008
    }
2009
    else
2010
#endif
2011
    {
2012
        r = ALPN_find_match(ssl, &extension, &sel, &sel_len,
2013
                            ssl->alpn_peer_requested,
2014
                            ssl->alpn_peer_requested_length);
2015
        if (r != 0)
2016
            return r;
2017
    }
2018
2019
    if (sel != NULL) {
2020
        /* set the matching negotiated protocol */
2021
        r = TLSX_SetALPN(&ssl->extensions, sel, sel_len, ssl->heap);
2022
        if (r != WOLFSSL_SUCCESS) {
2023
            WOLFSSL_MSG("TLSX_SetALPN failed");
2024
            return BUFFER_ERROR;
2025
        }
2026
        /* reply to ALPN extension sent from peer */
2027
#ifndef NO_WOLFSSL_SERVER
2028
        TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL);
2029
#endif
2030
    }
2031
    return 0;
2032
}
2033
2034
/** Parses a buffer of ALPN extensions and set the first one matching
2035
 * client and server requirements */
2036
static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, const byte *input, word16 length,
2037
                                 byte isRequest)
2038
{
2039
    word16  size = 0, offset = 0, wlen;
2040
    int     r = WC_NO_ERR_TRACE(BUFFER_ERROR);
2041
    const byte *s;
2042
    word16  entryCount = 0;
2043
2044
    if (OPAQUE16_LEN > length)
2045
        return BUFFER_ERROR;
2046
2047
    ato16(input, &size);
2048
    offset += OPAQUE16_LEN;
2049
2050
    /* validating alpn list length */
2051
    if (size == 0 || length != OPAQUE16_LEN + size)
2052
        return BUFFER_ERROR;
2053
2054
    /* validating length of entries before accepting */
2055
    for (s = input + offset; (s - input) < length; s += wlen) {
2056
        wlen = *s++;
2057
        if (wlen == 0 || (s + wlen - input) > length)
2058
            return BUFFER_ERROR;
2059
        entryCount++;
2060
    }
2061
2062
    /* RFC 7301 Section 3.1: the server's ProtocolNameList in its ALPN
2063
     * response MUST contain exactly one ProtocolName. */
2064
    if (!isRequest && entryCount != 1) {
2065
        SendAlert(ssl, alert_fatal, decode_error);
2066
        WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
2067
        return BUFFER_ERROR;
2068
    }
2069
2070
    if (isRequest) {
2071
        /* keep the list sent by peer, if this is from a request. We
2072
         * use it later in ALPN_Select() for evaluation. */
2073
        if (ssl->alpn_peer_requested != NULL) {
2074
            XFREE(ssl->alpn_peer_requested, ssl->heap, DYNAMIC_TYPE_ALPN);
2075
            ssl->alpn_peer_requested_length = 0;
2076
        }
2077
        ssl->alpn_peer_requested = (byte *)XMALLOC(size, ssl->heap,
2078
                                                   DYNAMIC_TYPE_ALPN);
2079
        if (ssl->alpn_peer_requested == NULL) {
2080
            return MEMORY_ERROR;
2081
        }
2082
        ssl->alpn_peer_requested_length = size;
2083
        XMEMCPY(ssl->alpn_peer_requested, (char*)input + offset, size);
2084
    }
2085
    else {
2086
        /* a response, we should find the value in our config */
2087
        const byte *sel = NULL;
2088
        byte sel_len = 0;
2089
        TLSX *extension = NULL;
2090
2091
        /* RFC 7301 Section 3.1: a ServerHello ALPN extension MUST contain
2092
         * exactly one protocol name. The first name's length byte plus its
2093
         * payload must therefore span the whole list. */
2094
        if ((word16)(input[offset] + OPAQUE8_LEN) != size) {
2095
            SendAlert(ssl, alert_fatal, illegal_parameter);
2096
            WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
2097
            return BUFFER_ERROR;
2098
        }
2099
2100
        r = ALPN_find_match(ssl, &extension, &sel, &sel_len, input + offset, size);
2101
        if (r != 0)
2102
            return r;
2103
2104
        if (sel != NULL) {
2105
            /* set the matching negotiated protocol */
2106
            r = TLSX_SetALPN(&ssl->extensions, sel, sel_len, ssl->heap);
2107
            if (r != WOLFSSL_SUCCESS) {
2108
                WOLFSSL_MSG("TLSX_SetALPN failed");
2109
                return BUFFER_ERROR;
2110
            }
2111
        }
2112
        /* If we had nothing configured, the response is unexpected */
2113
        else if (extension == NULL) {
2114
            r = TLSX_HandleUnsupportedExtension(ssl);
2115
            if (r != 0)
2116
                return r;
2117
        }
2118
    }
2119
    return 0;
2120
}
2121
2122
/** Add a protocol name to the list of accepted usable ones */
2123
int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options,
2124
                                                                     void* heap)
2125
{
2126
    ALPN *alpn;
2127
    TLSX *extension;
2128
    int  ret;
2129
2130
    if (extensions == NULL || data == NULL)
2131
        return BAD_FUNC_ARG;
2132
2133
    alpn = TLSX_ALPN_New((char *)data, size, heap);
2134
    if (alpn == NULL) {
2135
        WOLFSSL_MSG("Memory failure");
2136
        return MEMORY_E;
2137
    }
2138
2139
    /* Set Options of ALPN */
2140
    alpn->options = options;
2141
2142
    extension = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
2143
    if (extension == NULL) {
2144
        ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL,
2145
                                                             (void*)alpn, heap);
2146
        if (ret != 0) {
2147
            TLSX_ALPN_Free(alpn, heap);
2148
            return ret;
2149
        }
2150
    }
2151
    else {
2152
        /* push new ALPN object to extension data. */
2153
        alpn->next = (ALPN*)extension->data;
2154
        extension->data = (void*)alpn;
2155
    }
2156
2157
    return WOLFSSL_SUCCESS;
2158
}
2159
2160
/** Get the protocol name set by the server */
2161
int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
2162
{
2163
    TLSX *extension;
2164
    ALPN *alpn;
2165
2166
    if (extensions == NULL || data == NULL || dataSz == NULL)
2167
        return BAD_FUNC_ARG;
2168
2169
    *data = NULL;
2170
    *dataSz = 0;
2171
2172
    extension = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
2173
    if (extension == NULL) {
2174
        WOLFSSL_MSG("TLS extension not found");
2175
        WOLFSSL_ERROR_VERBOSE(WOLFSSL_ALPN_NOT_FOUND);
2176
        return WOLFSSL_ALPN_NOT_FOUND;
2177
    }
2178
2179
    alpn = (ALPN *)extension->data;
2180
    if (alpn == NULL) {
2181
        WOLFSSL_MSG("ALPN extension not found");
2182
        WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR);
2183
        return WOLFSSL_FATAL_ERROR;
2184
    }
2185
2186
    if (alpn->negotiated != 1) {
2187
2188
        /* consider as an error */
2189
        if (alpn->options & WOLFSSL_ALPN_FAILED_ON_MISMATCH) {
2190
            WOLFSSL_MSG("No protocol match with peer -> Failed");
2191
            WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR);
2192
            return WOLFSSL_FATAL_ERROR;
2193
        }
2194
2195
        /* continue without negotiated protocol */
2196
        WOLFSSL_MSG("No protocol match with peer -> Continue");
2197
        WOLFSSL_ERROR_VERBOSE(WOLFSSL_ALPN_NOT_FOUND);
2198
        return WOLFSSL_ALPN_NOT_FOUND;
2199
    }
2200
2201
    if (alpn->next != NULL) {
2202
        WOLFSSL_MSG("Only one protocol name must be accepted");
2203
        WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR);
2204
        return WOLFSSL_FATAL_ERROR;
2205
    }
2206
2207
    *data = alpn->protocol_name;
2208
    *dataSz = (word16)XSTRLEN((char*)*data);
2209
2210
    return WOLFSSL_SUCCESS;
2211
}
2212
2213
#define ALPN_FREE_ALL     TLSX_ALPN_FreeAll
2214
#define ALPN_GET_SIZE     TLSX_ALPN_GetSize
2215
#define ALPN_WRITE        TLSX_ALPN_Write
2216
#define ALPN_PARSE        TLSX_ALPN_ParseAndSet
2217
2218
#else /* HAVE_ALPN */
2219
2220
0
#define ALPN_FREE_ALL(list, heap) WC_DO_NOTHING
2221
0
#define ALPN_GET_SIZE(list)     0
2222
0
#define ALPN_WRITE(a, b)        0
2223
0
#define ALPN_PARSE(a, b, c, d)  0
2224
2225
#endif /* HAVE_ALPN */
2226
2227
/******************************************************************************/
2228
/* Server Name Indication                                                     */
2229
/******************************************************************************/
2230
2231
#ifdef HAVE_SNI
2232
2233
/** Creates a new SNI object. */
2234
static SNI* TLSX_SNI_New(byte type, const void* data, word16 size, void* heap)
2235
0
{
2236
0
    SNI* sni = (SNI*)XMALLOC(sizeof(SNI), heap, DYNAMIC_TYPE_TLSX);
2237
2238
0
    (void)heap;
2239
2240
0
    if (sni) {
2241
0
        sni->type = type;
2242
0
        sni->next = NULL;
2243
2244
0
    #ifndef NO_WOLFSSL_SERVER
2245
0
        sni->options = 0;
2246
0
        sni->status  = WOLFSSL_SNI_NO_MATCH;
2247
0
    #endif
2248
2249
0
        switch (sni->type) {
2250
0
            case WOLFSSL_SNI_HOST_NAME:
2251
0
                sni->data.host_name = (char*)XMALLOC(size + 1, heap,
2252
0
                                                     DYNAMIC_TYPE_TLSX);
2253
0
                if (sni->data.host_name) {
2254
0
                    XSTRNCPY(sni->data.host_name, (const char*)data, size);
2255
0
                    sni->data.host_name[size] = '\0';
2256
0
                } else {
2257
0
                    XFREE(sni, heap, DYNAMIC_TYPE_TLSX);
2258
0
                    sni = NULL;
2259
0
                }
2260
0
            break;
2261
2262
0
            default: /* invalid type */
2263
0
                XFREE(sni, heap, DYNAMIC_TYPE_TLSX);
2264
0
                sni = NULL;
2265
0
        }
2266
0
    }
2267
2268
0
    return sni;
2269
0
}
2270
2271
/** Releases a SNI object. */
2272
static void TLSX_SNI_Free(SNI* sni, void* heap)
2273
0
{
2274
0
    if (sni) {
2275
0
        switch (sni->type) {
2276
0
            case WOLFSSL_SNI_HOST_NAME:
2277
0
                XFREE(sni->data.host_name, heap, DYNAMIC_TYPE_TLSX);
2278
0
            break;
2279
0
        }
2280
2281
0
        XFREE(sni, heap, DYNAMIC_TYPE_TLSX);
2282
0
    }
2283
0
    (void)heap;
2284
0
}
2285
2286
/** Releases all SNI objects in the provided list. */
2287
static void TLSX_SNI_FreeAll(SNI* list, void* heap)
2288
0
{
2289
0
    SNI* sni;
2290
2291
0
    while ((sni = list)) {
2292
0
        list = sni->next;
2293
0
        TLSX_SNI_Free(sni, heap);
2294
0
    }
2295
0
}
2296
2297
/** Tells the buffered size of the SNI objects in a list. */
2298
WOLFSSL_TEST_VIS word16 TLSX_SNI_GetSize(SNI* list)
2299
0
{
2300
0
    SNI* sni;
2301
0
    word32 length = OPAQUE16_LEN; /* list length */
2302
2303
0
    while ((sni = list)) {
2304
0
        list = sni->next;
2305
2306
0
        length += ENUM_LEN + OPAQUE16_LEN; /* sni type + sni length */
2307
2308
0
        switch (sni->type) {
2309
0
            case WOLFSSL_SNI_HOST_NAME:
2310
0
                length += (word32)XSTRLEN((char*)sni->data.host_name);
2311
0
            break;
2312
0
        }
2313
2314
0
        if (length > WOLFSSL_MAX_16BIT) {
2315
0
            return 0;
2316
0
        }
2317
0
    }
2318
2319
0
    return (word16)length;
2320
0
}
2321
2322
/** Writes the SNI objects of a list in a buffer. */
2323
static word16 TLSX_SNI_Write(SNI* list, byte* output)
2324
0
{
2325
0
    SNI* sni;
2326
0
    word16 length = 0;
2327
0
    word16 offset = OPAQUE16_LEN; /* list length offset */
2328
2329
0
    while ((sni = list)) {
2330
0
        list = sni->next;
2331
2332
0
        output[offset++] = sni->type; /* sni type */
2333
2334
0
        switch (sni->type) {
2335
0
            case WOLFSSL_SNI_HOST_NAME:
2336
0
                length = (word16)XSTRLEN((char*)sni->data.host_name);
2337
2338
0
                c16toa(length, output + offset); /* sni length */
2339
0
                offset += OPAQUE16_LEN;
2340
2341
0
                XMEMCPY(output + offset, sni->data.host_name, length);
2342
2343
0
                offset += length;
2344
0
            break;
2345
0
        }
2346
0
    }
2347
2348
0
    c16toa(offset - OPAQUE16_LEN, output); /* writing list length */
2349
2350
0
    return offset;
2351
0
}
2352
2353
/** Finds a SNI object in the provided list. */
2354
static SNI* TLSX_SNI_Find(SNI *list, byte type)
2355
0
{
2356
0
    SNI* sni = list;
2357
2358
0
    while (sni && sni->type != type)
2359
0
        sni = sni->next;
2360
2361
0
    return sni;
2362
0
}
2363
2364
#if (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER))
2365
/** Sets the status of a SNI object. */
2366
static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
2367
0
{
2368
0
    TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
2369
0
    SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
2370
2371
0
    if (sni)
2372
0
        sni->status = status;
2373
0
}
2374
#endif
2375
2376
/** Gets the status of a SNI object. */
2377
byte TLSX_SNI_Status(TLSX* extensions, byte type)
2378
0
{
2379
0
    TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
2380
0
    SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
2381
2382
0
    if (sni)
2383
0
        return sni->status;
2384
2385
0
    return 0;
2386
0
}
2387
2388
/** Parses a buffer of SNI extensions. */
2389
static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length,
2390
                          byte isRequest)
2391
0
{
2392
0
#ifndef NO_WOLFSSL_SERVER
2393
0
    word16 size = 0;
2394
0
    word16 offset = 0;
2395
0
    int cacheOnly = 0;
2396
0
    int checkPublic = 0;
2397
0
    SNI* sni = NULL;
2398
0
    byte type;
2399
0
    byte matched = 0;
2400
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
2401
    TLSX* echX = NULL;
2402
    WOLFSSL_ECH* ech = NULL;
2403
    WOLFSSL_EchConfig* workingConfig = NULL;
2404
#endif
2405
0
#endif /* !NO_WOLFSSL_SERVER */
2406
0
    TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME);
2407
2408
0
    if (!extension)
2409
0
        extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
2410
2411
0
    if (!isRequest) {
2412
0
        #ifndef NO_WOLFSSL_CLIENT
2413
0
            if (!extension || !extension->data)
2414
0
                return TLSX_HandleUnsupportedExtension(ssl);
2415
2416
0
            if (length > 0)
2417
0
                return BUFFER_ERROR; /* SNI response MUST be empty. */
2418
2419
            /* This call enables wolfSSL_SNI_GetRequest() to be called in the
2420
             * client side to fetch the used SNI. It will only work if the SNI
2421
             * was set at the SSL object level. Right now we only support one
2422
             * name type, WOLFSSL_SNI_HOST_NAME, but in the future, the
2423
             * inclusion of other name types will turn this method inaccurate,
2424
             * as the extension response doesn't contains information of which
2425
             * name was accepted.
2426
             */
2427
0
            TLSX_SNI_SetStatus(ssl->extensions, WOLFSSL_SNI_HOST_NAME,
2428
0
                                                        WOLFSSL_SNI_REAL_MATCH);
2429
2430
0
            return 0;
2431
0
        #endif
2432
0
    }
2433
2434
0
#ifndef NO_WOLFSSL_SERVER
2435
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
2436
    if (!ssl->options.disableECH && !ssl->options.echProcessingInner) {
2437
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);
2438
        if (echX != NULL) {
2439
            ech = (WOLFSSL_ECH*)(echX->data);
2440
        }
2441
    }
2442
#endif
2443
2444
0
    if (!extension || !extension->data) {
2445
        /* This will keep SNI even though TLSX_UseSNI has not been called.
2446
         * Enable it so that the received sni is available to functions
2447
         * that use a custom callback when SNI is received.
2448
         */
2449
    #ifdef WOLFSSL_ALWAYS_KEEP_SNI
2450
        cacheOnly = 1;
2451
    #endif
2452
0
        if (ssl->ctx->sniRecvCb) {
2453
0
            cacheOnly = 1;
2454
0
        }
2455
2456
0
        if (cacheOnly) {
2457
0
            WOLFSSL_MSG("Forcing SSL object to store SNI parameter");
2458
0
        }
2459
0
        else {
2460
        #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
2461
            if (ech == NULL)
2462
        #endif
2463
0
            {
2464
                /* Skipping, SNI not enabled at server side. */
2465
0
                return 0;
2466
0
            }
2467
2468
        #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
2469
            /* No server SNI configured but ECH is active:
2470
             * the outer SNI still needs to be matched against the echConfig
2471
             * publicName and recorded on ech->extensions. */
2472
            checkPublic = 1;
2473
        #endif
2474
0
        }
2475
0
    }
2476
2477
0
    if (OPAQUE16_LEN > length)
2478
0
        return BUFFER_ERROR;
2479
2480
0
    ato16(input, &size);
2481
0
    offset += OPAQUE16_LEN;
2482
2483
    /* validating sni list length */
2484
0
    if (length != OPAQUE16_LEN + size || size == 0)
2485
0
        return BUFFER_ERROR;
2486
2487
    /* SNI was badly specified and only one type is now recognized and allowed.
2488
     * Only one SNI value per type (RFC6066), so, no loop. */
2489
0
    type = input[offset++];
2490
0
    if (type != WOLFSSL_SNI_HOST_NAME)
2491
0
        return BUFFER_ERROR;
2492
2493
0
    if (offset + OPAQUE16_LEN > length)
2494
0
        return BUFFER_ERROR;
2495
0
    ato16(input + offset, &size);
2496
0
    offset += OPAQUE16_LEN;
2497
2498
0
    if (offset + size != length || size == 0)
2499
0
        return BUFFER_ERROR;
2500
2501
0
    if (!cacheOnly && !checkPublic &&
2502
0
            !(sni = TLSX_SNI_Find((SNI*)extension->data, type)))
2503
0
        return 0; /* not using this type of SNI. */
2504
2505
0
#if defined(WOLFSSL_TLS13)
2506
    /* Don't process the second ClientHello SNI extension if there
2507
     * was problems with the first.
2508
     */
2509
0
    if (!cacheOnly && sni != NULL && sni->status != WOLFSSL_SNI_NO_MATCH)
2510
0
        return 0;
2511
0
#endif
2512
2513
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
2514
    /* While parsing the outer CH accept a match against any
2515
     * echConfig publicName */
2516
    if (ech != NULL) {
2517
        workingConfig = ech->echConfig;
2518
        while (workingConfig != NULL) {
2519
            if (XSTRLEN(workingConfig->publicName) == size &&
2520
                    XSTRNCMP(workingConfig->publicName,
2521
                    (const char*)input + offset, size) == 0) {
2522
                matched = 1;
2523
                break;
2524
            }
2525
            workingConfig = workingConfig->next;
2526
        }
2527
2528
        /* If a publicName is matched then this SNI is not something that should
2529
         * be forcibly cached. This allows an SNI response to be given for the
2530
         * public name */
2531
        if (matched)
2532
            cacheOnly = 0;
2533
    }
2534
    if (!matched)
2535
#endif
2536
0
    {
2537
0
        const char* hostName;
2538
0
        hostName = (sni != NULL) ? sni->data.host_name : NULL;
2539
0
        matched = cacheOnly || (hostName != NULL &&
2540
0
            XSTRLEN(hostName) == size &&
2541
0
            XSTRNCMP(hostName, (const char*)input + offset, size) == 0);
2542
0
    }
2543
2544
    /* No server SNI configured and the outer name did not match a publicName:
2545
     * stay permissive and record nothing. If ECH is accepted, the absent
2546
     * publicName match is caught after the outer parse. */
2547
0
    if (!matched && checkPublic)
2548
0
        return 0;
2549
2550
0
    if (matched ||
2551
0
            (sni != NULL && (sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH))) {
2552
0
        int matchStat;
2553
0
        int r;
2554
0
        TLSX** writeList = &ssl->extensions;
2555
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
2556
        /* install onto ech->extensions if the public name was matched */
2557
        if (workingConfig != NULL)
2558
            writeList = &ech->extensions;
2559
#endif
2560
2561
0
        r = TLSX_UseSNI(writeList, type, input + offset, size, ssl->heap);
2562
2563
0
        if (r != WOLFSSL_SUCCESS)
2564
0
            return r; /* throws error. */
2565
2566
0
        if (cacheOnly) {
2567
0
            WOLFSSL_MSG("Forcing storage of SNI, Fake match");
2568
0
            matchStat = WOLFSSL_SNI_FORCE_KEEP;
2569
0
        }
2570
0
        else if (matched) {
2571
0
            WOLFSSL_MSG("SNI did match!");
2572
0
            matchStat = WOLFSSL_SNI_REAL_MATCH;
2573
0
        }
2574
0
        else {
2575
0
            WOLFSSL_MSG("fake SNI match from ANSWER_ON_MISMATCH");
2576
0
            matchStat = WOLFSSL_SNI_FAKE_MATCH;
2577
0
        }
2578
2579
0
        TLSX_SNI_SetStatus(*writeList, type, (byte)matchStat);
2580
2581
0
        if (!cacheOnly)
2582
0
            TLSX_SetResponseInList(*writeList, TLSX_SERVER_NAME);
2583
0
    }
2584
0
    else if ((sni == NULL) ||
2585
0
            !(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {
2586
0
        SendAlert(ssl, alert_fatal, unrecognized_name);
2587
0
        WOLFSSL_ERROR_VERBOSE(UNKNOWN_SNI_HOST_NAME_E);
2588
0
        return UNKNOWN_SNI_HOST_NAME_E;
2589
0
    }
2590
#else
2591
    (void)input;
2592
#endif /* !NO_WOLFSSL_SERVER */
2593
2594
#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
2595
    (void)length;
2596
#endif
2597
2598
0
    return 0;
2599
0
}
2600
2601
static int TLSX_SNI_VerifyParse(WOLFSSL* ssl,  byte isRequest)
2602
0
{
2603
0
    (void)ssl;
2604
2605
0
    if (isRequest) {
2606
0
    #ifndef NO_WOLFSSL_SERVER
2607
0
        TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
2608
0
        TLSX* ssl_ext = TLSX_Find(ssl->extensions,      TLSX_SERVER_NAME);
2609
0
        SNI* ctx_sni = ctx_ext ? (SNI*)ctx_ext->data : NULL;
2610
0
        SNI* ssl_sni = ssl_ext ? (SNI*)ssl_ext->data : NULL;
2611
0
        SNI* sni = NULL;
2612
2613
0
        for (; ctx_sni; ctx_sni = ctx_sni->next) {
2614
0
            if (ctx_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
2615
0
                sni = TLSX_SNI_Find(ssl_sni, ctx_sni->type);
2616
2617
0
                if (sni) {
2618
0
                    if (sni->status != WOLFSSL_SNI_NO_MATCH)
2619
0
                        continue;
2620
2621
                    /* if ssl level overrides ctx level, it is ok. */
2622
0
                    if ((sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) == 0)
2623
0
                        continue;
2624
0
                }
2625
2626
0
                SendAlert(ssl, alert_fatal,
2627
0
                          IsAtLeastTLSv1_3(ssl->version)
2628
0
                              ? missing_extension
2629
0
                              : handshake_failure);
2630
0
                WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR);
2631
0
                return SNI_ABSENT_ERROR;
2632
0
            }
2633
0
        }
2634
2635
0
        for (; ssl_sni; ssl_sni = ssl_sni->next) {
2636
0
            if (ssl_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
2637
0
                if (ssl_sni->status != WOLFSSL_SNI_NO_MATCH)
2638
0
                    continue;
2639
2640
0
                SendAlert(ssl, alert_fatal,
2641
0
                          IsAtLeastTLSv1_3(ssl->version)
2642
0
                              ? missing_extension
2643
0
                              : handshake_failure);
2644
0
                WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR);
2645
0
                return SNI_ABSENT_ERROR;
2646
0
            }
2647
0
        }
2648
0
    #endif /* NO_WOLFSSL_SERVER */
2649
0
    }
2650
2651
0
    return 0;
2652
0
}
2653
2654
int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size,
2655
                                                                     void* heap)
2656
0
{
2657
0
    TLSX* extension;
2658
0
    SNI* sni = NULL;
2659
2660
0
    if (extensions == NULL || data == NULL)
2661
0
        return BAD_FUNC_ARG;
2662
2663
0
    if ((type == WOLFSSL_SNI_HOST_NAME) && (size >= WOLFSSL_HOST_NAME_MAX))
2664
0
        return BAD_LENGTH_E;
2665
2666
0
    if ((sni = TLSX_SNI_New(type, data, size, heap)) == NULL)
2667
0
        return MEMORY_E;
2668
2669
0
    extension = TLSX_Find(*extensions, TLSX_SERVER_NAME);
2670
0
    if (!extension) {
2671
0
        int ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)sni, heap);
2672
2673
0
        if (ret != 0) {
2674
0
            TLSX_SNI_Free(sni, heap);
2675
0
            return ret;
2676
0
        }
2677
0
    }
2678
0
    else {
2679
        /* push new SNI object to extension data. */
2680
0
        sni->next = (SNI*)extension->data;
2681
0
        extension->data = (void*)sni;
2682
2683
        /* remove duplicate SNI, there should be only one of each type. */
2684
0
        do {
2685
0
            if (sni->next && sni->next->type == type) {
2686
0
                SNI* next = sni->next;
2687
2688
0
                sni->next = next->next;
2689
0
                TLSX_SNI_Free(next, heap);
2690
2691
                /* there is no way to occur more than
2692
                 * two SNIs of the same type.
2693
                 */
2694
0
                break;
2695
0
            }
2696
0
        } while ((sni = sni->next));
2697
0
    }
2698
2699
0
    return WOLFSSL_SUCCESS;
2700
0
}
2701
2702
/* client-side needs this function when ECH is enabled */
2703
#if !defined(NO_WOLFSSL_SERVER) || defined(HAVE_ECH)
2704
/** Tells the SNI requested by the client. */
2705
word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data,
2706
        byte ignoreStatus)
2707
0
{
2708
0
    TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
2709
0
    SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
2710
2711
0
    if (sni && (ignoreStatus || sni->status != WOLFSSL_SNI_NO_MATCH)) {
2712
0
        switch (sni->type) {
2713
0
            case WOLFSSL_SNI_HOST_NAME:
2714
0
                if (data) {
2715
0
                    *data = sni->data.host_name;
2716
0
                    return (word16)XSTRLEN((char*)*data);
2717
0
                }
2718
0
        }
2719
0
    }
2720
2721
0
    return 0;
2722
0
}
2723
#endif
2724
2725
#ifndef NO_WOLFSSL_SERVER
2726
/** Sets the options for a SNI object. */
2727
void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
2728
0
{
2729
0
    TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
2730
0
    SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type);
2731
2732
0
    if (sni)
2733
0
        sni->options = options;
2734
0
}
2735
2736
/** Retrieves a SNI request from a client hello buffer. */
2737
int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
2738
                           byte type, byte* sni, word32* inOutSz)
2739
0
{
2740
0
    word32 offset = 0;
2741
0
    word32 len32 = 0;
2742
0
    word16 len16 = 0;
2743
2744
0
    if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST)
2745
0
        return INCOMPLETE_DATA;
2746
2747
    /* TLS record header */
2748
0
    if ((enum ContentType) clientHello[offset++] != handshake) {
2749
2750
        /* checking for SSLv2.0 client hello according to: */
2751
        /* http://tools.ietf.org/html/rfc4346#appendix-E.1 */
2752
0
        if ((enum HandShakeType) clientHello[++offset] == client_hello) {
2753
0
            offset += ENUM_LEN + VERSION_SZ; /* skip version */
2754
2755
0
            ato16(clientHello + offset, &len16);
2756
0
            offset += OPAQUE16_LEN;
2757
2758
0
            if (len16 % 3) /* cipher_spec_length must be multiple of 3 */
2759
0
                return BUFFER_ERROR;
2760
2761
0
            ato16(clientHello + offset, &len16);
2762
            /* Returning SNI_UNSUPPORTED do not increment offset here */
2763
2764
0
            if (len16 != 0) /* session_id_length must be 0 */
2765
0
                return BUFFER_ERROR;
2766
2767
0
            WOLFSSL_ERROR_VERBOSE(SNI_UNSUPPORTED);
2768
0
            return SNI_UNSUPPORTED;
2769
0
        }
2770
2771
0
        return BUFFER_ERROR;
2772
0
    }
2773
2774
0
    if (clientHello[offset++] != SSLv3_MAJOR)
2775
0
        return BUFFER_ERROR;
2776
2777
0
    if (clientHello[offset++] < TLSv1_MINOR) {
2778
0
        WOLFSSL_ERROR_VERBOSE(SNI_UNSUPPORTED);
2779
0
        return SNI_UNSUPPORTED;
2780
0
    }
2781
2782
0
    ato16(clientHello + offset, &len16);
2783
0
    offset += OPAQUE16_LEN;
2784
2785
0
    if (offset + len16 > helloSz)
2786
0
        return INCOMPLETE_DATA;
2787
2788
    /* Handshake header */
2789
0
    if ((enum HandShakeType) clientHello[offset] != client_hello)
2790
0
        return BUFFER_ERROR;
2791
2792
0
    c24to32(clientHello + offset + 1, &len32);
2793
0
    offset += HANDSHAKE_HEADER_SZ;
2794
2795
0
    if (offset + len32 > helloSz)
2796
0
        return BUFFER_ERROR;
2797
2798
    /* client hello */
2799
0
    offset += VERSION_SZ + RAN_LEN; /* version, random */
2800
2801
0
    if (helloSz < offset + clientHello[offset])
2802
0
        return BUFFER_ERROR;
2803
2804
0
    offset += ENUM_LEN + clientHello[offset]; /* skip session id */
2805
2806
    /* cypher suites */
2807
0
    if (helloSz < offset + OPAQUE16_LEN)
2808
0
        return BUFFER_ERROR;
2809
2810
0
    ato16(clientHello + offset, &len16);
2811
0
    offset += OPAQUE16_LEN;
2812
2813
0
    if (helloSz < offset + len16)
2814
0
        return BUFFER_ERROR;
2815
2816
0
    offset += len16; /* skip cypher suites */
2817
2818
    /* compression methods */
2819
0
    if (helloSz < offset + 1)
2820
0
        return BUFFER_ERROR;
2821
2822
0
    if (helloSz < offset + clientHello[offset])
2823
0
        return BUFFER_ERROR;
2824
2825
0
    offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */
2826
2827
    /* extensions */
2828
0
    if (helloSz < offset + OPAQUE16_LEN)
2829
0
        return 0; /* no extensions in client hello. */
2830
2831
0
    ato16(clientHello + offset, &len16);
2832
0
    offset += OPAQUE16_LEN;
2833
2834
0
    if (helloSz < offset + len16)
2835
0
        return BUFFER_ERROR;
2836
2837
0
    while (len16 >= OPAQUE16_LEN + OPAQUE16_LEN) {
2838
0
        word16 extType;
2839
0
        word16 extLen;
2840
2841
0
        ato16(clientHello + offset, &extType);
2842
0
        offset += OPAQUE16_LEN;
2843
2844
0
        ato16(clientHello + offset, &extLen);
2845
0
        offset += OPAQUE16_LEN;
2846
2847
0
        if (helloSz < offset + extLen)
2848
0
            return BUFFER_ERROR;
2849
2850
0
        if (extType != TLSX_SERVER_NAME) {
2851
0
            offset += extLen; /* skip extension */
2852
0
        } else {
2853
0
            word16 listLen;
2854
2855
0
            if (extLen < OPAQUE16_LEN)
2856
0
                return BUFFER_ERROR;
2857
2858
0
            ato16(clientHello + offset, &listLen);
2859
0
            offset += OPAQUE16_LEN;
2860
2861
0
            if (listLen != extLen - OPAQUE16_LEN)
2862
0
                return BUFFER_ERROR;
2863
2864
0
            if (helloSz < offset + listLen)
2865
0
                return BUFFER_ERROR;
2866
2867
0
            while (listLen > ENUM_LEN + OPAQUE16_LEN) {
2868
0
                byte   sniType = clientHello[offset++];
2869
0
                word16 sniLen;
2870
2871
0
                ato16(clientHello + offset, &sniLen);
2872
0
                offset += OPAQUE16_LEN;
2873
2874
0
                if (sniLen > listLen - (ENUM_LEN + OPAQUE16_LEN))
2875
0
                    return BUFFER_ERROR;
2876
2877
0
                if (helloSz < offset + sniLen)
2878
0
                    return BUFFER_ERROR;
2879
2880
0
                if (sniType != type) {
2881
0
                    offset  += sniLen;
2882
0
                    listLen -= min(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen);
2883
0
                    continue;
2884
0
                }
2885
2886
0
                *inOutSz = min(sniLen, *inOutSz);
2887
0
                XMEMCPY(sni, clientHello + offset, *inOutSz);
2888
2889
0
                return WOLFSSL_SUCCESS;
2890
0
            }
2891
0
        }
2892
2893
0
        len16 -= min(2 * OPAQUE16_LEN + extLen, len16);
2894
0
    }
2895
2896
0
    return len16 ? BUFFER_ERROR : 0;
2897
0
}
2898
2899
#endif
2900
2901
0
#define SNI_FREE_ALL     TLSX_SNI_FreeAll
2902
0
#define SNI_GET_SIZE     TLSX_SNI_GetSize
2903
0
#define SNI_WRITE        TLSX_SNI_Write
2904
0
#define SNI_PARSE        TLSX_SNI_Parse
2905
0
#define SNI_VERIFY_PARSE TLSX_SNI_VerifyParse
2906
2907
#else
2908
2909
#define SNI_FREE_ALL(list, heap) WC_DO_NOTHING
2910
#define SNI_GET_SIZE(list)     0
2911
#define SNI_WRITE(a, b)        0
2912
#define SNI_PARSE(a, b, c, d)  0
2913
#define SNI_VERIFY_PARSE(a, b) 0
2914
2915
#endif /* HAVE_SNI */
2916
2917
/******************************************************************************/
2918
/* Trusted CA Key Indication                                                  */
2919
/******************************************************************************/
2920
2921
#ifdef HAVE_TRUSTED_CA
2922
2923
/** Creates a new TCA object. */
2924
static TCA* TLSX_TCA_New(byte type, const byte* id, word16 idSz, void* heap)
2925
{
2926
    TCA* tca = (TCA*)XMALLOC(sizeof(TCA), heap, DYNAMIC_TYPE_TLSX);
2927
2928
    if (tca) {
2929
        XMEMSET(tca, 0, sizeof(TCA));
2930
        tca->type = type;
2931
2932
        switch (type) {
2933
            case WOLFSSL_TRUSTED_CA_PRE_AGREED:
2934
                break;
2935
2936
            #ifndef NO_SHA
2937
            case WOLFSSL_TRUSTED_CA_KEY_SHA1:
2938
            case WOLFSSL_TRUSTED_CA_CERT_SHA1:
2939
                if (idSz == WC_SHA_DIGEST_SIZE &&
2940
                        (tca->id =
2941
                            (byte*)XMALLOC(idSz, heap, DYNAMIC_TYPE_TLSX))) {
2942
                    XMEMCPY(tca->id, id, idSz);
2943
                    tca->idSz = idSz;
2944
                }
2945
                else {
2946
                    XFREE(tca, heap, DYNAMIC_TYPE_TLSX);
2947
                    tca = NULL;
2948
                }
2949
                break;
2950
            #endif
2951
2952
            case WOLFSSL_TRUSTED_CA_X509_NAME:
2953
                if (idSz > 0 &&
2954
                        (tca->id =
2955
                            (byte*)XMALLOC(idSz, heap, DYNAMIC_TYPE_TLSX))) {
2956
                    XMEMCPY(tca->id, id, idSz);
2957
                    tca->idSz = idSz;
2958
                }
2959
                else {
2960
                    XFREE(tca, heap, DYNAMIC_TYPE_TLSX);
2961
                    tca = NULL;
2962
                }
2963
                break;
2964
2965
            default: /* invalid type */
2966
                XFREE(tca, heap, DYNAMIC_TYPE_TLSX);
2967
                tca = NULL;
2968
        }
2969
    }
2970
2971
    (void)heap;
2972
2973
    return tca;
2974
}
2975
2976
/** Releases a TCA object. */
2977
static void TLSX_TCA_Free(TCA* tca, void* heap)
2978
{
2979
    (void)heap;
2980
2981
    if (tca) {
2982
        XFREE(tca->id, heap, DYNAMIC_TYPE_TLSX);
2983
        XFREE(tca, heap, DYNAMIC_TYPE_TLSX);
2984
    }
2985
}
2986
2987
/** Releases all TCA objects in the provided list. */
2988
static void TLSX_TCA_FreeAll(TCA* list, void* heap)
2989
{
2990
    TCA* tca;
2991
2992
    while ((tca = list)) {
2993
        list = tca->next;
2994
        TLSX_TCA_Free(tca, heap);
2995
    }
2996
}
2997
2998
/** Tells the buffered size of the TCA objects in a list. */
2999
static word16 TLSX_TCA_GetSize(TCA* list)
3000
{
3001
    TCA* tca;
3002
    word32 length = OPAQUE16_LEN; /* list length */
3003
3004
    while ((tca = list)) {
3005
        list = tca->next;
3006
3007
        length += ENUM_LEN; /* tca type */
3008
3009
        switch (tca->type) {
3010
            case WOLFSSL_TRUSTED_CA_PRE_AGREED:
3011
                break;
3012
            case WOLFSSL_TRUSTED_CA_KEY_SHA1:
3013
            case WOLFSSL_TRUSTED_CA_CERT_SHA1:
3014
                length += tca->idSz;
3015
                break;
3016
            case WOLFSSL_TRUSTED_CA_X509_NAME:
3017
                length += OPAQUE16_LEN + tca->idSz;
3018
                break;
3019
        }
3020
3021
        if (length > WOLFSSL_MAX_16BIT) {
3022
            return 0;
3023
        }
3024
    }
3025
3026
    return (word16)length;
3027
}
3028
3029
/** Writes the TCA objects of a list in a buffer. */
3030
static word16 TLSX_TCA_Write(TCA* list, byte* output)
3031
{
3032
    TCA* tca;
3033
    word16 offset = OPAQUE16_LEN; /* list length offset */
3034
3035
    while ((tca = list)) {
3036
        list = tca->next;
3037
3038
        output[offset++] = tca->type; /* tca type */
3039
3040
        switch (tca->type) {
3041
            case WOLFSSL_TRUSTED_CA_PRE_AGREED:
3042
                break;
3043
            #ifndef NO_SHA
3044
            case WOLFSSL_TRUSTED_CA_KEY_SHA1:
3045
            case WOLFSSL_TRUSTED_CA_CERT_SHA1:
3046
                if (tca->id != NULL) {
3047
                    XMEMCPY(output + offset, tca->id, tca->idSz);
3048
                    offset += tca->idSz;
3049
                }
3050
                else {
3051
                    /* ID missing. Set to an empty string. */
3052
                    c16toa(0, output + offset);
3053
                    offset += OPAQUE16_LEN;
3054
                }
3055
                break;
3056
            #endif
3057
            case WOLFSSL_TRUSTED_CA_X509_NAME:
3058
                if (tca->id != NULL) {
3059
                    c16toa(tca->idSz, output + offset); /* tca length */
3060
                    offset += OPAQUE16_LEN;
3061
                    XMEMCPY(output + offset, tca->id, tca->idSz);
3062
                    offset += tca->idSz;
3063
                }
3064
                else {
3065
                    /* ID missing. Set to an empty string. */
3066
                    c16toa(0, output + offset);
3067
                    offset += OPAQUE16_LEN;
3068
                }
3069
                break;
3070
            default:
3071
                /* ID unknown. Set to an empty string. */
3072
                c16toa(0, output + offset);
3073
                offset += OPAQUE16_LEN;
3074
        }
3075
    }
3076
3077
    c16toa(offset - OPAQUE16_LEN, output); /* writing list length */
3078
3079
    return offset;
3080
}
3081
3082
#ifndef NO_WOLFSSL_SERVER
3083
static TCA* TLSX_TCA_Find(TCA *list, byte type, const byte* id, word16 idSz)
3084
{
3085
    TCA* tca = list;
3086
3087
    while (tca) {
3088
        if (type == WOLFSSL_TRUSTED_CA_PRE_AGREED)
3089
            break;
3090
        if (tca->type == type && idSz == tca->idSz &&
3091
                XMEMCMP(id, tca->id, idSz) == 0)
3092
            break;
3093
        tca = tca->next;
3094
    }
3095
3096
    return tca;
3097
}
3098
#endif /* NO_WOLFSSL_SERVER */
3099
3100
/** Parses a buffer of TCA extensions. */
3101
static int TLSX_TCA_Parse(WOLFSSL* ssl, const byte* input, word16 length,
3102
                          byte isRequest)
3103
{
3104
#ifndef NO_WOLFSSL_SERVER
3105
    word16 size = 0;
3106
    word16 offset = 0;
3107
#endif
3108
3109
    TLSX *extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);
3110
3111
    if (!extension)
3112
        extension = TLSX_Find(ssl->ctx->extensions, TLSX_TRUSTED_CA_KEYS);
3113
3114
    if (!isRequest) {
3115
        #ifndef NO_WOLFSSL_CLIENT
3116
            if (!extension || !extension->data)
3117
                return TLSX_HandleUnsupportedExtension(ssl);
3118
3119
            if (length > 0)
3120
                return BUFFER_ERROR; /* TCA response MUST be empty. */
3121
3122
            /* Set the flag that we're good for keys */
3123
            TLSX_SetResponse(ssl, TLSX_TRUSTED_CA_KEYS);
3124
3125
            return 0;
3126
        #endif
3127
    }
3128
3129
#ifndef NO_WOLFSSL_SERVER
3130
    if (!extension || !extension->data) {
3131
        /* Skipping, TCA not enabled at server side. */
3132
        return 0;
3133
    }
3134
3135
    if (OPAQUE16_LEN > length)
3136
        return BUFFER_ERROR;
3137
3138
    ato16(input, &size);
3139
    offset += OPAQUE16_LEN;
3140
3141
    /* validating tca list length */
3142
    if (length != OPAQUE16_LEN + size)
3143
        return BUFFER_ERROR;
3144
3145
    for (size = 0; offset < length; offset += size) {
3146
        TCA *tca = NULL;
3147
        byte type;
3148
        const byte* id = NULL;
3149
        word16 idSz = 0;
3150
3151
        if (offset + ENUM_LEN > length)
3152
            return BUFFER_ERROR;
3153
3154
        type = input[offset++];
3155
3156
        switch (type) {
3157
            case WOLFSSL_TRUSTED_CA_PRE_AGREED:
3158
                break;
3159
            #ifndef NO_SHA
3160
            case WOLFSSL_TRUSTED_CA_KEY_SHA1:
3161
            case WOLFSSL_TRUSTED_CA_CERT_SHA1:
3162
                if (offset + WC_SHA_DIGEST_SIZE > length)
3163
                    return BUFFER_ERROR;
3164
                idSz = WC_SHA_DIGEST_SIZE;
3165
                id = input + offset;
3166
                offset += idSz;
3167
                break;
3168
            #endif
3169
            case WOLFSSL_TRUSTED_CA_X509_NAME:
3170
                if (offset + OPAQUE16_LEN > length)
3171
                    return BUFFER_ERROR;
3172
                ato16(input + offset, &idSz);
3173
                offset += OPAQUE16_LEN;
3174
                if ((offset > length) || (idSz > length - offset))
3175
                    return BUFFER_ERROR;
3176
                id = input + offset;
3177
                offset += idSz;
3178
                break;
3179
            default:
3180
                WOLFSSL_ERROR_VERBOSE(TCA_INVALID_ID_TYPE);
3181
                return TCA_INVALID_ID_TYPE;
3182
        }
3183
3184
        /* Find the type/ID in the TCA list. */
3185
        tca = TLSX_TCA_Find((TCA*)extension->data, type, id, idSz);
3186
        if (tca != NULL) {
3187
            /* Found it. Set the response flag and break out of the loop. */
3188
            TLSX_SetResponse(ssl, TLSX_TRUSTED_CA_KEYS);
3189
            break;
3190
        }
3191
    }
3192
#else
3193
    (void)input;
3194
#endif
3195
3196
    return 0;
3197
}
3198
3199
/* Checks to see if the server sent a response for the TCA. */
3200
static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest)
3201
{
3202
    (void)ssl;
3203
3204
    if (!isRequest) {
3205
        /* RFC 6066 section 6 states that the server responding
3206
         * to trusted_ca_keys is optional.  Do not error out unless
3207
         * opted into with the define WOLFSSL_REQUIRE_TCA. */
3208
    #if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_REQUIRE_TCA)
3209
        TLSX* extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS);
3210
3211
        if (extension && !extension->resp) {
3212
            SendAlert(ssl, alert_fatal, handshake_failure);
3213
            WOLFSSL_ERROR_VERBOSE(TCA_ABSENT_ERROR);
3214
            return TCA_ABSENT_ERROR;
3215
        }
3216
    #else
3217
        WOLFSSL_MSG("No response received for trusted_ca_keys.  Continuing.");
3218
    #endif /* !NO_WOLFSSL_CLIENT && WOLFSSL_REQUIRE_TCA */
3219
    }
3220
3221
    return 0;
3222
}
3223
3224
int TLSX_UseTrustedCA(TLSX** extensions, byte type,
3225
                    const byte* id, word16 idSz, void* heap)
3226
{
3227
    TLSX* extension;
3228
    TCA* tca = NULL;
3229
3230
    if (extensions == NULL)
3231
        return BAD_FUNC_ARG;
3232
3233
    if ((tca = TLSX_TCA_New(type, id, idSz, heap)) == NULL)
3234
        return MEMORY_E;
3235
3236
    extension = TLSX_Find(*extensions, TLSX_TRUSTED_CA_KEYS);
3237
    if (!extension) {
3238
        int ret = TLSX_Push(extensions, TLSX_TRUSTED_CA_KEYS, (void*)tca, heap);
3239
3240
        if (ret != 0) {
3241
            TLSX_TCA_Free(tca, heap);
3242
            return ret;
3243
        }
3244
    }
3245
    else {
3246
        /* push new TCA object to extension data. */
3247
        tca->next = (TCA*)extension->data;
3248
        extension->data = (void*)tca;
3249
    }
3250
3251
    return WOLFSSL_SUCCESS;
3252
}
3253
3254
#define TCA_FREE_ALL     TLSX_TCA_FreeAll
3255
#define TCA_GET_SIZE     TLSX_TCA_GetSize
3256
#define TCA_WRITE        TLSX_TCA_Write
3257
#define TCA_PARSE        TLSX_TCA_Parse
3258
#define TCA_VERIFY_PARSE TLSX_TCA_VerifyParse
3259
3260
#else /* HAVE_TRUSTED_CA */
3261
3262
0
#define TCA_FREE_ALL(list, heap) WC_DO_NOTHING
3263
0
#define TCA_GET_SIZE(list)     0
3264
0
#define TCA_WRITE(a, b)        0
3265
0
#define TCA_PARSE(a, b, c, d)  0
3266
0
#define TCA_VERIFY_PARSE(a, b) 0
3267
3268
#endif /* HAVE_TRUSTED_CA */
3269
3270
/******************************************************************************/
3271
/* Max Fragment Length Negotiation                                            */
3272
/******************************************************************************/
3273
3274
#ifdef HAVE_MAX_FRAGMENT
3275
3276
static word16 TLSX_MFL_Write(byte* data, byte* output)
3277
{
3278
    output[0] = data[0];
3279
3280
    return ENUM_LEN;
3281
}
3282
3283
static int TLSX_MFL_Parse(WOLFSSL* ssl, const byte* input, word16 length,
3284
                          byte isRequest)
3285
{
3286
    if (length != ENUM_LEN)
3287
        return BUFFER_ERROR;
3288
3289
#ifdef WOLFSSL_OLD_UNSUPPORTED_EXTENSION
3290
    (void) isRequest;
3291
#else
3292
    if (!isRequest) {
3293
        TLSX* extension;
3294
3295
        if (TLSX_CheckUnsupportedExtension(ssl, TLSX_MAX_FRAGMENT_LENGTH))
3296
            return TLSX_HandleUnsupportedExtension(ssl);
3297
3298
        /* RFC 6066 Section 4: the server's response value must match the
3299
         * value the client requested. The request may have been configured on
3300
         * the WOLFSSL object or inherited from the WOLFSSL_CTX. */
3301
        extension = TLSX_Find(ssl->extensions, TLSX_MAX_FRAGMENT_LENGTH);
3302
        if (extension == NULL) {
3303
            extension = TLSX_Find(ssl->ctx->extensions,
3304
                    TLSX_MAX_FRAGMENT_LENGTH);
3305
        }
3306
        if (extension == NULL || extension->data == NULL ||
3307
                ((byte*)extension->data)[0] != *input) {
3308
            SendAlert(ssl, alert_fatal, illegal_parameter);
3309
            WOLFSSL_ERROR_VERBOSE(UNKNOWN_MAX_FRAG_LEN_E);
3310
            return UNKNOWN_MAX_FRAG_LEN_E;
3311
        }
3312
    }
3313
#endif
3314
3315
    switch (*input) {
3316
        case WOLFSSL_MFL_2_8 : ssl->max_fragment =  256; break;
3317
        case WOLFSSL_MFL_2_9 : ssl->max_fragment =  512; break;
3318
        case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break;
3319
        case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break;
3320
        case WOLFSSL_MFL_2_12: ssl->max_fragment = 4096; break;
3321
        case WOLFSSL_MFL_2_13: ssl->max_fragment = 8192; break;
3322
3323
        default:
3324
            SendAlert(ssl, alert_fatal, illegal_parameter);
3325
            WOLFSSL_ERROR_VERBOSE(UNKNOWN_MAX_FRAG_LEN_E);
3326
            return UNKNOWN_MAX_FRAG_LEN_E;
3327
    }
3328
    if (ssl->session != NULL) {
3329
        ssl->session->mfl = *input;
3330
    }
3331
3332
#ifndef NO_WOLFSSL_SERVER
3333
    if (isRequest) {
3334
        int ret = TLSX_UseMaxFragment(&ssl->extensions, *input, ssl->heap);
3335
3336
        if (ret != WOLFSSL_SUCCESS)
3337
            return ret; /* throw error */
3338
3339
        TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH);
3340
    }
3341
#endif
3342
3343
    return 0;
3344
}
3345
3346
int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap)
3347
{
3348
    byte* data = NULL;
3349
    int ret = 0;
3350
3351
    if (extensions == NULL || mfl < WOLFSSL_MFL_MIN || mfl > WOLFSSL_MFL_MAX)
3352
        return BAD_FUNC_ARG;
3353
3354
    data = (byte*)XMALLOC(ENUM_LEN, heap, DYNAMIC_TYPE_TLSX);
3355
    if (data == NULL)
3356
        return MEMORY_E;
3357
3358
    data[0] = mfl;
3359
3360
    ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, data, heap);
3361
    if (ret != 0) {
3362
        XFREE(data, heap, DYNAMIC_TYPE_TLSX);
3363
        return ret;
3364
    }
3365
3366
    return WOLFSSL_SUCCESS;
3367
}
3368
3369
3370
#define MFL_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX)
3371
#define MFL_GET_SIZE(data) ENUM_LEN
3372
#define MFL_WRITE          TLSX_MFL_Write
3373
#define MFL_PARSE          TLSX_MFL_Parse
3374
3375
#else
3376
3377
0
#define MFL_FREE_ALL(a, b) WC_DO_NOTHING
3378
0
#define MFL_GET_SIZE(a)       0
3379
0
#define MFL_WRITE(a, b)       0
3380
0
#define MFL_PARSE(a, b, c, d) 0
3381
3382
#endif /* HAVE_MAX_FRAGMENT */
3383
3384
/******************************************************************************/
3385
/* Truncated HMAC                                                             */
3386
/******************************************************************************/
3387
3388
#ifdef HAVE_TRUNCATED_HMAC
3389
3390
static int TLSX_THM_Parse(WOLFSSL* ssl, const byte* input, word16 length,
3391
                          byte isRequest)
3392
{
3393
    if (length != 0 || input == NULL)
3394
        return BUFFER_ERROR;
3395
3396
    if (!isRequest) {
3397
    #ifndef WOLFSSL_OLD_UNSUPPORTED_EXTENSION
3398
        if (TLSX_CheckUnsupportedExtension(ssl, TLSX_TRUNCATED_HMAC))
3399
            return TLSX_HandleUnsupportedExtension(ssl);
3400
    #endif
3401
    }
3402
    else {
3403
        #ifndef NO_WOLFSSL_SERVER
3404
            int ret = TLSX_UseTruncatedHMAC(&ssl->extensions, ssl->heap);
3405
3406
            if (ret != WOLFSSL_SUCCESS)
3407
                return ret; /* throw error */
3408
3409
            TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC);
3410
        #endif
3411
    }
3412
3413
    ssl->truncated_hmac = 1;
3414
3415
    return 0;
3416
}
3417
3418
int TLSX_UseTruncatedHMAC(TLSX** extensions, void* heap)
3419
{
3420
    int ret = 0;
3421
3422
    if (extensions == NULL)
3423
        return BAD_FUNC_ARG;
3424
3425
    ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL, heap);
3426
    if (ret != 0)
3427
        return ret;
3428
3429
    return WOLFSSL_SUCCESS;
3430
}
3431
3432
#define THM_PARSE TLSX_THM_Parse
3433
3434
#else
3435
3436
0
#define THM_PARSE(a, b, c, d) 0
3437
3438
#endif /* HAVE_TRUNCATED_HMAC */
3439
3440
/******************************************************************************/
3441
/* Certificate Status Request                                                 */
3442
/******************************************************************************/
3443
3444
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
3445
3446
static void TLSX_CSR_Free(CertificateStatusRequest* csr, void* heap)
3447
{
3448
    int i;
3449
3450
    switch (csr->status_type) {
3451
        case WOLFSSL_CSR_OCSP:
3452
            for (i = 0; i < csr->requests; i++) {
3453
                FreeOcspRequest(&csr->request.ocsp[i]);
3454
            }
3455
        break;
3456
    }
3457
#ifdef WOLFSSL_TLS13
3458
    for (i = 0; i < MAX_CERT_EXTENSIONS; i++) {
3459
        if (csr->responses[i].buffer != NULL) {
3460
            XFREE(csr->responses[i].buffer, heap,
3461
                DYNAMIC_TYPE_TMP_BUFFER);
3462
        }
3463
    }
3464
#endif
3465
    XFREE(csr, heap, DYNAMIC_TYPE_TLSX);
3466
    (void)heap;
3467
}
3468
3469
word16 TLSX_CSR_GetSize_ex(CertificateStatusRequest* csr, byte isRequest,
3470
                                                             int idx)
3471
{
3472
    word32 size = 0;
3473
3474
    /* shut up compiler warnings */
3475
    (void) csr; (void) isRequest;
3476
#ifndef NO_WOLFSSL_CLIENT
3477
    if (isRequest) {
3478
        switch (csr->status_type) {
3479
            case WOLFSSL_CSR_OCSP:
3480
                size += ENUM_LEN + 2 * OPAQUE16_LEN;
3481
3482
                if (csr->request.ocsp[0].nonceSz)
3483
                    size += OCSP_NONCE_EXT_SZ;
3484
            break;
3485
        }
3486
    }
3487
#endif
3488
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
3489
    if (!isRequest && IsAtLeastTLSv1_3(csr->ssl->version)) {
3490
        if (csr->ssl != NULL && SSL_CM(csr->ssl) != NULL &&
3491
                SSL_CM(csr->ssl)->ocsp_stapling != NULL &&
3492
                SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL) {
3493
            if (WOLFSSL_MAX_16BIT - OPAQUE8_LEN - OPAQUE24_LEN <
3494
                    csr->ssl->ocspCsrResp[idx].length) {
3495
                return 0;
3496
            }
3497
            size = OPAQUE8_LEN + OPAQUE24_LEN +
3498
                    csr->ssl->ocspCsrResp[idx].length;
3499
            return (word16)size;
3500
        }
3501
        if (WOLFSSL_MAX_16BIT - OPAQUE8_LEN - OPAQUE24_LEN <
3502
                csr->responses[idx].length) {
3503
            return 0;
3504
        }
3505
        size = OPAQUE8_LEN + OPAQUE24_LEN + csr->responses[idx].length;
3506
        return (word16)size;
3507
    }
3508
#else
3509
    (void)idx;
3510
#endif
3511
    return (word16)size;
3512
}
3513
3514
#if (defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER))
3515
int TLSX_CSR_SetResponseWithStatusCB(WOLFSSL *ssl)
3516
{
3517
    WOLFSSL_OCSP *ocsp;
3518
    int ret;
3519
3520
    if (ssl == NULL || SSL_CM(ssl) == NULL)
3521
        return BAD_FUNC_ARG;
3522
    ocsp = SSL_CM(ssl)->ocsp_stapling;
3523
    if (ocsp == NULL || ocsp->statusCb == NULL)
3524
        return BAD_FUNC_ARG;
3525
    ret = ocsp->statusCb(ssl, ocsp->statusCbArg);
3526
    switch (ret) {
3527
        case WOLFSSL_OCSP_STATUS_CB_OK: {
3528
            size_t i;
3529
            for (i = 0; i < XELEM_CNT(ssl->ocspCsrResp); i++) {
3530
                if (ssl->ocspCsrResp[i].length > 0) {
3531
                    /* ack the extension, status cb provided the response in
3532
                     * ssl->ocspCsrResp */
3533
                    TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
3534
                    ssl->status_request = WOLFSSL_CSR_OCSP;
3535
                    break;
3536
                }
3537
            }
3538
            ret = 0;
3539
            break;
3540
        }
3541
        case WOLFSSL_OCSP_STATUS_CB_NOACK:
3542
            /* suppressing as not critical */
3543
            ret = 0;
3544
            break;
3545
        case WOLFSSL_OCSP_STATUS_CB_ALERT_FATAL:
3546
        default:
3547
            ret = WOLFSSL_FATAL_ERROR;
3548
            break;
3549
    }
3550
    return ret;
3551
}
3552
3553
static int TLSX_CSR_WriteWithStatusCB(CertificateStatusRequest* csr,
3554
    byte* output, int idx)
3555
{
3556
    WOLFSSL *ssl = csr->ssl;
3557
    WOLFSSL_OCSP *ocsp;
3558
    word16 offset = 0;
3559
    byte *response;
3560
    int respSz;
3561
3562
    if (ssl == NULL || SSL_CM(ssl) == NULL)
3563
        return BAD_FUNC_ARG;
3564
    ocsp = SSL_CM(ssl)->ocsp_stapling;
3565
    if (ocsp == NULL || ocsp->statusCb == NULL)
3566
        return BAD_FUNC_ARG;
3567
    response = ssl->ocspCsrResp[idx].buffer;
3568
    respSz = ssl->ocspCsrResp[idx].length;
3569
    if (response == NULL || respSz == 0)
3570
        return BAD_FUNC_ARG;
3571
    output[offset++] = WOLFSSL_CSR_OCSP;
3572
    c32to24(respSz, output + offset);
3573
    offset += OPAQUE24_LEN;
3574
    XMEMCPY(output + offset, response, respSz);
3575
    return offset + respSz;
3576
}
3577
#endif /* (TLS13 && !NO_WOLFSLL_SERVER) */
3578
3579
static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest)
3580
{
3581
    return TLSX_CSR_GetSize_ex(csr, isRequest, 0);
3582
}
3583
3584
int TLSX_CSR_Write_ex(CertificateStatusRequest* csr, byte* output,
3585
                          byte isRequest, int idx)
3586
{
3587
    /* shut up compiler warnings */
3588
    (void) csr; (void) output; (void) isRequest;
3589
3590
#ifndef NO_WOLFSSL_CLIENT
3591
    if (isRequest) {
3592
        int ret = 0;
3593
        word16 offset = 0;
3594
        word16 length = 0;
3595
3596
        /* type */
3597
        output[offset++] = csr->status_type;
3598
3599
        switch (csr->status_type) {
3600
            case WOLFSSL_CSR_OCSP:
3601
                /* responder id list */
3602
                c16toa(0, output + offset);
3603
                offset += OPAQUE16_LEN;
3604
3605
                /* request extensions */
3606
                if (csr->request.ocsp[0].nonceSz) {
3607
                    ret = (int)EncodeOcspRequestExtensions(&csr->request.ocsp[0],
3608
                                                 output + offset + OPAQUE16_LEN,
3609
                                                 OCSP_NONCE_EXT_SZ);
3610
3611
                    if (ret > 0) {
3612
                        length = (word16)ret;
3613
                    }
3614
                    else {
3615
                        return ret;
3616
                    }
3617
                }
3618
3619
                c16toa(length, output + offset);
3620
                offset += OPAQUE16_LEN + length;
3621
3622
            break;
3623
        }
3624
3625
        return (int)offset;
3626
    }
3627
#endif
3628
#if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)
3629
    if (!isRequest && IsAtLeastTLSv1_3(csr->ssl->version)) {
3630
        word16 offset = 0;
3631
        if (csr->ssl != NULL && SSL_CM(csr->ssl) != NULL &&
3632
                SSL_CM(csr->ssl)->ocsp_stapling != NULL &&
3633
                SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL) {
3634
            return TLSX_CSR_WriteWithStatusCB(csr, output, idx);
3635
        }
3636
        output[offset++] = csr->status_type;
3637
        c32to24(csr->responses[idx].length, output + offset);
3638
        offset += OPAQUE24_LEN;
3639
        XMEMCPY(output + offset, csr->responses[idx].buffer,
3640
                                        csr->responses[idx].length);
3641
        offset += (word16)csr->responses[idx].length;
3642
        return offset;
3643
    }
3644
#else
3645
    (void)idx;
3646
#endif
3647
3648
    return 0;
3649
}
3650
3651
static int TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output,
3652
                          byte isRequest)
3653
{
3654
    return TLSX_CSR_Write_ex(csr, output, isRequest, 0);
3655
}
3656
3657
#if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13) && \
3658
    defined(WOLFSSL_TLS_OCSP_MULTI)
3659
/* Process OCSP request certificate chain
3660
 *
3661
 * ssl       SSL/TLS object.
3662
 * returns 0 on success, otherwise failure.
3663
 */
3664
int ProcessChainOCSPRequest(WOLFSSL* ssl)
3665
{
3666
    DecodedCert* cert;
3667
    OcspRequest* request;
3668
    TLSX* extension;
3669
    CertificateStatusRequest* csr;
3670
    DerBuffer* chain;
3671
    word32 pos = 0;
3672
    buffer der;
3673
    int i = 1;
3674
    int ret = 0;
3675
    byte ctxOwnsRequest = 0;
3676
3677
    /* use certChain if available, otherwise use peer certificate */
3678
    chain = ssl->buffers.certChain;
3679
    if (chain == NULL) {
3680
        chain = ssl->buffers.certificate;
3681
    }
3682
3683
    extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
3684
    csr = extension ?
3685
                (CertificateStatusRequest*)extension->data : NULL;
3686
    if (csr == NULL)
3687
        return MEMORY_ERROR;
3688
3689
    cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
3690
                                         DYNAMIC_TYPE_DCERT);
3691
    if (cert == NULL) {
3692
        return MEMORY_E;
3693
    }
3694
3695
    if (chain && chain->buffer) {
3696
        while (ret == 0 && pos + OPAQUE24_LEN < chain->length) {
3697
            if (i >= MAX_CERT_EXTENSIONS) {
3698
                WOLFSSL_MSG_EX(
3699
                    "OCSP request cert chain exceeds maximum length: "
3700
                    "i=%d, MAX_CERT_EXTENSIONS=%d", i, MAX_CERT_EXTENSIONS);
3701
                ret = MAX_CERT_EXTENSIONS_ERR;
3702
                break;
3703
            }
3704
3705
            c24to32(chain->buffer + pos, &der.length);
3706
            pos += OPAQUE24_LEN;
3707
            der.buffer = chain->buffer + pos;
3708
            pos += der.length;
3709
3710
            if (pos > chain->length)
3711
                break;
3712
            request = &csr->request.ocsp[i];
3713
            if (ret == 0) {
3714
                ret = CreateOcspRequest(ssl, request, cert,
3715
                        der.buffer, der.length, &ctxOwnsRequest);
3716
                if (ctxOwnsRequest) {
3717
                    wolfSSL_Mutex* ocspLock =
3718
                        &SSL_CM(ssl)->ocsp_stapling->ocspLock;
3719
                    if (wc_LockMutex(ocspLock) == 0) {
3720
                        /* the request is ours */
3721
                        ssl->ctx->certOcspRequest = NULL;
3722
                    }
3723
                    wc_UnLockMutex(ocspLock);
3724
                }
3725
            }
3726
3727
            if (ret == 0) {
3728
                request->ssl = ssl;
3729
                ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling,
3730
                                 request, &csr->responses[i], ssl->heap);
3731
                /* Suppressing soft-fail responder errors. OCSP_CERT_REVOKED
3732
                 * is an explicit positive assertion of revocation and must
3733
                 * not be ignored. */
3734
                if (ret == WC_NO_ERR_TRACE(OCSP_CERT_UNKNOWN) ||
3735
                    ret == WC_NO_ERR_TRACE(OCSP_LOOKUP_FAIL)) {
3736
                    ret = 0;
3737
                }
3738
                i++;
3739
                csr->requests++;
3740
            }
3741
        }
3742
    }
3743
    XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
3744
3745
    return ret;
3746
}
3747
#endif
3748
3749
static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length,
3750
                          byte isRequest)
3751
{
3752
    int ret;
3753
#if !defined(NO_WOLFSSL_SERVER)
3754
    byte status_type;
3755
    word16 size = 0;
3756
#endif
3757
3758
#if !defined(NO_WOLFSSL_CLIENT)
3759
    OcspRequest* request;
3760
    TLSX* extension;
3761
    CertificateStatusRequest* csr;
3762
#endif
3763
3764
#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13) \
3765
 || !defined(NO_WOLFSSL_SERVER)
3766
    word32 offset = 0;
3767
#endif
3768
3769
#if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13)
3770
    word32 resp_length = 0;
3771
#endif
3772
3773
    /* shut up compiler warnings */
3774
    (void) ssl; (void) input;
3775
3776
    if (!isRequest) {
3777
#ifndef NO_WOLFSSL_CLIENT
3778
        extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
3779
        csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
3780
3781
        if (!csr) {
3782
            /* look at context level */
3783
            extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST);
3784
            csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
3785
3786
            if (!csr) /* unexpected extension */
3787
                return TLSX_HandleUnsupportedExtension(ssl);
3788
3789
            /* enable extension at ssl level */
3790
            ret = TLSX_UseCertificateStatusRequest(&ssl->extensions,
3791
                                     csr->status_type, csr->options, ssl,
3792
                                     ssl->heap, ssl->devId);
3793
            if (ret != WOLFSSL_SUCCESS)
3794
                return ret == 0 ? -1 : ret;
3795
3796
            switch (csr->status_type) {
3797
                case WOLFSSL_CSR_OCSP:
3798
                    /* propagate nonce */
3799
                    if (csr->request.ocsp[0].nonceSz) {
3800
                        request =
3801
                            (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions);
3802
3803
                        if (request) {
3804
                            XMEMCPY(request->nonce, csr->request.ocsp[0].nonce,
3805
                                        (size_t)csr->request.ocsp[0].nonceSz);
3806
                            request->nonceSz = csr->request.ocsp[0].nonceSz;
3807
                        }
3808
                    }
3809
                break;
3810
            }
3811
        }
3812
3813
        ssl->status_request = 1;
3814
3815
    #ifdef WOLFSSL_TLS13
3816
        if (ssl->options.tls1_3) {
3817
            /* Get the new extension potentially created above. */
3818
            extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
3819
            csr = extension ? (CertificateStatusRequest*)extension->data : NULL;
3820
            if (csr == NULL)
3821
                return MEMORY_ERROR;
3822
3823
            ret = 0;
3824
            if (OPAQUE8_LEN + OPAQUE24_LEN > length)
3825
                ret = BUFFER_ERROR;
3826
            if (ret == 0 && input[offset++] != WOLFSSL_CSR_OCSP) {
3827
                ret = BAD_CERTIFICATE_STATUS_ERROR;
3828
                WOLFSSL_ERROR_VERBOSE(ret);
3829
            }
3830
            if (ret == 0) {
3831
                c24to32(input + offset, &resp_length);
3832
                offset += OPAQUE24_LEN;
3833
                if (offset + resp_length != length)
3834
                    ret = BUFFER_ERROR;
3835
            }
3836
            if (ret == 0) {
3837
                if (ssl->response_idx < (1 + MAX_CHAIN_DEPTH))
3838
                    csr->responses[ssl->response_idx].buffer =
3839
                    (byte*)XMALLOC(resp_length, ssl->heap,
3840
                        DYNAMIC_TYPE_TMP_BUFFER);
3841
                else
3842
                    ret = BAD_FUNC_ARG;
3843
3844
                if (ret == 0 &&
3845
                        csr->responses[ssl->response_idx].buffer == NULL)
3846
                    ret = MEMORY_ERROR;
3847
            }
3848
            if (ret == 0) {
3849
                XMEMCPY(csr->responses[ssl->response_idx].buffer,
3850
                                            input + offset, resp_length);
3851
                csr->responses[ssl->response_idx].length = resp_length;
3852
            }
3853
3854
            return ret;
3855
        }
3856
        else
3857
    #endif
3858
        {
3859
            /* extension_data MUST be empty. */
3860
            return length ? BUFFER_ERROR : 0;
3861
        }
3862
#endif
3863
    }
3864
    else {
3865
#ifndef NO_WOLFSSL_SERVER
3866
        if (length == 0)
3867
            return 0;
3868
3869
        status_type = input[offset++];
3870
3871
        switch (status_type) {
3872
            case WOLFSSL_CSR_OCSP: {
3873
3874
                /* skip responder_id_list */
3875
                if ((int)(length - offset) < OPAQUE16_LEN)
3876
                    return BUFFER_ERROR;
3877
3878
                ato16(input + offset, &size);
3879
                offset += OPAQUE16_LEN + size;
3880
3881
                /* skip request_extensions */
3882
                if ((int)(length - offset) < OPAQUE16_LEN)
3883
                    return BUFFER_ERROR;
3884
3885
                ato16(input + offset, &size);
3886
                offset += OPAQUE16_LEN + size;
3887
3888
                if (offset > length)
3889
                    return BUFFER_ERROR;
3890
3891
                /* is able to send OCSP response? */
3892
                if (SSL_CM(ssl) == NULL || !SSL_CM(ssl)->ocspStaplingEnabled)
3893
                    return 0;
3894
            }
3895
            break;
3896
3897
            /* unknown status type */
3898
            default:
3899
                return 0;
3900
        }
3901
3902
        /* if using status_request and already sending it, skip this one */
3903
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
3904
        if (ssl->status_request_v2)
3905
            return 0;
3906
        #endif
3907
3908
        /* accept the first good status_type and return */
3909
        ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type,
3910
                                                 0, ssl, ssl->heap, ssl->devId);
3911
        if (ret != WOLFSSL_SUCCESS)
3912
            return ret == 0 ? -1 : ret; /* throw error */
3913
3914
        TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
3915
        ssl->status_request = status_type;
3916
#endif
3917
    }
3918
3919
    return 0;
3920
}
3921
3922
int TLSX_CSR_InitRequest_ex(TLSX* extensions, DecodedCert* cert,
3923
                                                            void* heap, int idx)
3924
{
3925
     TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST);
3926
    CertificateStatusRequest* csr = extension ?
3927
        (CertificateStatusRequest*)extension->data : NULL;
3928
    int ret = 0;
3929
3930
    if (csr) {
3931
        switch (csr->status_type) {
3932
            case WOLFSSL_CSR_OCSP: {
3933
                byte nonce[MAX_OCSP_NONCE_SZ];
3934
                int  req_cnt = idx == -1 ? csr->requests : idx;
3935
                int  nonceSz = csr->request.ocsp[0].nonceSz;
3936
                OcspRequest* request;
3937
3938
                request = &csr->request.ocsp[req_cnt];
3939
                if (request->serial != NULL) {
3940
                    /* clear request contents before reuse */
3941
                    FreeOcspRequest(request);
3942
                    if (csr->requests > 0)
3943
                        csr->requests--;
3944
                }
3945
                /* preserve nonce */
3946
                XMEMCPY(nonce, csr->request.ocsp->nonce, (size_t)nonceSz);
3947
3948
                if (req_cnt < MAX_CERT_EXTENSIONS) {
3949
                    if ((ret = InitOcspRequest(request, cert, 0, heap)) != 0)
3950
                        return ret;
3951
3952
                    /* restore nonce */
3953
                    XMEMCPY(csr->request.ocsp->nonce, nonce, (size_t)nonceSz);
3954
                    request->nonceSz = nonceSz;
3955
                    csr->requests++;
3956
                }
3957
                else {
3958
                    WOLFSSL_ERROR_VERBOSE(MAX_CERT_EXTENSIONS_ERR);
3959
                    return MAX_CERT_EXTENSIONS_ERR;
3960
                }
3961
            }
3962
            break;
3963
        }
3964
    }
3965
3966
    return ret;
3967
}
3968
3969
int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert, void* heap)
3970
{
3971
    return TLSX_CSR_InitRequest_ex(extensions, cert, heap, -1);
3972
}
3973
3974
void* TLSX_CSR_GetRequest_ex(TLSX* extensions, int idx)
3975
{
3976
    TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST);
3977
    CertificateStatusRequest* csr = extension ?
3978
                              (CertificateStatusRequest*)extension->data : NULL;
3979
3980
    if (csr && csr->ssl) {
3981
        switch (csr->status_type) {
3982
            case WOLFSSL_CSR_OCSP:
3983
                if (IsAtLeastTLSv1_3(csr->ssl->version)) {
3984
                    return idx < csr->requests ? &csr->request.ocsp[idx] : NULL;
3985
                }
3986
                else {
3987
                    return idx == 0 ? &csr->request.ocsp[0] : NULL;
3988
                }
3989
        }
3990
    }
3991
3992
    return NULL;
3993
}
3994
3995
void* TLSX_CSR_GetRequest(TLSX* extensions)
3996
{
3997
    return TLSX_CSR_GetRequest_ex(extensions, 0);
3998
}
3999
4000
int TLSX_CSR_ForceRequest(WOLFSSL* ssl)
4001
{
4002
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
4003
    CertificateStatusRequest* csr = extension ?
4004
                              (CertificateStatusRequest*)extension->data : NULL;
4005
4006
    if (csr) {
4007
        switch (csr->status_type) {
4008
            case WOLFSSL_CSR_OCSP:
4009
                if (SSL_CM(ssl)->ocspEnabled) {
4010
                    csr->request.ocsp[0].ssl = ssl;
4011
                    return CheckOcspRequest(SSL_CM(ssl)->ocsp,
4012
                                              &csr->request.ocsp[0], NULL, NULL);
4013
                }
4014
                else {
4015
                    WOLFSSL_ERROR_VERBOSE(OCSP_LOOKUP_FAIL);
4016
                    return OCSP_LOOKUP_FAIL;
4017
                }
4018
        }
4019
    }
4020
4021
    return 0;
4022
}
4023
4024
int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type,
4025
                                         byte options, WOLFSSL* ssl, void* heap,
4026
                                                                      int devId)
4027
{
4028
    CertificateStatusRequest* csr = NULL;
4029
    int ret = 0;
4030
4031
    if (!extensions || status_type != WOLFSSL_CSR_OCSP)
4032
        return BAD_FUNC_ARG;
4033
4034
    csr = (CertificateStatusRequest*)
4035
             XMALLOC(sizeof(CertificateStatusRequest), heap, DYNAMIC_TYPE_TLSX);
4036
    if (!csr)
4037
        return MEMORY_E;
4038
4039
    ForceZero(csr, sizeof(CertificateStatusRequest));
4040
#if defined(WOLFSSL_TLS13)
4041
    XMEMSET(csr->responses, 0, sizeof(csr->responses));
4042
#endif
4043
    csr->status_type = status_type;
4044
    csr->options     = options;
4045
    csr->ssl         = ssl;
4046
4047
    switch (csr->status_type) {
4048
        case WOLFSSL_CSR_OCSP:
4049
            if (options & WOLFSSL_CSR_OCSP_USE_NONCE) {
4050
                WC_RNG rng;
4051
4052
            #ifndef HAVE_FIPS
4053
                ret = wc_InitRng_ex(&rng, heap, devId);
4054
            #else
4055
                ret = wc_InitRng(&rng);
4056
                (void)devId;
4057
            #endif
4058
                if (ret == 0) {
4059
                    if (wc_RNG_GenerateBlock(&rng, csr->request.ocsp[0].nonce,
4060
                                                        MAX_OCSP_NONCE_SZ) == 0)
4061
                        csr->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ;
4062
4063
                    wc_FreeRng(&rng);
4064
                }
4065
            }
4066
        break;
4067
    }
4068
4069
    if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr, heap)) != 0) {
4070
        XFREE(csr, heap, DYNAMIC_TYPE_TLSX);
4071
        return ret;
4072
    }
4073
4074
    return WOLFSSL_SUCCESS;
4075
}
4076
4077
#define CSR_FREE_ALL TLSX_CSR_Free
4078
#define CSR_GET_SIZE TLSX_CSR_GetSize
4079
#define CSR_WRITE    TLSX_CSR_Write
4080
#define CSR_PARSE    TLSX_CSR_Parse
4081
4082
#else
4083
4084
0
#define CSR_FREE_ALL(data, heap) WC_DO_NOTHING
4085
0
#define CSR_GET_SIZE(a, b)    0
4086
0
#define CSR_WRITE(a, b, c)    0
4087
0
#define CSR_PARSE(a, b, c, d) 0
4088
4089
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
4090
4091
/******************************************************************************/
4092
/* Certificate Status Request v2                                              */
4093
/******************************************************************************/
4094
4095
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
4096
4097
static void TLSX_CSR2_FreePendingSigners(Signer *s, void* heap)
4098
{
4099
    Signer* next;
4100
    while(s) {
4101
        next = s->next;
4102
        FreeSigner(s, heap);
4103
        s = next;
4104
    }
4105
}
4106
static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2, void* heap)
4107
{
4108
    CertificateStatusRequestItemV2* next;
4109
4110
    TLSX_CSR2_FreePendingSigners(csr2->pendingSigners, heap);
4111
    for (; csr2; csr2 = next) {
4112
        next = csr2->next;
4113
4114
        switch (csr2->status_type) {
4115
            case WOLFSSL_CSR2_OCSP:
4116
            case WOLFSSL_CSR2_OCSP_MULTI:
4117
                while(csr2->requests--)
4118
                    FreeOcspRequest(&csr2->request.ocsp[csr2->requests]);
4119
            break;
4120
        }
4121
4122
        XFREE(csr2, heap, DYNAMIC_TYPE_TLSX);
4123
    }
4124
    (void)heap;
4125
}
4126
4127
static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2,
4128
                                                                 byte isRequest)
4129
{
4130
    word32 size = 0;
4131
4132
    /* shut up compiler warnings */
4133
    (void) csr2; (void) isRequest;
4134
4135
#ifndef NO_WOLFSSL_CLIENT
4136
    if (isRequest) {
4137
        CertificateStatusRequestItemV2* next;
4138
4139
        for (size = OPAQUE16_LEN; csr2; csr2 = next) {
4140
            next = csr2->next;
4141
4142
            switch (csr2->status_type) {
4143
                case WOLFSSL_CSR2_OCSP:
4144
                case WOLFSSL_CSR2_OCSP_MULTI:
4145
                    size += ENUM_LEN + 3 * OPAQUE16_LEN;
4146
4147
                    if (csr2->request.ocsp[0].nonceSz)
4148
                        size += OCSP_NONCE_EXT_SZ;
4149
                break;
4150
            }
4151
4152
            if (size > WOLFSSL_MAX_16BIT) {
4153
                return 0;
4154
            }
4155
        }
4156
    }
4157
#endif
4158
4159
    return (word16)size;
4160
}
4161
4162
static int TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2,
4163
                                                   byte* output, byte isRequest)
4164
{
4165
    /* shut up compiler warnings */
4166
    (void) csr2; (void) output; (void) isRequest;
4167
4168
#ifndef NO_WOLFSSL_CLIENT
4169
    if (isRequest) {
4170
        int ret = 0;
4171
        word16 offset;
4172
        word16 length;
4173
4174
        for (offset = OPAQUE16_LEN; csr2 != NULL; csr2 = csr2->next) {
4175
            /* status_type */
4176
            output[offset++] = csr2->status_type;
4177
4178
            /* request */
4179
            switch (csr2->status_type) {
4180
                case WOLFSSL_CSR2_OCSP:
4181
                case WOLFSSL_CSR2_OCSP_MULTI:
4182
                    /* request_length */
4183
                    length = 2 * OPAQUE16_LEN;
4184
4185
                    if (csr2->request.ocsp[0].nonceSz)
4186
                        length += OCSP_NONCE_EXT_SZ;
4187
4188
                    c16toa(length, output + offset);
4189
                    offset += OPAQUE16_LEN;
4190
4191
                    /* responder id list */
4192
                    c16toa(0, output + offset);
4193
                    offset += OPAQUE16_LEN;
4194
4195
                    /* request extensions */
4196
                    length = 0;
4197
4198
                    if (csr2->request.ocsp[0].nonceSz) {
4199
                        ret = (int)EncodeOcspRequestExtensions(
4200
                                                 &csr2->request.ocsp[0],
4201
                                                 output + offset + OPAQUE16_LEN,
4202
                                                 OCSP_NONCE_EXT_SZ);
4203
4204
                        if (ret > 0) {
4205
                            length = (word16)ret;
4206
                        }
4207
                        else {
4208
                            return ret;
4209
                        }
4210
                    }
4211
4212
                    c16toa(length, output + offset);
4213
                    offset += OPAQUE16_LEN + length;
4214
                break;
4215
            }
4216
        }
4217
4218
        /* list size */
4219
        c16toa(offset - OPAQUE16_LEN, output);
4220
4221
        return (int)offset;
4222
    }
4223
#endif
4224
4225
    return 0;
4226
}
4227
4228
static int TLSX_CSR2_Parse(WOLFSSL* ssl, const byte* input, word16 length,
4229
                           byte isRequest)
4230
{
4231
    int ret;
4232
4233
    /* shut up compiler warnings */
4234
    (void) ssl; (void) input;
4235
4236
    if (!isRequest) {
4237
#ifndef NO_WOLFSSL_CLIENT
4238
        TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2);
4239
        CertificateStatusRequestItemV2* csr2 = extension ?
4240
                        (CertificateStatusRequestItemV2*)extension->data : NULL;
4241
4242
        if (!csr2) {
4243
            /* look at context level */
4244
            extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST_V2);
4245
            csr2 = extension ?
4246
                        (CertificateStatusRequestItemV2*)extension->data : NULL;
4247
4248
            if (!csr2) /* unexpected extension */
4249
                return TLSX_HandleUnsupportedExtension(ssl);
4250
4251
            /* enable extension at ssl level */
4252
            for (; csr2; csr2 = csr2->next) {
4253
                ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
4254
                                    csr2->status_type, csr2->options, ssl->heap,
4255
                                                                    ssl->devId);
4256
                if (ret != WOLFSSL_SUCCESS)
4257
                    return ret;
4258
4259
                switch (csr2->status_type) {
4260
                    case WOLFSSL_CSR2_OCSP:
4261
                        /* followed by */
4262
                    case WOLFSSL_CSR2_OCSP_MULTI:
4263
                        /* propagate nonce */
4264
                        if (csr2->request.ocsp[0].nonceSz) {
4265
                            OcspRequest* request =
4266
                             (OcspRequest*)TLSX_CSR2_GetRequest(ssl->extensions,
4267
                                                          csr2->status_type, 0);
4268
4269
                            if (request) {
4270
                                XMEMCPY(request->nonce,
4271
                                        csr2->request.ocsp[0].nonce,
4272
                                        (size_t)csr2->request.ocsp[0].nonceSz);
4273
4274
                                request->nonceSz =
4275
                                                  csr2->request.ocsp[0].nonceSz;
4276
                            }
4277
                        }
4278
                    break;
4279
                }
4280
            }
4281
        }
4282
4283
        ssl->status_request_v2 = 1;
4284
4285
        return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */
4286
#endif
4287
    }
4288
    else {
4289
#ifndef NO_WOLFSSL_SERVER
4290
        byte   status_type;
4291
        word16 request_length;
4292
        word16 offset = 0;
4293
        word16 size = 0;
4294
4295
        /* list size */
4296
        if (offset + OPAQUE16_LEN >= length) {
4297
            return BUFFER_E;
4298
        }
4299
4300
        ato16(input + offset, &request_length);
4301
        offset += OPAQUE16_LEN;
4302
4303
        if (length - OPAQUE16_LEN != request_length)
4304
            return BUFFER_ERROR;
4305
4306
        while (length > offset) {
4307
            if ((int)(length - offset) < ENUM_LEN + OPAQUE16_LEN)
4308
                return BUFFER_ERROR;
4309
4310
            status_type = input[offset++];
4311
4312
            ato16(input + offset, &request_length);
4313
            offset += OPAQUE16_LEN;
4314
4315
            if (length - offset < request_length)
4316
                return BUFFER_ERROR;
4317
4318
            switch (status_type) {
4319
                case WOLFSSL_CSR2_OCSP:
4320
                case WOLFSSL_CSR2_OCSP_MULTI:
4321
                    /* skip responder_id_list */
4322
                    if ((int)(length - offset) < OPAQUE16_LEN)
4323
                        return BUFFER_ERROR;
4324
4325
                    ato16(input + offset, &size);
4326
                    if (length - offset - OPAQUE16_LEN < size)
4327
                        return BUFFER_ERROR;
4328
4329
                    offset += OPAQUE16_LEN + size;
4330
                    /* skip request_extensions */
4331
                    if ((int)(length - offset) < OPAQUE16_LEN)
4332
                        return BUFFER_ERROR;
4333
4334
                    ato16(input + offset, &size);
4335
                    if (length - offset < size)
4336
                        return BUFFER_ERROR;
4337
4338
                    offset += OPAQUE16_LEN + size;
4339
                    if (offset > length)
4340
                        return BUFFER_ERROR;
4341
4342
                    /* is able to send OCSP response? */
4343
                    if (SSL_CM(ssl) == NULL
4344
                    || !SSL_CM(ssl)->ocspStaplingEnabled)
4345
                        continue;
4346
                break;
4347
4348
                default:
4349
                    /* unknown status type, skipping! */
4350
                    offset += request_length;
4351
                    continue;
4352
            }
4353
4354
            /* if using status_request and already sending it, remove it
4355
             * and prefer to use the v2 version */
4356
            #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
4357
            if (ssl->status_request) {
4358
                ssl->status_request = 0;
4359
                TLSX_Remove(&ssl->extensions, TLSX_STATUS_REQUEST, ssl->heap);
4360
            }
4361
            #endif
4362
4363
            /* TLS 1.3 servers MUST NOT act upon presence or information in
4364
             * this extension (RFC 8448 Section 4.4.2.1).
4365
             */
4366
            if (!IsAtLeastTLSv1_3(ssl->version)) {
4367
                /* accept the first good status_type and return */
4368
                ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
4369
                                         status_type, 0, ssl->heap, ssl->devId);
4370
                if (ret != WOLFSSL_SUCCESS)
4371
                    return ret; /* throw error */
4372
4373
                TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2);
4374
                ssl->status_request_v2 = status_type;
4375
            }
4376
4377
            return 0;
4378
        }
4379
#endif
4380
    }
4381
4382
    return 0;
4383
}
4384
4385
static CertificateStatusRequestItemV2* TLSX_CSR2_GetMulti(TLSX *extensions)
4386
{
4387
    TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
4388
    CertificateStatusRequestItemV2* csr2 = extension ?
