Line | Count | Source |
1 | | /* tls.c |
2 | | * |
3 | | * Copyright (C) 2006-2026 wolfSSL Inc. |
4 | | * |
5 | | * This file is part of wolfSSL. |
6 | | * |
7 | | * wolfSSL is free software; you can redistribute it and/or modify |
8 | | * it under the terms of the GNU General Public License as published by |
9 | | * the Free Software Foundation; either version 3 of the License, or |
10 | | * (at your option) any later version. |
11 | | * |
12 | | * wolfSSL is distributed in the hope that it will be useful, |
13 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
14 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
15 | | * GNU General Public License for more details. |
16 | | * |
17 | | * You should have received a copy of the GNU General Public License |
18 | | * along with this program; if not, write to the Free Software |
19 | | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA |
20 | | */ |
21 | | |
22 | | /* |
23 | | * TLS Build Options: |
24 | | * (See tls13.c for TLS 1.3-specific options) |
25 | | * |
26 | | * Protocol Control: |
27 | | * NO_OLD_TLS: Disable TLS 1.0 and 1.1 default: off |
28 | | * WOLFSSL_ALLOW_TLSV10: Allow TLS 1.0 connections default: off |
29 | | * WOLFSSL_NO_TLS12: Disable TLS 1.2 default: off |
30 | | * NO_TLS: Disable TLS entirely (SSL only) default: off |
31 | | * WOLFSSL_DTLS: Enable DTLS support default: off |
32 | | * WOLFSSL_DTLS13: Enable DTLS 1.3 support default: off |
33 | | * WOLFSSL_DTLS_CID: Enable DTLS Connection ID default: off |
34 | | * WOLFSSL_AEAD_ONLY: Only allow AEAD cipher suites default: off |
35 | | * NO_WOLFSSL_CLIENT: Disable TLS client functionality default: off |
36 | | * NO_WOLFSSL_SERVER: Disable TLS server functionality default: off |
37 | | * WOLFSSL_EITHER_SIDE: Allow same context for client/server default: off |
38 | | * HAVE_TLS_EXTENSIONS: Enable TLS extension support default: on |
39 | | * HAVE_SNI: Server Name Indication extension default: off |
40 | | * WOLFSSL_ALWAYS_KEEP_SNI: Keep SNI after handshake default: off |
41 | | * HAVE_MAX_FRAGMENT: Max Fragment Length extension default: off |
42 | | * HAVE_TRUNCATED_HMAC: Truncated HMAC extension default: off |
43 | | * HAVE_SUPPORTED_CURVES: Supported Curves extension default: on |
44 | | * HAVE_EXTENDED_MASTER: Extended Master Secret (RFC 7627) default: on |
45 | | * HAVE_ENCRYPT_THEN_MAC: Encrypt-Then-MAC extension default: on |
46 | | * HAVE_ALPN: Application-Layer Protocol Negotiation default: off |
47 | | * HAVE_CERTIFICATE_STATUS_REQUEST: OCSP stapling default: off |
48 | | * HAVE_CERTIFICATE_STATUS_REQUEST_V2: OCSP stapling v2 default: off |
49 | | * HAVE_SECURE_RENEGOTIATION: Secure renegotiation support default: off |
50 | | * HAVE_SERVER_RENEGOTIATION_INFO: Server renegotiation info default: off |
51 | | * HAVE_SESSION_TICKET: Session ticket support default: off |
52 | | * HAVE_TRUSTED_CA: Trusted CA Indication extension default: off |
53 | | * HAVE_RPK: Raw Public Key support (RFC 7250) default: off |
54 | | * HAVE_ECH: Encrypted Client Hello support default: off |
55 | | * WOLFSSL_NO_SIGALG: Disable signature algorithms ext default: off |
56 | | * WOLFSSL_NO_CA_NAMES: Disable CA Names in CertificateReq default: off |
57 | | * WOLFSSL_NO_SERVER_GROUPS_EXT: Don't send server groups ext default: off |
58 | | * NO_TLSX_PSKKEM_PLAIN_ANNOUNCE: Disable plain PSK announce default: off |
59 | | * WOLFSSL_OLD_UNSUPPORTED_EXTENSION: Old unsupported ext handling default: off |
60 | | * WOLFSSL_ALLOW_SERVER_SC_EXT: Allow server supported curves ext default: off |
61 | | * |
62 | | * Pre-Shared Keys: |
63 | | * NO_PSK: Disable PSK cipher suites default: off |
64 | | * |
65 | | * Key Exchange: |
66 | | * HAVE_FFDHE: Enable Finite Field DH ephemeral default: off |
67 | | * HAVE_FFDHE_2048: Enable FFDHE 2048-bit group default: off |
68 | | * HAVE_FFDHE_3072: Enable FFDHE 3072-bit group default: off |
69 | | * HAVE_FFDHE_4096: Enable FFDHE 4096-bit group default: off |
70 | | * HAVE_FFDHE_6144: Enable FFDHE 6144-bit group default: off |
71 | | * HAVE_FFDHE_8192: Enable FFDHE 8192-bit group default: off |
72 | | * HAVE_PUBLIC_FFDHE: Use public FFDHE parameters only default: off |
73 | | * WOLFSSL_OLD_PRIME_CHECK: Use old DH prime checking method default: off |
74 | | * WOLFSSL_STATIC_DH: Enable static DH cipher suites default: off |
75 | | * WOLFSSL_STATIC_EPHEMERAL: Enable static ephemeral key loading default: off |
76 | | * |
77 | | * Post-Quantum: |
78 | | * WOLFSSL_HAVE_MLKEM: Enable ML-KEM (Kyber) support default: off |
79 | | * WOLFSSL_MLKEM_KYBER: Use Kyber round 3 parameters default: off |
80 | | * WOLFSSL_KYBER512: Enable Kyber/ML-KEM-512 default: off |
81 | | * WOLFSSL_KYBER768: Enable Kyber/ML-KEM-768 default: off |
82 | | * WOLFSSL_KYBER1024: Enable Kyber/ML-KEM-1024 default: off |
83 | | * WOLFSSL_NO_ML_KEM: Disable all ML-KEM support default: off |
84 | | * WOLFSSL_NO_ML_KEM_512: Disable ML-KEM-512 default: off |
85 | | * WOLFSSL_NO_ML_KEM_768: Disable ML-KEM-768 default: off |
86 | | * WOLFSSL_NO_ML_KEM_1024: Disable ML-KEM-1024 default: off |
87 | | * WOLFSSL_ML_KEM_USE_OLD_IDS: Use old IANA IDs for ML-KEM default: off |
88 | | * WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ: Store ML-KEM object in ext default: off |
89 | | * WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY: Store ML-KEM priv key default: off |
90 | | * WOLFSSL_MLKEM_CACHE_A: Cache ML-KEM A matrix default: off |
91 | | * WOLFSSL_MLKEM_NO_MAKE_KEY: Disable ML-KEM key generation default: off |
92 | | * WOLFSSL_MLKEM_NO_ENCAPSULATE: Disable ML-KEM encapsulation default: off |
93 | | * WOLFSSL_MLKEM_NO_DECAPSULATE: Disable ML-KEM decapsulation default: off |
94 | | * HAVE_LIBOQS: Use liboqs for PQ algorithms default: off |
95 | | * |
96 | | * Curves: |
97 | | * HAVE_SECRET_CALLBACK: Enable TLS secret callback default: off |
98 | | * HAVE_PK_CALLBACKS: Enable public key callbacks default: off |
99 | | * HAVE_FUZZER: Enable fuzzing callback support default: off |
100 | | * |
101 | | * Features: |
102 | | * WOLFSSL_SNIFFER: Enable TLS packet sniffing support default: off |
103 | | * WOLFSSL_SNIFFER_KEYLOGFILE: Sniffer keylog file support default: off |
104 | | * WOLFSSL_SSLKEYLOGFILE: Enable SSL key log file output default: off |
105 | | * WOLFSSL_SRTP: Enable SRTP extension support default: off |
106 | | * WOLFSSL_DUAL_ALG_CERTS: Enable dual algorithm certificates default: off |
107 | | * WOLFSSL_HAVE_PRF: Enable TLS PRF function access default: off |
108 | | * WOLFSSL_DEBUG_TLS: Debug TLS protocol messages default: off |
109 | | * WOLFSSL_32BIT_MILLI_TIME: 32-bit millisecond time function default: off |
110 | | * WOLFSSL_REQUIRE_TCA: Require Trusted CA extension default: off |
111 | | * WOLFSSL_DH_EXTRA: Extra DH key info in SSL object default: off |
112 | | * WOLFSSL_CURVE25519_BLINDING: Curve25519 blinding in TLS default: off |
113 | | * HAVE_NULL_CIPHER: Allow NULL cipher suites default: off |
114 | | * HAVE_WEBSERVER: Enable web server features default: off |
115 | | * NO_CERTS: Disable certificate processing default: off |
116 | | */ |
117 | | |
118 | | #include <wolfssl/wolfcrypt/libwolfssl_sources.h> |
119 | | |
120 | | #ifndef WOLFCRYPT_ONLY |
121 | | |
122 | | #include <wolfssl/ssl.h> |
123 | | #include <wolfssl/internal.h> |
124 | | #include <wolfssl/error-ssl.h> |
125 | | #include <wolfssl/wolfcrypt/hash.h> |
126 | | #include <wolfssl/wolfcrypt/hmac.h> |
127 | | #include <wolfssl/wolfcrypt/kdf.h> |
128 | | #ifdef NO_INLINE |
129 | | #include <wolfssl/wolfcrypt/misc.h> |
130 | | #else |
131 | | #define WOLFSSL_MISC_INCLUDED |
132 | | #include <wolfcrypt/src/misc.c> |
133 | | #endif |
134 | | |
135 | | #ifdef HAVE_CURVE25519 |
136 | | #include <wolfssl/wolfcrypt/curve25519.h> |
137 | | #endif |
138 | | #ifdef HAVE_CURVE448 |
139 | | #include <wolfssl/wolfcrypt/curve448.h> |
140 | | #endif |
141 | | #ifdef WOLFSSL_HAVE_MLKEM |
142 | | #include <wolfssl/wolfcrypt/wc_mlkem.h> |
143 | | #endif |
144 | | |
145 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
146 | | #include <wolfssl/wolfcrypt/port/Renesas/renesas_tsip_internal.h> |
147 | | #endif |
148 | | |
149 | | #include <wolfssl/wolfcrypt/hpke.h> |
150 | | |
151 | | #ifndef NO_TLS |
152 | | |
153 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES) |
154 | | static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap); |
155 | | #endif |
156 | | |
157 | | #ifdef HAVE_SUPPORTED_CURVES |
158 | | static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions); |
159 | | #endif |
160 | | |
161 | | /* Digest enable checks */ |
162 | | #ifdef NO_OLD_TLS /* TLS 1.2 only */ |
163 | | #if defined(NO_SHA256) && !defined(WOLFSSL_SHA384) && \ |
164 | | !defined(WOLFSSL_SHA512) |
165 | | #error Must have SHA256, SHA384 or SHA512 enabled for TLS 1.2 |
166 | | #endif |
167 | | #else /* TLS 1.1 or older */ |
168 | | #if defined(NO_MD5) && defined(NO_SHA) |
169 | | #error Must have SHA1 and MD5 enabled for old TLS |
170 | | #endif |
171 | | #endif |
172 | | |
173 | | #ifdef WOLFSSL_TLS13 |
174 | | #if !defined(NO_DH) && \ |
175 | | !defined(HAVE_FFDHE_2048) && !defined(HAVE_FFDHE_3072) && \ |
176 | | !defined(HAVE_FFDHE_4096) && !defined(HAVE_FFDHE_6144) && \ |
177 | | !defined(HAVE_FFDHE_8192) |
178 | | #error Please configure your TLS 1.3 DH key size using either: HAVE_FFDHE_2048, HAVE_FFDHE_3072, HAVE_FFDHE_4096, HAVE_FFDHE_6144 or HAVE_FFDHE_8192 |
179 | | #endif |
180 | | #if !defined(NO_RSA) && !defined(WC_RSA_PSS) |
181 | | #error The build option WC_RSA_PSS is required for TLS 1.3 with RSA |
182 | | #endif |
183 | | #ifndef HAVE_TLS_EXTENSIONS |
184 | | #if !defined(_MSC_VER) && !defined(__TASKING__) |
185 | | #error "The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3" |
186 | | #else |
187 | | #pragma message("Error: The build option HAVE_TLS_EXTENSIONS is required for TLS 1.3") |
188 | | #endif |
189 | | #endif |
190 | | #endif |
191 | | |
192 | | /* Warn if secrets logging is enabled */ |
193 | | #if (defined(SHOW_SECRETS) || defined(WOLFSSL_SSLKEYLOGFILE)) && \ |
194 | | !defined(WOLFSSL_KEYLOG_EXPORT_WARNED) |
195 | | #if !defined(_MSC_VER) && !defined(__TASKING__) |
196 | | #warning The SHOW_SECRETS and WOLFSSL_SSLKEYLOGFILE options should only be used for debugging and never in a production environment |
197 | | #else |
198 | | #pragma message("Warning: The SHOW_SECRETS and WOLFSSL_SSLKEYLOGFILE options should only be used for debugging and never in a production environment") |
199 | | #endif |
200 | | #endif |
201 | | |
202 | | #ifndef WOLFSSL_NO_TLS12 |
203 | | |
204 | | #ifdef WOLFSSL_SHA384 |
205 | 0 | #define HSHASH_SZ WC_SHA384_DIGEST_SIZE |
206 | | #else |
207 | | #define HSHASH_SZ FINISHED_SZ |
208 | | #endif |
209 | | |
210 | | int BuildTlsHandshakeHash(WOLFSSL* ssl, byte* hash, word32* hashLen) |
211 | 0 | { |
212 | 0 | int ret = 0; |
213 | 0 | word32 hashSz = FINISHED_SZ; |
214 | |
|
215 | 0 | if (ssl == NULL || hash == NULL || hashLen == NULL || *hashLen < HSHASH_SZ) |
216 | 0 | return BAD_FUNC_ARG; |
217 | | |
218 | | /* for constant timing perform these even if error */ |
219 | | #ifndef NO_OLD_TLS |
220 | | ret |= wc_Md5GetHash(&ssl->hsHashes->hashMd5, hash); |
221 | | ret |= wc_ShaGetHash(&ssl->hsHashes->hashSha, &hash[WC_MD5_DIGEST_SIZE]); |
222 | | #endif |
223 | | |
224 | 0 | if (IsAtLeastTLSv1_2(ssl)) { |
225 | 0 | #ifndef NO_SHA256 |
226 | 0 | if (ssl->specs.mac_algorithm <= sha256_mac || |
227 | 0 | ssl->specs.mac_algorithm == blake2b_mac) { |
228 | 0 | ret |= wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash); |
229 | 0 | hashSz = WC_SHA256_DIGEST_SIZE; |
230 | 0 | } |
231 | 0 | #endif |
232 | 0 | #ifdef WOLFSSL_SHA384 |
233 | 0 | if (ssl->specs.mac_algorithm == sha384_mac) { |
234 | 0 | ret |= wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash); |
235 | 0 | hashSz = WC_SHA384_DIGEST_SIZE; |
236 | 0 | } |
237 | 0 | #endif |
238 | | #ifdef WOLFSSL_SM3 |
239 | | if (ssl->specs.mac_algorithm == sm3_mac) { |
240 | | ret |= wc_Sm3GetHash(&ssl->hsHashes->hashSm3, hash); |
241 | | hashSz = WC_SM3_DIGEST_SIZE; |
242 | | } |
243 | | #endif |
244 | 0 | } |
245 | |
|
246 | 0 | *hashLen = hashSz; |
247 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
248 | | wc_MemZero_Add("TLS handshake hash", hash, hashSz); |
249 | | #endif |
250 | |
|
251 | 0 | if (ret != 0) { |
252 | 0 | ret = BUILD_MSG_ERROR; |
253 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
254 | 0 | } |
255 | |
|
256 | 0 | return ret; |
257 | 0 | } |
258 | | |
259 | | |
260 | | int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender) |
261 | 0 | { |
262 | 0 | int ret; |
263 | 0 | const byte* side = NULL; |
264 | 0 | word32 hashSz = HSHASH_SZ; |
265 | 0 | #if !defined(WOLFSSL_ASYNC_CRYPT) || defined(WC_ASYNC_NO_HASH) |
266 | 0 | byte handshake_hash[HSHASH_SZ]; |
267 | | #else |
268 | | byte* handshake_hash = NULL; |
269 | | handshake_hash = (byte*)XMALLOC(HSHASH_SZ, ssl->heap, DYNAMIC_TYPE_DIGEST); |
270 | | if (handshake_hash == NULL) |
271 | | return MEMORY_E; |
272 | | #endif |
273 | |
|
274 | 0 | XMEMSET(handshake_hash, 0, HSHASH_SZ); |
275 | 0 | ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz); |
276 | 0 | if (ret == 0) { |
277 | 0 | if (XSTRNCMP((const char*)sender, (const char*)kTlsClientStr, |
278 | 0 | SIZEOF_SENDER) == 0) { |
279 | 0 | side = kTlsClientFinStr; |
280 | 0 | } |
281 | 0 | else if (XSTRNCMP((const char*)sender, (const char*)kTlsServerStr, |
282 | 0 | SIZEOF_SENDER) == 0) { |
283 | 0 | side = kTlsServerFinStr; |
284 | 0 | } |
285 | 0 | else { |
286 | 0 | ret = BAD_FUNC_ARG; |
287 | 0 | WOLFSSL_MSG("Unexpected sender value"); |
288 | 0 | } |
289 | 0 | } |
290 | |
|
291 | 0 | if (ret == 0) { |
292 | 0 | #ifdef WOLFSSL_HAVE_PRF |
293 | | #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) |
294 | | if (ssl->ctx->TlsFinishedCb) { |
295 | | void* ctx = wolfSSL_GetTlsFinishedCtx(ssl); |
296 | | ret = ssl->ctx->TlsFinishedCb(ssl, side, handshake_hash, hashSz, |
297 | | (byte*)hashes, ctx); |
298 | | } |
299 | | if (!ssl->ctx->TlsFinishedCb || |
300 | | ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE)) |
301 | | #endif |
302 | 0 | { |
303 | 0 | PRIVATE_KEY_UNLOCK(); |
304 | 0 | ret = wc_PRF_TLS((byte*)hashes, TLS_FINISHED_SZ, |
305 | 0 | ssl->arrays->masterSecret, SECRET_LEN, side, |
306 | 0 | FINISHED_LABEL_SZ, handshake_hash, hashSz, |
307 | 0 | IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, |
308 | 0 | ssl->heap, ssl->devId); |
309 | 0 | PRIVATE_KEY_LOCK(); |
310 | 0 | } |
311 | 0 | ForceZero(handshake_hash, hashSz); |
312 | | #else |
313 | | /* Pseudo random function must be enabled in the configuration. */ |
314 | | ret = PRF_MISSING; |
315 | | WOLFSSL_ERROR_VERBOSE(ret); |
316 | | WOLFSSL_MSG("Pseudo-random function is not enabled"); |
317 | | |
318 | | (void)side; |
319 | | (void)hashes; |
320 | | #endif |
321 | 0 | } |
322 | |
|
323 | | #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH) |
324 | | XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_DIGEST); |
325 | | #elif defined(WOLFSSL_CHECK_MEM_ZERO) |
326 | | wc_MemZero_Check(handshake_hash, HSHASH_SZ); |
327 | | #endif |
328 | |
|
329 | 0 | return ret; |
330 | 0 | } |
331 | | |
332 | | #endif /* !WOLFSSL_NO_TLS12 */ |
333 | | |
334 | | #ifndef NO_OLD_TLS |
335 | | |
336 | | #ifdef WOLFSSL_ALLOW_TLSV10 |
337 | | ProtocolVersion MakeTLSv1(void) |
338 | | { |
339 | | ProtocolVersion pv; |
340 | | pv.major = SSLv3_MAJOR; |
341 | | pv.minor = TLSv1_MINOR; |
342 | | |
343 | | return pv; |
344 | | } |
345 | | #endif /* WOLFSSL_ALLOW_TLSV10 */ |
346 | | |
347 | | |
348 | | ProtocolVersion MakeTLSv1_1(void) |
349 | | { |
350 | | ProtocolVersion pv; |
351 | | pv.major = SSLv3_MAJOR; |
352 | | pv.minor = TLSv1_1_MINOR; |
353 | | |
354 | | return pv; |
355 | | } |
356 | | |
357 | | #endif /* !NO_OLD_TLS */ |
358 | | |
359 | | |
360 | | #ifndef WOLFSSL_NO_TLS12 |
361 | | |
362 | | ProtocolVersion MakeTLSv1_2(void) |
363 | 0 | { |
364 | 0 | ProtocolVersion pv; |
365 | 0 | pv.major = SSLv3_MAJOR; |
366 | 0 | pv.minor = TLSv1_2_MINOR; |
367 | |
|
368 | 0 | return pv; |
369 | 0 | } |
370 | | |
371 | | #endif /* !WOLFSSL_NO_TLS12 */ |
372 | | |
373 | | #ifdef WOLFSSL_TLS13 |
374 | | /* The TLS v1.3 protocol version. |
375 | | * |
376 | | * returns the protocol version data for TLS v1.3. |
377 | | */ |
378 | | ProtocolVersion MakeTLSv1_3(void) |
379 | 0 | { |
380 | 0 | ProtocolVersion pv; |
381 | 0 | pv.major = SSLv3_MAJOR; |
382 | 0 | pv.minor = TLSv1_3_MINOR; |
383 | |
|
384 | 0 | return pv; |
385 | 0 | } |
386 | | #endif |
387 | | |
388 | | #if defined(HAVE_SUPPORTED_CURVES) |
389 | | /* Sets the key exchange groups in rank order on a context. |
390 | | * |
391 | | * ctx SSL/TLS context object. |
392 | | * groups Array of groups. |
393 | | * count Number of groups in array. |
394 | | * returns BAD_FUNC_ARG when ctx or groups is NULL, not using TLS v1.3, count is |
395 | | * not positive or count is greater than WOLFSSL_MAX_GROUP_COUNT and |
396 | | * WOLFSSL_SUCCESS on success. |
397 | | */ |
398 | | int wolfSSL_CTX_set_groups(WOLFSSL_CTX* ctx, int* groups, int count) |
399 | 0 | { |
400 | 0 | int ret, i; |
401 | |
|
402 | 0 | WOLFSSL_ENTER("wolfSSL_CTX_set_groups"); |
403 | 0 | if (ctx == NULL || groups == NULL || count <= 0 || |
404 | 0 | count > WOLFSSL_MAX_GROUP_COUNT) |
405 | 0 | return BAD_FUNC_ARG; |
406 | 0 | if (!IsTLS_ex(ctx->method->version)) |
407 | 0 | return BAD_FUNC_ARG; |
408 | | |
409 | 0 | #ifdef WOLFSSL_TLS13 |
410 | 0 | ctx->numGroups = 0; |
411 | 0 | #endif |
412 | 0 | #if !defined(NO_TLS) |
413 | 0 | TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); |
414 | 0 | #endif /* !NO_TLS */ |
415 | 0 | for (i = 0; i < count; i++) { |
416 | | /* Call to wolfSSL_CTX_UseSupportedCurve also checks if input groups |
417 | | * are valid */ |
418 | 0 | if ((ret = wolfSSL_CTX_UseSupportedCurve(ctx, (word16)groups[i])) |
419 | 0 | != WOLFSSL_SUCCESS) { |
420 | 0 | #if !defined(NO_TLS) |
421 | 0 | TLSX_Remove(&ctx->extensions, TLSX_SUPPORTED_GROUPS, ctx->heap); |
422 | 0 | #endif /* !NO_TLS */ |
423 | 0 | return ret; |
424 | 0 | } |
425 | 0 | #ifdef WOLFSSL_TLS13 |
426 | 0 | ctx->group[i] = (word16)groups[i]; |
427 | 0 | #endif |
428 | 0 | } |
429 | 0 | #ifdef WOLFSSL_TLS13 |
430 | 0 | ctx->numGroups = (byte)count; |
431 | 0 | #endif |
432 | |
|
433 | 0 | return WOLFSSL_SUCCESS; |
434 | 0 | } |
435 | | |
436 | | /* Sets the key exchange groups in rank order. |
437 | | * |
438 | | * ssl SSL/TLS object. |
439 | | * groups Array of groups. |
440 | | * count Number of groups in array. |
441 | | * returns BAD_FUNC_ARG when ssl or groups is NULL, not using TLS v1.3, count is |
442 | | * not positive or count is greater than WOLFSSL_MAX_GROUP_COUNT and |
443 | | * WOLFSSL_SUCCESS on success. |
444 | | */ |
445 | | int wolfSSL_set_groups(WOLFSSL* ssl, int* groups, int count) |
446 | 0 | { |
447 | 0 | int ret, i; |
448 | |
|
449 | 0 | WOLFSSL_ENTER("wolfSSL_set_groups"); |
450 | 0 | if (ssl == NULL || groups == NULL || count <= 0 || |
451 | 0 | count > WOLFSSL_MAX_GROUP_COUNT) |
452 | 0 | return BAD_FUNC_ARG; |
453 | 0 | if (!IsTLS_ex(ssl->version)) |
454 | 0 | return BAD_FUNC_ARG; |
455 | | |
456 | 0 | #ifdef WOLFSSL_TLS13 |
457 | 0 | ssl->numGroups = 0; |
458 | 0 | #endif |
459 | 0 | #if !defined(NO_TLS) |
460 | 0 | TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); |
461 | 0 | #endif /* !NO_TLS */ |
462 | 0 | for (i = 0; i < count; i++) { |
463 | | /* Call to wolfSSL_UseSupportedCurve also checks if input groups |
464 | | * are valid */ |
465 | 0 | if ((ret = wolfSSL_UseSupportedCurve(ssl, (word16)groups[i])) |
466 | 0 | != WOLFSSL_SUCCESS) { |
467 | 0 | #if !defined(NO_TLS) |
468 | 0 | TLSX_Remove(&ssl->extensions, TLSX_SUPPORTED_GROUPS, ssl->heap); |
469 | 0 | #endif /* !NO_TLS */ |
470 | 0 | return ret; |
471 | 0 | } |
472 | 0 | #ifdef WOLFSSL_TLS13 |
473 | 0 | ssl->group[i] = (word16)groups[i]; |
474 | 0 | #endif |
475 | 0 | } |
476 | 0 | #ifdef WOLFSSL_TLS13 |
477 | 0 | ssl->numGroups = (byte)count; |
478 | 0 | #endif |
479 | |
|
480 | 0 | return WOLFSSL_SUCCESS; |
481 | 0 | } |
482 | | #endif /* HAVE_SUPPORTED_CURVES */ |
483 | | |
484 | | #ifndef WOLFSSL_NO_TLS12 |
485 | | |
486 | | #ifdef HAVE_EXTENDED_MASTER |
487 | | static const byte ext_master_label[EXT_MASTER_LABEL_SZ + 1] = |
488 | | "extended master secret"; |
489 | | #endif |
490 | | static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret"; |
491 | | static const byte key_label [KEY_LABEL_SZ + 1] = "key expansion"; |
492 | | |
493 | | static int _DeriveTlsKeys(byte* key_dig, word32 key_dig_len, |
494 | | const byte* ms, word32 msLen, |
495 | | const byte* sr, const byte* cr, |
496 | | int tls1_2, int hash_type, |
497 | | void* heap, int devId) |
498 | 0 | { |
499 | 0 | int ret; |
500 | | #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH) |
501 | | byte* seed = NULL; |
502 | | seed = (byte*)XMALLOC(SEED_LEN, heap, DYNAMIC_TYPE_SEED); |
503 | | if (seed == NULL) |
504 | | return MEMORY_E; |
505 | | #else |
506 | 0 | byte seed[SEED_LEN]; |
507 | 0 | #endif |
508 | |
|
509 | 0 | XMEMCPY(seed, sr, RAN_LEN); |
510 | 0 | XMEMCPY(seed + RAN_LEN, cr, RAN_LEN); |
511 | |
|
512 | 0 | #ifdef WOLFSSL_HAVE_PRF |
513 | 0 | PRIVATE_KEY_UNLOCK(); |
514 | 0 | ret = wc_PRF_TLS(key_dig, key_dig_len, ms, msLen, key_label, KEY_LABEL_SZ, |
515 | 0 | seed, SEED_LEN, tls1_2, hash_type, heap, devId); |
516 | 0 | PRIVATE_KEY_LOCK(); |
517 | | #else |
518 | | /* Pseudo random function must be enabled in the configuration. */ |
519 | | ret = PRF_MISSING; |
520 | | WOLFSSL_ERROR_VERBOSE(ret); |
521 | | WOLFSSL_MSG("Pseudo-random function is not enabled"); |
522 | | |
523 | | (void)key_dig; |
524 | | (void)key_dig_len; |
525 | | (void)ms; |
526 | | (void)msLen; |
527 | | (void)tls1_2; |
528 | | (void)hash_type; |
529 | | (void)heap; |
530 | | (void)devId; |
531 | | (void)key_label; |
532 | | (void)master_label; |
533 | | #ifdef HAVE_EXTENDED_MASTER |
534 | | (void)ext_master_label; |
535 | | #endif |
536 | | #endif |
537 | |
|
538 | | #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH) |
539 | | XFREE(seed, heap, DYNAMIC_TYPE_SEED); |
540 | | #endif |
541 | |
|
542 | 0 | return ret; |
543 | 0 | } |
544 | | |
545 | | /* External facing wrapper so user can call as well, 0 on success */ |
546 | | int wolfSSL_DeriveTlsKeys(byte* key_data, word32 keyLen, |
547 | | const byte* ms, word32 msLen, |
548 | | const byte* sr, const byte* cr, |
549 | | int tls1_2, int hash_type) |
550 | 0 | { |
551 | 0 | return _DeriveTlsKeys(key_data, keyLen, ms, msLen, sr, cr, tls1_2, |
552 | 0 | hash_type, NULL, INVALID_DEVID); |
553 | 0 | } |
554 | | |
555 | | |
556 | | int DeriveTlsKeys(WOLFSSL* ssl) |
557 | 0 | { |
558 | 0 | int ret; |
559 | 0 | int key_dig_len = 2 * ssl->specs.hash_size + |
560 | 0 | 2 * ssl->specs.key_size + |
561 | 0 | 2 * ssl->specs.iv_size; |
562 | 0 | WC_DECLARE_VAR(key_dig, byte, MAX_PRF_DIG, 0); |
563 | |
|
564 | 0 | WC_ALLOC_VAR_EX(key_dig, byte, MAX_PRF_DIG, ssl->heap, |
565 | 0 | DYNAMIC_TYPE_DIGEST, return MEMORY_E); |
566 | |
|
567 | 0 | XMEMSET(key_dig, 0, MAX_PRF_DIG); |
568 | |
|
569 | | #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) |
570 | | ret = PROTOCOLCB_UNAVAILABLE; |
571 | | if (ssl->ctx->GenSessionKeyCb) { |
572 | | void* ctx = wolfSSL_GetGenSessionKeyCtx(ssl); |
573 | | ret = ssl->ctx->GenSessionKeyCb(ssl, ctx); |
574 | | } |
575 | | if (!ssl->ctx->GenSessionKeyCb || |
576 | | ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE)) |
577 | | #endif |
578 | 0 | ret = _DeriveTlsKeys(key_dig, (word32)key_dig_len, |
579 | 0 | ssl->arrays->masterSecret, SECRET_LEN, |
580 | 0 | ssl->arrays->serverRandom, ssl->arrays->clientRandom, |
581 | 0 | IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, |
582 | 0 | ssl->heap, ssl->devId); |
583 | 0 | if (ret == 0) |
584 | 0 | ret = StoreKeys(ssl, key_dig, PROVISION_CLIENT_SERVER); |
585 | |
|
586 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
587 | | wc_MemZero_Add("DeriveTlsKeys key_dig", key_dig, MAX_PRF_DIG); |
588 | | #endif |
589 | 0 | ForceZero(key_dig, MAX_PRF_DIG); |
590 | | #ifdef WOLFSSL_CHECK_MEM_ZERO |
591 | | wc_MemZero_Check(key_dig, MAX_PRF_DIG); |
592 | | #endif |
593 | |
|
594 | 0 | WC_FREE_VAR_EX(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST); |
595 | |
|
596 | 0 | return ret; |
597 | 0 | } |
598 | | |
599 | | static int _MakeTlsMasterSecret(byte* ms, word32 msLen, |
600 | | const byte* pms, word32 pmsLen, |
601 | | const byte* cr, const byte* sr, |
602 | | int tls1_2, int hash_type, |
603 | | void* heap, int devId) |
604 | 0 | { |
605 | 0 | int ret; |
606 | 0 | #if !defined(WOLFSSL_ASYNC_CRYPT) || defined(WC_ASYNC_NO_HASH) |
607 | 0 | byte seed[SEED_LEN]; |
608 | | #else |
609 | | byte* seed = NULL; |
610 | | seed = (byte*)XMALLOC(SEED_LEN, heap, DYNAMIC_TYPE_SEED); |
611 | | if (seed == NULL) |
612 | | return MEMORY_E; |
613 | | #endif |
614 | |
|
615 | 0 | XMEMCPY(seed, cr, RAN_LEN); |
616 | 0 | XMEMCPY(seed + RAN_LEN, sr, RAN_LEN); |
617 | |
|
618 | 0 | #ifdef WOLFSSL_HAVE_PRF |
619 | 0 | PRIVATE_KEY_UNLOCK(); |
620 | 0 | ret = wc_PRF_TLS(ms, msLen, pms, pmsLen, master_label, MASTER_LABEL_SZ, |
621 | 0 | seed, SEED_LEN, tls1_2, hash_type, heap, devId); |
622 | 0 | PRIVATE_KEY_LOCK(); |
623 | | #else |
624 | | /* Pseudo random function must be enabled in the configuration. */ |
625 | | ret = PRF_MISSING; |
626 | | WOLFSSL_MSG("Pseudo-random function is not enabled"); |
627 | | |
628 | | (void)ms; |
629 | | (void)msLen; |
630 | | (void)pms; |
631 | | (void)pmsLen; |
632 | | (void)tls1_2; |
633 | | (void)hash_type; |
634 | | (void)heap; |
635 | | (void)devId; |
636 | | #endif |
637 | |
|
638 | | #if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WC_ASYNC_NO_HASH) |
639 | | XFREE(seed, heap, DYNAMIC_TYPE_SEED); |
640 | | #endif |
641 | |
|
642 | 0 | return ret; |
643 | 0 | } |
644 | | |
645 | | /* External facing wrapper so user can call as well, 0 on success */ |
646 | | int wolfSSL_MakeTlsMasterSecret(byte* ms, word32 msLen, |
647 | | const byte* pms, word32 pmsLen, |
648 | | const byte* cr, const byte* sr, |
649 | | int tls1_2, int hash_type) |
650 | 0 | { |
651 | 0 | return _MakeTlsMasterSecret(ms, msLen, pms, pmsLen, cr, sr, tls1_2, |
652 | 0 | hash_type, NULL, INVALID_DEVID); |
653 | 0 | } |
654 | | |
655 | | |
656 | | #ifdef HAVE_EXTENDED_MASTER |
657 | | |
658 | | static int _MakeTlsExtendedMasterSecret(byte* ms, word32 msLen, |
659 | | const byte* pms, word32 pmsLen, |
660 | | const byte* sHash, word32 sHashLen, |
661 | | int tls1_2, int hash_type, |
662 | | void* heap, int devId) |
663 | 0 | { |
664 | 0 | int ret; |
665 | |
|
666 | 0 | #ifdef WOLFSSL_HAVE_PRF |
667 | 0 | PRIVATE_KEY_UNLOCK(); |
668 | 0 | ret = wc_PRF_TLS(ms, msLen, pms, pmsLen, ext_master_label, EXT_MASTER_LABEL_SZ, |
669 | 0 | sHash, sHashLen, tls1_2, hash_type, heap, devId); |
670 | 0 | PRIVATE_KEY_LOCK(); |
671 | | #else |
672 | | /* Pseudo random function must be enabled in the configuration. */ |
673 | | ret = PRF_MISSING; |
674 | | WOLFSSL_MSG("Pseudo-random function is not enabled"); |
675 | | |
676 | | (void)ms; |
677 | | (void)msLen; |
678 | | (void)pms; |
679 | | (void)pmsLen; |
680 | | (void)sHash; |
681 | | (void)sHashLen; |
682 | | (void)tls1_2; |
683 | | (void)hash_type; |
684 | | (void)heap; |
685 | | (void)devId; |
686 | | #endif |
687 | 0 | return ret; |
688 | 0 | } |
689 | | |
690 | | /* External facing wrapper so user can call as well, 0 on success */ |
691 | | int wolfSSL_MakeTlsExtendedMasterSecret(byte* ms, word32 msLen, |
692 | | const byte* pms, word32 pmsLen, |
693 | | const byte* sHash, word32 sHashLen, |
694 | | int tls1_2, int hash_type) |
695 | 0 | { |
696 | 0 | return _MakeTlsExtendedMasterSecret(ms, msLen, pms, pmsLen, sHash, sHashLen, |
697 | 0 | tls1_2, hash_type, NULL, INVALID_DEVID); |
698 | 0 | } |
699 | | |
700 | | #endif /* HAVE_EXTENDED_MASTER */ |
701 | | |
702 | | |
703 | | int MakeTlsMasterSecret(WOLFSSL* ssl) |
704 | 0 | { |
705 | 0 | int ret; |
706 | |
|
707 | | #if defined(WOLFSSL_SNIFFER) && defined(WOLFSSL_SNIFFER_KEYLOGFILE) |
708 | | /* If this is called from a sniffer session with keylog file support, obtain |
709 | | * the master secret from the callback */ |
710 | | if (ssl->snifferSecretCb != NULL) { |
711 | | ret = ssl->snifferSecretCb(ssl->arrays->clientRandom, |
712 | | SNIFFER_SECRET_TLS12_MASTER_SECRET, |
713 | | ssl->arrays->masterSecret); |
714 | | if (ret != 0) { |
715 | | return ret; |
716 | | } |
717 | | ret = DeriveTlsKeys(ssl); |
718 | | return ret; |
719 | | } |
720 | | #endif /* WOLFSSL_SNIFFER && WOLFSSL_SNIFFER_KEYLOGFILE */ |
721 | |
|
722 | 0 | #ifdef HAVE_EXTENDED_MASTER |
723 | 0 | if (ssl->options.haveEMS) { |
724 | 0 | word32 hashSz = HSHASH_SZ; |
725 | | #ifdef WOLFSSL_SMALL_STACK |
726 | | byte* handshake_hash = (byte*)XMALLOC(HSHASH_SZ, ssl->heap, |
727 | | DYNAMIC_TYPE_DIGEST); |
728 | | if (handshake_hash == NULL) |
729 | | return MEMORY_E; |
730 | | #else |
731 | 0 | byte handshake_hash[HSHASH_SZ]; |
732 | 0 | #endif |
733 | |
|
734 | 0 | XMEMSET(handshake_hash, 0, HSHASH_SZ); |
735 | 0 | ret = BuildTlsHandshakeHash(ssl, handshake_hash, &hashSz); |
736 | 0 | if (ret == 0) { |
737 | | #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) |
738 | | ret = PROTOCOLCB_UNAVAILABLE; |
739 | | if (ssl->ctx->GenExtMasterCb) { |
740 | | void* ctx = wolfSSL_GetGenExtMasterSecretCtx(ssl); |
741 | | ret = ssl->ctx->GenExtMasterCb(ssl, handshake_hash, hashSz, |
742 | | ctx); |
743 | | } |
744 | | if (!ssl->ctx->GenExtMasterCb || |
745 | | ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE)) |
746 | | #endif /* (HAVE_SECRET_CALLBACK) && (HAVE_EXT_SECRET_CALLBACK) */ |
747 | 0 | { |
748 | 0 | ret = _MakeTlsExtendedMasterSecret( |
749 | 0 | ssl->arrays->masterSecret, SECRET_LEN, |
750 | 0 | ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz, |
751 | 0 | handshake_hash, hashSz, |
752 | 0 | IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, |
753 | 0 | ssl->heap, ssl->devId); |
754 | 0 | } |
755 | 0 | ForceZero(handshake_hash, hashSz); |
756 | 0 | } |
757 | |
|
758 | | #ifdef WOLFSSL_SMALL_STACK |
759 | | XFREE(handshake_hash, ssl->heap, DYNAMIC_TYPE_DIGEST); |
760 | | #elif defined(WOLFSSL_CHECK_MEM_ZERO) |
761 | | wc_MemZero_Check(handshake_hash, HSHASH_SZ); |
762 | | #endif |
763 | 0 | } |
764 | 0 | else |
765 | 0 | #endif /* HAVE_EXTENDED_MASTER */ |
766 | 0 | { |
767 | |
|
768 | | #if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS) |
769 | | ret = PROTOCOLCB_UNAVAILABLE; |
770 | | if (ssl->ctx->GenMasterCb) { |
771 | | void* ctx = wolfSSL_GetGenMasterSecretCtx(ssl); |
772 | | ret = ssl->ctx->GenMasterCb(ssl, ctx); |
773 | | } |
774 | | if (!ssl->ctx->GenMasterCb || |
775 | | ret == WC_NO_ERR_TRACE(PROTOCOLCB_UNAVAILABLE)) |
776 | | #endif |
777 | 0 | { |
778 | 0 | ret = _MakeTlsMasterSecret(ssl->arrays->masterSecret, |
779 | 0 | SECRET_LEN, ssl->arrays->preMasterSecret, |
780 | 0 | ssl->arrays->preMasterSz, ssl->arrays->clientRandom, |
781 | 0 | ssl->arrays->serverRandom, IsAtLeastTLSv1_2(ssl), |
782 | 0 | ssl->specs.mac_algorithm, ssl->heap, ssl->devId); |
783 | 0 | } |
784 | 0 | } |
785 | | #ifdef HAVE_SECRET_CALLBACK |
786 | | if (ret == 0 && ssl->tlsSecretCb != NULL) { |
787 | | ret = ssl->tlsSecretCb(ssl, ssl->arrays->masterSecret, |
788 | | SECRET_LEN, ssl->tlsSecretCtx); |
789 | | } |
790 | | #endif /* HAVE_SECRET_CALLBACK */ |
791 | 0 | if (ret == 0) { |
792 | 0 | ret = DeriveTlsKeys(ssl); |
793 | 0 | } |
794 | |
|
795 | 0 | return ret; |
796 | 0 | } |
797 | | |
798 | | |
799 | | /* Used by EAP-TLS and EAP-TTLS to derive keying material from |
800 | | * the master_secret. */ |
801 | | int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* key, unsigned int len, |
802 | | const char* label) |
803 | 0 | { |
804 | 0 | int ret; |
805 | 0 | WC_DECLARE_VAR(seed, byte, SEED_LEN, 0); |
806 | |
|
807 | 0 | WC_ALLOC_VAR_EX(seed, byte, SEED_LEN, ssl->heap, DYNAMIC_TYPE_SEED, |
808 | 0 | return MEMORY_E); |
809 | | |
810 | | /* |
811 | | * As per RFC-5281, the order of the client and server randoms is reversed |
812 | | * from that used by the TLS protocol to derive keys. |
813 | | */ |
814 | 0 | XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN); |
815 | 0 | XMEMCPY(seed + RAN_LEN, ssl->arrays->serverRandom, RAN_LEN); |
816 | |
|
817 | 0 | #ifdef WOLFSSL_HAVE_PRF |
818 | 0 | PRIVATE_KEY_UNLOCK(); |
819 | 0 | ret = wc_PRF_TLS((byte*)key, len, ssl->arrays->masterSecret, SECRET_LEN, |
820 | 0 | (const byte *)label, (word32)XSTRLEN(label), seed, SEED_LEN, |
821 | 0 | IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm, |
822 | 0 | ssl->heap, ssl->devId); |
823 | 0 | PRIVATE_KEY_LOCK(); |
824 | | #else |
825 | | /* Pseudo random function must be enabled in the configuration. */ |
826 | | ret = PRF_MISSING; |
827 | | WOLFSSL_MSG("Pseudo-random function is not enabled"); |
828 | | |
829 | | (void)key; |
830 | | (void)len; |
831 | | (void)label; |
832 | | #endif |
833 | |
|
834 | 0 | WC_FREE_VAR_EX(seed, ssl->heap, DYNAMIC_TYPE_SEED); |
835 | |
|
836 | 0 | return ret; |
837 | 0 | } |
838 | | |
839 | | /* return HMAC digest type in wolfSSL format */ |
840 | | int wolfSSL_GetHmacType(WOLFSSL* ssl) |
841 | 0 | { |
842 | 0 | if (ssl == NULL) |
843 | 0 | return BAD_FUNC_ARG; |
844 | | |
845 | 0 | return wolfSSL_GetHmacType_ex(&ssl->specs); |
846 | 0 | } |
847 | | |
848 | | |
849 | | int wolfSSL_SetTlsHmacInner(WOLFSSL* ssl, byte* inner, word32 sz, int content, |
850 | | int verify) |
851 | 0 | { |
852 | 0 | if (ssl == NULL || inner == NULL) |
853 | 0 | return BAD_FUNC_ARG; |
854 | | |
855 | 0 | if (content == dtls12_cid |
856 | | #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID) |
857 | | || (ssl->options.dtls && DtlsGetCidTxSize(ssl) > 0) |
858 | | #endif |
859 | 0 | ) { |
860 | 0 | WOLFSSL_MSG("wolfSSL_SetTlsHmacInner doesn't support CID"); |
861 | 0 | return BAD_FUNC_ARG; |
862 | 0 | } |
863 | | |
864 | 0 | XMEMSET(inner, 0, WOLFSSL_TLS_HMAC_INNER_SZ); |
865 | |
|
866 | 0 | WriteSEQ(ssl, verify, inner); |
867 | 0 | inner[SEQ_SZ] = (byte)content; |
868 | 0 | inner[SEQ_SZ + ENUM_LEN] = ssl->version.major; |
869 | 0 | inner[SEQ_SZ + ENUM_LEN + ENUM_LEN] = ssl->version.minor; |
870 | 0 | c16toa((word16)sz, inner + SEQ_SZ + ENUM_LEN + VERSION_SZ); |
871 | |
|
872 | 0 | return 0; |
873 | 0 | } |
874 | | |
875 | | |
876 | | #ifndef WOLFSSL_AEAD_ONLY |
877 | | #if !defined(WOLFSSL_NO_HASH_RAW) && !defined(HAVE_FIPS) && \ |
878 | | !defined(HAVE_SELFTEST) |
879 | | |
880 | | /* Update the hash in the HMAC. |
881 | | * |
882 | | * hmac HMAC object. |
883 | | * data Data to be hashed. |
884 | | * sz Size of data to hash. |
885 | | * returns 0 on success, otherwise failure. |
886 | | */ |
887 | | static int Hmac_HashUpdate(Hmac* hmac, const byte* data, word32 sz) |
888 | 0 | { |
889 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
890 | |
|
891 | 0 | switch (hmac->macType) { |
892 | 0 | #ifndef NO_SHA |
893 | 0 | case WC_SHA: |
894 | 0 | ret = wc_ShaUpdate(&hmac->hash.sha, data, sz); |
895 | 0 | break; |
896 | 0 | #endif /* !NO_SHA */ |
897 | | |
898 | 0 | #ifndef NO_SHA256 |
899 | 0 | case WC_SHA256: |
900 | 0 | ret = wc_Sha256Update(&hmac->hash.sha256, data, sz); |
901 | 0 | break; |
902 | 0 | #endif /* !NO_SHA256 */ |
903 | | |
904 | 0 | #ifdef WOLFSSL_SHA384 |
905 | 0 | case WC_SHA384: |
906 | 0 | ret = wc_Sha384Update(&hmac->hash.sha384, data, sz); |
907 | 0 | break; |
908 | 0 | #endif /* WOLFSSL_SHA384 */ |
909 | | |
910 | 0 | #ifdef WOLFSSL_SHA512 |
911 | 0 | case WC_SHA512: |
912 | 0 | ret = wc_Sha512Update(&hmac->hash.sha512, data, sz); |
913 | 0 | break; |
914 | 0 | #endif /* WOLFSSL_SHA512 */ |
915 | | |
916 | | #ifdef WOLFSSL_SM3 |
917 | | case WC_SM3: |
918 | | ret = wc_Sm3Update(&hmac->hash.sm3, data, sz); |
919 | | break; |
920 | | #endif /* WOLFSSL_SM3 */ |
921 | | |
922 | 0 | default: |
923 | 0 | ret = BAD_FUNC_ARG; |
924 | 0 | break; |
925 | 0 | } |
926 | | |
927 | 0 | return ret; |
928 | 0 | } |
929 | | |
930 | | /* Finalize the hash but don't put the EOC, padding or length in. |
931 | | * |
932 | | * hmac HMAC object. |
933 | | * hash Hash result. |
934 | | * returns 0 on success, otherwise failure. |
935 | | */ |
936 | | static int Hmac_HashFinalRaw(Hmac* hmac, unsigned char* hash) |
937 | 0 | { |
938 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
939 | |
|
940 | 0 | switch (hmac->macType) { |
941 | 0 | #ifndef NO_SHA |
942 | 0 | case WC_SHA: |
943 | 0 | ret = wc_ShaFinalRaw(&hmac->hash.sha, hash); |
944 | 0 | break; |
945 | 0 | #endif /* !NO_SHA */ |
946 | | |
947 | 0 | #ifndef NO_SHA256 |
948 | 0 | case WC_SHA256: |
949 | 0 | ret = wc_Sha256FinalRaw(&hmac->hash.sha256, hash); |
950 | 0 | break; |
951 | 0 | #endif /* !NO_SHA256 */ |
952 | | |
953 | 0 | #ifdef WOLFSSL_SHA384 |
954 | 0 | case WC_SHA384: |
955 | 0 | ret = wc_Sha384FinalRaw(&hmac->hash.sha384, hash); |
956 | 0 | break; |
957 | 0 | #endif /* WOLFSSL_SHA384 */ |
958 | | |
959 | 0 | #ifdef WOLFSSL_SHA512 |
960 | 0 | case WC_SHA512: |
961 | 0 | ret = wc_Sha512FinalRaw(&hmac->hash.sha512, hash); |
962 | 0 | break; |
963 | 0 | #endif /* WOLFSSL_SHA512 */ |
964 | | |
965 | | #ifdef WOLFSSL_SM3 |
966 | | case WC_SM3: |
967 | | ret = wc_Sm3FinalRaw(&hmac->hash.sm3, hash); |
968 | | break; |
969 | | #endif /* WOLFSSL_SM3 */ |
970 | | |
971 | 0 | default: |
972 | 0 | ret = BAD_FUNC_ARG; |
973 | 0 | break; |
974 | 0 | } |
975 | | |
976 | 0 | return ret; |
977 | 0 | } |
978 | | |
979 | | /* Finalize the HMAC by performing outer hash. |
980 | | * |
981 | | * hmac HMAC object. |
982 | | * mac MAC result. |
983 | | * returns 0 on success, otherwise failure. |
984 | | */ |
985 | | static int Hmac_OuterHash(Hmac* hmac, unsigned char* mac) |
986 | 0 | { |
987 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
988 | 0 | WC_DECLARE_VAR(hash, wc_HashAlg, 1, hmac ? hmac->heap : NULL); |
989 | 0 | enum wc_HashType hashType = (enum wc_HashType)hmac->macType; |
990 | 0 | int digestSz = wc_HashGetDigestSize(hashType); |
991 | 0 | int blockSz = wc_HashGetBlockSize(hashType); |
992 | |
|
993 | 0 | WC_ALLOC_VAR_EX(hash, wc_HashAlg, 1, hmac->heap, DYNAMIC_TYPE_HASHES, |
994 | 0 | return MEMORY_E); |
995 | |
|
996 | 0 | if ((digestSz >= 0) && (blockSz >= 0)) { |
997 | 0 | ret = wc_HashInit(hash, hashType); |
998 | 0 | } |
999 | 0 | else { |
1000 | 0 | ret = BAD_FUNC_ARG; |
1001 | 0 | } |
1002 | |
|
1003 | 0 | if (ret == 0) { |
1004 | 0 | ret = wc_HashUpdate(hash, hashType, (byte*)hmac->opad, |
1005 | 0 | (word32)blockSz); |
1006 | 0 | if (ret == 0) |
1007 | 0 | ret = wc_HashUpdate(hash, hashType, (byte*)hmac->innerHash, |
1008 | 0 | (word32)digestSz); |
1009 | 0 | if (ret == 0) |
1010 | 0 | ret = wc_HashFinal(hash, hashType, mac); |
1011 | 0 | wc_HashFree(hash, hashType); |
1012 | 0 | } |
1013 | |
|
1014 | 0 | WC_FREE_VAR_EX(hash, hmac->heap, DYNAMIC_TYPE_HASHES); |
1015 | 0 | return ret; |
1016 | 0 | } |
1017 | | |
1018 | | /* Calculate the HMAC of the header + message data. |
1019 | | * Constant time implementation using wc_Sha*FinalRaw(). |
1020 | | * |
1021 | | * hmac HMAC object. |
1022 | | * digest MAC result. |
1023 | | * in Message data. |
1024 | | * sz Size of the message data. |
1025 | | * header Constructed record header with length of handshake data. |
1026 | | * headerSz Length of header |
1027 | | * returns 0 on success, otherwise failure. |
1028 | | */ |
1029 | | static int Hmac_UpdateFinal_CT(Hmac* hmac, byte* digest, const byte* in, |
1030 | | word32 sz, int macLen, byte* header, word32 headerSz) |
1031 | 0 | { |
1032 | 0 | byte lenBytes[8]; |
1033 | 0 | int i, j; |
1034 | 0 | unsigned int k; |
1035 | 0 | int blockBits, blockMask; |
1036 | 0 | int lastBlockLen, extraLen, eocIndex; |
1037 | 0 | int blocks; |
1038 | 0 | int safeBlocks; |
1039 | 0 | int lenBlock; |
1040 | 0 | int eocBlock; |
1041 | 0 | word32 maxLen; |
1042 | 0 | int blockSz, padSz; |
1043 | 0 | int ret; |
1044 | 0 | word32 realLen; |
1045 | 0 | byte extraBlock; |
1046 | |
|
1047 | 0 | if (macLen <= 0 || macLen > (int)sizeof(hmac->innerHash)) |
1048 | 0 | return BAD_FUNC_ARG; |
1049 | | |
1050 | 0 | switch (hmac->macType) { |
1051 | 0 | #ifndef NO_SHA |
1052 | 0 | case WC_SHA: |
1053 | 0 | blockSz = WC_SHA_BLOCK_SIZE; |
1054 | 0 | blockBits = 6; |
1055 | 0 | padSz = WC_SHA_BLOCK_SIZE - WC_SHA_PAD_SIZE + 1; |
1056 | 0 | break; |
1057 | 0 | #endif /* !NO_SHA */ |
1058 | | |
1059 | 0 | #ifndef NO_SHA256 |
1060 | 0 | case WC_SHA256: |
1061 | 0 | blockSz = WC_SHA256_BLOCK_SIZE; |
1062 | 0 | blockBits = 6; |
1063 | 0 | padSz = WC_SHA256_BLOCK_SIZE - WC_SHA256_PAD_SIZE + 1; |
1064 | 0 | break; |
1065 | 0 | #endif /* !NO_SHA256 */ |
1066 | | |
1067 | 0 | #ifdef WOLFSSL_SHA384 |
1068 | 0 | case WC_SHA384: |
1069 | 0 | blockSz = WC_SHA384_BLOCK_SIZE; |
1070 | 0 | blockBits = 7; |
1071 | 0 | padSz = WC_SHA384_BLOCK_SIZE - WC_SHA384_PAD_SIZE + 1; |
1072 | 0 | break; |
1073 | 0 | #endif /* WOLFSSL_SHA384 */ |
1074 | | |
1075 | 0 | #ifdef WOLFSSL_SHA512 |
1076 | 0 | case WC_SHA512: |
1077 | 0 | blockSz = WC_SHA512_BLOCK_SIZE; |
1078 | 0 | blockBits = 7; |
1079 | 0 | padSz = WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE + 1; |
1080 | 0 | break; |
1081 | 0 | #endif /* WOLFSSL_SHA512 */ |
1082 | | |
1083 | | #ifdef WOLFSSL_SM3 |
1084 | | case WC_SM3: |
1085 | | blockSz = WC_SM3_BLOCK_SIZE; |
1086 | | blockBits = 6; |
1087 | | padSz = WC_SM3_BLOCK_SIZE - WC_SM3_PAD_SIZE + 1; |
1088 | | break; |
1089 | | #endif /* WOLFSSL_SM3 */ |
1090 | | |
1091 | 0 | default: |
1092 | 0 | return BAD_FUNC_ARG; |
1093 | 0 | } |
1094 | 0 | blockMask = blockSz - 1; |
1095 | | |
1096 | | /* Size of data to HMAC if padding length byte is zero. */ |
1097 | 0 | maxLen = WOLFSSL_TLS_HMAC_INNER_SZ + sz - 1 - (word32)macLen; |
1098 | | |
1099 | | /* Complete data (including padding) has block for EOC and/or length. */ |
1100 | 0 | extraBlock = ctSetLTE(((int)maxLen + padSz) & blockMask, padSz); |
1101 | | /* Total number of blocks for data including padding. */ |
1102 | 0 | blocks = ((int)(maxLen + (word32)blockSz - 1) >> blockBits) + extraBlock; |
1103 | | /* Up to last 6 blocks can be hashed safely. */ |
1104 | 0 | safeBlocks = blocks - 6; |
1105 | | |
1106 | | /* Length of message data. */ |
1107 | 0 | realLen = maxLen - in[sz - 1]; |
1108 | | /* Number of message bytes in last block. */ |
1109 | 0 | lastBlockLen = (int)realLen & blockMask; |
1110 | | /* Number of padding bytes in last block. */ |
1111 | 0 | extraLen = ((blockSz * 2 - padSz - lastBlockLen) & blockMask) + 1; |
1112 | | /* Number of blocks to create for hash. */ |
1113 | 0 | lenBlock = ((int)realLen + extraLen) >> blockBits; |
1114 | | /* Block containing EOC byte. */ |
1115 | 0 | eocBlock = (int)(realLen >> (word32)blockBits); |
1116 | | /* Index of EOC byte in block. */ |
1117 | 0 | eocIndex = (int)(realLen & (word32)blockMask); |
1118 | | |
1119 | | /* Add length of hmac's ipad to total length. */ |
1120 | 0 | realLen += (word32)blockSz; |
1121 | | /* Length as bits - 8 bytes bigendian. */ |
1122 | 0 | c32toa(realLen >> ((sizeof(word32) * 8) - 3), lenBytes); |
1123 | 0 | c32toa(realLen << 3, lenBytes + sizeof(word32)); |
1124 | |
|
1125 | 0 | ret = Hmac_HashUpdate(hmac, (unsigned char*)hmac->ipad, (word32)blockSz); |
1126 | 0 | if (ret != 0) |
1127 | 0 | return ret; |
1128 | | |
1129 | 0 | XMEMSET(hmac->innerHash, 0, (size_t)macLen); |
1130 | |
|
1131 | 0 | if (safeBlocks > 0) { |
1132 | 0 | ret = Hmac_HashUpdate(hmac, header, headerSz); |
1133 | 0 | if (ret != 0) |
1134 | 0 | return ret; |
1135 | 0 | ret = Hmac_HashUpdate(hmac, in, (word32)(safeBlocks * blockSz - |
1136 | 0 | WOLFSSL_TLS_HMAC_INNER_SZ)); |
1137 | |
|
1138 | 0 | if (ret != 0) |
1139 | 0 | return ret; |
1140 | 0 | } |
1141 | 0 | else |
1142 | 0 | safeBlocks = 0; |
1143 | | |
1144 | 0 | XMEMSET(digest, 0, (size_t)macLen); |
1145 | 0 | k = (unsigned int)(safeBlocks * blockSz); |
1146 | 0 | for (i = safeBlocks; i < blocks; i++) { |
1147 | 0 | unsigned char hashBlock[WC_MAX_BLOCK_SIZE]; |
1148 | 0 | unsigned char isEocBlock = ctMaskEq(i, eocBlock); |
1149 | 0 | unsigned char isOutBlock = ctMaskEq(i, lenBlock); |
1150 | |
|
1151 | 0 | for (j = 0; j < blockSz; j++) { |
1152 | 0 | unsigned char atEoc = ctMaskEq(j, eocIndex) & isEocBlock; |
1153 | 0 | volatile unsigned char maskPastEoc = ctMaskGT(j, eocIndex); |
1154 | 0 | volatile unsigned char pastEoc = maskPastEoc & isEocBlock; |
1155 | 0 | unsigned char b = 0; |
1156 | |
|
1157 | 0 | if (k < headerSz) |
1158 | 0 | b = header[k]; |
1159 | 0 | else if (k < maxLen) |
1160 | 0 | b = in[k - headerSz]; |
1161 | 0 | k++; |
1162 | |
|
1163 | 0 | b = ctMaskSel(atEoc, 0x80, b); |
1164 | 0 | b &= (unsigned char)~(word32)pastEoc; |
1165 | 0 | b &= ((unsigned char)~(word32)isOutBlock) | isEocBlock; |
1166 | |
|
1167 | 0 | if (j >= blockSz - 8) { |
1168 | 0 | b = ctMaskSel(isOutBlock, lenBytes[j - (blockSz - 8)], b); |
1169 | 0 | } |
1170 | |
|
1171 | 0 | hashBlock[j] = b; |
1172 | 0 | } |
1173 | | |
1174 | | /* cppcheck-suppress uninitvar */ |
1175 | 0 | ret = Hmac_HashUpdate(hmac, hashBlock, (word32)blockSz); |
1176 | 0 | if (ret != 0) |
1177 | 0 | return ret; |
1178 | 0 | ret = Hmac_HashFinalRaw(hmac, hashBlock); |
1179 | 0 | if (ret != 0) |
1180 | 0 | return ret; |
1181 | 0 | for (j = 0; j < macLen; j++) |
1182 | 0 | ((unsigned char*)hmac->innerHash)[j] |= hashBlock[j] & isOutBlock; |
1183 | 0 | } |
1184 | | |
1185 | 0 | ret = Hmac_OuterHash(hmac, digest); |
1186 | |
|
1187 | 0 | return ret; |
1188 | 0 | } |
1189 | | |
1190 | | #endif |
1191 | | |
1192 | | #if defined(WOLFSSL_NO_HASH_RAW) || defined(HAVE_FIPS) || \ |
1193 | | defined(HAVE_SELFTEST) || defined(HAVE_BLAKE2B) |
1194 | | |
1195 | | /* Calculate the HMAC of the header + message data. |
1196 | | * Constant time implementation using normal hashing operations. |
1197 | | * Update-Final need to be constant time. |
1198 | | * |
1199 | | * hmac HMAC object. |
1200 | | * digest MAC result. |
1201 | | * in Message data. |
1202 | | * sz Size of the message data. |
1203 | | * header Constructed record header with length of handshake data. |
1204 | | * headerSz Length of header |
1205 | | * returns 0 on success, otherwise failure. |
1206 | | */ |
1207 | | static int Hmac_UpdateFinal(Hmac* hmac, byte* digest, const byte* in, |
1208 | | word32 sz, byte* header, word32 headerSz) |
1209 | | { |
1210 | | byte dummy[WC_MAX_BLOCK_SIZE] = {0}; |
1211 | | int ret = 0; |
1212 | | word32 msgSz, blockSz, macSz, padSz, maxSz, realSz; |
1213 | | word32 offset = 0; |
1214 | | int msgBlocks, blocks, blockBits; |
1215 | | int i; |
1216 | | |
1217 | | switch (hmac->macType) { |
1218 | | #ifndef NO_SHA |
1219 | | case WC_SHA: |
1220 | | blockSz = WC_SHA_BLOCK_SIZE; |
1221 | | blockBits = 6; |
1222 | | macSz = WC_SHA_DIGEST_SIZE; |
1223 | | padSz = WC_SHA_BLOCK_SIZE - WC_SHA_PAD_SIZE + 1; |
1224 | | break; |
1225 | | #endif /* !NO_SHA */ |
1226 | | |
1227 | | #ifndef NO_SHA256 |
1228 | | case WC_SHA256: |
1229 | | blockSz = WC_SHA256_BLOCK_SIZE; |
1230 | | blockBits = 6; |
1231 | | macSz = WC_SHA256_DIGEST_SIZE; |
1232 | | padSz = WC_SHA256_BLOCK_SIZE - WC_SHA256_PAD_SIZE + 1; |
1233 | | break; |
1234 | | #endif /* !NO_SHA256 */ |
1235 | | |
1236 | | #ifdef WOLFSSL_SHA384 |
1237 | | case WC_SHA384: |
1238 | | blockSz = WC_SHA384_BLOCK_SIZE; |
1239 | | blockBits = 7; |
1240 | | macSz = WC_SHA384_DIGEST_SIZE; |
1241 | | padSz = WC_SHA384_BLOCK_SIZE - WC_SHA384_PAD_SIZE + 1; |
1242 | | break; |
1243 | | #endif /* WOLFSSL_SHA384 */ |
1244 | | |
1245 | | #ifdef WOLFSSL_SHA512 |
1246 | | case WC_SHA512: |
1247 | | blockSz = WC_SHA512_BLOCK_SIZE; |
1248 | | blockBits = 7; |
1249 | | macSz = WC_SHA512_DIGEST_SIZE; |
1250 | | padSz = WC_SHA512_BLOCK_SIZE - WC_SHA512_PAD_SIZE + 1; |
1251 | | break; |
1252 | | #endif /* WOLFSSL_SHA512 */ |
1253 | | |
1254 | | #ifdef HAVE_BLAKE2B |
1255 | | case WC_HASH_TYPE_BLAKE2B: |
1256 | | blockSz = BLAKE2B_BLOCKBYTES; |
1257 | | blockBits = 7; |
1258 | | macSz = BLAKE2B_256; |
1259 | | padSz = 0; |
1260 | | break; |
1261 | | #endif /* HAVE_BLAKE2B */ |
1262 | | |
1263 | | #ifdef WOLFSSL_SM3 |
1264 | | case WC_SM3: |
1265 | | blockSz = WC_SM3_BLOCK_SIZE; |
1266 | | blockBits = 6; |
1267 | | macSz = WC_SM3_DIGEST_SIZE; |
1268 | | padSz = WC_SM3_BLOCK_SIZE - WC_SM3_PAD_SIZE + 1; |
1269 | | break; |
1270 | | #endif |
1271 | | |
1272 | | default: |
1273 | | WOLFSSL_MSG("ERROR: Hmac_UpdateFinal failed, no hmac->macType"); |
1274 | | return BAD_FUNC_ARG; |
1275 | | } |
1276 | | |
1277 | | msgSz = sz - (1 + in[sz - 1] + macSz); |
1278 | | /* Make negative result 0 */ |
1279 | | msgSz &= ~(0 - (msgSz >> 31)); |
1280 | | realSz = WOLFSSL_TLS_HMAC_INNER_SZ + msgSz; |
1281 | | maxSz = WOLFSSL_TLS_HMAC_INNER_SZ + (sz - 1) - macSz; |
1282 | | /* Make negative result 0 */ |
1283 | | maxSz &= ~(0 - (maxSz >> 31)); |
1284 | | |
1285 | | /* Calculate #blocks processed in HMAC for max and real data. */ |
1286 | | blocks = (int)(maxSz >> blockBits); |
1287 | | blocks += ((maxSz + padSz) % blockSz) < padSz; |
1288 | | msgBlocks = (int)(realSz >> blockBits); |
1289 | | /* #Extra blocks to process. */ |
1290 | | blocks -= msgBlocks + ((((realSz + padSz) % blockSz) < padSz) ? 1 : 0); |
1291 | | /* Calculate whole blocks. */ |
1292 | | msgBlocks--; |
1293 | | |
1294 | | ret = wc_HmacUpdate(hmac, header, headerSz); |
1295 | | if (ret == 0) { |
1296 | | /* Fill the rest of the block with any available data. */ |
1297 | | word32 currSz = ctMaskLT((int)msgSz, (int)blockSz) & msgSz; |
1298 | | currSz |= ctMaskGTE((int)msgSz, (int)blockSz) & blockSz; |
1299 | | currSz -= WOLFSSL_TLS_HMAC_INNER_SZ; |
1300 | | currSz &= ~(0 - (currSz >> 31)); |
1301 | | ret = wc_HmacUpdate(hmac, in, currSz); |
1302 | | offset = currSz; |
1303 | | } |
1304 | | if (ret == 0) { |
1305 | | /* Do the hash operations on a block basis. */ |
1306 | | for (i = 0; i < msgBlocks; i++, offset += blockSz) { |
1307 | | ret = wc_HmacUpdate(hmac, in + offset, blockSz); |
1308 | | if (ret != 0) |
1309 | | break; |
1310 | | } |
1311 | | } |
1312 | | if (ret == 0) |
1313 | | ret = wc_HmacUpdate(hmac, in + offset, msgSz - offset); |
1314 | | if (ret == 0) |
1315 | | ret = wc_HmacFinal(hmac, digest); |
1316 | | if (ret == 0) { |
1317 | | /* Do the dummy hash operations. Do at least one. */ |
1318 | | for (i = 0; i < blocks + 1; i++) { |
1319 | | ret = wc_HmacUpdate(hmac, dummy, blockSz); |
1320 | | if (ret != 0) |
1321 | | break; |
1322 | | } |
1323 | | } |
1324 | | |
1325 | | return ret; |
1326 | | } |
1327 | | |
1328 | | #endif |
1329 | | |
1330 | | #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID) |
1331 | | #define TLS_HMAC_CID_SZ(s, v) \ |
1332 | | ((v) ? DtlsGetCidRxSize((s)) \ |
1333 | | : DtlsGetCidTxSize((s))) |
1334 | | #define TLS_HMAC_CID(s, v, b, c) \ |
1335 | | ((v) ? wolfSSL_dtls_cid_get_rx((s), (b), (c)) \ |
1336 | | : wolfSSL_dtls_cid_get_tx((s), (b), (c))) |
1337 | | #endif |
1338 | | |
1339 | | static int TLS_hmac_SetInner(WOLFSSL* ssl, byte* inner, word32* innerSz, |
1340 | | word32 sz, int content, int verify, int epochOrder) |
1341 | 0 | { |
1342 | | #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID) |
1343 | | unsigned int cidSz = 0; |
1344 | | if (ssl->options.dtls && (cidSz = TLS_HMAC_CID_SZ(ssl, verify)) > 0) { |
1345 | | word32 idx = 0; |
1346 | | if (cidSz > DTLS_CID_MAX_SIZE) { |
1347 | | WOLFSSL_MSG("DTLS CID too large"); |
1348 | | return DTLS_CID_ERROR; |
1349 | | } |
1350 | | |
1351 | | XMEMSET(inner + idx, 0xFF, SEQ_SZ); |
1352 | | idx += SEQ_SZ; |
1353 | | inner[idx++] = dtls12_cid; |
1354 | | inner[idx++] = (byte)cidSz; |
1355 | | inner[idx++] = dtls12_cid; |
1356 | | inner[idx++] = ssl->version.major; |
1357 | | inner[idx++] = ssl->version.minor; |
1358 | | WriteSEQ(ssl, epochOrder, inner + idx); |
1359 | | idx += SEQ_SZ; |
1360 | | if (TLS_HMAC_CID(ssl, verify, inner + idx, cidSz) == |
1361 | | WC_NO_ERR_TRACE(WOLFSSL_FAILURE)) { |
1362 | | WOLFSSL_MSG("DTLS CID write failed"); |
1363 | | return DTLS_CID_ERROR; |
1364 | | } |
1365 | | idx += cidSz; |
1366 | | c16toa((word16)sz, inner + idx); |
1367 | | idx += LENGTH_SZ; |
1368 | | |
1369 | | *innerSz = idx; |
1370 | | return 0; |
1371 | | } |
1372 | | #endif |
1373 | 0 | *innerSz = WOLFSSL_TLS_HMAC_INNER_SZ; |
1374 | 0 | return wolfSSL_SetTlsHmacInner(ssl, inner, sz, content, |
1375 | 0 | !ssl->options.dtls ? verify : epochOrder); |
1376 | 0 | } |
1377 | | |
1378 | | #if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_CID) |
1379 | | #define TLS_HMAC_INNER_SZ WOLFSSL_TLS_HMAC_CID_INNER_SZ |
1380 | | #else |
1381 | 0 | #define TLS_HMAC_INNER_SZ WOLFSSL_TLS_HMAC_INNER_SZ |
1382 | | #endif |
1383 | | |
1384 | | int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz, int padSz, |
1385 | | int content, int verify, int epochOrder) |
1386 | 0 | { |
1387 | 0 | WC_DECLARE_VAR(hmac, Hmac, 1, ssl ? ssl->heap : NULL); |
1388 | 0 | byte myInner[TLS_HMAC_INNER_SZ]; |
1389 | 0 | word32 innerSz = TLS_HMAC_INNER_SZ; |
1390 | 0 | int ret = 0; |
1391 | 0 | const byte* macSecret = NULL; |
1392 | 0 | word32 hashSz = 0; |
1393 | 0 | word32 totalSz = 0; |
1394 | |
|
1395 | 0 | if (ssl == NULL) |
1396 | 0 | return BAD_FUNC_ARG; |
1397 | | |
1398 | 0 | WC_ALLOC_VAR_EX(hmac, Hmac, 1, ssl->heap, DYNAMIC_TYPE_HMAC, |
1399 | 0 | return MEMORY_E); |
1400 | |
|
1401 | | #ifdef HAVE_TRUNCATED_HMAC |
1402 | | hashSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ |
1403 | | : ssl->specs.hash_size; |
1404 | | #else |
1405 | 0 | hashSz = ssl->specs.hash_size; |
1406 | 0 | #endif |
1407 | | |
1408 | | /* Pre-compute sz + hashSz + padSz + 1 with overflow checking. |
1409 | | * Used by fuzzer callback and Hmac_UpdateFinal* in the verify path. */ |
1410 | 0 | if (verify && padSz >= 0) { |
1411 | 0 | word32 hmacSz = 0; |
1412 | 0 | if (!WC_SAFE_SUM_WORD32(sz, hashSz, hmacSz) || |
1413 | 0 | !WC_SAFE_SUM_WORD32(hmacSz, (word32)padSz, hmacSz) || |
1414 | 0 | !WC_SAFE_SUM_WORD32(hmacSz, 1, hmacSz)) { |
1415 | 0 | WC_FREE_VAR_EX(hmac, ssl->heap, DYNAMIC_TYPE_HMAC); |
1416 | 0 | return BUFFER_E; |
1417 | 0 | } |
1418 | 0 | totalSz = hmacSz; |
1419 | 0 | } |
1420 | | |
1421 | | #ifdef HAVE_FUZZER |
1422 | | /* Fuzz "in" buffer with sz to be used in HMAC algorithm */ |
1423 | | if (ssl->fuzzerCb) { |
1424 | | if (verify && padSz >= 0) { |
1425 | | ssl->fuzzerCb(ssl, in, totalSz, FUZZ_HMAC, |
1426 | | ssl->fuzzerCtx); |
1427 | | } |
1428 | | else { |
1429 | | ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx); |
1430 | | } |
1431 | | } |
1432 | | #endif |
1433 | | |
1434 | 0 | ret = TLS_hmac_SetInner(ssl, myInner, &innerSz, sz, content, verify, |
1435 | 0 | epochOrder); |
1436 | 0 | if (ret != 0) { |
1437 | 0 | WC_FREE_VAR_EX(hmac, ssl->heap, DYNAMIC_TYPE_HMAC); |
1438 | 0 | return ret; |
1439 | 0 | } |
1440 | | |
1441 | 0 | ret = wc_HmacInit(hmac, ssl->heap, ssl->devId); |
1442 | 0 | if (ret != 0) { |
1443 | 0 | WC_FREE_VAR_EX(hmac, ssl->heap, DYNAMIC_TYPE_HMAC); |
1444 | 0 | return ret; |
1445 | 0 | } |
1446 | | |
1447 | | |
1448 | | #ifdef WOLFSSL_DTLS |
1449 | | if (ssl->options.dtls) |
1450 | | macSecret = wolfSSL_GetDtlsMacSecret(ssl, verify, epochOrder); |
1451 | | else |
1452 | | #endif |
1453 | 0 | macSecret = wolfSSL_GetMacSecret(ssl, verify); |
1454 | 0 | ret = wc_HmacSetKey(hmac, wolfSSL_GetHmacType(ssl), |
1455 | 0 | macSecret, |
1456 | 0 | ssl->specs.hash_size); |
1457 | |
|
1458 | 0 | if (ret == 0) { |
1459 | | /* Constant time verification required. */ |
1460 | 0 | if (verify && padSz >= 0) { |
1461 | 0 | #if !defined(WOLFSSL_NO_HASH_RAW) && !defined(HAVE_FIPS) && \ |
1462 | 0 | !defined(HAVE_SELFTEST) |
1463 | | #ifdef HAVE_BLAKE2B |
1464 | | if (wolfSSL_GetHmacType(ssl) == WC_HASH_TYPE_BLAKE2B) { |
1465 | | ret = Hmac_UpdateFinal(hmac, digest, in, |
1466 | | totalSz, myInner, innerSz); |
1467 | | } |
1468 | | else |
1469 | | #endif |
1470 | 0 | { |
1471 | 0 | ret = Hmac_UpdateFinal_CT(hmac, digest, in, |
1472 | 0 | totalSz, |
1473 | 0 | (int)hashSz, myInner, innerSz); |
1474 | |
|
1475 | 0 | } |
1476 | | #else |
1477 | | ret = Hmac_UpdateFinal(hmac, digest, in, totalSz, |
1478 | | myInner, innerSz); |
1479 | | #endif |
1480 | 0 | } |
1481 | 0 | else { |
1482 | 0 | ret = wc_HmacUpdate(hmac, myInner, innerSz); |
1483 | 0 | if (ret == 0) |
1484 | 0 | ret = wc_HmacUpdate(hmac, in, sz); /* content */ |
1485 | 0 | if (ret == 0) |
1486 | 0 | ret = wc_HmacFinal(hmac, digest); |
1487 | 0 | } |
1488 | 0 | } |
1489 | |
|
1490 | 0 | wc_HmacFree(hmac); |
1491 | 0 | WC_FREE_VAR_EX(hmac, ssl->heap, DYNAMIC_TYPE_HMAC); |
1492 | |
|
1493 | 0 | return ret; |
1494 | 0 | } |
1495 | | #endif /* WOLFSSL_AEAD_ONLY */ |
1496 | | |
1497 | | #endif /* !WOLFSSL_NO_TLS12 */ |
1498 | | |
1499 | | int wolfSSL_GetHmacType_ex(CipherSpecs* specs) |
1500 | 0 | { |
1501 | 0 | if (specs == NULL) |
1502 | 0 | return BAD_FUNC_ARG; |
1503 | | |
1504 | 0 | switch (specs->mac_algorithm) { |
1505 | | #ifndef NO_MD5 |
1506 | | case md5_mac: |
1507 | | { |
1508 | | return WC_MD5; |
1509 | | } |
1510 | | #endif |
1511 | 0 | #ifndef NO_SHA256 |
1512 | 0 | case sha256_mac: |
1513 | 0 | { |
1514 | 0 | return WC_SHA256; |
1515 | 0 | } |
1516 | 0 | #endif |
1517 | 0 | #ifdef WOLFSSL_SHA384 |
1518 | 0 | case sha384_mac: |
1519 | 0 | { |
1520 | 0 | return WC_SHA384; |
1521 | 0 | } |
1522 | 0 | #endif |
1523 | | #ifdef WOLFSSL_SM3 |
1524 | | case sm3_mac: |
1525 | | { |
1526 | | return WC_SM3; |
1527 | | } |
1528 | | #endif |
1529 | 0 | #ifndef NO_SHA |
1530 | 0 | case sha_mac: |
1531 | 0 | { |
1532 | 0 | return WC_SHA; |
1533 | 0 | } |
1534 | 0 | #endif |
1535 | | #ifdef HAVE_BLAKE2B |
1536 | | case blake2b_mac: |
1537 | | { |
1538 | | return BLAKE2B_ID; |
1539 | | } |
1540 | | #endif |
1541 | 0 | default: |
1542 | 0 | { |
1543 | 0 | return WOLFSSL_FATAL_ERROR; |
1544 | 0 | } |
1545 | 0 | } |
1546 | 0 | } |
1547 | | |
1548 | | #ifdef HAVE_TLS_EXTENSIONS |
1549 | | |
1550 | | /** |
1551 | | * The TLSX semaphore is used to calculate the size of the extensions to be sent |
1552 | | * from one peer to another. |
1553 | | */ |
1554 | | |
1555 | | /** Supports up to 72 flags. Increase as needed. */ |
1556 | | #define SEMAPHORE_SIZE 9 |
1557 | | |
1558 | | /** |
1559 | | * Converts the extension type (id) to an index in the semaphore. |
1560 | | * |
1561 | | * Official reference for TLS extension types: |
1562 | | * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml |
1563 | | * |
1564 | | * Motivation: |
1565 | | * Previously, we used the extension type itself as the index of that |
1566 | | * extension in the semaphore as the extension types were declared |
1567 | | * sequentially, but maintain a semaphore as big as the number of available |
1568 | | * extensions is no longer an option since the release of renegotiation_info. |
1569 | | * |
1570 | | * How to update: |
1571 | | * Assign extension types that extrapolate the number of available semaphores |
1572 | | * to the first available index going backwards in the semaphore array. |
1573 | | * When adding a new extension type that don't extrapolate the number of |
1574 | | * available semaphores, check for a possible collision with with a |
1575 | | * 'remapped' extension type. |
1576 | | * |
1577 | | * Update TLSX_Parse for duplicate detection if more added above 62. |
1578 | | */ |
1579 | | static WC_INLINE word16 TLSX_ToSemaphore(word16 type) |
1580 | 0 | { |
1581 | 0 | switch (type) { |
1582 | | |
1583 | 0 | case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */ |
1584 | 0 | return 63; |
1585 | | #ifdef WOLFSSL_QUIC |
1586 | | case TLSX_KEY_QUIC_TP_PARAMS_DRAFT: /* 0xffa5 */ |
1587 | | return 64; |
1588 | | #endif |
1589 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
1590 | | case TLSX_ECH: /* 0xfe0d */ |
1591 | | return 65; |
1592 | | #endif |
1593 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS) |
1594 | | case TLSX_CKS: |
1595 | | return 66; |
1596 | | #endif |
1597 | 0 | default: |
1598 | 0 | if (type > 62) { |
1599 | | /* This message SHOULD only happens during the adding of |
1600 | | new TLS extensions in which its IANA number overflows |
1601 | | the current semaphore's range, or if its number already |
1602 | | is assigned to be used by another extension. |
1603 | | Use this check value for the new extension and decrement |
1604 | | the check value by one. */ |
1605 | 0 | WOLFSSL_MSG("### TLSX semaphore collision or overflow detected!"); |
1606 | 0 | } |
1607 | 0 | } |
1608 | | |
1609 | 0 | return type; |
1610 | 0 | } |
1611 | | |
1612 | | /** Checks if a specific light (tls extension) is not set in the semaphore. */ |
1613 | | #define IS_OFF(semaphore, light) \ |
1614 | 0 | (!(((semaphore)[(light) / 8] & (byte) (0x01 << ((light) % 8))))) |
1615 | | |
1616 | | /** Turn on a specific light (tls extension) in the semaphore. */ |
1617 | | /* the semaphore marks the extensions already written to the message */ |
1618 | | #define TURN_ON(semaphore, light) \ |
1619 | 0 | ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8))) |
1620 | | |
1621 | | /** Turn off a specific light (tls extension) in the semaphore. */ |
1622 | | #define TURN_OFF(semaphore, light) \ |
1623 | 0 | ((semaphore)[(light) / 8] &= (byte) ~(0x01 << ((light) % 8))) |
1624 | | |
1625 | | /** Creates a new extension. */ |
1626 | | static TLSX* TLSX_New(TLSX_Type type, const void* data, void* heap) |
1627 | 0 | { |
1628 | 0 | TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), heap, DYNAMIC_TYPE_TLSX); |
1629 | |
|
1630 | 0 | (void)heap; |
1631 | |
|
1632 | 0 | if (extension) { |
1633 | 0 | extension->type = type; |
1634 | 0 | extension->data = (void*)data; |
1635 | 0 | extension->resp = 0; |
1636 | 0 | extension->next = NULL; |
1637 | 0 | } |
1638 | |
|
1639 | 0 | return extension; |
1640 | 0 | } |
1641 | | |
1642 | | /** |
1643 | | * Creates a new extension and appends it to the provided list. |
1644 | | * Checks for duplicate extensions, keeps the newest. |
1645 | | */ |
1646 | | int TLSX_Append(TLSX** list, TLSX_Type type, const void* data, void* heap) |
1647 | 0 | { |
1648 | 0 | TLSX* extension = TLSX_New(type, data, heap); |
1649 | 0 | TLSX* cur; |
1650 | 0 | TLSX** prevNext = list; |
1651 | |
|
1652 | 0 | if (extension == NULL) |
1653 | 0 | return MEMORY_E; |
1654 | | |
1655 | 0 | for (cur = *list; cur != NULL;) { |
1656 | 0 | if (cur->type == type) { |
1657 | 0 | *prevNext = cur->next; |
1658 | 0 | cur->next = NULL; |
1659 | 0 | TLSX_FreeAll(cur, heap); |
1660 | 0 | cur = *prevNext; |
1661 | 0 | } |
1662 | 0 | else { |
1663 | 0 | prevNext = &cur->next; |
1664 | 0 | cur = cur->next; |
1665 | 0 | } |
1666 | 0 | } |
1667 | | |
1668 | | /* Append the extension to the list */ |
1669 | 0 | *prevNext = extension; |
1670 | |
|
1671 | 0 | return 0; |
1672 | 0 | } |
1673 | | |
1674 | | /** |
1675 | | * Creates a new extension and pushes it to the provided list. |
1676 | | * Checks for duplicate extensions, keeps the newest. |
1677 | | */ |
1678 | | int TLSX_Push(TLSX** list, TLSX_Type type, const void* data, void* heap) |
1679 | 0 | { |
1680 | 0 | TLSX* extension = TLSX_New(type, data, heap); |
1681 | |
|
1682 | 0 | if (extension == NULL) |
1683 | 0 | return MEMORY_E; |
1684 | | |
1685 | | /* pushes the new extension on the list. */ |
1686 | 0 | extension->next = *list; |
1687 | 0 | *list = extension; |
1688 | | |
1689 | | /* remove duplicate extensions, there should be only one of each type. */ |
1690 | 0 | do { |
1691 | 0 | if (extension->next && extension->next->type == type) { |
1692 | 0 | TLSX *next = extension->next; |
1693 | |
|
1694 | 0 | extension->next = next->next; |
1695 | 0 | next->next = NULL; |
1696 | |
|
1697 | 0 | TLSX_FreeAll(next, heap); |
1698 | | |
1699 | | /* there is no way to occur more than |
1700 | | * two extensions of the same type. |
1701 | | */ |
1702 | 0 | break; |
1703 | 0 | } |
1704 | 0 | } while ((extension = extension->next)); |
1705 | |
|
1706 | 0 | return 0; |
1707 | 0 | } |
1708 | | |
1709 | | #ifndef NO_WOLFSSL_CLIENT |
1710 | | |
1711 | | int TLSX_CheckUnsupportedExtension(WOLFSSL* ssl, TLSX_Type type); |
1712 | | |
1713 | | int TLSX_CheckUnsupportedExtension(WOLFSSL* ssl, TLSX_Type type) |
1714 | 0 | { |
1715 | 0 | TLSX *extension = TLSX_Find(ssl->extensions, type); |
1716 | |
|
1717 | 0 | if (!extension) |
1718 | 0 | extension = TLSX_Find(ssl->ctx->extensions, type); |
1719 | |
|
1720 | 0 | return extension == NULL; |
1721 | 0 | } |
1722 | | |
1723 | | int TLSX_HandleUnsupportedExtension(WOLFSSL* ssl); |
1724 | | |
1725 | | int TLSX_HandleUnsupportedExtension(WOLFSSL* ssl) |
1726 | 0 | { |
1727 | 0 | SendAlert(ssl, alert_fatal, unsupported_extension); |
1728 | 0 | WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION); |
1729 | 0 | return UNSUPPORTED_EXTENSION; |
1730 | 0 | } |
1731 | | |
1732 | | #else |
1733 | | |
1734 | | #define TLSX_CheckUnsupportedExtension(ssl, type) 0 |
1735 | | #define TLSX_HandleUnsupportedExtension(ssl) 0 |
1736 | | |
1737 | | #endif |
1738 | | |
1739 | | #if !defined(NO_WOLFSSL_SERVER) || defined(WOLFSSL_TLS13) |
1740 | | static void TLSX_SetResponseInList(TLSX* list, TLSX_Type type); |
1741 | | /** Mark an extension to be sent back to the client. |
1742 | | * Operates on a list instead of the ssl. |
1743 | | * (Should only be used on ssl->extensions or ech->extensions) */ |
1744 | | static void TLSX_SetResponseInList(TLSX* list, TLSX_Type type) |
1745 | 0 | { |
1746 | 0 | TLSX *extension = TLSX_Find(list, type); |
1747 | |
|
1748 | 0 | if (extension) |
1749 | 0 | extension->resp = 1; |
1750 | 0 | } |
1751 | | |
1752 | | void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type); |
1753 | | /** Mark an extension to be sent back to the client. */ |
1754 | | void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type) |
1755 | 0 | { |
1756 | 0 | TLSX_SetResponseInList(ssl->extensions, type); |
1757 | 0 | } |
1758 | | #endif |
1759 | | |
1760 | | /******************************************************************************/ |
1761 | | /* Application-Layer Protocol Negotiation */ |
1762 | | /******************************************************************************/ |
1763 | | |
1764 | | #ifdef HAVE_ALPN |
1765 | | /** Creates a new ALPN object, providing protocol name to use. */ |
1766 | | static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz, |
1767 | | void* heap) |
1768 | | { |
1769 | | ALPN *alpn; |
1770 | | |
1771 | | WOLFSSL_ENTER("TLSX_ALPN_New"); |
1772 | | |
1773 | | if (protocol_name == NULL || |
1774 | | protocol_nameSz > WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) { |
1775 | | WOLFSSL_MSG("Invalid arguments"); |
1776 | | return NULL; |
1777 | | } |
1778 | | |
1779 | | alpn = (ALPN*)XMALLOC(sizeof(ALPN), heap, DYNAMIC_TYPE_TLSX); |
1780 | | if (alpn == NULL) { |
1781 | | WOLFSSL_MSG("Memory failure"); |
1782 | | return NULL; |
1783 | | } |
1784 | | |
1785 | | alpn->next = NULL; |
1786 | | alpn->negotiated = 0; |
1787 | | alpn->options = 0; |
1788 | | |
1789 | | alpn->protocol_name = (char*)XMALLOC(protocol_nameSz + 1, |
1790 | | heap, DYNAMIC_TYPE_TLSX); |
1791 | | if (alpn->protocol_name == NULL) { |
1792 | | WOLFSSL_MSG("Memory failure"); |
1793 | | XFREE(alpn, heap, DYNAMIC_TYPE_TLSX); |
1794 | | return NULL; |
1795 | | } |
1796 | | |
1797 | | XMEMCPY(alpn->protocol_name, protocol_name, protocol_nameSz); |
1798 | | alpn->protocol_name[protocol_nameSz] = 0; |
1799 | | |
1800 | | (void)heap; |
1801 | | |
1802 | | return alpn; |
1803 | | } |
1804 | | |
1805 | | /** Releases an ALPN object. */ |
1806 | | static void TLSX_ALPN_Free(ALPN *alpn, void* heap) |
1807 | | { |
1808 | | (void)heap; |
1809 | | |
1810 | | if (alpn == NULL) |
1811 | | return; |
1812 | | |
1813 | | XFREE(alpn->protocol_name, heap, DYNAMIC_TYPE_TLSX); |
1814 | | XFREE(alpn, heap, DYNAMIC_TYPE_TLSX); |
1815 | | } |
1816 | | |
1817 | | /** Releases all ALPN objects in the provided list. */ |
1818 | | static void TLSX_ALPN_FreeAll(ALPN *list, void* heap) |
1819 | | { |
1820 | | ALPN* alpn; |
1821 | | |
1822 | | while ((alpn = list)) { |
1823 | | list = alpn->next; |
1824 | | TLSX_ALPN_Free(alpn, heap); |
1825 | | } |
1826 | | } |
1827 | | |
1828 | | /** Tells the buffered size of the ALPN objects in a list. */ |
1829 | | static word16 TLSX_ALPN_GetSize(ALPN *list) |
1830 | | { |
1831 | | ALPN* alpn; |
1832 | | word32 length = OPAQUE16_LEN; /* list length */ |
1833 | | |
1834 | | while ((alpn = list)) { |
1835 | | list = alpn->next; |
1836 | | |
1837 | | length++; /* protocol name length is on one byte */ |
1838 | | length += (word32)XSTRLEN(alpn->protocol_name); |
1839 | | |
1840 | | if (length > WOLFSSL_MAX_16BIT) { |
1841 | | return 0; |
1842 | | } |
1843 | | } |
1844 | | |
1845 | | return (word16)length; |
1846 | | } |
1847 | | |
1848 | | /** Writes the ALPN objects of a list in a buffer. */ |
1849 | | static word16 TLSX_ALPN_Write(ALPN *list, byte *output) |
1850 | | { |
1851 | | ALPN* alpn; |
1852 | | word16 length = 0; |
1853 | | word16 offset = OPAQUE16_LEN; /* list length offset */ |
1854 | | |
1855 | | while ((alpn = list)) { |
1856 | | list = alpn->next; |
1857 | | |
1858 | | length = (word16)XSTRLEN(alpn->protocol_name); |
1859 | | |
1860 | | /* protocol name length */ |
1861 | | output[offset++] = (byte)length; |
1862 | | |
1863 | | /* protocol name value */ |
1864 | | XMEMCPY(output + offset, alpn->protocol_name, length); |
1865 | | |
1866 | | offset += length; |
1867 | | } |
1868 | | |
1869 | | /* writing list length */ |
1870 | | c16toa(offset - OPAQUE16_LEN, output); |
1871 | | |
1872 | | return offset; |
1873 | | } |
1874 | | |
1875 | | /** Finds a protocol name in the provided ALPN list */ |
1876 | | static ALPN* TLSX_ALPN_Find(ALPN *list, char *protocol_name, word16 size) |
1877 | | { |
1878 | | ALPN *alpn; |
1879 | | |
1880 | | if (list == NULL || protocol_name == NULL) |
1881 | | return NULL; |
1882 | | |
1883 | | alpn = list; |
1884 | | while (alpn != NULL && ( |
1885 | | (word16)XSTRLEN(alpn->protocol_name) != size || |
1886 | | XSTRNCMP(alpn->protocol_name, protocol_name, size))) |
1887 | | alpn = alpn->next; |
1888 | | |
1889 | | return alpn; |
1890 | | } |
1891 | | |
1892 | | /** Set the ALPN matching client and server requirements */ |
1893 | | static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size, |
1894 | | void* heap) |
1895 | | { |
1896 | | ALPN *alpn; |
1897 | | int ret; |
1898 | | |
1899 | | if (extensions == NULL || data == NULL) |
1900 | | return BAD_FUNC_ARG; |
1901 | | |
1902 | | alpn = TLSX_ALPN_New((char *)data, size, heap); |
1903 | | if (alpn == NULL) { |
1904 | | WOLFSSL_MSG("Memory failure"); |
1905 | | return MEMORY_E; |
1906 | | } |
1907 | | |
1908 | | alpn->negotiated = 1; |
1909 | | |
1910 | | ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, (void*)alpn, |
1911 | | heap); |
1912 | | if (ret != 0) { |