4389
        (CertificateStatusRequestItemV2*)extension->data : NULL;
4390
4391
    for (; csr2; csr2 = csr2->next) {
4392
        if (csr2->status_type == WOLFSSL_CSR2_OCSP_MULTI)
4393
            return csr2;
4394
    }
4395
    return NULL;
4396
}
4397
4398
int TLSX_CSR2_IsMulti(TLSX *extensions)
4399
{
4400
    return TLSX_CSR2_GetMulti(extensions) != NULL;
4401
}
4402
4403
int TLSX_CSR2_AddPendingSigner(TLSX *extensions, Signer *s)
4404
{
4405
    CertificateStatusRequestItemV2* csr2;
4406
4407
    csr2 = TLSX_CSR2_GetMulti(extensions);
4408
    if (!csr2)
4409
        return WOLFSSL_FATAL_ERROR;
4410
4411
    s->next = csr2->pendingSigners;
4412
    csr2->pendingSigners = s;
4413
    return 0;
4414
}
4415
4416
Signer* TLSX_CSR2_GetPendingSigners(TLSX *extensions)
4417
{
4418
    CertificateStatusRequestItemV2* csr2;
4419
4420
    csr2 = TLSX_CSR2_GetMulti(extensions);
4421
    if (!csr2)
4422
        return NULL;
4423
4424
    return csr2->pendingSigners;
4425
}
4426
4427
int TLSX_CSR2_ClearPendingCA(WOLFSSL *ssl)
4428
{
4429
    CertificateStatusRequestItemV2* csr2;
4430
4431
    csr2 = TLSX_CSR2_GetMulti(ssl->extensions);
4432
    if (csr2 == NULL)
4433
        return 0;
4434
4435
    TLSX_CSR2_FreePendingSigners(csr2->pendingSigners, SSL_CM(ssl)->heap);
4436
    csr2->pendingSigners = NULL;
4437
    return 0;
4438
}
4439
4440
int TLSX_CSR2_MergePendingCA(WOLFSSL* ssl)
4441
{
4442
    CertificateStatusRequestItemV2* csr2;
4443
    Signer *s, *next;
4444
    int r = 0;
4445
4446
    csr2 = TLSX_CSR2_GetMulti(ssl->extensions);
4447
    if (csr2 == NULL)
4448
        return 0;
4449
4450
    s = csr2->pendingSigners;
4451
    while (s != NULL) {
4452
        next = s->next;
4453
        r = AddSigner(SSL_CM(ssl), s);
4454
        if (r != 0)
4455
            FreeSigner(s, SSL_CM(ssl)->heap);
4456
        s = next;
4457
    }
4458
    csr2->pendingSigners = NULL;
4459
    return r;
4460
}
4461
4462
int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer,
4463
                                                                     void* heap)
4464
{
4465
    TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
4466
    CertificateStatusRequestItemV2* csr2 = extension ?
4467
        (CertificateStatusRequestItemV2*)extension->data : NULL;
4468
    int ret = 0;
4469
4470
    for (; csr2; csr2 = csr2->next) {
4471
        switch (csr2->status_type) {
4472
            case WOLFSSL_CSR2_OCSP:
4473
                if (!isPeer || csr2->requests != 0)
4474
                    break;
4475
4476
                FALL_THROUGH; /* followed by */
4477
4478
            case WOLFSSL_CSR2_OCSP_MULTI: {
4479
                if (csr2->requests < 1 + MAX_CHAIN_DEPTH) {
4480
                    byte nonce[MAX_OCSP_NONCE_SZ];
4481
                    int  nonceSz = csr2->request.ocsp[0].nonceSz;
4482
4483
                    /* preserve nonce, replicating nonce of ocsp[0] */
4484
                    XMEMCPY(nonce, csr2->request.ocsp[0].nonce,
4485
                    (size_t)nonceSz);
4486
4487
                    if ((ret = InitOcspRequest(
4488
                                      &csr2->request.ocsp[csr2->requests], cert,
4489
                                                                 0, heap)) != 0)
4490
                        return ret;
4491
4492
                    /* restore nonce */
4493
                    XMEMCPY(csr2->request.ocsp[csr2->requests].nonce,
4494
                                                        nonce, (size_t)nonceSz);
4495
                    csr2->request.ocsp[csr2->requests].nonceSz = nonceSz;
4496
                    csr2->requests++;
4497
                }
4498
            }
4499
            break;
4500
        }
4501
    }
4502
4503
    (void)cert;
4504
    return ret;
4505
}
4506
4507
void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte idx)
4508
{
4509
    TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
4510
    CertificateStatusRequestItemV2* csr2 = extension ?
4511
                        (CertificateStatusRequestItemV2*)extension->data : NULL;
4512
4513
    for (; csr2; csr2 = csr2->next) {
4514
        if (csr2->status_type == status_type) {
4515
            switch (csr2->status_type) {
4516
                case WOLFSSL_CSR2_OCSP:
4517
                    /* followed by */
4518
4519
                case WOLFSSL_CSR2_OCSP_MULTI:
4520
                    /* requests are initialized in the reverse order */
4521
                    return idx < csr2->requests
4522
                         ? &csr2->request.ocsp[csr2->requests - idx - 1]
4523
                         : NULL;
4524
            }
4525
        }
4526
    }
4527
4528
    return NULL;
4529
}
4530
4531
int TLSX_CSR2_ForceRequest(WOLFSSL* ssl)
4532
{
4533
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2);
4534
    CertificateStatusRequestItemV2* csr2 = extension ?
4535
                        (CertificateStatusRequestItemV2*)extension->data : NULL;
4536
4537
    /* forces only the first one */
4538
    if (csr2) {
4539
        switch (csr2->status_type) {
4540
            case WOLFSSL_CSR2_OCSP:
4541
                /* followed by */
4542
4543
            case WOLFSSL_CSR2_OCSP_MULTI:
4544
                if (SSL_CM(ssl)->ocspEnabled && csr2->requests >= 1) {
4545
                    csr2->request.ocsp[csr2->requests-1].ssl = ssl;
4546
                    return CheckOcspRequest(SSL_CM(ssl)->ocsp,
4547
                                          &csr2->request.ocsp[csr2->requests-1], NULL, NULL);
4548
                }
4549
                else {
4550
                    WOLFSSL_ERROR_VERBOSE(OCSP_LOOKUP_FAIL);
4551
                    return OCSP_LOOKUP_FAIL;
4552
                }
4553
        }
4554
    }
4555
4556
    return 0;
4557
}
4558
4559
int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
4560
                                           byte options, void* heap, int devId)
4561
{
4562
    TLSX* extension = NULL;
4563
    CertificateStatusRequestItemV2* csr2 = NULL;
4564
    int ret = 0;
4565
4566
    if (!extensions)
4567
        return BAD_FUNC_ARG;
4568
4569
    if (status_type != WOLFSSL_CSR2_OCSP
4570
    &&  status_type != WOLFSSL_CSR2_OCSP_MULTI)
4571
        return BAD_FUNC_ARG;
4572
4573
    csr2 = (CertificateStatusRequestItemV2*)
4574
       XMALLOC(sizeof(CertificateStatusRequestItemV2), heap, DYNAMIC_TYPE_TLSX);
4575
    if (!csr2)
4576
        return MEMORY_E;
4577
4578
    ForceZero(csr2, sizeof(CertificateStatusRequestItemV2));
4579
4580
    csr2->status_type = status_type;
4581
    csr2->options     = options;
4582
    csr2->next        = NULL;
4583
4584
    switch (csr2->status_type) {
4585
        case WOLFSSL_CSR2_OCSP:
4586
        case WOLFSSL_CSR2_OCSP_MULTI:
4587
            if (options & WOLFSSL_CSR2_OCSP_USE_NONCE) {
4588
                WC_RNG rng;
4589
4590
            #ifndef HAVE_FIPS
4591
                ret = wc_InitRng_ex(&rng, heap, devId);
4592
            #else
4593
                ret = wc_InitRng(&rng);
4594
                (void)devId;
4595
            #endif
4596
                if (ret == 0) {
4597
                    if (wc_RNG_GenerateBlock(&rng, csr2->request.ocsp[0].nonce,
4598
                                                        MAX_OCSP_NONCE_SZ) == 0)
4599
                        csr2->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ;
4600
4601
                    wc_FreeRng(&rng);
4602
                }
4603
            }
4604
        break;
4605
    }
4606
4607
    /* append new item */
4608
    if ((extension = TLSX_Find(*extensions, TLSX_STATUS_REQUEST_V2))) {
4609
        CertificateStatusRequestItemV2* last =
4610
                               (CertificateStatusRequestItemV2*)extension->data;
4611
4612
        if (last == NULL) {
4613
            XFREE(csr2, heap, DYNAMIC_TYPE_TLSX);
4614
            return BAD_FUNC_ARG;
4615
        }
4616
4617
        for (; last->next; last = last->next);
4618
4619
        last->next = csr2;
4620
    }
4621
    else if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST_V2, csr2,heap))) {
4622
        XFREE(csr2, heap, DYNAMIC_TYPE_TLSX);
4623
        return ret;
4624
    }
4625
4626
    return WOLFSSL_SUCCESS;
4627
}
4628
4629
#define CSR2_FREE_ALL TLSX_CSR2_FreeAll
4630
#define CSR2_GET_SIZE TLSX_CSR2_GetSize
4631
#define CSR2_WRITE    TLSX_CSR2_Write
4632
#define CSR2_PARSE    TLSX_CSR2_Parse
4633
4634
#else
4635
4636
0
#define CSR2_FREE_ALL(data, heap) WC_DO_NOTHING
4637
0
#define CSR2_GET_SIZE(a, b)    0
4638
0
#define CSR2_WRITE(a, b, c)    0
4639
0
#define CSR2_PARSE(a, b, c, d) 0
4640
4641
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
4642
4643
/* ML-KEM client support requires generating a key pair (encapsulation key) and
4644
 * decapsulating the server's ciphertext. */
4645
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
4646
     !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
4647
    #define WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT
4648
#endif
4649
/* ML-KEM server support requires encapsulating to the client's key. */
4650
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
4651
    #define WOLFSSL_HAVE_MLKEM_SERVER_SUPPORT
4652
#endif
4653
4654
#if defined(HAVE_SUPPORTED_CURVES) || \
4655
    (defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES))
4656
4657
#ifdef WOLFSSL_HAVE_MLKEM
4658
/* Returns whether ML-KEM groups are supported for the given side.
4659
 *
4660
 * ML-KEM groups require side specific crypto support. The client needs to
4661
 * generate a key and decapsulate, while the server needs to encapsulate.
4662
 *
4663
 * side  The side of the connection the check is for: WOLFSSL_CLIENT_END,
4664
 *       WOLFSSL_SERVER_END or WOLFSSL_NEITHER_END when the side is not known.
4665
 * returns 1 when supported or 0 otherwise.
4666
 */
4667
static int TLSX_IsMlKemGroupSupported(int side)
4668
0
{
4669
0
    if (side == WOLFSSL_CLIENT_END) {
4670
0
    #ifdef WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT
4671
0
        return 1;
4672
    #else
4673
        return 0;
4674
    #endif
4675
0
    }
4676
0
    else if (side == WOLFSSL_SERVER_END) {
4677
0
    #ifdef WOLFSSL_HAVE_MLKEM_SERVER_SUPPORT
4678
0
        return 1;
4679
    #else
4680
        return 0;
4681
    #endif
4682
0
    }
4683
0
    else {
4684
        /* Side not known - supported if either side has the crypto support. */
4685
0
    #if defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) || \
4686
0
        defined(WOLFSSL_HAVE_MLKEM_SERVER_SUPPORT)
4687
0
        return 1;
4688
    #else
4689
        return 0;
4690
    #endif
4691
0
    }
4692
0
}
4693
#endif /* WOLFSSL_HAVE_MLKEM */
4694
4695
/* Returns whether this group is supported.
4696
 *
4697
 * namedGroup  The named group to check.
4698
 * side        The side of the connection the check is for: WOLFSSL_CLIENT_END,
4699
 *             WOLFSSL_SERVER_END or WOLFSSL_NEITHER_END when the side is not
4700
 *             known. Used to determine whether the local side has the crypto
4701
 *             support required to use the group (e.g. ML-KEM requires
4702
 *             decapsulation on the client and encapsulation on the server).
4703
 * returns 1 when supported or 0 otherwise.
4704
 */
4705
int TLSX_IsGroupSupported(int namedGroup, int side)
4706
0
{
4707
0
    (void)side;
4708
4709
0
    switch (namedGroup) {
4710
0
    #ifdef HAVE_FFDHE_2048
4711
0
        case WOLFSSL_FFDHE_2048:
4712
0
            break;
4713
0
    #endif
4714
    #ifdef HAVE_FFDHE_3072
4715
        case WOLFSSL_FFDHE_3072:
4716
            break;
4717
    #endif
4718
    #ifdef HAVE_FFDHE_4096
4719
        case WOLFSSL_FFDHE_4096:
4720
            break;
4721
    #endif
4722
    #ifdef HAVE_FFDHE_6144
4723
        case WOLFSSL_FFDHE_6144:
4724
            break;
4725
    #endif
4726
    #ifdef HAVE_FFDHE_8192
4727
        case WOLFSSL_FFDHE_8192:
4728
            break;
4729
    #endif
4730
0
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
4731
        #ifdef HAVE_ECC_KOBLITZ
4732
        case WOLFSSL_ECC_SECP256K1:
4733
            break;
4734
        #endif
4735
0
        #ifndef NO_ECC_SECP
4736
0
        case WOLFSSL_ECC_SECP256R1:
4737
0
            break;
4738
0
        #endif /* !NO_ECC_SECP */
4739
        #ifdef HAVE_ECC_BRAINPOOL
4740
        case WOLFSSL_ECC_BRAINPOOLP256R1:
4741
        case WOLFSSL_ECC_BRAINPOOLP256R1TLS13:
4742
            break;
4743
        #endif
4744
        #ifdef WOLFSSL_SM2
4745
        case WOLFSSL_ECC_SM2P256V1:
4746
            break;
4747
        #endif /* WOLFSSL_SM2 */
4748
0
    #endif
4749
    #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
4750
        case WOLFSSL_ECC_X25519:
4751
            break;
4752
    #endif
4753
    #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
4754
        case WOLFSSL_ECC_X448:
4755
            break;
4756
    #endif
4757
0
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
4758
0
        #ifndef NO_ECC_SECP
4759
0
        case WOLFSSL_ECC_SECP384R1:
4760
0
            break;
4761
0
        #endif /* !NO_ECC_SECP */
4762
        #ifdef HAVE_ECC_BRAINPOOL
4763
        case WOLFSSL_ECC_BRAINPOOLP384R1:
4764
        case WOLFSSL_ECC_BRAINPOOLP384R1TLS13:
4765
            break;
4766
        #endif
4767
0
    #endif
4768
0
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
4769
0
        #ifndef NO_ECC_SECP
4770
0
        case WOLFSSL_ECC_SECP521R1:
4771
0
            break;
4772
0
        #endif /* !NO_ECC_SECP */
4773
0
    #endif
4774
    #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
4775
        #ifdef HAVE_ECC_KOBLITZ
4776
        case WOLFSSL_ECC_SECP160K1:
4777
            break;
4778
        #endif
4779
        #ifndef NO_ECC_SECP
4780
        case WOLFSSL_ECC_SECP160R1:
4781
            break;
4782
        #endif
4783
        #ifdef HAVE_ECC_SECPR2
4784
        case WOLFSSL_ECC_SECP160R2:
4785
            break;
4786
        #endif
4787
    #endif
4788
    #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
4789
        #ifdef HAVE_ECC_KOBLITZ
4790
        case WOLFSSL_ECC_SECP192K1:
4791
            break;
4792
        #endif
4793
        #ifndef NO_ECC_SECP
4794
        case WOLFSSL_ECC_SECP192R1:
4795
            break;
4796
        #endif
4797
    #endif
4798
0
    #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
4799
        #ifdef HAVE_ECC_KOBLITZ
4800
        case WOLFSSL_ECC_SECP224K1:
4801
            break;
4802
        #endif
4803
0
        #ifndef NO_ECC_SECP
4804
0
        case WOLFSSL_ECC_SECP224R1:
4805
0
            break;
4806
0
        #endif
4807
0
    #endif
4808
0
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
4809
        #ifdef HAVE_ECC_BRAINPOOL
4810
        case WOLFSSL_ECC_BRAINPOOLP512R1:
4811
        case WOLFSSL_ECC_BRAINPOOLP512R1TLS13:
4812
            break;
4813
        #endif
4814
0
    #endif
4815
0
#ifdef WOLFSSL_HAVE_MLKEM
4816
0
#ifndef WOLFSSL_NO_ML_KEM
4817
0
        #ifndef WOLFSSL_NO_ML_KEM_512
4818
            #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE
4819
            case WOLFSSL_ML_KEM_512:
4820
                return TLSX_IsMlKemGroupSupported(side);
4821
            #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */
4822
            #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
4823
            case WOLFSSL_SECP256R1MLKEM512:
4824
            #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
4825
            case WOLFSSL_X25519MLKEM512:
4826
            #endif /* HAVE_CURVE25519 */
4827
                return TLSX_IsMlKemGroupSupported(side);
4828
            #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
4829
0
        #endif /* WOLFSSL_NO_ML_KEM_512 */
4830
0
        #ifndef WOLFSSL_NO_ML_KEM_768
4831
            #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE
4832
            case WOLFSSL_ML_KEM_768:
4833
            #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */
4834
0
            #ifdef WOLFSSL_PQC_HYBRIDS
4835
0
            case WOLFSSL_SECP256R1MLKEM768:
4836
            #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
4837
            case WOLFSSL_X25519MLKEM768:
4838
            #endif /* HAVE_CURVE25519 */
4839
0
            #endif /* WOLFSSL_PQC_HYBRIDS */
4840
            #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
4841
            case WOLFSSL_SECP384R1MLKEM768:
4842
            #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
4843
            case WOLFSSL_X448MLKEM768:
4844
            #endif /* HAVE_CURVE448 */
4845
            #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
4846
0
                return TLSX_IsMlKemGroupSupported(side);
4847
0
        #endif /* WOLFSSL_NO_ML_KEM_768 */
4848
0
        #ifndef WOLFSSL_NO_ML_KEM_1024
4849
            #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE
4850
            case WOLFSSL_ML_KEM_1024:
4851
            #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */
4852
0
            #ifdef WOLFSSL_PQC_HYBRIDS
4853
0
            case WOLFSSL_SECP384R1MLKEM1024:
4854
0
            #endif /* WOLFSSL_PQC_HYBRIDS */
4855
            #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
4856
            case WOLFSSL_SECP521R1MLKEM1024:
4857
            #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
4858
0
                return TLSX_IsMlKemGroupSupported(side);
4859
0
        #endif
4860
        #if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \
4861
                                             defined (WOLFSSL_EXTRA_PQC_HYBRIDS)
4862
            case WOLFSSL_P256_ML_KEM_512_OLD:
4863
            case WOLFSSL_P384_ML_KEM_768_OLD:
4864
            case WOLFSSL_P521_ML_KEM_1024_OLD:
4865
                return TLSX_IsMlKemGroupSupported(side);
4866
        #endif /* WOLFSSL_ML_KEM_USE_OLD_IDS && WOLFSSL_EXTRA_PQC_HYBRIDS */
4867
0
#endif /* WOLFSSL_NO_ML_KEM */
4868
#ifdef WOLFSSL_MLKEM_KYBER
4869
        #ifdef WOLFSSL_KYBER512
4870
            case WOLFSSL_KYBER_LEVEL1:
4871
            case WOLFSSL_P256_KYBER_LEVEL1:
4872
        #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
4873
            case WOLFSSL_X25519_KYBER_LEVEL1:
4874
        #endif
4875
        #endif
4876
        #ifdef WOLFSSL_KYBER768
4877
            case WOLFSSL_KYBER_LEVEL3:
4878
            case WOLFSSL_P384_KYBER_LEVEL3:
4879
            case WOLFSSL_P256_KYBER_LEVEL3:
4880
        #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
4881
            case WOLFSSL_X25519_KYBER_LEVEL3:
4882
        #endif
4883
        #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
4884
            case WOLFSSL_X448_KYBER_LEVEL3:
4885
        #endif
4886
        #endif
4887
        #ifdef WOLFSSL_KYBER1024
4888
            case WOLFSSL_KYBER_LEVEL5:
4889
            case WOLFSSL_P521_KYBER_LEVEL5:
4890
        #endif
4891
                return TLSX_IsMlKemGroupSupported(side);
4892
#endif
4893
0
#endif /* WOLFSSL_HAVE_MLKEM */
4894
0
        default:
4895
0
            return 0;
4896
0
    }
4897
4898
0
    return 1;
4899
0
}
4900
#endif
4901
4902
/******************************************************************************/
4903
/* Supported Elliptic Curves                                                  */
4904
/******************************************************************************/
4905
4906
#ifdef HAVE_SUPPORTED_CURVES
4907
4908
#if !defined(HAVE_ECC) && !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448) \
4909
                       && !defined(HAVE_FFDHE) && !defined(WOLFSSL_HAVE_MLKEM)
4910
#error Elliptic Curves Extension requires Elliptic Curve Cryptography or liboqs groups. \
4911
       Use --enable-ecc and/or --enable-liboqs in the configure script or \
4912
       define HAVE_ECC. Alternatively use FFDHE for DH cipher suites.
4913
#endif
4914
4915
static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name,
4916
                                                                     void* heap)
4917
0
{
4918
0
    if (curve == NULL)
4919
0
        return BAD_FUNC_ARG;
4920
4921
0
    (void)heap;
4922
4923
0
    *curve = (SupportedCurve*)XMALLOC(sizeof(SupportedCurve), heap,
4924
0
                                                             DYNAMIC_TYPE_TLSX);
4925
0
    if (*curve == NULL)
4926
0
        return MEMORY_E;
4927
4928
0
    (*curve)->name = name;
4929
0
    (*curve)->next = NULL;
4930
4931
0
    return 0;
4932
0
}
4933
4934
static int TLSX_PointFormat_New(PointFormat** point, byte format, void* heap)
4935
0
{
4936
0
    if (point == NULL)
4937
0
        return BAD_FUNC_ARG;
4938
4939
0
    (void)heap;
4940
4941
0
    *point = (PointFormat*)XMALLOC(sizeof(PointFormat), heap,
4942
0
                                                             DYNAMIC_TYPE_TLSX);
4943
0
    if (*point == NULL)
4944
0
        return MEMORY_E;
4945
4946
0
    (*point)->format = format;
4947
0
    (*point)->next = NULL;
4948
4949
0
    return 0;
4950
0
}
4951
4952
static void TLSX_SupportedCurve_FreeAll(SupportedCurve* list, void* heap)
4953
0
{
4954
0
    SupportedCurve* curve;
4955
4956
0
    while ((curve = list)) {
4957
0
        list = curve->next;
4958
0
        XFREE(curve, heap, DYNAMIC_TYPE_TLSX);
4959
0
    }
4960
0
    (void)heap;
4961
0
}
4962
4963
static void TLSX_PointFormat_FreeAll(PointFormat* list, void* heap)
4964
0
{
4965
0
    PointFormat* point;
4966
4967
0
    while ((point = list)) {
4968
0
        list = point->next;
4969
0
        XFREE(point, heap, DYNAMIC_TYPE_TLSX);
4970
0
    }
4971
0
    (void)heap;
4972
0
}
4973
4974
static int TLSX_SupportedCurve_Append(SupportedCurve* list, word16 name,
4975
                                                                     void* heap)
4976
0
{
4977
0
    int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
4978
4979
0
    while (list) {
4980
0
        if (list->name == name) {
4981
0
            ret = 0; /* curve already in use */
4982
0
            break;
4983
0
        }
4984
4985
0
        if (list->next == NULL) {
4986
0
            ret = TLSX_SupportedCurve_New(&list->next, name, heap);
4987
0
            break;
4988
0
        }
4989
4990
0
        list = list->next;
4991
0
    }
4992
4993
0
    return ret;
4994
0
}
4995
4996
static int TLSX_PointFormat_Append(PointFormat* list, byte format, void* heap)
4997
0
{
4998
0
    int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
4999
5000
0
    while (list) {
5001
0
        if (list->format == format) {
5002
0
            ret = 0; /* format already in use */
5003
0
            break;
5004
0
        }
5005
5006
0
        if (list->next == NULL) {
5007
0
            ret = TLSX_PointFormat_New(&list->next, format, heap);
5008
0
            break;
5009
0
        }
5010
5011
0
        list = list->next;
5012
0
    }
5013
5014
0
    return ret;
5015
0
}
5016
5017
#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT)
5018
5019
#if defined(HAVE_FFDHE) && (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
5020
                                                         defined(HAVE_CURVE448))
5021
static void TLSX_SupportedCurve_ValidateRequest(const WOLFSSL* ssl,
5022
                                                const byte* semaphore)
5023
0
{
5024
    /* If all pre-defined parameter types for key exchange are supported then
5025
     * always send SupportedGroups extension.
5026
     */
5027
0
    (void)ssl;
5028
0
    (void)semaphore;
5029
0
}
5030
#else
5031
static void TLSX_SupportedCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
5032
{
5033
    word16 i;
5034
    const Suites* suites = WOLFSSL_SUITES(ssl);
5035
5036
    for (i = 0; i < suites->suiteSz; i += 2) {
5037
        if (suites->suites[i] == TLS13_BYTE)
5038
            return;
5039
    #ifdef BUILD_TLS_SM4_GCM_SM3
5040
        if ((suites->suites[i] == CIPHER_BYTE) &&
5041
            (suites->suites[i+1] == TLS_SM4_GCM_SM3))
5042
            return;
5043
    #endif
5044
    #ifdef BUILD_TLS_SM4_CCM_SM3
5045
        if ((suites->suites[i] == CIPHER_BYTE) &&
5046
            (suites->suites[i+1] == TLS_SM4_CCM_SM3))
5047
            return;
5048
    #endif
5049
    #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3
5050
        if ((suites->suites[i] == SM_BYTE) &&
5051
            (suites->suites[i+1] == TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3))
5052
            return;
5053
    #endif
5054
        if ((suites->suites[i] == ECC_BYTE) ||
5055
            (suites->suites[i] == ECDHE_PSK_BYTE) ||
5056
            (suites->suites[i] == CHACHA_BYTE)) {
5057
        #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
5058
                                                          defined(HAVE_CURVE448)
5059
            return;
5060
        #endif
5061
        }
5062
        #ifdef HAVE_FFDHE
5063
        else {
5064
            return;
5065
        }
5066
        #endif
5067
    }
5068
5069
    /* turns semaphore on to avoid sending this extension. */
5070
    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
5071
}
5072
#endif
5073
5074
/* Only send PointFormats if TLSv13, ECC or CHACHA cipher suite present.
5075
 */
5076
static void TLSX_PointFormat_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
5077
0
{
5078
0
#ifdef HAVE_FFDHE
5079
0
    (void)ssl;
5080
0
    (void)semaphore;
5081
#else
5082
    word16 i;
5083
    const Suites* suites = WOLFSSL_SUITES(ssl);
5084
5085
    if (suites == NULL)
5086
        return;
5087
5088
    for (i = 0; i < suites->suiteSz; i += 2) {
5089
        if (suites->suites[i] == TLS13_BYTE)
5090
            return;
5091
    #ifdef BUILD_TLS_SM4_GCM_SM3
5092
        if ((suites->suites[i] == CIPHER_BYTE) &&
5093
            (suites->suites[i+1] == TLS_SM4_GCM_SM3))
5094
            return;
5095
    #endif
5096
    #ifdef BUILD_TLS_SM4_CCM_SM3
5097
        if ((suites->suites[i] == CIPHER_BYTE) &&
5098
            (suites->suites[i+1] == TLS_SM4_CCM_SM3))
5099
            return;
5100
    #endif
5101
    #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3
5102
        if ((suites->suites[i] == SM_BYTE) &&
5103
            (suites->suites[i+1] == TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3))
5104
            return;
5105
    #endif
5106
        if ((suites->suites[i] == ECC_BYTE) ||
5107
            (suites->suites[i] == ECDHE_PSK_BYTE) ||
5108
            (suites->suites[i] == CHACHA_BYTE)) {
5109
        #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
5110
                                                          defined(HAVE_CURVE448)
5111
            return;
5112
        #endif
5113
        }
5114
    }
5115
   /* turns semaphore on to avoid sending this extension. */
5116
   TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
5117
#endif
5118
0
}
5119
5120
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
5121
5122
#ifndef NO_WOLFSSL_SERVER
5123
5124
static void TLSX_PointFormat_ValidateResponse(WOLFSSL* ssl, byte* semaphore)
5125
0
{
5126
0
#if defined(HAVE_FFDHE) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
5127
0
                                                          defined(HAVE_CURVE448)
5128
0
    (void)semaphore;
5129
0
#endif
5130
5131
0
    if (ssl->options.cipherSuite0 == TLS13_BYTE)
5132
0
        return;
5133
#ifdef BUILD_TLS_SM4_GCM_SM3
5134
    if ((ssl->options.cipherSuite0 == CIPHER_BYTE) &&
5135
        (ssl->options.cipherSuite == TLS_SM4_GCM_SM3))
5136
        return;
5137
#endif
5138
#ifdef BUILD_TLS_SM4_CCM_SM3
5139
    if ((ssl->options.cipherSuite0 == CIPHER_BYTE) &&
5140
        (ssl->options.cipherSuite == TLS_SM4_CCM_SM3))
5141
        return;
5142
#endif
5143
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3
5144
    if ((ssl->options.cipherSuite0 == SM_BYTE) &&
5145
        (ssl->options.cipherSuite == TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3))
5146
        return;
5147
#endif
5148
0
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
5149
0
    if (ssl->options.cipherSuite0 == ECC_BYTE ||
5150
0
        ssl->options.cipherSuite0 == ECDHE_PSK_BYTE ||
5151
0
        ssl->options.cipherSuite0 == CHACHA_BYTE) {
5152
0
        return;
5153
0
    }
5154
0
#endif
5155
5156
    /* turns semaphore on to avoid sending this extension. */
5157
0
    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
5158
0
}
5159
5160
#endif /* !NO_WOLFSSL_SERVER */
5161
5162
#if !defined(NO_WOLFSSL_CLIENT) || defined(WOLFSSL_TLS13)
5163
5164
static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list)
5165
0
{
5166
0
    SupportedCurve* curve;
5167
0
    word16 length = OPAQUE16_LEN; /* list length */
5168
5169
0
    while ((curve = list)) {
5170
0
        list = curve->next;
5171
0
        length += OPAQUE16_LEN; /* curve length */
5172
0
    }
5173
5174
0
    return length;
5175
0
}
5176
5177
#endif
5178
5179
static word16 TLSX_PointFormat_GetSize(PointFormat* list)
5180
0
{
5181
0
    PointFormat* point;
5182
0
    word16 length = ENUM_LEN; /* list length */
5183
5184
0
    while ((point = list)) {
5185
0
        list = point->next;
5186
0
        length += ENUM_LEN; /* format length */
5187
0
    }
5188
5189
0
    return length;
5190
0
}
5191
5192
#if !defined(NO_WOLFSSL_CLIENT) || defined(WOLFSSL_TLS13)
5193
5194
static word16 TLSX_SupportedCurve_Write(SupportedCurve* list, byte* output)
5195
0
{
5196
0
    word16 offset = OPAQUE16_LEN;
5197
5198
0
    while (list) {
5199
0
        c16toa(list->name, output + offset);
5200
0
        offset += OPAQUE16_LEN;
5201
0
        list = list->next;
5202
0
    }
5203
5204
0
    c16toa(offset - OPAQUE16_LEN, output); /* writing list length */
5205
5206
0
    return offset;
5207
0
}
5208
5209
#endif
5210
5211
static word16 TLSX_PointFormat_Write(PointFormat* list, byte* output)
5212
0
{
5213
0
    word16 offset = ENUM_LEN;
5214
5215
0
    while (list) {
5216
0
        output[offset++] = list->format;
5217
0
        list = list->next;
5218
0
    }
5219
5220
0
    output[0] = (byte)(offset - ENUM_LEN);
5221
5222
0
    return offset;
5223
0
}
5224
5225
#if !defined(NO_WOLFSSL_SERVER) || (defined(WOLFSSL_TLS13) && \
5226
                                         !defined(WOLFSSL_NO_SERVER_GROUPS_EXT))
5227
5228
int TLSX_SupportedCurve_Parse(const WOLFSSL* ssl, const byte* input,
5229
                              word16 length, byte isRequest, TLSX** extensions)
5230
0
{
5231
0
    word16 offset;
5232
0
    word16 name;
5233
0
    int ret = 0;
5234
0
    TLSX* extension;
5235
5236
0
    if(!isRequest && !IsAtLeastTLSv1_3(ssl->version)) {
5237
#ifdef WOLFSSL_ALLOW_SERVER_SC_EXT
5238
        return 0;
5239
#else
5240
0
        return BUFFER_ERROR; /* servers doesn't send this extension. */
5241
0
#endif
5242
0
    }
5243
0
    if (OPAQUE16_LEN > length || length % OPAQUE16_LEN)
5244
0
        return BUFFER_ERROR;
5245
0
    ato16(input, &offset);
5246
    /* validating curve list length */
5247
0
    if (length != OPAQUE16_LEN + offset)
5248
0
        return BUFFER_ERROR;
5249
0
    offset = OPAQUE16_LEN;
5250
0
    if (offset == length) {
5251
        /* An empty named group list is malformed (named_group_list<2..2^16-1>,
5252
         * RFC 8422 / RFC 8446). BUFFER_ERROR yields a decode_error alert (see
5253
         * TranslateErrorToAlert()). Accepting it would also make an explicit
5254
         * empty extension look absent and impose no group restriction. */
5255
0
        return BUFFER_ERROR;
5256
0
    }
5257
5258
0
    extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
5259
0
    if (extension == NULL) {
5260
        /* Just accept what the peer wants to use */
5261
0
        for (; offset < length; offset += OPAQUE16_LEN) {
5262
0
            ato16(input + offset, &name);
5263
5264
0
            ret = TLSX_UseSupportedCurve(extensions, name, ssl->heap,
5265
0
                                         ssl->options.side);
5266
            /* If it is BAD_FUNC_ARG then it is a group we do not support, but
5267
             * that is fine. */
5268
0
            if (ret != WOLFSSL_SUCCESS &&
5269
0
                    ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG))
5270
0
                break;
5271
0
            ret = 0;
5272
0
        }
5273
        /* All advertised groups are unsupported, so no node was added above.
5274
         * Record an empty node so suite selection still sees the restriction
5275
         * (e.g. ECC/ECDHE must not be chosen) instead of treating the
5276
         * extension as absent. */
5277
0
        if (ret == 0 && isRequest &&
5278
0
                TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS) == NULL) {
5279
0
            ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, NULL, ssl->heap);
5280
0
        }
5281
0
    }
5282
0
    else {
5283
        /* Find the intersection with what the user has set */
5284
0
        SupportedCurve* commonCurves = NULL;
5285
0
        for (; offset < length; offset += OPAQUE16_LEN) {
5286
0
            SupportedCurve* foundCurve = (SupportedCurve*)extension->data;
5287
0
            ato16(input + offset, &name);
5288
5289
0
            while (foundCurve != NULL && foundCurve->name != name)
5290
0
                foundCurve = foundCurve->next;
5291
5292
0
            if (foundCurve != NULL) {
5293
0
                ret = commonCurves == NULL ?
5294
0
                      TLSX_SupportedCurve_New(&commonCurves, name, ssl->heap) :
5295
0
                      TLSX_SupportedCurve_Append(commonCurves, name, ssl->heap);
5296
0
                if (ret != 0)
5297
0
                    break;
5298
0
            }
5299
0
        }
5300
        /* If no common curves return error. In TLS 1.3 we can still try to save
5301
         * this by using HRR. */
5302
0
        if (ret == 0 && commonCurves == NULL &&
5303
0
                !IsAtLeastTLSv1_3(ssl->version))
5304
0
            ret = ECC_CURVE_ERROR;
5305
0
        if (ret == 0) {
5306
            /* Now swap out the curves in the extension */
5307
0
            TLSX_SupportedCurve_FreeAll((SupportedCurve*)extension->data,
5308
0
                                        ssl->heap);
5309
0
            extension->data = commonCurves;
5310
0
            commonCurves = NULL;
5311
0
        }
5312
0
        TLSX_SupportedCurve_FreeAll(commonCurves, ssl->heap);
5313
0
    }
5314
5315
0
    return ret;
5316
0
}
5317
#endif
5318
5319
#if !defined(NO_WOLFSSL_SERVER)
5320
5321
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
5322
5323
/* Checks the priority of the groups on the server and set the supported groups
5324
 * response if there is a group not advertised by the client that is preferred.
5325
 *
5326
 * ssl  SSL/TLS object.
5327
 * returns 0 on success, otherwise an error.
5328
 */
5329
int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl)
5330
0
{
5331
0
    int ret;
5332
0
    TLSX* extension;
5333
0
    TLSX* priority = NULL;
5334
0
    TLSX* ext = NULL;
5335
0
    word16 name;
5336
0
    SupportedCurve* curve;
5337
5338
0
    extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
5339
    /* May be doing PSK with no key exchange. */
5340
0
    if (extension == NULL)
5341
0
        return 0;
5342
5343
0
    ret = TLSX_PopulateSupportedGroups(ssl, &priority);
5344
0
    if (ret != WOLFSSL_SUCCESS) {
5345
0
        TLSX_FreeAll(priority, ssl->heap);
5346
0
        return ret;
5347
0
    }
5348
5349
0
    ext = TLSX_Find(priority, TLSX_SUPPORTED_GROUPS);
5350
0
    if (ext == NULL) {
5351
0
        WOLFSSL_MSG("Could not find supported groups extension");
5352
0
        TLSX_FreeAll(priority, ssl->heap);
5353
0
        return 0;
5354
0
    }
5355
5356
0
    curve = (SupportedCurve*)ext->data;
5357
0
    name = curve->name;
5358
5359
0
    curve = (SupportedCurve*)extension->data;
5360
0
    while (curve != NULL) {
5361
0
        if (curve->name == name)
5362
0
            break;
5363
0
        curve = curve->next;
5364
0
    }
5365
5366
0
    if (curve == NULL) {
5367
        /* Couldn't find the preferred group in client list. */
5368
0
        extension->resp = 1;
5369
5370
        /* Send server list back and free client list. */
5371
0
        curve = (SupportedCurve*)extension->data;
5372
0
        extension->data = ext->data;
5373
0
        ext->data = curve;
5374
0
    }
5375
5376
0
    TLSX_FreeAll(priority, ssl->heap);
5377
5378
0
    return 0;
5379
0
}
5380
5381
#endif /* WOLFSSL_TLS13 && !WOLFSSL_NO_SERVER_GROUPS_EXT */
5382
5383
#if defined(HAVE_FFDHE) && !defined(WOLFSSL_NO_TLS12)
5384
#ifdef HAVE_PUBLIC_FFDHE
5385
static int tlsx_ffdhe_find_group(WOLFSSL* ssl, SupportedCurve* clientGroup,
5386
    SupportedCurve* serverGroup)
5387
0
{
5388
0
    int ret = 0;
5389
0
    SupportedCurve* group;
5390
0
    const DhParams* params = NULL;
5391
5392
0
    for (; serverGroup != NULL; serverGroup = serverGroup->next) {
5393
0
        if (!WOLFSSL_NAMED_GROUP_IS_FFDHE(serverGroup->name))
5394
0
            continue;
5395
5396
0
        for (group = clientGroup; group != NULL; group = group->next) {
5397
0
            if (serverGroup->name != group->name)
5398
0
                continue;
5399
5400
0
            switch (serverGroup->name) {
5401
0
            #ifdef HAVE_FFDHE_2048
5402
0
                case WOLFSSL_FFDHE_2048:
5403
0
                    params = wc_Dh_ffdhe2048_Get();
5404
0
                    break;
5405
0
            #endif
5406
            #ifdef HAVE_FFDHE_3072
5407
                case WOLFSSL_FFDHE_3072:
5408
                    params = wc_Dh_ffdhe3072_Get();
5409
                    break;
5410
            #endif
5411
            #ifdef HAVE_FFDHE_4096
5412
                case WOLFSSL_FFDHE_4096:
5413
                    params = wc_Dh_ffdhe4096_Get();
5414
                    break;
5415
            #endif
5416
            #ifdef HAVE_FFDHE_6144
5417
                case WOLFSSL_FFDHE_6144:
5418
                    params = wc_Dh_ffdhe6144_Get();
5419
                    break;
5420
            #endif
5421
            #ifdef HAVE_FFDHE_8192
5422
                case WOLFSSL_FFDHE_8192:
5423
                    params = wc_Dh_ffdhe8192_Get();
5424
                    break;
5425
            #endif
5426
0
                default:
5427
0
                    break;
5428
0
            }
5429
0
            if (params == NULL) {
5430
0
                ret = BAD_FUNC_ARG;
5431
0
                break;
5432
0
            }
5433
0
            if (params->p_len >= ssl->options.minDhKeySz &&
5434
0
                                     params->p_len <= ssl->options.maxDhKeySz) {
5435
0
                break;
5436
0
            }
5437
0
        }
5438
5439
0
        if (ret != 0)
5440
0
            break;
5441
0
        if ((group != NULL) && (serverGroup->name == group->name))
5442
0
            break;
5443
0
    }
5444
5445
0
    if ((ret == 0) && (serverGroup != NULL) && (params != NULL)) {
5446
0
        ssl->buffers.serverDH_P.buffer = (unsigned char *)params->p;
5447
0
        ssl->buffers.serverDH_P.length = params->p_len;
5448
0
        ssl->buffers.serverDH_G.buffer = (unsigned char *)params->g;
5449
0
        ssl->buffers.serverDH_G.length = params->g_len;
5450
5451
0
        ssl->namedGroup = serverGroup->name;
5452
0
    #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
5453
0
        !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
5454
0
        ssl->options.dhDoKeyTest = 0;
5455
0
    #endif
5456
0
        ssl->options.haveDH = 1;
5457
0
    }
5458
5459
0
    return ret;
5460
0
}
5461
#else
5462
static int tlsx_ffdhe_find_group(WOLFSSL* ssl, SupportedCurve* clientGroup,
5463
    SupportedCurve* serverGroup)
5464
{
5465
    int ret = 0;
5466
    SupportedCurve* group;
5467
    word32 p_len;
5468
5469
    for (; serverGroup != NULL; serverGroup = serverGroup->next) {
5470
        if (!WOLFSSL_NAMED_GROUP_IS_FFDHE(serverGroup->name))
5471
            continue;
5472
5473
        for (group = clientGroup; group != NULL; group = group->next) {
5474
            if (serverGroup->name != group->name)
5475
                continue;
5476
5477
            ret = wc_DhGetNamedKeyParamSize(serverGroup->name, &p_len, NULL, NULL);
5478
            if (ret == 0) {
5479
                if (p_len == 0) {
5480
                    ret = BAD_FUNC_ARG;
5481
                    break;
5482
                }
5483
                if (p_len >= ssl->options.minDhKeySz &&
5484
                                                p_len <= ssl->options.maxDhKeySz) {
5485
                    break;
5486
                }
5487
            }
5488
        }
5489
5490
        if (ret != 0)
5491
            break;
5492
        if ((group != NULL) && (serverGroup->name == group->name))
5493
            break;
5494
    }
5495
5496
    if ((ret == 0) && (serverGroup != NULL)) {
5497
        word32 pSz, gSz;
5498
5499
        ssl->buffers.serverDH_P.buffer = NULL;
5500
        ssl->buffers.serverDH_G.buffer = NULL;
5501
        ret = wc_DhGetNamedKeyParamSize(serverGroup->name, &pSz, &gSz, NULL);
5502
        if (ret == 0) {
5503
            ssl->buffers.serverDH_P.buffer =
5504
                (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
5505
            if (ssl->buffers.serverDH_P.buffer == NULL)
5506
                ret = MEMORY_E;
5507
            else
5508
                ssl->buffers.serverDH_P.length = pSz;
5509
        }
5510
        if (ret == 0) {
5511
            ssl->buffers.serverDH_G.buffer =
5512
                (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
5513
            if (ssl->buffers.serverDH_G.buffer == NULL) {
5514
                ret = MEMORY_E;
5515
            } else
5516
                ssl->buffers.serverDH_G.length = gSz;
5517
        }
5518
        if (ret == 0) {
5519
            ret = wc_DhCopyNamedKey(serverGroup->name,
5520
                              ssl->buffers.serverDH_P.buffer, &pSz,
5521
                              ssl->buffers.serverDH_G.buffer, &gSz,
5522
                              NULL, NULL);
5523
        }
5524
        if (ret == 0) {
5525
            ssl->buffers.weOwnDH = 1;
5526
5527
            ssl->namedGroup = serverGroup->name;
5528
        #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
5529
            !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
5530
            ssl->options.dhDoKeyTest = 0;
5531
        #endif
5532
            ssl->options.haveDH = 1;
5533
        }
5534
        else {
5535
            if (ssl->buffers.serverDH_P.buffer != NULL) {
5536
                XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
5537
                    DYNAMIC_TYPE_PUBLIC_KEY);
5538
                ssl->buffers.serverDH_P.length = 0;
5539
                ssl->buffers.serverDH_P.buffer = NULL;
5540
            }
5541
            if (ssl->buffers.serverDH_G.buffer != NULL) {
5542
                XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
5543
                    DYNAMIC_TYPE_PUBLIC_KEY);
5544
                ssl->buffers.serverDH_G.length = 0;
5545
                ssl->buffers.serverDH_G.buffer = NULL;
5546
            }
5547
        }
5548
    }
5549
5550
    return ret;
5551
}
5552
#endif
5553
5554
/* Set the highest priority common FFDHE group on the server as compared to
5555
 * client extensions.
5556
 *
5557
 * ssl    SSL/TLS object.
5558
 * returns 0 on success, otherwise an error.
5559
 */
5560
int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl)
5561
0
{
5562
0
    int ret;
5563
0
    TLSX* priority = NULL;
5564
0
    TLSX* ext = NULL;
5565
0
    TLSX* extension;
5566
0
    SupportedCurve* clientGroup;
5567
0
    SupportedCurve* group;
5568
0
    int found = 0;
5569
5570
0
    extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
5571
    /* May be doing PSK with no key exchange. */
5572
0
    if (extension == NULL)
5573
0
        return 0;
5574
0
    clientGroup = (SupportedCurve*)extension->data;
5575
0
    for (group = clientGroup; group != NULL; group = group->next) {
5576
0
        if (WOLFSSL_NAMED_GROUP_IS_FFDHE(group->name)) {
5577
0
            found = 1;
5578
0
            break;
5579
0
        }
5580
0
    }
5581
0
    if (!found)
5582
0
        return 0;
5583
5584
0
    if (ssl->buffers.serverDH_P.buffer && ssl->buffers.weOwnDH) {
5585
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
5586
0
                                                       DYNAMIC_TYPE_PUBLIC_KEY);
5587
0
    }
5588
0
    if (ssl->buffers.serverDH_G.buffer && ssl->buffers.weOwnDH) {
5589
0
        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
5590
0
                                                       DYNAMIC_TYPE_PUBLIC_KEY);
5591
0
    }
5592
0
    ssl->buffers.serverDH_P.buffer = NULL;
5593
0
    ssl->buffers.serverDH_G.buffer = NULL;
5594
0
    ssl->buffers.weOwnDH = 0;
5595
0
    ssl->options.haveDH = 0;
5596
5597
0
    ret = TLSX_PopulateSupportedGroups(ssl, &priority);
5598
0
    if (ret == WOLFSSL_SUCCESS) {
5599
0
        SupportedCurve* serverGroup;
5600
5601
0
        ext = TLSX_Find(priority, TLSX_SUPPORTED_GROUPS);
5602
0
        if (ext == NULL) {
5603
0
            WOLFSSL_MSG("Could not find supported groups extension");
5604
0
            ret = 0;
5605
0
        }
5606
0
        else {
5607
0
            serverGroup = (SupportedCurve*)ext->data;
5608
0
            ret = tlsx_ffdhe_find_group(ssl, clientGroup, serverGroup);
5609
0
        }
5610
0
    }
5611
5612
0
    TLSX_FreeAll(priority, ssl->heap);
5613
5614
0
    return ret;
5615
0
}
5616
#endif /* HAVE_FFDHE && !WOLFSSL_NO_TLS12 */
5617
#endif /* !NO_WOLFSSL_SERVER */
5618
5619
/* Check if the given curve is present in the supported groups extension.
5620
 *
5621
 * ssl             SSL/TLS object.
5622
 * name            The curve name to check.
5623
 * returns 1 if present, 0 otherwise.
5624
 */
5625
int TLSX_SupportedCurve_IsSupported(WOLFSSL* ssl, word16 name)
5626
0
{
5627
0
    TLSX* extension;
5628
0
    SupportedCurve* curve;
5629
5630
0
    extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
5631
0
    if (extension == NULL)
5632
0
        return 0;
5633
5634
0
    curve = (SupportedCurve*)extension->data;
5635
0
    while (curve != NULL) {
5636
0
        if (curve->name == name)
5637
0
            return 1;
5638
0
        curve = curve->next;
5639
0
    }
5640
5641
0
    return 0;
5642
0
}
5643
5644
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)
5645
/* Return the preferred group.
5646
 *
5647
 * ssl             SSL/TLS object.
5648
 * checkSupported  Whether to check for the first supported group.
5649
 * returns BAD_FUNC_ARG if no group found, otherwise the group.
5650
 */
5651
int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl, int checkSupported)
5652
0
{
5653
0
    TLSX* extension;
5654
0
    SupportedCurve* curve;
5655
5656
0
    extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
5657
0
    if (extension == NULL)
5658
0
        return BAD_FUNC_ARG;
5659
5660
0
    curve = (SupportedCurve*)extension->data;
5661
0
    while (curve != NULL) {
5662
0
        if (!checkSupported ||
5663
0
                TLSX_IsGroupSupported(curve->name, ssl->options.side))
5664
0
            return curve->name;
5665
0
        curve = curve->next;
5666
0
    }
5667
5668
0
    return BAD_FUNC_ARG;
5669
0
}
5670
5671
#endif /* HAVE_SUPPORTED_CURVES */
5672
5673
#ifndef NO_WOLFSSL_SERVER
5674
5675
static int TLSX_PointFormat_Parse(WOLFSSL* ssl, const byte* input,
5676
                                  word16 length, byte isRequest)
5677
0
{
5678
0
    int ret;
5679
5680
    /* validating formats list length */
5681
0
    if (ENUM_LEN > length || length != (word16)ENUM_LEN + input[0])
5682
0
        return BUFFER_ERROR;
5683
5684
0
    if (isRequest) {
5685
0
    #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SUPPORTED_CURVES)
5686
        /* RFC 8422 Section 5.1.2: a client that sends the ec_point_formats
5687
         * extension MUST include the uncompressed (0) format. Record whether
5688
         * it is missing so DoClientHello() can abort with an illegal_parameter
5689
         * alert if the client also advertised ECC named groups. The decision
5690
         * is deferred to after all extensions are parsed so it does not depend
5691
         * on the relative order of the supported_groups and ec_point_formats
5692
         * extensions in the ClientHello. */
5693
0
        word16 i;
5694
0
        int found = 0;
5695
5696
0
        for (i = 0; i < input[0]; i++) {
5697
0
            if (input[ENUM_LEN + i] == WOLFSSL_EC_PF_UNCOMPRESSED) {
5698
0
                found = 1;
5699
0
                break;
5700
0
            }
5701
0
        }
5702
0
        ssl->options.peerNoUncompPF = (found == 0);
5703
0
    #endif
5704
5705
        /* adding uncompressed point format to response */
5706
0
        ret = TLSX_UsePointFormat(&ssl->extensions, WOLFSSL_EC_PF_UNCOMPRESSED,
5707
0
                                                                     ssl->heap);
5708
0
        if (ret != WOLFSSL_SUCCESS)
5709
0
            return ret; /* throw error */
5710
5711
0
        TLSX_SetResponse(ssl, TLSX_EC_POINT_FORMATS);
5712
0
    }
5713
5714
0
    return 0;
5715
0
}
5716
5717
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
5718
int TLSX_ValidateSupportedCurves(const WOLFSSL* ssl, byte first, byte second,
5719
0
                                 word32* ecdhCurveOID) {
5720
0
    TLSX*           extension = NULL;
5721
0
    SupportedCurve* curve     = NULL;
5722
0
    word32          oid       = 0;
5723
0
    word32          defOid    = 0;
5724
0
    word32          defSz     = 80; /* Maximum known curve size is 66. */
5725
0
    word32          nextOid   = 0;
5726
0
    word32          nextSz    = 80; /* Maximum known curve size is 66. */
5727
0
    word32          currOid   = ssl->ecdhCurveOID;
5728
0
    int             ephmSuite = 0;
5729
0
    word16          octets    = 0; /* according to 'ecc_set_type ecc_sets[];' */
5730
0
    int             key       = 0; /* validate key       */
5731
0
    int             foundCurve = 0; /* Found at least one supported curve */
5732
5733
0
    (void)oid;
5734
5735
0
    if (first == CHACHA_BYTE) {
5736
0
        switch (second) {
5737
0
            case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
5738
0
            case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256:
5739
0
            case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
5740
0
            case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
5741
0
                return 1; /* no suite restriction */
5742
0
            case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:
5743
0
            case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256:
5744
0
            case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256:
5745
0
                break;
5746
0
        }
5747
0
    }
5748
0
    if (first == ECC_BYTE || first == ECDHE_PSK_BYTE || first == CHACHA_BYTE)
5749
0
        extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS);
5750
0
    if (!extension)
5751
0
        return 1; /* no suite restriction */
5752
5753
0
    for (curve = (SupportedCurve*)extension->data;
5754
0
         curve && !key;
5755
0
         curve = curve->next) {
5756
5757
    #ifdef OPENSSL_EXTRA
5758
        /* skip if name is not in supported ECC range
5759
         * or disabled by user */
5760
        if (wolfSSL_curve_is_disabled(ssl, curve->name))
5761
            continue;
5762
    #endif
5763
5764
        /* find supported curve */
5765
0
        switch (curve->name) {
5766
0
#ifdef HAVE_ECC
5767
    #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
5768
        #ifndef NO_ECC_SECP
5769
            case WOLFSSL_ECC_SECP160R1:
5770
                oid = ECC_SECP160R1_OID;
5771
                octets = 20;
5772
                break;
5773
        #endif /* !NO_ECC_SECP */
5774
        #ifdef HAVE_ECC_SECPR2
5775
            case WOLFSSL_ECC_SECP160R2:
5776
                oid = ECC_SECP160R2_OID;
5777
                octets = 20;
5778
                break;
5779
        #endif /* HAVE_ECC_SECPR2 */
5780
        #ifdef HAVE_ECC_KOBLITZ
5781
            case WOLFSSL_ECC_SECP160K1:
5782
                oid = ECC_SECP160K1_OID;
5783
                octets = 20;
5784
                break;
5785
        #endif /* HAVE_ECC_KOBLITZ */
5786
        #endif
5787
    #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
5788
        #ifndef NO_ECC_SECP
5789
            case WOLFSSL_ECC_SECP192R1:
5790
                oid = ECC_SECP192R1_OID;
5791
                octets = 24;
5792
                break;
5793
        #endif /* !NO_ECC_SECP */
5794
        #ifdef HAVE_ECC_KOBLITZ
5795
            case WOLFSSL_ECC_SECP192K1:
5796
                oid = ECC_SECP192K1_OID;
5797
                octets = 24;
5798
                break;
5799
        #endif /* HAVE_ECC_KOBLITZ */
5800
    #endif
5801
0
    #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
5802
0
        #ifndef NO_ECC_SECP
5803
0
            case WOLFSSL_ECC_SECP224R1:
5804
0
                oid = ECC_SECP224R1_OID;
5805
0
                octets = 28;
5806
0
                break;
5807
0
        #endif /* !NO_ECC_SECP */
5808
        #ifdef HAVE_ECC_KOBLITZ
5809
            case WOLFSSL_ECC_SECP224K1:
5810
                oid = ECC_SECP224K1_OID;
5811
                octets = 28;
5812
                break;
5813
        #endif /* HAVE_ECC_KOBLITZ */
5814
0
    #endif
5815
0
    #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
5816
0
        #ifndef NO_ECC_SECP
5817
0
            case WOLFSSL_ECC_SECP256R1:
5818
0
                oid = ECC_SECP256R1_OID;
5819
0
                octets = 32;
5820
0
                break;
5821
0
        #endif /* !NO_ECC_SECP */
5822
0
    #endif /* !NO_ECC256 || HAVE_ALL_CURVES */
5823
0
#endif
5824
        #if (defined(HAVE_CURVE25519) || defined(HAVE_ED25519)) && ECC_MIN_KEY_SZ <= 256
5825
            case WOLFSSL_ECC_X25519:
5826
                oid = ECC_X25519_OID;
5827
                octets = 32;
5828
                break;
5829
        #endif /* HAVE_CURVE25519 */
5830
0
#ifdef HAVE_ECC
5831
0
    #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
5832
        #ifdef HAVE_ECC_KOBLITZ
5833
            case WOLFSSL_ECC_SECP256K1:
5834
                oid = ECC_SECP256K1_OID;
5835
                octets = 32;
5836
                break;
5837
        #endif /* HAVE_ECC_KOBLITZ */
5838
        #ifdef HAVE_ECC_BRAINPOOL
5839
            case WOLFSSL_ECC_BRAINPOOLP256R1:
5840
                oid = ECC_BRAINPOOLP256R1_OID;
5841
                octets = 32;
5842
                break;
5843
        #endif /* HAVE_ECC_BRAINPOOL */
5844
        #ifdef WOLFSSL_SM2
5845
            case WOLFSSL_ECC_SM2P256V1:
5846
                oid = ECC_SM2P256V1_OID;
5847
                octets = 32;
5848
                break;
5849
        #endif /* WOLFSSL_SM2 */
5850
0
    #endif
5851
0
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
5852
0
        #ifndef NO_ECC_SECP
5853
0
            case WOLFSSL_ECC_SECP384R1:
5854
0
                oid = ECC_SECP384R1_OID;
5855
0
                octets = 48;
5856
0
                break;
5857
0
        #endif /* !NO_ECC_SECP */
5858
        #ifdef HAVE_ECC_BRAINPOOL
5859
            case WOLFSSL_ECC_BRAINPOOLP384R1:
5860
                oid = ECC_BRAINPOOLP384R1_OID;
5861
                octets = 48;
5862
                break;
5863
        #endif /* HAVE_ECC_BRAINPOOL */
5864
0
    #endif
5865
0
#endif
5866
        #if (defined(HAVE_CURVE448) || defined(HAVE_ED448)) && ECC_MIN_KEY_SZ <= 448
5867
            case WOLFSSL_ECC_X448:
5868
                oid = ECC_X448_OID;
5869
                octets = 57;
5870
                break;
5871
        #endif /* HAVE_CURVE448 */
5872
0
#ifdef HAVE_ECC
5873
0
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
5874
        #ifdef HAVE_ECC_BRAINPOOL
5875
            case WOLFSSL_ECC_BRAINPOOLP512R1:
5876
                oid = ECC_BRAINPOOLP512R1_OID;
5877
                octets = 64;
5878
                break;
5879
        #endif /* HAVE_ECC_BRAINPOOL */
5880
0
    #endif
5881
0
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
5882
0
        #ifndef NO_ECC_SECP
5883
0
            case WOLFSSL_ECC_SECP521R1:
5884
0
                oid = ECC_SECP521R1_OID;
5885
0
                octets = 66;
5886
0
                break;
5887
0
        #endif /* !NO_ECC_SECP */
5888
0
    #endif
5889
0
#endif
5890
0
            default: continue; /* unsupported curve */
5891
0
        }
5892
5893
0
        foundCurve = 1;
5894
5895
0
    #ifdef HAVE_ECC
5896
        /* Set default Oid */
5897
0
        if (defOid == 0 && ssl->eccTempKeySz <= octets && defSz > octets) {
5898
0
            defOid = oid;
5899
0
            defSz = octets;
5900
0
        }
5901
5902
        /* The eccTempKeySz is the preferred ephemeral key size */
5903
0
        if (currOid == 0 && ssl->eccTempKeySz == octets)
5904
0
            currOid = oid;
5905
0
        if ((nextOid == 0 || nextSz > octets) && ssl->eccTempKeySz <= octets) {
5906
0
            nextOid = oid;
5907
0
            nextSz  = octets;
5908
0
        }
5909
    #else
5910
        if (defOid == 0 && defSz > octets) {
5911
            defOid = oid;
5912
            defSz = octets;
5913
        }
5914
5915
        if (currOid == 0)
5916
            currOid = oid;
5917
        if (nextOid == 0 || nextSz > octets) {
5918
            nextOid = oid;
5919
            nextSz  = octets;
5920
        }
5921
    #endif
5922
5923
0
        if (first == ECC_BYTE) {
5924
0
            switch (second) {
5925
0
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
5926
                /* ECDHE_ECDSA */
5927
0
                case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
5928
0
                case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
5929
0
                case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
5930
0
                case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
5931
0
                case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
5932
0
                case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
5933
0
                case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
5934
0
                case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
5935
0
                case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
5936
0
                case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
5937
0
                    key |= ssl->ecdhCurveOID == oid;
5938
0
                    ephmSuite = 1;
5939
0
                break;
5940
5941
    #ifdef WOLFSSL_STATIC_DH
5942
                /* ECDH_ECDSA */
5943
                case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
5944
                case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
5945
                case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
5946
                case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
5947
                case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
5948
                case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
5949
                case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
5950
                case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
5951
                    if (oid == ECC_X25519_OID && defOid == oid) {
5952
                        defOid = 0;
5953
                        defSz = 80;
5954
                    }
5955
                    if (oid == ECC_X448_OID && defOid == oid) {
5956
                        defOid = 0;
5957
                        defSz = 80;
5958
                    }
5959
                    key |= ssl->pkCurveOID == oid;
5960
                break;
5961
    #endif /* WOLFSSL_STATIC_DH */
5962
0
#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
5963
0
#ifndef NO_RSA
5964
                /* ECDHE_RSA */
5965
0
                case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
5966
0
                case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
5967
0
                case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
5968
0
                case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
5969
0
                case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
5970
0
                case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
5971
0
                case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
5972
0
                case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
5973
0
                    key |= ssl->ecdhCurveOID == oid;
5974
0
                    ephmSuite = 1;
5975
0
                break;
5976
5977
    #if defined(HAVE_ECC) && defined(WOLFSSL_STATIC_DH)
5978
                /* ECDH_RSA */
5979
                case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
5980
                case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
5981
                case TLS_ECDH_RSA_WITH_RC4_128_SHA:
5982
                case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
5983
                case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
5984
                case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
5985
                case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
5986
                case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
5987
                    if (oid == ECC_X25519_OID && defOid == oid) {
5988
                        defOid = 0;
5989
                        defSz = 80;
5990
                    }
5991
                    if (oid == ECC_X448_OID && defOid == oid) {
5992
                        defOid = 0;
5993
                        defSz = 80;
5994
                    }
5995
                    key |= ssl->pkCurveOID == oid;
5996
                break;
5997
    #endif /* HAVE_ECC && WOLFSSL_STATIC_DH */
5998
0
#endif
5999
0
                default:
6000
0
                    if (oid == ECC_X25519_OID && defOid == oid) {
6001
0
                        defOid = 0;
6002
0
                        defSz = 80;
6003
0
                    }
6004
0
                    if (oid == ECC_X448_OID && defOid == oid) {
6005
0
                        defOid = 0;
6006
0
                        defSz = 80;
6007
0
                    }
6008
0
                    key = 1;
6009
0
                break;
6010
0
            }
6011
0
        }
6012
6013
        /* ChaCha20-Poly1305 ECC cipher suites */
6014
0
        if (first == CHACHA_BYTE) {
6015
0
            switch (second) {
6016
0
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
6017
                /* ECDHE_ECDSA */
6018
0
                case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
6019
0
                case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
6020
0
                    key |= ssl->ecdhCurveOID == oid;
6021
0
                    ephmSuite = 1;
6022
0
                break;
6023
0
#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
6024
0
#ifndef NO_RSA
6025
                /* ECDHE_RSA */
6026
0
                case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
6027
0
                case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
6028
0
                    key |= ssl->ecdhCurveOID == oid;
6029
0
                    ephmSuite = 1;
6030
0
                break;
6031
0
#endif
6032
0
                default:
6033
0
                    key = 1;
6034
0
                break;
6035
0
            }
6036
0
        }
6037
0
    }
6038
6039
    /* Check we found at least one supported curve */
6040
0
    if (!foundCurve)
6041
0
        return 0;
6042
6043
0
    *ecdhCurveOID = ssl->ecdhCurveOID;
6044
    /* Choose the default if it is at the required strength. */
6045
0
#ifdef HAVE_ECC
6046
0
    if (*ecdhCurveOID == 0 && defSz == ssl->eccTempKeySz)
6047
#else
6048
    if (*ecdhCurveOID == 0)
6049
#endif
6050
0
    {
6051
0
        key = 1;
6052
0
        *ecdhCurveOID = defOid;
6053
0
    }
6054
    /* Choose any curve at the required strength. */
6055
0
    if (*ecdhCurveOID == 0) {
6056
0
        key = 1;
6057
0
        *ecdhCurveOID = currOid;
6058
0
    }
6059
    /* Choose the default if it is at the next highest strength. */
6060
0
    if (*ecdhCurveOID == 0 && defSz == nextSz)
6061
0
        *ecdhCurveOID = defOid;
6062
    /* Choose any curve at the next highest strength. */
6063
0
    if (*ecdhCurveOID == 0)
6064
0
        *ecdhCurveOID = nextOid;
6065
    /* No curve and ephemeral ECC suite requires a matching curve. */
6066
0
    if (*ecdhCurveOID == 0 && ephmSuite)
6067
0
        key = 0;
6068
6069
0
    return key;
6070
0
}
6071
#endif
6072
6073
#endif /* NO_WOLFSSL_SERVER */
6074
6075
6076
int TLSX_SupportedCurve_Copy(TLSX* src, TLSX** dst, void* heap)
6077
0
{
6078
0
    TLSX* extension;
6079
0
    int ret;
6080
6081
0
    extension = TLSX_Find(src, TLSX_SUPPORTED_GROUPS);
6082
0
    if (extension != NULL) {
6083
0
        SupportedCurve* curve;
6084
0
        for (curve = (SupportedCurve*)extension->data; curve != NULL;
6085
0
                curve = curve->next) {
6086
            /* Copying an already validated list - don't drop a group based on
6087
             * the side, so accept when either side has the crypto support. */
6088
0
            ret = TLSX_UseSupportedCurve(dst, curve->name, heap,
6089
0
                                         WOLFSSL_NEITHER_END);
6090
0
            if (ret != WOLFSSL_SUCCESS)
6091
0
                return MEMORY_E;
6092
0
        }
6093
0
    }
6094
6095
0
    return 0;
6096
0
}
6097
6098
int TLSX_UseSupportedCurve(TLSX** extensions, word16 name, void* heap, int side)
6099
0
{
6100
0
    TLSX* extension = NULL;
6101
0
    SupportedCurve* curve = NULL;
6102
0
    int ret;
6103
6104
0
    if (extensions == NULL) {
6105
0
        return BAD_FUNC_ARG;
6106
0
    }
6107
6108
0
    if (!TLSX_IsGroupSupported(name, side)) {
6109
0
        return BAD_FUNC_ARG;
6110
0
    }
6111
6112
0
    extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
6113
6114
0
    if (!extension) {
6115
0
        ret = TLSX_SupportedCurve_New(&curve, name, heap);
6116
0
        if (ret != 0)
6117
0
            return ret;
6118
6119
0
        ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, curve, heap);
6120
0
        if (ret != 0) {
6121
0
            XFREE(curve, heap, DYNAMIC_TYPE_TLSX);
6122
0
            return ret;
6123
0
        }
6124
0
    }
6125
0
    else {
6126
0
        ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data, name,
6127
0
                                                                          heap);
6128
0
        if (ret != 0)
6129
0
            return ret;
6130
    #if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \
6131
                                             defined (WOLFSSL_EXTRA_PQC_HYBRIDS)
6132
        if (name == WOLFSSL_SECP256R1MLKEM512) {
6133
            ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data,
6134
                WOLFSSL_P256_ML_KEM_512_OLD, heap);
6135
        }
6136
        else if (name == WOLFSSL_SECP384R1MLKEM768) {
6137
            ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data,
6138
                WOLFSSL_P384_ML_KEM_768_OLD, heap);
6139
        }
6140
        else if (name == WOLFSSL_SECP521R1MLKEM1024) {
6141
            ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data,
6142
                WOLFSSL_P521_ML_KEM_1024_OLD, heap);
6143
        }
6144
        if (ret != 0) {
6145
            return ret;
6146
        }
6147
    #endif /* WOLFSSL_ML_KEM_USE_OLD_IDS && WOLFSSL_EXTRA_PQC_HYBRIDS */
6148
0
    }
6149
6150
0
    return WOLFSSL_SUCCESS;
6151
0
}
6152
6153
int TLSX_UsePointFormat(TLSX** extensions, byte format, void* heap)
6154
0
{
6155
0
    TLSX* extension = NULL;
6156
0
    PointFormat* point = NULL;
6157
0
    int ret = 0;
6158
6159
0
    if (extensions == NULL)
6160
0
        return BAD_FUNC_ARG;
6161
6162
0
    extension = TLSX_Find(*extensions, TLSX_EC_POINT_FORMATS);
6163
6164
0
    if (!extension) {
6165
0
        ret = TLSX_PointFormat_New(&point, format, heap);
6166
0
        if (ret != 0)
6167
0
            return ret;
6168
6169
0
        ret = TLSX_Push(extensions, TLSX_EC_POINT_FORMATS, point, heap);
6170
0
        if (ret != 0) {
6171
0
            XFREE(point, heap, DYNAMIC_TYPE_TLSX);
6172
0
            return ret;
6173
0
        }
6174
0
    }
6175
0
    else {
6176
0
        ret = TLSX_PointFormat_Append((PointFormat*)extension->data, format,
6177
0
                                                                          heap);
6178
0
        if (ret != 0)
6179
0
            return ret;
6180
0
    }
6181
6182
0
    return WOLFSSL_SUCCESS;
6183
0
}
6184
6185
0
#define EC_FREE_ALL         TLSX_SupportedCurve_FreeAll
6186
0
#define EC_VALIDATE_REQUEST TLSX_SupportedCurve_ValidateRequest
6187
6188
/* In TLS 1.2 the server never sends supported curve extension, but in TLS 1.3
6189
 * the server can send supported groups extension to indicate what it will
6190
 * support for later connections. */
6191
#if !defined(NO_WOLFSSL_CLIENT) || defined(WOLFSSL_TLS13)
6192
0
#define EC_GET_SIZE TLSX_SupportedCurve_GetSize
6193
0
#define EC_WRITE    TLSX_SupportedCurve_Write
6194
#else
6195
#define EC_GET_SIZE(list)         0
6196
#define EC_WRITE(a, b)            0
6197
#endif
6198
6199
#if !defined(NO_WOLFSSL_SERVER) || (defined(WOLFSSL_TLS13) && \
6200
                                         !defined(WOLFSSL_NO_SERVER_GROUPS_EXT))
6201
0
#define EC_PARSE TLSX_SupportedCurve_Parse
6202
#else
6203
#define EC_PARSE(a, b, c, d, e)   0
6204
#endif
6205
6206
0
#define PF_FREE_ALL          TLSX_PointFormat_FreeAll
6207
0
#define PF_VALIDATE_REQUEST  TLSX_PointFormat_ValidateRequest
6208
0
#define PF_VALIDATE_RESPONSE TLSX_PointFormat_ValidateResponse
6209
6210
0
#define PF_GET_SIZE TLSX_PointFormat_GetSize
6211
0
#define PF_WRITE    TLSX_PointFormat_Write
6212
6213
#ifndef NO_WOLFSSL_SERVER
6214
0
#define PF_PARSE TLSX_PointFormat_Parse
6215
#else
6216
#define PF_PARSE(a, b, c, d)      0
6217
#endif
6218
6219
#else
6220
6221
#define EC_FREE_ALL(list, heap) WC_DO_NOTHING
6222
#define EC_GET_SIZE(list)         0
6223
#define EC_WRITE(a, b)            0
6224
#define EC_PARSE(a, b, c, d, e)   0
6225
#define EC_VALIDATE_REQUEST(a, b) WC_DO_NOTHING
6226
6227
#define PF_FREE_ALL(list, heap)   WC_DO_NOTHING
6228
#define PF_GET_SIZE(list)         0
6229
#define PF_WRITE(a, b)            0
6230
#define PF_PARSE(a, b, c, d)      0
6231
#define PF_VALIDATE_REQUEST(a, b) WC_DO_NOTHING
6232
#define PF_VALIDATE_RESPONSE(a, b) WC_DO_NOTHING
6233
6234
#endif /* HAVE_SUPPORTED_CURVES */
6235
6236
/******************************************************************************/
6237
/* Renegotiation Indication                                                   */
6238
/******************************************************************************/
6239
6240
#if defined(HAVE_SECURE_RENEGOTIATION) \
6241
 || defined(HAVE_SERVER_RENEGOTIATION_INFO)
6242
6243
static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data,
6244
                                                                  int isRequest)
6245
0
{
6246
0
    byte length = OPAQUE8_LEN; /* empty info length */
6247
6248
    /* data will be NULL for HAVE_SERVER_RENEGOTIATION_INFO only */
6249
0
    if (data && data->enabled && data->verifySet) {
6250
        /* client sends client_verify_data only */
6251
0
        length += TLS_FINISHED_SZ;
6252
6253
        /* server also sends server_verify_data */
6254
0
        if (!isRequest)
6255
0
            length += TLS_FINISHED_SZ;
6256
0
    }
6257
6258
0
    return length;
6259
0
}
6260
6261
static word16 TLSX_SecureRenegotiation_Write(SecureRenegotiation* data,
6262
                                                    byte* output, int isRequest)
6263
0
{
6264
0
    word16 offset = OPAQUE8_LEN; /* RenegotiationInfo length */
6265
0
    if (data && data->enabled && data->verifySet) {
6266
        /* client sends client_verify_data only */
6267
0
        XMEMCPY(output + offset, data->client_verify_data, TLS_FINISHED_SZ);
6268
0
        offset += TLS_FINISHED_SZ;
6269
6270
        /* server also sends server_verify_data */
6271
0
        if (!isRequest) {
6272
0
            XMEMCPY(output + offset, data->server_verify_data, TLS_FINISHED_SZ);
6273
0
            offset += TLS_FINISHED_SZ;
6274
0
        }
6275
0
    }
6276
6277
0
    output[0] = (byte)(offset - 1);  /* info length - self */
6278
6279
0
    return offset;
6280
0
}
6281
6282
static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, const byte* input,
6283
                                          word16 length, byte isRequest)
6284
0
{
6285
0
    int ret = WC_NO_ERR_TRACE(SECURE_RENEGOTIATION_E);
6286
6287
0
    if (length >= OPAQUE8_LEN) {
6288
0
        if (isRequest) {
6289
0
        #ifndef NO_WOLFSSL_SERVER
6290
0
            if (ssl->secure_renegotiation == NULL) {
6291
0
                ret = wolfSSL_UseSecureRenegotiation(ssl);
6292
0
                if (ret == WOLFSSL_SUCCESS)
6293
0
                    ret = 0;
6294
0
            }
6295
            /* renegotiation_info seen (checked by DoClientHello, RFC 5746 3.7) */
6296
0
            if (ssl->secure_renegotiation != NULL)
6297
0
                ssl->secure_renegotiation->renegInfoSeen = 1;
6298
0
            if (ret != 0 && ret != WC_NO_ERR_TRACE(SECURE_RENEGOTIATION_E)) {
6299
0
            }
6300
0
            else if (ssl->secure_renegotiation == NULL) {
6301
0
            }
6302
0
            else if (!ssl->secure_renegotiation->enabled) {
6303
0
                if (*input == 0) {
6304
0
                    input++; /* get past size */
6305
6306
0
                    ssl->secure_renegotiation->enabled = 1;
6307
0
                    TLSX_SetResponse(ssl, TLSX_RENEGOTIATION_INFO);
6308
0
                    ret = 0;
6309
0
                }
6310
0
                else {
6311
                    /* already in error state */
6312
0
                    WOLFSSL_MSG("SCR client verify data present");
6313
0
                }
6314
0
            }
6315
0
            else if (*input == TLS_FINISHED_SZ) {
6316
0
                if (length < TLS_FINISHED_SZ + 1) {
6317
0
                    WOLFSSL_MSG("SCR malformed buffer");
6318
0
                    ret = BUFFER_E;
6319
0
                }
6320
0
                else {
6321
0
                    input++; /* get past size */
6322
6323
                    /* validate client verify data */
6324
0
                    if (ConstantCompare(input,
6325
0
                            ssl->secure_renegotiation->client_verify_data,
6326
0
                            TLS_FINISHED_SZ) == 0) {
6327
0
                        WOLFSSL_MSG("SCR client verify data match");
6328
0
                        TLSX_SetResponse(ssl, TLSX_RENEGOTIATION_INFO);
6329
0
                        ret = 0;  /* verified */
6330
0
                    }
6331
0
                    else {
6332
                        /* already in error state */
6333
0
                        WOLFSSL_MSG("SCR client verify data Failure");
6334
0
                    }
6335
0
                }
6336
0
            }
6337
0
        #endif
6338
0
        }
6339
0
        else if (ssl->secure_renegotiation != NULL) {
6340
0
        #ifndef NO_WOLFSSL_CLIENT
6341
0
            if (!ssl->secure_renegotiation->enabled) {
6342
0
                if (*input == 0) {
6343
0
                    ssl->secure_renegotiation->enabled = 1;
6344
0
                    ret = 0;
6345
0
                }
6346
0
            }
6347
0
            else if (*input == 2 * TLS_FINISHED_SZ &&
6348
0
                     length == 2 * TLS_FINISHED_SZ + OPAQUE8_LEN) {
6349
0
                int cmpRes = 0;
6350
0
                input++;  /* get past size */
6351
0
                cmpRes |= ConstantCompare(input,
6352
0
                        ssl->secure_renegotiation->client_verify_data,
6353
0
                        TLS_FINISHED_SZ);
6354
0
                cmpRes |= ConstantCompare(input + TLS_FINISHED_SZ,
6355
0
                        ssl->secure_renegotiation->server_verify_data,
6356
0
                        TLS_FINISHED_SZ);
6357
                /* validate client and server verify data */
6358
0
                if (cmpRes == 0) {
6359
0
                    WOLFSSL_MSG("SCR client and server verify data match");
6360
0
                    ret = 0;  /* verified */
6361
0
                }
6362
0
                else {
6363
                    /* already in error state */
6364
0
                    WOLFSSL_MSG("SCR client and server verify data Failure");
6365
0
                }
6366
0
            }
6367
0
        #endif
6368
0
        }
6369
0
        else {
6370
0
            ret = SECURE_RENEGOTIATION_E;
6371
0
        }
6372
0
    }
6373
0
    else {
6374
0
        ret = SECURE_RENEGOTIATION_E;
6375
0
    }
6376
6377
0
    if (ret != 0) {
6378
0
        WOLFSSL_ERROR_VERBOSE(ret);
6379
0
        SendAlert(ssl, alert_fatal, handshake_failure);
6380
0
    }
6381
6382
0
    return ret;
6383
0
}
6384
6385
int TLSX_UseSecureRenegotiation(TLSX** extensions, void* heap)
6386
0
{
6387
0
    int ret = 0;
6388
0
    SecureRenegotiation* data;
6389
6390
0
    data = (SecureRenegotiation*)XMALLOC(sizeof(SecureRenegotiation), heap,
6391
0
                                                             DYNAMIC_TYPE_TLSX);
6392
0
    if (data == NULL)
6393
0
        return MEMORY_E;
6394
6395
0
    XMEMSET(data, 0, sizeof(SecureRenegotiation));
6396
6397
0
    ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data, heap);
6398
0
    if (ret != 0) {
6399
0
        XFREE(data, heap, DYNAMIC_TYPE_TLSX);
6400
0
        return ret;
6401
0
    }
6402
6403
0
    return WOLFSSL_SUCCESS;
6404
0
}
6405
6406
#ifdef HAVE_SERVER_RENEGOTIATION_INFO
6407
6408
int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap)
6409
0
{
6410
0
    int ret;
6411
6412
    /* send empty renegotiation_info extension */
6413
0
    TLSX* ext = TLSX_Find(*extensions, TLSX_RENEGOTIATION_INFO);
6414
0
    if (ext == NULL) {
6415
0
        ret = TLSX_UseSecureRenegotiation(extensions, heap);
6416
0
        if (ret != WOLFSSL_SUCCESS)
6417
0
            return ret;
6418
6419
0
        ext = TLSX_Find(*extensions, TLSX_RENEGOTIATION_INFO);
6420
0
    }
6421
0
    if (ext)
6422
0
        ext->resp = 1;
6423
6424
0
    return WOLFSSL_SUCCESS;
6425
0
}
6426
6427
#endif /* HAVE_SERVER_RENEGOTIATION_INFO */
6428
6429
6430
0
#define SCR_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX)
6431
0
#define SCR_GET_SIZE       TLSX_SecureRenegotiation_GetSize
6432
0
#define SCR_WRITE          TLSX_SecureRenegotiation_Write
6433
0
#define SCR_PARSE          TLSX_SecureRenegotiation_Parse
6434
6435
#else
6436
6437
#define SCR_FREE_ALL(a, heap) WC_DO_NOTHING
6438
#define SCR_GET_SIZE(a, b)    0
6439
#define SCR_WRITE(a, b, c)    0
6440
#define SCR_PARSE(a, b, c, d) 0
6441
6442
#endif /* HAVE_SECURE_RENEGOTIATION || HAVE_SERVER_RENEGOTIATION_INFO */
6443
6444
/******************************************************************************/
6445
/* Session Tickets                                                            */
6446
/******************************************************************************/
6447
6448
#ifdef HAVE_SESSION_TICKET
6449
6450
static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest)
6451
{
6452
    (void)isRequest;
6453
    return ticket ? ticket->size : 0;
6454
}
6455
6456
static word16 TLSX_SessionTicket_Write(SessionTicket* ticket, byte* output,
6457
                                       int isRequest)
6458
{
6459
    word16 offset = 0; /* empty ticket */
6460
6461
    if (isRequest && ticket) {
6462
        XMEMCPY(output + offset, ticket->data, ticket->size);
6463
        offset += ticket->size;
6464
    }
6465
6466
    return offset;
6467
}
6468
6469
6470
static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, const byte* input,
6471
                                    word16 length, byte isRequest)
6472
{
6473
    int ret = 0;
6474
6475
    (void) input; /* avoid unused parameter if NO_WOLFSSL_SERVER defined */
6476
6477
    if (!isRequest) {
6478
        if (TLSX_CheckUnsupportedExtension(ssl, TLSX_SESSION_TICKET))
6479
            return TLSX_HandleUnsupportedExtension(ssl);
6480
6481
        if (length != 0)
6482
            return BUFFER_ERROR;
6483
6484
#ifndef NO_WOLFSSL_CLIENT
6485
        ssl->expect_session_ticket = 1;
6486
#endif
6487
    }
6488
#ifndef NO_WOLFSSL_SERVER
6489
    else {
6490
        /* server side */
6491
        if (ssl->ctx->ticketEncCb == NULL) {
6492
            WOLFSSL_MSG("Client sent session ticket, server has no callback");
6493
            return 0;
6494
        }
6495
6496
#ifdef HAVE_SECURE_RENEGOTIATION
6497
        if (IsSCR(ssl)) {
6498
            WOLFSSL_MSG("Client sent session ticket during SCR. Ignoring.");
6499
            return 0;
6500
        }
6501
#endif
6502
6503
        if (length > SESSION_TICKET_LEN) {
6504
            ret = BAD_TICKET_MSG_SZ;
6505
            WOLFSSL_ERROR_VERBOSE(ret);
6506
        } else if (IsAtLeastTLSv1_3(ssl->version)) {
6507
            WOLFSSL_MSG("Process client ticket rejected, TLS 1.3 no support");
6508
            ssl->options.rejectTicket = 1;
6509
            ret = 0;  /* not fatal */
6510
        } else if (ssl->options.noTicketTls12) {
6511
            /* ignore ticket request */
6512
        } else if (length == 0) {
6513
            /* blank ticket */
6514
            ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
6515
            if (ret == WOLFSSL_SUCCESS) {
6516
                ret = 0;
6517
                /* send blank ticket */
6518
                TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
6519
                ssl->options.createTicket = 1;  /* will send ticket msg */
6520
                ssl->options.useTicket    = 1;
6521
                ssl->options.resuming     = 0;  /* no standard resumption */
6522
                ssl->arrays->sessionIDSz  = 0;  /* no echo on blank ticket */
6523
            }
6524
        } else {
6525
            /* got actual ticket from client */
6526
            ret = DoClientTicket(ssl, input, length);
6527
            if (ret == WOLFSSL_TICKET_RET_OK) {    /* use ticket to resume */
6528
                WOLFSSL_MSG("Using existing client ticket");
6529
                ssl->options.useTicket    = 1;
6530
                ssl->options.resuming     = 1;
6531
                /* SERVER: ticket is peer auth. */
6532
                ssl->options.peerAuthGood = 1;
6533
            } else if (ret == WOLFSSL_TICKET_RET_CREATE) {
6534
                WOLFSSL_MSG("Using existing client ticket, creating new one");
6535
                ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap);
6536
                if (ret == WOLFSSL_SUCCESS) {
6537
                    ret = 0;
6538
                    TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
6539
                                                    /* send blank ticket */
6540
                    ssl->options.createTicket = 1;  /* will send ticket msg */
6541
                    ssl->options.useTicket    = 1;
6542
                    ssl->options.resuming     = 1;
6543
                    /* SERVER: ticket is peer auth. */
6544
                    ssl->options.peerAuthGood = 1;
6545
                }
6546
            } else if (ret == WOLFSSL_TICKET_RET_REJECT ||
6547
                    ret == WC_NO_ERR_TRACE(VERSION_ERROR)) {
6548
                WOLFSSL_MSG("Process client ticket rejected, not using");
6549
                if (ret == WC_NO_ERR_TRACE(VERSION_ERROR))
6550
                    WOLFSSL_MSG("\tbad TLS version");
6551
                ret = 0;  /* not fatal */
6552
6553
                ssl->options.rejectTicket = 1;
6554
                /* If we have session tickets enabled then send a new ticket */
6555
                if (!TLSX_CheckUnsupportedExtension(ssl, TLSX_SESSION_TICKET)) {
6556
                    ret = TLSX_UseSessionTicket(&ssl->extensions, NULL,
6557
                                                ssl->heap);
6558
                    if (ret == WOLFSSL_SUCCESS) {
6559
                        ret = 0;
6560
                        TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
6561
                        ssl->options.createTicket = 1;
6562
                        ssl->options.useTicket    = 1;
6563
                    }
6564
                }
6565
            } else if (ret == WOLFSSL_TICKET_RET_FATAL) {
6566
                WOLFSSL_MSG("Process client ticket fatal error, not using");
6567
            } else if (ret < 0) {
6568
                WOLFSSL_MSG("Process client ticket unknown error, not using");
6569
            }
6570
        }
6571
    }
6572
#endif /* NO_WOLFSSL_SERVER */
6573
6574
#if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER)
6575
    (void)ssl;
6576
#endif
6577
6578
    return ret;
6579
}
6580
6581
WOLFSSL_TEST_VIS SessionTicket* TLSX_SessionTicket_Create(word32 lifetime,
6582
                                            byte* data, word16 size, void* heap)
6583
{
6584
    SessionTicket* ticket = (SessionTicket*)XMALLOC(sizeof(SessionTicket),
6585
                                                       heap, DYNAMIC_TYPE_TLSX);
6586
    if (ticket) {
6587
        ticket->data = (byte*)XMALLOC(size, heap, DYNAMIC_TYPE_TLSX);
6588
        if (ticket->data == NULL) {
6589
            XFREE(ticket, heap, DYNAMIC_TYPE_TLSX);
6590
            return NULL;
6591
        }
6592
6593
        XMEMCPY(ticket->data, data, size);
6594
        ticket->size     = size;
6595
        ticket->lifetime = lifetime;
6596
    }
6597
6598
    (void)heap;
6599
6600
    return ticket;
6601
}
6602
WOLFSSL_TEST_VIS void TLSX_SessionTicket_Free(SessionTicket* ticket, void* heap)
6603
{
6604
    if (ticket) {
6605
        XFREE(ticket->data, heap, DYNAMIC_TYPE_TLSX);
6606
        XFREE(ticket,       heap, DYNAMIC_TYPE_TLSX);
6607
    }
6608
6609
    (void)heap;
6610
}
6611
6612
int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap)
6613
{
6614
    int ret = 0;
6615
6616
    if (extensions == NULL)
6617
        return BAD_FUNC_ARG;
6618
6619
    /* If the ticket is NULL, the client will request a new ticket from the
6620
       server. Otherwise, the client will use it in the next client hello. */
6621
    if ((ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket, heap))
6622
                                                                           != 0)
6623
        return ret;
6624
6625
    return WOLFSSL_SUCCESS;
6626
}
6627
6628
#define WOLF_STK_GET_SIZE         TLSX_SessionTicket_GetSize
6629
#define WOLF_STK_WRITE            TLSX_SessionTicket_Write
6630
#define WOLF_STK_PARSE            TLSX_SessionTicket_Parse
6631
#define WOLF_STK_FREE(stk, heap)  TLSX_SessionTicket_Free((SessionTicket*)(stk),(heap))
6632
6633
#else
6634
6635
0
#define WOLF_STK_FREE(a, b) WC_DO_NOTHING
6636
#define WOLF_STK_VALIDATE_REQUEST(a) WC_DO_NOTHING
6637
0
#define WOLF_STK_GET_SIZE(a, b)      0
6638
0
#define WOLF_STK_WRITE(a, b, c)      0
6639
0
#define WOLF_STK_PARSE(a, b, c, d)   0
6640
6641
#endif /* HAVE_SESSION_TICKET */
6642
6643
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
6644
/******************************************************************************/
6645
/* Encrypt-then-MAC                                                           */
6646
/******************************************************************************/
6647
6648
#ifndef WOLFSSL_NO_TLS12
6649
static int TLSX_EncryptThenMac_Use(WOLFSSL* ssl);
6650
6651
/**
6652
 * Get the size of the Encrypt-Then-MAC extension.