1913 | | TLSX_ALPN_Free(alpn, heap); |
1914 | | return ret; |
1915 | | } |
1916 | | |
1917 | | return WOLFSSL_SUCCESS; |
1918 | | } |
1919 | | |
1920 | | static int ALPN_find_match(WOLFSSL *ssl, TLSX **pextension, |
1921 | | const byte **psel, byte *psel_len, |
1922 | | const byte *alpn_val, word16 alpn_val_len) |
1923 | | { |
1924 | | TLSX *extension; |
1925 | | ALPN *alpn, *list; |
1926 | | const byte *sel = NULL, *s; |
1927 | | byte sel_len = 0, wlen; |
1928 | | |
1929 | | extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL); |
1930 | | if (extension == NULL) |
1931 | | extension = TLSX_Find(ssl->ctx->extensions, |
1932 | | TLSX_APPLICATION_LAYER_PROTOCOL); |
1933 | | |
1934 | | /* No ALPN configured here */ |
1935 | | if (extension == NULL || extension->data == NULL) { |
1936 | | *pextension = NULL; |
1937 | | *psel = NULL; |
1938 | | *psel_len = 0; |
1939 | | return 0; |
1940 | | } |
1941 | | |
1942 | | list = (ALPN*)extension->data; |
1943 | | for (s = alpn_val; |
1944 | | (s - alpn_val) < alpn_val_len; |
1945 | | s += wlen) { |
1946 | | wlen = *s++; /* bounds already checked on save */ |
1947 | | alpn = TLSX_ALPN_Find(list, (char*)s, wlen); |
1948 | | if (alpn != NULL) { |
1949 | | WOLFSSL_MSG("ALPN protocol match"); |
1950 | | sel = s, |
1951 | | sel_len = wlen; |
1952 | | break; |
1953 | | } |
1954 | | } |
1955 | | |
1956 | | if (sel == NULL) { |
1957 | | WOLFSSL_MSG("No ALPN protocol match"); |
1958 | | |
1959 | | /* do nothing if no protocol match between client and server and option |
1960 | | is set to continue (like OpenSSL) */ |
1961 | | if (list->options & WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) { |
1962 | | WOLFSSL_MSG("Continue on mismatch"); |
1963 | | } |
1964 | | else { |
1965 | | SendAlert(ssl, alert_fatal, no_application_protocol); |
1966 | | WOLFSSL_ERROR_VERBOSE(UNKNOWN_ALPN_PROTOCOL_NAME_E); |
1967 | | return UNKNOWN_ALPN_PROTOCOL_NAME_E; |
1968 | | } |
1969 | | } |
1970 | | |
1971 | | *pextension = extension; |
1972 | | *psel = sel; |
1973 | | *psel_len = sel_len; |
1974 | | return 0; |
1975 | | } |
1976 | | |
1977 | | int ALPN_Select(WOLFSSL *ssl) |
1978 | | { |
1979 | | TLSX *extension; |
1980 | | const byte *sel = NULL; |
1981 | | byte sel_len = 0; |
1982 | | int r = 0; |
1983 | | |
1984 | | WOLFSSL_ENTER("ALPN_Select"); |
1985 | | if (ssl->alpn_peer_requested == NULL) |
1986 | | return 0; |
1987 | | |
1988 | | #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) |
1989 | | if (ssl->alpnSelect != NULL && ssl->options.side == WOLFSSL_SERVER_END) { |
1990 | | r = ssl->alpnSelect(ssl, &sel, &sel_len, ssl->alpn_peer_requested, |
1991 | | ssl->alpn_peer_requested_length, ssl->alpnSelectArg); |
1992 | | switch (r) { |
1993 | | case SSL_TLSEXT_ERR_OK: |
1994 | | WOLFSSL_MSG("ALPN protocol match"); |
1995 | | break; |
1996 | | case SSL_TLSEXT_ERR_NOACK: |
1997 | | WOLFSSL_MSG("ALPN cb no match but not fatal"); |
1998 | | sel = NULL; |
1999 | | sel_len = 0; |
2000 | | break; |
2001 | | case SSL_TLSEXT_ERR_ALERT_FATAL: |
2002 | | default: |
2003 | | WOLFSSL_MSG("ALPN cb no match and fatal"); |
2004 | | SendAlert(ssl, alert_fatal, no_application_protocol); |
2005 | | WOLFSSL_ERROR_VERBOSE(UNKNOWN_ALPN_PROTOCOL_NAME_E); |
2006 | | return UNKNOWN_ALPN_PROTOCOL_NAME_E; |
2007 | | } |
2008 | | } |
2009 | | else |
2010 | | #endif |
2011 | | { |
2012 | | r = ALPN_find_match(ssl, &extension, &sel, &sel_len, |
2013 | | ssl->alpn_peer_requested, |
2014 | | ssl->alpn_peer_requested_length); |
2015 | | if (r != 0) |
2016 | | return r; |
2017 | | } |
2018 | | |
2019 | | if (sel != NULL) { |
2020 | | /* set the matching negotiated protocol */ |
2021 | | r = TLSX_SetALPN(&ssl->extensions, sel, sel_len, ssl->heap); |
2022 | | if (r != WOLFSSL_SUCCESS) { |
2023 | | WOLFSSL_MSG("TLSX_SetALPN failed"); |
2024 | | return BUFFER_ERROR; |
2025 | | } |
2026 | | /* reply to ALPN extension sent from peer */ |
2027 | | #ifndef NO_WOLFSSL_SERVER |
2028 | | TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL); |
2029 | | #endif |
2030 | | } |
2031 | | return 0; |
2032 | | } |
2033 | | |
2034 | | /** Parses a buffer of ALPN extensions and set the first one matching |
2035 | | * client and server requirements */ |
2036 | | static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, const byte *input, word16 length, |
2037 | | byte isRequest) |
2038 | | { |
2039 | | word16 size = 0, offset = 0, wlen; |
2040 | | int r = WC_NO_ERR_TRACE(BUFFER_ERROR); |
2041 | | const byte *s; |
2042 | | word16 entryCount = 0; |
2043 | | |
2044 | | if (OPAQUE16_LEN > length) |
2045 | | return BUFFER_ERROR; |
2046 | | |
2047 | | ato16(input, &size); |
2048 | | offset += OPAQUE16_LEN; |
2049 | | |
2050 | | /* validating alpn list length */ |
2051 | | if (size == 0 || length != OPAQUE16_LEN + size) |
2052 | | return BUFFER_ERROR; |
2053 | | |
2054 | | /* validating length of entries before accepting */ |
2055 | | for (s = input + offset; (s - input) < length; s += wlen) { |
2056 | | wlen = *s++; |
2057 | | if (wlen == 0 || (s + wlen - input) > length) |
2058 | | return BUFFER_ERROR; |
2059 | | entryCount++; |
2060 | | } |
2061 | | |
2062 | | /* RFC 7301 Section 3.1: the server's ProtocolNameList in its ALPN |
2063 | | * response MUST contain exactly one ProtocolName. */ |
2064 | | if (!isRequest && entryCount != 1) { |
2065 | | SendAlert(ssl, alert_fatal, decode_error); |
2066 | | WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR); |
2067 | | return BUFFER_ERROR; |
2068 | | } |
2069 | | |
2070 | | if (isRequest) { |
2071 | | /* keep the list sent by peer, if this is from a request. We |
2072 | | * use it later in ALPN_Select() for evaluation. */ |
2073 | | if (ssl->alpn_peer_requested != NULL) { |
2074 | | XFREE(ssl->alpn_peer_requested, ssl->heap, DYNAMIC_TYPE_ALPN); |
2075 | | ssl->alpn_peer_requested_length = 0; |
2076 | | } |
2077 | | ssl->alpn_peer_requested = (byte *)XMALLOC(size, ssl->heap, |
2078 | | DYNAMIC_TYPE_ALPN); |
2079 | | if (ssl->alpn_peer_requested == NULL) { |
2080 | | return MEMORY_ERROR; |
2081 | | } |
2082 | | ssl->alpn_peer_requested_length = size; |
2083 | | XMEMCPY(ssl->alpn_peer_requested, (char*)input + offset, size); |
2084 | | } |
2085 | | else { |
2086 | | /* a response, we should find the value in our config */ |
2087 | | const byte *sel = NULL; |
2088 | | byte sel_len = 0; |
2089 | | TLSX *extension = NULL; |
2090 | | |
2091 | | /* RFC 7301 Section 3.1: a ServerHello ALPN extension MUST contain |
2092 | | * exactly one protocol name. The first name's length byte plus its |
2093 | | * payload must therefore span the whole list. */ |
2094 | | if ((word16)(input[offset] + OPAQUE8_LEN) != size) { |
2095 | | SendAlert(ssl, alert_fatal, illegal_parameter); |
2096 | | WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR); |
2097 | | return BUFFER_ERROR; |
2098 | | } |
2099 | | |
2100 | | r = ALPN_find_match(ssl, &extension, &sel, &sel_len, input + offset, size); |
2101 | | if (r != 0) |
2102 | | return r; |
2103 | | |
2104 | | if (sel != NULL) { |
2105 | | /* set the matching negotiated protocol */ |
2106 | | r = TLSX_SetALPN(&ssl->extensions, sel, sel_len, ssl->heap); |
2107 | | if (r != WOLFSSL_SUCCESS) { |
2108 | | WOLFSSL_MSG("TLSX_SetALPN failed"); |
2109 | | return BUFFER_ERROR; |
2110 | | } |
2111 | | } |
2112 | | /* If we had nothing configured, the response is unexpected */ |
2113 | | else if (extension == NULL) { |
2114 | | r = TLSX_HandleUnsupportedExtension(ssl); |
2115 | | if (r != 0) |
2116 | | return r; |
2117 | | } |
2118 | | } |
2119 | | return 0; |
2120 | | } |
2121 | | |
2122 | | /** Add a protocol name to the list of accepted usable ones */ |
2123 | | int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options, |
2124 | | void* heap) |
2125 | | { |
2126 | | ALPN *alpn; |
2127 | | TLSX *extension; |
2128 | | int ret; |
2129 | | |
2130 | | if (extensions == NULL || data == NULL) |
2131 | | return BAD_FUNC_ARG; |
2132 | | |
2133 | | alpn = TLSX_ALPN_New((char *)data, size, heap); |
2134 | | if (alpn == NULL) { |
2135 | | WOLFSSL_MSG("Memory failure"); |
2136 | | return MEMORY_E; |
2137 | | } |
2138 | | |
2139 | | /* Set Options of ALPN */ |
2140 | | alpn->options = options; |
2141 | | |
2142 | | extension = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL); |
2143 | | if (extension == NULL) { |
2144 | | ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, |
2145 | | (void*)alpn, heap); |
2146 | | if (ret != 0) { |
2147 | | TLSX_ALPN_Free(alpn, heap); |
2148 | | return ret; |
2149 | | } |
2150 | | } |
2151 | | else { |
2152 | | /* push new ALPN object to extension data. */ |
2153 | | alpn->next = (ALPN*)extension->data; |
2154 | | extension->data = (void*)alpn; |
2155 | | } |
2156 | | |
2157 | | return WOLFSSL_SUCCESS; |
2158 | | } |
2159 | | |
2160 | | /** Get the protocol name set by the server */ |
2161 | | int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz) |
2162 | | { |
2163 | | TLSX *extension; |
2164 | | ALPN *alpn; |
2165 | | |
2166 | | if (extensions == NULL || data == NULL || dataSz == NULL) |
2167 | | return BAD_FUNC_ARG; |
2168 | | |
2169 | | *data = NULL; |
2170 | | *dataSz = 0; |
2171 | | |
2172 | | extension = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL); |
2173 | | if (extension == NULL) { |
2174 | | WOLFSSL_MSG("TLS extension not found"); |
2175 | | WOLFSSL_ERROR_VERBOSE(WOLFSSL_ALPN_NOT_FOUND); |
2176 | | return WOLFSSL_ALPN_NOT_FOUND; |
2177 | | } |
2178 | | |
2179 | | alpn = (ALPN *)extension->data; |
2180 | | if (alpn == NULL) { |
2181 | | WOLFSSL_MSG("ALPN extension not found"); |
2182 | | WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR); |
2183 | | return WOLFSSL_FATAL_ERROR; |
2184 | | } |
2185 | | |
2186 | | if (alpn->negotiated != 1) { |
2187 | | |
2188 | | /* consider as an error */ |
2189 | | if (alpn->options & WOLFSSL_ALPN_FAILED_ON_MISMATCH) { |
2190 | | WOLFSSL_MSG("No protocol match with peer -> Failed"); |
2191 | | WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR); |
2192 | | return WOLFSSL_FATAL_ERROR; |
2193 | | } |
2194 | | |
2195 | | /* continue without negotiated protocol */ |
2196 | | WOLFSSL_MSG("No protocol match with peer -> Continue"); |
2197 | | WOLFSSL_ERROR_VERBOSE(WOLFSSL_ALPN_NOT_FOUND); |
2198 | | return WOLFSSL_ALPN_NOT_FOUND; |
2199 | | } |
2200 | | |
2201 | | if (alpn->next != NULL) { |
2202 | | WOLFSSL_MSG("Only one protocol name must be accepted"); |
2203 | | WOLFSSL_ERROR_VERBOSE(WOLFSSL_FATAL_ERROR); |
2204 | | return WOLFSSL_FATAL_ERROR; |
2205 | | } |
2206 | | |
2207 | | *data = alpn->protocol_name; |
2208 | | *dataSz = (word16)XSTRLEN((char*)*data); |
2209 | | |
2210 | | return WOLFSSL_SUCCESS; |
2211 | | } |
2212 | | |
2213 | | #define ALPN_FREE_ALL TLSX_ALPN_FreeAll |
2214 | | #define ALPN_GET_SIZE TLSX_ALPN_GetSize |
2215 | | #define ALPN_WRITE TLSX_ALPN_Write |
2216 | | #define ALPN_PARSE TLSX_ALPN_ParseAndSet |
2217 | | |
2218 | | #else /* HAVE_ALPN */ |
2219 | | |
2220 | 0 | #define ALPN_FREE_ALL(list, heap) WC_DO_NOTHING |
2221 | 0 | #define ALPN_GET_SIZE(list) 0 |
2222 | 0 | #define ALPN_WRITE(a, b) 0 |
2223 | 0 | #define ALPN_PARSE(a, b, c, d) 0 |
2224 | | |
2225 | | #endif /* HAVE_ALPN */ |
2226 | | |
2227 | | /******************************************************************************/ |
2228 | | /* Server Name Indication */ |
2229 | | /******************************************************************************/ |
2230 | | |
2231 | | #ifdef HAVE_SNI |
2232 | | |
2233 | | /** Creates a new SNI object. */ |
2234 | | static SNI* TLSX_SNI_New(byte type, const void* data, word16 size, void* heap) |
2235 | 0 | { |
2236 | 0 | SNI* sni = (SNI*)XMALLOC(sizeof(SNI), heap, DYNAMIC_TYPE_TLSX); |
2237 | |
|
2238 | 0 | (void)heap; |
2239 | |
|
2240 | 0 | if (sni) { |
2241 | 0 | sni->type = type; |
2242 | 0 | sni->next = NULL; |
2243 | |
|
2244 | 0 | #ifndef NO_WOLFSSL_SERVER |
2245 | 0 | sni->options = 0; |
2246 | 0 | sni->status = WOLFSSL_SNI_NO_MATCH; |
2247 | 0 | #endif |
2248 | |
|
2249 | 0 | switch (sni->type) { |
2250 | 0 | case WOLFSSL_SNI_HOST_NAME: |
2251 | 0 | sni->data.host_name = (char*)XMALLOC(size + 1, heap, |
2252 | 0 | DYNAMIC_TYPE_TLSX); |
2253 | 0 | if (sni->data.host_name) { |
2254 | 0 | XSTRNCPY(sni->data.host_name, (const char*)data, size); |
2255 | 0 | sni->data.host_name[size] = '\0'; |
2256 | 0 | } else { |
2257 | 0 | XFREE(sni, heap, DYNAMIC_TYPE_TLSX); |
2258 | 0 | sni = NULL; |
2259 | 0 | } |
2260 | 0 | break; |
2261 | | |
2262 | 0 | default: /* invalid type */ |
2263 | 0 | XFREE(sni, heap, DYNAMIC_TYPE_TLSX); |
2264 | 0 | sni = NULL; |
2265 | 0 | } |
2266 | 0 | } |
2267 | | |
2268 | 0 | return sni; |
2269 | 0 | } |
2270 | | |
2271 | | /** Releases a SNI object. */ |
2272 | | static void TLSX_SNI_Free(SNI* sni, void* heap) |
2273 | 0 | { |
2274 | 0 | if (sni) { |
2275 | 0 | switch (sni->type) { |
2276 | 0 | case WOLFSSL_SNI_HOST_NAME: |
2277 | 0 | XFREE(sni->data.host_name, heap, DYNAMIC_TYPE_TLSX); |
2278 | 0 | break; |
2279 | 0 | } |
2280 | | |
2281 | 0 | XFREE(sni, heap, DYNAMIC_TYPE_TLSX); |
2282 | 0 | } |
2283 | 0 | (void)heap; |
2284 | 0 | } |
2285 | | |
2286 | | /** Releases all SNI objects in the provided list. */ |
2287 | | static void TLSX_SNI_FreeAll(SNI* list, void* heap) |
2288 | 0 | { |
2289 | 0 | SNI* sni; |
2290 | |
|
2291 | 0 | while ((sni = list)) { |
2292 | 0 | list = sni->next; |
2293 | 0 | TLSX_SNI_Free(sni, heap); |
2294 | 0 | } |
2295 | 0 | } |
2296 | | |
2297 | | /** Tells the buffered size of the SNI objects in a list. */ |
2298 | | WOLFSSL_TEST_VIS word16 TLSX_SNI_GetSize(SNI* list) |
2299 | 0 | { |
2300 | 0 | SNI* sni; |
2301 | 0 | word32 length = OPAQUE16_LEN; /* list length */ |
2302 | |
|
2303 | 0 | while ((sni = list)) { |
2304 | 0 | list = sni->next; |
2305 | |
|
2306 | 0 | length += ENUM_LEN + OPAQUE16_LEN; /* sni type + sni length */ |
2307 | |
|
2308 | 0 | switch (sni->type) { |
2309 | 0 | case WOLFSSL_SNI_HOST_NAME: |
2310 | 0 | length += (word32)XSTRLEN((char*)sni->data.host_name); |
2311 | 0 | break; |
2312 | 0 | } |
2313 | | |
2314 | 0 | if (length > WOLFSSL_MAX_16BIT) { |
2315 | 0 | return 0; |
2316 | 0 | } |
2317 | 0 | } |
2318 | | |
2319 | 0 | return (word16)length; |
2320 | 0 | } |
2321 | | |
2322 | | /** Writes the SNI objects of a list in a buffer. */ |
2323 | | static word16 TLSX_SNI_Write(SNI* list, byte* output) |
2324 | 0 | { |
2325 | 0 | SNI* sni; |
2326 | 0 | word16 length = 0; |
2327 | 0 | word16 offset = OPAQUE16_LEN; /* list length offset */ |
2328 | |
|
2329 | 0 | while ((sni = list)) { |
2330 | 0 | list = sni->next; |
2331 | |
|
2332 | 0 | output[offset++] = sni->type; /* sni type */ |
2333 | |
|
2334 | 0 | switch (sni->type) { |
2335 | 0 | case WOLFSSL_SNI_HOST_NAME: |
2336 | 0 | length = (word16)XSTRLEN((char*)sni->data.host_name); |
2337 | |
|
2338 | 0 | c16toa(length, output + offset); /* sni length */ |
2339 | 0 | offset += OPAQUE16_LEN; |
2340 | |
|
2341 | 0 | XMEMCPY(output + offset, sni->data.host_name, length); |
2342 | |
|
2343 | 0 | offset += length; |
2344 | 0 | break; |
2345 | 0 | } |
2346 | 0 | } |
2347 | | |
2348 | 0 | c16toa(offset - OPAQUE16_LEN, output); /* writing list length */ |
2349 | |
|
2350 | 0 | return offset; |
2351 | 0 | } |
2352 | | |
2353 | | /** Finds a SNI object in the provided list. */ |
2354 | | static SNI* TLSX_SNI_Find(SNI *list, byte type) |
2355 | 0 | { |
2356 | 0 | SNI* sni = list; |
2357 | |
|
2358 | 0 | while (sni && sni->type != type) |
2359 | 0 | sni = sni->next; |
2360 | |
|
2361 | 0 | return sni; |
2362 | 0 | } |
2363 | | |
2364 | | #if (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)) |
2365 | | /** Sets the status of a SNI object. */ |
2366 | | static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status) |
2367 | 0 | { |
2368 | 0 | TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); |
2369 | 0 | SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type); |
2370 | |
|
2371 | 0 | if (sni) |
2372 | 0 | sni->status = status; |
2373 | 0 | } |
2374 | | #endif |
2375 | | |
2376 | | /** Gets the status of a SNI object. */ |
2377 | | byte TLSX_SNI_Status(TLSX* extensions, byte type) |
2378 | 0 | { |
2379 | 0 | TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); |
2380 | 0 | SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type); |
2381 | |
|
2382 | 0 | if (sni) |
2383 | 0 | return sni->status; |
2384 | | |
2385 | 0 | return 0; |
2386 | 0 | } |
2387 | | |
2388 | | /** Parses a buffer of SNI extensions. */ |
2389 | | static int TLSX_SNI_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
2390 | | byte isRequest) |
2391 | 0 | { |
2392 | 0 | #ifndef NO_WOLFSSL_SERVER |
2393 | 0 | word16 size = 0; |
2394 | 0 | word16 offset = 0; |
2395 | 0 | int cacheOnly = 0; |
2396 | 0 | int checkPublic = 0; |
2397 | 0 | SNI* sni = NULL; |
2398 | 0 | byte type; |
2399 | 0 | byte matched = 0; |
2400 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
2401 | | TLSX* echX = NULL; |
2402 | | WOLFSSL_ECH* ech = NULL; |
2403 | | WOLFSSL_EchConfig* workingConfig = NULL; |
2404 | | #endif |
2405 | 0 | #endif /* !NO_WOLFSSL_SERVER */ |
2406 | 0 | TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); |
2407 | |
|
2408 | 0 | if (!extension) |
2409 | 0 | extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); |
2410 | |
|
2411 | 0 | if (!isRequest) { |
2412 | 0 | #ifndef NO_WOLFSSL_CLIENT |
2413 | 0 | if (!extension || !extension->data) |
2414 | 0 | return TLSX_HandleUnsupportedExtension(ssl); |
2415 | | |
2416 | 0 | if (length > 0) |
2417 | 0 | return BUFFER_ERROR; /* SNI response MUST be empty. */ |
2418 | | |
2419 | | /* This call enables wolfSSL_SNI_GetRequest() to be called in the |
2420 | | * client side to fetch the used SNI. It will only work if the SNI |
2421 | | * was set at the SSL object level. Right now we only support one |
2422 | | * name type, WOLFSSL_SNI_HOST_NAME, but in the future, the |
2423 | | * inclusion of other name types will turn this method inaccurate, |
2424 | | * as the extension response doesn't contains information of which |
2425 | | * name was accepted. |
2426 | | */ |
2427 | 0 | TLSX_SNI_SetStatus(ssl->extensions, WOLFSSL_SNI_HOST_NAME, |
2428 | 0 | WOLFSSL_SNI_REAL_MATCH); |
2429 | |
|
2430 | 0 | return 0; |
2431 | 0 | #endif |
2432 | 0 | } |
2433 | | |
2434 | 0 | #ifndef NO_WOLFSSL_SERVER |
2435 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
2436 | | if (!ssl->options.disableECH && !ssl->options.echProcessingInner) { |
2437 | | echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
2438 | | if (echX != NULL) { |
2439 | | ech = (WOLFSSL_ECH*)(echX->data); |
2440 | | } |
2441 | | } |
2442 | | #endif |
2443 | | |
2444 | 0 | if (!extension || !extension->data) { |
2445 | | /* This will keep SNI even though TLSX_UseSNI has not been called. |
2446 | | * Enable it so that the received sni is available to functions |
2447 | | * that use a custom callback when SNI is received. |
2448 | | */ |
2449 | | #ifdef WOLFSSL_ALWAYS_KEEP_SNI |
2450 | | cacheOnly = 1; |
2451 | | #endif |
2452 | 0 | if (ssl->ctx->sniRecvCb) { |
2453 | 0 | cacheOnly = 1; |
2454 | 0 | } |
2455 | |
|
2456 | 0 | if (cacheOnly) { |
2457 | 0 | WOLFSSL_MSG("Forcing SSL object to store SNI parameter"); |
2458 | 0 | } |
2459 | 0 | else { |
2460 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
2461 | | if (ech == NULL) |
2462 | | #endif |
2463 | 0 | { |
2464 | | /* Skipping, SNI not enabled at server side. */ |
2465 | 0 | return 0; |
2466 | 0 | } |
2467 | |
|
2468 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
2469 | | /* No server SNI configured but ECH is active: |
2470 | | * the outer SNI still needs to be matched against the echConfig |
2471 | | * publicName and recorded on ech->extensions. */ |
2472 | | checkPublic = 1; |
2473 | | #endif |
2474 | 0 | } |
2475 | 0 | } |
2476 | | |
2477 | 0 | if (OPAQUE16_LEN > length) |
2478 | 0 | return BUFFER_ERROR; |
2479 | | |
2480 | 0 | ato16(input, &size); |
2481 | 0 | offset += OPAQUE16_LEN; |
2482 | | |
2483 | | /* validating sni list length */ |
2484 | 0 | if (length != OPAQUE16_LEN + size || size == 0) |
2485 | 0 | return BUFFER_ERROR; |
2486 | | |
2487 | | /* SNI was badly specified and only one type is now recognized and allowed. |
2488 | | * Only one SNI value per type (RFC6066), so, no loop. */ |
2489 | 0 | type = input[offset++]; |
2490 | 0 | if (type != WOLFSSL_SNI_HOST_NAME) |
2491 | 0 | return BUFFER_ERROR; |
2492 | | |
2493 | 0 | if (offset + OPAQUE16_LEN > length) |
2494 | 0 | return BUFFER_ERROR; |
2495 | 0 | ato16(input + offset, &size); |
2496 | 0 | offset += OPAQUE16_LEN; |
2497 | |
|
2498 | 0 | if (offset + size != length || size == 0) |
2499 | 0 | return BUFFER_ERROR; |
2500 | | |
2501 | 0 | if (!cacheOnly && !checkPublic && |
2502 | 0 | !(sni = TLSX_SNI_Find((SNI*)extension->data, type))) |
2503 | 0 | return 0; /* not using this type of SNI. */ |
2504 | | |
2505 | 0 | #if defined(WOLFSSL_TLS13) |
2506 | | /* Don't process the second ClientHello SNI extension if there |
2507 | | * was problems with the first. |
2508 | | */ |
2509 | 0 | if (!cacheOnly && sni != NULL && sni->status != WOLFSSL_SNI_NO_MATCH) |
2510 | 0 | return 0; |
2511 | 0 | #endif |
2512 | | |
2513 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
2514 | | /* While parsing the outer CH accept a match against any |
2515 | | * echConfig publicName */ |
2516 | | if (ech != NULL) { |
2517 | | workingConfig = ech->echConfig; |
2518 | | while (workingConfig != NULL) { |
2519 | | if (XSTRLEN(workingConfig->publicName) == size && |
2520 | | XSTRNCMP(workingConfig->publicName, |
2521 | | (const char*)input + offset, size) == 0) { |
2522 | | matched = 1; |
2523 | | break; |
2524 | | } |
2525 | | workingConfig = workingConfig->next; |
2526 | | } |
2527 | | |
2528 | | /* If a publicName is matched then this SNI is not something that should |
2529 | | * be forcibly cached. This allows an SNI response to be given for the |
2530 | | * public name */ |
2531 | | if (matched) |
2532 | | cacheOnly = 0; |
2533 | | } |
2534 | | if (!matched) |
2535 | | #endif |
2536 | 0 | { |
2537 | 0 | const char* hostName; |
2538 | 0 | hostName = (sni != NULL) ? sni->data.host_name : NULL; |
2539 | 0 | matched = cacheOnly || (hostName != NULL && |
2540 | 0 | XSTRLEN(hostName) == size && |
2541 | 0 | XSTRNCMP(hostName, (const char*)input + offset, size) == 0); |
2542 | 0 | } |
2543 | | |
2544 | | /* No server SNI configured and the outer name did not match a publicName: |
2545 | | * stay permissive and record nothing. If ECH is accepted, the absent |
2546 | | * publicName match is caught after the outer parse. */ |
2547 | 0 | if (!matched && checkPublic) |
2548 | 0 | return 0; |
2549 | | |
2550 | 0 | if (matched || |
2551 | 0 | (sni != NULL && (sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH))) { |
2552 | 0 | int matchStat; |
2553 | 0 | int r; |
2554 | 0 | TLSX** writeList = &ssl->extensions; |
2555 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
2556 | | /* install onto ech->extensions if the public name was matched */ |
2557 | | if (workingConfig != NULL) |
2558 | | writeList = &ech->extensions; |
2559 | | #endif |
2560 | |
|
2561 | 0 | r = TLSX_UseSNI(writeList, type, input + offset, size, ssl->heap); |
2562 | |
|
2563 | 0 | if (r != WOLFSSL_SUCCESS) |
2564 | 0 | return r; /* throws error. */ |
2565 | | |
2566 | 0 | if (cacheOnly) { |
2567 | 0 | WOLFSSL_MSG("Forcing storage of SNI, Fake match"); |
2568 | 0 | matchStat = WOLFSSL_SNI_FORCE_KEEP; |
2569 | 0 | } |
2570 | 0 | else if (matched) { |
2571 | 0 | WOLFSSL_MSG("SNI did match!"); |
2572 | 0 | matchStat = WOLFSSL_SNI_REAL_MATCH; |
2573 | 0 | } |
2574 | 0 | else { |
2575 | 0 | WOLFSSL_MSG("fake SNI match from ANSWER_ON_MISMATCH"); |
2576 | 0 | matchStat = WOLFSSL_SNI_FAKE_MATCH; |
2577 | 0 | } |
2578 | |
|
2579 | 0 | TLSX_SNI_SetStatus(*writeList, type, (byte)matchStat); |
2580 | |
|
2581 | 0 | if (!cacheOnly) |
2582 | 0 | TLSX_SetResponseInList(*writeList, TLSX_SERVER_NAME); |
2583 | 0 | } |
2584 | 0 | else if ((sni == NULL) || |
2585 | 0 | !(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) { |
2586 | 0 | SendAlert(ssl, alert_fatal, unrecognized_name); |
2587 | 0 | WOLFSSL_ERROR_VERBOSE(UNKNOWN_SNI_HOST_NAME_E); |
2588 | 0 | return UNKNOWN_SNI_HOST_NAME_E; |
2589 | 0 | } |
2590 | | #else |
2591 | | (void)input; |
2592 | | #endif /* !NO_WOLFSSL_SERVER */ |
2593 | | |
2594 | | #if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) |
2595 | | (void)length; |
2596 | | #endif |
2597 | | |
2598 | 0 | return 0; |
2599 | 0 | } |
2600 | | |
2601 | | static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest) |
2602 | 0 | { |
2603 | 0 | (void)ssl; |
2604 | |
|
2605 | 0 | if (isRequest) { |
2606 | 0 | #ifndef NO_WOLFSSL_SERVER |
2607 | 0 | TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); |
2608 | 0 | TLSX* ssl_ext = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); |
2609 | 0 | SNI* ctx_sni = ctx_ext ? (SNI*)ctx_ext->data : NULL; |
2610 | 0 | SNI* ssl_sni = ssl_ext ? (SNI*)ssl_ext->data : NULL; |
2611 | 0 | SNI* sni = NULL; |
2612 | |
|
2613 | 0 | for (; ctx_sni; ctx_sni = ctx_sni->next) { |
2614 | 0 | if (ctx_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) { |
2615 | 0 | sni = TLSX_SNI_Find(ssl_sni, ctx_sni->type); |
2616 | |
|
2617 | 0 | if (sni) { |
2618 | 0 | if (sni->status != WOLFSSL_SNI_NO_MATCH) |
2619 | 0 | continue; |
2620 | | |
2621 | | /* if ssl level overrides ctx level, it is ok. */ |
2622 | 0 | if ((sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) == 0) |
2623 | 0 | continue; |
2624 | 0 | } |
2625 | | |
2626 | 0 | SendAlert(ssl, alert_fatal, |
2627 | 0 | IsAtLeastTLSv1_3(ssl->version) |
2628 | 0 | ? missing_extension |
2629 | 0 | : handshake_failure); |
2630 | 0 | WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR); |
2631 | 0 | return SNI_ABSENT_ERROR; |
2632 | 0 | } |
2633 | 0 | } |
2634 | | |
2635 | 0 | for (; ssl_sni; ssl_sni = ssl_sni->next) { |
2636 | 0 | if (ssl_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) { |
2637 | 0 | if (ssl_sni->status != WOLFSSL_SNI_NO_MATCH) |
2638 | 0 | continue; |
2639 | | |
2640 | 0 | SendAlert(ssl, alert_fatal, |
2641 | 0 | IsAtLeastTLSv1_3(ssl->version) |
2642 | 0 | ? missing_extension |
2643 | 0 | : handshake_failure); |
2644 | 0 | WOLFSSL_ERROR_VERBOSE(SNI_ABSENT_ERROR); |
2645 | 0 | return SNI_ABSENT_ERROR; |
2646 | 0 | } |
2647 | 0 | } |
2648 | 0 | #endif /* NO_WOLFSSL_SERVER */ |
2649 | 0 | } |
2650 | | |
2651 | 0 | return 0; |
2652 | 0 | } |
2653 | | |
2654 | | int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size, |
2655 | | void* heap) |
2656 | 0 | { |
2657 | 0 | TLSX* extension; |
2658 | 0 | SNI* sni = NULL; |
2659 | |
|
2660 | 0 | if (extensions == NULL || data == NULL) |
2661 | 0 | return BAD_FUNC_ARG; |
2662 | | |
2663 | 0 | if ((type == WOLFSSL_SNI_HOST_NAME) && (size >= WOLFSSL_HOST_NAME_MAX)) |
2664 | 0 | return BAD_LENGTH_E; |
2665 | | |
2666 | 0 | if ((sni = TLSX_SNI_New(type, data, size, heap)) == NULL) |
2667 | 0 | return MEMORY_E; |
2668 | | |
2669 | 0 | extension = TLSX_Find(*extensions, TLSX_SERVER_NAME); |
2670 | 0 | if (!extension) { |
2671 | 0 | int ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)sni, heap); |
2672 | |
|
2673 | 0 | if (ret != 0) { |
2674 | 0 | TLSX_SNI_Free(sni, heap); |
2675 | 0 | return ret; |
2676 | 0 | } |
2677 | 0 | } |
2678 | 0 | else { |
2679 | | /* push new SNI object to extension data. */ |
2680 | 0 | sni->next = (SNI*)extension->data; |
2681 | 0 | extension->data = (void*)sni; |
2682 | | |
2683 | | /* remove duplicate SNI, there should be only one of each type. */ |
2684 | 0 | do { |
2685 | 0 | if (sni->next && sni->next->type == type) { |
2686 | 0 | SNI* next = sni->next; |
2687 | |
|
2688 | 0 | sni->next = next->next; |
2689 | 0 | TLSX_SNI_Free(next, heap); |
2690 | | |
2691 | | /* there is no way to occur more than |
2692 | | * two SNIs of the same type. |
2693 | | */ |
2694 | 0 | break; |
2695 | 0 | } |
2696 | 0 | } while ((sni = sni->next)); |
2697 | 0 | } |
2698 | | |
2699 | 0 | return WOLFSSL_SUCCESS; |
2700 | 0 | } |
2701 | | |
2702 | | /* client-side needs this function when ECH is enabled */ |
2703 | | #if !defined(NO_WOLFSSL_SERVER) || defined(HAVE_ECH) |
2704 | | /** Tells the SNI requested by the client. */ |
2705 | | word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data, |
2706 | | byte ignoreStatus) |
2707 | 0 | { |
2708 | 0 | TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); |
2709 | 0 | SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type); |
2710 | |
|
2711 | 0 | if (sni && (ignoreStatus || sni->status != WOLFSSL_SNI_NO_MATCH)) { |
2712 | 0 | switch (sni->type) { |
2713 | 0 | case WOLFSSL_SNI_HOST_NAME: |
2714 | 0 | if (data) { |
2715 | 0 | *data = sni->data.host_name; |
2716 | 0 | return (word16)XSTRLEN((char*)*data); |
2717 | 0 | } |
2718 | 0 | } |
2719 | 0 | } |
2720 | | |
2721 | 0 | return 0; |
2722 | 0 | } |
2723 | | #endif |
2724 | | |
2725 | | #ifndef NO_WOLFSSL_SERVER |
2726 | | /** Sets the options for a SNI object. */ |
2727 | | void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options) |
2728 | 0 | { |
2729 | 0 | TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); |
2730 | 0 | SNI* sni = TLSX_SNI_Find(extension ? (SNI*)extension->data : NULL, type); |
2731 | |
|
2732 | 0 | if (sni) |
2733 | 0 | sni->options = options; |
2734 | 0 | } |
2735 | | |
2736 | | /** Retrieves a SNI request from a client hello buffer. */ |
2737 | | int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, |
2738 | | byte type, byte* sni, word32* inOutSz) |
2739 | 0 | { |
2740 | 0 | word32 offset = 0; |
2741 | 0 | word32 len32 = 0; |
2742 | 0 | word16 len16 = 0; |
2743 | |
|
2744 | 0 | if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST) |
2745 | 0 | return INCOMPLETE_DATA; |
2746 | | |
2747 | | /* TLS record header */ |
2748 | 0 | if ((enum ContentType) clientHello[offset++] != handshake) { |
2749 | | |
2750 | | /* checking for SSLv2.0 client hello according to: */ |
2751 | | /* http://tools.ietf.org/html/rfc4346#appendix-E.1 */ |
2752 | 0 | if ((enum HandShakeType) clientHello[++offset] == client_hello) { |
2753 | 0 | offset += ENUM_LEN + VERSION_SZ; /* skip version */ |
2754 | |
|
2755 | 0 | ato16(clientHello + offset, &len16); |
2756 | 0 | offset += OPAQUE16_LEN; |
2757 | |
|
2758 | 0 | if (len16 % 3) /* cipher_spec_length must be multiple of 3 */ |
2759 | 0 | return BUFFER_ERROR; |
2760 | | |
2761 | 0 | ato16(clientHello + offset, &len16); |
2762 | | /* Returning SNI_UNSUPPORTED do not increment offset here */ |
2763 | |
|
2764 | 0 | if (len16 != 0) /* session_id_length must be 0 */ |
2765 | 0 | return BUFFER_ERROR; |
2766 | | |
2767 | 0 | WOLFSSL_ERROR_VERBOSE(SNI_UNSUPPORTED); |
2768 | 0 | return SNI_UNSUPPORTED; |
2769 | 0 | } |
2770 | | |
2771 | 0 | return BUFFER_ERROR; |
2772 | 0 | } |
2773 | | |
2774 | 0 | if (clientHello[offset++] != SSLv3_MAJOR) |
2775 | 0 | return BUFFER_ERROR; |
2776 | | |
2777 | 0 | if (clientHello[offset++] < TLSv1_MINOR) { |
2778 | 0 | WOLFSSL_ERROR_VERBOSE(SNI_UNSUPPORTED); |
2779 | 0 | return SNI_UNSUPPORTED; |
2780 | 0 | } |
2781 | | |
2782 | 0 | ato16(clientHello + offset, &len16); |
2783 | 0 | offset += OPAQUE16_LEN; |
2784 | |
|
2785 | 0 | if (offset + len16 > helloSz) |
2786 | 0 | return INCOMPLETE_DATA; |
2787 | | |
2788 | | /* Handshake header */ |
2789 | 0 | if ((enum HandShakeType) clientHello[offset] != client_hello) |
2790 | 0 | return BUFFER_ERROR; |
2791 | | |
2792 | 0 | c24to32(clientHello + offset + 1, &len32); |
2793 | 0 | offset += HANDSHAKE_HEADER_SZ; |
2794 | |
|
2795 | 0 | if (offset + len32 > helloSz) |
2796 | 0 | return BUFFER_ERROR; |
2797 | | |
2798 | | /* client hello */ |
2799 | 0 | offset += VERSION_SZ + RAN_LEN; /* version, random */ |
2800 | |
|
2801 | 0 | if (helloSz < offset + clientHello[offset]) |
2802 | 0 | return BUFFER_ERROR; |
2803 | | |
2804 | 0 | offset += ENUM_LEN + clientHello[offset]; /* skip session id */ |
2805 | | |
2806 | | /* cypher suites */ |
2807 | 0 | if (helloSz < offset + OPAQUE16_LEN) |
2808 | 0 | return BUFFER_ERROR; |
2809 | | |
2810 | 0 | ato16(clientHello + offset, &len16); |
2811 | 0 | offset += OPAQUE16_LEN; |
2812 | |
|
2813 | 0 | if (helloSz < offset + len16) |
2814 | 0 | return BUFFER_ERROR; |
2815 | | |
2816 | 0 | offset += len16; /* skip cypher suites */ |
2817 | | |
2818 | | /* compression methods */ |
2819 | 0 | if (helloSz < offset + 1) |
2820 | 0 | return BUFFER_ERROR; |
2821 | | |
2822 | 0 | if (helloSz < offset + clientHello[offset]) |
2823 | 0 | return BUFFER_ERROR; |
2824 | | |
2825 | 0 | offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */ |
2826 | | |
2827 | | /* extensions */ |
2828 | 0 | if (helloSz < offset + OPAQUE16_LEN) |
2829 | 0 | return 0; /* no extensions in client hello. */ |
2830 | | |
2831 | 0 | ato16(clientHello + offset, &len16); |
2832 | 0 | offset += OPAQUE16_LEN; |
2833 | |
|
2834 | 0 | if (helloSz < offset + len16) |
2835 | 0 | return BUFFER_ERROR; |
2836 | | |
2837 | 0 | while (len16 >= OPAQUE16_LEN + OPAQUE16_LEN) { |
2838 | 0 | word16 extType; |
2839 | 0 | word16 extLen; |
2840 | |
|
2841 | 0 | ato16(clientHello + offset, &extType); |
2842 | 0 | offset += OPAQUE16_LEN; |
2843 | |
|
2844 | 0 | ato16(clientHello + offset, &extLen); |
2845 | 0 | offset += OPAQUE16_LEN; |
2846 | |
|
2847 | 0 | if (helloSz < offset + extLen) |
2848 | 0 | return BUFFER_ERROR; |
2849 | | |
2850 | 0 | if (extType != TLSX_SERVER_NAME) { |
2851 | 0 | offset += extLen; /* skip extension */ |
2852 | 0 | } else { |
2853 | 0 | word16 listLen; |
2854 | |
|
2855 | 0 | if (extLen < OPAQUE16_LEN) |
2856 | 0 | return BUFFER_ERROR; |
2857 | | |
2858 | 0 | ato16(clientHello + offset, &listLen); |
2859 | 0 | offset += OPAQUE16_LEN; |
2860 | |
|
2861 | 0 | if (listLen != extLen - OPAQUE16_LEN) |
2862 | 0 | return BUFFER_ERROR; |
2863 | | |
2864 | 0 | if (helloSz < offset + listLen) |
2865 | 0 | return BUFFER_ERROR; |
2866 | | |
2867 | 0 | while (listLen > ENUM_LEN + OPAQUE16_LEN) { |
2868 | 0 | byte sniType = clientHello[offset++]; |
2869 | 0 | word16 sniLen; |
2870 | |
|
2871 | 0 | ato16(clientHello + offset, &sniLen); |
2872 | 0 | offset += OPAQUE16_LEN; |
2873 | |
|
2874 | 0 | if (sniLen > listLen - (ENUM_LEN + OPAQUE16_LEN)) |
2875 | 0 | return BUFFER_ERROR; |
2876 | | |
2877 | 0 | if (helloSz < offset + sniLen) |
2878 | 0 | return BUFFER_ERROR; |
2879 | | |
2880 | 0 | if (sniType != type) { |
2881 | 0 | offset += sniLen; |
2882 | 0 | listLen -= min(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen); |
2883 | 0 | continue; |
2884 | 0 | } |
2885 | | |
2886 | 0 | *inOutSz = min(sniLen, *inOutSz); |
2887 | 0 | XMEMCPY(sni, clientHello + offset, *inOutSz); |
2888 | |
|
2889 | 0 | return WOLFSSL_SUCCESS; |
2890 | 0 | } |
2891 | 0 | } |
2892 | | |
2893 | 0 | len16 -= min(2 * OPAQUE16_LEN + extLen, len16); |
2894 | 0 | } |
2895 | | |
2896 | 0 | return len16 ? BUFFER_ERROR : 0; |
2897 | 0 | } |
2898 | | |
2899 | | #endif |
2900 | | |
2901 | 0 | #define SNI_FREE_ALL TLSX_SNI_FreeAll |
2902 | 0 | #define SNI_GET_SIZE TLSX_SNI_GetSize |
2903 | 0 | #define SNI_WRITE TLSX_SNI_Write |
2904 | 0 | #define SNI_PARSE TLSX_SNI_Parse |
2905 | 0 | #define SNI_VERIFY_PARSE TLSX_SNI_VerifyParse |
2906 | | |
2907 | | #else |
2908 | | |
2909 | | #define SNI_FREE_ALL(list, heap) WC_DO_NOTHING |
2910 | | #define SNI_GET_SIZE(list) 0 |
2911 | | #define SNI_WRITE(a, b) 0 |
2912 | | #define SNI_PARSE(a, b, c, d) 0 |
2913 | | #define SNI_VERIFY_PARSE(a, b) 0 |
2914 | | |
2915 | | #endif /* HAVE_SNI */ |
2916 | | |
2917 | | /******************************************************************************/ |
2918 | | /* Trusted CA Key Indication */ |
2919 | | /******************************************************************************/ |
2920 | | |
2921 | | #ifdef HAVE_TRUSTED_CA |
2922 | | |
2923 | | /** Creates a new TCA object. */ |
2924 | | static TCA* TLSX_TCA_New(byte type, const byte* id, word16 idSz, void* heap) |
2925 | | { |
2926 | | TCA* tca = (TCA*)XMALLOC(sizeof(TCA), heap, DYNAMIC_TYPE_TLSX); |
2927 | | |
2928 | | if (tca) { |
2929 | | XMEMSET(tca, 0, sizeof(TCA)); |
2930 | | tca->type = type; |
2931 | | |
2932 | | switch (type) { |
2933 | | case WOLFSSL_TRUSTED_CA_PRE_AGREED: |
2934 | | break; |
2935 | | |
2936 | | #ifndef NO_SHA |
2937 | | case WOLFSSL_TRUSTED_CA_KEY_SHA1: |
2938 | | case WOLFSSL_TRUSTED_CA_CERT_SHA1: |
2939 | | if (idSz == WC_SHA_DIGEST_SIZE && |
2940 | | (tca->id = |
2941 | | (byte*)XMALLOC(idSz, heap, DYNAMIC_TYPE_TLSX))) { |
2942 | | XMEMCPY(tca->id, id, idSz); |
2943 | | tca->idSz = idSz; |
2944 | | } |
2945 | | else { |
2946 | | XFREE(tca, heap, DYNAMIC_TYPE_TLSX); |
2947 | | tca = NULL; |
2948 | | } |
2949 | | break; |
2950 | | #endif |
2951 | | |
2952 | | case WOLFSSL_TRUSTED_CA_X509_NAME: |
2953 | | if (idSz > 0 && |
2954 | | (tca->id = |
2955 | | (byte*)XMALLOC(idSz, heap, DYNAMIC_TYPE_TLSX))) { |
2956 | | XMEMCPY(tca->id, id, idSz); |
2957 | | tca->idSz = idSz; |
2958 | | } |
2959 | | else { |
2960 | | XFREE(tca, heap, DYNAMIC_TYPE_TLSX); |
2961 | | tca = NULL; |
2962 | | } |
2963 | | break; |
2964 | | |
2965 | | default: /* invalid type */ |
2966 | | XFREE(tca, heap, DYNAMIC_TYPE_TLSX); |
2967 | | tca = NULL; |
2968 | | } |
2969 | | } |
2970 | | |
2971 | | (void)heap; |
2972 | | |
2973 | | return tca; |
2974 | | } |
2975 | | |
2976 | | /** Releases a TCA object. */ |
2977 | | static void TLSX_TCA_Free(TCA* tca, void* heap) |
2978 | | { |
2979 | | (void)heap; |
2980 | | |
2981 | | if (tca) { |
2982 | | XFREE(tca->id, heap, DYNAMIC_TYPE_TLSX); |
2983 | | XFREE(tca, heap, DYNAMIC_TYPE_TLSX); |
2984 | | } |
2985 | | } |
2986 | | |
2987 | | /** Releases all TCA objects in the provided list. */ |
2988 | | static void TLSX_TCA_FreeAll(TCA* list, void* heap) |
2989 | | { |
2990 | | TCA* tca; |
2991 | | |
2992 | | while ((tca = list)) { |
2993 | | list = tca->next; |
2994 | | TLSX_TCA_Free(tca, heap); |
2995 | | } |
2996 | | } |
2997 | | |
2998 | | /** Tells the buffered size of the TCA objects in a list. */ |
2999 | | static word16 TLSX_TCA_GetSize(TCA* list) |
3000 | | { |
3001 | | TCA* tca; |
3002 | | word32 length = OPAQUE16_LEN; /* list length */ |
3003 | | |
3004 | | while ((tca = list)) { |
3005 | | list = tca->next; |
3006 | | |
3007 | | length += ENUM_LEN; /* tca type */ |
3008 | | |
3009 | | switch (tca->type) { |
3010 | | case WOLFSSL_TRUSTED_CA_PRE_AGREED: |
3011 | | break; |
3012 | | case WOLFSSL_TRUSTED_CA_KEY_SHA1: |
3013 | | case WOLFSSL_TRUSTED_CA_CERT_SHA1: |
3014 | | length += tca->idSz; |
3015 | | break; |
3016 | | case WOLFSSL_TRUSTED_CA_X509_NAME: |
3017 | | length += OPAQUE16_LEN + tca->idSz; |
3018 | | break; |
3019 | | } |
3020 | | |
3021 | | if (length > WOLFSSL_MAX_16BIT) { |
3022 | | return 0; |
3023 | | } |
3024 | | } |
3025 | | |
3026 | | return (word16)length; |
3027 | | } |
3028 | | |
3029 | | /** Writes the TCA objects of a list in a buffer. */ |
3030 | | static word16 TLSX_TCA_Write(TCA* list, byte* output) |
3031 | | { |
3032 | | TCA* tca; |
3033 | | word16 offset = OPAQUE16_LEN; /* list length offset */ |
3034 | | |
3035 | | while ((tca = list)) { |
3036 | | list = tca->next; |
3037 | | |
3038 | | output[offset++] = tca->type; /* tca type */ |
3039 | | |
3040 | | switch (tca->type) { |
3041 | | case WOLFSSL_TRUSTED_CA_PRE_AGREED: |
3042 | | break; |
3043 | | #ifndef NO_SHA |
3044 | | case WOLFSSL_TRUSTED_CA_KEY_SHA1: |
3045 | | case WOLFSSL_TRUSTED_CA_CERT_SHA1: |
3046 | | if (tca->id != NULL) { |
3047 | | XMEMCPY(output + offset, tca->id, tca->idSz); |
3048 | | offset += tca->idSz; |
3049 | | } |
3050 | | else { |
3051 | | /* ID missing. Set to an empty string. */ |
3052 | | c16toa(0, output + offset); |
3053 | | offset += OPAQUE16_LEN; |
3054 | | } |
3055 | | break; |
3056 | | #endif |
3057 | | case WOLFSSL_TRUSTED_CA_X509_NAME: |
3058 | | if (tca->id != NULL) { |
3059 | | c16toa(tca->idSz, output + offset); /* tca length */ |
3060 | | offset += OPAQUE16_LEN; |
3061 | | XMEMCPY(output + offset, tca->id, tca->idSz); |
3062 | | offset += tca->idSz; |
3063 | | } |
3064 | | else { |
3065 | | /* ID missing. Set to an empty string. */ |
3066 | | c16toa(0, output + offset); |
3067 | | offset += OPAQUE16_LEN; |
3068 | | } |
3069 | | break; |
3070 | | default: |
3071 | | /* ID unknown. Set to an empty string. */ |
3072 | | c16toa(0, output + offset); |
3073 | | offset += OPAQUE16_LEN; |
3074 | | } |
3075 | | } |
3076 | | |
3077 | | c16toa(offset - OPAQUE16_LEN, output); /* writing list length */ |
3078 | | |
3079 | | return offset; |
3080 | | } |
3081 | | |
3082 | | #ifndef NO_WOLFSSL_SERVER |
3083 | | static TCA* TLSX_TCA_Find(TCA *list, byte type, const byte* id, word16 idSz) |
3084 | | { |
3085 | | TCA* tca = list; |
3086 | | |
3087 | | while (tca) { |
3088 | | if (type == WOLFSSL_TRUSTED_CA_PRE_AGREED) |
3089 | | break; |
3090 | | if (tca->type == type && idSz == tca->idSz && |
3091 | | XMEMCMP(id, tca->id, idSz) == 0) |
3092 | | break; |
3093 | | tca = tca->next; |
3094 | | } |
3095 | | |
3096 | | return tca; |
3097 | | } |
3098 | | #endif /* NO_WOLFSSL_SERVER */ |
3099 | | |
3100 | | /** Parses a buffer of TCA extensions. */ |
3101 | | static int TLSX_TCA_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
3102 | | byte isRequest) |
3103 | | { |
3104 | | #ifndef NO_WOLFSSL_SERVER |
3105 | | word16 size = 0; |
3106 | | word16 offset = 0; |
3107 | | #endif |
3108 | | |
3109 | | TLSX *extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS); |
3110 | | |
3111 | | if (!extension) |
3112 | | extension = TLSX_Find(ssl->ctx->extensions, TLSX_TRUSTED_CA_KEYS); |
3113 | | |
3114 | | if (!isRequest) { |
3115 | | #ifndef NO_WOLFSSL_CLIENT |
3116 | | if (!extension || !extension->data) |
3117 | | return TLSX_HandleUnsupportedExtension(ssl); |
3118 | | |
3119 | | if (length > 0) |
3120 | | return BUFFER_ERROR; /* TCA response MUST be empty. */ |
3121 | | |
3122 | | /* Set the flag that we're good for keys */ |
3123 | | TLSX_SetResponse(ssl, TLSX_TRUSTED_CA_KEYS); |
3124 | | |
3125 | | return 0; |
3126 | | #endif |
3127 | | } |
3128 | | |
3129 | | #ifndef NO_WOLFSSL_SERVER |
3130 | | if (!extension || !extension->data) { |
3131 | | /* Skipping, TCA not enabled at server side. */ |
3132 | | return 0; |
3133 | | } |
3134 | | |
3135 | | if (OPAQUE16_LEN > length) |
3136 | | return BUFFER_ERROR; |
3137 | | |
3138 | | ato16(input, &size); |
3139 | | offset += OPAQUE16_LEN; |
3140 | | |
3141 | | /* validating tca list length */ |
3142 | | if (length != OPAQUE16_LEN + size) |
3143 | | return BUFFER_ERROR; |
3144 | | |
3145 | | for (size = 0; offset < length; offset += size) { |
3146 | | TCA *tca = NULL; |
3147 | | byte type; |
3148 | | const byte* id = NULL; |
3149 | | word16 idSz = 0; |
3150 | | |
3151 | | if (offset + ENUM_LEN > length) |
3152 | | return BUFFER_ERROR; |
3153 | | |
3154 | | type = input[offset++]; |
3155 | | |
3156 | | switch (type) { |
3157 | | case WOLFSSL_TRUSTED_CA_PRE_AGREED: |
3158 | | break; |
3159 | | #ifndef NO_SHA |
3160 | | case WOLFSSL_TRUSTED_CA_KEY_SHA1: |
3161 | | case WOLFSSL_TRUSTED_CA_CERT_SHA1: |
3162 | | if (offset + WC_SHA_DIGEST_SIZE > length) |
3163 | | return BUFFER_ERROR; |
3164 | | idSz = WC_SHA_DIGEST_SIZE; |
3165 | | id = input + offset; |
3166 | | offset += idSz; |
3167 | | break; |
3168 | | #endif |
3169 | | case WOLFSSL_TRUSTED_CA_X509_NAME: |
3170 | | if (offset + OPAQUE16_LEN > length) |
3171 | | return BUFFER_ERROR; |
3172 | | ato16(input + offset, &idSz); |
3173 | | offset += OPAQUE16_LEN; |
3174 | | if ((offset > length) || (idSz > length - offset)) |
3175 | | return BUFFER_ERROR; |
3176 | | id = input + offset; |
3177 | | offset += idSz; |
3178 | | break; |
3179 | | default: |
3180 | | WOLFSSL_ERROR_VERBOSE(TCA_INVALID_ID_TYPE); |
3181 | | return TCA_INVALID_ID_TYPE; |
3182 | | } |
3183 | | |
3184 | | /* Find the type/ID in the TCA list. */ |
3185 | | tca = TLSX_TCA_Find((TCA*)extension->data, type, id, idSz); |
3186 | | if (tca != NULL) { |
3187 | | /* Found it. Set the response flag and break out of the loop. */ |
3188 | | TLSX_SetResponse(ssl, TLSX_TRUSTED_CA_KEYS); |
3189 | | break; |
3190 | | } |
3191 | | } |
3192 | | #else |
3193 | | (void)input; |
3194 | | #endif |
3195 | | |
3196 | | return 0; |
3197 | | } |
3198 | | |
3199 | | /* Checks to see if the server sent a response for the TCA. */ |
3200 | | static int TLSX_TCA_VerifyParse(WOLFSSL* ssl, byte isRequest) |
3201 | | { |
3202 | | (void)ssl; |
3203 | | |
3204 | | if (!isRequest) { |
3205 | | /* RFC 6066 section 6 states that the server responding |
3206 | | * to trusted_ca_keys is optional. Do not error out unless |
3207 | | * opted into with the define WOLFSSL_REQUIRE_TCA. */ |
3208 | | #if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_REQUIRE_TCA) |
3209 | | TLSX* extension = TLSX_Find(ssl->extensions, TLSX_TRUSTED_CA_KEYS); |
3210 | | |
3211 | | if (extension && !extension->resp) { |
3212 | | SendAlert(ssl, alert_fatal, handshake_failure); |
3213 | | WOLFSSL_ERROR_VERBOSE(TCA_ABSENT_ERROR); |
3214 | | return TCA_ABSENT_ERROR; |
3215 | | } |
3216 | | #else |
3217 | | WOLFSSL_MSG("No response received for trusted_ca_keys. Continuing."); |
3218 | | #endif /* !NO_WOLFSSL_CLIENT && WOLFSSL_REQUIRE_TCA */ |
3219 | | } |
3220 | | |
3221 | | return 0; |
3222 | | } |
3223 | | |
3224 | | int TLSX_UseTrustedCA(TLSX** extensions, byte type, |
3225 | | const byte* id, word16 idSz, void* heap) |
3226 | | { |
3227 | | TLSX* extension; |
3228 | | TCA* tca = NULL; |
3229 | | |
3230 | | if (extensions == NULL) |
3231 | | return BAD_FUNC_ARG; |
3232 | | |
3233 | | if ((tca = TLSX_TCA_New(type, id, idSz, heap)) == NULL) |
3234 | | return MEMORY_E; |
3235 | | |
3236 | | extension = TLSX_Find(*extensions, TLSX_TRUSTED_CA_KEYS); |
3237 | | if (!extension) { |
3238 | | int ret = TLSX_Push(extensions, TLSX_TRUSTED_CA_KEYS, (void*)tca, heap); |
3239 | | |
3240 | | if (ret != 0) { |
3241 | | TLSX_TCA_Free(tca, heap); |
3242 | | return ret; |
3243 | | } |
3244 | | } |
3245 | | else { |
3246 | | /* push new TCA object to extension data. */ |
3247 | | tca->next = (TCA*)extension->data; |
3248 | | extension->data = (void*)tca; |
3249 | | } |
3250 | | |
3251 | | return WOLFSSL_SUCCESS; |
3252 | | } |
3253 | | |
3254 | | #define TCA_FREE_ALL TLSX_TCA_FreeAll |
3255 | | #define TCA_GET_SIZE TLSX_TCA_GetSize |
3256 | | #define TCA_WRITE TLSX_TCA_Write |
3257 | | #define TCA_PARSE TLSX_TCA_Parse |
3258 | | #define TCA_VERIFY_PARSE TLSX_TCA_VerifyParse |
3259 | | |
3260 | | #else /* HAVE_TRUSTED_CA */ |
3261 | | |
3262 | 0 | #define TCA_FREE_ALL(list, heap) WC_DO_NOTHING |
3263 | 0 | #define TCA_GET_SIZE(list) 0 |
3264 | 0 | #define TCA_WRITE(a, b) 0 |
3265 | 0 | #define TCA_PARSE(a, b, c, d) 0 |
3266 | 0 | #define TCA_VERIFY_PARSE(a, b) 0 |
3267 | | |
3268 | | #endif /* HAVE_TRUSTED_CA */ |
3269 | | |
3270 | | /******************************************************************************/ |
3271 | | /* Max Fragment Length Negotiation */ |
3272 | | /******************************************************************************/ |
3273 | | |
3274 | | #ifdef HAVE_MAX_FRAGMENT |
3275 | | |
3276 | | static word16 TLSX_MFL_Write(byte* data, byte* output) |
3277 | | { |
3278 | | output[0] = data[0]; |
3279 | | |
3280 | | return ENUM_LEN; |
3281 | | } |
3282 | | |
3283 | | static int TLSX_MFL_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
3284 | | byte isRequest) |
3285 | | { |
3286 | | if (length != ENUM_LEN) |
3287 | | return BUFFER_ERROR; |
3288 | | |
3289 | | #ifdef WOLFSSL_OLD_UNSUPPORTED_EXTENSION |
3290 | | (void) isRequest; |
3291 | | #else |
3292 | | if (!isRequest) { |
3293 | | TLSX* extension; |
3294 | | |
3295 | | if (TLSX_CheckUnsupportedExtension(ssl, TLSX_MAX_FRAGMENT_LENGTH)) |
3296 | | return TLSX_HandleUnsupportedExtension(ssl); |
3297 | | |
3298 | | /* RFC 6066 Section 4: the server's response value must match the |
3299 | | * value the client requested. The request may have been configured on |
3300 | | * the WOLFSSL object or inherited from the WOLFSSL_CTX. */ |
3301 | | extension = TLSX_Find(ssl->extensions, TLSX_MAX_FRAGMENT_LENGTH); |
3302 | | if (extension == NULL) { |
3303 | | extension = TLSX_Find(ssl->ctx->extensions, |
3304 | | TLSX_MAX_FRAGMENT_LENGTH); |
3305 | | } |
3306 | | if (extension == NULL || extension->data == NULL || |
3307 | | ((byte*)extension->data)[0] != *input) { |
3308 | | SendAlert(ssl, alert_fatal, illegal_parameter); |
3309 | | WOLFSSL_ERROR_VERBOSE(UNKNOWN_MAX_FRAG_LEN_E); |
3310 | | return UNKNOWN_MAX_FRAG_LEN_E; |
3311 | | } |
3312 | | } |
3313 | | #endif |
3314 | | |
3315 | | switch (*input) { |
3316 | | case WOLFSSL_MFL_2_8 : ssl->max_fragment = 256; break; |
3317 | | case WOLFSSL_MFL_2_9 : ssl->max_fragment = 512; break; |
3318 | | case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break; |
3319 | | case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break; |
3320 | | case WOLFSSL_MFL_2_12: ssl->max_fragment = 4096; break; |
3321 | | case WOLFSSL_MFL_2_13: ssl->max_fragment = 8192; break; |
3322 | | |
3323 | | default: |
3324 | | SendAlert(ssl, alert_fatal, illegal_parameter); |
3325 | | WOLFSSL_ERROR_VERBOSE(UNKNOWN_MAX_FRAG_LEN_E); |
3326 | | return UNKNOWN_MAX_FRAG_LEN_E; |
3327 | | } |
3328 | | if (ssl->session != NULL) { |
3329 | | ssl->session->mfl = *input; |
3330 | | } |
3331 | | |
3332 | | #ifndef NO_WOLFSSL_SERVER |
3333 | | if (isRequest) { |
3334 | | int ret = TLSX_UseMaxFragment(&ssl->extensions, *input, ssl->heap); |
3335 | | |
3336 | | if (ret != WOLFSSL_SUCCESS) |
3337 | | return ret; /* throw error */ |
3338 | | |
3339 | | TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH); |
3340 | | } |
3341 | | #endif |
3342 | | |
3343 | | return 0; |
3344 | | } |
3345 | | |
3346 | | int TLSX_UseMaxFragment(TLSX** extensions, byte mfl, void* heap) |
3347 | | { |
3348 | | byte* data = NULL; |
3349 | | int ret = 0; |
3350 | | |
3351 | | if (extensions == NULL || mfl < WOLFSSL_MFL_MIN || mfl > WOLFSSL_MFL_MAX) |
3352 | | return BAD_FUNC_ARG; |
3353 | | |
3354 | | data = (byte*)XMALLOC(ENUM_LEN, heap, DYNAMIC_TYPE_TLSX); |
3355 | | if (data == NULL) |
3356 | | return MEMORY_E; |
3357 | | |
3358 | | data[0] = mfl; |
3359 | | |
3360 | | ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, data, heap); |
3361 | | if (ret != 0) { |
3362 | | XFREE(data, heap, DYNAMIC_TYPE_TLSX); |
3363 | | return ret; |
3364 | | } |
3365 | | |
3366 | | return WOLFSSL_SUCCESS; |
3367 | | } |
3368 | | |
3369 | | |
3370 | | #define MFL_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX) |
3371 | | #define MFL_GET_SIZE(data) ENUM_LEN |
3372 | | #define MFL_WRITE TLSX_MFL_Write |
3373 | | #define MFL_PARSE TLSX_MFL_Parse |
3374 | | |
3375 | | #else |
3376 | | |
3377 | 0 | #define MFL_FREE_ALL(a, b) WC_DO_NOTHING |
3378 | 0 | #define MFL_GET_SIZE(a) 0 |
3379 | 0 | #define MFL_WRITE(a, b) 0 |
3380 | 0 | #define MFL_PARSE(a, b, c, d) 0 |
3381 | | |
3382 | | #endif /* HAVE_MAX_FRAGMENT */ |
3383 | | |
3384 | | /******************************************************************************/ |
3385 | | /* Truncated HMAC */ |
3386 | | /******************************************************************************/ |
3387 | | |
3388 | | #ifdef HAVE_TRUNCATED_HMAC |
3389 | | |
3390 | | static int TLSX_THM_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
3391 | | byte isRequest) |
3392 | | { |
3393 | | if (length != 0 || input == NULL) |
3394 | | return BUFFER_ERROR; |
3395 | | |
3396 | | if (!isRequest) { |
3397 | | #ifndef WOLFSSL_OLD_UNSUPPORTED_EXTENSION |
3398 | | if (TLSX_CheckUnsupportedExtension(ssl, TLSX_TRUNCATED_HMAC)) |
3399 | | return TLSX_HandleUnsupportedExtension(ssl); |
3400 | | #endif |
3401 | | } |
3402 | | else { |
3403 | | #ifndef NO_WOLFSSL_SERVER |
3404 | | int ret = TLSX_UseTruncatedHMAC(&ssl->extensions, ssl->heap); |
3405 | | |
3406 | | if (ret != WOLFSSL_SUCCESS) |
3407 | | return ret; /* throw error */ |
3408 | | |
3409 | | TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC); |
3410 | | #endif |
3411 | | } |
3412 | | |
3413 | | ssl->truncated_hmac = 1; |
3414 | | |
3415 | | return 0; |
3416 | | } |
3417 | | |
3418 | | int TLSX_UseTruncatedHMAC(TLSX** extensions, void* heap) |
3419 | | { |
3420 | | int ret = 0; |
3421 | | |
3422 | | if (extensions == NULL) |
3423 | | return BAD_FUNC_ARG; |
3424 | | |
3425 | | ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL, heap); |
3426 | | if (ret != 0) |
3427 | | return ret; |
3428 | | |
3429 | | return WOLFSSL_SUCCESS; |
3430 | | } |
3431 | | |
3432 | | #define THM_PARSE TLSX_THM_Parse |
3433 | | |
3434 | | #else |
3435 | | |
3436 | 0 | #define THM_PARSE(a, b, c, d) 0 |
3437 | | |
3438 | | #endif /* HAVE_TRUNCATED_HMAC */ |
3439 | | |
3440 | | /******************************************************************************/ |
3441 | | /* Certificate Status Request */ |
3442 | | /******************************************************************************/ |
3443 | | |
3444 | | #ifdef HAVE_CERTIFICATE_STATUS_REQUEST |
3445 | | |
3446 | | static void TLSX_CSR_Free(CertificateStatusRequest* csr, void* heap) |
3447 | | { |
3448 | | int i; |
3449 | | |
3450 | | switch (csr->status_type) { |
3451 | | case WOLFSSL_CSR_OCSP: |
3452 | | for (i = 0; i < csr->requests; i++) { |
3453 | | FreeOcspRequest(&csr->request.ocsp[i]); |
3454 | | } |
3455 | | break; |
3456 | | } |
3457 | | #ifdef WOLFSSL_TLS13 |
3458 | | for (i = 0; i < MAX_CERT_EXTENSIONS; i++) { |
3459 | | if (csr->responses[i].buffer != NULL) { |
3460 | | XFREE(csr->responses[i].buffer, heap, |
3461 | | DYNAMIC_TYPE_TMP_BUFFER); |
3462 | | } |
3463 | | } |
3464 | | #endif |
3465 | | XFREE(csr, heap, DYNAMIC_TYPE_TLSX); |
3466 | | (void)heap; |
3467 | | } |
3468 | | |
3469 | | word16 TLSX_CSR_GetSize_ex(CertificateStatusRequest* csr, byte isRequest, |
3470 | | int idx) |
3471 | | { |
3472 | | word32 size = 0; |
3473 | | |
3474 | | /* shut up compiler warnings */ |
3475 | | (void) csr; (void) isRequest; |
3476 | | #ifndef NO_WOLFSSL_CLIENT |
3477 | | if (isRequest) { |
3478 | | switch (csr->status_type) { |
3479 | | case WOLFSSL_CSR_OCSP: |
3480 | | size += ENUM_LEN + 2 * OPAQUE16_LEN; |
3481 | | |
3482 | | if (csr->request.ocsp[0].nonceSz) |
3483 | | size += OCSP_NONCE_EXT_SZ; |
3484 | | break; |
3485 | | } |
3486 | | } |
3487 | | #endif |
3488 | | #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) |
3489 | | if (!isRequest && IsAtLeastTLSv1_3(csr->ssl->version)) { |
3490 | | if (csr->ssl != NULL && SSL_CM(csr->ssl) != NULL && |
3491 | | SSL_CM(csr->ssl)->ocsp_stapling != NULL && |
3492 | | SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL) { |
3493 | | if (WOLFSSL_MAX_16BIT - OPAQUE8_LEN - OPAQUE24_LEN < |
3494 | | csr->ssl->ocspCsrResp[idx].length) { |
3495 | | return 0; |
3496 | | } |
3497 | | size = OPAQUE8_LEN + OPAQUE24_LEN + |
3498 | | csr->ssl->ocspCsrResp[idx].length; |
3499 | | return (word16)size; |
3500 | | } |
3501 | | if (WOLFSSL_MAX_16BIT - OPAQUE8_LEN - OPAQUE24_LEN < |
3502 | | csr->responses[idx].length) { |
3503 | | return 0; |
3504 | | } |
3505 | | size = OPAQUE8_LEN + OPAQUE24_LEN + csr->responses[idx].length; |
3506 | | return (word16)size; |
3507 | | } |
3508 | | #else |
3509 | | (void)idx; |
3510 | | #endif |
3511 | | return (word16)size; |
3512 | | } |
3513 | | |
3514 | | #if (defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER)) |
3515 | | int TLSX_CSR_SetResponseWithStatusCB(WOLFSSL *ssl) |
3516 | | { |
3517 | | WOLFSSL_OCSP *ocsp; |
3518 | | int ret; |
3519 | | |
3520 | | if (ssl == NULL || SSL_CM(ssl) == NULL) |
3521 | | return BAD_FUNC_ARG; |
3522 | | ocsp = SSL_CM(ssl)->ocsp_stapling; |
3523 | | if (ocsp == NULL || ocsp->statusCb == NULL) |
3524 | | return BAD_FUNC_ARG; |
3525 | | ret = ocsp->statusCb(ssl, ocsp->statusCbArg); |
3526 | | switch (ret) { |
3527 | | case WOLFSSL_OCSP_STATUS_CB_OK: { |
3528 | | size_t i; |
3529 | | for (i = 0; i < XELEM_CNT(ssl->ocspCsrResp); i++) { |
3530 | | if (ssl->ocspCsrResp[i].length > 0) { |
3531 | | /* ack the extension, status cb provided the response in |
3532 | | * ssl->ocspCsrResp */ |
3533 | | TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST); |
3534 | | ssl->status_request = WOLFSSL_CSR_OCSP; |
3535 | | break; |
3536 | | } |
3537 | | } |
3538 | | ret = 0; |
3539 | | break; |
3540 | | } |
3541 | | case WOLFSSL_OCSP_STATUS_CB_NOACK: |
3542 | | /* suppressing as not critical */ |
3543 | | ret = 0; |
3544 | | break; |
3545 | | case WOLFSSL_OCSP_STATUS_CB_ALERT_FATAL: |
3546 | | default: |
3547 | | ret = WOLFSSL_FATAL_ERROR; |
3548 | | break; |
3549 | | } |
3550 | | return ret; |
3551 | | } |
3552 | | |
3553 | | static int TLSX_CSR_WriteWithStatusCB(CertificateStatusRequest* csr, |
3554 | | byte* output, int idx) |
3555 | | { |
3556 | | WOLFSSL *ssl = csr->ssl; |
3557 | | WOLFSSL_OCSP *ocsp; |
3558 | | word16 offset = 0; |
3559 | | byte *response; |
3560 | | int respSz; |
3561 | | |
3562 | | if (ssl == NULL || SSL_CM(ssl) == NULL) |
3563 | | return BAD_FUNC_ARG; |
3564 | | ocsp = SSL_CM(ssl)->ocsp_stapling; |
3565 | | if (ocsp == NULL || ocsp->statusCb == NULL) |
3566 | | return BAD_FUNC_ARG; |
3567 | | response = ssl->ocspCsrResp[idx].buffer; |
3568 | | respSz = ssl->ocspCsrResp[idx].length; |
3569 | | if (response == NULL || respSz == 0) |
3570 | | return BAD_FUNC_ARG; |
3571 | | output[offset++] = WOLFSSL_CSR_OCSP; |
3572 | | c32to24(respSz, output + offset); |
3573 | | offset += OPAQUE24_LEN; |
3574 | | XMEMCPY(output + offset, response, respSz); |
3575 | | return offset + respSz; |
3576 | | } |
3577 | | #endif /* (TLS13 && !NO_WOLFSLL_SERVER) */ |
3578 | | |
3579 | | static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) |
3580 | | { |
3581 | | return TLSX_CSR_GetSize_ex(csr, isRequest, 0); |
3582 | | } |
3583 | | |
3584 | | int TLSX_CSR_Write_ex(CertificateStatusRequest* csr, byte* output, |
3585 | | byte isRequest, int idx) |
3586 | | { |
3587 | | /* shut up compiler warnings */ |
3588 | | (void) csr; (void) output; (void) isRequest; |
3589 | | |
3590 | | #ifndef NO_WOLFSSL_CLIENT |
3591 | | if (isRequest) { |
3592 | | int ret = 0; |
3593 | | word16 offset = 0; |
3594 | | word16 length = 0; |
3595 | | |
3596 | | /* type */ |
3597 | | output[offset++] = csr->status_type; |
3598 | | |
3599 | | switch (csr->status_type) { |
3600 | | case WOLFSSL_CSR_OCSP: |
3601 | | /* responder id list */ |
3602 | | c16toa(0, output + offset); |
3603 | | offset += OPAQUE16_LEN; |
3604 | | |
3605 | | /* request extensions */ |
3606 | | if (csr->request.ocsp[0].nonceSz) { |
3607 | | ret = (int)EncodeOcspRequestExtensions(&csr->request.ocsp[0], |
3608 | | output + offset + OPAQUE16_LEN, |
3609 | | OCSP_NONCE_EXT_SZ); |
3610 | | |
3611 | | if (ret > 0) { |
3612 | | length = (word16)ret; |
3613 | | } |
3614 | | else { |
3615 | | return ret; |
3616 | | } |
3617 | | } |
3618 | | |
3619 | | c16toa(length, output + offset); |
3620 | | offset += OPAQUE16_LEN + length; |
3621 | | |
3622 | | break; |
3623 | | } |
3624 | | |
3625 | | return (int)offset; |
3626 | | } |
3627 | | #endif |
3628 | | #if defined(WOLFSSL_TLS13) && !defined(NO_WOLFSSL_SERVER) |
3629 | | if (!isRequest && IsAtLeastTLSv1_3(csr->ssl->version)) { |
3630 | | word16 offset = 0; |
3631 | | if (csr->ssl != NULL && SSL_CM(csr->ssl) != NULL && |
3632 | | SSL_CM(csr->ssl)->ocsp_stapling != NULL && |
3633 | | SSL_CM(csr->ssl)->ocsp_stapling->statusCb != NULL) { |
3634 | | return TLSX_CSR_WriteWithStatusCB(csr, output, idx); |
3635 | | } |
3636 | | output[offset++] = csr->status_type; |
3637 | | c32to24(csr->responses[idx].length, output + offset); |
3638 | | offset += OPAQUE24_LEN; |
3639 | | XMEMCPY(output + offset, csr->responses[idx].buffer, |
3640 | | csr->responses[idx].length); |
3641 | | offset += (word16)csr->responses[idx].length; |
3642 | | return offset; |
3643 | | } |
3644 | | #else |
3645 | | (void)idx; |
3646 | | #endif |
3647 | | |
3648 | | return 0; |
3649 | | } |
3650 | | |
3651 | | static int TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, |
3652 | | byte isRequest) |
3653 | | { |
3654 | | return TLSX_CSR_Write_ex(csr, output, isRequest, 0); |
3655 | | } |
3656 | | |
3657 | | #if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_TLS13) && \ |
3658 | | defined(WOLFSSL_TLS_OCSP_MULTI) |
3659 | | /* Process OCSP request certificate chain |
3660 | | * |
3661 | | * ssl SSL/TLS object. |
3662 | | * returns 0 on success, otherwise failure. |
3663 | | */ |
3664 | | int ProcessChainOCSPRequest(WOLFSSL* ssl) |
3665 | | { |
3666 | | DecodedCert* cert; |
3667 | | OcspRequest* request; |
3668 | | TLSX* extension; |
3669 | | CertificateStatusRequest* csr; |
3670 | | DerBuffer* chain; |
3671 | | word32 pos = 0; |
3672 | | buffer der; |
3673 | | int i = 1; |
3674 | | int ret = 0; |
3675 | | byte ctxOwnsRequest = 0; |
3676 | | |
3677 | | /* use certChain if available, otherwise use peer certificate */ |
3678 | | chain = ssl->buffers.certChain; |
3679 | | if (chain == NULL) { |
3680 | | chain = ssl->buffers.certificate; |
3681 | | } |
3682 | | |
3683 | | extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); |
3684 | | csr = extension ? |
3685 | | (CertificateStatusRequest*)extension->data : NULL; |
3686 | | if (csr == NULL) |
3687 | | return MEMORY_ERROR; |
3688 | | |
3689 | | cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap, |
3690 | | DYNAMIC_TYPE_DCERT); |
3691 | | if (cert == NULL) { |
3692 | | return MEMORY_E; |
3693 | | } |
3694 | | |
3695 | | if (chain && chain->buffer) { |
3696 | | while (ret == 0 && pos + OPAQUE24_LEN < chain->length) { |
3697 | | if (i >= MAX_CERT_EXTENSIONS) { |
3698 | | WOLFSSL_MSG_EX( |
3699 | | "OCSP request cert chain exceeds maximum length: " |
3700 | | "i=%d, MAX_CERT_EXTENSIONS=%d", i, MAX_CERT_EXTENSIONS); |
3701 | | ret = MAX_CERT_EXTENSIONS_ERR; |
3702 | | break; |
3703 | | } |
3704 | | |
3705 | | c24to32(chain->buffer + pos, &der.length); |
3706 | | pos += OPAQUE24_LEN; |
3707 | | der.buffer = chain->buffer + pos; |
3708 | | pos += der.length; |
3709 | | |
3710 | | if (pos > chain->length) |
3711 | | break; |
3712 | | request = &csr->request.ocsp[i]; |
3713 | | if (ret == 0) { |
3714 | | ret = CreateOcspRequest(ssl, request, cert, |
3715 | | der.buffer, der.length, &ctxOwnsRequest); |
3716 | | if (ctxOwnsRequest) { |
3717 | | wolfSSL_Mutex* ocspLock = |
3718 | | &SSL_CM(ssl)->ocsp_stapling->ocspLock; |
3719 | | if (wc_LockMutex(ocspLock) == 0) { |
3720 | | /* the request is ours */ |
3721 | | ssl->ctx->certOcspRequest = NULL; |
3722 | | } |
3723 | | wc_UnLockMutex(ocspLock); |
3724 | | } |
3725 | | } |
3726 | | |
3727 | | if (ret == 0) { |
3728 | | request->ssl = ssl; |
3729 | | ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling, |
3730 | | request, &csr->responses[i], ssl->heap); |
3731 | | /* Suppressing soft-fail responder errors. OCSP_CERT_REVOKED |
3732 | | * is an explicit positive assertion of revocation and must |
3733 | | * not be ignored. */ |
3734 | | if (ret == WC_NO_ERR_TRACE(OCSP_CERT_UNKNOWN) || |
3735 | | ret == WC_NO_ERR_TRACE(OCSP_LOOKUP_FAIL)) { |
3736 | | ret = 0; |
3737 | | } |
3738 | | i++; |
3739 | | csr->requests++; |
3740 | | } |
3741 | | } |
3742 | | } |
3743 | | XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT); |
3744 | | |
3745 | | return ret; |
3746 | | } |
3747 | | #endif |
3748 | | |
3749 | | static int TLSX_CSR_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
3750 | | byte isRequest) |
3751 | | { |
3752 | | int ret; |
3753 | | #if !defined(NO_WOLFSSL_SERVER) |
3754 | | byte status_type; |
3755 | | word16 size = 0; |
3756 | | #endif |
3757 | | |
3758 | | #if !defined(NO_WOLFSSL_CLIENT) |
3759 | | OcspRequest* request; |
3760 | | TLSX* extension; |
3761 | | CertificateStatusRequest* csr; |
3762 | | #endif |
3763 | | |
3764 | | #if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13) \ |
3765 | | || !defined(NO_WOLFSSL_SERVER) |
3766 | | word32 offset = 0; |
3767 | | #endif |
3768 | | |
3769 | | #if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_TLS13) |
3770 | | word32 resp_length = 0; |
3771 | | #endif |
3772 | | |
3773 | | /* shut up compiler warnings */ |
3774 | | (void) ssl; (void) input; |
3775 | | |
3776 | | if (!isRequest) { |
3777 | | #ifndef NO_WOLFSSL_CLIENT |
3778 | | extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); |
3779 | | csr = extension ? (CertificateStatusRequest*)extension->data : NULL; |
3780 | | |
3781 | | if (!csr) { |
3782 | | /* look at context level */ |
3783 | | extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST); |
3784 | | csr = extension ? (CertificateStatusRequest*)extension->data : NULL; |
3785 | | |
3786 | | if (!csr) /* unexpected extension */ |
3787 | | return TLSX_HandleUnsupportedExtension(ssl); |
3788 | | |
3789 | | /* enable extension at ssl level */ |
3790 | | ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, |
3791 | | csr->status_type, csr->options, ssl, |
3792 | | ssl->heap, ssl->devId); |
3793 | | if (ret != WOLFSSL_SUCCESS) |
3794 | | return ret == 0 ? -1 : ret; |
3795 | | |
3796 | | switch (csr->status_type) { |
3797 | | case WOLFSSL_CSR_OCSP: |
3798 | | /* propagate nonce */ |
3799 | | if (csr->request.ocsp[0].nonceSz) { |
3800 | | request = |
3801 | | (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions); |
3802 | | |
3803 | | if (request) { |
3804 | | XMEMCPY(request->nonce, csr->request.ocsp[0].nonce, |
3805 | | (size_t)csr->request.ocsp[0].nonceSz); |
3806 | | request->nonceSz = csr->request.ocsp[0].nonceSz; |
3807 | | } |
3808 | | } |
3809 | | break; |
3810 | | } |
3811 | | } |
3812 | | |
3813 | | ssl->status_request = 1; |
3814 | | |
3815 | | #ifdef WOLFSSL_TLS13 |
3816 | | if (ssl->options.tls1_3) { |
3817 | | /* Get the new extension potentially created above. */ |
3818 | | extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); |
3819 | | csr = extension ? (CertificateStatusRequest*)extension->data : NULL; |
3820 | | if (csr == NULL) |
3821 | | return MEMORY_ERROR; |
3822 | | |
3823 | | ret = 0; |
3824 | | if (OPAQUE8_LEN + OPAQUE24_LEN > length) |
3825 | | ret = BUFFER_ERROR; |
3826 | | if (ret == 0 && input[offset++] != WOLFSSL_CSR_OCSP) { |
3827 | | ret = BAD_CERTIFICATE_STATUS_ERROR; |
3828 | | WOLFSSL_ERROR_VERBOSE(ret); |
3829 | | } |
3830 | | if (ret == 0) { |
3831 | | c24to32(input + offset, &resp_length); |
3832 | | offset += OPAQUE24_LEN; |
3833 | | if (offset + resp_length != length) |
3834 | | ret = BUFFER_ERROR; |
3835 | | } |
3836 | | if (ret == 0) { |
3837 | | if (ssl->response_idx < (1 + MAX_CHAIN_DEPTH)) |
3838 | | csr->responses[ssl->response_idx].buffer = |
3839 | | (byte*)XMALLOC(resp_length, ssl->heap, |
3840 | | DYNAMIC_TYPE_TMP_BUFFER); |
3841 | | else |
3842 | | ret = BAD_FUNC_ARG; |
3843 | | |
3844 | | if (ret == 0 && |
3845 | | csr->responses[ssl->response_idx].buffer == NULL) |
3846 | | ret = MEMORY_ERROR; |
3847 | | } |
3848 | | if (ret == 0) { |
3849 | | XMEMCPY(csr->responses[ssl->response_idx].buffer, |
3850 | | input + offset, resp_length); |
3851 | | csr->responses[ssl->response_idx].length = resp_length; |
3852 | | } |
3853 | | |
3854 | | return ret; |
3855 | | } |
3856 | | else |
3857 | | #endif |
3858 | | { |
3859 | | /* extension_data MUST be empty. */ |
3860 | | return length ? BUFFER_ERROR : 0; |
3861 | | } |
3862 | | #endif |
3863 | | } |
3864 | | else { |
3865 | | #ifndef NO_WOLFSSL_SERVER |
3866 | | if (length == 0) |
3867 | | return 0; |
3868 | | |
3869 | | status_type = input[offset++]; |
3870 | | |
3871 | | switch (status_type) { |
3872 | | case WOLFSSL_CSR_OCSP: { |
3873 | | |
3874 | | /* skip responder_id_list */ |
3875 | | if ((int)(length - offset) < OPAQUE16_LEN) |
3876 | | return BUFFER_ERROR; |
3877 | | |
3878 | | ato16(input + offset, &size); |
3879 | | offset += OPAQUE16_LEN + size; |
3880 | | |
3881 | | /* skip request_extensions */ |
3882 | | if ((int)(length - offset) < OPAQUE16_LEN) |
3883 | | return BUFFER_ERROR; |
3884 | | |
3885 | | ato16(input + offset, &size); |
3886 | | offset += OPAQUE16_LEN + size; |
3887 | | |
3888 | | if (offset > length) |
3889 | | return BUFFER_ERROR; |
3890 | | |
3891 | | /* is able to send OCSP response? */ |
3892 | | if (SSL_CM(ssl) == NULL || !SSL_CM(ssl)->ocspStaplingEnabled) |
3893 | | return 0; |
3894 | | } |
3895 | | break; |
3896 | | |
3897 | | /* unknown status type */ |
3898 | | default: |
3899 | | return 0; |
3900 | | } |
3901 | | |
3902 | | /* if using status_request and already sending it, skip this one */ |
3903 | | #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 |
3904 | | if (ssl->status_request_v2) |
3905 | | return 0; |
3906 | | #endif |
3907 | | |
3908 | | /* accept the first good status_type and return */ |
3909 | | ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type, |
3910 | | 0, ssl, ssl->heap, ssl->devId); |
3911 | | if (ret != WOLFSSL_SUCCESS) |
3912 | | return ret == 0 ? -1 : ret; /* throw error */ |
3913 | | |
3914 | | TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST); |
3915 | | ssl->status_request = status_type; |
3916 | | #endif |
3917 | | } |
3918 | | |
3919 | | return 0; |
3920 | | } |
3921 | | |
3922 | | int TLSX_CSR_InitRequest_ex(TLSX* extensions, DecodedCert* cert, |
3923 | | void* heap, int idx) |
3924 | | { |
3925 | | TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); |
3926 | | CertificateStatusRequest* csr = extension ? |
3927 | | (CertificateStatusRequest*)extension->data : NULL; |
3928 | | int ret = 0; |
3929 | | |
3930 | | if (csr) { |
3931 | | switch (csr->status_type) { |
3932 | | case WOLFSSL_CSR_OCSP: { |
3933 | | byte nonce[MAX_OCSP_NONCE_SZ]; |
3934 | | int req_cnt = idx == -1 ? csr->requests : idx; |
3935 | | int nonceSz = csr->request.ocsp[0].nonceSz; |
3936 | | OcspRequest* request; |
3937 | | |
3938 | | request = &csr->request.ocsp[req_cnt]; |
3939 | | if (request->serial != NULL) { |
3940 | | /* clear request contents before reuse */ |
3941 | | FreeOcspRequest(request); |
3942 | | if (csr->requests > 0) |
3943 | | csr->requests--; |
3944 | | } |
3945 | | /* preserve nonce */ |
3946 | | XMEMCPY(nonce, csr->request.ocsp->nonce, (size_t)nonceSz); |
3947 | | |
3948 | | if (req_cnt < MAX_CERT_EXTENSIONS) { |
3949 | | if ((ret = InitOcspRequest(request, cert, 0, heap)) != 0) |
3950 | | return ret; |
3951 | | |
3952 | | /* restore nonce */ |
3953 | | XMEMCPY(csr->request.ocsp->nonce, nonce, (size_t)nonceSz); |
3954 | | request->nonceSz = nonceSz; |
3955 | | csr->requests++; |
3956 | | } |
3957 | | else { |
3958 | | WOLFSSL_ERROR_VERBOSE(MAX_CERT_EXTENSIONS_ERR); |
3959 | | return MAX_CERT_EXTENSIONS_ERR; |
3960 | | } |
3961 | | } |
3962 | | break; |
3963 | | } |
3964 | | } |
3965 | | |
3966 | | return ret; |
3967 | | } |
3968 | | |
3969 | | int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert, void* heap) |
3970 | | { |
3971 | | return TLSX_CSR_InitRequest_ex(extensions, cert, heap, -1); |