6653
 *
6654
 * msgType  Type of message to put extension into.
6655
 * pSz      Size of extension data.
6656
 * return SANITY_MSG_E when the message is not allowed to have extension and
6657
 *        0 otherwise.
6658
 */
6659
static int TLSX_EncryptThenMac_GetSize(byte msgType, word16* pSz)
6660
0
{
6661
0
    (void)pSz;
6662
6663
0
    if (msgType != client_hello && msgType != server_hello) {
6664
0
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
6665
0
        return SANITY_MSG_E;
6666
0
    }
6667
6668
    /* Empty extension */
6669
6670
0
    return 0;
6671
0
}
6672
6673
/**
6674
 * Write the Encrypt-Then-MAC extension.
6675
 *
6676
 * data     Unused
6677
 * output   Extension data buffer. Unused.
6678
 * msgType  Type of message to put extension into.
6679
 * pSz      Size of extension data.
6680
 * return SANITY_MSG_E when the message is not allowed to have extension and
6681
 *        0 otherwise.
6682
 */
6683
static int TLSX_EncryptThenMac_Write(void* data, byte* output, byte msgType,
6684
                                     word16* pSz)
6685
0
{
6686
0
    (void)data;
6687
0
    (void)output;
6688
0
    (void)pSz;
6689
6690
0
    if (msgType != client_hello && msgType != server_hello) {
6691
0
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
6692
0
        return SANITY_MSG_E;
6693
0
    }
6694
6695
    /* Empty extension */
6696
6697
0
    return 0;
6698
0
}
6699
6700
/**
6701
 * Parse the Encrypt-Then-MAC extension.
6702
 *
6703
 * ssl      SSL object
6704
 * input    Extension data buffer.
6705
 * length   Length of this extension's data.
6706
 * msgType  Type of message to extension appeared in.
6707
 * return SANITY_MSG_E when the message is not allowed to have extension,
6708
 *        BUFFER_ERROR when the extension's data is invalid,
6709
 *        MEMORY_E when unable to allocate memory and
6710
 *        0 otherwise.
6711
 */
6712
static int TLSX_EncryptThenMac_Parse(WOLFSSL* ssl, const byte* input,
6713
                                     word16 length, byte msgType)
6714
0
{
6715
0
    int ret;
6716
6717
0
    (void)input;
6718
6719
0
    if (msgType != client_hello && msgType != server_hello) {
6720
0
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
6721
0
        return SANITY_MSG_E;
6722
0
    }
6723
6724
    /* Empty extension */
6725
0
    if (length != 0)
6726
0
        return BUFFER_ERROR;
6727
6728
0
    if (msgType == client_hello) {
6729
        /* Check the user hasn't disallowed use of Encrypt-Then-Mac. */
6730
0
        if (!ssl->options.disallowEncThenMac) {
6731
0
            ssl->options.encThenMac = 1;
6732
            /* Set the extension reply. */
6733
0
            ret = TLSX_EncryptThenMac_Use(ssl);
6734
0
            if (ret != 0)
6735
0
                return ret;
6736
0
        }
6737
0
        return 0;
6738
0
    }
6739
6740
    /* Server Hello */
6741
0
    if (ssl->options.disallowEncThenMac) {
6742
0
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
6743
0
        return SANITY_MSG_E;
6744
0
    }
6745
6746
0
    ssl->options.encThenMac = 1;
6747
0
    return 0;
6748
6749
0
}
6750
6751
/**
6752
 * Add the Encrypt-Then-MAC extension to list.
6753
 *
6754
 * ssl      SSL object
6755
 * return MEMORY_E when unable to allocate memory and 0 otherwise.
6756
 */
6757
static int TLSX_EncryptThenMac_Use(WOLFSSL* ssl)
6758
0
{
6759
0
    int   ret = 0;
6760
0
    TLSX* extension;
6761
6762
    /* Find the Encrypt-Then-Mac extension if it exists. */
6763
0
    extension = TLSX_Find(ssl->extensions, TLSX_ENCRYPT_THEN_MAC);
6764
0
    if (extension == NULL) {
6765
        /* Push new Encrypt-Then-Mac extension. */
6766
0
        ret = TLSX_Push(&ssl->extensions, TLSX_ENCRYPT_THEN_MAC, NULL,
6767
0
            ssl->heap);
6768
0
        if (ret != 0)
6769
0
            return ret;
6770
0
    }
6771
6772
0
    return 0;
6773
0
}
6774
6775
/**
6776
 * Set the Encrypt-Then-MAC extension as one to respond too.
6777
 *
6778
 * ssl      SSL object
6779
 * return EXT_MISSING when EncryptThenMac extension not in list.
6780
 */
6781
int TLSX_EncryptThenMac_Respond(WOLFSSL* ssl)
6782
0
{
6783
0
    TLSX* extension;
6784
6785
0
    extension = TLSX_Find(ssl->extensions, TLSX_ENCRYPT_THEN_MAC);
6786
0
    if (extension == NULL)
6787
0
        return EXT_MISSING;
6788
0
    extension->resp = 1;
6789
6790
0
    return 0;
6791
0
}
6792
6793
0
#define ETM_GET_SIZE  TLSX_EncryptThenMac_GetSize
6794
0
#define ETM_WRITE     TLSX_EncryptThenMac_Write
6795
0
#define ETM_PARSE     TLSX_EncryptThenMac_Parse
6796
6797
#else
6798
6799
#define ETM_GET_SIZE(a, b)    0
6800
#define ETM_WRITE(a, b, c, d) 0
6801
#define ETM_PARSE(a, b, c, d) 0
6802
6803
#endif /* !WOLFSSL_NO_TLS12 */
6804
6805
#endif /* HAVE_ENCRYPT_THEN_MAC && !WOLFSSL_AEAD_ONLY */
6806
6807
6808
#ifdef WOLFSSL_SRTP
6809
6810
/******************************************************************************/
6811
/* DTLS SRTP (Secure Real-time Transport Protocol)                            */
6812
/******************************************************************************/
6813
6814
/* Only support single SRTP profile */
6815
typedef struct TlsxSrtp {
6816
    word16 profileCount;
6817
    word16 ids; /* selected bits */
6818
} TlsxSrtp;
6819
6820
#ifndef NO_WOLFSSL_SERVER
6821
static int TLSX_UseSRTP_GetSize(TlsxSrtp *srtp)
6822
{
6823
    /*   SRTP Profile Len (2)
6824
     *      SRTP Profiles (2)
6825
     *   MKI (master key id) Length */
6826
    return (OPAQUE16_LEN + (srtp->profileCount * OPAQUE16_LEN) + 1);
6827
}
6828
#endif
6829
6830
static TlsxSrtp* TLSX_UseSRTP_New(word16 ids, void* heap)
6831
{
6832
    TlsxSrtp* srtp;
6833
    int i;
6834
6835
    srtp = (TlsxSrtp*)XMALLOC(sizeof(TlsxSrtp), heap, DYNAMIC_TYPE_TLSX);
6836
    if (srtp == NULL) {
6837
        WOLFSSL_MSG("TLSX SRTP Memory failure");
6838
        return NULL;
6839
    }
6840
6841
    /* count and test each bit set */
6842
    srtp->profileCount = 0;
6843
    for (i=0; i<16; i++) {
6844
        if (ids & (1 << i)) {
6845
            srtp->profileCount++;
6846
        }
6847
    }
6848
    srtp->ids = ids;
6849
6850
    return srtp;
6851
}
6852
6853
static void TLSX_UseSRTP_Free(TlsxSrtp *srtp, void* heap)
6854
{
6855
    XFREE(srtp, heap, DYNAMIC_TYPE_TLSX);
6856
    (void)heap;
6857
}
6858
6859
#ifndef NO_WOLFSSL_SERVER
6860
static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length,
6861
    byte isRequest)
6862
{
6863
    int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG);
6864
    word16 profile_len = 0;
6865
    word16 profile_value = 0;
6866
    word16 offset = 0;
6867
    int i;
6868
    TlsxSrtp* srtp = NULL;
6869
6870
    if (length < OPAQUE16_LEN) {
6871
        return BUFFER_ERROR;
6872
    }
6873
6874
    /* reset selected DTLS SRTP profile ID */
6875
    ssl->dtlsSrtpId = 0;
6876
6877
    /* total length, not include itself */
6878
    ato16(input, &profile_len);
6879
    offset += OPAQUE16_LEN;
6880
    /* Check profile length is not bigger than remaining length. */
6881
    if (profile_len > length - offset) {
6882
        return BUFFER_ERROR;
6883
    }
6884
    /* Protection profiles are 2 bytes long - ensure not an odd no. bytes. */
6885
    if ((profile_len & 1) == 1) {
6886
        return BUFFER_ERROR;
6887
    }
6888
    /* Ignoring srtp_mki field - SRTP Make Key Identifier.
6889
     * Defined to be 0..255 bytes long.
6890
     */
6891
    if ((length - profile_len - offset) > 255) {
6892
        return BUFFER_ERROR;
6893
    }
6894
6895
    if (!isRequest) {
6896
#ifndef NO_WOLFSSL_CLIENT
6897
        /* Only one SRTP Protection Profile can be chosen. */
6898
        if (profile_len != OPAQUE16_LEN) {
6899
            return BUFFER_ERROR;
6900
        }
6901
6902
        ato16(input + offset, &profile_value);
6903
6904
        /* check that the profile received was in the ones we support */
6905
        if (profile_value < 16 &&
6906
                               (ssl->dtlsSrtpProfiles & (1 << profile_value))) {
6907
            ssl->dtlsSrtpId = profile_value;
6908
            ret = 0; /* success */
6909
        }
6910
#endif
6911
    }
6912
    else {
6913
        /* parse remainder one profile at a time, looking for match in CTX */
6914
        ret = 0;
6915
        for (i = 0; i < profile_len; i += OPAQUE16_LEN) {
6916
            ato16(input + offset + i, &profile_value);
6917
            /* find first match */
6918
            if (profile_value < 16 &&
6919
                                 ssl->dtlsSrtpProfiles & (1 << profile_value)) {
6920
                ssl->dtlsSrtpId = profile_value;
6921
6922
                /* make sure we respond with selected SRTP id selected */
6923
                srtp = TLSX_UseSRTP_New((1 << profile_value), ssl->heap);
6924
                if (srtp != NULL) {
6925
                    ret = TLSX_Push(&ssl->extensions, TLSX_USE_SRTP,
6926
                        (void*)srtp, ssl->heap);
6927
                    if (ret == 0) {
6928
                        TLSX_SetResponse(ssl, TLSX_USE_SRTP);
6929
                        /* successfully set extension */
6930
                    }
6931
                }
6932
                else {
6933
                    ret = MEMORY_E;
6934
                }
6935
                break;
6936
            }
6937
        }
6938
    }
6939
6940
    if (ret == 0 && ssl->dtlsSrtpId == 0) {
6941
        WOLFSSL_MSG("TLSX_UseSRTP_Parse profile not found!");
6942
        /* not fatal */
6943
    }
6944
    else if (ret != 0) {
6945
        ssl->dtlsSrtpId = 0;
6946
        TLSX_UseSRTP_Free(srtp, ssl->heap);
6947
    }
6948
6949
    return ret;
6950
}
6951
6952
static word16 TLSX_UseSRTP_Write(TlsxSrtp* srtp, byte* output)
6953
{
6954
    word16 offset = 0;
6955
    int i, j;
6956
6957
    c16toa(srtp->profileCount * 2, output + offset);
6958
    offset += OPAQUE16_LEN;
6959
    j = 0;
6960
    for (i = 0; i < srtp->profileCount; i++) {
6961
        for (; j < 16; j++) {
6962
            if (srtp->ids & (1 << j)) {
6963
                c16toa(j, output + offset);
6964
                offset += OPAQUE16_LEN;
6965
            }
6966
        }
6967
    }
6968
    output[offset++] = 0x00; /* MKI Length */
6969
6970
    return offset;
6971
}
6972
#endif
6973
6974
static int TLSX_UseSRTP(TLSX** extensions, word16 profiles, void* heap)
6975
{
6976
    int ret = 0;
6977
    TLSX* extension;
6978
6979
    if (extensions == NULL) {
6980
        return BAD_FUNC_ARG;
6981
    }
6982
6983
    extension = TLSX_Find(*extensions, TLSX_USE_SRTP);
6984
    if (extension == NULL) {
6985
        TlsxSrtp* srtp = TLSX_UseSRTP_New(profiles, heap);
6986
        if (srtp == NULL) {
6987
            return MEMORY_E;
6988
        }
6989
6990
        ret = TLSX_Push(extensions, TLSX_USE_SRTP, (void*)srtp, heap);
6991
        if (ret != 0) {
6992
            TLSX_UseSRTP_Free(srtp, heap);
6993
        }
6994
    }
6995
6996
    return ret;
6997
}
6998
6999
#ifndef NO_WOLFSSL_SERVER
7000
    #define SRTP_FREE     TLSX_UseSRTP_Free
7001
    #define SRTP_PARSE    TLSX_UseSRTP_Parse
7002
    #define SRTP_WRITE    TLSX_UseSRTP_Write
7003
    #define SRTP_GET_SIZE TLSX_UseSRTP_GetSize
7004
#else
7005
    #define SRTP_FREE(a, b) WC_DO_NOTHING
7006
    #define SRTP_PARSE(a, b, c, d)      0
7007
    #define SRTP_WRITE(a, b)            0
7008
    #define SRTP_GET_SIZE(a)            0
7009
#endif
7010
7011
#endif /* WOLFSSL_SRTP */
7012
7013
7014
/******************************************************************************/
7015
/* Supported Versions                                                         */
7016
/******************************************************************************/
7017
7018
#ifdef WOLFSSL_TLS13
7019
static WC_INLINE int versionIsGreater(byte isDtls, byte a, byte b)
7020
0
{
7021
0
    (void)isDtls;
7022
7023
#ifdef WOLFSSL_DTLS
7024
    /* DTLS version increases backwards (-1,-2,-3,etc) */
7025
    if (isDtls)
7026
        return a < b;
7027
#endif /* WOLFSSL_DTLS */
7028
7029
0
    return a > b;
7030
0
}
7031
7032
static WC_INLINE int versionIsLesser(byte isDtls, byte a, byte b)
7033
0
{
7034
0
    (void)isDtls;
7035
7036
#ifdef WOLFSSL_DTLS
7037
    /* DTLS version increases backwards (-1,-2,-3,etc) */
7038
    if (isDtls)
7039
        return a > b;
7040
#endif /* WOLFSSL_DTLS */
7041
7042
0
    return a < b;
7043
0
}
7044
7045
static WC_INLINE int versionIsAtLeast(byte isDtls, byte a, byte b)
7046
0
{
7047
0
    (void)isDtls;
7048
7049
#ifdef WOLFSSL_DTLS
7050
    /* DTLS version increases backwards (-1,-2,-3,etc) */
7051
    if (isDtls)
7052
        return a <= b;
7053
#endif /* WOLFSSL_DTLS */
7054
7055
0
    return a >= b;
7056
0
}
7057
7058
static WC_INLINE int versionIsLessEqual(byte isDtls, byte a, byte b)
7059
0
{
7060
0
    (void)isDtls;
7061
7062
#ifdef WOLFSSL_DTLS
7063
    /* DTLS version increases backwards (-1,-2,-3,etc) */
7064
    if (isDtls)
7065
        return a >= b;
7066
#endif /* WOLFSSL_DTLS */
7067
7068
0
    return a <= b;
7069
0
}
7070
7071
/* Return the size of the SupportedVersions extension's data.
7072
 *
7073
 * data       The SSL/TLS object.
7074
 * msgType The type of the message this extension is being written into.
7075
 * returns the length of data that will be in the extension.
7076
 */
7077
static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz)
7078
0
{
7079
0
    WOLFSSL* ssl = (WOLFSSL*)data;
7080
0
    byte tls13Minor, tls12Minor, tls11Minor, isDtls;
7081
7082
0
    isDtls = !!ssl->options.dtls;
7083
0
    tls13Minor = (byte)(isDtls ? DTLSv1_3_MINOR : TLSv1_3_MINOR);
7084
0
    tls12Minor = (byte)(isDtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR);
7085
0
    tls11Minor = (byte)(isDtls ? DTLS_MINOR : TLSv1_1_MINOR);
7086
7087
    /* unused on some configuration */
7088
0
    (void)tls12Minor;
7089
0
    (void)tls13Minor;
7090
0
    (void)tls11Minor;
7091
7092
0
    if (msgType == client_hello) {
7093
        /* TLS v1.2 and TLS v1.3  */
7094
0
        int cnt = 0;
7095
7096
0
        if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls13Minor)
7097
        #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
7098
            defined(WOLFSSL_WPAS_SMALL)
7099
            && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == 0
7100
        #endif
7101
0
        ) {
7102
0
            cnt++;
7103
0
        }
7104
7105
0
        if (ssl->options.downgrade) {
7106
0
    #ifndef WOLFSSL_NO_TLS12
7107
0
            if (versionIsLessEqual(
7108
0
                    isDtls, ssl->options.minDowngrade, tls12Minor)
7109
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) ||                       \
7110
    defined(WOLFSSL_WPAS_SMALL)
7111
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == 0
7112
#endif
7113
0
            ) {
7114
0
                cnt++;
7115
0
            }
7116
0
#endif
7117
    #ifndef NO_OLD_TLS
7118
            if (versionIsLessEqual(
7119
                    isDtls, ssl->options.minDowngrade, tls11Minor)
7120
            #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
7121
                defined(WOLFSSL_WPAS_SMALL)
7122
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == 0
7123
            #endif
7124
            ) {
7125
                cnt++;
7126
            }
7127
        #ifdef WOLFSSL_ALLOW_TLSV10
7128
            if (!ssl->options.dtls && (ssl->options.minDowngrade <= TLSv1_MINOR)
7129
            #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
7130
                defined(WOLFSSL_WPAS_SMALL)
7131
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == 0
7132
            #endif
7133
            ) {
7134
                cnt++;
7135
            }
7136
        #endif
7137
    #endif
7138
0
        }
7139
7140
0
        *pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN);
7141
0
    }
7142
0
    else if (msgType == server_hello || msgType == hello_retry_request) {
7143
0
        *pSz += OPAQUE16_LEN;
7144
0
    }
7145
0
    else {
7146
0
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
7147
0
        return SANITY_MSG_E;
7148
0
    }
7149
7150
0
    return 0;
7151
0
}
7152
7153
/* Writes the SupportedVersions extension into the buffer.
7154
 *
7155
 * data    The SSL/TLS object.
7156
 * output  The buffer to write the extension into.
7157
 * msgType The type of the message this extension is being written into.
7158
 * returns the length of data that was written.
7159
 */
7160
static int TLSX_SupportedVersions_Write(void* data, byte* output,
7161
                                        byte msgType, word16* pSz)
7162
0
{
7163
0
    WOLFSSL* ssl = (WOLFSSL*)data;
7164
0
    byte tls13minor, tls12minor, tls11minor, isDtls = 0;
7165
7166
0
    tls13minor = (byte)TLSv1_3_MINOR;
7167
0
    tls12minor = (byte)TLSv1_2_MINOR;
7168
0
    tls11minor = (byte)TLSv1_1_MINOR;
7169
7170
    /* unused in some configuration */
7171
0
    (void)tls11minor;
7172
0
    (void)tls12minor;
7173
7174
#ifdef WOLFSSL_DTLS13
7175
    if (ssl->options.dtls) {
7176
        tls13minor = (byte)DTLSv1_3_MINOR;
7177
    #ifndef WOLFSSL_NO_TLS12
7178
        tls12minor = (byte)DTLSv1_2_MINOR;
7179
    #endif
7180
    #ifndef NO_OLD_TLS
7181
        tls11minor = (byte)DTLS_MINOR;
7182
    #endif
7183
        isDtls = 1;
7184
    }
7185
#endif /* WOLFSSL_DTLS13 */
7186
7187
0
    if (msgType == client_hello) {
7188
0
        byte major = ssl->ctx->method->version.major;
7189
7190
0
        byte* cnt = output++;
7191
0
        *cnt = 0;
7192
7193
0
        if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls13minor)
7194
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) ||                       \
7195
    defined(WOLFSSL_WPAS_SMALL)
7196
            && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == 0
7197
#endif
7198
0
        ) {
7199
0
            *cnt += OPAQUE16_LEN;
7200
        #ifdef WOLFSSL_TLS13_DRAFT
7201
            /* The TLS draft major number. */
7202
            *(output++) = TLS_DRAFT_MAJOR;
7203
            /* Version of draft supported. */
7204
            *(output++) = TLS_DRAFT_MINOR;
7205
        #else
7206
0
            *(output++) = major;
7207
0
            *(output++) = tls13minor;
7208
0
        #endif
7209
0
        }
7210
7211
0
        if (ssl->options.downgrade) {
7212
0
        #ifndef WOLFSSL_NO_TLS12
7213
0
            if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls12minor)
7214
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
7215
                defined(WOLFSSL_WPAS_SMALL)
7216
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == 0
7217
            #endif
7218
0
            ) {
7219
0
                *cnt += OPAQUE16_LEN;
7220
0
                *(output++) = major;
7221
0
                *(output++) = tls12minor;
7222
0
            }
7223
0
        #endif
7224
7225
    #ifndef NO_OLD_TLS
7226
            if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls11minor)
7227
            #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
7228
                defined(WOLFSSL_WPAS_SMALL)
7229
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == 0
7230
            #endif
7231
            ) {
7232
                *cnt += OPAQUE16_LEN;
7233
                *(output++) = major;
7234
                *(output++) = tls11minor;
7235
            }
7236
        #ifdef WOLFSSL_ALLOW_TLSV10
7237
            if (!ssl->options.dtls && (ssl->options.minDowngrade <= TLSv1_MINOR)
7238
            #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
7239
                defined(WOLFSSL_WPAS_SMALL)
7240
                && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == 0
7241
            #endif
7242
            ) {
7243
                *cnt += OPAQUE16_LEN;
7244
                *(output++) = major;
7245
                *(output++) = (byte)TLSv1_MINOR;
7246
            }
7247
        #endif
7248
    #endif
7249
0
        }
7250
7251
0
        *pSz += (word16)(OPAQUE8_LEN + *cnt);
7252
0
    }
7253
0
    else if (msgType == server_hello || msgType == hello_retry_request) {
7254
0
        output[0] = ssl->version.major;
7255
0
        output[1] = ssl->version.minor;
7256
7257
0
        *pSz += OPAQUE16_LEN;
7258
0
    }
7259
0
    else {
7260
0
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
7261
0
        return SANITY_MSG_E;
7262
0
    }
7263
7264
0
    return 0;
7265
0
}
7266
7267
/* Parse the SupportedVersions extension.
7268
 *
7269
 * ssl     The SSL/TLS object.
7270
 * input   The buffer with the extension data.
7271
 * length  The length of the extension data.
7272
 * msgType The type of the message this extension is being parsed from.
7273
 * pv      The output ProtocolVersion for the negotiated version
7274
 * opts    The output options structure. Can be NULL.
7275
 * exts    The output extensions list. Can be NULL.
7276
 * returns 0 on success, otherwise failure.
7277
 */
7278
int TLSX_SupportedVersions_Parse(const WOLFSSL* ssl, const byte* input,
7279
        word16 length, byte msgType, ProtocolVersion* pv, Options* opts,
7280
        TLSX** exts)
7281
0
{
7282
    /* The client's greatest minor version that we support */
7283
0
    byte clientGreatestMinor = SSLv3_MINOR;
7284
0
    int ret;
7285
0
    byte major, minor;
7286
0
    byte tls13minor, tls12minor;
7287
0
    byte isDtls;
7288
7289
0
    tls13minor = TLSv1_3_MINOR;
7290
0
    tls12minor = TLSv1_2_MINOR;
7291
0
    isDtls = ssl->options.dtls == 1;
7292
7293
#ifdef WOLFSSL_DTLS13
7294
    if (ssl->options.dtls) {
7295
        tls13minor = DTLSv1_3_MINOR;
7296
        tls12minor = DTLSv1_2_MINOR;
7297
        clientGreatestMinor = DTLS_MINOR;
7298
    }
7299
#endif /* WOLFSSL_DTLS13 */
7300
7301
0
    if (msgType == client_hello) {
7302
0
        int i;
7303
0
        int len;
7304
0
        int set = 0;
7305
7306
        /* Must contain a length and at least one version. */
7307
0
        if (length < OPAQUE8_LEN + OPAQUE16_LEN || (length & 1) != 1
7308
0
            || length > MAX_SV_EXT_LEN) {
7309
0
            return BUFFER_ERROR;
7310
0
        }
7311
7312
0
        len = *input;
7313
7314
        /* Protocol version array must fill rest of data. */
7315
0
        if (length != (word16)OPAQUE8_LEN + len)
7316
0
            return BUFFER_ERROR;
7317
7318
0
        input++;
7319
7320
        /* Find first match. */
7321
0
        for (i = 0; i < len; i += OPAQUE16_LEN) {
7322
0
            major = input[i];
7323
0
            minor = input[i + OPAQUE8_LEN];
7324
7325
#ifdef WOLFSSL_TLS13_DRAFT
7326
            if (major == TLS_DRAFT_MAJOR && minor == TLS_DRAFT_MINOR) {
7327
                major = SSLv3_MAJOR;
7328
                minor = TLSv1_3_MINOR;
7329
            }
7330
#else
7331
0
            if (major == TLS_DRAFT_MAJOR)
7332
0
                continue;
7333
0
#endif
7334
7335
0
            if (major != ssl->ctx->method->version.major)
7336
0
                continue;
7337
7338
            /* No upgrade allowed. */
7339
0
            if (versionIsGreater(isDtls, minor, ssl->version.minor))
7340
0
                continue;
7341
7342
            /* Check downgrade. */
7343
0
            if (versionIsLesser(isDtls, minor, ssl->version.minor)) {
7344
0
                if (!ssl->options.downgrade)
7345
0
                    continue;
7346
7347
0
                if (versionIsLesser(isDtls, minor, ssl->options.minDowngrade))
7348
0
                    continue;
7349
0
            }
7350
0
            if (versionIsGreater(isDtls, minor, clientGreatestMinor))
7351
0
                clientGreatestMinor = minor;
7352
7353
0
            set = 1;
7354
0
        }
7355
0
        if (!set) {
7356
            /* No common supported version was negotiated */
7357
0
            SendAlert((WOLFSSL*)ssl, alert_fatal,
7358
0
                      wolfssl_alert_protocol_version);
7359
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
7360
0
            return VERSION_ERROR;
7361
0
        }
7362
0
        pv->minor = clientGreatestMinor;
7363
0
        if (versionIsAtLeast(isDtls, clientGreatestMinor, tls13minor)) {
7364
0
            if (opts != NULL)
7365
0
                opts->tls1_3 = 1;
7366
7367
            /* TLS v1.3 requires supported version extension */
7368
0
            if (exts != NULL &&
7369
0
                    TLSX_Find(*exts, TLSX_SUPPORTED_VERSIONS) == NULL) {
7370
0
                ret = TLSX_Push(exts,
7371
0
                          TLSX_SUPPORTED_VERSIONS, ssl, ssl->heap);
7372
0
                if (ret != 0) {
7373
0
                    return ret;
7374
0
                }
7375
                /* *exts should be pointing to the TLSX_SUPPORTED_VERSIONS
7376
                 * ext in the list since it was pushed. */
7377
0
                (*exts)->resp = 1;
7378
0
            }
7379
0
        }
7380
7381
0
    }
7382
0
    else if (msgType == server_hello || msgType == hello_retry_request) {
7383
        /* Must contain one version. */
7384
0
        if (length != OPAQUE16_LEN)
7385
0
            return BUFFER_ERROR;
7386
7387
0
        major = input[0];
7388
0
        minor = input[OPAQUE8_LEN];
7389
7390
0
        if (major != ssl->ctx->method->version.major) {
7391
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
7392
0
            return VERSION_ERROR;
7393
0
        }
7394
7395
        /* Can't downgrade with this extension below TLS v1.3. */
7396
0
        if (versionIsLesser(isDtls, minor, tls13minor)) {
7397
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
7398
0
            return VERSION_ERROR;
7399
0
        }
7400
7401
        /* Version is TLS v1.2 to handle downgrading from TLS v1.3+. */
7402
0
        if (ssl->options.downgrade && ssl->version.minor == tls12minor) {
7403
            /* Set minor version back to TLS v1.3+ */
7404
0
            pv->minor = ssl->ctx->method->version.minor;
7405
0
        }
7406
7407
        /* No upgrade allowed. */
7408
0
        if (versionIsLesser(isDtls, ssl->version.minor, minor)) {
7409
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
7410
0
            return VERSION_ERROR;
7411
0
        }
7412
7413
        /* Check downgrade. */
7414
0
        if (versionIsGreater(isDtls, ssl->version.minor, minor)) {
7415
0
            if (!ssl->options.downgrade) {
7416
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
7417
0
                return VERSION_ERROR;
7418
0
            }
7419
7420
0
            if (versionIsLesser(
7421
0
                    isDtls, minor, ssl->options.minDowngrade)) {
7422
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
7423
0
                return VERSION_ERROR;
7424
0
            }
7425
7426
            /* Downgrade the version. */
7427
0
            pv->minor = minor;
7428
0
        }
7429
0
    }
7430
0
    else {
7431
0
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
7432
0
        return SANITY_MSG_E;
7433
0
    }
7434
7435
0
    return 0;
7436
0
}
7437
7438
/* Sets a new SupportedVersions extension into the extension list.
7439
 *
7440
 * extensions  The list of extensions.
7441
 * data        The extensions specific data.
7442
 * heap        The heap used for allocation.
7443
 * returns 0 on success, otherwise failure.
7444
 */
7445
static int TLSX_SetSupportedVersions(TLSX** extensions, const void* data,
7446
                                     void* heap)
7447
0
{
7448
0
    if (extensions == NULL || data == NULL)
7449
0
        return BAD_FUNC_ARG;
7450
7451
0
    return TLSX_Push(extensions, TLSX_SUPPORTED_VERSIONS, data, heap);
7452
0
}
7453
7454
0
#define SV_GET_SIZE  TLSX_SupportedVersions_GetSize
7455
0
#define SV_WRITE     TLSX_SupportedVersions_Write
7456
0
#define SV_PARSE     TLSX_SupportedVersions_Parse
7457
7458
#else
7459
7460
#define SV_GET_SIZE(a, b, c) 0
7461
#define SV_WRITE(a, b, c, d) 0
7462
#define SV_PARSE(a, b, c, d, e, f, g) 0
7463
7464
#endif /* WOLFSSL_TLS13 */
7465
7466
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
7467
7468
/******************************************************************************/
7469
/* Cookie                                                                     */
7470
/******************************************************************************/
7471
7472
/* Free the cookie data.
7473
 *
7474
 * cookie  Cookie data.
7475
 * heap    The heap used for allocation.
7476
 */
7477
static void TLSX_Cookie_FreeAll(Cookie* cookie, void* heap)
7478
{
7479
    (void)heap;
7480
7481
    XFREE(cookie, heap, DYNAMIC_TYPE_TLSX);
7482
}
7483
7484
/* Get the size of the encoded Cookie extension.
7485
 * In messages: ClientHello and HelloRetryRequest.
7486
 *
7487
 * cookie   The cookie to write.
7488
 * msgType  The type of the message this extension is being written into.
7489
 * returns the number of bytes of the encoded Cookie extension.
7490
 */
7491
static int TLSX_Cookie_GetSize(Cookie* cookie, byte msgType, word16* pSz)
7492
{
7493
    if (msgType == client_hello || msgType == hello_retry_request) {
7494
        *pSz += OPAQUE16_LEN + cookie->len;
7495
    }
7496
    else {
7497
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
7498
        return SANITY_MSG_E;
7499
    }
7500
    return 0;
7501
}
7502
7503
/* Writes the Cookie extension into the output buffer.
7504
 * Assumes that the the output buffer is big enough to hold data.
7505
 * In messages: ClientHello and HelloRetryRequest.
7506
 *
7507
 * cookie   The cookie to write.
7508
 * output   The buffer to write into.
7509
 * msgType  The type of the message this extension is being written into.
7510
 * returns the number of bytes written into the buffer.
7511
 */
7512
static int TLSX_Cookie_Write(Cookie* cookie, byte* output, byte msgType,
7513
                             word16* pSz)
7514
{
7515
    if (msgType == client_hello || msgType == hello_retry_request) {
7516
        c16toa(cookie->len, output);
7517
        output += OPAQUE16_LEN;
7518
        XMEMCPY(output, cookie->data, cookie->len);
7519
        *pSz += OPAQUE16_LEN + cookie->len;
7520
    }
7521
    else {
7522
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
7523
        return SANITY_MSG_E;
7524
    }
7525
    return 0;
7526
}
7527
7528
/* Parse the Cookie extension.
7529
 * In messages: ClientHello and HelloRetryRequest.
7530
 *
7531
 * ssl      The SSL/TLS object.
7532
 * input    The extension data.
7533
 * length   The length of the extension data.
7534
 * msgType  The type of the message this extension is being parsed from.
7535
 * returns 0 on success and other values indicate failure.
7536
 */
7537
static int TLSX_Cookie_Parse(WOLFSSL* ssl, const byte* input, word16 length,
7538
                             byte msgType)
7539
{
7540
    word16  len;
7541
    word16  idx = 0;
7542
    TLSX*   extension;
7543
    Cookie* cookie;
7544
7545
    if (msgType != client_hello && msgType != hello_retry_request) {
7546
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
7547
        return SANITY_MSG_E;
7548
    }
7549
7550
    /* Message contains length and Cookie which must be at least one byte
7551
     * in length.
7552
     */
7553
    if (length < OPAQUE16_LEN + 1)
7554
        return BUFFER_E;
7555
    ato16(input + idx, &len);
7556
    idx += OPAQUE16_LEN;
7557
    if (length - idx != len)
7558
        return BUFFER_E;
7559
7560
    if (msgType == hello_retry_request) {
7561
        ssl->options.hrrSentCookie = 1;
7562
        return TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 1,
7563
                               &ssl->extensions);
7564
    }
7565
7566
    /* client_hello */
7567
    extension = TLSX_Find(ssl->extensions, TLSX_COOKIE);
7568
    if (extension == NULL) {
7569
#ifdef WOLFSSL_DTLS13
7570
        if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version))
7571
            /* Allow a cookie extension with DTLS 1.3 because it is possible
7572
             * that a different SSL instance sent the cookie but we are now
7573
             * receiving it. */
7574
            return TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 0,
7575
                                   &ssl->extensions);
7576
        else
7577
#endif
7578
        {
7579
            WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR);
7580
            return HRR_COOKIE_ERROR;
7581
        }
7582
    }
7583
7584
    cookie = (Cookie*)extension->data;
7585
    if (cookie->len != len || XMEMCMP(cookie->data, input + idx, len) != 0) {
7586
        WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR);
7587
        return HRR_COOKIE_ERROR;
7588
    }
7589
7590
    /* Request seen. */
7591
    extension->resp = 0;
7592
7593
    return 0;
7594
}
7595
7596
/* Use the data to create a new Cookie object in the extensions.
7597
 *
7598
 * ssl    SSL/TLS object.
7599
 * data   Cookie data.
7600
 * len    Length of cookie data in bytes.
7601
 * mac    MAC data.
7602
 * macSz  Length of MAC data in bytes.
7603
 * resp   Indicates the extension will go into a response (HelloRetryRequest).
7604
 * returns 0 on success and other values indicate failure.
7605
 */
7606
int TLSX_Cookie_Use(const WOLFSSL* ssl, const byte* data, word16 len, byte* mac,
7607
                    byte macSz, int resp, TLSX** exts)
7608
{
7609
    int     ret = 0;
7610
    TLSX*   extension;
7611
    Cookie* cookie;
7612
7613
    /* Find the cookie extension if it exists. */
7614
    extension = TLSX_Find(*exts, TLSX_COOKIE);
7615
    if (extension == NULL) {
7616
        /* Push new cookie extension. */
7617
        ret = TLSX_Push(exts, TLSX_COOKIE, NULL, ssl->heap);
7618
        if (ret != 0)
7619
            return ret;
7620
7621
        extension = TLSX_Find(*exts, TLSX_COOKIE);
7622
        if (extension == NULL)
7623
            return MEMORY_E;
7624
    }
7625
7626
    cookie = (Cookie*)XMALLOC(sizeof(Cookie) + len + macSz, ssl->heap,
7627
                              DYNAMIC_TYPE_TLSX);
7628
    if (cookie == NULL)
7629
        return MEMORY_E;
7630
7631
    cookie->len = len + macSz;
7632
    XMEMCPY(cookie->data, data, len);
7633
    if (mac != NULL)
7634
        XMEMCPY(cookie->data + len, mac, macSz);
7635
7636
    XFREE(extension->data, ssl->heap, DYNAMIC_TYPE_TLSX);
7637
7638
    extension->data = (void*)cookie;
7639
    extension->resp = (byte)resp;
7640
7641
    return 0;
7642
}
7643
7644
#define CKE_FREE_ALL  TLSX_Cookie_FreeAll
7645
#define CKE_GET_SIZE  TLSX_Cookie_GetSize
7646
#define CKE_WRITE     TLSX_Cookie_Write
7647
#define CKE_PARSE     TLSX_Cookie_Parse
7648
7649
#else
7650
7651
0
#define CKE_FREE_ALL(a, b)    WC_DO_NOTHING
7652
0
#define CKE_GET_SIZE(a, b, c) 0
7653
0
#define CKE_WRITE(a, b, c, d) 0
7654
0
#define CKE_PARSE(a, b, c, d) 0
7655
7656
#endif
7657
7658
#if defined(WOLFSSL_TLS13) && !defined(NO_CERTS) && \
7659
    !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA)
7660
/* Currently only settable through compatibility API */
7661
/******************************************************************************/
7662
/* Certificate Authorities                                                       */
7663
/******************************************************************************/
7664
7665
static word16 TLSX_CA_Names_GetSize(void* data)
7666
{
7667
    WOLFSSL* ssl = (WOLFSSL*)data;
7668
    WOLF_STACK_OF(WOLFSSL_X509_NAME)* names;
7669
    word32 size = 0;
7670
7671
    /* Length of names */
7672
    size += OPAQUE16_LEN;
7673
    for (names = SSL_PRIORITY_CA_NAMES(ssl); names != NULL; names = names->next) {
7674
        byte seq[MAX_SEQ_SZ];
7675
        WOLFSSL_X509_NAME* name = names->data.name;
7676
7677
        if (name != NULL) {
7678
            /* 16-bit length | SEQ | Len | DER of name */
7679
            size += (word32)(OPAQUE16_LEN + SetSequence(name->rawLen, seq) +
7680
                             name->rawLen);
7681
            if (size > WOLFSSL_MAX_16BIT) {
7682
                return 0;
7683
            }
7684
        }
7685
    }
7686
    return (word16)size;
7687
}
7688
7689
static word16 TLSX_CA_Names_Write(void* data, byte* output)
7690
{
7691
    WOLFSSL* ssl = (WOLFSSL*)data;
7692
    WOLF_STACK_OF(WOLFSSL_X509_NAME)* names;
7693
    byte* len;
7694
7695
    /* Reserve space for the length value */
7696
    len = output;
7697
    output += OPAQUE16_LEN;
7698
    for (names = SSL_PRIORITY_CA_NAMES(ssl); names != NULL; names = names->next) {
7699
        byte seq[MAX_SEQ_SZ];
7700
        WOLFSSL_X509_NAME* name = names->data.name;
7701
7702
        if (name != NULL) {
7703
            c16toa((word16)name->rawLen +
7704
                   (word16)SetSequence(name->rawLen, seq), output);
7705
            output += OPAQUE16_LEN;
7706
            output += SetSequence(name->rawLen, output);
7707
            XMEMCPY(output, name->raw, name->rawLen);
7708
            output += name->rawLen;
7709
        }
7710
    }
7711
    /* Write the total length */
7712
    c16toa((word16)(output - len - OPAQUE16_LEN), len);
7713
    return (word16)(output - len);
7714
}
7715
7716
static int TLSX_CA_Names_Parse(WOLFSSL *ssl, const byte* input,
7717
                                  word16 length, byte isRequest)
7718
{
7719
    word16 extLen;
7720
7721
    (void)isRequest;
7722
7723
    wolfSSL_sk_X509_NAME_pop_free(ssl->peer_ca_names, NULL);
7724
    ssl->peer_ca_names = wolfSSL_sk_X509_NAME_new(NULL);
7725
    if (ssl->peer_ca_names == NULL)
7726
        return MEMORY_ERROR;
7727
7728
    if (length < OPAQUE16_LEN)
7729
        return BUFFER_ERROR;
7730
7731
    ato16(input, &extLen);
7732
    input += OPAQUE16_LEN;
7733
    length -= OPAQUE16_LEN;
7734
    if (extLen != length)
7735
        return BUFFER_ERROR;
7736
7737
    while (length) {
7738
        word16 idx = 0;
7739
        WOLFSSL_X509_NAME* name = NULL;
7740
        int ret = 0;
7741
        int didInit = FALSE;
7742
        /* Use a DecodedCert struct to get access to GetName to
7743
         * parse DN name */
7744
#ifdef WOLFSSL_SMALL_STACK
7745
        DecodedCert *cert = (DecodedCert *)XMALLOC(
7746
            sizeof(*cert), ssl->heap, DYNAMIC_TYPE_DCERT);
7747
        if (cert == NULL)
7748
            return MEMORY_ERROR;
7749
#else
7750
        DecodedCert cert[1];
7751
#endif
7752
7753
        if (length < OPAQUE16_LEN) {
7754
            ret = BUFFER_ERROR;
7755
        }
7756
7757
        if (ret == 0) {
7758
            ato16(input, &extLen);
7759
            idx += OPAQUE16_LEN;
7760
7761
            if (extLen > length - idx)
7762
                ret = BUFFER_ERROR;
7763
        }
7764
7765
        if (ret == 0) {
7766
            InitDecodedCert(cert, input + idx, extLen, ssl->heap);
7767
            didInit = TRUE;
7768
            idx += extLen;
7769
            ret = GetName(cert, ASN_SUBJECT, extLen);
7770
        }
7771
7772
        if (ret == 0 && (name = wolfSSL_X509_NAME_new()) == NULL)
7773
            ret = MEMORY_ERROR;
7774
7775
        if (ret == 0) {
7776
            CopyDecodedName(name, cert, ASN_SUBJECT);
7777
            if (wolfSSL_sk_X509_NAME_push(ssl->peer_ca_names, name) <= 0) {
7778
                wolfSSL_X509_NAME_free(name);
7779
                ret = MEMORY_ERROR;
7780
            }
7781
        }
7782
7783
        if (didInit)
7784
            FreeDecodedCert(cert);
7785
7786
        WC_FREE_VAR_EX(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
7787
        if (ret != 0)
7788
            return ret;
7789
7790
        input += idx;
7791
        length -= idx;
7792
    }
7793
    return 0;
7794
}
7795
7796
#define CAN_GET_SIZE(data)      TLSX_CA_Names_GetSize(data)
7797
#define CAN_WRITE(data, output) TLSX_CA_Names_Write(data, output)
7798
#define CAN_PARSE(ssl, input, length, isRequest) \
7799
                                TLSX_CA_Names_Parse(ssl, input, length, isRequest)
7800
7801
#else
7802
7803
#define CAN_GET_SIZE(data)                       0
7804
#define CAN_WRITE(data, output)                  0
7805
#define CAN_PARSE(ssl, input, length, isRequest) 0
7806
7807
#endif
7808
7809
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
7810
/******************************************************************************/
7811
/* Signature Algorithms                                                       */
7812
/******************************************************************************/
7813
7814
/* Return the size of the SignatureAlgorithms extension's data.
7815
 *
7816
 * data  Unused
7817
 * returns the length of data that will be in the extension.
7818
 */
7819
7820
static word16 TLSX_SignatureAlgorithms_GetSize(void* data)
7821
0
{
7822
0
    SignatureAlgorithms* sa = (SignatureAlgorithms*)data;
7823
7824
0
    if (sa->hashSigAlgoSz == 0)
7825
0
        return OPAQUE16_LEN + WOLFSSL_SUITES(sa->ssl)->hashSigAlgoSz;
7826
0
    else
7827
0
        return OPAQUE16_LEN + sa->hashSigAlgoSz;
7828
0
}
7829
7830
/* Creates a bit string of supported hash algorithms with RSA PSS.
7831
 * The bit string is used when determining which signature algorithm to use
7832
 * when creating the CertificateVerify message.
7833
 * Note: Valid data has an even length as each signature algorithm is two bytes.
7834
 *
7835
 * ssl     The SSL/TLS object.
7836
 * input   The buffer with the list of supported signature algorithms.
7837
 * length  The length of the list in bytes.
7838
 * returns 0 on success, BUFFER_ERROR when the length is not even.
7839
 */
7840
static int TLSX_SignatureAlgorithms_MapPss(WOLFSSL *ssl, const byte* input,
7841
                                           word16 length)
7842
0
{
7843
0
    word16 i;
7844
7845
0
    if ((length & 1) == 1)
7846
0
        return BUFFER_ERROR;
7847
7848
0
    ssl->pssAlgo = 0;
7849
0
    for (i = 0; i < length; i += 2) {
7850
0
        if (input[i] == rsa_pss_sa_algo && input[i + 1] <= sha512_mac)
7851
0
            ssl->pssAlgo |= 1 << input[i + 1];
7852
0
    #ifdef WOLFSSL_TLS13
7853
0
        if (input[i] == rsa_pss_sa_algo && input[i + 1] >= pss_sha256 &&
7854
0
                                                   input[i + 1] <= pss_sha512) {
7855
0
            ssl->pssAlgo |= 1 << input[i + 1];
7856
0
        }
7857
0
    #endif
7858
0
    }
7859
7860
0
    return 0;
7861
0
}
7862
7863
/* Writes the SignatureAlgorithms extension into the buffer.
7864
 *
7865
 * data    Unused
7866
 * output  The buffer to write the extension into.
7867
 * returns the length of data that was written.
7868
 */
7869
static word16 TLSX_SignatureAlgorithms_Write(void* data, byte* output)
7870
0
{
7871
0
    SignatureAlgorithms* sa = (SignatureAlgorithms*)data;
7872
0
    const Suites* suites = WOLFSSL_SUITES(sa->ssl);
7873
0
    word16 hashSigAlgoSz;
7874
7875
0
    if (sa->hashSigAlgoSz == 0) {
7876
0
        c16toa(suites->hashSigAlgoSz, output);
7877
0
        XMEMCPY(output + OPAQUE16_LEN, suites->hashSigAlgo,
7878
0
                suites->hashSigAlgoSz);
7879
0
        hashSigAlgoSz = suites->hashSigAlgoSz;
7880
0
    }
7881
0
    else {
7882
0
        c16toa(sa->hashSigAlgoSz, output);
7883
0
        XMEMCPY(output + OPAQUE16_LEN, sa->hashSigAlgo,
7884
0
                sa->hashSigAlgoSz);
7885
0
        hashSigAlgoSz = sa->hashSigAlgoSz;
7886
0
    }
7887
7888
0
#ifndef NO_RSA
7889
0
    TLSX_SignatureAlgorithms_MapPss(sa->ssl, output + OPAQUE16_LEN,
7890
0
            hashSigAlgoSz);
7891
0
#endif
7892
7893
0
    return OPAQUE16_LEN + hashSigAlgoSz;
7894
0
}
7895
7896
/* Parse the SignatureAlgorithms extension.
7897
 *
7898
 * ssl     The SSL/TLS object.
7899
 * input   The buffer with the extension data.
7900
 * length  The length of the extension data.
7901
 * returns 0 on success, otherwise failure.
7902
 */
7903
static int TLSX_SignatureAlgorithms_Parse(WOLFSSL *ssl, const byte* input,
7904
                                  word16 length, byte isRequest, Suites* suites)
7905
0
{
7906
0
    word16 len;
7907
7908
0
    if (!isRequest)
7909
0
        return BUFFER_ERROR;
7910
7911
    /* Must contain a length and at least algorithm. */
7912
0
    if (length < OPAQUE16_LEN + OPAQUE16_LEN || (length & 1) != 0)
7913
0
        return BUFFER_ERROR;
7914
7915
0
    ato16(input, &len);
7916
0
    input += OPAQUE16_LEN;
7917
7918
    /* Algorithm array must fill rest of data. */
7919
0
    if (length != OPAQUE16_LEN + len)
7920
0
        return BUFFER_ERROR;
7921
7922
    /* Truncate hashSigAlgo list if too long. */
7923
0
    suites->hashSigAlgoSz = len;
7924
    /* Sig Algo list size must be even. */
7925
0
    if (suites->hashSigAlgoSz % 2 != 0)
7926
0
        return BUFFER_ERROR;
7927
0
    if (suites->hashSigAlgoSz > WOLFSSL_MAX_SIGALGO) {
7928
0
        WOLFSSL_MSG("TLSX SigAlgo list exceeds max, truncating");
7929
0
        suites->hashSigAlgoSz = WOLFSSL_MAX_SIGALGO;
7930
0
    }
7931
0
    XMEMCPY(suites->hashSigAlgo, input, suites->hashSigAlgoSz);
7932
7933
0
    return TLSX_SignatureAlgorithms_MapPss(ssl, input, suites->hashSigAlgoSz);
7934
0
}
7935
7936
/* Sets a new SignatureAlgorithms extension into the extension list.
7937
 *
7938
 * extensions  The list of extensions.
7939
 * data        The extensions specific data.
7940
 * heap        The heap used for allocation.
7941
 * returns 0 on success, otherwise failure.
7942
 */
7943
static int TLSX_SetSignatureAlgorithms(TLSX** extensions, WOLFSSL* ssl,
7944
                                       void* heap)
7945
0
{
7946
0
    SignatureAlgorithms* sa;
7947
0
    int ret;
7948
7949
0
    if (extensions == NULL)
7950
0
        return BAD_FUNC_ARG;
7951
7952
    /* Already present */
7953
0
    if (TLSX_Find(*extensions, TLSX_SIGNATURE_ALGORITHMS) != NULL)
7954
0
        return 0;
7955
7956
0
    sa = TLSX_SignatureAlgorithms_New(ssl, 0, heap);
7957
0
    if (sa == NULL)
7958
0
        return MEMORY_ERROR;
7959
7960
0
    ret = TLSX_Push(extensions, TLSX_SIGNATURE_ALGORITHMS, sa, heap);
7961
0
    if (ret != 0)
7962
0
        TLSX_SignatureAlgorithms_FreeAll(sa, heap);
7963
0
    return ret;
7964
0
}
7965
7966
SignatureAlgorithms* TLSX_SignatureAlgorithms_New(WOLFSSL* ssl,
7967
        word16 hashSigAlgoSz, void* heap)
7968
0
{
7969
0
    SignatureAlgorithms* sa;
7970
0
    (void)heap;
7971
7972
0
    sa = (SignatureAlgorithms*)XMALLOC(sizeof(*sa) + hashSigAlgoSz, heap,
7973
0
                                       DYNAMIC_TYPE_TLSX);
7974
0
    if (sa != NULL) {
7975
0
        XMEMSET(sa, 0, sizeof(*sa) + hashSigAlgoSz);
7976
0
        sa->ssl = ssl;
7977
0
        sa->hashSigAlgoSz = hashSigAlgoSz;
7978
0
    }
7979
0
    return sa;
7980
0
}
7981
7982
void TLSX_SignatureAlgorithms_FreeAll(SignatureAlgorithms* sa,
7983
                                             void* heap)
7984
0
{
7985
0
    XFREE(sa, heap, DYNAMIC_TYPE_TLSX);
7986
0
    (void)heap;
7987
0
}
7988
7989
0
#define SA_GET_SIZE  TLSX_SignatureAlgorithms_GetSize
7990
0
#define SA_WRITE     TLSX_SignatureAlgorithms_Write
7991
0
#define SA_PARSE     TLSX_SignatureAlgorithms_Parse
7992
0
#define SA_FREE_ALL  TLSX_SignatureAlgorithms_FreeAll
7993
#endif
7994
/******************************************************************************/
7995
/* Signature Algorithms Certificate                                           */
7996
/******************************************************************************/
7997
7998
#if defined(WOLFSSL_TLS13) && !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
7999
/* Return the size of the SignatureAlgorithms extension's data.
8000
 *
8001
 * data  Unused
8002
 * returns the length of data that will be in the extension.
8003
 */
8004
static word16 TLSX_SignatureAlgorithmsCert_GetSize(void* data)
8005
0
{
8006
0
    WOLFSSL* ssl = (WOLFSSL*)data;
8007
8008
0
    return OPAQUE16_LEN + ssl->certHashSigAlgoSz;
8009
0
}
8010
8011
/* Writes the SignatureAlgorithmsCert extension into the buffer.
8012
 *
8013
 * data    Unused
8014
 * output  The buffer to write the extension into.
8015
 * returns the length of data that was written.
8016
 */
8017
static word16 TLSX_SignatureAlgorithmsCert_Write(void* data, byte* output)
8018
0
{
8019
0
    WOLFSSL* ssl = (WOLFSSL*)data;
8020
8021
0
    c16toa(ssl->certHashSigAlgoSz, output);
8022
0
    XMEMCPY(output + OPAQUE16_LEN, ssl->certHashSigAlgo,
8023
0
            ssl->certHashSigAlgoSz);
8024
8025
0
    return OPAQUE16_LEN + ssl->certHashSigAlgoSz;
8026
0
}
8027
8028
/* Parse the SignatureAlgorithmsCert extension.
8029
 *
8030
 * ssl     The SSL/TLS object.
8031
 * input   The buffer with the extension data.
8032
 * length  The length of the extension data.
8033
 * returns 0 on success, otherwise failure.
8034
 */
8035
static int TLSX_SignatureAlgorithmsCert_Parse(WOLFSSL *ssl, const byte* input,
8036
                                              word16 length, byte isRequest)
8037
0
{
8038
0
    word16 len;
8039
8040
0
    if (!isRequest)
8041
0
        return BUFFER_ERROR;
8042
8043
    /* Must contain a length and at least algorithm. */
8044
0
    if (length < OPAQUE16_LEN + OPAQUE16_LEN || (length & 1) != 0)
8045
0
        return BUFFER_ERROR;
8046
8047
0
    ato16(input, &len);
8048
0
    input += OPAQUE16_LEN;
8049
8050
    /* Algorithm array must fill rest of data. */
8051
0
    if (length != OPAQUE16_LEN + len)
8052
0
        return BUFFER_ERROR;
8053
8054
    /* truncate hashSigAlgo list if too long */
8055
0
    ssl->certHashSigAlgoSz = len;
8056
0
    if (ssl->certHashSigAlgoSz > WOLFSSL_MAX_SIGALGO) {
8057
0
        WOLFSSL_MSG("TLSX SigAlgo list exceeds max, truncating");
8058
0
        ssl->certHashSigAlgoSz = WOLFSSL_MAX_SIGALGO;
8059
0
    }
8060
0
    XMEMCPY(ssl->certHashSigAlgo, input, ssl->certHashSigAlgoSz);
8061
8062
0
    return 0;
8063
0
}
8064
8065
/* Sets a new SignatureAlgorithmsCert extension into the extension list.
8066
 *
8067
 * extensions  The list of extensions.
8068
 * data        The extensions specific data.
8069
 * heap        The heap used for allocation.
8070
 * returns 0 on success, otherwise failure.
8071
 */
8072
static int TLSX_SetSignatureAlgorithmsCert(TLSX** extensions,
8073
        const WOLFSSL* data, void* heap)
8074
0
{
8075
0
    if (extensions == NULL)
8076
0
        return BAD_FUNC_ARG;
8077
8078
0
    return TLSX_Push(extensions, TLSX_SIGNATURE_ALGORITHMS_CERT, data, heap);
8079
0
}
8080
8081
0
#define SAC_GET_SIZE  TLSX_SignatureAlgorithmsCert_GetSize
8082
0
#define SAC_WRITE     TLSX_SignatureAlgorithmsCert_Write
8083
0
#define SAC_PARSE     TLSX_SignatureAlgorithmsCert_Parse
8084
#endif /* WOLFSSL_TLS13 */
8085
8086
8087
/******************************************************************************/
8088
/* Key Share                                                                  */
8089
/******************************************************************************/
8090
8091
#ifndef MAX_KEYSHARE_NAMED_GROUPS
8092
    #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
8093
        !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
8094
0
        #define MAX_KEYSHARE_NAMED_GROUPS    24
8095
    #else
8096
        #define MAX_KEYSHARE_NAMED_GROUPS    12
8097
    #endif
8098
#endif
8099
8100
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
8101
/* Create a key share entry using named Diffie-Hellman parameters group.
8102
 * Generates a key pair.
8103
 *
8104
 * ssl   The SSL/TLS object.
8105
 * kse   The key share entry object.
8106
 * returns 0 on success, otherwise failure.
8107
 */
8108
static int TLSX_KeyShare_GenDhKey(WOLFSSL *ssl, KeyShareEntry* kse)
8109
0
{
8110
0
    int ret = 0;
8111
0
#if !defined(NO_DH) && (!defined(NO_CERTS) || !defined(NO_PSK))
8112
0
    word32 pSz = 0, pvtSz = 0;
8113
0
    DhKey* dhKey = (DhKey*)kse->key;
8114
8115
    /* Pick the parameters from the named group. */
8116
0
#ifdef HAVE_PUBLIC_FFDHE
8117
0
    const DhParams* params = NULL;
8118
0
    switch (kse->group) {
8119
0
    #ifdef HAVE_FFDHE_2048
8120
0
        case WOLFSSL_FFDHE_2048:
8121
0
            params = wc_Dh_ffdhe2048_Get();
8122
0
            pvtSz = 29;
8123
0
            break;
8124
0
    #endif
8125
    #ifdef HAVE_FFDHE_3072
8126
        case WOLFSSL_FFDHE_3072:
8127
            params = wc_Dh_ffdhe3072_Get();
8128
            pvtSz = 34;
8129
            break;
8130
    #endif
8131
    #ifdef HAVE_FFDHE_4096
8132
        case WOLFSSL_FFDHE_4096:
8133
            params = wc_Dh_ffdhe4096_Get();
8134
            pvtSz = 39;
8135
            break;
8136
    #endif
8137
    #ifdef HAVE_FFDHE_6144
8138
        case WOLFSSL_FFDHE_6144:
8139
            params = wc_Dh_ffdhe6144_Get();
8140
            pvtSz = 46;
8141
            break;
8142
    #endif
8143
    #ifdef HAVE_FFDHE_8192
8144
        case WOLFSSL_FFDHE_8192:
8145
            params = wc_Dh_ffdhe8192_Get();
8146
            pvtSz = 52;
8147
            break;
8148
    #endif
8149
0
        default:
8150
0
            break;
8151
0
    }
8152
0
    if (params == NULL)
8153
0
        return BAD_FUNC_ARG;
8154
0
    pSz = params->p_len;
8155
#else
8156
    pvtSz = wc_DhGetNamedKeyMinSize(kse->group);
8157
    if (pvtSz == 0) {
8158
        return BAD_FUNC_ARG;
8159
    }
8160
    ret = wc_DhGetNamedKeyParamSize(kse->group, &pSz, NULL, NULL);
8161
    if (ret != 0) {
8162
        return BAD_FUNC_ARG;
8163
    }
8164
#endif
8165
8166
    /* Trigger Key Generation */
8167
0
    if (kse->pubKey == NULL || kse->privKey == NULL) {
8168
0
        if (kse->key == NULL) {
8169
0
            kse->key = (DhKey*)XMALLOC(sizeof(DhKey), ssl->heap,
8170
0
                DYNAMIC_TYPE_DH);
8171
0
            if (kse->key == NULL)
8172
0
                return MEMORY_E;
8173
8174
            /* Setup Key */
8175
0
            ret = wc_InitDhKey_ex((DhKey*)kse->key, ssl->heap, ssl->devId);
8176
0
            if (ret == 0) {
8177
0
                dhKey = (DhKey*)kse->key;
8178
0
            #ifdef HAVE_PUBLIC_FFDHE
8179
0
                ret = wc_DhSetKey(dhKey, params->p, params->p_len, params->g,
8180
0
                                                                 params->g_len);
8181
            #else
8182
                ret = wc_DhSetNamedKey(dhKey, kse->group);
8183
            #endif
8184
0
            }
8185
        #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
8186
            defined(WC_ASYNC_ENABLE_DH)
8187
            /* Only set non-blocking context when async device is active. With
8188
             * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so
8189
             * skip non-blocking setup and use blocking mode instead. */
8190
            if (ret == 0 && ssl->devId != INVALID_DEVID) {
8191
                DhNb* dhNb = (DhNb*)XMALLOC(sizeof(DhNb), ssl->heap,
8192
                                            DYNAMIC_TYPE_TMP_BUFFER);
8193
                if (dhNb == NULL) {
8194
                    ret = MEMORY_E;
8195
                }
8196
                else {
8197
                    ret = wc_DhSetNonBlock((DhKey*)kse->key, dhNb);
8198
                    if (ret != 0) {
8199
                        XFREE(dhNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
8200
                    }
8201
                }
8202
            }
8203
        #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
8204
                  WC_ASYNC_ENABLE_DH */
8205
0
        }
8206
8207
        /* Allocate space for the private and public key */
8208
0
        if (ret == 0 && kse->pubKey == NULL) {
8209
0
            kse->pubKey = (byte*)XMALLOC(pSz, ssl->heap,
8210
0
                DYNAMIC_TYPE_PUBLIC_KEY);
8211
0
            if (kse->pubKey == NULL)
8212
0
                ret = MEMORY_E;
8213
0
        }
8214
8215
0
        if (ret == 0 && kse->privKey == NULL) {
8216
0
            kse->privKey = (byte*)XMALLOC(pvtSz, ssl->heap,
8217
0
                DYNAMIC_TYPE_PRIVATE_KEY);
8218
0
            if (kse->privKey == NULL)
8219
0
                ret = MEMORY_E;
8220
0
        }
8221
8222
0
        if (ret == 0) {
8223
        #if defined(WOLFSSL_STATIC_EPHEMERAL) && defined(WOLFSSL_DH_EXTRA)
8224
            ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_DH, kse->key);
8225
            kse->pubKeyLen = pSz;
8226
            kse->keyLen = pvtSz;
8227
            if (ret == 0) {
8228
                ret = wc_DhExportKeyPair(dhKey,
8229
                    (byte*)kse->privKey, &kse->keyLen, /* private */
8230
                    kse->pubKey, &kse->pubKeyLen /* public */
8231
                );
8232
            }
8233
            else
8234
        #endif
8235
0
            {
8236
                /* Generate a new key pair */
8237
                /* For async this is called once and when event is done, the
8238
                 *   provided buffers will be populated.
8239
                 * Final processing is zero pad below. */
8240
0
                kse->pubKeyLen = pSz;
8241
0
                kse->keyLen = pvtSz;
8242
0
                ret = DhGenKeyPair(ssl, dhKey,
8243
0
                    (byte*)kse->privKey, &kse->keyLen, /* private */
8244
0
                    kse->pubKey, &kse->pubKeyLen /* public */
8245
0
                );
8246
            #ifdef WOLFSSL_ASYNC_CRYPT
8247
                if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
8248
                    return ret;
8249
                }
8250
            #endif
8251
0
            }
8252
0
        }
8253
0
    }
8254
8255
0
    if (ret == 0) {
8256
0
        if (pSz != kse->pubKeyLen) {
8257
            /* Zero pad the front of the public key to match prime "p" size */
8258
0
            XMEMMOVE(kse->pubKey + pSz - kse->pubKeyLen, kse->pubKey,
8259
0
                kse->pubKeyLen);
8260
0
            XMEMSET(kse->pubKey, 0, pSz - kse->pubKeyLen);
8261
0
            kse->pubKeyLen = pSz;
8262
0
        }
8263
8264
0
        if (pvtSz != kse->keyLen) {
8265
            /* Zero pad the front of the private key */
8266
0
            XMEMMOVE(kse->privKey + pvtSz - kse->keyLen, kse->privKey,
8267
0
                kse->keyLen);
8268
0
            XMEMSET(kse->privKey, 0, pvtSz - kse->keyLen);
8269
0
            kse->keyLen = pvtSz;
8270
0
        }
8271
8272
    #ifdef WOLFSSL_DEBUG_TLS
8273
        WOLFSSL_MSG("Public DH Key");
8274
        WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen);
8275
    #endif
8276
0
    }
8277
8278
    /* Always release the DH key to free up memory.
8279
     * The DhKey will be setup again in TLSX_KeyShare_ProcessDh */
8280
0
    if (dhKey != NULL) {
8281
    #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
8282
        defined(WC_ASYNC_ENABLE_DH)
8283
        if (dhKey->nb != NULL) {
8284
            XFREE(dhKey->nb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
8285
            dhKey->nb = NULL;
8286
        }
8287
    #endif
8288
0
        wc_FreeDhKey(dhKey);
8289
0
    }
8290
0
    XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_DH);
8291
0
    kse->key = NULL;
8292
8293
0
    if (ret != 0) {
8294
        /* Cleanup on error, otherwise data owned by key share entry */
8295
0
        if (kse->privKey) {
8296
0
            ForceZero(kse->privKey, pvtSz);
8297
0
            XFREE(kse->privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
8298
0
            kse->privKey = NULL;
8299
0
        }
8300
0
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
8301
0
        kse->pubKey = NULL;
8302
0
    }
8303
#else
8304
    (void)ssl;
8305
    (void)kse;
8306
8307
    ret = NOT_COMPILED_IN;
8308
    WOLFSSL_ERROR_VERBOSE(ret);
8309
#endif
8310
8311
0
    return ret;
8312
0
}
8313
8314
/* Create a key share entry using X25519 parameters group.
8315
 * Generates a key pair.
8316
 *
8317
 * ssl   The SSL/TLS object.
8318
 * kse   The key share entry object.
8319
 * returns 0 on success, otherwise failure.
8320
 */
8321
static int TLSX_KeyShare_GenX25519Key(WOLFSSL *ssl, KeyShareEntry* kse)
8322
0
{
8323
0
    int ret = 0;
8324
#ifdef HAVE_CURVE25519
8325
    curve25519_key* key = (curve25519_key*)kse->key;
8326
8327
    if (kse->key == NULL) {
8328
        /* Allocate a Curve25519 key to hold private key. */
8329
        kse->key = (curve25519_key*)XMALLOC(sizeof(curve25519_key), ssl->heap,
8330
                                                      DYNAMIC_TYPE_PRIVATE_KEY);
8331
        if (kse->key == NULL) {
8332
            WOLFSSL_MSG("GenX25519Key memory error");
8333
            return MEMORY_E;
8334
        }
8335
8336
        /* Make an Curve25519 key. */
8337
        ret = wc_curve25519_init_ex((curve25519_key*)kse->key, ssl->heap,
8338
            ssl->devId);
8339
        if (ret == 0) {
8340
            /* setting "key" means okay to call wc_curve25519_free */
8341
            key = (curve25519_key*)kse->key;
8342
            kse->keyLen = CURVE25519_KEYSIZE;
8343
        }
8344
    #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
8345
        defined(WC_ASYNC_ENABLE_X25519)
8346
        /* Only set non-blocking context when async device is active. With
8347
         * INVALID_DEVID there is no async loop to retry on FP_WOULDBLOCK, so
8348
         * skip non-blocking setup and use blocking mode instead. */
8349
        if (ret == 0 && ssl->devId != INVALID_DEVID) {
8350
            x25519_nb_ctx_t* nb_ctx = (x25519_nb_ctx_t*)XMALLOC(
8351
                sizeof(x25519_nb_ctx_t), ssl->heap,
8352
                DYNAMIC_TYPE_TMP_BUFFER);
8353
            if (nb_ctx == NULL) {
8354
                ret = MEMORY_E;
8355
            }
8356
            else {
8357
                ret = wc_curve25519_set_nonblock(key, nb_ctx);
8358
                if (ret != 0) {
8359
                    XFREE(nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
8360
                }
8361
            }
8362
        }
8363
    #endif /* WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
8364
              WC_ASYNC_ENABLE_X25519 */
8365
        if (ret == 0) {
8366
        #ifdef WOLFSSL_STATIC_EPHEMERAL
8367
            ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_CURVE25519, kse->key);
8368
            if (ret != 0) /* on failure, fallback to local key generation */
8369
        #endif
8370
            {
8371
            #ifdef WOLFSSL_ASYNC_CRYPT
8372
                /* initialize event */
8373
                ret = wolfSSL_AsyncInit(ssl, &key->asyncDev,
8374
                    WC_ASYNC_FLAG_NONE);
8375
                if (ret != 0)
8376
                    return ret;
8377
            #endif
8378
                ret = wc_curve25519_make_key(ssl->rng, CURVE25519_KEYSIZE, key);
8379
8380
                /* Handle async pending response */
8381
            #ifdef WOLFSSL_ASYNC_CRYPT
8382
                if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
8383
                    return wolfSSL_AsyncPush(ssl, &key->asyncDev);
8384
                }
8385
            #endif /* WOLFSSL_ASYNC_CRYPT */
8386
            }
8387
        }
8388
    }
8389
8390
    if (ret == 0 && kse->pubKey == NULL) {
8391
        /* Allocate space for the public key. */
8392
        kse->pubKey = (byte*)XMALLOC(CURVE25519_KEYSIZE, ssl->heap,
8393
                                                       DYNAMIC_TYPE_PUBLIC_KEY);
8394
        if (kse->pubKey == NULL) {
8395
            WOLFSSL_MSG("GenX25519Key pub memory error");
8396
            ret = MEMORY_E;
8397
        }
8398
    }
8399
8400
    if (ret == 0) {
8401
        /* Export Curve25519 public key. */
8402
        kse->pubKeyLen = CURVE25519_KEYSIZE;
8403
        if (wc_curve25519_export_public_ex(key, kse->pubKey, &kse->pubKeyLen,
8404
                                                  EC25519_LITTLE_ENDIAN) != 0) {
8405
            ret = ECC_EXPORT_ERROR;
8406
            WOLFSSL_ERROR_VERBOSE(ret);
8407
        }
8408
        kse->pubKeyLen = CURVE25519_KEYSIZE; /* always CURVE25519_KEYSIZE */
8409
    }
8410
8411
#ifdef WOLFSSL_DEBUG_TLS
8412
    if (ret == 0) {
8413
        WOLFSSL_MSG("Public Curve25519 Key");
8414
        WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen);
8415
    }
8416
#endif
8417
8418
    if (ret != 0) {
8419
        /* Data owned by key share entry otherwise. */
8420
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
8421
        kse->pubKey = NULL;
8422
        if (key != NULL) {
8423
        #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW)
8424
            if (key->nb_ctx != NULL) {
8425
                XFREE(key->nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
8426
            }
8427
        #endif
8428
            wc_curve25519_free(key);
8429
        }
8430
        XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
8431
        kse->key = NULL;
8432
    }
8433
#else
8434
0
    (void)ssl;
8435
0
    (void)kse;
8436
8437
0
    ret = NOT_COMPILED_IN;
8438
0
    WOLFSSL_ERROR_VERBOSE(ret);
8439
0
#endif /* HAVE_CURVE25519 */
8440
8441
0
    return ret;
8442
0
}
8443
8444
/* Create a key share entry using X448 parameters group.
8445
 * Generates a key pair.
8446
 *
8447
 * ssl   The SSL/TLS object.
8448
 * kse   The key share entry object.
8449
 * returns 0 on success, otherwise failure.
8450
 */
8451
static int TLSX_KeyShare_GenX448Key(WOLFSSL *ssl, KeyShareEntry* kse)
8452
0
{
8453
0
    int ret = 0;
8454
#ifdef HAVE_CURVE448
8455
    curve448_key* key = (curve448_key*)kse->key;
8456
8457
    if (kse->key == NULL) {
8458
        /* Allocate a Curve448 key to hold private key. */
8459
        kse->key = (curve448_key*)XMALLOC(sizeof(curve448_key), ssl->heap,
8460
                                                      DYNAMIC_TYPE_PRIVATE_KEY);
8461
        if (kse->key == NULL) {
8462
            WOLFSSL_MSG("GenX448Key memory error");
8463
            return MEMORY_E;
8464
        }
8465
8466
        /* Make an Curve448 key. */
8467
        ret = wc_curve448_init((curve448_key*)kse->key);
8468
        if (ret == 0) {
8469
            key = (curve448_key*)kse->key;
8470
            kse->keyLen = CURVE448_KEY_SIZE;
8471
8472
            #ifdef WOLFSSL_STATIC_EPHEMERAL
8473
            ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_CURVE448, kse->key);
8474
            if (ret != 0)
8475
        #endif
8476
            {
8477
                ret = wc_curve448_make_key(ssl->rng, CURVE448_KEY_SIZE, key);
8478
            }
8479
        }
8480
    }
8481
8482
    if (ret == 0 && kse->pubKey == NULL) {
8483
        /* Allocate space for the public key. */
8484
        kse->pubKey = (byte*)XMALLOC(CURVE448_KEY_SIZE, ssl->heap,
8485
                                                       DYNAMIC_TYPE_PUBLIC_KEY);
8486
        if (kse->pubKey == NULL) {
8487
            WOLFSSL_MSG("GenX448Key pub memory error");
8488
            ret = MEMORY_E;
8489
        }
8490
    }
8491
8492
    if (ret == 0) {
8493
        /* Export Curve448 public key. */
8494
        kse->pubKeyLen = CURVE448_KEY_SIZE;
8495
        if (wc_curve448_export_public_ex(key, kse->pubKey, &kse->pubKeyLen,
8496
                                                    EC448_LITTLE_ENDIAN) != 0) {
8497
            ret = ECC_EXPORT_ERROR;
8498
        }
8499
        kse->pubKeyLen = CURVE448_KEY_SIZE; /* always CURVE448_KEY_SIZE */
8500
    }
8501
8502
#ifdef WOLFSSL_DEBUG_TLS
8503
    if (ret == 0) {
8504
        WOLFSSL_MSG("Public Curve448 Key");
8505
        WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen);
8506
    }
8507
#endif
8508
8509
    if (ret != 0) {
8510
        /* Data owned by key share entry otherwise. */
8511
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
8512
        kse->pubKey = NULL;
8513
        if (key != NULL)
8514
            wc_curve448_free(key);
8515
        XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
8516
        kse->key = NULL;
8517
    }
8518
#else
8519
0
    (void)ssl;
8520
0
    (void)kse;
8521
8522
0
    ret = NOT_COMPILED_IN;
8523
0
    WOLFSSL_ERROR_VERBOSE(ret);
8524
0
#endif /* HAVE_CURVE448 */
8525
8526
0
    return ret;
8527
0
}
8528
8529
/* Create a key share entry using named elliptic curve parameters group.
8530
 * Generates a key pair.
8531
 *
8532
 * ssl   The SSL/TLS object.
8533
 * kse   The key share entry object.
8534
 * returns 0 on success, otherwise failure.
8535
 */
8536
static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse)
8537
0
{
8538
0
    int ret = 0;
8539
0
#if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
8540
0
    word32 keySize = 0;
8541
0
    word16 curveId = (word16) ECC_CURVE_INVALID;
8542
0
    ecc_key* eccKey = (ecc_key*)kse->key;
8543
8544
    /* Translate named group to a curve id. */
8545
0
    switch (kse->group) {
8546
0
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
8547
0
        #ifndef NO_ECC_SECP
8548
0
        case WOLFSSL_ECC_SECP256R1:
8549
0
            curveId = ECC_SECP256R1;
8550
0
            break;
8551
0
        #endif /* !NO_ECC_SECP */
8552
        #ifdef WOLFSSL_SM2
8553
        case WOLFSSL_ECC_SM2P256V1:
8554
            curveId = ECC_SM2P256V1;
8555
            break;
8556
        #endif /* !WOLFSSL_SM2 */
8557
        #ifdef HAVE_ECC_BRAINPOOL
8558
        case WOLFSSL_ECC_BRAINPOOLP256R1TLS13:
8559
            curveId = ECC_BRAINPOOLP256R1;
8560
            break;
8561
        #endif /* HAVE_ECC_BRAINPOOL */
8562
0
    #endif
8563
0
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
8564
0
        #ifndef NO_ECC_SECP
8565
0
        case WOLFSSL_ECC_SECP384R1:
8566
0
            curveId = ECC_SECP384R1;
8567
0
            break;
8568
0
        #endif /* !NO_ECC_SECP */
8569
        #ifdef HAVE_ECC_BRAINPOOL
8570
        case WOLFSSL_ECC_BRAINPOOLP384R1TLS13:
8571
            curveId = ECC_BRAINPOOLP384R1;
8572
            break;
8573
        #endif /* HAVE_ECC_BRAINPOOL */
8574
0
    #endif
8575
0
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
8576
        #ifdef HAVE_ECC_BRAINPOOL
8577
        case WOLFSSL_ECC_BRAINPOOLP512R1TLS13:
8578
            curveId = ECC_BRAINPOOLP512R1;
8579
            break;
8580
        #endif /* HAVE_ECC_BRAINPOOL */
8581
0
    #endif
8582
0
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
8583
0
        #ifndef NO_ECC_SECP
8584
0
        case WOLFSSL_ECC_SECP521R1:
8585
0
            curveId = ECC_SECP521R1;
8586
0
            break;
8587
0
        #endif /* !NO_ECC_SECP */
8588
0
    #endif
8589
0
        default:
8590
0
            WOLFSSL_ERROR_VERBOSE(BAD_FUNC_ARG);
8591
0
            return BAD_FUNC_ARG;
8592
0
    }
8593
8594
0
    {
8595
0
        int size = wc_ecc_get_curve_size_from_id(curveId);
8596
0
        if (size < 0) {
8597
0
            WOLFSSL_ERROR_VERBOSE(size);
8598
0
            return size;
8599
0
        }
8600
0
        keySize = (word32)size;
8601
0
    }
8602
8603
0
    if (kse->key == NULL) {
8604
        /* Allocate an ECC key to hold private key. */
8605
0
        kse->key = (byte*)XMALLOC(sizeof(ecc_key), ssl->heap, DYNAMIC_TYPE_ECC);
8606
0
        if (kse->key == NULL) {
8607
0
            WOLFSSL_MSG_EX("Failed to allocate %d bytes, ssl->heap: %p",
8608
0
                           (int)sizeof(ecc_key), (wc_ptr_t)ssl->heap);
8609
0
            WOLFSSL_MSG("EccTempKey Memory error!");
8610
0
            return MEMORY_E;
8611
0
        }
8612
8613
        /* Initialize an ECC key struct for the ephemeral key */
8614
0
        ret = wc_ecc_init_ex((ecc_key*)kse->key, ssl->heap, ssl->devId);
8615
8616
    #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
8617
        defined(WC_ASYNC_ENABLE_ECC)
8618
        /* Only set non-blocking context when async device is active. With
8619
         * INVALID_DEVID there is no async loop to retry on FP_WOULDBLOCK, so
8620
         * skip non-blocking setup and use blocking mode instead. */
8621
        if (ret == 0 && ssl->devId != INVALID_DEVID) {
8622
            ecc_nb_ctx_t* eccNbCtx = (ecc_nb_ctx_t*)XMALLOC(
8623
                sizeof(ecc_nb_ctx_t), ssl->heap,
8624
                DYNAMIC_TYPE_TMP_BUFFER);
8625
            if (eccNbCtx == NULL) {
8626
                ret = MEMORY_E;
8627
            }
8628
            else {
8629
                ret = wc_ecc_set_nonblock((ecc_key*)kse->key, eccNbCtx);
8630
                if (ret != 0) {
8631
                    XFREE(eccNbCtx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
8632
                }
8633
            }
8634
        }
8635
    #endif /* WC_ECC_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
8636
              WC_ASYNC_ENABLE_ECC */
8637
8638
0
        if (ret == 0) {
8639
0
            kse->keyLen = keySize;
8640
0
            kse->pubKeyLen = keySize * 2 + 1;
8641
8642
        #if defined(WOLFSSL_RENESAS_TSIP_TLS)
8643
            ret = tsip_Tls13GenEccKeyPair(ssl, kse);
8644
            if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
8645
                return ret;
8646
            }
8647
        #endif
8648
            /* setting eccKey means okay to call wc_ecc_free */
8649
0
            eccKey = (ecc_key*)kse->key;
8650
8651
        #ifdef WOLFSSL_STATIC_EPHEMERAL
8652
            ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_ECDH, kse->key);
8653
            if (ret != 0 || eccKey->dp->id != curveId)
8654
        #endif
8655
0
            {
8656
                /* set curve info for EccMakeKey "peer" info */
8657
0
                ret = wc_ecc_set_curve(eccKey, (int)kse->keyLen, curveId);
8658
0
                if (ret == 0) {
8659
            #ifdef WOLFSSL_ASYNC_CRYPT
8660
                    /* Detect when private key generation is done */
8661
                    if (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E) &&
8662
                            eccKey->type == ECC_PRIVATEKEY) {
8663
                        ret = 0; /* ECC Key Generation is done */
8664
                    }
8665
                    else
8666
            #endif
8667
0
                    {
8668
                        /* Generate ephemeral ECC key */
8669
                        /* For async this is called once and when event is done, the
8670
                        *   provided buffers in key be populated.
8671
                        * Final processing is x963 key export below. */
8672
0
                        ret = EccMakeKey(ssl, eccKey, eccKey);
8673
0
                    }
8674
0
                }
8675
            #ifdef WOLFSSL_ASYNC_CRYPT
8676
                if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
8677
                    return ret;
8678
            #endif
8679
0
            }
8680
0
        }
8681
0
    }
8682
8683
0
    if (ret == 0 && kse->pubKey == NULL) {
8684
        /* Allocate space for the public key */
8685
0
        kse->pubKey = (byte*)XMALLOC(kse->pubKeyLen, ssl->heap,
8686
0
            DYNAMIC_TYPE_PUBLIC_KEY);
8687
0
        if (kse->pubKey == NULL) {
8688
0
            WOLFSSL_MSG("Key data Memory error");
8689
0
            ret = MEMORY_E;
8690
0
        }
8691
0
    }
8692
8693
0
    if (ret == 0) {
8694
0
        XMEMSET(kse->pubKey, 0, kse->pubKeyLen);
8695
8696
        /* Export public key. */
8697
0
        PRIVATE_KEY_UNLOCK();
8698
0
        if (wc_ecc_export_x963(eccKey, kse->pubKey, &kse->pubKeyLen) != 0) {
8699
0
            ret = ECC_EXPORT_ERROR;
8700
0
            WOLFSSL_ERROR_VERBOSE(ret);
8701
0
        }
8702
0
        PRIVATE_KEY_LOCK();
8703
0
    }
8704
#ifdef WOLFSSL_DEBUG_TLS
8705
    if (ret == 0) {
8706
        WOLFSSL_MSG("Public ECC Key");
8707
        WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen);
8708
    }
8709
#endif
8710
8711
0
    if (ret != 0) {
8712
        /* Cleanup on error, otherwise data owned by key share entry */
8713
0
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
8714
0
        kse->pubKey = NULL;
8715
0
        if (eccKey != NULL) {
8716
    #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
8717
        defined(WC_ASYNC_ENABLE_ECC)
8718
            if (eccKey->nb_ctx != NULL) {
8719
                XFREE(eccKey->nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
8720
            }
8721
    #endif
8722
0
            wc_ecc_free(eccKey);
8723
0
        }
8724
0
        XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
8725
0
        kse->key = NULL;
8726
0
    }
8727
#else
8728
    (void)ssl;
8729
    (void)kse;
8730
8731
    ret = NOT_COMPILED_IN;
8732
    WOLFSSL_ERROR_VERBOSE(ret);
8733
#endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */
8734
8735
0
    return ret;
8736
0
}
8737
8738
#ifdef WOLFSSL_HAVE_MLKEM
8739
#if (defined(WOLFSSL_MLKEM_CACHE_A) || \
8740
    (defined(HAVE_PKCS11) && !defined(NO_PKCS11_MLKEM))) && \
8741
    !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY)
8742
    /* Store MlKemKey object rather than private key bytes in key share entry.
8743
     * Improves performance at cost of more dynamic memory being used. */
8744
    #define WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
8745
#endif
8746
#if defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY) && \
8747
    defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ)
8748
    #error "Choose WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY or "
8749
           "WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ"
8750
#endif
8751
8752
#if (!defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
8753
     !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)) || \
8754
    !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) || \
8755
    (!defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \
8756
     !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ))
8757
static int mlkem_id2type(int id, int *type)
8758
0
{
8759
0
    int ret = 0;
8760
8761
0
    switch (id) {
8762
0
#ifndef WOLFSSL_NO_ML_KEM
8763
0
    #ifndef WOLFSSL_NO_ML_KEM_512
8764
0
        case WOLFSSL_ML_KEM_512:
8765
0
            *type = WC_ML_KEM_512;
8766
0
            break;
8767
0
    #endif
8768
0
    #ifndef WOLFSSL_NO_ML_KEM_768
8769
0
        case WOLFSSL_ML_KEM_768:
8770
0
            *type = WC_ML_KEM_768;
8771
0
            break;
8772
0
    #endif
8773
0
    #ifndef WOLFSSL_NO_ML_KEM_1024
8774
0
        case WOLFSSL_ML_KEM_1024:
8775
0
            *type = WC_ML_KEM_1024;
8776
0
            break;
8777
0
    #endif
8778
0
#endif
8779
#ifdef WOLFSSL_MLKEM_KYBER
8780
    #ifdef WOLFSSL_KYBER512
8781
        case WOLFSSL_KYBER_LEVEL1:
8782
            *type = KYBER512;
8783
            break;
8784
    #endif
8785
    #ifdef WOLFSSL_KYBER768
8786
        case WOLFSSL_KYBER_LEVEL3:
8787
            *type = KYBER768;
8788
            break;
8789
    #endif
8790
    #ifdef WOLFSSL_KYBER1024
8791
        case WOLFSSL_KYBER_LEVEL5:
8792
            *type = KYBER1024;
8793
            break;
8794
    #endif
8795
#endif
8796
0
        default:
8797
0
            ret = NOT_COMPILED_IN;
8798
0
            break;
8799
0
    }
8800
8801
0
    return ret;
8802
0
}
8803
#endif
8804
8805
#if defined(WOLFSSL_NO_ML_KEM_768) && defined(WOLFSSL_NO_ML_KEM_1024) && \
8806
    defined(WOLFSSL_PQC_HYBRIDS)
8807
    #error "PQC hybrid combinations require either ML-KEM 768 or ML-KEM 1024"
8808
#endif
8809
8810
/* Structures and objects needed for hybrid key exchanges using both classic
8811
 * ECDHE and PQC KEM key material. */
8812
typedef struct PqcHybridMapping {
8813
    int hybrid;
8814
    int ecc;
8815
    int pqc;
8816
    int pqc_first;
8817
} PqcHybridMapping;
8818
8819
static const PqcHybridMapping pqc_hybrid_mapping[] = {
8820
#ifndef WOLFSSL_NO_ML_KEM
8821
#ifdef WOLFSSL_PQC_HYBRIDS
8822
    {WOLFSSL_SECP256R1MLKEM768, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_768, 0},
8823
    {WOLFSSL_SECP384R1MLKEM1024, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_1024, 0},
8824
#endif /* WOLFSSL_PQC_HYBRIDS */
8825
#ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
8826
    {WOLFSSL_SECP256R1MLKEM512, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_512, 0},
8827
    {WOLFSSL_SECP384R1MLKEM768, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_768, 0},
8828
    {WOLFSSL_SECP521R1MLKEM1024, WOLFSSL_ECC_SECP521R1, WOLFSSL_ML_KEM_1024, 0},
8829
#ifdef WOLFSSL_ML_KEM_USE_OLD_IDS
8830
    {WOLFSSL_P256_ML_KEM_512_OLD, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_512, 0},
8831
    {WOLFSSL_P384_ML_KEM_768_OLD, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_768, 0},
8832
    {WOLFSSL_P521_ML_KEM_1024_OLD, WOLFSSL_ECC_SECP521R1, WOLFSSL_ML_KEM_1024, 0},
8833
#endif /* WOLFSSL_ML_KEM_USE_OLD_IDS */
8834
#endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
8835
#ifdef HAVE_CURVE25519
8836
#ifdef WOLFSSL_PQC_HYBRIDS
8837
    {WOLFSSL_X25519MLKEM768, WOLFSSL_ECC_X25519, WOLFSSL_ML_KEM_768, 1},
8838
#endif /* WOLFSSL_PQC_HYBRIDS */
8839
#ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
8840
    {WOLFSSL_X25519MLKEM512, WOLFSSL_ECC_X25519, WOLFSSL_ML_KEM_512, 1},
8841
#endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
8842
#endif /* HAVE_CURVE25519 */
8843
#ifdef HAVE_CURVE448
8844
#ifdef WOLFSSL_EXTRA_PQC_HYBRIDS
8845
    {WOLFSSL_X448MLKEM768, WOLFSSL_ECC_X448, WOLFSSL_ML_KEM_768, 1},
8846
#endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */
8847
#endif /* HAVE_CURVE448 */
8848
#endif /* WOLFSSL_NO_ML_KEM */
8849
#ifdef WOLFSSL_MLKEM_KYBER
8850
    {WOLFSSL_P256_KYBER_LEVEL1, WOLFSSL_ECC_SECP256R1, WOLFSSL_KYBER_LEVEL1, 0},
8851
    {WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_ECC_SECP384R1, WOLFSSL_KYBER_LEVEL3, 0},
8852
    {WOLFSSL_P256_KYBER_LEVEL3, WOLFSSL_ECC_SECP256R1, WOLFSSL_KYBER_LEVEL3, 0},
8853
    {WOLFSSL_P521_KYBER_LEVEL5, WOLFSSL_ECC_SECP521R1, WOLFSSL_KYBER_LEVEL5, 0},
8854
#ifdef HAVE_CURVE25519
8855
    {WOLFSSL_X25519_KYBER_LEVEL1, WOLFSSL_ECC_X25519, WOLFSSL_KYBER_LEVEL1, 0},
8856
    {WOLFSSL_X25519_KYBER_LEVEL3, WOLFSSL_ECC_X25519, WOLFSSL_KYBER_LEVEL3, 0},
8857
#endif
8858
#ifdef HAVE_CURVE448
8859
    {WOLFSSL_X448_KYBER_LEVEL3, WOLFSSL_ECC_X448, WOLFSSL_KYBER_LEVEL3, 0},
8860
#endif
8861
#endif /* WOLFSSL_MLKEM_KYBER */
8862
    {0, 0, 0, 0}
8863
};
8864
8865
/* Map an ecc-pqc hybrid group into its ecc group and pqc kem group. */
8866
static void findEccPqc(int *ecc, int *pqc, int *pqc_first, int group)
8867
0
{
8868
0
    int i;
8869
8870
0
    if (pqc != NULL)
8871
0
        *pqc = 0;
8872
0
    if (ecc != NULL)
8873
0
        *ecc = 0;
8874
0
    if (pqc_first != NULL)
8875
0
        *pqc_first = 0;
8876
8877
0
    for (i = 0; pqc_hybrid_mapping[i].hybrid != 0; i++) {
8878
0
        if (pqc_hybrid_mapping[i].hybrid == group) {
8879
0
            if (pqc != NULL)
8880
0
                *pqc = pqc_hybrid_mapping[i].pqc;
8881
0
            if (ecc != NULL)
8882
0
                *ecc = pqc_hybrid_mapping[i].ecc;
8883
0
            if (pqc_first != NULL)
8884
0
                *pqc_first = pqc_hybrid_mapping[i].pqc_first;
8885
0
            break;
8886
0
        }
8887
0
    }
8888
0
}
8889
8890
#if !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
8891
    !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
8892
/* Create a key share entry using pqc parameters group on the client side.