3972 | | } |
3973 | | |
3974 | | void* TLSX_CSR_GetRequest_ex(TLSX* extensions, int idx) |
3975 | | { |
3976 | | TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); |
3977 | | CertificateStatusRequest* csr = extension ? |
3978 | | (CertificateStatusRequest*)extension->data : NULL; |
3979 | | |
3980 | | if (csr && csr->ssl) { |
3981 | | switch (csr->status_type) { |
3982 | | case WOLFSSL_CSR_OCSP: |
3983 | | if (IsAtLeastTLSv1_3(csr->ssl->version)) { |
3984 | | return idx < csr->requests ? &csr->request.ocsp[idx] : NULL; |
3985 | | } |
3986 | | else { |
3987 | | return idx == 0 ? &csr->request.ocsp[0] : NULL; |
3988 | | } |
3989 | | } |
3990 | | } |
3991 | | |
3992 | | return NULL; |
3993 | | } |
3994 | | |
3995 | | void* TLSX_CSR_GetRequest(TLSX* extensions) |
3996 | | { |
3997 | | return TLSX_CSR_GetRequest_ex(extensions, 0); |
3998 | | } |
3999 | | |
4000 | | int TLSX_CSR_ForceRequest(WOLFSSL* ssl) |
4001 | | { |
4002 | | TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); |
4003 | | CertificateStatusRequest* csr = extension ? |
4004 | | (CertificateStatusRequest*)extension->data : NULL; |
4005 | | |
4006 | | if (csr) { |
4007 | | switch (csr->status_type) { |
4008 | | case WOLFSSL_CSR_OCSP: |
4009 | | if (SSL_CM(ssl)->ocspEnabled) { |
4010 | | csr->request.ocsp[0].ssl = ssl; |
4011 | | return CheckOcspRequest(SSL_CM(ssl)->ocsp, |
4012 | | &csr->request.ocsp[0], NULL, NULL); |
4013 | | } |
4014 | | else { |
4015 | | WOLFSSL_ERROR_VERBOSE(OCSP_LOOKUP_FAIL); |
4016 | | return OCSP_LOOKUP_FAIL; |
4017 | | } |
4018 | | } |
4019 | | } |
4020 | | |
4021 | | return 0; |
4022 | | } |
4023 | | |
4024 | | int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type, |
4025 | | byte options, WOLFSSL* ssl, void* heap, |
4026 | | int devId) |
4027 | | { |
4028 | | CertificateStatusRequest* csr = NULL; |
4029 | | int ret = 0; |
4030 | | |
4031 | | if (!extensions || status_type != WOLFSSL_CSR_OCSP) |
4032 | | return BAD_FUNC_ARG; |
4033 | | |
4034 | | csr = (CertificateStatusRequest*) |
4035 | | XMALLOC(sizeof(CertificateStatusRequest), heap, DYNAMIC_TYPE_TLSX); |
4036 | | if (!csr) |
4037 | | return MEMORY_E; |
4038 | | |
4039 | | ForceZero(csr, sizeof(CertificateStatusRequest)); |
4040 | | #if defined(WOLFSSL_TLS13) |
4041 | | XMEMSET(csr->responses, 0, sizeof(csr->responses)); |
4042 | | #endif |
4043 | | csr->status_type = status_type; |
4044 | | csr->options = options; |
4045 | | csr->ssl = ssl; |
4046 | | |
4047 | | switch (csr->status_type) { |
4048 | | case WOLFSSL_CSR_OCSP: |
4049 | | if (options & WOLFSSL_CSR_OCSP_USE_NONCE) { |
4050 | | WC_RNG rng; |
4051 | | |
4052 | | #ifndef HAVE_FIPS |
4053 | | ret = wc_InitRng_ex(&rng, heap, devId); |
4054 | | #else |
4055 | | ret = wc_InitRng(&rng); |
4056 | | (void)devId; |
4057 | | #endif |
4058 | | if (ret == 0) { |
4059 | | if (wc_RNG_GenerateBlock(&rng, csr->request.ocsp[0].nonce, |
4060 | | MAX_OCSP_NONCE_SZ) == 0) |
4061 | | csr->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ; |
4062 | | |
4063 | | wc_FreeRng(&rng); |
4064 | | } |
4065 | | } |
4066 | | break; |
4067 | | } |
4068 | | |
4069 | | if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr, heap)) != 0) { |
4070 | | XFREE(csr, heap, DYNAMIC_TYPE_TLSX); |
4071 | | return ret; |
4072 | | } |
4073 | | |
4074 | | return WOLFSSL_SUCCESS; |
4075 | | } |
4076 | | |
4077 | | #define CSR_FREE_ALL TLSX_CSR_Free |
4078 | | #define CSR_GET_SIZE TLSX_CSR_GetSize |
4079 | | #define CSR_WRITE TLSX_CSR_Write |
4080 | | #define CSR_PARSE TLSX_CSR_Parse |
4081 | | |
4082 | | #else |
4083 | | |
4084 | 0 | #define CSR_FREE_ALL(data, heap) WC_DO_NOTHING |
4085 | 0 | #define CSR_GET_SIZE(a, b) 0 |
4086 | 0 | #define CSR_WRITE(a, b, c) 0 |
4087 | 0 | #define CSR_PARSE(a, b, c, d) 0 |
4088 | | |
4089 | | #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ |
4090 | | |
4091 | | /******************************************************************************/ |
4092 | | /* Certificate Status Request v2 */ |
4093 | | /******************************************************************************/ |
4094 | | |
4095 | | #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 |
4096 | | |
4097 | | static void TLSX_CSR2_FreePendingSigners(Signer *s, void* heap) |
4098 | | { |
4099 | | Signer* next; |
4100 | | while(s) { |
4101 | | next = s->next; |
4102 | | FreeSigner(s, heap); |
4103 | | s = next; |
4104 | | } |
4105 | | } |
4106 | | static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2, void* heap) |
4107 | | { |
4108 | | CertificateStatusRequestItemV2* next; |
4109 | | |
4110 | | TLSX_CSR2_FreePendingSigners(csr2->pendingSigners, heap); |
4111 | | for (; csr2; csr2 = next) { |
4112 | | next = csr2->next; |
4113 | | |
4114 | | switch (csr2->status_type) { |
4115 | | case WOLFSSL_CSR2_OCSP: |
4116 | | case WOLFSSL_CSR2_OCSP_MULTI: |
4117 | | while(csr2->requests--) |
4118 | | FreeOcspRequest(&csr2->request.ocsp[csr2->requests]); |
4119 | | break; |
4120 | | } |
4121 | | |
4122 | | XFREE(csr2, heap, DYNAMIC_TYPE_TLSX); |
4123 | | } |
4124 | | (void)heap; |
4125 | | } |
4126 | | |
4127 | | static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2, |
4128 | | byte isRequest) |
4129 | | { |
4130 | | word32 size = 0; |
4131 | | |
4132 | | /* shut up compiler warnings */ |
4133 | | (void) csr2; (void) isRequest; |
4134 | | |
4135 | | #ifndef NO_WOLFSSL_CLIENT |
4136 | | if (isRequest) { |
4137 | | CertificateStatusRequestItemV2* next; |
4138 | | |
4139 | | for (size = OPAQUE16_LEN; csr2; csr2 = next) { |
4140 | | next = csr2->next; |
4141 | | |
4142 | | switch (csr2->status_type) { |
4143 | | case WOLFSSL_CSR2_OCSP: |
4144 | | case WOLFSSL_CSR2_OCSP_MULTI: |
4145 | | size += ENUM_LEN + 3 * OPAQUE16_LEN; |
4146 | | |
4147 | | if (csr2->request.ocsp[0].nonceSz) |
4148 | | size += OCSP_NONCE_EXT_SZ; |
4149 | | break; |
4150 | | } |
4151 | | |
4152 | | if (size > WOLFSSL_MAX_16BIT) { |
4153 | | return 0; |
4154 | | } |
4155 | | } |
4156 | | } |
4157 | | #endif |
4158 | | |
4159 | | return (word16)size; |
4160 | | } |
4161 | | |
4162 | | static int TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2, |
4163 | | byte* output, byte isRequest) |
4164 | | { |
4165 | | /* shut up compiler warnings */ |
4166 | | (void) csr2; (void) output; (void) isRequest; |
4167 | | |
4168 | | #ifndef NO_WOLFSSL_CLIENT |
4169 | | if (isRequest) { |
4170 | | int ret = 0; |
4171 | | word16 offset; |
4172 | | word16 length; |
4173 | | |
4174 | | for (offset = OPAQUE16_LEN; csr2 != NULL; csr2 = csr2->next) { |
4175 | | /* status_type */ |
4176 | | output[offset++] = csr2->status_type; |
4177 | | |
4178 | | /* request */ |
4179 | | switch (csr2->status_type) { |
4180 | | case WOLFSSL_CSR2_OCSP: |
4181 | | case WOLFSSL_CSR2_OCSP_MULTI: |
4182 | | /* request_length */ |
4183 | | length = 2 * OPAQUE16_LEN; |
4184 | | |
4185 | | if (csr2->request.ocsp[0].nonceSz) |
4186 | | length += OCSP_NONCE_EXT_SZ; |
4187 | | |
4188 | | c16toa(length, output + offset); |
4189 | | offset += OPAQUE16_LEN; |
4190 | | |
4191 | | /* responder id list */ |
4192 | | c16toa(0, output + offset); |
4193 | | offset += OPAQUE16_LEN; |
4194 | | |
4195 | | /* request extensions */ |
4196 | | length = 0; |
4197 | | |
4198 | | if (csr2->request.ocsp[0].nonceSz) { |
4199 | | ret = (int)EncodeOcspRequestExtensions( |
4200 | | &csr2->request.ocsp[0], |
4201 | | output + offset + OPAQUE16_LEN, |
4202 | | OCSP_NONCE_EXT_SZ); |
4203 | | |
4204 | | if (ret > 0) { |
4205 | | length = (word16)ret; |
4206 | | } |
4207 | | else { |
4208 | | return ret; |
4209 | | } |
4210 | | } |
4211 | | |
4212 | | c16toa(length, output + offset); |
4213 | | offset += OPAQUE16_LEN + length; |
4214 | | break; |
4215 | | } |
4216 | | } |
4217 | | |
4218 | | /* list size */ |
4219 | | c16toa(offset - OPAQUE16_LEN, output); |
4220 | | |
4221 | | return (int)offset; |
4222 | | } |
4223 | | #endif |
4224 | | |
4225 | | return 0; |
4226 | | } |
4227 | | |
4228 | | static int TLSX_CSR2_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
4229 | | byte isRequest) |
4230 | | { |
4231 | | int ret; |
4232 | | |
4233 | | /* shut up compiler warnings */ |
4234 | | (void) ssl; (void) input; |
4235 | | |
4236 | | if (!isRequest) { |
4237 | | #ifndef NO_WOLFSSL_CLIENT |
4238 | | TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); |
4239 | | CertificateStatusRequestItemV2* csr2 = extension ? |
4240 | | (CertificateStatusRequestItemV2*)extension->data : NULL; |
4241 | | |
4242 | | if (!csr2) { |
4243 | | /* look at context level */ |
4244 | | extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST_V2); |
4245 | | csr2 = extension ? |
4246 | | (CertificateStatusRequestItemV2*)extension->data : NULL; |
4247 | | |
4248 | | if (!csr2) /* unexpected extension */ |
4249 | | return TLSX_HandleUnsupportedExtension(ssl); |
4250 | | |
4251 | | /* enable extension at ssl level */ |
4252 | | for (; csr2; csr2 = csr2->next) { |
4253 | | ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions, |
4254 | | csr2->status_type, csr2->options, ssl->heap, |
4255 | | ssl->devId); |
4256 | | if (ret != WOLFSSL_SUCCESS) |
4257 | | return ret; |
4258 | | |
4259 | | switch (csr2->status_type) { |
4260 | | case WOLFSSL_CSR2_OCSP: |
4261 | | /* followed by */ |
4262 | | case WOLFSSL_CSR2_OCSP_MULTI: |
4263 | | /* propagate nonce */ |
4264 | | if (csr2->request.ocsp[0].nonceSz) { |
4265 | | OcspRequest* request = |
4266 | | (OcspRequest*)TLSX_CSR2_GetRequest(ssl->extensions, |
4267 | | csr2->status_type, 0); |
4268 | | |
4269 | | if (request) { |
4270 | | XMEMCPY(request->nonce, |
4271 | | csr2->request.ocsp[0].nonce, |
4272 | | (size_t)csr2->request.ocsp[0].nonceSz); |
4273 | | |
4274 | | request->nonceSz = |
4275 | | csr2->request.ocsp[0].nonceSz; |
4276 | | } |
4277 | | } |
4278 | | break; |
4279 | | } |
4280 | | } |
4281 | | } |
4282 | | |
4283 | | ssl->status_request_v2 = 1; |
4284 | | |
4285 | | return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ |
4286 | | #endif |
4287 | | } |
4288 | | else { |
4289 | | #ifndef NO_WOLFSSL_SERVER |
4290 | | byte status_type; |
4291 | | word16 request_length; |
4292 | | word16 offset = 0; |
4293 | | word16 size = 0; |
4294 | | |
4295 | | /* list size */ |
4296 | | if (offset + OPAQUE16_LEN >= length) { |
4297 | | return BUFFER_E; |
4298 | | } |
4299 | | |
4300 | | ato16(input + offset, &request_length); |
4301 | | offset += OPAQUE16_LEN; |
4302 | | |
4303 | | if (length - OPAQUE16_LEN != request_length) |
4304 | | return BUFFER_ERROR; |
4305 | | |
4306 | | while (length > offset) { |
4307 | | if ((int)(length - offset) < ENUM_LEN + OPAQUE16_LEN) |
4308 | | return BUFFER_ERROR; |
4309 | | |
4310 | | status_type = input[offset++]; |
4311 | | |
4312 | | ato16(input + offset, &request_length); |
4313 | | offset += OPAQUE16_LEN; |
4314 | | |
4315 | | if (length - offset < request_length) |
4316 | | return BUFFER_ERROR; |
4317 | | |
4318 | | switch (status_type) { |
4319 | | case WOLFSSL_CSR2_OCSP: |
4320 | | case WOLFSSL_CSR2_OCSP_MULTI: |
4321 | | /* skip responder_id_list */ |
4322 | | if ((int)(length - offset) < OPAQUE16_LEN) |
4323 | | return BUFFER_ERROR; |
4324 | | |
4325 | | ato16(input + offset, &size); |
4326 | | if (length - offset - OPAQUE16_LEN < size) |
4327 | | return BUFFER_ERROR; |
4328 | | |
4329 | | offset += OPAQUE16_LEN + size; |
4330 | | /* skip request_extensions */ |
4331 | | if ((int)(length - offset) < OPAQUE16_LEN) |
4332 | | return BUFFER_ERROR; |
4333 | | |
4334 | | ato16(input + offset, &size); |
4335 | | if (length - offset < size) |
4336 | | return BUFFER_ERROR; |
4337 | | |
4338 | | offset += OPAQUE16_LEN + size; |
4339 | | if (offset > length) |
4340 | | return BUFFER_ERROR; |
4341 | | |
4342 | | /* is able to send OCSP response? */ |
4343 | | if (SSL_CM(ssl) == NULL |
4344 | | || !SSL_CM(ssl)->ocspStaplingEnabled) |
4345 | | continue; |
4346 | | break; |
4347 | | |
4348 | | default: |
4349 | | /* unknown status type, skipping! */ |
4350 | | offset += request_length; |
4351 | | continue; |
4352 | | } |
4353 | | |
4354 | | /* if using status_request and already sending it, remove it |
4355 | | * and prefer to use the v2 version */ |
4356 | | #ifdef HAVE_CERTIFICATE_STATUS_REQUEST |
4357 | | if (ssl->status_request) { |
4358 | | ssl->status_request = 0; |
4359 | | TLSX_Remove(&ssl->extensions, TLSX_STATUS_REQUEST, ssl->heap); |
4360 | | } |
4361 | | #endif |
4362 | | |
4363 | | /* TLS 1.3 servers MUST NOT act upon presence or information in |
4364 | | * this extension (RFC 8448 Section 4.4.2.1). |
4365 | | */ |
4366 | | if (!IsAtLeastTLSv1_3(ssl->version)) { |
4367 | | /* accept the first good status_type and return */ |
4368 | | ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions, |
4369 | | status_type, 0, ssl->heap, ssl->devId); |
4370 | | if (ret != WOLFSSL_SUCCESS) |
4371 | | return ret; /* throw error */ |
4372 | | |
4373 | | TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2); |
4374 | | ssl->status_request_v2 = status_type; |
4375 | | } |
4376 | | |
4377 | | return 0; |
4378 | | } |
4379 | | #endif |
4380 | | } |
4381 | | |
4382 | | return 0; |
4383 | | } |
4384 | | |
4385 | | static CertificateStatusRequestItemV2* TLSX_CSR2_GetMulti(TLSX *extensions) |
4386 | | { |
4387 | | TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); |
4388 | | CertificateStatusRequestItemV2* csr2 = extension ? |
4389 | | (CertificateStatusRequestItemV2*)extension->data : NULL; |
4390 | | |
4391 | | for (; csr2; csr2 = csr2->next) { |
4392 | | if (csr2->status_type == WOLFSSL_CSR2_OCSP_MULTI) |
4393 | | return csr2; |
4394 | | } |
4395 | | return NULL; |
4396 | | } |
4397 | | |
4398 | | int TLSX_CSR2_IsMulti(TLSX *extensions) |
4399 | | { |
4400 | | return TLSX_CSR2_GetMulti(extensions) != NULL; |
4401 | | } |
4402 | | |
4403 | | int TLSX_CSR2_AddPendingSigner(TLSX *extensions, Signer *s) |
4404 | | { |
4405 | | CertificateStatusRequestItemV2* csr2; |
4406 | | |
4407 | | csr2 = TLSX_CSR2_GetMulti(extensions); |
4408 | | if (!csr2) |
4409 | | return WOLFSSL_FATAL_ERROR; |
4410 | | |
4411 | | s->next = csr2->pendingSigners; |
4412 | | csr2->pendingSigners = s; |
4413 | | return 0; |
4414 | | } |
4415 | | |
4416 | | Signer* TLSX_CSR2_GetPendingSigners(TLSX *extensions) |
4417 | | { |
4418 | | CertificateStatusRequestItemV2* csr2; |
4419 | | |
4420 | | csr2 = TLSX_CSR2_GetMulti(extensions); |
4421 | | if (!csr2) |
4422 | | return NULL; |
4423 | | |
4424 | | return csr2->pendingSigners; |
4425 | | } |
4426 | | |
4427 | | int TLSX_CSR2_ClearPendingCA(WOLFSSL *ssl) |
4428 | | { |
4429 | | CertificateStatusRequestItemV2* csr2; |
4430 | | |
4431 | | csr2 = TLSX_CSR2_GetMulti(ssl->extensions); |
4432 | | if (csr2 == NULL) |
4433 | | return 0; |
4434 | | |
4435 | | TLSX_CSR2_FreePendingSigners(csr2->pendingSigners, SSL_CM(ssl)->heap); |
4436 | | csr2->pendingSigners = NULL; |
4437 | | return 0; |
4438 | | } |
4439 | | |
4440 | | int TLSX_CSR2_MergePendingCA(WOLFSSL* ssl) |
4441 | | { |
4442 | | CertificateStatusRequestItemV2* csr2; |
4443 | | Signer *s, *next; |
4444 | | int r = 0; |
4445 | | |
4446 | | csr2 = TLSX_CSR2_GetMulti(ssl->extensions); |
4447 | | if (csr2 == NULL) |
4448 | | return 0; |
4449 | | |
4450 | | s = csr2->pendingSigners; |
4451 | | while (s != NULL) { |
4452 | | next = s->next; |
4453 | | r = AddSigner(SSL_CM(ssl), s); |
4454 | | if (r != 0) |
4455 | | FreeSigner(s, SSL_CM(ssl)->heap); |
4456 | | s = next; |
4457 | | } |
4458 | | csr2->pendingSigners = NULL; |
4459 | | return r; |
4460 | | } |
4461 | | |
4462 | | int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer, |
4463 | | void* heap) |
4464 | | { |
4465 | | TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); |
4466 | | CertificateStatusRequestItemV2* csr2 = extension ? |
4467 | | (CertificateStatusRequestItemV2*)extension->data : NULL; |
4468 | | int ret = 0; |
4469 | | |
4470 | | for (; csr2; csr2 = csr2->next) { |
4471 | | switch (csr2->status_type) { |
4472 | | case WOLFSSL_CSR2_OCSP: |
4473 | | if (!isPeer || csr2->requests != 0) |
4474 | | break; |
4475 | | |
4476 | | FALL_THROUGH; /* followed by */ |
4477 | | |
4478 | | case WOLFSSL_CSR2_OCSP_MULTI: { |
4479 | | if (csr2->requests < 1 + MAX_CHAIN_DEPTH) { |
4480 | | byte nonce[MAX_OCSP_NONCE_SZ]; |
4481 | | int nonceSz = csr2->request.ocsp[0].nonceSz; |
4482 | | |
4483 | | /* preserve nonce, replicating nonce of ocsp[0] */ |
4484 | | XMEMCPY(nonce, csr2->request.ocsp[0].nonce, |
4485 | | (size_t)nonceSz); |
4486 | | |
4487 | | if ((ret = InitOcspRequest( |
4488 | | &csr2->request.ocsp[csr2->requests], cert, |
4489 | | 0, heap)) != 0) |
4490 | | return ret; |
4491 | | |
4492 | | /* restore nonce */ |
4493 | | XMEMCPY(csr2->request.ocsp[csr2->requests].nonce, |
4494 | | nonce, (size_t)nonceSz); |
4495 | | csr2->request.ocsp[csr2->requests].nonceSz = nonceSz; |
4496 | | csr2->requests++; |
4497 | | } |
4498 | | } |
4499 | | break; |
4500 | | } |
4501 | | } |
4502 | | |
4503 | | (void)cert; |
4504 | | return ret; |
4505 | | } |
4506 | | |
4507 | | void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte idx) |
4508 | | { |
4509 | | TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); |
4510 | | CertificateStatusRequestItemV2* csr2 = extension ? |
4511 | | (CertificateStatusRequestItemV2*)extension->data : NULL; |
4512 | | |
4513 | | for (; csr2; csr2 = csr2->next) { |
4514 | | if (csr2->status_type == status_type) { |
4515 | | switch (csr2->status_type) { |
4516 | | case WOLFSSL_CSR2_OCSP: |
4517 | | /* followed by */ |
4518 | | |
4519 | | case WOLFSSL_CSR2_OCSP_MULTI: |
4520 | | /* requests are initialized in the reverse order */ |
4521 | | return idx < csr2->requests |
4522 | | ? &csr2->request.ocsp[csr2->requests - idx - 1] |
4523 | | : NULL; |
4524 | | } |
4525 | | } |
4526 | | } |
4527 | | |
4528 | | return NULL; |
4529 | | } |
4530 | | |
4531 | | int TLSX_CSR2_ForceRequest(WOLFSSL* ssl) |
4532 | | { |
4533 | | TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); |
4534 | | CertificateStatusRequestItemV2* csr2 = extension ? |
4535 | | (CertificateStatusRequestItemV2*)extension->data : NULL; |
4536 | | |
4537 | | /* forces only the first one */ |
4538 | | if (csr2) { |
4539 | | switch (csr2->status_type) { |
4540 | | case WOLFSSL_CSR2_OCSP: |
4541 | | /* followed by */ |
4542 | | |
4543 | | case WOLFSSL_CSR2_OCSP_MULTI: |
4544 | | if (SSL_CM(ssl)->ocspEnabled && csr2->requests >= 1) { |
4545 | | csr2->request.ocsp[csr2->requests-1].ssl = ssl; |
4546 | | return CheckOcspRequest(SSL_CM(ssl)->ocsp, |
4547 | | &csr2->request.ocsp[csr2->requests-1], NULL, NULL); |
4548 | | } |
4549 | | else { |
4550 | | WOLFSSL_ERROR_VERBOSE(OCSP_LOOKUP_FAIL); |
4551 | | return OCSP_LOOKUP_FAIL; |
4552 | | } |
4553 | | } |
4554 | | } |
4555 | | |
4556 | | return 0; |
4557 | | } |
4558 | | |
4559 | | int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, |
4560 | | byte options, void* heap, int devId) |
4561 | | { |
4562 | | TLSX* extension = NULL; |
4563 | | CertificateStatusRequestItemV2* csr2 = NULL; |
4564 | | int ret = 0; |
4565 | | |
4566 | | if (!extensions) |
4567 | | return BAD_FUNC_ARG; |
4568 | | |
4569 | | if (status_type != WOLFSSL_CSR2_OCSP |
4570 | | && status_type != WOLFSSL_CSR2_OCSP_MULTI) |
4571 | | return BAD_FUNC_ARG; |
4572 | | |
4573 | | csr2 = (CertificateStatusRequestItemV2*) |
4574 | | XMALLOC(sizeof(CertificateStatusRequestItemV2), heap, DYNAMIC_TYPE_TLSX); |
4575 | | if (!csr2) |
4576 | | return MEMORY_E; |
4577 | | |
4578 | | ForceZero(csr2, sizeof(CertificateStatusRequestItemV2)); |
4579 | | |
4580 | | csr2->status_type = status_type; |
4581 | | csr2->options = options; |
4582 | | csr2->next = NULL; |
4583 | | |
4584 | | switch (csr2->status_type) { |
4585 | | case WOLFSSL_CSR2_OCSP: |
4586 | | case WOLFSSL_CSR2_OCSP_MULTI: |
4587 | | if (options & WOLFSSL_CSR2_OCSP_USE_NONCE) { |
4588 | | WC_RNG rng; |
4589 | | |
4590 | | #ifndef HAVE_FIPS |
4591 | | ret = wc_InitRng_ex(&rng, heap, devId); |
4592 | | #else |
4593 | | ret = wc_InitRng(&rng); |
4594 | | (void)devId; |
4595 | | #endif |
4596 | | if (ret == 0) { |
4597 | | if (wc_RNG_GenerateBlock(&rng, csr2->request.ocsp[0].nonce, |
4598 | | MAX_OCSP_NONCE_SZ) == 0) |
4599 | | csr2->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ; |
4600 | | |
4601 | | wc_FreeRng(&rng); |
4602 | | } |
4603 | | } |
4604 | | break; |
4605 | | } |
4606 | | |
4607 | | /* append new item */ |
4608 | | if ((extension = TLSX_Find(*extensions, TLSX_STATUS_REQUEST_V2))) { |
4609 | | CertificateStatusRequestItemV2* last = |
4610 | | (CertificateStatusRequestItemV2*)extension->data; |
4611 | | |
4612 | | if (last == NULL) { |
4613 | | XFREE(csr2, heap, DYNAMIC_TYPE_TLSX); |
4614 | | return BAD_FUNC_ARG; |
4615 | | } |
4616 | | |
4617 | | for (; last->next; last = last->next); |
4618 | | |
4619 | | last->next = csr2; |
4620 | | } |
4621 | | else if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST_V2, csr2,heap))) { |
4622 | | XFREE(csr2, heap, DYNAMIC_TYPE_TLSX); |
4623 | | return ret; |
4624 | | } |
4625 | | |
4626 | | return WOLFSSL_SUCCESS; |
4627 | | } |
4628 | | |
4629 | | #define CSR2_FREE_ALL TLSX_CSR2_FreeAll |
4630 | | #define CSR2_GET_SIZE TLSX_CSR2_GetSize |
4631 | | #define CSR2_WRITE TLSX_CSR2_Write |
4632 | | #define CSR2_PARSE TLSX_CSR2_Parse |
4633 | | |
4634 | | #else |
4635 | | |
4636 | 0 | #define CSR2_FREE_ALL(data, heap) WC_DO_NOTHING |
4637 | 0 | #define CSR2_GET_SIZE(a, b) 0 |
4638 | 0 | #define CSR2_WRITE(a, b, c) 0 |
4639 | 0 | #define CSR2_PARSE(a, b, c, d) 0 |
4640 | | |
4641 | | #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ |
4642 | | |
4643 | | /* ML-KEM client support requires generating a key pair (encapsulation key) and |
4644 | | * decapsulating the server's ciphertext. */ |
4645 | | #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \ |
4646 | | !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) |
4647 | | #define WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT |
4648 | | #endif |
4649 | | /* ML-KEM server support requires encapsulating to the client's key. */ |
4650 | | #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) |
4651 | | #define WOLFSSL_HAVE_MLKEM_SERVER_SUPPORT |
4652 | | #endif |
4653 | | |
4654 | | #if defined(HAVE_SUPPORTED_CURVES) || \ |
4655 | | (defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES)) |
4656 | | |
4657 | | #ifdef WOLFSSL_HAVE_MLKEM |
4658 | | /* Returns whether ML-KEM groups are supported for the given side. |
4659 | | * |
4660 | | * ML-KEM groups require side specific crypto support. The client needs to |
4661 | | * generate a key and decapsulate, while the server needs to encapsulate. |
4662 | | * |
4663 | | * side The side of the connection the check is for: WOLFSSL_CLIENT_END, |
4664 | | * WOLFSSL_SERVER_END or WOLFSSL_NEITHER_END when the side is not known. |
4665 | | * returns 1 when supported or 0 otherwise. |
4666 | | */ |
4667 | | static int TLSX_IsMlKemGroupSupported(int side) |
4668 | 0 | { |
4669 | 0 | if (side == WOLFSSL_CLIENT_END) { |
4670 | 0 | #ifdef WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT |
4671 | 0 | return 1; |
4672 | | #else |
4673 | | return 0; |
4674 | | #endif |
4675 | 0 | } |
4676 | 0 | else if (side == WOLFSSL_SERVER_END) { |
4677 | 0 | #ifdef WOLFSSL_HAVE_MLKEM_SERVER_SUPPORT |
4678 | 0 | return 1; |
4679 | | #else |
4680 | | return 0; |
4681 | | #endif |
4682 | 0 | } |
4683 | 0 | else { |
4684 | | /* Side not known - supported if either side has the crypto support. */ |
4685 | 0 | #if defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) || \ |
4686 | 0 | defined(WOLFSSL_HAVE_MLKEM_SERVER_SUPPORT) |
4687 | 0 | return 1; |
4688 | | #else |
4689 | | return 0; |
4690 | | #endif |
4691 | 0 | } |
4692 | 0 | } |
4693 | | #endif /* WOLFSSL_HAVE_MLKEM */ |
4694 | | |
4695 | | /* Returns whether this group is supported. |
4696 | | * |
4697 | | * namedGroup The named group to check. |
4698 | | * side The side of the connection the check is for: WOLFSSL_CLIENT_END, |
4699 | | * WOLFSSL_SERVER_END or WOLFSSL_NEITHER_END when the side is not |
4700 | | * known. Used to determine whether the local side has the crypto |
4701 | | * support required to use the group (e.g. ML-KEM requires |
4702 | | * decapsulation on the client and encapsulation on the server). |
4703 | | * returns 1 when supported or 0 otherwise. |
4704 | | */ |
4705 | | int TLSX_IsGroupSupported(int namedGroup, int side) |
4706 | 0 | { |
4707 | 0 | (void)side; |
4708 | |
|
4709 | 0 | switch (namedGroup) { |
4710 | 0 | #ifdef HAVE_FFDHE_2048 |
4711 | 0 | case WOLFSSL_FFDHE_2048: |
4712 | 0 | break; |
4713 | 0 | #endif |
4714 | | #ifdef HAVE_FFDHE_3072 |
4715 | | case WOLFSSL_FFDHE_3072: |
4716 | | break; |
4717 | | #endif |
4718 | | #ifdef HAVE_FFDHE_4096 |
4719 | | case WOLFSSL_FFDHE_4096: |
4720 | | break; |
4721 | | #endif |
4722 | | #ifdef HAVE_FFDHE_6144 |
4723 | | case WOLFSSL_FFDHE_6144: |
4724 | | break; |
4725 | | #endif |
4726 | | #ifdef HAVE_FFDHE_8192 |
4727 | | case WOLFSSL_FFDHE_8192: |
4728 | | break; |
4729 | | #endif |
4730 | 0 | #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 |
4731 | | #ifdef HAVE_ECC_KOBLITZ |
4732 | | case WOLFSSL_ECC_SECP256K1: |
4733 | | break; |
4734 | | #endif |
4735 | 0 | #ifndef NO_ECC_SECP |
4736 | 0 | case WOLFSSL_ECC_SECP256R1: |
4737 | 0 | break; |
4738 | 0 | #endif /* !NO_ECC_SECP */ |
4739 | | #ifdef HAVE_ECC_BRAINPOOL |
4740 | | case WOLFSSL_ECC_BRAINPOOLP256R1: |
4741 | | case WOLFSSL_ECC_BRAINPOOLP256R1TLS13: |
4742 | | break; |
4743 | | #endif |
4744 | | #ifdef WOLFSSL_SM2 |
4745 | | case WOLFSSL_ECC_SM2P256V1: |
4746 | | break; |
4747 | | #endif /* WOLFSSL_SM2 */ |
4748 | 0 | #endif |
4749 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
4750 | | case WOLFSSL_ECC_X25519: |
4751 | | break; |
4752 | | #endif |
4753 | | #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448 |
4754 | | case WOLFSSL_ECC_X448: |
4755 | | break; |
4756 | | #endif |
4757 | 0 | #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 |
4758 | 0 | #ifndef NO_ECC_SECP |
4759 | 0 | case WOLFSSL_ECC_SECP384R1: |
4760 | 0 | break; |
4761 | 0 | #endif /* !NO_ECC_SECP */ |
4762 | | #ifdef HAVE_ECC_BRAINPOOL |
4763 | | case WOLFSSL_ECC_BRAINPOOLP384R1: |
4764 | | case WOLFSSL_ECC_BRAINPOOLP384R1TLS13: |
4765 | | break; |
4766 | | #endif |
4767 | 0 | #endif |
4768 | 0 | #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 |
4769 | 0 | #ifndef NO_ECC_SECP |
4770 | 0 | case WOLFSSL_ECC_SECP521R1: |
4771 | 0 | break; |
4772 | 0 | #endif /* !NO_ECC_SECP */ |
4773 | 0 | #endif |
4774 | | #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160 |
4775 | | #ifdef HAVE_ECC_KOBLITZ |
4776 | | case WOLFSSL_ECC_SECP160K1: |
4777 | | break; |
4778 | | #endif |
4779 | | #ifndef NO_ECC_SECP |
4780 | | case WOLFSSL_ECC_SECP160R1: |
4781 | | break; |
4782 | | #endif |
4783 | | #ifdef HAVE_ECC_SECPR2 |
4784 | | case WOLFSSL_ECC_SECP160R2: |
4785 | | break; |
4786 | | #endif |
4787 | | #endif |
4788 | | #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192 |
4789 | | #ifdef HAVE_ECC_KOBLITZ |
4790 | | case WOLFSSL_ECC_SECP192K1: |
4791 | | break; |
4792 | | #endif |
4793 | | #ifndef NO_ECC_SECP |
4794 | | case WOLFSSL_ECC_SECP192R1: |
4795 | | break; |
4796 | | #endif |
4797 | | #endif |
4798 | 0 | #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224 |
4799 | | #ifdef HAVE_ECC_KOBLITZ |
4800 | | case WOLFSSL_ECC_SECP224K1: |
4801 | | break; |
4802 | | #endif |
4803 | 0 | #ifndef NO_ECC_SECP |
4804 | 0 | case WOLFSSL_ECC_SECP224R1: |
4805 | 0 | break; |
4806 | 0 | #endif |
4807 | 0 | #endif |
4808 | 0 | #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512 |
4809 | | #ifdef HAVE_ECC_BRAINPOOL |
4810 | | case WOLFSSL_ECC_BRAINPOOLP512R1: |
4811 | | case WOLFSSL_ECC_BRAINPOOLP512R1TLS13: |
4812 | | break; |
4813 | | #endif |
4814 | 0 | #endif |
4815 | 0 | #ifdef WOLFSSL_HAVE_MLKEM |
4816 | 0 | #ifndef WOLFSSL_NO_ML_KEM |
4817 | 0 | #ifndef WOLFSSL_NO_ML_KEM_512 |
4818 | | #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE |
4819 | | case WOLFSSL_ML_KEM_512: |
4820 | | return TLSX_IsMlKemGroupSupported(side); |
4821 | | #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */ |
4822 | | #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS |
4823 | | case WOLFSSL_SECP256R1MLKEM512: |
4824 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
4825 | | case WOLFSSL_X25519MLKEM512: |
4826 | | #endif /* HAVE_CURVE25519 */ |
4827 | | return TLSX_IsMlKemGroupSupported(side); |
4828 | | #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */ |
4829 | 0 | #endif /* WOLFSSL_NO_ML_KEM_512 */ |
4830 | 0 | #ifndef WOLFSSL_NO_ML_KEM_768 |
4831 | | #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE |
4832 | | case WOLFSSL_ML_KEM_768: |
4833 | | #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */ |
4834 | 0 | #ifdef WOLFSSL_PQC_HYBRIDS |
4835 | 0 | case WOLFSSL_SECP256R1MLKEM768: |
4836 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
4837 | | case WOLFSSL_X25519MLKEM768: |
4838 | | #endif /* HAVE_CURVE25519 */ |
4839 | 0 | #endif /* WOLFSSL_PQC_HYBRIDS */ |
4840 | | #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS |
4841 | | case WOLFSSL_SECP384R1MLKEM768: |
4842 | | #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448 |
4843 | | case WOLFSSL_X448MLKEM768: |
4844 | | #endif /* HAVE_CURVE448 */ |
4845 | | #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */ |
4846 | 0 | return TLSX_IsMlKemGroupSupported(side); |
4847 | 0 | #endif /* WOLFSSL_NO_ML_KEM_768 */ |
4848 | 0 | #ifndef WOLFSSL_NO_ML_KEM_1024 |
4849 | | #ifndef WOLFSSL_TLS_NO_MLKEM_STANDALONE |
4850 | | case WOLFSSL_ML_KEM_1024: |
4851 | | #endif /* !WOLFSSL_TLS_NO_MLKEM_STANDALONE */ |
4852 | 0 | #ifdef WOLFSSL_PQC_HYBRIDS |
4853 | 0 | case WOLFSSL_SECP384R1MLKEM1024: |
4854 | 0 | #endif /* WOLFSSL_PQC_HYBRIDS */ |
4855 | | #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS |
4856 | | case WOLFSSL_SECP521R1MLKEM1024: |
4857 | | #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */ |
4858 | 0 | return TLSX_IsMlKemGroupSupported(side); |
4859 | 0 | #endif |
4860 | | #if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \ |
4861 | | defined (WOLFSSL_EXTRA_PQC_HYBRIDS) |
4862 | | case WOLFSSL_P256_ML_KEM_512_OLD: |
4863 | | case WOLFSSL_P384_ML_KEM_768_OLD: |
4864 | | case WOLFSSL_P521_ML_KEM_1024_OLD: |
4865 | | return TLSX_IsMlKemGroupSupported(side); |
4866 | | #endif /* WOLFSSL_ML_KEM_USE_OLD_IDS && WOLFSSL_EXTRA_PQC_HYBRIDS */ |
4867 | 0 | #endif /* WOLFSSL_NO_ML_KEM */ |
4868 | | #ifdef WOLFSSL_MLKEM_KYBER |
4869 | | #ifdef WOLFSSL_KYBER512 |
4870 | | case WOLFSSL_KYBER_LEVEL1: |
4871 | | case WOLFSSL_P256_KYBER_LEVEL1: |
4872 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
4873 | | case WOLFSSL_X25519_KYBER_LEVEL1: |
4874 | | #endif |
4875 | | #endif |
4876 | | #ifdef WOLFSSL_KYBER768 |
4877 | | case WOLFSSL_KYBER_LEVEL3: |
4878 | | case WOLFSSL_P384_KYBER_LEVEL3: |
4879 | | case WOLFSSL_P256_KYBER_LEVEL3: |
4880 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
4881 | | case WOLFSSL_X25519_KYBER_LEVEL3: |
4882 | | #endif |
4883 | | #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448 |
4884 | | case WOLFSSL_X448_KYBER_LEVEL3: |
4885 | | #endif |
4886 | | #endif |
4887 | | #ifdef WOLFSSL_KYBER1024 |
4888 | | case WOLFSSL_KYBER_LEVEL5: |
4889 | | case WOLFSSL_P521_KYBER_LEVEL5: |
4890 | | #endif |
4891 | | return TLSX_IsMlKemGroupSupported(side); |
4892 | | #endif |
4893 | 0 | #endif /* WOLFSSL_HAVE_MLKEM */ |
4894 | 0 | default: |
4895 | 0 | return 0; |
4896 | 0 | } |
4897 | | |
4898 | 0 | return 1; |
4899 | 0 | } |
4900 | | #endif |
4901 | | |
4902 | | /******************************************************************************/ |
4903 | | /* Supported Elliptic Curves */ |
4904 | | /******************************************************************************/ |
4905 | | |
4906 | | #ifdef HAVE_SUPPORTED_CURVES |
4907 | | |
4908 | | #if !defined(HAVE_ECC) && !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448) \ |
4909 | | && !defined(HAVE_FFDHE) && !defined(WOLFSSL_HAVE_MLKEM) |
4910 | | #error Elliptic Curves Extension requires Elliptic Curve Cryptography or liboqs groups. \ |
4911 | | Use --enable-ecc and/or --enable-liboqs in the configure script or \ |
4912 | | define HAVE_ECC. Alternatively use FFDHE for DH cipher suites. |
4913 | | #endif |
4914 | | |
4915 | | static int TLSX_SupportedCurve_New(SupportedCurve** curve, word16 name, |
4916 | | void* heap) |
4917 | 0 | { |
4918 | 0 | if (curve == NULL) |
4919 | 0 | return BAD_FUNC_ARG; |
4920 | | |
4921 | 0 | (void)heap; |
4922 | |
|
4923 | 0 | *curve = (SupportedCurve*)XMALLOC(sizeof(SupportedCurve), heap, |
4924 | 0 | DYNAMIC_TYPE_TLSX); |
4925 | 0 | if (*curve == NULL) |
4926 | 0 | return MEMORY_E; |
4927 | | |
4928 | 0 | (*curve)->name = name; |
4929 | 0 | (*curve)->next = NULL; |
4930 | |
|
4931 | 0 | return 0; |
4932 | 0 | } |
4933 | | |
4934 | | static int TLSX_PointFormat_New(PointFormat** point, byte format, void* heap) |
4935 | 0 | { |
4936 | 0 | if (point == NULL) |
4937 | 0 | return BAD_FUNC_ARG; |
4938 | | |
4939 | 0 | (void)heap; |
4940 | |
|
4941 | 0 | *point = (PointFormat*)XMALLOC(sizeof(PointFormat), heap, |
4942 | 0 | DYNAMIC_TYPE_TLSX); |
4943 | 0 | if (*point == NULL) |
4944 | 0 | return MEMORY_E; |
4945 | | |
4946 | 0 | (*point)->format = format; |
4947 | 0 | (*point)->next = NULL; |
4948 | |
|
4949 | 0 | return 0; |
4950 | 0 | } |
4951 | | |
4952 | | static void TLSX_SupportedCurve_FreeAll(SupportedCurve* list, void* heap) |
4953 | 0 | { |
4954 | 0 | SupportedCurve* curve; |
4955 | |
|
4956 | 0 | while ((curve = list)) { |
4957 | 0 | list = curve->next; |
4958 | 0 | XFREE(curve, heap, DYNAMIC_TYPE_TLSX); |
4959 | 0 | } |
4960 | 0 | (void)heap; |
4961 | 0 | } |
4962 | | |
4963 | | static void TLSX_PointFormat_FreeAll(PointFormat* list, void* heap) |
4964 | 0 | { |
4965 | 0 | PointFormat* point; |
4966 | |
|
4967 | 0 | while ((point = list)) { |
4968 | 0 | list = point->next; |
4969 | 0 | XFREE(point, heap, DYNAMIC_TYPE_TLSX); |
4970 | 0 | } |
4971 | 0 | (void)heap; |
4972 | 0 | } |
4973 | | |
4974 | | static int TLSX_SupportedCurve_Append(SupportedCurve* list, word16 name, |
4975 | | void* heap) |
4976 | 0 | { |
4977 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
4978 | |
|
4979 | 0 | while (list) { |
4980 | 0 | if (list->name == name) { |
4981 | 0 | ret = 0; /* curve already in use */ |
4982 | 0 | break; |
4983 | 0 | } |
4984 | | |
4985 | 0 | if (list->next == NULL) { |
4986 | 0 | ret = TLSX_SupportedCurve_New(&list->next, name, heap); |
4987 | 0 | break; |
4988 | 0 | } |
4989 | | |
4990 | 0 | list = list->next; |
4991 | 0 | } |
4992 | |
|
4993 | 0 | return ret; |
4994 | 0 | } |
4995 | | |
4996 | | static int TLSX_PointFormat_Append(PointFormat* list, byte format, void* heap) |
4997 | 0 | { |
4998 | 0 | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
4999 | |
|
5000 | 0 | while (list) { |
5001 | 0 | if (list->format == format) { |
5002 | 0 | ret = 0; /* format already in use */ |
5003 | 0 | break; |
5004 | 0 | } |
5005 | | |
5006 | 0 | if (list->next == NULL) { |
5007 | 0 | ret = TLSX_PointFormat_New(&list->next, format, heap); |
5008 | 0 | break; |
5009 | 0 | } |
5010 | | |
5011 | 0 | list = list->next; |
5012 | 0 | } |
5013 | |
|
5014 | 0 | return ret; |
5015 | 0 | } |
5016 | | |
5017 | | #if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT) |
5018 | | |
5019 | | #if defined(HAVE_FFDHE) && (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ |
5020 | | defined(HAVE_CURVE448)) |
5021 | | static void TLSX_SupportedCurve_ValidateRequest(const WOLFSSL* ssl, |
5022 | | const byte* semaphore) |
5023 | 0 | { |
5024 | | /* If all pre-defined parameter types for key exchange are supported then |
5025 | | * always send SupportedGroups extension. |
5026 | | */ |
5027 | 0 | (void)ssl; |
5028 | 0 | (void)semaphore; |
5029 | 0 | } |
5030 | | #else |
5031 | | static void TLSX_SupportedCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore) |
5032 | | { |
5033 | | word16 i; |
5034 | | const Suites* suites = WOLFSSL_SUITES(ssl); |
5035 | | |
5036 | | for (i = 0; i < suites->suiteSz; i += 2) { |
5037 | | if (suites->suites[i] == TLS13_BYTE) |
5038 | | return; |
5039 | | #ifdef BUILD_TLS_SM4_GCM_SM3 |
5040 | | if ((suites->suites[i] == CIPHER_BYTE) && |
5041 | | (suites->suites[i+1] == TLS_SM4_GCM_SM3)) |
5042 | | return; |
5043 | | #endif |
5044 | | #ifdef BUILD_TLS_SM4_CCM_SM3 |
5045 | | if ((suites->suites[i] == CIPHER_BYTE) && |
5046 | | (suites->suites[i+1] == TLS_SM4_CCM_SM3)) |
5047 | | return; |
5048 | | #endif |
5049 | | #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 |
5050 | | if ((suites->suites[i] == SM_BYTE) && |
5051 | | (suites->suites[i+1] == TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3)) |
5052 | | return; |
5053 | | #endif |
5054 | | if ((suites->suites[i] == ECC_BYTE) || |
5055 | | (suites->suites[i] == ECDHE_PSK_BYTE) || |
5056 | | (suites->suites[i] == CHACHA_BYTE)) { |
5057 | | #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ |
5058 | | defined(HAVE_CURVE448) |
5059 | | return; |
5060 | | #endif |
5061 | | } |
5062 | | #ifdef HAVE_FFDHE |
5063 | | else { |
5064 | | return; |
5065 | | } |
5066 | | #endif |
5067 | | } |
5068 | | |
5069 | | /* turns semaphore on to avoid sending this extension. */ |
5070 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS)); |
5071 | | } |
5072 | | #endif |
5073 | | |
5074 | | /* Only send PointFormats if TLSv13, ECC or CHACHA cipher suite present. |
5075 | | */ |
5076 | | static void TLSX_PointFormat_ValidateRequest(WOLFSSL* ssl, byte* semaphore) |
5077 | 0 | { |
5078 | 0 | #ifdef HAVE_FFDHE |
5079 | 0 | (void)ssl; |
5080 | 0 | (void)semaphore; |
5081 | | #else |
5082 | | word16 i; |
5083 | | const Suites* suites = WOLFSSL_SUITES(ssl); |
5084 | | |
5085 | | if (suites == NULL) |
5086 | | return; |
5087 | | |
5088 | | for (i = 0; i < suites->suiteSz; i += 2) { |
5089 | | if (suites->suites[i] == TLS13_BYTE) |
5090 | | return; |
5091 | | #ifdef BUILD_TLS_SM4_GCM_SM3 |
5092 | | if ((suites->suites[i] == CIPHER_BYTE) && |
5093 | | (suites->suites[i+1] == TLS_SM4_GCM_SM3)) |
5094 | | return; |
5095 | | #endif |
5096 | | #ifdef BUILD_TLS_SM4_CCM_SM3 |
5097 | | if ((suites->suites[i] == CIPHER_BYTE) && |
5098 | | (suites->suites[i+1] == TLS_SM4_CCM_SM3)) |
5099 | | return; |
5100 | | #endif |
5101 | | #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 |
5102 | | if ((suites->suites[i] == SM_BYTE) && |
5103 | | (suites->suites[i+1] == TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3)) |
5104 | | return; |
5105 | | #endif |
5106 | | if ((suites->suites[i] == ECC_BYTE) || |
5107 | | (suites->suites[i] == ECDHE_PSK_BYTE) || |
5108 | | (suites->suites[i] == CHACHA_BYTE)) { |
5109 | | #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ |
5110 | | defined(HAVE_CURVE448) |
5111 | | return; |
5112 | | #endif |
5113 | | } |
5114 | | } |
5115 | | /* turns semaphore on to avoid sending this extension. */ |
5116 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS)); |
5117 | | #endif |
5118 | 0 | } |
5119 | | |
5120 | | #endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */ |
5121 | | |
5122 | | #ifndef NO_WOLFSSL_SERVER |
5123 | | |
5124 | | static void TLSX_PointFormat_ValidateResponse(WOLFSSL* ssl, byte* semaphore) |
5125 | 0 | { |
5126 | 0 | #if defined(HAVE_FFDHE) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \ |
5127 | 0 | defined(HAVE_CURVE448) |
5128 | 0 | (void)semaphore; |
5129 | 0 | #endif |
5130 | |
|
5131 | 0 | if (ssl->options.cipherSuite0 == TLS13_BYTE) |
5132 | 0 | return; |
5133 | | #ifdef BUILD_TLS_SM4_GCM_SM3 |
5134 | | if ((ssl->options.cipherSuite0 == CIPHER_BYTE) && |
5135 | | (ssl->options.cipherSuite == TLS_SM4_GCM_SM3)) |
5136 | | return; |
5137 | | #endif |
5138 | | #ifdef BUILD_TLS_SM4_CCM_SM3 |
5139 | | if ((ssl->options.cipherSuite0 == CIPHER_BYTE) && |
5140 | | (ssl->options.cipherSuite == TLS_SM4_CCM_SM3)) |
5141 | | return; |
5142 | | #endif |
5143 | | #ifdef BUILD_TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3 |
5144 | | if ((ssl->options.cipherSuite0 == SM_BYTE) && |
5145 | | (ssl->options.cipherSuite == TLS_ECDHE_ECDSA_WITH_SM4_CBC_SM3)) |
5146 | | return; |
5147 | | #endif |
5148 | 0 | #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) |
5149 | 0 | if (ssl->options.cipherSuite0 == ECC_BYTE || |
5150 | 0 | ssl->options.cipherSuite0 == ECDHE_PSK_BYTE || |
5151 | 0 | ssl->options.cipherSuite0 == CHACHA_BYTE) { |
5152 | 0 | return; |
5153 | 0 | } |
5154 | 0 | #endif |
5155 | | |
5156 | | /* turns semaphore on to avoid sending this extension. */ |
5157 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS)); |
5158 | 0 | } |
5159 | | |
5160 | | #endif /* !NO_WOLFSSL_SERVER */ |
5161 | | |
5162 | | #if !defined(NO_WOLFSSL_CLIENT) || defined(WOLFSSL_TLS13) |
5163 | | |
5164 | | static word16 TLSX_SupportedCurve_GetSize(SupportedCurve* list) |
5165 | 0 | { |
5166 | 0 | SupportedCurve* curve; |
5167 | 0 | word16 length = OPAQUE16_LEN; /* list length */ |
5168 | |
|
5169 | 0 | while ((curve = list)) { |
5170 | 0 | list = curve->next; |
5171 | 0 | length += OPAQUE16_LEN; /* curve length */ |
5172 | 0 | } |
5173 | |
|
5174 | 0 | return length; |
5175 | 0 | } |
5176 | | |
5177 | | #endif |
5178 | | |
5179 | | static word16 TLSX_PointFormat_GetSize(PointFormat* list) |
5180 | 0 | { |
5181 | 0 | PointFormat* point; |
5182 | 0 | word16 length = ENUM_LEN; /* list length */ |
5183 | |
|
5184 | 0 | while ((point = list)) { |
5185 | 0 | list = point->next; |
5186 | 0 | length += ENUM_LEN; /* format length */ |
5187 | 0 | } |
5188 | |
|
5189 | 0 | return length; |
5190 | 0 | } |
5191 | | |
5192 | | #if !defined(NO_WOLFSSL_CLIENT) || defined(WOLFSSL_TLS13) |
5193 | | |
5194 | | static word16 TLSX_SupportedCurve_Write(SupportedCurve* list, byte* output) |
5195 | 0 | { |
5196 | 0 | word16 offset = OPAQUE16_LEN; |
5197 | |
|
5198 | 0 | while (list) { |
5199 | 0 | c16toa(list->name, output + offset); |
5200 | 0 | offset += OPAQUE16_LEN; |
5201 | 0 | list = list->next; |
5202 | 0 | } |
5203 | |
|
5204 | 0 | c16toa(offset - OPAQUE16_LEN, output); /* writing list length */ |
5205 | |
|
5206 | 0 | return offset; |
5207 | 0 | } |
5208 | | |
5209 | | #endif |
5210 | | |
5211 | | static word16 TLSX_PointFormat_Write(PointFormat* list, byte* output) |
5212 | 0 | { |
5213 | 0 | word16 offset = ENUM_LEN; |
5214 | |
|
5215 | 0 | while (list) { |
5216 | 0 | output[offset++] = list->format; |
5217 | 0 | list = list->next; |
5218 | 0 | } |
5219 | |
|
5220 | 0 | output[0] = (byte)(offset - ENUM_LEN); |
5221 | |
|
5222 | 0 | return offset; |
5223 | 0 | } |
5224 | | |
5225 | | #if !defined(NO_WOLFSSL_SERVER) || (defined(WOLFSSL_TLS13) && \ |
5226 | | !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)) |
5227 | | |
5228 | | int TLSX_SupportedCurve_Parse(const WOLFSSL* ssl, const byte* input, |
5229 | | word16 length, byte isRequest, TLSX** extensions) |
5230 | 0 | { |
5231 | 0 | word16 offset; |
5232 | 0 | word16 name; |
5233 | 0 | int ret = 0; |
5234 | 0 | TLSX* extension; |
5235 | |
|
5236 | 0 | if(!isRequest && !IsAtLeastTLSv1_3(ssl->version)) { |
5237 | | #ifdef WOLFSSL_ALLOW_SERVER_SC_EXT |
5238 | | return 0; |
5239 | | #else |
5240 | 0 | return BUFFER_ERROR; /* servers doesn't send this extension. */ |
5241 | 0 | #endif |
5242 | 0 | } |
5243 | 0 | if (OPAQUE16_LEN > length || length % OPAQUE16_LEN) |
5244 | 0 | return BUFFER_ERROR; |
5245 | 0 | ato16(input, &offset); |
5246 | | /* validating curve list length */ |
5247 | 0 | if (length != OPAQUE16_LEN + offset) |
5248 | 0 | return BUFFER_ERROR; |
5249 | 0 | offset = OPAQUE16_LEN; |
5250 | 0 | if (offset == length) { |
5251 | | /* An empty named group list is malformed (named_group_list<2..2^16-1>, |
5252 | | * RFC 8422 / RFC 8446). BUFFER_ERROR yields a decode_error alert (see |
5253 | | * TranslateErrorToAlert()). Accepting it would also make an explicit |
5254 | | * empty extension look absent and impose no group restriction. */ |
5255 | 0 | return BUFFER_ERROR; |
5256 | 0 | } |
5257 | | |
5258 | 0 | extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS); |
5259 | 0 | if (extension == NULL) { |
5260 | | /* Just accept what the peer wants to use */ |
5261 | 0 | for (; offset < length; offset += OPAQUE16_LEN) { |
5262 | 0 | ato16(input + offset, &name); |
5263 | |
|
5264 | 0 | ret = TLSX_UseSupportedCurve(extensions, name, ssl->heap, |
5265 | 0 | ssl->options.side); |
5266 | | /* If it is BAD_FUNC_ARG then it is a group we do not support, but |
5267 | | * that is fine. */ |
5268 | 0 | if (ret != WOLFSSL_SUCCESS && |
5269 | 0 | ret != WC_NO_ERR_TRACE(BAD_FUNC_ARG)) |
5270 | 0 | break; |
5271 | 0 | ret = 0; |
5272 | 0 | } |
5273 | | /* All advertised groups are unsupported, so no node was added above. |
5274 | | * Record an empty node so suite selection still sees the restriction |
5275 | | * (e.g. ECC/ECDHE must not be chosen) instead of treating the |
5276 | | * extension as absent. */ |
5277 | 0 | if (ret == 0 && isRequest && |
5278 | 0 | TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS) == NULL) { |
5279 | 0 | ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, NULL, ssl->heap); |
5280 | 0 | } |
5281 | 0 | } |
5282 | 0 | else { |
5283 | | /* Find the intersection with what the user has set */ |
5284 | 0 | SupportedCurve* commonCurves = NULL; |
5285 | 0 | for (; offset < length; offset += OPAQUE16_LEN) { |
5286 | 0 | SupportedCurve* foundCurve = (SupportedCurve*)extension->data; |
5287 | 0 | ato16(input + offset, &name); |
5288 | |
|
5289 | 0 | while (foundCurve != NULL && foundCurve->name != name) |
5290 | 0 | foundCurve = foundCurve->next; |
5291 | |
|
5292 | 0 | if (foundCurve != NULL) { |
5293 | 0 | ret = commonCurves == NULL ? |
5294 | 0 | TLSX_SupportedCurve_New(&commonCurves, name, ssl->heap) : |
5295 | 0 | TLSX_SupportedCurve_Append(commonCurves, name, ssl->heap); |
5296 | 0 | if (ret != 0) |
5297 | 0 | break; |
5298 | 0 | } |
5299 | 0 | } |
5300 | | /* If no common curves return error. In TLS 1.3 we can still try to save |
5301 | | * this by using HRR. */ |
5302 | 0 | if (ret == 0 && commonCurves == NULL && |
5303 | 0 | !IsAtLeastTLSv1_3(ssl->version)) |
5304 | 0 | ret = ECC_CURVE_ERROR; |
5305 | 0 | if (ret == 0) { |
5306 | | /* Now swap out the curves in the extension */ |
5307 | 0 | TLSX_SupportedCurve_FreeAll((SupportedCurve*)extension->data, |
5308 | 0 | ssl->heap); |
5309 | 0 | extension->data = commonCurves; |
5310 | 0 | commonCurves = NULL; |
5311 | 0 | } |
5312 | 0 | TLSX_SupportedCurve_FreeAll(commonCurves, ssl->heap); |
5313 | 0 | } |
5314 | |
|
5315 | 0 | return ret; |
5316 | 0 | } |
5317 | | #endif |
5318 | | |
5319 | | #if !defined(NO_WOLFSSL_SERVER) |
5320 | | |
5321 | | #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) |
5322 | | |
5323 | | /* Checks the priority of the groups on the server and set the supported groups |
5324 | | * response if there is a group not advertised by the client that is preferred. |
5325 | | * |
5326 | | * ssl SSL/TLS object. |
5327 | | * returns 0 on success, otherwise an error. |
5328 | | */ |
5329 | | int TLSX_SupportedCurve_CheckPriority(WOLFSSL* ssl) |
5330 | 0 | { |
5331 | 0 | int ret; |
5332 | 0 | TLSX* extension; |
5333 | 0 | TLSX* priority = NULL; |
5334 | 0 | TLSX* ext = NULL; |
5335 | 0 | word16 name; |
5336 | 0 | SupportedCurve* curve; |
5337 | |
|
5338 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS); |
5339 | | /* May be doing PSK with no key exchange. */ |
5340 | 0 | if (extension == NULL) |
5341 | 0 | return 0; |
5342 | | |
5343 | 0 | ret = TLSX_PopulateSupportedGroups(ssl, &priority); |
5344 | 0 | if (ret != WOLFSSL_SUCCESS) { |
5345 | 0 | TLSX_FreeAll(priority, ssl->heap); |
5346 | 0 | return ret; |
5347 | 0 | } |
5348 | | |
5349 | 0 | ext = TLSX_Find(priority, TLSX_SUPPORTED_GROUPS); |
5350 | 0 | if (ext == NULL) { |
5351 | 0 | WOLFSSL_MSG("Could not find supported groups extension"); |
5352 | 0 | TLSX_FreeAll(priority, ssl->heap); |
5353 | 0 | return 0; |
5354 | 0 | } |
5355 | | |
5356 | 0 | curve = (SupportedCurve*)ext->data; |
5357 | 0 | name = curve->name; |
5358 | |
|
5359 | 0 | curve = (SupportedCurve*)extension->data; |
5360 | 0 | while (curve != NULL) { |
5361 | 0 | if (curve->name == name) |
5362 | 0 | break; |
5363 | 0 | curve = curve->next; |
5364 | 0 | } |
5365 | |
|
5366 | 0 | if (curve == NULL) { |
5367 | | /* Couldn't find the preferred group in client list. */ |
5368 | 0 | extension->resp = 1; |
5369 | | |
5370 | | /* Send server list back and free client list. */ |
5371 | 0 | curve = (SupportedCurve*)extension->data; |
5372 | 0 | extension->data = ext->data; |
5373 | 0 | ext->data = curve; |
5374 | 0 | } |
5375 | |
|
5376 | 0 | TLSX_FreeAll(priority, ssl->heap); |
5377 | |
|
5378 | 0 | return 0; |
5379 | 0 | } |
5380 | | |
5381 | | #endif /* WOLFSSL_TLS13 && !WOLFSSL_NO_SERVER_GROUPS_EXT */ |
5382 | | |
5383 | | #if defined(HAVE_FFDHE) && !defined(WOLFSSL_NO_TLS12) |
5384 | | #ifdef HAVE_PUBLIC_FFDHE |
5385 | | static int tlsx_ffdhe_find_group(WOLFSSL* ssl, SupportedCurve* clientGroup, |
5386 | | SupportedCurve* serverGroup) |
5387 | 0 | { |
5388 | 0 | int ret = 0; |
5389 | 0 | SupportedCurve* group; |
5390 | 0 | const DhParams* params = NULL; |
5391 | |
|
5392 | 0 | for (; serverGroup != NULL; serverGroup = serverGroup->next) { |
5393 | 0 | if (!WOLFSSL_NAMED_GROUP_IS_FFDHE(serverGroup->name)) |
5394 | 0 | continue; |
5395 | | |
5396 | 0 | for (group = clientGroup; group != NULL; group = group->next) { |
5397 | 0 | if (serverGroup->name != group->name) |
5398 | 0 | continue; |
5399 | | |
5400 | 0 | switch (serverGroup->name) { |
5401 | 0 | #ifdef HAVE_FFDHE_2048 |
5402 | 0 | case WOLFSSL_FFDHE_2048: |
5403 | 0 | params = wc_Dh_ffdhe2048_Get(); |
5404 | 0 | break; |
5405 | 0 | #endif |
5406 | | #ifdef HAVE_FFDHE_3072 |
5407 | | case WOLFSSL_FFDHE_3072: |
5408 | | params = wc_Dh_ffdhe3072_Get(); |
5409 | | break; |
5410 | | #endif |
5411 | | #ifdef HAVE_FFDHE_4096 |
5412 | | case WOLFSSL_FFDHE_4096: |
5413 | | params = wc_Dh_ffdhe4096_Get(); |
5414 | | break; |
5415 | | #endif |
5416 | | #ifdef HAVE_FFDHE_6144 |
5417 | | case WOLFSSL_FFDHE_6144: |
5418 | | params = wc_Dh_ffdhe6144_Get(); |
5419 | | break; |
5420 | | #endif |
5421 | | #ifdef HAVE_FFDHE_8192 |
5422 | | case WOLFSSL_FFDHE_8192: |
5423 | | params = wc_Dh_ffdhe8192_Get(); |
5424 | | break; |
5425 | | #endif |
5426 | 0 | default: |
5427 | 0 | break; |
5428 | 0 | } |
5429 | 0 | if (params == NULL) { |
5430 | 0 | ret = BAD_FUNC_ARG; |
5431 | 0 | break; |
5432 | 0 | } |
5433 | 0 | if (params->p_len >= ssl->options.minDhKeySz && |
5434 | 0 | params->p_len <= ssl->options.maxDhKeySz) { |
5435 | 0 | break; |
5436 | 0 | } |
5437 | 0 | } |
5438 | | |
5439 | 0 | if (ret != 0) |
5440 | 0 | break; |
5441 | 0 | if ((group != NULL) && (serverGroup->name == group->name)) |
5442 | 0 | break; |
5443 | 0 | } |
5444 | | |
5445 | 0 | if ((ret == 0) && (serverGroup != NULL) && (params != NULL)) { |
5446 | 0 | ssl->buffers.serverDH_P.buffer = (unsigned char *)params->p; |
5447 | 0 | ssl->buffers.serverDH_P.length = params->p_len; |
5448 | 0 | ssl->buffers.serverDH_G.buffer = (unsigned char *)params->g; |
5449 | 0 | ssl->buffers.serverDH_G.length = params->g_len; |
5450 | |
|
5451 | 0 | ssl->namedGroup = serverGroup->name; |
5452 | 0 | #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \ |
5453 | 0 | !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) |
5454 | 0 | ssl->options.dhDoKeyTest = 0; |
5455 | 0 | #endif |
5456 | 0 | ssl->options.haveDH = 1; |
5457 | 0 | } |
5458 | |
|
5459 | 0 | return ret; |
5460 | 0 | } |
5461 | | #else |
5462 | | static int tlsx_ffdhe_find_group(WOLFSSL* ssl, SupportedCurve* clientGroup, |
5463 | | SupportedCurve* serverGroup) |
5464 | | { |
5465 | | int ret = 0; |
5466 | | SupportedCurve* group; |
5467 | | word32 p_len; |
5468 | | |
5469 | | for (; serverGroup != NULL; serverGroup = serverGroup->next) { |
5470 | | if (!WOLFSSL_NAMED_GROUP_IS_FFDHE(serverGroup->name)) |
5471 | | continue; |
5472 | | |
5473 | | for (group = clientGroup; group != NULL; group = group->next) { |
5474 | | if (serverGroup->name != group->name) |
5475 | | continue; |
5476 | | |
5477 | | ret = wc_DhGetNamedKeyParamSize(serverGroup->name, &p_len, NULL, NULL); |
5478 | | if (ret == 0) { |
5479 | | if (p_len == 0) { |
5480 | | ret = BAD_FUNC_ARG; |
5481 | | break; |
5482 | | } |
5483 | | if (p_len >= ssl->options.minDhKeySz && |
5484 | | p_len <= ssl->options.maxDhKeySz) { |
5485 | | break; |
5486 | | } |
5487 | | } |
5488 | | } |
5489 | | |
5490 | | if (ret != 0) |
5491 | | break; |
5492 | | if ((group != NULL) && (serverGroup->name == group->name)) |
5493 | | break; |
5494 | | } |
5495 | | |
5496 | | if ((ret == 0) && (serverGroup != NULL)) { |
5497 | | word32 pSz, gSz; |
5498 | | |
5499 | | ssl->buffers.serverDH_P.buffer = NULL; |
5500 | | ssl->buffers.serverDH_G.buffer = NULL; |
5501 | | ret = wc_DhGetNamedKeyParamSize(serverGroup->name, &pSz, &gSz, NULL); |
5502 | | if (ret == 0) { |
5503 | | ssl->buffers.serverDH_P.buffer = |
5504 | | (byte*)XMALLOC(pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
5505 | | if (ssl->buffers.serverDH_P.buffer == NULL) |
5506 | | ret = MEMORY_E; |
5507 | | else |
5508 | | ssl->buffers.serverDH_P.length = pSz; |
5509 | | } |
5510 | | if (ret == 0) { |
5511 | | ssl->buffers.serverDH_G.buffer = |
5512 | | (byte*)XMALLOC(gSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
5513 | | if (ssl->buffers.serverDH_G.buffer == NULL) { |
5514 | | ret = MEMORY_E; |
5515 | | } else |
5516 | | ssl->buffers.serverDH_G.length = gSz; |
5517 | | } |
5518 | | if (ret == 0) { |
5519 | | ret = wc_DhCopyNamedKey(serverGroup->name, |
5520 | | ssl->buffers.serverDH_P.buffer, &pSz, |
5521 | | ssl->buffers.serverDH_G.buffer, &gSz, |
5522 | | NULL, NULL); |
5523 | | } |
5524 | | if (ret == 0) { |
5525 | | ssl->buffers.weOwnDH = 1; |
5526 | | |
5527 | | ssl->namedGroup = serverGroup->name; |
5528 | | #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \ |
5529 | | !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) |
5530 | | ssl->options.dhDoKeyTest = 0; |
5531 | | #endif |
5532 | | ssl->options.haveDH = 1; |
5533 | | } |
5534 | | else { |
5535 | | if (ssl->buffers.serverDH_P.buffer != NULL) { |
5536 | | XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, |
5537 | | DYNAMIC_TYPE_PUBLIC_KEY); |
5538 | | ssl->buffers.serverDH_P.length = 0; |
5539 | | ssl->buffers.serverDH_P.buffer = NULL; |
5540 | | } |
5541 | | if (ssl->buffers.serverDH_G.buffer != NULL) { |
5542 | | XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, |
5543 | | DYNAMIC_TYPE_PUBLIC_KEY); |
5544 | | ssl->buffers.serverDH_G.length = 0; |
5545 | | ssl->buffers.serverDH_G.buffer = NULL; |
5546 | | } |
5547 | | } |
5548 | | } |
5549 | | |
5550 | | return ret; |
5551 | | } |
5552 | | #endif |
5553 | | |
5554 | | /* Set the highest priority common FFDHE group on the server as compared to |
5555 | | * client extensions. |
5556 | | * |
5557 | | * ssl SSL/TLS object. |
5558 | | * returns 0 on success, otherwise an error. |
5559 | | */ |
5560 | | int TLSX_SupportedFFDHE_Set(WOLFSSL* ssl) |
5561 | 0 | { |
5562 | 0 | int ret; |
5563 | 0 | TLSX* priority = NULL; |
5564 | 0 | TLSX* ext = NULL; |
5565 | 0 | TLSX* extension; |
5566 | 0 | SupportedCurve* clientGroup; |
5567 | 0 | SupportedCurve* group; |
5568 | 0 | int found = 0; |
5569 | |
|
5570 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS); |
5571 | | /* May be doing PSK with no key exchange. */ |
5572 | 0 | if (extension == NULL) |
5573 | 0 | return 0; |
5574 | 0 | clientGroup = (SupportedCurve*)extension->data; |
5575 | 0 | for (group = clientGroup; group != NULL; group = group->next) { |
5576 | 0 | if (WOLFSSL_NAMED_GROUP_IS_FFDHE(group->name)) { |
5577 | 0 | found = 1; |
5578 | 0 | break; |
5579 | 0 | } |
5580 | 0 | } |
5581 | 0 | if (!found) |
5582 | 0 | return 0; |
5583 | | |
5584 | 0 | if (ssl->buffers.serverDH_P.buffer && ssl->buffers.weOwnDH) { |
5585 | 0 | XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, |
5586 | 0 | DYNAMIC_TYPE_PUBLIC_KEY); |
5587 | 0 | } |
5588 | 0 | if (ssl->buffers.serverDH_G.buffer && ssl->buffers.weOwnDH) { |
5589 | 0 | XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, |
5590 | 0 | DYNAMIC_TYPE_PUBLIC_KEY); |
5591 | 0 | } |
5592 | 0 | ssl->buffers.serverDH_P.buffer = NULL; |
5593 | 0 | ssl->buffers.serverDH_G.buffer = NULL; |
5594 | 0 | ssl->buffers.weOwnDH = 0; |
5595 | 0 | ssl->options.haveDH = 0; |
5596 | |
|
5597 | 0 | ret = TLSX_PopulateSupportedGroups(ssl, &priority); |
5598 | 0 | if (ret == WOLFSSL_SUCCESS) { |
5599 | 0 | SupportedCurve* serverGroup; |
5600 | |
|
5601 | 0 | ext = TLSX_Find(priority, TLSX_SUPPORTED_GROUPS); |
5602 | 0 | if (ext == NULL) { |
5603 | 0 | WOLFSSL_MSG("Could not find supported groups extension"); |
5604 | 0 | ret = 0; |
5605 | 0 | } |
5606 | 0 | else { |
5607 | 0 | serverGroup = (SupportedCurve*)ext->data; |
5608 | 0 | ret = tlsx_ffdhe_find_group(ssl, clientGroup, serverGroup); |
5609 | 0 | } |
5610 | 0 | } |
5611 | |
|
5612 | 0 | TLSX_FreeAll(priority, ssl->heap); |
5613 | |
|
5614 | 0 | return ret; |
5615 | 0 | } |
5616 | | #endif /* HAVE_FFDHE && !WOLFSSL_NO_TLS12 */ |
5617 | | #endif /* !NO_WOLFSSL_SERVER */ |
5618 | | |
5619 | | /* Check if the given curve is present in the supported groups extension. |
5620 | | * |
5621 | | * ssl SSL/TLS object. |
5622 | | * name The curve name to check. |
5623 | | * returns 1 if present, 0 otherwise. |
5624 | | */ |
5625 | | int TLSX_SupportedCurve_IsSupported(WOLFSSL* ssl, word16 name) |
5626 | 0 | { |
5627 | 0 | TLSX* extension; |
5628 | 0 | SupportedCurve* curve; |
5629 | |
|
5630 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS); |
5631 | 0 | if (extension == NULL) |
5632 | 0 | return 0; |
5633 | | |
5634 | 0 | curve = (SupportedCurve*)extension->data; |
5635 | 0 | while (curve != NULL) { |
5636 | 0 | if (curve->name == name) |
5637 | 0 | return 1; |
5638 | 0 | curve = curve->next; |
5639 | 0 | } |
5640 | | |
5641 | 0 | return 0; |
5642 | 0 | } |
5643 | | |
5644 | | #if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_SERVER_GROUPS_EXT) |
5645 | | /* Return the preferred group. |
5646 | | * |
5647 | | * ssl SSL/TLS object. |
5648 | | * checkSupported Whether to check for the first supported group. |
5649 | | * returns BAD_FUNC_ARG if no group found, otherwise the group. |
5650 | | */ |
5651 | | int TLSX_SupportedCurve_Preferred(WOLFSSL* ssl, int checkSupported) |
5652 | 0 | { |
5653 | 0 | TLSX* extension; |
5654 | 0 | SupportedCurve* curve; |
5655 | |
|
5656 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS); |
5657 | 0 | if (extension == NULL) |
5658 | 0 | return BAD_FUNC_ARG; |
5659 | | |
5660 | 0 | curve = (SupportedCurve*)extension->data; |
5661 | 0 | while (curve != NULL) { |
5662 | 0 | if (!checkSupported || |
5663 | 0 | TLSX_IsGroupSupported(curve->name, ssl->options.side)) |
5664 | 0 | return curve->name; |
5665 | 0 | curve = curve->next; |
5666 | 0 | } |
5667 | | |
5668 | 0 | return BAD_FUNC_ARG; |
5669 | 0 | } |
5670 | | |
5671 | | #endif /* HAVE_SUPPORTED_CURVES */ |
5672 | | |
5673 | | #ifndef NO_WOLFSSL_SERVER |
5674 | | |
5675 | | static int TLSX_PointFormat_Parse(WOLFSSL* ssl, const byte* input, |
5676 | | word16 length, byte isRequest) |
5677 | 0 | { |
5678 | 0 | int ret; |
5679 | | |
5680 | | /* validating formats list length */ |
5681 | 0 | if (ENUM_LEN > length || length != (word16)ENUM_LEN + input[0]) |
5682 | 0 | return BUFFER_ERROR; |
5683 | | |
5684 | 0 | if (isRequest) { |
5685 | 0 | #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SUPPORTED_CURVES) |
5686 | | /* RFC 8422 Section 5.1.2: a client that sends the ec_point_formats |
5687 | | * extension MUST include the uncompressed (0) format. Record whether |
5688 | | * it is missing so DoClientHello() can abort with an illegal_parameter |
5689 | | * alert if the client also advertised ECC named groups. The decision |
5690 | | * is deferred to after all extensions are parsed so it does not depend |
5691 | | * on the relative order of the supported_groups and ec_point_formats |
5692 | | * extensions in the ClientHello. */ |
5693 | 0 | word16 i; |
5694 | 0 | int found = 0; |
5695 | |
|
5696 | 0 | for (i = 0; i < input[0]; i++) { |
5697 | 0 | if (input[ENUM_LEN + i] == WOLFSSL_EC_PF_UNCOMPRESSED) { |
5698 | 0 | found = 1; |
5699 | 0 | break; |
5700 | 0 | } |
5701 | 0 | } |
5702 | 0 | ssl->options.peerNoUncompPF = (found == 0); |
5703 | 0 | #endif |
5704 | | |
5705 | | /* adding uncompressed point format to response */ |
5706 | 0 | ret = TLSX_UsePointFormat(&ssl->extensions, WOLFSSL_EC_PF_UNCOMPRESSED, |
5707 | 0 | ssl->heap); |
5708 | 0 | if (ret != WOLFSSL_SUCCESS) |
5709 | 0 | return ret; /* throw error */ |
5710 | | |
5711 | 0 | TLSX_SetResponse(ssl, TLSX_EC_POINT_FORMATS); |
5712 | 0 | } |
5713 | | |
5714 | 0 | return 0; |
5715 | 0 | } |
5716 | | |
5717 | | #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) |
5718 | | int TLSX_ValidateSupportedCurves(const WOLFSSL* ssl, byte first, byte second, |
5719 | 0 | word32* ecdhCurveOID) { |
5720 | 0 | TLSX* extension = NULL; |
5721 | 0 | SupportedCurve* curve = NULL; |
5722 | 0 | word32 oid = 0; |
5723 | 0 | word32 defOid = 0; |
5724 | 0 | word32 defSz = 80; /* Maximum known curve size is 66. */ |
5725 | 0 | word32 nextOid = 0; |
5726 | 0 | word32 nextSz = 80; /* Maximum known curve size is 66. */ |
5727 | 0 | word32 currOid = ssl->ecdhCurveOID; |
5728 | 0 | int ephmSuite = 0; |
5729 | 0 | word16 octets = 0; /* according to 'ecc_set_type ecc_sets[];' */ |
5730 | 0 | int key = 0; /* validate key */ |
5731 | 0 | int foundCurve = 0; /* Found at least one supported curve */ |
5732 | |
|
5733 | 0 | (void)oid; |
5734 | |
|
5735 | 0 | if (first == CHACHA_BYTE) { |
5736 | 0 | switch (second) { |
5737 | 0 | case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: |
5738 | 0 | case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256: |
5739 | 0 | case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256: |
5740 | 0 | case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256: |
5741 | 0 | return 1; /* no suite restriction */ |
5742 | 0 | case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: |
5743 | 0 | case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256: |
5744 | 0 | case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256: |
5745 | 0 | break; |
5746 | 0 | } |
5747 | 0 | } |
5748 | 0 | if (first == ECC_BYTE || first == ECDHE_PSK_BYTE || first == CHACHA_BYTE) |
5749 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS); |
5750 | 0 | if (!extension) |
5751 | 0 | return 1; /* no suite restriction */ |
5752 | | |
5753 | 0 | for (curve = (SupportedCurve*)extension->data; |
5754 | 0 | curve && !key; |
5755 | 0 | curve = curve->next) { |
5756 | |
|
5757 | | #ifdef OPENSSL_EXTRA |
5758 | | /* skip if name is not in supported ECC range |
5759 | | * or disabled by user */ |
5760 | | if (wolfSSL_curve_is_disabled(ssl, curve->name)) |
5761 | | continue; |
5762 | | #endif |
5763 | | |
5764 | | /* find supported curve */ |
5765 | 0 | switch (curve->name) { |
5766 | 0 | #ifdef HAVE_ECC |
5767 | | #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160 |
5768 | | #ifndef NO_ECC_SECP |
5769 | | case WOLFSSL_ECC_SECP160R1: |
5770 | | oid = ECC_SECP160R1_OID; |
5771 | | octets = 20; |
5772 | | break; |
5773 | | #endif /* !NO_ECC_SECP */ |
5774 | | #ifdef HAVE_ECC_SECPR2 |
5775 | | case WOLFSSL_ECC_SECP160R2: |
5776 | | oid = ECC_SECP160R2_OID; |
5777 | | octets = 20; |
5778 | | break; |
5779 | | #endif /* HAVE_ECC_SECPR2 */ |
5780 | | #ifdef HAVE_ECC_KOBLITZ |
5781 | | case WOLFSSL_ECC_SECP160K1: |
5782 | | oid = ECC_SECP160K1_OID; |
5783 | | octets = 20; |
5784 | | break; |
5785 | | #endif /* HAVE_ECC_KOBLITZ */ |
5786 | | #endif |
5787 | | #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192 |
5788 | | #ifndef NO_ECC_SECP |
5789 | | case WOLFSSL_ECC_SECP192R1: |
5790 | | oid = ECC_SECP192R1_OID; |
5791 | | octets = 24; |
5792 | | break; |
5793 | | #endif /* !NO_ECC_SECP */ |
5794 | | #ifdef HAVE_ECC_KOBLITZ |
5795 | | case WOLFSSL_ECC_SECP192K1: |
5796 | | oid = ECC_SECP192K1_OID; |
5797 | | octets = 24; |
5798 | | break; |
5799 | | #endif /* HAVE_ECC_KOBLITZ */ |
5800 | | #endif |
5801 | 0 | #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224 |
5802 | 0 | #ifndef NO_ECC_SECP |
5803 | 0 | case WOLFSSL_ECC_SECP224R1: |
5804 | 0 | oid = ECC_SECP224R1_OID; |
5805 | 0 | octets = 28; |
5806 | 0 | break; |
5807 | 0 | #endif /* !NO_ECC_SECP */ |
5808 | | #ifdef HAVE_ECC_KOBLITZ |
5809 | | case WOLFSSL_ECC_SECP224K1: |
5810 | | oid = ECC_SECP224K1_OID; |
5811 | | octets = 28; |
5812 | | break; |
5813 | | #endif /* HAVE_ECC_KOBLITZ */ |
5814 | 0 | #endif |
5815 | 0 | #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 |
5816 | 0 | #ifndef NO_ECC_SECP |
5817 | 0 | case WOLFSSL_ECC_SECP256R1: |
5818 | 0 | oid = ECC_SECP256R1_OID; |
5819 | 0 | octets = 32; |
5820 | 0 | break; |
5821 | 0 | #endif /* !NO_ECC_SECP */ |
5822 | 0 | #endif /* !NO_ECC256 || HAVE_ALL_CURVES */ |
5823 | 0 | #endif |
5824 | | #if (defined(HAVE_CURVE25519) || defined(HAVE_ED25519)) && ECC_MIN_KEY_SZ <= 256 |
5825 | | case WOLFSSL_ECC_X25519: |
5826 | | oid = ECC_X25519_OID; |
5827 | | octets = 32; |
5828 | | break; |
5829 | | #endif /* HAVE_CURVE25519 */ |
5830 | 0 | #ifdef HAVE_ECC |
5831 | 0 | #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 |
5832 | | #ifdef HAVE_ECC_KOBLITZ |
5833 | | case WOLFSSL_ECC_SECP256K1: |
5834 | | oid = ECC_SECP256K1_OID; |
5835 | | octets = 32; |
5836 | | break; |
5837 | | #endif /* HAVE_ECC_KOBLITZ */ |
5838 | | #ifdef HAVE_ECC_BRAINPOOL |
5839 | | case WOLFSSL_ECC_BRAINPOOLP256R1: |
5840 | | oid = ECC_BRAINPOOLP256R1_OID; |
5841 | | octets = 32; |
5842 | | break; |
5843 | | #endif /* HAVE_ECC_BRAINPOOL */ |
5844 | | #ifdef WOLFSSL_SM2 |
5845 | | case WOLFSSL_ECC_SM2P256V1: |
5846 | | oid = ECC_SM2P256V1_OID; |
5847 | | octets = 32; |
5848 | | break; |
5849 | | #endif /* WOLFSSL_SM2 */ |
5850 | 0 | #endif |
5851 | 0 | #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 |
5852 | 0 | #ifndef NO_ECC_SECP |
5853 | 0 | case WOLFSSL_ECC_SECP384R1: |
5854 | 0 | oid = ECC_SECP384R1_OID; |
5855 | 0 | octets = 48; |
5856 | 0 | break; |
5857 | 0 | #endif /* !NO_ECC_SECP */ |
5858 | | #ifdef HAVE_ECC_BRAINPOOL |
5859 | | case WOLFSSL_ECC_BRAINPOOLP384R1: |
5860 | | oid = ECC_BRAINPOOLP384R1_OID; |
5861 | | octets = 48; |
5862 | | break; |
5863 | | #endif /* HAVE_ECC_BRAINPOOL */ |
5864 | 0 | #endif |
5865 | 0 | #endif |
5866 | | #if (defined(HAVE_CURVE448) || defined(HAVE_ED448)) && ECC_MIN_KEY_SZ <= 448 |
5867 | | case WOLFSSL_ECC_X448: |
5868 | | oid = ECC_X448_OID; |
5869 | | octets = 57; |
5870 | | break; |
5871 | | #endif /* HAVE_CURVE448 */ |
5872 | 0 | #ifdef HAVE_ECC |
5873 | 0 | #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512 |
5874 | | #ifdef HAVE_ECC_BRAINPOOL |
5875 | | case WOLFSSL_ECC_BRAINPOOLP512R1: |
5876 | | oid = ECC_BRAINPOOLP512R1_OID; |
5877 | | octets = 64; |
5878 | | break; |
5879 | | #endif /* HAVE_ECC_BRAINPOOL */ |
5880 | 0 | #endif |
5881 | 0 | #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 |
5882 | 0 | #ifndef NO_ECC_SECP |
5883 | 0 | case WOLFSSL_ECC_SECP521R1: |
5884 | 0 | oid = ECC_SECP521R1_OID; |
5885 | 0 | octets = 66; |
5886 | 0 | break; |
5887 | 0 | #endif /* !NO_ECC_SECP */ |
5888 | 0 | #endif |
5889 | 0 | #endif |
5890 | 0 | default: continue; /* unsupported curve */ |
5891 | 0 | } |
5892 | | |
5893 | 0 | foundCurve = 1; |
5894 | |
|
5895 | 0 | #ifdef HAVE_ECC |
5896 | | /* Set default Oid */ |
5897 | 0 | if (defOid == 0 && ssl->eccTempKeySz <= octets && defSz > octets) { |
5898 | 0 | defOid = oid; |
5899 | 0 | defSz = octets; |
5900 | 0 | } |
5901 | | |
5902 | | /* The eccTempKeySz is the preferred ephemeral key size */ |
5903 | 0 | if (currOid == 0 && ssl->eccTempKeySz == octets) |
5904 | 0 | currOid = oid; |
5905 | 0 | if ((nextOid == 0 || nextSz > octets) && ssl->eccTempKeySz <= octets) { |
5906 | 0 | nextOid = oid; |
5907 | 0 | nextSz = octets; |
5908 | 0 | } |
5909 | | #else |
5910 | | if (defOid == 0 && defSz > octets) { |
5911 | | defOid = oid; |
5912 | | defSz = octets; |
5913 | | } |
5914 | | |
5915 | | if (currOid == 0) |
5916 | | currOid = oid; |
5917 | | if (nextOid == 0 || nextSz > octets) { |
5918 | | nextOid = oid; |
5919 | | nextSz = octets; |
5920 | | } |
5921 | | #endif |
5922 | |
|
5923 | 0 | if (first == ECC_BYTE) { |
5924 | 0 | switch (second) { |
5925 | 0 | #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) |
5926 | | /* ECDHE_ECDSA */ |
5927 | 0 | case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: |
5928 | 0 | case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: |
5929 | 0 | case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: |
5930 | 0 | case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA: |
5931 | 0 | case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: |
5932 | 0 | case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384: |
5933 | 0 | case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: |
5934 | 0 | case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: |
5935 | 0 | case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8: |
5936 | 0 | case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8: |
5937 | 0 | key |= ssl->ecdhCurveOID == oid; |
5938 | 0 | ephmSuite = 1; |
5939 | 0 | break; |
5940 | | |
5941 | | #ifdef WOLFSSL_STATIC_DH |
5942 | | /* ECDH_ECDSA */ |
5943 | | case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA: |
5944 | | case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA: |
5945 | | case TLS_ECDH_ECDSA_WITH_RC4_128_SHA: |
5946 | | case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA: |
5947 | | case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256: |
5948 | | case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384: |
5949 | | case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256: |
5950 | | case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384: |
5951 | | if (oid == ECC_X25519_OID && defOid == oid) { |
5952 | | defOid = 0; |
5953 | | defSz = 80; |
5954 | | } |
5955 | | if (oid == ECC_X448_OID && defOid == oid) { |
5956 | | defOid = 0; |
5957 | | defSz = 80; |
5958 | | } |
5959 | | key |= ssl->pkCurveOID == oid; |
5960 | | break; |
5961 | | #endif /* WOLFSSL_STATIC_DH */ |
5962 | 0 | #endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */ |
5963 | 0 | #ifndef NO_RSA |
5964 | | /* ECDHE_RSA */ |
5965 | 0 | case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: |
5966 | 0 | case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: |
5967 | 0 | case TLS_ECDHE_RSA_WITH_RC4_128_SHA: |
5968 | 0 | case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA: |
5969 | 0 | case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: |
5970 | 0 | case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384: |
5971 | 0 | case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: |
5972 | 0 | case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: |
5973 | 0 | key |= ssl->ecdhCurveOID == oid; |
5974 | 0 | ephmSuite = 1; |
5975 | 0 | break; |
5976 | | |
5977 | | #if defined(HAVE_ECC) && defined(WOLFSSL_STATIC_DH) |
5978 | | /* ECDH_RSA */ |
5979 | | case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA: |
5980 | | case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA: |
5981 | | case TLS_ECDH_RSA_WITH_RC4_128_SHA: |
5982 | | case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA: |
5983 | | case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256: |
5984 | | case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384: |
5985 | | case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256: |
5986 | | case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384: |
5987 | | if (oid == ECC_X25519_OID && defOid == oid) { |
5988 | | defOid = 0; |
5989 | | defSz = 80; |
5990 | | } |
5991 | | if (oid == ECC_X448_OID && defOid == oid) { |
5992 | | defOid = 0; |
5993 | | defSz = 80; |
5994 | | } |
5995 | | key |= ssl->pkCurveOID == oid; |
5996 | | break; |
5997 | | #endif /* HAVE_ECC && WOLFSSL_STATIC_DH */ |
5998 | 0 | #endif |
5999 | 0 | default: |
6000 | 0 | if (oid == ECC_X25519_OID && defOid == oid) { |
6001 | 0 | defOid = 0; |
6002 | 0 | defSz = 80; |
6003 | 0 | } |
6004 | 0 | if (oid == ECC_X448_OID && defOid == oid) { |
6005 | 0 | defOid = 0; |
6006 | 0 | defSz = 80; |
6007 | 0 | } |
6008 | 0 | key = 1; |
6009 | 0 | break; |
6010 | 0 | } |
6011 | 0 | } |
6012 | | |
6013 | | /* ChaCha20-Poly1305 ECC cipher suites */ |
6014 | 0 | if (first == CHACHA_BYTE) { |
6015 | 0 | switch (second) { |
6016 | 0 | #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) |
6017 | | /* ECDHE_ECDSA */ |
6018 | 0 | case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 : |
6019 | 0 | case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : |
6020 | 0 | key |= ssl->ecdhCurveOID == oid; |
6021 | 0 | ephmSuite = 1; |
6022 | 0 | break; |
6023 | 0 | #endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */ |
6024 | 0 | #ifndef NO_RSA |
6025 | | /* ECDHE_RSA */ |
6026 | 0 | case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 : |
6027 | 0 | case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 : |
6028 | 0 | key |= ssl->ecdhCurveOID == oid; |
6029 | 0 | ephmSuite = 1; |
6030 | 0 | break; |
6031 | 0 | #endif |
6032 | 0 | default: |
6033 | 0 | key = 1; |
6034 | 0 | break; |
6035 | 0 | } |
6036 | 0 | } |
6037 | 0 | } |
6038 | | |
6039 | | /* Check we found at least one supported curve */ |
6040 | 0 | if (!foundCurve) |
6041 | 0 | return 0; |
6042 | | |
6043 | 0 | *ecdhCurveOID = ssl->ecdhCurveOID; |
6044 | | /* Choose the default if it is at the required strength. */ |
6045 | 0 | #ifdef HAVE_ECC |
6046 | 0 | if (*ecdhCurveOID == 0 && defSz == ssl->eccTempKeySz) |
6047 | | #else |
6048 | | if (*ecdhCurveOID == 0) |
6049 | | #endif |
6050 | 0 | { |
6051 | 0 | key = 1; |
6052 | 0 | *ecdhCurveOID = defOid; |
6053 | 0 | } |
6054 | | /* Choose any curve at the required strength. */ |
6055 | 0 | if (*ecdhCurveOID == 0) { |
6056 | 0 | key = 1; |
6057 | 0 | *ecdhCurveOID = currOid; |
6058 | 0 | } |
6059 | | /* Choose the default if it is at the next highest strength. */ |
6060 | 0 | if (*ecdhCurveOID == 0 && defSz == nextSz) |
6061 | 0 | *ecdhCurveOID = defOid; |
6062 | | /* Choose any curve at the next highest strength. */ |
6063 | 0 | if (*ecdhCurveOID == 0) |
6064 | 0 | *ecdhCurveOID = nextOid; |
6065 | | /* No curve and ephemeral ECC suite requires a matching curve. */ |
6066 | 0 | if (*ecdhCurveOID == 0 && ephmSuite) |
6067 | 0 | key = 0; |
6068 | |
|
6069 | 0 | return key; |
6070 | 0 | } |
6071 | | #endif |
6072 | | |
6073 | | #endif /* NO_WOLFSSL_SERVER */ |
6074 | | |
6075 | | |
6076 | | int TLSX_SupportedCurve_Copy(TLSX* src, TLSX** dst, void* heap) |
6077 | 0 | { |
6078 | 0 | TLSX* extension; |
6079 | 0 | int ret; |
6080 | |
|
6081 | 0 | extension = TLSX_Find(src, TLSX_SUPPORTED_GROUPS); |
6082 | 0 | if (extension != NULL) { |
6083 | 0 | SupportedCurve* curve; |
6084 | 0 | for (curve = (SupportedCurve*)extension->data; curve != NULL; |
6085 | 0 | curve = curve->next) { |
6086 | | /* Copying an already validated list - don't drop a group based on |
6087 | | * the side, so accept when either side has the crypto support. */ |
6088 | 0 | ret = TLSX_UseSupportedCurve(dst, curve->name, heap, |
6089 | 0 | WOLFSSL_NEITHER_END); |
6090 | 0 | if (ret != WOLFSSL_SUCCESS) |
6091 | 0 | return MEMORY_E; |
6092 | 0 | } |
6093 | 0 | } |
6094 | | |
6095 | 0 | return 0; |
6096 | 0 | } |
6097 | | |
6098 | | int TLSX_UseSupportedCurve(TLSX** extensions, word16 name, void* heap, int side) |
6099 | 0 | { |
6100 | 0 | TLSX* extension = NULL; |
6101 | 0 | SupportedCurve* curve = NULL; |
6102 | 0 | int ret; |
6103 | |
|
6104 | 0 | if (extensions == NULL) { |
6105 | 0 | return BAD_FUNC_ARG; |
6106 | 0 | } |
6107 | | |
6108 | 0 | if (!TLSX_IsGroupSupported(name, side)) { |
6109 | 0 | return BAD_FUNC_ARG; |
6110 | 0 | } |
6111 | | |
6112 | 0 | extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS); |
6113 | |
|
6114 | 0 | if (!extension) { |
6115 | 0 | ret = TLSX_SupportedCurve_New(&curve, name, heap); |
6116 | 0 | if (ret != 0) |
6117 | 0 | return ret; |
6118 | | |
6119 | 0 | ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, curve, heap); |
6120 | 0 | if (ret != 0) { |
6121 | 0 | XFREE(curve, heap, DYNAMIC_TYPE_TLSX); |
6122 | 0 | return ret; |
6123 | 0 | } |
6124 | 0 | } |
6125 | 0 | else { |
6126 | 0 | ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data, name, |
6127 | 0 | heap); |
6128 | 0 | if (ret != 0) |
6129 | 0 | return ret; |
6130 | | #if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \ |
6131 | | defined (WOLFSSL_EXTRA_PQC_HYBRIDS) |
6132 | | if (name == WOLFSSL_SECP256R1MLKEM512) { |
6133 | | ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data, |
6134 | | WOLFSSL_P256_ML_KEM_512_OLD, heap); |
6135 | | } |
6136 | | else if (name == WOLFSSL_SECP384R1MLKEM768) { |
6137 | | ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data, |
6138 | | WOLFSSL_P384_ML_KEM_768_OLD, heap); |
6139 | | } |
6140 | | else if (name == WOLFSSL_SECP521R1MLKEM1024) { |
6141 | | ret = TLSX_SupportedCurve_Append((SupportedCurve*)extension->data, |
6142 | | WOLFSSL_P521_ML_KEM_1024_OLD, heap); |
6143 | | } |
6144 | | if (ret != 0) { |
6145 | | return ret; |
6146 | | } |
6147 | | #endif /* WOLFSSL_ML_KEM_USE_OLD_IDS && WOLFSSL_EXTRA_PQC_HYBRIDS */ |
6148 | 0 | } |
6149 | | |
6150 | 0 | return WOLFSSL_SUCCESS; |
6151 | 0 | } |
6152 | | |
6153 | | int TLSX_UsePointFormat(TLSX** extensions, byte format, void* heap) |
6154 | 0 | { |
6155 | 0 | TLSX* extension = NULL; |
6156 | 0 | PointFormat* point = NULL; |
6157 | 0 | int ret = 0; |
6158 | |
|
6159 | 0 | if (extensions == NULL) |
6160 | 0 | return BAD_FUNC_ARG; |
6161 | | |
6162 | 0 | extension = TLSX_Find(*extensions, TLSX_EC_POINT_FORMATS); |
6163 | |
|
6164 | 0 | if (!extension) { |
6165 | 0 | ret = TLSX_PointFormat_New(&point, format, heap); |
6166 | 0 | if (ret != 0) |
6167 | 0 | return ret; |
6168 | | |
6169 | 0 | ret = TLSX_Push(extensions, TLSX_EC_POINT_FORMATS, point, heap); |
6170 | 0 | if (ret != 0) { |
6171 | 0 | XFREE(point, heap, DYNAMIC_TYPE_TLSX); |
6172 | 0 | return ret; |
6173 | 0 | } |
6174 | 0 | } |
6175 | 0 | else { |
6176 | 0 | ret = TLSX_PointFormat_Append((PointFormat*)extension->data, format, |
6177 | 0 | heap); |
6178 | 0 | if (ret != 0) |
6179 | 0 | return ret; |
6180 | 0 | } |
6181 | | |
6182 | 0 | return WOLFSSL_SUCCESS; |
6183 | 0 | } |
6184 | | |
6185 | 0 | #define EC_FREE_ALL TLSX_SupportedCurve_FreeAll |
6186 | 0 | #define EC_VALIDATE_REQUEST TLSX_SupportedCurve_ValidateRequest |
6187 | | |
6188 | | /* In TLS 1.2 the server never sends supported curve extension, but in TLS 1.3 |
6189 | | * the server can send supported groups extension to indicate what it will |
6190 | | * support for later connections. */ |
6191 | | #if !defined(NO_WOLFSSL_CLIENT) || defined(WOLFSSL_TLS13) |
6192 | 0 | #define EC_GET_SIZE TLSX_SupportedCurve_GetSize |
6193 | 0 | #define EC_WRITE TLSX_SupportedCurve_Write |
6194 | | #else |
6195 | | #define EC_GET_SIZE(list) 0 |
6196 | | #define EC_WRITE(a, b) 0 |
6197 | | #endif |
6198 | | |
6199 | | #if !defined(NO_WOLFSSL_SERVER) || (defined(WOLFSSL_TLS13) && \ |
6200 | | !defined(WOLFSSL_NO_SERVER_GROUPS_EXT)) |
6201 | 0 | #define EC_PARSE TLSX_SupportedCurve_Parse |
6202 | | #else |
6203 | | #define EC_PARSE(a, b, c, d, e) 0 |
6204 | | #endif |
6205 | | |
6206 | 0 | #define PF_FREE_ALL TLSX_PointFormat_FreeAll |
6207 | 0 | #define PF_VALIDATE_REQUEST TLSX_PointFormat_ValidateRequest |
6208 | 0 | #define PF_VALIDATE_RESPONSE TLSX_PointFormat_ValidateResponse |
6209 | | |
6210 | 0 | #define PF_GET_SIZE TLSX_PointFormat_GetSize |
6211 | 0 | #define PF_WRITE TLSX_PointFormat_Write |
6212 | | |
6213 | | #ifndef NO_WOLFSSL_SERVER |
6214 | 0 | #define PF_PARSE TLSX_PointFormat_Parse |
6215 | | #else |
6216 | | #define PF_PARSE(a, b, c, d) 0 |
6217 | | #endif |
6218 | | |
6219 | | #else |
6220 | | |
6221 | | #define EC_FREE_ALL(list, heap) WC_DO_NOTHING |
6222 | | #define EC_GET_SIZE(list) 0 |
6223 | | #define EC_WRITE(a, b) 0 |
6224 | | #define EC_PARSE(a, b, c, d, e) 0 |
6225 | | #define EC_VALIDATE_REQUEST(a, b) WC_DO_NOTHING |
6226 | | |
6227 | | #define PF_FREE_ALL(list, heap) WC_DO_NOTHING |
6228 | | #define PF_GET_SIZE(list) 0 |
6229 | | #define PF_WRITE(a, b) 0 |
6230 | | #define PF_PARSE(a, b, c, d) 0 |
6231 | | #define PF_VALIDATE_REQUEST(a, b) WC_DO_NOTHING |
6232 | | #define PF_VALIDATE_RESPONSE(a, b) WC_DO_NOTHING |
6233 | | |
6234 | | #endif /* HAVE_SUPPORTED_CURVES */ |
6235 | | |
6236 | | /******************************************************************************/ |
6237 | | /* Renegotiation Indication */ |
6238 | | /******************************************************************************/ |
6239 | | |
6240 | | #if defined(HAVE_SECURE_RENEGOTIATION) \ |
6241 | | || defined(HAVE_SERVER_RENEGOTIATION_INFO) |
6242 | | |
6243 | | static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data, |
6244 | | int isRequest) |
6245 | 0 | { |
6246 | 0 | byte length = OPAQUE8_LEN; /* empty info length */ |
6247 | | |
6248 | | /* data will be NULL for HAVE_SERVER_RENEGOTIATION_INFO only */ |
6249 | 0 | if (data && data->enabled && data->verifySet) { |
6250 | | /* client sends client_verify_data only */ |
6251 | 0 | length += TLS_FINISHED_SZ; |
6252 | | |
6253 | | /* server also sends server_verify_data */ |
6254 | 0 | if (!isRequest) |
6255 | 0 | length += TLS_FINISHED_SZ; |
6256 | 0 | } |
6257 | |
|
6258 | 0 | return length; |
6259 | 0 | } |
6260 | | |
6261 | | static word16 TLSX_SecureRenegotiation_Write(SecureRenegotiation* data, |
6262 | | byte* output, int isRequest) |
6263 | 0 | { |
6264 | 0 | word16 offset = OPAQUE8_LEN; /* RenegotiationInfo length */ |
6265 | 0 | if (data && data->enabled && data->verifySet) { |
6266 | | /* client sends client_verify_data only */ |
6267 | 0 | XMEMCPY(output + offset, data->client_verify_data, TLS_FINISHED_SZ); |
6268 | 0 | offset += TLS_FINISHED_SZ; |
6269 | | |
6270 | | /* server also sends server_verify_data */ |
6271 | 0 | if (!isRequest) { |
6272 | 0 | XMEMCPY(output + offset, data->server_verify_data, TLS_FINISHED_SZ); |
6273 | 0 | offset += TLS_FINISHED_SZ; |
6274 | 0 | } |
6275 | 0 | } |
6276 | |
|
6277 | 0 | output[0] = (byte)(offset - 1); /* info length - self */ |
6278 | |
|
6279 | 0 | return offset; |
6280 | 0 | } |
6281 | | |
6282 | | static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, const byte* input, |
6283 | | word16 length, byte isRequest) |
6284 | 0 | { |
6285 | 0 | int ret = WC_NO_ERR_TRACE(SECURE_RENEGOTIATION_E); |
6286 | |
|
6287 | 0 | if (length >= OPAQUE8_LEN) { |
6288 | 0 | if (isRequest) { |
6289 | 0 | #ifndef NO_WOLFSSL_SERVER |
6290 | 0 | if (ssl->secure_renegotiation == NULL) { |
6291 | 0 | ret = wolfSSL_UseSecureRenegotiation(ssl); |
6292 | 0 | if (ret == WOLFSSL_SUCCESS) |
6293 | 0 | ret = 0; |
6294 | 0 | } |
6295 | | /* renegotiation_info seen (checked by DoClientHello, RFC 5746 3.7) */ |
6296 | 0 | if (ssl->secure_renegotiation != NULL) |
6297 | 0 | ssl->secure_renegotiation->renegInfoSeen = 1; |
6298 | 0 | if (ret != 0 && ret != WC_NO_ERR_TRACE(SECURE_RENEGOTIATION_E)) { |
6299 | 0 | } |
6300 | 0 | else if (ssl->secure_renegotiation == NULL) { |
6301 | 0 | } |
6302 | 0 | else if (!ssl->secure_renegotiation->enabled) { |
6303 | 0 | if (*input == 0) { |
6304 | 0 | input++; /* get past size */ |
6305 | |
|
6306 | 0 | ssl->secure_renegotiation->enabled = 1; |
6307 | 0 | TLSX_SetResponse(ssl, TLSX_RENEGOTIATION_INFO); |
6308 | 0 | ret = 0; |
6309 | 0 | } |
6310 | 0 | else { |
6311 | | /* already in error state */ |
6312 | 0 | WOLFSSL_MSG("SCR client verify data present"); |
6313 | 0 | } |
6314 | 0 | } |
6315 | 0 | else if (*input == TLS_FINISHED_SZ) { |
6316 | 0 | if (length < TLS_FINISHED_SZ + 1) { |
6317 | 0 | WOLFSSL_MSG("SCR malformed buffer"); |
6318 | 0 | ret = BUFFER_E; |
6319 | 0 | } |
6320 | 0 | else { |
6321 | 0 | input++; /* get past size */ |
6322 | | |
6323 | | /* validate client verify data */ |
6324 | 0 | if (ConstantCompare(input, |
6325 | 0 | ssl->secure_renegotiation->client_verify_data, |
6326 | 0 | TLS_FINISHED_SZ) == 0) { |
6327 | 0 | WOLFSSL_MSG("SCR client verify data match"); |
6328 | 0 | TLSX_SetResponse(ssl, TLSX_RENEGOTIATION_INFO); |
6329 | 0 | ret = 0; /* verified */ |
6330 | 0 | } |
6331 | 0 | else { |
6332 | | /* already in error state */ |
6333 | 0 | WOLFSSL_MSG("SCR client verify data Failure"); |
6334 | 0 | } |
6335 | 0 | } |
6336 | 0 | } |
6337 | 0 | #endif |
6338 | 0 | } |
6339 | 0 | else if (ssl->secure_renegotiation != NULL) { |
6340 | 0 | #ifndef NO_WOLFSSL_CLIENT |
6341 | 0 | if (!ssl->secure_renegotiation->enabled) { |
6342 | 0 | if (*input == 0) { |
6343 | 0 | ssl->secure_renegotiation->enabled = 1; |
6344 | 0 | ret = 0; |
6345 | 0 | } |
6346 | 0 | } |
6347 | 0 | else if (*input == 2 * TLS_FINISHED_SZ && |
6348 | 0 | length == 2 * TLS_FINISHED_SZ + OPAQUE8_LEN) { |
6349 | 0 | int cmpRes = 0; |
6350 | 0 | input++; /* get past size */ |
6351 | 0 | cmpRes |= ConstantCompare(input, |
6352 | 0 | ssl->secure_renegotiation->client_verify_data, |
6353 | 0 | TLS_FINISHED_SZ); |
6354 | 0 | cmpRes |= ConstantCompare(input + TLS_FINISHED_SZ, |
6355 | 0 | ssl->secure_renegotiation->server_verify_data, |
6356 | 0 | TLS_FINISHED_SZ); |
6357 | | /* validate client and server verify data */ |
6358 | 0 | if (cmpRes == 0) { |
6359 | 0 | WOLFSSL_MSG("SCR client and server verify data match"); |
6360 | 0 | ret = 0; /* verified */ |
6361 | 0 | } |
6362 | 0 | else { |
6363 | | /* already in error state */ |
6364 | 0 | WOLFSSL_MSG("SCR client and server verify data Failure"); |
6365 | 0 | } |
6366 | 0 | } |
6367 | 0 | #endif |
6368 | 0 | } |
6369 | 0 | else { |
6370 | 0 | ret = SECURE_RENEGOTIATION_E; |
6371 | 0 | } |
6372 | 0 | } |
6373 | 0 | else { |
6374 | 0 | ret = SECURE_RENEGOTIATION_E; |
6375 | 0 | } |
6376 | |
|
6377 | 0 | if (ret != 0) { |
6378 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
6379 | 0 | SendAlert(ssl, alert_fatal, handshake_failure); |
6380 | 0 | } |
6381 | |
|
6382 | 0 | return ret; |
6383 | 0 | } |
6384 | | |
6385 | | int TLSX_UseSecureRenegotiation(TLSX** extensions, void* heap) |
6386 | 0 | { |
6387 | 0 | int ret = 0; |
6388 | 0 | SecureRenegotiation* data; |
6389 | |
|
6390 | 0 | data = (SecureRenegotiation*)XMALLOC(sizeof(SecureRenegotiation), heap, |
6391 | 0 | DYNAMIC_TYPE_TLSX); |
6392 | 0 | if (data == NULL) |
6393 | 0 | return MEMORY_E; |
6394 | | |
6395 | 0 | XMEMSET(data, 0, sizeof(SecureRenegotiation)); |
6396 | |
|
6397 | 0 | ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data, heap); |
6398 | 0 | if (ret != 0) { |
6399 | 0 | XFREE(data, heap, DYNAMIC_TYPE_TLSX); |
6400 | 0 | return ret; |
6401 | 0 | } |
6402 | | |
6403 | 0 | return WOLFSSL_SUCCESS; |
6404 | 0 | } |
6405 | | |
6406 | | #ifdef HAVE_SERVER_RENEGOTIATION_INFO |
6407 | | |
6408 | | int TLSX_AddEmptyRenegotiationInfo(TLSX** extensions, void* heap) |
6409 | 0 | { |
6410 | 0 | int ret; |
6411 | | |
6412 | | /* send empty renegotiation_info extension */ |
6413 | 0 | TLSX* ext = TLSX_Find(*extensions, TLSX_RENEGOTIATION_INFO); |
6414 | 0 | if (ext == NULL) { |
6415 | 0 | ret = TLSX_UseSecureRenegotiation(extensions, heap); |
6416 | 0 | if (ret != WOLFSSL_SUCCESS) |
6417 | 0 | return ret; |
6418 | | |
6419 | 0 | ext = TLSX_Find(*extensions, TLSX_RENEGOTIATION_INFO); |
6420 | 0 | } |
6421 | 0 | if (ext) |
6422 | 0 | ext->resp = 1; |
6423 | |
|
6424 | 0 | return WOLFSSL_SUCCESS; |
6425 | 0 | } |
6426 | | |
6427 | | #endif /* HAVE_SERVER_RENEGOTIATION_INFO */ |
6428 | | |
6429 | | |
6430 | 0 | #define SCR_FREE_ALL(data, heap) XFREE(data, (heap), DYNAMIC_TYPE_TLSX) |
6431 | 0 | #define SCR_GET_SIZE TLSX_SecureRenegotiation_GetSize |
6432 | 0 | #define SCR_WRITE TLSX_SecureRenegotiation_Write |
6433 | 0 | #define SCR_PARSE TLSX_SecureRenegotiation_Parse |
6434 | | |
6435 | | #else |
6436 | | |
6437 | | #define SCR_FREE_ALL(a, heap) WC_DO_NOTHING |
6438 | | #define SCR_GET_SIZE(a, b) 0 |
6439 | | #define SCR_WRITE(a, b, c) 0 |
6440 | | #define SCR_PARSE(a, b, c, d) 0 |
6441 | | |
6442 | | #endif /* HAVE_SECURE_RENEGOTIATION || HAVE_SERVER_RENEGOTIATION_INFO */ |
6443 | | |
6444 | | /******************************************************************************/ |
6445 | | /* Session Tickets */ |
6446 | | /******************************************************************************/ |
6447 | | |
6448 | | #ifdef HAVE_SESSION_TICKET |
6449 | | |
6450 | | static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest) |
6451 | | { |
6452 | | (void)isRequest; |
6453 | | return ticket ? ticket->size : 0; |
6454 | | } |
6455 | | |
6456 | | static word16 TLSX_SessionTicket_Write(SessionTicket* ticket, byte* output, |
6457 | | int isRequest) |
6458 | | { |
6459 | | word16 offset = 0; /* empty ticket */ |
6460 | | |
6461 | | if (isRequest && ticket) { |
6462 | | XMEMCPY(output + offset, ticket->data, ticket->size); |
6463 | | offset += ticket->size; |
6464 | | } |
6465 | | |
6466 | | return offset; |
6467 | | } |
6468 | | |
6469 | | |
6470 | | static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, const byte* input, |
6471 | | word16 length, byte isRequest) |
6472 | | { |
6473 | | int ret = 0; |
6474 | | |
6475 | | (void) input; /* avoid unused parameter if NO_WOLFSSL_SERVER defined */ |
6476 | | |
6477 | | if (!isRequest) { |
6478 | | if (TLSX_CheckUnsupportedExtension(ssl, TLSX_SESSION_TICKET)) |
6479 | | return TLSX_HandleUnsupportedExtension(ssl); |
6480 | | |
6481 | | if (length != 0) |
6482 | | return BUFFER_ERROR; |
6483 | | |
6484 | | #ifndef NO_WOLFSSL_CLIENT |
6485 | | ssl->expect_session_ticket = 1; |
6486 | | #endif |
6487 | | } |
6488 | | #ifndef NO_WOLFSSL_SERVER |
6489 | | else { |
6490 | | /* server side */ |
6491 | | if (ssl->ctx->ticketEncCb == NULL) { |
6492 | | WOLFSSL_MSG("Client sent session ticket, server has no callback"); |
6493 | | return 0; |
6494 | | } |
6495 | | |
6496 | | #ifdef HAVE_SECURE_RENEGOTIATION |
6497 | | if (IsSCR(ssl)) { |
6498 | | WOLFSSL_MSG("Client sent session ticket during SCR. Ignoring."); |
6499 | | return 0; |
6500 | | } |
6501 | | #endif |
6502 | | |
6503 | | if (length > SESSION_TICKET_LEN) { |
6504 | | ret = BAD_TICKET_MSG_SZ; |
6505 | | WOLFSSL_ERROR_VERBOSE(ret); |
6506 | | } else if (IsAtLeastTLSv1_3(ssl->version)) { |
6507 | | WOLFSSL_MSG("Process client ticket rejected, TLS 1.3 no support"); |
6508 | | ssl->options.rejectTicket = 1; |
6509 | | ret = 0; /* not fatal */ |
6510 | | } else if (ssl->options.noTicketTls12) { |
6511 | | /* ignore ticket request */ |
6512 | | } else if (length == 0) { |
6513 | | /* blank ticket */ |
6514 | | ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap); |
6515 | | if (ret == WOLFSSL_SUCCESS) { |
6516 | | ret = 0; |
6517 | | /* send blank ticket */ |
6518 | | TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); |
6519 | | ssl->options.createTicket = 1; /* will send ticket msg */ |
6520 | | ssl->options.useTicket = 1; |
6521 | | ssl->options.resuming = 0; /* no standard resumption */ |
6522 | | ssl->arrays->sessionIDSz = 0; /* no echo on blank ticket */ |
6523 | | } |
6524 | | } else { |
6525 | | /* got actual ticket from client */ |
6526 | | ret = DoClientTicket(ssl, input, length); |
6527 | | if (ret == WOLFSSL_TICKET_RET_OK) { /* use ticket to resume */ |
6528 | | WOLFSSL_MSG("Using existing client ticket"); |
6529 | | ssl->options.useTicket = 1; |
6530 | | ssl->options.resuming = 1; |
6531 | | /* SERVER: ticket is peer auth. */ |
6532 | | ssl->options.peerAuthGood = 1; |
6533 | | } else if (ret == WOLFSSL_TICKET_RET_CREATE) { |
6534 | | WOLFSSL_MSG("Using existing client ticket, creating new one"); |
6535 | | ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, ssl->heap); |
6536 | | if (ret == WOLFSSL_SUCCESS) { |
6537 | | ret = 0; |
6538 | | TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); |
6539 | | /* send blank ticket */ |
6540 | | ssl->options.createTicket = 1; /* will send ticket msg */ |
6541 | | ssl->options.useTicket = 1; |
6542 | | ssl->options.resuming = 1; |
6543 | | /* SERVER: ticket is peer auth. */ |
6544 | | ssl->options.peerAuthGood = 1; |
6545 | | } |
6546 | | } else if (ret == WOLFSSL_TICKET_RET_REJECT || |
6547 | | ret == WC_NO_ERR_TRACE(VERSION_ERROR)) { |
6548 | | WOLFSSL_MSG("Process client ticket rejected, not using"); |
6549 | | if (ret == WC_NO_ERR_TRACE(VERSION_ERROR)) |
6550 | | WOLFSSL_MSG("\tbad TLS version"); |
6551 | | ret = 0; /* not fatal */ |
6552 | | |
6553 | | ssl->options.rejectTicket = 1; |
6554 | | /* If we have session tickets enabled then send a new ticket */ |
6555 | | if (!TLSX_CheckUnsupportedExtension(ssl, TLSX_SESSION_TICKET)) { |
6556 | | ret = TLSX_UseSessionTicket(&ssl->extensions, NULL, |
6557 | | ssl->heap); |
6558 | | if (ret == WOLFSSL_SUCCESS) { |
6559 | | ret = 0; |
6560 | | TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); |
6561 | | ssl->options.createTicket = 1; |
6562 | | ssl->options.useTicket = 1; |
6563 | | } |
6564 | | } |
6565 | | } else if (ret == WOLFSSL_TICKET_RET_FATAL) { |
6566 | | WOLFSSL_MSG("Process client ticket fatal error, not using"); |
6567 | | } else if (ret < 0) { |
6568 | | WOLFSSL_MSG("Process client ticket unknown error, not using"); |
6569 | | } |
6570 | | } |
6571 | | } |
6572 | | #endif /* NO_WOLFSSL_SERVER */ |
6573 | | |
6574 | | #if defined(NO_WOLFSSL_CLIENT) && defined(NO_WOLFSSL_SERVER) |
6575 | | (void)ssl; |
6576 | | #endif |
6577 | | |
6578 | | return ret; |
6579 | | } |
6580 | | |
6581 | | WOLFSSL_TEST_VIS SessionTicket* TLSX_SessionTicket_Create(word32 lifetime, |
6582 | | byte* data, word16 size, void* heap) |
6583 | | { |
6584 | | SessionTicket* ticket = (SessionTicket*)XMALLOC(sizeof(SessionTicket), |
6585 | | heap, DYNAMIC_TYPE_TLSX); |
6586 | | if (ticket) { |
6587 | | ticket->data = (byte*)XMALLOC(size, heap, DYNAMIC_TYPE_TLSX); |
6588 | | if (ticket->data == NULL) { |
6589 | | XFREE(ticket, heap, DYNAMIC_TYPE_TLSX); |
6590 | | return NULL; |
6591 | | } |
6592 | | |
6593 | | XMEMCPY(ticket->data, data, size); |
6594 | | ticket->size = size; |
6595 | | ticket->lifetime = lifetime; |
6596 | | } |
6597 | | |
6598 | | (void)heap; |
6599 | | |
6600 | | return ticket; |
6601 | | } |
6602 | | WOLFSSL_TEST_VIS void TLSX_SessionTicket_Free(SessionTicket* ticket, void* heap) |
6603 | | { |
6604 | | if (ticket) { |
6605 | | XFREE(ticket->data, heap, DYNAMIC_TYPE_TLSX); |
6606 | | XFREE(ticket, heap, DYNAMIC_TYPE_TLSX); |
6607 | | } |
6608 | | |
6609 | | (void)heap; |
6610 | | } |
6611 | | |
6612 | | int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket, void* heap) |
6613 | | { |
6614 | | int ret = 0; |
6615 | | |
6616 | | if (extensions == NULL) |
6617 | | return BAD_FUNC_ARG; |
6618 | | |
6619 | | /* If the ticket is NULL, the client will request a new ticket from the |
6620 | | server. Otherwise, the client will use it in the next client hello. */ |
6621 | | if ((ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket, heap)) |
6622 | | != 0) |
6623 | | return ret; |
6624 | | |
6625 | | return WOLFSSL_SUCCESS; |
6626 | | } |
6627 | | |
6628 | | #define WOLF_STK_GET_SIZE TLSX_SessionTicket_GetSize |
6629 | | #define WOLF_STK_WRITE TLSX_SessionTicket_Write |
6630 | | #define WOLF_STK_PARSE TLSX_SessionTicket_Parse |
6631 | | #define WOLF_STK_FREE(stk, heap) TLSX_SessionTicket_Free((SessionTicket*)(stk),(heap)) |
6632 | | |
6633 | | #else |
6634 | | |
6635 | 0 | #define WOLF_STK_FREE(a, b) WC_DO_NOTHING |
6636 | | #define WOLF_STK_VALIDATE_REQUEST(a) WC_DO_NOTHING |
6637 | 0 | #define WOLF_STK_GET_SIZE(a, b) 0 |
6638 | 0 | #define WOLF_STK_WRITE(a, b, c) 0 |
6639 | 0 | #define WOLF_STK_PARSE(a, b, c, d) 0 |
6640 | | |
6641 | | #endif /* HAVE_SESSION_TICKET */ |
6642 | | |
6643 | | #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) |
6644 | | /******************************************************************************/ |
6645 | | /* Encrypt-then-MAC */ |
6646 | | /******************************************************************************/ |
6647 | | |
6648 | | #ifndef WOLFSSL_NO_TLS12 |
6649 | | static int TLSX_EncryptThenMac_Use(WOLFSSL* ssl); |
6650 | | |
6651 | | /** |
6652 | | * Get the size of the Encrypt-Then-MAC extension. |
6653 | | * |
6654 | | * msgType Type of message to put extension into. |
6655 | | * pSz Size of extension data. |
6656 | | * return SANITY_MSG_E when the message is not allowed to have extension and |
6657 | | * 0 otherwise. |
6658 | | */ |
6659 | | static int TLSX_EncryptThenMac_GetSize(byte msgType, word16* pSz) |
6660 | 0 | { |
6661 | 0 | (void)pSz; |
6662 | |
|
6663 | 0 | if (msgType != client_hello && msgType != server_hello) { |
6664 | 0 | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
6665 | 0 | return SANITY_MSG_E; |
6666 | 0 | } |
6667 | | |
6668 | | /* Empty extension */ |
6669 | | |
6670 | 0 | return 0; |
6671 | 0 | } |
6672 | | |
6673 | | /** |
6674 | | * Write the Encrypt-Then-MAC extension. |
6675 | | * |
6676 | | * data Unused |
6677 | | * output Extension data buffer. Unused. |
6678 | | * msgType Type of message to put extension into. |
6679 | | * pSz Size of extension data. |
6680 | | * return SANITY_MSG_E when the message is not allowed to have extension and |
6681 | | * 0 otherwise. |
6682 | | */ |
6683 | | static int TLSX_EncryptThenMac_Write(void* data, byte* output, byte msgType, |
6684 | | word16* pSz) |
6685 | 0 | { |
6686 | 0 | (void)data; |
6687 | 0 | (void)output; |
6688 | 0 | (void)pSz; |
6689 | |
|
6690 | 0 | if (msgType != client_hello && msgType != server_hello) { |
6691 | 0 | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
6692 | 0 | return SANITY_MSG_E; |
6693 | 0 | } |
6694 | | |
6695 | | /* Empty extension */ |
6696 | | |
6697 | 0 | return 0; |
6698 | 0 | } |
6699 | | |
6700 | | /** |
6701 | | * Parse the Encrypt-Then-MAC extension. |
6702 | | * |
6703 | | * ssl SSL object |
6704 | | * input Extension data buffer. |
6705 | | * length Length of this extension's data. |
6706 | | * msgType Type of message to extension appeared in. |
6707 | | * return SANITY_MSG_E when the message is not allowed to have extension, |
6708 | | * BUFFER_ERROR when the extension's data is invalid, |
6709 | | * MEMORY_E when unable to allocate memory and |
6710 | | * 0 otherwise. |
6711 | | */ |
6712 | | static int TLSX_EncryptThenMac_Parse(WOLFSSL* ssl, const byte* input, |
6713 | | word16 length, byte msgType) |
6714 | 0 | { |
6715 | 0 | int ret; |
6716 | |
|
6717 | 0 | (void)input; |
6718 | |
|
6719 | 0 | if (msgType != client_hello && msgType != server_hello) { |
6720 | 0 | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
6721 | 0 | return SANITY_MSG_E; |
6722 | 0 | } |
6723 | | |
6724 | | /* Empty extension */ |
6725 | 0 | if (length != 0) |
6726 | 0 | return BUFFER_ERROR; |
6727 | | |
6728 | 0 | if (msgType == client_hello) { |
6729 | | /* Check the user hasn't disallowed use of Encrypt-Then-Mac. */ |
6730 | 0 | if (!ssl->options.disallowEncThenMac) { |
6731 | 0 | ssl->options.encThenMac = 1; |
6732 | | /* Set the extension reply. */ |
6733 | 0 | ret = TLSX_EncryptThenMac_Use(ssl); |
6734 | 0 | if (ret != 0) |
6735 | 0 | return ret; |
6736 | 0 | } |
6737 | 0 | return 0; |
6738 | 0 | } |
6739 | | |
6740 | | /* Server Hello */ |
6741 | 0 | if (ssl->options.disallowEncThenMac) { |
6742 | 0 | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
6743 | 0 | return SANITY_MSG_E; |
6744 | 0 | } |
6745 | | |
6746 | 0 | ssl->options.encThenMac = 1; |
6747 | 0 | return 0; |
6748 | |
|
6749 | 0 | } |
6750 | | |
6751 | | /** |
6752 | | * Add the Encrypt-Then-MAC extension to list. |
6753 | | * |
6754 | | * ssl SSL object |
6755 | | * return MEMORY_E when unable to allocate memory and 0 otherwise. |
6756 | | */ |
6757 | | static int TLSX_EncryptThenMac_Use(WOLFSSL* ssl) |
6758 | 0 | { |
6759 | 0 | int ret = 0; |
6760 | 0 | TLSX* extension; |
6761 | | |
6762 | | /* Find the Encrypt-Then-Mac extension if it exists. */ |
6763 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_ENCRYPT_THEN_MAC); |
6764 | 0 | if (extension == NULL) { |
6765 | | /* Push new Encrypt-Then-Mac extension. */ |
6766 | 0 | ret = TLSX_Push(&ssl->extensions, TLSX_ENCRYPT_THEN_MAC, NULL, |
6767 | 0 | ssl->heap); |
6768 | 0 | if (ret != 0) |
6769 | 0 | return ret; |
6770 | 0 | } |
6771 | | |
6772 | 0 | return 0; |
6773 | 0 | } |
6774 | | |
6775 | | /** |
6776 | | * Set the Encrypt-Then-MAC extension as one to respond too. |
6777 | | * |
6778 | | * ssl SSL object |
6779 | | * return EXT_MISSING when EncryptThenMac extension not in list. |
6780 | | */ |
6781 | | int TLSX_EncryptThenMac_Respond(WOLFSSL* ssl) |
6782 | 0 | { |
6783 | 0 | TLSX* extension; |
6784 | |
|
6785 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_ENCRYPT_THEN_MAC); |
6786 | 0 | if (extension == NULL) |
6787 | 0 | return EXT_MISSING; |
6788 | 0 | extension->resp = 1; |
6789 | |
|
6790 | 0 | return 0; |
6791 | 0 | } |
6792 | | |
6793 | 0 | #define ETM_GET_SIZE TLSX_EncryptThenMac_GetSize |
6794 | 0 | #define ETM_WRITE TLSX_EncryptThenMac_Write |
6795 | 0 | #define ETM_PARSE TLSX_EncryptThenMac_Parse |
6796 | | |
6797 | | #else |
6798 | | |
6799 | | #define ETM_GET_SIZE(a, b) 0 |
6800 | | #define ETM_WRITE(a, b, c, d) 0 |
6801 | | #define ETM_PARSE(a, b, c, d) 0 |
6802 | | |
6803 | | #endif /* !WOLFSSL_NO_TLS12 */ |
6804 | | |
6805 | | #endif /* HAVE_ENCRYPT_THEN_MAC && !WOLFSSL_AEAD_ONLY */ |
6806 | | |
6807 | | |
6808 | | #ifdef WOLFSSL_SRTP |
6809 | | |
6810 | | /******************************************************************************/ |
6811 | | /* DTLS SRTP (Secure Real-time Transport Protocol) */ |
6812 | | /******************************************************************************/ |
6813 | | |
6814 | | /* Only support single SRTP profile */ |
6815 | | typedef struct TlsxSrtp { |
6816 | | word16 profileCount; |
6817 | | word16 ids; /* selected bits */ |
6818 | | } TlsxSrtp; |
6819 | | |
6820 | | #ifndef NO_WOLFSSL_SERVER |
6821 | | static int TLSX_UseSRTP_GetSize(TlsxSrtp *srtp) |
6822 | | { |
6823 | | /* SRTP Profile Len (2) |
6824 | | * SRTP Profiles (2) |
6825 | | * MKI (master key id) Length */ |
6826 | | return (OPAQUE16_LEN + (srtp->profileCount * OPAQUE16_LEN) + 1); |
6827 | | } |
6828 | | #endif |
6829 | | |
6830 | | static TlsxSrtp* TLSX_UseSRTP_New(word16 ids, void* heap) |
6831 | | { |
6832 | | TlsxSrtp* srtp; |
6833 | | int i; |
6834 | | |
6835 | | srtp = (TlsxSrtp*)XMALLOC(sizeof(TlsxSrtp), heap, DYNAMIC_TYPE_TLSX); |
6836 | | if (srtp == NULL) { |
6837 | | WOLFSSL_MSG("TLSX SRTP Memory failure"); |
6838 | | return NULL; |
6839 | | } |
6840 | | |
6841 | | /* count and test each bit set */ |
6842 | | srtp->profileCount = 0; |
6843 | | for (i=0; i<16; i++) { |
6844 | | if (ids & (1 << i)) { |
6845 | | srtp->profileCount++; |
6846 | | } |
6847 | | } |
6848 | | srtp->ids = ids; |
6849 | | |
6850 | | return srtp; |
6851 | | } |
6852 | | |
6853 | | static void TLSX_UseSRTP_Free(TlsxSrtp *srtp, void* heap) |
6854 | | { |
6855 | | XFREE(srtp, heap, DYNAMIC_TYPE_TLSX); |
6856 | | (void)heap; |
6857 | | } |
6858 | | |
6859 | | #ifndef NO_WOLFSSL_SERVER |
6860 | | static int TLSX_UseSRTP_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
6861 | | byte isRequest) |
6862 | | { |
6863 | | int ret = WC_NO_ERR_TRACE(BAD_FUNC_ARG); |
6864 | | word16 profile_len = 0; |
6865 | | word16 profile_value = 0; |
6866 | | word16 offset = 0; |
6867 | | int i; |
6868 | | TlsxSrtp* srtp = NULL; |
6869 | | |
6870 | | if (length < OPAQUE16_LEN) { |
6871 | | return BUFFER_ERROR; |
6872 | | } |
6873 | | |
6874 | | /* reset selected DTLS SRTP profile ID */ |
6875 | | ssl->dtlsSrtpId = 0; |
6876 | | |
6877 | | /* total length, not include itself */ |
6878 | | ato16(input, &profile_len); |
6879 | | offset += OPAQUE16_LEN; |
6880 | | /* Check profile length is not bigger than remaining length. */ |
6881 | | if (profile_len > length - offset) { |
6882 | | return BUFFER_ERROR; |
6883 | | } |
6884 | | /* Protection profiles are 2 bytes long - ensure not an odd no. bytes. */ |
6885 | | if ((profile_len & 1) == 1) { |
6886 | | return BUFFER_ERROR; |
6887 | | } |
6888 | | /* Ignoring srtp_mki field - SRTP Make Key Identifier. |
6889 | | * Defined to be 0..255 bytes long. |
6890 | | */ |
6891 | | if ((length - profile_len - offset) > 255) { |
6892 | | return BUFFER_ERROR; |
6893 | | } |
6894 | | |
6895 | | if (!isRequest) { |
6896 | | #ifndef NO_WOLFSSL_CLIENT |
6897 | | /* Only one SRTP Protection Profile can be chosen. */ |
6898 | | if (profile_len != OPAQUE16_LEN) { |
6899 | | return BUFFER_ERROR; |
6900 | | } |
6901 | | |
6902 | | ato16(input + offset, &profile_value); |
6903 | | |
6904 | | /* check that the profile received was in the ones we support */ |
6905 | | if (profile_value < 16 && |
6906 | | (ssl->dtlsSrtpProfiles & (1 << profile_value))) { |
6907 | | ssl->dtlsSrtpId = profile_value; |
6908 | | ret = 0; /* success */ |
6909 | | } |
6910 | | #endif |
6911 | | } |
6912 | | else { |
6913 | | /* parse remainder one profile at a time, looking for match in CTX */ |
6914 | | ret = 0; |
6915 | | for (i = 0; i < profile_len; i += OPAQUE16_LEN) { |
6916 | | ato16(input + offset + i, &profile_value); |
6917 | | /* find first match */ |
6918 | | if (profile_value < 16 && |
6919 | | ssl->dtlsSrtpProfiles & (1 << profile_value)) { |
6920 | | ssl->dtlsSrtpId = profile_value; |
6921 | | |
6922 | | /* make sure we respond with selected SRTP id selected */ |
6923 | | srtp = TLSX_UseSRTP_New((1 << profile_value), ssl->heap); |
6924 | | if (srtp != NULL) { |
6925 | | ret = TLSX_Push(&ssl->extensions, TLSX_USE_SRTP, |
6926 | | (void*)srtp, ssl->heap); |
6927 | | if (ret == 0) { |
6928 | | TLSX_SetResponse(ssl, TLSX_USE_SRTP); |
6929 | | /* successfully set extension */ |
6930 | | } |
6931 | | } |
6932 | | else { |
6933 | | ret = MEMORY_E; |
6934 | | } |
6935 | | break; |
6936 | | } |
6937 | | } |
6938 | | } |
6939 | | |
6940 | | if (ret == 0 && ssl->dtlsSrtpId == 0) { |
6941 | | WOLFSSL_MSG("TLSX_UseSRTP_Parse profile not found!"); |
6942 | | /* not fatal */ |
6943 | | } |
6944 | | else if (ret != 0) { |
6945 | | ssl->dtlsSrtpId = 0; |
6946 | | TLSX_UseSRTP_Free(srtp, ssl->heap); |
6947 | | } |
6948 | | |
6949 | | return ret; |
6950 | | } |
6951 | | |
6952 | | static word16 TLSX_UseSRTP_Write(TlsxSrtp* srtp, byte* output) |
6953 | | { |
6954 | | word16 offset = 0; |
6955 | | int i, j; |
6956 | | |
6957 | | c16toa(srtp->profileCount * 2, output + offset); |
6958 | | offset += OPAQUE16_LEN; |
6959 | | j = 0; |
6960 | | for (i = 0; i < srtp->profileCount; i++) { |
6961 | | for (; j < 16; j++) { |
6962 | | if (srtp->ids & (1 << j)) { |
6963 | | c16toa(j, output + offset); |
6964 | | offset += OPAQUE16_LEN; |
6965 | | } |
6966 | | } |
6967 | | } |
6968 | | output[offset++] = 0x00; /* MKI Length */ |
6969 | | |
6970 | | return offset; |
6971 | | } |
6972 | | #endif |
6973 | | |
6974 | | static int TLSX_UseSRTP(TLSX** extensions, word16 profiles, void* heap) |
6975 | | { |
6976 | | int ret = 0; |
6977 | | TLSX* extension; |
6978 | | |
6979 | | if (extensions == NULL) { |
6980 | | return BAD_FUNC_ARG; |
6981 | | } |
6982 | | |
6983 | | extension = TLSX_Find(*extensions, TLSX_USE_SRTP); |
6984 | | if (extension == NULL) { |
6985 | | TlsxSrtp* srtp = TLSX_UseSRTP_New(profiles, heap); |
6986 | | if (srtp == NULL) { |
6987 | | return MEMORY_E; |
6988 | | } |
6989 | | |
6990 | | ret = TLSX_Push(extensions, TLSX_USE_SRTP, (void*)srtp, heap); |
6991 | | if (ret != 0) { |
6992 | | TLSX_UseSRTP_Free(srtp, heap); |
6993 | | } |
6994 | | } |
6995 | | |
6996 | | return ret; |
6997 | | } |
6998 | | |
6999 | | #ifndef NO_WOLFSSL_SERVER |
7000 | | #define SRTP_FREE TLSX_UseSRTP_Free |
7001 | | #define SRTP_PARSE TLSX_UseSRTP_Parse |
7002 | | #define SRTP_WRITE TLSX_UseSRTP_Write |
7003 | | #define SRTP_GET_SIZE TLSX_UseSRTP_GetSize |
7004 | | #else |
7005 | | #define SRTP_FREE(a, b) WC_DO_NOTHING |
7006 | | #define SRTP_PARSE(a, b, c, d) 0 |
7007 | | #define SRTP_WRITE(a, b) 0 |
7008 | | #define SRTP_GET_SIZE(a) 0 |
7009 | | #endif |
7010 | | |
7011 | | #endif /* WOLFSSL_SRTP */ |
7012 | | |
7013 | | |
7014 | | /******************************************************************************/ |
7015 | | /* Supported Versions */ |
7016 | | /******************************************************************************/ |
7017 | | |
7018 | | #ifdef WOLFSSL_TLS13 |
7019 | | static WC_INLINE int versionIsGreater(byte isDtls, byte a, byte b) |
7020 | 0 | { |
7021 | 0 | (void)isDtls; |
7022 | |
|
7023 | | #ifdef WOLFSSL_DTLS |
7024 | | /* DTLS version increases backwards (-1,-2,-3,etc) */ |
7025 | | if (isDtls) |
7026 | | return a < b; |
7027 | | #endif /* WOLFSSL_DTLS */ |
7028 | |
|
7029 | 0 | return a > b; |
7030 | 0 | } |
7031 | | |
7032 | | static WC_INLINE int versionIsLesser(byte isDtls, byte a, byte b) |
7033 | 0 | { |
7034 | 0 | (void)isDtls; |
7035 | |
|
7036 | | #ifdef WOLFSSL_DTLS |
7037 | | /* DTLS version increases backwards (-1,-2,-3,etc) */ |
7038 | | if (isDtls) |
7039 | | return a > b; |
7040 | | #endif /* WOLFSSL_DTLS */ |
7041 | |
|
7042 | 0 | return a < b; |
7043 | 0 | } |
7044 | | |
7045 | | static WC_INLINE int versionIsAtLeast(byte isDtls, byte a, byte b) |
7046 | 0 | { |
7047 | 0 | (void)isDtls; |
7048 | |
|
7049 | | #ifdef WOLFSSL_DTLS |
7050 | | /* DTLS version increases backwards (-1,-2,-3,etc) */ |
7051 | | if (isDtls) |
7052 | | return a <= b; |
7053 | | #endif /* WOLFSSL_DTLS */ |
7054 | |
|
7055 | 0 | return a >= b; |
7056 | 0 | } |
7057 | | |
7058 | | static WC_INLINE int versionIsLessEqual(byte isDtls, byte a, byte b) |
7059 | 0 | { |
7060 | 0 | (void)isDtls; |
7061 | |
|
7062 | | #ifdef WOLFSSL_DTLS |
7063 | | /* DTLS version increases backwards (-1,-2,-3,etc) */ |
7064 | | if (isDtls) |
7065 | | return a >= b; |
7066 | | #endif /* WOLFSSL_DTLS */ |
7067 | |
|
7068 | 0 | return a <= b; |
7069 | 0 | } |
7070 | | |
7071 | | /* Return the size of the SupportedVersions extension's data. |
7072 | | * |
7073 | | * data The SSL/TLS object. |
7074 | | * msgType The type of the message this extension is being written into. |
7075 | | * returns the length of data that will be in the extension. |
7076 | | */ |
7077 | | static int TLSX_SupportedVersions_GetSize(void* data, byte msgType, word16* pSz) |
7078 | 0 | { |
7079 | 0 | WOLFSSL* ssl = (WOLFSSL*)data; |
7080 | 0 | byte tls13Minor, tls12Minor, tls11Minor, isDtls; |
7081 | |
|
7082 | 0 | isDtls = !!ssl->options.dtls; |
7083 | 0 | tls13Minor = (byte)(isDtls ? DTLSv1_3_MINOR : TLSv1_3_MINOR); |
7084 | 0 | tls12Minor = (byte)(isDtls ? DTLSv1_2_MINOR : TLSv1_2_MINOR); |
7085 | 0 | tls11Minor = (byte)(isDtls ? DTLS_MINOR : TLSv1_1_MINOR); |
7086 | | |
7087 | | /* unused on some configuration */ |
7088 | 0 | (void)tls12Minor; |
7089 | 0 | (void)tls13Minor; |
7090 | 0 | (void)tls11Minor; |
7091 | |
|
7092 | 0 | if (msgType == client_hello) { |
7093 | | /* TLS v1.2 and TLS v1.3 */ |
7094 | 0 | int cnt = 0; |
7095 | |
|
7096 | 0 | if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls13Minor) |
7097 | | #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ |
7098 | | defined(WOLFSSL_WPAS_SMALL) |
7099 | | && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == 0 |
7100 | | #endif |
7101 | 0 | ) { |
7102 | 0 | cnt++; |
7103 | 0 | } |
7104 | |
|
7105 | 0 | if (ssl->options.downgrade) { |
7106 | 0 | #ifndef WOLFSSL_NO_TLS12 |
7107 | 0 | if (versionIsLessEqual( |
7108 | 0 | isDtls, ssl->options.minDowngrade, tls12Minor) |
7109 | | #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ |
7110 | | defined(WOLFSSL_WPAS_SMALL) |
7111 | | && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == 0 |
7112 | | #endif |
7113 | 0 | ) { |
7114 | 0 | cnt++; |
7115 | 0 | } |
7116 | 0 | #endif |
7117 | | #ifndef NO_OLD_TLS |
7118 | | if (versionIsLessEqual( |
7119 | | isDtls, ssl->options.minDowngrade, tls11Minor) |
7120 | | #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ |
7121 | | defined(WOLFSSL_WPAS_SMALL) |
7122 | | && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == 0 |
7123 | | #endif |
7124 | | ) { |
7125 | | cnt++; |
7126 | | } |
7127 | | #ifdef WOLFSSL_ALLOW_TLSV10 |
7128 | | if (!ssl->options.dtls && (ssl->options.minDowngrade <= TLSv1_MINOR) |
7129 | | #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ |
7130 | | defined(WOLFSSL_WPAS_SMALL) |
7131 | | && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == 0 |
7132 | | #endif |
7133 | | ) { |
7134 | | cnt++; |
7135 | | } |
7136 | | #endif |
7137 | | #endif |
7138 | 0 | } |
7139 | |
|
7140 | 0 | *pSz += (word16)(OPAQUE8_LEN + cnt * OPAQUE16_LEN); |
7141 | 0 | } |
7142 | 0 | else if (msgType == server_hello || msgType == hello_retry_request) { |
7143 | 0 | *pSz += OPAQUE16_LEN; |
7144 | 0 | } |
7145 | 0 | else { |
7146 | 0 | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
7147 | 0 | return SANITY_MSG_E; |
7148 | 0 | } |
7149 | | |
7150 | 0 | return 0; |
7151 | 0 | } |
7152 | | |
7153 | | /* Writes the SupportedVersions extension into the buffer. |
7154 | | * |
7155 | | * data The SSL/TLS object. |
7156 | | * output The buffer to write the extension into. |
7157 | | * msgType The type of the message this extension is being written into. |
7158 | | * returns the length of data that was written. |
7159 | | */ |
7160 | | static int TLSX_SupportedVersions_Write(void* data, byte* output, |
7161 | | byte msgType, word16* pSz) |
7162 | 0 | { |
7163 | 0 | WOLFSSL* ssl = (WOLFSSL*)data; |
7164 | 0 | byte tls13minor, tls12minor, tls11minor, isDtls = 0; |
7165 | |
|
7166 | 0 | tls13minor = (byte)TLSv1_3_MINOR; |
7167 | 0 | tls12minor = (byte)TLSv1_2_MINOR; |
7168 | 0 | tls11minor = (byte)TLSv1_1_MINOR; |
7169 | | |
7170 | | /* unused in some configuration */ |
7171 | 0 | (void)tls11minor; |
7172 | 0 | (void)tls12minor; |
7173 | |
|
7174 | | #ifdef WOLFSSL_DTLS13 |
7175 | | if (ssl->options.dtls) { |
7176 | | tls13minor = (byte)DTLSv1_3_MINOR; |
7177 | | #ifndef WOLFSSL_NO_TLS12 |
7178 | | tls12minor = (byte)DTLSv1_2_MINOR; |
7179 | | #endif |
7180 | | #ifndef NO_OLD_TLS |
7181 | | tls11minor = (byte)DTLS_MINOR; |
7182 | | #endif |
7183 | | isDtls = 1; |
7184 | | } |
7185 | | #endif /* WOLFSSL_DTLS13 */ |
7186 | |
|
7187 | 0 | if (msgType == client_hello) { |
7188 | 0 | byte major = ssl->ctx->method->version.major; |
7189 | |
|
7190 | 0 | byte* cnt = output++; |
7191 | 0 | *cnt = 0; |
7192 | |
|
7193 | 0 | if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls13minor) |
7194 | | #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ |
7195 | | defined(WOLFSSL_WPAS_SMALL) |
7196 | | && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_3) == 0 |
7197 | | #endif |
7198 | 0 | ) { |
7199 | 0 | *cnt += OPAQUE16_LEN; |
7200 | | #ifdef WOLFSSL_TLS13_DRAFT |
7201 | | /* The TLS draft major number. */ |
7202 | | *(output++) = TLS_DRAFT_MAJOR; |
7203 | | /* Version of draft supported. */ |
7204 | | *(output++) = TLS_DRAFT_MINOR; |
7205 | | #else |
7206 | 0 | *(output++) = major; |
7207 | 0 | *(output++) = tls13minor; |
7208 | 0 | #endif |
7209 | 0 | } |
7210 | |
|
7211 | 0 | if (ssl->options.downgrade) { |
7212 | 0 | #ifndef WOLFSSL_NO_TLS12 |
7213 | 0 | if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls12minor) |
7214 | | #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ |
7215 | | defined(WOLFSSL_WPAS_SMALL) |
7216 | | && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) == 0 |
7217 | | #endif |
7218 | 0 | ) { |
7219 | 0 | *cnt += OPAQUE16_LEN; |
7220 | 0 | *(output++) = major; |
7221 | 0 | *(output++) = tls12minor; |
7222 | 0 | } |
7223 | 0 | #endif |
7224 | |
|
7225 | | #ifndef NO_OLD_TLS |
7226 | | if (versionIsLessEqual(isDtls, ssl->options.minDowngrade, tls11minor) |
7227 | | #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ |
7228 | | defined(WOLFSSL_WPAS_SMALL) |
7229 | | && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) == 0 |
7230 | | #endif |
7231 | | ) { |
7232 | | *cnt += OPAQUE16_LEN; |
7233 | | *(output++) = major; |
7234 | | *(output++) = tls11minor; |
7235 | | } |
7236 | | #ifdef WOLFSSL_ALLOW_TLSV10 |
7237 | | if (!ssl->options.dtls && (ssl->options.minDowngrade <= TLSv1_MINOR) |
7238 | | #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \ |
7239 | | defined(WOLFSSL_WPAS_SMALL) |
7240 | | && (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) == 0 |
7241 | | #endif |
7242 | | ) { |
7243 | | *cnt += OPAQUE16_LEN; |
7244 | | *(output++) = major; |
7245 | | *(output++) = (byte)TLSv1_MINOR; |
7246 | | } |
7247 | | #endif |
7248 | | #endif |
7249 | 0 | } |
7250 | |
|
7251 | 0 | *pSz += (word16)(OPAQUE8_LEN + *cnt); |
7252 | 0 | } |
7253 | 0 | else if (msgType == server_hello || msgType == hello_retry_request) { |
7254 | 0 | output[0] = ssl->version.major; |
7255 | 0 | output[1] = ssl->version.minor; |
7256 | |
|
7257 | 0 | *pSz += OPAQUE16_LEN; |
7258 | 0 | } |
7259 | 0 | else { |
7260 | 0 | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
7261 | 0 | return SANITY_MSG_E; |
7262 | 0 | } |
7263 | | |
7264 | 0 | return 0; |
7265 | 0 | } |
7266 | | |
7267 | | /* Parse the SupportedVersions extension. |
7268 | | * |
7269 | | * ssl The SSL/TLS object. |
7270 | | * input The buffer with the extension data. |
7271 | | * length The length of the extension data. |
7272 | | * msgType The type of the message this extension is being parsed from. |
7273 | | * pv The output ProtocolVersion for the negotiated version |
7274 | | * opts The output options structure. Can be NULL. |
7275 | | * exts The output extensions list. Can be NULL. |
7276 | | * returns 0 on success, otherwise failure. |
7277 | | */ |
7278 | | int TLSX_SupportedVersions_Parse(const WOLFSSL* ssl, const byte* input, |
7279 | | word16 length, byte msgType, ProtocolVersion* pv, Options* opts, |
7280 | | TLSX** exts) |
7281 | 0 | { |
7282 | | /* The client's greatest minor version that we support */ |
7283 | 0 | byte clientGreatestMinor = SSLv3_MINOR; |
7284 | 0 | int ret; |
7285 | 0 | byte major, minor; |
7286 | 0 | byte tls13minor, tls12minor; |
7287 | 0 | byte isDtls; |
7288 | |
|
7289 | 0 | tls13minor = TLSv1_3_MINOR; |
7290 | 0 | tls12minor = TLSv1_2_MINOR; |
7291 | 0 | isDtls = ssl->options.dtls == 1; |
7292 | |
|
7293 | | #ifdef WOLFSSL_DTLS13 |
7294 | | if (ssl->options.dtls) { |
7295 | | tls13minor = DTLSv1_3_MINOR; |
7296 | | tls12minor = DTLSv1_2_MINOR; |
7297 | | clientGreatestMinor = DTLS_MINOR; |
7298 | | } |
7299 | | #endif /* WOLFSSL_DTLS13 */ |
7300 | |
|
7301 | 0 | if (msgType == client_hello) { |
7302 | 0 | int i; |
7303 | 0 | int len; |
7304 | 0 | int set = 0; |
7305 | | |
7306 | | /* Must contain a length and at least one version. */ |
7307 | 0 | if (length < OPAQUE8_LEN + OPAQUE16_LEN || (length & 1) != 1 |
7308 | 0 | || length > MAX_SV_EXT_LEN) { |
7309 | 0 | return BUFFER_ERROR; |
7310 | 0 | } |
7311 | | |
7312 | 0 | len = *input; |
7313 | | |
7314 | | /* Protocol version array must fill rest of data. */ |
7315 | 0 | if (length != (word16)OPAQUE8_LEN + len) |
7316 | 0 | return BUFFER_ERROR; |
7317 | | |
7318 | 0 | input++; |
7319 | | |
7320 | | /* Find first match. */ |
7321 | 0 | for (i = 0; i < len; i += OPAQUE16_LEN) { |
7322 | 0 | major = input[i]; |
7323 | 0 | minor = input[i + OPAQUE8_LEN]; |
7324 | |
|
7325 | | #ifdef WOLFSSL_TLS13_DRAFT |
7326 | | if (major == TLS_DRAFT_MAJOR && minor == TLS_DRAFT_MINOR) { |
7327 | | major = SSLv3_MAJOR; |
7328 | | minor = TLSv1_3_MINOR; |
7329 | | } |
7330 | | #else |
7331 | 0 | if (major == TLS_DRAFT_MAJOR) |
7332 | 0 | continue; |
7333 | 0 | #endif |
7334 | | |
7335 | 0 | if (major != ssl->ctx->method->version.major) |
7336 | 0 | continue; |
7337 | | |
7338 | | /* No upgrade allowed. */ |
7339 | 0 | if (versionIsGreater(isDtls, minor, ssl->version.minor)) |
7340 | 0 | continue; |
7341 | | |
7342 | | /* Check downgrade. */ |
7343 | 0 | if (versionIsLesser(isDtls, minor, ssl->version.minor)) { |
7344 | 0 | if (!ssl->options.downgrade) |
7345 | 0 | continue; |
7346 | | |
7347 | 0 | if (versionIsLesser(isDtls, minor, ssl->options.minDowngrade)) |
7348 | 0 | continue; |
7349 | 0 | } |
7350 | 0 | if (versionIsGreater(isDtls, minor, clientGreatestMinor)) |
7351 | 0 | clientGreatestMinor = minor; |
7352 | |
|
7353 | 0 | set = 1; |
7354 | 0 | } |
7355 | 0 | if (!set) { |
7356 | | /* No common supported version was negotiated */ |
7357 | 0 | SendAlert((WOLFSSL*)ssl, alert_fatal, |
7358 | 0 | wolfssl_alert_protocol_version); |
7359 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
7360 | 0 | return VERSION_ERROR; |
7361 | 0 | } |
7362 | 0 | pv->minor = clientGreatestMinor; |
7363 | 0 | if (versionIsAtLeast(isDtls, clientGreatestMinor, tls13minor)) { |
7364 | 0 | if (opts != NULL) |
7365 | 0 | opts->tls1_3 = 1; |
7366 | | |
7367 | | /* TLS v1.3 requires supported version extension */ |
7368 | 0 | if (exts != NULL && |
7369 | 0 | TLSX_Find(*exts, TLSX_SUPPORTED_VERSIONS) == NULL) { |
7370 | 0 | ret = TLSX_Push(exts, |
7371 | 0 | TLSX_SUPPORTED_VERSIONS, ssl, ssl->heap); |
7372 | 0 | if (ret != 0) { |
7373 | 0 | return ret; |
7374 | 0 | } |
7375 | | /* *exts should be pointing to the TLSX_SUPPORTED_VERSIONS |
7376 | | * ext in the list since it was pushed. */ |
7377 | 0 | (*exts)->resp = 1; |
7378 | 0 | } |
7379 | 0 | } |
7380 | |
|
7381 | 0 | } |
7382 | 0 | else if (msgType == server_hello || msgType == hello_retry_request) { |
7383 | | /* Must contain one version. */ |
7384 | 0 | if (length != OPAQUE16_LEN) |
7385 | 0 | return BUFFER_ERROR; |
7386 | | |
7387 | 0 | major = input[0]; |
7388 | 0 | minor = input[OPAQUE8_LEN]; |
7389 | |
|
7390 | 0 | if (major != ssl->ctx->method->version.major) { |
7391 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
7392 | 0 | return VERSION_ERROR; |
7393 | 0 | } |
7394 | | |
7395 | | /* Can't downgrade with this extension below TLS v1.3. */ |
7396 | 0 | if (versionIsLesser(isDtls, minor, tls13minor)) { |
7397 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
7398 | 0 | return VERSION_ERROR; |
7399 | 0 | } |
7400 | | |
7401 | | /* Version is TLS v1.2 to handle downgrading from TLS v1.3+. */ |
7402 | 0 | if (ssl->options.downgrade && ssl->version.minor == tls12minor) { |
7403 | | /* Set minor version back to TLS v1.3+ */ |
7404 | 0 | pv->minor = ssl->ctx->method->version.minor; |
7405 | 0 | } |
7406 | | |
7407 | | /* No upgrade allowed. */ |
7408 | 0 | if (versionIsLesser(isDtls, ssl->version.minor, minor)) { |
7409 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
7410 | 0 | return VERSION_ERROR; |
7411 | 0 | } |
7412 | | |
7413 | | /* Check downgrade. */ |
7414 | 0 | if (versionIsGreater(isDtls, ssl->version.minor, minor)) { |
7415 | 0 | if (!ssl->options.downgrade) { |
7416 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
7417 | 0 | return VERSION_ERROR; |
7418 | 0 | } |
7419 | | |
7420 | 0 | if (versionIsLesser( |
7421 | 0 | isDtls, minor, ssl->options.minDowngrade)) { |
7422 | 0 | WOLFSSL_ERROR_VERBOSE(VERSION_ERROR); |
7423 | 0 | return VERSION_ERROR; |
7424 | 0 | } |
7425 | | |
7426 | | /* Downgrade the version. */ |
7427 | 0 | pv->minor = minor; |
7428 | 0 | } |
7429 | 0 | } |
7430 | 0 | else { |
7431 | 0 | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
7432 | 0 | return SANITY_MSG_E; |
7433 | 0 | } |
7434 | | |
7435 | 0 | return 0; |
7436 | 0 | } |
7437 | | |
7438 | | /* Sets a new SupportedVersions extension into the extension list. |
7439 | | * |
7440 | | * extensions The list of extensions. |
7441 | | * data The extensions specific data. |
7442 | | * heap The heap used for allocation. |
7443 | | * returns 0 on success, otherwise failure. |
7444 | | */ |
7445 | | static int TLSX_SetSupportedVersions(TLSX** extensions, const void* data, |
7446 | | void* heap) |
7447 | 0 | { |
7448 | 0 | if (extensions == NULL || data == NULL) |
7449 | 0 | return BAD_FUNC_ARG; |
7450 | | |
7451 | 0 | return TLSX_Push(extensions, TLSX_SUPPORTED_VERSIONS, data, heap); |
7452 | 0 | } |
7453 | | |
7454 | 0 | #define SV_GET_SIZE TLSX_SupportedVersions_GetSize |
7455 | 0 | #define SV_WRITE TLSX_SupportedVersions_Write |
7456 | 0 | #define SV_PARSE TLSX_SupportedVersions_Parse |
7457 | | |
7458 | | #else |
7459 | | |
7460 | | #define SV_GET_SIZE(a, b, c) 0 |
7461 | | #define SV_WRITE(a, b, c, d) 0 |
7462 | | #define SV_PARSE(a, b, c, d, e, f, g) 0 |
7463 | | |
7464 | | #endif /* WOLFSSL_TLS13 */ |
7465 | | |
7466 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SEND_HRR_COOKIE) |
7467 | | |
7468 | | /******************************************************************************/ |
7469 | | /* Cookie */ |
7470 | | /******************************************************************************/ |
7471 | | |
7472 | | /* Free the cookie data. |
7473 | | * |
7474 | | * cookie Cookie data. |
7475 | | * heap The heap used for allocation. |
7476 | | */ |
7477 | | static void TLSX_Cookie_FreeAll(Cookie* cookie, void* heap) |
7478 | | { |
7479 | | (void)heap; |
7480 | | |
7481 | | XFREE(cookie, heap, DYNAMIC_TYPE_TLSX); |
7482 | | } |
7483 | | |
7484 | | /* Get the size of the encoded Cookie extension. |
7485 | | * In messages: ClientHello and HelloRetryRequest. |
7486 | | * |
7487 | | * cookie The cookie to write. |
7488 | | * msgType The type of the message this extension is being written into. |
7489 | | * returns the number of bytes of the encoded Cookie extension. |
7490 | | */ |
7491 | | static int TLSX_Cookie_GetSize(Cookie* cookie, byte msgType, word16* pSz) |
7492 | | { |
7493 | | if (msgType == client_hello || msgType == hello_retry_request) { |
7494 | | *pSz += OPAQUE16_LEN + cookie->len; |
7495 | | } |
7496 | | else { |
7497 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
7498 | | return SANITY_MSG_E; |
7499 | | } |
7500 | | return 0; |
7501 | | } |
7502 | | |
7503 | | /* Writes the Cookie extension into the output buffer. |
7504 | | * Assumes that the the output buffer is big enough to hold data. |
7505 | | * In messages: ClientHello and HelloRetryRequest. |
7506 | | * |
7507 | | * cookie The cookie to write. |
7508 | | * output The buffer to write into. |
7509 | | * msgType The type of the message this extension is being written into. |
7510 | | * returns the number of bytes written into the buffer. |
7511 | | */ |
7512 | | static int TLSX_Cookie_Write(Cookie* cookie, byte* output, byte msgType, |
7513 | | word16* pSz) |
7514 | | { |
7515 | | if (msgType == client_hello || msgType == hello_retry_request) { |
7516 | | c16toa(cookie->len, output); |
7517 | | output += OPAQUE16_LEN; |
7518 | | XMEMCPY(output, cookie->data, cookie->len); |
7519 | | *pSz += OPAQUE16_LEN + cookie->len; |
7520 | | } |
7521 | | else { |
7522 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
7523 | | return SANITY_MSG_E; |
7524 | | } |
7525 | | return 0; |
7526 | | } |
7527 | | |
7528 | | /* Parse the Cookie extension. |
7529 | | * In messages: ClientHello and HelloRetryRequest. |
7530 | | * |
7531 | | * ssl The SSL/TLS object. |
7532 | | * input The extension data. |
7533 | | * length The length of the extension data. |
7534 | | * msgType The type of the message this extension is being parsed from. |
7535 | | * returns 0 on success and other values indicate failure. |
7536 | | */ |
7537 | | static int TLSX_Cookie_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
7538 | | byte msgType) |
7539 | | { |
7540 | | word16 len; |
7541 | | word16 idx = 0; |
7542 | | TLSX* extension; |
7543 | | Cookie* cookie; |
7544 | | |
7545 | | if (msgType != client_hello && msgType != hello_retry_request) { |
7546 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
7547 | | return SANITY_MSG_E; |
7548 | | } |
7549 | | |
7550 | | /* Message contains length and Cookie which must be at least one byte |
7551 | | * in length. |
7552 | | */ |
7553 | | if (length < OPAQUE16_LEN + 1) |
7554 | | return BUFFER_E; |
7555 | | ato16(input + idx, &len); |
7556 | | idx += OPAQUE16_LEN; |
7557 | | if (length - idx != len) |
7558 | | return BUFFER_E; |
7559 | | |
7560 | | if (msgType == hello_retry_request) { |
7561 | | ssl->options.hrrSentCookie = 1; |
7562 | | return TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 1, |
7563 | | &ssl->extensions); |
7564 | | } |
7565 | | |
7566 | | /* client_hello */ |
7567 | | extension = TLSX_Find(ssl->extensions, TLSX_COOKIE); |
7568 | | if (extension == NULL) { |
7569 | | #ifdef WOLFSSL_DTLS13 |
7570 | | if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) |
7571 | | /* Allow a cookie extension with DTLS 1.3 because it is possible |
7572 | | * that a different SSL instance sent the cookie but we are now |
7573 | | * receiving it. */ |
7574 | | return TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 0, |
7575 | | &ssl->extensions); |
7576 | | else |
7577 | | #endif |
7578 | | { |
7579 | | WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR); |
7580 | | return HRR_COOKIE_ERROR; |
7581 | | } |
7582 | | } |
7583 | | |
7584 | | cookie = (Cookie*)extension->data; |
7585 | | if (cookie->len != len || XMEMCMP(cookie->data, input + idx, len) != 0) { |
7586 | | WOLFSSL_ERROR_VERBOSE(HRR_COOKIE_ERROR); |
7587 | | return HRR_COOKIE_ERROR; |
7588 | | } |
7589 | | |
7590 | | /* Request seen. */ |
7591 | | extension->resp = 0; |
7592 | | |
7593 | | return 0; |
7594 | | } |
7595 | | |
7596 | | /* Use the data to create a new Cookie object in the extensions. |
7597 | | * |
7598 | | * ssl SSL/TLS object. |
7599 | | * data Cookie data. |
7600 | | * len Length of cookie data in bytes. |
7601 | | * mac MAC data. |
7602 | | * macSz Length of MAC data in bytes. |
7603 | | * resp Indicates the extension will go into a response (HelloRetryRequest). |
7604 | | * returns 0 on success and other values indicate failure. |
7605 | | */ |
7606 | | int TLSX_Cookie_Use(const WOLFSSL* ssl, const byte* data, word16 len, byte* mac, |
7607 | | byte macSz, int resp, TLSX** exts) |
7608 | | { |
7609 | | int ret = 0; |
7610 | | TLSX* extension; |
7611 | | Cookie* cookie; |
7612 | | |
7613 | | /* Find the cookie extension if it exists. */ |
7614 | | extension = TLSX_Find(*exts, TLSX_COOKIE); |
7615 | | if (extension == NULL) { |
7616 | | /* Push new cookie extension. */ |
7617 | | ret = TLSX_Push(exts, TLSX_COOKIE, NULL, ssl->heap); |
7618 | | if (ret != 0) |
7619 | | return ret; |
7620 | | |
7621 | | extension = TLSX_Find(*exts, TLSX_COOKIE); |
7622 | | if (extension == NULL) |
7623 | | return MEMORY_E; |
7624 | | } |
7625 | | |
7626 | | cookie = (Cookie*)XMALLOC(sizeof(Cookie) + len + macSz, ssl->heap, |
7627 | | DYNAMIC_TYPE_TLSX); |
7628 | | if (cookie == NULL) |
7629 | | return MEMORY_E; |
7630 | | |
7631 | | cookie->len = len + macSz; |
7632 | | XMEMCPY(cookie->data, data, len); |
7633 | | if (mac != NULL) |
7634 | | XMEMCPY(cookie->data + len, mac, macSz); |
7635 | | |
7636 | | XFREE(extension->data, ssl->heap, DYNAMIC_TYPE_TLSX); |
7637 | | |
7638 | | extension->data = (void*)cookie; |
7639 | | extension->resp = (byte)resp; |
7640 | | |
7641 | | return 0; |
7642 | | } |
7643 | | |
7644 | | #define CKE_FREE_ALL TLSX_Cookie_FreeAll |
7645 | | #define CKE_GET_SIZE TLSX_Cookie_GetSize |
7646 | | #define CKE_WRITE TLSX_Cookie_Write |
7647 | | #define CKE_PARSE TLSX_Cookie_Parse |
7648 | | |
7649 | | #else |
7650 | | |
7651 | 0 | #define CKE_FREE_ALL(a, b) WC_DO_NOTHING |
7652 | 0 | #define CKE_GET_SIZE(a, b, c) 0 |
7653 | 0 | #define CKE_WRITE(a, b, c, d) 0 |
7654 | 0 | #define CKE_PARSE(a, b, c, d) 0 |
7655 | | |
7656 | | #endif |
7657 | | |
7658 | | #if defined(WOLFSSL_TLS13) && !defined(NO_CERTS) && \ |
7659 | | !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA) |
7660 | | /* Currently only settable through compatibility API */ |
7661 | | /******************************************************************************/ |
7662 | | /* Certificate Authorities */ |
7663 | | /******************************************************************************/ |
7664 | | |
7665 | | static word16 TLSX_CA_Names_GetSize(void* data) |
7666 | | { |
7667 | | WOLFSSL* ssl = (WOLFSSL*)data; |
7668 | | WOLF_STACK_OF(WOLFSSL_X509_NAME)* names; |
7669 | | word32 size = 0; |
7670 | | |
7671 | | /* Length of names */ |
7672 | | size += OPAQUE16_LEN; |
7673 | | for (names = SSL_PRIORITY_CA_NAMES(ssl); names != NULL; names = names->next) { |
7674 | | byte seq[MAX_SEQ_SZ]; |
7675 | | WOLFSSL_X509_NAME* name = names->data.name; |
7676 | | |
7677 | | if (name != NULL) { |
7678 | | /* 16-bit length | SEQ | Len | DER of name */ |
7679 | | size += (word32)(OPAQUE16_LEN + SetSequence(name->rawLen, seq) + |
7680 | | name->rawLen); |
7681 | | if (size > WOLFSSL_MAX_16BIT) { |
7682 | | return 0; |
7683 | | } |
7684 | | } |
7685 | | } |
7686 | | return (word16)size; |
7687 | | } |
7688 | | |
7689 | | static word16 TLSX_CA_Names_Write(void* data, byte* output) |
7690 | | { |
7691 | | WOLFSSL* ssl = (WOLFSSL*)data; |
7692 | | WOLF_STACK_OF(WOLFSSL_X509_NAME)* names; |
7693 | | byte* len; |
7694 | | |
7695 | | /* Reserve space for the length value */ |
7696 | | len = output; |
7697 | | output += OPAQUE16_LEN; |
7698 | | for (names = SSL_PRIORITY_CA_NAMES(ssl); names != NULL; names = names->next) { |
7699 | | byte seq[MAX_SEQ_SZ]; |
7700 | | WOLFSSL_X509_NAME* name = names->data.name; |
7701 | | |
7702 | | if (name != NULL) { |
7703 | | c16toa((word16)name->rawLen + |
7704 | | (word16)SetSequence(name->rawLen, seq), output); |
7705 | | output += OPAQUE16_LEN; |
7706 | | output += SetSequence(name->rawLen, output); |
7707 | | XMEMCPY(output, name->raw, name->rawLen); |
7708 | | output += name->rawLen; |
7709 | | } |
7710 | | } |
7711 | | /* Write the total length */ |
7712 | | c16toa((word16)(output - len - OPAQUE16_LEN), len); |
7713 | | return (word16)(output - len); |
7714 | | } |
7715 | | |
7716 | | static int TLSX_CA_Names_Parse(WOLFSSL *ssl, const byte* input, |
7717 | | word16 length, byte isRequest) |
7718 | | { |
7719 | | word16 extLen; |
7720 | | |
7721 | | (void)isRequest; |
7722 | | |
7723 | | wolfSSL_sk_X509_NAME_pop_free(ssl->peer_ca_names, NULL); |
7724 | | ssl->peer_ca_names = wolfSSL_sk_X509_NAME_new(NULL); |
7725 | | if (ssl->peer_ca_names == NULL) |
7726 | | return MEMORY_ERROR; |
7727 | | |
7728 | | if (length < OPAQUE16_LEN) |
7729 | | return BUFFER_ERROR; |
7730 | | |
7731 | | ato16(input, &extLen); |
7732 | | input += OPAQUE16_LEN; |
7733 | | length -= OPAQUE16_LEN; |
7734 | | if (extLen != length) |
7735 | | return BUFFER_ERROR; |
7736 | | |
7737 | | while (length) { |
7738 | | word16 idx = 0; |
7739 | | WOLFSSL_X509_NAME* name = NULL; |
7740 | | int ret = 0; |
7741 | | int didInit = FALSE; |
7742 | | /* Use a DecodedCert struct to get access to GetName to |
7743 | | * parse DN name */ |
7744 | | #ifdef WOLFSSL_SMALL_STACK |
7745 | | DecodedCert *cert = (DecodedCert *)XMALLOC( |
7746 | | sizeof(*cert), ssl->heap, DYNAMIC_TYPE_DCERT); |
7747 | | if (cert == NULL) |
7748 | | return MEMORY_ERROR; |
7749 | | #else |
7750 | | DecodedCert cert[1]; |
7751 | | #endif |
7752 | | |
7753 | | if (length < OPAQUE16_LEN) { |
7754 | | ret = BUFFER_ERROR; |
7755 | | } |
7756 | | |
7757 | | if (ret == 0) { |
7758 | | ato16(input, &extLen); |
7759 | | idx += OPAQUE16_LEN; |
7760 | | |
7761 | | if (extLen > length - idx) |
7762 | | ret = BUFFER_ERROR; |
7763 | | } |
7764 | | |
7765 | | if (ret == 0) { |
7766 | | InitDecodedCert(cert, input + idx, extLen, ssl->heap); |
7767 | | didInit = TRUE; |
7768 | | idx += extLen; |
7769 | | ret = GetName(cert, ASN_SUBJECT, extLen); |
7770 | | } |
7771 | | |
7772 | | if (ret == 0 && (name = wolfSSL_X509_NAME_new()) == NULL) |
7773 | | ret = MEMORY_ERROR; |
7774 | | |
7775 | | if (ret == 0) { |
7776 | | CopyDecodedName(name, cert, ASN_SUBJECT); |
7777 | | if (wolfSSL_sk_X509_NAME_push(ssl->peer_ca_names, name) <= 0) { |
7778 | | wolfSSL_X509_NAME_free(name); |
7779 | | ret = MEMORY_ERROR; |
7780 | | } |
7781 | | } |
7782 | | |
7783 | | if (didInit) |
7784 | | FreeDecodedCert(cert); |
7785 | | |
7786 | | WC_FREE_VAR_EX(cert, ssl->heap, DYNAMIC_TYPE_DCERT); |
7787 | | if (ret != 0) |
7788 | | return ret; |
7789 | | |
7790 | | input += idx; |
7791 | | length -= idx; |
7792 | | } |
7793 | | return 0; |
7794 | | } |
7795 | | |
7796 | | #define CAN_GET_SIZE(data) TLSX_CA_Names_GetSize(data) |
7797 | | #define CAN_WRITE(data, output) TLSX_CA_Names_Write(data, output) |
7798 | | #define CAN_PARSE(ssl, input, length, isRequest) \ |
7799 | | TLSX_CA_Names_Parse(ssl, input, length, isRequest) |
7800 | | |
7801 | | #else |
7802 | | |
7803 | | #define CAN_GET_SIZE(data) 0 |
7804 | | #define CAN_WRITE(data, output) 0 |
7805 | | #define CAN_PARSE(ssl, input, length, isRequest) 0 |
7806 | | |
7807 | | #endif |
7808 | | |
7809 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
7810 | | /******************************************************************************/ |
7811 | | /* Signature Algorithms */ |
7812 | | /******************************************************************************/ |
7813 | | |
7814 | | /* Return the size of the SignatureAlgorithms extension's data. |
7815 | | * |
7816 | | * data Unused |
7817 | | * returns the length of data that will be in the extension. |
7818 | | */ |
7819 | | |
7820 | | static word16 TLSX_SignatureAlgorithms_GetSize(void* data) |
7821 | 0 | { |
7822 | 0 | SignatureAlgorithms* sa = (SignatureAlgorithms*)data; |
7823 | |
|
7824 | 0 | if (sa->hashSigAlgoSz == 0) |
7825 | 0 | return OPAQUE16_LEN + WOLFSSL_SUITES(sa->ssl)->hashSigAlgoSz; |
7826 | 0 | else |
7827 | 0 | return OPAQUE16_LEN + sa->hashSigAlgoSz; |
7828 | 0 | } |
7829 | | |
7830 | | /* Creates a bit string of supported hash algorithms with RSA PSS. |
7831 | | * The bit string is used when determining which signature algorithm to use |
7832 | | * when creating the CertificateVerify message. |
7833 | | * Note: Valid data has an even length as each signature algorithm is two bytes. |
7834 | | * |
7835 | | * ssl The SSL/TLS object. |
7836 | | * input The buffer with the list of supported signature algorithms. |
7837 | | * length The length of the list in bytes. |
7838 | | * returns 0 on success, BUFFER_ERROR when the length is not even. |
7839 | | */ |
7840 | | static int TLSX_SignatureAlgorithms_MapPss(WOLFSSL *ssl, const byte* input, |
7841 | | word16 length) |
7842 | 0 | { |
7843 | 0 | word16 i; |
7844 | |
|
7845 | 0 | if ((length & 1) == 1) |
7846 | 0 | return BUFFER_ERROR; |
7847 | | |
7848 | 0 | ssl->pssAlgo = 0; |
7849 | 0 | for (i = 0; i < length; i += 2) { |
7850 | 0 | if (input[i] == rsa_pss_sa_algo && input[i + 1] <= sha512_mac) |
7851 | 0 | ssl->pssAlgo |= 1 << input[i + 1]; |
7852 | 0 | #ifdef WOLFSSL_TLS13 |
7853 | 0 | if (input[i] == rsa_pss_sa_algo && input[i + 1] >= pss_sha256 && |
7854 | 0 | input[i + 1] <= pss_sha512) { |
7855 | 0 | ssl->pssAlgo |= 1 << input[i + 1]; |
7856 | 0 | } |
7857 | 0 | #endif |
7858 | 0 | } |
7859 | |
|
7860 | 0 | return 0; |
7861 | 0 | } |
7862 | | |
7863 | | /* Writes the SignatureAlgorithms extension into the buffer. |
7864 | | * |
7865 | | * data Unused |
7866 | | * output The buffer to write the extension into. |
7867 | | * returns the length of data that was written. |
7868 | | */ |
7869 | | static word16 TLSX_SignatureAlgorithms_Write(void* data, byte* output) |
7870 | 0 | { |
7871 | 0 | SignatureAlgorithms* sa = (SignatureAlgorithms*)data; |
7872 | 0 | const Suites* suites = WOLFSSL_SUITES(sa->ssl); |
7873 | 0 | word16 hashSigAlgoSz; |
7874 | |
|
7875 | 0 | if (sa->hashSigAlgoSz == 0) { |
7876 | 0 | c16toa(suites->hashSigAlgoSz, output); |
7877 | 0 | XMEMCPY(output + OPAQUE16_LEN, suites->hashSigAlgo, |
7878 | 0 | suites->hashSigAlgoSz); |
7879 | 0 | hashSigAlgoSz = suites->hashSigAlgoSz; |
7880 | 0 | } |
7881 | 0 | else { |
7882 | 0 | c16toa(sa->hashSigAlgoSz, output); |
7883 | 0 | XMEMCPY(output + OPAQUE16_LEN, sa->hashSigAlgo, |
7884 | 0 | sa->hashSigAlgoSz); |
7885 | 0 | hashSigAlgoSz = sa->hashSigAlgoSz; |
7886 | 0 | } |
7887 | |
|
7888 | 0 | #ifndef NO_RSA |
7889 | 0 | TLSX_SignatureAlgorithms_MapPss(sa->ssl, output + OPAQUE16_LEN, |
7890 | 0 | hashSigAlgoSz); |
7891 | 0 | #endif |
7892 | |
|
7893 | 0 | return OPAQUE16_LEN + hashSigAlgoSz; |
7894 | 0 | } |
7895 | | |
7896 | | /* Parse the SignatureAlgorithms extension. |
7897 | | * |
7898 | | * ssl The SSL/TLS object. |
7899 | | * input The buffer with the extension data. |
7900 | | * length The length of the extension data. |
7901 | | * returns 0 on success, otherwise failure. |
7902 | | */ |
7903 | | static int TLSX_SignatureAlgorithms_Parse(WOLFSSL *ssl, const byte* input, |
7904 | | word16 length, byte isRequest, Suites* suites) |
7905 | 0 | { |
7906 | 0 | word16 len; |
7907 | |
|
7908 | 0 | if (!isRequest) |
7909 | 0 | return BUFFER_ERROR; |
7910 | | |
7911 | | /* Must contain a length and at least algorithm. */ |
7912 | 0 | if (length < OPAQUE16_LEN + OPAQUE16_LEN || (length & 1) != 0) |
7913 | 0 | return BUFFER_ERROR; |
7914 | | |
7915 | 0 | ato16(input, &len); |
7916 | 0 | input += OPAQUE16_LEN; |
7917 | | |
7918 | | /* Algorithm array must fill rest of data. */ |
7919 | 0 | if (length != OPAQUE16_LEN + len) |
7920 | 0 | return BUFFER_ERROR; |
7921 | | |
7922 | | /* Truncate hashSigAlgo list if too long. */ |
7923 | 0 | suites->hashSigAlgoSz = len; |
7924 | | /* Sig Algo list size must be even. */ |
7925 | 0 | if (suites->hashSigAlgoSz % 2 != 0) |
7926 | 0 | return BUFFER_ERROR; |
7927 | 0 | if (suites->hashSigAlgoSz > WOLFSSL_MAX_SIGALGO) { |