8893
 * Generates a key pair.
8894
 *
8895
 * ssl   The SSL/TLS object.
8896
 * kse   The key share entry object.
8897
 * returns 0 on success, otherwise failure.
8898
 */
8899
static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse)
8900
0
{
8901
0
    int ret = 0;
8902
0
    int type = 0;
8903
0
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
8904
0
        WC_DECLARE_VAR(kem, MlKemKey, 1, 0);
8905
0
    byte* privKey = NULL;
8906
0
    word32 privSz = 0;
8907
#else
8908
    MlKemKey* kem = NULL;
8909
#endif
8910
8911
    /* This gets called twice. Once during parsing of the key share and once
8912
     * during the population of the extension. No need to do work the second
8913
     * time. Just return success if its already been done. */
8914
0
    if (kse->pubKey != NULL) {
8915
0
        return ret;
8916
0
    }
8917
8918
    /* Get the type of key we need from the key share group. */
8919
0
    ret = mlkem_id2type(kse->group, &type);
8920
0
    if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) {
8921
0
        WOLFSSL_MSG("Invalid ML-KEM algorithm specified.");
8922
0
        ret = BAD_FUNC_ARG;
8923
0
    }
8924
8925
0
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
8926
8927
    #ifdef WOLFSSL_SMALL_STACK
8928
    if (ret == 0) {
8929
        kem = (MlKemKey *)XMALLOC(sizeof(*kem), ssl->heap,
8930
                                  DYNAMIC_TYPE_PRIVATE_KEY);
8931
        if (kem == NULL) {
8932
            WOLFSSL_MSG("KEM memory allocation failure");
8933
            ret = MEMORY_ERROR;
8934
        }
8935
    }
8936
    #endif /* WOLFSSL_SMALL_STACK */
8937
8938
0
    if (ret == 0) {
8939
0
        ret = wc_MlKemKey_Init(kem, type, ssl->heap, ssl->devId);
8940
0
        if (ret != 0) {
8941
0
            WOLFSSL_MSG("Failed to initialize ML-KEM Key.");
8942
0
        }
8943
0
    }
8944
8945
0
    if (ret == 0) {
8946
0
        ret = wc_MlKemKey_PrivateKeySize(kem, &privSz);
8947
0
    }
8948
0
    if (ret == 0) {
8949
0
        ret = wc_MlKemKey_PublicKeySize(kem, &kse->pubKeyLen);
8950
0
    }
8951
8952
0
    if (ret == 0) {
8953
0
        privKey = (byte*)XMALLOC(privSz, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
8954
0
        if (privKey == NULL) {
8955
0
            WOLFSSL_MSG("privkey memory allocation failure");
8956
0
            ret = MEMORY_ERROR;
8957
0
        }
8958
0
    }
8959
#else
8960
    if (ret == 0) {
8961
        /* Allocate an ML-KEM key to hold private key. */
8962
        kem = (MlKemKey*)XMALLOC(sizeof(MlKemKey), ssl->heap,
8963
                                 DYNAMIC_TYPE_PRIVATE_KEY);
8964
        if (kem == NULL) {
8965
            WOLFSSL_MSG("KEM memory allocation failure");
8966
            ret = MEMORY_ERROR;
8967
        }
8968
    }
8969
    if (ret == 0) {
8970
        ret = wc_MlKemKey_Init(kem, type, ssl->heap, ssl->devId);
8971
        if (ret != 0) {
8972
            WOLFSSL_MSG("Failed to initialize ML-KEM Key.");
8973
        }
8974
    }
8975
    if (ret == 0) {
8976
        ret = wc_MlKemKey_PublicKeySize(kem, &kse->pubKeyLen);
8977
    }
8978
#endif
8979
8980
0
    if (ret == 0) {
8981
0
        kse->pubKey = (byte*)XMALLOC(kse->pubKeyLen, ssl->heap,
8982
0
                                     DYNAMIC_TYPE_PUBLIC_KEY);
8983
0
        if (kse->pubKey == NULL) {
8984
0
            WOLFSSL_MSG("pubkey memory allocation failure");
8985
0
            ret = MEMORY_ERROR;
8986
0
        }
8987
0
    }
8988
8989
0
    if (ret == 0) {
8990
0
        ret = wc_MlKemKey_MakeKey(kem, ssl->rng);
8991
0
        if (ret != 0) {
8992
0
            WOLFSSL_MSG("ML-KEM keygen failure");
8993
0
        }
8994
0
    }
8995
0
    if (ret == 0) {
8996
0
        ret = wc_MlKemKey_EncodePublicKey(kem, kse->pubKey,
8997
0
                                          kse->pubKeyLen);
8998
0
    }
8999
9000
0
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
9001
0
    if (ret == 0) {
9002
0
        PRIVATE_KEY_UNLOCK();
9003
0
        ret = wc_MlKemKey_EncodePrivateKey(kem, privKey, privSz);
9004
0
        PRIVATE_KEY_LOCK();
9005
0
    }
9006
0
#endif
9007
9008
#ifdef WOLFSSL_DEBUG_TLS
9009
    WOLFSSL_MSG("Public ML-KEM Key");
9010
    WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen );
9011
#endif
9012
9013
0
    if (ret != 0) {
9014
        /* Data owned by key share entry otherwise. */
9015
0
        wc_MlKemKey_Free(kem);
9016
0
        XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
9017
0
        kse->pubKey = NULL;
9018
0
    #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
9019
0
        if (privKey) {
9020
0
            ForceZero(privKey, privSz);
9021
0
            XFREE(privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
9022
0
            privKey = NULL;
9023
0
        }
9024
    #else
9025
        XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
9026
        kse->key = NULL;
9027
    #endif
9028
0
    }
9029
0
    else {
9030
0
    #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
9031
0
        wc_MlKemKey_Free(kem);
9032
0
        kse->privKey = (byte*)privKey;
9033
0
        kse->privKeyLen = privSz;
9034
    #else
9035
        kse->key = kem;
9036
    #endif
9037
0
    }
9038
9039
    #if !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ) && \
9040
        defined(WOLFSSL_SMALL_STACK)
9041
    XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
9042
    #endif
9043
9044
0
    return ret;
9045
0
}
9046
9047
/* Create a key share entry using both ecdhe and pqc parameters groups.
9048
 * Generates two key pairs on the client side.
9049
 *
9050
 * ssl   The SSL/TLS object.
9051
 * kse   The key share entry object.
9052
 * returns 0 on success, otherwise failure.
9053
 */
9054
static int TLSX_KeyShare_GenPqcHybridKeyClient(WOLFSSL *ssl, KeyShareEntry* kse)
9055
0
{
9056
0
    int ret = 0;
9057
0
    KeyShareEntry *ecc_kse = NULL;
9058
0
    KeyShareEntry *pqc_kse = NULL;
9059
0
    int pqc_group = 0;
9060
0
    int ecc_group = 0;
9061
0
    int pqc_first = 0;
9062
9063
    /* This gets called twice. Once during parsing of the key share and once
9064
     * during the population of the extension. No need to do work the second
9065
     * time. Just return success if its already been done. */
9066
0
    if (kse->pubKey != NULL) {
9067
0
        return ret;
9068
0
    }
9069
9070
    /* Determine the ECC and PQC group of the hybrid combination */
9071
0
    findEccPqc(&ecc_group, &pqc_group, &pqc_first, kse->group);
9072
0
    if (ecc_group == 0 || pqc_group == 0) {
9073
0
        WOLFSSL_MSG("Invalid hybrid group");
9074
0
        ret = BAD_FUNC_ARG;
9075
0
    }
9076
9077
0
    if (ret == 0) {
9078
0
        ecc_kse = (KeyShareEntry*)XMALLOC(sizeof(*ecc_kse), ssl->heap,
9079
0
                   DYNAMIC_TYPE_TLSX);
9080
0
        if (ecc_kse == NULL) {
9081
0
            WOLFSSL_MSG("kse memory allocation failure");
9082
0
            ret = MEMORY_ERROR;
9083
0
        }
9084
0
        else {
9085
0
            XMEMSET(ecc_kse, 0, sizeof(*ecc_kse));
9086
0
        }
9087
0
    }
9088
0
    if (ret == 0) {
9089
0
        pqc_kse = (KeyShareEntry*)XMALLOC(sizeof(*pqc_kse), ssl->heap,
9090
0
                   DYNAMIC_TYPE_TLSX);
9091
0
        if (pqc_kse == NULL) {
9092
0
            WOLFSSL_MSG("kse memory allocation failure");
9093
0
            ret = MEMORY_ERROR;
9094
0
        }
9095
0
        else {
9096
0
            XMEMSET(pqc_kse, 0, sizeof(*pqc_kse));
9097
0
        }
9098
0
    }
9099
9100
    /* Generate ECC key share part */
9101
0
    if (ret == 0) {
9102
0
        ecc_kse->group = ecc_group;
9103
9104
    #ifdef WOLFSSL_ASYNC_CRYPT
9105
        /* Check if the provided kse already contains an ECC key and the
9106
         * last error was WC_PENDING_E. In this case, we already tried to
9107
         * generate an ECC key. Hence, we have to restore it. */
9108
        if (kse->key != NULL && kse->keyLen > 0 &&
9109
            kse->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
9110
            ecc_kse->key = kse->key;
9111
            ecc_kse->keyLen = kse->keyLen;
9112
            ecc_kse->pubKeyLen = kse->pubKeyLen;
9113
            ecc_kse->lastRet = kse->lastRet;
9114
            kse->key = NULL;
9115
        }
9116
    #endif
9117
9118
    #ifdef HAVE_CURVE25519
9119
        if (ecc_group == WOLFSSL_ECC_X25519) {
9120
            ret = TLSX_KeyShare_GenX25519Key(ssl, ecc_kse);
9121
        }
9122
        else
9123
    #endif
9124
    #ifdef HAVE_CURVE448
9125
        if (ecc_group == WOLFSSL_ECC_X448) {
9126
            ret = TLSX_KeyShare_GenX448Key(ssl, ecc_kse);
9127
        }
9128
        else
9129
    #endif
9130
0
        {
9131
0
            ret = TLSX_KeyShare_GenEccKey(ssl, ecc_kse);
9132
0
        }
9133
9134
    #ifdef WOLFSSL_ASYNC_CRYPT
9135
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
9136
            /* Store the generated ECC key in the provided kse to later
9137
             * restore it.*/
9138
            kse->key = ecc_kse->key;
9139
            kse->keyLen = ecc_kse->keyLen;
9140
            kse->pubKeyLen = ecc_kse->pubKeyLen;
9141
            ecc_kse->key = NULL;
9142
        }
9143
    #endif
9144
0
    }
9145
9146
    /* Generate PQC key share part */
9147
0
    if (ret == 0) {
9148
0
        pqc_kse->group = pqc_group;
9149
0
        ret = TLSX_KeyShare_GenPqcKeyClient(ssl, pqc_kse);
9150
        /* No error message, TLSX_KeyShare_GenPqcKeyClient will do it. */
9151
0
    }
9152
9153
    /* Allocate memory for combined public key */
9154
0
    if (ret == 0) {
9155
0
        kse->pubKey = (byte*)XMALLOC(ecc_kse->pubKeyLen + pqc_kse->pubKeyLen,
9156
0
                                     ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
9157
0
        if (kse->pubKey == NULL) {
9158
0
            WOLFSSL_MSG("pubkey memory allocation failure");
9159
0
            ret = MEMORY_ERROR;
9160
0
        }
9161
0
    }
9162
9163
    /* Create combined public key. The order of classic/pqc key material is
9164
     * indicated by the pqc_first variable. */
9165
0
    if (ret == 0) {
9166
0
        if (pqc_first) {
9167
0
            XMEMCPY(kse->pubKey, pqc_kse->pubKey, pqc_kse->pubKeyLen);
9168
0
            XMEMCPY(kse->pubKey + pqc_kse->pubKeyLen, ecc_kse->pubKey,
9169
0
                    ecc_kse->pubKeyLen);
9170
0
        }
9171
0
        else {
9172
0
            XMEMCPY(kse->pubKey, ecc_kse->pubKey, ecc_kse->pubKeyLen);
9173
0
            XMEMCPY(kse->pubKey + ecc_kse->pubKeyLen, pqc_kse->pubKey,
9174
0
                    pqc_kse->pubKeyLen);
9175
0
        }
9176
0
        kse->pubKeyLen = ecc_kse->pubKeyLen + pqc_kse->pubKeyLen;
9177
0
    }
9178
9179
    /* Store the private keys.
9180
     * Note we are saving the PQC private key and ECC private key
9181
     * separately. That's because the ECC private key is not simply a
9182
     * buffer. Its is an ecc_key struct. */
9183
0
    if (ret == 0) {
9184
0
    #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
9185
        /* PQC private key is an encoded byte array */
9186
0
        kse->privKey = pqc_kse->privKey;
9187
0
        kse->privKeyLen = pqc_kse->privKeyLen;
9188
0
        pqc_kse->privKey = NULL;
9189
    #else
9190
        /* PQC private key is a pointer to MlKemKey object */
9191
        kse->privKey = (byte*)pqc_kse->key;
9192
        kse->privKeyLen = 0;
9193
        pqc_kse->key = NULL;
9194
    #endif
9195
        /* ECC private key is a pointer to ecc_key object */
9196
0
        kse->key = ecc_kse->key;
9197
0
        kse->keyLen = ecc_kse->keyLen;
9198
0
        ecc_kse->key = NULL;
9199
0
    }
9200
9201
#ifdef WOLFSSL_DEBUG_TLS
9202
    WOLFSSL_MSG("Public ML-KEM Key");
9203
    WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen );
9204
#endif
9205
9206
0
    TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap);
9207
0
    TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap);
9208
9209
0
    return ret;
9210
0
}
9211
#endif /* !WOLFSSL_MLKEM_NO_MAKE_KEY && !WOLFSSL_MLKEM_NO_DECAPSULATE */
9212
#endif /* WOLFSSL_HAVE_MLKEM */
9213
9214
/* Generate a secret/key using the key share entry.
9215
 *
9216
 * ssl  The SSL/TLS object.
9217
 * kse  The key share entry holding peer data.
9218
 */
9219
int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse)
9220
0
{
9221
0
    int ret;
9222
    /* Named FFDHE groups have a bit set to identify them. */
9223
0
    if (WOLFSSL_NAMED_GROUP_IS_FFDHE(kse->group))
9224
0
        ret = TLSX_KeyShare_GenDhKey(ssl, kse);
9225
0
    else if (kse->group == WOLFSSL_ECC_X25519)
9226
0
        ret = TLSX_KeyShare_GenX25519Key(ssl, kse);
9227
0
    else if (kse->group == WOLFSSL_ECC_X448)
9228
0
        ret = TLSX_KeyShare_GenX448Key(ssl, kse);
9229
0
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \
9230
0
    !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
9231
0
    else if (WOLFSSL_NAMED_GROUP_IS_PQC(kse->group))
9232
0
        ret = TLSX_KeyShare_GenPqcKeyClient(ssl, kse);
9233
0
    else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(kse->group))
9234
0
        ret = TLSX_KeyShare_GenPqcHybridKeyClient(ssl, kse);
9235
0
#endif
9236
0
    else
9237
0
        ret = TLSX_KeyShare_GenEccKey(ssl, kse);
9238
#ifdef WOLFSSL_ASYNC_CRYPT
9239
    kse->lastRet = ret;
9240
#endif
9241
0
    return ret;
9242
0
}
9243
9244
/* Free the key share dynamic data.
9245
 *
9246
 * list  The linked list of key share entry objects.
9247
 * heap  The heap used for allocation.
9248
 */
9249
static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap)
9250
0
{
9251
0
    KeyShareEntry* current;
9252
9253
0
    while ((current = list) != NULL) {
9254
0
        list = current->next;
9255
0
        if (WOLFSSL_NAMED_GROUP_IS_FFDHE(current->group)) {
9256
0
#ifndef NO_DH
9257
        #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
9258
            defined(WC_ASYNC_ENABLE_DH)
9259
            if (current->key != NULL &&
9260
                    ((DhKey*)current->key)->nb != NULL) {
9261
                XFREE(((DhKey*)current->key)->nb, heap,
9262
                    DYNAMIC_TYPE_TMP_BUFFER);
9263
                ((DhKey*)current->key)->nb = NULL;
9264
            }
9265
        #endif
9266
0
            wc_FreeDhKey((DhKey*)current->key);
9267
0
            if (current->privKey != NULL && current->privKeyLen > 0) {
9268
0
                ForceZero(current->privKey, current->privKeyLen);
9269
0
            }
9270
0
#endif
9271
0
        }
9272
0
        else if (current->group == WOLFSSL_ECC_X25519) {
9273
#ifdef HAVE_CURVE25519
9274
        #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW)
9275
            if (current->key != NULL &&
9276
                    ((curve25519_key*)current->key)->nb_ctx != NULL) {
9277
                XFREE(((curve25519_key*)current->key)->nb_ctx, heap,
9278
                    DYNAMIC_TYPE_TMP_BUFFER);
9279
            }
9280
        #endif
9281
            wc_curve25519_free((curve25519_key*)current->key);
9282
#endif
9283
0
        }
9284
0
        else if (current->group == WOLFSSL_ECC_X448) {
9285
#ifdef HAVE_CURVE448
9286
            wc_curve448_free((curve448_key*)current->key);
9287
#endif
9288
0
        }
9289
0
        else if (WOLFSSL_NAMED_GROUP_IS_PQC(current->group)) {
9290
0
#ifdef WOLFSSL_HAVE_MLKEM
9291
0
            wc_MlKemKey_Free((MlKemKey*)current->key);
9292
0
        #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
9293
0
            if (current->privKey != NULL) {
9294
0
                ForceZero(current->privKey, current->privKeyLen);
9295
0
            }
9296
0
        #endif
9297
0
#endif
9298
0
        }
9299
0
        else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(current->group)) {
9300
0
#ifdef WOLFSSL_HAVE_MLKEM
9301
0
            int ecc_group = 0;
9302
0
            findEccPqc(&ecc_group, NULL, NULL, current->group);
9303
9304
            /* Free PQC private key */
9305
        #ifdef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
9306
            wc_MlKemKey_Free((MlKemKey*)current->privKey);
9307
        #else
9308
0
            if (current->privKey != NULL) {
9309
0
                ForceZero(current->privKey, current->privKeyLen);
9310
0
            }
9311
0
        #endif
9312
9313
            /* Free ECC private key */
9314
0
            if (ecc_group == WOLFSSL_ECC_X25519) {
9315
            #ifdef HAVE_CURVE25519
9316
                wc_curve25519_free((curve25519_key*)current->key);
9317
            #endif
9318
0
            }
9319
0
            else if (ecc_group == WOLFSSL_ECC_X448) {
9320
            #ifdef HAVE_CURVE448
9321
                wc_curve448_free((curve448_key*)current->key);
9322
            #endif
9323
0
            }
9324
0
            else {
9325
0
            #ifdef HAVE_ECC
9326
                #if defined(WC_ECC_NONBLOCK) && \
9327
                    defined(WOLFSSL_ASYNC_CRYPT_SW) && \
9328
                    defined(WC_ASYNC_ENABLE_ECC)
9329
                if (current->key != NULL &&
9330
                        ((ecc_key*)current->key)->nb_ctx != NULL) {
9331
                    XFREE(((ecc_key*)current->key)->nb_ctx, heap,
9332
                        DYNAMIC_TYPE_TMP_BUFFER);
9333
                }
9334
                #endif
9335
0
                wc_ecc_free((ecc_key*)current->key);
9336
0
            #endif
9337
0
            }
9338
0
#endif
9339
0
        }
9340
0
        else {
9341
0
#ifdef HAVE_ECC
9342
        #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
9343
            defined(WC_ASYNC_ENABLE_ECC)
9344
            if (current->key != NULL &&
9345
                    ((ecc_key*)current->key)->nb_ctx != NULL) {
9346
                XFREE(((ecc_key*)current->key)->nb_ctx, heap,
9347
                    DYNAMIC_TYPE_TMP_BUFFER);
9348
            }
9349
        #endif
9350
0
            wc_ecc_free((ecc_key*)current->key);
9351
0
#endif
9352
0
        }
9353
0
        XFREE(current->key, heap, DYNAMIC_TYPE_PRIVATE_KEY);
9354
0
    #if !defined(NO_DH) || defined(WOLFSSL_HAVE_MLKEM)
9355
0
        XFREE(current->privKey, heap, DYNAMIC_TYPE_PRIVATE_KEY);
9356
0
    #endif
9357
0
        XFREE(current->pubKey, heap, DYNAMIC_TYPE_PUBLIC_KEY);
9358
0
        XFREE(current->ke, heap, DYNAMIC_TYPE_PUBLIC_KEY);
9359
0
        XFREE(current, heap, DYNAMIC_TYPE_TLSX);
9360
0
    }
9361
9362
0
    (void)heap;
9363
0
}
9364
9365
/* Get the size of the encoded key share extension.
9366
 *
9367
 * list     The linked list of key share extensions.
9368
 * msgType  The type of the message this extension is being written into.
9369
 * returns the number of bytes of the encoded key share extension.
9370
 */
9371
static word16 TLSX_KeyShare_GetSize(KeyShareEntry* list, byte msgType)
9372
0
{
9373
0
    word16         len = 0;
9374
0
    byte           isRequest = (msgType == client_hello);
9375
0
    KeyShareEntry* current;
9376
9377
    /* The named group the server wants to use. */
9378
0
    if (msgType == hello_retry_request)
9379
0
        return OPAQUE16_LEN;
9380
9381
    /* List of key exchange groups. */
9382
0
    if (isRequest)
9383
0
        len += OPAQUE16_LEN;
9384
0
    while ((current = list) != NULL) {
9385
0
        list = current->next;
9386
9387
0
        if (!isRequest && current->pubKey == NULL)
9388
0
            continue;
9389
9390
0
        len += (word16)(KE_GROUP_LEN + OPAQUE16_LEN + current->pubKeyLen);
9391
0
    }
9392
9393
0
    return len;
9394
0
}
9395
9396
/* Writes the key share extension into the output buffer.
9397
 * Assumes that the the output buffer is big enough to hold data.
9398
 *
9399
 * list     The linked list of key share entries.
9400
 * output   The buffer to write into.
9401
 * msgType  The type of the message this extension is being written into.
9402
 * returns the number of bytes written into the buffer.
9403
 */
9404
static word16 TLSX_KeyShare_Write(KeyShareEntry* list, byte* output,
9405
                                  byte msgType)
9406
0
{
9407
0
    word16         i = 0;
9408
0
    byte           isRequest = (msgType == client_hello);
9409
0
    KeyShareEntry* current;
9410
9411
0
    if (msgType == hello_retry_request) {
9412
0
        c16toa(list->group, output);
9413
0
        return OPAQUE16_LEN;
9414
0
    }
9415
9416
    /* ClientHello has a list but ServerHello is only the chosen. */
9417
0
    if (isRequest)
9418
0
        i += OPAQUE16_LEN;
9419
9420
    /* Write out all in the list. */
9421
0
    while ((current = list) != NULL) {
9422
0
        list = current->next;
9423
9424
0
        if (!isRequest && current->pubKey == NULL)
9425
0
            continue;
9426
9427
0
        c16toa(current->group, &output[i]);
9428
0
        i += KE_GROUP_LEN;
9429
0
        c16toa((word16)(current->pubKeyLen), &output[i]);
9430
0
        i += OPAQUE16_LEN;
9431
0
        XMEMCPY(&output[i], current->pubKey, current->pubKeyLen);
9432
0
        i += (word16)current->pubKeyLen;
9433
0
    }
9434
    /* Write the length of the list if required. */
9435
0
    if (isRequest)
9436
0
        c16toa(i - OPAQUE16_LEN, output);
9437
9438
0
    return i;
9439
0
}
9440
9441
/* Process the DH key share extension on the client side.
9442
 *
9443
 * ssl            The SSL/TLS object.
9444
 * keyShareEntry  The key share entry object to use to calculate shared secret.
9445
 * returns 0 on success and other values indicate failure.
9446
 */
9447
static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
9448
0
{
9449
0
    int ret = 0;
9450
0
#if !defined(NO_DH) && (!defined(NO_CERTS) || !defined(NO_PSK))
9451
0
    word32 pSz = 0;
9452
0
    DhKey* dhKey = (DhKey*)keyShareEntry->key;
9453
9454
0
#ifdef HAVE_PUBLIC_FFDHE
9455
0
    const DhParams* params = NULL;
9456
0
    switch (keyShareEntry->group) {
9457
0
    #ifdef HAVE_FFDHE_2048
9458
0
        case WOLFSSL_FFDHE_2048:
9459
0
            params = wc_Dh_ffdhe2048_Get();
9460
0
            break;
9461
0
    #endif
9462
    #ifdef HAVE_FFDHE_3072
9463
        case WOLFSSL_FFDHE_3072:
9464
            params = wc_Dh_ffdhe3072_Get();
9465
            break;
9466
    #endif
9467
    #ifdef HAVE_FFDHE_4096
9468
        case WOLFSSL_FFDHE_4096:
9469
            params = wc_Dh_ffdhe4096_Get();
9470
            break;
9471
    #endif
9472
    #ifdef HAVE_FFDHE_6144
9473
        case WOLFSSL_FFDHE_6144:
9474
            params = wc_Dh_ffdhe6144_Get();
9475
            break;
9476
    #endif
9477
    #ifdef HAVE_FFDHE_8192
9478
        case WOLFSSL_FFDHE_8192:
9479
            params = wc_Dh_ffdhe8192_Get();
9480
            break;
9481
    #endif
9482
0
        default:
9483
0
            break;
9484
0
    }
9485
0
    if (params == NULL) {
9486
0
        WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR);
9487
0
        return PEER_KEY_ERROR;
9488
0
    }
9489
0
    pSz = params->p_len;
9490
#else
9491
    ret = wc_DhGetNamedKeyParamSize(keyShareEntry->group, &pSz, NULL, NULL);
9492
    if (ret != 0 || pSz == 0) {
9493
        WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR);
9494
        return PEER_KEY_ERROR;
9495
    }
9496
#endif
9497
9498
    /* RFC 8446 Section 4.2.8.1: FFDHE key_exchange values are left-padded with
9499
     * zeros to the size of the named-group prime. Reject any peer key share
9500
     * whose byte length does not match the expected prime size. */
9501
0
    if (keyShareEntry->keLen != pSz) {
9502
0
        WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR);
9503
0
        return PEER_KEY_ERROR;
9504
0
    }
9505
9506
    /* if DhKey is not setup, do it now */
9507
0
    if (keyShareEntry->key == NULL) {
9508
0
        keyShareEntry->key = (DhKey*)XMALLOC(sizeof(DhKey), ssl->heap,
9509
0
            DYNAMIC_TYPE_DH);
9510
0
        if (keyShareEntry->key == NULL)
9511
0
            return MEMORY_E;
9512
9513
        /* Setup Key */
9514
0
        ret = wc_InitDhKey_ex((DhKey*)keyShareEntry->key, ssl->heap, ssl->devId);
9515
0
        if (ret == 0) {
9516
0
            dhKey = (DhKey*)keyShareEntry->key;
9517
        /* Set key */
9518
0
        #ifdef HAVE_PUBLIC_FFDHE
9519
0
            ret = wc_DhSetKey(dhKey, params->p, params->p_len, params->g,
9520
0
                                                                params->g_len);
9521
        #else
9522
            ret = wc_DhSetNamedKey(dhKey, keyShareEntry->group);
9523
        #endif
9524
0
        }
9525
    #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
9526
        defined(WC_ASYNC_ENABLE_DH)
9527
        /* Only set non-blocking context when async device is active. With
9528
         * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so
9529
         * skip non-blocking setup and use blocking mode instead. */
9530
        if (ret == 0 && ssl->devId != INVALID_DEVID) {
9531
            DhNb* dhNb = (DhNb*)XMALLOC(sizeof(DhNb), ssl->heap,
9532
                                        DYNAMIC_TYPE_TMP_BUFFER);
9533
            if (dhNb == NULL) {
9534
                ret = MEMORY_E;
9535
            }
9536
            else {
9537
                ret = wc_DhSetNonBlock((DhKey*)keyShareEntry->key, dhNb);
9538
                if (ret != 0) {
9539
                    XFREE(dhNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
9540
                }
9541
            }
9542
        }
9543
    #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW &&
9544
              WC_ASYNC_ENABLE_DH */
9545
0
    }
9546
9547
0
    if (ret == 0
9548
    #ifdef WOLFSSL_ASYNC_CRYPT
9549
        && keyShareEntry->lastRet == 0 /* don't enter here if WC_PENDING_E */
9550
    #endif
9551
0
    ) {
9552
    #ifdef WOLFSSL_DEBUG_TLS
9553
        WOLFSSL_MSG("Peer DH Key");
9554
        WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
9555
    #endif
9556
9557
0
        ssl->options.dhKeySz = (word16)pSz;
9558
9559
        /* Derive secret from private key and peer's public key. */
9560
0
        ret = DhAgree(ssl, dhKey,
9561
0
            (const byte*)keyShareEntry->privKey, keyShareEntry->keyLen, /* our private */
9562
0
            keyShareEntry->ke, keyShareEntry->keLen,                    /* peer's public key */
9563
0
            ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz,    /* secret */
9564
0
            NULL, 0
9565
0
        );
9566
    #ifdef WOLFSSL_ASYNC_CRYPT
9567
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
9568
            return ret;
9569
        }
9570
    #endif
9571
0
    }
9572
9573
    /* RFC 8446 Section 7.4.1:
9574
     *     ... left-padded with zeros up to the size of the prime. ...
9575
     */
9576
0
    if (ret == 0 && (word32)ssl->options.dhKeySz > ssl->arrays->preMasterSz) {
9577
0
        word32 diff = (word32)ssl->options.dhKeySz - ssl->arrays->preMasterSz;
9578
0
        XMEMMOVE(ssl->arrays->preMasterSecret + diff,
9579
0
                        ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
9580
0
        XMEMSET(ssl->arrays->preMasterSecret, 0, diff);
9581
0
        ssl->arrays->preMasterSz = ssl->options.dhKeySz;
9582
0
    }
9583
9584
    /* done with key share, release resources */
9585
0
    if (dhKey) {
9586
    #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
9587
        defined(WC_ASYNC_ENABLE_DH)
9588
        if (dhKey->nb != NULL) {
9589
            XFREE(dhKey->nb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
9590
            dhKey->nb = NULL;
9591
        }
9592
    #endif
9593
0
        wc_FreeDhKey(dhKey);
9594
0
    }
9595
0
    XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_DH);
9596
0
    keyShareEntry->key = NULL;
9597
0
    if (keyShareEntry->privKey) {
9598
0
        ForceZero(keyShareEntry->privKey, keyShareEntry->keyLen);
9599
0
        XFREE(keyShareEntry->privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
9600
0
        keyShareEntry->privKey = NULL;
9601
0
    }
9602
0
    XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
9603
0
    keyShareEntry->pubKey = NULL;
9604
0
    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
9605
0
    keyShareEntry->ke = NULL;
9606
#else
9607
    (void)ssl;
9608
    (void)keyShareEntry;
9609
    ret = PEER_KEY_ERROR;
9610
    WOLFSSL_ERROR_VERBOSE(ret);
9611
#endif
9612
0
    return ret;
9613
0
}
9614
9615
/* Process the X25519 key share extension on the client side.
9616
 *
9617
 * ssl            The SSL/TLS object.
9618
 * keyShareEntry  The key share entry object to use to calculate shared secret.
9619
 * ssOutput       The destination buffer for the shared secret.
9620
 * ssOutSz        The size of the generated shared secret.
9621
 *
9622
 * returns 0 on success and other values indicate failure.
9623
 */
9624
static int TLSX_KeyShare_ProcessX25519_ex(WOLFSSL* ssl,
9625
                                          KeyShareEntry* keyShareEntry,
9626
                                          unsigned char* ssOutput,
9627
                                          word32* ssOutSz)
9628
0
{
9629
0
    int ret = 0;
9630
9631
#ifdef HAVE_CURVE25519
9632
    curve25519_key* key = (curve25519_key*)keyShareEntry->key;
9633
9634
#ifdef WOLFSSL_ASYNC_CRYPT
9635
    if (keyShareEntry->lastRet == 0) /* don't enter here if WC_PENDING_E */
9636
#endif
9637
    {
9638
    #ifdef HAVE_ECC
9639
        if (ssl->peerEccKey != NULL) {
9640
            wc_ecc_free(ssl->peerEccKey);
9641
            ssl->peerEccKey = NULL;
9642
            ssl->peerEccKeyPresent = 0;
9643
        }
9644
    #endif
9645
9646
        ssl->peerX25519Key = (curve25519_key*)XMALLOC(sizeof(curve25519_key),
9647
                                        ssl->heap, DYNAMIC_TYPE_TLSX);
9648
        if (ssl->peerX25519Key == NULL) {
9649
            WOLFSSL_MSG("PeerX25519Key Memory error");
9650
            return MEMORY_ERROR;
9651
        }
9652
        ret = wc_curve25519_init(ssl->peerX25519Key);
9653
        if (ret != 0) {
9654
            XFREE(ssl->peerX25519Key, ssl->heap, DYNAMIC_TYPE_TLSX);
9655
            ssl->peerX25519Key = NULL;
9656
            return ret;
9657
        }
9658
    #ifdef WOLFSSL_DEBUG_TLS
9659
        WOLFSSL_MSG("Peer Curve25519 Key");
9660
        WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
9661
    #endif
9662
9663
        if (wc_curve25519_check_public(keyShareEntry->ke, keyShareEntry->keLen,
9664
                                                  EC25519_LITTLE_ENDIAN) != 0) {
9665
            ret = ECC_PEERKEY_ERROR;
9666
            WOLFSSL_ERROR_VERBOSE(ret);
9667
        }
9668
9669
        if (ret == 0) {
9670
            if (wc_curve25519_import_public_ex(keyShareEntry->ke,
9671
                                        keyShareEntry->keLen,
9672
                                        ssl->peerX25519Key,
9673
                                        EC25519_LITTLE_ENDIAN) != 0) {
9674
                ret = ECC_PEERKEY_ERROR;
9675
                WOLFSSL_ERROR_VERBOSE(ret);
9676
            }
9677
        }
9678
9679
        if (ret == 0) {
9680
            ssl->ecdhCurveOID = ECC_X25519_OID;
9681
            ssl->peerX25519KeyPresent = 1;
9682
        }
9683
    }
9684
9685
    if (ret == 0 && key == NULL)
9686
        ret = BAD_FUNC_ARG;
9687
    if (ret == 0) {
9688
    #ifdef WOLFSSL_CURVE25519_BLINDING
9689
        ret = wc_curve25519_set_rng(key, ssl->rng);
9690
    }
9691
    if (ret == 0) {
9692
    #endif
9693
    #ifdef WOLFSSL_ASYNC_CRYPT
9694
        if (keyShareEntry->lastRet != WC_NO_ERR_TRACE(WC_PENDING_E))
9695
    #endif
9696
        {
9697
        #ifdef WOLFSSL_ASYNC_CRYPT
9698
            /* initialize event */
9699
            ret = wolfSSL_AsyncInit(ssl, &key->asyncDev,
9700
                WC_ASYNC_FLAG_CALL_AGAIN);
9701
            if (ret != 0)
9702
                return ret;
9703
        #endif
9704
            ret = wc_curve25519_shared_secret_ex(key, ssl->peerX25519Key,
9705
                        ssOutput, ssOutSz, EC25519_LITTLE_ENDIAN);
9706
        #ifdef WOLFSSL_ASYNC_CRYPT
9707
            if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
9708
                return wolfSSL_AsyncPush(ssl, &key->asyncDev);
9709
            }
9710
        #endif
9711
        }
9712
        /* On CALL_AGAIN re-entry (lastRet == PENDING): the block above
9713
         * is skipped entirely, so wc_curve25519_shared_secret_ex is not
9714
         * called again. ret stays 0 from initialization, and execution
9715
         * falls through to the cleanup code below. */
9716
    }
9717
9718
    /* done with key share, release resources */
9719
    if (ssl->peerX25519Key != NULL) {
9720
        wc_curve25519_free(ssl->peerX25519Key);
9721
        XFREE(ssl->peerX25519Key, ssl->heap, DYNAMIC_TYPE_TLSX);
9722
        ssl->peerX25519Key = NULL;
9723
        ssl->peerX25519KeyPresent = 0;
9724
    }
9725
    if (keyShareEntry->key != NULL) {
9726
    #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW)
9727
        if (((curve25519_key*)keyShareEntry->key)->nb_ctx != NULL) {
9728
            XFREE(((curve25519_key*)keyShareEntry->key)->nb_ctx, ssl->heap,
9729
                DYNAMIC_TYPE_TMP_BUFFER);
9730
        }
9731
    #endif
9732
        wc_curve25519_free((curve25519_key*)keyShareEntry->key);
9733
        XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
9734
        keyShareEntry->key = NULL;
9735
    }
9736
    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
9737
    keyShareEntry->ke = NULL;
9738
#else
9739
0
    (void)ssl;
9740
0
    (void)keyShareEntry;
9741
0
    (void)ssOutput;
9742
0
    (void)ssOutSz;
9743
9744
0
    ret = PEER_KEY_ERROR;
9745
0
    WOLFSSL_ERROR_VERBOSE(ret);
9746
0
#endif /* HAVE_CURVE25519 */
9747
9748
0
    return ret;
9749
0
}
9750
9751
/* Process the X25519 key share extension on the client side.
9752
 *
9753
 * ssl            The SSL/TLS object.
9754
 * keyShareEntry  The key share entry object to use to calculate shared secret.
9755
 *
9756
 * returns 0 on success and other values indicate failure.
9757
 */
9758
static int TLSX_KeyShare_ProcessX25519(WOLFSSL* ssl,
9759
                                       KeyShareEntry* keyShareEntry)
9760
0
{
9761
0
    return TLSX_KeyShare_ProcessX25519_ex(ssl, keyShareEntry,
9762
0
                ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz);
9763
0
}
9764
9765
/* Process the X448 key share extension on the client side.
9766
 *
9767
 * ssl            The SSL/TLS object.
9768
 * keyShareEntry  The key share entry object to use to calculate shared secret.
9769
 * ssOutput       The destination buffer for the shared secret.
9770
 * ssOutSz        The size of the generated shared secret.
9771
 *
9772
 * returns 0 on success and other values indicate failure.
9773
 */
9774
static int TLSX_KeyShare_ProcessX448_ex(WOLFSSL* ssl,
9775
                                        KeyShareEntry* keyShareEntry,
9776
                                        unsigned char* ssOutput,
9777
                                        word32* ssOutSz)
9778
0
{
9779
0
    int ret;
9780
9781
#ifdef HAVE_CURVE448
9782
    curve448_key* key = (curve448_key*)keyShareEntry->key;
9783
    curve448_key* peerX448Key;
9784
9785
#ifdef HAVE_ECC
9786
    if (ssl->peerEccKey != NULL) {
9787
        wc_ecc_free(ssl->peerEccKey);
9788
        ssl->peerEccKey = NULL;
9789
        ssl->peerEccKeyPresent = 0;
9790
    }
9791
#endif
9792
9793
    peerX448Key = (curve448_key*)XMALLOC(sizeof(curve448_key), ssl->heap,
9794
                                                             DYNAMIC_TYPE_TLSX);
9795
    if (peerX448Key == NULL) {
9796
        WOLFSSL_MSG("PeerEccKey Memory error");
9797
        return MEMORY_ERROR;
9798
    }
9799
    ret = wc_curve448_init(peerX448Key);
9800
    if (ret != 0) {
9801
        XFREE(peerX448Key, ssl->heap, DYNAMIC_TYPE_TLSX);
9802
        return ret;
9803
    }
9804
#ifdef WOLFSSL_DEBUG_TLS
9805
    WOLFSSL_MSG("Peer Curve448 Key");
9806
    WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
9807
#endif
9808
9809
    if (wc_curve448_check_public(keyShareEntry->ke, keyShareEntry->keLen,
9810
                                                    EC448_LITTLE_ENDIAN) != 0) {
9811
        ret = ECC_PEERKEY_ERROR;
9812
        WOLFSSL_ERROR_VERBOSE(ret);
9813
    }
9814
9815
    if (ret == 0) {
9816
        if (wc_curve448_import_public_ex(keyShareEntry->ke,
9817
                                              keyShareEntry->keLen, peerX448Key,
9818
                                              EC448_LITTLE_ENDIAN) != 0) {
9819
            ret = ECC_PEERKEY_ERROR;
9820
            WOLFSSL_ERROR_VERBOSE(ret);
9821
        }
9822
    }
9823
9824
    if (ret == 0) {
9825
        ssl->ecdhCurveOID = ECC_X448_OID;
9826
9827
        ret = wc_curve448_shared_secret_ex(key, peerX448Key,
9828
                    ssOutput, ssOutSz, EC448_LITTLE_ENDIAN);
9829
    }
9830
9831
    wc_curve448_free(peerX448Key);
9832
    XFREE(peerX448Key, ssl->heap, DYNAMIC_TYPE_TLSX);
9833
    wc_curve448_free((curve448_key*)keyShareEntry->key);
9834
    XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
9835
    keyShareEntry->key = NULL;
9836
    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
9837
    keyShareEntry->ke = NULL;
9838
#else
9839
0
    (void)ssl;
9840
0
    (void)keyShareEntry;
9841
0
    (void)ssOutput;
9842
0
    (void)ssOutSz;
9843
9844
0
    ret = PEER_KEY_ERROR;
9845
0
    WOLFSSL_ERROR_VERBOSE(ret);
9846
0
#endif /* HAVE_CURVE448 */
9847
9848
0
    return ret;
9849
0
}
9850
9851
/* Process the X448 key share extension on the client side.
9852
 *
9853
 * ssl            The SSL/TLS object.
9854
 * keyShareEntry  The key share entry object to use to calculate shared secret.
9855
 * returns 0 on success and other values indicate failure.
9856
 */
9857
static int TLSX_KeyShare_ProcessX448(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
9858
0
{
9859
0
    return TLSX_KeyShare_ProcessX448_ex(ssl, keyShareEntry,
9860
0
                ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz);
9861
0
}
9862
9863
/* Process the ECC key share extension on the client side.
9864
 *
9865
 * ssl            The SSL/TLS object.
9866
 * keyShareEntry  The key share entry object to use to calculate shared secret.
9867
 * ssOutput       The destination buffer for the shared secret.
9868
 * ssOutSz        The size of the generated shared secret.
9869
 *
9870
 * returns 0 on success and other values indicate failure.
9871
 */
9872
static int TLSX_KeyShare_ProcessEcc_ex(WOLFSSL* ssl,
9873
                                       KeyShareEntry* keyShareEntry,
9874
                                       unsigned char* ssOutput,
9875
                                       word32* ssOutSz)
9876
0
{
9877
0
    int ret = 0;
9878
0
#ifdef HAVE_ECC
9879
0
    int curveId = ECC_CURVE_INVALID;
9880
0
    ecc_key* eccKey = (ecc_key*)keyShareEntry->key;
9881
9882
    /* find supported curve */
9883
0
    switch (keyShareEntry->group) {
9884
0
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
9885
0
        #ifndef NO_ECC_SECP
9886
0
        case WOLFSSL_ECC_SECP256R1:
9887
0
            curveId = ECC_SECP256R1;
9888
0
            break;
9889
0
        #endif /* !NO_ECC_SECP */
9890
        #ifdef WOLFSSL_SM2
9891
        case WOLFSSL_ECC_SM2P256V1:
9892
            curveId = ECC_SM2P256V1;
9893
            break;
9894
        #endif /* WOLFSSL_SM2 */
9895
        #ifdef HAVE_ECC_BRAINPOOL
9896
        case WOLFSSL_ECC_BRAINPOOLP256R1TLS13:
9897
            curveId = ECC_BRAINPOOLP256R1;
9898
            break;
9899
        #endif /* HAVE_ECC_BRAINPOOL */
9900
0
    #endif
9901
0
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
9902
0
        #ifndef NO_ECC_SECP
9903
0
        case WOLFSSL_ECC_SECP384R1:
9904
0
            curveId = ECC_SECP384R1;
9905
0
            break;
9906
0
        #endif /* !NO_ECC_SECP */
9907
        #ifdef HAVE_ECC_BRAINPOOL
9908
        case WOLFSSL_ECC_BRAINPOOLP384R1TLS13:
9909
            curveId = ECC_BRAINPOOLP384R1;
9910
            break;
9911
        #endif /* HAVE_ECC_BRAINPOOL */
9912
0
    #endif
9913
0
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
9914
        #ifdef HAVE_ECC_BRAINPOOL
9915
        case WOLFSSL_ECC_BRAINPOOLP512R1TLS13:
9916
            curveId = ECC_BRAINPOOLP512R1;
9917
            break;
9918
        #endif /* HAVE_ECC_BRAINPOOL */
9919
0
    #endif
9920
0
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
9921
0
        #ifndef NO_ECC_SECP
9922
0
        case WOLFSSL_ECC_SECP521R1:
9923
0
            curveId = ECC_SECP521R1;
9924
0
            break;
9925
0
        #endif /* !NO_ECC_SECP */
9926
0
    #endif
9927
    #if defined(HAVE_X448) && ECC_MIN_KEY_SZ <= 448
9928
        case WOLFSSL_ECC_X448:
9929
            curveId = ECC_X448;
9930
            break;
9931
    #endif
9932
0
        default:
9933
            /* unsupported curve */
9934
0
            WOLFSSL_ERROR_VERBOSE(ECC_PEERKEY_ERROR);
9935
0
            return ECC_PEERKEY_ERROR;
9936
0
    }
9937
9938
#ifdef WOLFSSL_ASYNC_CRYPT
9939
    if (keyShareEntry->lastRet == 0) /* don't enter here if WC_PENDING_E */
9940
#endif
9941
0
    {
9942
    #ifdef WOLFSSL_DEBUG_TLS
9943
        WOLFSSL_MSG("Peer ECC Key");
9944
        WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen);
9945
    #endif
9946
9947
0
        if (ssl->peerEccKey != NULL) {
9948
0
            wc_ecc_free(ssl->peerEccKey);
9949
0
            XFREE(ssl->peerEccKey, ssl->heap, DYNAMIC_TYPE_ECC);
9950
0
            ssl->peerEccKeyPresent = 0;
9951
0
        }
9952
#if defined(WOLFSSL_RENESAS_TSIP_TLS)
9953
        ret = tsip_Tls13GenSharedSecret(ssl, keyShareEntry);
9954
        if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) {
9955
            return ret;
9956
        }
9957
        ret = 0;
9958
#endif
9959
9960
0
        ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), ssl->heap,
9961
0
                                            DYNAMIC_TYPE_ECC);
9962
0
        if (ssl->peerEccKey == NULL) {
9963
0
            WOLFSSL_MSG("PeerEccKey Memory error");
9964
0
            ret = MEMORY_ERROR;
9965
0
        }
9966
9967
0
        if (ret == 0) {
9968
0
            ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, ssl->devId);
9969
0
        }
9970
9971
        /* Point is validated by import function. */
9972
0
        if (ret == 0) {
9973
0
#if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS)
9974
0
            ret = wc_ecc_import_x963_ex2(keyShareEntry->ke,
9975
0
                keyShareEntry->keLen, ssl->peerEccKey, curveId, 1);
9976
#else
9977
            /* FIPS has validation define on. */
9978
            ret = wc_ecc_import_x963_ex(keyShareEntry->ke,
9979
                keyShareEntry->keLen, ssl->peerEccKey, curveId);
9980
#endif
9981
0
            if (ret != 0) {
9982
0
                ret = ECC_PEERKEY_ERROR;
9983
0
                WOLFSSL_ERROR_VERBOSE(ret);
9984
0
            }
9985
0
        }
9986
9987
0
        if (ret == 0) {
9988
0
            ssl->ecdhCurveOID = ssl->peerEccKey->dp->oidSum;
9989
0
            ssl->peerEccKeyPresent = 1;
9990
0
        }
9991
0
    }
9992
9993
0
    if (ret == 0 && eccKey == NULL)
9994
0
        ret = BAD_FUNC_ARG;
9995
0
    if (ret == 0) {
9996
0
        ret = EccSharedSecret(ssl, eccKey, ssl->peerEccKey,
9997
0
            keyShareEntry->ke, &keyShareEntry->keLen,
9998
0
            ssOutput, ssOutSz, ssl->options.side);
9999
    #ifdef WOLFSSL_ASYNC_CRYPT
10000
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E))
10001
            return ret;
10002
    #endif
10003
0
    }
10004
10005
    /* done with key share, release resources */
10006
0
    if (ssl->peerEccKey != NULL
10007
    #ifdef HAVE_PK_CALLBACKS
10008
        && ssl->ctx->EccSharedSecretCb == NULL
10009
    #endif
10010
0
    ) {
10011
0
        wc_ecc_free(ssl->peerEccKey);
10012
0
        XFREE(ssl->peerEccKey, ssl->heap, DYNAMIC_TYPE_ECC);
10013
0
        ssl->peerEccKey = NULL;
10014
0
        ssl->peerEccKeyPresent = 0;
10015
0
    }
10016
0
    if (eccKey != NULL) {
10017
    #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \
10018
        defined(WC_ASYNC_ENABLE_ECC)
10019
        if (eccKey->nb_ctx != NULL) {
10020
            XFREE(eccKey->nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
10021
        }
10022
    #endif
10023
0
        wc_ecc_free(eccKey);
10024
0
        XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_ECC);
10025
0
        keyShareEntry->key = NULL;
10026
0
    }
10027
0
    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
10028
0
    keyShareEntry->ke = NULL;
10029
#else
10030
    (void)ssl;
10031
    (void)keyShareEntry;
10032
    (void)ssOutput;
10033
    (void)ssOutSz;
10034
10035
    ret = PEER_KEY_ERROR;
10036
    WOLFSSL_ERROR_VERBOSE(ret);
10037
#endif /* HAVE_ECC */
10038
10039
0
    return ret;
10040
0
}
10041
10042
/* Process the ECC key share extension on the client side.
10043
 *
10044
 * ssl            The SSL/TLS object.
10045
 * keyShareEntry  The key share entry object to use to calculate shared secret.
10046
 * returns 0 on success and other values indicate failure.
10047
 */
10048
static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
10049
0
{
10050
0
    return TLSX_KeyShare_ProcessEcc_ex(ssl, keyShareEntry,
10051
0
                ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz);
10052
0
}
10053
10054
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
10055
/* Process the ML-KEM key share extension on the client side.
10056
 *
10057
 * ssl            The SSL/TLS object.
10058
 * keyShareEntry  The key share entry object to use to calculate shared secret.
10059
 * ssOutput       The destination buffer for the shared secret.
10060
 * ssOutSz        The size of the generated shared secret.
10061
 *
10062
 * returns 0 on success and other values indicate failure.
10063
 */
10064
static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl,
10065
                                             KeyShareEntry* keyShareEntry,
10066
                                             unsigned char* ssOutput,
10067
                                             word32* ssOutSz)
10068
0
{
10069
0
    int       ret = 0;
10070
0
    MlKemKey* kem = (MlKemKey*)keyShareEntry->key;
10071
0
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
10072
0
    word32    privSz = 0;
10073
0
#endif
10074
0
    word32    ctSz = 0;
10075
0
    word32    ssSz = 0;
10076
10077
0
    if (ssl->options.side == WOLFSSL_SERVER_END) {
10078
        /* I am the server, the shared secret has already been generated and
10079
         * is in ssl->arrays->preMasterSecret, so nothing really to do here. */
10080
0
        return 0;
10081
0
    }
10082
10083
0
    if (keyShareEntry->ke == NULL) {
10084
0
        WOLFSSL_MSG("Invalid PQC algorithm specified.");
10085
0
        return BAD_FUNC_ARG;
10086
0
    }
10087
0
    if (ssOutSz == NULL)
10088
0
        return BAD_FUNC_ARG;
10089
10090
0
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
10091
0
    if (kem == NULL) {
10092
0
        int type = 0;
10093
10094
        /* Allocate an ML-KEM key to hold private key. */
10095
0
        kem = (MlKemKey*) XMALLOC(sizeof(MlKemKey), ssl->heap,
10096
0
                                  DYNAMIC_TYPE_PRIVATE_KEY);
10097
0
        if (kem == NULL) {
10098
0
            WOLFSSL_MSG("GenPqcKey memory error");
10099
0
            ret = MEMORY_E;
10100
0
        }
10101
0
        if (ret == 0) {
10102
0
            ret = mlkem_id2type(keyShareEntry->group, &type);
10103
0
        }
10104
0
        if (ret != 0) {
10105
0
            WOLFSSL_MSG("Invalid PQC algorithm specified.");
10106
0
            ret = BAD_FUNC_ARG;
10107
0
        }
10108
0
        if (ret == 0) {
10109
0
            ret = wc_MlKemKey_Init(kem, type, ssl->heap, ssl->devId);
10110
0
            if (ret != 0) {
10111
0
                WOLFSSL_MSG("Error creating ML-KEM key");
10112
0
            }
10113
0
        }
10114
0
    }
10115
#else
10116
    if (kem == NULL || keyShareEntry->privKeyLen != 0) {
10117
        WOLFSSL_MSG("Invalid ML-KEM key.");
10118
        ret = BAD_FUNC_ARG;
10119
    }
10120
#endif
10121
10122
0
    if (ret == 0) {
10123
0
        ret = wc_MlKemKey_SharedSecretSize(kem, &ssSz);
10124
0
    }
10125
0
    if (ret == 0) {
10126
0
        ret = wc_MlKemKey_CipherTextSize(kem, &ctSz);
10127
0
    }
10128
10129
0
#ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
10130
0
    if (ret == 0) {
10131
0
        ret = wc_MlKemKey_PrivateKeySize(kem, &privSz);
10132
0
    }
10133
0
    if (ret == 0 && privSz != keyShareEntry->privKeyLen) {
10134
0
        WOLFSSL_MSG("Invalid private key size.");
10135
0
        ret = BAD_FUNC_ARG;
10136
0
    }
10137
0
    if (ret == 0) {
10138
0
        PRIVATE_KEY_UNLOCK();
10139
0
        ret = wc_MlKemKey_DecodePrivateKey(kem, keyShareEntry->privKey, privSz);
10140
0
        PRIVATE_KEY_LOCK();
10141
0
    }
10142
0
#endif
10143
10144
0
    if (ret == 0 && keyShareEntry->keLen < ctSz) {
10145
0
        WOLFSSL_MSG("PQC key share data too short for ciphertext.");
10146
0
        ret = BUFFER_E;
10147
0
    }
10148
0
    if (ret == 0) {
10149
0
        PRIVATE_KEY_UNLOCK();
10150
0
        ret = wc_MlKemKey_Decapsulate(kem, ssOutput,
10151
0
                                      keyShareEntry->ke, ctSz);
10152
0
        PRIVATE_KEY_LOCK();
10153
0
        if (ret != 0) {
10154
0
            WOLFSSL_MSG("wc_MlKemKey decapsulation failure.");
10155
0
            ret = BAD_FUNC_ARG;
10156
0
        }
10157
0
    }
10158
0
    if (ret == 0) {
10159
0
        *ssOutSz = ssSz;
10160
0
    }
10161
10162
0
    wc_MlKemKey_Free(kem);
10163
10164
0
    XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
10165
0
    keyShareEntry->key = NULL;
10166
10167
0
    XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
10168
0
    keyShareEntry->ke = NULL;
10169
10170
0
    return ret;
10171
0
}
10172
10173
/* Process the ML-KEM key share extension on the client side.
10174
 *
10175
 * ssl            The SSL/TLS object.
10176
 * keyShareEntry  The key share entry object to use to calculate shared secret.
10177
 *
10178
 * returns 0 on success and other values indicate failure.
10179
 */
10180
static int TLSX_KeyShare_ProcessPqcClient(WOLFSSL* ssl,
10181
                                          KeyShareEntry* keyShareEntry)
10182
0
{
10183
0
    return TLSX_KeyShare_ProcessPqcClient_ex(ssl, keyShareEntry,
10184
0
                                             ssl->arrays->preMasterSecret,
10185
0
                                             &ssl->arrays->preMasterSz);
10186
0
}
10187
10188
/* Process the hybrid key share extension on the client side.
10189
 *
10190
 * ssl            The SSL/TLS object.
10191
 * keyShareEntry  The key share entry object to use to calculate shared secret.
10192
 * returns 0 on success and other values indicate failure.
10193
 */
10194
static int TLSX_KeyShare_ProcessPqcHybridClient(WOLFSSL* ssl,
10195
                                                KeyShareEntry* keyShareEntry)
10196
0
{
10197
0
    int      ret = 0;
10198
0
    int      pqc_group = 0;
10199
0
    int      ecc_group = 0;
10200
0
    int      pqc_first = 0;
10201
0
    KeyShareEntry* pqc_kse = NULL;
10202
0
    KeyShareEntry *ecc_kse = NULL;
10203
0
    word32   ctSz = 0;
10204
0
    word32   ssSzPqc = 0;
10205
10206
0
    if (ssl->options.side == WOLFSSL_SERVER_END) {
10207
        /* I am the server, the shared secret has already been generated and
10208
         * is in ssl->arrays->preMasterSecret, so nothing really to do here. */
10209
0
        return 0;
10210
0
    }
10211
10212
0
    if (keyShareEntry->ke == NULL) {
10213
0
        WOLFSSL_MSG("Invalid PQC algorithm specified.");
10214
0
        return BAD_FUNC_ARG;
10215
0
    }
10216
10217
    /* I am the client, both the PQC ciphertext and the ECHD public key are in
10218
     * keyShareEntry->ke */
10219
10220
    /* Determine the ECC and PQC group of the hybrid combination */
10221
0
    findEccPqc(&ecc_group, &pqc_group, &pqc_first, keyShareEntry->group);
10222
0
    if (ecc_group == 0 || pqc_group == 0) {
10223
0
        WOLFSSL_MSG("Invalid hybrid group");
10224
0
        ret = BAD_FUNC_ARG;
10225
0
    }
10226
10227
0
    if (ret == 0) {
10228
0
        ecc_kse = (KeyShareEntry*)XMALLOC(sizeof(*ecc_kse), ssl->heap,
10229
0
                   DYNAMIC_TYPE_TLSX);
10230
0
        if (ecc_kse == NULL) {
10231
0
            WOLFSSL_MSG("kse memory allocation failure");
10232
0
            ret = MEMORY_ERROR;
10233
0
        }
10234
0
        else {
10235
0
            XMEMSET(ecc_kse, 0, sizeof(*ecc_kse));
10236
0
        }
10237
0
    }
10238
0
    if (ret == 0) {
10239
0
        pqc_kse = (KeyShareEntry*)XMALLOC(sizeof(*pqc_kse), ssl->heap,
10240
0
                   DYNAMIC_TYPE_TLSX);
10241
0
        if (pqc_kse == NULL) {
10242
0
            WOLFSSL_MSG("kse memory allocation failure");
10243
0
            ret = MEMORY_ERROR;
10244
0
        }
10245
0
        else {
10246
0
            XMEMSET(pqc_kse, 0, sizeof(*pqc_kse));
10247
0
        }
10248
0
    }
10249
10250
    /* The ciphertext and shared secret sizes of a KEM are fixed. Hence, we
10251
     * decode these sizes to separate the KEM ciphertext from the ECDH public
10252
     * key. */
10253
0
    if (ret == 0) {
10254
0
    #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
10255
0
        int type;
10256
10257
0
        pqc_kse->privKey = keyShareEntry->privKey;
10258
10259
0
        ret = mlkem_id2type(pqc_group, &type);
10260
0
        if (ret != 0) {
10261
0
            WOLFSSL_MSG("Invalid ML-KEM algorithm specified.");
10262
0
            ret = BAD_FUNC_ARG;
10263
0
        }
10264
0
        if (ret == 0) {
10265
0
            pqc_kse->key = XMALLOC(sizeof(MlKemKey), ssl->heap,
10266
0
                                DYNAMIC_TYPE_PRIVATE_KEY);
10267
0
            if (pqc_kse->key == NULL) {
10268
0
                WOLFSSL_MSG("GenPqcKey memory error");
10269
0
                ret = MEMORY_E;
10270
0
            }
10271
0
        }
10272
0
        if (ret == 0) {
10273
0
            ret = wc_MlKemKey_Init((MlKemKey*)pqc_kse->key, type,
10274
0
                                   ssl->heap, ssl->devId);
10275
0
            if (ret != 0) {
10276
0
                WOLFSSL_MSG("Error creating ML-KEM key");
10277
0
            }
10278
0
        }
10279
    #else
10280
        pqc_kse->key = keyShareEntry->privKey;
10281
    #endif
10282
10283
0
        pqc_kse->group = pqc_group;
10284
0
        pqc_kse->privKeyLen = keyShareEntry->privKeyLen;
10285
10286
0
        if (ret == 0) {
10287
0
            ret = wc_MlKemKey_SharedSecretSize((MlKemKey*)pqc_kse->key,
10288
0
                                               &ssSzPqc);
10289
0
        }
10290
0
        if (ret == 0) {
10291
0
            ret = wc_MlKemKey_CipherTextSize((MlKemKey*)pqc_kse->key,
10292
0
                                             &ctSz);
10293
0
            if (ret == 0 && keyShareEntry->keLen <= ctSz) {
10294
0
                WOLFSSL_MSG("Invalid ciphertext size.");
10295
0
                ret = BAD_FUNC_ARG;
10296
0
            }
10297
0
        }
10298
0
        if (ret == 0) {
10299
0
            pqc_kse->keLen = ctSz;
10300
0
            pqc_kse->ke = (byte*)XMALLOC(pqc_kse->keLen, ssl->heap,
10301
0
                                         DYNAMIC_TYPE_PUBLIC_KEY);
10302
0
            if (pqc_kse->ke == NULL) {
10303
0
                WOLFSSL_MSG("pqc_kse memory allocation failure");
10304
0
                ret = MEMORY_ERROR;
10305
0
            }
10306
            /* Copy the PQC KEM ciphertext. Depending on the pqc_first flag,
10307
             * the KEM ciphertext comes before or after the ECDH public key. */
10308
0
            if (ret == 0) {
10309
0
                int offset = keyShareEntry->keLen - ctSz;
10310
10311
0
                if (pqc_first)
10312
0
                    offset = 0;
10313
10314
0
                XMEMCPY(pqc_kse->ke, keyShareEntry->ke + offset, ctSz);
10315
0
            }
10316
0
        }
10317
0
    }
10318
10319
0
    if (ret == 0) {
10320
0
        ecc_kse->group = ecc_group;
10321
0
        ecc_kse->keLen = keyShareEntry->keLen - ctSz;
10322
0
        ecc_kse->key = keyShareEntry->key;
10323
0
        ecc_kse->ke = (byte*)XMALLOC(ecc_kse->keLen, ssl->heap,
10324
0
                                        DYNAMIC_TYPE_PUBLIC_KEY);
10325
0
        if (ecc_kse->ke == NULL) {
10326
0
            WOLFSSL_MSG("ecc_kse memory allocation failure");
10327
0
            ret = MEMORY_ERROR;
10328
0
        }
10329
        /* Copy the ECDH public key. Depending on the pqc_first flag, the
10330
         * KEM ciphertext comes before or after the ECDH public key. */
10331
0
        if (ret == 0) {
10332
0
            int offset = 0;
10333
10334
0
            if (pqc_first)
10335
0
                offset = ctSz;
10336
10337
0
            XMEMCPY(ecc_kse->ke, keyShareEntry->ke + offset, ecc_kse->keLen);
10338
0
        }
10339
    #ifdef WOLFSSL_ASYNC_CRYPT
10340
        ecc_kse->lastRet = keyShareEntry->lastRet;
10341
    #endif
10342
0
    }
10343
10344
    /* Process ECDH key share part. The generated shared secret is directly
10345
     * stored in the ssl->arrays->preMasterSecret buffer. Depending on the
10346
     * pqc_first flag, the ECDH shared secret part goes before or after the
10347
     * KEM part. */
10348
0
    if (ret == 0) {
10349
0
        int offset = 0;
10350
10351
0
        if (pqc_first)
10352
0
            offset = ssSzPqc;
10353
10354
    #ifdef HAVE_CURVE25519
10355
        if (ecc_group == WOLFSSL_ECC_X25519) {
10356
            ret = TLSX_KeyShare_ProcessX25519_ex(ssl, ecc_kse,
10357
                    ssl->arrays->preMasterSecret + offset,
10358
                    &ssl->arrays->preMasterSz);
10359
        }
10360
        else
10361
    #endif
10362
    #ifdef HAVE_CURVE448
10363
        if (ecc_group == WOLFSSL_ECC_X448) {
10364
            ret = TLSX_KeyShare_ProcessX448_ex(ssl, ecc_kse,
10365
                    ssl->arrays->preMasterSecret + offset,
10366
                    &ssl->arrays->preMasterSz);
10367
        }
10368
        else
10369
    #endif
10370
0
        {
10371
0
            ret = TLSX_KeyShare_ProcessEcc_ex(ssl, ecc_kse,
10372
0
                    ssl->arrays->preMasterSecret + offset,
10373
0
                    &ssl->arrays->preMasterSz);
10374
0
        }
10375
10376
    #ifdef WOLFSSL_ASYNC_CRYPT
10377
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
10378
            keyShareEntry->lastRet = WC_PENDING_E;
10379
            /* Prevent freeing of the ECC and ML-KEM private keys */
10380
            ecc_kse->key = NULL;
10381
        #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
10382
            pqc_kse->privKey = NULL;
10383
        #else
10384
            pqc_kse->key = NULL;
10385
        #endif
10386
        }
10387
        else
10388
    #endif
10389
0
        {
10390
            /* Re-sync keyShareEntry->key with ecc_kse->key. ecc_kse->key was
10391
             * aliased to keyShareEntry->key above. The inner Process*_ex
10392
             * either ran its end-of-function cleanup and set ecc_kse->key
10393
             * to NULL (so the outer pointer must also become NULL to avoid
10394
             * UAF/double-free in TLSX_KeyShare_FreeAll), or returned early
10395
             * before cleanup with ecc_kse->key still pointing at the live
10396
             * key (so the outer pointer must keep that pointer for later
10397
             * freeing). Mirroring whatever the inner left in ecc_kse->key
10398
             * handles both cases correctly. */
10399
0
            keyShareEntry->key = ecc_kse->key;
10400
0
        }
10401
0
    }
10402
10403
0
    if (ret == 0) {
10404
0
        if ((ssl->arrays->preMasterSz + ssSzPqc) > ENCRYPT_LEN) {
10405
0
            WOLFSSL_MSG("shared secret is too long.");
10406
0
            ret = LENGTH_ERROR;
10407
0
        }
10408
0
    }
10409
10410
    /* Process PQC KEM key share part. Depending on the pqc_first flag, the
10411
     * KEM shared secret part goes before or after the ECDH part. */
10412
0
    if (ret == 0) {
10413
0
        int offset = ssl->arrays->preMasterSz;
10414
10415
0
        if (pqc_first)
10416
0
            offset = 0;
10417
10418
0
        ret = TLSX_KeyShare_ProcessPqcClient_ex(ssl, pqc_kse,
10419
0
                ssl->arrays->preMasterSecret + offset, &ssSzPqc);
10420
0
    }
10421
10422
0
    if (ret == 0) {
10423
0
        keyShareEntry->privKey = (byte*)pqc_kse->key;
10424
10425
0
        ssl->arrays->preMasterSz += ssSzPqc;
10426
0
    }
10427
0
    else
10428
#ifdef WOLFSSL_ASYNC_CRYPT
10429
        if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
10430
#endif
10431
0
    {
10432
        /* Clear the pre master secret buffer to prevent leaking any
10433
         * intermediate keys in the error case. Do not use preMasterSz
10434
         * here as it may already been set to the ECC shared secret size,
10435
         * which would be too small due to the PQC offset case. */
10436
0
        ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN);
10437
10438
        /* Prevent FreeAll from freeing pointers owned by keyShareEntry. */
10439
0
        if (ecc_kse != NULL)
10440
0
            ecc_kse->key = NULL;
10441
0
        if (pqc_kse != NULL) {
10442
0
        #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ
10443
0
            pqc_kse->privKey = NULL;
10444
        #else
10445
            pqc_kse->key = NULL;
10446
        #endif
10447
0
        }
10448
0
    }
10449
10450
0
    TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap);
10451
0
    TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap);
10452
10453
0
    return ret;
10454
0
}
10455
#endif /* WOLFSSL_HAVE_MLKEM && !WOLFSSL_MLKEM_NO_DECAPSULATE */
10456
10457
/* Process the key share extension on the client side.
10458
 *
10459
 * ssl            The SSL/TLS object.
10460
 * keyShareEntry  The key share entry object to use to calculate shared secret.
10461
 * returns 0 on success and other values indicate failure.
10462
 */
10463
static int TLSX_KeyShare_Process(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
10464
0
{
10465
0
    int ret;
10466
10467
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
10468
    keyShareEntry->session = ssl->session->namedGroup;
10469
    ssl->session->namedGroup = keyShareEntry->group;
10470
#endif
10471
    /* reset the pre master secret size */
10472
0
    if (ssl->arrays->preMasterSz == 0)
10473
0
        ssl->arrays->preMasterSz = ENCRYPT_LEN;
10474
10475
    /* Use Key Share Data from server. */
10476
0
    if (WOLFSSL_NAMED_GROUP_IS_FFDHE(keyShareEntry->group))
10477
0
        ret = TLSX_KeyShare_ProcessDh(ssl, keyShareEntry);
10478
0
    else if (keyShareEntry->group == WOLFSSL_ECC_X25519)
10479
0
        ret = TLSX_KeyShare_ProcessX25519(ssl, keyShareEntry);
10480
0
    else if (keyShareEntry->group == WOLFSSL_ECC_X448)
10481
0
        ret = TLSX_KeyShare_ProcessX448(ssl, keyShareEntry);
10482
0
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)
10483
0
    else if (WOLFSSL_NAMED_GROUP_IS_PQC(keyShareEntry->group))
10484
0
        ret = TLSX_KeyShare_ProcessPqcClient(ssl, keyShareEntry);
10485
0
    else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(keyShareEntry->group))
10486
0
        ret = TLSX_KeyShare_ProcessPqcHybridClient(ssl, keyShareEntry);
10487
0
#endif
10488
0
    else
10489
0
        ret = TLSX_KeyShare_ProcessEcc(ssl, keyShareEntry);
10490
10491
#ifdef WOLFSSL_DEBUG_TLS
10492
    if (ret == 0) {
10493
        WOLFSSL_MSG("KE Secret");
10494
        WOLFSSL_BUFFER(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
10495
    }
10496
#endif
10497
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
10498
    keyShareEntry->derived = (ret == 0);
10499
#endif
10500
#ifdef WOLFSSL_ASYNC_CRYPT
10501
    keyShareEntry->lastRet = ret;
10502
#endif
10503
10504
0
    return ret;
10505
0
}
10506
10507
/* Parse an entry of the KeyShare extension.
10508
 *
10509
 * ssl     The SSL/TLS object.
10510
 * input   The extension data.
10511
 * length  The length of the extension data.
10512
 * kse     The new key share entry object.
10513
 * returns a positive number to indicate amount of data parsed and a negative
10514
 * number on error.
10515
 */
10516
static int TLSX_KeyShareEntry_Parse(const WOLFSSL* ssl, const byte* input,
10517
            word16 length, KeyShareEntry **kse, word16* seenGroups,
10518
            int* seenGroupsCnt, TLSX** extensions)
10519
0
{
10520
0
    int    ret;
10521
0
    word16 group;
10522
0
    word16 keLen;
10523
0
    int    offset = 0;
10524
0
    byte*  ke;
10525
0
    int    i;
10526
10527
0
    if (length < OPAQUE16_LEN + OPAQUE16_LEN)
10528
0
        return BUFFER_ERROR;
10529
    /* Named group */
10530
0
    ato16(&input[offset], &group);
10531
0
    offset += OPAQUE16_LEN;
10532
    /* Key exchange data - public key. */
10533
0
    ato16(&input[offset], &keLen);
10534
0
    offset += OPAQUE16_LEN;
10535
0
    if (keLen == 0)
10536
0
        return BUFFER_ERROR;
10537
0
    if (keLen > length - offset)
10538
0
        return BUFFER_ERROR;
10539
10540
0
    if (seenGroups != NULL) {
10541
0
        if (*seenGroupsCnt >= MAX_KEYSHARE_NAMED_GROUPS) {
10542
0
            return BAD_KEY_SHARE_DATA;
10543
0
        }
10544
0
        for (i = 0; i < *seenGroupsCnt; i++) {
10545
0
            if (seenGroups[i] == group) {
10546
0
                return BAD_KEY_SHARE_DATA;
10547
0
            }
10548
0
        }
10549
0
        seenGroups[i] = group;
10550
0
        *seenGroupsCnt = i + 1;
10551
0
    }
10552
10553
    /* Store a copy in the key share object. */
10554
0
    ke = (byte*)XMALLOC(keLen, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
10555
0
    if (ke == NULL)
10556
0
        return MEMORY_E;
10557
0
    XMEMCPY(ke, &input[offset], keLen);
10558
10559
    /* Populate a key share object in the extension. */
10560
0
    ret = TLSX_KeyShare_Use(ssl, group, keLen, ke, kse, extensions);
10561
0
    if (ret != 0) {
10562
0
        XFREE(ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
10563
0
        return ret;
10564
0
    }
10565
10566
    /* Total length of the parsed data. */
10567
0
    return offset + keLen;
10568
0
}
10569
10570
/* Searches the groups sent for the specified named group.
10571
 *
10572
 * ssl    SSL/TLS object.
10573
 * name   Group name to match.
10574
 * returns 1 when the extension has the group name and 0 otherwise.
10575
 */
10576
static int TLSX_KeyShare_Find(WOLFSSL* ssl, word16 group)
10577
0
{
10578
0
    TLSX*          extension;
10579
0
    KeyShareEntry* list;
10580
10581
0
    extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
10582
0
    if (extension == NULL) {
10583
0
        extension = TLSX_Find(ssl->ctx->extensions, TLSX_KEY_SHARE);
10584
0
        if (extension == NULL)
10585
0
            return 0;
10586
0
    }
10587
10588
0
    list = (KeyShareEntry*)extension->data;
10589
0
    while (list != NULL) {
10590
0
        if (list->group == group)
10591
0
            return 1;
10592
0
        list = list->next;
10593
0
    }
10594
10595
0
    return 0;
10596
0
}
10597
10598
10599
/* Searches the supported groups extension for the specified named group.
10600
 *
10601
 * ssl   The SSL/TLS object.
10602
 * name  The group name to match.
10603
 * returns 1 when the extension has the group name and 0 otherwise.
10604
 */
10605
static int TLSX_SupportedGroups_Find(const WOLFSSL* ssl, word16 name,
10606
                                     TLSX* extensions)
10607
0
{
10608
0
#ifdef HAVE_SUPPORTED_CURVES
10609
0
    TLSX*          extension;
10610
0
    SupportedCurve* curve = NULL;
10611
10612
0
    if ((extension = TLSX_Find(extensions, TLSX_SUPPORTED_GROUPS)) == NULL) {
10613
0
        if ((extension = TLSX_Find(ssl->ctx->extensions,
10614
0
                                              TLSX_SUPPORTED_GROUPS)) == NULL) {
10615
0
            return 0;
10616
0
        }
10617
0
    }
10618
10619
0
    for (curve = (SupportedCurve*)extension->data; curve; curve = curve->next) {
10620
0
        if (curve->name == name)
10621
0
            return 1;
10622
0
    }
10623
0
#endif
10624
10625
0
    (void)ssl;
10626
0
    (void)name;
10627
10628
0
    return 0;
10629
0
}
10630
10631
int TLSX_KeyShare_Parse_ClientHello(const WOLFSSL* ssl,
10632
        const byte* input, word16 length, TLSX** extensions)
10633
0
{
10634
0
    int ret;
10635
0
    int    offset = 0;
10636
0
    word16 len;
10637
0
    TLSX*  extension;
10638
0
    word16 seenGroups[MAX_KEYSHARE_NAMED_GROUPS];
10639
0
    int    seenGroupsCnt = 0;
10640
10641
    /* Add a KeyShare extension if it doesn't exist even if peer sent no
10642
     * entries. The presence of this extension signals that the peer can be
10643
     * negotiated with. */
10644
0
    extension = TLSX_Find(*extensions, TLSX_KEY_SHARE);
10645
0
    if (extension == NULL) {
10646
        /* Push new KeyShare extension. */
10647
0
        ret = TLSX_Push(extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
10648
0
        if (ret != 0)
10649
0
            return ret;
10650
0
    }
10651
10652
0
    if (length < OPAQUE16_LEN)
10653
0
        return BUFFER_ERROR;
10654
10655
    /* ClientHello contains zero or more key share entries. Limits extension
10656
     * length to 2^16-1 and subtracting 4 bytes for header size per RFC 8446 */
10657
0
    ato16(input, &len);
10658
0
    if ((len != length - OPAQUE16_LEN) ||
10659
0
         length > (MAX_EXT_DATA_LEN - HELLO_EXT_SZ)) {
10660
0
        return BUFFER_ERROR;
10661
0
    }
10662
0
    offset += OPAQUE16_LEN;
10663
10664
0
    while (offset < (int)length) {
10665
0
        ret = TLSX_KeyShareEntry_Parse(ssl, &input[offset],
10666
0
                length - (word16)offset, NULL, seenGroups, &seenGroupsCnt,
10667
0
                extensions);
10668
0
        if (ret < 0)
10669
0
            return ret;
10670
10671
0
        offset += ret;
10672
0
    }
10673
10674
0
    return 0;
10675
0
}
10676
10677
/* Parse the KeyShare extension.
10678
 * Different formats in different messages.
10679
 *
10680
 * ssl      The SSL/TLS object.
10681
 * input    The extension data.
10682
 * length   The length of the extension data.
10683
 * msgType  The type of the message this extension is being parsed from.
10684
 * returns 0 on success and other values indicate failure.
10685
 */
10686
int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length,
10687
                               byte msgType)
10688
0
{
10689
0
    int ret = 0;
10690
0
    KeyShareEntry *keyShareEntry = NULL;
10691
0
    word16 group;
10692
10693
0
    if (msgType == client_hello) {
10694
0
        ret = TLSX_KeyShare_Parse_ClientHello(ssl, input, length,
10695
0
                                              &ssl->extensions);
10696
0
    }
10697
0
    else if (msgType == server_hello) {
10698
0
        int len;
10699
10700
0
        if (length < OPAQUE16_LEN)
10701
0
            return BUFFER_ERROR;
10702
10703
0
        ssl->options.shSentKeyShare = 1;
10704
10705
        /* The data is the named group the server wants to use. */
10706
0
        ato16(input, &group);
10707
10708
        /* Check the selected group was supported by ClientHello extensions. */
10709
0
        if (!TLSX_SupportedGroups_Find(ssl, group, ssl->extensions)) {
10710
0
            WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
10711
0
            return BAD_KEY_SHARE_DATA;
10712
0
        }
10713
10714
        /* Check if the group was sent. */
10715
0
        if (!TLSX_KeyShare_Find(ssl, group)) {
10716
0
            WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
10717
0
            return BAD_KEY_SHARE_DATA;
10718
0
        }
10719
10720
        /* ServerHello contains one key share entry. */
10721
0
        len = TLSX_KeyShareEntry_Parse(ssl, input, length, &keyShareEntry, NULL,
10722
0
                NULL, &ssl->extensions);
10723
0
        if (len != (int)length)
10724
0
            return BUFFER_ERROR;
10725
10726
        /* Not in list sent if there isn't a private key. */
10727
0
        if (keyShareEntry == NULL || (keyShareEntry->key == NULL
10728
0
        #if !defined(NO_DH) || defined(WOLFSSL_HAVE_MLKEM)
10729
0
            && keyShareEntry->privKey == NULL
10730
0
        #endif
10731
0
        )) {
10732
0
            WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
10733
0
            return BAD_KEY_SHARE_DATA;
10734
0
        }
10735
10736
        /* Process the entry to calculate the secret. */
10737
0
        ret = TLSX_KeyShare_Process(ssl, keyShareEntry);
10738
0
        if (ret == 0)
10739
0
            ssl->session->namedGroup = ssl->namedGroup = group;
10740
0
    }
10741
0
    else if (msgType == hello_retry_request) {
10742
0
        if (length != OPAQUE16_LEN)
10743
0
            return BUFFER_ERROR;
10744
10745
0
        ssl->options.hrrSentKeyShare = 1;
10746
10747
        /* The data is the named group the server wants to use. */
10748
0
        ato16(input, &group);
10749
10750
    #ifdef WOLFSSL_ASYNC_CRYPT
10751
        /* only perform find and clear TLSX if not returning from async */
10752
        if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E))
10753
    #endif
10754
0
        {
10755
            /* Check the selected group was supported by ClientHello extensions.
10756
             */
10757
0
            if (!TLSX_SupportedGroups_Find(ssl, group, ssl->extensions)) {
10758
0
                WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
10759
0
                return BAD_KEY_SHARE_DATA;
10760
0
            }
10761
10762
            /* Make sure KeyShare for server requested group was not sent in
10763
             * ClientHello. */
10764
0
            if (TLSX_KeyShare_Find(ssl, group)) {
10765
0
                WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
10766
0
                return BAD_KEY_SHARE_DATA;
10767
0
            }
10768
10769
            /* Clear out unusable key shares. */
10770
0
            ret = TLSX_KeyShare_Empty(ssl);
10771
0
            if (ret != 0)
10772
0
                return ret;
10773
0
        }
10774
10775
0
        ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL, &ssl->extensions);
10776
0
        if (ret == 0)
10777
0
            ssl->session->namedGroup = ssl->namedGroup = group;
10778
0
    }
10779
0
    else {
10780
        /* Not a message type that is allowed to have this extension. */
10781
0
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
10782
0
        return SANITY_MSG_E;
10783
0
    }
10784
10785
0
    return ret;
10786
0
}
10787
10788
/* Create a new key share entry and put it into the list.
10789
 *
10790
 * list           The linked list of key share entries.
10791
 * group          The named group.
10792
 * heap           The memory to allocate with.
10793
 * keyShareEntry  The new key share entry object.
10794
 * returns 0 on success and other values indicate failure.
10795
 */
10796
static int TLSX_KeyShare_New(KeyShareEntry** list, int group, void *heap,
10797
                             KeyShareEntry** keyShareEntry)
10798
0
{
10799
0
    KeyShareEntry* kse;
10800
0
    KeyShareEntry** next;
10801
10802
0
    kse = (KeyShareEntry*)XMALLOC(sizeof(KeyShareEntry), heap,
10803
0
                                  DYNAMIC_TYPE_TLSX);
10804
0
    if (kse == NULL)
10805
0
        return MEMORY_E;
10806
10807
0
    XMEMSET(kse, 0, sizeof(*kse));
10808
0
    kse->group = (word16)group;
10809
10810
    /* Add it to the back and maintain the links. */
10811
0
    while (*list != NULL) {
10812
        /* Assign to temporary to work around compiler bug found by customer. */
10813
0
        next = &((*list)->next);
10814
0
        list = next;
10815
0
    }
10816
0
    *list = kse;
10817
0
    *keyShareEntry = kse;
10818
10819
0
    (void)heap;
10820
10821
0
    return 0;
10822
0
}
10823
10824
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
10825
/* Process the ML-KEM key share extension on the server side.
10826
 *
10827
 * ssl            The SSL/TLS object.
10828
 * keyShareEntry  The key share entry object to be sent to the client.
10829
 * data           The key share data received from the client.
10830
 * len            The length of the key share data from the client.
10831
 * ssOutput       The destination buffer for the shared secret.
10832
 * ssOutSz        The size of the generated shared secret.
10833
 *
10834
 * returns 0 on success and other values indicate failure.