7928 | 0 | WOLFSSL_MSG("TLSX SigAlgo list exceeds max, truncating"); |
7929 | 0 | suites->hashSigAlgoSz = WOLFSSL_MAX_SIGALGO; |
7930 | 0 | } |
7931 | 0 | XMEMCPY(suites->hashSigAlgo, input, suites->hashSigAlgoSz); |
7932 | |
|
7933 | 0 | return TLSX_SignatureAlgorithms_MapPss(ssl, input, suites->hashSigAlgoSz); |
7934 | 0 | } |
7935 | | |
7936 | | /* Sets a new SignatureAlgorithms extension into the extension list. |
7937 | | * |
7938 | | * extensions The list of extensions. |
7939 | | * data The extensions specific data. |
7940 | | * heap The heap used for allocation. |
7941 | | * returns 0 on success, otherwise failure. |
7942 | | */ |
7943 | | static int TLSX_SetSignatureAlgorithms(TLSX** extensions, WOLFSSL* ssl, |
7944 | | void* heap) |
7945 | 0 | { |
7946 | 0 | SignatureAlgorithms* sa; |
7947 | 0 | int ret; |
7948 | |
|
7949 | 0 | if (extensions == NULL) |
7950 | 0 | return BAD_FUNC_ARG; |
7951 | | |
7952 | | /* Already present */ |
7953 | 0 | if (TLSX_Find(*extensions, TLSX_SIGNATURE_ALGORITHMS) != NULL) |
7954 | 0 | return 0; |
7955 | | |
7956 | 0 | sa = TLSX_SignatureAlgorithms_New(ssl, 0, heap); |
7957 | 0 | if (sa == NULL) |
7958 | 0 | return MEMORY_ERROR; |
7959 | | |
7960 | 0 | ret = TLSX_Push(extensions, TLSX_SIGNATURE_ALGORITHMS, sa, heap); |
7961 | 0 | if (ret != 0) |
7962 | 0 | TLSX_SignatureAlgorithms_FreeAll(sa, heap); |
7963 | 0 | return ret; |
7964 | 0 | } |
7965 | | |
7966 | | SignatureAlgorithms* TLSX_SignatureAlgorithms_New(WOLFSSL* ssl, |
7967 | | word16 hashSigAlgoSz, void* heap) |
7968 | 0 | { |
7969 | 0 | SignatureAlgorithms* sa; |
7970 | 0 | (void)heap; |
7971 | |
|
7972 | 0 | sa = (SignatureAlgorithms*)XMALLOC(sizeof(*sa) + hashSigAlgoSz, heap, |
7973 | 0 | DYNAMIC_TYPE_TLSX); |
7974 | 0 | if (sa != NULL) { |
7975 | 0 | XMEMSET(sa, 0, sizeof(*sa) + hashSigAlgoSz); |
7976 | 0 | sa->ssl = ssl; |
7977 | 0 | sa->hashSigAlgoSz = hashSigAlgoSz; |
7978 | 0 | } |
7979 | 0 | return sa; |
7980 | 0 | } |
7981 | | |
7982 | | void TLSX_SignatureAlgorithms_FreeAll(SignatureAlgorithms* sa, |
7983 | | void* heap) |
7984 | 0 | { |
7985 | 0 | XFREE(sa, heap, DYNAMIC_TYPE_TLSX); |
7986 | 0 | (void)heap; |
7987 | 0 | } |
7988 | | |
7989 | 0 | #define SA_GET_SIZE TLSX_SignatureAlgorithms_GetSize |
7990 | 0 | #define SA_WRITE TLSX_SignatureAlgorithms_Write |
7991 | 0 | #define SA_PARSE TLSX_SignatureAlgorithms_Parse |
7992 | 0 | #define SA_FREE_ALL TLSX_SignatureAlgorithms_FreeAll |
7993 | | #endif |
7994 | | /******************************************************************************/ |
7995 | | /* Signature Algorithms Certificate */ |
7996 | | /******************************************************************************/ |
7997 | | |
7998 | | #if defined(WOLFSSL_TLS13) && !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
7999 | | /* Return the size of the SignatureAlgorithms extension's data. |
8000 | | * |
8001 | | * data Unused |
8002 | | * returns the length of data that will be in the extension. |
8003 | | */ |
8004 | | static word16 TLSX_SignatureAlgorithmsCert_GetSize(void* data) |
8005 | 0 | { |
8006 | 0 | WOLFSSL* ssl = (WOLFSSL*)data; |
8007 | |
|
8008 | 0 | return OPAQUE16_LEN + ssl->certHashSigAlgoSz; |
8009 | 0 | } |
8010 | | |
8011 | | /* Writes the SignatureAlgorithmsCert extension into the buffer. |
8012 | | * |
8013 | | * data Unused |
8014 | | * output The buffer to write the extension into. |
8015 | | * returns the length of data that was written. |
8016 | | */ |
8017 | | static word16 TLSX_SignatureAlgorithmsCert_Write(void* data, byte* output) |
8018 | 0 | { |
8019 | 0 | WOLFSSL* ssl = (WOLFSSL*)data; |
8020 | |
|
8021 | 0 | c16toa(ssl->certHashSigAlgoSz, output); |
8022 | 0 | XMEMCPY(output + OPAQUE16_LEN, ssl->certHashSigAlgo, |
8023 | 0 | ssl->certHashSigAlgoSz); |
8024 | |
|
8025 | 0 | return OPAQUE16_LEN + ssl->certHashSigAlgoSz; |
8026 | 0 | } |
8027 | | |
8028 | | /* Parse the SignatureAlgorithmsCert extension. |
8029 | | * |
8030 | | * ssl The SSL/TLS object. |
8031 | | * input The buffer with the extension data. |
8032 | | * length The length of the extension data. |
8033 | | * returns 0 on success, otherwise failure. |
8034 | | */ |
8035 | | static int TLSX_SignatureAlgorithmsCert_Parse(WOLFSSL *ssl, const byte* input, |
8036 | | word16 length, byte isRequest) |
8037 | 0 | { |
8038 | 0 | word16 len; |
8039 | |
|
8040 | 0 | if (!isRequest) |
8041 | 0 | return BUFFER_ERROR; |
8042 | | |
8043 | | /* Must contain a length and at least algorithm. */ |
8044 | 0 | if (length < OPAQUE16_LEN + OPAQUE16_LEN || (length & 1) != 0) |
8045 | 0 | return BUFFER_ERROR; |
8046 | | |
8047 | 0 | ato16(input, &len); |
8048 | 0 | input += OPAQUE16_LEN; |
8049 | | |
8050 | | /* Algorithm array must fill rest of data. */ |
8051 | 0 | if (length != OPAQUE16_LEN + len) |
8052 | 0 | return BUFFER_ERROR; |
8053 | | |
8054 | | /* truncate hashSigAlgo list if too long */ |
8055 | 0 | ssl->certHashSigAlgoSz = len; |
8056 | 0 | if (ssl->certHashSigAlgoSz > WOLFSSL_MAX_SIGALGO) { |
8057 | 0 | WOLFSSL_MSG("TLSX SigAlgo list exceeds max, truncating"); |
8058 | 0 | ssl->certHashSigAlgoSz = WOLFSSL_MAX_SIGALGO; |
8059 | 0 | } |
8060 | 0 | XMEMCPY(ssl->certHashSigAlgo, input, ssl->certHashSigAlgoSz); |
8061 | |
|
8062 | 0 | return 0; |
8063 | 0 | } |
8064 | | |
8065 | | /* Sets a new SignatureAlgorithmsCert extension into the extension list. |
8066 | | * |
8067 | | * extensions The list of extensions. |
8068 | | * data The extensions specific data. |
8069 | | * heap The heap used for allocation. |
8070 | | * returns 0 on success, otherwise failure. |
8071 | | */ |
8072 | | static int TLSX_SetSignatureAlgorithmsCert(TLSX** extensions, |
8073 | | const WOLFSSL* data, void* heap) |
8074 | 0 | { |
8075 | 0 | if (extensions == NULL) |
8076 | 0 | return BAD_FUNC_ARG; |
8077 | | |
8078 | 0 | return TLSX_Push(extensions, TLSX_SIGNATURE_ALGORITHMS_CERT, data, heap); |
8079 | 0 | } |
8080 | | |
8081 | 0 | #define SAC_GET_SIZE TLSX_SignatureAlgorithmsCert_GetSize |
8082 | 0 | #define SAC_WRITE TLSX_SignatureAlgorithmsCert_Write |
8083 | 0 | #define SAC_PARSE TLSX_SignatureAlgorithmsCert_Parse |
8084 | | #endif /* WOLFSSL_TLS13 */ |
8085 | | |
8086 | | |
8087 | | /******************************************************************************/ |
8088 | | /* Key Share */ |
8089 | | /******************************************************************************/ |
8090 | | |
8091 | | #ifndef MAX_KEYSHARE_NAMED_GROUPS |
8092 | | #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \ |
8093 | | !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) |
8094 | 0 | #define MAX_KEYSHARE_NAMED_GROUPS 24 |
8095 | | #else |
8096 | | #define MAX_KEYSHARE_NAMED_GROUPS 12 |
8097 | | #endif |
8098 | | #endif |
8099 | | |
8100 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES) |
8101 | | /* Create a key share entry using named Diffie-Hellman parameters group. |
8102 | | * Generates a key pair. |
8103 | | * |
8104 | | * ssl The SSL/TLS object. |
8105 | | * kse The key share entry object. |
8106 | | * returns 0 on success, otherwise failure. |
8107 | | */ |
8108 | | static int TLSX_KeyShare_GenDhKey(WOLFSSL *ssl, KeyShareEntry* kse) |
8109 | 0 | { |
8110 | 0 | int ret = 0; |
8111 | 0 | #if !defined(NO_DH) && (!defined(NO_CERTS) || !defined(NO_PSK)) |
8112 | 0 | word32 pSz = 0, pvtSz = 0; |
8113 | 0 | DhKey* dhKey = (DhKey*)kse->key; |
8114 | | |
8115 | | /* Pick the parameters from the named group. */ |
8116 | 0 | #ifdef HAVE_PUBLIC_FFDHE |
8117 | 0 | const DhParams* params = NULL; |
8118 | 0 | switch (kse->group) { |
8119 | 0 | #ifdef HAVE_FFDHE_2048 |
8120 | 0 | case WOLFSSL_FFDHE_2048: |
8121 | 0 | params = wc_Dh_ffdhe2048_Get(); |
8122 | 0 | pvtSz = 29; |
8123 | 0 | break; |
8124 | 0 | #endif |
8125 | | #ifdef HAVE_FFDHE_3072 |
8126 | | case WOLFSSL_FFDHE_3072: |
8127 | | params = wc_Dh_ffdhe3072_Get(); |
8128 | | pvtSz = 34; |
8129 | | break; |
8130 | | #endif |
8131 | | #ifdef HAVE_FFDHE_4096 |
8132 | | case WOLFSSL_FFDHE_4096: |
8133 | | params = wc_Dh_ffdhe4096_Get(); |
8134 | | pvtSz = 39; |
8135 | | break; |
8136 | | #endif |
8137 | | #ifdef HAVE_FFDHE_6144 |
8138 | | case WOLFSSL_FFDHE_6144: |
8139 | | params = wc_Dh_ffdhe6144_Get(); |
8140 | | pvtSz = 46; |
8141 | | break; |
8142 | | #endif |
8143 | | #ifdef HAVE_FFDHE_8192 |
8144 | | case WOLFSSL_FFDHE_8192: |
8145 | | params = wc_Dh_ffdhe8192_Get(); |
8146 | | pvtSz = 52; |
8147 | | break; |
8148 | | #endif |
8149 | 0 | default: |
8150 | 0 | break; |
8151 | 0 | } |
8152 | 0 | if (params == NULL) |
8153 | 0 | return BAD_FUNC_ARG; |
8154 | 0 | pSz = params->p_len; |
8155 | | #else |
8156 | | pvtSz = wc_DhGetNamedKeyMinSize(kse->group); |
8157 | | if (pvtSz == 0) { |
8158 | | return BAD_FUNC_ARG; |
8159 | | } |
8160 | | ret = wc_DhGetNamedKeyParamSize(kse->group, &pSz, NULL, NULL); |
8161 | | if (ret != 0) { |
8162 | | return BAD_FUNC_ARG; |
8163 | | } |
8164 | | #endif |
8165 | | |
8166 | | /* Trigger Key Generation */ |
8167 | 0 | if (kse->pubKey == NULL || kse->privKey == NULL) { |
8168 | 0 | if (kse->key == NULL) { |
8169 | 0 | kse->key = (DhKey*)XMALLOC(sizeof(DhKey), ssl->heap, |
8170 | 0 | DYNAMIC_TYPE_DH); |
8171 | 0 | if (kse->key == NULL) |
8172 | 0 | return MEMORY_E; |
8173 | | |
8174 | | /* Setup Key */ |
8175 | 0 | ret = wc_InitDhKey_ex((DhKey*)kse->key, ssl->heap, ssl->devId); |
8176 | 0 | if (ret == 0) { |
8177 | 0 | dhKey = (DhKey*)kse->key; |
8178 | 0 | #ifdef HAVE_PUBLIC_FFDHE |
8179 | 0 | ret = wc_DhSetKey(dhKey, params->p, params->p_len, params->g, |
8180 | 0 | params->g_len); |
8181 | | #else |
8182 | | ret = wc_DhSetNamedKey(dhKey, kse->group); |
8183 | | #endif |
8184 | 0 | } |
8185 | | #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
8186 | | defined(WC_ASYNC_ENABLE_DH) |
8187 | | /* Only set non-blocking context when async device is active. With |
8188 | | * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so |
8189 | | * skip non-blocking setup and use blocking mode instead. */ |
8190 | | if (ret == 0 && ssl->devId != INVALID_DEVID) { |
8191 | | DhNb* dhNb = (DhNb*)XMALLOC(sizeof(DhNb), ssl->heap, |
8192 | | DYNAMIC_TYPE_TMP_BUFFER); |
8193 | | if (dhNb == NULL) { |
8194 | | ret = MEMORY_E; |
8195 | | } |
8196 | | else { |
8197 | | ret = wc_DhSetNonBlock((DhKey*)kse->key, dhNb); |
8198 | | if (ret != 0) { |
8199 | | XFREE(dhNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
8200 | | } |
8201 | | } |
8202 | | } |
8203 | | #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW && |
8204 | | WC_ASYNC_ENABLE_DH */ |
8205 | 0 | } |
8206 | | |
8207 | | /* Allocate space for the private and public key */ |
8208 | 0 | if (ret == 0 && kse->pubKey == NULL) { |
8209 | 0 | kse->pubKey = (byte*)XMALLOC(pSz, ssl->heap, |
8210 | 0 | DYNAMIC_TYPE_PUBLIC_KEY); |
8211 | 0 | if (kse->pubKey == NULL) |
8212 | 0 | ret = MEMORY_E; |
8213 | 0 | } |
8214 | |
|
8215 | 0 | if (ret == 0 && kse->privKey == NULL) { |
8216 | 0 | kse->privKey = (byte*)XMALLOC(pvtSz, ssl->heap, |
8217 | 0 | DYNAMIC_TYPE_PRIVATE_KEY); |
8218 | 0 | if (kse->privKey == NULL) |
8219 | 0 | ret = MEMORY_E; |
8220 | 0 | } |
8221 | |
|
8222 | 0 | if (ret == 0) { |
8223 | | #if defined(WOLFSSL_STATIC_EPHEMERAL) && defined(WOLFSSL_DH_EXTRA) |
8224 | | ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_DH, kse->key); |
8225 | | kse->pubKeyLen = pSz; |
8226 | | kse->keyLen = pvtSz; |
8227 | | if (ret == 0) { |
8228 | | ret = wc_DhExportKeyPair(dhKey, |
8229 | | (byte*)kse->privKey, &kse->keyLen, /* private */ |
8230 | | kse->pubKey, &kse->pubKeyLen /* public */ |
8231 | | ); |
8232 | | } |
8233 | | else |
8234 | | #endif |
8235 | 0 | { |
8236 | | /* Generate a new key pair */ |
8237 | | /* For async this is called once and when event is done, the |
8238 | | * provided buffers will be populated. |
8239 | | * Final processing is zero pad below. */ |
8240 | 0 | kse->pubKeyLen = pSz; |
8241 | 0 | kse->keyLen = pvtSz; |
8242 | 0 | ret = DhGenKeyPair(ssl, dhKey, |
8243 | 0 | (byte*)kse->privKey, &kse->keyLen, /* private */ |
8244 | 0 | kse->pubKey, &kse->pubKeyLen /* public */ |
8245 | 0 | ); |
8246 | | #ifdef WOLFSSL_ASYNC_CRYPT |
8247 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
8248 | | return ret; |
8249 | | } |
8250 | | #endif |
8251 | 0 | } |
8252 | 0 | } |
8253 | 0 | } |
8254 | | |
8255 | 0 | if (ret == 0) { |
8256 | 0 | if (pSz != kse->pubKeyLen) { |
8257 | | /* Zero pad the front of the public key to match prime "p" size */ |
8258 | 0 | XMEMMOVE(kse->pubKey + pSz - kse->pubKeyLen, kse->pubKey, |
8259 | 0 | kse->pubKeyLen); |
8260 | 0 | XMEMSET(kse->pubKey, 0, pSz - kse->pubKeyLen); |
8261 | 0 | kse->pubKeyLen = pSz; |
8262 | 0 | } |
8263 | |
|
8264 | 0 | if (pvtSz != kse->keyLen) { |
8265 | | /* Zero pad the front of the private key */ |
8266 | 0 | XMEMMOVE(kse->privKey + pvtSz - kse->keyLen, kse->privKey, |
8267 | 0 | kse->keyLen); |
8268 | 0 | XMEMSET(kse->privKey, 0, pvtSz - kse->keyLen); |
8269 | 0 | kse->keyLen = pvtSz; |
8270 | 0 | } |
8271 | |
|
8272 | | #ifdef WOLFSSL_DEBUG_TLS |
8273 | | WOLFSSL_MSG("Public DH Key"); |
8274 | | WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen); |
8275 | | #endif |
8276 | 0 | } |
8277 | | |
8278 | | /* Always release the DH key to free up memory. |
8279 | | * The DhKey will be setup again in TLSX_KeyShare_ProcessDh */ |
8280 | 0 | if (dhKey != NULL) { |
8281 | | #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
8282 | | defined(WC_ASYNC_ENABLE_DH) |
8283 | | if (dhKey->nb != NULL) { |
8284 | | XFREE(dhKey->nb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
8285 | | dhKey->nb = NULL; |
8286 | | } |
8287 | | #endif |
8288 | 0 | wc_FreeDhKey(dhKey); |
8289 | 0 | } |
8290 | 0 | XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_DH); |
8291 | 0 | kse->key = NULL; |
8292 | |
|
8293 | 0 | if (ret != 0) { |
8294 | | /* Cleanup on error, otherwise data owned by key share entry */ |
8295 | 0 | if (kse->privKey) { |
8296 | 0 | ForceZero(kse->privKey, pvtSz); |
8297 | 0 | XFREE(kse->privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
8298 | 0 | kse->privKey = NULL; |
8299 | 0 | } |
8300 | 0 | XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
8301 | 0 | kse->pubKey = NULL; |
8302 | 0 | } |
8303 | | #else |
8304 | | (void)ssl; |
8305 | | (void)kse; |
8306 | | |
8307 | | ret = NOT_COMPILED_IN; |
8308 | | WOLFSSL_ERROR_VERBOSE(ret); |
8309 | | #endif |
8310 | |
|
8311 | 0 | return ret; |
8312 | 0 | } |
8313 | | |
8314 | | /* Create a key share entry using X25519 parameters group. |
8315 | | * Generates a key pair. |
8316 | | * |
8317 | | * ssl The SSL/TLS object. |
8318 | | * kse The key share entry object. |
8319 | | * returns 0 on success, otherwise failure. |
8320 | | */ |
8321 | | static int TLSX_KeyShare_GenX25519Key(WOLFSSL *ssl, KeyShareEntry* kse) |
8322 | 0 | { |
8323 | 0 | int ret = 0; |
8324 | | #ifdef HAVE_CURVE25519 |
8325 | | curve25519_key* key = (curve25519_key*)kse->key; |
8326 | | |
8327 | | if (kse->key == NULL) { |
8328 | | /* Allocate a Curve25519 key to hold private key. */ |
8329 | | kse->key = (curve25519_key*)XMALLOC(sizeof(curve25519_key), ssl->heap, |
8330 | | DYNAMIC_TYPE_PRIVATE_KEY); |
8331 | | if (kse->key == NULL) { |
8332 | | WOLFSSL_MSG("GenX25519Key memory error"); |
8333 | | return MEMORY_E; |
8334 | | } |
8335 | | |
8336 | | /* Make an Curve25519 key. */ |
8337 | | ret = wc_curve25519_init_ex((curve25519_key*)kse->key, ssl->heap, |
8338 | | ssl->devId); |
8339 | | if (ret == 0) { |
8340 | | /* setting "key" means okay to call wc_curve25519_free */ |
8341 | | key = (curve25519_key*)kse->key; |
8342 | | kse->keyLen = CURVE25519_KEYSIZE; |
8343 | | } |
8344 | | #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
8345 | | defined(WC_ASYNC_ENABLE_X25519) |
8346 | | /* Only set non-blocking context when async device is active. With |
8347 | | * INVALID_DEVID there is no async loop to retry on FP_WOULDBLOCK, so |
8348 | | * skip non-blocking setup and use blocking mode instead. */ |
8349 | | if (ret == 0 && ssl->devId != INVALID_DEVID) { |
8350 | | x25519_nb_ctx_t* nb_ctx = (x25519_nb_ctx_t*)XMALLOC( |
8351 | | sizeof(x25519_nb_ctx_t), ssl->heap, |
8352 | | DYNAMIC_TYPE_TMP_BUFFER); |
8353 | | if (nb_ctx == NULL) { |
8354 | | ret = MEMORY_E; |
8355 | | } |
8356 | | else { |
8357 | | ret = wc_curve25519_set_nonblock(key, nb_ctx); |
8358 | | if (ret != 0) { |
8359 | | XFREE(nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
8360 | | } |
8361 | | } |
8362 | | } |
8363 | | #endif /* WC_X25519_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW && |
8364 | | WC_ASYNC_ENABLE_X25519 */ |
8365 | | if (ret == 0) { |
8366 | | #ifdef WOLFSSL_STATIC_EPHEMERAL |
8367 | | ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_CURVE25519, kse->key); |
8368 | | if (ret != 0) /* on failure, fallback to local key generation */ |
8369 | | #endif |
8370 | | { |
8371 | | #ifdef WOLFSSL_ASYNC_CRYPT |
8372 | | /* initialize event */ |
8373 | | ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, |
8374 | | WC_ASYNC_FLAG_NONE); |
8375 | | if (ret != 0) |
8376 | | return ret; |
8377 | | #endif |
8378 | | ret = wc_curve25519_make_key(ssl->rng, CURVE25519_KEYSIZE, key); |
8379 | | |
8380 | | /* Handle async pending response */ |
8381 | | #ifdef WOLFSSL_ASYNC_CRYPT |
8382 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
8383 | | return wolfSSL_AsyncPush(ssl, &key->asyncDev); |
8384 | | } |
8385 | | #endif /* WOLFSSL_ASYNC_CRYPT */ |
8386 | | } |
8387 | | } |
8388 | | } |
8389 | | |
8390 | | if (ret == 0 && kse->pubKey == NULL) { |
8391 | | /* Allocate space for the public key. */ |
8392 | | kse->pubKey = (byte*)XMALLOC(CURVE25519_KEYSIZE, ssl->heap, |
8393 | | DYNAMIC_TYPE_PUBLIC_KEY); |
8394 | | if (kse->pubKey == NULL) { |
8395 | | WOLFSSL_MSG("GenX25519Key pub memory error"); |
8396 | | ret = MEMORY_E; |
8397 | | } |
8398 | | } |
8399 | | |
8400 | | if (ret == 0) { |
8401 | | /* Export Curve25519 public key. */ |
8402 | | kse->pubKeyLen = CURVE25519_KEYSIZE; |
8403 | | if (wc_curve25519_export_public_ex(key, kse->pubKey, &kse->pubKeyLen, |
8404 | | EC25519_LITTLE_ENDIAN) != 0) { |
8405 | | ret = ECC_EXPORT_ERROR; |
8406 | | WOLFSSL_ERROR_VERBOSE(ret); |
8407 | | } |
8408 | | kse->pubKeyLen = CURVE25519_KEYSIZE; /* always CURVE25519_KEYSIZE */ |
8409 | | } |
8410 | | |
8411 | | #ifdef WOLFSSL_DEBUG_TLS |
8412 | | if (ret == 0) { |
8413 | | WOLFSSL_MSG("Public Curve25519 Key"); |
8414 | | WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen); |
8415 | | } |
8416 | | #endif |
8417 | | |
8418 | | if (ret != 0) { |
8419 | | /* Data owned by key share entry otherwise. */ |
8420 | | XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
8421 | | kse->pubKey = NULL; |
8422 | | if (key != NULL) { |
8423 | | #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) |
8424 | | if (key->nb_ctx != NULL) { |
8425 | | XFREE(key->nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
8426 | | } |
8427 | | #endif |
8428 | | wc_curve25519_free(key); |
8429 | | } |
8430 | | XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
8431 | | kse->key = NULL; |
8432 | | } |
8433 | | #else |
8434 | 0 | (void)ssl; |
8435 | 0 | (void)kse; |
8436 | |
|
8437 | 0 | ret = NOT_COMPILED_IN; |
8438 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
8439 | 0 | #endif /* HAVE_CURVE25519 */ |
8440 | |
|
8441 | 0 | return ret; |
8442 | 0 | } |
8443 | | |
8444 | | /* Create a key share entry using X448 parameters group. |
8445 | | * Generates a key pair. |
8446 | | * |
8447 | | * ssl The SSL/TLS object. |
8448 | | * kse The key share entry object. |
8449 | | * returns 0 on success, otherwise failure. |
8450 | | */ |
8451 | | static int TLSX_KeyShare_GenX448Key(WOLFSSL *ssl, KeyShareEntry* kse) |
8452 | 0 | { |
8453 | 0 | int ret = 0; |
8454 | | #ifdef HAVE_CURVE448 |
8455 | | curve448_key* key = (curve448_key*)kse->key; |
8456 | | |
8457 | | if (kse->key == NULL) { |
8458 | | /* Allocate a Curve448 key to hold private key. */ |
8459 | | kse->key = (curve448_key*)XMALLOC(sizeof(curve448_key), ssl->heap, |
8460 | | DYNAMIC_TYPE_PRIVATE_KEY); |
8461 | | if (kse->key == NULL) { |
8462 | | WOLFSSL_MSG("GenX448Key memory error"); |
8463 | | return MEMORY_E; |
8464 | | } |
8465 | | |
8466 | | /* Make an Curve448 key. */ |
8467 | | ret = wc_curve448_init((curve448_key*)kse->key); |
8468 | | if (ret == 0) { |
8469 | | key = (curve448_key*)kse->key; |
8470 | | kse->keyLen = CURVE448_KEY_SIZE; |
8471 | | |
8472 | | #ifdef WOLFSSL_STATIC_EPHEMERAL |
8473 | | ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_CURVE448, kse->key); |
8474 | | if (ret != 0) |
8475 | | #endif |
8476 | | { |
8477 | | ret = wc_curve448_make_key(ssl->rng, CURVE448_KEY_SIZE, key); |
8478 | | } |
8479 | | } |
8480 | | } |
8481 | | |
8482 | | if (ret == 0 && kse->pubKey == NULL) { |
8483 | | /* Allocate space for the public key. */ |
8484 | | kse->pubKey = (byte*)XMALLOC(CURVE448_KEY_SIZE, ssl->heap, |
8485 | | DYNAMIC_TYPE_PUBLIC_KEY); |
8486 | | if (kse->pubKey == NULL) { |
8487 | | WOLFSSL_MSG("GenX448Key pub memory error"); |
8488 | | ret = MEMORY_E; |
8489 | | } |
8490 | | } |
8491 | | |
8492 | | if (ret == 0) { |
8493 | | /* Export Curve448 public key. */ |
8494 | | kse->pubKeyLen = CURVE448_KEY_SIZE; |
8495 | | if (wc_curve448_export_public_ex(key, kse->pubKey, &kse->pubKeyLen, |
8496 | | EC448_LITTLE_ENDIAN) != 0) { |
8497 | | ret = ECC_EXPORT_ERROR; |
8498 | | } |
8499 | | kse->pubKeyLen = CURVE448_KEY_SIZE; /* always CURVE448_KEY_SIZE */ |
8500 | | } |
8501 | | |
8502 | | #ifdef WOLFSSL_DEBUG_TLS |
8503 | | if (ret == 0) { |
8504 | | WOLFSSL_MSG("Public Curve448 Key"); |
8505 | | WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen); |
8506 | | } |
8507 | | #endif |
8508 | | |
8509 | | if (ret != 0) { |
8510 | | /* Data owned by key share entry otherwise. */ |
8511 | | XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
8512 | | kse->pubKey = NULL; |
8513 | | if (key != NULL) |
8514 | | wc_curve448_free(key); |
8515 | | XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
8516 | | kse->key = NULL; |
8517 | | } |
8518 | | #else |
8519 | 0 | (void)ssl; |
8520 | 0 | (void)kse; |
8521 | |
|
8522 | 0 | ret = NOT_COMPILED_IN; |
8523 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
8524 | 0 | #endif /* HAVE_CURVE448 */ |
8525 | |
|
8526 | 0 | return ret; |
8527 | 0 | } |
8528 | | |
8529 | | /* Create a key share entry using named elliptic curve parameters group. |
8530 | | * Generates a key pair. |
8531 | | * |
8532 | | * ssl The SSL/TLS object. |
8533 | | * kse The key share entry object. |
8534 | | * returns 0 on success, otherwise failure. |
8535 | | */ |
8536 | | static int TLSX_KeyShare_GenEccKey(WOLFSSL *ssl, KeyShareEntry* kse) |
8537 | 0 | { |
8538 | 0 | int ret = 0; |
8539 | 0 | #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT) |
8540 | 0 | word32 keySize = 0; |
8541 | 0 | word16 curveId = (word16) ECC_CURVE_INVALID; |
8542 | 0 | ecc_key* eccKey = (ecc_key*)kse->key; |
8543 | | |
8544 | | /* Translate named group to a curve id. */ |
8545 | 0 | switch (kse->group) { |
8546 | 0 | #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 |
8547 | 0 | #ifndef NO_ECC_SECP |
8548 | 0 | case WOLFSSL_ECC_SECP256R1: |
8549 | 0 | curveId = ECC_SECP256R1; |
8550 | 0 | break; |
8551 | 0 | #endif /* !NO_ECC_SECP */ |
8552 | | #ifdef WOLFSSL_SM2 |
8553 | | case WOLFSSL_ECC_SM2P256V1: |
8554 | | curveId = ECC_SM2P256V1; |
8555 | | break; |
8556 | | #endif /* !WOLFSSL_SM2 */ |
8557 | | #ifdef HAVE_ECC_BRAINPOOL |
8558 | | case WOLFSSL_ECC_BRAINPOOLP256R1TLS13: |
8559 | | curveId = ECC_BRAINPOOLP256R1; |
8560 | | break; |
8561 | | #endif /* HAVE_ECC_BRAINPOOL */ |
8562 | 0 | #endif |
8563 | 0 | #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 |
8564 | 0 | #ifndef NO_ECC_SECP |
8565 | 0 | case WOLFSSL_ECC_SECP384R1: |
8566 | 0 | curveId = ECC_SECP384R1; |
8567 | 0 | break; |
8568 | 0 | #endif /* !NO_ECC_SECP */ |
8569 | | #ifdef HAVE_ECC_BRAINPOOL |
8570 | | case WOLFSSL_ECC_BRAINPOOLP384R1TLS13: |
8571 | | curveId = ECC_BRAINPOOLP384R1; |
8572 | | break; |
8573 | | #endif /* HAVE_ECC_BRAINPOOL */ |
8574 | 0 | #endif |
8575 | 0 | #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512 |
8576 | | #ifdef HAVE_ECC_BRAINPOOL |
8577 | | case WOLFSSL_ECC_BRAINPOOLP512R1TLS13: |
8578 | | curveId = ECC_BRAINPOOLP512R1; |
8579 | | break; |
8580 | | #endif /* HAVE_ECC_BRAINPOOL */ |
8581 | 0 | #endif |
8582 | 0 | #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 |
8583 | 0 | #ifndef NO_ECC_SECP |
8584 | 0 | case WOLFSSL_ECC_SECP521R1: |
8585 | 0 | curveId = ECC_SECP521R1; |
8586 | 0 | break; |
8587 | 0 | #endif /* !NO_ECC_SECP */ |
8588 | 0 | #endif |
8589 | 0 | default: |
8590 | 0 | WOLFSSL_ERROR_VERBOSE(BAD_FUNC_ARG); |
8591 | 0 | return BAD_FUNC_ARG; |
8592 | 0 | } |
8593 | | |
8594 | 0 | { |
8595 | 0 | int size = wc_ecc_get_curve_size_from_id(curveId); |
8596 | 0 | if (size < 0) { |
8597 | 0 | WOLFSSL_ERROR_VERBOSE(size); |
8598 | 0 | return size; |
8599 | 0 | } |
8600 | 0 | keySize = (word32)size; |
8601 | 0 | } |
8602 | | |
8603 | 0 | if (kse->key == NULL) { |
8604 | | /* Allocate an ECC key to hold private key. */ |
8605 | 0 | kse->key = (byte*)XMALLOC(sizeof(ecc_key), ssl->heap, DYNAMIC_TYPE_ECC); |
8606 | 0 | if (kse->key == NULL) { |
8607 | 0 | WOLFSSL_MSG_EX("Failed to allocate %d bytes, ssl->heap: %p", |
8608 | 0 | (int)sizeof(ecc_key), (wc_ptr_t)ssl->heap); |
8609 | 0 | WOLFSSL_MSG("EccTempKey Memory error!"); |
8610 | 0 | return MEMORY_E; |
8611 | 0 | } |
8612 | | |
8613 | | /* Initialize an ECC key struct for the ephemeral key */ |
8614 | 0 | ret = wc_ecc_init_ex((ecc_key*)kse->key, ssl->heap, ssl->devId); |
8615 | |
|
8616 | | #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
8617 | | defined(WC_ASYNC_ENABLE_ECC) |
8618 | | /* Only set non-blocking context when async device is active. With |
8619 | | * INVALID_DEVID there is no async loop to retry on FP_WOULDBLOCK, so |
8620 | | * skip non-blocking setup and use blocking mode instead. */ |
8621 | | if (ret == 0 && ssl->devId != INVALID_DEVID) { |
8622 | | ecc_nb_ctx_t* eccNbCtx = (ecc_nb_ctx_t*)XMALLOC( |
8623 | | sizeof(ecc_nb_ctx_t), ssl->heap, |
8624 | | DYNAMIC_TYPE_TMP_BUFFER); |
8625 | | if (eccNbCtx == NULL) { |
8626 | | ret = MEMORY_E; |
8627 | | } |
8628 | | else { |
8629 | | ret = wc_ecc_set_nonblock((ecc_key*)kse->key, eccNbCtx); |
8630 | | if (ret != 0) { |
8631 | | XFREE(eccNbCtx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
8632 | | } |
8633 | | } |
8634 | | } |
8635 | | #endif /* WC_ECC_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW && |
8636 | | WC_ASYNC_ENABLE_ECC */ |
8637 | |
|
8638 | 0 | if (ret == 0) { |
8639 | 0 | kse->keyLen = keySize; |
8640 | 0 | kse->pubKeyLen = keySize * 2 + 1; |
8641 | |
|
8642 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
8643 | | ret = tsip_Tls13GenEccKeyPair(ssl, kse); |
8644 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { |
8645 | | return ret; |
8646 | | } |
8647 | | #endif |
8648 | | /* setting eccKey means okay to call wc_ecc_free */ |
8649 | 0 | eccKey = (ecc_key*)kse->key; |
8650 | |
|
8651 | | #ifdef WOLFSSL_STATIC_EPHEMERAL |
8652 | | ret = wolfSSL_StaticEphemeralKeyLoad(ssl, WC_PK_TYPE_ECDH, kse->key); |
8653 | | if (ret != 0 || eccKey->dp->id != curveId) |
8654 | | #endif |
8655 | 0 | { |
8656 | | /* set curve info for EccMakeKey "peer" info */ |
8657 | 0 | ret = wc_ecc_set_curve(eccKey, (int)kse->keyLen, curveId); |
8658 | 0 | if (ret == 0) { |
8659 | | #ifdef WOLFSSL_ASYNC_CRYPT |
8660 | | /* Detect when private key generation is done */ |
8661 | | if (ssl->error == WC_NO_ERR_TRACE(WC_PENDING_E) && |
8662 | | eccKey->type == ECC_PRIVATEKEY) { |
8663 | | ret = 0; /* ECC Key Generation is done */ |
8664 | | } |
8665 | | else |
8666 | | #endif |
8667 | 0 | { |
8668 | | /* Generate ephemeral ECC key */ |
8669 | | /* For async this is called once and when event is done, the |
8670 | | * provided buffers in key be populated. |
8671 | | * Final processing is x963 key export below. */ |
8672 | 0 | ret = EccMakeKey(ssl, eccKey, eccKey); |
8673 | 0 | } |
8674 | 0 | } |
8675 | | #ifdef WOLFSSL_ASYNC_CRYPT |
8676 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) |
8677 | | return ret; |
8678 | | #endif |
8679 | 0 | } |
8680 | 0 | } |
8681 | 0 | } |
8682 | | |
8683 | 0 | if (ret == 0 && kse->pubKey == NULL) { |
8684 | | /* Allocate space for the public key */ |
8685 | 0 | kse->pubKey = (byte*)XMALLOC(kse->pubKeyLen, ssl->heap, |
8686 | 0 | DYNAMIC_TYPE_PUBLIC_KEY); |
8687 | 0 | if (kse->pubKey == NULL) { |
8688 | 0 | WOLFSSL_MSG("Key data Memory error"); |
8689 | 0 | ret = MEMORY_E; |
8690 | 0 | } |
8691 | 0 | } |
8692 | |
|
8693 | 0 | if (ret == 0) { |
8694 | 0 | XMEMSET(kse->pubKey, 0, kse->pubKeyLen); |
8695 | | |
8696 | | /* Export public key. */ |
8697 | 0 | PRIVATE_KEY_UNLOCK(); |
8698 | 0 | if (wc_ecc_export_x963(eccKey, kse->pubKey, &kse->pubKeyLen) != 0) { |
8699 | 0 | ret = ECC_EXPORT_ERROR; |
8700 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
8701 | 0 | } |
8702 | 0 | PRIVATE_KEY_LOCK(); |
8703 | 0 | } |
8704 | | #ifdef WOLFSSL_DEBUG_TLS |
8705 | | if (ret == 0) { |
8706 | | WOLFSSL_MSG("Public ECC Key"); |
8707 | | WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen); |
8708 | | } |
8709 | | #endif |
8710 | |
|
8711 | 0 | if (ret != 0) { |
8712 | | /* Cleanup on error, otherwise data owned by key share entry */ |
8713 | 0 | XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
8714 | 0 | kse->pubKey = NULL; |
8715 | 0 | if (eccKey != NULL) { |
8716 | | #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
8717 | | defined(WC_ASYNC_ENABLE_ECC) |
8718 | | if (eccKey->nb_ctx != NULL) { |
8719 | | XFREE(eccKey->nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
8720 | | } |
8721 | | #endif |
8722 | 0 | wc_ecc_free(eccKey); |
8723 | 0 | } |
8724 | 0 | XFREE(kse->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
8725 | 0 | kse->key = NULL; |
8726 | 0 | } |
8727 | | #else |
8728 | | (void)ssl; |
8729 | | (void)kse; |
8730 | | |
8731 | | ret = NOT_COMPILED_IN; |
8732 | | WOLFSSL_ERROR_VERBOSE(ret); |
8733 | | #endif /* HAVE_ECC && HAVE_ECC_KEY_EXPORT */ |
8734 | |
|
8735 | 0 | return ret; |
8736 | 0 | } |
8737 | | |
8738 | | #ifdef WOLFSSL_HAVE_MLKEM |
8739 | | #if (defined(WOLFSSL_MLKEM_CACHE_A) || \ |
8740 | | (defined(HAVE_PKCS11) && !defined(NO_PKCS11_MLKEM))) && \ |
8741 | | !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY) |
8742 | | /* Store MlKemKey object rather than private key bytes in key share entry. |
8743 | | * Improves performance at cost of more dynamic memory being used. */ |
8744 | | #define WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
8745 | | #endif |
8746 | | #if defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY) && \ |
8747 | | defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ) |
8748 | | #error "Choose WOLFSSL_TLSX_PQC_MLKEM_STORE_PRIV_KEY or " |
8749 | | "WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ" |
8750 | | #endif |
8751 | | |
8752 | | #if (!defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \ |
8753 | | !defined(WOLFSSL_MLKEM_NO_DECAPSULATE)) || \ |
8754 | | !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) || \ |
8755 | | (!defined(WOLFSSL_MLKEM_NO_DECAPSULATE) && \ |
8756 | | !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ)) |
8757 | | static int mlkem_id2type(int id, int *type) |
8758 | 0 | { |
8759 | 0 | int ret = 0; |
8760 | |
|
8761 | 0 | switch (id) { |
8762 | 0 | #ifndef WOLFSSL_NO_ML_KEM |
8763 | 0 | #ifndef WOLFSSL_NO_ML_KEM_512 |
8764 | 0 | case WOLFSSL_ML_KEM_512: |
8765 | 0 | *type = WC_ML_KEM_512; |
8766 | 0 | break; |
8767 | 0 | #endif |
8768 | 0 | #ifndef WOLFSSL_NO_ML_KEM_768 |
8769 | 0 | case WOLFSSL_ML_KEM_768: |
8770 | 0 | *type = WC_ML_KEM_768; |
8771 | 0 | break; |
8772 | 0 | #endif |
8773 | 0 | #ifndef WOLFSSL_NO_ML_KEM_1024 |
8774 | 0 | case WOLFSSL_ML_KEM_1024: |
8775 | 0 | *type = WC_ML_KEM_1024; |
8776 | 0 | break; |
8777 | 0 | #endif |
8778 | 0 | #endif |
8779 | | #ifdef WOLFSSL_MLKEM_KYBER |
8780 | | #ifdef WOLFSSL_KYBER512 |
8781 | | case WOLFSSL_KYBER_LEVEL1: |
8782 | | *type = KYBER512; |
8783 | | break; |
8784 | | #endif |
8785 | | #ifdef WOLFSSL_KYBER768 |
8786 | | case WOLFSSL_KYBER_LEVEL3: |
8787 | | *type = KYBER768; |
8788 | | break; |
8789 | | #endif |
8790 | | #ifdef WOLFSSL_KYBER1024 |
8791 | | case WOLFSSL_KYBER_LEVEL5: |
8792 | | *type = KYBER1024; |
8793 | | break; |
8794 | | #endif |
8795 | | #endif |
8796 | 0 | default: |
8797 | 0 | ret = NOT_COMPILED_IN; |
8798 | 0 | break; |
8799 | 0 | } |
8800 | | |
8801 | 0 | return ret; |
8802 | 0 | } |
8803 | | #endif |
8804 | | |
8805 | | #if defined(WOLFSSL_NO_ML_KEM_768) && defined(WOLFSSL_NO_ML_KEM_1024) && \ |
8806 | | defined(WOLFSSL_PQC_HYBRIDS) |
8807 | | #error "PQC hybrid combinations require either ML-KEM 768 or ML-KEM 1024" |
8808 | | #endif |
8809 | | |
8810 | | /* Structures and objects needed for hybrid key exchanges using both classic |
8811 | | * ECDHE and PQC KEM key material. */ |
8812 | | typedef struct PqcHybridMapping { |
8813 | | int hybrid; |
8814 | | int ecc; |
8815 | | int pqc; |
8816 | | int pqc_first; |
8817 | | } PqcHybridMapping; |
8818 | | |
8819 | | static const PqcHybridMapping pqc_hybrid_mapping[] = { |
8820 | | #ifndef WOLFSSL_NO_ML_KEM |
8821 | | #ifdef WOLFSSL_PQC_HYBRIDS |
8822 | | {WOLFSSL_SECP256R1MLKEM768, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_768, 0}, |
8823 | | {WOLFSSL_SECP384R1MLKEM1024, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_1024, 0}, |
8824 | | #endif /* WOLFSSL_PQC_HYBRIDS */ |
8825 | | #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS |
8826 | | {WOLFSSL_SECP256R1MLKEM512, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_512, 0}, |
8827 | | {WOLFSSL_SECP384R1MLKEM768, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_768, 0}, |
8828 | | {WOLFSSL_SECP521R1MLKEM1024, WOLFSSL_ECC_SECP521R1, WOLFSSL_ML_KEM_1024, 0}, |
8829 | | #ifdef WOLFSSL_ML_KEM_USE_OLD_IDS |
8830 | | {WOLFSSL_P256_ML_KEM_512_OLD, WOLFSSL_ECC_SECP256R1, WOLFSSL_ML_KEM_512, 0}, |
8831 | | {WOLFSSL_P384_ML_KEM_768_OLD, WOLFSSL_ECC_SECP384R1, WOLFSSL_ML_KEM_768, 0}, |
8832 | | {WOLFSSL_P521_ML_KEM_1024_OLD, WOLFSSL_ECC_SECP521R1, WOLFSSL_ML_KEM_1024, 0}, |
8833 | | #endif /* WOLFSSL_ML_KEM_USE_OLD_IDS */ |
8834 | | #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */ |
8835 | | #ifdef HAVE_CURVE25519 |
8836 | | #ifdef WOLFSSL_PQC_HYBRIDS |
8837 | | {WOLFSSL_X25519MLKEM768, WOLFSSL_ECC_X25519, WOLFSSL_ML_KEM_768, 1}, |
8838 | | #endif /* WOLFSSL_PQC_HYBRIDS */ |
8839 | | #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS |
8840 | | {WOLFSSL_X25519MLKEM512, WOLFSSL_ECC_X25519, WOLFSSL_ML_KEM_512, 1}, |
8841 | | #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */ |
8842 | | #endif /* HAVE_CURVE25519 */ |
8843 | | #ifdef HAVE_CURVE448 |
8844 | | #ifdef WOLFSSL_EXTRA_PQC_HYBRIDS |
8845 | | {WOLFSSL_X448MLKEM768, WOLFSSL_ECC_X448, WOLFSSL_ML_KEM_768, 1}, |
8846 | | #endif /* WOLFSSL_EXTRA_PQC_HYBRIDS */ |
8847 | | #endif /* HAVE_CURVE448 */ |
8848 | | #endif /* WOLFSSL_NO_ML_KEM */ |
8849 | | #ifdef WOLFSSL_MLKEM_KYBER |
8850 | | {WOLFSSL_P256_KYBER_LEVEL1, WOLFSSL_ECC_SECP256R1, WOLFSSL_KYBER_LEVEL1, 0}, |
8851 | | {WOLFSSL_P384_KYBER_LEVEL3, WOLFSSL_ECC_SECP384R1, WOLFSSL_KYBER_LEVEL3, 0}, |
8852 | | {WOLFSSL_P256_KYBER_LEVEL3, WOLFSSL_ECC_SECP256R1, WOLFSSL_KYBER_LEVEL3, 0}, |
8853 | | {WOLFSSL_P521_KYBER_LEVEL5, WOLFSSL_ECC_SECP521R1, WOLFSSL_KYBER_LEVEL5, 0}, |
8854 | | #ifdef HAVE_CURVE25519 |
8855 | | {WOLFSSL_X25519_KYBER_LEVEL1, WOLFSSL_ECC_X25519, WOLFSSL_KYBER_LEVEL1, 0}, |
8856 | | {WOLFSSL_X25519_KYBER_LEVEL3, WOLFSSL_ECC_X25519, WOLFSSL_KYBER_LEVEL3, 0}, |
8857 | | #endif |
8858 | | #ifdef HAVE_CURVE448 |
8859 | | {WOLFSSL_X448_KYBER_LEVEL3, WOLFSSL_ECC_X448, WOLFSSL_KYBER_LEVEL3, 0}, |
8860 | | #endif |
8861 | | #endif /* WOLFSSL_MLKEM_KYBER */ |
8862 | | {0, 0, 0, 0} |
8863 | | }; |
8864 | | |
8865 | | /* Map an ecc-pqc hybrid group into its ecc group and pqc kem group. */ |
8866 | | static void findEccPqc(int *ecc, int *pqc, int *pqc_first, int group) |
8867 | 0 | { |
8868 | 0 | int i; |
8869 | |
|
8870 | 0 | if (pqc != NULL) |
8871 | 0 | *pqc = 0; |
8872 | 0 | if (ecc != NULL) |
8873 | 0 | *ecc = 0; |
8874 | 0 | if (pqc_first != NULL) |
8875 | 0 | *pqc_first = 0; |
8876 | |
|
8877 | 0 | for (i = 0; pqc_hybrid_mapping[i].hybrid != 0; i++) { |
8878 | 0 | if (pqc_hybrid_mapping[i].hybrid == group) { |
8879 | 0 | if (pqc != NULL) |
8880 | 0 | *pqc = pqc_hybrid_mapping[i].pqc; |
8881 | 0 | if (ecc != NULL) |
8882 | 0 | *ecc = pqc_hybrid_mapping[i].ecc; |
8883 | 0 | if (pqc_first != NULL) |
8884 | 0 | *pqc_first = pqc_hybrid_mapping[i].pqc_first; |
8885 | 0 | break; |
8886 | 0 | } |
8887 | 0 | } |
8888 | 0 | } |
8889 | | |
8890 | | #if !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \ |
8891 | | !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) |
8892 | | /* Create a key share entry using pqc parameters group on the client side. |
8893 | | * Generates a key pair. |
8894 | | * |
8895 | | * ssl The SSL/TLS object. |
8896 | | * kse The key share entry object. |
8897 | | * returns 0 on success, otherwise failure. |
8898 | | */ |
8899 | | static int TLSX_KeyShare_GenPqcKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) |
8900 | 0 | { |
8901 | 0 | int ret = 0; |
8902 | 0 | int type = 0; |
8903 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
8904 | 0 | WC_DECLARE_VAR(kem, MlKemKey, 1, 0); |
8905 | 0 | byte* privKey = NULL; |
8906 | 0 | word32 privSz = 0; |
8907 | | #else |
8908 | | MlKemKey* kem = NULL; |
8909 | | #endif |
8910 | | |
8911 | | /* This gets called twice. Once during parsing of the key share and once |
8912 | | * during the population of the extension. No need to do work the second |
8913 | | * time. Just return success if its already been done. */ |
8914 | 0 | if (kse->pubKey != NULL) { |
8915 | 0 | return ret; |
8916 | 0 | } |
8917 | | |
8918 | | /* Get the type of key we need from the key share group. */ |
8919 | 0 | ret = mlkem_id2type(kse->group, &type); |
8920 | 0 | if (ret == WC_NO_ERR_TRACE(NOT_COMPILED_IN)) { |
8921 | 0 | WOLFSSL_MSG("Invalid ML-KEM algorithm specified."); |
8922 | 0 | ret = BAD_FUNC_ARG; |
8923 | 0 | } |
8924 | |
|
8925 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
8926 | |
|
8927 | | #ifdef WOLFSSL_SMALL_STACK |
8928 | | if (ret == 0) { |
8929 | | kem = (MlKemKey *)XMALLOC(sizeof(*kem), ssl->heap, |
8930 | | DYNAMIC_TYPE_PRIVATE_KEY); |
8931 | | if (kem == NULL) { |
8932 | | WOLFSSL_MSG("KEM memory allocation failure"); |
8933 | | ret = MEMORY_ERROR; |
8934 | | } |
8935 | | } |
8936 | | #endif /* WOLFSSL_SMALL_STACK */ |
8937 | |
|
8938 | 0 | if (ret == 0) { |
8939 | 0 | ret = wc_MlKemKey_Init(kem, type, ssl->heap, ssl->devId); |
8940 | 0 | if (ret != 0) { |
8941 | 0 | WOLFSSL_MSG("Failed to initialize ML-KEM Key."); |
8942 | 0 | } |
8943 | 0 | } |
8944 | |
|
8945 | 0 | if (ret == 0) { |
8946 | 0 | ret = wc_MlKemKey_PrivateKeySize(kem, &privSz); |
8947 | 0 | } |
8948 | 0 | if (ret == 0) { |
8949 | 0 | ret = wc_MlKemKey_PublicKeySize(kem, &kse->pubKeyLen); |
8950 | 0 | } |
8951 | |
|
8952 | 0 | if (ret == 0) { |
8953 | 0 | privKey = (byte*)XMALLOC(privSz, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
8954 | 0 | if (privKey == NULL) { |
8955 | 0 | WOLFSSL_MSG("privkey memory allocation failure"); |
8956 | 0 | ret = MEMORY_ERROR; |
8957 | 0 | } |
8958 | 0 | } |
8959 | | #else |
8960 | | if (ret == 0) { |
8961 | | /* Allocate an ML-KEM key to hold private key. */ |
8962 | | kem = (MlKemKey*)XMALLOC(sizeof(MlKemKey), ssl->heap, |
8963 | | DYNAMIC_TYPE_PRIVATE_KEY); |
8964 | | if (kem == NULL) { |
8965 | | WOLFSSL_MSG("KEM memory allocation failure"); |
8966 | | ret = MEMORY_ERROR; |
8967 | | } |
8968 | | } |
8969 | | if (ret == 0) { |
8970 | | ret = wc_MlKemKey_Init(kem, type, ssl->heap, ssl->devId); |
8971 | | if (ret != 0) { |
8972 | | WOLFSSL_MSG("Failed to initialize ML-KEM Key."); |
8973 | | } |
8974 | | } |
8975 | | if (ret == 0) { |
8976 | | ret = wc_MlKemKey_PublicKeySize(kem, &kse->pubKeyLen); |
8977 | | } |
8978 | | #endif |
8979 | |
|
8980 | 0 | if (ret == 0) { |
8981 | 0 | kse->pubKey = (byte*)XMALLOC(kse->pubKeyLen, ssl->heap, |
8982 | 0 | DYNAMIC_TYPE_PUBLIC_KEY); |
8983 | 0 | if (kse->pubKey == NULL) { |
8984 | 0 | WOLFSSL_MSG("pubkey memory allocation failure"); |
8985 | 0 | ret = MEMORY_ERROR; |
8986 | 0 | } |
8987 | 0 | } |
8988 | |
|
8989 | 0 | if (ret == 0) { |
8990 | 0 | ret = wc_MlKemKey_MakeKey(kem, ssl->rng); |
8991 | 0 | if (ret != 0) { |
8992 | 0 | WOLFSSL_MSG("ML-KEM keygen failure"); |
8993 | 0 | } |
8994 | 0 | } |
8995 | 0 | if (ret == 0) { |
8996 | 0 | ret = wc_MlKemKey_EncodePublicKey(kem, kse->pubKey, |
8997 | 0 | kse->pubKeyLen); |
8998 | 0 | } |
8999 | |
|
9000 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
9001 | 0 | if (ret == 0) { |
9002 | 0 | PRIVATE_KEY_UNLOCK(); |
9003 | 0 | ret = wc_MlKemKey_EncodePrivateKey(kem, privKey, privSz); |
9004 | 0 | PRIVATE_KEY_LOCK(); |
9005 | 0 | } |
9006 | 0 | #endif |
9007 | |
|
9008 | | #ifdef WOLFSSL_DEBUG_TLS |
9009 | | WOLFSSL_MSG("Public ML-KEM Key"); |
9010 | | WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen ); |
9011 | | #endif |
9012 | |
|
9013 | 0 | if (ret != 0) { |
9014 | | /* Data owned by key share entry otherwise. */ |
9015 | 0 | wc_MlKemKey_Free(kem); |
9016 | 0 | XFREE(kse->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
9017 | 0 | kse->pubKey = NULL; |
9018 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
9019 | 0 | if (privKey) { |
9020 | 0 | ForceZero(privKey, privSz); |
9021 | 0 | XFREE(privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
9022 | 0 | privKey = NULL; |
9023 | 0 | } |
9024 | | #else |
9025 | | XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
9026 | | kse->key = NULL; |
9027 | | #endif |
9028 | 0 | } |
9029 | 0 | else { |
9030 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
9031 | 0 | wc_MlKemKey_Free(kem); |
9032 | 0 | kse->privKey = (byte*)privKey; |
9033 | 0 | kse->privKeyLen = privSz; |
9034 | | #else |
9035 | | kse->key = kem; |
9036 | | #endif |
9037 | 0 | } |
9038 | |
|
9039 | | #if !defined(WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ) && \ |
9040 | | defined(WOLFSSL_SMALL_STACK) |
9041 | | XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
9042 | | #endif |
9043 | |
|
9044 | 0 | return ret; |
9045 | 0 | } |
9046 | | |
9047 | | /* Create a key share entry using both ecdhe and pqc parameters groups. |
9048 | | * Generates two key pairs on the client side. |
9049 | | * |
9050 | | * ssl The SSL/TLS object. |
9051 | | * kse The key share entry object. |
9052 | | * returns 0 on success, otherwise failure. |
9053 | | */ |
9054 | | static int TLSX_KeyShare_GenPqcHybridKeyClient(WOLFSSL *ssl, KeyShareEntry* kse) |
9055 | 0 | { |
9056 | 0 | int ret = 0; |
9057 | 0 | KeyShareEntry *ecc_kse = NULL; |
9058 | 0 | KeyShareEntry *pqc_kse = NULL; |
9059 | 0 | int pqc_group = 0; |
9060 | 0 | int ecc_group = 0; |
9061 | 0 | int pqc_first = 0; |
9062 | | |
9063 | | /* This gets called twice. Once during parsing of the key share and once |
9064 | | * during the population of the extension. No need to do work the second |
9065 | | * time. Just return success if its already been done. */ |
9066 | 0 | if (kse->pubKey != NULL) { |
9067 | 0 | return ret; |
9068 | 0 | } |
9069 | | |
9070 | | /* Determine the ECC and PQC group of the hybrid combination */ |
9071 | 0 | findEccPqc(&ecc_group, &pqc_group, &pqc_first, kse->group); |
9072 | 0 | if (ecc_group == 0 || pqc_group == 0) { |
9073 | 0 | WOLFSSL_MSG("Invalid hybrid group"); |
9074 | 0 | ret = BAD_FUNC_ARG; |
9075 | 0 | } |
9076 | |
|
9077 | 0 | if (ret == 0) { |
9078 | 0 | ecc_kse = (KeyShareEntry*)XMALLOC(sizeof(*ecc_kse), ssl->heap, |
9079 | 0 | DYNAMIC_TYPE_TLSX); |
9080 | 0 | if (ecc_kse == NULL) { |
9081 | 0 | WOLFSSL_MSG("kse memory allocation failure"); |
9082 | 0 | ret = MEMORY_ERROR; |
9083 | 0 | } |
9084 | 0 | else { |
9085 | 0 | XMEMSET(ecc_kse, 0, sizeof(*ecc_kse)); |
9086 | 0 | } |
9087 | 0 | } |
9088 | 0 | if (ret == 0) { |
9089 | 0 | pqc_kse = (KeyShareEntry*)XMALLOC(sizeof(*pqc_kse), ssl->heap, |
9090 | 0 | DYNAMIC_TYPE_TLSX); |
9091 | 0 | if (pqc_kse == NULL) { |
9092 | 0 | WOLFSSL_MSG("kse memory allocation failure"); |
9093 | 0 | ret = MEMORY_ERROR; |
9094 | 0 | } |
9095 | 0 | else { |
9096 | 0 | XMEMSET(pqc_kse, 0, sizeof(*pqc_kse)); |
9097 | 0 | } |
9098 | 0 | } |
9099 | | |
9100 | | /* Generate ECC key share part */ |
9101 | 0 | if (ret == 0) { |
9102 | 0 | ecc_kse->group = ecc_group; |
9103 | |
|
9104 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9105 | | /* Check if the provided kse already contains an ECC key and the |
9106 | | * last error was WC_PENDING_E. In this case, we already tried to |
9107 | | * generate an ECC key. Hence, we have to restore it. */ |
9108 | | if (kse->key != NULL && kse->keyLen > 0 && |
9109 | | kse->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
9110 | | ecc_kse->key = kse->key; |
9111 | | ecc_kse->keyLen = kse->keyLen; |
9112 | | ecc_kse->pubKeyLen = kse->pubKeyLen; |
9113 | | ecc_kse->lastRet = kse->lastRet; |
9114 | | kse->key = NULL; |
9115 | | } |
9116 | | #endif |
9117 | |
|
9118 | | #ifdef HAVE_CURVE25519 |
9119 | | if (ecc_group == WOLFSSL_ECC_X25519) { |
9120 | | ret = TLSX_KeyShare_GenX25519Key(ssl, ecc_kse); |
9121 | | } |
9122 | | else |
9123 | | #endif |
9124 | | #ifdef HAVE_CURVE448 |
9125 | | if (ecc_group == WOLFSSL_ECC_X448) { |
9126 | | ret = TLSX_KeyShare_GenX448Key(ssl, ecc_kse); |
9127 | | } |
9128 | | else |
9129 | | #endif |
9130 | 0 | { |
9131 | 0 | ret = TLSX_KeyShare_GenEccKey(ssl, ecc_kse); |
9132 | 0 | } |
9133 | |
|
9134 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9135 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
9136 | | /* Store the generated ECC key in the provided kse to later |
9137 | | * restore it.*/ |
9138 | | kse->key = ecc_kse->key; |
9139 | | kse->keyLen = ecc_kse->keyLen; |
9140 | | kse->pubKeyLen = ecc_kse->pubKeyLen; |
9141 | | ecc_kse->key = NULL; |
9142 | | } |
9143 | | #endif |
9144 | 0 | } |
9145 | | |
9146 | | /* Generate PQC key share part */ |
9147 | 0 | if (ret == 0) { |
9148 | 0 | pqc_kse->group = pqc_group; |
9149 | 0 | ret = TLSX_KeyShare_GenPqcKeyClient(ssl, pqc_kse); |
9150 | | /* No error message, TLSX_KeyShare_GenPqcKeyClient will do it. */ |
9151 | 0 | } |
9152 | | |
9153 | | /* Allocate memory for combined public key */ |
9154 | 0 | if (ret == 0) { |
9155 | 0 | kse->pubKey = (byte*)XMALLOC(ecc_kse->pubKeyLen + pqc_kse->pubKeyLen, |
9156 | 0 | ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
9157 | 0 | if (kse->pubKey == NULL) { |
9158 | 0 | WOLFSSL_MSG("pubkey memory allocation failure"); |
9159 | 0 | ret = MEMORY_ERROR; |
9160 | 0 | } |
9161 | 0 | } |
9162 | | |
9163 | | /* Create combined public key. The order of classic/pqc key material is |
9164 | | * indicated by the pqc_first variable. */ |
9165 | 0 | if (ret == 0) { |
9166 | 0 | if (pqc_first) { |
9167 | 0 | XMEMCPY(kse->pubKey, pqc_kse->pubKey, pqc_kse->pubKeyLen); |
9168 | 0 | XMEMCPY(kse->pubKey + pqc_kse->pubKeyLen, ecc_kse->pubKey, |
9169 | 0 | ecc_kse->pubKeyLen); |
9170 | 0 | } |
9171 | 0 | else { |
9172 | 0 | XMEMCPY(kse->pubKey, ecc_kse->pubKey, ecc_kse->pubKeyLen); |
9173 | 0 | XMEMCPY(kse->pubKey + ecc_kse->pubKeyLen, pqc_kse->pubKey, |
9174 | 0 | pqc_kse->pubKeyLen); |
9175 | 0 | } |
9176 | 0 | kse->pubKeyLen = ecc_kse->pubKeyLen + pqc_kse->pubKeyLen; |
9177 | 0 | } |
9178 | | |
9179 | | /* Store the private keys. |
9180 | | * Note we are saving the PQC private key and ECC private key |
9181 | | * separately. That's because the ECC private key is not simply a |
9182 | | * buffer. Its is an ecc_key struct. */ |
9183 | 0 | if (ret == 0) { |
9184 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
9185 | | /* PQC private key is an encoded byte array */ |
9186 | 0 | kse->privKey = pqc_kse->privKey; |
9187 | 0 | kse->privKeyLen = pqc_kse->privKeyLen; |
9188 | 0 | pqc_kse->privKey = NULL; |
9189 | | #else |
9190 | | /* PQC private key is a pointer to MlKemKey object */ |
9191 | | kse->privKey = (byte*)pqc_kse->key; |
9192 | | kse->privKeyLen = 0; |
9193 | | pqc_kse->key = NULL; |
9194 | | #endif |
9195 | | /* ECC private key is a pointer to ecc_key object */ |
9196 | 0 | kse->key = ecc_kse->key; |
9197 | 0 | kse->keyLen = ecc_kse->keyLen; |
9198 | 0 | ecc_kse->key = NULL; |
9199 | 0 | } |
9200 | |
|
9201 | | #ifdef WOLFSSL_DEBUG_TLS |
9202 | | WOLFSSL_MSG("Public ML-KEM Key"); |
9203 | | WOLFSSL_BUFFER(kse->pubKey, kse->pubKeyLen ); |
9204 | | #endif |
9205 | |
|
9206 | 0 | TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap); |
9207 | 0 | TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap); |
9208 | |
|
9209 | 0 | return ret; |
9210 | 0 | } |
9211 | | #endif /* !WOLFSSL_MLKEM_NO_MAKE_KEY && !WOLFSSL_MLKEM_NO_DECAPSULATE */ |
9212 | | #endif /* WOLFSSL_HAVE_MLKEM */ |
9213 | | |
9214 | | /* Generate a secret/key using the key share entry. |
9215 | | * |
9216 | | * ssl The SSL/TLS object. |
9217 | | * kse The key share entry holding peer data. |
9218 | | */ |
9219 | | int TLSX_KeyShare_GenKey(WOLFSSL *ssl, KeyShareEntry *kse) |
9220 | 0 | { |
9221 | 0 | int ret; |
9222 | | /* Named FFDHE groups have a bit set to identify them. */ |
9223 | 0 | if (WOLFSSL_NAMED_GROUP_IS_FFDHE(kse->group)) |
9224 | 0 | ret = TLSX_KeyShare_GenDhKey(ssl, kse); |
9225 | 0 | else if (kse->group == WOLFSSL_ECC_X25519) |
9226 | 0 | ret = TLSX_KeyShare_GenX25519Key(ssl, kse); |
9227 | 0 | else if (kse->group == WOLFSSL_ECC_X448) |
9228 | 0 | ret = TLSX_KeyShare_GenX448Key(ssl, kse); |
9229 | 0 | #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_MAKE_KEY) && \ |
9230 | 0 | !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) |
9231 | 0 | else if (WOLFSSL_NAMED_GROUP_IS_PQC(kse->group)) |
9232 | 0 | ret = TLSX_KeyShare_GenPqcKeyClient(ssl, kse); |
9233 | 0 | else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(kse->group)) |
9234 | 0 | ret = TLSX_KeyShare_GenPqcHybridKeyClient(ssl, kse); |
9235 | 0 | #endif |
9236 | 0 | else |
9237 | 0 | ret = TLSX_KeyShare_GenEccKey(ssl, kse); |
9238 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9239 | | kse->lastRet = ret; |
9240 | | #endif |
9241 | 0 | return ret; |
9242 | 0 | } |
9243 | | |
9244 | | /* Free the key share dynamic data. |
9245 | | * |
9246 | | * list The linked list of key share entry objects. |
9247 | | * heap The heap used for allocation. |
9248 | | */ |
9249 | | static void TLSX_KeyShare_FreeAll(KeyShareEntry* list, void* heap) |
9250 | 0 | { |
9251 | 0 | KeyShareEntry* current; |
9252 | |
|
9253 | 0 | while ((current = list) != NULL) { |
9254 | 0 | list = current->next; |
9255 | 0 | if (WOLFSSL_NAMED_GROUP_IS_FFDHE(current->group)) { |
9256 | 0 | #ifndef NO_DH |
9257 | | #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
9258 | | defined(WC_ASYNC_ENABLE_DH) |
9259 | | if (current->key != NULL && |
9260 | | ((DhKey*)current->key)->nb != NULL) { |
9261 | | XFREE(((DhKey*)current->key)->nb, heap, |
9262 | | DYNAMIC_TYPE_TMP_BUFFER); |
9263 | | ((DhKey*)current->key)->nb = NULL; |
9264 | | } |
9265 | | #endif |
9266 | 0 | wc_FreeDhKey((DhKey*)current->key); |
9267 | 0 | if (current->privKey != NULL && current->privKeyLen > 0) { |
9268 | 0 | ForceZero(current->privKey, current->privKeyLen); |
9269 | 0 | } |
9270 | 0 | #endif |
9271 | 0 | } |
9272 | 0 | else if (current->group == WOLFSSL_ECC_X25519) { |
9273 | | #ifdef HAVE_CURVE25519 |
9274 | | #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) |
9275 | | if (current->key != NULL && |
9276 | | ((curve25519_key*)current->key)->nb_ctx != NULL) { |
9277 | | XFREE(((curve25519_key*)current->key)->nb_ctx, heap, |
9278 | | DYNAMIC_TYPE_TMP_BUFFER); |
9279 | | } |
9280 | | #endif |
9281 | | wc_curve25519_free((curve25519_key*)current->key); |
9282 | | #endif |
9283 | 0 | } |
9284 | 0 | else if (current->group == WOLFSSL_ECC_X448) { |
9285 | | #ifdef HAVE_CURVE448 |
9286 | | wc_curve448_free((curve448_key*)current->key); |
9287 | | #endif |
9288 | 0 | } |
9289 | 0 | else if (WOLFSSL_NAMED_GROUP_IS_PQC(current->group)) { |
9290 | 0 | #ifdef WOLFSSL_HAVE_MLKEM |
9291 | 0 | wc_MlKemKey_Free((MlKemKey*)current->key); |
9292 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
9293 | 0 | if (current->privKey != NULL) { |
9294 | 0 | ForceZero(current->privKey, current->privKeyLen); |
9295 | 0 | } |
9296 | 0 | #endif |
9297 | 0 | #endif |
9298 | 0 | } |
9299 | 0 | else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(current->group)) { |
9300 | 0 | #ifdef WOLFSSL_HAVE_MLKEM |
9301 | 0 | int ecc_group = 0; |
9302 | 0 | findEccPqc(&ecc_group, NULL, NULL, current->group); |
9303 | | |
9304 | | /* Free PQC private key */ |
9305 | | #ifdef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
9306 | | wc_MlKemKey_Free((MlKemKey*)current->privKey); |
9307 | | #else |
9308 | 0 | if (current->privKey != NULL) { |
9309 | 0 | ForceZero(current->privKey, current->privKeyLen); |
9310 | 0 | } |
9311 | 0 | #endif |
9312 | | |
9313 | | /* Free ECC private key */ |
9314 | 0 | if (ecc_group == WOLFSSL_ECC_X25519) { |
9315 | | #ifdef HAVE_CURVE25519 |
9316 | | wc_curve25519_free((curve25519_key*)current->key); |
9317 | | #endif |
9318 | 0 | } |
9319 | 0 | else if (ecc_group == WOLFSSL_ECC_X448) { |
9320 | | #ifdef HAVE_CURVE448 |
9321 | | wc_curve448_free((curve448_key*)current->key); |
9322 | | #endif |
9323 | 0 | } |
9324 | 0 | else { |
9325 | 0 | #ifdef HAVE_ECC |
9326 | | #if defined(WC_ECC_NONBLOCK) && \ |
9327 | | defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
9328 | | defined(WC_ASYNC_ENABLE_ECC) |
9329 | | if (current->key != NULL && |
9330 | | ((ecc_key*)current->key)->nb_ctx != NULL) { |
9331 | | XFREE(((ecc_key*)current->key)->nb_ctx, heap, |
9332 | | DYNAMIC_TYPE_TMP_BUFFER); |
9333 | | } |
9334 | | #endif |
9335 | 0 | wc_ecc_free((ecc_key*)current->key); |
9336 | 0 | #endif |
9337 | 0 | } |
9338 | 0 | #endif |
9339 | 0 | } |
9340 | 0 | else { |
9341 | 0 | #ifdef HAVE_ECC |
9342 | | #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
9343 | | defined(WC_ASYNC_ENABLE_ECC) |
9344 | | if (current->key != NULL && |
9345 | | ((ecc_key*)current->key)->nb_ctx != NULL) { |
9346 | | XFREE(((ecc_key*)current->key)->nb_ctx, heap, |
9347 | | DYNAMIC_TYPE_TMP_BUFFER); |
9348 | | } |
9349 | | #endif |
9350 | 0 | wc_ecc_free((ecc_key*)current->key); |
9351 | 0 | #endif |
9352 | 0 | } |
9353 | 0 | XFREE(current->key, heap, DYNAMIC_TYPE_PRIVATE_KEY); |
9354 | 0 | #if !defined(NO_DH) || defined(WOLFSSL_HAVE_MLKEM) |
9355 | 0 | XFREE(current->privKey, heap, DYNAMIC_TYPE_PRIVATE_KEY); |
9356 | 0 | #endif |
9357 | 0 | XFREE(current->pubKey, heap, DYNAMIC_TYPE_PUBLIC_KEY); |
9358 | 0 | XFREE(current->ke, heap, DYNAMIC_TYPE_PUBLIC_KEY); |
9359 | 0 | XFREE(current, heap, DYNAMIC_TYPE_TLSX); |
9360 | 0 | } |
9361 | |
|
9362 | 0 | (void)heap; |
9363 | 0 | } |
9364 | | |
9365 | | /* Get the size of the encoded key share extension. |
9366 | | * |
9367 | | * list The linked list of key share extensions. |
9368 | | * msgType The type of the message this extension is being written into. |
9369 | | * returns the number of bytes of the encoded key share extension. |
9370 | | */ |
9371 | | static word16 TLSX_KeyShare_GetSize(KeyShareEntry* list, byte msgType) |
9372 | 0 | { |
9373 | 0 | word16 len = 0; |
9374 | 0 | byte isRequest = (msgType == client_hello); |
9375 | 0 | KeyShareEntry* current; |
9376 | | |
9377 | | /* The named group the server wants to use. */ |
9378 | 0 | if (msgType == hello_retry_request) |
9379 | 0 | return OPAQUE16_LEN; |
9380 | | |
9381 | | /* List of key exchange groups. */ |
9382 | 0 | if (isRequest) |
9383 | 0 | len += OPAQUE16_LEN; |
9384 | 0 | while ((current = list) != NULL) { |
9385 | 0 | list = current->next; |
9386 | |
|
9387 | 0 | if (!isRequest && current->pubKey == NULL) |
9388 | 0 | continue; |
9389 | | |
9390 | 0 | len += (word16)(KE_GROUP_LEN + OPAQUE16_LEN + current->pubKeyLen); |
9391 | 0 | } |
9392 | |
|
9393 | 0 | return len; |
9394 | 0 | } |
9395 | | |
9396 | | /* Writes the key share extension into the output buffer. |
9397 | | * Assumes that the the output buffer is big enough to hold data. |
9398 | | * |
9399 | | * list The linked list of key share entries. |
9400 | | * output The buffer to write into. |
9401 | | * msgType The type of the message this extension is being written into. |
9402 | | * returns the number of bytes written into the buffer. |
9403 | | */ |
9404 | | static word16 TLSX_KeyShare_Write(KeyShareEntry* list, byte* output, |
9405 | | byte msgType) |
9406 | 0 | { |
9407 | 0 | word16 i = 0; |
9408 | 0 | byte isRequest = (msgType == client_hello); |
9409 | 0 | KeyShareEntry* current; |
9410 | |
|
9411 | 0 | if (msgType == hello_retry_request) { |
9412 | 0 | c16toa(list->group, output); |
9413 | 0 | return OPAQUE16_LEN; |
9414 | 0 | } |
9415 | | |
9416 | | /* ClientHello has a list but ServerHello is only the chosen. */ |
9417 | 0 | if (isRequest) |
9418 | 0 | i += OPAQUE16_LEN; |
9419 | | |
9420 | | /* Write out all in the list. */ |
9421 | 0 | while ((current = list) != NULL) { |
9422 | 0 | list = current->next; |
9423 | |
|
9424 | 0 | if (!isRequest && current->pubKey == NULL) |
9425 | 0 | continue; |
9426 | | |
9427 | 0 | c16toa(current->group, &output[i]); |
9428 | 0 | i += KE_GROUP_LEN; |
9429 | 0 | c16toa((word16)(current->pubKeyLen), &output[i]); |
9430 | 0 | i += OPAQUE16_LEN; |
9431 | 0 | XMEMCPY(&output[i], current->pubKey, current->pubKeyLen); |
9432 | 0 | i += (word16)current->pubKeyLen; |
9433 | 0 | } |
9434 | | /* Write the length of the list if required. */ |
9435 | 0 | if (isRequest) |
9436 | 0 | c16toa(i - OPAQUE16_LEN, output); |
9437 | |
|
9438 | 0 | return i; |
9439 | 0 | } |
9440 | | |
9441 | | /* Process the DH key share extension on the client side. |
9442 | | * |
9443 | | * ssl The SSL/TLS object. |
9444 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
9445 | | * returns 0 on success and other values indicate failure. |
9446 | | */ |
9447 | | static int TLSX_KeyShare_ProcessDh(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) |
9448 | 0 | { |
9449 | 0 | int ret = 0; |
9450 | 0 | #if !defined(NO_DH) && (!defined(NO_CERTS) || !defined(NO_PSK)) |
9451 | 0 | word32 pSz = 0; |
9452 | 0 | DhKey* dhKey = (DhKey*)keyShareEntry->key; |
9453 | |
|
9454 | 0 | #ifdef HAVE_PUBLIC_FFDHE |
9455 | 0 | const DhParams* params = NULL; |
9456 | 0 | switch (keyShareEntry->group) { |
9457 | 0 | #ifdef HAVE_FFDHE_2048 |
9458 | 0 | case WOLFSSL_FFDHE_2048: |
9459 | 0 | params = wc_Dh_ffdhe2048_Get(); |
9460 | 0 | break; |
9461 | 0 | #endif |
9462 | | #ifdef HAVE_FFDHE_3072 |
9463 | | case WOLFSSL_FFDHE_3072: |
9464 | | params = wc_Dh_ffdhe3072_Get(); |
9465 | | break; |
9466 | | #endif |
9467 | | #ifdef HAVE_FFDHE_4096 |
9468 | | case WOLFSSL_FFDHE_4096: |
9469 | | params = wc_Dh_ffdhe4096_Get(); |
9470 | | break; |
9471 | | #endif |
9472 | | #ifdef HAVE_FFDHE_6144 |
9473 | | case WOLFSSL_FFDHE_6144: |
9474 | | params = wc_Dh_ffdhe6144_Get(); |
9475 | | break; |
9476 | | #endif |
9477 | | #ifdef HAVE_FFDHE_8192 |
9478 | | case WOLFSSL_FFDHE_8192: |
9479 | | params = wc_Dh_ffdhe8192_Get(); |
9480 | | break; |
9481 | | #endif |
9482 | 0 | default: |
9483 | 0 | break; |
9484 | 0 | } |
9485 | 0 | if (params == NULL) { |
9486 | 0 | WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR); |
9487 | 0 | return PEER_KEY_ERROR; |
9488 | 0 | } |
9489 | 0 | pSz = params->p_len; |
9490 | | #else |
9491 | | ret = wc_DhGetNamedKeyParamSize(keyShareEntry->group, &pSz, NULL, NULL); |
9492 | | if (ret != 0 || pSz == 0) { |
9493 | | WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR); |
9494 | | return PEER_KEY_ERROR; |
9495 | | } |
9496 | | #endif |
9497 | | |
9498 | | /* RFC 8446 Section 4.2.8.1: FFDHE key_exchange values are left-padded with |
9499 | | * zeros to the size of the named-group prime. Reject any peer key share |
9500 | | * whose byte length does not match the expected prime size. */ |
9501 | 0 | if (keyShareEntry->keLen != pSz) { |
9502 | 0 | WOLFSSL_ERROR_VERBOSE(PEER_KEY_ERROR); |
9503 | 0 | return PEER_KEY_ERROR; |
9504 | 0 | } |
9505 | | |
9506 | | /* if DhKey is not setup, do it now */ |
9507 | 0 | if (keyShareEntry->key == NULL) { |
9508 | 0 | keyShareEntry->key = (DhKey*)XMALLOC(sizeof(DhKey), ssl->heap, |
9509 | 0 | DYNAMIC_TYPE_DH); |
9510 | 0 | if (keyShareEntry->key == NULL) |
9511 | 0 | return MEMORY_E; |
9512 | | |
9513 | | /* Setup Key */ |
9514 | 0 | ret = wc_InitDhKey_ex((DhKey*)keyShareEntry->key, ssl->heap, ssl->devId); |
9515 | 0 | if (ret == 0) { |
9516 | 0 | dhKey = (DhKey*)keyShareEntry->key; |
9517 | | /* Set key */ |
9518 | 0 | #ifdef HAVE_PUBLIC_FFDHE |
9519 | 0 | ret = wc_DhSetKey(dhKey, params->p, params->p_len, params->g, |
9520 | 0 | params->g_len); |
9521 | | #else |
9522 | | ret = wc_DhSetNamedKey(dhKey, keyShareEntry->group); |
9523 | | #endif |
9524 | 0 | } |
9525 | | #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
9526 | | defined(WC_ASYNC_ENABLE_DH) |
9527 | | /* Only set non-blocking context when async device is active. With |
9528 | | * INVALID_DEVID there is no async loop to retry on MP_WOULDBLOCK, so |
9529 | | * skip non-blocking setup and use blocking mode instead. */ |
9530 | | if (ret == 0 && ssl->devId != INVALID_DEVID) { |
9531 | | DhNb* dhNb = (DhNb*)XMALLOC(sizeof(DhNb), ssl->heap, |
9532 | | DYNAMIC_TYPE_TMP_BUFFER); |
9533 | | if (dhNb == NULL) { |
9534 | | ret = MEMORY_E; |
9535 | | } |
9536 | | else { |
9537 | | ret = wc_DhSetNonBlock((DhKey*)keyShareEntry->key, dhNb); |
9538 | | if (ret != 0) { |
9539 | | XFREE(dhNb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
9540 | | } |
9541 | | } |
9542 | | } |
9543 | | #endif /* WC_DH_NONBLOCK && WOLFSSL_ASYNC_CRYPT_SW && |
9544 | | WC_ASYNC_ENABLE_DH */ |
9545 | 0 | } |
9546 | | |
9547 | 0 | if (ret == 0 |
9548 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9549 | | && keyShareEntry->lastRet == 0 /* don't enter here if WC_PENDING_E */ |
9550 | | #endif |
9551 | 0 | ) { |
9552 | | #ifdef WOLFSSL_DEBUG_TLS |
9553 | | WOLFSSL_MSG("Peer DH Key"); |
9554 | | WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen); |
9555 | | #endif |
9556 | |
|
9557 | 0 | ssl->options.dhKeySz = (word16)pSz; |
9558 | | |
9559 | | /* Derive secret from private key and peer's public key. */ |
9560 | 0 | ret = DhAgree(ssl, dhKey, |
9561 | 0 | (const byte*)keyShareEntry->privKey, keyShareEntry->keyLen, /* our private */ |
9562 | 0 | keyShareEntry->ke, keyShareEntry->keLen, /* peer's public key */ |
9563 | 0 | ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz, /* secret */ |
9564 | 0 | NULL, 0 |
9565 | 0 | ); |
9566 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9567 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
9568 | | return ret; |
9569 | | } |
9570 | | #endif |
9571 | 0 | } |
9572 | | |
9573 | | /* RFC 8446 Section 7.4.1: |
9574 | | * ... left-padded with zeros up to the size of the prime. ... |
9575 | | */ |
9576 | 0 | if (ret == 0 && (word32)ssl->options.dhKeySz > ssl->arrays->preMasterSz) { |
9577 | 0 | word32 diff = (word32)ssl->options.dhKeySz - ssl->arrays->preMasterSz; |
9578 | 0 | XMEMMOVE(ssl->arrays->preMasterSecret + diff, |
9579 | 0 | ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz); |
9580 | 0 | XMEMSET(ssl->arrays->preMasterSecret, 0, diff); |
9581 | 0 | ssl->arrays->preMasterSz = ssl->options.dhKeySz; |
9582 | 0 | } |
9583 | | |
9584 | | /* done with key share, release resources */ |
9585 | 0 | if (dhKey) { |
9586 | | #if defined(WC_DH_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
9587 | | defined(WC_ASYNC_ENABLE_DH) |
9588 | | if (dhKey->nb != NULL) { |
9589 | | XFREE(dhKey->nb, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
9590 | | dhKey->nb = NULL; |
9591 | | } |
9592 | | #endif |
9593 | 0 | wc_FreeDhKey(dhKey); |
9594 | 0 | } |
9595 | 0 | XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_DH); |
9596 | 0 | keyShareEntry->key = NULL; |
9597 | 0 | if (keyShareEntry->privKey) { |
9598 | 0 | ForceZero(keyShareEntry->privKey, keyShareEntry->keyLen); |
9599 | 0 | XFREE(keyShareEntry->privKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
9600 | 0 | keyShareEntry->privKey = NULL; |
9601 | 0 | } |
9602 | 0 | XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
9603 | 0 | keyShareEntry->pubKey = NULL; |
9604 | 0 | XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
9605 | 0 | keyShareEntry->ke = NULL; |
9606 | | #else |
9607 | | (void)ssl; |
9608 | | (void)keyShareEntry; |
9609 | | ret = PEER_KEY_ERROR; |
9610 | | WOLFSSL_ERROR_VERBOSE(ret); |
9611 | | #endif |
9612 | 0 | return ret; |
9613 | 0 | } |
9614 | | |
9615 | | /* Process the X25519 key share extension on the client side. |
9616 | | * |
9617 | | * ssl The SSL/TLS object. |
9618 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
9619 | | * ssOutput The destination buffer for the shared secret. |
9620 | | * ssOutSz The size of the generated shared secret. |
9621 | | * |
9622 | | * returns 0 on success and other values indicate failure. |
9623 | | */ |
9624 | | static int TLSX_KeyShare_ProcessX25519_ex(WOLFSSL* ssl, |
9625 | | KeyShareEntry* keyShareEntry, |
9626 | | unsigned char* ssOutput, |
9627 | | word32* ssOutSz) |
9628 | 0 | { |
9629 | 0 | int ret = 0; |
9630 | |
|
9631 | | #ifdef HAVE_CURVE25519 |
9632 | | curve25519_key* key = (curve25519_key*)keyShareEntry->key; |
9633 | | |
9634 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9635 | | if (keyShareEntry->lastRet == 0) /* don't enter here if WC_PENDING_E */ |
9636 | | #endif |
9637 | | { |
9638 | | #ifdef HAVE_ECC |
9639 | | if (ssl->peerEccKey != NULL) { |
9640 | | wc_ecc_free(ssl->peerEccKey); |
9641 | | ssl->peerEccKey = NULL; |
9642 | | ssl->peerEccKeyPresent = 0; |
9643 | | } |
9644 | | #endif |
9645 | | |
9646 | | ssl->peerX25519Key = (curve25519_key*)XMALLOC(sizeof(curve25519_key), |
9647 | | ssl->heap, DYNAMIC_TYPE_TLSX); |
9648 | | if (ssl->peerX25519Key == NULL) { |
9649 | | WOLFSSL_MSG("PeerX25519Key Memory error"); |
9650 | | return MEMORY_ERROR; |
9651 | | } |
9652 | | ret = wc_curve25519_init(ssl->peerX25519Key); |
9653 | | if (ret != 0) { |
9654 | | XFREE(ssl->peerX25519Key, ssl->heap, DYNAMIC_TYPE_TLSX); |
9655 | | ssl->peerX25519Key = NULL; |
9656 | | return ret; |
9657 | | } |
9658 | | #ifdef WOLFSSL_DEBUG_TLS |
9659 | | WOLFSSL_MSG("Peer Curve25519 Key"); |
9660 | | WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen); |
9661 | | #endif |
9662 | | |
9663 | | if (wc_curve25519_check_public(keyShareEntry->ke, keyShareEntry->keLen, |
9664 | | EC25519_LITTLE_ENDIAN) != 0) { |
9665 | | ret = ECC_PEERKEY_ERROR; |
9666 | | WOLFSSL_ERROR_VERBOSE(ret); |
9667 | | } |
9668 | | |
9669 | | if (ret == 0) { |
9670 | | if (wc_curve25519_import_public_ex(keyShareEntry->ke, |
9671 | | keyShareEntry->keLen, |
9672 | | ssl->peerX25519Key, |
9673 | | EC25519_LITTLE_ENDIAN) != 0) { |
9674 | | ret = ECC_PEERKEY_ERROR; |
9675 | | WOLFSSL_ERROR_VERBOSE(ret); |
9676 | | } |
9677 | | } |
9678 | | |
9679 | | if (ret == 0) { |
9680 | | ssl->ecdhCurveOID = ECC_X25519_OID; |
9681 | | ssl->peerX25519KeyPresent = 1; |
9682 | | } |
9683 | | } |
9684 | | |
9685 | | if (ret == 0 && key == NULL) |
9686 | | ret = BAD_FUNC_ARG; |
9687 | | if (ret == 0) { |
9688 | | #ifdef WOLFSSL_CURVE25519_BLINDING |
9689 | | ret = wc_curve25519_set_rng(key, ssl->rng); |
9690 | | } |
9691 | | if (ret == 0) { |
9692 | | #endif |
9693 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9694 | | if (keyShareEntry->lastRet != WC_NO_ERR_TRACE(WC_PENDING_E)) |
9695 | | #endif |
9696 | | { |
9697 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9698 | | /* initialize event */ |
9699 | | ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, |
9700 | | WC_ASYNC_FLAG_CALL_AGAIN); |
9701 | | if (ret != 0) |
9702 | | return ret; |
9703 | | #endif |
9704 | | ret = wc_curve25519_shared_secret_ex(key, ssl->peerX25519Key, |
9705 | | ssOutput, ssOutSz, EC25519_LITTLE_ENDIAN); |
9706 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9707 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
9708 | | return wolfSSL_AsyncPush(ssl, &key->asyncDev); |
9709 | | } |
9710 | | #endif |
9711 | | } |
9712 | | /* On CALL_AGAIN re-entry (lastRet == PENDING): the block above |
9713 | | * is skipped entirely, so wc_curve25519_shared_secret_ex is not |
9714 | | * called again. ret stays 0 from initialization, and execution |
9715 | | * falls through to the cleanup code below. */ |
9716 | | } |
9717 | | |
9718 | | /* done with key share, release resources */ |
9719 | | if (ssl->peerX25519Key != NULL) { |
9720 | | wc_curve25519_free(ssl->peerX25519Key); |
9721 | | XFREE(ssl->peerX25519Key, ssl->heap, DYNAMIC_TYPE_TLSX); |
9722 | | ssl->peerX25519Key = NULL; |
9723 | | ssl->peerX25519KeyPresent = 0; |
9724 | | } |
9725 | | if (keyShareEntry->key != NULL) { |
9726 | | #if defined(WC_X25519_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) |
9727 | | if (((curve25519_key*)keyShareEntry->key)->nb_ctx != NULL) { |
9728 | | XFREE(((curve25519_key*)keyShareEntry->key)->nb_ctx, ssl->heap, |
9729 | | DYNAMIC_TYPE_TMP_BUFFER); |
9730 | | } |
9731 | | #endif |
9732 | | wc_curve25519_free((curve25519_key*)keyShareEntry->key); |
9733 | | XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
9734 | | keyShareEntry->key = NULL; |
9735 | | } |
9736 | | XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
9737 | | keyShareEntry->ke = NULL; |
9738 | | #else |
9739 | 0 | (void)ssl; |
9740 | 0 | (void)keyShareEntry; |
9741 | 0 | (void)ssOutput; |
9742 | 0 | (void)ssOutSz; |
9743 | |
|
9744 | 0 | ret = PEER_KEY_ERROR; |
9745 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
9746 | 0 | #endif /* HAVE_CURVE25519 */ |
9747 | |
|
9748 | 0 | return ret; |
9749 | 0 | } |
9750 | | |
9751 | | /* Process the X25519 key share extension on the client side. |
9752 | | * |
9753 | | * ssl The SSL/TLS object. |
9754 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
9755 | | * |
9756 | | * returns 0 on success and other values indicate failure. |
9757 | | */ |
9758 | | static int TLSX_KeyShare_ProcessX25519(WOLFSSL* ssl, |
9759 | | KeyShareEntry* keyShareEntry) |
9760 | 0 | { |
9761 | 0 | return TLSX_KeyShare_ProcessX25519_ex(ssl, keyShareEntry, |
9762 | 0 | ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz); |
9763 | 0 | } |
9764 | | |
9765 | | /* Process the X448 key share extension on the client side. |
9766 | | * |
9767 | | * ssl The SSL/TLS object. |
9768 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
9769 | | * ssOutput The destination buffer for the shared secret. |