10835
 */
10836
static int TLSX_KeyShare_HandlePqcKeyServer(WOLFSSL* ssl,
10837
    KeyShareEntry* keyShareEntry, byte* clientData, word16 clientLen,
10838
    unsigned char* ssOutput, word32* ssOutSz)
10839
0
{
10840
    /* We are on the server side. The key share contains a PQC KEM public key
10841
     * that we are using for an encapsulate operation. The resulting ciphertext
10842
     * is stored in the server key share. */
10843
0
    MlKemKey* kemKey = (MlKemKey*)keyShareEntry->key;
10844
0
    byte* ciphertext = NULL;
10845
0
    int ret = 0;
10846
0
    word32 pubSz = 0;
10847
0
    word32 ctSz = 0;
10848
0
    word32 ssSz = 0;
10849
10850
0
    if (clientData == NULL) {
10851
0
        WOLFSSL_MSG("No KEM public key from the client.");
10852
0
        return BAD_FUNC_ARG;
10853
0
    }
10854
10855
0
    if (kemKey == NULL) {
10856
0
        int type = 0;
10857
10858
        /* Allocate an ML-KEM key to hold private key. */
10859
0
        kemKey = (MlKemKey*) XMALLOC(sizeof(MlKemKey), ssl->heap,
10860
0
                                     DYNAMIC_TYPE_PRIVATE_KEY);
10861
0
        if (kemKey == NULL) {
10862
0
            WOLFSSL_MSG("GenPqcKey memory error");
10863
0
            ret = MEMORY_E;
10864
0
        }
10865
0
        if (ret == 0) {
10866
0
            ret = mlkem_id2type(keyShareEntry->group, &type);
10867
0
        }
10868
0
        if (ret != 0) {
10869
0
            WOLFSSL_MSG("Invalid PQC algorithm specified.");
10870
0
            ret = BAD_FUNC_ARG;
10871
0
        }
10872
0
        if (ret == 0) {
10873
0
            ret = wc_MlKemKey_Init(kemKey, type, ssl->heap, ssl->devId);
10874
0
            if (ret != 0) {
10875
0
                WOLFSSL_MSG("Error creating ML-KEM key");
10876
0
            }
10877
0
        }
10878
0
    }
10879
10880
0
    if (ret == 0) {
10881
0
        ret = wc_MlKemKey_PublicKeySize(kemKey, &pubSz);
10882
0
    }
10883
0
    if (ret == 0) {
10884
0
        ret = wc_MlKemKey_CipherTextSize(kemKey, &ctSz);
10885
0
    }
10886
0
    if (ret == 0) {
10887
0
        ret = wc_MlKemKey_SharedSecretSize(kemKey, &ssSz);
10888
0
    }
10889
10890
0
    if (ret == 0 && clientLen != pubSz) {
10891
0
        WOLFSSL_MSG("Invalid public key.");
10892
0
        ret = BAD_FUNC_ARG;
10893
0
    }
10894
10895
0
    if (ret == 0) {
10896
0
        ciphertext = (byte*)XMALLOC(ctSz, ssl->heap, DYNAMIC_TYPE_TLSX);
10897
10898
0
        if (ciphertext == NULL) {
10899
0
            WOLFSSL_MSG("Ciphertext memory allocation failure.");
10900
0
            ret = MEMORY_E;
10901
0
        }
10902
0
    }
10903
10904
0
    if (ret == 0) {
10905
0
        ret = wc_MlKemKey_DecodePublicKey(kemKey, clientData, pubSz);
10906
0
    }
10907
0
    if (ret == 0) {
10908
0
        ret = wc_MlKemKey_Encapsulate(kemKey, ciphertext,
10909
0
                                      ssOutput, ssl->rng);
10910
0
        if (ret != 0) {
10911
0
            WOLFSSL_MSG("wc_MlKemKey encapsulation failure.");
10912
0
        }
10913
0
    }
10914
10915
0
    if (ret == 0) {
10916
0
        XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
10917
10918
0
        *ssOutSz = ssSz;
10919
0
        keyShareEntry->ke = NULL;
10920
0
        keyShareEntry->keLen = 0;
10921
10922
0
        XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
10923
0
        keyShareEntry->pubKey = ciphertext;
10924
0
        keyShareEntry->pubKeyLen = ctSz;
10925
0
        ciphertext = NULL;
10926
10927
        /* Set namedGroup so wolfSSL_get_curve_name() can function properly on
10928
         * the server side. */
10929
0
        ssl->namedGroup = keyShareEntry->group;
10930
0
    }
10931
10932
0
    XFREE(ciphertext, ssl->heap, DYNAMIC_TYPE_TLSX);
10933
10934
0
    wc_MlKemKey_Free(kemKey);
10935
0
    XFREE(kemKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
10936
0
    keyShareEntry->key = NULL;
10937
0
    return ret;
10938
0
}
10939
10940
int TLSX_KeyShare_HandlePqcHybridKeyServer(WOLFSSL* ssl,
10941
    KeyShareEntry* keyShareEntry, byte* data, word16 len)
10942
0
{
10943
    /* I am the server. The data parameter is the concatenation of the client's
10944
     * ECDH public key and the KEM public key. I need to generate a matching
10945
     * public key for ECDH and encapsulate a shared secret using the KEM public
10946
     * key. We send the ECDH public key and the KEM ciphertext back to the
10947
     * client. Additionally, we create the ECDH shared secret here already.
10948
     */
10949
0
    int    type;
10950
0
    byte*  ciphertext = NULL;
10951
0
    int    ret = 0;
10952
0
    int    pqc_group = 0;
10953
0
    int    ecc_group = 0;
10954
0
    int    pqc_first = 0;
10955
0
    KeyShareEntry *ecc_kse = NULL;
10956
0
    KeyShareEntry *pqc_kse = NULL;
10957
0
    word32 pubSz = 0;
10958
0
    word32 ctSz = 0;
10959
0
    word32 ssSzPqc = 0;
10960
10961
0
    if (data == NULL) {
10962
0
        WOLFSSL_MSG("No hybrid key share data from the client.");
10963
0
        return BAD_FUNC_ARG;
10964
0
    }
10965
10966
    /* Determine the ECC and PQC group of the hybrid combination */
10967
0
    findEccPqc(&ecc_group, &pqc_group, &pqc_first, keyShareEntry->group);
10968
0
    if (ecc_group == 0 || pqc_group == 0) {
10969
0
        WOLFSSL_MSG("Invalid hybrid group");
10970
0
        ret = BAD_FUNC_ARG;
10971
0
    }
10972
10973
0
    if (ret == 0) {
10974
0
        ecc_kse = (KeyShareEntry*)XMALLOC(sizeof(*ecc_kse), ssl->heap,
10975
0
                   DYNAMIC_TYPE_TLSX);
10976
0
        if (ecc_kse == NULL) {
10977
0
            WOLFSSL_MSG("kse memory allocation failure");
10978
0
            ret = MEMORY_ERROR;
10979
0
        }
10980
0
    }
10981
0
    if (ret == 0) {
10982
0
        XMEMSET(ecc_kse, 0, sizeof(*ecc_kse));
10983
0
        ecc_kse->group = ecc_group;
10984
10985
0
        pqc_kse = (KeyShareEntry*)XMALLOC(sizeof(*pqc_kse), ssl->heap,
10986
0
                   DYNAMIC_TYPE_TLSX);
10987
0
        if (pqc_kse == NULL) {
10988
0
            WOLFSSL_MSG("kse memory allocation failure");
10989
0
            ret = MEMORY_ERROR;
10990
0
        }
10991
0
    }
10992
0
    if (ret == 0) {
10993
0
        XMEMSET(pqc_kse, 0, sizeof(*pqc_kse));
10994
0
        pqc_kse->group = pqc_group;
10995
0
    }
10996
10997
    /* The ciphertext and shared secret sizes of a KEM are fixed. Hence, we
10998
     * decode these sizes to properly concatenate the KEM ciphertext with the
10999
     * ECDH public key. */
11000
0
    if (ret == 0) {
11001
        /* Allocate an ML-KEM key to hold private key. */
11002
0
        pqc_kse->key = (MlKemKey*) XMALLOC(sizeof(MlKemKey), ssl->heap,
11003
0
                                           DYNAMIC_TYPE_PRIVATE_KEY);
11004
0
        if (pqc_kse->key == NULL) {
11005
0
            WOLFSSL_MSG("GenPqcKey memory error");
11006
0
            ret = MEMORY_E;
11007
0
        }
11008
0
        if (ret == 0) {
11009
0
            ret = mlkem_id2type(pqc_kse->group, &type);
11010
0
        }
11011
0
        if (ret != 0) {
11012
0
            WOLFSSL_MSG("Invalid PQC algorithm specified.");
11013
0
            ret = BAD_FUNC_ARG;
11014
0
        }
11015
0
        if (ret == 0) {
11016
0
            ret = wc_MlKemKey_Init((MlKemKey*)pqc_kse->key, type,
11017
0
                                   ssl->heap, ssl->devId);
11018
0
            if (ret != 0) {
11019
0
                WOLFSSL_MSG("Error creating ML-KEM key");
11020
0
            }
11021
0
        }
11022
0
        if (ret == 0) {
11023
0
            ret = wc_MlKemKey_SharedSecretSize((MlKemKey*)pqc_kse->key,
11024
0
                                               &ssSzPqc);
11025
0
        }
11026
0
        if (ret == 0) {
11027
0
            ret = wc_MlKemKey_CipherTextSize((MlKemKey*)pqc_kse->key,
11028
0
                                             &ctSz);
11029
0
        }
11030
0
        if (ret == 0) {
11031
0
            ret = wc_MlKemKey_PublicKeySize((MlKemKey*)pqc_kse->key,
11032
0
                                            &pubSz);
11033
0
        }
11034
0
    }
11035
11036
#ifdef WOLFSSL_ASYNC_CRYPT
11037
    if (ret == 0) {
11038
        /* Restore ECC state from a prior suspended pass. This is not gated on
11039
         * a still-pending lastRet: the async layer clears lastRet to 0 on
11040
         * completion, which would skip the restore and regenerate the key. */
11041
        if (keyShareEntry->key != NULL && keyShareEntry->keyLen > 0) {
11042
            ecc_kse->key = keyShareEntry->key;
11043
            ecc_kse->keyLen = keyShareEntry->keyLen;
11044
            ecc_kse->pubKey = keyShareEntry->pubKey;
11045
            ecc_kse->pubKeyLen = keyShareEntry->pubKeyLen;
11046
            ecc_kse->lastRet = keyShareEntry->lastRet;
11047
            keyShareEntry->key = NULL;
11048
            keyShareEntry->pubKey = NULL;
11049
        }
11050
    }
11051
#endif
11052
11053
    /* Generate the ECDH key share part to be sent to the client */
11054
0
    if (ret == 0 && ecc_group != 0 && ecc_kse->pubKey == NULL) {
11055
    #ifdef HAVE_CURVE25519
11056
        if (ecc_group == WOLFSSL_ECC_X25519) {
11057
            ret = TLSX_KeyShare_GenX25519Key(ssl, ecc_kse);
11058
        }
11059
        else
11060
    #endif
11061
    #ifdef HAVE_CURVE448
11062
        if (ecc_group == WOLFSSL_ECC_X448) {
11063
            ret = TLSX_KeyShare_GenX448Key(ssl, ecc_kse);
11064
        }
11065
        else
11066
    #endif
11067
0
        {
11068
0
            ret = TLSX_KeyShare_GenEccKey(ssl, ecc_kse);
11069
0
        }
11070
    #ifdef WOLFSSL_ASYNC_CRYPT
11071
        if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
11072
            /* Store the generated ECC key in the provided kse to later
11073
             * restore it.*/
11074
            keyShareEntry->key = ecc_kse->key;
11075
            keyShareEntry->keyLen = ecc_kse->keyLen;
11076
            keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen;
11077
            keyShareEntry->lastRet = WC_PENDING_E;
11078
            ecc_kse->key = NULL;
11079
        }
11080
        else if (ret == 0 &&
11081
                 keyShareEntry->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
11082
            keyShareEntry->lastRet = 0;
11083
            ecc_kse->lastRet = 0;
11084
        }
11085
    #endif
11086
0
    }
11087
11088
0
    if (ret == 0 && len != pubSz + ecc_kse->pubKeyLen) {
11089
0
        WOLFSSL_MSG("Invalid public key.");
11090
0
        ret = BAD_FUNC_ARG;
11091
0
    }
11092
11093
    /* Allocate buffer for the concatenated client key share data
11094
     * (PQC KEM ciphertext + ECDH public key) */
11095
0
    if (ret == 0) {
11096
0
        ciphertext = (byte*)XMALLOC(ecc_kse->pubKeyLen + ctSz, ssl->heap,
11097
0
            DYNAMIC_TYPE_TLSX);
11098
11099
0
        if (ciphertext == NULL) {
11100
0
            WOLFSSL_MSG("Ciphertext memory allocation failure.");
11101
0
            ret = MEMORY_E;
11102
0
        }
11103
0
    }
11104
11105
    /* Process ECDH key share part. The generated shared secret is directly
11106
     * stored in the ssl->arrays->preMasterSecret buffer. Depending on the
11107
     * pqc_first flag, the ECDH shared secret part goes before or after the
11108
     * KEM part. */
11109
0
    if (ret == 0) {
11110
0
        ecc_kse->keLen = len - pubSz;
11111
0
        ecc_kse->ke = (byte*)XMALLOC(ecc_kse->keLen, ssl->heap,
11112
0
                                     DYNAMIC_TYPE_PUBLIC_KEY);
11113
0
        if (ecc_kse->ke == NULL) {
11114
0
            WOLFSSL_MSG("ecc_kse memory allocation failure");
11115
0
            ret = MEMORY_ERROR;
11116
0
        }
11117
0
        if (ret == 0) {
11118
0
            int pubOffset = 0;
11119
0
            int ssOffset = 0;
11120
11121
0
            if (pqc_first) {
11122
0
                pubOffset = pubSz;
11123
0
                ssOffset = ssSzPqc;
11124
0
            }
11125
11126
0
            XMEMCPY(ecc_kse->ke, data + pubOffset, ecc_kse->keLen);
11127
11128
        #ifdef HAVE_CURVE25519
11129
            if (ecc_group == WOLFSSL_ECC_X25519) {
11130
                ret = TLSX_KeyShare_ProcessX25519_ex(ssl, ecc_kse,
11131
                        ssl->arrays->preMasterSecret + ssOffset,
11132
                        &ssl->arrays->preMasterSz);
11133
            }
11134
            else
11135
        #endif
11136
        #ifdef HAVE_CURVE448
11137
            if (ecc_group == WOLFSSL_ECC_X448) {
11138
                ret = TLSX_KeyShare_ProcessX448_ex(ssl, ecc_kse,
11139
                        ssl->arrays->preMasterSecret + ssOffset,
11140
                        &ssl->arrays->preMasterSz);
11141
            }
11142
            else
11143
        #endif
11144
0
            {
11145
0
                ret = TLSX_KeyShare_ProcessEcc_ex(ssl, ecc_kse,
11146
0
                        ssl->arrays->preMasterSecret + ssOffset,
11147
0
                        &ssl->arrays->preMasterSz);
11148
0
            }
11149
0
        }
11150
0
        if (ret == 0) {
11151
0
            if (ssl->arrays->preMasterSz != ecc_kse->keyLen) {
11152
0
                WOLFSSL_MSG("Data length mismatch.");
11153
0
                ret = BAD_FUNC_ARG;
11154
0
            }
11155
0
        }
11156
    #ifdef WOLFSSL_ASYNC_CRYPT
11157
        else if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) {
11158
            keyShareEntry->lastRet = WC_PENDING_E;
11159
            keyShareEntry->key = ecc_kse->key;
11160
            keyShareEntry->keyLen = ecc_kse->keyLen;
11161
            keyShareEntry->pubKey = ecc_kse->pubKey;
11162
            keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen;
11163
            ecc_kse->key = NULL;
11164
            ecc_kse->pubKey = NULL;
11165
        }
11166
    #endif
11167
0
    }
11168
11169
0
    if (ret == 0 && ssl->arrays->preMasterSz + ssSzPqc > ENCRYPT_LEN) {
11170
0
        WOLFSSL_MSG("shared secret is too long.");
11171
0
        ret = LENGTH_ERROR;
11172
0
    }
11173
11174
    /* Process PQC KEM key share part. Depending on the pqc_first flag, the
11175
     * KEM shared secret part goes before or after the ECDH part. */
11176
0
    if (ret == 0) {
11177
0
        int input_offset = ecc_kse->keLen;
11178
0
        int output_offset = ssl->arrays->preMasterSz;
11179
11180
0
        if (pqc_first) {
11181
0
            input_offset = 0;
11182
0
            output_offset = 0;
11183
0
        }
11184
11185
0
        ret = TLSX_KeyShare_HandlePqcKeyServer(ssl, pqc_kse,
11186
0
                data + input_offset, pubSz,
11187
0
                ssl->arrays->preMasterSecret + output_offset, &ssSzPqc);
11188
0
    }
11189
11190
0
    if (ret == 0) {
11191
0
        XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
11192
11193
0
        ssl->arrays->preMasterSz += ssSzPqc;
11194
0
        keyShareEntry->ke = NULL;
11195
0
        keyShareEntry->keLen = 0;
11196
    #ifdef WOLFSSL_ASYNC_CRYPT
11197
        /* Hybrid encapsulation is fully complete here. Clear the pending
11198
         * state so the TLS_ASYNC_VERIFY re-drive is skipped and does not
11199
         * re-enter this handler with the now-freed ke. */
11200
        keyShareEntry->lastRet = 0;
11201
    #endif
11202
11203
        /* Concatenate the ECDH public key and the PQC KEM ciphertext. Based on
11204
         * the pqc_first flag, the ECDH public key goes before or after the KEM
11205
         * ciphertext. */
11206
0
        if (pqc_first) {
11207
0
            XMEMCPY(ciphertext, pqc_kse->pubKey, ctSz);
11208
0
            XMEMCPY(ciphertext + ctSz, ecc_kse->pubKey, ecc_kse->pubKeyLen);
11209
0
        }
11210
0
        else {
11211
0
            XMEMCPY(ciphertext, ecc_kse->pubKey, ecc_kse->pubKeyLen);
11212
0
            XMEMCPY(ciphertext + ecc_kse->pubKeyLen, pqc_kse->pubKey, ctSz);
11213
0
        }
11214
11215
0
        XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
11216
0
        keyShareEntry->pubKey = ciphertext;
11217
0
        keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen + ctSz;
11218
0
        ciphertext = NULL;
11219
11220
        /* Set namedGroup so wolfSSL_get_curve_name() can function properly on
11221
         * the server side. */
11222
0
        ssl->namedGroup = keyShareEntry->group;
11223
0
    }
11224
0
    else
11225
#ifdef WOLFSSL_ASYNC_CRYPT
11226
        if (ret != WC_NO_ERR_TRACE(WC_PENDING_E))
11227
#endif
11228
0
    {
11229
        /* Clear the pre master secret buffer to prevent leaking any
11230
         * intermediate keys in the error case. Do not use preMasterSz
11231
         * here as it may already been set to the ECC shared secret size,
11232
         * which would be too small due to the PQC offset case. */
11233
0
        ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN);
11234
0
    }
11235
11236
0
    TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap);
11237
0
    TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap);
11238
0
    XFREE(ciphertext, ssl->heap, DYNAMIC_TYPE_TLSX);
11239
0
    return ret;
11240
0
}
11241
#endif /* WOLFSSL_HAVE_MLKEM && !WOLFSSL_MLKEM_NO_ENCAPSULATE */
11242
11243
/* Use the data to create a new key share object in the extensions.
11244
 *
11245
 * ssl    The SSL/TLS object.
11246
 * group  The named group.
11247
 * len    The length of the public key data.
11248
 * data   The public key data.
11249
 * kse    The new key share entry object.
11250
 * returns 0 on success and other values indicate failure.
11251
 */
11252
int TLSX_KeyShare_Use(const WOLFSSL* ssl, word16 group, word16 len, byte* data,
11253
                      KeyShareEntry **kse, TLSX** extensions)
11254
0
{
11255
0
    int            ret = 0;
11256
0
    TLSX*          extension;
11257
0
    KeyShareEntry* keyShareEntry = NULL;
11258
11259
    /* Find the KeyShare extension if it exists. */
11260
0
    extension = TLSX_Find(*extensions, TLSX_KEY_SHARE);
11261
0
    if (extension == NULL) {
11262
        /* Push new KeyShare extension. */
11263
0
        ret = TLSX_Push(extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
11264
0
        if (ret != 0)
11265
0
            return ret;
11266
11267
0
        extension = TLSX_Find(*extensions, TLSX_KEY_SHARE);
11268
0
        if (extension == NULL)
11269
0
            return MEMORY_E;
11270
0
    }
11271
0
    extension->resp = 0;
11272
11273
    /* Try to find the key share entry with this group. */
11274
0
    keyShareEntry = (KeyShareEntry*)extension->data;
11275
0
    while (keyShareEntry != NULL) {
11276
    #if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \
11277
                                             defined (WOLFSSL_EXTRA_PQC_HYBRIDS)
11278
        if ((group == WOLFSSL_P256_ML_KEM_512_OLD &&
11279
                keyShareEntry->group == WOLFSSL_SECP256R1MLKEM512) ||
11280
            (group == WOLFSSL_P384_ML_KEM_768_OLD &&
11281
                keyShareEntry->group == WOLFSSL_SECP384R1MLKEM768) ||
11282
            (group == WOLFSSL_P521_ML_KEM_1024_OLD &&
11283
                keyShareEntry->group == WOLFSSL_SECP521R1MLKEM1024)) {
11284
            keyShareEntry->group = group;
11285
            break;
11286
        }
11287
        else
11288
    #endif /* WOLFSSL_ML_KEM_USE_OLD_IDS && WOLFSSL_EXTRA_PQC_HYBRIDS */
11289
0
        if (keyShareEntry->group == group)
11290
0
            break;
11291
0
        keyShareEntry = keyShareEntry->next;
11292
0
    }
11293
11294
    /* Create a new key share entry if not found. */
11295
0
    if (keyShareEntry == NULL) {
11296
0
        ret = TLSX_KeyShare_New((KeyShareEntry**)&extension->data, group,
11297
0
                                ssl->heap, &keyShareEntry);
11298
0
        if (ret != 0)
11299
0
            return ret;
11300
0
    }
11301
11302
0
    if (data != NULL) {
11303
        /* Store the peer data in the key share object. */
11304
0
        XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
11305
0
        keyShareEntry->ke = data;
11306
0
        keyShareEntry->keLen = len;
11307
0
    }
11308
0
    else {
11309
        /* Generate a key pair. Casting to non-const since changes inside are
11310
         * minimal but would require an extensive redesign to refactor. Also
11311
         * this path shouldn't be taken when parsing a ClientHello in stateless
11312
         * mode. */
11313
0
        ret = TLSX_KeyShare_GenKey((WOLFSSL*)ssl, keyShareEntry);
11314
0
        if (ret != 0)
11315
0
            return ret;
11316
0
    }
11317
11318
0
    if (kse != NULL)
11319
0
        *kse = keyShareEntry;
11320
11321
0
    return 0;
11322
0
}
11323
11324
/* Set an empty Key Share extension.
11325
 *
11326
 * ssl  The SSL/TLS object.
11327
 * returns 0 on success and other values indicate failure.
11328
 */
11329
int TLSX_KeyShare_Empty(WOLFSSL* ssl)
11330
0
{
11331
0
    int   ret = 0;
11332
0
    TLSX* extension;
11333
11334
    /* Find the KeyShare extension if it exists. */
11335
0
    extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
11336
0
    if (extension == NULL) {
11337
        /* Push new KeyShare extension. */
11338
0
        ret = TLSX_Push(&ssl->extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
11339
0
    }
11340
0
    else if (extension->data != NULL) {
11341
0
        TLSX_KeyShare_FreeAll((KeyShareEntry*)extension->data, ssl->heap);
11342
0
        extension->data = NULL;
11343
0
    }
11344
11345
0
    return ret;
11346
0
}
11347
11348
/* Compile-time gating must stay aligned with TLSX_PopulateSupportedGroups().
11349
 * Runtime-only conditions in that function (TLS 1.3 version check, FFDHE
11350
 * key-size bounds, session-resumption short-circuit, downgrade-aware
11351
 * Brainpool TLS 1.2 selection) are intentionally not represented here. */
11352
static const word16 preferredGroup[] = {
11353
    /* Sort by strength, but prefer non-experimental PQ/T hybrid groups */
11354
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
11355
    !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS)
11356
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519) && \
11357
        ECC_MIN_KEY_SZ <= 256
11358
    WOLFSSL_X25519MLKEM768,
11359
    #endif
11360
    #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
11361
        (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
11362
        ECC_MIN_KEY_SZ <= 384
11363
    WOLFSSL_SECP384R1MLKEM1024,
11364
    #endif
11365
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
11366
        (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
11367
        ECC_MIN_KEY_SZ <= 256
11368
    WOLFSSL_SECP256R1MLKEM768,
11369
    #endif
11370
#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_MLKEM && !WOLFSSL_NO_ML_KEM &&
11371
        * WOLFSSL_PQC_HYBRIDS */
11372
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
11373
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_1024) && \
11374
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
11375
    WOLFSSL_ML_KEM_1024,
11376
#endif
11377
#if defined(HAVE_ECC) && (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
11378
    !defined(NO_ECC_SECP) && ECC_MIN_KEY_SZ <= 521
11379
    WOLFSSL_ECC_SECP521R1,
11380
#endif
11381
#if defined(HAVE_ECC) && (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && \
11382
    defined(HAVE_ECC_BRAINPOOL) && ECC_MIN_KEY_SZ <= 512
11383
    WOLFSSL_ECC_BRAINPOOLP512R1TLS13,
11384
    WOLFSSL_ECC_BRAINPOOLP512R1,
11385
#endif
11386
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
11387
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_768) && \
11388
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
11389
    WOLFSSL_ML_KEM_768,
11390
#endif
11391
#if defined(HAVE_ECC) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
11392
    ECC_MIN_KEY_SZ <= 384
11393
    #ifndef NO_ECC_SECP
11394
    WOLFSSL_ECC_SECP384R1,
11395
    #endif
11396
    #ifdef HAVE_ECC_BRAINPOOL
11397
    WOLFSSL_ECC_BRAINPOOLP384R1TLS13,
11398
    WOLFSSL_ECC_BRAINPOOLP384R1,
11399
    #endif
11400
#endif
11401
#if !defined(HAVE_FIPS) && defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
11402
    WOLFSSL_ECC_X448,
11403
#endif
11404
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
11405
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_512) && \
11406
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
11407
    WOLFSSL_ML_KEM_512,
11408
#endif
11409
#if defined(HAVE_ECC) && (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
11410
    ECC_MIN_KEY_SZ <= 256
11411
    #ifndef NO_ECC_SECP
11412
    WOLFSSL_ECC_SECP256R1,
11413
    #endif
11414
    #ifdef HAVE_ECC_KOBLITZ
11415
    WOLFSSL_ECC_SECP256K1,
11416
    #endif
11417
    #ifdef HAVE_ECC_BRAINPOOL
11418
    WOLFSSL_ECC_BRAINPOOLP256R1TLS13,
11419
    WOLFSSL_ECC_BRAINPOOLP256R1,
11420
    #endif
11421
    #if !defined(HAVE_FIPS) && defined(WOLFSSL_SM2)
11422
    WOLFSSL_ECC_SM2P256V1,
11423
    #endif
11424
#endif
11425
#if !defined(HAVE_FIPS) && defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
11426
    WOLFSSL_ECC_X25519,
11427
#endif
11428
#if defined(HAVE_ECC) && (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && \
11429
    ECC_MIN_KEY_SZ <= 224
11430
    #ifndef NO_ECC_SECP
11431
    WOLFSSL_ECC_SECP224R1,
11432
    #endif
11433
    #ifdef HAVE_ECC_KOBLITZ
11434
    WOLFSSL_ECC_SECP224K1,
11435
    #endif
11436
#endif
11437
#if !defined(HAVE_FIPS) && defined(HAVE_ECC)
11438
    #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && \
11439
        ECC_MIN_KEY_SZ <= 192
11440
        #ifndef NO_ECC_SECP
11441
        WOLFSSL_ECC_SECP192R1,
11442
        #endif
11443
        #ifdef HAVE_ECC_KOBLITZ
11444
        WOLFSSL_ECC_SECP192K1,
11445
        #endif
11446
    #endif
11447
    #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && \
11448
        ECC_MIN_KEY_SZ <= 160
11449
        #ifndef NO_ECC_SECP
11450
        WOLFSSL_ECC_SECP160R1,
11451
        #endif
11452
        #ifdef HAVE_ECC_SECPR2
11453
        WOLFSSL_ECC_SECP160R2,
11454
        #endif
11455
        #ifdef HAVE_ECC_KOBLITZ
11456
        WOLFSSL_ECC_SECP160K1,
11457
        #endif
11458
    #endif
11459
#endif /* !HAVE_FIPS && HAVE_ECC */
11460
#if defined(HAVE_FFDHE_8192)
11461
    WOLFSSL_FFDHE_8192,
11462
#endif
11463
#if defined(HAVE_FFDHE_6144)
11464
    WOLFSSL_FFDHE_6144,
11465
#endif
11466
#if defined(HAVE_FFDHE_4096)
11467
    WOLFSSL_FFDHE_4096,
11468
#endif
11469
#if defined(HAVE_FFDHE_3072)
11470
    WOLFSSL_FFDHE_3072,
11471
#endif
11472
#if defined(HAVE_FFDHE_2048)
11473
    WOLFSSL_FFDHE_2048,
11474
#endif
11475
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
11476
    !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_EXTRA_PQC_HYBRIDS)
11477
    #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
11478
        (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
11479
        ECC_MIN_KEY_SZ <= 521
11480
    WOLFSSL_SECP521R1MLKEM1024,
11481
    #endif
11482
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
11483
        (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
11484
        ECC_MIN_KEY_SZ <= 384
11485
    WOLFSSL_SECP384R1MLKEM768,
11486
    #endif
11487
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE448) && \
11488
        ECC_MIN_KEY_SZ <= 448
11489
    WOLFSSL_X448MLKEM768,
11490
    #endif
11491
    #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_ECC) && \
11492
        (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
11493
        ECC_MIN_KEY_SZ <= 256
11494
    WOLFSSL_SECP256R1MLKEM512,
11495
    #endif
11496
    #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_CURVE25519) && \
11497
        ECC_MIN_KEY_SZ <= 256
11498
    WOLFSSL_X25519MLKEM512,
11499
    #endif
11500
#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_MLKEM && !WOLFSSL_NO_ML_KEM &&
11501
        * WOLFSSL_EXTRA_PQC_HYBRIDS */
11502
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
11503
    defined(WOLFSSL_MLKEM_KYBER)
11504
    #ifdef WOLFSSL_KYBER1024
11505
    WOLFSSL_KYBER_LEVEL5,
11506
    #if defined(HAVE_ECC) && (defined(HAVE_ECC521) || \
11507
        defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
11508
    WOLFSSL_P521_KYBER_LEVEL5,
11509
    #endif
11510
    #endif
11511
    #ifdef WOLFSSL_KYBER768
11512
    WOLFSSL_KYBER_LEVEL3,
11513
    #if defined(HAVE_ECC) && (defined(HAVE_ECC384) || \
11514
        defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
11515
    WOLFSSL_P384_KYBER_LEVEL3,
11516
    #endif
11517
    #if defined(HAVE_ECC) && (!defined(NO_ECC256) || \
11518
        defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
11519
    WOLFSSL_P256_KYBER_LEVEL3,
11520
    #endif
11521
    #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
11522
    WOLFSSL_X25519_KYBER_LEVEL3,
11523
    #endif
11524
    #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
11525
    WOLFSSL_X448_KYBER_LEVEL3,
11526
    #endif
11527
    #endif
11528
    #ifdef WOLFSSL_KYBER512
11529
    WOLFSSL_KYBER_LEVEL1,
11530
    #if defined(HAVE_ECC) && (!defined(NO_ECC256) || \
11531
        defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
11532
    WOLFSSL_P256_KYBER_LEVEL1,
11533
    #endif
11534
    #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
11535
    WOLFSSL_X25519_KYBER_LEVEL1,
11536
    #endif
11537
    #endif
11538
#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_MLKEM && WOLFSSL_MLKEM_KYBER */
11539
    WOLFSSL_NAMED_GROUP_INVALID
11540
};
11541
11542
#define PREFERRED_GROUP_SZ \
11543
0
    ((sizeof(preferredGroup)/sizeof(*preferredGroup)) - 1)
11544
                                            /* -1 for the invalid group */
11545
11546
/* WOLFSSL_KEY_SHARE_DEFAULT_GROUP - group used for the speculative key share
11547
 * in ClientHello messages when the application has not selected one via
11548
 * wolfSSL_CTX_set_groups() / wolfSSL_set_groups() or wolfSSL_UseKeyShare().
11549
 *
11550
 * The default is optimized for the likelihood that the server will accept the
11551
 * speculative key share without forcing a HelloRetryRequest. It therefore
11552
 * differs from preferredGroup[] (which is sorted by strength): we pick the
11553
 * most widely deployed group at each tier rather than the strongest.
11554
 *
11555
 * Selection order when not user-defined:
11556
 *   1. A standardized PQ/T hybrid using X25519 or SECP256R1, if available.
11557
 *   2. SECP256R1, then X25519, then SECP384R1.
11558
 *   3. FFDHE 2048 or 3072, for DH-only TLS 1.3 builds.
11559
 *   4. preferredGroup[0] as a final fallback for any other configuration.
11560
 *
11561
 * Users can override the default by defining WOLFSSL_KEY_SHARE_DEFAULT_GROUP
11562
 * in user_settings.h to any of the WOLFSSL_* group identifiers from
11563
 * wolfssl/ssl.h (or the numeric IANA code point). The macro is substituted
11564
 * directly into an assignment, so wrap non-trivial expressions in parentheses.
11565
 */
11566
#ifndef WOLFSSL_KEY_SHARE_DEFAULT_GROUP
11567
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
11568
      !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
11569
      !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519) && \
11570
      ECC_MIN_KEY_SZ <= 256
11571
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_X25519MLKEM768
11572
#elif defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
11573
      !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
11574
      !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
11575
      (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
11576
      ECC_MIN_KEY_SZ <= 256
11577
0
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_SECP256R1MLKEM768
11578
#elif defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
11579
      !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) && \
11580
      !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
11581
      (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
11582
      ECC_MIN_KEY_SZ <= 384
11583
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_SECP384R1MLKEM1024
11584
#elif defined(HAVE_ECC) && (!defined(NO_ECC256) || \
11585
      defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 && \
11586
      !defined(NO_ECC_SECP)
11587
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_ECC_SECP256R1
11588
#elif !defined(HAVE_FIPS) && defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
11589
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_ECC_X25519
11590
#elif defined(HAVE_ECC) && (defined(HAVE_ECC384) || \
11591
      defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 && \
11592
      !defined(NO_ECC_SECP)
11593
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_ECC_SECP384R1
11594
#elif defined(HAVE_FFDHE_2048)
11595
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_FFDHE_2048
11596
#elif defined(HAVE_FFDHE_3072)
11597
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_FFDHE_3072
11598
#else
11599
    /* Fall back to whatever preferredGroup[] starts with. */
11600
    #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP (preferredGroup[0])
11601
#endif
11602
#endif /* !WOLFSSL_KEY_SHARE_DEFAULT_GROUP */
11603
11604
/* Examines the application specified group ranking and returns the rank of the
11605
 * group.
11606
 * If no group ranking set then all groups are rank 0 (highest).
11607
 *
11608
 * ssl    The SSL/TLS object.
11609
 * group  The group to check ranking for.
11610
 * returns ranking from 0 to MAX_GROUP_COUNT-1 or -1 when group not in list.
11611
 */
11612
static int TLSX_KeyShare_GroupRank(const WOLFSSL* ssl, int group)
11613
0
{
11614
0
    byte i;
11615
0
    const word16* groups;
11616
0
    byte numGroups;
11617
11618
0
    if (ssl->numGroups == 0) {
11619
        /* If the user didn't specify a group list with a preferred order,
11620
         * use the internal preferred group list. */
11621
0
        groups = preferredGroup;
11622
0
        numGroups = PREFERRED_GROUP_SZ;
11623
0
    }
11624
0
    else {
11625
0
        groups = ssl->group;
11626
0
        numGroups = ssl->numGroups;
11627
0
    }
11628
11629
0
    for (i = 0; i < numGroups; i++) {
11630
#if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \
11631
                                             defined (WOLFSSL_EXTRA_PQC_HYBRIDS)
11632
        if ((group == WOLFSSL_P256_ML_KEM_512_OLD &&
11633
             groups[i] == WOLFSSL_SECP256R1MLKEM512) ||
11634
            (group == WOLFSSL_P384_ML_KEM_768_OLD &&
11635
             groups[i] == WOLFSSL_SECP384R1MLKEM768) ||
11636
            (group == WOLFSSL_P521_ML_KEM_1024_OLD &&
11637
             groups[i] == WOLFSSL_SECP521R1MLKEM1024)) {
11638
            return i;
11639
        }
11640
#endif
11641
0
        if (groups[i] == (word16)group)
11642
0
            return i;
11643
0
    }
11644
11645
0
    return WOLFSSL_FATAL_ERROR;
11646
0
}
11647
11648
/* Set a key share that is supported by the client into extensions.
11649
 *
11650
 * ssl  The SSL/TLS object.
11651
 * returns BAD_KEY_SHARE_DATA if no supported group has a key share,
11652
 * 0 if a supported group has a key share and other values indicate an error.
11653
 */
11654
int TLSX_KeyShare_SetSupported(const WOLFSSL* ssl, TLSX** extensions)
11655
0
{
11656
0
    int             ret;
11657
0
#ifdef HAVE_SUPPORTED_CURVES
11658
0
    TLSX*           extension;
11659
0
    SupportedCurve* curve = NULL;
11660
0
    SupportedCurve* preferredCurve = NULL;
11661
0
    word16          name = WOLFSSL_NAMED_GROUP_INVALID;
11662
0
    KeyShareEntry*  kse = NULL;
11663
0
    int             preferredRank = WOLFSSL_MAX_GROUP_COUNT;
11664
0
    int             rank;
11665
11666
0
    extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
11667
0
    if (extension != NULL)
11668
0
        curve = (SupportedCurve*)extension->data;
11669
0
    for (; curve != NULL; curve = curve->next) {
11670
        /* Use server's preference order. Common group was found but key share
11671
         * was missing */
11672
0
        if (!TLSX_IsGroupSupported(curve->name, ssl->options.side))
11673
0
            continue;
11674
0
        if (wolfSSL_curve_is_disabled(ssl, curve->name))
11675
0
            continue;
11676
11677
0
        rank = TLSX_KeyShare_GroupRank(ssl, curve->name);
11678
0
        if (rank == -1)
11679
0
            continue;
11680
0
        if (rank < preferredRank) {
11681
0
            preferredCurve = curve;
11682
0
            preferredRank = rank;
11683
0
        }
11684
0
    }
11685
0
    curve = preferredCurve;
11686
11687
0
    if (curve == NULL) {
11688
0
        byte i;
11689
        /* Fallback to user selected group */
11690
0
        preferredRank = WOLFSSL_MAX_GROUP_COUNT;
11691
0
        for (i = 0; i < ssl->numGroups; i++) {
11692
0
            rank = TLSX_KeyShare_GroupRank(ssl, ssl->group[i]);
11693
0
            if (rank == -1)
11694
0
                continue;
11695
0
            if (rank < preferredRank) {
11696
0
                name = ssl->group[i];
11697
0
                preferredRank = rank;
11698
0
            }
11699
0
        }
11700
0
        if (name == WOLFSSL_NAMED_GROUP_INVALID) {
11701
            /* No group selected or specified by the server */
11702
0
            WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
11703
0
            return BAD_KEY_SHARE_DATA;
11704
0
        }
11705
0
    }
11706
0
    else {
11707
0
        name = curve->name;
11708
0
    }
11709
11710
    #ifdef WOLFSSL_ASYNC_CRYPT
11711
    /* Check the old key share data list. */
11712
    extension = TLSX_Find(*extensions, TLSX_KEY_SHARE);
11713
    if (extension != NULL) {
11714
        kse = (KeyShareEntry*)extension->data;
11715
        /* We should not be computing keys if we are only going to advertise
11716
         * our choice here. */
11717
        if (kse != NULL && kse->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
11718
            WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA);
11719
            return BAD_KEY_SHARE_DATA;
11720
        }
11721
    }
11722
    #endif
11723
11724
    /* Push new KeyShare extension. This will also free the old one */
11725
0
    ret = TLSX_Push(extensions, TLSX_KEY_SHARE, NULL, ssl->heap);
11726
0
    if (ret != 0)
11727
0
        return ret;
11728
    /* Extension got pushed to head */
11729
0
    extension = *extensions;
11730
    /* Push the selected curve */
11731
0
    ret = TLSX_KeyShare_New((KeyShareEntry**)&extension->data, name,
11732
0
                            ssl->heap, &kse);
11733
0
    if (ret != 0)
11734
0
        return ret;
11735
    /* Set extension to be in response. */
11736
0
    extension->resp = 1;
11737
#else
11738
11739
    (void)ssl;
11740
11741
    WOLFSSL_ERROR_VERBOSE(NOT_COMPILED_IN);
11742
    ret = NOT_COMPILED_IN;
11743
#endif
11744
11745
0
    return ret;
11746
0
}
11747
11748
#ifdef WOLFSSL_DUAL_ALG_CERTS
11749
/* Writes the CKS objects of a list in a buffer. */
11750
static word16 CKS_WRITE(WOLFSSL* ssl, byte* output)
11751
{
11752
    XMEMCPY(output, ssl->sigSpec, ssl->sigSpecSz);
11753
    return ssl->sigSpecSz;
11754
}
11755
11756
static int TLSX_UseCKS(TLSX** extensions, WOLFSSL* ssl, void* heap)
11757
{
11758
    int ret = 0;
11759
    TLSX* extension;
11760
11761
    if (extensions == NULL) {
11762
        return BAD_FUNC_ARG;
11763
    }
11764
11765
    extension = TLSX_Find(*extensions, TLSX_CKS);
11766
    /* If it is already present, do nothing. */
11767
    if (extension == NULL) {
11768
        /* The data required is in the ssl struct, so push it in. */
11769
        ret = TLSX_Push(extensions, TLSX_CKS, (void*)ssl, heap);
11770
    }
11771
11772
    return ret;
11773
}
11774
11775
int TLSX_CKS_Set(WOLFSSL* ssl, TLSX** extensions)
11776
{
11777
    int ret;
11778
    TLSX* extension;
11779
    /* Push new KeyShare extension. This will also free the old one */
11780
    ret = TLSX_Push(extensions, TLSX_CKS, NULL, ssl->heap);
11781
    if (ret != 0)
11782
        return ret;
11783
    /* Extension got pushed to head */
11784
    extension = *extensions;
11785
    /* Need ssl->sigSpecSz during extension length calculation. */
11786
    extension->data = ssl;
11787
    /* Set extension to be in response. */
11788
    extension->resp = 1;
11789
    return ret;
11790
}
11791
11792
int TLSX_CKS_Parse(WOLFSSL* ssl, byte* input, word16 length,
11793
                   TLSX** extensions)
11794
{
11795
    int ret;
11796
    int i, j;
11797
11798
    (void) extensions;
11799
11800
    /* Validating the input. */
11801
    if (length == 0)
11802
        return BUFFER_ERROR;
11803
    for (i = 0; i < length; i++) {
11804
        switch (input[i])
11805
        {
11806
            case WOLFSSL_CKS_SIGSPEC_NATIVE:
11807
            case WOLFSSL_CKS_SIGSPEC_ALTERNATIVE:
11808
            case WOLFSSL_CKS_SIGSPEC_BOTH:
11809
                /* These are all valid values; do nothing */
11810
                break;
11811
            case WOLFSSL_CKS_SIGSPEC_EXTERNAL:
11812
            default:
11813
                /* All other values (including external) are not. */
11814
                return BAD_FUNC_ARG;
11815
        }
11816
    }
11817
11818
    /* This could be a situation where the client tried to start with TLS 1.3
11819
     * when it sent ClientHello and the server down-graded to TLS 1.2. In that
11820
     * case, erroring out because it is TLS 1.2 is not a reasonable thing to do.
11821
     * In the case of TLS 1.2, the CKS values will be ignored. */
11822
    if (!IsAtLeastTLSv1_3(ssl->version)) {
11823
        ssl->sigSpec = NULL;
11824
        ssl->sigSpecSz = 0;
11825
        return 0;
11826
    }
11827
11828
    /* Extension data is valid, but if we are the server and we don't have an
11829
     * alt private key, do not respond with CKS extension. */
11830
    if (wolfSSL_is_server(ssl) && ssl->buffers.altKey == NULL) {
11831
        ssl->sigSpec = NULL;
11832
        ssl->sigSpecSz = 0;
11833
        return 0;
11834
    }
11835
11836
    /* Copy as the lifetime of input seems to be ephemeral. */
11837
    ssl->peerSigSpec = (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_TLSX);
11838
    if (ssl->peerSigSpec == NULL) {
11839
        return BUFFER_ERROR;
11840
    }
11841
    XMEMCPY(ssl->peerSigSpec, input, length);
11842
    ssl->peerSigSpecSz = length;
11843
11844
    /* If there is no preference set, use theirs... */
11845
    if (ssl->sigSpec == NULL) {
11846
        ret = wolfSSL_UseCKS(ssl, ssl->peerSigSpec, 1);
11847
        if (ret == WOLFSSL_SUCCESS) {
11848
            ret = TLSX_UseCKS(&ssl->extensions, ssl, ssl->heap);
11849
            TLSX_SetResponse(ssl, TLSX_CKS);
11850
        }
11851
        return ret;
11852
    }
11853
11854
    /* ...otherwise, prioritize our preference. */
11855
    for (i = 0; i < ssl->sigSpecSz; i++) {
11856
        for (j = 0; j < length; j++) {
11857
            if (ssl->sigSpec[i] == input[j]) {
11858
                /* Got the match, set to this one. */
11859
                ret = wolfSSL_UseCKS(ssl, &ssl->sigSpec[i], 1);
11860
                if (ret == WOLFSSL_SUCCESS) {
11861
                    ret = TLSX_UseCKS(&ssl->extensions, ssl, ssl->heap);
11862
                    TLSX_SetResponse(ssl, TLSX_CKS);
11863
                }
11864
                return ret;
11865
            }
11866
        }
11867
    }
11868
11869
    /* No match found. Cannot continue. */
11870
    return MATCH_SUITE_ERROR;
11871
}
11872
#endif /* WOLFSSL_DUAL_ALG_CERTS */
11873
11874
/* Server side KSE processing */
11875
int TLSX_KeyShare_Choose(const WOLFSSL *ssl, TLSX* extensions,
11876
    byte cipherSuite0, byte cipherSuite, KeyShareEntry** kse, byte* searched)
11877
0
{
11878
0
    TLSX*          extension;
11879
0
    KeyShareEntry* clientKSE = NULL;
11880
0
    KeyShareEntry* list = NULL;
11881
0
    KeyShareEntry* preferredKSE = NULL;
11882
0
    int preferredRank = WOLFSSL_MAX_GROUP_COUNT;
11883
0
    int rank;
11884
11885
0
    (void)cipherSuite0;
11886
0
    (void)cipherSuite;
11887
11888
0
    if (ssl == NULL || ssl->options.side != WOLFSSL_SERVER_END)
11889
0
        return BAD_FUNC_ARG;
11890
11891
0
    *searched = 0;
11892
11893
    /* Find the KeyShare extension if it exists. */
11894
0
    extension = TLSX_Find(extensions, TLSX_KEY_SHARE);
11895
0
    if (extension != NULL)
11896
0
        list = (KeyShareEntry*)extension->data;
11897
11898
0
    if (extension && extension->resp == 1) {
11899
        /* Outside of the async case this path should not be taken. */
11900
0
        int ret = WC_NO_ERR_TRACE(INCOMPLETE_DATA);
11901
    #ifdef WOLFSSL_ASYNC_CRYPT
11902
        /* in async case make sure key generation is finalized */
11903
        KeyShareEntry* serverKSE = (KeyShareEntry*)extension->data;
11904
        if (serverKSE && serverKSE->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) {
11905
            if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE)
11906
                *searched = 1;
11907
            ret = TLSX_KeyShare_GenKey((WOLFSSL*)ssl, serverKSE);
11908
        }
11909
        else
11910
    #endif
11911
0
        {
11912
0
            ret = INCOMPLETE_DATA;
11913
0
        }
11914
0
        return ret;
11915
0
    }
11916
11917
    /* Use server's preference order. */
11918
0
    for (clientKSE = list; clientKSE != NULL; clientKSE = clientKSE->next) {
11919
0
        if (clientKSE->ke == NULL)
11920
0
            continue;
11921
11922
#ifdef WOLFSSL_SM2
11923
        if ((cipherSuite0 == CIPHER_BYTE) &&
11924
            ((cipherSuite == TLS_SM4_GCM_SM3) ||
11925
             (cipherSuite == TLS_SM4_CCM_SM3))) {
11926
           if (clientKSE->group != WOLFSSL_ECC_SM2P256V1) {
11927
               continue;
11928
           }
11929
        }
11930
        else if (clientKSE->group == WOLFSSL_ECC_SM2P256V1) {
11931
           continue;
11932
        }
11933
#endif
11934
11935
        /* Check consistency now - extensions in any order. */
11936
0
        if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group, extensions))
11937
0
            continue;
11938
11939
0
        if (!WOLFSSL_NAMED_GROUP_IS_FFDHE(clientKSE->group)) {
11940
            /* Check max value supported. */
11941
0
            if (clientKSE->group > WOLFSSL_ECC_MAX) {
11942
0
#ifdef WOLFSSL_HAVE_MLKEM
11943
0
                if (!WOLFSSL_NAMED_GROUP_IS_PQC(clientKSE->group) &&
11944
0
                    !WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(clientKSE->group))
11945
0
#endif
11946
0
                    continue;
11947
0
            }
11948
0
            if (wolfSSL_curve_is_disabled(ssl, clientKSE->group))
11949
0
                continue;
11950
0
        }
11951
0
        if (!TLSX_IsGroupSupported(clientKSE->group, ssl->options.side))
11952
0
            continue;
11953
11954
0
        rank = TLSX_KeyShare_GroupRank(ssl, clientKSE->group);
11955
0
        if (rank == -1)
11956
0
            continue;
11957
0
        if (rank < preferredRank) {
11958
0
            preferredKSE = clientKSE;
11959
0
            preferredRank = rank;
11960
0
        }
11961
0
    }
11962
0
    *kse = preferredKSE;
11963
0
    *searched = 1;
11964
0
    return 0;
11965
0
}
11966
11967
/* Server side KSE processing */
11968
int TLSX_KeyShare_Setup(WOLFSSL *ssl, KeyShareEntry* clientKSE)
11969
0
{
11970
0
    int            ret;
11971
0
    TLSX*          extension;
11972
0
    KeyShareEntry* serverKSE;
11973
0
    KeyShareEntry* list = NULL;
11974
11975
0
    if (ssl == NULL || ssl->options.side != WOLFSSL_SERVER_END)
11976
0
        return BAD_FUNC_ARG;
11977
11978
0
    extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
11979
0
    if (extension == NULL)
11980
0
        return BAD_STATE_E;
11981
11982
0
    if (clientKSE == NULL) {
11983
#ifdef WOLFSSL_ASYNC_CRYPT
11984
        /* Not necessarily an error. The key may have already been setup. */
11985
        if (extension != NULL && extension->resp == 1) {
11986
            serverKSE = (KeyShareEntry*)extension->data;
11987
            if (serverKSE != NULL) {
11988
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
11989
                /* Re-drive server hybrid encapsulation on resume. GenKey
11990
                 * routes a hybrid group to the client generator, and the
11991
                 * lastRet == 0 path treats the share as done after only the
11992
                 * ECDH part completed, dropping the KEM ciphertext. ke holds
11993
                 * the client share until the handler completes and clears it. */
11994
                if (serverKSE->ke != NULL &&
11995
                        WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(serverKSE->group)) {
11996
                    return TLSX_KeyShare_HandlePqcHybridKeyServer((WOLFSSL*)ssl,
11997
                            serverKSE, serverKSE->ke, serverKSE->keLen);
11998
                }
11999
#endif
12000
                /* in async case make sure key generation is finalized */
12001
                if (serverKSE->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E))
12002
                    return TLSX_KeyShare_GenKey((WOLFSSL*)ssl, serverKSE);
12003
                else if (serverKSE->lastRet == 0)
12004
                    return 0;
12005
            }
12006
        }
12007
#endif
12008
0
        return BAD_FUNC_ARG;
12009
0
    }
12010
12011
    /* Generate a new key pair except in the case of PQC KEM because we
12012
     * are going to encapsulate and that does not require us to generate a
12013
     * key pair.
12014
     */
12015
0
    ret = TLSX_KeyShare_New(&list, clientKSE->group, ssl->heap, &serverKSE);
12016
0
    if (ret != 0)
12017
0
        return ret;
12018
12019
0
    if (clientKSE->key == NULL) {
12020
0
#if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE)
12021
0
        if (WOLFSSL_NAMED_GROUP_IS_PQC(clientKSE->group)) {
12022
0
            ret = TLSX_KeyShare_HandlePqcKeyServer(ssl, serverKSE,
12023
0
                    clientKSE->ke, clientKSE->keLen,
12024
0
                    ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz);
12025
0
        }
12026
0
        else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(clientKSE->group)) {
12027
0
            ret = TLSX_KeyShare_HandlePqcHybridKeyServer(ssl, serverKSE,
12028
0
                    clientKSE->ke, clientKSE->keLen);
12029
0
        }
12030
0
        else
12031
0
#endif
12032
0
        {
12033
0
            ret = TLSX_KeyShare_GenKey(ssl, serverKSE);
12034
0
        }
12035
12036
        /* for async do setup of serverKSE below, but return WC_PENDING_E */
12037
0
        if (ret != 0
12038
        #ifdef WOLFSSL_ASYNC_CRYPT
12039
            && ret != WC_NO_ERR_TRACE(WC_PENDING_E)
12040
        #endif
12041
0
        ) {
12042
0
            TLSX_KeyShare_FreeAll(list, ssl->heap);
12043
0
            return ret;
12044
0
        }
12045
0
    }
12046
0
    else {
12047
        /* transfer buffers to serverKSE */
12048
0
        serverKSE->key = clientKSE->key;
12049
0
        clientKSE->key = NULL;
12050
0
        serverKSE->keyLen = clientKSE->keyLen;
12051
0
        serverKSE->pubKey = clientKSE->pubKey;
12052
0
        clientKSE->pubKey = NULL;
12053
0
        serverKSE->pubKeyLen = clientKSE->pubKeyLen;
12054
0
    #ifndef NO_DH
12055
0
        serverKSE->privKey = clientKSE->privKey;
12056
0
        clientKSE->privKey = NULL;
12057
0
    #endif
12058
0
    }
12059
0
    serverKSE->ke = clientKSE->ke;
12060
0
    serverKSE->keLen = clientKSE->keLen;
12061
0
    clientKSE->ke = NULL;
12062
0
    clientKSE->keLen = 0;
12063
0
    ssl->namedGroup = serverKSE->group;
12064
12065
0
    TLSX_KeyShare_FreeAll((KeyShareEntry*)extension->data, ssl->heap);
12066
0
    extension->data = (void *)serverKSE;
12067
12068
0
    extension->resp = 1;
12069
0
    return ret;
12070
0
}
12071
12072
/* Ensure there is a key pair that can be used for key exchange.
12073
 *
12074
 * ssl  The SSL/TLS object.
12075
 * doHelloRetry If set to non-zero will do hello_retry
12076
 * returns 0 on success and other values indicate failure.
12077
 */
12078
int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry)
12079
0
{
12080
0
    int            ret;
12081
0
    KeyShareEntry* clientKSE = NULL;
12082
0
    byte           searched = 0;
12083
12084
0
    *doHelloRetry = 0;
12085
12086
0
    ret = TLSX_KeyShare_Choose(ssl, ssl->extensions, ssl->cipher.cipherSuite0,
12087
0
        ssl->cipher.cipherSuite, &clientKSE, &searched);
12088
0
    if (ret != 0 || !searched)
12089
0
        return ret;
12090
12091
    /* No supported group found - send HelloRetryRequest. */
12092
0
    if (clientKSE == NULL) {
12093
        /* Set KEY_SHARE_ERROR to indicate HelloRetryRequest required. */
12094
0
        *doHelloRetry = 1;
12095
0
        return TLSX_KeyShare_SetSupported(ssl, &ssl->extensions);
12096
0
    }
12097
12098
0
    return TLSX_KeyShare_Setup(ssl, clientKSE);
12099
0
}
12100
12101
/* Derive the shared secret of the key exchange.
12102
 *
12103
 * ssl  The SSL/TLS object.
12104
 * returns 0 on success and other values indicate failure.
12105
 */
12106
int TLSX_KeyShare_DeriveSecret(WOLFSSL *ssl)
12107
0
{
12108
0
    int            ret;
12109
0
    TLSX*          extension;
12110
0
    KeyShareEntry* list = NULL;
12111
12112
#ifdef WOLFSSL_ASYNC_CRYPT
12113
    ret = wolfSSL_AsyncPop(ssl, NULL);
12114
    /* Check for error */
12115
    if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E) && ret < 0) {
12116
        return ret;
12117
    }
12118
#endif
12119
12120
    /* Find the KeyShare extension if it exists. */
12121
0
    extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
12122
0
    if (extension != NULL)
12123
0
        list = (KeyShareEntry*)extension->data;
12124
12125
0
    if (list == NULL)
12126
0
        return KEY_SHARE_ERROR;
12127
12128
    /* Calculate secret. */
12129
0
    ret = TLSX_KeyShare_Process(ssl, list);
12130
12131
0
    return ret;
12132
0
}
12133
12134
0
#define KS_FREE_ALL  TLSX_KeyShare_FreeAll
12135
0
#define KS_GET_SIZE  TLSX_KeyShare_GetSize
12136
0
#define KS_WRITE     TLSX_KeyShare_Write
12137
0
#define KS_PARSE     TLSX_KeyShare_Parse
12138
12139
#else
12140
12141
#define KS_FREE_ALL(a, b) WC_DO_NOTHING
12142
#define KS_GET_SIZE(a, b)    0
12143
#define KS_WRITE(a, b, c)    0
12144
#define KS_PARSE(a, b, c, d) 0
12145
12146
#endif /* WOLFSSL_TLS13 */
12147
12148
/******************************************************************************/
12149
/* Pre-Shared Key                                                             */
12150
/******************************************************************************/
12151
12152
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
12153
/* Free the pre-shared key dynamic data.
12154
 *
12155
 * list  The linked list of key share entry objects.
12156
 * heap  The heap used for allocation.
12157
 */
12158
static void TLSX_PreSharedKey_FreeAll(PreSharedKey* list, void* heap)
12159
{
12160
    PreSharedKey* current;
12161
12162
    while ((current = list) != NULL) {
12163
        list = current->next;
12164
        XFREE(current->identity, heap, DYNAMIC_TYPE_TLSX);
12165
        XFREE(current, heap, DYNAMIC_TYPE_TLSX);
12166
    }
12167
12168
    (void)heap;
12169
}
12170
12171
/* Get the size of the encoded pre shared key extension.
12172
 *
12173
 * list     The linked list of pre-shared key extensions.
12174
 * msgType  The type of the message this extension is being written into.
12175
 * returns the number of bytes of the encoded pre-shared key extension or
12176
 * SANITY_MSG_E to indicate invalid message type.
12177
 */
12178
static int TLSX_PreSharedKey_GetSize(PreSharedKey* list, byte msgType,
12179
                                     word16* pSz)
12180
{
12181
    if (msgType == client_hello) {
12182
        /* Length of identities + Length of binders. */
12183
        word32 len = OPAQUE16_LEN + OPAQUE16_LEN;
12184
        while (list != NULL) {
12185
            /* Each entry has: identity, ticket age and binder. */
12186
            len += OPAQUE16_LEN + list->identityLen + OPAQUE32_LEN +
12187
                   OPAQUE8_LEN + (word32)list->binderLen;
12188
            if (len > WOLFSSL_MAX_16BIT) {
12189
                WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
12190
                return LENGTH_ERROR;
12191
            }
12192
            list = list->next;
12193
        }
12194
        if ((word32)*pSz + len > WOLFSSL_MAX_16BIT) {
12195
            WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
12196
            return LENGTH_ERROR;
12197
        }
12198
        *pSz += (word16)len;
12199
        return 0;
12200
    }
12201
12202
    if (msgType == server_hello) {
12203
        *pSz += OPAQUE16_LEN;
12204
        return 0;
12205
    }
12206
12207
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12208
    return SANITY_MSG_E;
12209
}
12210
12211
/* The number of bytes to be written for the binders.
12212
 *
12213
 * list     The linked list of pre-shared key extensions.
12214
 * msgType  The type of the message this extension is being written into.
12215
 * returns the number of bytes of the encoded pre-shared key extension or
12216
 * SANITY_MSG_E to indicate invalid message type.
12217
 */
12218
int TLSX_PreSharedKey_GetSizeBinders(PreSharedKey* list, byte msgType,
12219
                                     word16* pSz)
12220
{
12221
    word32 len;
12222
12223
    if (msgType != client_hello) {
12224
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12225
        return SANITY_MSG_E;
12226
    }
12227
12228
    /* Length of all binders. */
12229
    len = OPAQUE16_LEN;
12230
    while (list != NULL) {
12231
        len += OPAQUE8_LEN + (word32)list->binderLen;
12232
        if (len > WOLFSSL_MAX_16BIT) {
12233
            WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
12234
            return LENGTH_ERROR;
12235
        }
12236
        list = list->next;
12237
    }
12238
12239
    *pSz = (word16)len;
12240
    return 0;
12241
}
12242
12243
/* Writes the pre-shared key extension into the output buffer - binders only.
12244
 * Assumes that the the output buffer is big enough to hold data.
12245
 *
12246
 * list     The linked list of key share entries.
12247
 * output   The buffer to write into.
12248
 * msgType  The type of the message this extension is being written into.
12249
 * returns the number of bytes written into the buffer.
12250
 */
12251
int TLSX_PreSharedKey_WriteBinders(PreSharedKey* list, byte* output,
12252
                                   byte msgType, word16* pSz)
12253
{
12254
    PreSharedKey* current = list;
12255
    word16 idx = 0;
12256
    word16 lenIdx;
12257
    word16 len;
12258
12259
    if (msgType != client_hello) {
12260
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12261
        return SANITY_MSG_E;
12262
    }
12263
12264
    /* Skip length of all binders. */
12265
    lenIdx = idx;
12266
    idx += OPAQUE16_LEN;
12267
    while (current != NULL) {
12268
        /* Binder data length. */
12269
        output[idx++] = (byte)current->binderLen;
12270
        /* Binder data. */
12271
        XMEMCPY(output + idx, current->binder, current->binderLen);
12272
        idx += (word16)current->binderLen;
12273
12274
        current = current->next;
12275
    }
12276
    /* Length of the binders. */
12277
    len = idx - lenIdx - OPAQUE16_LEN;
12278
    c16toa(len, output + lenIdx);
12279
12280
    *pSz = idx;
12281
    return 0;
12282
}
12283
12284
12285
/* Writes the pre-shared key extension into the output buffer.
12286
 * Assumes that the the output buffer is big enough to hold data.
12287
 *
12288
 * list     The linked list of key share entries.
12289
 * output   The buffer to write into.
12290
 * msgType  The type of the message this extension is being written into.
12291
 * returns the number of bytes written into the buffer.
12292
 */
12293
static int TLSX_PreSharedKey_Write(PreSharedKey* list, byte* output,
12294
                                   byte msgType, word16* pSz)
12295
{
12296
    if (msgType == client_hello) {
12297
        PreSharedKey* current = list;
12298
        word16 idx = 0;
12299
        word16 lenIdx;
12300
        word16 len;
12301
        int ret;
12302
12303
        /* Write identities only. Binders after HMACing over this. */
12304
        lenIdx = idx;
12305
        idx += OPAQUE16_LEN;
12306
        while (current != NULL) {
12307
            /* Identity length */
12308
            c16toa(current->identityLen, output + idx);
12309
            idx += OPAQUE16_LEN;
12310
            /* Identity data */
12311
            XMEMCPY(output + idx, current->identity, current->identityLen);
12312
            idx += current->identityLen;
12313
12314
            /* Obfuscated ticket age. */
12315
            c32toa(current->ticketAge, output + idx);
12316
            idx += OPAQUE32_LEN;
12317
12318
            current = current->next;
12319
        }
12320
        /* Length of the identities. */
12321
        len = idx - lenIdx - OPAQUE16_LEN;
12322
        c16toa(len, output + lenIdx);
12323
12324
        /* Don't include binders here.
12325
         * The binders are based on the hash of all the ClientHello data up to
12326
         * and include the identities written above.
12327
         */
12328
        ret = TLSX_PreSharedKey_GetSizeBinders(list, msgType, &len);
12329
        if (ret < 0)
12330
            return ret;
12331
        *pSz += idx + len;
12332
    }
12333
    else if (msgType == server_hello) {
12334
        word16 i;
12335
12336
        /* Find the index of the chosen identity. */
12337
        for (i=0; list != NULL && !list->chosen; i++)
12338
            list = list->next;
12339
        if (list == NULL) {
12340
            WOLFSSL_ERROR_VERBOSE(BUILD_MSG_ERROR);
12341
            return BUILD_MSG_ERROR;
12342
        }
12343
12344
        /* The index of the identity chosen by the server from the list supplied
12345
         * by the client.
12346
         */
12347
        c16toa(i, output);
12348
        *pSz += OPAQUE16_LEN;
12349
    }
12350
    else {
12351
        WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12352
        return SANITY_MSG_E;
12353
    }
12354
12355
    return 0;
12356
}
12357
12358
int TLSX_PreSharedKey_Parse_ClientHello(TLSX** extensions, const byte* input,
12359
                                        word16 length, void* heap)
12360
{
12361
12362
    int    ret;
12363
    word16 len;
12364
    word16 idx = 0;
12365
    TLSX*         extension;
12366
    PreSharedKey* list;
12367
12368
    TLSX_Remove(extensions, TLSX_PRE_SHARED_KEY, heap);
12369
12370
    /* Length of identities and of binders. */
12371
    if ((int)(length - idx) < OPAQUE16_LEN + OPAQUE16_LEN)
12372
        return BUFFER_E;
12373
12374
    /* Length of identities. */
12375
    ato16(input + idx, &len);
12376
    idx += OPAQUE16_LEN;
12377
    if (len < MIN_PSK_ID_LEN || length - idx < len)
12378
        return BUFFER_E;
12379
12380
    /* Create a pre-shared key object for each identity. */
12381
    while (len > 0) {
12382
        const byte* identity;
12383
        word16      identityLen;
12384
        word32      age;
12385
12386
        if (len < OPAQUE16_LEN)
12387
            return BUFFER_E;
12388
12389
        /* Length of identity. */
12390
        ato16(input + idx, &identityLen);
12391
        idx += OPAQUE16_LEN;
12392
        if (len < OPAQUE16_LEN + identityLen + OPAQUE32_LEN ||
12393
                identityLen > MAX_PSK_ID_LEN)
12394
            return BUFFER_E;
12395
        /* Cache identity pointer. */
12396
        identity = input + idx;
12397
        idx += identityLen;
12398
        /* Ticket age. */
12399
        ato32(input + idx, &age);
12400
        idx += OPAQUE32_LEN;
12401
12402
        ret = TLSX_PreSharedKey_Use(extensions, identity, identityLen, age, no_mac,
12403
                                    0, 0, 1, NULL, heap);
12404
        if (ret != 0)
12405
            return ret;
12406
12407
        /* Done with this identity. */
12408
        len -= OPAQUE16_LEN + identityLen + OPAQUE32_LEN;
12409
    }
12410
12411
    /* Find the list of identities sent to server. */
12412
    extension = TLSX_Find(*extensions, TLSX_PRE_SHARED_KEY);
12413
    if (extension == NULL)
12414
        return PSK_KEY_ERROR;
12415
    list = (PreSharedKey*)extension->data;
12416
12417
    /* Length of binders. */
12418
    if (idx + OPAQUE16_LEN > length)
12419
        return BUFFER_E;
12420
    ato16(input + idx, &len);
12421
    idx += OPAQUE16_LEN;
12422
    if (len < MIN_PSK_BINDERS_LEN || length - idx < len)
12423
        return BUFFER_E;
12424
12425
    /* Set binder for each identity. */
12426
    while (list != NULL && len > 0) {
12427
        /* Length of binder */
12428
        list->binderLen = input[idx++];
12429
        if (list->binderLen < WC_SHA256_DIGEST_SIZE ||
12430
                list->binderLen > WC_MAX_DIGEST_SIZE)
12431
            return BUFFER_E;
12432
        if (len < OPAQUE8_LEN + list->binderLen)
12433
            return BUFFER_E;
12434
12435
        /* Copy binder into static buffer. */
12436
        XMEMCPY(list->binder, input + idx, list->binderLen);
12437
        idx += (word16)list->binderLen;
12438
12439
        /* Done with binder entry. */
12440
        len -= OPAQUE8_LEN + (word16)list->binderLen;
12441
12442
        /* Next identity. */
12443
        list = list->next;
12444
    }
12445
    if (list != NULL || len != 0)
12446
        return BUFFER_E;
12447
12448
    return 0;
12449
12450
}
12451
12452
/* Parse the pre-shared key extension.
12453
 * Different formats in different messages.
12454
 *
12455
 * ssl      The SSL/TLS object.
12456
 * input    The extension data.
12457
 * length   The length of the extension data.
12458
 * msgType  The type of the message this extension is being parsed from.
12459
 * returns 0 on success and other values indicate failure.
12460
 */
12461
static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input,
12462
                                   word16 length, byte msgType)
12463
{
12464
12465
    if (msgType == client_hello) {
12466
        return TLSX_PreSharedKey_Parse_ClientHello(&ssl->extensions, input,
12467
                                                   length, ssl->heap);
12468
    }
12469
12470
    if (msgType == server_hello) {
12471
        word16 idx;
12472
        PreSharedKey* list;
12473
        TLSX*         extension;
12474
12475
        /* Index of identity chosen by server. */
12476
        if (length != OPAQUE16_LEN)
12477
            return BUFFER_E;
12478
        ato16(input, &idx);
12479
12480
    #ifdef WOLFSSL_EARLY_DATA
12481
        ssl->options.pskIdIndex = idx + 1;
12482
    #endif
12483
12484
        /* Find the list of identities sent to server. */
12485
        extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
12486
        if (extension == NULL)
12487
            return INCOMPLETE_DATA;
12488
        list = (PreSharedKey*)extension->data;
12489
12490
        /* Mark the identity as chosen. */
12491
        for (; list != NULL && idx > 0; idx--)
12492
            list = list->next;
12493
        if (list == NULL) {
12494
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
12495
            return PSK_KEY_ERROR;
12496
        }
12497
        list->chosen = 1;
12498
12499
        if (list->resumption) {
12500
           /* Check that the session's details are the same as the server's. */
12501
           if (ssl->options.cipherSuite0  != ssl->session->cipherSuite0       ||
12502
               ssl->options.cipherSuite   != ssl->session->cipherSuite        ||
12503
               ssl->session->version.major != ssl->ctx->method->version.major ||
12504
               ssl->session->version.minor != ssl->ctx->method->version.minor) {
12505
                WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
12506
               return PSK_KEY_ERROR;
12507
           }
12508
        }
12509
12510
        return 0;
12511
    }
12512
12513
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12514
    return SANITY_MSG_E;
12515
}
12516
12517
/* Create a new pre-shared key and put it into the list.
12518
 *
12519
 * list          The linked list of pre-shared key.
12520
 * identity      The identity.
12521
 * len           The length of the identity data.
12522
 * heap          The memory to allocate with.
12523
 * preSharedKey  The new pre-shared key object.
12524
 * returns 0 on success and other values indicate failure.
12525
 */
12526
static int TLSX_PreSharedKey_New(PreSharedKey** list, const byte* identity,
12527
                                 word16 len, void *heap,
12528
                                 PreSharedKey** preSharedKey)
12529
{
12530
    PreSharedKey* psk;
12531
    PreSharedKey** next;
12532
12533
    psk = (PreSharedKey*)XMALLOC(sizeof(PreSharedKey), heap, DYNAMIC_TYPE_TLSX);
12534
    if (psk == NULL)
12535
        return MEMORY_E;
12536
    XMEMSET(psk, 0, sizeof(*psk));
12537
12538
    /* Make a copy of the identity data. */
12539
    psk->identity = (byte*)XMALLOC(len + NULL_TERM_LEN, heap,
12540
                                   DYNAMIC_TYPE_TLSX);
12541
    if (psk->identity == NULL) {
12542
        XFREE(psk, heap, DYNAMIC_TYPE_TLSX);
12543
        return MEMORY_E;
12544
    }
12545
    XMEMCPY(psk->identity, identity, len);
12546
    psk->identityLen = len;
12547
    /* Use a NULL terminator in case it is a C string */
12548
    psk->identity[psk->identityLen] = '\0';
12549
12550
    /* Add it to the end and maintain the links. */
12551
    while (*list != NULL) {
12552
        /* Assign to temporary to work around compiler bug found by customer. */
12553
        next = &((*list)->next);
12554
        list = next;
12555
    }
12556
    *list = psk;
12557
    *preSharedKey = psk;
12558
12559
    (void)heap;
12560
12561
    return 0;
12562
}
12563
12564
static WC_INLINE byte GetHmacLength(int hmac)
12565
{
12566
    switch (hmac) {
12567
    #ifndef NO_SHA256
12568
        case sha256_mac:
12569
            return WC_SHA256_DIGEST_SIZE;
12570
    #endif
12571
    #ifdef WOLFSSL_SHA384
12572
        case sha384_mac:
12573
            return WC_SHA384_DIGEST_SIZE;
12574
    #endif
12575
    #ifdef WOLFSSL_SHA512
12576
        case sha512_mac:
12577
            return WC_SHA512_DIGEST_SIZE;
12578
    #endif
12579
    #ifdef WOLFSSL_SM3
12580
        case sm3_mac:
12581
            return WC_SM3_DIGEST_SIZE;
12582
    #endif
12583
        default:
12584
            break;
12585
    }
12586
    return 0;
12587
}
12588
12589
/* Use the data to create a new pre-shared key object in the extensions.
12590
 *
12591
 * ssl           The SSL/TLS object.
12592
 * identity      The identity.
12593
 * len           The length of the identity data.
12594
 * age           The age of the identity.
12595
 * hmac          The HMAC algorithm.
12596
 * cipherSuite0  The first byte of the cipher suite to use.
12597
 * cipherSuite   The second byte of the cipher suite to use.
12598
 * resumption    The PSK is for resumption of a session.
12599
 * preSharedKey  The new pre-shared key object.
12600
 * returns 0 on success and other values indicate failure.
12601
 */
12602
int TLSX_PreSharedKey_Use(TLSX** extensions, const byte* identity, word16 len,
12603
                          word32 age, byte hmac, byte cipherSuite0,
12604
                          byte cipherSuite, byte resumption,
12605
                          PreSharedKey **preSharedKey, void* heap)
12606
{
12607
    int           ret = 0;
12608
    TLSX*         extension;
12609
    PreSharedKey* psk = NULL;
12610
12611
    /* Find the pre-shared key extension if it exists. */
12612
    extension = TLSX_Find(*extensions, TLSX_PRE_SHARED_KEY);
12613
    if (extension == NULL) {
12614
        /* Push new pre-shared key extension. */
12615
        ret = TLSX_Push(extensions, TLSX_PRE_SHARED_KEY, NULL, heap);
12616
        if (ret != 0)
12617
            return ret;
12618
12619
        extension = TLSX_Find(*extensions, TLSX_PRE_SHARED_KEY);
12620
        if (extension == NULL)
12621
            return MEMORY_E;
12622
    }
12623
12624
    /* Try to find the pre-shared key with this identity. */
12625
    psk = (PreSharedKey*)extension->data;
12626
    while (psk != NULL) {
12627
        if ((psk->identityLen == len) &&
12628
               (XMEMCMP(psk->identity, identity, len) == 0)) {
12629
            break;
12630
        }
12631
        psk = psk->next;
12632
    }
12633
12634
    /* Create a new pre-shared key object if not found. */
12635
    if (psk == NULL) {
12636
        ret = TLSX_PreSharedKey_New((PreSharedKey**)&extension->data, identity,
12637
                                    len, heap, &psk);
12638
        if (ret != 0)
12639
            return ret;
12640
    }
12641
12642
    /* Update/set age and HMAC algorithm. */
12643
    psk->ticketAge    = age;
12644
    psk->hmac         = hmac;
12645
    psk->cipherSuite0 = cipherSuite0;
12646
    psk->cipherSuite  = cipherSuite;
12647
    psk->resumption   = resumption;
12648
    psk->binderLen    = GetHmacLength(psk->hmac);
12649
12650
    if (preSharedKey != NULL)
12651
        *preSharedKey = psk;
12652
12653
    return 0;
12654
}
12655
12656
#define PSK_FREE_ALL  TLSX_PreSharedKey_FreeAll
12657
#define PSK_GET_SIZE  TLSX_PreSharedKey_GetSize
12658
#define PSK_WRITE     TLSX_PreSharedKey_Write
12659
#define PSK_PARSE     TLSX_PreSharedKey_Parse
12660
12661
#else
12662
12663
#define PSK_FREE_ALL(a, b) WC_DO_NOTHING
12664
#define PSK_GET_SIZE(a, b, c) 0
12665
#define PSK_WRITE(a, b, c, d) 0
12666
#define PSK_PARSE(a, b, c, d) 0
12667
12668
#endif
12669
12670
/******************************************************************************/
12671
/* Certificate Authentication with External Pre-Shared Key                    */
12672
/******************************************************************************/
12673
12674
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
12675
    !defined(NO_PSK)
12676
12677
static int TLSX_CertWithExternPsk_GetSize(byte msgType, word16* pSz)
12678
{
12679
    (void)msgType;
12680
    (void)pSz;
12681
    /* Zero-length extension - nothing to add. */
12682
    return 0;
12683
}
12684
12685
static int TLSX_CertWithExternPsk_Write(byte* output, byte msgType,
12686
    word16* pSz)
12687
{
12688
    (void)output;
12689
    (void)msgType;
12690
    (void)pSz;
12691
    /* Zero-length extension - nothing to write. */
12692
    return 0;
12693
}
12694
12695
static int TLSX_CertWithExternPsk_Parse(WOLFSSL* ssl, byte msgType)
12696
{
12697
    if (msgType == client_hello) {
12698
        /* Server has not opted in - treat the extension as unknown. */
12699
        if (!ssl->options.certWithExternPsk)
12700
            return 0;
12701
        /* Record that the client offered the extension, leaving resp=0.
12702
         * CheckPreSharedKeys() is the sole writer that flips resp to 1, and
12703
         * only after confirming that a non-ticket PSK was matched. */
12704
        if (TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) == NULL) {
12705
            return TLSX_Push(&ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK,
12706
                NULL, ssl->heap);
12707
        }
12708
        return 0;
12709
    }
12710
12711
    if (msgType == server_hello) {
12712
        if (TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) == NULL) {
12713
            WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
12714
            return EXT_NOT_ALLOWED;
12715
        }
12716
        ssl->options.certWithExternPsk = 1;
12717
        return 0;
12718
    }
12719
12720
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12721
    return SANITY_MSG_E;
12722
}
12723
12724
int TLSX_CertWithExternPsk_Use(WOLFSSL* ssl)
12725
{
12726
    TLSX* extension = TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK);
12727
12728
    if (extension == NULL) {
12729
        int ret = TLSX_Push(&ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK, NULL,
12730
            ssl->heap);
12731
        if (ret != 0)
12732
            return ret;
12733
        extension = TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK);
12734
        if (extension == NULL)
12735
            return MEMORY_E;
12736
    }
12737
    extension->resp = 1;
12738
    return 0;
12739
}
12740
12741
#define PSK_WITH_CERT_GET_SIZE  TLSX_CertWithExternPsk_GetSize
12742
#define PSK_WITH_CERT_WRITE     TLSX_CertWithExternPsk_Write
12743
#define PSK_WITH_CERT_PARSE     TLSX_CertWithExternPsk_Parse
12744
12745
#else
12746
12747
#define PSK_WITH_CERT_GET_SIZE(a, b) 0
12748
#define PSK_WITH_CERT_WRITE(a, b, c) 0
12749
#define PSK_WITH_CERT_PARSE(a, b) 0
12750
12751
#endif /* WOLFSSL_TLS13 && WOLFSSL_CERT_WITH_EXTERN_PSK */
12752
12753
/******************************************************************************/
12754
/* PSK Key Exchange Modes                                                     */
12755
/******************************************************************************/
12756
12757
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
12758
/* Get the size of the encoded PSK KE modes extension.
12759
 * Only in ClientHello.
12760
 *
12761
 * modes    The PSK KE mode bit string.
12762
 * msgType  The type of the message this extension is being written into.
12763
 * returns the number of bytes of the encoded PSK KE mode extension.
12764
 */
12765
static int TLSX_PskKeModes_GetSize(byte modes, byte msgType, word16* pSz)
12766
{
12767
    if (msgType == client_hello) {
12768
        /* Format: Len | Modes* */
12769
        word16 len = OPAQUE8_LEN;
12770
        /* Check whether each possible mode is to be written. */
12771
        if (modes & (1 << PSK_KE))
12772
            len += OPAQUE8_LEN;
12773
        if (modes & (1 << PSK_DHE_KE))
12774
            len += OPAQUE8_LEN;
12775
        *pSz += len;
12776
        return 0;
12777
    }
12778
12779
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12780
    return SANITY_MSG_E;
12781
}
12782
12783
/* Writes the PSK KE modes extension into the output buffer.
12784
 * Assumes that the the output buffer is big enough to hold data.
12785
 * Only in ClientHello.
12786
 *
12787
 * modes    The PSK KE mode bit string.
12788
 * output   The buffer to write into.
12789
 * msgType  The type of the message this extension is being written into.
12790
 * returns the number of bytes written into the buffer.
12791
 */
12792
static int TLSX_PskKeModes_Write(byte modes, byte* output, byte msgType,
12793
                                 word16* pSz)
12794
{
12795
    if (msgType == client_hello) {
12796
        /* Format: Len | Modes* */
12797
        word16 idx = OPAQUE8_LEN;
12798
12799
        /* Write out each possible mode. */
12800
        if (modes & (1 << PSK_KE))
12801
            output[idx++] = PSK_KE;
12802
        if (modes & (1 << PSK_DHE_KE))
12803
            output[idx++] = PSK_DHE_KE;
12804
        /* Write out length of mode list. */
12805
        output[0] = (byte)(idx - OPAQUE8_LEN);
12806
12807
        *pSz += idx;
12808
        return 0;
12809
    }
12810
12811
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12812
    return SANITY_MSG_E;
12813
}
12814
12815
int TLSX_PskKeyModes_Parse_Modes(const byte* input, word16 length, byte msgType,
12816
                                byte* modes)
12817
{
12818
    if (msgType == client_hello) {
12819
        /* Format: Len | Modes* */
12820
        int   idx = 0;
12821
        word16 len;
12822
        *modes = 0;
12823
12824
        /* Ensure length byte exists. */
12825
        if (length < OPAQUE8_LEN)
12826
            return BUFFER_E;
12827
12828
        /* Get length of mode list and ensure that is the only data. */
12829
        len = input[0];
12830
        if (length - OPAQUE8_LEN != len)
12831
            return BUFFER_E;
12832
12833
        idx = OPAQUE8_LEN;
12834
        /* Set a bit for each recognized modes. */
12835
        while (len > 0) {
12836
            /* Ignore unrecognized modes.  */
12837
            if (input[idx] <= PSK_DHE_KE)
12838
               *modes |= 1 << input[idx];
12839
            idx++;
12840
            len--;
12841
        }
12842
        return 0;
12843
    }
12844
12845
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12846
    return SANITY_MSG_E;
12847
}
12848
12849
/* Parse the PSK KE modes extension.
12850
 * Only in ClientHello.
12851
 *
12852
 * ssl      The SSL/TLS object.
12853
 * input    The extension data.
12854
 * length   The length of the extension data.
12855
 * msgType  The type of the message this extension is being parsed from.
12856
 * returns 0 on success and other values indicate failure.
12857
 */
12858
static int TLSX_PskKeModes_Parse(WOLFSSL* ssl, const byte* input, word16 length,
12859
                                 byte msgType)
12860
{
12861
    int    ret;
12862
    byte modes;
12863
12864
    ret = TLSX_PskKeyModes_Parse_Modes(input, length, msgType, &modes);
12865
    if (ret == 0)
12866
        ret = TLSX_PskKeyModes_Use(ssl, modes);
12867
12868
    if (ret != 0) {
12869
        WOLFSSL_ERROR_VERBOSE(ret);
12870
    }
12871
12872
    return ret;
12873
}
12874
12875
/* Use the data to create a new PSK Key Exchange Modes object in the extensions.
12876
 *
12877
 * ssl    The SSL/TLS object.
12878
 * modes  The PSK key exchange modes.
12879
 * returns 0 on success and other values indicate failure.
12880
 */
12881
int TLSX_PskKeyModes_Use(WOLFSSL* ssl, byte modes)
12882
{
12883
    int           ret = 0;
12884
    TLSX*         extension;
12885
12886
    /* Find the PSK key exchange modes extension if it exists. */
12887
    extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
12888
    if (extension == NULL) {
12889
        /* Push new PSK key exchange modes extension. */
12890
        ret = TLSX_Push(&ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES, NULL,
12891
            ssl->heap);
12892
        if (ret != 0)
12893
            return ret;
12894
12895
        extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
12896
        if (extension == NULL)
12897
            return MEMORY_E;
12898
    }
12899
12900
    extension->val = modes;
12901
12902
    return 0;
12903
}
12904
12905
#define PKM_GET_SIZE  TLSX_PskKeModes_GetSize
12906
#define PKM_WRITE     TLSX_PskKeModes_Write
12907
#define PKM_PARSE     TLSX_PskKeModes_Parse
12908
12909
#else
12910
12911
#define PKM_GET_SIZE(a, b, c) 0
12912
#define PKM_WRITE(a, b, c, d) 0
12913
#define PKM_PARSE(a, b, c, d) 0
12914
12915
#endif
12916
12917
/******************************************************************************/
12918
/* Post-Handshake Authentication                                              */
12919
/******************************************************************************/
12920
12921
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
12922
/* Get the size of the encoded Post-Handshake Authentication extension.
12923
 * Only in ClientHello.
12924
 *
12925
 * msgType  The type of the message this extension is being written into.
12926
 * returns the number of bytes of the encoded Post-Handshake Authentication
12927
 * extension.
12928
 */
12929
static int TLSX_PostHandAuth_GetSize(byte msgType, word16* pSz)
12930
{
12931
    if (msgType == client_hello) {
12932
        *pSz += 0;
12933
        return 0;
12934
    }
12935
12936
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12937
    return SANITY_MSG_E;
12938
}
12939
12940
/* Writes the Post-Handshake Authentication extension into the output buffer.
12941
 * Assumes that the the output buffer is big enough to hold data.
12942
 * Only in ClientHello.
12943
 *
12944
 * output   The buffer to write into.
12945
 * msgType  The type of the message this extension is being written into.
12946
 * returns the number of bytes written into the buffer.
12947
 */
12948
static int TLSX_PostHandAuth_Write(byte* output, byte msgType, word16* pSz)
12949
{
12950
    (void)output;
12951
12952
    if (msgType == client_hello) {
12953
        *pSz += 0;
12954
        return 0;
12955
    }
12956
12957
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12958
    return SANITY_MSG_E;
12959
}
12960
12961
/* Parse the Post-Handshake Authentication extension.
12962
 * Only in ClientHello.
12963
 *
12964
 * ssl      The SSL/TLS object.
12965
 * input    The extension data.
12966
 * length   The length of the extension data.
12967
 * msgType  The type of the message this extension is being parsed from.
12968
 * returns 0 on success and other values indicate failure.
12969
 */
12970
static int TLSX_PostHandAuth_Parse(WOLFSSL* ssl, const byte* input,
12971
                                   word16 length, byte msgType)
12972
{
12973
    (void)input;
12974
12975
    if (msgType == client_hello) {
12976
        /* Ensure extension is empty. */
12977
        if (length != 0)
12978
            return BUFFER_E;
12979
12980
        ssl->options.postHandshakeAuth = 1;
12981
        return 0;
12982
    }
12983
12984
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
12985
    return SANITY_MSG_E;
12986
}
12987
12988
/* Create a new Post-handshake authentication object in the extensions.
12989
 *
12990
 * ssl    The SSL/TLS object.
12991
 * returns 0 on success and other values indicate failure.
12992
 */
12993
static int TLSX_PostHandAuth_Use(WOLFSSL* ssl)
12994
{
12995
    int   ret = 0;
12996
    TLSX* extension;
12997
12998
    /* Find the PSK key exchange modes extension if it exists. */
12999
    extension = TLSX_Find(ssl->extensions, TLSX_POST_HANDSHAKE_AUTH);
13000
    if (extension == NULL) {
13001
        /* Push new Post-handshake Authentication extension. */
13002
        ret = TLSX_Push(&ssl->extensions, TLSX_POST_HANDSHAKE_AUTH, NULL,
13003
            ssl->heap);
13004
        if (ret != 0)
13005
            return ret;
13006
    }
13007
13008
    return 0;
13009
}
13010
13011
#define PHA_GET_SIZE  TLSX_PostHandAuth_GetSize
13012
#define PHA_WRITE     TLSX_PostHandAuth_Write
13013
#define PHA_PARSE     TLSX_PostHandAuth_Parse
13014
13015
#else
13016
13017
#define PHA_GET_SIZE(a, b)    0
13018
#define PHA_WRITE(a, b, c)    0
13019
#define PHA_PARSE(a, b, c, d) 0
13020
13021
#endif
13022
13023
/******************************************************************************/
13024
/* Early Data Indication                                                      */
13025
/******************************************************************************/
13026
13027
#ifdef WOLFSSL_EARLY_DATA
13028
/* Get the size of the encoded Early Data Indication extension.
13029
 * In messages: ClientHello, EncryptedExtensions and NewSessionTicket.
13030
 *
13031
 * msgType  The type of the message this extension is being written into.
13032
 * returns the number of bytes of the encoded Early Data Indication extension.
13033
 */
13034
static int TLSX_EarlyData_GetSize(byte msgType, word16* pSz)
13035
{
13036
    int ret = 0;
13037
13038
    if (msgType == client_hello || msgType == encrypted_extensions)
13039
        *pSz += 0;
13040
    else if (msgType == session_ticket)
13041
        *pSz += OPAQUE32_LEN;
13042
    else {
13043
        ret = SANITY_MSG_E;
13044
        WOLFSSL_ERROR_VERBOSE(ret);
13045
    }
13046
13047
    return ret;
13048
}
13049
13050
/* Writes the Early Data Indicator extension into the output buffer.
13051
 * Assumes that the the output buffer is big enough to hold data.
13052
 * In messages: ClientHello, EncryptedExtensions and NewSessionTicket.
13053
 *
13054
 * maxSz    The maximum early data size.
13055
 * output   The buffer to write into.
13056
 * msgType  The type of the message this extension is being written into.
13057
 * returns the number of bytes written into the buffer.
13058
 */
13059
static int TLSX_EarlyData_Write(word32 maxSz, byte* output, byte msgType,
13060
                                word16* pSz)
13061
{
13062
    if (msgType == client_hello || msgType == encrypted_extensions)
13063
        return 0;
13064
    else if (msgType == session_ticket) {
13065
        c32toa(maxSz, output);
13066
        *pSz += OPAQUE32_LEN;
13067
        return 0;
13068
    }
13069
13070
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13071
    return SANITY_MSG_E;
13072
}
13073
13074
/* Parse the Early Data Indicator extension.
13075
 * In messages: ClientHello, EncryptedExtensions and NewSessionTicket.
13076
 *
13077
 * ssl      The SSL/TLS object.
13078
 * input    The extension data.
13079
 * length   The length of the extension data.
13080
 * msgType  The type of the message this extension is being parsed from.
13081
 * returns 0 on success and other values indicate failure.
13082
 */
13083
static int TLSX_EarlyData_Parse(WOLFSSL* ssl, const byte* input, word16 length,
13084
                                 byte msgType)
13085
{
13086
    WOLFSSL_ENTER("TLSX_EarlyData_Parse");
13087
    if (msgType == client_hello) {
13088
        if (length != 0)
13089
            return BUFFER_E;
13090
13091
        if (ssl->earlyData == expecting_early_data) {
13092
13093
            if (ssl->options.maxEarlyDataSz != 0)
13094
                ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED;
13095
            else
13096
                ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED;
13097
13098
            return TLSX_EarlyData_Use(ssl, 0, 0);
13099
        }
13100
        ssl->earlyData = early_data_ext;
13101
13102
        return 0;
13103
    }
13104
    if (msgType == encrypted_extensions) {
13105
        if (length != 0)
13106
            return BUFFER_E;
13107
13108
        /* Ensure the index of PSK identity chosen by server is 0.
13109
         * Index is plus one to handle 'not set' value of 0.
13110
         */
13111
        if (ssl->options.pskIdIndex != 1) {
13112
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
13113
            return PSK_KEY_ERROR;
13114
        }
13115
13116
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
13117
            /* the extension from server comes in */
13118
            ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED;
13119
        }
13120
13121
        return TLSX_EarlyData_Use(ssl, 1, 1);
13122
    }
13123
    if (msgType == session_ticket) {
13124
        word32 maxSz;
13125
13126
        if (length != OPAQUE32_LEN)
13127
            return BUFFER_E;
13128
        ato32(input, &maxSz);
13129
13130
        ssl->session->maxEarlyDataSz = maxSz;
13131
        return 0;
13132
    }
13133
13134
    WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
13135
    return SANITY_MSG_E;
13136
}
13137
13138
/* Use the data to create a new Early Data object in the extensions.
13139
 *
13140
 * ssl    The SSL/TLS object.
13141
 * maxSz  The maximum early data size.
13142
 * is_response   if this extension is part of a response
13143
 * returns 0 on success and other values indicate failure.
13144
 */
13145
int TLSX_EarlyData_Use(WOLFSSL* ssl, word32 maxSz, int is_response)
13146
{
13147
    int   ret = 0;
13148
    TLSX* extension;
13149
13150
    /* Find the early data extension if it exists. */
13151
    extension = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
13152
    if (extension == NULL) {
13153
        /* Push new early data extension. */
13154
        ret = TLSX_Push(&ssl->extensions, TLSX_EARLY_DATA, NULL, ssl->heap);
13155
        if (ret != 0)
13156
            return ret;
13157
13158
        extension = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
13159
        if (extension == NULL)
13160
            return MEMORY_E;
13161
    }
13162
13163
    extension->resp = is_response;
13164
    /* In QUIC, earlydata size is either 0 or 0xffffffff.
13165
     * Override any size between, possibly left from our initial value */
13166
    extension->val  = (WOLFSSL_IS_QUIC(ssl) && is_response && maxSz > 0) ?
13167
                       WOLFSSL_MAX_32BIT : maxSz;
13168
13169
    return 0;
13170
}
13171
13172
#define EDI_GET_SIZE  TLSX_EarlyData_GetSize
13173
#define EDI_WRITE     TLSX_EarlyData_Write
13174
#define EDI_PARSE     TLSX_EarlyData_Parse
13175
13176
#else
13177
13178
#define EDI_GET_SIZE(a, b)    0
13179
#define EDI_WRITE(a, b, c, d) 0
13180
#define EDI_PARSE(a, b, c, d) 0
13181
13182
#endif
13183
13184
/******************************************************************************/
13185
/* QUIC transport parameter extension                                         */
13186
/******************************************************************************/
13187
#ifdef WOLFSSL_QUIC
13188
13189
static word16 TLSX_QuicTP_GetSize(TLSX* extension)
13190
{
13191
    const QuicTransportParam *tp = (QuicTransportParam*)extension->data;
13192
13193
    return tp ? tp->len : 0;
13194
}
13195
13196
int TLSX_QuicTP_Use(WOLFSSL* ssl, TLSX_Type ext_type, int is_response)
13197
{
13198
    int ret = 0;
13199
    TLSX* extension;
13200
13201
    WOLFSSL_ENTER("TLSX_QuicTP_Use");
13202
    if (ssl->quic.transport_local == NULL) {
13203
        /* RFC9000, ch 7.3: "An endpoint MUST treat the absence of [...]
13204
         *     from either endpoint [...] as a connection error of type
13205
         *     TRANSPORT_PARAMETER_ERROR."
13206
         */
13207
        ret = QUIC_TP_MISSING_E;
13208
        goto cleanup;
13209
    }
13210
13211
    extension = TLSX_Find(ssl->extensions, ext_type);
13212
    if (extension == NULL) {
13213
        ret = TLSX_Push(&ssl->extensions, ext_type, NULL, ssl->heap);
13214
        if (ret != 0)
13215
            goto cleanup;
13216
13217
        extension = TLSX_Find(ssl->extensions, ext_type);
13218
        if (extension == NULL) {
13219
            ret = MEMORY_E;
13220
            goto cleanup;
13221
        }
13222
    }
13223
    if (extension->data) {
13224
        QuicTransportParam_free((QuicTransportParam*)extension->data, ssl->heap);
13225
        extension->data = NULL;
13226
    }
13227
    extension->resp = is_response;
13228
    extension->data = (void*)QuicTransportParam_dup(ssl->quic.transport_local, ssl->heap);
13229
    if (!extension->data) {
13230
        ret = MEMORY_E;
13231
        goto cleanup;
13232
    }
13233
13234
cleanup:
13235
    WOLFSSL_LEAVE("TLSX_QuicTP_Use", ret);
13236
    return ret;
13237
}
13238
13239
static word16 TLSX_QuicTP_Write(QuicTransportParam *tp, byte* output)
13240
{
13241
    word16 len = 0;
13242
13243
    WOLFSSL_ENTER("TLSX_QuicTP_Write");
13244
    if (tp && tp->len) {
13245
        XMEMCPY(output, tp->data, tp->len);
13246
        len = tp->len;
13247
    }
13248
    WOLFSSL_LEAVE("TLSX_QuicTP_Write", len);
13249
    return len;
13250
}
13251
13252
static int TLSX_QuicTP_Parse(WOLFSSL *ssl, const byte *input, size_t len, int ext_type, int msgType)
13253
{
13254
    const QuicTransportParam *tp, **ptp;
13255
13256
    (void)msgType;
13257
    tp = QuicTransportParam_new(input, len, ssl->heap);
13258
    if (!tp) {
13259
        return MEMORY_E;
13260
    }
13261
    ptp = (ext_type == TLSX_KEY_QUIC_TP_PARAMS_DRAFT) ?
13262
        &ssl->quic.transport_peer_draft : &ssl->quic.transport_peer;
13263
    if (*ptp) {
13264
        QTP_FREE(*ptp, ssl->heap);
13265
    }
13266
    *ptp = tp;
13267
    return 0;
13268
}
13269
13270
#define QTP_GET_SIZE    TLSX_QuicTP_GetSize
13271
#define QTP_USE         TLSX_QuicTP_Use
13272
#define QTP_WRITE       TLSX_QuicTP_Write
13273
#define QTP_PARSE       TLSX_QuicTP_Parse
13274
13275
#endif /* WOLFSSL_QUIC */
13276
13277
#if defined(WOLFSSL_DTLS_CID)
13278
#define CID_GET_SIZE  TLSX_ConnectionID_GetSize
13279
#define CID_WRITE  TLSX_ConnectionID_Write
13280
#define CID_PARSE  TLSX_ConnectionID_Parse
13281
#define CID_FREE  TLSX_ConnectionID_Free
13282
#else
13283
#define CID_GET_SIZE(a) 0
13284
#define CID_WRITE(a, b) 0
13285
#define CID_PARSE(a, b, c, d) 0
13286
#define CID_FREE(a, b) 0
13287
#endif /* defined(WOLFSSL_DTLS_CID) */
13288
13289
#if defined(HAVE_RPK)
13290
/******************************************************************************/
13291
/* Client_Certificate_Type extension                                          */
13292
/******************************************************************************/
13293
/* return 1 if specified type is included in the given list, otherwise 0 */
13294
static int IsCertTypeListed(byte type, byte cnt, const byte* list)
13295
{
13296
    int ret = 0;
13297
    int i;
13298
13299
    if (cnt == 0 || list == NULL)
13300
        return ret;
13301
13302
    if (cnt > 0 && cnt <= MAX_CLIENT_CERT_TYPE_CNT) {
13303
        for (i = 0; i < cnt; i++) {
13304
            if (list[i] == type)
13305
                return 1;
13306
        }
13307
    }
13308
    return 0;
13309
}
13310
13311
/* Search both arrays from above to find a common value between the two given
13312
 * arrays(a and b). return 1 if it finds a common value, otherwise return 0.
13313
 */
13314
static int GetCommonItem(const byte* a, byte aLen, const byte* b, byte bLen,
13315
                                                                    byte* type)
13316
{
13317
    int i, j;
13318
13319
    if (a == NULL || b == NULL)
13320
        return 0;
13321
13322
    for (i = 0; i < aLen; i++) {
13323
        for (j = 0; j < bLen; j++) {
13324
            if (a[i] == b[j]) {
13325
                *type = a[i];
13326
                return 1;
13327
            }
13328
        }
13329
    }
13330
    return 0;
13331
}
13332
13333
/* Creates a "client certificate type" extension if necessary.
13334
 * Returns 0 if no error occurred, negative value otherwise.
13335
 * A return of 0, it does not indicae that the extension was created.
13336
 */
13337
static int TLSX_ClientCertificateType_Use(WOLFSSL* ssl, byte isServer)
13338
{
13339
    int ret = 0;
13340
13341
    if (ssl == NULL)
13342
        return BAD_FUNC_ARG;
13343
13344
    if (isServer) {
13345
        /* [in server side]
13346
         */
13347
13348
        if (IsCertTypeListed(WOLFSSL_CERT_TYPE_RPK,
13349
                        ssl->options.rpkConfig.preferred_ClientCertTypeCnt,
13350
                        ssl->options.rpkConfig.preferred_ClientCertTypes)) {
13351
13352
            WOLFSSL_MSG("Adding Client Certificate Type extension");
13353
            ret = TLSX_Push(&ssl->extensions, TLSX_CLIENT_CERTIFICATE_TYPE, ssl,
13354
                                                                    ssl->heap);
13355
            if (ret == 0) {
13356
                TLSX_SetResponse(ssl, TLSX_CLIENT_CERTIFICATE_TYPE);
13357
            }
13358
        }
13359
    }
13360
    else {
13361
        /* [in client side]
13362
         * This extension MUST be omitted from the ClientHello unless the RPK
13363
         * certificate is preferred by the user and actually loaded.
13364
         */
13365
13366
        if (IsCertTypeListed(WOLFSSL_CERT_TYPE_RPK,
13367
                        ssl->options.rpkConfig.preferred_ClientCertTypeCnt,
13368
                        ssl->options.rpkConfig.preferred_ClientCertTypes)) {
13369
13370
            if (ssl->options.rpkState.isRPKLoaded) {
13371
13372
                ssl->options.rpkState.sending_ClientCertTypeCnt = 1;
13373
                ssl->options.rpkState.sending_ClientCertTypes[0] =
13374
                                                        WOLFSSL_CERT_TYPE_RPK;
13375
13376
                /* Push new client_certificate_type extension. */
13377
                WOLFSSL_MSG("Adding Client Certificate Type extension");
13378
                ret = TLSX_Push(&ssl->extensions, TLSX_CLIENT_CERTIFICATE_TYPE,
13379
                                                                ssl, ssl->heap);
13380
            }
13381
            else {
13382
                WOLFSSL_MSG("Willing to use RPK cert but not loaded it");
13383
            }
13384
        }
13385
        else {
13386
            WOLFSSL_MSG("No will to use RPK cert");
13387
        }
13388
    }
13389
    return ret;
13390
}
13391
13392
/* Parse a "client certificate type" extension received from peer.
13393
 * returns 0 on success and other values indicate failure.
13394
 */
13395
static int TLSX_ClientCertificateType_Parse(WOLFSSL* ssl, const byte* input,
13396
                                                word16 length, byte msgType)
13397
{
13398
    byte typeCnt;
13399
    int idx = 0;
13400
    int ret = 0;
13401
    int i;
13402
    int populate = 0;
13403
    byte  cmnType;
13404
13405
13406
    if (msgType == client_hello) {
13407
        /* [parse ClientHello in server end]
13408
         * case 1) if peer verify is disabled, this extension must be omitted
13409
         *         from ServerHello.
13410
         * case 2) if user have not set his preference, find X509 in parsed
13411
         *         result, then populate "Client Certificate Type" extension.
13412
         * case 3) if user have not set his preference and X509 isn't included
13413
         *         in parsed result, send "unsupported certificate" alert.
13414
         * case 4) if user have set his preference, find a common cert type
13415
         *         in users preference and received cert types.
13416
         * case 5) if user have set his preference, but no common cert type
13417
         *         found.
13418
         */
13419
13420
        /* case 1 */
13421
        if (ssl->options.verifyNone) {
13422
            return ret;
13423
        }
13424
13425
        /* parse extension */
13426
        if (length < OPAQUE8_LEN)
13427
            return BUFFER_E;
13428
13429
        typeCnt = input[idx];
13430
13431
        if (typeCnt > MAX_CLIENT_CERT_TYPE_CNT)
13432
            return BUFFER_E;
13433
13434
        if ((typeCnt + 1) * OPAQUE8_LEN != length){
13435
            return BUFFER_E;
13436
        }
13437
13438
        ssl->options.rpkState.received_ClientCertTypeCnt = input[idx];
13439
        idx += OPAQUE8_LEN;
13440
13441
        for (i = 0; i < typeCnt; i++) {
13442
            ssl->options.rpkState.received_ClientCertTypes[i] = input[idx];
13443
            idx += OPAQUE8_LEN;
13444
        }
13445
13446
        if (ssl->options.rpkConfig.preferred_ClientCertTypeCnt == 0) {
13447
            /* case 2 */
13448
            if (IsCertTypeListed(WOLFSSL_CERT_TYPE_X509,
13449
                            ssl->options.rpkState.received_ClientCertTypeCnt,
13450
                            ssl->options.rpkState.received_ClientCertTypes)) {
13451
13452
                ssl->options.rpkState.sending_ClientCertTypeCnt = 1;
13453
                ssl->options.rpkState.sending_ClientCertTypes[0] =
13454
                                                        WOLFSSL_CERT_TYPE_X509;
13455
                populate = 1;
13456
            }
13457
            /* case 3 */
13458
            else {
13459
                WOLFSSL_MSG("No common cert type found in client_certificate_type ext");
13460
                SendAlert(ssl, alert_fatal, unsupported_certificate);
13461
                return UNSUPPORTED_CERTIFICATE;
13462
            }
13463
        }
13464
        else if (ssl->options.rpkConfig.preferred_ClientCertTypeCnt > 0) {
13465
            /* case 4 */
13466
            if (GetCommonItem(
13467
                            ssl->options.rpkConfig.preferred_ClientCertTypes,
13468
                            ssl->options.rpkConfig.preferred_ClientCertTypeCnt,
13469
                            ssl->options.rpkState.received_ClientCertTypes,
13470
                            ssl->options.rpkState.received_ClientCertTypeCnt,
13471
                            &cmnType)) {
13472
                ssl->options.rpkState.sending_ClientCertTypeCnt  = 1;
13473
                ssl->options.rpkState.sending_ClientCertTypes[0] = cmnType;
13474
                populate = 1;
13475
            }
13476
            /* case 5 */
13477
            else {
13478
                WOLFSSL_MSG("No common cert type found in client_certificate_type ext");
13479
                SendAlert(ssl, alert_fatal, unsupported_certificate);
13480
                return UNSUPPORTED_CERTIFICATE;
13481
            }
13482
        }
13483
13484
        /* populate client_certificate_type extension */
13485
        if (populate) {
13486
            WOLFSSL_MSG("Adding Client Certificate Type extension");
13487
            ret = TLSX_Push(&ssl->extensions, TLSX_CLIENT_CERTIFICATE_TYPE, ssl,
13488
                                                                    ssl->heap);
13489
            if (ret == 0) {
13490
                TLSX_SetResponse(ssl, TLSX_CLIENT_CERTIFICATE_TYPE);
13491
            }
13492
        }
13493
    }
13494
    else if (msgType == server_hello || msgType == encrypted_extensions) {
13495
        /* parse it in client side */
13496
        if (length == 1) {
13497
            ssl->options.rpkState.received_ClientCertTypeCnt  = 1;
13498
            ssl->options.rpkState.received_ClientCertTypes[0] = *input;
13499
        }
13500
        else {
13501
            return BUFFER_E;
13502
        }
13503
    }
13504
13505
    return ret;
13506
}
13507
13508
/* Write out the "client certificate type" extension data into the given buffer.
13509
 * return the size wrote in the buffer on success, negative value on error.
13510
 */
13511
static word16 TLSX_ClientCertificateType_Write(void* data, byte* output,
13512
                                              byte msgType)
13513
{
13514
    WOLFSSL* ssl = (WOLFSSL*)data;
13515
    word16 idx = 0;
13516
    byte cnt = 0;
13517
    int i;
13518
13519
    /* skip to write extension if count is zero */
13520
    cnt = ssl->options.rpkState.sending_ClientCertTypeCnt;
13521
13522
    if (cnt == 0)
13523
        return 0;
13524
13525
    if (msgType == client_hello) {
13526
        /* client side */
13527
13528
        *(output + idx) = cnt;
13529
        idx += OPAQUE8_LEN;
13530
13531
        for (i = 0; i < cnt; i++) {
13532
            *(output + idx) = ssl->options.rpkState.sending_ClientCertTypes[i];
13533
            idx += OPAQUE8_LEN;
13534
        }
13535
        return idx;
13536
    }
13537
    else if (msgType == server_hello || msgType == encrypted_extensions) {
13538
        /* sever side */
13539
        if (cnt == 1) {
13540
            *(output + idx) = ssl->options.rpkState.sending_ClientCertTypes[0];
13541
            idx += OPAQUE8_LEN;
13542
        }
13543
    }
13544
    return idx;
13545
}
13546
13547
/* Calculate then return the size of the "client certificate type" extension
13548
 * data.
13549
 * return the extension data size on success, negative value on error.
13550
*/
13551
static int TLSX_ClientCertificateType_GetSize(WOLFSSL* ssl, byte msgType)
13552
{
13553
    int ret = 0;
13554
    byte cnt;
13555
13556
    if (ssl == NULL)
13557
        return BAD_FUNC_ARG;
13558
13559
    if (msgType == client_hello) {
13560
        /* client side */
13561
        cnt = ssl->options.rpkState.sending_ClientCertTypeCnt;
13562
        ret = (int)(OPAQUE8_LEN + cnt * OPAQUE8_LEN);
13563
    }
13564
    else if (msgType == server_hello || msgType == encrypted_extensions) {
13565
        /* server side */
13566
        cnt = ssl->options.rpkState.sending_ClientCertTypeCnt;/* must be one */
13567
        if (cnt != 1)
13568
            return SANITY_MSG_E;
13569
        ret = OPAQUE8_LEN;
13570
    }
13571
    else {
13572
        return SANITY_MSG_E;
13573
    }
13574
    return ret;
13575
}
13576
13577
    #define CCT_GET_SIZE  TLSX_ClientCertificateType_GetSize
13578
    #define CCT_WRITE     TLSX_ClientCertificateType_Write
13579
    #define CCT_PARSE     TLSX_ClientCertificateType_Parse
13580
#else
13581
    #define CCT_GET_SIZE(a)  0
13582
    #define CCT_WRITE(a, b)  0
13583
    #define CCT_PARSE(a, b, c, d) 0
13584
#endif /* HAVE_RPK */
13585
13586
#if defined(HAVE_RPK)
13587
/******************************************************************************/
13588
/* Server_Certificate_Type extension                                          */
13589
/******************************************************************************/
13590
/* Creates a "server certificate type" extension if necessary.
13591
 * Returns 0 if no error occurred, negative value otherwise.
13592
 * A return of 0, it does not indicae that the extension was created.
13593
 */
13594
static int TLSX_ServerCertificateType_Use(WOLFSSL* ssl, byte isServer)
13595
{
13596
    int ret = 0;
13597
    byte ctype;
13598
13599
    if (ssl == NULL)
13600
        return BAD_FUNC_ARG;
13601
13602
    if (isServer) {
13603
        /* [in server side] */
13604
        /* find common cert type to both end */
13605
        if (GetCommonItem(
13606
                ssl->options.rpkConfig.preferred_ServerCertTypes,
13607
                ssl->options.rpkConfig.preferred_ServerCertTypeCnt,
13608
                ssl->options.rpkState.received_ServerCertTypes,
13609
                ssl->options.rpkState.received_ServerCertTypeCnt,
13610
                &ctype)) {
13611
            ssl->options.rpkState.sending_ServerCertTypeCnt = 1;
13612
            ssl->options.rpkState.sending_ServerCertTypes[0] = ctype;
13613
13614
            /* Push new server_certificate_type extension. */
13615
            WOLFSSL_MSG("Adding Server Certificate Type extension");
13616
            ret = TLSX_Push(&ssl->extensions, TLSX_SERVER_CERTIFICATE_TYPE, ssl,
13617
                                                                    ssl->heap);
13618
            if (ret == 0) {
13619
                TLSX_SetResponse(ssl, TLSX_SERVER_CERTIFICATE_TYPE);
13620
            }
13621
        }
13622
        else {
13623
            /* no common cert type found */
13624
            WOLFSSL_MSG("No common cert type found in server_certificate_type ext");
13625
            SendAlert(ssl, alert_fatal, unsupported_certificate);
13626
            ret = UNSUPPORTED_CERTIFICATE;
13627
        }
13628
    }
13629
    else {
13630
        /* [in client side] */
13631
        if (IsCertTypeListed(WOLFSSL_CERT_TYPE_RPK,
13632
                            ssl->options.rpkConfig.preferred_ServerCertTypeCnt,
13633
                            ssl->options.rpkConfig.preferred_ServerCertTypes)) {
13634
13635
            ssl->options.rpkState.sending_ServerCertTypeCnt =
13636
                        ssl->options.rpkConfig.preferred_ServerCertTypeCnt;
13637
            XMEMCPY(ssl->options.rpkState.sending_ServerCertTypes,
13638
                    ssl->options.rpkConfig.preferred_ServerCertTypes,
13639
                    ssl->options.rpkConfig.preferred_ServerCertTypeCnt);
13640
13641
            /* Push new server_certificate_type extension. */
13642
            WOLFSSL_MSG("Adding Server Certificate Type extension");
13643
            ret = TLSX_Push(&ssl->extensions, TLSX_SERVER_CERTIFICATE_TYPE, ssl,
13644
                                                                    ssl->heap);
13645
        }
13646
        else {
13647
            WOLFSSL_MSG("No will to accept RPK cert");
13648
        }
13649
    }
13650
13651
    return ret;
13652
}
13653
13654
/* Parse a "server certificate type" extension received from peer.
13655
 * returns 0 on success and other values indicate failure.
13656
 */
13657
static int TLSX_ServerCertificateType_Parse(WOLFSSL* ssl, const byte* input,
13658
                                                word16 length, byte msgType)
13659
{
13660
    byte typeCnt;
13661
    int idx = 0;
13662
    int ret = 0;
13663
    int i;
13664
13665
    if (msgType == client_hello) {
13666
        /* in server side */
13667
13668
        if (length < OPAQUE8_LEN)
13669
            return BUFFER_E;
13670
13671
        typeCnt = input[idx];
13672
13673
        if (typeCnt > MAX_SERVER_CERT_TYPE_CNT)
13674
            return BUFFER_E;
13675
13676
        if ((typeCnt + 1) * OPAQUE8_LEN != length){
13677
            return BUFFER_E;
13678
        }
13679
        ssl->options.rpkState.received_ServerCertTypeCnt = input[idx];
13680
        idx += OPAQUE8_LEN;
13681
13682
        for (i = 0; i < typeCnt; i++) {
13683
            ssl->options.rpkState.received_ServerCertTypes[i] = input[idx];
13684
            idx += OPAQUE8_LEN;
13685
        }
13686
13687
        ret = TLSX_ServerCertificateType_Use(ssl, 1);
13688
        if (ret == 0) {
13689
            TLSX_SetResponse(ssl, TLSX_SERVER_CERTIFICATE_TYPE);
13690
        }
13691
    }
13692
    else if (msgType == server_hello || msgType == encrypted_extensions) {
13693
        /* in client side */
13694
        if (length != 1)                     /* length slould be 1 */
13695
            return BUFFER_E;
13696
13697
        ssl->options.rpkState.received_ServerCertTypeCnt  = 1;
13698
        ssl->options.rpkState.received_ServerCertTypes[0] = *input;
13699
    }
13700
13701
    return 0;
13702
}
13703
13704
/* Write out the "server certificate type" extension data into the given buffer.
13705
 * return the size wrote in the buffer on success, negative value on error.
13706
 */
13707
static word16 TLSX_ServerCertificateType_Write(void* data, byte* output,
13708
                                                                byte msgType)
13709
{
13710
    WOLFSSL* ssl = (WOLFSSL*)data;
13711
    word16 idx = 0;
13712
    int cnt = 0;
13713
    int i;
13714
13715
    /* skip to write extension if count is zero */
13716
    cnt = ssl->options.rpkState.sending_ServerCertTypeCnt;
13717
13718
    if (cnt == 0)
13719
        return 0;
13720
13721
    if (msgType == client_hello) {
13722
        /* in client side */
13723
13724
        *(output + idx) = cnt;
13725
        idx += OPAQUE8_LEN;
13726
13727
        for (i = 0; i < cnt; i++) {
13728
            *(output + idx) = ssl->options.rpkState.sending_ServerCertTypes[i];
13729
            idx += OPAQUE8_LEN;
13730
        }
13731
    }
13732
    else if (msgType == server_hello || msgType == encrypted_extensions) {
13733
        /* in server side */
13734
        /* ensure cnt is one */
13735
        if (cnt != 1)
13736
            return 0;
13737
13738
        *(output + idx) =  ssl->options.rpkState.sending_ServerCertTypes[0];
13739
        idx += OPAQUE8_LEN;
13740
    }
13741
    return idx;
13742
}
13743
13744
/* Calculate then return the size of the "server certificate type" extension
13745
 * data.
13746
 * return the extension data size on success, negative value on error.
13747
*/
13748
static int TLSX_ServerCertificateType_GetSize(WOLFSSL* ssl, byte msgType)
13749
{
13750
    int ret = 0;
13751
    int cnt;
13752
13753
    if (ssl == NULL)
13754
        return BAD_FUNC_ARG;
13755
13756
    if (msgType == client_hello) {
13757
        /* in clent side */
13758
        cnt = ssl->options.rpkState.sending_ServerCertTypeCnt;
13759
        if (cnt > 0) {
13760
            ret = (int)(OPAQUE8_LEN + cnt * OPAQUE8_LEN);
13761
        }
13762
    }
13763
    else if (msgType == server_hello || msgType == encrypted_extensions) {
13764
        /* in server side */
13765
        ret = (int)OPAQUE8_LEN;
13766
    }
13767
    else {
13768
        return SANITY_MSG_E;
13769
    }
13770
    return ret;
13771
}
13772
13773
    #define SCT_GET_SIZE  TLSX_ServerCertificateType_GetSize
13774
    #define SCT_WRITE     TLSX_ServerCertificateType_Write
13775
    #define SCT_PARSE     TLSX_ServerCertificateType_Parse
13776
#else
13777
    #define SCT_GET_SIZE(a)  0
13778
    #define SCT_WRITE(a, b)  0
13779
    #define SCT_PARSE(a, b, c, d) 0
13780
#endif /* HAVE_RPK */
13781
13782
/******************************************************************************/
13783
/* TLS Extensions Framework                                                   */
13784
/******************************************************************************/
13785
13786
/** Finds an extension in the provided list. */
13787
TLSX* TLSX_Find(TLSX* list, TLSX_Type type)
13788
0
{
13789
0
    TLSX* extension = list;
13790
13791
0
    while (extension && extension->type != type)
13792
0
        extension = extension->next;
13793
13794
0
    return extension;
13795
0
}
13796
13797
/** Remove an extension. */
13798
void TLSX_Remove(TLSX** list, TLSX_Type type, void* heap)
13799
0
{
13800
0
    TLSX* extension;
13801
0
    TLSX** next;
13802
13803
0
    if (list == NULL)
13804
0
        return;
13805
13806
0
    extension = *list;
13807
0
    next = list;
13808
13809
0
    while (extension && extension->type != type) {
13810
0
        next = &extension->next;
13811
0
        extension = extension->next;
13812
0
    }
13813
13814
0
    if (extension) {
13815
0
        *next = extension->next;
13816
0
        extension->next = NULL;
13817
0
        TLSX_FreeAll(extension, heap);
13818
0
    }
13819
0
}
13820
13821
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
13822
#define GREASE_ECH_SIZE 160
13823
#define TLS_INFO_CONST_STRING "tls ech"
13824
#define TLS_INFO_CONST_STRING_SZ 7
13825
13826
/* return status after setting up ech to write a grease ech */
13827
static int TLSX_GreaseECH_Use(TLSX** extensions, void* heap, WC_RNG* rng)
13828
{
13829
    int ret = 0;
13830
    TLSX* echX;
13831
    WOLFSSL_ECH* ech;
13832
13833
    if (extensions == NULL)
13834
        return BAD_FUNC_ARG;
13835
    /* skip if we already have an ech extension, we will for hrr */
13836
    echX = TLSX_Find(*extensions, TLSX_ECH);
13837
    if (echX != NULL)
13838
        return 0;
13839
13840
    ech = (WOLFSSL_ECH*)XMALLOC(sizeof(WOLFSSL_ECH), heap,
13841
        DYNAMIC_TYPE_TMP_BUFFER);
13842
    if (ech == NULL)
13843
        return MEMORY_E;
13844
    XMEMSET(ech, 0, sizeof(WOLFSSL_ECH));
13845
13846
    ech->state = ECH_WRITE_GREASE;
13847
13848
    /* 0 for outer */
13849
    ech->type = ECH_TYPE_OUTER;
13850
    /* kemId */
13851
    ech->kemId = DHKEM_X25519_HKDF_SHA256;
13852
    /* cipherSuite kdf */
13853
    ech->cipherSuite.kdfId = HKDF_SHA256;
13854
    /* cipherSuite aead */
13855
    ech->cipherSuite.aeadId = HPKE_AES_128_GCM;
13856
13857
    /* random configId */
13858
    ret = wc_RNG_GenerateByte(rng, &(ech->configId));
13859
13860
    /* curve25519 encLen */
13861
    ech->encLen = DHKEM_X25519_ENC_LEN;
13862
13863
    if (ret == 0)
13864
        ret = TLSX_Push(extensions, TLSX_ECH, ech, heap);
13865
13866
    if (ret != 0) {
13867
        XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
13868
    }
13869
13870
    return ret;
13871
}
13872
13873
/* return status after setting up ech to write real ech */
13874
static int TLSX_ECH_Use(WOLFSSL_EchConfig* echConfig, TLSX** extensions,
13875
    void* heap, WC_RNG* rng)
13876
{
13877
    int ret = 0;
13878
    int suiteIndex;
13879
    TLSX* echX;
13880
    WOLFSSL_ECH* ech;
13881
    if (extensions == NULL)
13882
        return BAD_FUNC_ARG;
13883
    /* skip if we already have an ech extension, we will for hrr */
13884
    echX = TLSX_Find(*extensions, TLSX_ECH);
13885
    if (echX != NULL)
13886
        return 0;
13887
    /* find a supported cipher suite */
13888
    suiteIndex = EchConfigGetSupportedCipherSuite(echConfig);
13889
    if (suiteIndex < 0)
13890
        return suiteIndex;
13891
    ech = (WOLFSSL_ECH*)XMALLOC(sizeof(WOLFSSL_ECH), heap,
13892
        DYNAMIC_TYPE_TMP_BUFFER);
13893
    if (ech == NULL)
13894
        return MEMORY_E;
13895
    XMEMSET(ech, 0, sizeof(WOLFSSL_ECH));
13896
    ech->state = ECH_WRITE_REAL;
13897
    ech->echConfig = echConfig;
13898
    /* 0 for outer */
13899
    ech->type = ECH_TYPE_OUTER;
13900
    /* kemId */
13901
    ech->kemId = echConfig->kemId;
13902
    /* cipherSuite kdf */
13903
    ech->cipherSuite.kdfId = echConfig->cipherSuites[suiteIndex].kdfId;
13904
    /* cipherSuite aead */
13905
    ech->cipherSuite.aeadId = echConfig->cipherSuites[suiteIndex].aeadId;
13906
    /* configId */
13907
    ech->configId = echConfig->configId;
13908
    /* encLen */
13909
    ech->encLen = wc_HpkeKemGetEncLen(echConfig->kemId);
13910
    if (ech->encLen == 0) {
13911
        XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
13912
        return BAD_FUNC_ARG;
13913
    }
13914
    /* setup hpke */
13915
    ech->hpke = (Hpke*)XMALLOC(sizeof(Hpke), heap, DYNAMIC_TYPE_TMP_BUFFER);
13916
    if (ech->hpke == NULL) {
13917
        XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
13918
        return MEMORY_E;
13919
    }
13920
    ret = wc_HpkeInit(ech->hpke, ech->kemId, ech->cipherSuite.kdfId,
13921
        ech->cipherSuite.aeadId, heap);
13922
    /* setup the ephemeralKey */
13923
    if (ret == 0)
13924
        ret = wc_HpkeGenerateKeyPair(ech->hpke, &ech->ephemeralKey, rng);
13925
    if (ret == 0) {
13926
        /* use the chosen config's public name for the outer SNI */
13927
        ret = TLSX_UseSNI(&ech->extensions, WOLFSSL_SNI_HOST_NAME,
13928
            echConfig->publicName, (word16)XSTRLEN(echConfig->publicName),
13929
            heap);
13930
        if (ret != WOLFSSL_SUCCESS ||
13931
                (ret = TLSX_Push(extensions, TLSX_ECH, ech, heap)) != 0) {
13932
            TLSX_FreeAll(ech->extensions, heap);
13933
            wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, ech->ephemeralKey,
13934
                ech->hpke->heap);
13935
        }
13936
    }
13937
    if (ret != 0) {
13938
        XFREE(ech->hpke, heap, DYNAMIC_TYPE_TMP_BUFFER);
13939
        XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
13940
    }
13941
    return ret;
13942
}
13943
13944
/* return status after setting up ech to read and decrypt */
13945
WOLFSSL_TEST_VIS int TLSX_ServerECH_Use(TLSX** extensions, void* heap,
13946
    WOLFSSL_EchConfig* configs)
13947
{
13948
    int ret;
13949
    WOLFSSL_ECH* ech;
13950
    TLSX* echX;
13951
    if (extensions == NULL)
13952
        return BAD_FUNC_ARG;
13953
    /* if we already have ech don't override it */
13954
    echX = TLSX_Find(*extensions, TLSX_ECH);
13955
    if (echX != NULL)
13956
        return 0;
13957
    ech = (WOLFSSL_ECH*)XMALLOC(sizeof(WOLFSSL_ECH), heap,
13958
        DYNAMIC_TYPE_TMP_BUFFER);
13959
    if (ech == NULL)
13960
        return MEMORY_E;
13961
    XMEMSET(ech, 0, sizeof(WOLFSSL_ECH));
13962
    ech->state = ECH_WRITE_NONE;
13963
    /* 0 for outer */
13964
    ech->type = ECH_TYPE_OUTER;
13965
    ech->echConfig = configs;
13966
    /* setup the rest of the settings when we receive ech from the client */
13967
    ret = TLSX_Push(extensions, TLSX_ECH, ech, heap);
13968
    if (ret != 0)
13969
        XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
13970
    return ret;
13971
}
13972
13973
/* return status after writing the ech and updating offset */
13974
static int TLSX_ECH_Write(WOLFSSL_ECH* ech, byte msgType, byte* writeBuf,
13975
    word16* offset)
13976
{
13977
    int ret = 0;
13978
    int rngRet = -1;
13979
    word32 configsLen = 0;
13980
    void* ephemeralKey = NULL;
13981
    byte* writeBuf_p = writeBuf;
13982
    WC_DECLARE_VAR(hpke, Hpke, 1, DYNAMIC_TYPE_TMP_BUFFER);
13983
    WC_DECLARE_VAR(rng, WC_RNG, 1, DYNAMIC_TYPE_RNG);
13984
13985
    WOLFSSL_MSG("TLSX_ECH_Write");
13986
    if (msgType == hello_retry_request) {
13987
        WC_ALLOC_VAR_EX(rng, WC_RNG, 1, NULL, DYNAMIC_TYPE_RNG, ret = MEMORY_E);
13988
        if (ret == 0) {
13989
            ret = wc_InitRng(rng);
13990
        }
13991
        if (ret == 0) {
13992
            /* randomize confirmation in case ech is rejected */
13993
            ret = wc_RNG_GenerateBlock(rng, writeBuf,
13994
                    ECH_ACCEPT_CONFIRMATION_SZ);
13995
            wc_FreeRng(rng);
13996
        }
13997
        if (ret == 0) {
13998
            *offset += ECH_ACCEPT_CONFIRMATION_SZ;
13999
            ech->confBuf = writeBuf;
14000
        }
14001
14002
        WC_FREE_VAR_EX(rng, NULL, DYNAMIC_TYPE_RNG);
14003
        return ret;
14004
    }
14005
    if (ech->state == ECH_WRITE_NONE || ech->state == ECH_PARSED_INTERNAL)
14006
        return 0;
14007
    if (ech->state == ECH_WRITE_RETRY_CONFIGS) {
14008
        /* get size then write */
14009
        ret = GetEchConfigsEx(ech->echConfig, NULL, &configsLen);
14010
        if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E))
14011
            return ret;
14012
        ret = GetEchConfigsEx(ech->echConfig, writeBuf, &configsLen);
14013
        if (ret != WOLFSSL_SUCCESS)
14014
            return ret;
14015
        *offset += configsLen;
14016
        return 0;
14017
    }
14018
    /* type */
14019
    *writeBuf_p = ech->type;
14020
    writeBuf_p += sizeof(ech->type);
14021
    /* outer has body, inner does not */
14022
    if (ech->type == ECH_TYPE_OUTER) {
14023
        /* kdfId */
14024
        c16toa(ech->cipherSuite.kdfId, writeBuf_p);
14025
        writeBuf_p += sizeof(ech->cipherSuite.kdfId);
14026
        /* aeadId */
14027
        c16toa(ech->cipherSuite.aeadId, writeBuf_p);
14028
        writeBuf_p += sizeof(ech->cipherSuite.aeadId);
14029
        /* configId */
14030
        *writeBuf_p = ech->configId;
14031
        writeBuf_p += sizeof(ech->configId);
14032
        /* encLen */
14033
        if (ech->innerCount == 0) {
14034
            c16toa(ech->encLen, writeBuf_p);
14035
        }
14036
        else {
14037
            /* set to 0 if this is clientInner 2 */
14038
            c16toa(0, writeBuf_p);
14039
        }
14040
        writeBuf_p += 2;
14041
        if (ech->state == ECH_WRITE_GREASE) {
14042
            word32 size;
14043
            WC_ALLOC_VAR_EX(rng, WC_RNG, 1, NULL, DYNAMIC_TYPE_RNG,
14044
                ret = MEMORY_E);
14045
14046
            if (ret == 0)
14047
                rngRet = ret = wc_InitRng(rng);
14048
            if (ret == 0 && ech->innerCount == 0) {
14049
                WC_ALLOC_VAR_EX(hpke, Hpke, 1, NULL, DYNAMIC_TYPE_TMP_BUFFER,
14050
                    ret = MEMORY_E);
14051
14052
                /* hpke init */
14053
                if (ret == 0)
14054
                    ret = wc_HpkeInit(hpke, ech->kemId, ech->cipherSuite.kdfId,
14055
                        ech->cipherSuite.aeadId, NULL);
14056
                /* create the ephemeralKey */
14057
                if (ret == 0)
14058
                    ret = wc_HpkeGenerateKeyPair(hpke, &ephemeralKey, rng);
14059
                /* enc */
14060
                if (ret == 0) {
14061
                    ret = wc_HpkeSerializePublicKey(hpke, ephemeralKey,
14062
                        writeBuf_p, &ech->encLen);
14063
                    writeBuf_p += ech->encLen;
14064
                }
14065
14066
                if (ephemeralKey != NULL)
14067
                    wc_HpkeFreeKey(hpke, hpke->kem, ephemeralKey, hpke->heap);
14068
                WC_FREE_VAR_EX(hpke, NULL, DYNAMIC_TYPE_TMP_BUFFER);
14069
            }
14070
14071
            if (ret == 0) {
14072
                size = GREASE_ECH_SIZE + (ech->configId / 4);
14073
                size += ECH_PADDING_TO_32(size) + WC_AES_BLOCK_SIZE;
14074
14075
                /* innerClientHelloLen */
14076
                c16toa((word16)size, writeBuf_p);
14077
                writeBuf_p += 2;
14078
                /* innerClientHello */
14079
                ret = wc_RNG_GenerateBlock(rng, writeBuf_p, size);
14080
                writeBuf_p += size;
14081
            }
14082
14083
            if (rngRet == 0)
14084
                wc_FreeRng(rng);
14085
            WC_FREE_VAR_EX(rng, NULL, DYNAMIC_TYPE_RNG);
14086
        }
14087
        else {
14088
            if (ech->innerCount == 0) {
14089
                /* write enc to writeBuf_p */
14090
                ret = wc_HpkeSerializePublicKey(ech->hpke, ech->ephemeralKey,
14091
                    writeBuf_p, &ech->encLen);
14092
                writeBuf_p += ech->encLen;
14093
            }
14094
14095
            /* innerClientHelloLen */
14096
            c16toa((word16)ech->innerClientHelloLen, writeBuf_p);
14097
            writeBuf_p += 2;
14098
            /* set payload offset for when we finalize */
14099
            ech->outerClientPayload = writeBuf_p;
14100
            /* write zeros for payload */
14101
            XMEMSET(writeBuf_p, 0, ech->innerClientHelloLen);
14102
            writeBuf_p += ech->innerClientHelloLen;
14103
        }
14104
    }
14105
    if (ret == 0)
14106
        *offset += (writeBuf_p - writeBuf);
14107
    return ret;
14108
}
14109
14110
/* return the size needed for the ech extension */
14111
static int TLSX_ECH_GetSize(WOLFSSL_ECH* ech, byte msgType)
14112
{
14113
    int ret;
14114
    word32 size = 0;
14115
14116
    if (ech->state == ECH_WRITE_GREASE) {
14117
        word32 payload;
14118
        size = sizeof(ech->type) + sizeof(ech->cipherSuite) +
14119
            sizeof(ech->configId) + sizeof(word16) + sizeof(word16);
14120
        /* enc only printed on CH1 */
14121
        if (ech->innerCount == 0)
14122
            size += ech->encLen;
14123
        /* GREASE payload mimics the regular sealed inner:
14124
         *   plaintext length divisible by 32 and the AEAD tag
14125
         *   configId is used to randomize the GREASE length
14126
         *     (divide by 4 to save space) */
14127
        payload = GREASE_ECH_SIZE + (ech->configId / 4);
14128
        payload += ECH_PADDING_TO_32(payload) + WC_AES_BLOCK_SIZE;
14129
        size += payload;
14130
    }
14131
    else if (msgType == hello_retry_request) {
14132
        size = ECH_ACCEPT_CONFIRMATION_SZ;
14133
    }
14134
    else if (ech->state == ECH_WRITE_NONE ||
14135
        ech->state == ECH_PARSED_INTERNAL) {
14136
        size = 0;
14137
    }
14138
    else if (ech->state == ECH_WRITE_RETRY_CONFIGS) {
14139
        /* get the size of the raw configs */
14140
        ret = GetEchConfigsEx(ech->echConfig, NULL, &size);
14141
14142
        if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E))
14143
            return ret;
14144
    }
14145
    else if (ech->type == ECH_TYPE_INNER)
14146
    {
14147
        size = sizeof(ech->type);
14148
    }
14149
    else
14150
    {
14151
        size = sizeof(ech->type) + sizeof(ech->cipherSuite) +
14152
            sizeof(ech->configId) + sizeof(word16) + sizeof(word16) +
14153
            ech->innerClientHelloLen;
14154
        /* enc only printed on CH1 */
14155
        if (ech->innerCount == 0)
14156
            size += ech->encLen;
14157
    }
14158
14159
    return (int)size;
14160
}
14161
14162
#ifdef HAVE_SECRET_CALLBACK
14163
/* log ECH_SECRET and ECH_CONFIG
14164
 * returns 0 on success, TLS13_SECRET_CB_E otherwise */
14165
static int EchWriteKeyLog(WOLFSSL* ssl, const byte* secret, word32 secretSz,
14166
    const byte* config, word32 configSz)
14167
{
14168
    int ret = 0;
14169
    if (ssl->tls13SecretCb != NULL) {
14170
        ret = ssl->tls13SecretCb(ssl, ECH_SECRET, secret, (int)secretSz,
14171
                ssl->tls13SecretCtx);
14172
        if (ret == 0) {
14173
            ret = ssl->tls13SecretCb(ssl, ECH_CONFIG, config, (int)configSz,
14174
                    ssl->tls13SecretCtx);
14175
        }
14176
        if (ret != 0) {
14177
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
14178
            ret = TLS13_SECRET_CB_E;
14179
        }
14180
    }
14181
#ifdef OPENSSL_EXTRA
14182
    if (ret == 0 && ssl->tls13KeyLogCb != NULL) {
14183
        ret = ssl->tls13KeyLogCb(ssl, ECH_SECRET, secret, (int)secretSz, NULL);
14184
        if (ret == 0) {
14185
            ret = ssl->tls13KeyLogCb(ssl, ECH_CONFIG, config, (int)configSz,
14186
                    NULL);
14187
        }
14188
        if (ret != 0) {
14189
            WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E);
14190
            ret = TLS13_SECRET_CB_E;
14191
        }
14192
    }
14193
#endif /* OPENSSL_EXTRA */
14194
    return ret;
14195
}
14196
#endif /* HAVE_SECRET_CALLBACK */
14197
14198
/* rough check that inner hello fields do not exceed length of decrypted
14199
 * information. Additionally, this function will check that all padding bytes
14200
 * are zero and decrease the innerHelloLen accordingly if so.
14201
 * returns 0 on success and otherwise failure */
14202
static int TLSX_ECH_CheckInnerPadding(WOLFSSL* ssl, WOLFSSL_ECH* ech)
14203
{
14204
    int headerSz;
14205
    const byte* innerCh;
14206
    word32 innerChLen;
14207
    word32 idx;
14208
    byte sessionIdLen;
14209
    word16 cipherSuitesLen;
14210
    byte compressionLen;
14211
    word16 extLen;
14212
    byte acc = 0;
14213
    word32 i;
14214
14215
#ifdef WOLFSSL_DTLS13
14216
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
14217
                                   HANDSHAKE_HEADER_SZ;
14218
#else
14219
    (void)ssl;
14220
14221
    headerSz = HANDSHAKE_HEADER_SZ;
14222
#endif
14223
14224
    innerCh = ech->innerClientHello + headerSz;
14225
    innerChLen = ech->innerClientHelloLen;
14226
14227
    idx = OPAQUE16_LEN + RAN_LEN;
14228
    if (idx >= innerChLen)
14229
        return BUFFER_ERROR;
14230
14231
    sessionIdLen = innerCh[idx++];
14232
    /* innerHello sessionID must initially be empty */
14233
    if (sessionIdLen != 0)
14234
        return INVALID_PARAMETER;
14235
    idx += sessionIdLen;
14236
    if (idx + OPAQUE16_LEN > innerChLen)
14237
        return BUFFER_ERROR;
14238
14239
    ato16(innerCh + idx, &cipherSuitesLen);
14240
    idx += OPAQUE16_LEN + cipherSuitesLen;
14241
    if (idx >= innerChLen)
14242
        return BUFFER_ERROR;
14243
14244
    compressionLen = innerCh[idx++];
14245
    idx += compressionLen;
14246
    if (idx + OPAQUE16_LEN > innerChLen)
14247
        return BUFFER_ERROR;
14248
14249
    ato16(innerCh + idx, &extLen);
14250
    idx += OPAQUE16_LEN + extLen;
14251
    if (idx > innerChLen)
14252
        return BUFFER_ERROR;
14253
14254
    /* should now be at the end of the innerHello
14255
     * Per ECH spec all padding bytes MUST be 0 */
14256
    for (i = idx; i < innerChLen; i++) {
14257
        acc |= innerCh[i];
14258
    }
14259
    if (acc != 0) {
14260
        return INVALID_PARAMETER;
14261
    }
14262
14263
    ech->innerClientHelloLen -= i - idx;
14264
    return 0;
14265
}
14266
14267
/* Locate the given extension type, use the extOffset to start off after where a
14268
 * previous call to this function ended
14269
 *
14270
 * outerCh          The outer ClientHello buffer.
14271
 * chLen            Outer ClientHello length.
14272
 * extType          Extension type to look for.
14273
 * extLen           Out parameter, length of found extension.
14274
 * extOffset        Offset into outer ClientHello to look for extension from.
14275
 * extensionsStart  Start of outer ClientHello extensions.
14276
 * extensionsLen    Length of outer ClientHello extensions.
14277
 * returns 0 on success and otherwise failure.
14278
 */
14279
static const byte* TLSX_ECH_FindOuterExtension(const byte* outerCh,
14280
    word32 chLen, word16 extType, word32* extLen, word32* extOffset,
14281
    word16* extensionsStart, word16* extensionsLen)
14282
{
14283
    word32 idx = *extOffset;
14284
    byte sessionIdLen;
14285
    word16 cipherSuitesLen;
14286
    byte compressionLen;
14287
    word16 type;
14288
    word16 len;
14289
14290
    if (idx == 0) {
14291
        idx = OPAQUE16_LEN + RAN_LEN;
14292
        if (idx >= chLen)
14293
            return NULL;
14294
14295
        sessionIdLen = outerCh[idx++];
14296
        idx += sessionIdLen;
14297
        if (idx + OPAQUE16_LEN > chLen)
14298
            return NULL;
14299
14300
        ato16(outerCh + idx, &cipherSuitesLen);
14301
        idx += OPAQUE16_LEN + cipherSuitesLen;
14302
        if (idx >= chLen)
14303
            return NULL;
14304
14305
        compressionLen = outerCh[idx++];
14306
        idx += compressionLen;
14307
        if (idx + OPAQUE16_LEN > chLen)
14308
            return NULL;
14309
14310
        ato16(outerCh + idx, extensionsLen);
14311
        idx += OPAQUE16_LEN;
14312
        *extensionsStart = (word16)idx;
14313
14314
        if (idx + *extensionsLen > chLen)
14315
            return NULL;
14316
    }
14317
14318
    while (idx - *extensionsStart < *extensionsLen) {
14319
        if (idx + OPAQUE16_LEN + OPAQUE16_LEN > chLen)
14320
            return NULL;
14321
14322
        ato16(outerCh + idx, &type);
14323
        idx += OPAQUE16_LEN;
14324
        ato16(outerCh + idx, &len);
14325
        idx += OPAQUE16_LEN;
14326
14327
        if (idx + len - *extensionsStart > *extensionsLen)
14328
            return NULL;
14329
14330
        if (type == extType) {
14331
            *extLen = len + OPAQUE16_LEN + OPAQUE16_LEN;
14332
            *extOffset = idx + len;
14333
            return outerCh + idx - OPAQUE16_LEN - OPAQUE16_LEN;
14334
        }
14335
14336
        idx += len;
14337
    }
14338
14339
    return NULL;
14340
}
14341
14342
/* If newinnerCh is NULL, validate ordering and existence of references
14343
 *   - updates newInnerChLen with total length of selected extensions
14344
 * If newinnerCh is not NULL, copy extensions into newInnerCh
14345
 *
14346
 * outerCh          The outer ClientHello buffer.
14347
 * outerChLen       Outer ClientHello length.
14348
 * newInnerCh       The inner ClientHello buffer.
14349
 * newInnerChLen    Inner ClientHello length.
14350
 * numOuterRefs     Number of references described by OuterExtensions extension.
14351
 * OuterRefTypes    References described by OuterExtensions extension.
14352
 * returns 0 on success and otherwise failure.
14353
 */
14354
static int TLSX_ECH_CopyOuterExtensions(const byte* outerCh, word32 outerChLen,
14355
    byte** newInnerCh, word32* newInnerChLen,
14356
    word16 numOuterRefs, const byte* outerRefTypes)
14357
{
14358
    int ret = 0;
14359
    word16 refType;
14360
    word32 outerExtLen;
14361
    word32 outerExtOffset = 0;
14362
    word16 extsStart = 0;
14363
    word16 extsLen = 0;
14364
    const byte* outerExtData;
14365
14366
    if (newInnerCh == NULL) {
14367
        *newInnerChLen = 0;
14368
    }
14369
14370
    while (numOuterRefs-- > 0) {
14371
        ato16(outerRefTypes, &refType);
14372
14373
        if (refType == TLSXT_ECH) {
14374
            WOLFSSL_MSG("ECH: ech_outer_extensions references ECH");
14375
            ret = INVALID_PARAMETER;
14376
            break;
14377
        }
14378
14379
        outerExtData = TLSX_ECH_FindOuterExtension(outerCh, outerChLen,
14380
                            refType, &outerExtLen, &outerExtOffset,
14381
                            &extsStart, &extsLen);
14382
14383
        if (outerExtData == NULL) {
14384
            WOLFSSL_MSG("ECH: referenced extension not in outer CH or out "
14385
                        "of order");
14386
            ret = INVALID_PARAMETER;
14387
            break;
14388
        }
14389
14390
        if (newInnerCh == NULL) {
14391
            *newInnerChLen += outerExtLen;
14392
        }
14393
        else {
14394
            XMEMCPY(*newInnerCh, outerExtData, outerExtLen);
14395
            *newInnerCh += outerExtLen;
14396
        }
14397
14398
        outerRefTypes += OPAQUE16_LEN;
14399
    }
14400
14401
    return ret;
14402
}
14403
14404
/* Expand ech_outer_extensions in the inner ClientHello by copying referenced
14405
 * extensions from the outer ClientHello.
14406
 * If the sessionID exists in the outer ClientHello then also copy that into the
14407
 * expanded inner ClientHello.
14408
 *
14409
 * ssl      SSL/TLS object.
14410
 * ech      ECH object.
14411
 * heap     Heap hint.
14412
 * returns 0 on success and otherwise failure.
14413
 */
14414
static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech,
14415
    void* heap)
14416
{
14417
    int ret = 0;
14418
    int headerSz;
14419
    const byte* innerCh;
14420
    word32 innerChLen;
14421
    const byte* outerCh;
14422
    word32 outerChLen;
14423
    word32 idx;
14424
    byte sessionIdLen;
14425
    word16 cipherSuitesLen;
14426
    byte compressionLen;
14427
14428
    word32 innerExtIdx;
14429
    word16 innerExtLen;
14430
    word32 echOuterExtIdx = 0;
14431
    word16 echOuterExtLen = 0;
14432
    int foundEchOuter = 0;
14433
    word16 numOuterRefs = 0;
14434
    const byte* outerRefTypes = NULL;
14435
    word32 extraSize = 0;
14436
    byte* newInnerCh = NULL;
14437
    byte* newInnerChRef;
14438
    word32 newInnerChLen;
14439
    word32 copyLen;
14440
14441
    WOLFSSL_ENTER("TLSX_ExpandEchOuterExtensions");
14442
14443
    if (ech == NULL || ech->innerClientHello == NULL || ech->aad == NULL)
14444
        return BAD_FUNC_ARG;
14445
14446
#ifdef WOLFSSL_DTLS13
14447
    headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ :
14448
                                   HANDSHAKE_HEADER_SZ;
14449
#else
14450
    headerSz = HANDSHAKE_HEADER_SZ;
14451
#endif
14452
14453
    innerCh = ech->innerClientHello + headerSz;
14454
    innerChLen = ech->innerClientHelloLen;
14455
    outerCh = ech->aad;
14456
    outerChLen = ech->aadLen;
14457
14458
    /* don't need to check for buffer overflows here since they are caught by
14459
     * TLSX_ECH_CheckInnerPadding */
14460
    idx = OPAQUE16_LEN + RAN_LEN;
14461
14462
    sessionIdLen = innerCh[idx++];
14463
    idx += sessionIdLen;
14464
14465
    ato16(innerCh + idx, &cipherSuitesLen);
14466
    idx += OPAQUE16_LEN + cipherSuitesLen;
14467
14468
    compressionLen = innerCh[idx++];
14469
    idx += compressionLen;
14470
14471
    ato16(innerCh + idx, &innerExtLen);
14472
    idx += OPAQUE16_LEN;
14473
    innerExtIdx = idx;
14474
14475
    /* validate ech_outer_extensions and calculate extra size */
14476
    while (idx < innerChLen && (idx - innerExtIdx) < innerExtLen) {
14477
        word16 type;
14478
        word16 len;
14479
        byte outerExtListLen;
14480
14481
        if (idx + OPAQUE16_LEN + OPAQUE16_LEN > innerChLen)
14482
            return BUFFER_ERROR;
14483
14484
        ato16(innerCh + idx, &type);
14485
        idx += OPAQUE16_LEN;
14486
        ato16(innerCh + idx, &len);
14487
        idx += OPAQUE16_LEN;
14488
14489
        if (idx + len > innerChLen)
14490
            return BUFFER_ERROR;
14491
14492
        if (type == TLSXT_ECH_OUTER_EXTENSIONS) {
14493
            if (foundEchOuter) {
14494
                WOLFSSL_MSG("ECH: duplicate ech_outer_extensions");
14495
                return INVALID_PARAMETER;
14496
            }
14497
            foundEchOuter = 1;
14498
            echOuterExtIdx = idx - OPAQUE16_LEN - OPAQUE16_LEN;
14499
            echOuterExtLen = len + OPAQUE16_LEN + OPAQUE16_LEN;
14500
14501
            /* ech_outer_extensions data format: 1-byte length + extension types
14502
             * ExtensionType OuterExtensions<2..254>; */
14503
            if (len < 1)
14504
                return BUFFER_ERROR;
14505
            outerExtListLen = innerCh[idx];
14506
            if (outerExtListLen + 1 != len || outerExtListLen < 2 ||
14507
                    outerExtListLen == 255)
14508
                return BUFFER_ERROR;
14509
14510
            outerRefTypes = innerCh + idx + 1;
14511
            numOuterRefs = outerExtListLen / OPAQUE16_LEN;
14512
14513
            ret = TLSX_ECH_CopyOuterExtensions(outerCh, outerChLen, NULL,
14514
                    &extraSize, numOuterRefs, outerRefTypes);
14515
            if (ret != 0)
14516
                return ret;
14517
        }
14518
14519
        idx += len;
14520
    }
14521
14522
    newInnerChLen = innerChLen - echOuterExtLen + extraSize - sessionIdLen +
14523
                        ssl->session->sessionIDSz;
14524
    if (newInnerChLen > 0xFFFF) {
14525
        return BUFFER_E;
14526
    }
14527
14528
    if (!foundEchOuter && sessionIdLen == ssl->session->sessionIDSz) {
14529
        /* no extensions + no sessionID to copy */
14530
        WOLFSSL_MSG("ECH: no EchOuterExtensions extension found");
14531
        return ret;
14532
    }
14533
    else {
14534
        newInnerCh = (byte*)XMALLOC(newInnerChLen + headerSz, heap,
14535
                                    DYNAMIC_TYPE_TMP_BUFFER);
14536
        if (newInnerCh == NULL)
14537
            return MEMORY_E;
14538
    }
14539
14540
    /* note: The first HANDSHAKE_HEADER_SZ bytes are reserved for the header
14541
     * but not initialized here. The header will be properly set later by
14542
     * AddTls13HandShakeHeader() in DoTls13ClientHello(). */
14543
14544
    /* copy everything up to EchOuterExtensions */
14545
    newInnerChRef = newInnerCh + headerSz;
14546
    copyLen = OPAQUE16_LEN + RAN_LEN;
14547
    XMEMCPY(newInnerChRef, innerCh, copyLen);
14548
    newInnerChRef += copyLen;
14549
14550
    *newInnerChRef = ssl->session->sessionIDSz;
14551
    newInnerChRef += OPAQUE8_LEN;
14552
14553
    copyLen = ssl->session->sessionIDSz;
14554
    XMEMCPY(newInnerChRef, ssl->session->sessionID, copyLen);
14555
    newInnerChRef += copyLen;
14556
14557
    if (!foundEchOuter) {
14558
        WOLFSSL_MSG("ECH: no EchOuterExtensions extension found");
14559
14560
        copyLen = innerChLen - OPAQUE16_LEN - RAN_LEN - OPAQUE8_LEN -
14561
                sessionIdLen;
14562
        XMEMCPY(newInnerChRef, innerCh + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN +
14563
                sessionIdLen, copyLen);
14564
    }
14565
    else {
14566
        innerExtIdx = headerSz + innerExtIdx - OPAQUE16_LEN -
14567
            sessionIdLen + ssl->session->sessionIDSz;
14568
14569
        copyLen = echOuterExtIdx - OPAQUE16_LEN - RAN_LEN - OPAQUE8_LEN -
14570
                sessionIdLen;
14571
        XMEMCPY(newInnerChRef, innerCh + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN +
14572
                sessionIdLen, copyLen);
14573
        newInnerChRef += copyLen;
14574
14575
        /* update extensions length in the new ClientHello */
14576
        c16toa(innerExtLen - echOuterExtLen + (word16)extraSize,
14577
                newInnerCh + innerExtIdx);
14578
14579
        ret = TLSX_ECH_CopyOuterExtensions(outerCh, outerChLen, &newInnerChRef,
14580
                &newInnerChLen, numOuterRefs, outerRefTypes);
14581
        if (ret == 0) {
14582
            /* copy remaining extensions after ech_outer_extensions */
14583
            copyLen = innerChLen - (echOuterExtIdx + echOuterExtLen);
14584
            XMEMCPY(newInnerChRef, innerCh + echOuterExtIdx + echOuterExtLen,
14585
                    copyLen);
14586
14587
            WOLFSSL_MSG("ECH: expanded ech_outer_extensions successfully");
14588
        }
14589
    }
14590
14591
    if (ret == 0) {
14592
        XFREE(ech->innerClientHello, heap, DYNAMIC_TYPE_TMP_BUFFER);
14593
        ech->innerClientHello = newInnerCh;
14594
        ech->innerClientHelloLen = newInnerChLen;
14595
        newInnerCh = NULL;
14596
    }
14597
14598
    if (newInnerCh != NULL)
14599
        XFREE(newInnerCh, heap, DYNAMIC_TYPE_TMP_BUFFER);
14600
14601
    return ret;
14602
}
14603
14604
/* return status after attempting to open the hpke encrypted ech extension, if
14605
 * successful the inner client hello will be stored in
14606
 * ech->innerClientHelloLen */
14607
static int TLSX_ExtractEch(WOLFSSL* ssl, WOLFSSL_ECH* ech,
14608
    WOLFSSL_EchConfig* echConfig, byte* aad, word32 aadLen)
14609
{
14610
    int ret = 0;
14611
    int i;
14612
    int allocatedHpke = 0;
14613
    word32 rawConfigLen = 0;
14614
    byte* info = NULL;
14615
    word32 infoLen = 0;
14616
    if (ssl == NULL || ech == NULL || echConfig == NULL || aad == NULL)
14617
        return BAD_FUNC_ARG;
14618
    /* verify the kem and key len */
14619
    if (wc_HpkeKemGetEncLen(echConfig->kemId) != ech->encLen)
14620
        return BAD_FUNC_ARG;
14621
    /* verify the cipher suite */
14622
    for (i = 0; i < echConfig->numCipherSuites; i++) {
14623
        if (echConfig->cipherSuites[i].kdfId == ech->cipherSuite.kdfId &&
14624
            echConfig->cipherSuites[i].aeadId == ech->cipherSuite.aeadId) {
14625
            break;
14626
        }
14627
    }
14628
    if (i >= echConfig->numCipherSuites) {
14629
        return BAD_FUNC_ARG;
14630
    }
14631
    /* check if hpke already exists, may if HelloRetryRequest */
14632
    if (ech->hpke == NULL) {
14633
        allocatedHpke = 1;
14634
        ech->hpke = (Hpke*)XMALLOC(sizeof(Hpke), ssl->heap,
14635
            DYNAMIC_TYPE_TMP_BUFFER);
14636
        if (ech->hpke == NULL)
14637
            ret = MEMORY_E;
14638
        /* init the hpke struct */
14639
        if (ret == 0) {
14640
            ret = wc_HpkeInit(ech->hpke, echConfig->kemId,
14641
                ech->cipherSuite.kdfId, ech->cipherSuite.aeadId, ssl->heap);
14642
        }
14643
        if (ret == 0) {
14644
            /* allocate hpkeContext */
14645
            ech->hpkeContext =
14646
                (HpkeBaseContext*)XMALLOC(sizeof(HpkeBaseContext),
14647
                ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
14648
            if (ech->hpkeContext == NULL)
14649
                ret = MEMORY_E;
14650
        }
14651
        /* get the rawConfigLen */
14652
        if (ret == 0)
14653
            ret = GetEchConfig(echConfig, NULL, &rawConfigLen);
14654
        if (ret == WC_NO_ERR_TRACE(LENGTH_ONLY_E))
14655
            ret = 0;
14656
        /* create info */
14657
        if (ret == 0) {
14658
            infoLen = TLS_INFO_CONST_STRING_SZ + 1 + rawConfigLen;
14659
            info = (byte*)XMALLOC(infoLen, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14660
14661
            if (info == NULL)
14662
                ret = MEMORY_E;
14663
            else {
14664
                XMEMCPY(info, (byte*)TLS_INFO_CONST_STRING,
14665
                    TLS_INFO_CONST_STRING_SZ + 1);
14666
                ret = GetEchConfig(echConfig, info +
14667
                    TLS_INFO_CONST_STRING_SZ + 1, &rawConfigLen);
14668
            }
14669
        }
14670
#ifdef HAVE_SECRET_CALLBACK
14671
        /* allocate secret buffer for wc_HpkeInitOpenContext to copy into */
14672
        if (ret == 0 && (ssl->tls13SecretCb != NULL
14673
#ifdef OPENSSL_EXTRA
14674
                || ssl->tls13KeyLogCb != NULL
14675
#endif
14676
                )) {
14677
            ret = wc_HpkeInitEchSecret(ech->hpke);
14678
        }
14679
#endif /* HAVE_SECRET_CALLBACK */
14680
        /* init the context for opening */
14681
        if (ret == 0) {
14682
            ret = wc_HpkeInitOpenContext(ech->hpke, ech->hpkeContext,
14683
                echConfig->receiverPrivkey, ech->enc, ech->encLen, info,
14684
                infoLen);
14685
        }
14686
    }
14687
    /* decrypt the ech payload */
14688
    if (ret == 0) {
14689
        ret = wc_HpkeContextOpenBase(ech->hpke, ech->hpkeContext, aad, aadLen,
14690
            ech->outerClientPayload, ech->innerClientHelloLen,
14691
            ech->innerClientHello + HANDSHAKE_HEADER_SZ);
14692
    }
14693
14694
#ifdef HAVE_SECRET_CALLBACK
14695
    if (ret == 0 && ech->hpke->echSecret != NULL) {
14696
        ret = EchWriteKeyLog(ssl, ech->hpke->echSecret, ech->hpke->Nsecret,
14697
                info + TLS_INFO_CONST_STRING_SZ + 1, rawConfigLen);
14698
    }
14699
    wc_HpkeFreeEchSecret(ech->hpke);
14700
#endif /* HAVE_SECRET_CALLBACK */
14701
14702
    /* only free hpke/hpkeContext if allocated in this call; otherwise preserve
14703
     * them for clientHello2 */
14704
    if (ret != 0 && allocatedHpke) {
14705
        XFREE(ech->hpke, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14706
        ech->hpke = NULL;
14707
        if (ech->hpkeContext != NULL) {
14708
            ForceZero(ech->hpkeContext, sizeof(HpkeBaseContext));
14709
            XFREE(ech->hpkeContext, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14710
            ech->hpkeContext = NULL;
14711
        }
14712
    }
14713
14714
    if (info != NULL)
14715
        XFREE(info, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14716
14717
    return ret;
14718
}
14719
14720
/* parse the ech extension, if internal update ech->state and return, if
14721
 * external attempt to extract the inner client_hello, return the status */
14722
static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size,
14723
    byte msgType)
14724
{
14725
    int ret = 0;
14726
    TLSX* echX;
14727
    WOLFSSL_ECH* ech;
14728
    WOLFSSL_EchConfig* echConfig;
14729
    byte* aadCopy;
14730
    byte* readBuf_p = (byte*)readBuf;
14731
    word32 offset = 0;
14732
    word16 len;
14733
    word16 tmpVal16;
14734
    word16 lenCh;
14735
14736
    WOLFSSL_MSG("TLSX_ECH_Parse");
14737
    if (ssl->options.disableECH) {
14738
        WOLFSSL_MSG("TLSX_ECH_Parse: ECH disabled. Ignoring.");
14739
        return 0;
14740
    }
14741
    if (size == 0)
14742
        return BAD_FUNC_ARG;
14743
14744
    /* retry configs */
14745
    if (msgType == encrypted_extensions) {
14746
        /* configs must only be sent on ECH rejection (RFC9849, Section 5) */
14747
        if (ssl->options.echAccepted) {
14748
            SendAlert(ssl, alert_fatal, unsupported_extension);
14749
            WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION);
14750
            return UNSUPPORTED_EXTENSION;
14751
        }
14752
14753
        ret = SetRetryConfigs(ssl, readBuf, (word32)size);
14754
        if (ret == WC_NO_ERR_TRACE(UNSUPPORTED_SUITE) ||
14755
                ret == WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION)) {
14756
            WOLFSSL_MSG("ECH retry configs had 'bad version' or 'bad suite'");
14757
            ret = 0;
14758
        }
14759
14760
        if (ssl->echConfigs == NULL) {
14761
            /* on GREASE connection configs must be checked syntactically and
14762
             * must not be saved (RFC 9849, Section 6.2.1) */
14763
            FreeEchConfigs(ssl->echRetryConfigs, ssl->heap);
14764
            ssl->echRetryConfigs = NULL;
14765
        }
14766
14767
        /* retry configs may only be accepted at the point when ECH_REQUIRED is
14768
         * sent */
14769
        ssl->options.echRetryConfigsAccepted = 0;
14770
    }
14771
    /* HRR with special confirmation */
14772
    else if (msgType == hello_retry_request && ssl->echConfigs != NULL) {
14773
        /* length must be 8 */
14774
        if (size != ECH_ACCEPT_CONFIRMATION_SZ)
14775
            return BUFFER_ERROR;
14776
14777
        /* get extension */
14778
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);
14779
        if (echX == NULL)
14780
            return BAD_FUNC_ARG;
14781
        ech = (WOLFSSL_ECH*)echX->data;
14782
14783
        ech->confBuf = (byte*)readBuf;
14784
    }
14785
    else if (msgType == client_hello && ssl->ctx->echConfigs != NULL) {
14786
        /* get extension */
14787
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);
14788
        if (echX == NULL)
14789
            return BAD_FUNC_ARG;
14790
        ech = (WOLFSSL_ECH*)echX->data;
14791
14792
        /* if the first ECH was rejected or CH1 did not have ECH then there is
14793
         * no need to decrypt this one */
14794
        if (!ssl->options.echAccepted && ssl->options.serverState ==
14795
                SERVER_HELLO_RETRY_REQUEST_COMPLETE) {
14796
            ech->state = ECH_WRITE_RETRY_CONFIGS;
14797
            return 0;
14798
        }
14799
14800
        /* read the ech parameters before the payload */
14801
        ech->type = *readBuf_p;
14802
        readBuf_p++;
14803
        offset += 1;
14804
        if (ssl->options.echProcessingInner && ech->type == ECH_TYPE_INNER) {
14805
            ech->state = ECH_PARSED_INTERNAL;
14806
            return 0;
14807
        }
14808
        else if ((!ssl->options.echProcessingInner &&
14809
                  ech->type != ECH_TYPE_OUTER) ||
14810
                 (ssl->options.echProcessingInner &&
14811
                  ech->type != ECH_TYPE_INNER)) {
14812
            /* MUST process INNER in inner hello and OUTER in outer hello */
14813
            return INVALID_PARAMETER;
14814
        }
14815
        /* Must have kdfId, aeadId, configId, enc len and payload len. */
14816
        if (size < offset + 2 + 2 + 1 + 2 + 2) {
14817
            return BUFFER_ERROR;
14818
        }
14819
        /* only get enc if we don't already have the hpke context */
14820
        if (ech->hpkeContext == NULL) {
14821
            /* kdfId */
14822
            ato16(readBuf_p, &ech->cipherSuite.kdfId);
14823
            readBuf_p += 2;
14824
            offset += 2;
14825
            /* aeadId */
14826
            ato16(readBuf_p, &ech->cipherSuite.aeadId);
14827
            readBuf_p += 2;
14828
            offset += 2;
14829
            /* configId */
14830
            ech->configId = *readBuf_p;
14831
            readBuf_p++;
14832
            offset++;
14833
            /* encLen */
14834
            ato16(readBuf_p, &len);
14835
            readBuf_p += 2;
14836
            offset += 2;
14837
            /* Check encLen isn't more than remaining bytes minus
14838
             * payload length. */
14839
            if (len > size - offset - 2) {
14840
                return BUFFER_ERROR;
14841
            }
14842
            if (len > HPKE_Npk_MAX) {
14843
                return BUFFER_ERROR;
14844
            }
14845
            /* read enc */
14846
            XMEMCPY(ech->enc, readBuf_p, len);
14847
            ech->encLen = len;
14848
        }
14849
        else {
14850
            /* kdfId, aeadId, and configId must be the same as last time */
14851
            /* kdfId */
14852
            ato16(readBuf_p, &tmpVal16);
14853
            if (tmpVal16 != ech->cipherSuite.kdfId) {
14854
                return INVALID_PARAMETER;
14855
            }
14856
            readBuf_p += 2;
14857
            offset += 2;
14858
            /* aeadId */
14859
            ato16(readBuf_p, &tmpVal16);
14860
            if (tmpVal16 != ech->cipherSuite.aeadId) {
14861
                return INVALID_PARAMETER;
14862
            }
14863
            readBuf_p += 2;
14864
            offset += 2;
14865
            /* configId */
14866
            if (*readBuf_p != ech->configId) {
14867
                return INVALID_PARAMETER;
14868
            }
14869
            readBuf_p++;
14870
            offset++;
14871
            /* on an HRR the enc value MUST be empty */
14872
            ato16(readBuf_p, &len);
14873
            if (len != 0) {
14874
                return INVALID_PARAMETER;
14875
            }
14876
            readBuf_p += 2;
14877
            offset += 2;
14878
        }
14879
        readBuf_p += len;
14880
        offset += len;
14881
        /* read payload (encrypted CH) len */
14882
        ato16(readBuf_p, &lenCh);
14883
        ech->innerClientHelloLen = lenCh;
14884
        readBuf_p += 2;
14885
        offset += 2;
14886
        /* Check payload is no bigger than remaining bytes. */
14887
        if (ech->innerClientHelloLen > size - offset) {
14888
            return BUFFER_ERROR;
14889
        }
14890
        if (ech->innerClientHelloLen < WC_AES_BLOCK_SIZE) {
14891
            return BUFFER_ERROR;
14892
        }
14893
        ech->innerClientHelloLen -= WC_AES_BLOCK_SIZE;
14894
        ech->outerClientPayload = readBuf_p;
14895
        /* make a copy of the aad */
14896
        aadCopy = (byte*)XMALLOC(ech->aadLen, ssl->heap,
14897
            DYNAMIC_TYPE_TMP_BUFFER);
14898
        if (aadCopy == NULL)
14899
            return MEMORY_E;
14900
        XMEMCPY(aadCopy, ech->aad, ech->aadLen);
14901
        /* set the ech payload of the copy to zeros */
14902
        XMEMSET(aadCopy + (readBuf_p - ech->aad), 0,
14903
            ech->innerClientHelloLen + WC_AES_BLOCK_SIZE);
14904
        /* free the old ech when this is the second client hello */
14905
        if (ech->innerClientHello != NULL)
14906
            XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14907
        /* allocate the inner payload buffer */
14908
        ech->innerClientHello =
14909
            (byte*)XMALLOC(ech->innerClientHelloLen + HANDSHAKE_HEADER_SZ,
14910
            ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14911
        if (ech->innerClientHello == NULL) {
14912
            XFREE(aadCopy, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14913
            return MEMORY_E;
14914
        }
14915
        /* try to decrypt with matching configId */
14916
        echConfig = ssl->ctx->echConfigs;
14917
        while (echConfig != NULL) {
14918
            if (echConfig->configId == ech->configId) {
14919
                ret = TLSX_ExtractEch(ssl, ech, echConfig, aadCopy,
14920
                        ech->aadLen);
14921
                if (ret == 0 || ret == WC_NO_ERR_TRACE(TLS13_SECRET_CB_E))
14922
                    break;
14923
            }
14924
            echConfig = echConfig->next;
14925
        }
14926
        /* otherwise, try to decrypt with all configs (trial decryption) */
14927
        if (echConfig == NULL && ssl->options.enableEchTrialDecrypt) {
14928
            echConfig = ssl->ctx->echConfigs;
14929
            while (echConfig != NULL) {
14930
                if (echConfig->configId != ech->configId) {
14931
                    ret = TLSX_ExtractEch(ssl, ech, echConfig, aadCopy,
14932
                            ech->aadLen);
14933
                    if (ret == 0 || ret == WC_NO_ERR_TRACE(TLS13_SECRET_CB_E))
14934
                        break;
14935
                }
14936
                echConfig = echConfig->next;
14937
            }
14938
        }
14939
        /* TLS13_SECRET_CB_E isn't correlated with ECH acceptance so skip both
14940
         * paths */
14941
        if (ret != WC_NO_ERR_TRACE(TLS13_SECRET_CB_E)) {
14942
            /* if we failed to extract/expand */
14943
            if (ret != 0 || echConfig == NULL) {
14944
                WOLFSSL_MSG("ECH rejected");
14945
14946
                if (ssl->options.echAccepted == 0) {
14947
                    /* on SH1 prepare to write retry configs */
14948
                    XFREE(ech->innerClientHello, ssl->heap,
14949
                        DYNAMIC_TYPE_TMP_BUFFER);
14950
                    ech->innerClientHello = NULL;
14951
                    ech->state = ECH_WRITE_RETRY_CONFIGS;
14952
                    ret = 0;
14953
                }
14954
                else {
14955
                    /* on SH2 failure to decrypt is fatal */
14956
                    SendAlert(ssl, alert_fatal, decrypt_error);
14957
                    WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
14958
                    ret = DECRYPT_ERROR;
14959
                }
14960
            }
14961
            else {
14962
                WOLFSSL_MSG("ECH accepted");
14963
                ssl->options.echAccepted = 1;
14964
14965
                ret = TLSX_ECH_CheckInnerPadding(ssl, ech);
14966
                if (ret == 0) {
14967
                    /* expand EchOuterExtensions if present.