9770 | | * ssOutSz The size of the generated shared secret. |
9771 | | * |
9772 | | * returns 0 on success and other values indicate failure. |
9773 | | */ |
9774 | | static int TLSX_KeyShare_ProcessX448_ex(WOLFSSL* ssl, |
9775 | | KeyShareEntry* keyShareEntry, |
9776 | | unsigned char* ssOutput, |
9777 | | word32* ssOutSz) |
9778 | 0 | { |
9779 | 0 | int ret; |
9780 | |
|
9781 | | #ifdef HAVE_CURVE448 |
9782 | | curve448_key* key = (curve448_key*)keyShareEntry->key; |
9783 | | curve448_key* peerX448Key; |
9784 | | |
9785 | | #ifdef HAVE_ECC |
9786 | | if (ssl->peerEccKey != NULL) { |
9787 | | wc_ecc_free(ssl->peerEccKey); |
9788 | | ssl->peerEccKey = NULL; |
9789 | | ssl->peerEccKeyPresent = 0; |
9790 | | } |
9791 | | #endif |
9792 | | |
9793 | | peerX448Key = (curve448_key*)XMALLOC(sizeof(curve448_key), ssl->heap, |
9794 | | DYNAMIC_TYPE_TLSX); |
9795 | | if (peerX448Key == NULL) { |
9796 | | WOLFSSL_MSG("PeerEccKey Memory error"); |
9797 | | return MEMORY_ERROR; |
9798 | | } |
9799 | | ret = wc_curve448_init(peerX448Key); |
9800 | | if (ret != 0) { |
9801 | | XFREE(peerX448Key, ssl->heap, DYNAMIC_TYPE_TLSX); |
9802 | | return ret; |
9803 | | } |
9804 | | #ifdef WOLFSSL_DEBUG_TLS |
9805 | | WOLFSSL_MSG("Peer Curve448 Key"); |
9806 | | WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen); |
9807 | | #endif |
9808 | | |
9809 | | if (wc_curve448_check_public(keyShareEntry->ke, keyShareEntry->keLen, |
9810 | | EC448_LITTLE_ENDIAN) != 0) { |
9811 | | ret = ECC_PEERKEY_ERROR; |
9812 | | WOLFSSL_ERROR_VERBOSE(ret); |
9813 | | } |
9814 | | |
9815 | | if (ret == 0) { |
9816 | | if (wc_curve448_import_public_ex(keyShareEntry->ke, |
9817 | | keyShareEntry->keLen, peerX448Key, |
9818 | | EC448_LITTLE_ENDIAN) != 0) { |
9819 | | ret = ECC_PEERKEY_ERROR; |
9820 | | WOLFSSL_ERROR_VERBOSE(ret); |
9821 | | } |
9822 | | } |
9823 | | |
9824 | | if (ret == 0) { |
9825 | | ssl->ecdhCurveOID = ECC_X448_OID; |
9826 | | |
9827 | | ret = wc_curve448_shared_secret_ex(key, peerX448Key, |
9828 | | ssOutput, ssOutSz, EC448_LITTLE_ENDIAN); |
9829 | | } |
9830 | | |
9831 | | wc_curve448_free(peerX448Key); |
9832 | | XFREE(peerX448Key, ssl->heap, DYNAMIC_TYPE_TLSX); |
9833 | | wc_curve448_free((curve448_key*)keyShareEntry->key); |
9834 | | XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
9835 | | keyShareEntry->key = NULL; |
9836 | | XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
9837 | | keyShareEntry->ke = NULL; |
9838 | | #else |
9839 | 0 | (void)ssl; |
9840 | 0 | (void)keyShareEntry; |
9841 | 0 | (void)ssOutput; |
9842 | 0 | (void)ssOutSz; |
9843 | |
|
9844 | 0 | ret = PEER_KEY_ERROR; |
9845 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
9846 | 0 | #endif /* HAVE_CURVE448 */ |
9847 | |
|
9848 | 0 | return ret; |
9849 | 0 | } |
9850 | | |
9851 | | /* Process the X448 key share extension on the client side. |
9852 | | * |
9853 | | * ssl The SSL/TLS object. |
9854 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
9855 | | * returns 0 on success and other values indicate failure. |
9856 | | */ |
9857 | | static int TLSX_KeyShare_ProcessX448(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) |
9858 | 0 | { |
9859 | 0 | return TLSX_KeyShare_ProcessX448_ex(ssl, keyShareEntry, |
9860 | 0 | ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz); |
9861 | 0 | } |
9862 | | |
9863 | | /* Process the ECC key share extension on the client side. |
9864 | | * |
9865 | | * ssl The SSL/TLS object. |
9866 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
9867 | | * ssOutput The destination buffer for the shared secret. |
9868 | | * ssOutSz The size of the generated shared secret. |
9869 | | * |
9870 | | * returns 0 on success and other values indicate failure. |
9871 | | */ |
9872 | | static int TLSX_KeyShare_ProcessEcc_ex(WOLFSSL* ssl, |
9873 | | KeyShareEntry* keyShareEntry, |
9874 | | unsigned char* ssOutput, |
9875 | | word32* ssOutSz) |
9876 | 0 | { |
9877 | 0 | int ret = 0; |
9878 | 0 | #ifdef HAVE_ECC |
9879 | 0 | int curveId = ECC_CURVE_INVALID; |
9880 | 0 | ecc_key* eccKey = (ecc_key*)keyShareEntry->key; |
9881 | | |
9882 | | /* find supported curve */ |
9883 | 0 | switch (keyShareEntry->group) { |
9884 | 0 | #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 |
9885 | 0 | #ifndef NO_ECC_SECP |
9886 | 0 | case WOLFSSL_ECC_SECP256R1: |
9887 | 0 | curveId = ECC_SECP256R1; |
9888 | 0 | break; |
9889 | 0 | #endif /* !NO_ECC_SECP */ |
9890 | | #ifdef WOLFSSL_SM2 |
9891 | | case WOLFSSL_ECC_SM2P256V1: |
9892 | | curveId = ECC_SM2P256V1; |
9893 | | break; |
9894 | | #endif /* WOLFSSL_SM2 */ |
9895 | | #ifdef HAVE_ECC_BRAINPOOL |
9896 | | case WOLFSSL_ECC_BRAINPOOLP256R1TLS13: |
9897 | | curveId = ECC_BRAINPOOLP256R1; |
9898 | | break; |
9899 | | #endif /* HAVE_ECC_BRAINPOOL */ |
9900 | 0 | #endif |
9901 | 0 | #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 |
9902 | 0 | #ifndef NO_ECC_SECP |
9903 | 0 | case WOLFSSL_ECC_SECP384R1: |
9904 | 0 | curveId = ECC_SECP384R1; |
9905 | 0 | break; |
9906 | 0 | #endif /* !NO_ECC_SECP */ |
9907 | | #ifdef HAVE_ECC_BRAINPOOL |
9908 | | case WOLFSSL_ECC_BRAINPOOLP384R1TLS13: |
9909 | | curveId = ECC_BRAINPOOLP384R1; |
9910 | | break; |
9911 | | #endif /* HAVE_ECC_BRAINPOOL */ |
9912 | 0 | #endif |
9913 | 0 | #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512 |
9914 | | #ifdef HAVE_ECC_BRAINPOOL |
9915 | | case WOLFSSL_ECC_BRAINPOOLP512R1TLS13: |
9916 | | curveId = ECC_BRAINPOOLP512R1; |
9917 | | break; |
9918 | | #endif /* HAVE_ECC_BRAINPOOL */ |
9919 | 0 | #endif |
9920 | 0 | #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 |
9921 | 0 | #ifndef NO_ECC_SECP |
9922 | 0 | case WOLFSSL_ECC_SECP521R1: |
9923 | 0 | curveId = ECC_SECP521R1; |
9924 | 0 | break; |
9925 | 0 | #endif /* !NO_ECC_SECP */ |
9926 | 0 | #endif |
9927 | | #if defined(HAVE_X448) && ECC_MIN_KEY_SZ <= 448 |
9928 | | case WOLFSSL_ECC_X448: |
9929 | | curveId = ECC_X448; |
9930 | | break; |
9931 | | #endif |
9932 | 0 | default: |
9933 | | /* unsupported curve */ |
9934 | 0 | WOLFSSL_ERROR_VERBOSE(ECC_PEERKEY_ERROR); |
9935 | 0 | return ECC_PEERKEY_ERROR; |
9936 | 0 | } |
9937 | | |
9938 | | #ifdef WOLFSSL_ASYNC_CRYPT |
9939 | | if (keyShareEntry->lastRet == 0) /* don't enter here if WC_PENDING_E */ |
9940 | | #endif |
9941 | 0 | { |
9942 | | #ifdef WOLFSSL_DEBUG_TLS |
9943 | | WOLFSSL_MSG("Peer ECC Key"); |
9944 | | WOLFSSL_BUFFER(keyShareEntry->ke, keyShareEntry->keLen); |
9945 | | #endif |
9946 | |
|
9947 | 0 | if (ssl->peerEccKey != NULL) { |
9948 | 0 | wc_ecc_free(ssl->peerEccKey); |
9949 | 0 | XFREE(ssl->peerEccKey, ssl->heap, DYNAMIC_TYPE_ECC); |
9950 | 0 | ssl->peerEccKeyPresent = 0; |
9951 | 0 | } |
9952 | | #if defined(WOLFSSL_RENESAS_TSIP_TLS) |
9953 | | ret = tsip_Tls13GenSharedSecret(ssl, keyShareEntry); |
9954 | | if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE)) { |
9955 | | return ret; |
9956 | | } |
9957 | | ret = 0; |
9958 | | #endif |
9959 | |
|
9960 | 0 | ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), ssl->heap, |
9961 | 0 | DYNAMIC_TYPE_ECC); |
9962 | 0 | if (ssl->peerEccKey == NULL) { |
9963 | 0 | WOLFSSL_MSG("PeerEccKey Memory error"); |
9964 | 0 | ret = MEMORY_ERROR; |
9965 | 0 | } |
9966 | |
|
9967 | 0 | if (ret == 0) { |
9968 | 0 | ret = wc_ecc_init_ex(ssl->peerEccKey, ssl->heap, ssl->devId); |
9969 | 0 | } |
9970 | | |
9971 | | /* Point is validated by import function. */ |
9972 | 0 | if (ret == 0) { |
9973 | 0 | #if !defined(HAVE_SELFTEST) && !defined(HAVE_FIPS) |
9974 | 0 | ret = wc_ecc_import_x963_ex2(keyShareEntry->ke, |
9975 | 0 | keyShareEntry->keLen, ssl->peerEccKey, curveId, 1); |
9976 | | #else |
9977 | | /* FIPS has validation define on. */ |
9978 | | ret = wc_ecc_import_x963_ex(keyShareEntry->ke, |
9979 | | keyShareEntry->keLen, ssl->peerEccKey, curveId); |
9980 | | #endif |
9981 | 0 | if (ret != 0) { |
9982 | 0 | ret = ECC_PEERKEY_ERROR; |
9983 | 0 | WOLFSSL_ERROR_VERBOSE(ret); |
9984 | 0 | } |
9985 | 0 | } |
9986 | |
|
9987 | 0 | if (ret == 0) { |
9988 | 0 | ssl->ecdhCurveOID = ssl->peerEccKey->dp->oidSum; |
9989 | 0 | ssl->peerEccKeyPresent = 1; |
9990 | 0 | } |
9991 | 0 | } |
9992 | |
|
9993 | 0 | if (ret == 0 && eccKey == NULL) |
9994 | 0 | ret = BAD_FUNC_ARG; |
9995 | 0 | if (ret == 0) { |
9996 | 0 | ret = EccSharedSecret(ssl, eccKey, ssl->peerEccKey, |
9997 | 0 | keyShareEntry->ke, &keyShareEntry->keLen, |
9998 | 0 | ssOutput, ssOutSz, ssl->options.side); |
9999 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10000 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) |
10001 | | return ret; |
10002 | | #endif |
10003 | 0 | } |
10004 | | |
10005 | | /* done with key share, release resources */ |
10006 | 0 | if (ssl->peerEccKey != NULL |
10007 | | #ifdef HAVE_PK_CALLBACKS |
10008 | | && ssl->ctx->EccSharedSecretCb == NULL |
10009 | | #endif |
10010 | 0 | ) { |
10011 | 0 | wc_ecc_free(ssl->peerEccKey); |
10012 | 0 | XFREE(ssl->peerEccKey, ssl->heap, DYNAMIC_TYPE_ECC); |
10013 | 0 | ssl->peerEccKey = NULL; |
10014 | 0 | ssl->peerEccKeyPresent = 0; |
10015 | 0 | } |
10016 | 0 | if (eccKey != NULL) { |
10017 | | #if defined(WC_ECC_NONBLOCK) && defined(WOLFSSL_ASYNC_CRYPT_SW) && \ |
10018 | | defined(WC_ASYNC_ENABLE_ECC) |
10019 | | if (eccKey->nb_ctx != NULL) { |
10020 | | XFREE(eccKey->nb_ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
10021 | | } |
10022 | | #endif |
10023 | 0 | wc_ecc_free(eccKey); |
10024 | 0 | XFREE(keyShareEntry->key, ssl->heap, DYNAMIC_TYPE_ECC); |
10025 | 0 | keyShareEntry->key = NULL; |
10026 | 0 | } |
10027 | 0 | XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
10028 | 0 | keyShareEntry->ke = NULL; |
10029 | | #else |
10030 | | (void)ssl; |
10031 | | (void)keyShareEntry; |
10032 | | (void)ssOutput; |
10033 | | (void)ssOutSz; |
10034 | | |
10035 | | ret = PEER_KEY_ERROR; |
10036 | | WOLFSSL_ERROR_VERBOSE(ret); |
10037 | | #endif /* HAVE_ECC */ |
10038 | |
|
10039 | 0 | return ret; |
10040 | 0 | } |
10041 | | |
10042 | | /* Process the ECC key share extension on the client side. |
10043 | | * |
10044 | | * ssl The SSL/TLS object. |
10045 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
10046 | | * returns 0 on success and other values indicate failure. |
10047 | | */ |
10048 | | static int TLSX_KeyShare_ProcessEcc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) |
10049 | 0 | { |
10050 | 0 | return TLSX_KeyShare_ProcessEcc_ex(ssl, keyShareEntry, |
10051 | 0 | ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz); |
10052 | 0 | } |
10053 | | |
10054 | | #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) |
10055 | | /* Process the ML-KEM key share extension on the client side. |
10056 | | * |
10057 | | * ssl The SSL/TLS object. |
10058 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
10059 | | * ssOutput The destination buffer for the shared secret. |
10060 | | * ssOutSz The size of the generated shared secret. |
10061 | | * |
10062 | | * returns 0 on success and other values indicate failure. |
10063 | | */ |
10064 | | static int TLSX_KeyShare_ProcessPqcClient_ex(WOLFSSL* ssl, |
10065 | | KeyShareEntry* keyShareEntry, |
10066 | | unsigned char* ssOutput, |
10067 | | word32* ssOutSz) |
10068 | 0 | { |
10069 | 0 | int ret = 0; |
10070 | 0 | MlKemKey* kem = (MlKemKey*)keyShareEntry->key; |
10071 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
10072 | 0 | word32 privSz = 0; |
10073 | 0 | #endif |
10074 | 0 | word32 ctSz = 0; |
10075 | 0 | word32 ssSz = 0; |
10076 | |
|
10077 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
10078 | | /* I am the server, the shared secret has already been generated and |
10079 | | * is in ssl->arrays->preMasterSecret, so nothing really to do here. */ |
10080 | 0 | return 0; |
10081 | 0 | } |
10082 | | |
10083 | 0 | if (keyShareEntry->ke == NULL) { |
10084 | 0 | WOLFSSL_MSG("Invalid PQC algorithm specified."); |
10085 | 0 | return BAD_FUNC_ARG; |
10086 | 0 | } |
10087 | 0 | if (ssOutSz == NULL) |
10088 | 0 | return BAD_FUNC_ARG; |
10089 | | |
10090 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
10091 | 0 | if (kem == NULL) { |
10092 | 0 | int type = 0; |
10093 | | |
10094 | | /* Allocate an ML-KEM key to hold private key. */ |
10095 | 0 | kem = (MlKemKey*) XMALLOC(sizeof(MlKemKey), ssl->heap, |
10096 | 0 | DYNAMIC_TYPE_PRIVATE_KEY); |
10097 | 0 | if (kem == NULL) { |
10098 | 0 | WOLFSSL_MSG("GenPqcKey memory error"); |
10099 | 0 | ret = MEMORY_E; |
10100 | 0 | } |
10101 | 0 | if (ret == 0) { |
10102 | 0 | ret = mlkem_id2type(keyShareEntry->group, &type); |
10103 | 0 | } |
10104 | 0 | if (ret != 0) { |
10105 | 0 | WOLFSSL_MSG("Invalid PQC algorithm specified."); |
10106 | 0 | ret = BAD_FUNC_ARG; |
10107 | 0 | } |
10108 | 0 | if (ret == 0) { |
10109 | 0 | ret = wc_MlKemKey_Init(kem, type, ssl->heap, ssl->devId); |
10110 | 0 | if (ret != 0) { |
10111 | 0 | WOLFSSL_MSG("Error creating ML-KEM key"); |
10112 | 0 | } |
10113 | 0 | } |
10114 | 0 | } |
10115 | | #else |
10116 | | if (kem == NULL || keyShareEntry->privKeyLen != 0) { |
10117 | | WOLFSSL_MSG("Invalid ML-KEM key."); |
10118 | | ret = BAD_FUNC_ARG; |
10119 | | } |
10120 | | #endif |
10121 | |
|
10122 | 0 | if (ret == 0) { |
10123 | 0 | ret = wc_MlKemKey_SharedSecretSize(kem, &ssSz); |
10124 | 0 | } |
10125 | 0 | if (ret == 0) { |
10126 | 0 | ret = wc_MlKemKey_CipherTextSize(kem, &ctSz); |
10127 | 0 | } |
10128 | |
|
10129 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
10130 | 0 | if (ret == 0) { |
10131 | 0 | ret = wc_MlKemKey_PrivateKeySize(kem, &privSz); |
10132 | 0 | } |
10133 | 0 | if (ret == 0 && privSz != keyShareEntry->privKeyLen) { |
10134 | 0 | WOLFSSL_MSG("Invalid private key size."); |
10135 | 0 | ret = BAD_FUNC_ARG; |
10136 | 0 | } |
10137 | 0 | if (ret == 0) { |
10138 | 0 | PRIVATE_KEY_UNLOCK(); |
10139 | 0 | ret = wc_MlKemKey_DecodePrivateKey(kem, keyShareEntry->privKey, privSz); |
10140 | 0 | PRIVATE_KEY_LOCK(); |
10141 | 0 | } |
10142 | 0 | #endif |
10143 | |
|
10144 | 0 | if (ret == 0 && keyShareEntry->keLen < ctSz) { |
10145 | 0 | WOLFSSL_MSG("PQC key share data too short for ciphertext."); |
10146 | 0 | ret = BUFFER_E; |
10147 | 0 | } |
10148 | 0 | if (ret == 0) { |
10149 | 0 | PRIVATE_KEY_UNLOCK(); |
10150 | 0 | ret = wc_MlKemKey_Decapsulate(kem, ssOutput, |
10151 | 0 | keyShareEntry->ke, ctSz); |
10152 | 0 | PRIVATE_KEY_LOCK(); |
10153 | 0 | if (ret != 0) { |
10154 | 0 | WOLFSSL_MSG("wc_MlKemKey decapsulation failure."); |
10155 | 0 | ret = BAD_FUNC_ARG; |
10156 | 0 | } |
10157 | 0 | } |
10158 | 0 | if (ret == 0) { |
10159 | 0 | *ssOutSz = ssSz; |
10160 | 0 | } |
10161 | |
|
10162 | 0 | wc_MlKemKey_Free(kem); |
10163 | |
|
10164 | 0 | XFREE(kem, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
10165 | 0 | keyShareEntry->key = NULL; |
10166 | |
|
10167 | 0 | XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
10168 | 0 | keyShareEntry->ke = NULL; |
10169 | |
|
10170 | 0 | return ret; |
10171 | 0 | } |
10172 | | |
10173 | | /* Process the ML-KEM key share extension on the client side. |
10174 | | * |
10175 | | * ssl The SSL/TLS object. |
10176 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
10177 | | * |
10178 | | * returns 0 on success and other values indicate failure. |
10179 | | */ |
10180 | | static int TLSX_KeyShare_ProcessPqcClient(WOLFSSL* ssl, |
10181 | | KeyShareEntry* keyShareEntry) |
10182 | 0 | { |
10183 | 0 | return TLSX_KeyShare_ProcessPqcClient_ex(ssl, keyShareEntry, |
10184 | 0 | ssl->arrays->preMasterSecret, |
10185 | 0 | &ssl->arrays->preMasterSz); |
10186 | 0 | } |
10187 | | |
10188 | | /* Process the hybrid key share extension on the client side. |
10189 | | * |
10190 | | * ssl The SSL/TLS object. |
10191 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
10192 | | * returns 0 on success and other values indicate failure. |
10193 | | */ |
10194 | | static int TLSX_KeyShare_ProcessPqcHybridClient(WOLFSSL* ssl, |
10195 | | KeyShareEntry* keyShareEntry) |
10196 | 0 | { |
10197 | 0 | int ret = 0; |
10198 | 0 | int pqc_group = 0; |
10199 | 0 | int ecc_group = 0; |
10200 | 0 | int pqc_first = 0; |
10201 | 0 | KeyShareEntry* pqc_kse = NULL; |
10202 | 0 | KeyShareEntry *ecc_kse = NULL; |
10203 | 0 | word32 ctSz = 0; |
10204 | 0 | word32 ssSzPqc = 0; |
10205 | |
|
10206 | 0 | if (ssl->options.side == WOLFSSL_SERVER_END) { |
10207 | | /* I am the server, the shared secret has already been generated and |
10208 | | * is in ssl->arrays->preMasterSecret, so nothing really to do here. */ |
10209 | 0 | return 0; |
10210 | 0 | } |
10211 | | |
10212 | 0 | if (keyShareEntry->ke == NULL) { |
10213 | 0 | WOLFSSL_MSG("Invalid PQC algorithm specified."); |
10214 | 0 | return BAD_FUNC_ARG; |
10215 | 0 | } |
10216 | | |
10217 | | /* I am the client, both the PQC ciphertext and the ECHD public key are in |
10218 | | * keyShareEntry->ke */ |
10219 | | |
10220 | | /* Determine the ECC and PQC group of the hybrid combination */ |
10221 | 0 | findEccPqc(&ecc_group, &pqc_group, &pqc_first, keyShareEntry->group); |
10222 | 0 | if (ecc_group == 0 || pqc_group == 0) { |
10223 | 0 | WOLFSSL_MSG("Invalid hybrid group"); |
10224 | 0 | ret = BAD_FUNC_ARG; |
10225 | 0 | } |
10226 | |
|
10227 | 0 | if (ret == 0) { |
10228 | 0 | ecc_kse = (KeyShareEntry*)XMALLOC(sizeof(*ecc_kse), ssl->heap, |
10229 | 0 | DYNAMIC_TYPE_TLSX); |
10230 | 0 | if (ecc_kse == NULL) { |
10231 | 0 | WOLFSSL_MSG("kse memory allocation failure"); |
10232 | 0 | ret = MEMORY_ERROR; |
10233 | 0 | } |
10234 | 0 | else { |
10235 | 0 | XMEMSET(ecc_kse, 0, sizeof(*ecc_kse)); |
10236 | 0 | } |
10237 | 0 | } |
10238 | 0 | if (ret == 0) { |
10239 | 0 | pqc_kse = (KeyShareEntry*)XMALLOC(sizeof(*pqc_kse), ssl->heap, |
10240 | 0 | DYNAMIC_TYPE_TLSX); |
10241 | 0 | if (pqc_kse == NULL) { |
10242 | 0 | WOLFSSL_MSG("kse memory allocation failure"); |
10243 | 0 | ret = MEMORY_ERROR; |
10244 | 0 | } |
10245 | 0 | else { |
10246 | 0 | XMEMSET(pqc_kse, 0, sizeof(*pqc_kse)); |
10247 | 0 | } |
10248 | 0 | } |
10249 | | |
10250 | | /* The ciphertext and shared secret sizes of a KEM are fixed. Hence, we |
10251 | | * decode these sizes to separate the KEM ciphertext from the ECDH public |
10252 | | * key. */ |
10253 | 0 | if (ret == 0) { |
10254 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
10255 | 0 | int type; |
10256 | |
|
10257 | 0 | pqc_kse->privKey = keyShareEntry->privKey; |
10258 | |
|
10259 | 0 | ret = mlkem_id2type(pqc_group, &type); |
10260 | 0 | if (ret != 0) { |
10261 | 0 | WOLFSSL_MSG("Invalid ML-KEM algorithm specified."); |
10262 | 0 | ret = BAD_FUNC_ARG; |
10263 | 0 | } |
10264 | 0 | if (ret == 0) { |
10265 | 0 | pqc_kse->key = XMALLOC(sizeof(MlKemKey), ssl->heap, |
10266 | 0 | DYNAMIC_TYPE_PRIVATE_KEY); |
10267 | 0 | if (pqc_kse->key == NULL) { |
10268 | 0 | WOLFSSL_MSG("GenPqcKey memory error"); |
10269 | 0 | ret = MEMORY_E; |
10270 | 0 | } |
10271 | 0 | } |
10272 | 0 | if (ret == 0) { |
10273 | 0 | ret = wc_MlKemKey_Init((MlKemKey*)pqc_kse->key, type, |
10274 | 0 | ssl->heap, ssl->devId); |
10275 | 0 | if (ret != 0) { |
10276 | 0 | WOLFSSL_MSG("Error creating ML-KEM key"); |
10277 | 0 | } |
10278 | 0 | } |
10279 | | #else |
10280 | | pqc_kse->key = keyShareEntry->privKey; |
10281 | | #endif |
10282 | |
|
10283 | 0 | pqc_kse->group = pqc_group; |
10284 | 0 | pqc_kse->privKeyLen = keyShareEntry->privKeyLen; |
10285 | |
|
10286 | 0 | if (ret == 0) { |
10287 | 0 | ret = wc_MlKemKey_SharedSecretSize((MlKemKey*)pqc_kse->key, |
10288 | 0 | &ssSzPqc); |
10289 | 0 | } |
10290 | 0 | if (ret == 0) { |
10291 | 0 | ret = wc_MlKemKey_CipherTextSize((MlKemKey*)pqc_kse->key, |
10292 | 0 | &ctSz); |
10293 | 0 | if (ret == 0 && keyShareEntry->keLen <= ctSz) { |
10294 | 0 | WOLFSSL_MSG("Invalid ciphertext size."); |
10295 | 0 | ret = BAD_FUNC_ARG; |
10296 | 0 | } |
10297 | 0 | } |
10298 | 0 | if (ret == 0) { |
10299 | 0 | pqc_kse->keLen = ctSz; |
10300 | 0 | pqc_kse->ke = (byte*)XMALLOC(pqc_kse->keLen, ssl->heap, |
10301 | 0 | DYNAMIC_TYPE_PUBLIC_KEY); |
10302 | 0 | if (pqc_kse->ke == NULL) { |
10303 | 0 | WOLFSSL_MSG("pqc_kse memory allocation failure"); |
10304 | 0 | ret = MEMORY_ERROR; |
10305 | 0 | } |
10306 | | /* Copy the PQC KEM ciphertext. Depending on the pqc_first flag, |
10307 | | * the KEM ciphertext comes before or after the ECDH public key. */ |
10308 | 0 | if (ret == 0) { |
10309 | 0 | int offset = keyShareEntry->keLen - ctSz; |
10310 | |
|
10311 | 0 | if (pqc_first) |
10312 | 0 | offset = 0; |
10313 | |
|
10314 | 0 | XMEMCPY(pqc_kse->ke, keyShareEntry->ke + offset, ctSz); |
10315 | 0 | } |
10316 | 0 | } |
10317 | 0 | } |
10318 | |
|
10319 | 0 | if (ret == 0) { |
10320 | 0 | ecc_kse->group = ecc_group; |
10321 | 0 | ecc_kse->keLen = keyShareEntry->keLen - ctSz; |
10322 | 0 | ecc_kse->key = keyShareEntry->key; |
10323 | 0 | ecc_kse->ke = (byte*)XMALLOC(ecc_kse->keLen, ssl->heap, |
10324 | 0 | DYNAMIC_TYPE_PUBLIC_KEY); |
10325 | 0 | if (ecc_kse->ke == NULL) { |
10326 | 0 | WOLFSSL_MSG("ecc_kse memory allocation failure"); |
10327 | 0 | ret = MEMORY_ERROR; |
10328 | 0 | } |
10329 | | /* Copy the ECDH public key. Depending on the pqc_first flag, the |
10330 | | * KEM ciphertext comes before or after the ECDH public key. */ |
10331 | 0 | if (ret == 0) { |
10332 | 0 | int offset = 0; |
10333 | |
|
10334 | 0 | if (pqc_first) |
10335 | 0 | offset = ctSz; |
10336 | |
|
10337 | 0 | XMEMCPY(ecc_kse->ke, keyShareEntry->ke + offset, ecc_kse->keLen); |
10338 | 0 | } |
10339 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10340 | | ecc_kse->lastRet = keyShareEntry->lastRet; |
10341 | | #endif |
10342 | 0 | } |
10343 | | |
10344 | | /* Process ECDH key share part. The generated shared secret is directly |
10345 | | * stored in the ssl->arrays->preMasterSecret buffer. Depending on the |
10346 | | * pqc_first flag, the ECDH shared secret part goes before or after the |
10347 | | * KEM part. */ |
10348 | 0 | if (ret == 0) { |
10349 | 0 | int offset = 0; |
10350 | |
|
10351 | 0 | if (pqc_first) |
10352 | 0 | offset = ssSzPqc; |
10353 | |
|
10354 | | #ifdef HAVE_CURVE25519 |
10355 | | if (ecc_group == WOLFSSL_ECC_X25519) { |
10356 | | ret = TLSX_KeyShare_ProcessX25519_ex(ssl, ecc_kse, |
10357 | | ssl->arrays->preMasterSecret + offset, |
10358 | | &ssl->arrays->preMasterSz); |
10359 | | } |
10360 | | else |
10361 | | #endif |
10362 | | #ifdef HAVE_CURVE448 |
10363 | | if (ecc_group == WOLFSSL_ECC_X448) { |
10364 | | ret = TLSX_KeyShare_ProcessX448_ex(ssl, ecc_kse, |
10365 | | ssl->arrays->preMasterSecret + offset, |
10366 | | &ssl->arrays->preMasterSz); |
10367 | | } |
10368 | | else |
10369 | | #endif |
10370 | 0 | { |
10371 | 0 | ret = TLSX_KeyShare_ProcessEcc_ex(ssl, ecc_kse, |
10372 | 0 | ssl->arrays->preMasterSecret + offset, |
10373 | 0 | &ssl->arrays->preMasterSz); |
10374 | 0 | } |
10375 | |
|
10376 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10377 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
10378 | | keyShareEntry->lastRet = WC_PENDING_E; |
10379 | | /* Prevent freeing of the ECC and ML-KEM private keys */ |
10380 | | ecc_kse->key = NULL; |
10381 | | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
10382 | | pqc_kse->privKey = NULL; |
10383 | | #else |
10384 | | pqc_kse->key = NULL; |
10385 | | #endif |
10386 | | } |
10387 | | else |
10388 | | #endif |
10389 | 0 | { |
10390 | | /* Re-sync keyShareEntry->key with ecc_kse->key. ecc_kse->key was |
10391 | | * aliased to keyShareEntry->key above. The inner Process*_ex |
10392 | | * either ran its end-of-function cleanup and set ecc_kse->key |
10393 | | * to NULL (so the outer pointer must also become NULL to avoid |
10394 | | * UAF/double-free in TLSX_KeyShare_FreeAll), or returned early |
10395 | | * before cleanup with ecc_kse->key still pointing at the live |
10396 | | * key (so the outer pointer must keep that pointer for later |
10397 | | * freeing). Mirroring whatever the inner left in ecc_kse->key |
10398 | | * handles both cases correctly. */ |
10399 | 0 | keyShareEntry->key = ecc_kse->key; |
10400 | 0 | } |
10401 | 0 | } |
10402 | |
|
10403 | 0 | if (ret == 0) { |
10404 | 0 | if ((ssl->arrays->preMasterSz + ssSzPqc) > ENCRYPT_LEN) { |
10405 | 0 | WOLFSSL_MSG("shared secret is too long."); |
10406 | 0 | ret = LENGTH_ERROR; |
10407 | 0 | } |
10408 | 0 | } |
10409 | | |
10410 | | /* Process PQC KEM key share part. Depending on the pqc_first flag, the |
10411 | | * KEM shared secret part goes before or after the ECDH part. */ |
10412 | 0 | if (ret == 0) { |
10413 | 0 | int offset = ssl->arrays->preMasterSz; |
10414 | |
|
10415 | 0 | if (pqc_first) |
10416 | 0 | offset = 0; |
10417 | |
|
10418 | 0 | ret = TLSX_KeyShare_ProcessPqcClient_ex(ssl, pqc_kse, |
10419 | 0 | ssl->arrays->preMasterSecret + offset, &ssSzPqc); |
10420 | 0 | } |
10421 | |
|
10422 | 0 | if (ret == 0) { |
10423 | 0 | keyShareEntry->privKey = (byte*)pqc_kse->key; |
10424 | |
|
10425 | 0 | ssl->arrays->preMasterSz += ssSzPqc; |
10426 | 0 | } |
10427 | 0 | else |
10428 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10429 | | if (ret != WC_NO_ERR_TRACE(WC_PENDING_E)) |
10430 | | #endif |
10431 | 0 | { |
10432 | | /* Clear the pre master secret buffer to prevent leaking any |
10433 | | * intermediate keys in the error case. Do not use preMasterSz |
10434 | | * here as it may already been set to the ECC shared secret size, |
10435 | | * which would be too small due to the PQC offset case. */ |
10436 | 0 | ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN); |
10437 | | |
10438 | | /* Prevent FreeAll from freeing pointers owned by keyShareEntry. */ |
10439 | 0 | if (ecc_kse != NULL) |
10440 | 0 | ecc_kse->key = NULL; |
10441 | 0 | if (pqc_kse != NULL) { |
10442 | 0 | #ifndef WOLFSSL_TLSX_PQC_MLKEM_STORE_OBJ |
10443 | 0 | pqc_kse->privKey = NULL; |
10444 | | #else |
10445 | | pqc_kse->key = NULL; |
10446 | | #endif |
10447 | 0 | } |
10448 | 0 | } |
10449 | |
|
10450 | 0 | TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap); |
10451 | 0 | TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap); |
10452 | |
|
10453 | 0 | return ret; |
10454 | 0 | } |
10455 | | #endif /* WOLFSSL_HAVE_MLKEM && !WOLFSSL_MLKEM_NO_DECAPSULATE */ |
10456 | | |
10457 | | /* Process the key share extension on the client side. |
10458 | | * |
10459 | | * ssl The SSL/TLS object. |
10460 | | * keyShareEntry The key share entry object to use to calculate shared secret. |
10461 | | * returns 0 on success and other values indicate failure. |
10462 | | */ |
10463 | | static int TLSX_KeyShare_Process(WOLFSSL* ssl, KeyShareEntry* keyShareEntry) |
10464 | 0 | { |
10465 | 0 | int ret; |
10466 | |
|
10467 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
10468 | | keyShareEntry->session = ssl->session->namedGroup; |
10469 | | ssl->session->namedGroup = keyShareEntry->group; |
10470 | | #endif |
10471 | | /* reset the pre master secret size */ |
10472 | 0 | if (ssl->arrays->preMasterSz == 0) |
10473 | 0 | ssl->arrays->preMasterSz = ENCRYPT_LEN; |
10474 | | |
10475 | | /* Use Key Share Data from server. */ |
10476 | 0 | if (WOLFSSL_NAMED_GROUP_IS_FFDHE(keyShareEntry->group)) |
10477 | 0 | ret = TLSX_KeyShare_ProcessDh(ssl, keyShareEntry); |
10478 | 0 | else if (keyShareEntry->group == WOLFSSL_ECC_X25519) |
10479 | 0 | ret = TLSX_KeyShare_ProcessX25519(ssl, keyShareEntry); |
10480 | 0 | else if (keyShareEntry->group == WOLFSSL_ECC_X448) |
10481 | 0 | ret = TLSX_KeyShare_ProcessX448(ssl, keyShareEntry); |
10482 | 0 | #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_DECAPSULATE) |
10483 | 0 | else if (WOLFSSL_NAMED_GROUP_IS_PQC(keyShareEntry->group)) |
10484 | 0 | ret = TLSX_KeyShare_ProcessPqcClient(ssl, keyShareEntry); |
10485 | 0 | else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(keyShareEntry->group)) |
10486 | 0 | ret = TLSX_KeyShare_ProcessPqcHybridClient(ssl, keyShareEntry); |
10487 | 0 | #endif |
10488 | 0 | else |
10489 | 0 | ret = TLSX_KeyShare_ProcessEcc(ssl, keyShareEntry); |
10490 | |
|
10491 | | #ifdef WOLFSSL_DEBUG_TLS |
10492 | | if (ret == 0) { |
10493 | | WOLFSSL_MSG("KE Secret"); |
10494 | | WOLFSSL_BUFFER(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz); |
10495 | | } |
10496 | | #endif |
10497 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
10498 | | keyShareEntry->derived = (ret == 0); |
10499 | | #endif |
10500 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10501 | | keyShareEntry->lastRet = ret; |
10502 | | #endif |
10503 | |
|
10504 | 0 | return ret; |
10505 | 0 | } |
10506 | | |
10507 | | /* Parse an entry of the KeyShare extension. |
10508 | | * |
10509 | | * ssl The SSL/TLS object. |
10510 | | * input The extension data. |
10511 | | * length The length of the extension data. |
10512 | | * kse The new key share entry object. |
10513 | | * returns a positive number to indicate amount of data parsed and a negative |
10514 | | * number on error. |
10515 | | */ |
10516 | | static int TLSX_KeyShareEntry_Parse(const WOLFSSL* ssl, const byte* input, |
10517 | | word16 length, KeyShareEntry **kse, word16* seenGroups, |
10518 | | int* seenGroupsCnt, TLSX** extensions) |
10519 | 0 | { |
10520 | 0 | int ret; |
10521 | 0 | word16 group; |
10522 | 0 | word16 keLen; |
10523 | 0 | int offset = 0; |
10524 | 0 | byte* ke; |
10525 | 0 | int i; |
10526 | |
|
10527 | 0 | if (length < OPAQUE16_LEN + OPAQUE16_LEN) |
10528 | 0 | return BUFFER_ERROR; |
10529 | | /* Named group */ |
10530 | 0 | ato16(&input[offset], &group); |
10531 | 0 | offset += OPAQUE16_LEN; |
10532 | | /* Key exchange data - public key. */ |
10533 | 0 | ato16(&input[offset], &keLen); |
10534 | 0 | offset += OPAQUE16_LEN; |
10535 | 0 | if (keLen == 0) |
10536 | 0 | return BUFFER_ERROR; |
10537 | 0 | if (keLen > length - offset) |
10538 | 0 | return BUFFER_ERROR; |
10539 | | |
10540 | 0 | if (seenGroups != NULL) { |
10541 | 0 | if (*seenGroupsCnt >= MAX_KEYSHARE_NAMED_GROUPS) { |
10542 | 0 | return BAD_KEY_SHARE_DATA; |
10543 | 0 | } |
10544 | 0 | for (i = 0; i < *seenGroupsCnt; i++) { |
10545 | 0 | if (seenGroups[i] == group) { |
10546 | 0 | return BAD_KEY_SHARE_DATA; |
10547 | 0 | } |
10548 | 0 | } |
10549 | 0 | seenGroups[i] = group; |
10550 | 0 | *seenGroupsCnt = i + 1; |
10551 | 0 | } |
10552 | | |
10553 | | /* Store a copy in the key share object. */ |
10554 | 0 | ke = (byte*)XMALLOC(keLen, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
10555 | 0 | if (ke == NULL) |
10556 | 0 | return MEMORY_E; |
10557 | 0 | XMEMCPY(ke, &input[offset], keLen); |
10558 | | |
10559 | | /* Populate a key share object in the extension. */ |
10560 | 0 | ret = TLSX_KeyShare_Use(ssl, group, keLen, ke, kse, extensions); |
10561 | 0 | if (ret != 0) { |
10562 | 0 | XFREE(ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
10563 | 0 | return ret; |
10564 | 0 | } |
10565 | | |
10566 | | /* Total length of the parsed data. */ |
10567 | 0 | return offset + keLen; |
10568 | 0 | } |
10569 | | |
10570 | | /* Searches the groups sent for the specified named group. |
10571 | | * |
10572 | | * ssl SSL/TLS object. |
10573 | | * name Group name to match. |
10574 | | * returns 1 when the extension has the group name and 0 otherwise. |
10575 | | */ |
10576 | | static int TLSX_KeyShare_Find(WOLFSSL* ssl, word16 group) |
10577 | 0 | { |
10578 | 0 | TLSX* extension; |
10579 | 0 | KeyShareEntry* list; |
10580 | |
|
10581 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
10582 | 0 | if (extension == NULL) { |
10583 | 0 | extension = TLSX_Find(ssl->ctx->extensions, TLSX_KEY_SHARE); |
10584 | 0 | if (extension == NULL) |
10585 | 0 | return 0; |
10586 | 0 | } |
10587 | | |
10588 | 0 | list = (KeyShareEntry*)extension->data; |
10589 | 0 | while (list != NULL) { |
10590 | 0 | if (list->group == group) |
10591 | 0 | return 1; |
10592 | 0 | list = list->next; |
10593 | 0 | } |
10594 | | |
10595 | 0 | return 0; |
10596 | 0 | } |
10597 | | |
10598 | | |
10599 | | /* Searches the supported groups extension for the specified named group. |
10600 | | * |
10601 | | * ssl The SSL/TLS object. |
10602 | | * name The group name to match. |
10603 | | * returns 1 when the extension has the group name and 0 otherwise. |
10604 | | */ |
10605 | | static int TLSX_SupportedGroups_Find(const WOLFSSL* ssl, word16 name, |
10606 | | TLSX* extensions) |
10607 | 0 | { |
10608 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
10609 | 0 | TLSX* extension; |
10610 | 0 | SupportedCurve* curve = NULL; |
10611 | |
|
10612 | 0 | if ((extension = TLSX_Find(extensions, TLSX_SUPPORTED_GROUPS)) == NULL) { |
10613 | 0 | if ((extension = TLSX_Find(ssl->ctx->extensions, |
10614 | 0 | TLSX_SUPPORTED_GROUPS)) == NULL) { |
10615 | 0 | return 0; |
10616 | 0 | } |
10617 | 0 | } |
10618 | | |
10619 | 0 | for (curve = (SupportedCurve*)extension->data; curve; curve = curve->next) { |
10620 | 0 | if (curve->name == name) |
10621 | 0 | return 1; |
10622 | 0 | } |
10623 | 0 | #endif |
10624 | | |
10625 | 0 | (void)ssl; |
10626 | 0 | (void)name; |
10627 | |
|
10628 | 0 | return 0; |
10629 | 0 | } |
10630 | | |
10631 | | int TLSX_KeyShare_Parse_ClientHello(const WOLFSSL* ssl, |
10632 | | const byte* input, word16 length, TLSX** extensions) |
10633 | 0 | { |
10634 | 0 | int ret; |
10635 | 0 | int offset = 0; |
10636 | 0 | word16 len; |
10637 | 0 | TLSX* extension; |
10638 | 0 | word16 seenGroups[MAX_KEYSHARE_NAMED_GROUPS]; |
10639 | 0 | int seenGroupsCnt = 0; |
10640 | | |
10641 | | /* Add a KeyShare extension if it doesn't exist even if peer sent no |
10642 | | * entries. The presence of this extension signals that the peer can be |
10643 | | * negotiated with. */ |
10644 | 0 | extension = TLSX_Find(*extensions, TLSX_KEY_SHARE); |
10645 | 0 | if (extension == NULL) { |
10646 | | /* Push new KeyShare extension. */ |
10647 | 0 | ret = TLSX_Push(extensions, TLSX_KEY_SHARE, NULL, ssl->heap); |
10648 | 0 | if (ret != 0) |
10649 | 0 | return ret; |
10650 | 0 | } |
10651 | | |
10652 | 0 | if (length < OPAQUE16_LEN) |
10653 | 0 | return BUFFER_ERROR; |
10654 | | |
10655 | | /* ClientHello contains zero or more key share entries. Limits extension |
10656 | | * length to 2^16-1 and subtracting 4 bytes for header size per RFC 8446 */ |
10657 | 0 | ato16(input, &len); |
10658 | 0 | if ((len != length - OPAQUE16_LEN) || |
10659 | 0 | length > (MAX_EXT_DATA_LEN - HELLO_EXT_SZ)) { |
10660 | 0 | return BUFFER_ERROR; |
10661 | 0 | } |
10662 | 0 | offset += OPAQUE16_LEN; |
10663 | |
|
10664 | 0 | while (offset < (int)length) { |
10665 | 0 | ret = TLSX_KeyShareEntry_Parse(ssl, &input[offset], |
10666 | 0 | length - (word16)offset, NULL, seenGroups, &seenGroupsCnt, |
10667 | 0 | extensions); |
10668 | 0 | if (ret < 0) |
10669 | 0 | return ret; |
10670 | | |
10671 | 0 | offset += ret; |
10672 | 0 | } |
10673 | | |
10674 | 0 | return 0; |
10675 | 0 | } |
10676 | | |
10677 | | /* Parse the KeyShare extension. |
10678 | | * Different formats in different messages. |
10679 | | * |
10680 | | * ssl The SSL/TLS object. |
10681 | | * input The extension data. |
10682 | | * length The length of the extension data. |
10683 | | * msgType The type of the message this extension is being parsed from. |
10684 | | * returns 0 on success and other values indicate failure. |
10685 | | */ |
10686 | | int TLSX_KeyShare_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
10687 | | byte msgType) |
10688 | 0 | { |
10689 | 0 | int ret = 0; |
10690 | 0 | KeyShareEntry *keyShareEntry = NULL; |
10691 | 0 | word16 group; |
10692 | |
|
10693 | 0 | if (msgType == client_hello) { |
10694 | 0 | ret = TLSX_KeyShare_Parse_ClientHello(ssl, input, length, |
10695 | 0 | &ssl->extensions); |
10696 | 0 | } |
10697 | 0 | else if (msgType == server_hello) { |
10698 | 0 | int len; |
10699 | |
|
10700 | 0 | if (length < OPAQUE16_LEN) |
10701 | 0 | return BUFFER_ERROR; |
10702 | | |
10703 | 0 | ssl->options.shSentKeyShare = 1; |
10704 | | |
10705 | | /* The data is the named group the server wants to use. */ |
10706 | 0 | ato16(input, &group); |
10707 | | |
10708 | | /* Check the selected group was supported by ClientHello extensions. */ |
10709 | 0 | if (!TLSX_SupportedGroups_Find(ssl, group, ssl->extensions)) { |
10710 | 0 | WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA); |
10711 | 0 | return BAD_KEY_SHARE_DATA; |
10712 | 0 | } |
10713 | | |
10714 | | /* Check if the group was sent. */ |
10715 | 0 | if (!TLSX_KeyShare_Find(ssl, group)) { |
10716 | 0 | WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA); |
10717 | 0 | return BAD_KEY_SHARE_DATA; |
10718 | 0 | } |
10719 | | |
10720 | | /* ServerHello contains one key share entry. */ |
10721 | 0 | len = TLSX_KeyShareEntry_Parse(ssl, input, length, &keyShareEntry, NULL, |
10722 | 0 | NULL, &ssl->extensions); |
10723 | 0 | if (len != (int)length) |
10724 | 0 | return BUFFER_ERROR; |
10725 | | |
10726 | | /* Not in list sent if there isn't a private key. */ |
10727 | 0 | if (keyShareEntry == NULL || (keyShareEntry->key == NULL |
10728 | 0 | #if !defined(NO_DH) || defined(WOLFSSL_HAVE_MLKEM) |
10729 | 0 | && keyShareEntry->privKey == NULL |
10730 | 0 | #endif |
10731 | 0 | )) { |
10732 | 0 | WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA); |
10733 | 0 | return BAD_KEY_SHARE_DATA; |
10734 | 0 | } |
10735 | | |
10736 | | /* Process the entry to calculate the secret. */ |
10737 | 0 | ret = TLSX_KeyShare_Process(ssl, keyShareEntry); |
10738 | 0 | if (ret == 0) |
10739 | 0 | ssl->session->namedGroup = ssl->namedGroup = group; |
10740 | 0 | } |
10741 | 0 | else if (msgType == hello_retry_request) { |
10742 | 0 | if (length != OPAQUE16_LEN) |
10743 | 0 | return BUFFER_ERROR; |
10744 | | |
10745 | 0 | ssl->options.hrrSentKeyShare = 1; |
10746 | | |
10747 | | /* The data is the named group the server wants to use. */ |
10748 | 0 | ato16(input, &group); |
10749 | |
|
10750 | | #ifdef WOLFSSL_ASYNC_CRYPT |
10751 | | /* only perform find and clear TLSX if not returning from async */ |
10752 | | if (ssl->error != WC_NO_ERR_TRACE(WC_PENDING_E)) |
10753 | | #endif |
10754 | 0 | { |
10755 | | /* Check the selected group was supported by ClientHello extensions. |
10756 | | */ |
10757 | 0 | if (!TLSX_SupportedGroups_Find(ssl, group, ssl->extensions)) { |
10758 | 0 | WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA); |
10759 | 0 | return BAD_KEY_SHARE_DATA; |
10760 | 0 | } |
10761 | | |
10762 | | /* Make sure KeyShare for server requested group was not sent in |
10763 | | * ClientHello. */ |
10764 | 0 | if (TLSX_KeyShare_Find(ssl, group)) { |
10765 | 0 | WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA); |
10766 | 0 | return BAD_KEY_SHARE_DATA; |
10767 | 0 | } |
10768 | | |
10769 | | /* Clear out unusable key shares. */ |
10770 | 0 | ret = TLSX_KeyShare_Empty(ssl); |
10771 | 0 | if (ret != 0) |
10772 | 0 | return ret; |
10773 | 0 | } |
10774 | | |
10775 | 0 | ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL, &ssl->extensions); |
10776 | 0 | if (ret == 0) |
10777 | 0 | ssl->session->namedGroup = ssl->namedGroup = group; |
10778 | 0 | } |
10779 | 0 | else { |
10780 | | /* Not a message type that is allowed to have this extension. */ |
10781 | 0 | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
10782 | 0 | return SANITY_MSG_E; |
10783 | 0 | } |
10784 | | |
10785 | 0 | return ret; |
10786 | 0 | } |
10787 | | |
10788 | | /* Create a new key share entry and put it into the list. |
10789 | | * |
10790 | | * list The linked list of key share entries. |
10791 | | * group The named group. |
10792 | | * heap The memory to allocate with. |
10793 | | * keyShareEntry The new key share entry object. |
10794 | | * returns 0 on success and other values indicate failure. |
10795 | | */ |
10796 | | static int TLSX_KeyShare_New(KeyShareEntry** list, int group, void *heap, |
10797 | | KeyShareEntry** keyShareEntry) |
10798 | 0 | { |
10799 | 0 | KeyShareEntry* kse; |
10800 | 0 | KeyShareEntry** next; |
10801 | |
|
10802 | 0 | kse = (KeyShareEntry*)XMALLOC(sizeof(KeyShareEntry), heap, |
10803 | 0 | DYNAMIC_TYPE_TLSX); |
10804 | 0 | if (kse == NULL) |
10805 | 0 | return MEMORY_E; |
10806 | | |
10807 | 0 | XMEMSET(kse, 0, sizeof(*kse)); |
10808 | 0 | kse->group = (word16)group; |
10809 | | |
10810 | | /* Add it to the back and maintain the links. */ |
10811 | 0 | while (*list != NULL) { |
10812 | | /* Assign to temporary to work around compiler bug found by customer. */ |
10813 | 0 | next = &((*list)->next); |
10814 | 0 | list = next; |
10815 | 0 | } |
10816 | 0 | *list = kse; |
10817 | 0 | *keyShareEntry = kse; |
10818 | |
|
10819 | 0 | (void)heap; |
10820 | |
|
10821 | 0 | return 0; |
10822 | 0 | } |
10823 | | |
10824 | | #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) |
10825 | | /* Process the ML-KEM key share extension on the server side. |
10826 | | * |
10827 | | * ssl The SSL/TLS object. |
10828 | | * keyShareEntry The key share entry object to be sent to the client. |
10829 | | * data The key share data received from the client. |
10830 | | * len The length of the key share data from the client. |
10831 | | * ssOutput The destination buffer for the shared secret. |
10832 | | * ssOutSz The size of the generated shared secret. |
10833 | | * |
10834 | | * returns 0 on success and other values indicate failure. |
10835 | | */ |
10836 | | static int TLSX_KeyShare_HandlePqcKeyServer(WOLFSSL* ssl, |
10837 | | KeyShareEntry* keyShareEntry, byte* clientData, word16 clientLen, |
10838 | | unsigned char* ssOutput, word32* ssOutSz) |
10839 | 0 | { |
10840 | | /* We are on the server side. The key share contains a PQC KEM public key |
10841 | | * that we are using for an encapsulate operation. The resulting ciphertext |
10842 | | * is stored in the server key share. */ |
10843 | 0 | MlKemKey* kemKey = (MlKemKey*)keyShareEntry->key; |
10844 | 0 | byte* ciphertext = NULL; |
10845 | 0 | int ret = 0; |
10846 | 0 | word32 pubSz = 0; |
10847 | 0 | word32 ctSz = 0; |
10848 | 0 | word32 ssSz = 0; |
10849 | |
|
10850 | 0 | if (clientData == NULL) { |
10851 | 0 | WOLFSSL_MSG("No KEM public key from the client."); |
10852 | 0 | return BAD_FUNC_ARG; |
10853 | 0 | } |
10854 | | |
10855 | 0 | if (kemKey == NULL) { |
10856 | 0 | int type = 0; |
10857 | | |
10858 | | /* Allocate an ML-KEM key to hold private key. */ |
10859 | 0 | kemKey = (MlKemKey*) XMALLOC(sizeof(MlKemKey), ssl->heap, |
10860 | 0 | DYNAMIC_TYPE_PRIVATE_KEY); |
10861 | 0 | if (kemKey == NULL) { |
10862 | 0 | WOLFSSL_MSG("GenPqcKey memory error"); |
10863 | 0 | ret = MEMORY_E; |
10864 | 0 | } |
10865 | 0 | if (ret == 0) { |
10866 | 0 | ret = mlkem_id2type(keyShareEntry->group, &type); |
10867 | 0 | } |
10868 | 0 | if (ret != 0) { |
10869 | 0 | WOLFSSL_MSG("Invalid PQC algorithm specified."); |
10870 | 0 | ret = BAD_FUNC_ARG; |
10871 | 0 | } |
10872 | 0 | if (ret == 0) { |
10873 | 0 | ret = wc_MlKemKey_Init(kemKey, type, ssl->heap, ssl->devId); |
10874 | 0 | if (ret != 0) { |
10875 | 0 | WOLFSSL_MSG("Error creating ML-KEM key"); |
10876 | 0 | } |
10877 | 0 | } |
10878 | 0 | } |
10879 | |
|
10880 | 0 | if (ret == 0) { |
10881 | 0 | ret = wc_MlKemKey_PublicKeySize(kemKey, &pubSz); |
10882 | 0 | } |
10883 | 0 | if (ret == 0) { |
10884 | 0 | ret = wc_MlKemKey_CipherTextSize(kemKey, &ctSz); |
10885 | 0 | } |
10886 | 0 | if (ret == 0) { |
10887 | 0 | ret = wc_MlKemKey_SharedSecretSize(kemKey, &ssSz); |
10888 | 0 | } |
10889 | |
|
10890 | 0 | if (ret == 0 && clientLen != pubSz) { |
10891 | 0 | WOLFSSL_MSG("Invalid public key."); |
10892 | 0 | ret = BAD_FUNC_ARG; |
10893 | 0 | } |
10894 | |
|
10895 | 0 | if (ret == 0) { |
10896 | 0 | ciphertext = (byte*)XMALLOC(ctSz, ssl->heap, DYNAMIC_TYPE_TLSX); |
10897 | |
|
10898 | 0 | if (ciphertext == NULL) { |
10899 | 0 | WOLFSSL_MSG("Ciphertext memory allocation failure."); |
10900 | 0 | ret = MEMORY_E; |
10901 | 0 | } |
10902 | 0 | } |
10903 | |
|
10904 | 0 | if (ret == 0) { |
10905 | 0 | ret = wc_MlKemKey_DecodePublicKey(kemKey, clientData, pubSz); |
10906 | 0 | } |
10907 | 0 | if (ret == 0) { |
10908 | 0 | ret = wc_MlKemKey_Encapsulate(kemKey, ciphertext, |
10909 | 0 | ssOutput, ssl->rng); |
10910 | 0 | if (ret != 0) { |
10911 | 0 | WOLFSSL_MSG("wc_MlKemKey encapsulation failure."); |
10912 | 0 | } |
10913 | 0 | } |
10914 | |
|
10915 | 0 | if (ret == 0) { |
10916 | 0 | XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
10917 | |
|
10918 | 0 | *ssOutSz = ssSz; |
10919 | 0 | keyShareEntry->ke = NULL; |
10920 | 0 | keyShareEntry->keLen = 0; |
10921 | |
|
10922 | 0 | XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
10923 | 0 | keyShareEntry->pubKey = ciphertext; |
10924 | 0 | keyShareEntry->pubKeyLen = ctSz; |
10925 | 0 | ciphertext = NULL; |
10926 | | |
10927 | | /* Set namedGroup so wolfSSL_get_curve_name() can function properly on |
10928 | | * the server side. */ |
10929 | 0 | ssl->namedGroup = keyShareEntry->group; |
10930 | 0 | } |
10931 | |
|
10932 | 0 | XFREE(ciphertext, ssl->heap, DYNAMIC_TYPE_TLSX); |
10933 | |
|
10934 | 0 | wc_MlKemKey_Free(kemKey); |
10935 | 0 | XFREE(kemKey, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY); |
10936 | 0 | keyShareEntry->key = NULL; |
10937 | 0 | return ret; |
10938 | 0 | } |
10939 | | |
10940 | | int TLSX_KeyShare_HandlePqcHybridKeyServer(WOLFSSL* ssl, |
10941 | | KeyShareEntry* keyShareEntry, byte* data, word16 len) |
10942 | 0 | { |
10943 | | /* I am the server. The data parameter is the concatenation of the client's |
10944 | | * ECDH public key and the KEM public key. I need to generate a matching |
10945 | | * public key for ECDH and encapsulate a shared secret using the KEM public |
10946 | | * key. We send the ECDH public key and the KEM ciphertext back to the |
10947 | | * client. Additionally, we create the ECDH shared secret here already. |
10948 | | */ |
10949 | 0 | int type; |
10950 | 0 | byte* ciphertext = NULL; |
10951 | 0 | int ret = 0; |
10952 | 0 | int pqc_group = 0; |
10953 | 0 | int ecc_group = 0; |
10954 | 0 | int pqc_first = 0; |
10955 | 0 | KeyShareEntry *ecc_kse = NULL; |
10956 | 0 | KeyShareEntry *pqc_kse = NULL; |
10957 | 0 | word32 pubSz = 0; |
10958 | 0 | word32 ctSz = 0; |
10959 | 0 | word32 ssSzPqc = 0; |
10960 | |
|
10961 | 0 | if (data == NULL) { |
10962 | 0 | WOLFSSL_MSG("No hybrid key share data from the client."); |
10963 | 0 | return BAD_FUNC_ARG; |
10964 | 0 | } |
10965 | | |
10966 | | /* Determine the ECC and PQC group of the hybrid combination */ |
10967 | 0 | findEccPqc(&ecc_group, &pqc_group, &pqc_first, keyShareEntry->group); |
10968 | 0 | if (ecc_group == 0 || pqc_group == 0) { |
10969 | 0 | WOLFSSL_MSG("Invalid hybrid group"); |
10970 | 0 | ret = BAD_FUNC_ARG; |
10971 | 0 | } |
10972 | |
|
10973 | 0 | if (ret == 0) { |
10974 | 0 | ecc_kse = (KeyShareEntry*)XMALLOC(sizeof(*ecc_kse), ssl->heap, |
10975 | 0 | DYNAMIC_TYPE_TLSX); |
10976 | 0 | if (ecc_kse == NULL) { |
10977 | 0 | WOLFSSL_MSG("kse memory allocation failure"); |
10978 | 0 | ret = MEMORY_ERROR; |
10979 | 0 | } |
10980 | 0 | } |
10981 | 0 | if (ret == 0) { |
10982 | 0 | XMEMSET(ecc_kse, 0, sizeof(*ecc_kse)); |
10983 | 0 | ecc_kse->group = ecc_group; |
10984 | |
|
10985 | 0 | pqc_kse = (KeyShareEntry*)XMALLOC(sizeof(*pqc_kse), ssl->heap, |
10986 | 0 | DYNAMIC_TYPE_TLSX); |
10987 | 0 | if (pqc_kse == NULL) { |
10988 | 0 | WOLFSSL_MSG("kse memory allocation failure"); |
10989 | 0 | ret = MEMORY_ERROR; |
10990 | 0 | } |
10991 | 0 | } |
10992 | 0 | if (ret == 0) { |
10993 | 0 | XMEMSET(pqc_kse, 0, sizeof(*pqc_kse)); |
10994 | 0 | pqc_kse->group = pqc_group; |
10995 | 0 | } |
10996 | | |
10997 | | /* The ciphertext and shared secret sizes of a KEM are fixed. Hence, we |
10998 | | * decode these sizes to properly concatenate the KEM ciphertext with the |
10999 | | * ECDH public key. */ |
11000 | 0 | if (ret == 0) { |
11001 | | /* Allocate an ML-KEM key to hold private key. */ |
11002 | 0 | pqc_kse->key = (MlKemKey*) XMALLOC(sizeof(MlKemKey), ssl->heap, |
11003 | 0 | DYNAMIC_TYPE_PRIVATE_KEY); |
11004 | 0 | if (pqc_kse->key == NULL) { |
11005 | 0 | WOLFSSL_MSG("GenPqcKey memory error"); |
11006 | 0 | ret = MEMORY_E; |
11007 | 0 | } |
11008 | 0 | if (ret == 0) { |
11009 | 0 | ret = mlkem_id2type(pqc_kse->group, &type); |
11010 | 0 | } |
11011 | 0 | if (ret != 0) { |
11012 | 0 | WOLFSSL_MSG("Invalid PQC algorithm specified."); |
11013 | 0 | ret = BAD_FUNC_ARG; |
11014 | 0 | } |
11015 | 0 | if (ret == 0) { |
11016 | 0 | ret = wc_MlKemKey_Init((MlKemKey*)pqc_kse->key, type, |
11017 | 0 | ssl->heap, ssl->devId); |
11018 | 0 | if (ret != 0) { |
11019 | 0 | WOLFSSL_MSG("Error creating ML-KEM key"); |
11020 | 0 | } |
11021 | 0 | } |
11022 | 0 | if (ret == 0) { |
11023 | 0 | ret = wc_MlKemKey_SharedSecretSize((MlKemKey*)pqc_kse->key, |
11024 | 0 | &ssSzPqc); |
11025 | 0 | } |
11026 | 0 | if (ret == 0) { |
11027 | 0 | ret = wc_MlKemKey_CipherTextSize((MlKemKey*)pqc_kse->key, |
11028 | 0 | &ctSz); |
11029 | 0 | } |
11030 | 0 | if (ret == 0) { |
11031 | 0 | ret = wc_MlKemKey_PublicKeySize((MlKemKey*)pqc_kse->key, |
11032 | 0 | &pubSz); |
11033 | 0 | } |
11034 | 0 | } |
11035 | |
|
11036 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11037 | | if (ret == 0) { |
11038 | | /* Restore ECC state from a prior suspended pass. This is not gated on |
11039 | | * a still-pending lastRet: the async layer clears lastRet to 0 on |
11040 | | * completion, which would skip the restore and regenerate the key. */ |
11041 | | if (keyShareEntry->key != NULL && keyShareEntry->keyLen > 0) { |
11042 | | ecc_kse->key = keyShareEntry->key; |
11043 | | ecc_kse->keyLen = keyShareEntry->keyLen; |
11044 | | ecc_kse->pubKey = keyShareEntry->pubKey; |
11045 | | ecc_kse->pubKeyLen = keyShareEntry->pubKeyLen; |
11046 | | ecc_kse->lastRet = keyShareEntry->lastRet; |
11047 | | keyShareEntry->key = NULL; |
11048 | | keyShareEntry->pubKey = NULL; |
11049 | | } |
11050 | | } |
11051 | | #endif |
11052 | | |
11053 | | /* Generate the ECDH key share part to be sent to the client */ |
11054 | 0 | if (ret == 0 && ecc_group != 0 && ecc_kse->pubKey == NULL) { |
11055 | | #ifdef HAVE_CURVE25519 |
11056 | | if (ecc_group == WOLFSSL_ECC_X25519) { |
11057 | | ret = TLSX_KeyShare_GenX25519Key(ssl, ecc_kse); |
11058 | | } |
11059 | | else |
11060 | | #endif |
11061 | | #ifdef HAVE_CURVE448 |
11062 | | if (ecc_group == WOLFSSL_ECC_X448) { |
11063 | | ret = TLSX_KeyShare_GenX448Key(ssl, ecc_kse); |
11064 | | } |
11065 | | else |
11066 | | #endif |
11067 | 0 | { |
11068 | 0 | ret = TLSX_KeyShare_GenEccKey(ssl, ecc_kse); |
11069 | 0 | } |
11070 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11071 | | if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
11072 | | /* Store the generated ECC key in the provided kse to later |
11073 | | * restore it.*/ |
11074 | | keyShareEntry->key = ecc_kse->key; |
11075 | | keyShareEntry->keyLen = ecc_kse->keyLen; |
11076 | | keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen; |
11077 | | keyShareEntry->lastRet = WC_PENDING_E; |
11078 | | ecc_kse->key = NULL; |
11079 | | } |
11080 | | else if (ret == 0 && |
11081 | | keyShareEntry->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
11082 | | keyShareEntry->lastRet = 0; |
11083 | | ecc_kse->lastRet = 0; |
11084 | | } |
11085 | | #endif |
11086 | 0 | } |
11087 | |
|
11088 | 0 | if (ret == 0 && len != pubSz + ecc_kse->pubKeyLen) { |
11089 | 0 | WOLFSSL_MSG("Invalid public key."); |
11090 | 0 | ret = BAD_FUNC_ARG; |
11091 | 0 | } |
11092 | | |
11093 | | /* Allocate buffer for the concatenated client key share data |
11094 | | * (PQC KEM ciphertext + ECDH public key) */ |
11095 | 0 | if (ret == 0) { |
11096 | 0 | ciphertext = (byte*)XMALLOC(ecc_kse->pubKeyLen + ctSz, ssl->heap, |
11097 | 0 | DYNAMIC_TYPE_TLSX); |
11098 | |
|
11099 | 0 | if (ciphertext == NULL) { |
11100 | 0 | WOLFSSL_MSG("Ciphertext memory allocation failure."); |
11101 | 0 | ret = MEMORY_E; |
11102 | 0 | } |
11103 | 0 | } |
11104 | | |
11105 | | /* Process ECDH key share part. The generated shared secret is directly |
11106 | | * stored in the ssl->arrays->preMasterSecret buffer. Depending on the |
11107 | | * pqc_first flag, the ECDH shared secret part goes before or after the |
11108 | | * KEM part. */ |
11109 | 0 | if (ret == 0) { |
11110 | 0 | ecc_kse->keLen = len - pubSz; |
11111 | 0 | ecc_kse->ke = (byte*)XMALLOC(ecc_kse->keLen, ssl->heap, |
11112 | 0 | DYNAMIC_TYPE_PUBLIC_KEY); |
11113 | 0 | if (ecc_kse->ke == NULL) { |
11114 | 0 | WOLFSSL_MSG("ecc_kse memory allocation failure"); |
11115 | 0 | ret = MEMORY_ERROR; |
11116 | 0 | } |
11117 | 0 | if (ret == 0) { |
11118 | 0 | int pubOffset = 0; |
11119 | 0 | int ssOffset = 0; |
11120 | |
|
11121 | 0 | if (pqc_first) { |
11122 | 0 | pubOffset = pubSz; |
11123 | 0 | ssOffset = ssSzPqc; |
11124 | 0 | } |
11125 | |
|
11126 | 0 | XMEMCPY(ecc_kse->ke, data + pubOffset, ecc_kse->keLen); |
11127 | |
|
11128 | | #ifdef HAVE_CURVE25519 |
11129 | | if (ecc_group == WOLFSSL_ECC_X25519) { |
11130 | | ret = TLSX_KeyShare_ProcessX25519_ex(ssl, ecc_kse, |
11131 | | ssl->arrays->preMasterSecret + ssOffset, |
11132 | | &ssl->arrays->preMasterSz); |
11133 | | } |
11134 | | else |
11135 | | #endif |
11136 | | #ifdef HAVE_CURVE448 |
11137 | | if (ecc_group == WOLFSSL_ECC_X448) { |
11138 | | ret = TLSX_KeyShare_ProcessX448_ex(ssl, ecc_kse, |
11139 | | ssl->arrays->preMasterSecret + ssOffset, |
11140 | | &ssl->arrays->preMasterSz); |
11141 | | } |
11142 | | else |
11143 | | #endif |
11144 | 0 | { |
11145 | 0 | ret = TLSX_KeyShare_ProcessEcc_ex(ssl, ecc_kse, |
11146 | 0 | ssl->arrays->preMasterSecret + ssOffset, |
11147 | 0 | &ssl->arrays->preMasterSz); |
11148 | 0 | } |
11149 | 0 | } |
11150 | 0 | if (ret == 0) { |
11151 | 0 | if (ssl->arrays->preMasterSz != ecc_kse->keyLen) { |
11152 | 0 | WOLFSSL_MSG("Data length mismatch."); |
11153 | 0 | ret = BAD_FUNC_ARG; |
11154 | 0 | } |
11155 | 0 | } |
11156 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11157 | | else if (ret == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
11158 | | keyShareEntry->lastRet = WC_PENDING_E; |
11159 | | keyShareEntry->key = ecc_kse->key; |
11160 | | keyShareEntry->keyLen = ecc_kse->keyLen; |
11161 | | keyShareEntry->pubKey = ecc_kse->pubKey; |
11162 | | keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen; |
11163 | | ecc_kse->key = NULL; |
11164 | | ecc_kse->pubKey = NULL; |
11165 | | } |
11166 | | #endif |
11167 | 0 | } |
11168 | |
|
11169 | 0 | if (ret == 0 && ssl->arrays->preMasterSz + ssSzPqc > ENCRYPT_LEN) { |
11170 | 0 | WOLFSSL_MSG("shared secret is too long."); |
11171 | 0 | ret = LENGTH_ERROR; |
11172 | 0 | } |
11173 | | |
11174 | | /* Process PQC KEM key share part. Depending on the pqc_first flag, the |
11175 | | * KEM shared secret part goes before or after the ECDH part. */ |
11176 | 0 | if (ret == 0) { |
11177 | 0 | int input_offset = ecc_kse->keLen; |
11178 | 0 | int output_offset = ssl->arrays->preMasterSz; |
11179 | |
|
11180 | 0 | if (pqc_first) { |
11181 | 0 | input_offset = 0; |
11182 | 0 | output_offset = 0; |
11183 | 0 | } |
11184 | |
|
11185 | 0 | ret = TLSX_KeyShare_HandlePqcKeyServer(ssl, pqc_kse, |
11186 | 0 | data + input_offset, pubSz, |
11187 | 0 | ssl->arrays->preMasterSecret + output_offset, &ssSzPqc); |
11188 | 0 | } |
11189 | |
|
11190 | 0 | if (ret == 0) { |
11191 | 0 | XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
11192 | |
|
11193 | 0 | ssl->arrays->preMasterSz += ssSzPqc; |
11194 | 0 | keyShareEntry->ke = NULL; |
11195 | 0 | keyShareEntry->keLen = 0; |
11196 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11197 | | /* Hybrid encapsulation is fully complete here. Clear the pending |
11198 | | * state so the TLS_ASYNC_VERIFY re-drive is skipped and does not |
11199 | | * re-enter this handler with the now-freed ke. */ |
11200 | | keyShareEntry->lastRet = 0; |
11201 | | #endif |
11202 | | |
11203 | | /* Concatenate the ECDH public key and the PQC KEM ciphertext. Based on |
11204 | | * the pqc_first flag, the ECDH public key goes before or after the KEM |
11205 | | * ciphertext. */ |
11206 | 0 | if (pqc_first) { |
11207 | 0 | XMEMCPY(ciphertext, pqc_kse->pubKey, ctSz); |
11208 | 0 | XMEMCPY(ciphertext + ctSz, ecc_kse->pubKey, ecc_kse->pubKeyLen); |
11209 | 0 | } |
11210 | 0 | else { |
11211 | 0 | XMEMCPY(ciphertext, ecc_kse->pubKey, ecc_kse->pubKeyLen); |
11212 | 0 | XMEMCPY(ciphertext + ecc_kse->pubKeyLen, pqc_kse->pubKey, ctSz); |
11213 | 0 | } |
11214 | |
|
11215 | 0 | XFREE(keyShareEntry->pubKey, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
11216 | 0 | keyShareEntry->pubKey = ciphertext; |
11217 | 0 | keyShareEntry->pubKeyLen = ecc_kse->pubKeyLen + ctSz; |
11218 | 0 | ciphertext = NULL; |
11219 | | |
11220 | | /* Set namedGroup so wolfSSL_get_curve_name() can function properly on |
11221 | | * the server side. */ |
11222 | 0 | ssl->namedGroup = keyShareEntry->group; |
11223 | 0 | } |
11224 | 0 | else |
11225 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11226 | | if (ret != WC_NO_ERR_TRACE(WC_PENDING_E)) |
11227 | | #endif |
11228 | 0 | { |
11229 | | /* Clear the pre master secret buffer to prevent leaking any |
11230 | | * intermediate keys in the error case. Do not use preMasterSz |
11231 | | * here as it may already been set to the ECC shared secret size, |
11232 | | * which would be too small due to the PQC offset case. */ |
11233 | 0 | ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN); |
11234 | 0 | } |
11235 | |
|
11236 | 0 | TLSX_KeyShare_FreeAll(ecc_kse, ssl->heap); |
11237 | 0 | TLSX_KeyShare_FreeAll(pqc_kse, ssl->heap); |
11238 | 0 | XFREE(ciphertext, ssl->heap, DYNAMIC_TYPE_TLSX); |
11239 | 0 | return ret; |
11240 | 0 | } |
11241 | | #endif /* WOLFSSL_HAVE_MLKEM && !WOLFSSL_MLKEM_NO_ENCAPSULATE */ |
11242 | | |
11243 | | /* Use the data to create a new key share object in the extensions. |
11244 | | * |
11245 | | * ssl The SSL/TLS object. |
11246 | | * group The named group. |
11247 | | * len The length of the public key data. |
11248 | | * data The public key data. |
11249 | | * kse The new key share entry object. |
11250 | | * returns 0 on success and other values indicate failure. |
11251 | | */ |
11252 | | int TLSX_KeyShare_Use(const WOLFSSL* ssl, word16 group, word16 len, byte* data, |
11253 | | KeyShareEntry **kse, TLSX** extensions) |
11254 | 0 | { |
11255 | 0 | int ret = 0; |
11256 | 0 | TLSX* extension; |
11257 | 0 | KeyShareEntry* keyShareEntry = NULL; |
11258 | | |
11259 | | /* Find the KeyShare extension if it exists. */ |
11260 | 0 | extension = TLSX_Find(*extensions, TLSX_KEY_SHARE); |
11261 | 0 | if (extension == NULL) { |
11262 | | /* Push new KeyShare extension. */ |
11263 | 0 | ret = TLSX_Push(extensions, TLSX_KEY_SHARE, NULL, ssl->heap); |
11264 | 0 | if (ret != 0) |
11265 | 0 | return ret; |
11266 | | |
11267 | 0 | extension = TLSX_Find(*extensions, TLSX_KEY_SHARE); |
11268 | 0 | if (extension == NULL) |
11269 | 0 | return MEMORY_E; |
11270 | 0 | } |
11271 | 0 | extension->resp = 0; |
11272 | | |
11273 | | /* Try to find the key share entry with this group. */ |
11274 | 0 | keyShareEntry = (KeyShareEntry*)extension->data; |
11275 | 0 | while (keyShareEntry != NULL) { |
11276 | | #if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \ |
11277 | | defined (WOLFSSL_EXTRA_PQC_HYBRIDS) |
11278 | | if ((group == WOLFSSL_P256_ML_KEM_512_OLD && |
11279 | | keyShareEntry->group == WOLFSSL_SECP256R1MLKEM512) || |
11280 | | (group == WOLFSSL_P384_ML_KEM_768_OLD && |
11281 | | keyShareEntry->group == WOLFSSL_SECP384R1MLKEM768) || |
11282 | | (group == WOLFSSL_P521_ML_KEM_1024_OLD && |
11283 | | keyShareEntry->group == WOLFSSL_SECP521R1MLKEM1024)) { |
11284 | | keyShareEntry->group = group; |
11285 | | break; |
11286 | | } |
11287 | | else |
11288 | | #endif /* WOLFSSL_ML_KEM_USE_OLD_IDS && WOLFSSL_EXTRA_PQC_HYBRIDS */ |
11289 | 0 | if (keyShareEntry->group == group) |
11290 | 0 | break; |
11291 | 0 | keyShareEntry = keyShareEntry->next; |
11292 | 0 | } |
11293 | | |
11294 | | /* Create a new key share entry if not found. */ |
11295 | 0 | if (keyShareEntry == NULL) { |
11296 | 0 | ret = TLSX_KeyShare_New((KeyShareEntry**)&extension->data, group, |
11297 | 0 | ssl->heap, &keyShareEntry); |
11298 | 0 | if (ret != 0) |
11299 | 0 | return ret; |
11300 | 0 | } |
11301 | | |
11302 | 0 | if (data != NULL) { |
11303 | | /* Store the peer data in the key share object. */ |
11304 | 0 | XFREE(keyShareEntry->ke, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY); |
11305 | 0 | keyShareEntry->ke = data; |
11306 | 0 | keyShareEntry->keLen = len; |
11307 | 0 | } |
11308 | 0 | else { |
11309 | | /* Generate a key pair. Casting to non-const since changes inside are |
11310 | | * minimal but would require an extensive redesign to refactor. Also |
11311 | | * this path shouldn't be taken when parsing a ClientHello in stateless |
11312 | | * mode. */ |
11313 | 0 | ret = TLSX_KeyShare_GenKey((WOLFSSL*)ssl, keyShareEntry); |
11314 | 0 | if (ret != 0) |
11315 | 0 | return ret; |
11316 | 0 | } |
11317 | | |
11318 | 0 | if (kse != NULL) |
11319 | 0 | *kse = keyShareEntry; |
11320 | |
|
11321 | 0 | return 0; |
11322 | 0 | } |
11323 | | |
11324 | | /* Set an empty Key Share extension. |
11325 | | * |
11326 | | * ssl The SSL/TLS object. |
11327 | | * returns 0 on success and other values indicate failure. |
11328 | | */ |
11329 | | int TLSX_KeyShare_Empty(WOLFSSL* ssl) |
11330 | 0 | { |
11331 | 0 | int ret = 0; |
11332 | 0 | TLSX* extension; |
11333 | | |
11334 | | /* Find the KeyShare extension if it exists. */ |
11335 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
11336 | 0 | if (extension == NULL) { |
11337 | | /* Push new KeyShare extension. */ |
11338 | 0 | ret = TLSX_Push(&ssl->extensions, TLSX_KEY_SHARE, NULL, ssl->heap); |
11339 | 0 | } |
11340 | 0 | else if (extension->data != NULL) { |
11341 | 0 | TLSX_KeyShare_FreeAll((KeyShareEntry*)extension->data, ssl->heap); |
11342 | 0 | extension->data = NULL; |
11343 | 0 | } |
11344 | |
|
11345 | 0 | return ret; |
11346 | 0 | } |
11347 | | |
11348 | | /* Compile-time gating must stay aligned with TLSX_PopulateSupportedGroups(). |
11349 | | * Runtime-only conditions in that function (TLS 1.3 version check, FFDHE |
11350 | | * key-size bounds, session-resumption short-circuit, downgrade-aware |
11351 | | * Brainpool TLS 1.2 selection) are intentionally not represented here. */ |
11352 | | static const word16 preferredGroup[] = { |
11353 | | /* Sort by strength, but prefer non-experimental PQ/T hybrid groups */ |
11354 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
11355 | | !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) |
11356 | | #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519) && \ |
11357 | | ECC_MIN_KEY_SZ <= 256 |
11358 | | WOLFSSL_X25519MLKEM768, |
11359 | | #endif |
11360 | | #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \ |
11361 | | (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \ |
11362 | | ECC_MIN_KEY_SZ <= 384 |
11363 | | WOLFSSL_SECP384R1MLKEM1024, |
11364 | | #endif |
11365 | | #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \ |
11366 | | (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ |
11367 | | ECC_MIN_KEY_SZ <= 256 |
11368 | | WOLFSSL_SECP256R1MLKEM768, |
11369 | | #endif |
11370 | | #endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_MLKEM && !WOLFSSL_NO_ML_KEM && |
11371 | | * WOLFSSL_PQC_HYBRIDS */ |
11372 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
11373 | | !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_1024) && \ |
11374 | | !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) |
11375 | | WOLFSSL_ML_KEM_1024, |
11376 | | #endif |
11377 | | #if defined(HAVE_ECC) && (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \ |
11378 | | !defined(NO_ECC_SECP) && ECC_MIN_KEY_SZ <= 521 |
11379 | | WOLFSSL_ECC_SECP521R1, |
11380 | | #endif |
11381 | | #if defined(HAVE_ECC) && (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && \ |
11382 | | defined(HAVE_ECC_BRAINPOOL) && ECC_MIN_KEY_SZ <= 512 |
11383 | | WOLFSSL_ECC_BRAINPOOLP512R1TLS13, |
11384 | | WOLFSSL_ECC_BRAINPOOLP512R1, |
11385 | | #endif |
11386 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
11387 | | !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_768) && \ |
11388 | | !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) |
11389 | | WOLFSSL_ML_KEM_768, |
11390 | | #endif |
11391 | | #if defined(HAVE_ECC) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \ |
11392 | | ECC_MIN_KEY_SZ <= 384 |
11393 | | #ifndef NO_ECC_SECP |
11394 | | WOLFSSL_ECC_SECP384R1, |
11395 | | #endif |
11396 | | #ifdef HAVE_ECC_BRAINPOOL |
11397 | | WOLFSSL_ECC_BRAINPOOLP384R1TLS13, |
11398 | | WOLFSSL_ECC_BRAINPOOLP384R1, |
11399 | | #endif |
11400 | | #endif |
11401 | | #if !defined(HAVE_FIPS) && defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448 |
11402 | | WOLFSSL_ECC_X448, |
11403 | | #endif |
11404 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
11405 | | !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_512) && \ |
11406 | | !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) |
11407 | | WOLFSSL_ML_KEM_512, |
11408 | | #endif |
11409 | | #if defined(HAVE_ECC) && (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ |
11410 | | ECC_MIN_KEY_SZ <= 256 |
11411 | | #ifndef NO_ECC_SECP |
11412 | | WOLFSSL_ECC_SECP256R1, |
11413 | | #endif |
11414 | | #ifdef HAVE_ECC_KOBLITZ |
11415 | | WOLFSSL_ECC_SECP256K1, |
11416 | | #endif |
11417 | | #ifdef HAVE_ECC_BRAINPOOL |
11418 | | WOLFSSL_ECC_BRAINPOOLP256R1TLS13, |
11419 | | WOLFSSL_ECC_BRAINPOOLP256R1, |
11420 | | #endif |
11421 | | #if !defined(HAVE_FIPS) && defined(WOLFSSL_SM2) |
11422 | | WOLFSSL_ECC_SM2P256V1, |
11423 | | #endif |
11424 | | #endif |
11425 | | #if !defined(HAVE_FIPS) && defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
11426 | | WOLFSSL_ECC_X25519, |
11427 | | #endif |
11428 | | #if defined(HAVE_ECC) && (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && \ |
11429 | | ECC_MIN_KEY_SZ <= 224 |
11430 | | #ifndef NO_ECC_SECP |
11431 | | WOLFSSL_ECC_SECP224R1, |
11432 | | #endif |
11433 | | #ifdef HAVE_ECC_KOBLITZ |
11434 | | WOLFSSL_ECC_SECP224K1, |
11435 | | #endif |
11436 | | #endif |
11437 | | #if !defined(HAVE_FIPS) && defined(HAVE_ECC) |
11438 | | #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && \ |
11439 | | ECC_MIN_KEY_SZ <= 192 |
11440 | | #ifndef NO_ECC_SECP |
11441 | | WOLFSSL_ECC_SECP192R1, |
11442 | | #endif |
11443 | | #ifdef HAVE_ECC_KOBLITZ |
11444 | | WOLFSSL_ECC_SECP192K1, |
11445 | | #endif |
11446 | | #endif |
11447 | | #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && \ |
11448 | | ECC_MIN_KEY_SZ <= 160 |
11449 | | #ifndef NO_ECC_SECP |
11450 | | WOLFSSL_ECC_SECP160R1, |
11451 | | #endif |
11452 | | #ifdef HAVE_ECC_SECPR2 |
11453 | | WOLFSSL_ECC_SECP160R2, |
11454 | | #endif |
11455 | | #ifdef HAVE_ECC_KOBLITZ |
11456 | | WOLFSSL_ECC_SECP160K1, |
11457 | | #endif |
11458 | | #endif |
11459 | | #endif /* !HAVE_FIPS && HAVE_ECC */ |
11460 | | #if defined(HAVE_FFDHE_8192) |
11461 | | WOLFSSL_FFDHE_8192, |
11462 | | #endif |
11463 | | #if defined(HAVE_FFDHE_6144) |
11464 | | WOLFSSL_FFDHE_6144, |
11465 | | #endif |
11466 | | #if defined(HAVE_FFDHE_4096) |
11467 | | WOLFSSL_FFDHE_4096, |
11468 | | #endif |
11469 | | #if defined(HAVE_FFDHE_3072) |
11470 | | WOLFSSL_FFDHE_3072, |
11471 | | #endif |
11472 | | #if defined(HAVE_FFDHE_2048) |
11473 | | WOLFSSL_FFDHE_2048, |
11474 | | #endif |
11475 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
11476 | | !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_EXTRA_PQC_HYBRIDS) |
11477 | | #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \ |
11478 | | (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \ |
11479 | | ECC_MIN_KEY_SZ <= 521 |
11480 | | WOLFSSL_SECP521R1MLKEM1024, |
11481 | | #endif |
11482 | | #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \ |
11483 | | (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \ |
11484 | | ECC_MIN_KEY_SZ <= 384 |
11485 | | WOLFSSL_SECP384R1MLKEM768, |
11486 | | #endif |
11487 | | #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE448) && \ |
11488 | | ECC_MIN_KEY_SZ <= 448 |
11489 | | WOLFSSL_X448MLKEM768, |
11490 | | #endif |
11491 | | #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_ECC) && \ |
11492 | | (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ |
11493 | | ECC_MIN_KEY_SZ <= 256 |
11494 | | WOLFSSL_SECP256R1MLKEM512, |
11495 | | #endif |
11496 | | #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_CURVE25519) && \ |
11497 | | ECC_MIN_KEY_SZ <= 256 |
11498 | | WOLFSSL_X25519MLKEM512, |
11499 | | #endif |
11500 | | #endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_MLKEM && !WOLFSSL_NO_ML_KEM && |
11501 | | * WOLFSSL_EXTRA_PQC_HYBRIDS */ |
11502 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
11503 | | defined(WOLFSSL_MLKEM_KYBER) |
11504 | | #ifdef WOLFSSL_KYBER1024 |
11505 | | WOLFSSL_KYBER_LEVEL5, |
11506 | | #if defined(HAVE_ECC) && (defined(HAVE_ECC521) || \ |
11507 | | defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 |
11508 | | WOLFSSL_P521_KYBER_LEVEL5, |
11509 | | #endif |
11510 | | #endif |
11511 | | #ifdef WOLFSSL_KYBER768 |
11512 | | WOLFSSL_KYBER_LEVEL3, |
11513 | | #if defined(HAVE_ECC) && (defined(HAVE_ECC384) || \ |
11514 | | defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 |
11515 | | WOLFSSL_P384_KYBER_LEVEL3, |
11516 | | #endif |
11517 | | #if defined(HAVE_ECC) && (!defined(NO_ECC256) || \ |
11518 | | defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 |
11519 | | WOLFSSL_P256_KYBER_LEVEL3, |
11520 | | #endif |
11521 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
11522 | | WOLFSSL_X25519_KYBER_LEVEL3, |
11523 | | #endif |
11524 | | #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448 |
11525 | | WOLFSSL_X448_KYBER_LEVEL3, |
11526 | | #endif |
11527 | | #endif |
11528 | | #ifdef WOLFSSL_KYBER512 |
11529 | | WOLFSSL_KYBER_LEVEL1, |
11530 | | #if defined(HAVE_ECC) && (!defined(NO_ECC256) || \ |
11531 | | defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 |
11532 | | WOLFSSL_P256_KYBER_LEVEL1, |
11533 | | #endif |
11534 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
11535 | | WOLFSSL_X25519_KYBER_LEVEL1, |
11536 | | #endif |
11537 | | #endif |
11538 | | #endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_MLKEM && WOLFSSL_MLKEM_KYBER */ |
11539 | | WOLFSSL_NAMED_GROUP_INVALID |
11540 | | }; |
11541 | | |
11542 | | #define PREFERRED_GROUP_SZ \ |
11543 | 0 | ((sizeof(preferredGroup)/sizeof(*preferredGroup)) - 1) |
11544 | | /* -1 for the invalid group */ |
11545 | | |
11546 | | /* WOLFSSL_KEY_SHARE_DEFAULT_GROUP - group used for the speculative key share |
11547 | | * in ClientHello messages when the application has not selected one via |
11548 | | * wolfSSL_CTX_set_groups() / wolfSSL_set_groups() or wolfSSL_UseKeyShare(). |
11549 | | * |
11550 | | * The default is optimized for the likelihood that the server will accept the |
11551 | | * speculative key share without forcing a HelloRetryRequest. It therefore |