14968
                    * Also, if it exists, copy sessionID from outer hello */
14969
                    ret = TLSX_ECH_ExpandOuterExtensions(ssl, ech, ssl->heap);
14970
                }
14971
            }
14972
        }
14973
        if (ret != 0) {
14974
            XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14975
            ech->innerClientHello = NULL;
14976
        }
14977
14978
        XFREE(aadCopy, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14979
    }
14980
14981
    return ret;
14982
}
14983
14984
/* free the ech struct and the dynamic buffer it uses */
14985
static void TLSX_ECH_Free(WOLFSSL_ECH* ech, void* heap)
14986
{
14987
    XFREE(ech->innerClientHello, heap, DYNAMIC_TYPE_TMP_BUFFER);
14988
    if (ech->hpke != NULL) {
14989
        wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, ech->ephemeralKey,
14990
            ech->hpke->heap);
14991
        /* wc_HpkeFreeEchSecret is intentionally not here, free it in
14992
         * TLSX_ExtractEch / TLSX_FinalizeEch */
14993
        XFREE(ech->hpke, heap, DYNAMIC_TYPE_TMP_BUFFER);
14994
    }
14995
    if (ech->hpkeContext != NULL) {
14996
        ForceZero(ech->hpkeContext, sizeof(HpkeBaseContext));
14997
        XFREE(ech->hpkeContext, heap, DYNAMIC_TYPE_TMP_BUFFER);
14998
    }
14999
15000
    XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER);
15001
    (void)heap;
15002
}
15003
15004
/* encrypt the client hello and store it in ech->outerClientPayload, return
15005
 * status */
15006
int TLSX_FinalizeEch(WOLFSSL* ssl, WOLFSSL_ECH* ech, byte* aad, word32 aadLen)
15007
{
15008
    int ret = 0;
15009
    void* receiverPubkey = NULL;
15010
    byte* info = NULL;
15011
    int infoLen = 0;
15012
    byte* aadCopy = NULL;
15013
    if (ssl == NULL || ech == NULL || aad == NULL)
15014
        return BAD_FUNC_ARG;
15015
    /* setup hpke context to seal, should be done at most once per connection */
15016
    if (ech->hpkeContext == NULL) {
15017
        /* import the server public key */
15018
        ret = wc_HpkeDeserializePublicKey(ech->hpke, &receiverPubkey,
15019
            ech->echConfig->receiverPubkey, ech->encLen);
15020
        if (ret == 0) {
15021
            /* allocate hpke context */
15022
            ech->hpkeContext =
15023
                (HpkeBaseContext*)XMALLOC(sizeof(HpkeBaseContext),
15024
                ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
15025
            if (ech->hpkeContext == NULL)
15026
                ret = MEMORY_E;
15027
        }
15028
        if (ret == 0) {
15029
            /* create info */
15030
            infoLen = TLS_INFO_CONST_STRING_SZ + 1 + ech->echConfig->rawLen;
15031
            info = (byte*)XMALLOC(infoLen, ech->hpke->heap,
15032
                DYNAMIC_TYPE_TMP_BUFFER);
15033
            if (info == NULL)
15034
                ret = MEMORY_E;
15035
        }
15036
        if (ret == 0) {
15037
            /* puts the null byte in for me */
15038
            XMEMCPY(info, (byte*)TLS_INFO_CONST_STRING,
15039
                TLS_INFO_CONST_STRING_SZ + 1);
15040
            XMEMCPY(info + TLS_INFO_CONST_STRING_SZ + 1,
15041
                ech->echConfig->raw, ech->echConfig->rawLen);
15042
        }
15043
#ifdef HAVE_SECRET_CALLBACK
15044
        /* allocate secret buffer for wc_HpkeInitSealContext to copy into */
15045
        if (ret == 0 && (ssl->tls13SecretCb != NULL
15046
#ifdef OPENSSL_EXTRA
15047
                || ssl->tls13KeyLogCb != NULL
15048
#endif
15049
                )) {
15050
            ret = wc_HpkeInitEchSecret(ech->hpke);
15051
        }
15052
#endif /* HAVE_SECRET_CALLBACK */
15053
        if (ret == 0) {
15054
            /* init the context for seal with info and keys */
15055
            ret = wc_HpkeInitSealContext(ech->hpke, ech->hpkeContext,
15056
                ech->ephemeralKey, receiverPubkey, info, infoLen);
15057
        }
15058
    }
15059
    if (ret == 0) {
15060
        /* make a copy of the aad since we overwrite it */
15061
        aadCopy = (byte*)XMALLOC(aadLen, ech->hpke->heap,
15062
            DYNAMIC_TYPE_TMP_BUFFER);
15063
        if (aadCopy == NULL) {
15064
            ret = MEMORY_E;
15065
        }
15066
    }
15067
    if (ret == 0) {
15068
        XMEMCPY(aadCopy, aad, aadLen);
15069
        /* seal the payload with context */
15070
        ret = wc_HpkeContextSealBase(ech->hpke, ech->hpkeContext, aadCopy,
15071
            aadLen, ech->innerClientHello,
15072
            ech->innerClientHelloLen - ech->hpke->Nt, ech->outerClientPayload);
15073
    }
15074
15075
#ifdef HAVE_SECRET_CALLBACK
15076
    if (ret == 0 && ech->hpke->echSecret != NULL) {
15077
        ret = EchWriteKeyLog(ssl, ech->hpke->echSecret, ech->hpke->Nsecret,
15078
            ech->echConfig->raw, ech->echConfig->rawLen);
15079
    }
15080
    wc_HpkeFreeEchSecret(ech->hpke);
15081
#endif /* HAVE_SECRET_CALLBACK */
15082
15083
    if (info != NULL)
15084
        XFREE(info, ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
15085
    if (aadCopy != NULL)
15086
        XFREE(aadCopy, ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER);
15087
    if (receiverPubkey != NULL)
15088
        wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, receiverPubkey,
15089
            ech->hpke->heap);
15090
    return ret;
15091
}
15092
15093
#define GREASE_ECH_USE TLSX_GreaseECH_Use
15094
#define ECH_USE TLSX_ECH_Use
15095
#define SERVER_ECH_USE TLSX_ServerECH_Use
15096
#define ECH_WRITE TLSX_ECH_Write
15097
#define ECH_GET_SIZE TLSX_ECH_GetSize
15098
#define ECH_PARSE TLSX_ECH_Parse
15099
#define ECH_FREE TLSX_ECH_Free
15100
15101
#endif /* WOLFSSL_TLS13 && HAVE_ECH */
15102
15103
/** Releases all extensions in the provided list. */
15104
void TLSX_FreeAll(TLSX* list, void* heap)
15105
0
{
15106
0
    TLSX* extension;
15107
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
15108
    TLSX* echList;
15109
    TLSX* tail;
15110
#endif
15111
15112
0
    while ((extension = list)) {
15113
0
        list = extension->next;
15114
15115
0
        switch (extension->type) {
15116
#if defined(HAVE_RPK)
15117
            case TLSX_CLIENT_CERTIFICATE_TYPE:
15118
                WOLFSSL_MSG("Client Certificate Type extension free");
15119
                /* nothing to do */
15120
                break;
15121
            case TLSX_SERVER_CERTIFICATE_TYPE:
15122
                WOLFSSL_MSG("Server Certificate Type extension free");
15123
                /* nothing to do */
15124
                break;
15125
#endif
15126
15127
0
#ifdef HAVE_SNI
15128
0
            case TLSX_SERVER_NAME:
15129
0
                WOLFSSL_MSG("SNI extension free");
15130
0
                SNI_FREE_ALL((SNI*)extension->data, heap);
15131
0
                break;
15132
0
#endif
15133
15134
0
            case TLSX_TRUSTED_CA_KEYS:
15135
0
                WOLFSSL_MSG("Trusted CA Indication extension free");
15136
0
                TCA_FREE_ALL((TCA*)extension->data, heap);
15137
0
                break;
15138
15139
0
            case TLSX_MAX_FRAGMENT_LENGTH:
15140
0
                WOLFSSL_MSG("Max Fragment Length extension free");
15141
0
                MFL_FREE_ALL(extension->data, heap);
15142
0
                break;
15143
15144
0
            case TLSX_EXTENDED_MASTER_SECRET:
15145
0
                WOLFSSL_MSG("Extended Master Secret free");
15146
                /* Nothing to do. */
15147
0
                break;
15148
0
            case TLSX_TRUNCATED_HMAC:
15149
0
                WOLFSSL_MSG("Truncated HMAC extension free");
15150
                /* Nothing to do. */
15151
0
                break;
15152
15153
0
            case TLSX_SUPPORTED_GROUPS:
15154
0
                WOLFSSL_MSG("Supported Groups extension free");
15155
0
                EC_FREE_ALL((SupportedCurve*)extension->data, heap);
15156
0
                break;
15157
15158
0
            case TLSX_EC_POINT_FORMATS:
15159
0
                WOLFSSL_MSG("Point Formats extension free");
15160
0
                PF_FREE_ALL((PointFormat*)extension->data, heap);
15161
0
                break;
15162
15163
0
            case TLSX_STATUS_REQUEST:
15164
0
                WOLFSSL_MSG("Certificate Status Request extension free");
15165
0
                CSR_FREE_ALL((CertificateStatusRequest*)extension->data, heap);
15166
0
                break;
15167
15168
0
            case TLSX_STATUS_REQUEST_V2:
15169
0
                WOLFSSL_MSG("Certificate Status Request v2 extension free");
15170
0
                CSR2_FREE_ALL((CertificateStatusRequestItemV2*)extension->data,
15171
0
                        heap);
15172
0
                break;
15173
15174
0
            case TLSX_RENEGOTIATION_INFO:
15175
0
                WOLFSSL_MSG("Secure Renegotiation extension free");
15176
0
                SCR_FREE_ALL(extension->data, heap);
15177
0
                break;
15178
15179
0
            case TLSX_SESSION_TICKET:
15180
0
                WOLFSSL_MSG("Session Ticket extension free");
15181
0
                WOLF_STK_FREE(extension->data, heap);
15182
0
                break;
15183
15184
0
            case TLSX_APPLICATION_LAYER_PROTOCOL:
15185
0
                WOLFSSL_MSG("ALPN extension free");
15186
0
                ALPN_FREE_ALL((ALPN*)extension->data, heap);
15187
0
                break;
15188
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
15189
0
            case TLSX_SIGNATURE_ALGORITHMS:
15190
0
                WOLFSSL_MSG("Signature Algorithms extension to free");
15191
0
                SA_FREE_ALL((SignatureAlgorithms*)extension->data, heap);
15192
0
                break;
15193
0
#endif
15194
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
15195
0
            case TLSX_ENCRYPT_THEN_MAC:
15196
0
                WOLFSSL_MSG("Encrypt-Then-Mac extension free");
15197
0
                break;
15198
0
#endif
15199
15200
0
#if defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
15201
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15202
            case TLSX_PRE_SHARED_KEY:
15203
                WOLFSSL_MSG("Pre-Shared Key extension free");
15204
                PSK_FREE_ALL((PreSharedKey*)extension->data, heap);
15205
                break;
15206
15207
        #ifdef WOLFSSL_TLS13
15208
            case TLSX_PSK_KEY_EXCHANGE_MODES:
15209
                WOLFSSL_MSG("PSK Key Exchange Modes extension free");
15210
                break;
15211
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
15212
            case TLSX_CERT_WITH_EXTERN_PSK:
15213
                WOLFSSL_MSG("Cert with external PSK extension free");
15214
                break;
15215
        #endif
15216
        #endif
15217
    #endif
15218
15219
0
            case TLSX_KEY_SHARE:
15220
0
                WOLFSSL_MSG("Key Share extension free");
15221
0
                KS_FREE_ALL((KeyShareEntry*)extension->data, heap);
15222
0
                break;
15223
0
#endif
15224
0
#ifdef WOLFSSL_TLS13
15225
0
            case TLSX_SUPPORTED_VERSIONS:
15226
0
                WOLFSSL_MSG("Supported Versions extension free");
15227
0
                break;
15228
15229
0
            case TLSX_COOKIE:
15230
0
                WOLFSSL_MSG("Cookie extension free");
15231
0
                CKE_FREE_ALL((Cookie*)extension->data, heap);
15232
0
                break;
15233
15234
    #ifdef WOLFSSL_EARLY_DATA
15235
            case TLSX_EARLY_DATA:
15236
                WOLFSSL_MSG("Early Data extension free");
15237
                break;
15238
    #endif
15239
15240
    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
15241
            case TLSX_POST_HANDSHAKE_AUTH:
15242
                WOLFSSL_MSG("Post-Handshake Authentication extension free");
15243
                break;
15244
    #endif
15245
15246
0
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
15247
0
            case TLSX_SIGNATURE_ALGORITHMS_CERT:
15248
0
                WOLFSSL_MSG("Signature Algorithms extension free");
15249
0
                break;
15250
0
    #endif
15251
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
15252
            case TLSX_CERTIFICATE_AUTHORITIES:
15253
                WOLFSSL_MSG("Certificate Authorities extension free");
15254
                break;
15255
    #endif
15256
0
#endif
15257
#ifdef WOLFSSL_SRTP
15258
            case TLSX_USE_SRTP:
15259
                WOLFSSL_MSG("SRTP extension free");
15260
                SRTP_FREE((TlsxSrtp*)extension->data, heap);
15261
                break;
15262
#endif
15263
15264
    #ifdef WOLFSSL_QUIC
15265
            case TLSX_KEY_QUIC_TP_PARAMS:
15266
                FALL_THROUGH;
15267
            case TLSX_KEY_QUIC_TP_PARAMS_DRAFT:
15268
                WOLFSSL_MSG("QUIC transport parameter free");
15269
                QTP_FREE((QuicTransportParam*)extension->data, heap);
15270
                break;
15271
    #endif
15272
15273
#ifdef WOLFSSL_DTLS_CID
15274
            case TLSX_CONNECTION_ID:
15275
                WOLFSSL_MSG("Connection ID extension free");
15276
                CID_FREE((byte*)extension->data, heap);
15277
                break;
15278
#endif /* WOLFSSL_DTLS_CID */
15279
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
15280
            case TLSX_ECH:
15281
                WOLFSSL_MSG("ECH extension free");
15282
                /* append the ech extensions to the tail of the list so a
15283
                 * recursive TLSX_FreeAll is not necessary */
15284
                echList = ((WOLFSSL_ECH*)extension->data)->extensions;
15285
                if (echList != NULL) {
15286
                    if (list == NULL) {
15287
                        list = echList;
15288
                    }
15289
                    else {
15290
                        tail = list;
15291
                        while (tail->next != NULL)
15292
                            tail = tail->next;
15293
                        tail->next = echList;
15294
                    }
15295
                }
15296
                ECH_FREE((WOLFSSL_ECH*)extension->data, heap);
15297
                break;
15298
#endif
15299
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
15300
            case TLSX_CKS:
15301
                WOLFSSL_MSG("CKS extension free");
15302
                /* nothing to do */
15303
                break;
15304
#endif
15305
0
            default:
15306
0
                break;
15307
0
        }
15308
15309
0
        XFREE(extension, heap, DYNAMIC_TYPE_TLSX);
15310
0
    }
15311
15312
0
    (void)heap;
15313
0
}
15314
15315
/** Checks if the tls extensions are supported based on the protocol version. */
15316
0
int TLSX_SupportExtensions(WOLFSSL* ssl) {
15317
0
    return ssl && (IsTLS(ssl) || ssl->version.major == DTLS_MAJOR);
15318
0
}
15319
15320
/** Tells the buffered size of the extensions in a list. */
15321
static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType,
15322
                        word16* pLength)
15323
0
{
15324
0
    int    ret = 0;
15325
0
    TLSX*  extension;
15326
    /* Use a word32 accumulator so that an extension whose contribution
15327
     * pushes the running total past 0xFFFF is detected rather than
15328
     * silently wrapped (the TLS extensions block length prefix on the
15329
     * wire is a 2-byte field). Callees that take a word16* accumulator
15330
     * are invoked via a per-iteration shim (`cbShim`) and their delta
15331
     * is added back into the word32 total.
15332
     *
15333
     * MAINTAINER NOTE: do NOT pass &length to any *_GET_SIZE function
15334
     * that expects a `word16*` out-parameter -- that would be a type
15335
     * mismatch (UB) and would silently bypass the overflow detection
15336
     * below. When adding a new extension case, either:
15337
     *   - use `length += FOO_GET_SIZE(...)` when the helper returns a
15338
     *     word16 by value, or
15339
     *   - use the cbShim pattern: `cbShim = 0; ret = FOO_GET_SIZE(...,
15340
     *     &cbShim); length += cbShim;`
15341
     */
15342
0
    word32 length = 0;
15343
0
    word16 cbShim = 0;
15344
0
    byte   isRequest = (msgType == client_hello ||
15345
0
                        msgType == certificate_request);
15346
0
    (void)cbShim;
15347
15348
0
    while ((extension = list)) {
15349
0
        list = extension->next;
15350
15351
        /* only extensions marked as response are sent back to the client. */
15352
0
        if (!isRequest && !extension->resp)
15353
0
            continue; /* skip! */
15354
15355
        /* ssl level extensions are expected to override ctx level ones. */
15356
0
        if (!IS_OFF(semaphore, TLSX_ToSemaphore((word16)extension->type)))
15357
0
            continue; /* skip! */
15358
15359
        /* extension type + extension data length. */
15360
0
        length += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
15361
15362
0
        switch (extension->type) {
15363
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
15364
            case TLSX_CKS:
15365
                length += ((WOLFSSL*)extension->data)->sigSpecSz ;
15366
                break;
15367
#endif
15368
0
#ifdef HAVE_SNI
15369
0
            case TLSX_SERVER_NAME:
15370
                /* SNI only sends the name on the request. */
15371
0
                if (isRequest)
15372
0
                    length += SNI_GET_SIZE((SNI*)extension->data);
15373
0
                break;
15374
0
#endif
15375
15376
0
            case TLSX_TRUSTED_CA_KEYS:
15377
                /* TCA only sends the list on the request. */
15378
0
                if (isRequest) {
15379
0
                    word16 tcaSz = TCA_GET_SIZE((TCA*)extension->data);
15380
                    /* 0 on non-empty list means 16-bit overflow. */
15381
0
                    if (tcaSz == 0 && extension->data != NULL) {
15382
0
                        ret = LENGTH_ERROR;
15383
0
                        break;
15384
0
                    }
15385
0
                    length += tcaSz;
15386
0
                }
15387
0
                break;
15388
15389
0
            case TLSX_MAX_FRAGMENT_LENGTH:
15390
0
                length += MFL_GET_SIZE(extension->data);
15391
0
                break;
15392
15393
0
            case TLSX_EXTENDED_MASTER_SECRET:
15394
0
            case TLSX_TRUNCATED_HMAC:
15395
                /* always empty. */
15396
0
                break;
15397
15398
0
            case TLSX_SUPPORTED_GROUPS:
15399
0
                length += EC_GET_SIZE((SupportedCurve*)extension->data);
15400
0
                break;
15401
15402
0
            case TLSX_EC_POINT_FORMATS:
15403
0
                length += PF_GET_SIZE((PointFormat*)extension->data);
15404
0
                break;
15405
15406
0
            case TLSX_STATUS_REQUEST:
15407
0
                length += CSR_GET_SIZE(
15408
0
                         (CertificateStatusRequest*)extension->data, isRequest);
15409
0
                break;
15410
15411
0
            case TLSX_STATUS_REQUEST_V2:
15412
0
                length += CSR2_GET_SIZE(
15413
0
                        (CertificateStatusRequestItemV2*)extension->data,
15414
0
                        isRequest);
15415
0
                break;
15416
15417
0
            case TLSX_RENEGOTIATION_INFO:
15418
0
                length += SCR_GET_SIZE((SecureRenegotiation*)extension->data,
15419
0
                        isRequest);
15420
0
                break;
15421
15422
0
            case TLSX_SESSION_TICKET:
15423
0
                length += WOLF_STK_GET_SIZE((SessionTicket*)extension->data,
15424
0
                        isRequest);
15425
0
                break;
15426
15427
0
            case TLSX_APPLICATION_LAYER_PROTOCOL: {
15428
0
                word16 alpnSz = ALPN_GET_SIZE((ALPN*)extension->data);
15429
                /* 0 on non-empty list means 16-bit overflow. */
15430
0
                if (alpnSz == 0 && extension->data != NULL) {
15431
0
                    ret = LENGTH_ERROR;
15432
0
                    break;
15433
0
                }
15434
0
                length += alpnSz;
15435
0
                break;
15436
0
            }
15437
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
15438
0
            case TLSX_SIGNATURE_ALGORITHMS:
15439
0
                length += SA_GET_SIZE(extension->data);
15440
0
                break;
15441
0
#endif
15442
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
15443
0
            case TLSX_ENCRYPT_THEN_MAC:
15444
0
                cbShim = 0;
15445
0
                ret = ETM_GET_SIZE(msgType, &cbShim);
15446
0
                length += cbShim;
15447
0
                break;
15448
0
#endif /* HAVE_ENCRYPT_THEN_MAC */
15449
15450
0
#if defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
15451
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15452
            case TLSX_PRE_SHARED_KEY:
15453
                cbShim = 0;
15454
                ret = PSK_GET_SIZE((PreSharedKey*)extension->data, msgType,
15455
                                                                       &cbShim);
15456
                length += cbShim;
15457
                break;
15458
        #ifdef WOLFSSL_TLS13
15459
            case TLSX_PSK_KEY_EXCHANGE_MODES:
15460
                cbShim = 0;
15461
                ret = PKM_GET_SIZE((byte)extension->val, msgType, &cbShim);
15462
                length += cbShim;
15463
                break;
15464
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
15465
            case TLSX_CERT_WITH_EXTERN_PSK:
15466
                cbShim = 0;
15467
                ret = PSK_WITH_CERT_GET_SIZE(msgType, &cbShim);
15468
                length += cbShim;
15469
                break;
15470
        #endif
15471
        #endif
15472
    #endif
15473
0
            case TLSX_KEY_SHARE:
15474
0
                length += KS_GET_SIZE((KeyShareEntry*)extension->data, msgType);
15475
0
                break;
15476
0
#endif
15477
15478
0
#ifdef WOLFSSL_TLS13
15479
0
            case TLSX_SUPPORTED_VERSIONS:
15480
0
                cbShim = 0;
15481
0
                ret = SV_GET_SIZE(extension->data, msgType, &cbShim);
15482
0
                length += cbShim;
15483
0
                break;
15484
15485
0
            case TLSX_COOKIE:
15486
0
                cbShim = 0;
15487
0
                ret = CKE_GET_SIZE((Cookie*)extension->data, msgType, &cbShim);
15488
0
                length += cbShim;
15489
0
                break;
15490
15491
    #ifdef WOLFSSL_EARLY_DATA
15492
            case TLSX_EARLY_DATA:
15493
                cbShim = 0;
15494
                ret = EDI_GET_SIZE(msgType, &cbShim);
15495
                length += cbShim;
15496
                break;
15497
    #endif
15498
15499
    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
15500
            case TLSX_POST_HANDSHAKE_AUTH:
15501
                cbShim = 0;
15502
                ret = PHA_GET_SIZE(msgType, &cbShim);
15503
                length += cbShim;
15504
                break;
15505
    #endif
15506
15507
0
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
15508
0
            case TLSX_SIGNATURE_ALGORITHMS_CERT:
15509
0
                length += SAC_GET_SIZE(extension->data);
15510
0
                break;
15511
0
    #endif
15512
15513
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
15514
            case TLSX_CERTIFICATE_AUTHORITIES: {
15515
                word16 canSz = CAN_GET_SIZE(extension->data);
15516
                /* 0 on non-empty list means 16-bit overflow. */
15517
                if (canSz == 0) {
15518
                    ret = LENGTH_ERROR;
15519
                    break;
15520
                }
15521
                length += canSz;
15522
                break;
15523
            }
15524
    #endif
15525
0
#endif
15526
#ifdef WOLFSSL_SRTP
15527
            case TLSX_USE_SRTP:
15528
                length += SRTP_GET_SIZE((TlsxSrtp*)extension->data);
15529
                break;
15530
#endif
15531
15532
#ifdef HAVE_RPK
15533
            case TLSX_CLIENT_CERTIFICATE_TYPE:
15534
                length += CCT_GET_SIZE((WOLFSSL*)extension->data, msgType);
15535
                break;
15536
15537
            case TLSX_SERVER_CERTIFICATE_TYPE:
15538
                length += SCT_GET_SIZE((WOLFSSL*)extension->data, msgType);
15539
                break;
15540
#endif /* HAVE_RPK */
15541
15542
#ifdef WOLFSSL_QUIC
15543
            case TLSX_KEY_QUIC_TP_PARAMS:
15544
                FALL_THROUGH; /* followed by */
15545
            case TLSX_KEY_QUIC_TP_PARAMS_DRAFT:
15546
                length += QTP_GET_SIZE(extension);
15547
                break;
15548
#endif
15549
#ifdef WOLFSSL_DTLS_CID
15550
            case TLSX_CONNECTION_ID:
15551
                length += CID_GET_SIZE((byte*)extension->data);
15552
                break;
15553
#endif /* WOLFSSL_DTLS_CID */
15554
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
15555
            case TLSX_ECH:
15556
                length += ECH_GET_SIZE((WOLFSSL_ECH*)extension->data, msgType);
15557
                break;
15558
#endif
15559
0
            default:
15560
0
                break;
15561
0
        }
15562
15563
0
        if (ret != 0)
15564
0
            return ret;
15565
15566
        /* Early exit: stop accumulating as soon as the running total
15567
         * cannot possibly fit the 2-byte wire length. Check *before*
15568
         * marking the extension as processed so the semaphore is not
15569
         * left in an inconsistent state on the error path. */
15570
0
        if (length > WOLFSSL_MAX_16BIT) {
15571
0
            WOLFSSL_MSG("TLSX_GetSize extension length exceeds word16");
15572
0
            return BUFFER_E;
15573
0
        }
15574
15575
        /* marks the extension as processed so ctx level */
15576
        /* extensions don't overlap with ssl level ones. */
15577
0
        TURN_ON(semaphore, TLSX_ToSemaphore((word16)extension->type));
15578
0
    }
15579
15580
0
    if ((word32)*pLength + length > WOLFSSL_MAX_16BIT) {
15581
0
        WOLFSSL_MSG("TLSX_GetSize total extensions length exceeds word16");
15582
0
        return BUFFER_E;
15583
0
    }
15584
15585
0
    *pLength += (word16)length;
15586
15587
0
    return ret;
15588
0
}
15589
15590
/** Writes the extensions of a list in a buffer. */
15591
static int TLSX_Write(TLSX* list, byte* output, byte* semaphore,
15592
                         byte msgType, word16* pOffset)
15593
0
{
15594
0
    int    ret = 0;
15595
0
    TLSX*  extension;
15596
    /* Use word32 to symmetrize with TLSX_GetSize -- a single extension can
15597
     * contribute up to 0x10003 bytes (4-byte type/length header + 0xFFFF
15598
     * payload), which would word16-overflow undetectably (e.g. wrap to a
15599
     * value still above prevOffset). Per-iteration and aggregate bounds are
15600
     * checked below before truncating back into the word16 wire fields.
15601
     * Callees that take a word16* offset use the cbShim pattern (init to 0,
15602
     * then add the returned delta to the word32 accumulator). */
15603
0
    word32 offset = 0;
15604
0
    word32 length_offset = 0;
15605
0
    word32 prevOffset;
15606
0
    word16 cbShim = 0;
15607
0
    byte   isRequest = (msgType == client_hello ||
15608
0
                        msgType == certificate_request);
15609
0
    (void)cbShim;
15610
15611
0
    while ((extension = list)) {
15612
0
        list = extension->next;
15613
15614
        /* only extensions marked as response are written in a response. */
15615
0
        if (!isRequest && !extension->resp)
15616
0
            continue; /* skip! */
15617
15618
        /* ssl level extensions are expected to override ctx level ones. */
15619
0
        if (!IS_OFF(semaphore, TLSX_ToSemaphore((word16)extension->type)))
15620
0
            continue; /* skip! */
15621
15622
        /* Snapshot offset to detect word16 wrap within this iteration;
15623
         * see matching comment in TLSX_GetSize. */
15624
0
        prevOffset = offset;
15625
15626
        /* writes extension type. */
15627
0
        c16toa((word16)extension->type, output + offset);
15628
0
        offset += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
15629
0
        length_offset = offset;
15630
15631
        /* extension data should be written internally. */
15632
0
        switch (extension->type) {
15633
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
15634
            case TLSX_CKS:
15635
                WOLFSSL_MSG("CKS extension to write");
15636
                offset += CKS_WRITE(((WOLFSSL*)extension->data),
15637
                                    output + offset);
15638
                break;
15639
#endif
15640
0
#ifdef HAVE_SNI
15641
0
            case TLSX_SERVER_NAME:
15642
0
                if (isRequest) {
15643
0
                    WOLFSSL_MSG("SNI extension to write");
15644
0
                    offset += SNI_WRITE((SNI*)extension->data, output + offset);
15645
0
                }
15646
0
                break;
15647
0
#endif
15648
15649
0
            case TLSX_TRUSTED_CA_KEYS:
15650
0
                WOLFSSL_MSG("Trusted CA Indication extension to write");
15651
0
                if (isRequest) {
15652
0
                    offset += TCA_WRITE((TCA*)extension->data, output + offset);
15653
0
                }
15654
0
                break;
15655
15656
0
            case TLSX_MAX_FRAGMENT_LENGTH:
15657
0
                WOLFSSL_MSG("Max Fragment Length extension to write");
15658
0
                offset += MFL_WRITE((byte*)extension->data, output + offset);
15659
0
                break;
15660
15661
0
            case TLSX_EXTENDED_MASTER_SECRET:
15662
0
                WOLFSSL_MSG("Extended Master Secret");
15663
                /* always empty. */
15664
0
                break;
15665
15666
0
            case TLSX_TRUNCATED_HMAC:
15667
0
                WOLFSSL_MSG("Truncated HMAC extension to write");
15668
                /* always empty. */
15669
0
                break;
15670
15671
0
            case TLSX_SUPPORTED_GROUPS:
15672
0
                WOLFSSL_MSG("Supported Groups extension to write");
15673
0
                offset += EC_WRITE((SupportedCurve*)extension->data,
15674
0
                                    output + offset);
15675
0
                break;
15676
15677
0
            case TLSX_EC_POINT_FORMATS:
15678
0
                WOLFSSL_MSG("Point Formats extension to write");
15679
0
                offset += PF_WRITE((PointFormat*)extension->data,
15680
0
                                    output + offset);
15681
0
                break;
15682
15683
0
            case TLSX_STATUS_REQUEST:
15684
0
                WOLFSSL_MSG("Certificate Status Request extension to write");
15685
0
                ret = CSR_WRITE((CertificateStatusRequest*)extension->data,
15686
0
                        output + offset, isRequest);
15687
0
                if (ret > 0) {
15688
0
                    offset += (word16)ret;
15689
0
                    ret = 0;
15690
0
                }
15691
0
                break;
15692
15693
0
            case TLSX_STATUS_REQUEST_V2:
15694
0
                WOLFSSL_MSG("Certificate Status Request v2 extension to write");
15695
0
                ret = CSR2_WRITE(
15696
0
                        (CertificateStatusRequestItemV2*)extension->data,
15697
0
                        output + offset, isRequest);
15698
0
                if (ret > 0) {
15699
0
                    offset += (word16)ret;
15700
0
                    ret = 0;
15701
0
                }
15702
0
                break;
15703
15704
0
            case TLSX_RENEGOTIATION_INFO:
15705
0
                WOLFSSL_MSG("Secure Renegotiation extension to write");
15706
0
                offset += SCR_WRITE((SecureRenegotiation*)extension->data,
15707
0
                        output + offset, isRequest);
15708
0
                break;
15709
15710
0
            case TLSX_SESSION_TICKET:
15711
0
                WOLFSSL_MSG("Session Ticket extension to write");
15712
0
                offset += WOLF_STK_WRITE((SessionTicket*)extension->data,
15713
0
                        output + offset, isRequest);
15714
0
                break;
15715
15716
0
            case TLSX_APPLICATION_LAYER_PROTOCOL:
15717
0
                WOLFSSL_MSG("ALPN extension to write");
15718
0
                offset += ALPN_WRITE((ALPN*)extension->data, output + offset);
15719
0
                break;
15720
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
15721
0
            case TLSX_SIGNATURE_ALGORITHMS:
15722
0
                WOLFSSL_MSG("Signature Algorithms extension to write");
15723
0
                offset += SA_WRITE(extension->data, output + offset);
15724
0
                break;
15725
0
#endif
15726
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
15727
0
            case TLSX_ENCRYPT_THEN_MAC:
15728
0
                WOLFSSL_MSG("Encrypt-Then-Mac extension to write");
15729
0
                cbShim = 0;
15730
0
                ret = ETM_WRITE(extension->data, output, msgType, &cbShim);
15731
0
                offset += cbShim;
15732
0
                break;
15733
0
#endif /* HAVE_ENCRYPT_THEN_MAC */
15734
15735
0
#if defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
15736
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15737
            case TLSX_PRE_SHARED_KEY:
15738
                WOLFSSL_MSG("Pre-Shared Key extension to write");
15739
                cbShim = 0;
15740
                ret = PSK_WRITE((PreSharedKey*)extension->data, output + offset,
15741
                                                              msgType, &cbShim);
15742
                offset += cbShim;
15743
                break;
15744
15745
        #ifdef WOLFSSL_TLS13
15746
            case TLSX_PSK_KEY_EXCHANGE_MODES:
15747
                WOLFSSL_MSG("PSK Key Exchange Modes extension to write");
15748
                cbShim = 0;
15749
                ret = PKM_WRITE((byte)extension->val, output + offset, msgType,
15750
                                                                       &cbShim);
15751
                offset += cbShim;
15752
                break;
15753
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
15754
            case TLSX_CERT_WITH_EXTERN_PSK:
15755
                WOLFSSL_MSG("Cert with external PSK extension to write");
15756
                cbShim = 0;
15757
                ret = PSK_WITH_CERT_WRITE(output + offset, msgType, &cbShim);
15758
                offset += cbShim;
15759
                break;
15760
        #endif
15761
        #endif
15762
    #endif
15763
0
            case TLSX_KEY_SHARE:
15764
0
                WOLFSSL_MSG("Key Share extension to write");
15765
0
                offset += KS_WRITE((KeyShareEntry*)extension->data,
15766
0
                                                      output + offset, msgType);
15767
0
                break;
15768
0
#endif
15769
0
#ifdef WOLFSSL_TLS13
15770
0
            case TLSX_SUPPORTED_VERSIONS:
15771
0
                WOLFSSL_MSG("Supported Versions extension to write");
15772
0
                cbShim = 0;
15773
0
                ret = SV_WRITE(extension->data, output + offset, msgType,
15774
0
                                                                       &cbShim);
15775
0
                offset += cbShim;
15776
0
                break;
15777
15778
0
            case TLSX_COOKIE:
15779
0
                WOLFSSL_MSG("Cookie extension to write");
15780
0
                cbShim = 0;
15781
0
                ret = CKE_WRITE((Cookie*)extension->data, output + offset,
15782
0
                                msgType, &cbShim);
15783
0
                offset += cbShim;
15784
0
                break;
15785
15786
    #ifdef WOLFSSL_EARLY_DATA
15787
            case TLSX_EARLY_DATA:
15788
                WOLFSSL_MSG("Early Data extension to write");
15789
                cbShim = 0;
15790
                ret = EDI_WRITE(extension->val, output + offset, msgType,
15791
                                                                       &cbShim);
15792
                offset += cbShim;
15793
                break;
15794
    #endif
15795
15796
    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
15797
            case TLSX_POST_HANDSHAKE_AUTH:
15798
                WOLFSSL_MSG("Post-Handshake Authentication extension to write");
15799
                cbShim = 0;
15800
                ret = PHA_WRITE(output + offset, msgType, &cbShim);
15801
                offset += cbShim;
15802
                break;
15803
    #endif
15804
15805
0
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
15806
0
            case TLSX_SIGNATURE_ALGORITHMS_CERT:
15807
0
                WOLFSSL_MSG("Signature Algorithms extension to write");
15808
0
                offset += SAC_WRITE(extension->data, output + offset);
15809
0
                break;
15810
0
    #endif
15811
15812
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
15813
            case TLSX_CERTIFICATE_AUTHORITIES:
15814
                WOLFSSL_MSG("Certificate Authorities extension to write");
15815
                offset += CAN_WRITE(extension->data, output + offset);
15816
                break;
15817
    #endif
15818
0
#endif
15819
#ifdef WOLFSSL_SRTP
15820
            case TLSX_USE_SRTP:
15821
                WOLFSSL_MSG("SRTP extension to write");
15822
                offset += SRTP_WRITE((TlsxSrtp*)extension->data, output+offset);
15823
                break;
15824
#endif
15825
15826
#ifdef HAVE_RPK
15827
            case TLSX_CLIENT_CERTIFICATE_TYPE:
15828
                WOLFSSL_MSG("Client Certificate Type extension to write");
15829
                offset += CCT_WRITE(extension->data, output + offset, msgType);
15830
                break;
15831
15832
            case TLSX_SERVER_CERTIFICATE_TYPE:
15833
                WOLFSSL_MSG("Server Certificate Type extension to write");
15834
                offset += SCT_WRITE(extension->data, output + offset, msgType);
15835
                break;
15836
#endif /* HAVE_RPK */
15837
15838
#ifdef WOLFSSL_QUIC
15839
            case TLSX_KEY_QUIC_TP_PARAMS:
15840
                FALL_THROUGH;
15841
            case TLSX_KEY_QUIC_TP_PARAMS_DRAFT:
15842
                WOLFSSL_MSG("QUIC transport parameter to write");
15843
                offset += QTP_WRITE((QuicTransportParam*)extension->data,
15844
                                    output + offset);
15845
                break;
15846
#endif
15847
#ifdef WOLFSSL_DTLS_CID
15848
            case TLSX_CONNECTION_ID:
15849
                WOLFSSL_MSG("Connection ID extension to write");
15850
                offset += CID_WRITE((byte*)extension->data, output+offset);
15851
                break;
15852
15853
#endif /* WOLFSSL_DTLS_CID */
15854
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
15855
            case TLSX_ECH:
15856
                WOLFSSL_MSG("ECH extension to write");
15857
                cbShim = 0;
15858
                ret = ECH_WRITE((WOLFSSL_ECH*)extension->data, msgType,
15859
                    output + offset, &cbShim);
15860
                offset += cbShim;
15861
                break;
15862
#endif
15863
0
            default:
15864
0
                break;
15865
0
        }
15866
15867
        /* Per-extension data length is a 2-byte wire field; reject any
15868
         * single extension whose payload exceeds that before truncating. */
15869
0
        if (offset - length_offset > WOLFSSL_MAX_16BIT) {
15870
0
            WOLFSSL_MSG("TLSX_Write single extension length exceeds word16");
15871
0
            return BUFFER_E;
15872
0
        }
15873
15874
        /* writes extension data length. */
15875
0
        c16toa((word16)(offset - length_offset),
15876
0
               output + length_offset - OPAQUE16_LEN);
15877
15878
        /* marks the extension as processed so ctx level */
15879
        /* extensions don't overlap with ssl level ones. */
15880
0
        TURN_ON(semaphore, TLSX_ToSemaphore((word16)extension->type));
15881
15882
        /* if we encountered an error propagate it */
15883
0
        if (ret != 0)
15884
0
            break;
15885
15886
0
        if (offset <= prevOffset) {
15887
0
            WOLFSSL_MSG("TLSX_Write extension made no progress");
15888
0
            return BUFFER_E;
15889
0
        }
15890
0
    }
15891
15892
    /* Only validate and commit the aggregate offset when the loop
15893
     * completed without error; on the error path, leave *pOffset
15894
     * unchanged and return the original failure reason so callers
15895
     * see the real error instead of a masking BUFFER_E. */
15896
0
    if (ret == 0) {
15897
0
        if ((word32)*pOffset + offset > WOLFSSL_MAX_16BIT) {
15898
0
            WOLFSSL_MSG("TLSX_Write total extensions length exceeds word16");
15899
0
            return BUFFER_E;
15900
0
        }
15901
0
        *pOffset += (word16)offset;
15902
0
    }
15903
15904
0
    return ret;
15905
0
}
15906
15907
#ifdef HAVE_SUPPORTED_CURVES
15908
15909
/* Populates the default supported groups / curves */
15910
static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions)
15911
0
{
15912
0
    int ret = WOLFSSL_SUCCESS;
15913
0
#ifdef WOLFSSL_TLS13
15914
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
15915
    if (ssl->options.resuming && ssl->session->namedGroup != 0) {
15916
        return TLSX_UseSupportedCurve(extensions, ssl->session->namedGroup,
15917
                                                  ssl->heap, ssl->options.side);
15918
    }
15919
#endif
15920
15921
0
    if (ssl->numGroups != 0) {
15922
0
        int i;
15923
0
        for (i = 0; i < ssl->numGroups; i++) {
15924
0
            ret = TLSX_UseSupportedCurve(extensions, ssl->group[i], ssl->heap,
15925
0
                                                             ssl->options.side);
15926
0
            if (ret != WOLFSSL_SUCCESS)
15927
0
                return ret;
15928
0
        }
15929
0
        return WOLFSSL_SUCCESS;
15930
0
    }
15931
0
#endif /* WOLFSSL_TLS13 */
15932
15933
0
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
15934
0
    !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS)
15935
    /* Prefer non-experimental PQ/T hybrid groups (only for TLS 1.3) */
15936
0
    if (IsAtLeastTLSv1_3(ssl->version) &&
15937
0
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
15938
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519) && \
15939
        ECC_MIN_KEY_SZ <= 256
15940
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519MLKEM768,
15941
            ssl->heap, ssl->options.side);
15942
        if (ret != WOLFSSL_SUCCESS) return ret;
15943
    #endif
15944
0
    #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
15945
0
        (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
15946
0
        ECC_MIN_KEY_SZ <= 384
15947
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP384R1MLKEM1024,
15948
0
            ssl->heap, ssl->options.side);
15949
0
        if (ret != WOLFSSL_SUCCESS) return ret;
15950
0
    #endif
15951
0
    #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
15952
0
        (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
15953
0
        ECC_MIN_KEY_SZ <= 256
15954
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP256R1MLKEM768,
15955
0
            ssl->heap, ssl->options.side);
15956
0
        if (ret != WOLFSSL_SUCCESS) return ret;
15957
0
    #endif
15958
0
    }
15959
0
#endif
15960
15961
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \
15962
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_1024) && \
15963
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
15964
    if (IsAtLeastTLSv1_3(ssl->version) &&
15965
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
15966
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024,
15967
                                     ssl->heap, ssl->options.side);
15968
        if (ret != WOLFSSL_SUCCESS) return ret;
15969
    }
15970
#endif
15971
15972
0
#if defined(HAVE_ECC)
15973
    /* list in order by strength, since not all servers choose by strength */
15974
0
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
15975
0
        #ifndef NO_ECC_SECP
15976
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP521R1,
15977
0
                                     ssl->heap, ssl->options.side);
15978
0
        if (ret != WOLFSSL_SUCCESS) return ret;
15979
0
        #endif
15980
0
    #endif
15981
0
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
15982
        #ifdef HAVE_ECC_BRAINPOOL
15983
        if (IsAtLeastTLSv1_3(ssl->version)) {
15984
            /* TLS 1.3 BrainpoolP512 curve */
15985
            ret = TLSX_UseSupportedCurve(extensions,
15986
                WOLFSSL_ECC_BRAINPOOLP512R1TLS13, ssl->heap, ssl->options.side);
15987
            if (ret != WOLFSSL_SUCCESS) return ret;
15988
15989
            /* If TLS 1.2 is allowed, also add the TLS 1.2 curve */
15990
            if (ssl->options.downgrade &&
15991
                (ssl->options.minDowngrade <= TLSv1_2_MINOR ||
15992
                    ssl->options.minDowngrade <= DTLSv1_2_MINOR)) {
15993
                ret = TLSX_UseSupportedCurve(extensions,
15994
                    WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap, ssl->options.side);
15995
                if (ret != WOLFSSL_SUCCESS) return ret;
15996
            }
15997
        }
15998
        else {
15999
            /* TLS 1.2 only */
16000
            ret = TLSX_UseSupportedCurve(extensions,
16001
                WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap, ssl->options.side);
16002
            if (ret != WOLFSSL_SUCCESS) return ret;
16003
        }
16004
        #endif
16005
0
    #endif
16006
0
#endif
16007
16008
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
16009
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_768) && \
16010
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
16011
    if (IsAtLeastTLSv1_3(ssl->version) &&
16012
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
16013
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768,
16014
                                     ssl->heap, ssl->options.side);
16015
        if (ret != WOLFSSL_SUCCESS) return ret;
16016
    }
16017
#endif
16018
16019
0
#if defined(HAVE_ECC)
16020
0
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
16021
0
        #ifndef NO_ECC_SECP
16022
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP384R1,
16023
0
            ssl->heap, ssl->options.side);
16024
0
        if (ret != WOLFSSL_SUCCESS) return ret;
16025
0
        #endif
16026
        #ifdef HAVE_ECC_BRAINPOOL
16027
        if (IsAtLeastTLSv1_3(ssl->version)) {
16028
            /* TLS 1.3 BrainpoolP384 curve */
16029
            ret = TLSX_UseSupportedCurve(extensions,
16030
                WOLFSSL_ECC_BRAINPOOLP384R1TLS13, ssl->heap, ssl->options.side);
16031
            if (ret != WOLFSSL_SUCCESS) return ret;
16032
16033
            /* If TLS 1.2 is allowed, also add the TLS 1.2 curve */
16034
            if (ssl->options.downgrade &&
16035
                (ssl->options.minDowngrade <= TLSv1_2_MINOR ||
16036
                    ssl->options.minDowngrade <= DTLSv1_2_MINOR)) {
16037
                ret = TLSX_UseSupportedCurve(extensions,
16038
                    WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap, ssl->options.side);
16039
                if (ret != WOLFSSL_SUCCESS) return ret;
16040
            }
16041
        }
16042
        else {
16043
            /* TLS 1.2 only */
16044
            ret = TLSX_UseSupportedCurve(extensions,
16045
                WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap, ssl->options.side);
16046
            if (ret != WOLFSSL_SUCCESS) return ret;
16047
        }
16048
        #endif
16049
0
    #endif
16050
0
#endif /* HAVE_ECC */
16051
16052
0
#ifndef HAVE_FIPS
16053
    #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
16054
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_X448, ssl->heap,
16055
            ssl->options.side);
16056
        if (ret != WOLFSSL_SUCCESS) return ret;
16057
    #endif
16058
0
#endif /* HAVE_FIPS */
16059
16060
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
16061
    !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_512) && \
16062
    !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE)
16063
    if (IsAtLeastTLSv1_3(ssl->version) &&
16064
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
16065
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512, ssl->heap,
16066
            ssl->options.side);
16067
        if (ret != WOLFSSL_SUCCESS) return ret;
16068
    }
16069
#endif
16070
16071
0
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
16072
0
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
16073
0
        #ifndef NO_ECC_SECP
16074
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP256R1,
16075
0
            ssl->heap, ssl->options.side);
16076
0
        if (ret != WOLFSSL_SUCCESS) return ret;
16077
0
        #endif
16078
        #ifdef HAVE_ECC_KOBLITZ
16079
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP256K1,
16080
            ssl->heap, ssl->options.side);
16081
        if (ret != WOLFSSL_SUCCESS) return ret;
16082
        #endif
16083
        #ifdef HAVE_ECC_BRAINPOOL
16084
        if (IsAtLeastTLSv1_3(ssl->version)) {
16085
            /* TLS 1.3 BrainpoolP256 curve */
16086
            ret = TLSX_UseSupportedCurve(extensions,
16087
                WOLFSSL_ECC_BRAINPOOLP256R1TLS13, ssl->heap, ssl->options.side);
16088
            if (ret != WOLFSSL_SUCCESS) return ret;
16089
16090
            /* If TLS 1.2 is allowed, also add the TLS 1.2 curve */
16091
            if (ssl->options.downgrade &&
16092
                (ssl->options.minDowngrade <= TLSv1_2_MINOR ||
16093
                    ssl->options.minDowngrade <= DTLSv1_2_MINOR)) {
16094
                ret = TLSX_UseSupportedCurve(extensions,
16095
                    WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap, ssl->options.side);
16096
                if (ret != WOLFSSL_SUCCESS) return ret;
16097
            }
16098
        }
16099
        else {
16100
            /* TLS 1.2 only */
16101
            ret = TLSX_UseSupportedCurve(extensions,
16102
                WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap, ssl->options.side);
16103
            if (ret != WOLFSSL_SUCCESS) return ret;
16104
        }
16105
        #endif
16106
        #if !defined(HAVE_FIPS) && defined(WOLFSSL_SM2)
16107
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SM2P256V1,
16108
            ssl->heap, ssl->options.side);
16109
        if (ret != WOLFSSL_SUCCESS) return ret;
16110
        #endif
16111
0
    #endif
16112
0
#endif /* HAVE_ECC */
16113
16114
0
#ifndef HAVE_FIPS
16115
    #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
16116
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_X25519,
16117
            ssl->heap, ssl->options.side);
16118
        if (ret != WOLFSSL_SUCCESS) return ret;
16119
    #endif
16120
0
#endif /* HAVE_FIPS */
16121
16122
0
#if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES)
16123
0
    #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
16124
0
        #ifndef NO_ECC_SECP
16125
0
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP224R1,
16126
0
            ssl->heap, ssl->options.side);
16127
0
        if (ret != WOLFSSL_SUCCESS) return ret;
16128
0
        #endif
16129
        #ifdef HAVE_ECC_KOBLITZ
16130
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP224K1,
16131
            ssl->heap, ssl->options.side);
16132
        if (ret != WOLFSSL_SUCCESS) return ret;
16133
        #endif
16134
0
    #endif
16135
16136
0
    #ifndef HAVE_FIPS
16137
        #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
16138
            #ifndef NO_ECC_SECP
16139
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP192R1,
16140
                    ssl->heap, ssl->options.side);
16141
                if (ret != WOLFSSL_SUCCESS) return ret;
16142
            #endif
16143
            #ifdef HAVE_ECC_KOBLITZ
16144
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP192K1,
16145
                    ssl->heap, ssl->options.side);
16146
                if (ret != WOLFSSL_SUCCESS) return ret;
16147
            #endif
16148
        #endif
16149
        #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
16150
            #ifndef NO_ECC_SECP
16151
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP160R1,
16152
                    ssl->heap, ssl->options.side);
16153
                if (ret != WOLFSSL_SUCCESS) return ret;
16154
            #endif
16155
            #ifdef HAVE_ECC_SECPR2
16156
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP160R2,
16157
                    ssl->heap, ssl->options.side);
16158
                if (ret != WOLFSSL_SUCCESS) return ret;
16159
            #endif
16160
            #ifdef HAVE_ECC_KOBLITZ
16161
                ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP160K1,
16162
                    ssl->heap, ssl->options.side);
16163
                if (ret != WOLFSSL_SUCCESS) return ret;
16164
            #endif
16165
        #endif
16166
0
    #endif /* HAVE_FIPS */
16167
0
#endif /* HAVE_ECC */
16168
16169
0
#ifndef NO_DH
16170
        /* Add FFDHE supported groups. */
16171
    #ifdef HAVE_FFDHE_8192
16172
        if (8192/8 >= ssl->options.minDhKeySz &&
16173
                                        8192/8 <= ssl->options.maxDhKeySz) {
16174
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_8192,
16175
                ssl->heap, ssl->options.side);
16176
            if (ret != WOLFSSL_SUCCESS)
16177
                return ret;
16178
        }
16179
    #endif
16180
    #ifdef HAVE_FFDHE_6144
16181
        if (6144/8 >= ssl->options.minDhKeySz &&
16182
                                        6144/8 <= ssl->options.maxDhKeySz) {
16183
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_6144,
16184
                ssl->heap, ssl->options.side);
16185
            if (ret != WOLFSSL_SUCCESS)
16186
                return ret;
16187
        }
16188
    #endif
16189
    #ifdef HAVE_FFDHE_4096
16190
        if (4096/8 >= ssl->options.minDhKeySz &&
16191
                                        4096/8 <= ssl->options.maxDhKeySz) {
16192
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_4096,
16193
                ssl->heap, ssl->options.side);
16194
            if (ret != WOLFSSL_SUCCESS)
16195
                return ret;
16196
        }
16197
    #endif
16198
    #ifdef HAVE_FFDHE_3072
16199
        if (3072/8 >= ssl->options.minDhKeySz &&
16200
                                        3072/8 <= ssl->options.maxDhKeySz) {
16201
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_3072,
16202
                ssl->heap, ssl->options.side);
16203
            if (ret != WOLFSSL_SUCCESS)
16204
                return ret;
16205
        }
16206
    #endif
16207
0
    #ifdef HAVE_FFDHE_2048
16208
0
        if (2048/8 >= ssl->options.minDhKeySz &&
16209
0
                                        2048/8 <= ssl->options.maxDhKeySz) {
16210
0
            ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_2048,
16211
0
                ssl->heap, ssl->options.side);
16212
0
            if (ret != WOLFSSL_SUCCESS)
16213
0
                return ret;
16214
0
        }
16215
0
    #endif
16216
0
#endif
16217
16218
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
16219
    !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_EXTRA_PQC_HYBRIDS)
16220
    if (IsAtLeastTLSv1_3(ssl->version) &&
16221
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
16222
#if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \
16223
    (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
16224
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP521R1MLKEM1024,
16225
                                     ssl->heap, ssl->options.side);
16226
        if (ret != WOLFSSL_SUCCESS) return ret;
16227
#endif
16228
#if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \
16229
    (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
16230
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP384R1MLKEM768,
16231
                                     ssl->heap, ssl->options.side);
16232
        if (ret != WOLFSSL_SUCCESS) return ret;
16233
#endif
16234
#if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE448) && \
16235
    ECC_MIN_KEY_SZ <= 448
16236
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X448MLKEM768,
16237
                                     ssl->heap, ssl->options.side);
16238
        if (ret != WOLFSSL_SUCCESS) return ret;
16239
#endif
16240
#if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_ECC) && \
16241
    (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
16242
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP256R1MLKEM512,
16243
                                     ssl->heap, ssl->options.side);
16244
        if (ret != WOLFSSL_SUCCESS) return ret;
16245
#endif
16246
#if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_CURVE25519) && \
16247
    ECC_MIN_KEY_SZ <= 256
16248
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519MLKEM512,
16249
                                     ssl->heap, ssl->options.side);
16250
        if (ret != WOLFSSL_SUCCESS) return ret;
16251
#endif
16252
    }
16253
#endif
16254
16255
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \
16256
    defined(WOLFSSL_MLKEM_KYBER)
16257
    if (IsAtLeastTLSv1_3(ssl->version) &&
16258
            TLSX_IsMlKemGroupSupported(ssl->options.side)) {
16259
#ifdef WOLFSSL_KYBER1024
16260
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL5,
16261
                                     ssl->heap, ssl->options.side);
16262
        if (ret != WOLFSSL_SUCCESS) return ret;
16263
#if defined(HAVE_ECC) && (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \
16264
    ECC_MIN_KEY_SZ <= 521
16265
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_KYBER_LEVEL5,
16266
                                     ssl->heap, ssl->options.side);
16267
        if (ret != WOLFSSL_SUCCESS) return ret;
16268
#endif
16269
#endif
16270
#ifdef WOLFSSL_KYBER768
16271
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL3,
16272
                                     ssl->heap, ssl->options.side);
16273
        if (ret != WOLFSSL_SUCCESS) return ret;
16274
#if defined(HAVE_ECC) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \
16275
        ECC_MIN_KEY_SZ <= 384
16276
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_KYBER_LEVEL3,
16277
                                     ssl->heap, ssl->options.side);
16278
        if (ret != WOLFSSL_SUCCESS) return ret;
16279
#endif
16280
#if defined(HAVE_ECC) && (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
16281
    ECC_MIN_KEY_SZ <= 256
16282
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_KYBER_LEVEL3,
16283
                                     ssl->heap, ssl->options.side);
16284
        if (ret != WOLFSSL_SUCCESS) return ret;
16285
#endif
16286
#if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
16287
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519_KYBER_LEVEL3,
16288
                                     ssl->heap, ssl->options.side);
16289
        if (ret != WOLFSSL_SUCCESS) return ret;
16290
#endif
16291
#if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
16292
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X448_KYBER_LEVEL3,
16293
                                     ssl->heap, ssl->options.side);
16294
        if (ret != WOLFSSL_SUCCESS) return ret;
16295
#endif
16296
#endif
16297
#ifdef WOLFSSL_KYBER512
16298
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL1,
16299
                                     ssl->heap, ssl->options.side);
16300
        if (ret != WOLFSSL_SUCCESS) return ret;
16301
#if defined(HAVE_ECC) && (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \
16302
    ECC_MIN_KEY_SZ <= 256
16303
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_KYBER_LEVEL1,
16304
                                     ssl->heap, ssl->options.side);
16305
        if (ret != WOLFSSL_SUCCESS) return ret;
16306
#endif
16307
#if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
16308
        ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519_KYBER_LEVEL1,
16309
                                     ssl->heap, ssl->options.side);
16310
        if (ret != WOLFSSL_SUCCESS) return ret;
16311
#endif
16312
#endif
16313
    }
16314
#endif
16315
16316
0
    (void)ssl;
16317
0
    (void)extensions;
16318
16319
0
    return ret;
16320
0
}
16321
16322
#endif /* HAVE_SUPPORTED_CURVES */
16323
16324
int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
16325
0
{
16326
0
    int ret = 0;
16327
0
    byte* public_key      = NULL;
16328
0
    word16 public_key_len = 0;
16329
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
16330
    int usingPSK = 0;
16331
#endif
16332
0
#if defined(HAVE_SUPPORTED_CURVES) && defined(WOLFSSL_TLS13)
16333
0
    TLSX* extension = NULL;
16334
0
    word16 namedGroup = WOLFSSL_NAMED_GROUP_INVALID;
16335
0
#endif
16336
16337
    /* server will add extension depending on what is parsed from client */
16338
0
    if (!isServer) {
16339
#if defined(HAVE_RPK)
16340
        ret = TLSX_ClientCertificateType_Use(ssl, isServer);
16341
        if (ret != 0)
16342
            return ret;
16343
16344
        ret = TLSX_ServerCertificateType_Use(ssl, isServer);
16345
        if (ret != 0)
16346
            return ret;
16347
#endif /* HAVE_RPK */
16348
16349
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) && \
16350
0
    !defined(WOLFSSL_NO_TLS12)
16351
0
        if (!ssl->options.disallowEncThenMac) {
16352
0
            ret = TLSX_EncryptThenMac_Use(ssl);
16353
0
            if (ret != 0)
16354
0
                return ret;
16355
0
        }
16356
0
#endif
16357
16358
0
#if defined(HAVE_SUPPORTED_CURVES)
16359
0
        if (!ssl->options.userCurves && !ssl->ctx->userCurves) {
16360
0
            if (TLSX_Find(ssl->ctx->extensions,
16361
0
                                               TLSX_SUPPORTED_GROUPS) == NULL) {
16362
0
                ret = TLSX_PopulateSupportedGroups(ssl, &ssl->extensions);
16363
0
                if (ret != WOLFSSL_SUCCESS)
16364
0
                    return ret;
16365
0
            }
16366
0
        }
16367
0
    #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
16368
0
        if ((!IsAtLeastTLSv1_3(ssl->version) || ssl->options.downgrade) &&
16369
0
               TLSX_Find(ssl->ctx->extensions, TLSX_EC_POINT_FORMATS) == NULL &&
16370
0
               TLSX_Find(ssl->extensions, TLSX_EC_POINT_FORMATS) == NULL) {
16371
0
            ret = TLSX_UsePointFormat(&ssl->extensions,
16372
0
                                         WOLFSSL_EC_PF_UNCOMPRESSED, ssl->heap);
16373
0
            if (ret != WOLFSSL_SUCCESS)
16374
0
                return ret;
16375
0
        }
16376
0
    #endif
16377
0
#endif /* HAVE_SUPPORTED_CURVES */
16378
16379
#ifdef WOLFSSL_SRTP
16380
        if (ssl->options.dtls && ssl->dtlsSrtpProfiles != 0) {
16381
            WOLFSSL_MSG("Adding DTLS SRTP extension");
16382
            if ((ret = TLSX_UseSRTP(&ssl->extensions, ssl->dtlsSrtpProfiles,
16383
                                                                ssl->heap)) != 0) {
16384
                return ret;
16385
            }
16386
        }
16387
#endif
16388
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
16389
        if ((IsAtLeastTLSv1_3(ssl->version)) && (ssl->sigSpec != NULL)) {
16390
            WOLFSSL_MSG("Adding CKS extension");
16391
            if ((ret = TLSX_UseCKS(&ssl->extensions, ssl, ssl->heap)) != 0) {
16392
                return ret;
16393
            }
16394
        }
16395
#endif
16396
0
    } /* is not server */
16397
16398
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
16399
0
    WOLFSSL_MSG("Adding signature algorithms extension");
16400
0
    if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, ssl->heap))
16401
0
                                                                         != 0) {
16402
0
            return ret;
16403
0
    }
16404
#else
16405
    ret = 0;
16406
#endif
16407
0
#ifdef WOLFSSL_TLS13
16408
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
16409
        if (IsAtLeastTLSv1_3(ssl->version) &&
16410
                SSL_PRIORITY_CA_NAMES(ssl) != NULL) {
16411
            WOLFSSL_MSG("Adding certificate authorities extension");
16412
            if ((ret = TLSX_Push(&ssl->extensions,
16413
                    TLSX_CERTIFICATE_AUTHORITIES, ssl, ssl->heap)) != 0) {
16414
                    return ret;
16415
            }
16416
        }
16417
    #endif
16418
0
        if (!isServer && IsAtLeastTLSv1_3(ssl->version)) {
16419
            /* Add mandatory TLS v1.3 extension: supported version */
16420
0
            WOLFSSL_MSG("Adding supported versions extension");
16421
0
            if ((ret = TLSX_SetSupportedVersions(&ssl->extensions, ssl,
16422
0
                                                             ssl->heap)) != 0) {
16423
0
                return ret;
16424
0
            }
16425
16426
0
        #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
16427
0
            if (ssl->certHashSigAlgoSz > 0) {
16428
0
                WOLFSSL_MSG("Adding signature algorithms cert extension");
16429
0
                if ((ret = TLSX_SetSignatureAlgorithmsCert(&ssl->extensions,
16430
0
                                                        ssl, ssl->heap)) != 0) {
16431
0
                    return ret;
16432
0
                }
16433
0
            }
16434
0
        #endif
16435
16436
0
        #if defined(HAVE_SUPPORTED_CURVES)
16437
0
            extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
16438
0
            if (extension == NULL) {
16439
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
16440
                if (ssl->options.resuming && ssl->session->namedGroup != 0)
16441
                    namedGroup = ssl->session->namedGroup;
16442
                else
16443
            #endif
16444
0
                if (ssl->numGroups > 0) {
16445
0
                    int set = 0;
16446
0
                    int i, j;
16447
16448
                    /* Find the first element of ssl->group[] that is also
16449
                     * present in preferredGroup[]. The user's ranking wins;
16450
                     * if nothing intersects, send no key share and let the
16451
                     * server drive group selection via HRR. */
16452
0
                    namedGroup = WOLFSSL_NAMED_GROUP_INVALID;
16453
0
                    for (i = 0; i < ssl->numGroups && !set; i++) {
16454
0
                        for (j = 0; preferredGroup[j] != WOLFSSL_NAMED_GROUP_INVALID; j++) {
16455
0
                            if (preferredGroup[j] == ssl->group[i]) {
16456
0
                                namedGroup = ssl->group[i];
16457
0
                                set = 1;
16458
0
                                break;
16459
0
                            }
16460
0
                        }
16461
0
                    }
16462
0
                }
16463
0
                else {
16464
                    /* Choose the most preferred group. */
16465
0
                    namedGroup = WOLFSSL_KEY_SHARE_DEFAULT_GROUP;
16466
0
                }
16467
0
            }
16468
0
            else {
16469
0
                KeyShareEntry* kse = (KeyShareEntry*)extension->data;
16470
0
                if (kse)
16471
0
                    namedGroup = kse->group;
16472
0
            }
16473
0
            if (namedGroup != WOLFSSL_NAMED_GROUP_INVALID) {
16474
0
                ret = TLSX_KeyShare_Use(ssl, namedGroup, 0, NULL, NULL,
16475
0
                        &ssl->extensions);
16476
0
            }
16477
0
            else {
16478
                /* No suitable key share group found, send no key share to
16479
                 * trigger a HRR with the server's preferred group. */
16480
0
                WOLFSSL_MSG("Sending no key share to trigger HRR");
16481
0
                ret = TLSX_KeyShare_Empty(ssl);
16482
0
            }
16483
0
            if (ret != 0)
16484
0
                return ret;
16485
0
        #endif /* HAVE_SUPPORTED_CURVES */
16486
16487
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
16488
            TLSX_Remove(&ssl->extensions, TLSX_PRE_SHARED_KEY, ssl->heap);
16489
        #endif
16490
        #if defined(HAVE_SESSION_TICKET)
16491
            if (ssl->options.resuming && ssl->session->ticketLen > 0
16492
        #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK)
16493
                && !ssl->options.certWithExternPsk
16494
        #endif
16495
            ) {
16496
                WOLFSSL_SESSION* sess = ssl->session;
16497
            #ifdef WOLFSSL_32BIT_MILLI_TIME
16498
                word32 now, milli;
16499
            #else
16500
                word64 now, milli;
16501
            #endif
16502
16503
                /* Determine the MAC algorithm for the cipher suite used. */
16504
                ssl->options.cipherSuite0 = sess->cipherSuite0;
16505
                ssl->options.cipherSuite  = sess->cipherSuite;
16506
                ret = SetCipherSpecs(ssl);
16507
                if (ret != 0)
16508
                    return ret;
16509
                now = (word64)TimeNowInMilliseconds();
16510
                if (now == 0)
16511
                    return GETTIME_ERROR;
16512
            #ifdef WOLFSSL_32BIT_MILLI_TIME
16513
                if (now < sess->ticketSeen)
16514
                    milli = (0xFFFFFFFFU - sess->ticketSeen) + 1 + now;
16515
                else
16516
                    milli = now - sess->ticketSeen;
16517
                milli += sess->ticketAdd;
16518
16519
                /* Pre-shared key is mandatory extension for resumption. */
16520
                ret = TLSX_PreSharedKey_Use(&ssl->extensions, sess->ticket,
16521
                    sess->ticketLen, milli, ssl->specs.mac_algorithm,
16522
                    ssl->options.cipherSuite0, ssl->options.cipherSuite, 1,
16523
                    NULL, ssl->heap);
16524
            #else
16525
                milli = now - sess->ticketSeen + sess->ticketAdd;
16526
16527
                /* Pre-shared key is mandatory extension for resumption. */
16528
                ret = TLSX_PreSharedKey_Use(&ssl->extensions, sess->ticket,
16529
                    sess->ticketLen, (word32)milli, ssl->specs.mac_algorithm,
16530
                    ssl->options.cipherSuite0, ssl->options.cipherSuite, 1,
16531
                    NULL, ssl->heap);
16532
            #endif
16533
                if (ret != 0)
16534
                    return ret;
16535
16536
                usingPSK = 1;
16537
            }
16538
        #endif
16539
    #ifndef NO_PSK
16540
        #ifndef WOLFSSL_PSK_ONE_ID
16541
            if (ssl->options.client_psk_cs_cb != NULL) {
16542
                int i;
16543
                const Suites* suites = WOLFSSL_SUITES(ssl);
16544
                for (i = 0; i < suites->suiteSz; i += 2) {
16545
                    byte cipherSuite0 = suites->suites[i + 0];
16546
                    byte cipherSuite = suites->suites[i + 1];
16547
                    unsigned int keySz;
16548
                #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
16549
                    int cnt = 0;
16550
                #endif
16551
16552
                #ifdef HAVE_NULL_CIPHER
16553
                    if (cipherSuite0 == ECC_BYTE ||
16554
                        cipherSuite0 == ECDHE_PSK_BYTE) {
16555
                        if (cipherSuite != TLS_SHA256_SHA256 &&
16556
                                             cipherSuite != TLS_SHA384_SHA384) {
16557
                            continue;
16558
                        }
16559
                    }
16560
                    else
16561
                #endif
16562
                #if (defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)) && \
16563
                    defined(WOLFSSL_SM3)
16564
                    if (cipherSuite0 == CIPHER_BYTE) {
16565
                        if ((cipherSuite != TLS_SM4_GCM_SM3) &&
16566
                            (cipherSuite != TLS_SM4_CCM_SM3)) {
16567
                            continue;
16568
                        }
16569
                    }
16570
                    else
16571
                #endif
16572
                    if (cipherSuite0 != TLS13_BYTE)
16573
                        continue;
16574
16575
                #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
16576
                    do {
16577
                        ssl->arrays->client_identity[0] = cnt;
16578
                #endif
16579
16580
                        ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0';
16581
                        keySz = ssl->options.client_psk_cs_cb(
16582
                            ssl, ssl->arrays->server_hint,
16583
                            ssl->arrays->client_identity, MAX_PSK_ID_LEN,
16584
                            ssl->arrays->psk_key, MAX_PSK_KEY_LEN,
16585
                            GetCipherNameInternal(cipherSuite0, cipherSuite));
16586
                        if (keySz > 0) {
16587
                            ssl->arrays->psk_keySz = keySz;
16588
                            ret = TLSX_PreSharedKey_Use(&ssl->extensions,
16589
                                (byte*)ssl->arrays->client_identity,
16590
                                (word16)XSTRLEN(ssl->arrays->client_identity),
16591
                                0, SuiteMac(WOLFSSL_SUITES(ssl)->suites + i),
16592
                                cipherSuite0, cipherSuite, 0, NULL, ssl->heap);
16593
                            if (ret != 0)
16594
                                return ret;
16595
                #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
16596
                            cnt++;
16597
                #endif
16598
                        }
16599
                #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS
16600
                    }
16601
                    while (keySz > 0);
16602
                #endif
16603
                }
16604
16605
                usingPSK = 1;
16606
            }
16607
            else
16608
        #endif
16609
            if (ssl->options.client_psk_cb != NULL ||
16610
                ssl->options.client_psk_tls13_cb != NULL) {
16611
                /* Default cipher suite. */
16612
                byte cipherSuite0 = TLS13_BYTE;
16613
                byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER;
16614
                int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE;
16615
                const char* cipherName = NULL;
16616
16617
                if (ssl->options.client_psk_tls13_cb != NULL) {
16618
                    ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb(
16619
                        ssl, ssl->arrays->server_hint,
16620
                        ssl->arrays->client_identity, MAX_PSK_ID_LEN,
16621
                        ssl->arrays->psk_key, MAX_PSK_KEY_LEN, &cipherName);
16622
                    if (GetCipherSuiteFromName(cipherName, &cipherSuite0,
16623
                            &cipherSuite, NULL, NULL, &cipherSuiteFlags) != 0) {
16624
                        return PSK_KEY_ERROR;
16625
                    }
16626
                }
16627
                else {
16628
                    ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
16629
                        ssl->arrays->server_hint, ssl->arrays->client_identity,
16630
                        MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
16631
                }
16632
                if (
16633
                #ifdef OPENSSL_EXTRA
16634
                    /* OpenSSL treats a PSK key length of 0
16635
                     * to indicate no PSK available.
16636
                     */
16637
                    ssl->arrays->psk_keySz == 0 ||
16638
                #endif
16639
                         (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN &&
16640
                     (int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) {
16641
                #ifndef OPENSSL_EXTRA
16642
                    ret = PSK_KEY_ERROR;
16643
                #endif
16644
                }
16645
                else {
16646
                    ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0';
16647
16648
                    ssl->options.cipherSuite0 = cipherSuite0;
16649
                    ssl->options.cipherSuite  = cipherSuite;
16650
                    (void)cipherSuiteFlags;
16651
                    ret = SetCipherSpecs(ssl);
16652
                    if (ret == 0) {
16653
                        ret = TLSX_PreSharedKey_Use(
16654
                            &ssl->extensions,
16655
                                     (byte*)ssl->arrays->client_identity,
16656
                            (word16)XSTRLEN(ssl->arrays->client_identity),
16657
                            0, ssl->specs.mac_algorithm,
16658
                            cipherSuite0, cipherSuite, 0,
16659
                            NULL, ssl->heap);
16660
                    }
16661
                    if (ret == 0)
16662
                        usingPSK = 1;
16663
                }
16664
                if (ret != 0)
16665
                    return ret;
16666
            }
16667
    #endif /* !NO_PSK */
16668
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
16669
16670
            /* Some servers do not generate session tickets unless
16671
             * the extension is seen in a non-resume client hello.
16672
             * We used to send it only if we were otherwise using PSK.
16673
             * Now always send it. Define NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
16674
             * to revert to the old behaviour. */
16675
            #ifdef NO_TLSX_PSKKEM_PLAIN_ANNOUNCE
16676
            if (usingPSK)
16677
            #endif
16678
            {
16679
                byte modes = 0;
16680
16681
                (void)usingPSK;
16682
                /* Pre-shared key modes: mandatory extension for resumption. */
16683
            #ifdef HAVE_SUPPORTED_CURVES
16684
                if (!ssl->options.onlyPskDheKe)
16685
            #endif
16686
                {
16687
                    modes = 1 << PSK_KE;
16688
                }
16689
            #if !defined(NO_DH) || defined(HAVE_ECC) || \
16690
                          defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
16691
                if (!ssl->options.noPskDheKe) {
16692
                    modes |= 1 << PSK_DHE_KE;
16693
                }
16694
            #endif
16695
            #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK)
16696
                if (ssl->options.certWithExternPsk) {
16697
                    /* RFC8773bis requires psk_dhe_ke with cert_with_extern_psk. */
16698
                    modes |= 1 << PSK_DHE_KE;
16699
                }
16700
            #endif
16701
                ret = TLSX_PskKeyModes_Use(ssl, modes);
16702
                if (ret != 0)
16703
                    return ret;
16704
            }
16705
16706
        #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK)
16707
            if (usingPSK && ssl->options.certWithExternPsk) {
16708
                ret = TLSX_CertWithExternPsk_Use(ssl);
16709
                if (ret != 0)
16710
                    return ret;
16711
                /* Require server confirmation before using cert-with-PSK path. */
16712
                ssl->options.certWithExternPsk = 0;
16713
            }
16714
        #endif
16715
        #endif
16716
        #if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
16717
            if (!isServer && ssl->options.postHandshakeAuth) {
16718
                ret = TLSX_PostHandAuth_Use(ssl);
16719
                if (ret != 0)
16720
                    return ret;
16721
            }
16722
        #endif
16723
#if defined(HAVE_ECH)
16724
            /* GREASE ECH */
16725
            if (!ssl->options.disableECH) {
16726
                if (ssl->echConfigs == NULL) {
16727
                    ret = GREASE_ECH_USE(&(ssl->extensions), ssl->heap,
16728
                            ssl->rng);
16729
                }
16730
                else if (ssl->echConfigs != NULL) {
16731
                    ret = ECH_USE(ssl->echConfigs, &(ssl->extensions),
16732
                            ssl->heap, ssl->rng);
16733
                }
16734
            }
16735
#endif
16736
0
        }
16737
#if defined(HAVE_ECH)
16738
        else if (IsAtLeastTLSv1_3(ssl->version)) {
16739
            if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
16740
                ret = SERVER_ECH_USE(&(ssl->extensions), ssl->heap,
16741
                    ssl->ctx->echConfigs);
16742
16743
                if (ret == 0)
16744
                    TLSX_SetResponse(ssl, TLSX_ECH);
16745
            }
16746
        }
16747
#endif
16748
16749
0
#endif
16750
16751
0
    (void)isServer;
16752
0
    (void)public_key;
16753
0
    (void)public_key_len;
16754
0
    (void)ssl;
16755
16756
0
    return ret;
16757
0
}
16758
16759
16760
#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT)
16761
16762
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
16763
/* Returns 1 if the extensions should be hidden for this write */
16764
static int TLSX_EchShouldHideInner(WOLFSSL_ECH* ech)
16765
{
16766
    return ech != NULL && ech->type == ECH_TYPE_OUTER &&
16767
        ech->state != ECH_WRITE_GREASE;
16768
}
16769
16770
/* Swap matching extension types between *sslExts and *echExts.
16771
 *   Non-matched extensions in *echExts are appended to the tail of *sslExts
16772
 *
16773
 * Extensions are stored in reverse wire order, so non-matched extensions are
16774
 * appended to the tail rather than the head; this avoids displacing the leading
16775
 * extension (e.g. pre_shared_key, which must stay last on the wire).
16776
 *
16777
 * *appended is in/out:
16778
 *  in  -> number of trailing extensions to move from *sslExts to *echExts
16779
 *  out -> the number of extensions appended to the tail of *sslExts
16780
 *
16781
 * Returns 0 on success, error otherwise. */
16782
WOLFSSL_TEST_VIS int TLSX_EchSwapExtensions(TLSX** sslExts, TLSX** echExts,
16783
    word16* appended)
16784
{
16785
    TLSX* chunk = NULL;
16786
    TLSX* node;
16787
    TLSX* outer;
16788
    TLSX* inner;
16789
    TLSX** outerLink;
16790
    TLSX** innerLink;
16791
    TLSX** sslTail;
16792
    word16 len = 0;
16793
16794
    if (*appended > 0) {
16795
        for (node = *sslExts; node != NULL; node = node->next)
16796
            len++;
16797
        if (*appended >= len)
16798
            return BAD_FUNC_ARG;
16799
        sslTail = sslExts;
16800
        while (len > *appended) {
16801
            sslTail = &(*sslTail)->next;
16802
            len--;
16803
        }
16804
        chunk = *sslTail;
16805
        *sslTail = NULL;
16806
    }
16807
16808
    *appended = 0;
16809
16810
    outerLink = echExts;
16811
    while (*outerLink != NULL) {
16812
        innerLink = sslExts;
16813
        outer = *outerLink;
16814
16815
        while (*innerLink != NULL && (*innerLink)->type != outer->type)
16816
            innerLink = &(*innerLink)->next;
16817
16818
        if (*innerLink != NULL) {
16819
            inner = *innerLink;
16820
16821
            *innerLink  = outer;
16822
            *outerLink  = inner;
16823
            node        = outer->next;
16824
            outer->next = inner->next;
16825
            inner->next = node;
16826
16827
            outerLink = &inner->next;
16828
        }
16829
        else {
16830
            *outerLink  = outer->next;
16831
            *innerLink  = outer;
16832
            outer->next = NULL;
16833
            *appended   += 1;
16834
        }
16835
    }
16836
16837
    /* outerLink is at the tail of *echExts; append the chunk */
16838
    *outerLink = chunk;
16839
16840
    return 0;
16841
}
16842
16843
/* sets installed if extensions were concealed, clears it otherwise.
16844
 * updates appended with the number of extensions appended.
16845
 * returns 0 on success, error otherwise */
16846
static int TLSX_EchConcealExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech,
16847
    word16* appended, int* installed)
16848
{
16849
    int ret = 0;
16850
16851
    *installed = 0;
16852
    *appended = 0;
16853
    if (TLSX_EchShouldHideInner(ech)) {
16854
        ret = TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions,
16855
                appended);
16856
        if (ret == 0)
16857
            *installed = 1;
16858
    }
16859
16860
    return ret;
16861
}
16862
16863
/* reverses TLSX_EchConcealExtensions
16864
 * returns 0 on success, error otherwise */
16865
static int TLSX_EchExposeExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech,
16866
    word16 appended, int installed)
16867
{
16868
    int ret = 0;
16869
16870
    if (installed) {
16871
        /* this is expected to always succeed, but in the case that it does not
16872
         * the handshake should be aborted and the ssl should not be reused. */
16873
        ret = TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions,
16874
            &appended);
16875
        if (ret == 0 && appended != 0) {
16876
            WOLFSSL_MSG("Bad restore with TLSX_EchSwapExtensions");
16877
            ret = BAD_STATE_E;
16878
        }
16879
    }
16880
16881
    return ret;
16882
}
16883
16884
/* If ECH is accepted, delete ech->extensions
16885
 * If rejected, replace matching ssl->extensions with ech->extensions,
16886
 *   appending to the tail if necessary */
16887
int TLSX_EchReplaceExtensions(WOLFSSL* ssl, byte accepted)
16888
{
16889
    int ret = 0;
16890
    TLSX* echX;
16891
    WOLFSSL_ECH* ech;
16892
    word16 appended = 0;
16893
16894
    echX = TLSX_Find(ssl->extensions, TLSX_ECH);
16895
    if (echX == NULL || echX->data == NULL)
16896
        return 0;
16897
    ech = (WOLFSSL_ECH*)echX->data;
16898
16899
    if (!accepted)
16900
        ret = TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions,
16901
            &appended);
16902
16903
    if (ret == 0) {
16904
        TLSX_FreeAll(ech->extensions, ssl->heap);
16905
        ech->extensions = NULL;
16906
    }
16907
16908
    return ret;
16909
}
16910
16911
/* Returns 1 if the extension may be encoded into ech_outer_extensions,
16912
 * 0 otherwise */
16913
static int TLSX_ECH_IsEncodable(word16 type)
16914
{
16915
    /* supported_versions being here prevents the inner hello from advertising
16916
     * a version less than TLS1.3 */
16917
    switch (type) {
16918
        case TLSX_SERVER_NAME:
16919
        case TLSX_APPLICATION_LAYER_PROTOCOL:
16920
        case TLSX_SUPPORTED_VERSIONS:
16921
        case TLSX_ECH:
16922
#if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
16923
        case TLSX_PRE_SHARED_KEY:
16924
#endif
16925
#ifdef WOLFSSL_EARLY_DATA
16926
        case TLSX_EARLY_DATA:
16927
#endif
16928
            return 0;
16929
        default:
16930
            return 1;
16931
    }
16932
}
16933
16934
/* find extensions that can be encoded into ech_outer_extensions.
16935
 * If output is non-NULL, then write the encoded form.
16936
 *
16937
 * Layout of OuterExtensions (RFC 9849, S5.1):
16938
 *   2-byte extension_type + 2-byte extension_data length +
16939
 *   1-byte list length    + 2*count bytes of extension types
16940
 */
16941
static int TLSX_ECH_BuildOuterExtensions(WOLFSSL* ssl, const byte* semaphore,
16942
    byte msgType, byte* output, word16* pOffset, word16* outCount,
16943
    byte* encodeMask)
16944
{
16945
    TLSX* list;
16946
    TLSX* extension;
16947
    byte* typesStart = NULL;
16948
    int listIdx;
16949
    word16 count = 0;
16950
    byte isRequest = (msgType == client_hello ||
16951
                      msgType == certificate_request);
16952
    byte seen[SEMAPHORE_SIZE];
16953
16954
    /* backup semaphore so it can be aliased by encodeMask */
16955
    XMEMCPY(seen, semaphore, SEMAPHORE_SIZE);
16956
16957
    if (output != NULL && pOffset != NULL) {
16958
        typesStart = output + *pOffset
16959
                     + HELLO_EXT_TYPE_SZ + OPAQUE16_LEN + OPAQUE8_LEN;
16960
    }
16961
16962
    for (listIdx = 0; listIdx < 2; listIdx++) {
16963
        list = (listIdx == 0) ? ssl->extensions :
16964
            (ssl->ctx != NULL ? ssl->ctx->extensions : NULL);
16965
        for (extension = list; extension != NULL; extension = extension->next) {
16966
            word16 type = (word16)extension->type;
16967
            word16 semIdx = TLSX_ToSemaphore(type);
16968
16969
            /* OuterExtensions is <2..254>, so reference at most 127 types */
16970
            if (count >= 127) {
16971
                WOLFSSL_MSG("ECH: cannot encode more than 127 extensions");
16972
                break;
16973
            }
16974
16975
            if (!isRequest && !extension->resp)
16976
                continue;
16977
            if (!IS_OFF(seen, semIdx))
16978
                continue;
16979
            TURN_ON(seen, semIdx);
16980
            if (!TLSX_ECH_IsEncodable(type))
16981
                continue;
16982
16983
            if (typesStart != NULL)
16984
                c16toa(type, typesStart + count * OPAQUE16_LEN);
16985
            count++;
16986
            TURN_ON(encodeMask, semIdx);
16987
        }
16988
    }
16989
16990
    if (count > 0 && pOffset != NULL) {
16991
        word16 listLen = (word16)(OPAQUE16_LEN * count);
16992
        word16 blockSz = (word16)(HELLO_EXT_TYPE_SZ + OPAQUE16_LEN
16993
                                + OPAQUE8_LEN + listLen);
16994
        if ((word32)*pOffset + blockSz > WOLFSSL_MAX_16BIT) {
16995
            WOLFSSL_MSG("ECH OuterExtensions overflows extensions length");
16996
            return BUFFER_E;
16997
        }
16998
        if (output != NULL) {
16999
            byte* hdr = output + *pOffset;
17000
            c16toa(TLSXT_ECH_OUTER_EXTENSIONS, hdr);
17001
            c16toa((word16)(OPAQUE8_LEN + listLen), hdr + OPAQUE16_LEN);
17002
            hdr[OPAQUE16_LEN + OPAQUE16_LEN] = (byte)listLen;
17003
        }
17004
17005
        /* accumulate offset even if nothing is written */
17006
        *pOffset += blockSz;
17007
    }
17008
17009
    *outCount = count;
17010
    return 0;
17011
}
17012
17013
/* because the size of ech depends on the size of other extensions we need to
17014
 * get the size with ech special and process ech last, return status */
17015
static int TLSX_GetSizeWithEch(WOLFSSL* ssl, byte* semaphore, byte msgType,
17016
    word16* pLength)
17017
{
17018
    int ret = 0;
17019
    int retC;
17020
    int installed = 0;
17021
    TLSX* echX = NULL;
17022
    WOLFSSL_ECH* ech = NULL;
17023
    word16 count = 0;
17024
    word16 appended = 0;
17025
17026
    if (ssl->extensions)
17027
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);
17028
    if (echX != NULL)
17029
        ech = (WOLFSSL_ECH*)echX->data;
17030
17031
    ret = retC = TLSX_EchConcealExtensions(ssl, ech, &appended, &installed);
17032
17033
    /* if encoding, then count encoded form of inner ClientHello.
17034
     * `semaphore` is in/out so encodable extensions will later be ignored */
17035
    if (ret == 0 &&
17036
            ech != NULL && ech->type == ECH_TYPE_INNER && ech->writeEncoded) {
17037
        ret = TLSX_ECH_BuildOuterExtensions(ssl, semaphore, msgType,
17038
            NULL, pLength, &count, semaphore);
17039
    }
17040
    if (ret == 0 && ssl->extensions)
17041
        ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, pLength);
17042
    if (ret == 0 && ssl->ctx && ssl->ctx->extensions)
17043
        ret = TLSX_GetSize(ssl->ctx->extensions, semaphore, msgType, pLength);
17044
17045
    /* always try to restore extensions to a good state */
17046
    if (retC == 0)
17047
        retC = TLSX_EchExposeExtensions(ssl, ech, appended, installed);
17048
17049
    if (ret == 0)
17050
        ret = retC;
17051
    return ret;
17052
}
17053
#endif
17054
17055
/** Tells the buffered size of extensions to be sent into the client hello. */
17056
int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word32* pLength)
17057
0
{
17058
0
    int ret = 0;
17059
0
    word16 length = 0;
17060
0
    byte semaphore[SEMAPHORE_SIZE] = {0};
17061
17062
0
    if (!TLSX_SupportExtensions(ssl))
17063
0
        return 0;
17064
0
    if (msgType == client_hello) {
17065
0
        EC_VALIDATE_REQUEST(ssl, semaphore);
17066
0
        PF_VALIDATE_REQUEST(ssl, semaphore);
17067
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
17068
0
        if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0)
17069
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
17070
0
#endif
17071
0
#if defined(WOLFSSL_TLS13)
17072
0
        if (!IsAtLeastTLSv1_2(ssl)) {
17073
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
17074
0
        }
17075
0
    #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
17076
0
        if (!IsAtLeastTLSv1_3(ssl->version)) {
17077
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17078
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17079
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
17080
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES));
17081
        #endif
17082
        #ifdef WOLFSSL_EARLY_DATA
17083
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
17084
        #endif
17085
        #ifdef WOLFSSL_SEND_HRR_COOKIE
17086
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
17087
        #endif
17088
        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
17089
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH));
17090
        #endif
17091
0
        }
17092
0
    #endif
17093
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
17094
        if (!IsAtLeastTLSv1_3(ssl->version) ||
17095
                SSL_CA_NAMES(ssl) == NULL) {
17096
            TURN_ON(semaphore,
17097
                    TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES));
17098
        }
17099
    #endif
17100
0
#endif /* WOLFSSL_TLS13 */
17101
    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
17102
     || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
17103
        if (!SSL_CM(ssl)->ocspStaplingEnabled) {
17104
            /* mark already sent, so it won't send it */
17105
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
17106
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
17107
        }
17108
    #endif
17109
0
    }
17110
17111
0
#ifdef WOLFSSL_TLS13
17112
0
    #ifndef NO_CERTS
17113
0
    else if (msgType == certificate_request) {
17114
        /* Don't send out any extension except those that are turned off. */
17115
0
        XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17116
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
17117
0
        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
17118
0
#endif
17119
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
17120
        if (SSL_PRIORITY_CA_NAMES(ssl) != NULL) {
17121
            TURN_OFF(semaphore,
17122
                    TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES));
17123
        }
17124
#endif
17125
        /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, OID_FILTERS
17126
         *       TLSX_STATUS_REQUEST
17127
         */
17128
0
    }
17129
0
    #endif
17130
#if defined(HAVE_ECH)
17131
    if (!ssl->options.disableECH && msgType == client_hello) {
17132
        ret = TLSX_GetSizeWithEch(ssl, semaphore, msgType, &length);
17133
        if (ret != 0)
17134
            return ret;
17135
    }
17136
    else
17137
#endif /* HAVE_ECH */
17138
0
#endif /* WOLFSSL_TLS13 */
17139
0
    {
17140
0
        if (ssl->extensions) {
17141
0
            ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length);
17142
0
            if (ret != 0)
17143
0
                return ret;
17144
0
        }
17145
0
        if (ssl->ctx && ssl->ctx->extensions) {
17146
0
            ret = TLSX_GetSize(ssl->ctx->extensions, semaphore, msgType,
17147
0
                &length);
17148
0
            if (ret != 0)
17149
0
                return ret;
17150
0
        }
17151
0
    }
17152
17153
0
#ifdef HAVE_EXTENDED_MASTER
17154
0
    if (msgType == client_hello && ssl->options.haveEMS &&
17155
0
                  (!IsAtLeastTLSv1_3(ssl->version) || ssl->options.downgrade)) {
17156
0
        length += HELLO_EXT_SZ;
17157
0
    }
17158
0
#endif
17159
17160
    /* The TLS extensions block length prefix is a 2-byte field, so any
17161
     * accumulated total above 0xFFFF must be rejected rather than silently
17162
     * truncating and producing a short, malformed handshake message. */
17163
0
    if (length > (word16)(WOLFSSL_MAX_16BIT - OPAQUE16_LEN)) {
17164
0
        WOLFSSL_MSG("TLSX_GetRequestSize extensions exceed word16");
17165
0
        return BUFFER_E;
17166
0
    }
17167
0
    if (length)
17168
0
        length += OPAQUE16_LEN; /* for total length storage. */
17169
17170
0
    *pLength += length;
17171
17172
0
    return ret;
17173
0
}
17174
17175
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
17176
/* return status after writing the extensions with ech written last */
17177
static int TLSX_WriteWithEch(WOLFSSL* ssl, byte* output, byte* semaphore,
17178
    byte msgType, word16* pOffset)
17179
{
17180
    int ret = 0;
17181
    int retC;
17182
    int installed = 0;
17183
    TLSX* echX = NULL;
17184
    WOLFSSL_ECH* ech = NULL;
17185
    word16 appended = 0;
17186
17187
    if (ssl->extensions)
17188
        echX = TLSX_Find(ssl->extensions, TLSX_ECH);
17189
    if (echX != NULL)
17190
        ech = (WOLFSSL_ECH*)echX->data;
17191
17192
    ret = retC = TLSX_EchConcealExtensions(ssl, ech, &appended, &installed);
17193
17194
    if (ret == 0 && echX != NULL) {
17195
        /* turn ech on so it doesn't write, then write it last */
17196
        TURN_ON(semaphore, TLSX_ToSemaphore(echX->type));
17197
    }
17198
17199
    /* for ECH inner, print the encodable block first, then the non-encodables.
17200
     * This allows the same transcript to be produced on either side
17201
     * (the transcript is over the expanded form). */
17202
    if (ret == 0 && ech != NULL && ech->type == ECH_TYPE_INNER) {
17203
        byte encodeMask[SEMAPHORE_SIZE];
17204
        byte* mask = ech->writeEncoded ? semaphore : encodeMask;
17205
        word16 count = 0;
17206
        int i;
17207
17208
        XMEMSET(encodeMask, 0, SEMAPHORE_SIZE);
17209
17210
        ret = TLSX_ECH_BuildOuterExtensions(ssl, semaphore, msgType,
17211
            ech->writeEncoded ? output : NULL,
17212
            ech->writeEncoded ? pOffset : NULL,
17213
            &count, mask);
17214
        if (ret == 0 && count >= 1 && !ech->writeEncoded) {
17215
            /* expanded: print encodable block normally */
17216
            for (i = 0; i < SEMAPHORE_SIZE; i++) {
17217
                semaphore[i] |= encodeMask[i];
17218
                encodeMask[i] = (byte)~encodeMask[i];
17219
            }
17220
            if (ssl->extensions) {
17221
                ret = TLSX_Write(ssl->extensions, output + *pOffset,
17222
                        encodeMask, msgType, pOffset);
17223
            }
17224
            if (ret == 0 && ssl->ctx && ssl->ctx->extensions) {
17225
                ret = TLSX_Write(ssl->ctx->extensions, output + *pOffset,
17226
                        encodeMask, msgType, pOffset);
17227
            }
17228
        }
17229
    }
17230
17231
    /* print non-encodable block */
17232
    if (ret == 0 && ssl->extensions) {
17233
        ret = TLSX_Write(ssl->extensions, output + *pOffset, semaphore,
17234
                         msgType, pOffset);
17235
    }
17236
    if (ret == 0 && ssl->ctx && ssl->ctx->extensions) {
17237
        ret = TLSX_Write(ssl->ctx->extensions, output + *pOffset, semaphore,
17238
                         msgType, pOffset);
17239
    }
17240
17241
    /* write ECH last */
17242
    if (ret == 0 && echX != NULL) {
17243
        /* turn off and write it last */
17244
        TURN_OFF(semaphore, TLSX_ToSemaphore(echX->type));
17245
17246
        if (ssl->extensions) {
17247
            ret = TLSX_Write(ssl->extensions, output + *pOffset, semaphore,
17248
                msgType, pOffset);
17249
        }
17250
17251
        if (ret == 0 && ssl->ctx && ssl->ctx->extensions) {
17252
            ret = TLSX_Write(ssl->ctx->extensions, output + *pOffset, semaphore,
17253
                msgType, pOffset);
17254
        }
17255
    }
17256
17257
    /* always try to restore extensions to a good state */
17258
    if (retC == 0)
17259
        retC = TLSX_EchExposeExtensions(ssl, ech, appended, installed);
17260
17261
    if (ret == 0)
17262
        ret = retC;
17263
    return ret;
17264
}
17265
#endif
17266
17267
/** Writes the extensions to be sent into the client hello. */
17268
int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word32* pOffset)
17269
0
{
17270
0
    int ret = 0;
17271
0
    word16 offset = 0;
17272
0
    byte semaphore[SEMAPHORE_SIZE] = {0};
17273
17274
0
    if (!TLSX_SupportExtensions(ssl) || output == NULL)
17275
0
        return 0;
17276
17277
0
    offset += OPAQUE16_LEN; /* extensions length */
17278
17279
0
    if (msgType == client_hello) {
17280
0
        EC_VALIDATE_REQUEST(ssl, semaphore);
17281
0
        PF_VALIDATE_REQUEST(ssl, semaphore);
17282
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
17283
0
        if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0)
17284
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
17285
0
#endif
17286
0
#ifdef WOLFSSL_TLS13
17287
0
        if (!IsAtLeastTLSv1_2(ssl)) {
17288
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
17289
0
        }
17290
0
    #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
17291
0
        if (!IsAtLeastTLSv1_3(ssl->version)) {
17292
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17293
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17294
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES));
17295
        #endif
17296
        #ifdef WOLFSSL_EARLY_DATA
17297
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
17298
        #endif
17299
        #ifdef WOLFSSL_SEND_HRR_COOKIE
17300
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
17301
        #endif
17302
        #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
17303
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH));
17304
        #endif
17305
        #ifdef WOLFSSL_DUAL_ALG_CERTS
17306
            TURN_ON(semaphore,
17307
                    TLSX_ToSemaphore(TLSX_CKS));
17308
        #endif
17309
0
        }
17310
0
    #endif
17311
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
17312
        if (!IsAtLeastTLSv1_3(ssl->version) || SSL_CA_NAMES(ssl) == NULL) {
17313
            TURN_ON(semaphore,
17314
                    TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES));
17315
        }
17316
    #endif
17317
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17318
        /* Must write Pre-shared Key extension at the end in TLS v1.3.