11552 | | * differs from preferredGroup[] (which is sorted by strength): we pick the |
11553 | | * most widely deployed group at each tier rather than the strongest. |
11554 | | * |
11555 | | * Selection order when not user-defined: |
11556 | | * 1. A standardized PQ/T hybrid using X25519 or SECP256R1, if available. |
11557 | | * 2. SECP256R1, then X25519, then SECP384R1. |
11558 | | * 3. FFDHE 2048 or 3072, for DH-only TLS 1.3 builds. |
11559 | | * 4. preferredGroup[0] as a final fallback for any other configuration. |
11560 | | * |
11561 | | * Users can override the default by defining WOLFSSL_KEY_SHARE_DEFAULT_GROUP |
11562 | | * in user_settings.h to any of the WOLFSSL_* group identifiers from |
11563 | | * wolfssl/ssl.h (or the numeric IANA code point). The macro is substituted |
11564 | | * directly into an assignment, so wrap non-trivial expressions in parentheses. |
11565 | | */ |
11566 | | #ifndef WOLFSSL_KEY_SHARE_DEFAULT_GROUP |
11567 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \ |
11568 | | !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) && \ |
11569 | | !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519) && \ |
11570 | | ECC_MIN_KEY_SZ <= 256 |
11571 | | #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_X25519MLKEM768 |
11572 | | #elif defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \ |
11573 | | !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) && \ |
11574 | | !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \ |
11575 | | (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ |
11576 | | ECC_MIN_KEY_SZ <= 256 |
11577 | 0 | #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_SECP256R1MLKEM768 |
11578 | | #elif defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \ |
11579 | | !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) && \ |
11580 | | !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \ |
11581 | | (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \ |
11582 | | ECC_MIN_KEY_SZ <= 384 |
11583 | | #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_SECP384R1MLKEM1024 |
11584 | | #elif defined(HAVE_ECC) && (!defined(NO_ECC256) || \ |
11585 | | defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 && \ |
11586 | | !defined(NO_ECC_SECP) |
11587 | | #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_ECC_SECP256R1 |
11588 | | #elif !defined(HAVE_FIPS) && defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
11589 | | #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_ECC_X25519 |
11590 | | #elif defined(HAVE_ECC) && (defined(HAVE_ECC384) || \ |
11591 | | defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 && \ |
11592 | | !defined(NO_ECC_SECP) |
11593 | | #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_ECC_SECP384R1 |
11594 | | #elif defined(HAVE_FFDHE_2048) |
11595 | | #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_FFDHE_2048 |
11596 | | #elif defined(HAVE_FFDHE_3072) |
11597 | | #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP WOLFSSL_FFDHE_3072 |
11598 | | #else |
11599 | | /* Fall back to whatever preferredGroup[] starts with. */ |
11600 | | #define WOLFSSL_KEY_SHARE_DEFAULT_GROUP (preferredGroup[0]) |
11601 | | #endif |
11602 | | #endif /* !WOLFSSL_KEY_SHARE_DEFAULT_GROUP */ |
11603 | | |
11604 | | /* Examines the application specified group ranking and returns the rank of the |
11605 | | * group. |
11606 | | * If no group ranking set then all groups are rank 0 (highest). |
11607 | | * |
11608 | | * ssl The SSL/TLS object. |
11609 | | * group The group to check ranking for. |
11610 | | * returns ranking from 0 to MAX_GROUP_COUNT-1 or -1 when group not in list. |
11611 | | */ |
11612 | | static int TLSX_KeyShare_GroupRank(const WOLFSSL* ssl, int group) |
11613 | 0 | { |
11614 | 0 | byte i; |
11615 | 0 | const word16* groups; |
11616 | 0 | byte numGroups; |
11617 | |
|
11618 | 0 | if (ssl->numGroups == 0) { |
11619 | | /* If the user didn't specify a group list with a preferred order, |
11620 | | * use the internal preferred group list. */ |
11621 | 0 | groups = preferredGroup; |
11622 | 0 | numGroups = PREFERRED_GROUP_SZ; |
11623 | 0 | } |
11624 | 0 | else { |
11625 | 0 | groups = ssl->group; |
11626 | 0 | numGroups = ssl->numGroups; |
11627 | 0 | } |
11628 | |
|
11629 | 0 | for (i = 0; i < numGroups; i++) { |
11630 | | #if defined(WOLFSSL_ML_KEM_USE_OLD_IDS) && \ |
11631 | | defined (WOLFSSL_EXTRA_PQC_HYBRIDS) |
11632 | | if ((group == WOLFSSL_P256_ML_KEM_512_OLD && |
11633 | | groups[i] == WOLFSSL_SECP256R1MLKEM512) || |
11634 | | (group == WOLFSSL_P384_ML_KEM_768_OLD && |
11635 | | groups[i] == WOLFSSL_SECP384R1MLKEM768) || |
11636 | | (group == WOLFSSL_P521_ML_KEM_1024_OLD && |
11637 | | groups[i] == WOLFSSL_SECP521R1MLKEM1024)) { |
11638 | | return i; |
11639 | | } |
11640 | | #endif |
11641 | 0 | if (groups[i] == (word16)group) |
11642 | 0 | return i; |
11643 | 0 | } |
11644 | | |
11645 | 0 | return WOLFSSL_FATAL_ERROR; |
11646 | 0 | } |
11647 | | |
11648 | | /* Set a key share that is supported by the client into extensions. |
11649 | | * |
11650 | | * ssl The SSL/TLS object. |
11651 | | * returns BAD_KEY_SHARE_DATA if no supported group has a key share, |
11652 | | * 0 if a supported group has a key share and other values indicate an error. |
11653 | | */ |
11654 | | int TLSX_KeyShare_SetSupported(const WOLFSSL* ssl, TLSX** extensions) |
11655 | 0 | { |
11656 | 0 | int ret; |
11657 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
11658 | 0 | TLSX* extension; |
11659 | 0 | SupportedCurve* curve = NULL; |
11660 | 0 | SupportedCurve* preferredCurve = NULL; |
11661 | 0 | word16 name = WOLFSSL_NAMED_GROUP_INVALID; |
11662 | 0 | KeyShareEntry* kse = NULL; |
11663 | 0 | int preferredRank = WOLFSSL_MAX_GROUP_COUNT; |
11664 | 0 | int rank; |
11665 | |
|
11666 | 0 | extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS); |
11667 | 0 | if (extension != NULL) |
11668 | 0 | curve = (SupportedCurve*)extension->data; |
11669 | 0 | for (; curve != NULL; curve = curve->next) { |
11670 | | /* Use server's preference order. Common group was found but key share |
11671 | | * was missing */ |
11672 | 0 | if (!TLSX_IsGroupSupported(curve->name, ssl->options.side)) |
11673 | 0 | continue; |
11674 | 0 | if (wolfSSL_curve_is_disabled(ssl, curve->name)) |
11675 | 0 | continue; |
11676 | | |
11677 | 0 | rank = TLSX_KeyShare_GroupRank(ssl, curve->name); |
11678 | 0 | if (rank == -1) |
11679 | 0 | continue; |
11680 | 0 | if (rank < preferredRank) { |
11681 | 0 | preferredCurve = curve; |
11682 | 0 | preferredRank = rank; |
11683 | 0 | } |
11684 | 0 | } |
11685 | 0 | curve = preferredCurve; |
11686 | |
|
11687 | 0 | if (curve == NULL) { |
11688 | 0 | byte i; |
11689 | | /* Fallback to user selected group */ |
11690 | 0 | preferredRank = WOLFSSL_MAX_GROUP_COUNT; |
11691 | 0 | for (i = 0; i < ssl->numGroups; i++) { |
11692 | 0 | rank = TLSX_KeyShare_GroupRank(ssl, ssl->group[i]); |
11693 | 0 | if (rank == -1) |
11694 | 0 | continue; |
11695 | 0 | if (rank < preferredRank) { |
11696 | 0 | name = ssl->group[i]; |
11697 | 0 | preferredRank = rank; |
11698 | 0 | } |
11699 | 0 | } |
11700 | 0 | if (name == WOLFSSL_NAMED_GROUP_INVALID) { |
11701 | | /* No group selected or specified by the server */ |
11702 | 0 | WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA); |
11703 | 0 | return BAD_KEY_SHARE_DATA; |
11704 | 0 | } |
11705 | 0 | } |
11706 | 0 | else { |
11707 | 0 | name = curve->name; |
11708 | 0 | } |
11709 | | |
11710 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11711 | | /* Check the old key share data list. */ |
11712 | | extension = TLSX_Find(*extensions, TLSX_KEY_SHARE); |
11713 | | if (extension != NULL) { |
11714 | | kse = (KeyShareEntry*)extension->data; |
11715 | | /* We should not be computing keys if we are only going to advertise |
11716 | | * our choice here. */ |
11717 | | if (kse != NULL && kse->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
11718 | | WOLFSSL_ERROR_VERBOSE(BAD_KEY_SHARE_DATA); |
11719 | | return BAD_KEY_SHARE_DATA; |
11720 | | } |
11721 | | } |
11722 | | #endif |
11723 | | |
11724 | | /* Push new KeyShare extension. This will also free the old one */ |
11725 | 0 | ret = TLSX_Push(extensions, TLSX_KEY_SHARE, NULL, ssl->heap); |
11726 | 0 | if (ret != 0) |
11727 | 0 | return ret; |
11728 | | /* Extension got pushed to head */ |
11729 | 0 | extension = *extensions; |
11730 | | /* Push the selected curve */ |
11731 | 0 | ret = TLSX_KeyShare_New((KeyShareEntry**)&extension->data, name, |
11732 | 0 | ssl->heap, &kse); |
11733 | 0 | if (ret != 0) |
11734 | 0 | return ret; |
11735 | | /* Set extension to be in response. */ |
11736 | 0 | extension->resp = 1; |
11737 | | #else |
11738 | | |
11739 | | (void)ssl; |
11740 | | |
11741 | | WOLFSSL_ERROR_VERBOSE(NOT_COMPILED_IN); |
11742 | | ret = NOT_COMPILED_IN; |
11743 | | #endif |
11744 | |
|
11745 | 0 | return ret; |
11746 | 0 | } |
11747 | | |
11748 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
11749 | | /* Writes the CKS objects of a list in a buffer. */ |
11750 | | static word16 CKS_WRITE(WOLFSSL* ssl, byte* output) |
11751 | | { |
11752 | | XMEMCPY(output, ssl->sigSpec, ssl->sigSpecSz); |
11753 | | return ssl->sigSpecSz; |
11754 | | } |
11755 | | |
11756 | | static int TLSX_UseCKS(TLSX** extensions, WOLFSSL* ssl, void* heap) |
11757 | | { |
11758 | | int ret = 0; |
11759 | | TLSX* extension; |
11760 | | |
11761 | | if (extensions == NULL) { |
11762 | | return BAD_FUNC_ARG; |
11763 | | } |
11764 | | |
11765 | | extension = TLSX_Find(*extensions, TLSX_CKS); |
11766 | | /* If it is already present, do nothing. */ |
11767 | | if (extension == NULL) { |
11768 | | /* The data required is in the ssl struct, so push it in. */ |
11769 | | ret = TLSX_Push(extensions, TLSX_CKS, (void*)ssl, heap); |
11770 | | } |
11771 | | |
11772 | | return ret; |
11773 | | } |
11774 | | |
11775 | | int TLSX_CKS_Set(WOLFSSL* ssl, TLSX** extensions) |
11776 | | { |
11777 | | int ret; |
11778 | | TLSX* extension; |
11779 | | /* Push new KeyShare extension. This will also free the old one */ |
11780 | | ret = TLSX_Push(extensions, TLSX_CKS, NULL, ssl->heap); |
11781 | | if (ret != 0) |
11782 | | return ret; |
11783 | | /* Extension got pushed to head */ |
11784 | | extension = *extensions; |
11785 | | /* Need ssl->sigSpecSz during extension length calculation. */ |
11786 | | extension->data = ssl; |
11787 | | /* Set extension to be in response. */ |
11788 | | extension->resp = 1; |
11789 | | return ret; |
11790 | | } |
11791 | | |
11792 | | int TLSX_CKS_Parse(WOLFSSL* ssl, byte* input, word16 length, |
11793 | | TLSX** extensions) |
11794 | | { |
11795 | | int ret; |
11796 | | int i, j; |
11797 | | |
11798 | | (void) extensions; |
11799 | | |
11800 | | /* Validating the input. */ |
11801 | | if (length == 0) |
11802 | | return BUFFER_ERROR; |
11803 | | for (i = 0; i < length; i++) { |
11804 | | switch (input[i]) |
11805 | | { |
11806 | | case WOLFSSL_CKS_SIGSPEC_NATIVE: |
11807 | | case WOLFSSL_CKS_SIGSPEC_ALTERNATIVE: |
11808 | | case WOLFSSL_CKS_SIGSPEC_BOTH: |
11809 | | /* These are all valid values; do nothing */ |
11810 | | break; |
11811 | | case WOLFSSL_CKS_SIGSPEC_EXTERNAL: |
11812 | | default: |
11813 | | /* All other values (including external) are not. */ |
11814 | | return BAD_FUNC_ARG; |
11815 | | } |
11816 | | } |
11817 | | |
11818 | | /* This could be a situation where the client tried to start with TLS 1.3 |
11819 | | * when it sent ClientHello and the server down-graded to TLS 1.2. In that |
11820 | | * case, erroring out because it is TLS 1.2 is not a reasonable thing to do. |
11821 | | * In the case of TLS 1.2, the CKS values will be ignored. */ |
11822 | | if (!IsAtLeastTLSv1_3(ssl->version)) { |
11823 | | ssl->sigSpec = NULL; |
11824 | | ssl->sigSpecSz = 0; |
11825 | | return 0; |
11826 | | } |
11827 | | |
11828 | | /* Extension data is valid, but if we are the server and we don't have an |
11829 | | * alt private key, do not respond with CKS extension. */ |
11830 | | if (wolfSSL_is_server(ssl) && ssl->buffers.altKey == NULL) { |
11831 | | ssl->sigSpec = NULL; |
11832 | | ssl->sigSpecSz = 0; |
11833 | | return 0; |
11834 | | } |
11835 | | |
11836 | | /* Copy as the lifetime of input seems to be ephemeral. */ |
11837 | | ssl->peerSigSpec = (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_TLSX); |
11838 | | if (ssl->peerSigSpec == NULL) { |
11839 | | return BUFFER_ERROR; |
11840 | | } |
11841 | | XMEMCPY(ssl->peerSigSpec, input, length); |
11842 | | ssl->peerSigSpecSz = length; |
11843 | | |
11844 | | /* If there is no preference set, use theirs... */ |
11845 | | if (ssl->sigSpec == NULL) { |
11846 | | ret = wolfSSL_UseCKS(ssl, ssl->peerSigSpec, 1); |
11847 | | if (ret == WOLFSSL_SUCCESS) { |
11848 | | ret = TLSX_UseCKS(&ssl->extensions, ssl, ssl->heap); |
11849 | | TLSX_SetResponse(ssl, TLSX_CKS); |
11850 | | } |
11851 | | return ret; |
11852 | | } |
11853 | | |
11854 | | /* ...otherwise, prioritize our preference. */ |
11855 | | for (i = 0; i < ssl->sigSpecSz; i++) { |
11856 | | for (j = 0; j < length; j++) { |
11857 | | if (ssl->sigSpec[i] == input[j]) { |
11858 | | /* Got the match, set to this one. */ |
11859 | | ret = wolfSSL_UseCKS(ssl, &ssl->sigSpec[i], 1); |
11860 | | if (ret == WOLFSSL_SUCCESS) { |
11861 | | ret = TLSX_UseCKS(&ssl->extensions, ssl, ssl->heap); |
11862 | | TLSX_SetResponse(ssl, TLSX_CKS); |
11863 | | } |
11864 | | return ret; |
11865 | | } |
11866 | | } |
11867 | | } |
11868 | | |
11869 | | /* No match found. Cannot continue. */ |
11870 | | return MATCH_SUITE_ERROR; |
11871 | | } |
11872 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
11873 | | |
11874 | | /* Server side KSE processing */ |
11875 | | int TLSX_KeyShare_Choose(const WOLFSSL *ssl, TLSX* extensions, |
11876 | | byte cipherSuite0, byte cipherSuite, KeyShareEntry** kse, byte* searched) |
11877 | 0 | { |
11878 | 0 | TLSX* extension; |
11879 | 0 | KeyShareEntry* clientKSE = NULL; |
11880 | 0 | KeyShareEntry* list = NULL; |
11881 | 0 | KeyShareEntry* preferredKSE = NULL; |
11882 | 0 | int preferredRank = WOLFSSL_MAX_GROUP_COUNT; |
11883 | 0 | int rank; |
11884 | |
|
11885 | 0 | (void)cipherSuite0; |
11886 | 0 | (void)cipherSuite; |
11887 | |
|
11888 | 0 | if (ssl == NULL || ssl->options.side != WOLFSSL_SERVER_END) |
11889 | 0 | return BAD_FUNC_ARG; |
11890 | | |
11891 | 0 | *searched = 0; |
11892 | | |
11893 | | /* Find the KeyShare extension if it exists. */ |
11894 | 0 | extension = TLSX_Find(extensions, TLSX_KEY_SHARE); |
11895 | 0 | if (extension != NULL) |
11896 | 0 | list = (KeyShareEntry*)extension->data; |
11897 | |
|
11898 | 0 | if (extension && extension->resp == 1) { |
11899 | | /* Outside of the async case this path should not be taken. */ |
11900 | 0 | int ret = WC_NO_ERR_TRACE(INCOMPLETE_DATA); |
11901 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11902 | | /* in async case make sure key generation is finalized */ |
11903 | | KeyShareEntry* serverKSE = (KeyShareEntry*)extension->data; |
11904 | | if (serverKSE && serverKSE->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) { |
11905 | | if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) |
11906 | | *searched = 1; |
11907 | | ret = TLSX_KeyShare_GenKey((WOLFSSL*)ssl, serverKSE); |
11908 | | } |
11909 | | else |
11910 | | #endif |
11911 | 0 | { |
11912 | 0 | ret = INCOMPLETE_DATA; |
11913 | 0 | } |
11914 | 0 | return ret; |
11915 | 0 | } |
11916 | | |
11917 | | /* Use server's preference order. */ |
11918 | 0 | for (clientKSE = list; clientKSE != NULL; clientKSE = clientKSE->next) { |
11919 | 0 | if (clientKSE->ke == NULL) |
11920 | 0 | continue; |
11921 | | |
11922 | | #ifdef WOLFSSL_SM2 |
11923 | | if ((cipherSuite0 == CIPHER_BYTE) && |
11924 | | ((cipherSuite == TLS_SM4_GCM_SM3) || |
11925 | | (cipherSuite == TLS_SM4_CCM_SM3))) { |
11926 | | if (clientKSE->group != WOLFSSL_ECC_SM2P256V1) { |
11927 | | continue; |
11928 | | } |
11929 | | } |
11930 | | else if (clientKSE->group == WOLFSSL_ECC_SM2P256V1) { |
11931 | | continue; |
11932 | | } |
11933 | | #endif |
11934 | | |
11935 | | /* Check consistency now - extensions in any order. */ |
11936 | 0 | if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group, extensions)) |
11937 | 0 | continue; |
11938 | | |
11939 | 0 | if (!WOLFSSL_NAMED_GROUP_IS_FFDHE(clientKSE->group)) { |
11940 | | /* Check max value supported. */ |
11941 | 0 | if (clientKSE->group > WOLFSSL_ECC_MAX) { |
11942 | 0 | #ifdef WOLFSSL_HAVE_MLKEM |
11943 | 0 | if (!WOLFSSL_NAMED_GROUP_IS_PQC(clientKSE->group) && |
11944 | 0 | !WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(clientKSE->group)) |
11945 | 0 | #endif |
11946 | 0 | continue; |
11947 | 0 | } |
11948 | 0 | if (wolfSSL_curve_is_disabled(ssl, clientKSE->group)) |
11949 | 0 | continue; |
11950 | 0 | } |
11951 | 0 | if (!TLSX_IsGroupSupported(clientKSE->group, ssl->options.side)) |
11952 | 0 | continue; |
11953 | | |
11954 | 0 | rank = TLSX_KeyShare_GroupRank(ssl, clientKSE->group); |
11955 | 0 | if (rank == -1) |
11956 | 0 | continue; |
11957 | 0 | if (rank < preferredRank) { |
11958 | 0 | preferredKSE = clientKSE; |
11959 | 0 | preferredRank = rank; |
11960 | 0 | } |
11961 | 0 | } |
11962 | 0 | *kse = preferredKSE; |
11963 | 0 | *searched = 1; |
11964 | 0 | return 0; |
11965 | 0 | } |
11966 | | |
11967 | | /* Server side KSE processing */ |
11968 | | int TLSX_KeyShare_Setup(WOLFSSL *ssl, KeyShareEntry* clientKSE) |
11969 | 0 | { |
11970 | 0 | int ret; |
11971 | 0 | TLSX* extension; |
11972 | 0 | KeyShareEntry* serverKSE; |
11973 | 0 | KeyShareEntry* list = NULL; |
11974 | |
|
11975 | 0 | if (ssl == NULL || ssl->options.side != WOLFSSL_SERVER_END) |
11976 | 0 | return BAD_FUNC_ARG; |
11977 | | |
11978 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
11979 | 0 | if (extension == NULL) |
11980 | 0 | return BAD_STATE_E; |
11981 | | |
11982 | 0 | if (clientKSE == NULL) { |
11983 | | #ifdef WOLFSSL_ASYNC_CRYPT |
11984 | | /* Not necessarily an error. The key may have already been setup. */ |
11985 | | if (extension != NULL && extension->resp == 1) { |
11986 | | serverKSE = (KeyShareEntry*)extension->data; |
11987 | | if (serverKSE != NULL) { |
11988 | | #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) |
11989 | | /* Re-drive server hybrid encapsulation on resume. GenKey |
11990 | | * routes a hybrid group to the client generator, and the |
11991 | | * lastRet == 0 path treats the share as done after only the |
11992 | | * ECDH part completed, dropping the KEM ciphertext. ke holds |
11993 | | * the client share until the handler completes and clears it. */ |
11994 | | if (serverKSE->ke != NULL && |
11995 | | WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(serverKSE->group)) { |
11996 | | return TLSX_KeyShare_HandlePqcHybridKeyServer((WOLFSSL*)ssl, |
11997 | | serverKSE, serverKSE->ke, serverKSE->keLen); |
11998 | | } |
11999 | | #endif |
12000 | | /* in async case make sure key generation is finalized */ |
12001 | | if (serverKSE->lastRet == WC_NO_ERR_TRACE(WC_PENDING_E)) |
12002 | | return TLSX_KeyShare_GenKey((WOLFSSL*)ssl, serverKSE); |
12003 | | else if (serverKSE->lastRet == 0) |
12004 | | return 0; |
12005 | | } |
12006 | | } |
12007 | | #endif |
12008 | 0 | return BAD_FUNC_ARG; |
12009 | 0 | } |
12010 | | |
12011 | | /* Generate a new key pair except in the case of PQC KEM because we |
12012 | | * are going to encapsulate and that does not require us to generate a |
12013 | | * key pair. |
12014 | | */ |
12015 | 0 | ret = TLSX_KeyShare_New(&list, clientKSE->group, ssl->heap, &serverKSE); |
12016 | 0 | if (ret != 0) |
12017 | 0 | return ret; |
12018 | | |
12019 | 0 | if (clientKSE->key == NULL) { |
12020 | 0 | #if defined(WOLFSSL_HAVE_MLKEM) && !defined(WOLFSSL_MLKEM_NO_ENCAPSULATE) |
12021 | 0 | if (WOLFSSL_NAMED_GROUP_IS_PQC(clientKSE->group)) { |
12022 | 0 | ret = TLSX_KeyShare_HandlePqcKeyServer(ssl, serverKSE, |
12023 | 0 | clientKSE->ke, clientKSE->keLen, |
12024 | 0 | ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz); |
12025 | 0 | } |
12026 | 0 | else if (WOLFSSL_NAMED_GROUP_IS_PQC_HYBRID(clientKSE->group)) { |
12027 | 0 | ret = TLSX_KeyShare_HandlePqcHybridKeyServer(ssl, serverKSE, |
12028 | 0 | clientKSE->ke, clientKSE->keLen); |
12029 | 0 | } |
12030 | 0 | else |
12031 | 0 | #endif |
12032 | 0 | { |
12033 | 0 | ret = TLSX_KeyShare_GenKey(ssl, serverKSE); |
12034 | 0 | } |
12035 | | |
12036 | | /* for async do setup of serverKSE below, but return WC_PENDING_E */ |
12037 | 0 | if (ret != 0 |
12038 | | #ifdef WOLFSSL_ASYNC_CRYPT |
12039 | | && ret != WC_NO_ERR_TRACE(WC_PENDING_E) |
12040 | | #endif |
12041 | 0 | ) { |
12042 | 0 | TLSX_KeyShare_FreeAll(list, ssl->heap); |
12043 | 0 | return ret; |
12044 | 0 | } |
12045 | 0 | } |
12046 | 0 | else { |
12047 | | /* transfer buffers to serverKSE */ |
12048 | 0 | serverKSE->key = clientKSE->key; |
12049 | 0 | clientKSE->key = NULL; |
12050 | 0 | serverKSE->keyLen = clientKSE->keyLen; |
12051 | 0 | serverKSE->pubKey = clientKSE->pubKey; |
12052 | 0 | clientKSE->pubKey = NULL; |
12053 | 0 | serverKSE->pubKeyLen = clientKSE->pubKeyLen; |
12054 | 0 | #ifndef NO_DH |
12055 | 0 | serverKSE->privKey = clientKSE->privKey; |
12056 | 0 | clientKSE->privKey = NULL; |
12057 | 0 | #endif |
12058 | 0 | } |
12059 | 0 | serverKSE->ke = clientKSE->ke; |
12060 | 0 | serverKSE->keLen = clientKSE->keLen; |
12061 | 0 | clientKSE->ke = NULL; |
12062 | 0 | clientKSE->keLen = 0; |
12063 | 0 | ssl->namedGroup = serverKSE->group; |
12064 | |
|
12065 | 0 | TLSX_KeyShare_FreeAll((KeyShareEntry*)extension->data, ssl->heap); |
12066 | 0 | extension->data = (void *)serverKSE; |
12067 | |
|
12068 | 0 | extension->resp = 1; |
12069 | 0 | return ret; |
12070 | 0 | } |
12071 | | |
12072 | | /* Ensure there is a key pair that can be used for key exchange. |
12073 | | * |
12074 | | * ssl The SSL/TLS object. |
12075 | | * doHelloRetry If set to non-zero will do hello_retry |
12076 | | * returns 0 on success and other values indicate failure. |
12077 | | */ |
12078 | | int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry) |
12079 | 0 | { |
12080 | 0 | int ret; |
12081 | 0 | KeyShareEntry* clientKSE = NULL; |
12082 | 0 | byte searched = 0; |
12083 | |
|
12084 | 0 | *doHelloRetry = 0; |
12085 | |
|
12086 | 0 | ret = TLSX_KeyShare_Choose(ssl, ssl->extensions, ssl->cipher.cipherSuite0, |
12087 | 0 | ssl->cipher.cipherSuite, &clientKSE, &searched); |
12088 | 0 | if (ret != 0 || !searched) |
12089 | 0 | return ret; |
12090 | | |
12091 | | /* No supported group found - send HelloRetryRequest. */ |
12092 | 0 | if (clientKSE == NULL) { |
12093 | | /* Set KEY_SHARE_ERROR to indicate HelloRetryRequest required. */ |
12094 | 0 | *doHelloRetry = 1; |
12095 | 0 | return TLSX_KeyShare_SetSupported(ssl, &ssl->extensions); |
12096 | 0 | } |
12097 | | |
12098 | 0 | return TLSX_KeyShare_Setup(ssl, clientKSE); |
12099 | 0 | } |
12100 | | |
12101 | | /* Derive the shared secret of the key exchange. |
12102 | | * |
12103 | | * ssl The SSL/TLS object. |
12104 | | * returns 0 on success and other values indicate failure. |
12105 | | */ |
12106 | | int TLSX_KeyShare_DeriveSecret(WOLFSSL *ssl) |
12107 | 0 | { |
12108 | 0 | int ret; |
12109 | 0 | TLSX* extension; |
12110 | 0 | KeyShareEntry* list = NULL; |
12111 | |
|
12112 | | #ifdef WOLFSSL_ASYNC_CRYPT |
12113 | | ret = wolfSSL_AsyncPop(ssl, NULL); |
12114 | | /* Check for error */ |
12115 | | if (ret != WC_NO_ERR_TRACE(WC_NO_PENDING_E) && ret < 0) { |
12116 | | return ret; |
12117 | | } |
12118 | | #endif |
12119 | | |
12120 | | /* Find the KeyShare extension if it exists. */ |
12121 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
12122 | 0 | if (extension != NULL) |
12123 | 0 | list = (KeyShareEntry*)extension->data; |
12124 | |
|
12125 | 0 | if (list == NULL) |
12126 | 0 | return KEY_SHARE_ERROR; |
12127 | | |
12128 | | /* Calculate secret. */ |
12129 | 0 | ret = TLSX_KeyShare_Process(ssl, list); |
12130 | |
|
12131 | 0 | return ret; |
12132 | 0 | } |
12133 | | |
12134 | 0 | #define KS_FREE_ALL TLSX_KeyShare_FreeAll |
12135 | 0 | #define KS_GET_SIZE TLSX_KeyShare_GetSize |
12136 | 0 | #define KS_WRITE TLSX_KeyShare_Write |
12137 | 0 | #define KS_PARSE TLSX_KeyShare_Parse |
12138 | | |
12139 | | #else |
12140 | | |
12141 | | #define KS_FREE_ALL(a, b) WC_DO_NOTHING |
12142 | | #define KS_GET_SIZE(a, b) 0 |
12143 | | #define KS_WRITE(a, b, c) 0 |
12144 | | #define KS_PARSE(a, b, c, d) 0 |
12145 | | |
12146 | | #endif /* WOLFSSL_TLS13 */ |
12147 | | |
12148 | | /******************************************************************************/ |
12149 | | /* Pre-Shared Key */ |
12150 | | /******************************************************************************/ |
12151 | | |
12152 | | #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) |
12153 | | /* Free the pre-shared key dynamic data. |
12154 | | * |
12155 | | * list The linked list of key share entry objects. |
12156 | | * heap The heap used for allocation. |
12157 | | */ |
12158 | | static void TLSX_PreSharedKey_FreeAll(PreSharedKey* list, void* heap) |
12159 | | { |
12160 | | PreSharedKey* current; |
12161 | | |
12162 | | while ((current = list) != NULL) { |
12163 | | list = current->next; |
12164 | | XFREE(current->identity, heap, DYNAMIC_TYPE_TLSX); |
12165 | | XFREE(current, heap, DYNAMIC_TYPE_TLSX); |
12166 | | } |
12167 | | |
12168 | | (void)heap; |
12169 | | } |
12170 | | |
12171 | | /* Get the size of the encoded pre shared key extension. |
12172 | | * |
12173 | | * list The linked list of pre-shared key extensions. |
12174 | | * msgType The type of the message this extension is being written into. |
12175 | | * returns the number of bytes of the encoded pre-shared key extension or |
12176 | | * SANITY_MSG_E to indicate invalid message type. |
12177 | | */ |
12178 | | static int TLSX_PreSharedKey_GetSize(PreSharedKey* list, byte msgType, |
12179 | | word16* pSz) |
12180 | | { |
12181 | | if (msgType == client_hello) { |
12182 | | /* Length of identities + Length of binders. */ |
12183 | | word32 len = OPAQUE16_LEN + OPAQUE16_LEN; |
12184 | | while (list != NULL) { |
12185 | | /* Each entry has: identity, ticket age and binder. */ |
12186 | | len += OPAQUE16_LEN + list->identityLen + OPAQUE32_LEN + |
12187 | | OPAQUE8_LEN + (word32)list->binderLen; |
12188 | | if (len > WOLFSSL_MAX_16BIT) { |
12189 | | WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR); |
12190 | | return LENGTH_ERROR; |
12191 | | } |
12192 | | list = list->next; |
12193 | | } |
12194 | | if ((word32)*pSz + len > WOLFSSL_MAX_16BIT) { |
12195 | | WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR); |
12196 | | return LENGTH_ERROR; |
12197 | | } |
12198 | | *pSz += (word16)len; |
12199 | | return 0; |
12200 | | } |
12201 | | |
12202 | | if (msgType == server_hello) { |
12203 | | *pSz += OPAQUE16_LEN; |
12204 | | return 0; |
12205 | | } |
12206 | | |
12207 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12208 | | return SANITY_MSG_E; |
12209 | | } |
12210 | | |
12211 | | /* The number of bytes to be written for the binders. |
12212 | | * |
12213 | | * list The linked list of pre-shared key extensions. |
12214 | | * msgType The type of the message this extension is being written into. |
12215 | | * returns the number of bytes of the encoded pre-shared key extension or |
12216 | | * SANITY_MSG_E to indicate invalid message type. |
12217 | | */ |
12218 | | int TLSX_PreSharedKey_GetSizeBinders(PreSharedKey* list, byte msgType, |
12219 | | word16* pSz) |
12220 | | { |
12221 | | word32 len; |
12222 | | |
12223 | | if (msgType != client_hello) { |
12224 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12225 | | return SANITY_MSG_E; |
12226 | | } |
12227 | | |
12228 | | /* Length of all binders. */ |
12229 | | len = OPAQUE16_LEN; |
12230 | | while (list != NULL) { |
12231 | | len += OPAQUE8_LEN + (word32)list->binderLen; |
12232 | | if (len > WOLFSSL_MAX_16BIT) { |
12233 | | WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR); |
12234 | | return LENGTH_ERROR; |
12235 | | } |
12236 | | list = list->next; |
12237 | | } |
12238 | | |
12239 | | *pSz = (word16)len; |
12240 | | return 0; |
12241 | | } |
12242 | | |
12243 | | /* Writes the pre-shared key extension into the output buffer - binders only. |
12244 | | * Assumes that the the output buffer is big enough to hold data. |
12245 | | * |
12246 | | * list The linked list of key share entries. |
12247 | | * output The buffer to write into. |
12248 | | * msgType The type of the message this extension is being written into. |
12249 | | * returns the number of bytes written into the buffer. |
12250 | | */ |
12251 | | int TLSX_PreSharedKey_WriteBinders(PreSharedKey* list, byte* output, |
12252 | | byte msgType, word16* pSz) |
12253 | | { |
12254 | | PreSharedKey* current = list; |
12255 | | word16 idx = 0; |
12256 | | word16 lenIdx; |
12257 | | word16 len; |
12258 | | |
12259 | | if (msgType != client_hello) { |
12260 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12261 | | return SANITY_MSG_E; |
12262 | | } |
12263 | | |
12264 | | /* Skip length of all binders. */ |
12265 | | lenIdx = idx; |
12266 | | idx += OPAQUE16_LEN; |
12267 | | while (current != NULL) { |
12268 | | /* Binder data length. */ |
12269 | | output[idx++] = (byte)current->binderLen; |
12270 | | /* Binder data. */ |
12271 | | XMEMCPY(output + idx, current->binder, current->binderLen); |
12272 | | idx += (word16)current->binderLen; |
12273 | | |
12274 | | current = current->next; |
12275 | | } |
12276 | | /* Length of the binders. */ |
12277 | | len = idx - lenIdx - OPAQUE16_LEN; |
12278 | | c16toa(len, output + lenIdx); |
12279 | | |
12280 | | *pSz = idx; |
12281 | | return 0; |
12282 | | } |
12283 | | |
12284 | | |
12285 | | /* Writes the pre-shared key extension into the output buffer. |
12286 | | * Assumes that the the output buffer is big enough to hold data. |
12287 | | * |
12288 | | * list The linked list of key share entries. |
12289 | | * output The buffer to write into. |
12290 | | * msgType The type of the message this extension is being written into. |
12291 | | * returns the number of bytes written into the buffer. |
12292 | | */ |
12293 | | static int TLSX_PreSharedKey_Write(PreSharedKey* list, byte* output, |
12294 | | byte msgType, word16* pSz) |
12295 | | { |
12296 | | if (msgType == client_hello) { |
12297 | | PreSharedKey* current = list; |
12298 | | word16 idx = 0; |
12299 | | word16 lenIdx; |
12300 | | word16 len; |
12301 | | int ret; |
12302 | | |
12303 | | /* Write identities only. Binders after HMACing over this. */ |
12304 | | lenIdx = idx; |
12305 | | idx += OPAQUE16_LEN; |
12306 | | while (current != NULL) { |
12307 | | /* Identity length */ |
12308 | | c16toa(current->identityLen, output + idx); |
12309 | | idx += OPAQUE16_LEN; |
12310 | | /* Identity data */ |
12311 | | XMEMCPY(output + idx, current->identity, current->identityLen); |
12312 | | idx += current->identityLen; |
12313 | | |
12314 | | /* Obfuscated ticket age. */ |
12315 | | c32toa(current->ticketAge, output + idx); |
12316 | | idx += OPAQUE32_LEN; |
12317 | | |
12318 | | current = current->next; |
12319 | | } |
12320 | | /* Length of the identities. */ |
12321 | | len = idx - lenIdx - OPAQUE16_LEN; |
12322 | | c16toa(len, output + lenIdx); |
12323 | | |
12324 | | /* Don't include binders here. |
12325 | | * The binders are based on the hash of all the ClientHello data up to |
12326 | | * and include the identities written above. |
12327 | | */ |
12328 | | ret = TLSX_PreSharedKey_GetSizeBinders(list, msgType, &len); |
12329 | | if (ret < 0) |
12330 | | return ret; |
12331 | | *pSz += idx + len; |
12332 | | } |
12333 | | else if (msgType == server_hello) { |
12334 | | word16 i; |
12335 | | |
12336 | | /* Find the index of the chosen identity. */ |
12337 | | for (i=0; list != NULL && !list->chosen; i++) |
12338 | | list = list->next; |
12339 | | if (list == NULL) { |
12340 | | WOLFSSL_ERROR_VERBOSE(BUILD_MSG_ERROR); |
12341 | | return BUILD_MSG_ERROR; |
12342 | | } |
12343 | | |
12344 | | /* The index of the identity chosen by the server from the list supplied |
12345 | | * by the client. |
12346 | | */ |
12347 | | c16toa(i, output); |
12348 | | *pSz += OPAQUE16_LEN; |
12349 | | } |
12350 | | else { |
12351 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12352 | | return SANITY_MSG_E; |
12353 | | } |
12354 | | |
12355 | | return 0; |
12356 | | } |
12357 | | |
12358 | | int TLSX_PreSharedKey_Parse_ClientHello(TLSX** extensions, const byte* input, |
12359 | | word16 length, void* heap) |
12360 | | { |
12361 | | |
12362 | | int ret; |
12363 | | word16 len; |
12364 | | word16 idx = 0; |
12365 | | TLSX* extension; |
12366 | | PreSharedKey* list; |
12367 | | |
12368 | | TLSX_Remove(extensions, TLSX_PRE_SHARED_KEY, heap); |
12369 | | |
12370 | | /* Length of identities and of binders. */ |
12371 | | if ((int)(length - idx) < OPAQUE16_LEN + OPAQUE16_LEN) |
12372 | | return BUFFER_E; |
12373 | | |
12374 | | /* Length of identities. */ |
12375 | | ato16(input + idx, &len); |
12376 | | idx += OPAQUE16_LEN; |
12377 | | if (len < MIN_PSK_ID_LEN || length - idx < len) |
12378 | | return BUFFER_E; |
12379 | | |
12380 | | /* Create a pre-shared key object for each identity. */ |
12381 | | while (len > 0) { |
12382 | | const byte* identity; |
12383 | | word16 identityLen; |
12384 | | word32 age; |
12385 | | |
12386 | | if (len < OPAQUE16_LEN) |
12387 | | return BUFFER_E; |
12388 | | |
12389 | | /* Length of identity. */ |
12390 | | ato16(input + idx, &identityLen); |
12391 | | idx += OPAQUE16_LEN; |
12392 | | if (len < OPAQUE16_LEN + identityLen + OPAQUE32_LEN || |
12393 | | identityLen > MAX_PSK_ID_LEN) |
12394 | | return BUFFER_E; |
12395 | | /* Cache identity pointer. */ |
12396 | | identity = input + idx; |
12397 | | idx += identityLen; |
12398 | | /* Ticket age. */ |
12399 | | ato32(input + idx, &age); |
12400 | | idx += OPAQUE32_LEN; |
12401 | | |
12402 | | ret = TLSX_PreSharedKey_Use(extensions, identity, identityLen, age, no_mac, |
12403 | | 0, 0, 1, NULL, heap); |
12404 | | if (ret != 0) |
12405 | | return ret; |
12406 | | |
12407 | | /* Done with this identity. */ |
12408 | | len -= OPAQUE16_LEN + identityLen + OPAQUE32_LEN; |
12409 | | } |
12410 | | |
12411 | | /* Find the list of identities sent to server. */ |
12412 | | extension = TLSX_Find(*extensions, TLSX_PRE_SHARED_KEY); |
12413 | | if (extension == NULL) |
12414 | | return PSK_KEY_ERROR; |
12415 | | list = (PreSharedKey*)extension->data; |
12416 | | |
12417 | | /* Length of binders. */ |
12418 | | if (idx + OPAQUE16_LEN > length) |
12419 | | return BUFFER_E; |
12420 | | ato16(input + idx, &len); |
12421 | | idx += OPAQUE16_LEN; |
12422 | | if (len < MIN_PSK_BINDERS_LEN || length - idx < len) |
12423 | | return BUFFER_E; |
12424 | | |
12425 | | /* Set binder for each identity. */ |
12426 | | while (list != NULL && len > 0) { |
12427 | | /* Length of binder */ |
12428 | | list->binderLen = input[idx++]; |
12429 | | if (list->binderLen < WC_SHA256_DIGEST_SIZE || |
12430 | | list->binderLen > WC_MAX_DIGEST_SIZE) |
12431 | | return BUFFER_E; |
12432 | | if (len < OPAQUE8_LEN + list->binderLen) |
12433 | | return BUFFER_E; |
12434 | | |
12435 | | /* Copy binder into static buffer. */ |
12436 | | XMEMCPY(list->binder, input + idx, list->binderLen); |
12437 | | idx += (word16)list->binderLen; |
12438 | | |
12439 | | /* Done with binder entry. */ |
12440 | | len -= OPAQUE8_LEN + (word16)list->binderLen; |
12441 | | |
12442 | | /* Next identity. */ |
12443 | | list = list->next; |
12444 | | } |
12445 | | if (list != NULL || len != 0) |
12446 | | return BUFFER_E; |
12447 | | |
12448 | | return 0; |
12449 | | |
12450 | | } |
12451 | | |
12452 | | /* Parse the pre-shared key extension. |
12453 | | * Different formats in different messages. |
12454 | | * |
12455 | | * ssl The SSL/TLS object. |
12456 | | * input The extension data. |
12457 | | * length The length of the extension data. |
12458 | | * msgType The type of the message this extension is being parsed from. |
12459 | | * returns 0 on success and other values indicate failure. |
12460 | | */ |
12461 | | static int TLSX_PreSharedKey_Parse(WOLFSSL* ssl, const byte* input, |
12462 | | word16 length, byte msgType) |
12463 | | { |
12464 | | |
12465 | | if (msgType == client_hello) { |
12466 | | return TLSX_PreSharedKey_Parse_ClientHello(&ssl->extensions, input, |
12467 | | length, ssl->heap); |
12468 | | } |
12469 | | |
12470 | | if (msgType == server_hello) { |
12471 | | word16 idx; |
12472 | | PreSharedKey* list; |
12473 | | TLSX* extension; |
12474 | | |
12475 | | /* Index of identity chosen by server. */ |
12476 | | if (length != OPAQUE16_LEN) |
12477 | | return BUFFER_E; |
12478 | | ato16(input, &idx); |
12479 | | |
12480 | | #ifdef WOLFSSL_EARLY_DATA |
12481 | | ssl->options.pskIdIndex = idx + 1; |
12482 | | #endif |
12483 | | |
12484 | | /* Find the list of identities sent to server. */ |
12485 | | extension = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY); |
12486 | | if (extension == NULL) |
12487 | | return INCOMPLETE_DATA; |
12488 | | list = (PreSharedKey*)extension->data; |
12489 | | |
12490 | | /* Mark the identity as chosen. */ |
12491 | | for (; list != NULL && idx > 0; idx--) |
12492 | | list = list->next; |
12493 | | if (list == NULL) { |
12494 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
12495 | | return PSK_KEY_ERROR; |
12496 | | } |
12497 | | list->chosen = 1; |
12498 | | |
12499 | | if (list->resumption) { |
12500 | | /* Check that the session's details are the same as the server's. */ |
12501 | | if (ssl->options.cipherSuite0 != ssl->session->cipherSuite0 || |
12502 | | ssl->options.cipherSuite != ssl->session->cipherSuite || |
12503 | | ssl->session->version.major != ssl->ctx->method->version.major || |
12504 | | ssl->session->version.minor != ssl->ctx->method->version.minor) { |
12505 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
12506 | | return PSK_KEY_ERROR; |
12507 | | } |
12508 | | } |
12509 | | |
12510 | | return 0; |
12511 | | } |
12512 | | |
12513 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12514 | | return SANITY_MSG_E; |
12515 | | } |
12516 | | |
12517 | | /* Create a new pre-shared key and put it into the list. |
12518 | | * |
12519 | | * list The linked list of pre-shared key. |
12520 | | * identity The identity. |
12521 | | * len The length of the identity data. |
12522 | | * heap The memory to allocate with. |
12523 | | * preSharedKey The new pre-shared key object. |
12524 | | * returns 0 on success and other values indicate failure. |
12525 | | */ |
12526 | | static int TLSX_PreSharedKey_New(PreSharedKey** list, const byte* identity, |
12527 | | word16 len, void *heap, |
12528 | | PreSharedKey** preSharedKey) |
12529 | | { |
12530 | | PreSharedKey* psk; |
12531 | | PreSharedKey** next; |
12532 | | |
12533 | | psk = (PreSharedKey*)XMALLOC(sizeof(PreSharedKey), heap, DYNAMIC_TYPE_TLSX); |
12534 | | if (psk == NULL) |
12535 | | return MEMORY_E; |
12536 | | XMEMSET(psk, 0, sizeof(*psk)); |
12537 | | |
12538 | | /* Make a copy of the identity data. */ |
12539 | | psk->identity = (byte*)XMALLOC(len + NULL_TERM_LEN, heap, |
12540 | | DYNAMIC_TYPE_TLSX); |
12541 | | if (psk->identity == NULL) { |
12542 | | XFREE(psk, heap, DYNAMIC_TYPE_TLSX); |
12543 | | return MEMORY_E; |
12544 | | } |
12545 | | XMEMCPY(psk->identity, identity, len); |
12546 | | psk->identityLen = len; |
12547 | | /* Use a NULL terminator in case it is a C string */ |
12548 | | psk->identity[psk->identityLen] = '\0'; |
12549 | | |
12550 | | /* Add it to the end and maintain the links. */ |
12551 | | while (*list != NULL) { |
12552 | | /* Assign to temporary to work around compiler bug found by customer. */ |
12553 | | next = &((*list)->next); |
12554 | | list = next; |
12555 | | } |
12556 | | *list = psk; |
12557 | | *preSharedKey = psk; |
12558 | | |
12559 | | (void)heap; |
12560 | | |
12561 | | return 0; |
12562 | | } |
12563 | | |
12564 | | static WC_INLINE byte GetHmacLength(int hmac) |
12565 | | { |
12566 | | switch (hmac) { |
12567 | | #ifndef NO_SHA256 |
12568 | | case sha256_mac: |
12569 | | return WC_SHA256_DIGEST_SIZE; |
12570 | | #endif |
12571 | | #ifdef WOLFSSL_SHA384 |
12572 | | case sha384_mac: |
12573 | | return WC_SHA384_DIGEST_SIZE; |
12574 | | #endif |
12575 | | #ifdef WOLFSSL_SHA512 |
12576 | | case sha512_mac: |
12577 | | return WC_SHA512_DIGEST_SIZE; |
12578 | | #endif |
12579 | | #ifdef WOLFSSL_SM3 |
12580 | | case sm3_mac: |
12581 | | return WC_SM3_DIGEST_SIZE; |
12582 | | #endif |
12583 | | default: |
12584 | | break; |
12585 | | } |
12586 | | return 0; |
12587 | | } |
12588 | | |
12589 | | /* Use the data to create a new pre-shared key object in the extensions. |
12590 | | * |
12591 | | * ssl The SSL/TLS object. |
12592 | | * identity The identity. |
12593 | | * len The length of the identity data. |
12594 | | * age The age of the identity. |
12595 | | * hmac The HMAC algorithm. |
12596 | | * cipherSuite0 The first byte of the cipher suite to use. |
12597 | | * cipherSuite The second byte of the cipher suite to use. |
12598 | | * resumption The PSK is for resumption of a session. |
12599 | | * preSharedKey The new pre-shared key object. |
12600 | | * returns 0 on success and other values indicate failure. |
12601 | | */ |
12602 | | int TLSX_PreSharedKey_Use(TLSX** extensions, const byte* identity, word16 len, |
12603 | | word32 age, byte hmac, byte cipherSuite0, |
12604 | | byte cipherSuite, byte resumption, |
12605 | | PreSharedKey **preSharedKey, void* heap) |
12606 | | { |
12607 | | int ret = 0; |
12608 | | TLSX* extension; |
12609 | | PreSharedKey* psk = NULL; |
12610 | | |
12611 | | /* Find the pre-shared key extension if it exists. */ |
12612 | | extension = TLSX_Find(*extensions, TLSX_PRE_SHARED_KEY); |
12613 | | if (extension == NULL) { |
12614 | | /* Push new pre-shared key extension. */ |
12615 | | ret = TLSX_Push(extensions, TLSX_PRE_SHARED_KEY, NULL, heap); |
12616 | | if (ret != 0) |
12617 | | return ret; |
12618 | | |
12619 | | extension = TLSX_Find(*extensions, TLSX_PRE_SHARED_KEY); |
12620 | | if (extension == NULL) |
12621 | | return MEMORY_E; |
12622 | | } |
12623 | | |
12624 | | /* Try to find the pre-shared key with this identity. */ |
12625 | | psk = (PreSharedKey*)extension->data; |
12626 | | while (psk != NULL) { |
12627 | | if ((psk->identityLen == len) && |
12628 | | (XMEMCMP(psk->identity, identity, len) == 0)) { |
12629 | | break; |
12630 | | } |
12631 | | psk = psk->next; |
12632 | | } |
12633 | | |
12634 | | /* Create a new pre-shared key object if not found. */ |
12635 | | if (psk == NULL) { |
12636 | | ret = TLSX_PreSharedKey_New((PreSharedKey**)&extension->data, identity, |
12637 | | len, heap, &psk); |
12638 | | if (ret != 0) |
12639 | | return ret; |
12640 | | } |
12641 | | |
12642 | | /* Update/set age and HMAC algorithm. */ |
12643 | | psk->ticketAge = age; |
12644 | | psk->hmac = hmac; |
12645 | | psk->cipherSuite0 = cipherSuite0; |
12646 | | psk->cipherSuite = cipherSuite; |
12647 | | psk->resumption = resumption; |
12648 | | psk->binderLen = GetHmacLength(psk->hmac); |
12649 | | |
12650 | | if (preSharedKey != NULL) |
12651 | | *preSharedKey = psk; |
12652 | | |
12653 | | return 0; |
12654 | | } |
12655 | | |
12656 | | #define PSK_FREE_ALL TLSX_PreSharedKey_FreeAll |
12657 | | #define PSK_GET_SIZE TLSX_PreSharedKey_GetSize |
12658 | | #define PSK_WRITE TLSX_PreSharedKey_Write |
12659 | | #define PSK_PARSE TLSX_PreSharedKey_Parse |
12660 | | |
12661 | | #else |
12662 | | |
12663 | | #define PSK_FREE_ALL(a, b) WC_DO_NOTHING |
12664 | | #define PSK_GET_SIZE(a, b, c) 0 |
12665 | | #define PSK_WRITE(a, b, c, d) 0 |
12666 | | #define PSK_PARSE(a, b, c, d) 0 |
12667 | | |
12668 | | #endif |
12669 | | |
12670 | | /******************************************************************************/ |
12671 | | /* Certificate Authentication with External Pre-Shared Key */ |
12672 | | /******************************************************************************/ |
12673 | | |
12674 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \ |
12675 | | !defined(NO_PSK) |
12676 | | |
12677 | | static int TLSX_CertWithExternPsk_GetSize(byte msgType, word16* pSz) |
12678 | | { |
12679 | | (void)msgType; |
12680 | | (void)pSz; |
12681 | | /* Zero-length extension - nothing to add. */ |
12682 | | return 0; |
12683 | | } |
12684 | | |
12685 | | static int TLSX_CertWithExternPsk_Write(byte* output, byte msgType, |
12686 | | word16* pSz) |
12687 | | { |
12688 | | (void)output; |
12689 | | (void)msgType; |
12690 | | (void)pSz; |
12691 | | /* Zero-length extension - nothing to write. */ |
12692 | | return 0; |
12693 | | } |
12694 | | |
12695 | | static int TLSX_CertWithExternPsk_Parse(WOLFSSL* ssl, byte msgType) |
12696 | | { |
12697 | | if (msgType == client_hello) { |
12698 | | /* Server has not opted in - treat the extension as unknown. */ |
12699 | | if (!ssl->options.certWithExternPsk) |
12700 | | return 0; |
12701 | | /* Record that the client offered the extension, leaving resp=0. |
12702 | | * CheckPreSharedKeys() is the sole writer that flips resp to 1, and |
12703 | | * only after confirming that a non-ticket PSK was matched. */ |
12704 | | if (TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) == NULL) { |
12705 | | return TLSX_Push(&ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK, |
12706 | | NULL, ssl->heap); |
12707 | | } |
12708 | | return 0; |
12709 | | } |
12710 | | |
12711 | | if (msgType == server_hello) { |
12712 | | if (TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) == NULL) { |
12713 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
12714 | | return EXT_NOT_ALLOWED; |
12715 | | } |
12716 | | ssl->options.certWithExternPsk = 1; |
12717 | | return 0; |
12718 | | } |
12719 | | |
12720 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12721 | | return SANITY_MSG_E; |
12722 | | } |
12723 | | |
12724 | | int TLSX_CertWithExternPsk_Use(WOLFSSL* ssl) |
12725 | | { |
12726 | | TLSX* extension = TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK); |
12727 | | |
12728 | | if (extension == NULL) { |
12729 | | int ret = TLSX_Push(&ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK, NULL, |
12730 | | ssl->heap); |
12731 | | if (ret != 0) |
12732 | | return ret; |
12733 | | extension = TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK); |
12734 | | if (extension == NULL) |
12735 | | return MEMORY_E; |
12736 | | } |
12737 | | extension->resp = 1; |
12738 | | return 0; |
12739 | | } |
12740 | | |
12741 | | #define PSK_WITH_CERT_GET_SIZE TLSX_CertWithExternPsk_GetSize |
12742 | | #define PSK_WITH_CERT_WRITE TLSX_CertWithExternPsk_Write |
12743 | | #define PSK_WITH_CERT_PARSE TLSX_CertWithExternPsk_Parse |
12744 | | |
12745 | | #else |
12746 | | |
12747 | | #define PSK_WITH_CERT_GET_SIZE(a, b) 0 |
12748 | | #define PSK_WITH_CERT_WRITE(a, b, c) 0 |
12749 | | #define PSK_WITH_CERT_PARSE(a, b) 0 |
12750 | | |
12751 | | #endif /* WOLFSSL_TLS13 && WOLFSSL_CERT_WITH_EXTERN_PSK */ |
12752 | | |
12753 | | /******************************************************************************/ |
12754 | | /* PSK Key Exchange Modes */ |
12755 | | /******************************************************************************/ |
12756 | | |
12757 | | #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) |
12758 | | /* Get the size of the encoded PSK KE modes extension. |
12759 | | * Only in ClientHello. |
12760 | | * |
12761 | | * modes The PSK KE mode bit string. |
12762 | | * msgType The type of the message this extension is being written into. |
12763 | | * returns the number of bytes of the encoded PSK KE mode extension. |
12764 | | */ |
12765 | | static int TLSX_PskKeModes_GetSize(byte modes, byte msgType, word16* pSz) |
12766 | | { |
12767 | | if (msgType == client_hello) { |
12768 | | /* Format: Len | Modes* */ |
12769 | | word16 len = OPAQUE8_LEN; |
12770 | | /* Check whether each possible mode is to be written. */ |
12771 | | if (modes & (1 << PSK_KE)) |
12772 | | len += OPAQUE8_LEN; |
12773 | | if (modes & (1 << PSK_DHE_KE)) |
12774 | | len += OPAQUE8_LEN; |
12775 | | *pSz += len; |
12776 | | return 0; |
12777 | | } |
12778 | | |
12779 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12780 | | return SANITY_MSG_E; |
12781 | | } |
12782 | | |
12783 | | /* Writes the PSK KE modes extension into the output buffer. |
12784 | | * Assumes that the the output buffer is big enough to hold data. |
12785 | | * Only in ClientHello. |
12786 | | * |
12787 | | * modes The PSK KE mode bit string. |
12788 | | * output The buffer to write into. |
12789 | | * msgType The type of the message this extension is being written into. |
12790 | | * returns the number of bytes written into the buffer. |
12791 | | */ |
12792 | | static int TLSX_PskKeModes_Write(byte modes, byte* output, byte msgType, |
12793 | | word16* pSz) |
12794 | | { |
12795 | | if (msgType == client_hello) { |
12796 | | /* Format: Len | Modes* */ |
12797 | | word16 idx = OPAQUE8_LEN; |
12798 | | |
12799 | | /* Write out each possible mode. */ |
12800 | | if (modes & (1 << PSK_KE)) |
12801 | | output[idx++] = PSK_KE; |
12802 | | if (modes & (1 << PSK_DHE_KE)) |
12803 | | output[idx++] = PSK_DHE_KE; |
12804 | | /* Write out length of mode list. */ |
12805 | | output[0] = (byte)(idx - OPAQUE8_LEN); |
12806 | | |
12807 | | *pSz += idx; |
12808 | | return 0; |
12809 | | } |
12810 | | |
12811 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12812 | | return SANITY_MSG_E; |
12813 | | } |
12814 | | |
12815 | | int TLSX_PskKeyModes_Parse_Modes(const byte* input, word16 length, byte msgType, |
12816 | | byte* modes) |
12817 | | { |
12818 | | if (msgType == client_hello) { |
12819 | | /* Format: Len | Modes* */ |
12820 | | int idx = 0; |
12821 | | word16 len; |
12822 | | *modes = 0; |
12823 | | |
12824 | | /* Ensure length byte exists. */ |
12825 | | if (length < OPAQUE8_LEN) |
12826 | | return BUFFER_E; |
12827 | | |
12828 | | /* Get length of mode list and ensure that is the only data. */ |
12829 | | len = input[0]; |
12830 | | if (length - OPAQUE8_LEN != len) |
12831 | | return BUFFER_E; |
12832 | | |
12833 | | idx = OPAQUE8_LEN; |
12834 | | /* Set a bit for each recognized modes. */ |
12835 | | while (len > 0) { |
12836 | | /* Ignore unrecognized modes. */ |
12837 | | if (input[idx] <= PSK_DHE_KE) |
12838 | | *modes |= 1 << input[idx]; |
12839 | | idx++; |
12840 | | len--; |
12841 | | } |
12842 | | return 0; |
12843 | | } |
12844 | | |
12845 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12846 | | return SANITY_MSG_E; |
12847 | | } |
12848 | | |
12849 | | /* Parse the PSK KE modes extension. |
12850 | | * Only in ClientHello. |
12851 | | * |
12852 | | * ssl The SSL/TLS object. |
12853 | | * input The extension data. |
12854 | | * length The length of the extension data. |
12855 | | * msgType The type of the message this extension is being parsed from. |
12856 | | * returns 0 on success and other values indicate failure. |
12857 | | */ |
12858 | | static int TLSX_PskKeModes_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
12859 | | byte msgType) |
12860 | | { |
12861 | | int ret; |
12862 | | byte modes; |
12863 | | |
12864 | | ret = TLSX_PskKeyModes_Parse_Modes(input, length, msgType, &modes); |
12865 | | if (ret == 0) |
12866 | | ret = TLSX_PskKeyModes_Use(ssl, modes); |
12867 | | |
12868 | | if (ret != 0) { |
12869 | | WOLFSSL_ERROR_VERBOSE(ret); |
12870 | | } |
12871 | | |
12872 | | return ret; |
12873 | | } |
12874 | | |
12875 | | /* Use the data to create a new PSK Key Exchange Modes object in the extensions. |
12876 | | * |
12877 | | * ssl The SSL/TLS object. |
12878 | | * modes The PSK key exchange modes. |
12879 | | * returns 0 on success and other values indicate failure. |
12880 | | */ |
12881 | | int TLSX_PskKeyModes_Use(WOLFSSL* ssl, byte modes) |
12882 | | { |
12883 | | int ret = 0; |
12884 | | TLSX* extension; |
12885 | | |
12886 | | /* Find the PSK key exchange modes extension if it exists. */ |
12887 | | extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES); |
12888 | | if (extension == NULL) { |
12889 | | /* Push new PSK key exchange modes extension. */ |
12890 | | ret = TLSX_Push(&ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES, NULL, |
12891 | | ssl->heap); |
12892 | | if (ret != 0) |
12893 | | return ret; |
12894 | | |
12895 | | extension = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES); |
12896 | | if (extension == NULL) |
12897 | | return MEMORY_E; |
12898 | | } |
12899 | | |
12900 | | extension->val = modes; |
12901 | | |
12902 | | return 0; |
12903 | | } |
12904 | | |
12905 | | #define PKM_GET_SIZE TLSX_PskKeModes_GetSize |
12906 | | #define PKM_WRITE TLSX_PskKeModes_Write |
12907 | | #define PKM_PARSE TLSX_PskKeModes_Parse |
12908 | | |
12909 | | #else |
12910 | | |
12911 | | #define PKM_GET_SIZE(a, b, c) 0 |
12912 | | #define PKM_WRITE(a, b, c, d) 0 |
12913 | | #define PKM_PARSE(a, b, c, d) 0 |
12914 | | |
12915 | | #endif |
12916 | | |
12917 | | /******************************************************************************/ |
12918 | | /* Post-Handshake Authentication */ |
12919 | | /******************************************************************************/ |
12920 | | |
12921 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) |
12922 | | /* Get the size of the encoded Post-Handshake Authentication extension. |
12923 | | * Only in ClientHello. |
12924 | | * |
12925 | | * msgType The type of the message this extension is being written into. |
12926 | | * returns the number of bytes of the encoded Post-Handshake Authentication |
12927 | | * extension. |
12928 | | */ |
12929 | | static int TLSX_PostHandAuth_GetSize(byte msgType, word16* pSz) |
12930 | | { |
12931 | | if (msgType == client_hello) { |
12932 | | *pSz += 0; |
12933 | | return 0; |
12934 | | } |
12935 | | |
12936 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12937 | | return SANITY_MSG_E; |
12938 | | } |
12939 | | |
12940 | | /* Writes the Post-Handshake Authentication extension into the output buffer. |
12941 | | * Assumes that the the output buffer is big enough to hold data. |
12942 | | * Only in ClientHello. |
12943 | | * |
12944 | | * output The buffer to write into. |
12945 | | * msgType The type of the message this extension is being written into. |
12946 | | * returns the number of bytes written into the buffer. |
12947 | | */ |
12948 | | static int TLSX_PostHandAuth_Write(byte* output, byte msgType, word16* pSz) |
12949 | | { |
12950 | | (void)output; |
12951 | | |
12952 | | if (msgType == client_hello) { |
12953 | | *pSz += 0; |
12954 | | return 0; |
12955 | | } |
12956 | | |
12957 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12958 | | return SANITY_MSG_E; |
12959 | | } |
12960 | | |
12961 | | /* Parse the Post-Handshake Authentication extension. |
12962 | | * Only in ClientHello. |
12963 | | * |
12964 | | * ssl The SSL/TLS object. |
12965 | | * input The extension data. |
12966 | | * length The length of the extension data. |
12967 | | * msgType The type of the message this extension is being parsed from. |
12968 | | * returns 0 on success and other values indicate failure. |
12969 | | */ |
12970 | | static int TLSX_PostHandAuth_Parse(WOLFSSL* ssl, const byte* input, |
12971 | | word16 length, byte msgType) |
12972 | | { |
12973 | | (void)input; |
12974 | | |
12975 | | if (msgType == client_hello) { |
12976 | | /* Ensure extension is empty. */ |
12977 | | if (length != 0) |
12978 | | return BUFFER_E; |
12979 | | |
12980 | | ssl->options.postHandshakeAuth = 1; |
12981 | | return 0; |
12982 | | } |
12983 | | |
12984 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
12985 | | return SANITY_MSG_E; |
12986 | | } |
12987 | | |
12988 | | /* Create a new Post-handshake authentication object in the extensions. |
12989 | | * |
12990 | | * ssl The SSL/TLS object. |
12991 | | * returns 0 on success and other values indicate failure. |
12992 | | */ |
12993 | | static int TLSX_PostHandAuth_Use(WOLFSSL* ssl) |
12994 | | { |
12995 | | int ret = 0; |
12996 | | TLSX* extension; |
12997 | | |
12998 | | /* Find the PSK key exchange modes extension if it exists. */ |
12999 | | extension = TLSX_Find(ssl->extensions, TLSX_POST_HANDSHAKE_AUTH); |
13000 | | if (extension == NULL) { |
13001 | | /* Push new Post-handshake Authentication extension. */ |
13002 | | ret = TLSX_Push(&ssl->extensions, TLSX_POST_HANDSHAKE_AUTH, NULL, |
13003 | | ssl->heap); |
13004 | | if (ret != 0) |
13005 | | return ret; |
13006 | | } |
13007 | | |
13008 | | return 0; |
13009 | | } |
13010 | | |
13011 | | #define PHA_GET_SIZE TLSX_PostHandAuth_GetSize |
13012 | | #define PHA_WRITE TLSX_PostHandAuth_Write |
13013 | | #define PHA_PARSE TLSX_PostHandAuth_Parse |
13014 | | |
13015 | | #else |
13016 | | |
13017 | | #define PHA_GET_SIZE(a, b) 0 |
13018 | | #define PHA_WRITE(a, b, c) 0 |
13019 | | #define PHA_PARSE(a, b, c, d) 0 |
13020 | | |
13021 | | #endif |
13022 | | |
13023 | | /******************************************************************************/ |
13024 | | /* Early Data Indication */ |
13025 | | /******************************************************************************/ |
13026 | | |
13027 | | #ifdef WOLFSSL_EARLY_DATA |
13028 | | /* Get the size of the encoded Early Data Indication extension. |
13029 | | * In messages: ClientHello, EncryptedExtensions and NewSessionTicket. |
13030 | | * |
13031 | | * msgType The type of the message this extension is being written into. |
13032 | | * returns the number of bytes of the encoded Early Data Indication extension. |
13033 | | */ |
13034 | | static int TLSX_EarlyData_GetSize(byte msgType, word16* pSz) |
13035 | | { |
13036 | | int ret = 0; |
13037 | | |
13038 | | if (msgType == client_hello || msgType == encrypted_extensions) |
13039 | | *pSz += 0; |
13040 | | else if (msgType == session_ticket) |
13041 | | *pSz += OPAQUE32_LEN; |
13042 | | else { |
13043 | | ret = SANITY_MSG_E; |
13044 | | WOLFSSL_ERROR_VERBOSE(ret); |
13045 | | } |
13046 | | |
13047 | | return ret; |
13048 | | } |
13049 | | |
13050 | | /* Writes the Early Data Indicator extension into the output buffer. |
13051 | | * Assumes that the the output buffer is big enough to hold data. |
13052 | | * In messages: ClientHello, EncryptedExtensions and NewSessionTicket. |
13053 | | * |
13054 | | * maxSz The maximum early data size. |
13055 | | * output The buffer to write into. |
13056 | | * msgType The type of the message this extension is being written into. |
13057 | | * returns the number of bytes written into the buffer. |
13058 | | */ |
13059 | | static int TLSX_EarlyData_Write(word32 maxSz, byte* output, byte msgType, |
13060 | | word16* pSz) |
13061 | | { |
13062 | | if (msgType == client_hello || msgType == encrypted_extensions) |
13063 | | return 0; |
13064 | | else if (msgType == session_ticket) { |
13065 | | c32toa(maxSz, output); |
13066 | | *pSz += OPAQUE32_LEN; |
13067 | | return 0; |
13068 | | } |
13069 | | |
13070 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13071 | | return SANITY_MSG_E; |
13072 | | } |
13073 | | |
13074 | | /* Parse the Early Data Indicator extension. |
13075 | | * In messages: ClientHello, EncryptedExtensions and NewSessionTicket. |
13076 | | * |
13077 | | * ssl The SSL/TLS object. |
13078 | | * input The extension data. |
13079 | | * length The length of the extension data. |
13080 | | * msgType The type of the message this extension is being parsed from. |
13081 | | * returns 0 on success and other values indicate failure. |
13082 | | */ |
13083 | | static int TLSX_EarlyData_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
13084 | | byte msgType) |
13085 | | { |
13086 | | WOLFSSL_ENTER("TLSX_EarlyData_Parse"); |
13087 | | if (msgType == client_hello) { |
13088 | | if (length != 0) |
13089 | | return BUFFER_E; |
13090 | | |
13091 | | if (ssl->earlyData == expecting_early_data) { |
13092 | | |
13093 | | if (ssl->options.maxEarlyDataSz != 0) |
13094 | | ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; |
13095 | | else |
13096 | | ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_REJECTED; |
13097 | | |
13098 | | return TLSX_EarlyData_Use(ssl, 0, 0); |
13099 | | } |
13100 | | ssl->earlyData = early_data_ext; |
13101 | | |
13102 | | return 0; |
13103 | | } |
13104 | | if (msgType == encrypted_extensions) { |
13105 | | if (length != 0) |
13106 | | return BUFFER_E; |
13107 | | |
13108 | | /* Ensure the index of PSK identity chosen by server is 0. |
13109 | | * Index is plus one to handle 'not set' value of 0. |
13110 | | */ |
13111 | | if (ssl->options.pskIdIndex != 1) { |
13112 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
13113 | | return PSK_KEY_ERROR; |
13114 | | } |
13115 | | |
13116 | | if (ssl->options.side == WOLFSSL_CLIENT_END) { |
13117 | | /* the extension from server comes in */ |
13118 | | ssl->earlyDataStatus = WOLFSSL_EARLY_DATA_ACCEPTED; |
13119 | | } |
13120 | | |
13121 | | return TLSX_EarlyData_Use(ssl, 1, 1); |
13122 | | } |
13123 | | if (msgType == session_ticket) { |
13124 | | word32 maxSz; |
13125 | | |
13126 | | if (length != OPAQUE32_LEN) |
13127 | | return BUFFER_E; |
13128 | | ato32(input, &maxSz); |
13129 | | |
13130 | | ssl->session->maxEarlyDataSz = maxSz; |
13131 | | return 0; |
13132 | | } |
13133 | | |
13134 | | WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E); |
13135 | | return SANITY_MSG_E; |
13136 | | } |
13137 | | |
13138 | | /* Use the data to create a new Early Data object in the extensions. |
13139 | | * |
13140 | | * ssl The SSL/TLS object. |
13141 | | * maxSz The maximum early data size. |
13142 | | * is_response if this extension is part of a response |
13143 | | * returns 0 on success and other values indicate failure. |
13144 | | */ |
13145 | | int TLSX_EarlyData_Use(WOLFSSL* ssl, word32 maxSz, int is_response) |
13146 | | { |
13147 | | int ret = 0; |
13148 | | TLSX* extension; |
13149 | | |
13150 | | /* Find the early data extension if it exists. */ |
13151 | | extension = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA); |
13152 | | if (extension == NULL) { |
13153 | | /* Push new early data extension. */ |
13154 | | ret = TLSX_Push(&ssl->extensions, TLSX_EARLY_DATA, NULL, ssl->heap); |
13155 | | if (ret != 0) |
13156 | | return ret; |
13157 | | |
13158 | | extension = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA); |
13159 | | if (extension == NULL) |
13160 | | return MEMORY_E; |
13161 | | } |
13162 | | |
13163 | | extension->resp = is_response; |
13164 | | /* In QUIC, earlydata size is either 0 or 0xffffffff. |
13165 | | * Override any size between, possibly left from our initial value */ |
13166 | | extension->val = (WOLFSSL_IS_QUIC(ssl) && is_response && maxSz > 0) ? |
13167 | | WOLFSSL_MAX_32BIT : maxSz; |
13168 | | |
13169 | | return 0; |
13170 | | } |
13171 | | |
13172 | | #define EDI_GET_SIZE TLSX_EarlyData_GetSize |
13173 | | #define EDI_WRITE TLSX_EarlyData_Write |
13174 | | #define EDI_PARSE TLSX_EarlyData_Parse |
13175 | | |
13176 | | #else |
13177 | | |
13178 | | #define EDI_GET_SIZE(a, b) 0 |
13179 | | #define EDI_WRITE(a, b, c, d) 0 |
13180 | | #define EDI_PARSE(a, b, c, d) 0 |
13181 | | |
13182 | | #endif |
13183 | | |
13184 | | /******************************************************************************/ |
13185 | | /* QUIC transport parameter extension */ |
13186 | | /******************************************************************************/ |
13187 | | #ifdef WOLFSSL_QUIC |
13188 | | |
13189 | | static word16 TLSX_QuicTP_GetSize(TLSX* extension) |
13190 | | { |
13191 | | const QuicTransportParam *tp = (QuicTransportParam*)extension->data; |
13192 | | |
13193 | | return tp ? tp->len : 0; |
13194 | | } |
13195 | | |
13196 | | int TLSX_QuicTP_Use(WOLFSSL* ssl, TLSX_Type ext_type, int is_response) |
13197 | | { |
13198 | | int ret = 0; |
13199 | | TLSX* extension; |
13200 | | |
13201 | | WOLFSSL_ENTER("TLSX_QuicTP_Use"); |
13202 | | if (ssl->quic.transport_local == NULL) { |
13203 | | /* RFC9000, ch 7.3: "An endpoint MUST treat the absence of [...] |
13204 | | * from either endpoint [...] as a connection error of type |
13205 | | * TRANSPORT_PARAMETER_ERROR." |
13206 | | */ |
13207 | | ret = QUIC_TP_MISSING_E; |
13208 | | goto cleanup; |
13209 | | } |
13210 | | |
13211 | | extension = TLSX_Find(ssl->extensions, ext_type); |
13212 | | if (extension == NULL) { |
13213 | | ret = TLSX_Push(&ssl->extensions, ext_type, NULL, ssl->heap); |
13214 | | if (ret != 0) |
13215 | | goto cleanup; |
13216 | | |
13217 | | extension = TLSX_Find(ssl->extensions, ext_type); |
13218 | | if (extension == NULL) { |
13219 | | ret = MEMORY_E; |
13220 | | goto cleanup; |
13221 | | } |
13222 | | } |
13223 | | if (extension->data) { |
13224 | | QuicTransportParam_free((QuicTransportParam*)extension->data, ssl->heap); |
13225 | | extension->data = NULL; |
13226 | | } |
13227 | | extension->resp = is_response; |
13228 | | extension->data = (void*)QuicTransportParam_dup(ssl->quic.transport_local, ssl->heap); |
13229 | | if (!extension->data) { |
13230 | | ret = MEMORY_E; |
13231 | | goto cleanup; |
13232 | | } |
13233 | | |
13234 | | cleanup: |
13235 | | WOLFSSL_LEAVE("TLSX_QuicTP_Use", ret); |
13236 | | return ret; |
13237 | | } |
13238 | | |
13239 | | static word16 TLSX_QuicTP_Write(QuicTransportParam *tp, byte* output) |
13240 | | { |
13241 | | word16 len = 0; |
13242 | | |
13243 | | WOLFSSL_ENTER("TLSX_QuicTP_Write"); |
13244 | | if (tp && tp->len) { |
13245 | | XMEMCPY(output, tp->data, tp->len); |
13246 | | len = tp->len; |
13247 | | } |
13248 | | WOLFSSL_LEAVE("TLSX_QuicTP_Write", len); |
13249 | | return len; |
13250 | | } |
13251 | | |
13252 | | static int TLSX_QuicTP_Parse(WOLFSSL *ssl, const byte *input, size_t len, int ext_type, int msgType) |
13253 | | { |
13254 | | const QuicTransportParam *tp, **ptp; |
13255 | | |
13256 | | (void)msgType; |
13257 | | tp = QuicTransportParam_new(input, len, ssl->heap); |
13258 | | if (!tp) { |
13259 | | return MEMORY_E; |
13260 | | } |
13261 | | ptp = (ext_type == TLSX_KEY_QUIC_TP_PARAMS_DRAFT) ? |
13262 | | &ssl->quic.transport_peer_draft : &ssl->quic.transport_peer; |
13263 | | if (*ptp) { |
13264 | | QTP_FREE(*ptp, ssl->heap); |
13265 | | } |
13266 | | *ptp = tp; |
13267 | | return 0; |
13268 | | } |
13269 | | |
13270 | | #define QTP_GET_SIZE TLSX_QuicTP_GetSize |
13271 | | #define QTP_USE TLSX_QuicTP_Use |
13272 | | #define QTP_WRITE TLSX_QuicTP_Write |
13273 | | #define QTP_PARSE TLSX_QuicTP_Parse |
13274 | | |
13275 | | #endif /* WOLFSSL_QUIC */ |
13276 | | |
13277 | | #if defined(WOLFSSL_DTLS_CID) |
13278 | | #define CID_GET_SIZE TLSX_ConnectionID_GetSize |
13279 | | #define CID_WRITE TLSX_ConnectionID_Write |
13280 | | #define CID_PARSE TLSX_ConnectionID_Parse |
13281 | | #define CID_FREE TLSX_ConnectionID_Free |
13282 | | #else |
13283 | | #define CID_GET_SIZE(a) 0 |
13284 | | #define CID_WRITE(a, b) 0 |
13285 | | #define CID_PARSE(a, b, c, d) 0 |
13286 | | #define CID_FREE(a, b) 0 |
13287 | | #endif /* defined(WOLFSSL_DTLS_CID) */ |
13288 | | |
13289 | | #if defined(HAVE_RPK) |
13290 | | /******************************************************************************/ |
13291 | | /* Client_Certificate_Type extension */ |
13292 | | /******************************************************************************/ |
13293 | | /* return 1 if specified type is included in the given list, otherwise 0 */ |
13294 | | static int IsCertTypeListed(byte type, byte cnt, const byte* list) |
13295 | | { |
13296 | | int ret = 0; |
13297 | | int i; |
13298 | | |
13299 | | if (cnt == 0 || list == NULL) |
13300 | | return ret; |
13301 | | |
13302 | | if (cnt > 0 && cnt <= MAX_CLIENT_CERT_TYPE_CNT) { |
13303 | | for (i = 0; i < cnt; i++) { |
13304 | | if (list[i] == type) |
13305 | | return 1; |
13306 | | } |
13307 | | } |
13308 | | return 0; |
13309 | | } |
13310 | | |
13311 | | /* Search both arrays from above to find a common value between the two given |
13312 | | * arrays(a and b). return 1 if it finds a common value, otherwise return 0. |
13313 | | */ |
13314 | | static int GetCommonItem(const byte* a, byte aLen, const byte* b, byte bLen, |
13315 | | byte* type) |
13316 | | { |
13317 | | int i, j; |
13318 | | |
13319 | | if (a == NULL || b == NULL) |
13320 | | return 0; |
13321 | | |
13322 | | for (i = 0; i < aLen; i++) { |
13323 | | for (j = 0; j < bLen; j++) { |
13324 | | if (a[i] == b[j]) { |
13325 | | *type = a[i]; |
13326 | | return 1; |
13327 | | } |
13328 | | } |
13329 | | } |
13330 | | return 0; |
13331 | | } |
13332 | | |
13333 | | /* Creates a "client certificate type" extension if necessary. |
13334 | | * Returns 0 if no error occurred, negative value otherwise. |
13335 | | * A return of 0, it does not indicae that the extension was created. |
13336 | | */ |
13337 | | static int TLSX_ClientCertificateType_Use(WOLFSSL* ssl, byte isServer) |
13338 | | { |
13339 | | int ret = 0; |
13340 | | |
13341 | | if (ssl == NULL) |
13342 | | return BAD_FUNC_ARG; |
13343 | | |
13344 | | if (isServer) { |
13345 | | /* [in server side] |
13346 | | */ |
13347 | | |
13348 | | if (IsCertTypeListed(WOLFSSL_CERT_TYPE_RPK, |
13349 | | ssl->options.rpkConfig.preferred_ClientCertTypeCnt, |
13350 | | ssl->options.rpkConfig.preferred_ClientCertTypes)) { |
13351 | | |
13352 | | WOLFSSL_MSG("Adding Client Certificate Type extension"); |
13353 | | ret = TLSX_Push(&ssl->extensions, TLSX_CLIENT_CERTIFICATE_TYPE, ssl, |
13354 | | ssl->heap); |
13355 | | if (ret == 0) { |
13356 | | TLSX_SetResponse(ssl, TLSX_CLIENT_CERTIFICATE_TYPE); |
13357 | | } |
13358 | | } |
13359 | | } |
13360 | | else { |
13361 | | /* [in client side] |
13362 | | * This extension MUST be omitted from the ClientHello unless the RPK |
13363 | | * certificate is preferred by the user and actually loaded. |
13364 | | */ |
13365 | | |
13366 | | if (IsCertTypeListed(WOLFSSL_CERT_TYPE_RPK, |
13367 | | ssl->options.rpkConfig.preferred_ClientCertTypeCnt, |
13368 | | ssl->options.rpkConfig.preferred_ClientCertTypes)) { |
13369 | | |
13370 | | if (ssl->options.rpkState.isRPKLoaded) { |
13371 | | |
13372 | | ssl->options.rpkState.sending_ClientCertTypeCnt = 1; |
13373 | | ssl->options.rpkState.sending_ClientCertTypes[0] = |
13374 | | WOLFSSL_CERT_TYPE_RPK; |
13375 | | |
13376 | | /* Push new client_certificate_type extension. */ |
13377 | | WOLFSSL_MSG("Adding Client Certificate Type extension"); |
13378 | | ret = TLSX_Push(&ssl->extensions, TLSX_CLIENT_CERTIFICATE_TYPE, |
13379 | | ssl, ssl->heap); |
13380 | | } |
13381 | | else { |
13382 | | WOLFSSL_MSG("Willing to use RPK cert but not loaded it"); |
13383 | | } |
13384 | | } |
13385 | | else { |