17319
         * Must not write out Pre-shared Key extension in earlier versions of
17320
         * protocol.
17321
         */
17322
        TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
17323
    #endif
17324
0
#endif /* WOLFSSL_TLS13 */
17325
    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
17326
     || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
17327
         /* mark already sent, so it won't send it */
17328
        if (!SSL_CM(ssl)->ocspStaplingEnabled) {
17329
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
17330
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
17331
        }
17332
    #endif
17333
0
    }
17334
0
#ifdef WOLFSSL_TLS13
17335
0
    #ifndef NO_CERTS
17336
0
    else if (msgType == certificate_request) {
17337
        /* Don't send out any extension except those that are turned off. */
17338
0
        XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17339
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
17340
0
        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
17341
0
#endif
17342
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
17343
        if (SSL_PRIORITY_CA_NAMES(ssl) != NULL) {
17344
            TURN_OFF(semaphore,
17345
                    TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES));
17346
        }
17347
#endif
17348
        /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, TLSX_OID_FILTERS
17349
         *       TLSX_STATUS_REQUEST
17350
         */
17351
0
    }
17352
0
    #endif
17353
0
#endif
17354
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
17355
    if (!ssl->options.disableECH && msgType == client_hello) {
17356
        ret = TLSX_WriteWithEch(ssl, output, semaphore, msgType, &offset);
17357
        if (ret != 0)
17358
            return ret;
17359
    }
17360
    else
17361
#endif
17362
0
    {
17363
0
        if (ssl->extensions) {
17364
0
            ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
17365
0
                             msgType, &offset);
17366
0
            if (ret != 0)
17367
0
                return ret;
17368
0
        }
17369
0
        if (ssl->ctx && ssl->ctx->extensions) {
17370
0
            ret = TLSX_Write(ssl->ctx->extensions, output + offset, semaphore,
17371
0
                             msgType, &offset);
17372
0
            if (ret != 0)
17373
0
                return ret;
17374
0
        }
17375
0
    }
17376
17377
0
#ifdef HAVE_EXTENDED_MASTER
17378
0
    if (msgType == client_hello && ssl->options.haveEMS &&
17379
0
                  (!IsAtLeastTLSv1_3(ssl->version) || ssl->options.downgrade)) {
17380
0
        WOLFSSL_MSG("EMS extension to write");
17381
0
        c16toa(HELLO_EXT_EXTMS, output + offset);
17382
0
        offset += HELLO_EXT_TYPE_SZ;
17383
0
        c16toa(0, output + offset);
17384
0
        offset += HELLO_EXT_SZ_SZ;
17385
0
    }
17386
0
#endif
17387
17388
0
#ifdef WOLFSSL_TLS13
17389
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17390
    if (msgType == client_hello && IsAtLeastTLSv1_3(ssl->version)) {
17391
        /* Write out what we can of Pre-shared key extension.  */
17392
        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
17393
        ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
17394
                         client_hello, &offset);
17395
        if (ret != 0)
17396
            return ret;
17397
    }
17398
    #endif
17399
0
#endif
17400
17401
    /* Wrap detection for the TLSX_Write calls above is handled inside
17402
     * TLSX_Write itself: any iteration that would push the local word16
17403
     * offset past 0xFFFF returns BUFFER_E so we never reach here with a
17404
     * truncated value. The TLS extensions block length prefix on the
17405
     * wire is a 2-byte field, matching this invariant. */
17406
17407
0
    if (offset > OPAQUE16_LEN || msgType != client_hello)
17408
0
        c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
17409
17410
0
     *pOffset += offset;
17411
17412
0
    return ret;
17413
0
}
17414
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
17415
17416
#if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_SERVER)
17417
17418
/** Tells the buffered size of extensions to be sent into the server hello. */
17419
int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength)
17420
0
{
17421
0
    int ret = 0;
17422
0
    word16 length = 0;
17423
0
    byte semaphore[SEMAPHORE_SIZE] = {0};
17424
17425
0
    switch (msgType) {
17426
0
#ifndef NO_WOLFSSL_SERVER
17427
0
        case server_hello:
17428
0
            PF_VALIDATE_RESPONSE(ssl, semaphore);
17429
0
        #ifdef WOLFSSL_TLS13
17430
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
17431
0
                    XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17432
0
                    TURN_OFF(semaphore,
17433
0
                                     TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
17434
0
                #if defined(HAVE_SUPPORTED_CURVES)
17435
                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17436
                    if (!ssl->options.noPskDheKe)
17437
                #endif
17438
0
                    {
17439
                        /* Expect KeyShare extension in ServerHello. */
17440
0
                        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17441
0
                    }
17442
0
                #endif
17443
                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17444
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
17445
                #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
17446
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
17447
                #endif
17448
                #endif
17449
0
                }
17450
0
            #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
17451
0
                else {
17452
0
                #ifdef HAVE_SUPPORTED_CURVES
17453
0
                    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17454
0
                #endif
17455
                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17456
                    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
17457
                #endif
17458
0
                }
17459
0
            #endif
17460
            #ifdef WOLFSSL_DTLS_CID
17461
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID));
17462
            #endif
17463
0
        #endif /* WOLFSSL_TLS13 */
17464
0
            break;
17465
17466
0
    #ifdef WOLFSSL_TLS13
17467
0
        case hello_retry_request:
17468
0
            XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17469
0
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
17470
0
        #ifdef HAVE_SUPPORTED_CURVES
17471
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17472
            if (!ssl->options.noPskDheKe)
17473
        #endif
17474
0
            {
17475
                /* Expect KeyShare extension in HelloRetryRequest. */
17476
0
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17477
0
            }
17478
0
        #endif
17479
        #ifdef WOLFSSL_SEND_HRR_COOKIE
17480
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
17481
        #endif
17482
#ifdef HAVE_ECH
17483
            /* send the special confirmation */
17484
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_ECH));
17485
#endif
17486
0
            break;
17487
0
    #endif
17488
17489
0
    #ifdef WOLFSSL_TLS13
17490
0
        case encrypted_extensions:
17491
            /* Send out all extension except those that are turned on. */
17492
0
        #ifdef HAVE_ECC
17493
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
17494
0
        #endif
17495
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
17496
        #ifdef HAVE_SESSION_TICKET
17497
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
17498
        #endif
17499
0
        #ifdef HAVE_SUPPORTED_CURVES
17500
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17501
0
        #endif
17502
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17503
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
17504
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
17505
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
17506
        #endif
17507
        #endif
17508
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
17509
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
17510
        #endif
17511
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
17512
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
17513
        #endif
17514
0
        #if defined(HAVE_SERVER_RENEGOTIATION_INFO)
17515
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_RENEGOTIATION_INFO));
17516
0
        #endif
17517
        #ifdef WOLFSSL_DTLS_CID
17518
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID));
17519
        #endif /* WOLFSSL_DTLS_CID */
17520
0
            break;
17521
17522
        #ifdef WOLFSSL_EARLY_DATA
17523
        case session_ticket:
17524
            if (ssl->options.tls1_3) {
17525
                XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17526
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
17527
            }
17528
            break;
17529
        #endif
17530
0
    #endif
17531
0
#endif
17532
17533
0
#ifdef WOLFSSL_TLS13
17534
0
    #ifndef NO_CERTS
17535
0
        case certificate:
17536
            /* Don't send out any extension except those that are turned off. */
17537
0
            XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17538
0
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
17539
            /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
17540
             *       TLSX_SERVER_CERTIFICATE_TYPE
17541
             */
17542
0
            break;
17543
0
    #endif
17544
0
#endif
17545
0
    }
17546
17547
0
#ifdef HAVE_EXTENDED_MASTER
17548
0
    if (ssl->options.haveEMS && msgType == server_hello &&
17549
0
                                              !IsAtLeastTLSv1_3(ssl->version)) {
17550
0
        length += HELLO_EXT_SZ;
17551
0
    }
17552
0
#endif
17553
17554
0
    if (TLSX_SupportExtensions(ssl)) {
17555
0
        ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length);
17556
0
        if (ret != 0)
17557
0
            return ret;
17558
0
    }
17559
17560
    /* All the response data is set at the ssl object only, so no ctx here. */
17561
17562
0
    if (length || msgType != server_hello)
17563
0
        length += OPAQUE16_LEN; /* for total length storage. */
17564
17565
0
    *pLength += length;
17566
17567
0
    return ret;
17568
0
}
17569
17570
/** Writes the server hello extensions into a buffer. */
17571
int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset)
17572
0
{
17573
0
    int ret = 0;
17574
0
    word16 offset = 0;
17575
17576
0
    if (TLSX_SupportExtensions(ssl) && output) {
17577
0
        byte semaphore[SEMAPHORE_SIZE] = {0};
17578
17579
0
        switch (msgType) {
17580
0
#ifndef NO_WOLFSSL_SERVER
17581
0
            case server_hello:
17582
0
                PF_VALIDATE_RESPONSE(ssl, semaphore);
17583
0
        #ifdef WOLFSSL_TLS13
17584
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
17585
0
                    XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17586
0
                    TURN_OFF(semaphore,
17587
0
                                     TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
17588
0
            #ifdef HAVE_SUPPORTED_CURVES
17589
                #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17590
                    if (!ssl->options.noPskDheKe)
17591
                #endif
17592
0
                    {
17593
                        /* Write out KeyShare in ServerHello. */
17594
0
                        TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17595
0
                    }
17596
0
            #endif
17597
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17598
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
17599
            #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
17600
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
17601
            #endif
17602
            #endif
17603
0
                }
17604
0
                else
17605
0
        #endif /* WOLFSSL_TLS13 */
17606
0
                {
17607
0
        #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS)
17608
0
            #ifdef HAVE_SUPPORTED_CURVES
17609
0
                    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17610
0
            #endif
17611
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17612
                    TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
17613
            #endif
17614
0
        #endif
17615
0
                    WC_DO_NOTHING; /* avoid empty brackets */
17616
0
                }
17617
        #ifdef WOLFSSL_DTLS_CID
17618
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID));
17619
        #endif /* WOLFSSL_DTLS_CID */
17620
0
                break;
17621
17622
0
    #ifdef WOLFSSL_TLS13
17623
0
            case hello_retry_request:
17624
0
                XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17625
0
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
17626
0
        #ifdef HAVE_SUPPORTED_CURVES
17627
            #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17628
                if (!ssl->options.noPskDheKe)
17629
            #endif
17630
0
                {
17631
                    /* Write out KeyShare in HelloRetryRequest. */
17632
0
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17633
0
                }
17634
0
        #endif
17635
0
                break;
17636
0
    #endif
17637
17638
0
    #ifdef WOLFSSL_TLS13
17639
0
            case encrypted_extensions:
17640
                /* Send out all extension except those that are turned on. */
17641
0
        #ifdef HAVE_ECC
17642
0
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS));
17643
0
        #endif
17644
0
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS));
17645
        #ifdef HAVE_SESSION_TICKET
17646
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET));
17647
        #endif
17648
0
        #ifdef HAVE_SUPPORTED_CURVES
17649
0
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE));
17650
0
        #endif
17651
        #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
17652
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
17653
        #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
17654
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
17655
        #endif
17656
        #endif
17657
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
17658
                TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
17659
        #endif
17660
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
17661
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2));
17662
        #endif
17663
0
        #if defined(HAVE_SERVER_RENEGOTIATION_INFO)
17664
0
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_RENEGOTIATION_INFO));
17665
0
        #endif
17666
        #ifdef WOLFSSL_DTLS_CID
17667
            TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID));
17668
        #endif /* WOLFSSL_DTLS_CID */
17669
0
                break;
17670
17671
        #ifdef WOLFSSL_EARLY_DATA
17672
            case session_ticket:
17673
                if (ssl->options.tls1_3) {
17674
                    XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17675
                    TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA));
17676
                }
17677
                break;
17678
        #endif
17679
0
    #endif
17680
0
#endif
17681
17682
0
    #ifdef WOLFSSL_TLS13
17683
0
        #ifndef NO_CERTS
17684
0
            case certificate:
17685
                /* Don't send out any extension except those that are turned
17686
                 * off. */
17687
0
                XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17688
0
                TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST));
17689
                /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP,
17690
                 *       TLSX_SERVER_CERTIFICATE_TYPE
17691
                 */
17692
0
                break;
17693
0
        #endif
17694
0
    #endif
17695
17696
0
            default:
17697
0
                break;
17698
0
        }
17699
17700
0
        offset += OPAQUE16_LEN; /* extensions length */
17701
17702
0
        ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
17703
0
                         msgType, &offset);
17704
0
        if (ret != 0)
17705
0
            return ret;
17706
17707
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
17708
        if (msgType == hello_retry_request) {
17709
            XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17710
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE));
17711
            ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
17712
                             msgType, &offset);
17713
            if (ret != 0)
17714
                return ret;
17715
        }
17716
#endif
17717
17718
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
17719
        /* write ECH last to promote interop with other implementations */
17720
        if (msgType == hello_retry_request) {
17721
            XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE);
17722
            TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_ECH));
17723
            ret = TLSX_Write(ssl->extensions, output + offset, semaphore,
17724
                             msgType, &offset);
17725
            if (ret != 0)
17726
                return ret;
17727
        }
17728
#endif
17729
17730
0
#ifdef HAVE_EXTENDED_MASTER
17731
0
        if (ssl->options.haveEMS && msgType == server_hello &&
17732
0
                                              !IsAtLeastTLSv1_3(ssl->version)) {
17733
0
            WOLFSSL_MSG("EMS extension to write");
17734
0
            c16toa(HELLO_EXT_EXTMS, output + offset);
17735
0
            offset += HELLO_EXT_TYPE_SZ;
17736
0
            c16toa(0, output + offset);
17737
0
            offset += HELLO_EXT_SZ_SZ;
17738
0
        }
17739
0
#endif
17740
17741
0
        if (offset > OPAQUE16_LEN || msgType != server_hello)
17742
0
            c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
17743
0
    }
17744
17745
0
    if (pOffset)
17746
0
        *pOffset += offset;
17747
17748
0
    return ret;
17749
0
}
17750
17751
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_SERVER */
17752
17753
#ifdef WOLFSSL_TLS13
17754
int TLSX_ParseVersion(WOLFSSL* ssl, const byte* input, word16 length,
17755
                      byte msgType, int* found)
17756
0
{
17757
0
    int ret = 0;
17758
0
    int offset = 0;
17759
17760
0
    *found = 0;
17761
0
    while (offset < (int)length) {
17762
0
        word16 type;
17763
0
        word16 size;
17764
17765
0
        if (offset + (2 * OPAQUE16_LEN) > length) {
17766
0
            ret = BUFFER_ERROR;
17767
0
            break;
17768
0
        }
17769
17770
0
        ato16(input + offset, &type);
17771
0
        offset += HELLO_EXT_TYPE_SZ;
17772
17773
0
        ato16(input + offset, &size);
17774
0
        offset += OPAQUE16_LEN;
17775
17776
0
        if (offset + size > length) {
17777
0
            ret = BUFFER_ERROR;
17778
0
            break;
17779
0
        }
17780
17781
0
        if (type == TLSX_SUPPORTED_VERSIONS) {
17782
0
            *found = 1;
17783
17784
0
            WOLFSSL_MSG("Supported Versions extension received");
17785
17786
0
            ret = SV_PARSE(ssl, input + offset, size, msgType, &ssl->version,
17787
0
                           &ssl->options, &ssl->extensions);
17788
0
            break;
17789
0
        }
17790
17791
0
        offset += size;
17792
0
    }
17793
17794
0
    return ret;
17795
0
}
17796
#endif
17797
/* Jump Table to check minimum size values for client case in TLSX_Parse */
17798
#ifndef NO_WOLFSSL_SERVER
17799
static word16 TLSX_GetMinSize_Client(word16* type)
17800
0
{
17801
0
    switch (*type) {
17802
0
        case TLSXT_SERVER_NAME:
17803
0
            return WOLFSSL_SNI_MIN_SIZE_CLIENT;
17804
0
        case TLSXT_EARLY_DATA:
17805
0
            return WOLFSSL_EDI_MIN_SIZE_CLIENT;
17806
0
        case TLSXT_MAX_FRAGMENT_LENGTH:
17807
0
            return WOLFSSL_MFL_MIN_SIZE_CLIENT;
17808
0
        case TLSXT_TRUSTED_CA_KEYS:
17809
0
            return WOLFSSL_TCA_MIN_SIZE_CLIENT;
17810
0
        case TLSXT_TRUNCATED_HMAC:
17811
0
            return WOLFSSL_THM_MIN_SIZE_CLIENT;
17812
0
        case TLSXT_STATUS_REQUEST:
17813
0
            return WOLFSSL_CSR_MIN_SIZE_CLIENT;
17814
0
        case TLSXT_SUPPORTED_GROUPS:
17815
0
            return WOLFSSL_EC_MIN_SIZE_CLIENT;
17816
0
        case TLSXT_EC_POINT_FORMATS:
17817
0
            return WOLFSSL_PF_MIN_SIZE_CLIENT;
17818
0
        case TLSXT_SIGNATURE_ALGORITHMS:
17819
0
            return WOLFSSL_SA_MIN_SIZE_CLIENT;
17820
0
        case TLSXT_USE_SRTP:
17821
0
            return WOLFSSL_SRTP_MIN_SIZE_CLIENT;
17822
0
        case TLSXT_APPLICATION_LAYER_PROTOCOL:
17823
0
            return WOLFSSL_ALPN_MIN_SIZE_CLIENT;
17824
0
        case TLSXT_STATUS_REQUEST_V2:
17825
0
            return WOLFSSL_CSR2_MIN_SIZE_CLIENT;
17826
0
        case TLSXT_CLIENT_CERTIFICATE:
17827
0
            return WOLFSSL_CCT_MIN_SIZE_CLIENT;
17828
0
        case TLSXT_SERVER_CERTIFICATE:
17829
0
            return WOLFSSL_SCT_MIN_SIZE_CLIENT;
17830
0
        case TLSXT_ENCRYPT_THEN_MAC:
17831
0
            return WOLFSSL_ETM_MIN_SIZE_CLIENT;
17832
0
        case TLSXT_SESSION_TICKET:
17833
0
            return WOLFSSL_STK_MIN_SIZE_CLIENT;
17834
0
        case TLSXT_PRE_SHARED_KEY:
17835
0
            return WOLFSSL_PSK_MIN_SIZE_CLIENT;
17836
0
        case TLSXT_COOKIE:
17837
0
            return WOLFSSL_CKE_MIN_SIZE_CLIENT;
17838
0
        case TLSXT_PSK_KEY_EXCHANGE_MODES:
17839
0
            return WOLFSSL_PKM_MIN_SIZE_CLIENT;
17840
0
        case TLSXT_CERT_WITH_EXTERN_PSK:
17841
0
            return WOLFSSL_CWEP_MIN_SIZE_CLIENT;
17842
0
        case TLSXT_CERTIFICATE_AUTHORITIES:
17843
0
            return WOLFSSL_CAN_MIN_SIZE_CLIENT;
17844
0
        case TLSXT_POST_HANDSHAKE_AUTH:
17845
0
            return WOLFSSL_PHA_MIN_SIZE_CLIENT;
17846
0
        case TLSXT_SIGNATURE_ALGORITHMS_CERT:
17847
0
            return WOLFSSL_SA_MIN_SIZE_CLIENT;
17848
0
        case TLSXT_KEY_SHARE:
17849
0
            return WOLFSSL_KS_MIN_SIZE_CLIENT;
17850
0
        case TLSXT_CONNECTION_ID:
17851
0
            return WOLFSSL_CID_MIN_SIZE_CLIENT;
17852
0
        case TLSXT_RENEGOTIATION_INFO:
17853
0
            return WOLFSSL_SCR_MIN_SIZE_CLIENT;
17854
0
        case TLSXT_KEY_QUIC_TP_PARAMS_DRAFT:
17855
0
            return WOLFSSL_QTP_MIN_SIZE_CLIENT;
17856
0
        case TLSXT_ECH:
17857
0
            return WOLFSSL_ECH_MIN_SIZE_CLIENT;
17858
0
        default:
17859
0
            return 0;
17860
0
    }
17861
0
}
17862
0
    #define TLSX_GET_MIN_SIZE_CLIENT(type) TLSX_GetMinSize_Client(type)
17863
#else
17864
    #define TLSX_GET_MIN_SIZE_CLIENT(type) 0
17865
#endif
17866
17867
17868
#ifndef NO_WOLFSSL_CLIENT
17869
/* Jump Table to check minimum size values for server case in TLSX_Parse */
17870
static word16 TLSX_GetMinSize_Server(const word16 *type)
17871
0
{
17872
0
    switch (*type) {
17873
0
        case TLSXT_SERVER_NAME:
17874
0
            return WOLFSSL_SNI_MIN_SIZE_SERVER;
17875
0
        case TLSXT_EARLY_DATA:
17876
0
            return WOLFSSL_EDI_MIN_SIZE_SERVER;
17877
0
        case TLSXT_MAX_FRAGMENT_LENGTH:
17878
0
            return WOLFSSL_MFL_MIN_SIZE_SERVER;
17879
0
        case TLSXT_TRUSTED_CA_KEYS:
17880
0
            return WOLFSSL_TCA_MIN_SIZE_SERVER;
17881
0
        case TLSXT_TRUNCATED_HMAC:
17882
0
            return WOLFSSL_THM_MIN_SIZE_SERVER;
17883
0
        case TLSXT_STATUS_REQUEST:
17884
0
            return WOLFSSL_CSR_MIN_SIZE_SERVER;
17885
0
        case TLSXT_SUPPORTED_GROUPS:
17886
0
            return WOLFSSL_EC_MIN_SIZE_SERVER;
17887
0
        case TLSXT_EC_POINT_FORMATS:
17888
0
            return WOLFSSL_PF_MIN_SIZE_SERVER;
17889
0
        case TLSXT_SIGNATURE_ALGORITHMS:
17890
0
            return WOLFSSL_SA_MIN_SIZE_SERVER;
17891
0
        case TLSXT_USE_SRTP:
17892
0
            return WOLFSSL_SRTP_MIN_SIZE_SERVER;
17893
0
        case TLSXT_APPLICATION_LAYER_PROTOCOL:
17894
0
            return WOLFSSL_ALPN_MIN_SIZE_SERVER;
17895
0
        case TLSXT_STATUS_REQUEST_V2:
17896
0
            return WOLFSSL_CSR2_MIN_SIZE_SERVER;
17897
0
        case TLSXT_CLIENT_CERTIFICATE:
17898
0
            return WOLFSSL_CCT_MIN_SIZE_SERVER;
17899
0
        case TLSXT_SERVER_CERTIFICATE:
17900
0
            return WOLFSSL_SCT_MIN_SIZE_SERVER;
17901
0
        case TLSXT_ENCRYPT_THEN_MAC:
17902
0
            return WOLFSSL_ETM_MIN_SIZE_SERVER;
17903
0
        case TLSXT_SESSION_TICKET:
17904
0
            return WOLFSSL_STK_MIN_SIZE_SERVER;
17905
0
        case TLSXT_PRE_SHARED_KEY:
17906
0
            return WOLFSSL_PSK_MIN_SIZE_SERVER;
17907
0
        case TLSXT_COOKIE:
17908
0
            return WOLFSSL_CKE_MIN_SIZE_SERVER;
17909
0
        case TLSXT_PSK_KEY_EXCHANGE_MODES:
17910
0
            return WOLFSSL_PKM_MIN_SIZE_SERVER;
17911
0
        case TLSXT_CERT_WITH_EXTERN_PSK:
17912
0
            return WOLFSSL_CWEP_MIN_SIZE_SERVER;
17913
0
        case TLSXT_CERTIFICATE_AUTHORITIES:
17914
0
            return WOLFSSL_CAN_MIN_SIZE_SERVER;
17915
0
        case TLSXT_POST_HANDSHAKE_AUTH:
17916
0
            return WOLFSSL_PHA_MIN_SIZE_SERVER;
17917
0
        case TLSXT_SIGNATURE_ALGORITHMS_CERT:
17918
0
            return WOLFSSL_SA_MIN_SIZE_SERVER;
17919
0
        case TLSXT_KEY_SHARE:
17920
0
            return WOLFSSL_KS_MIN_SIZE_SERVER;
17921
0
        case TLSXT_CONNECTION_ID:
17922
0
            return WOLFSSL_CID_MIN_SIZE_SERVER;
17923
0
        case TLSXT_RENEGOTIATION_INFO:
17924
0
            return WOLFSSL_SCR_MIN_SIZE_SERVER;
17925
0
        case TLSXT_KEY_QUIC_TP_PARAMS_DRAFT:
17926
0
            return WOLFSSL_QTP_MIN_SIZE_SERVER;
17927
0
        case TLSXT_ECH:
17928
0
            return WOLFSSL_ECH_MIN_SIZE_SERVER;
17929
0
        default:
17930
0
            return 0;
17931
0
    }
17932
0
}
17933
0
    #define TLSX_GET_MIN_SIZE_SERVER(type) TLSX_GetMinSize_Server(type)
17934
#else
17935
    #define TLSX_GET_MIN_SIZE_SERVER(type) 0
17936
#endif
17937
17938
17939
/** Parses a buffer of TLS extensions. */
17940
WOLFSSL_TEST_VIS int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length,
17941
                                byte msgType, Suites *suites)
17942
0
{
17943
0
    int ret = 0;
17944
0
    word16 offset = 0;
17945
0
    byte isRequest = (msgType == client_hello ||
17946
0
                      msgType == certificate_request);
17947
17948
0
#ifdef HAVE_EXTENDED_MASTER
17949
0
    byte pendingEMS = 0;
17950
0
#endif
17951
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
17952
    int pskDone = 0;
17953
#endif
17954
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
17955
    !defined(NO_PSK)
17956
    int secondClientHello = 0;
17957
    int prevHasPskWithCert = 0;
17958
#endif
17959
0
    byte seenType[SEMAPHORE_SIZE];  /* Seen known extensions. */
17960
17961
0
    if (!ssl || !input || (isRequest && !suites))
17962
0
        return BAD_FUNC_ARG;
17963
17964
    /* No known extensions seen yet. */
17965
0
    XMEMSET(seenType, 0, sizeof(seenType));
17966
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
17967
    !defined(NO_PSK)
17968
    if (IsAtLeastTLSv1_3(ssl->version) && msgType == client_hello &&
17969
            ssl->msgsReceived.got_client_hello == 2) {
17970
        secondClientHello = 1;
17971
        prevHasPskWithCert =
17972
            TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) != NULL;
17973
    }
17974
#endif
17975
17976
0
    while (ret == 0 && offset < length) {
17977
0
        word16 type;
17978
0
        word16 size;
17979
17980
#if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK))
17981
        if (msgType == client_hello && pskDone) {
17982
            WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR);
17983
            return PSK_KEY_ERROR;
17984
        }
17985
#endif
17986
17987
0
        if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN)
17988
0
            return BUFFER_ERROR;
17989
17990
0
        ato16(input + offset, &type);
17991
0
        offset += HELLO_EXT_TYPE_SZ;
17992
17993
0
        ato16(input + offset, &size);
17994
0
        offset += OPAQUE16_LEN;
17995
17996
        /* Check we have a bit for extension type. */
17997
0
        if ((type <= 62) || (type == TLSX_RENEGOTIATION_INFO)
17998
        #ifdef WOLFSSL_QUIC
17999
            || (type == TLSX_KEY_QUIC_TP_PARAMS_DRAFT)
18000
        #endif
18001
        #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
18002
            || (type == TLSX_ECH)
18003
        #endif
18004
        #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
18005
            || (type == TLSX_CKS)
18006
        #endif
18007
0
            )
18008
0
        {
18009
            /* Detect duplicate recognized extensions. */
18010
0
            if (IS_OFF(seenType, TLSX_ToSemaphore(type))) {
18011
0
                TURN_ON(seenType, TLSX_ToSemaphore(type));
18012
0
            }
18013
0
            else {
18014
0
                return DUPLICATE_TLS_EXT_E;
18015
0
            }
18016
0
        }
18017
18018
0
        if (length - offset < size)
18019
0
            return BUFFER_ERROR;
18020
18021
        /* Check minimum size required for TLSX, even if disabled */
18022
0
        switch (msgType) {
18023
0
            #ifndef NO_WOLFSSL_SERVER
18024
0
            case client_hello:
18025
0
                if (size < TLSX_GET_MIN_SIZE_CLIENT(&type)){
18026
0
                    WOLFSSL_MSG("Minimum TLSX Size Requirement not Satisfied");
18027
0
                    return BUFFER_ERROR;
18028
0
                }
18029
0
            break;
18030
0
            #endif
18031
0
            #ifndef NO_WOLFSSL_CLIENT
18032
0
            case server_hello:
18033
0
            case hello_retry_request:
18034
0
                if (size < TLSX_GET_MIN_SIZE_SERVER(&type)){
18035
0
                    WOLFSSL_MSG("Minimum TLSX Size Requirement not Satisfied");
18036
0
                    return BUFFER_ERROR;
18037
0
                }
18038
0
            break;
18039
0
            #endif
18040
0
            default:
18041
0
            break;
18042
0
        }
18043
18044
0
#ifdef WOLFSSL_TLS13
18045
        /* RFC 8446 4.4.2: extensions in a Certificate message MUST
18046
         * correspond to ones offered in our prior ClientHello (client) or
18047
         * CertificateRequest (server). Reject anything we did not offer. */
18048
0
        if (msgType == certificate &&
18049
0
            IsAtLeastTLSv1_3(ssl->version) &&
18050
0
            TLSX_Find(ssl->extensions, (TLSX_Type)type) == NULL) {
18051
0
            WOLFSSL_MSG("Cert-msg extension not offered in CH/CR");
18052
0
            SendAlert(ssl, alert_fatal, unsupported_extension);
18053
0
            WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION);
18054
0
            return UNSUPPORTED_EXTENSION;
18055
0
        }
18056
0
#endif
18057
18058
0
        switch (type) {
18059
0
#ifdef HAVE_SNI
18060
0
            case TLSX_SERVER_NAME:
18061
0
                WOLFSSL_MSG("SNI extension received");
18062
            #ifdef WOLFSSL_DEBUG_TLS
18063
                WOLFSSL_BUFFER(input + offset, size);
18064
            #endif
18065
18066
0
#ifdef WOLFSSL_TLS13
18067
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
18068
0
                    if (msgType != client_hello &&
18069
0
                        msgType != encrypted_extensions)
18070
0
                        return EXT_NOT_ALLOWED;
18071
0
                }
18072
0
                else
18073
0
#endif
18074
0
                {
18075
0
                    if (msgType != client_hello &&
18076
0
                        msgType != server_hello)
18077
0
                        return EXT_NOT_ALLOWED;
18078
0
                }
18079
0
                ret = SNI_PARSE(ssl, input + offset, size, isRequest);
18080
0
                break;
18081
0
#endif
18082
18083
0
            case TLSX_TRUSTED_CA_KEYS:
18084
0
                WOLFSSL_MSG("Trusted CA extension received");
18085
            #ifdef WOLFSSL_DEBUG_TLS
18086
                WOLFSSL_BUFFER(input + offset, size);
18087
            #endif
18088
18089
0
#ifdef WOLFSSL_TLS13
18090
                /* RFC 8446 4.2.4 states trusted_ca_keys is not used
18091
                   in TLS 1.3. */
18092
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
18093
0
                    break;
18094
0
                }
18095
0
                else
18096
0
#endif
18097
0
                {
18098
0
                    if (msgType != client_hello &&
18099
0
                        msgType != server_hello)
18100
0
                        return EXT_NOT_ALLOWED;
18101
0
                }
18102
0
                ret = TCA_PARSE(ssl, input + offset, size, isRequest);
18103
0
                break;
18104
18105
0
            case TLSX_MAX_FRAGMENT_LENGTH:
18106
0
                WOLFSSL_MSG("Max Fragment Length extension received");
18107
            #ifdef WOLFSSL_DEBUG_TLS
18108
                WOLFSSL_BUFFER(input + offset, size);
18109
            #endif
18110
18111
0
#ifdef WOLFSSL_TLS13
18112
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
18113
0
                    if (msgType != client_hello &&
18114
0
                        msgType != encrypted_extensions) {
18115
0
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18116
0
                        return EXT_NOT_ALLOWED;
18117
0
                    }
18118
0
                }
18119
0
                else
18120
0
#endif
18121
0
                {
18122
0
                    if (msgType != client_hello &&
18123
0
                        msgType != server_hello) {
18124
0
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18125
0
                        return EXT_NOT_ALLOWED;
18126
0
                    }
18127
0
                }
18128
0
                ret = MFL_PARSE(ssl, input + offset, size, isRequest);
18129
0
                break;
18130
18131
0
            case TLSX_TRUNCATED_HMAC:
18132
0
                WOLFSSL_MSG("Truncated HMAC extension received");
18133
            #ifdef WOLFSSL_DEBUG_TLS
18134
                WOLFSSL_BUFFER(input + offset, size);
18135
            #endif
18136
18137
0
#ifdef WOLFSSL_TLS13
18138
0
                if (IsAtLeastTLSv1_3(ssl->version))
18139
0
                    break;
18140
0
#endif
18141
0
                if (msgType != client_hello)
18142
0
                    return EXT_NOT_ALLOWED;
18143
0
                ret = THM_PARSE(ssl, input + offset, size, isRequest);
18144
0
                break;
18145
18146
0
            case TLSX_SUPPORTED_GROUPS:
18147
0
                WOLFSSL_MSG("Supported Groups extension received");
18148
            #ifdef WOLFSSL_DEBUG_TLS
18149
                WOLFSSL_BUFFER(input + offset, size);
18150
            #endif
18151
18152
0
#ifdef WOLFSSL_TLS13
18153
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
18154
0
                    if (msgType != client_hello &&
18155
0
                        msgType != encrypted_extensions) {
18156
0
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18157
0
                        return EXT_NOT_ALLOWED;
18158
0
                    }
18159
0
                }
18160
0
                else
18161
0
#endif
18162
0
                {
18163
0
                    if (msgType != client_hello) {
18164
0
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18165
0
                        return EXT_NOT_ALLOWED;
18166
0
                    }
18167
0
                }
18168
0
                ret = EC_PARSE(ssl, input + offset, size, isRequest,
18169
0
                        &ssl->extensions);
18170
0
                break;
18171
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS)
18172
            case TLSX_CKS:
18173
                WOLFSSL_MSG("CKS extension received");
18174
                if (msgType != client_hello &&
18175
                     msgType != encrypted_extensions) {
18176
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18177
                        return EXT_NOT_ALLOWED;
18178
                }
18179
                ret = TLSX_CKS_Parse(ssl, (byte *)(input + offset), size,
18180
                                     &ssl->extensions);
18181
            break;
18182
#endif /* WOLFSSL_DUAL_ALG_CERTS */
18183
0
            case TLSX_EC_POINT_FORMATS:
18184
0
                WOLFSSL_MSG("Point Formats extension received");
18185
            #ifdef WOLFSSL_DEBUG_TLS
18186
                WOLFSSL_BUFFER(input + offset, size);
18187
            #endif
18188
18189
0
#ifdef WOLFSSL_TLS13
18190
0
                if (IsAtLeastTLSv1_3(ssl->version))
18191
0
                    break;
18192
0
#endif
18193
0
                if (msgType != client_hello &&
18194
0
                    msgType != server_hello) {
18195
0
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18196
0
                    return EXT_NOT_ALLOWED;
18197
0
                }
18198
18199
0
                ret = PF_PARSE(ssl, input + offset, size, isRequest);
18200
0
                break;
18201
18202
0
            case TLSX_STATUS_REQUEST:
18203
0
                WOLFSSL_MSG("Certificate Status Request extension received");
18204
            #ifdef WOLFSSL_DEBUG_TLS
18205
                WOLFSSL_BUFFER(input + offset, size);
18206
            #endif
18207
18208
0
#ifdef WOLFSSL_TLS13
18209
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
18210
0
                    if (msgType != client_hello &&
18211
0
                        msgType != certificate_request &&
18212
0
                        msgType != certificate)
18213
0
                        return EXT_NOT_ALLOWED;
18214
0
                }
18215
0
                else
18216
0
 #endif
18217
0
                {
18218
0
                    if (msgType != client_hello &&
18219
0
                        msgType != server_hello)
18220
0
                        return EXT_NOT_ALLOWED;
18221
0
                }
18222
0
                ret = CSR_PARSE(ssl, input + offset, size, isRequest);
18223
0
                break;
18224
18225
0
            case TLSX_STATUS_REQUEST_V2:
18226
0
                WOLFSSL_MSG("Certificate Status Request v2 extension received");
18227
            #ifdef WOLFSSL_DEBUG_TLS
18228
                WOLFSSL_BUFFER(input + offset, size);
18229
            #endif
18230
18231
#if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
18232
                if (IsAtLeastTLSv1_3(ssl->version)) {
18233
                    if (msgType != client_hello &&
18234
                        msgType != certificate_request &&
18235
                        msgType != certificate)
18236
                        return EXT_NOT_ALLOWED;
18237
                }
18238
                else
18239
#endif
18240
0
                {
18241
0
                    if (msgType != client_hello &&
18242
0
                        msgType != server_hello)
18243
0
                        return EXT_NOT_ALLOWED;
18244
0
                }
18245
0
                ret = CSR2_PARSE(ssl, input + offset, size, isRequest);
18246
0
                break;
18247
18248
0
#ifdef HAVE_EXTENDED_MASTER
18249
0
            case HELLO_EXT_EXTMS:
18250
0
                WOLFSSL_MSG("Extended Master Secret extension received");
18251
            #ifdef WOLFSSL_DEBUG_TLS
18252
                WOLFSSL_BUFFER(input + offset, size);
18253
            #endif
18254
18255
0
#if defined(WOLFSSL_TLS13)
18256
0
                if (IsAtLeastTLSv1_3(ssl->version))
18257
0
                    break;
18258
0
#endif
18259
0
                if (msgType != client_hello &&
18260
0
                    msgType != server_hello)
18261
0
                    return EXT_NOT_ALLOWED;
18262
0
                if (size != 0)
18263
0
                    return BUFFER_ERROR;
18264
18265
0
#ifndef NO_WOLFSSL_SERVER
18266
0
                if (isRequest)
18267
0
                    ssl->options.haveEMS = 1;
18268
0
#endif
18269
0
                pendingEMS = 1;
18270
0
                break;
18271
0
#endif
18272
18273
0
            case TLSX_RENEGOTIATION_INFO:
18274
0
                WOLFSSL_MSG("Secure Renegotiation extension received");
18275
            #ifdef WOLFSSL_DEBUG_TLS
18276
                WOLFSSL_BUFFER(input + offset, size);
18277
            #endif
18278
18279
0
#ifdef WOLFSSL_TLS13
18280
0
                if (IsAtLeastTLSv1_3(ssl->version))
18281
0
                    break;
18282
0
#endif
18283
0
                if (msgType != client_hello &&
18284
0
                    msgType != server_hello)
18285
0
                    return EXT_NOT_ALLOWED;
18286
0
                ret = SCR_PARSE(ssl, input + offset, size, isRequest);
18287
0
                break;
18288
18289
0
            case TLSX_SESSION_TICKET:
18290
0
                WOLFSSL_MSG("Session Ticket extension received");
18291
            #ifdef WOLFSSL_DEBUG_TLS
18292
                WOLFSSL_BUFFER(input + offset, size);
18293
            #endif
18294
18295
#if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET)
18296
                if (IsAtLeastTLSv1_3(ssl->version)) {
18297
                    if (msgType != client_hello)
18298
                        return EXT_NOT_ALLOWED;
18299
                }
18300
                else
18301
#endif
18302
0
                {
18303
0
                    if (msgType != client_hello &&
18304
0
                        msgType != server_hello)
18305
0
                        return EXT_NOT_ALLOWED;
18306
0
                }
18307
0
                ret = WOLF_STK_PARSE(ssl, input + offset, size, isRequest);
18308
0
                break;
18309
18310
0
            case TLSX_APPLICATION_LAYER_PROTOCOL:
18311
0
                WOLFSSL_MSG("ALPN extension received");
18312
18313
            #ifdef WOLFSSL_DEBUG_TLS
18314
                WOLFSSL_BUFFER(input + offset, size);
18315
            #endif
18316
18317
#if defined(WOLFSSL_TLS13) && defined(HAVE_ALPN)
18318
                if (IsAtLeastTLSv1_3(ssl->version)) {
18319
                    if (msgType != client_hello &&
18320
                        msgType != encrypted_extensions)
18321
                        return EXT_NOT_ALLOWED;
18322
                }
18323
                else
18324
#endif
18325
0
                {
18326
0
                    if (msgType != client_hello &&
18327
0
                        msgType != server_hello)
18328
0
                        return EXT_NOT_ALLOWED;
18329
0
                }
18330
0
                ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
18331
0
                break;
18332
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
18333
0
            case TLSX_SIGNATURE_ALGORITHMS:
18334
0
                WOLFSSL_MSG("Signature Algorithms extension received");
18335
            #ifdef WOLFSSL_DEBUG_TLS
18336
                WOLFSSL_BUFFER(input + offset, size);
18337
            #endif
18338
18339
0
                if (!IsAtLeastTLSv1_2(ssl))
18340
0
                    break;
18341
0
            #ifdef WOLFSSL_TLS13
18342
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
18343
0
                    if (msgType != client_hello &&
18344
0
                        msgType != certificate_request)
18345
0
                        return EXT_NOT_ALLOWED;
18346
0
                }
18347
0
                else
18348
0
            #endif
18349
0
                {
18350
0
                    if (msgType != client_hello)
18351
0
                        return EXT_NOT_ALLOWED;
18352
0
                }
18353
0
                ret = SA_PARSE(ssl, input + offset, size, isRequest, suites);
18354
0
                break;
18355
0
#endif
18356
18357
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18358
0
            case TLSX_ENCRYPT_THEN_MAC:
18359
0
                WOLFSSL_MSG("Encrypt-Then-Mac extension received");
18360
18361
                /* Ignore for TLS 1.3+ */
18362
0
                if (IsAtLeastTLSv1_3(ssl->version))
18363
0
                    break;
18364
0
                if (msgType != client_hello &&
18365
0
                    msgType != server_hello)
18366
0
                    return EXT_NOT_ALLOWED;
18367
18368
0
                ret = ETM_PARSE(ssl, input + offset, size, msgType);
18369
0
                break;
18370
0
#endif /* HAVE_ENCRYPT_THEN_MAC */
18371
18372
0
#ifdef WOLFSSL_TLS13
18373
0
            case TLSX_SUPPORTED_VERSIONS:
18374
0
                WOLFSSL_MSG("Skipping Supported Versions - already processed");
18375
            #ifdef WOLFSSL_DEBUG_TLS
18376
                WOLFSSL_BUFFER(input + offset, size);
18377
            #endif
18378
0
                if (msgType != client_hello &&
18379
0
                    msgType != server_hello &&
18380
0
                    msgType != hello_retry_request)
18381
0
                    return EXT_NOT_ALLOWED;
18382
18383
0
                break;
18384
18385
0
            case TLSX_COOKIE:
18386
0
                WOLFSSL_MSG("Cookie extension received");
18387
            #ifdef WOLFSSL_DEBUG_TLS
18388
                WOLFSSL_BUFFER(input + offset, size);
18389
            #endif
18390
0
                if (!IsAtLeastTLSv1_3(ssl->version))
18391
0
                    break;
18392
18393
0
                if (msgType != client_hello &&
18394
0
                    msgType != hello_retry_request) {
18395
0
                    return EXT_NOT_ALLOWED;
18396
0
                }
18397
18398
0
                ret = CKE_PARSE(ssl, input + offset, size, msgType);
18399
0
                break;
18400
18401
    #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
18402
            case TLSX_PRE_SHARED_KEY:
18403
                WOLFSSL_MSG("Pre-Shared Key extension received");
18404
            #ifdef WOLFSSL_DEBUG_TLS
18405
                WOLFSSL_BUFFER(input + offset, size);
18406
            #endif
18407
18408
                if (!IsAtLeastTLSv1_3(ssl->version))
18409
                    break;
18410
18411
                if (msgType != client_hello &&
18412
                    msgType != server_hello) {
18413
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18414
                    return EXT_NOT_ALLOWED;
18415
                }
18416
18417
                ret = PSK_PARSE(ssl, input + offset, size, msgType);
18418
                pskDone = 1;
18419
                break;
18420
18421
            case TLSX_PSK_KEY_EXCHANGE_MODES:
18422
                WOLFSSL_MSG("PSK Key Exchange Modes extension received");
18423
            #ifdef WOLFSSL_DEBUG_TLS
18424
                WOLFSSL_BUFFER(input + offset, size);
18425
            #endif
18426
18427
                if (!IsAtLeastTLSv1_3(ssl->version))
18428
                    break;
18429
18430
                if (msgType != client_hello) {
18431
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18432
                    return EXT_NOT_ALLOWED;
18433
                }
18434
18435
                ret = PKM_PARSE(ssl, input + offset, size, msgType);
18436
                break;
18437
18438
    #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK
18439
            case TLSX_CERT_WITH_EXTERN_PSK:
18440
                WOLFSSL_MSG("Cert with external PSK extension received");
18441
            #ifdef WOLFSSL_DEBUG_TLS
18442
                WOLFSSL_BUFFER(input + offset, size);
18443
            #endif
18444
18445
                if (!IsAtLeastTLSv1_3(ssl->version))
18446
                    break;
18447
18448
                if (msgType != client_hello && msgType != server_hello) {
18449
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18450
                    return EXT_NOT_ALLOWED;
18451
                }
18452
                if (size != 0) {
18453
                    WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
18454
                    return BUFFER_ERROR;
18455
                }
18456
18457
                ret = PSK_WITH_CERT_PARSE(ssl, msgType);
18458
                break;
18459
    #endif
18460
    #endif
18461
18462
    #ifdef WOLFSSL_EARLY_DATA
18463
            case TLSX_EARLY_DATA:
18464
                WOLFSSL_MSG("Early Data extension received");
18465
            #ifdef WOLFSSL_DEBUG_TLS
18466
                WOLFSSL_BUFFER(input + offset, size);
18467
            #endif
18468
18469
                if (!IsAtLeastTLSv1_3(ssl->version))
18470
                    break;
18471
18472
                if (msgType != client_hello && msgType != session_ticket &&
18473
                    msgType != encrypted_extensions) {
18474
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18475
                    return EXT_NOT_ALLOWED;
18476
                }
18477
                ret = EDI_PARSE(ssl, input + offset, size, msgType);
18478
                break;
18479
    #endif
18480
18481
    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
18482
            case TLSX_POST_HANDSHAKE_AUTH:
18483
                WOLFSSL_MSG("Post Handshake Authentication extension received");
18484
            #ifdef WOLFSSL_DEBUG_TLS
18485
                WOLFSSL_BUFFER(input + offset, size);
18486
            #endif
18487
18488
                if (!IsAtLeastTLSv1_3(ssl->version))
18489
                    break;
18490
18491
                if (msgType != client_hello) {
18492
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18493
                    return EXT_NOT_ALLOWED;
18494
                }
18495
18496
                ret = PHA_PARSE(ssl, input + offset, size, msgType);
18497
                break;
18498
    #endif
18499
18500
0
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG)
18501
0
            case TLSX_SIGNATURE_ALGORITHMS_CERT:
18502
0
                WOLFSSL_MSG("Signature Algorithms extension received");
18503
            #ifdef WOLFSSL_DEBUG_TLS
18504
                WOLFSSL_BUFFER(input + offset, size);
18505
            #endif
18506
18507
0
                if (!IsAtLeastTLSv1_3(ssl->version))
18508
0
                    break;
18509
18510
0
                if (msgType != client_hello &&
18511
0
                        msgType != certificate_request) {
18512
0
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18513
0
                    return EXT_NOT_ALLOWED;
18514
0
                }
18515
18516
0
                ret = SAC_PARSE(ssl, input + offset, size, isRequest);
18517
0
                break;
18518
0
    #endif
18519
18520
    #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES)
18521
            case TLSX_CERTIFICATE_AUTHORITIES:
18522
                WOLFSSL_MSG("Certificate Authorities extension received");
18523
            #ifdef WOLFSSL_DEBUG_TLS
18524
                WOLFSSL_BUFFER(input + offset, size);
18525
            #endif
18526
18527
                if (!IsAtLeastTLSv1_3(ssl->version))
18528
                    break;
18529
18530
                if (msgType != client_hello &&
18531
                        msgType != certificate_request) {
18532
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18533
                    return EXT_NOT_ALLOWED;
18534
                }
18535
18536
                ret = CAN_PARSE(ssl, input + offset, size, isRequest);
18537
                break;
18538
    #endif
18539
18540
0
            case TLSX_KEY_SHARE:
18541
0
                WOLFSSL_MSG("Key Share extension received");
18542
            #ifdef WOLFSSL_DEBUG_TLS
18543
                WOLFSSL_BUFFER(input + offset, size);
18544
            #endif
18545
18546
0
    #ifdef HAVE_SUPPORTED_CURVES
18547
0
                if (!IsAtLeastTLSv1_3(ssl->version))
18548
0
                    break;
18549
18550
0
                if (msgType != client_hello && msgType != server_hello &&
18551
0
                        msgType != hello_retry_request) {
18552
0
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18553
0
                    return EXT_NOT_ALLOWED;
18554
0
                }
18555
0
    #endif
18556
18557
0
                ret = KS_PARSE(ssl, input + offset, size, msgType);
18558
0
                break;
18559
0
#endif
18560
#ifdef WOLFSSL_SRTP
18561
            case TLSX_USE_SRTP:
18562
                WOLFSSL_MSG("Use SRTP extension received");
18563
18564
#if defined(WOLFSSL_TLS13)
18565
                if (IsAtLeastTLSv1_3(ssl->version)) {
18566
                    if (msgType != client_hello &&
18567
                        msgType != encrypted_extensions)
18568
                        return EXT_NOT_ALLOWED;
18569
                }
18570
                else
18571
#endif
18572
                {
18573
                    if (msgType != client_hello &&
18574
                        msgType != server_hello)
18575
                        return EXT_NOT_ALLOWED;
18576
                }
18577
                ret = SRTP_PARSE(ssl, input + offset, size, isRequest);
18578
                break;
18579
#endif
18580
#ifdef WOLFSSL_QUIC
18581
            case TLSX_KEY_QUIC_TP_PARAMS:
18582
                FALL_THROUGH;
18583
            case TLSX_KEY_QUIC_TP_PARAMS_DRAFT:
18584
                WOLFSSL_MSG("QUIC transport parameter received");
18585
            #ifdef WOLFSSL_DEBUG_TLS
18586
                WOLFSSL_BUFFER(input + offset, size);
18587
            #endif
18588
18589
                if (IsAtLeastTLSv1_3(ssl->version) &&
18590
                        msgType != client_hello &&
18591
                        msgType != encrypted_extensions) {
18592
                    return EXT_NOT_ALLOWED;
18593
                }
18594
                else if (!IsAtLeastTLSv1_3(ssl->version) &&
18595
                         msgType == encrypted_extensions) {
18596
                    return EXT_NOT_ALLOWED;
18597
                }
18598
                else if (WOLFSSL_IS_QUIC(ssl)) {
18599
                    ret = QTP_PARSE(ssl, input + offset, size, type, msgType);
18600
                }
18601
                else {
18602
                    WOLFSSL_MSG("QUIC transport param TLS extension type, but no QUIC");
18603
                    return EXT_NOT_ALLOWED; /* be safe, this should not happen */
18604
                }
18605
                break;
18606
#endif /* WOLFSSL_QUIC */
18607
#if defined(WOLFSSL_DTLS_CID)
18608
            case TLSX_CONNECTION_ID:
18609
                if (msgType != client_hello && msgType != server_hello)
18610
                    return EXT_NOT_ALLOWED;
18611
18612
                WOLFSSL_MSG("ConnectionID extension received");
18613
                ret = CID_PARSE(ssl, input + offset, size, isRequest);
18614
                break;
18615
18616
#endif /* defined(WOLFSSL_DTLS_CID) */
18617
#if defined(HAVE_RPK)
18618
            case TLSX_CLIENT_CERTIFICATE_TYPE:
18619
                WOLFSSL_MSG("Client Certificate Type extension received");
18620
#if defined(WOLFSSL_TLS13)
18621
                /* RFC 8446, Section 4.2 (Extensions), client_certificate_type
18622
                   and server_certificate_type MUST be sent in ClientHello(CH)
18623
                   or EncryptedExtensions(EE) */
18624
                if (IsAtLeastTLSv1_3(ssl->version)) {
18625
                    if (msgType != client_hello &&
18626
                        msgType != encrypted_extensions) {
18627
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18628
                        return EXT_NOT_ALLOWED;
18629
                    }
18630
                }
18631
                else
18632
#endif
18633
                {
18634
                    /* TLS 1.2: allowed in CH and SH (RFC 7250) */
18635
                    if (msgType != client_hello &&
18636
                        msgType != server_hello) {
18637
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18638
                        return EXT_NOT_ALLOWED;
18639
                    }
18640
                }
18641
                ret = CCT_PARSE(ssl, input + offset, size, msgType);
18642
                break;
18643
18644
            case TLSX_SERVER_CERTIFICATE_TYPE:
18645
                WOLFSSL_MSG("Server Certificate Type extension received");
18646
#if defined(WOLFSSL_TLS13)
18647
                /* RFC 8446, Section 4.2 (Extensions) */
18648
                if (IsAtLeastTLSv1_3(ssl->version)) {
18649
                    if (msgType != client_hello &&
18650
                        msgType != encrypted_extensions) {
18651
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18652
                        return EXT_NOT_ALLOWED;
18653
                    }
18654
                }
18655
                else
18656
#endif
18657
                {
18658
                    /* TLS 1.2: allowed in CH and SH (RFC 7250) */
18659
                    if (msgType != client_hello &&
18660
                        msgType != server_hello) {
18661
                        WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18662
                        return EXT_NOT_ALLOWED;
18663
                    }
18664
                }
18665
                ret = SCT_PARSE(ssl, input + offset, size, msgType);
18666
                break;
18667
#endif /* HAVE_RPK */
18668
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
18669
            case TLSX_ECH:
18670
                WOLFSSL_MSG("ECH extension received");
18671
                if (!IsAtLeastTLSv1_3(ssl->version))
18672
                    break;
18673
18674
                if (msgType != client_hello &&
18675
                    msgType != encrypted_extensions &&
18676
                    msgType != hello_retry_request) {
18677
                    return EXT_NOT_ALLOWED;
18678
                }
18679
18680
                ret = ECH_PARSE(ssl, input + offset, size, msgType);
18681
                break;
18682
            case TLSXT_ECH_OUTER_EXTENSIONS:
18683
                /* RFC 9849 s5.1: ech_outer_extensions MUST only appear in
18684
                 * the EncodedClientHelloInner */
18685
                WOLFSSL_MSG("ech_outer_extensions in plaintext message");
18686
                WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
18687
                return INVALID_PARAMETER;
18688
#endif
18689
0
            default:
18690
0
                WOLFSSL_MSG("Unknown TLS extension type");
18691
0
#if defined(WOLFSSL_TLS13)
18692
                /* RFC 8446 Sec. 4.2: a TLS 1.3 client MUST abort with an
18693
                 * unsupported_extension alert when it receives an extension
18694
                 * "response" that was not advertised in the ClientHello. The
18695
                 * rule applies only to messages whose extensions are responses
18696
                 * to the ClientHello: ServerHello, HelloRetryRequest,
18697
                 * EncryptedExtensions and Certificate.
18698
                 *
18699
                 * Extensions in CertificateRequest and NewSessionTicket are
18700
                 * independent server-initiated payloads, not responses, and
18701
                 * per RFC 8701 (GREASE) the server MAY include unknown
18702
                 * (GREASE) extension types there which the client MUST treat
18703
                 * like any other unknown value (i.e. ignore them). */
18704
0
                if (IsAtLeastTLSv1_3(ssl->version) &&
18705
0
                        (msgType == server_hello ||
18706
0
                         msgType == hello_retry_request ||
18707
0
                         msgType == encrypted_extensions ||
18708
0
                         msgType == certificate)) {
18709
0
                    SendAlert((WOLFSSL*)ssl, alert_fatal, unsupported_extension);
18710
0
                    WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION);
18711
0
                    return UNSUPPORTED_EXTENSION;
18712
0
                }
18713
0
#endif
18714
0
        }
18715
18716
        /* offset should be updated here! */
18717
0
        offset += size;
18718
0
    }
18719
18720
0
#ifdef HAVE_EXTENDED_MASTER
18721
0
    if (IsAtLeastTLSv1_3(ssl->version) &&
18722
0
        (msgType == hello_retry_request || msgType == hello_verify_request)) {
18723
        /* Don't change EMS status until server_hello received.
18724
         * Second ClientHello must have same extensions.
18725
         */
18726
0
    }
18727
0
    else if (!isRequest && ssl->options.haveEMS && !pendingEMS)
18728
0
        ssl->options.haveEMS = 0;
18729
0
#endif
18730
#if defined(WOLFSSL_TLS13) && !defined(NO_PSK)
18731
    if (IsAtLeastTLSv1_3(ssl->version) && msgType == server_hello &&
18732
        IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE))) {
18733
        ssl->options.noPskDheKe = 1;
18734
    }
18735
#endif
18736
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \
18737
    !defined(NO_PSK)
18738
    if (IsAtLeastTLSv1_3(ssl->version)) {
18739
        int hasPskWithCert = !IS_OFF(seenType,
18740
            TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK));
18741
        if (hasPskWithCert && ssl->options.certWithExternPsk) {
18742
            int hasPsk = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY));
18743
            int hasPskModes = !IS_OFF(seenType,
18744
                TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES));
18745
            int hasKeyShare = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE));
18746
            int hasSg = !IS_OFF(seenType,
18747
                TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
18748
            int hasSigAlg = !IS_OFF(seenType,
18749
                TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS));
18750
#ifdef WOLFSSL_EARLY_DATA
18751
            int hasEarlyData = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_EARLY_DATA));
18752
#endif
18753
18754
            if (msgType == client_hello && isRequest) {
18755
                TLSX* pskm;
18756
                /* RFC8773bis: CH2 after HRR must keep CH1's extension set. */
18757
                if (secondClientHello && !prevHasPskWithCert) {
18758
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18759
                    return EXT_NOT_ALLOWED;
18760
                }
18761
                /* RFC8773bis: cert_with_extern_psk depends on these extensions. */
18762
                if (!hasPsk || !hasPskModes || !hasKeyShare || !hasSg ||
18763
                    !hasSigAlg) {
18764
                    WOLFSSL_ERROR_VERBOSE(EXT_MISSING);
18765
                    return EXT_MISSING;
18766
                }
18767
#ifdef WOLFSSL_EARLY_DATA
18768
                /* External PSK + certificate mode forbids 0-RTT in CH.
18769
                 * When WOLFSSL_EARLY_DATA is not defined there is no parser
18770
                 * case for TLSX_EARLY_DATA, so an incoming early_data
18771
                 * extension is treated as unknown and ignored per RFC 8446
18772
                 * Sect. 4.2 - no additional check is needed in that case. */
18773
                if (hasEarlyData) {
18774
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18775
                    return EXT_NOT_ALLOWED;
18776
                }
18777
#endif
18778
                pskm = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
18779
                /* RFC8773bis requires client support for psk_dhe_ke mode. */
18780
                if (pskm == NULL || (pskm->val & (1 << PSK_DHE_KE)) == 0) {
18781
                    WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18782
                    return EXT_NOT_ALLOWED;
18783
                }
18784
            }
18785
            else if (msgType == server_hello && !isRequest) {
18786
                /* SH confirming cert_with_extern_psk must also confirm PSK and KSE. */
18787
                if (!hasPsk || !hasKeyShare) {
18788
                    WOLFSSL_ERROR_VERBOSE(EXT_MISSING);
18789
                    return EXT_MISSING;
18790
                }
18791
            }
18792
        }
18793
        else if (msgType == client_hello && isRequest && secondClientHello &&
18794
                prevHasPskWithCert) {
18795
            /* RFC8773bis: reject dropping the extension in CH2 after HRR. */
18796
            WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED);
18797
            return EXT_NOT_ALLOWED;
18798
        }
18799
    }
18800
#endif
18801
0
#if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)
18802
    /* RFC 8446 Section 9.2: ClientHello with KeyShare must
18803
     * contain SupportedGroups and vice-versa. */
18804
0
    if (IsAtLeastTLSv1_3(ssl->version) && msgType == client_hello && isRequest) {
18805
0
        int hasKeyShare = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE));
18806
0
        int hasSupportedGroups = !IS_OFF(seenType,
18807
0
            TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
18808
18809
0
        if (hasKeyShare && !hasSupportedGroups) {
18810
0
            WOLFSSL_MSG("ClientHello with KeyShare extension missing required "
18811
0
                        "SupportedGroups extension");
18812
0
            return INCOMPLETE_DATA;
18813
0
        }
18814
0
        if (hasSupportedGroups && !hasKeyShare) {
18815
0
            WOLFSSL_MSG("ClientHello with SupportedGroups extension missing "
18816
0
                        "required KeyShare extension");
18817
0
            return INCOMPLETE_DATA;
18818
0
        }
18819
0
    }
18820
0
#endif
18821
18822
#if defined(WOLFSSL_TLS13) && defined(HAVE_ECH)
18823
    /* Reconcile ECH inner/outer extensions before verifying SNI so the verify
18824
     * pass sees the authoritative list */
18825
    if (ret == 0 && msgType == client_hello && isRequest &&
18826
            !ssl->options.echProcessingInner &&
18827
            ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) {
18828
        TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH);
18829
        WOLFSSL_ECH* ech = NULL;
18830
        if (echX != NULL)
18831
            ech = (WOLFSSL_ECH*)echX->data;
18832
18833
        if (ech != NULL) {
18834
            if (ech->state == ECH_WRITE_NONE && ech->innerClientHello != NULL) {
18835
                /* ECH accepted: use private extensions
18836
                 * return early, inner hello needs to be parsed before VERIFY */
18837
                return TLSX_EchReplaceExtensions(ssl, ssl->options.echAccepted);
18838
            }
18839
            else {
18840
                /* If ECH was accepted in CH1 then CH2 MUST contain an ECH
18841
                 * extension */
18842
                if (ssl->options.serverState ==
18843
                            SERVER_HELLO_RETRY_REQUEST_COMPLETE &&
18844
                        ssl->options.echAccepted) {
18845
                    WOLFSSL_MSG("Client did not send an EncryptedClientHello "
18846
                                "extension");
18847
                    WOLFSSL_ERROR_VERBOSE(INCOMPLETE_DATA);
18848
                    return INCOMPLETE_DATA;
18849
                }
18850
                /* Otherwise ECH rejected: use public extensions */
18851
                if (ech->state == ECH_WRITE_NONE ||
18852
                        ech->state == ECH_WRITE_RETRY_CONFIGS) {
18853
                    ret = TLSX_EchReplaceExtensions(ssl,
18854
                        ssl->options.echAccepted);
18855
                    if (ret == 0 && ech->state == ECH_WRITE_NONE) {
18856
                        echX->resp = 0;
18857
                    }
18858
                }
18859
            }
18860
        }
18861
    }
18862
#endif
18863
18864
0
    if (ret == 0)
18865
0
        ret = SNI_VERIFY_PARSE(ssl, isRequest);
18866
0
    if (ret == 0)
18867
0
        ret = TCA_VERIFY_PARSE(ssl, isRequest);
18868
18869
0
    WOLFSSL_LEAVE("Leaving TLSX_Parse", ret);
18870
0
    return ret;
18871
0
}
18872
18873
/* undefining semaphore macros */
18874
#undef IS_OFF
18875
#undef TURN_ON
18876
#undef SEMAPHORE_SIZE
18877
18878
#endif /* HAVE_TLS_EXTENSIONS */
18879
18880
#ifndef NO_WOLFSSL_CLIENT
18881
18882
    WOLFSSL_METHOD* wolfTLS_client_method(void)
18883
0
    {
18884
0
        return wolfTLS_client_method_ex(NULL);
18885
0
    }
18886
    WOLFSSL_METHOD* wolfTLS_client_method_ex(void* heap)
18887
0
    {
18888
0
        WOLFSSL_METHOD* method =
18889
0
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
18890
0
                                                     heap, DYNAMIC_TYPE_METHOD);
18891
0
        (void)heap;
18892
0
        WOLFSSL_ENTER("TLS_client_method_ex");
18893
0
        if (method) {
18894
0
        #if defined(WOLFSSL_TLS13)
18895
0
            InitSSL_Method(method, MakeTLSv1_3());
18896
        #elif !defined(WOLFSSL_NO_TLS12)
18897
            InitSSL_Method(method, MakeTLSv1_2());
18898
        #elif !defined(NO_OLD_TLS)
18899
            InitSSL_Method(method, MakeTLSv1_1());
18900
        #elif defined(WOLFSSL_ALLOW_TLSV10)
18901
            InitSSL_Method(method, MakeTLSv1());
18902
        #else
18903
        #error No TLS version enabled! Consider using NO_TLS or WOLFCRYPT_ONLY.
18904
        #endif
18905
18906
0
            method->downgrade = 1;
18907
0
            method->side      = WOLFSSL_CLIENT_END;
18908
0
        }
18909
0
        return method;
18910
0
    }
18911
18912
#ifndef NO_OLD_TLS
18913
    #ifdef WOLFSSL_ALLOW_TLSV10
18914
    WOLFSSL_METHOD* wolfTLSv1_client_method(void)
18915
    {
18916
        return wolfTLSv1_client_method_ex(NULL);
18917
    }
18918
    WOLFSSL_METHOD* wolfTLSv1_client_method_ex(void* heap)
18919
    {
18920
        WOLFSSL_METHOD* method =
18921
                             (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
18922
                                                     heap, DYNAMIC_TYPE_METHOD);
18923
        (void)heap;
18924
        WOLFSSL_ENTER("TLSv1_client_method_ex");
18925
        if (method)
18926
            InitSSL_Method(method, MakeTLSv1());
18927
        return method;
18928
    }
18929
    #endif /* WOLFSSL_ALLOW_TLSV10 */
18930
18931
    WOLFSSL_METHOD* wolfTLSv1_1_client_method(void)
18932
    {
18933
        return wolfTLSv1_1_client_method_ex(NULL);
18934
    }
18935
    WOLFSSL_METHOD* wolfTLSv1_1_client_method_ex(void* heap)
18936
    {
18937
        WOLFSSL_METHOD* method =
18938
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
18939
                                                     heap, DYNAMIC_TYPE_METHOD);
18940
        (void)heap;
18941
        WOLFSSL_ENTER("TLSv1_1_client_method_ex");
18942
        if (method)
18943
            InitSSL_Method(method, MakeTLSv1_1());
18944
        return method;
18945
    }
18946
#endif /* !NO_OLD_TLS */
18947
18948
#ifndef WOLFSSL_NO_TLS12
18949
    WOLFSSL_ABI
18950
    WOLFSSL_METHOD* wolfTLSv1_2_client_method(void)
18951
0
    {
18952
0
        return wolfTLSv1_2_client_method_ex(NULL);
18953
0
    }
18954
    WOLFSSL_METHOD* wolfTLSv1_2_client_method_ex(void* heap)
18955
0
    {
18956
0
        WOLFSSL_METHOD* method =
18957
0
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
18958
0
                                                     heap, DYNAMIC_TYPE_METHOD);
18959
0
        (void)heap;
18960
0
        WOLFSSL_ENTER("TLSv1_2_client_method_ex");
18961
0
        if (method)
18962
0
            InitSSL_Method(method, MakeTLSv1_2());
18963
0
        return method;
18964
0
    }
18965
#endif /* WOLFSSL_NO_TLS12 */
18966
18967
#ifdef WOLFSSL_TLS13
18968
    /* The TLS v1.3 client method data.
18969
     *
18970
     * returns the method data for a TLS v1.3 client.
18971
     */
18972
    WOLFSSL_ABI
18973
    WOLFSSL_METHOD* wolfTLSv1_3_client_method(void)
18974
0
    {
18975
0
        return wolfTLSv1_3_client_method_ex(NULL);
18976
0
    }
18977
18978
    /* The TLS v1.3 client method data.
18979
     *
18980
     * heap  The heap used for allocation.
18981
     * returns the method data for a TLS v1.3 client.
18982
     */
18983
    WOLFSSL_METHOD* wolfTLSv1_3_client_method_ex(void* heap)
18984
0
    {
18985
0
        WOLFSSL_METHOD* method = (WOLFSSL_METHOD*)
18986
0
                                 XMALLOC(sizeof(WOLFSSL_METHOD), heap,
18987
0
                                         DYNAMIC_TYPE_METHOD);
18988
0
        (void)heap;
18989
0
        WOLFSSL_ENTER("TLSv1_3_client_method_ex");
18990
0
        if (method)
18991
0
            InitSSL_Method(method, MakeTLSv1_3());
18992
0
        return method;
18993
0
    }
18994
#endif /* WOLFSSL_TLS13 */
18995
18996
#ifdef WOLFSSL_DTLS
18997
18998
    WOLFSSL_METHOD* wolfDTLS_client_method(void)
18999
    {
19000
        return wolfDTLS_client_method_ex(NULL);
19001
    }
19002
    WOLFSSL_METHOD* wolfDTLS_client_method_ex(void* heap)
19003
    {
19004
        WOLFSSL_METHOD* method =
19005
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19006
                                                     heap, DYNAMIC_TYPE_METHOD);
19007
        (void)heap;
19008
        WOLFSSL_ENTER("DTLS_client_method_ex");
19009
        if (method) {
19010
        #if defined(WOLFSSL_DTLS13)
19011
            InitSSL_Method(method, MakeDTLSv1_3());
19012
        #elif !defined(WOLFSSL_NO_TLS12)
19013
            InitSSL_Method(method, MakeDTLSv1_2());
19014
        #elif !defined(NO_OLD_TLS)
19015
            InitSSL_Method(method, MakeDTLSv1());
19016
        #else
19017
            #error No DTLS version enabled!
19018
        #endif
19019
19020
            method->downgrade = 1;
19021
            method->side      = WOLFSSL_CLIENT_END;
19022
        }
19023
        return method;
19024
    }
19025
19026
    #ifndef NO_OLD_TLS
19027
    WOLFSSL_METHOD* wolfDTLSv1_client_method(void)
19028
    {
19029
        return wolfDTLSv1_client_method_ex(NULL);
19030
    }
19031
    WOLFSSL_METHOD* wolfDTLSv1_client_method_ex(void* heap)
19032
    {
19033
        WOLFSSL_METHOD* method =
19034
                          (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19035
                                                 heap, DYNAMIC_TYPE_METHOD);
19036
        (void)heap;
19037
        WOLFSSL_ENTER("DTLSv1_client_method_ex");
19038
        if (method)
19039
            InitSSL_Method(method, MakeDTLSv1());
19040
        return method;
19041
    }
19042
    #endif  /* NO_OLD_TLS */
19043
19044
    #ifndef WOLFSSL_NO_TLS12
19045
    WOLFSSL_METHOD* wolfDTLSv1_2_client_method(void)
19046
    {
19047
        return wolfDTLSv1_2_client_method_ex(NULL);
19048
    }
19049
    WOLFSSL_METHOD* wolfDTLSv1_2_client_method_ex(void* heap)
19050
    {
19051
        WOLFSSL_METHOD* method =
19052
                          (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19053
                                                 heap, DYNAMIC_TYPE_METHOD);
19054
        (void)heap;
19055
        WOLFSSL_ENTER("DTLSv1_2_client_method_ex");
19056
        if (method)
19057
            InitSSL_Method(method, MakeDTLSv1_2());
19058
        (void)heap;
19059
        return method;
19060
    }
19061
    #endif /* !WOLFSSL_NO_TLS12 */
19062
#endif /* WOLFSSL_DTLS */
19063
19064
#endif /* NO_WOLFSSL_CLIENT */
19065
19066
19067
/* EITHER SIDE METHODS */
19068
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
19069
    #ifndef NO_OLD_TLS
19070
    #ifdef WOLFSSL_ALLOW_TLSV10
19071
    /* Gets a WOLFSSL_METHOD type that is not set as client or server
19072
     *
19073
     * Returns a pointer to a WOLFSSL_METHOD struct
19074
     */
19075
    WOLFSSL_METHOD* wolfTLSv1_method(void)
19076
    {
19077
        return wolfTLSv1_method_ex(NULL);
19078
    }
19079
    WOLFSSL_METHOD* wolfTLSv1_method_ex(void* heap)
19080
    {
19081
        WOLFSSL_METHOD* m;
19082
        WOLFSSL_ENTER("TLSv1_method");
19083
    #ifndef NO_WOLFSSL_CLIENT
19084
        m = wolfTLSv1_client_method_ex(heap);
19085
    #else
19086
        m = wolfTLSv1_server_method_ex(heap);
19087
    #endif
19088
        if (m != NULL) {
19089
            m->side = WOLFSSL_NEITHER_END;
19090
        }
19091
19092
        return m;
19093
    }
19094
    #endif /* WOLFSSL_ALLOW_TLSV10 */
19095
19096
    /* Gets a WOLFSSL_METHOD type that is not set as client or server
19097
     *
19098
     * Returns a pointer to a WOLFSSL_METHOD struct
19099
     */
19100
    WOLFSSL_METHOD* wolfTLSv1_1_method(void)
19101
    {
19102
        return wolfTLSv1_1_method_ex(NULL);
19103
    }
19104
    WOLFSSL_METHOD* wolfTLSv1_1_method_ex(void* heap)
19105
    {
19106
        WOLFSSL_METHOD* m;
19107
        WOLFSSL_ENTER("TLSv1_1_method");
19108
    #ifndef NO_WOLFSSL_CLIENT
19109
        m = wolfTLSv1_1_client_method_ex(heap);
19110
    #else
19111
        m = wolfTLSv1_1_server_method_ex(heap);
19112
    #endif
19113
        if (m != NULL) {
19114
            m->side = WOLFSSL_NEITHER_END;
19115
        }
19116
        return m;
19117
    }
19118
    #endif /* !NO_OLD_TLS */
19119
19120
    #ifndef WOLFSSL_NO_TLS12
19121
    /* Gets a WOLFSSL_METHOD type that is not set as client or server
19122
     *
19123
     * Returns a pointer to a WOLFSSL_METHOD struct
19124
     */
19125
    WOLFSSL_METHOD* wolfTLSv1_2_method(void)
19126
    {
19127
        return wolfTLSv1_2_method_ex(NULL);
19128
    }
19129
    WOLFSSL_METHOD* wolfTLSv1_2_method_ex(void* heap)
19130
    {
19131
        WOLFSSL_METHOD* m;
19132
        WOLFSSL_ENTER("TLSv1_2_method");
19133
    #ifndef NO_WOLFSSL_CLIENT
19134
        m = wolfTLSv1_2_client_method_ex(heap);
19135
    #else
19136
        m = wolfTLSv1_2_server_method_ex(heap);
19137
    #endif
19138
        if (m != NULL) {
19139
            m->side = WOLFSSL_NEITHER_END;
19140
        }
19141
        return m;
19142
    }
19143
    #endif /* !WOLFSSL_NO_TLS12 */
19144
19145
    #ifdef WOLFSSL_TLS13
19146
    /* Gets a WOLFSSL_METHOD type that is not set as client or server
19147
     *
19148
     * Returns a pointer to a WOLFSSL_METHOD struct
19149
     */
19150
    WOLFSSL_METHOD* wolfTLSv1_3_method(void)
19151
    {
19152
        return wolfTLSv1_3_method_ex(NULL);
19153
    }
19154
    WOLFSSL_METHOD* wolfTLSv1_3_method_ex(void* heap)
19155
    {
19156
        WOLFSSL_METHOD* m;
19157
        WOLFSSL_ENTER("TLSv1_3_method");
19158
    #ifndef NO_WOLFSSL_CLIENT
19159
        m = wolfTLSv1_3_client_method_ex(heap);
19160
    #else
19161
        m = wolfTLSv1_3_server_method_ex(heap);
19162
    #endif
19163
        if (m != NULL) {
19164
            m->side = WOLFSSL_NEITHER_END;
19165
        }
19166
        return m;
19167
    }
19168
    #endif /* WOLFSSL_TLS13 */
19169
19170
#ifdef WOLFSSL_DTLS
19171
    WOLFSSL_METHOD* wolfDTLS_method(void)
19172
    {
19173
        return wolfDTLS_method_ex(NULL);
19174
    }
19175
    WOLFSSL_METHOD* wolfDTLS_method_ex(void* heap)
19176
    {
19177
        WOLFSSL_METHOD* m;
19178
        WOLFSSL_ENTER("DTLS_method_ex");
19179
    #ifndef NO_WOLFSSL_CLIENT
19180
        m = wolfDTLS_client_method_ex(heap);
19181
    #else
19182
        m = wolfDTLS_server_method_ex(heap);
19183
    #endif
19184
        if (m != NULL) {
19185
            m->side = WOLFSSL_NEITHER_END;
19186
        }
19187
        return m;
19188
    }
19189
19190
    #ifndef NO_OLD_TLS
19191
    WOLFSSL_METHOD* wolfDTLSv1_method(void)
19192
    {
19193
        return wolfDTLSv1_method_ex(NULL);
19194
    }
19195
    WOLFSSL_METHOD* wolfDTLSv1_method_ex(void* heap)
19196
    {
19197
        WOLFSSL_METHOD* m;
19198
        WOLFSSL_ENTER("DTLSv1_method_ex");
19199
    #ifndef NO_WOLFSSL_CLIENT
19200
        m = wolfDTLSv1_client_method_ex(heap);
19201
    #else
19202
        m = wolfDTLSv1_server_method_ex(heap);
19203
    #endif
19204
        if (m != NULL) {
19205
            m->side = WOLFSSL_NEITHER_END;
19206
        }
19207
        return m;
19208
    }
19209
    #endif /* !NO_OLD_TLS */
19210
    #ifndef WOLFSSL_NO_TLS12
19211
    WOLFSSL_METHOD* wolfDTLSv1_2_method(void)
19212
    {
19213
        return wolfDTLSv1_2_method_ex(NULL);
19214
    }
19215
    WOLFSSL_METHOD* wolfDTLSv1_2_method_ex(void* heap)
19216
    {
19217
        WOLFSSL_METHOD* m;
19218
        WOLFSSL_ENTER("DTLSv1_2_method");
19219
    #ifndef NO_WOLFSSL_CLIENT
19220
        m = wolfDTLSv1_2_client_method_ex(heap);
19221
    #else
19222
        m = wolfDTLSv1_2_server_method_ex(heap);
19223
    #endif
19224
        if (m != NULL) {
19225
            m->side = WOLFSSL_NEITHER_END;
19226
        }
19227
        return m;
19228
    }
19229
    #endif /* !WOLFSSL_NO_TLS12 */
19230
    #ifdef WOLFSSL_DTLS13
19231
    WOLFSSL_METHOD* wolfDTLSv1_3_method(void)
19232
    {
19233
        return wolfDTLSv1_3_method_ex(NULL);
19234
    }
19235
    WOLFSSL_METHOD* wolfDTLSv1_3_method_ex(void* heap)
19236
    {
19237
        WOLFSSL_METHOD* m;
19238
        WOLFSSL_ENTER("DTLSv1_3_method");
19239
    #ifndef NO_WOLFSSL_CLIENT
19240
        m = wolfDTLSv1_3_client_method_ex(heap);
19241
    #else
19242
        m = wolfDTLSv1_3_server_method_ex(heap);
19243
    #endif
19244
        if (m != NULL) {
19245
            m->side = WOLFSSL_NEITHER_END;
19246
        }
19247
        return m;
19248
    }
19249
    #endif /* WOLFSSL_DTLS13 */
19250
#endif /* WOLFSSL_DTLS */
19251
#endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */
19252
19253
19254
#ifndef NO_WOLFSSL_SERVER
19255
19256
    WOLFSSL_METHOD* wolfTLS_server_method(void)
19257
0
    {
19258
0
        return wolfTLS_server_method_ex(NULL);
19259
0
    }
19260
19261
    WOLFSSL_METHOD* wolfTLS_server_method_ex(void* heap)
19262
0
    {
19263
0
        WOLFSSL_METHOD* method =
19264
0
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19265
0
                                                     heap, DYNAMIC_TYPE_METHOD);
19266
0
        (void)heap;
19267
0
        WOLFSSL_ENTER("TLS_server_method_ex");
19268
0
        if (method) {
19269
0
        #if defined(WOLFSSL_TLS13)
19270
0
            InitSSL_Method(method, MakeTLSv1_3());
19271
        #elif !defined(WOLFSSL_NO_TLS12)
19272
            InitSSL_Method(method, MakeTLSv1_2());
19273
        #elif !defined(NO_OLD_TLS)
19274
            InitSSL_Method(method, MakeTLSv1_1());
19275
        #elif defined(WOLFSSL_ALLOW_TLSV10)
19276
            InitSSL_Method(method, MakeTLSv1());
19277
        #else
19278
        #error No TLS version enabled! Consider using NO_TLS or WOLFCRYPT_ONLY.
19279
        #endif
19280
19281
0
            method->downgrade = 1;
19282
0
            method->side      = WOLFSSL_SERVER_END;
19283
0
        }
19284
0
        return method;
19285
0
    }
19286
19287
#ifndef NO_OLD_TLS
19288
    #ifdef WOLFSSL_ALLOW_TLSV10
19289
    WOLFSSL_METHOD* wolfTLSv1_server_method(void)
19290
    {
19291
        return wolfTLSv1_server_method_ex(NULL);
19292
    }
19293
    WOLFSSL_METHOD* wolfTLSv1_server_method_ex(void* heap)
19294
    {
19295
        WOLFSSL_METHOD* method =
19296
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19297
                                                     heap, DYNAMIC_TYPE_METHOD);
19298
        (void)heap;
19299
        WOLFSSL_ENTER("TLSv1_server_method_ex");
19300
        if (method) {
19301
            InitSSL_Method(method, MakeTLSv1());
19302
            method->side = WOLFSSL_SERVER_END;
19303
        }
19304
        return method;
19305
    }
19306
    #endif /* WOLFSSL_ALLOW_TLSV10 */
19307
19308
    WOLFSSL_METHOD* wolfTLSv1_1_server_method(void)
19309
    {
19310
        return wolfTLSv1_1_server_method_ex(NULL);
19311
    }
19312
    WOLFSSL_METHOD* wolfTLSv1_1_server_method_ex(void* heap)
19313
    {
19314
        WOLFSSL_METHOD* method =
19315
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19316
                                                     heap, DYNAMIC_TYPE_METHOD);
19317
        (void)heap;
19318
        WOLFSSL_ENTER("TLSv1_1_server_method_ex");
19319
        if (method) {
19320
            InitSSL_Method(method, MakeTLSv1_1());
19321
            method->side = WOLFSSL_SERVER_END;
19322
        }
19323
        return method;
19324
    }
19325
#endif /* !NO_OLD_TLS */
19326
19327
19328
#ifndef WOLFSSL_NO_TLS12
19329
    WOLFSSL_ABI
19330
    WOLFSSL_METHOD* wolfTLSv1_2_server_method(void)
19331
0
    {
19332
0
        return wolfTLSv1_2_server_method_ex(NULL);
19333
0
    }
19334
    WOLFSSL_METHOD* wolfTLSv1_2_server_method_ex(void* heap)
19335
0
    {
19336
0
        WOLFSSL_METHOD* method =
19337
0
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19338
0
                                                     heap, DYNAMIC_TYPE_METHOD);
19339
0
        (void)heap;
19340
0
        WOLFSSL_ENTER("TLSv1_2_server_method_ex");
19341
0
        if (method) {
19342
0
            InitSSL_Method(method, MakeTLSv1_2());
19343
0
            method->side = WOLFSSL_SERVER_END;
19344
0
        }
19345
0
        return method;
19346
0
    }
19347
#endif /* !WOLFSSL_NO_TLS12 */
19348
19349
#ifdef WOLFSSL_TLS13
19350
    /* The TLS v1.3 server method data.
19351
     *
19352
     * returns the method data for a TLS v1.3 server.
19353
     */
19354
    WOLFSSL_ABI
19355
    WOLFSSL_METHOD* wolfTLSv1_3_server_method(void)
19356
0
    {
19357
0
        return wolfTLSv1_3_server_method_ex(NULL);
19358
0
    }
19359
19360
    /* The TLS v1.3 server method data.
19361
     *
19362
     * heap  The heap used for allocation.
19363
     * returns the method data for a TLS v1.3 server.
19364
     */
19365
    WOLFSSL_METHOD* wolfTLSv1_3_server_method_ex(void* heap)
19366
0
    {
19367
0
        WOLFSSL_METHOD* method =
19368
0
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19369
0
                                                     heap, DYNAMIC_TYPE_METHOD);
19370
0
        (void)heap;
19371
0
        WOLFSSL_ENTER("TLSv1_3_server_method_ex");
19372
0
        if (method) {
19373
0
            InitSSL_Method(method, MakeTLSv1_3());
19374
0
            method->side = WOLFSSL_SERVER_END;
19375
0
        }
19376
0
        return method;
19377
0
    }
19378
#endif /* WOLFSSL_TLS13 */
19379
19380
#ifdef WOLFSSL_DTLS
19381
    WOLFSSL_METHOD* wolfDTLS_server_method(void)
19382
    {
19383
        return wolfDTLS_server_method_ex(NULL);
19384
    }
19385
    WOLFSSL_METHOD* wolfDTLS_server_method_ex(void* heap)
19386
    {
19387
        WOLFSSL_METHOD* method =
19388
                              (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19389
                                                     heap, DYNAMIC_TYPE_METHOD);
19390
        (void)heap;
19391
        WOLFSSL_ENTER("DTLS_server_method_ex");
19392
        if (method) {
19393
        #if defined(WOLFSSL_DTLS13)
19394
            InitSSL_Method(method, MakeDTLSv1_3());
19395
        #elif !defined(WOLFSSL_NO_TLS12)
19396
            InitSSL_Method(method, MakeDTLSv1_2());
19397
        #elif !defined(NO_OLD_TLS)
19398
            InitSSL_Method(method, MakeDTLSv1());
19399
        #else
19400
            #error No DTLS version enabled!
19401
        #endif
19402
19403
            method->downgrade = 1;
19404
            method->side      = WOLFSSL_SERVER_END;
19405
        }
19406
        return method;
19407
    }
19408
19409
    #ifndef NO_OLD_TLS
19410
    WOLFSSL_METHOD* wolfDTLSv1_server_method(void)
19411
    {
19412
        return wolfDTLSv1_server_method_ex(NULL);
19413
    }
19414
    WOLFSSL_METHOD* wolfDTLSv1_server_method_ex(void* heap)
19415
    {
19416
        WOLFSSL_METHOD* method =
19417
                          (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19418
                                                 heap, DYNAMIC_TYPE_METHOD);
19419
        (void)heap;
19420
        WOLFSSL_ENTER("DTLSv1_server_method_ex");
19421
        if (method) {
19422
            InitSSL_Method(method, MakeDTLSv1());
19423
            method->side = WOLFSSL_SERVER_END;
19424
        }
19425
        return method;
19426
    }
19427
    #endif /* !NO_OLD_TLS */
19428
19429
    #ifndef WOLFSSL_NO_TLS12
19430
    WOLFSSL_METHOD* wolfDTLSv1_2_server_method(void)
19431
    {
19432
        return wolfDTLSv1_2_server_method_ex(NULL);
19433
    }
19434
    WOLFSSL_METHOD* wolfDTLSv1_2_server_method_ex(void* heap)
19435
    {
19436
        WOLFSSL_METHOD* method =
19437
                          (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD),
19438
                                                 heap, DYNAMIC_TYPE_METHOD);
19439
        WOLFSSL_ENTER("DTLSv1_2_server_method_ex");
19440
        (void)heap;
19441
        if (method) {
19442
            InitSSL_Method(method, MakeDTLSv1_2());
19443
            method->side = WOLFSSL_SERVER_END;
19444
        }
19445
        (void)heap;
19446
        return method;
19447
    }
19448
    #endif /* !WOLFSSL_NO_TLS12 */
19449
#endif /* WOLFSSL_DTLS */
19450
19451
#endif /* NO_WOLFSSL_SERVER */
19452
19453
#endif /* NO_TLS */
19454
19455
#endif /* WOLFCRYPT_ONLY */