13386 | | WOLFSSL_MSG("No will to use RPK cert"); |
13387 | | } |
13388 | | } |
13389 | | return ret; |
13390 | | } |
13391 | | |
13392 | | /* Parse a "client certificate type" extension received from peer. |
13393 | | * returns 0 on success and other values indicate failure. |
13394 | | */ |
13395 | | static int TLSX_ClientCertificateType_Parse(WOLFSSL* ssl, const byte* input, |
13396 | | word16 length, byte msgType) |
13397 | | { |
13398 | | byte typeCnt; |
13399 | | int idx = 0; |
13400 | | int ret = 0; |
13401 | | int i; |
13402 | | int populate = 0; |
13403 | | byte cmnType; |
13404 | | |
13405 | | |
13406 | | if (msgType == client_hello) { |
13407 | | /* [parse ClientHello in server end] |
13408 | | * case 1) if peer verify is disabled, this extension must be omitted |
13409 | | * from ServerHello. |
13410 | | * case 2) if user have not set his preference, find X509 in parsed |
13411 | | * result, then populate "Client Certificate Type" extension. |
13412 | | * case 3) if user have not set his preference and X509 isn't included |
13413 | | * in parsed result, send "unsupported certificate" alert. |
13414 | | * case 4) if user have set his preference, find a common cert type |
13415 | | * in users preference and received cert types. |
13416 | | * case 5) if user have set his preference, but no common cert type |
13417 | | * found. |
13418 | | */ |
13419 | | |
13420 | | /* case 1 */ |
13421 | | if (ssl->options.verifyNone) { |
13422 | | return ret; |
13423 | | } |
13424 | | |
13425 | | /* parse extension */ |
13426 | | if (length < OPAQUE8_LEN) |
13427 | | return BUFFER_E; |
13428 | | |
13429 | | typeCnt = input[idx]; |
13430 | | |
13431 | | if (typeCnt > MAX_CLIENT_CERT_TYPE_CNT) |
13432 | | return BUFFER_E; |
13433 | | |
13434 | | if ((typeCnt + 1) * OPAQUE8_LEN != length){ |
13435 | | return BUFFER_E; |
13436 | | } |
13437 | | |
13438 | | ssl->options.rpkState.received_ClientCertTypeCnt = input[idx]; |
13439 | | idx += OPAQUE8_LEN; |
13440 | | |
13441 | | for (i = 0; i < typeCnt; i++) { |
13442 | | ssl->options.rpkState.received_ClientCertTypes[i] = input[idx]; |
13443 | | idx += OPAQUE8_LEN; |
13444 | | } |
13445 | | |
13446 | | if (ssl->options.rpkConfig.preferred_ClientCertTypeCnt == 0) { |
13447 | | /* case 2 */ |
13448 | | if (IsCertTypeListed(WOLFSSL_CERT_TYPE_X509, |
13449 | | ssl->options.rpkState.received_ClientCertTypeCnt, |
13450 | | ssl->options.rpkState.received_ClientCertTypes)) { |
13451 | | |
13452 | | ssl->options.rpkState.sending_ClientCertTypeCnt = 1; |
13453 | | ssl->options.rpkState.sending_ClientCertTypes[0] = |
13454 | | WOLFSSL_CERT_TYPE_X509; |
13455 | | populate = 1; |
13456 | | } |
13457 | | /* case 3 */ |
13458 | | else { |
13459 | | WOLFSSL_MSG("No common cert type found in client_certificate_type ext"); |
13460 | | SendAlert(ssl, alert_fatal, unsupported_certificate); |
13461 | | return UNSUPPORTED_CERTIFICATE; |
13462 | | } |
13463 | | } |
13464 | | else if (ssl->options.rpkConfig.preferred_ClientCertTypeCnt > 0) { |
13465 | | /* case 4 */ |
13466 | | if (GetCommonItem( |
13467 | | ssl->options.rpkConfig.preferred_ClientCertTypes, |
13468 | | ssl->options.rpkConfig.preferred_ClientCertTypeCnt, |
13469 | | ssl->options.rpkState.received_ClientCertTypes, |
13470 | | ssl->options.rpkState.received_ClientCertTypeCnt, |
13471 | | &cmnType)) { |
13472 | | ssl->options.rpkState.sending_ClientCertTypeCnt = 1; |
13473 | | ssl->options.rpkState.sending_ClientCertTypes[0] = cmnType; |
13474 | | populate = 1; |
13475 | | } |
13476 | | /* case 5 */ |
13477 | | else { |
13478 | | WOLFSSL_MSG("No common cert type found in client_certificate_type ext"); |
13479 | | SendAlert(ssl, alert_fatal, unsupported_certificate); |
13480 | | return UNSUPPORTED_CERTIFICATE; |
13481 | | } |
13482 | | } |
13483 | | |
13484 | | /* populate client_certificate_type extension */ |
13485 | | if (populate) { |
13486 | | WOLFSSL_MSG("Adding Client Certificate Type extension"); |
13487 | | ret = TLSX_Push(&ssl->extensions, TLSX_CLIENT_CERTIFICATE_TYPE, ssl, |
13488 | | ssl->heap); |
13489 | | if (ret == 0) { |
13490 | | TLSX_SetResponse(ssl, TLSX_CLIENT_CERTIFICATE_TYPE); |
13491 | | } |
13492 | | } |
13493 | | } |
13494 | | else if (msgType == server_hello || msgType == encrypted_extensions) { |
13495 | | /* parse it in client side */ |
13496 | | if (length == 1) { |
13497 | | ssl->options.rpkState.received_ClientCertTypeCnt = 1; |
13498 | | ssl->options.rpkState.received_ClientCertTypes[0] = *input; |
13499 | | } |
13500 | | else { |
13501 | | return BUFFER_E; |
13502 | | } |
13503 | | } |
13504 | | |
13505 | | return ret; |
13506 | | } |
13507 | | |
13508 | | /* Write out the "client certificate type" extension data into the given buffer. |
13509 | | * return the size wrote in the buffer on success, negative value on error. |
13510 | | */ |
13511 | | static word16 TLSX_ClientCertificateType_Write(void* data, byte* output, |
13512 | | byte msgType) |
13513 | | { |
13514 | | WOLFSSL* ssl = (WOLFSSL*)data; |
13515 | | word16 idx = 0; |
13516 | | byte cnt = 0; |
13517 | | int i; |
13518 | | |
13519 | | /* skip to write extension if count is zero */ |
13520 | | cnt = ssl->options.rpkState.sending_ClientCertTypeCnt; |
13521 | | |
13522 | | if (cnt == 0) |
13523 | | return 0; |
13524 | | |
13525 | | if (msgType == client_hello) { |
13526 | | /* client side */ |
13527 | | |
13528 | | *(output + idx) = cnt; |
13529 | | idx += OPAQUE8_LEN; |
13530 | | |
13531 | | for (i = 0; i < cnt; i++) { |
13532 | | *(output + idx) = ssl->options.rpkState.sending_ClientCertTypes[i]; |
13533 | | idx += OPAQUE8_LEN; |
13534 | | } |
13535 | | return idx; |
13536 | | } |
13537 | | else if (msgType == server_hello || msgType == encrypted_extensions) { |
13538 | | /* sever side */ |
13539 | | if (cnt == 1) { |
13540 | | *(output + idx) = ssl->options.rpkState.sending_ClientCertTypes[0]; |
13541 | | idx += OPAQUE8_LEN; |
13542 | | } |
13543 | | } |
13544 | | return idx; |
13545 | | } |
13546 | | |
13547 | | /* Calculate then return the size of the "client certificate type" extension |
13548 | | * data. |
13549 | | * return the extension data size on success, negative value on error. |
13550 | | */ |
13551 | | static int TLSX_ClientCertificateType_GetSize(WOLFSSL* ssl, byte msgType) |
13552 | | { |
13553 | | int ret = 0; |
13554 | | byte cnt; |
13555 | | |
13556 | | if (ssl == NULL) |
13557 | | return BAD_FUNC_ARG; |
13558 | | |
13559 | | if (msgType == client_hello) { |
13560 | | /* client side */ |
13561 | | cnt = ssl->options.rpkState.sending_ClientCertTypeCnt; |
13562 | | ret = (int)(OPAQUE8_LEN + cnt * OPAQUE8_LEN); |
13563 | | } |
13564 | | else if (msgType == server_hello || msgType == encrypted_extensions) { |
13565 | | /* server side */ |
13566 | | cnt = ssl->options.rpkState.sending_ClientCertTypeCnt;/* must be one */ |
13567 | | if (cnt != 1) |
13568 | | return SANITY_MSG_E; |
13569 | | ret = OPAQUE8_LEN; |
13570 | | } |
13571 | | else { |
13572 | | return SANITY_MSG_E; |
13573 | | } |
13574 | | return ret; |
13575 | | } |
13576 | | |
13577 | | #define CCT_GET_SIZE TLSX_ClientCertificateType_GetSize |
13578 | | #define CCT_WRITE TLSX_ClientCertificateType_Write |
13579 | | #define CCT_PARSE TLSX_ClientCertificateType_Parse |
13580 | | #else |
13581 | | #define CCT_GET_SIZE(a) 0 |
13582 | | #define CCT_WRITE(a, b) 0 |
13583 | | #define CCT_PARSE(a, b, c, d) 0 |
13584 | | #endif /* HAVE_RPK */ |
13585 | | |
13586 | | #if defined(HAVE_RPK) |
13587 | | /******************************************************************************/ |
13588 | | /* Server_Certificate_Type extension */ |
13589 | | /******************************************************************************/ |
13590 | | /* Creates a "server certificate type" extension if necessary. |
13591 | | * Returns 0 if no error occurred, negative value otherwise. |
13592 | | * A return of 0, it does not indicae that the extension was created. |
13593 | | */ |
13594 | | static int TLSX_ServerCertificateType_Use(WOLFSSL* ssl, byte isServer) |
13595 | | { |
13596 | | int ret = 0; |
13597 | | byte ctype; |
13598 | | |
13599 | | if (ssl == NULL) |
13600 | | return BAD_FUNC_ARG; |
13601 | | |
13602 | | if (isServer) { |
13603 | | /* [in server side] */ |
13604 | | /* find common cert type to both end */ |
13605 | | if (GetCommonItem( |
13606 | | ssl->options.rpkConfig.preferred_ServerCertTypes, |
13607 | | ssl->options.rpkConfig.preferred_ServerCertTypeCnt, |
13608 | | ssl->options.rpkState.received_ServerCertTypes, |
13609 | | ssl->options.rpkState.received_ServerCertTypeCnt, |
13610 | | &ctype)) { |
13611 | | ssl->options.rpkState.sending_ServerCertTypeCnt = 1; |
13612 | | ssl->options.rpkState.sending_ServerCertTypes[0] = ctype; |
13613 | | |
13614 | | /* Push new server_certificate_type extension. */ |
13615 | | WOLFSSL_MSG("Adding Server Certificate Type extension"); |
13616 | | ret = TLSX_Push(&ssl->extensions, TLSX_SERVER_CERTIFICATE_TYPE, ssl, |
13617 | | ssl->heap); |
13618 | | if (ret == 0) { |
13619 | | TLSX_SetResponse(ssl, TLSX_SERVER_CERTIFICATE_TYPE); |
13620 | | } |
13621 | | } |
13622 | | else { |
13623 | | /* no common cert type found */ |
13624 | | WOLFSSL_MSG("No common cert type found in server_certificate_type ext"); |
13625 | | SendAlert(ssl, alert_fatal, unsupported_certificate); |
13626 | | ret = UNSUPPORTED_CERTIFICATE; |
13627 | | } |
13628 | | } |
13629 | | else { |
13630 | | /* [in client side] */ |
13631 | | if (IsCertTypeListed(WOLFSSL_CERT_TYPE_RPK, |
13632 | | ssl->options.rpkConfig.preferred_ServerCertTypeCnt, |
13633 | | ssl->options.rpkConfig.preferred_ServerCertTypes)) { |
13634 | | |
13635 | | ssl->options.rpkState.sending_ServerCertTypeCnt = |
13636 | | ssl->options.rpkConfig.preferred_ServerCertTypeCnt; |
13637 | | XMEMCPY(ssl->options.rpkState.sending_ServerCertTypes, |
13638 | | ssl->options.rpkConfig.preferred_ServerCertTypes, |
13639 | | ssl->options.rpkConfig.preferred_ServerCertTypeCnt); |
13640 | | |
13641 | | /* Push new server_certificate_type extension. */ |
13642 | | WOLFSSL_MSG("Adding Server Certificate Type extension"); |
13643 | | ret = TLSX_Push(&ssl->extensions, TLSX_SERVER_CERTIFICATE_TYPE, ssl, |
13644 | | ssl->heap); |
13645 | | } |
13646 | | else { |
13647 | | WOLFSSL_MSG("No will to accept RPK cert"); |
13648 | | } |
13649 | | } |
13650 | | |
13651 | | return ret; |
13652 | | } |
13653 | | |
13654 | | /* Parse a "server certificate type" extension received from peer. |
13655 | | * returns 0 on success and other values indicate failure. |
13656 | | */ |
13657 | | static int TLSX_ServerCertificateType_Parse(WOLFSSL* ssl, const byte* input, |
13658 | | word16 length, byte msgType) |
13659 | | { |
13660 | | byte typeCnt; |
13661 | | int idx = 0; |
13662 | | int ret = 0; |
13663 | | int i; |
13664 | | |
13665 | | if (msgType == client_hello) { |
13666 | | /* in server side */ |
13667 | | |
13668 | | if (length < OPAQUE8_LEN) |
13669 | | return BUFFER_E; |
13670 | | |
13671 | | typeCnt = input[idx]; |
13672 | | |
13673 | | if (typeCnt > MAX_SERVER_CERT_TYPE_CNT) |
13674 | | return BUFFER_E; |
13675 | | |
13676 | | if ((typeCnt + 1) * OPAQUE8_LEN != length){ |
13677 | | return BUFFER_E; |
13678 | | } |
13679 | | ssl->options.rpkState.received_ServerCertTypeCnt = input[idx]; |
13680 | | idx += OPAQUE8_LEN; |
13681 | | |
13682 | | for (i = 0; i < typeCnt; i++) { |
13683 | | ssl->options.rpkState.received_ServerCertTypes[i] = input[idx]; |
13684 | | idx += OPAQUE8_LEN; |
13685 | | } |
13686 | | |
13687 | | ret = TLSX_ServerCertificateType_Use(ssl, 1); |
13688 | | if (ret == 0) { |
13689 | | TLSX_SetResponse(ssl, TLSX_SERVER_CERTIFICATE_TYPE); |
13690 | | } |
13691 | | } |
13692 | | else if (msgType == server_hello || msgType == encrypted_extensions) { |
13693 | | /* in client side */ |
13694 | | if (length != 1) /* length slould be 1 */ |
13695 | | return BUFFER_E; |
13696 | | |
13697 | | ssl->options.rpkState.received_ServerCertTypeCnt = 1; |
13698 | | ssl->options.rpkState.received_ServerCertTypes[0] = *input; |
13699 | | } |
13700 | | |
13701 | | return 0; |
13702 | | } |
13703 | | |
13704 | | /* Write out the "server certificate type" extension data into the given buffer. |
13705 | | * return the size wrote in the buffer on success, negative value on error. |
13706 | | */ |
13707 | | static word16 TLSX_ServerCertificateType_Write(void* data, byte* output, |
13708 | | byte msgType) |
13709 | | { |
13710 | | WOLFSSL* ssl = (WOLFSSL*)data; |
13711 | | word16 idx = 0; |
13712 | | int cnt = 0; |
13713 | | int i; |
13714 | | |
13715 | | /* skip to write extension if count is zero */ |
13716 | | cnt = ssl->options.rpkState.sending_ServerCertTypeCnt; |
13717 | | |
13718 | | if (cnt == 0) |
13719 | | return 0; |
13720 | | |
13721 | | if (msgType == client_hello) { |
13722 | | /* in client side */ |
13723 | | |
13724 | | *(output + idx) = cnt; |
13725 | | idx += OPAQUE8_LEN; |
13726 | | |
13727 | | for (i = 0; i < cnt; i++) { |
13728 | | *(output + idx) = ssl->options.rpkState.sending_ServerCertTypes[i]; |
13729 | | idx += OPAQUE8_LEN; |
13730 | | } |
13731 | | } |
13732 | | else if (msgType == server_hello || msgType == encrypted_extensions) { |
13733 | | /* in server side */ |
13734 | | /* ensure cnt is one */ |
13735 | | if (cnt != 1) |
13736 | | return 0; |
13737 | | |
13738 | | *(output + idx) = ssl->options.rpkState.sending_ServerCertTypes[0]; |
13739 | | idx += OPAQUE8_LEN; |
13740 | | } |
13741 | | return idx; |
13742 | | } |
13743 | | |
13744 | | /* Calculate then return the size of the "server certificate type" extension |
13745 | | * data. |
13746 | | * return the extension data size on success, negative value on error. |
13747 | | */ |
13748 | | static int TLSX_ServerCertificateType_GetSize(WOLFSSL* ssl, byte msgType) |
13749 | | { |
13750 | | int ret = 0; |
13751 | | int cnt; |
13752 | | |
13753 | | if (ssl == NULL) |
13754 | | return BAD_FUNC_ARG; |
13755 | | |
13756 | | if (msgType == client_hello) { |
13757 | | /* in clent side */ |
13758 | | cnt = ssl->options.rpkState.sending_ServerCertTypeCnt; |
13759 | | if (cnt > 0) { |
13760 | | ret = (int)(OPAQUE8_LEN + cnt * OPAQUE8_LEN); |
13761 | | } |
13762 | | } |
13763 | | else if (msgType == server_hello || msgType == encrypted_extensions) { |
13764 | | /* in server side */ |
13765 | | ret = (int)OPAQUE8_LEN; |
13766 | | } |
13767 | | else { |
13768 | | return SANITY_MSG_E; |
13769 | | } |
13770 | | return ret; |
13771 | | } |
13772 | | |
13773 | | #define SCT_GET_SIZE TLSX_ServerCertificateType_GetSize |
13774 | | #define SCT_WRITE TLSX_ServerCertificateType_Write |
13775 | | #define SCT_PARSE TLSX_ServerCertificateType_Parse |
13776 | | #else |
13777 | | #define SCT_GET_SIZE(a) 0 |
13778 | | #define SCT_WRITE(a, b) 0 |
13779 | | #define SCT_PARSE(a, b, c, d) 0 |
13780 | | #endif /* HAVE_RPK */ |
13781 | | |
13782 | | /******************************************************************************/ |
13783 | | /* TLS Extensions Framework */ |
13784 | | /******************************************************************************/ |
13785 | | |
13786 | | /** Finds an extension in the provided list. */ |
13787 | | TLSX* TLSX_Find(TLSX* list, TLSX_Type type) |
13788 | 0 | { |
13789 | 0 | TLSX* extension = list; |
13790 | |
|
13791 | 0 | while (extension && extension->type != type) |
13792 | 0 | extension = extension->next; |
13793 | |
|
13794 | 0 | return extension; |
13795 | 0 | } |
13796 | | |
13797 | | /** Remove an extension. */ |
13798 | | void TLSX_Remove(TLSX** list, TLSX_Type type, void* heap) |
13799 | 0 | { |
13800 | 0 | TLSX* extension; |
13801 | 0 | TLSX** next; |
13802 | |
|
13803 | 0 | if (list == NULL) |
13804 | 0 | return; |
13805 | | |
13806 | 0 | extension = *list; |
13807 | 0 | next = list; |
13808 | |
|
13809 | 0 | while (extension && extension->type != type) { |
13810 | 0 | next = &extension->next; |
13811 | 0 | extension = extension->next; |
13812 | 0 | } |
13813 | |
|
13814 | 0 | if (extension) { |
13815 | 0 | *next = extension->next; |
13816 | 0 | extension->next = NULL; |
13817 | 0 | TLSX_FreeAll(extension, heap); |
13818 | 0 | } |
13819 | 0 | } |
13820 | | |
13821 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
13822 | | #define GREASE_ECH_SIZE 160 |
13823 | | #define TLS_INFO_CONST_STRING "tls ech" |
13824 | | #define TLS_INFO_CONST_STRING_SZ 7 |
13825 | | |
13826 | | /* return status after setting up ech to write a grease ech */ |
13827 | | static int TLSX_GreaseECH_Use(TLSX** extensions, void* heap, WC_RNG* rng) |
13828 | | { |
13829 | | int ret = 0; |
13830 | | TLSX* echX; |
13831 | | WOLFSSL_ECH* ech; |
13832 | | |
13833 | | if (extensions == NULL) |
13834 | | return BAD_FUNC_ARG; |
13835 | | /* skip if we already have an ech extension, we will for hrr */ |
13836 | | echX = TLSX_Find(*extensions, TLSX_ECH); |
13837 | | if (echX != NULL) |
13838 | | return 0; |
13839 | | |
13840 | | ech = (WOLFSSL_ECH*)XMALLOC(sizeof(WOLFSSL_ECH), heap, |
13841 | | DYNAMIC_TYPE_TMP_BUFFER); |
13842 | | if (ech == NULL) |
13843 | | return MEMORY_E; |
13844 | | XMEMSET(ech, 0, sizeof(WOLFSSL_ECH)); |
13845 | | |
13846 | | ech->state = ECH_WRITE_GREASE; |
13847 | | |
13848 | | /* 0 for outer */ |
13849 | | ech->type = ECH_TYPE_OUTER; |
13850 | | /* kemId */ |
13851 | | ech->kemId = DHKEM_X25519_HKDF_SHA256; |
13852 | | /* cipherSuite kdf */ |
13853 | | ech->cipherSuite.kdfId = HKDF_SHA256; |
13854 | | /* cipherSuite aead */ |
13855 | | ech->cipherSuite.aeadId = HPKE_AES_128_GCM; |
13856 | | |
13857 | | /* random configId */ |
13858 | | ret = wc_RNG_GenerateByte(rng, &(ech->configId)); |
13859 | | |
13860 | | /* curve25519 encLen */ |
13861 | | ech->encLen = DHKEM_X25519_ENC_LEN; |
13862 | | |
13863 | | if (ret == 0) |
13864 | | ret = TLSX_Push(extensions, TLSX_ECH, ech, heap); |
13865 | | |
13866 | | if (ret != 0) { |
13867 | | XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER); |
13868 | | } |
13869 | | |
13870 | | return ret; |
13871 | | } |
13872 | | |
13873 | | /* return status after setting up ech to write real ech */ |
13874 | | static int TLSX_ECH_Use(WOLFSSL_EchConfig* echConfig, TLSX** extensions, |
13875 | | void* heap, WC_RNG* rng) |
13876 | | { |
13877 | | int ret = 0; |
13878 | | int suiteIndex; |
13879 | | TLSX* echX; |
13880 | | WOLFSSL_ECH* ech; |
13881 | | if (extensions == NULL) |
13882 | | return BAD_FUNC_ARG; |
13883 | | /* skip if we already have an ech extension, we will for hrr */ |
13884 | | echX = TLSX_Find(*extensions, TLSX_ECH); |
13885 | | if (echX != NULL) |
13886 | | return 0; |
13887 | | /* find a supported cipher suite */ |
13888 | | suiteIndex = EchConfigGetSupportedCipherSuite(echConfig); |
13889 | | if (suiteIndex < 0) |
13890 | | return suiteIndex; |
13891 | | ech = (WOLFSSL_ECH*)XMALLOC(sizeof(WOLFSSL_ECH), heap, |
13892 | | DYNAMIC_TYPE_TMP_BUFFER); |
13893 | | if (ech == NULL) |
13894 | | return MEMORY_E; |
13895 | | XMEMSET(ech, 0, sizeof(WOLFSSL_ECH)); |
13896 | | ech->state = ECH_WRITE_REAL; |
13897 | | ech->echConfig = echConfig; |
13898 | | /* 0 for outer */ |
13899 | | ech->type = ECH_TYPE_OUTER; |
13900 | | /* kemId */ |
13901 | | ech->kemId = echConfig->kemId; |
13902 | | /* cipherSuite kdf */ |
13903 | | ech->cipherSuite.kdfId = echConfig->cipherSuites[suiteIndex].kdfId; |
13904 | | /* cipherSuite aead */ |
13905 | | ech->cipherSuite.aeadId = echConfig->cipherSuites[suiteIndex].aeadId; |
13906 | | /* configId */ |
13907 | | ech->configId = echConfig->configId; |
13908 | | /* encLen */ |
13909 | | ech->encLen = wc_HpkeKemGetEncLen(echConfig->kemId); |
13910 | | if (ech->encLen == 0) { |
13911 | | XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER); |
13912 | | return BAD_FUNC_ARG; |
13913 | | } |
13914 | | /* setup hpke */ |
13915 | | ech->hpke = (Hpke*)XMALLOC(sizeof(Hpke), heap, DYNAMIC_TYPE_TMP_BUFFER); |
13916 | | if (ech->hpke == NULL) { |
13917 | | XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER); |
13918 | | return MEMORY_E; |
13919 | | } |
13920 | | ret = wc_HpkeInit(ech->hpke, ech->kemId, ech->cipherSuite.kdfId, |
13921 | | ech->cipherSuite.aeadId, heap); |
13922 | | /* setup the ephemeralKey */ |
13923 | | if (ret == 0) |
13924 | | ret = wc_HpkeGenerateKeyPair(ech->hpke, &ech->ephemeralKey, rng); |
13925 | | if (ret == 0) { |
13926 | | /* use the chosen config's public name for the outer SNI */ |
13927 | | ret = TLSX_UseSNI(&ech->extensions, WOLFSSL_SNI_HOST_NAME, |
13928 | | echConfig->publicName, (word16)XSTRLEN(echConfig->publicName), |
13929 | | heap); |
13930 | | if (ret != WOLFSSL_SUCCESS || |
13931 | | (ret = TLSX_Push(extensions, TLSX_ECH, ech, heap)) != 0) { |
13932 | | TLSX_FreeAll(ech->extensions, heap); |
13933 | | wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, ech->ephemeralKey, |
13934 | | ech->hpke->heap); |
13935 | | } |
13936 | | } |
13937 | | if (ret != 0) { |
13938 | | XFREE(ech->hpke, heap, DYNAMIC_TYPE_TMP_BUFFER); |
13939 | | XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER); |
13940 | | } |
13941 | | return ret; |
13942 | | } |
13943 | | |
13944 | | /* return status after setting up ech to read and decrypt */ |
13945 | | WOLFSSL_TEST_VIS int TLSX_ServerECH_Use(TLSX** extensions, void* heap, |
13946 | | WOLFSSL_EchConfig* configs) |
13947 | | { |
13948 | | int ret; |
13949 | | WOLFSSL_ECH* ech; |
13950 | | TLSX* echX; |
13951 | | if (extensions == NULL) |
13952 | | return BAD_FUNC_ARG; |
13953 | | /* if we already have ech don't override it */ |
13954 | | echX = TLSX_Find(*extensions, TLSX_ECH); |
13955 | | if (echX != NULL) |
13956 | | return 0; |
13957 | | ech = (WOLFSSL_ECH*)XMALLOC(sizeof(WOLFSSL_ECH), heap, |
13958 | | DYNAMIC_TYPE_TMP_BUFFER); |
13959 | | if (ech == NULL) |
13960 | | return MEMORY_E; |
13961 | | XMEMSET(ech, 0, sizeof(WOLFSSL_ECH)); |
13962 | | ech->state = ECH_WRITE_NONE; |
13963 | | /* 0 for outer */ |
13964 | | ech->type = ECH_TYPE_OUTER; |
13965 | | ech->echConfig = configs; |
13966 | | /* setup the rest of the settings when we receive ech from the client */ |
13967 | | ret = TLSX_Push(extensions, TLSX_ECH, ech, heap); |
13968 | | if (ret != 0) |
13969 | | XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER); |
13970 | | return ret; |
13971 | | } |
13972 | | |
13973 | | /* return status after writing the ech and updating offset */ |
13974 | | static int TLSX_ECH_Write(WOLFSSL_ECH* ech, byte msgType, byte* writeBuf, |
13975 | | word16* offset) |
13976 | | { |
13977 | | int ret = 0; |
13978 | | int rngRet = -1; |
13979 | | word32 configsLen = 0; |
13980 | | void* ephemeralKey = NULL; |
13981 | | byte* writeBuf_p = writeBuf; |
13982 | | WC_DECLARE_VAR(hpke, Hpke, 1, DYNAMIC_TYPE_TMP_BUFFER); |
13983 | | WC_DECLARE_VAR(rng, WC_RNG, 1, DYNAMIC_TYPE_RNG); |
13984 | | |
13985 | | WOLFSSL_MSG("TLSX_ECH_Write"); |
13986 | | if (msgType == hello_retry_request) { |
13987 | | WC_ALLOC_VAR_EX(rng, WC_RNG, 1, NULL, DYNAMIC_TYPE_RNG, ret = MEMORY_E); |
13988 | | if (ret == 0) { |
13989 | | ret = wc_InitRng(rng); |
13990 | | } |
13991 | | if (ret == 0) { |
13992 | | /* randomize confirmation in case ech is rejected */ |
13993 | | ret = wc_RNG_GenerateBlock(rng, writeBuf, |
13994 | | ECH_ACCEPT_CONFIRMATION_SZ); |
13995 | | wc_FreeRng(rng); |
13996 | | } |
13997 | | if (ret == 0) { |
13998 | | *offset += ECH_ACCEPT_CONFIRMATION_SZ; |
13999 | | ech->confBuf = writeBuf; |
14000 | | } |
14001 | | |
14002 | | WC_FREE_VAR_EX(rng, NULL, DYNAMIC_TYPE_RNG); |
14003 | | return ret; |
14004 | | } |
14005 | | if (ech->state == ECH_WRITE_NONE || ech->state == ECH_PARSED_INTERNAL) |
14006 | | return 0; |
14007 | | if (ech->state == ECH_WRITE_RETRY_CONFIGS) { |
14008 | | /* get size then write */ |
14009 | | ret = GetEchConfigsEx(ech->echConfig, NULL, &configsLen); |
14010 | | if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) |
14011 | | return ret; |
14012 | | ret = GetEchConfigsEx(ech->echConfig, writeBuf, &configsLen); |
14013 | | if (ret != WOLFSSL_SUCCESS) |
14014 | | return ret; |
14015 | | *offset += configsLen; |
14016 | | return 0; |
14017 | | } |
14018 | | /* type */ |
14019 | | *writeBuf_p = ech->type; |
14020 | | writeBuf_p += sizeof(ech->type); |
14021 | | /* outer has body, inner does not */ |
14022 | | if (ech->type == ECH_TYPE_OUTER) { |
14023 | | /* kdfId */ |
14024 | | c16toa(ech->cipherSuite.kdfId, writeBuf_p); |
14025 | | writeBuf_p += sizeof(ech->cipherSuite.kdfId); |
14026 | | /* aeadId */ |
14027 | | c16toa(ech->cipherSuite.aeadId, writeBuf_p); |
14028 | | writeBuf_p += sizeof(ech->cipherSuite.aeadId); |
14029 | | /* configId */ |
14030 | | *writeBuf_p = ech->configId; |
14031 | | writeBuf_p += sizeof(ech->configId); |
14032 | | /* encLen */ |
14033 | | if (ech->innerCount == 0) { |
14034 | | c16toa(ech->encLen, writeBuf_p); |
14035 | | } |
14036 | | else { |
14037 | | /* set to 0 if this is clientInner 2 */ |
14038 | | c16toa(0, writeBuf_p); |
14039 | | } |
14040 | | writeBuf_p += 2; |
14041 | | if (ech->state == ECH_WRITE_GREASE) { |
14042 | | word32 size; |
14043 | | WC_ALLOC_VAR_EX(rng, WC_RNG, 1, NULL, DYNAMIC_TYPE_RNG, |
14044 | | ret = MEMORY_E); |
14045 | | |
14046 | | if (ret == 0) |
14047 | | rngRet = ret = wc_InitRng(rng); |
14048 | | if (ret == 0 && ech->innerCount == 0) { |
14049 | | WC_ALLOC_VAR_EX(hpke, Hpke, 1, NULL, DYNAMIC_TYPE_TMP_BUFFER, |
14050 | | ret = MEMORY_E); |
14051 | | |
14052 | | /* hpke init */ |
14053 | | if (ret == 0) |
14054 | | ret = wc_HpkeInit(hpke, ech->kemId, ech->cipherSuite.kdfId, |
14055 | | ech->cipherSuite.aeadId, NULL); |
14056 | | /* create the ephemeralKey */ |
14057 | | if (ret == 0) |
14058 | | ret = wc_HpkeGenerateKeyPair(hpke, &ephemeralKey, rng); |
14059 | | /* enc */ |
14060 | | if (ret == 0) { |
14061 | | ret = wc_HpkeSerializePublicKey(hpke, ephemeralKey, |
14062 | | writeBuf_p, &ech->encLen); |
14063 | | writeBuf_p += ech->encLen; |
14064 | | } |
14065 | | |
14066 | | if (ephemeralKey != NULL) |
14067 | | wc_HpkeFreeKey(hpke, hpke->kem, ephemeralKey, hpke->heap); |
14068 | | WC_FREE_VAR_EX(hpke, NULL, DYNAMIC_TYPE_TMP_BUFFER); |
14069 | | } |
14070 | | |
14071 | | if (ret == 0) { |
14072 | | size = GREASE_ECH_SIZE + (ech->configId / 4); |
14073 | | size += ECH_PADDING_TO_32(size) + WC_AES_BLOCK_SIZE; |
14074 | | |
14075 | | /* innerClientHelloLen */ |
14076 | | c16toa((word16)size, writeBuf_p); |
14077 | | writeBuf_p += 2; |
14078 | | /* innerClientHello */ |
14079 | | ret = wc_RNG_GenerateBlock(rng, writeBuf_p, size); |
14080 | | writeBuf_p += size; |
14081 | | } |
14082 | | |
14083 | | if (rngRet == 0) |
14084 | | wc_FreeRng(rng); |
14085 | | WC_FREE_VAR_EX(rng, NULL, DYNAMIC_TYPE_RNG); |
14086 | | } |
14087 | | else { |
14088 | | if (ech->innerCount == 0) { |
14089 | | /* write enc to writeBuf_p */ |
14090 | | ret = wc_HpkeSerializePublicKey(ech->hpke, ech->ephemeralKey, |
14091 | | writeBuf_p, &ech->encLen); |
14092 | | writeBuf_p += ech->encLen; |
14093 | | } |
14094 | | |
14095 | | /* innerClientHelloLen */ |
14096 | | c16toa((word16)ech->innerClientHelloLen, writeBuf_p); |
14097 | | writeBuf_p += 2; |
14098 | | /* set payload offset for when we finalize */ |
14099 | | ech->outerClientPayload = writeBuf_p; |
14100 | | /* write zeros for payload */ |
14101 | | XMEMSET(writeBuf_p, 0, ech->innerClientHelloLen); |
14102 | | writeBuf_p += ech->innerClientHelloLen; |
14103 | | } |
14104 | | } |
14105 | | if (ret == 0) |
14106 | | *offset += (writeBuf_p - writeBuf); |
14107 | | return ret; |
14108 | | } |
14109 | | |
14110 | | /* return the size needed for the ech extension */ |
14111 | | static int TLSX_ECH_GetSize(WOLFSSL_ECH* ech, byte msgType) |
14112 | | { |
14113 | | int ret; |
14114 | | word32 size = 0; |
14115 | | |
14116 | | if (ech->state == ECH_WRITE_GREASE) { |
14117 | | word32 payload; |
14118 | | size = sizeof(ech->type) + sizeof(ech->cipherSuite) + |
14119 | | sizeof(ech->configId) + sizeof(word16) + sizeof(word16); |
14120 | | /* enc only printed on CH1 */ |
14121 | | if (ech->innerCount == 0) |
14122 | | size += ech->encLen; |
14123 | | /* GREASE payload mimics the regular sealed inner: |
14124 | | * plaintext length divisible by 32 and the AEAD tag |
14125 | | * configId is used to randomize the GREASE length |
14126 | | * (divide by 4 to save space) */ |
14127 | | payload = GREASE_ECH_SIZE + (ech->configId / 4); |
14128 | | payload += ECH_PADDING_TO_32(payload) + WC_AES_BLOCK_SIZE; |
14129 | | size += payload; |
14130 | | } |
14131 | | else if (msgType == hello_retry_request) { |
14132 | | size = ECH_ACCEPT_CONFIRMATION_SZ; |
14133 | | } |
14134 | | else if (ech->state == ECH_WRITE_NONE || |
14135 | | ech->state == ECH_PARSED_INTERNAL) { |
14136 | | size = 0; |
14137 | | } |
14138 | | else if (ech->state == ECH_WRITE_RETRY_CONFIGS) { |
14139 | | /* get the size of the raw configs */ |
14140 | | ret = GetEchConfigsEx(ech->echConfig, NULL, &size); |
14141 | | |
14142 | | if (ret != WC_NO_ERR_TRACE(LENGTH_ONLY_E)) |
14143 | | return ret; |
14144 | | } |
14145 | | else if (ech->type == ECH_TYPE_INNER) |
14146 | | { |
14147 | | size = sizeof(ech->type); |
14148 | | } |
14149 | | else |
14150 | | { |
14151 | | size = sizeof(ech->type) + sizeof(ech->cipherSuite) + |
14152 | | sizeof(ech->configId) + sizeof(word16) + sizeof(word16) + |
14153 | | ech->innerClientHelloLen; |
14154 | | /* enc only printed on CH1 */ |
14155 | | if (ech->innerCount == 0) |
14156 | | size += ech->encLen; |
14157 | | } |
14158 | | |
14159 | | return (int)size; |
14160 | | } |
14161 | | |
14162 | | #ifdef HAVE_SECRET_CALLBACK |
14163 | | /* log ECH_SECRET and ECH_CONFIG |
14164 | | * returns 0 on success, TLS13_SECRET_CB_E otherwise */ |
14165 | | static int EchWriteKeyLog(WOLFSSL* ssl, const byte* secret, word32 secretSz, |
14166 | | const byte* config, word32 configSz) |
14167 | | { |
14168 | | int ret = 0; |
14169 | | if (ssl->tls13SecretCb != NULL) { |
14170 | | ret = ssl->tls13SecretCb(ssl, ECH_SECRET, secret, (int)secretSz, |
14171 | | ssl->tls13SecretCtx); |
14172 | | if (ret == 0) { |
14173 | | ret = ssl->tls13SecretCb(ssl, ECH_CONFIG, config, (int)configSz, |
14174 | | ssl->tls13SecretCtx); |
14175 | | } |
14176 | | if (ret != 0) { |
14177 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
14178 | | ret = TLS13_SECRET_CB_E; |
14179 | | } |
14180 | | } |
14181 | | #ifdef OPENSSL_EXTRA |
14182 | | if (ret == 0 && ssl->tls13KeyLogCb != NULL) { |
14183 | | ret = ssl->tls13KeyLogCb(ssl, ECH_SECRET, secret, (int)secretSz, NULL); |
14184 | | if (ret == 0) { |
14185 | | ret = ssl->tls13KeyLogCb(ssl, ECH_CONFIG, config, (int)configSz, |
14186 | | NULL); |
14187 | | } |
14188 | | if (ret != 0) { |
14189 | | WOLFSSL_ERROR_VERBOSE(TLS13_SECRET_CB_E); |
14190 | | ret = TLS13_SECRET_CB_E; |
14191 | | } |
14192 | | } |
14193 | | #endif /* OPENSSL_EXTRA */ |
14194 | | return ret; |
14195 | | } |
14196 | | #endif /* HAVE_SECRET_CALLBACK */ |
14197 | | |
14198 | | /* rough check that inner hello fields do not exceed length of decrypted |
14199 | | * information. Additionally, this function will check that all padding bytes |
14200 | | * are zero and decrease the innerHelloLen accordingly if so. |
14201 | | * returns 0 on success and otherwise failure */ |
14202 | | static int TLSX_ECH_CheckInnerPadding(WOLFSSL* ssl, WOLFSSL_ECH* ech) |
14203 | | { |
14204 | | int headerSz; |
14205 | | const byte* innerCh; |
14206 | | word32 innerChLen; |
14207 | | word32 idx; |
14208 | | byte sessionIdLen; |
14209 | | word16 cipherSuitesLen; |
14210 | | byte compressionLen; |
14211 | | word16 extLen; |
14212 | | byte acc = 0; |
14213 | | word32 i; |
14214 | | |
14215 | | #ifdef WOLFSSL_DTLS13 |
14216 | | headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ : |
14217 | | HANDSHAKE_HEADER_SZ; |
14218 | | #else |
14219 | | (void)ssl; |
14220 | | |
14221 | | headerSz = HANDSHAKE_HEADER_SZ; |
14222 | | #endif |
14223 | | |
14224 | | innerCh = ech->innerClientHello + headerSz; |
14225 | | innerChLen = ech->innerClientHelloLen; |
14226 | | |
14227 | | idx = OPAQUE16_LEN + RAN_LEN; |
14228 | | if (idx >= innerChLen) |
14229 | | return BUFFER_ERROR; |
14230 | | |
14231 | | sessionIdLen = innerCh[idx++]; |
14232 | | /* innerHello sessionID must initially be empty */ |
14233 | | if (sessionIdLen != 0) |
14234 | | return INVALID_PARAMETER; |
14235 | | idx += sessionIdLen; |
14236 | | if (idx + OPAQUE16_LEN > innerChLen) |
14237 | | return BUFFER_ERROR; |
14238 | | |
14239 | | ato16(innerCh + idx, &cipherSuitesLen); |
14240 | | idx += OPAQUE16_LEN + cipherSuitesLen; |
14241 | | if (idx >= innerChLen) |
14242 | | return BUFFER_ERROR; |
14243 | | |
14244 | | compressionLen = innerCh[idx++]; |
14245 | | idx += compressionLen; |
14246 | | if (idx + OPAQUE16_LEN > innerChLen) |
14247 | | return BUFFER_ERROR; |
14248 | | |
14249 | | ato16(innerCh + idx, &extLen); |
14250 | | idx += OPAQUE16_LEN + extLen; |
14251 | | if (idx > innerChLen) |
14252 | | return BUFFER_ERROR; |
14253 | | |
14254 | | /* should now be at the end of the innerHello |
14255 | | * Per ECH spec all padding bytes MUST be 0 */ |
14256 | | for (i = idx; i < innerChLen; i++) { |
14257 | | acc |= innerCh[i]; |
14258 | | } |
14259 | | if (acc != 0) { |
14260 | | return INVALID_PARAMETER; |
14261 | | } |
14262 | | |
14263 | | ech->innerClientHelloLen -= i - idx; |
14264 | | return 0; |
14265 | | } |
14266 | | |
14267 | | /* Locate the given extension type, use the extOffset to start off after where a |
14268 | | * previous call to this function ended |
14269 | | * |
14270 | | * outerCh The outer ClientHello buffer. |
14271 | | * chLen Outer ClientHello length. |
14272 | | * extType Extension type to look for. |
14273 | | * extLen Out parameter, length of found extension. |
14274 | | * extOffset Offset into outer ClientHello to look for extension from. |
14275 | | * extensionsStart Start of outer ClientHello extensions. |
14276 | | * extensionsLen Length of outer ClientHello extensions. |
14277 | | * returns 0 on success and otherwise failure. |
14278 | | */ |
14279 | | static const byte* TLSX_ECH_FindOuterExtension(const byte* outerCh, |
14280 | | word32 chLen, word16 extType, word32* extLen, word32* extOffset, |
14281 | | word16* extensionsStart, word16* extensionsLen) |
14282 | | { |
14283 | | word32 idx = *extOffset; |
14284 | | byte sessionIdLen; |
14285 | | word16 cipherSuitesLen; |
14286 | | byte compressionLen; |
14287 | | word16 type; |
14288 | | word16 len; |
14289 | | |
14290 | | if (idx == 0) { |
14291 | | idx = OPAQUE16_LEN + RAN_LEN; |
14292 | | if (idx >= chLen) |
14293 | | return NULL; |
14294 | | |
14295 | | sessionIdLen = outerCh[idx++]; |
14296 | | idx += sessionIdLen; |
14297 | | if (idx + OPAQUE16_LEN > chLen) |
14298 | | return NULL; |
14299 | | |
14300 | | ato16(outerCh + idx, &cipherSuitesLen); |
14301 | | idx += OPAQUE16_LEN + cipherSuitesLen; |
14302 | | if (idx >= chLen) |
14303 | | return NULL; |
14304 | | |
14305 | | compressionLen = outerCh[idx++]; |
14306 | | idx += compressionLen; |
14307 | | if (idx + OPAQUE16_LEN > chLen) |
14308 | | return NULL; |
14309 | | |
14310 | | ato16(outerCh + idx, extensionsLen); |
14311 | | idx += OPAQUE16_LEN; |
14312 | | *extensionsStart = (word16)idx; |
14313 | | |
14314 | | if (idx + *extensionsLen > chLen) |
14315 | | return NULL; |
14316 | | } |
14317 | | |
14318 | | while (idx - *extensionsStart < *extensionsLen) { |
14319 | | if (idx + OPAQUE16_LEN + OPAQUE16_LEN > chLen) |
14320 | | return NULL; |
14321 | | |
14322 | | ato16(outerCh + idx, &type); |
14323 | | idx += OPAQUE16_LEN; |
14324 | | ato16(outerCh + idx, &len); |
14325 | | idx += OPAQUE16_LEN; |
14326 | | |
14327 | | if (idx + len - *extensionsStart > *extensionsLen) |
14328 | | return NULL; |
14329 | | |
14330 | | if (type == extType) { |
14331 | | *extLen = len + OPAQUE16_LEN + OPAQUE16_LEN; |
14332 | | *extOffset = idx + len; |
14333 | | return outerCh + idx - OPAQUE16_LEN - OPAQUE16_LEN; |
14334 | | } |
14335 | | |
14336 | | idx += len; |
14337 | | } |
14338 | | |
14339 | | return NULL; |
14340 | | } |
14341 | | |
14342 | | /* If newinnerCh is NULL, validate ordering and existence of references |
14343 | | * - updates newInnerChLen with total length of selected extensions |
14344 | | * If newinnerCh is not NULL, copy extensions into newInnerCh |
14345 | | * |
14346 | | * outerCh The outer ClientHello buffer. |
14347 | | * outerChLen Outer ClientHello length. |
14348 | | * newInnerCh The inner ClientHello buffer. |
14349 | | * newInnerChLen Inner ClientHello length. |
14350 | | * numOuterRefs Number of references described by OuterExtensions extension. |
14351 | | * OuterRefTypes References described by OuterExtensions extension. |
14352 | | * returns 0 on success and otherwise failure. |
14353 | | */ |
14354 | | static int TLSX_ECH_CopyOuterExtensions(const byte* outerCh, word32 outerChLen, |
14355 | | byte** newInnerCh, word32* newInnerChLen, |
14356 | | word16 numOuterRefs, const byte* outerRefTypes) |
14357 | | { |
14358 | | int ret = 0; |
14359 | | word16 refType; |
14360 | | word32 outerExtLen; |
14361 | | word32 outerExtOffset = 0; |
14362 | | word16 extsStart = 0; |
14363 | | word16 extsLen = 0; |
14364 | | const byte* outerExtData; |
14365 | | |
14366 | | if (newInnerCh == NULL) { |
14367 | | *newInnerChLen = 0; |
14368 | | } |
14369 | | |
14370 | | while (numOuterRefs-- > 0) { |
14371 | | ato16(outerRefTypes, &refType); |
14372 | | |
14373 | | if (refType == TLSXT_ECH) { |
14374 | | WOLFSSL_MSG("ECH: ech_outer_extensions references ECH"); |
14375 | | ret = INVALID_PARAMETER; |
14376 | | break; |
14377 | | } |
14378 | | |
14379 | | outerExtData = TLSX_ECH_FindOuterExtension(outerCh, outerChLen, |
14380 | | refType, &outerExtLen, &outerExtOffset, |
14381 | | &extsStart, &extsLen); |
14382 | | |
14383 | | if (outerExtData == NULL) { |
14384 | | WOLFSSL_MSG("ECH: referenced extension not in outer CH or out " |
14385 | | "of order"); |
14386 | | ret = INVALID_PARAMETER; |
14387 | | break; |
14388 | | } |
14389 | | |
14390 | | if (newInnerCh == NULL) { |
14391 | | *newInnerChLen += outerExtLen; |
14392 | | } |
14393 | | else { |
14394 | | XMEMCPY(*newInnerCh, outerExtData, outerExtLen); |
14395 | | *newInnerCh += outerExtLen; |
14396 | | } |
14397 | | |
14398 | | outerRefTypes += OPAQUE16_LEN; |
14399 | | } |
14400 | | |
14401 | | return ret; |
14402 | | } |
14403 | | |
14404 | | /* Expand ech_outer_extensions in the inner ClientHello by copying referenced |
14405 | | * extensions from the outer ClientHello. |
14406 | | * If the sessionID exists in the outer ClientHello then also copy that into the |
14407 | | * expanded inner ClientHello. |
14408 | | * |
14409 | | * ssl SSL/TLS object. |
14410 | | * ech ECH object. |
14411 | | * heap Heap hint. |
14412 | | * returns 0 on success and otherwise failure. |
14413 | | */ |
14414 | | static int TLSX_ECH_ExpandOuterExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech, |
14415 | | void* heap) |
14416 | | { |
14417 | | int ret = 0; |
14418 | | int headerSz; |
14419 | | const byte* innerCh; |
14420 | | word32 innerChLen; |
14421 | | const byte* outerCh; |
14422 | | word32 outerChLen; |
14423 | | word32 idx; |
14424 | | byte sessionIdLen; |
14425 | | word16 cipherSuitesLen; |
14426 | | byte compressionLen; |
14427 | | |
14428 | | word32 innerExtIdx; |
14429 | | word16 innerExtLen; |
14430 | | word32 echOuterExtIdx = 0; |
14431 | | word16 echOuterExtLen = 0; |
14432 | | int foundEchOuter = 0; |
14433 | | word16 numOuterRefs = 0; |
14434 | | const byte* outerRefTypes = NULL; |
14435 | | word32 extraSize = 0; |
14436 | | byte* newInnerCh = NULL; |
14437 | | byte* newInnerChRef; |
14438 | | word32 newInnerChLen; |
14439 | | word32 copyLen; |
14440 | | |
14441 | | WOLFSSL_ENTER("TLSX_ExpandEchOuterExtensions"); |
14442 | | |
14443 | | if (ech == NULL || ech->innerClientHello == NULL || ech->aad == NULL) |
14444 | | return BAD_FUNC_ARG; |
14445 | | |
14446 | | #ifdef WOLFSSL_DTLS13 |
14447 | | headerSz = ssl->options.dtls ? DTLS13_HANDSHAKE_HEADER_SZ : |
14448 | | HANDSHAKE_HEADER_SZ; |
14449 | | #else |
14450 | | headerSz = HANDSHAKE_HEADER_SZ; |
14451 | | #endif |
14452 | | |
14453 | | innerCh = ech->innerClientHello + headerSz; |
14454 | | innerChLen = ech->innerClientHelloLen; |
14455 | | outerCh = ech->aad; |
14456 | | outerChLen = ech->aadLen; |
14457 | | |
14458 | | /* don't need to check for buffer overflows here since they are caught by |
14459 | | * TLSX_ECH_CheckInnerPadding */ |
14460 | | idx = OPAQUE16_LEN + RAN_LEN; |
14461 | | |
14462 | | sessionIdLen = innerCh[idx++]; |
14463 | | idx += sessionIdLen; |
14464 | | |
14465 | | ato16(innerCh + idx, &cipherSuitesLen); |
14466 | | idx += OPAQUE16_LEN + cipherSuitesLen; |
14467 | | |
14468 | | compressionLen = innerCh[idx++]; |
14469 | | idx += compressionLen; |
14470 | | |
14471 | | ato16(innerCh + idx, &innerExtLen); |
14472 | | idx += OPAQUE16_LEN; |
14473 | | innerExtIdx = idx; |
14474 | | |
14475 | | /* validate ech_outer_extensions and calculate extra size */ |
14476 | | while (idx < innerChLen && (idx - innerExtIdx) < innerExtLen) { |
14477 | | word16 type; |
14478 | | word16 len; |
14479 | | byte outerExtListLen; |
14480 | | |
14481 | | if (idx + OPAQUE16_LEN + OPAQUE16_LEN > innerChLen) |
14482 | | return BUFFER_ERROR; |
14483 | | |
14484 | | ato16(innerCh + idx, &type); |
14485 | | idx += OPAQUE16_LEN; |
14486 | | ato16(innerCh + idx, &len); |
14487 | | idx += OPAQUE16_LEN; |
14488 | | |
14489 | | if (idx + len > innerChLen) |
14490 | | return BUFFER_ERROR; |
14491 | | |
14492 | | if (type == TLSXT_ECH_OUTER_EXTENSIONS) { |
14493 | | if (foundEchOuter) { |
14494 | | WOLFSSL_MSG("ECH: duplicate ech_outer_extensions"); |
14495 | | return INVALID_PARAMETER; |
14496 | | } |
14497 | | foundEchOuter = 1; |
14498 | | echOuterExtIdx = idx - OPAQUE16_LEN - OPAQUE16_LEN; |
14499 | | echOuterExtLen = len + OPAQUE16_LEN + OPAQUE16_LEN; |
14500 | | |
14501 | | /* ech_outer_extensions data format: 1-byte length + extension types |
14502 | | * ExtensionType OuterExtensions<2..254>; */ |
14503 | | if (len < 1) |
14504 | | return BUFFER_ERROR; |
14505 | | outerExtListLen = innerCh[idx]; |
14506 | | if (outerExtListLen + 1 != len || outerExtListLen < 2 || |
14507 | | outerExtListLen == 255) |
14508 | | return BUFFER_ERROR; |
14509 | | |
14510 | | outerRefTypes = innerCh + idx + 1; |
14511 | | numOuterRefs = outerExtListLen / OPAQUE16_LEN; |
14512 | | |
14513 | | ret = TLSX_ECH_CopyOuterExtensions(outerCh, outerChLen, NULL, |
14514 | | &extraSize, numOuterRefs, outerRefTypes); |
14515 | | if (ret != 0) |
14516 | | return ret; |
14517 | | } |
14518 | | |
14519 | | idx += len; |
14520 | | } |
14521 | | |
14522 | | newInnerChLen = innerChLen - echOuterExtLen + extraSize - sessionIdLen + |
14523 | | ssl->session->sessionIDSz; |
14524 | | if (newInnerChLen > 0xFFFF) { |
14525 | | return BUFFER_E; |
14526 | | } |
14527 | | |
14528 | | if (!foundEchOuter && sessionIdLen == ssl->session->sessionIDSz) { |
14529 | | /* no extensions + no sessionID to copy */ |
14530 | | WOLFSSL_MSG("ECH: no EchOuterExtensions extension found"); |
14531 | | return ret; |
14532 | | } |
14533 | | else { |
14534 | | newInnerCh = (byte*)XMALLOC(newInnerChLen + headerSz, heap, |
14535 | | DYNAMIC_TYPE_TMP_BUFFER); |
14536 | | if (newInnerCh == NULL) |
14537 | | return MEMORY_E; |
14538 | | } |
14539 | | |
14540 | | /* note: The first HANDSHAKE_HEADER_SZ bytes are reserved for the header |
14541 | | * but not initialized here. The header will be properly set later by |
14542 | | * AddTls13HandShakeHeader() in DoTls13ClientHello(). */ |
14543 | | |
14544 | | /* copy everything up to EchOuterExtensions */ |
14545 | | newInnerChRef = newInnerCh + headerSz; |
14546 | | copyLen = OPAQUE16_LEN + RAN_LEN; |
14547 | | XMEMCPY(newInnerChRef, innerCh, copyLen); |
14548 | | newInnerChRef += copyLen; |
14549 | | |
14550 | | *newInnerChRef = ssl->session->sessionIDSz; |
14551 | | newInnerChRef += OPAQUE8_LEN; |
14552 | | |
14553 | | copyLen = ssl->session->sessionIDSz; |
14554 | | XMEMCPY(newInnerChRef, ssl->session->sessionID, copyLen); |
14555 | | newInnerChRef += copyLen; |
14556 | | |
14557 | | if (!foundEchOuter) { |
14558 | | WOLFSSL_MSG("ECH: no EchOuterExtensions extension found"); |
14559 | | |
14560 | | copyLen = innerChLen - OPAQUE16_LEN - RAN_LEN - OPAQUE8_LEN - |
14561 | | sessionIdLen; |
14562 | | XMEMCPY(newInnerChRef, innerCh + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN + |
14563 | | sessionIdLen, copyLen); |
14564 | | } |
14565 | | else { |
14566 | | innerExtIdx = headerSz + innerExtIdx - OPAQUE16_LEN - |
14567 | | sessionIdLen + ssl->session->sessionIDSz; |
14568 | | |
14569 | | copyLen = echOuterExtIdx - OPAQUE16_LEN - RAN_LEN - OPAQUE8_LEN - |
14570 | | sessionIdLen; |
14571 | | XMEMCPY(newInnerChRef, innerCh + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN + |
14572 | | sessionIdLen, copyLen); |
14573 | | newInnerChRef += copyLen; |
14574 | | |
14575 | | /* update extensions length in the new ClientHello */ |
14576 | | c16toa(innerExtLen - echOuterExtLen + (word16)extraSize, |
14577 | | newInnerCh + innerExtIdx); |
14578 | | |
14579 | | ret = TLSX_ECH_CopyOuterExtensions(outerCh, outerChLen, &newInnerChRef, |
14580 | | &newInnerChLen, numOuterRefs, outerRefTypes); |
14581 | | if (ret == 0) { |
14582 | | /* copy remaining extensions after ech_outer_extensions */ |
14583 | | copyLen = innerChLen - (echOuterExtIdx + echOuterExtLen); |
14584 | | XMEMCPY(newInnerChRef, innerCh + echOuterExtIdx + echOuterExtLen, |
14585 | | copyLen); |
14586 | | |
14587 | | WOLFSSL_MSG("ECH: expanded ech_outer_extensions successfully"); |
14588 | | } |
14589 | | } |
14590 | | |
14591 | | if (ret == 0) { |
14592 | | XFREE(ech->innerClientHello, heap, DYNAMIC_TYPE_TMP_BUFFER); |
14593 | | ech->innerClientHello = newInnerCh; |
14594 | | ech->innerClientHelloLen = newInnerChLen; |
14595 | | newInnerCh = NULL; |
14596 | | } |
14597 | | |
14598 | | if (newInnerCh != NULL) |
14599 | | XFREE(newInnerCh, heap, DYNAMIC_TYPE_TMP_BUFFER); |
14600 | | |
14601 | | return ret; |
14602 | | } |
14603 | | |
14604 | | /* return status after attempting to open the hpke encrypted ech extension, if |
14605 | | * successful the inner client hello will be stored in |
14606 | | * ech->innerClientHelloLen */ |
14607 | | static int TLSX_ExtractEch(WOLFSSL* ssl, WOLFSSL_ECH* ech, |
14608 | | WOLFSSL_EchConfig* echConfig, byte* aad, word32 aadLen) |
14609 | | { |
14610 | | int ret = 0; |
14611 | | int i; |
14612 | | int allocatedHpke = 0; |
14613 | | word32 rawConfigLen = 0; |
14614 | | byte* info = NULL; |
14615 | | word32 infoLen = 0; |
14616 | | if (ssl == NULL || ech == NULL || echConfig == NULL || aad == NULL) |
14617 | | return BAD_FUNC_ARG; |
14618 | | /* verify the kem and key len */ |
14619 | | if (wc_HpkeKemGetEncLen(echConfig->kemId) != ech->encLen) |
14620 | | return BAD_FUNC_ARG; |
14621 | | /* verify the cipher suite */ |
14622 | | for (i = 0; i < echConfig->numCipherSuites; i++) { |
14623 | | if (echConfig->cipherSuites[i].kdfId == ech->cipherSuite.kdfId && |
14624 | | echConfig->cipherSuites[i].aeadId == ech->cipherSuite.aeadId) { |
14625 | | break; |
14626 | | } |
14627 | | } |
14628 | | if (i >= echConfig->numCipherSuites) { |
14629 | | return BAD_FUNC_ARG; |
14630 | | } |
14631 | | /* check if hpke already exists, may if HelloRetryRequest */ |
14632 | | if (ech->hpke == NULL) { |
14633 | | allocatedHpke = 1; |
14634 | | ech->hpke = (Hpke*)XMALLOC(sizeof(Hpke), ssl->heap, |
14635 | | DYNAMIC_TYPE_TMP_BUFFER); |
14636 | | if (ech->hpke == NULL) |
14637 | | ret = MEMORY_E; |
14638 | | /* init the hpke struct */ |
14639 | | if (ret == 0) { |
14640 | | ret = wc_HpkeInit(ech->hpke, echConfig->kemId, |
14641 | | ech->cipherSuite.kdfId, ech->cipherSuite.aeadId, ssl->heap); |
14642 | | } |
14643 | | if (ret == 0) { |
14644 | | /* allocate hpkeContext */ |
14645 | | ech->hpkeContext = |
14646 | | (HpkeBaseContext*)XMALLOC(sizeof(HpkeBaseContext), |
14647 | | ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14648 | | if (ech->hpkeContext == NULL) |
14649 | | ret = MEMORY_E; |
14650 | | } |
14651 | | /* get the rawConfigLen */ |
14652 | | if (ret == 0) |
14653 | | ret = GetEchConfig(echConfig, NULL, &rawConfigLen); |
14654 | | if (ret == WC_NO_ERR_TRACE(LENGTH_ONLY_E)) |
14655 | | ret = 0; |
14656 | | /* create info */ |
14657 | | if (ret == 0) { |
14658 | | infoLen = TLS_INFO_CONST_STRING_SZ + 1 + rawConfigLen; |
14659 | | info = (byte*)XMALLOC(infoLen, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14660 | | |
14661 | | if (info == NULL) |
14662 | | ret = MEMORY_E; |
14663 | | else { |
14664 | | XMEMCPY(info, (byte*)TLS_INFO_CONST_STRING, |
14665 | | TLS_INFO_CONST_STRING_SZ + 1); |
14666 | | ret = GetEchConfig(echConfig, info + |
14667 | | TLS_INFO_CONST_STRING_SZ + 1, &rawConfigLen); |
14668 | | } |
14669 | | } |
14670 | | #ifdef HAVE_SECRET_CALLBACK |
14671 | | /* allocate secret buffer for wc_HpkeInitOpenContext to copy into */ |
14672 | | if (ret == 0 && (ssl->tls13SecretCb != NULL |
14673 | | #ifdef OPENSSL_EXTRA |
14674 | | || ssl->tls13KeyLogCb != NULL |
14675 | | #endif |
14676 | | )) { |
14677 | | ret = wc_HpkeInitEchSecret(ech->hpke); |
14678 | | } |
14679 | | #endif /* HAVE_SECRET_CALLBACK */ |
14680 | | /* init the context for opening */ |
14681 | | if (ret == 0) { |
14682 | | ret = wc_HpkeInitOpenContext(ech->hpke, ech->hpkeContext, |
14683 | | echConfig->receiverPrivkey, ech->enc, ech->encLen, info, |
14684 | | infoLen); |
14685 | | } |
14686 | | } |
14687 | | /* decrypt the ech payload */ |
14688 | | if (ret == 0) { |
14689 | | ret = wc_HpkeContextOpenBase(ech->hpke, ech->hpkeContext, aad, aadLen, |
14690 | | ech->outerClientPayload, ech->innerClientHelloLen, |
14691 | | ech->innerClientHello + HANDSHAKE_HEADER_SZ); |
14692 | | } |
14693 | | |
14694 | | #ifdef HAVE_SECRET_CALLBACK |
14695 | | if (ret == 0 && ech->hpke->echSecret != NULL) { |
14696 | | ret = EchWriteKeyLog(ssl, ech->hpke->echSecret, ech->hpke->Nsecret, |
14697 | | info + TLS_INFO_CONST_STRING_SZ + 1, rawConfigLen); |
14698 | | } |
14699 | | wc_HpkeFreeEchSecret(ech->hpke); |
14700 | | #endif /* HAVE_SECRET_CALLBACK */ |
14701 | | |
14702 | | /* only free hpke/hpkeContext if allocated in this call; otherwise preserve |
14703 | | * them for clientHello2 */ |
14704 | | if (ret != 0 && allocatedHpke) { |
14705 | | XFREE(ech->hpke, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14706 | | ech->hpke = NULL; |
14707 | | if (ech->hpkeContext != NULL) { |
14708 | | ForceZero(ech->hpkeContext, sizeof(HpkeBaseContext)); |
14709 | | XFREE(ech->hpkeContext, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14710 | | ech->hpkeContext = NULL; |
14711 | | } |
14712 | | } |
14713 | | |
14714 | | if (info != NULL) |
14715 | | XFREE(info, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14716 | | |
14717 | | return ret; |
14718 | | } |
14719 | | |
14720 | | /* parse the ech extension, if internal update ech->state and return, if |
14721 | | * external attempt to extract the inner client_hello, return the status */ |
14722 | | static int TLSX_ECH_Parse(WOLFSSL* ssl, const byte* readBuf, word16 size, |
14723 | | byte msgType) |
14724 | | { |
14725 | | int ret = 0; |
14726 | | TLSX* echX; |
14727 | | WOLFSSL_ECH* ech; |
14728 | | WOLFSSL_EchConfig* echConfig; |
14729 | | byte* aadCopy; |
14730 | | byte* readBuf_p = (byte*)readBuf; |
14731 | | word32 offset = 0; |
14732 | | word16 len; |
14733 | | word16 tmpVal16; |
14734 | | word16 lenCh; |
14735 | | |
14736 | | WOLFSSL_MSG("TLSX_ECH_Parse"); |
14737 | | if (ssl->options.disableECH) { |
14738 | | WOLFSSL_MSG("TLSX_ECH_Parse: ECH disabled. Ignoring."); |
14739 | | return 0; |
14740 | | } |
14741 | | if (size == 0) |
14742 | | return BAD_FUNC_ARG; |
14743 | | |
14744 | | /* retry configs */ |
14745 | | if (msgType == encrypted_extensions) { |
14746 | | /* configs must only be sent on ECH rejection (RFC9849, Section 5) */ |
14747 | | if (ssl->options.echAccepted) { |
14748 | | SendAlert(ssl, alert_fatal, unsupported_extension); |
14749 | | WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION); |
14750 | | return UNSUPPORTED_EXTENSION; |
14751 | | } |
14752 | | |
14753 | | ret = SetRetryConfigs(ssl, readBuf, (word32)size); |
14754 | | if (ret == WC_NO_ERR_TRACE(UNSUPPORTED_SUITE) || |
14755 | | ret == WC_NO_ERR_TRACE(UNSUPPORTED_PROTO_VERSION)) { |
14756 | | WOLFSSL_MSG("ECH retry configs had 'bad version' or 'bad suite'"); |
14757 | | ret = 0; |
14758 | | } |
14759 | | |
14760 | | if (ssl->echConfigs == NULL) { |
14761 | | /* on GREASE connection configs must be checked syntactically and |
14762 | | * must not be saved (RFC 9849, Section 6.2.1) */ |
14763 | | FreeEchConfigs(ssl->echRetryConfigs, ssl->heap); |
14764 | | ssl->echRetryConfigs = NULL; |
14765 | | } |
14766 | | |
14767 | | /* retry configs may only be accepted at the point when ECH_REQUIRED is |
14768 | | * sent */ |
14769 | | ssl->options.echRetryConfigsAccepted = 0; |
14770 | | } |
14771 | | /* HRR with special confirmation */ |
14772 | | else if (msgType == hello_retry_request && ssl->echConfigs != NULL) { |
14773 | | /* length must be 8 */ |
14774 | | if (size != ECH_ACCEPT_CONFIRMATION_SZ) |
14775 | | return BUFFER_ERROR; |
14776 | | |
14777 | | /* get extension */ |
14778 | | echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
14779 | | if (echX == NULL) |
14780 | | return BAD_FUNC_ARG; |
14781 | | ech = (WOLFSSL_ECH*)echX->data; |
14782 | | |
14783 | | ech->confBuf = (byte*)readBuf; |
14784 | | } |
14785 | | else if (msgType == client_hello && ssl->ctx->echConfigs != NULL) { |
14786 | | /* get extension */ |
14787 | | echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
14788 | | if (echX == NULL) |
14789 | | return BAD_FUNC_ARG; |
14790 | | ech = (WOLFSSL_ECH*)echX->data; |
14791 | | |
14792 | | /* if the first ECH was rejected or CH1 did not have ECH then there is |
14793 | | * no need to decrypt this one */ |
14794 | | if (!ssl->options.echAccepted && ssl->options.serverState == |
14795 | | SERVER_HELLO_RETRY_REQUEST_COMPLETE) { |
14796 | | ech->state = ECH_WRITE_RETRY_CONFIGS; |
14797 | | return 0; |
14798 | | } |
14799 | | |
14800 | | /* read the ech parameters before the payload */ |
14801 | | ech->type = *readBuf_p; |
14802 | | readBuf_p++; |
14803 | | offset += 1; |
14804 | | if (ssl->options.echProcessingInner && ech->type == ECH_TYPE_INNER) { |
14805 | | ech->state = ECH_PARSED_INTERNAL; |
14806 | | return 0; |
14807 | | } |
14808 | | else if ((!ssl->options.echProcessingInner && |
14809 | | ech->type != ECH_TYPE_OUTER) || |
14810 | | (ssl->options.echProcessingInner && |
14811 | | ech->type != ECH_TYPE_INNER)) { |
14812 | | /* MUST process INNER in inner hello and OUTER in outer hello */ |
14813 | | return INVALID_PARAMETER; |
14814 | | } |
14815 | | /* Must have kdfId, aeadId, configId, enc len and payload len. */ |
14816 | | if (size < offset + 2 + 2 + 1 + 2 + 2) { |
14817 | | return BUFFER_ERROR; |
14818 | | } |
14819 | | /* only get enc if we don't already have the hpke context */ |
14820 | | if (ech->hpkeContext == NULL) { |
14821 | | /* kdfId */ |
14822 | | ato16(readBuf_p, &ech->cipherSuite.kdfId); |
14823 | | readBuf_p += 2; |
14824 | | offset += 2; |
14825 | | /* aeadId */ |
14826 | | ato16(readBuf_p, &ech->cipherSuite.aeadId); |
14827 | | readBuf_p += 2; |
14828 | | offset += 2; |
14829 | | /* configId */ |
14830 | | ech->configId = *readBuf_p; |
14831 | | readBuf_p++; |
14832 | | offset++; |
14833 | | /* encLen */ |
14834 | | ato16(readBuf_p, &len); |
14835 | | readBuf_p += 2; |
14836 | | offset += 2; |
14837 | | /* Check encLen isn't more than remaining bytes minus |
14838 | | * payload length. */ |
14839 | | if (len > size - offset - 2) { |
14840 | | return BUFFER_ERROR; |
14841 | | } |
14842 | | if (len > HPKE_Npk_MAX) { |
14843 | | return BUFFER_ERROR; |
14844 | | } |
14845 | | /* read enc */ |
14846 | | XMEMCPY(ech->enc, readBuf_p, len); |
14847 | | ech->encLen = len; |
14848 | | } |
14849 | | else { |
14850 | | /* kdfId, aeadId, and configId must be the same as last time */ |
14851 | | /* kdfId */ |
14852 | | ato16(readBuf_p, &tmpVal16); |
14853 | | if (tmpVal16 != ech->cipherSuite.kdfId) { |
14854 | | return INVALID_PARAMETER; |
14855 | | } |
14856 | | readBuf_p += 2; |
14857 | | offset += 2; |
14858 | | /* aeadId */ |
14859 | | ato16(readBuf_p, &tmpVal16); |
14860 | | if (tmpVal16 != ech->cipherSuite.aeadId) { |
14861 | | return INVALID_PARAMETER; |
14862 | | } |
14863 | | readBuf_p += 2; |
14864 | | offset += 2; |
14865 | | /* configId */ |
14866 | | if (*readBuf_p != ech->configId) { |
14867 | | return INVALID_PARAMETER; |
14868 | | } |
14869 | | readBuf_p++; |
14870 | | offset++; |
14871 | | /* on an HRR the enc value MUST be empty */ |
14872 | | ato16(readBuf_p, &len); |
14873 | | if (len != 0) { |
14874 | | return INVALID_PARAMETER; |
14875 | | } |
14876 | | readBuf_p += 2; |
14877 | | offset += 2; |
14878 | | } |
14879 | | readBuf_p += len; |
14880 | | offset += len; |
14881 | | /* read payload (encrypted CH) len */ |
14882 | | ato16(readBuf_p, &lenCh); |
14883 | | ech->innerClientHelloLen = lenCh; |
14884 | | readBuf_p += 2; |
14885 | | offset += 2; |
14886 | | /* Check payload is no bigger than remaining bytes. */ |
14887 | | if (ech->innerClientHelloLen > size - offset) { |
14888 | | return BUFFER_ERROR; |
14889 | | } |
14890 | | if (ech->innerClientHelloLen < WC_AES_BLOCK_SIZE) { |
14891 | | return BUFFER_ERROR; |
14892 | | } |
14893 | | ech->innerClientHelloLen -= WC_AES_BLOCK_SIZE; |
14894 | | ech->outerClientPayload = readBuf_p; |
14895 | | /* make a copy of the aad */ |
14896 | | aadCopy = (byte*)XMALLOC(ech->aadLen, ssl->heap, |
14897 | | DYNAMIC_TYPE_TMP_BUFFER); |
14898 | | if (aadCopy == NULL) |
14899 | | return MEMORY_E; |
14900 | | XMEMCPY(aadCopy, ech->aad, ech->aadLen); |
14901 | | /* set the ech payload of the copy to zeros */ |
14902 | | XMEMSET(aadCopy + (readBuf_p - ech->aad), 0, |
14903 | | ech->innerClientHelloLen + WC_AES_BLOCK_SIZE); |
14904 | | /* free the old ech when this is the second client hello */ |
14905 | | if (ech->innerClientHello != NULL) |
14906 | | XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14907 | | /* allocate the inner payload buffer */ |
14908 | | ech->innerClientHello = |
14909 | | (byte*)XMALLOC(ech->innerClientHelloLen + HANDSHAKE_HEADER_SZ, |
14910 | | ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14911 | | if (ech->innerClientHello == NULL) { |
14912 | | XFREE(aadCopy, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14913 | | return MEMORY_E; |
14914 | | } |
14915 | | /* try to decrypt with matching configId */ |
14916 | | echConfig = ssl->ctx->echConfigs; |
14917 | | while (echConfig != NULL) { |
14918 | | if (echConfig->configId == ech->configId) { |
14919 | | ret = TLSX_ExtractEch(ssl, ech, echConfig, aadCopy, |
14920 | | ech->aadLen); |
14921 | | if (ret == 0 || ret == WC_NO_ERR_TRACE(TLS13_SECRET_CB_E)) |
14922 | | break; |
14923 | | } |
14924 | | echConfig = echConfig->next; |
14925 | | } |
14926 | | /* otherwise, try to decrypt with all configs (trial decryption) */ |
14927 | | if (echConfig == NULL && ssl->options.enableEchTrialDecrypt) { |
14928 | | echConfig = ssl->ctx->echConfigs; |
14929 | | while (echConfig != NULL) { |
14930 | | if (echConfig->configId != ech->configId) { |
14931 | | ret = TLSX_ExtractEch(ssl, ech, echConfig, aadCopy, |
14932 | | ech->aadLen); |
14933 | | if (ret == 0 || ret == WC_NO_ERR_TRACE(TLS13_SECRET_CB_E)) |
14934 | | break; |
14935 | | } |
14936 | | echConfig = echConfig->next; |
14937 | | } |
14938 | | } |
14939 | | /* TLS13_SECRET_CB_E isn't correlated with ECH acceptance so skip both |
14940 | | * paths */ |
14941 | | if (ret != WC_NO_ERR_TRACE(TLS13_SECRET_CB_E)) { |
14942 | | /* if we failed to extract/expand */ |
14943 | | if (ret != 0 || echConfig == NULL) { |
14944 | | WOLFSSL_MSG("ECH rejected"); |
14945 | | |
14946 | | if (ssl->options.echAccepted == 0) { |
14947 | | /* on SH1 prepare to write retry configs */ |
14948 | | XFREE(ech->innerClientHello, ssl->heap, |
14949 | | DYNAMIC_TYPE_TMP_BUFFER); |
14950 | | ech->innerClientHello = NULL; |
14951 | | ech->state = ECH_WRITE_RETRY_CONFIGS; |
14952 | | ret = 0; |
14953 | | } |
14954 | | else { |
14955 | | /* on SH2 failure to decrypt is fatal */ |
14956 | | SendAlert(ssl, alert_fatal, decrypt_error); |
14957 | | WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR); |
14958 | | ret = DECRYPT_ERROR; |
14959 | | } |
14960 | | } |
14961 | | else { |
14962 | | WOLFSSL_MSG("ECH accepted"); |
14963 | | ssl->options.echAccepted = 1; |
14964 | | |
14965 | | ret = TLSX_ECH_CheckInnerPadding(ssl, ech); |
14966 | | if (ret == 0) { |
14967 | | /* expand EchOuterExtensions if present. |
14968 | | * Also, if it exists, copy sessionID from outer hello */ |
14969 | | ret = TLSX_ECH_ExpandOuterExtensions(ssl, ech, ssl->heap); |
14970 | | } |
14971 | | } |
14972 | | } |
14973 | | if (ret != 0) { |
14974 | | XFREE(ech->innerClientHello, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14975 | | ech->innerClientHello = NULL; |
14976 | | } |
14977 | | |
14978 | | XFREE(aadCopy, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); |
14979 | | } |
14980 | | |
14981 | | return ret; |
14982 | | } |
14983 | | |
14984 | | /* free the ech struct and the dynamic buffer it uses */ |
14985 | | static void TLSX_ECH_Free(WOLFSSL_ECH* ech, void* heap) |
14986 | | { |
14987 | | XFREE(ech->innerClientHello, heap, DYNAMIC_TYPE_TMP_BUFFER); |
14988 | | if (ech->hpke != NULL) { |
14989 | | wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, ech->ephemeralKey, |
14990 | | ech->hpke->heap); |
14991 | | /* wc_HpkeFreeEchSecret is intentionally not here, free it in |
14992 | | * TLSX_ExtractEch / TLSX_FinalizeEch */ |
14993 | | XFREE(ech->hpke, heap, DYNAMIC_TYPE_TMP_BUFFER); |
14994 | | } |
14995 | | if (ech->hpkeContext != NULL) { |
14996 | | ForceZero(ech->hpkeContext, sizeof(HpkeBaseContext)); |
14997 | | XFREE(ech->hpkeContext, heap, DYNAMIC_TYPE_TMP_BUFFER); |
14998 | | } |
14999 | | |
15000 | | XFREE(ech, heap, DYNAMIC_TYPE_TMP_BUFFER); |
15001 | | (void)heap; |
15002 | | } |
15003 | | |
15004 | | /* encrypt the client hello and store it in ech->outerClientPayload, return |
15005 | | * status */ |
15006 | | int TLSX_FinalizeEch(WOLFSSL* ssl, WOLFSSL_ECH* ech, byte* aad, word32 aadLen) |
15007 | | { |
15008 | | int ret = 0; |
15009 | | void* receiverPubkey = NULL; |
15010 | | byte* info = NULL; |
15011 | | int infoLen = 0; |
15012 | | byte* aadCopy = NULL; |
15013 | | if (ssl == NULL || ech == NULL || aad == NULL) |
15014 | | return BAD_FUNC_ARG; |
15015 | | /* setup hpke context to seal, should be done at most once per connection */ |
15016 | | if (ech->hpkeContext == NULL) { |
15017 | | /* import the server public key */ |
15018 | | ret = wc_HpkeDeserializePublicKey(ech->hpke, &receiverPubkey, |
15019 | | ech->echConfig->receiverPubkey, ech->encLen); |
15020 | | if (ret == 0) { |
15021 | | /* allocate hpke context */ |
15022 | | ech->hpkeContext = |
15023 | | (HpkeBaseContext*)XMALLOC(sizeof(HpkeBaseContext), |
15024 | | ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER); |
15025 | | if (ech->hpkeContext == NULL) |
15026 | | ret = MEMORY_E; |
15027 | | } |
15028 | | if (ret == 0) { |
15029 | | /* create info */ |
15030 | | infoLen = TLS_INFO_CONST_STRING_SZ + 1 + ech->echConfig->rawLen; |
15031 | | info = (byte*)XMALLOC(infoLen, ech->hpke->heap, |
15032 | | DYNAMIC_TYPE_TMP_BUFFER); |
15033 | | if (info == NULL) |
15034 | | ret = MEMORY_E; |
15035 | | } |
15036 | | if (ret == 0) { |
15037 | | /* puts the null byte in for me */ |
15038 | | XMEMCPY(info, (byte*)TLS_INFO_CONST_STRING, |
15039 | | TLS_INFO_CONST_STRING_SZ + 1); |
15040 | | XMEMCPY(info + TLS_INFO_CONST_STRING_SZ + 1, |
15041 | | ech->echConfig->raw, ech->echConfig->rawLen); |
15042 | | } |
15043 | | #ifdef HAVE_SECRET_CALLBACK |
15044 | | /* allocate secret buffer for wc_HpkeInitSealContext to copy into */ |
15045 | | if (ret == 0 && (ssl->tls13SecretCb != NULL |
15046 | | #ifdef OPENSSL_EXTRA |
15047 | | || ssl->tls13KeyLogCb != NULL |
15048 | | #endif |
15049 | | )) { |
15050 | | ret = wc_HpkeInitEchSecret(ech->hpke); |
15051 | | } |
15052 | | #endif /* HAVE_SECRET_CALLBACK */ |
15053 | | if (ret == 0) { |
15054 | | /* init the context for seal with info and keys */ |
15055 | | ret = wc_HpkeInitSealContext(ech->hpke, ech->hpkeContext, |
15056 | | ech->ephemeralKey, receiverPubkey, info, infoLen); |
15057 | | } |
15058 | | } |
15059 | | if (ret == 0) { |
15060 | | /* make a copy of the aad since we overwrite it */ |
15061 | | aadCopy = (byte*)XMALLOC(aadLen, ech->hpke->heap, |
15062 | | DYNAMIC_TYPE_TMP_BUFFER); |
15063 | | if (aadCopy == NULL) { |
15064 | | ret = MEMORY_E; |
15065 | | } |
15066 | | } |
15067 | | if (ret == 0) { |
15068 | | XMEMCPY(aadCopy, aad, aadLen); |
15069 | | /* seal the payload with context */ |
15070 | | ret = wc_HpkeContextSealBase(ech->hpke, ech->hpkeContext, aadCopy, |
15071 | | aadLen, ech->innerClientHello, |
15072 | | ech->innerClientHelloLen - ech->hpke->Nt, ech->outerClientPayload); |
15073 | | } |
15074 | | |
15075 | | #ifdef HAVE_SECRET_CALLBACK |
15076 | | if (ret == 0 && ech->hpke->echSecret != NULL) { |
15077 | | ret = EchWriteKeyLog(ssl, ech->hpke->echSecret, ech->hpke->Nsecret, |
15078 | | ech->echConfig->raw, ech->echConfig->rawLen); |
15079 | | } |
15080 | | wc_HpkeFreeEchSecret(ech->hpke); |
15081 | | #endif /* HAVE_SECRET_CALLBACK */ |
15082 | | |
15083 | | if (info != NULL) |
15084 | | XFREE(info, ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER); |
15085 | | if (aadCopy != NULL) |
15086 | | XFREE(aadCopy, ech->hpke->heap, DYNAMIC_TYPE_TMP_BUFFER); |
15087 | | if (receiverPubkey != NULL) |
15088 | | wc_HpkeFreeKey(ech->hpke, ech->hpke->kem, receiverPubkey, |
15089 | | ech->hpke->heap); |
15090 | | return ret; |
15091 | | } |
15092 | | |
15093 | | #define GREASE_ECH_USE TLSX_GreaseECH_Use |
15094 | | #define ECH_USE TLSX_ECH_Use |
15095 | | #define SERVER_ECH_USE TLSX_ServerECH_Use |
15096 | | #define ECH_WRITE TLSX_ECH_Write |
15097 | | #define ECH_GET_SIZE TLSX_ECH_GetSize |
15098 | | #define ECH_PARSE TLSX_ECH_Parse |
15099 | | #define ECH_FREE TLSX_ECH_Free |
15100 | | |
15101 | | #endif /* WOLFSSL_TLS13 && HAVE_ECH */ |
15102 | | |
15103 | | /** Releases all extensions in the provided list. */ |
15104 | | void TLSX_FreeAll(TLSX* list, void* heap) |
15105 | 0 | { |
15106 | 0 | TLSX* extension; |
15107 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
15108 | | TLSX* echList; |
15109 | | TLSX* tail; |
15110 | | #endif |
15111 | |
|
15112 | 0 | while ((extension = list)) { |
15113 | 0 | list = extension->next; |
15114 | |
|
15115 | 0 | switch (extension->type) { |
15116 | | #if defined(HAVE_RPK) |
15117 | | case TLSX_CLIENT_CERTIFICATE_TYPE: |
15118 | | WOLFSSL_MSG("Client Certificate Type extension free"); |
15119 | | /* nothing to do */ |
15120 | | break; |
15121 | | case TLSX_SERVER_CERTIFICATE_TYPE: |
15122 | | WOLFSSL_MSG("Server Certificate Type extension free"); |
15123 | | /* nothing to do */ |
15124 | | break; |
15125 | | #endif |
15126 | | |
15127 | 0 | #ifdef HAVE_SNI |
15128 | 0 | case TLSX_SERVER_NAME: |
15129 | 0 | WOLFSSL_MSG("SNI extension free"); |
15130 | 0 | SNI_FREE_ALL((SNI*)extension->data, heap); |
15131 | 0 | break; |
15132 | 0 | #endif |
15133 | | |
15134 | 0 | case TLSX_TRUSTED_CA_KEYS: |
15135 | 0 | WOLFSSL_MSG("Trusted CA Indication extension free"); |
15136 | 0 | TCA_FREE_ALL((TCA*)extension->data, heap); |
15137 | 0 | break; |
15138 | | |
15139 | 0 | case TLSX_MAX_FRAGMENT_LENGTH: |
15140 | 0 | WOLFSSL_MSG("Max Fragment Length extension free"); |
15141 | 0 | MFL_FREE_ALL(extension->data, heap); |
15142 | 0 | break; |
15143 | | |
15144 | 0 | case TLSX_EXTENDED_MASTER_SECRET: |
15145 | 0 | WOLFSSL_MSG("Extended Master Secret free"); |
15146 | | /* Nothing to do. */ |
15147 | 0 | break; |
15148 | 0 | case TLSX_TRUNCATED_HMAC: |
15149 | 0 | WOLFSSL_MSG("Truncated HMAC extension free"); |
15150 | | /* Nothing to do. */ |
15151 | 0 | break; |
15152 | | |
15153 | 0 | case TLSX_SUPPORTED_GROUPS: |
15154 | 0 | WOLFSSL_MSG("Supported Groups extension free"); |
15155 | 0 | EC_FREE_ALL((SupportedCurve*)extension->data, heap); |
15156 | 0 | break; |
15157 | | |
15158 | 0 | case TLSX_EC_POINT_FORMATS: |
15159 | 0 | WOLFSSL_MSG("Point Formats extension free"); |
15160 | 0 | PF_FREE_ALL((PointFormat*)extension->data, heap); |
15161 | 0 | break; |
15162 | | |
15163 | 0 | case TLSX_STATUS_REQUEST: |
15164 | 0 | WOLFSSL_MSG("Certificate Status Request extension free"); |
15165 | 0 | CSR_FREE_ALL((CertificateStatusRequest*)extension->data, heap); |
15166 | 0 | break; |
15167 | | |
15168 | 0 | case TLSX_STATUS_REQUEST_V2: |
15169 | 0 | WOLFSSL_MSG("Certificate Status Request v2 extension free"); |
15170 | 0 | CSR2_FREE_ALL((CertificateStatusRequestItemV2*)extension->data, |
15171 | 0 | heap); |
15172 | 0 | break; |
15173 | | |
15174 | 0 | case TLSX_RENEGOTIATION_INFO: |
15175 | 0 | WOLFSSL_MSG("Secure Renegotiation extension free"); |
15176 | 0 | SCR_FREE_ALL(extension->data, heap); |
15177 | 0 | break; |
15178 | | |
15179 | 0 | case TLSX_SESSION_TICKET: |
15180 | 0 | WOLFSSL_MSG("Session Ticket extension free"); |
15181 | 0 | WOLF_STK_FREE(extension->data, heap); |
15182 | 0 | break; |
15183 | | |
15184 | 0 | case TLSX_APPLICATION_LAYER_PROTOCOL: |
15185 | 0 | WOLFSSL_MSG("ALPN extension free"); |
15186 | 0 | ALPN_FREE_ALL((ALPN*)extension->data, heap); |
15187 | 0 | break; |
15188 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
15189 | 0 | case TLSX_SIGNATURE_ALGORITHMS: |
15190 | 0 | WOLFSSL_MSG("Signature Algorithms extension to free"); |
15191 | 0 | SA_FREE_ALL((SignatureAlgorithms*)extension->data, heap); |
15192 | 0 | break; |
15193 | 0 | #endif |
15194 | 0 | #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) |
15195 | 0 | case TLSX_ENCRYPT_THEN_MAC: |
15196 | 0 | WOLFSSL_MSG("Encrypt-Then-Mac extension free"); |
15197 | 0 | break; |
15198 | 0 | #endif |
15199 | | |
15200 | 0 | #if defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) |
15201 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15202 | | case TLSX_PRE_SHARED_KEY: |
15203 | | WOLFSSL_MSG("Pre-Shared Key extension free"); |
15204 | | PSK_FREE_ALL((PreSharedKey*)extension->data, heap); |
15205 | | break; |
15206 | | |
15207 | | #ifdef WOLFSSL_TLS13 |
15208 | | case TLSX_PSK_KEY_EXCHANGE_MODES: |
15209 | | WOLFSSL_MSG("PSK Key Exchange Modes extension free"); |
15210 | | break; |
15211 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
15212 | | case TLSX_CERT_WITH_EXTERN_PSK: |
15213 | | WOLFSSL_MSG("Cert with external PSK extension free"); |
15214 | | break; |
15215 | | #endif |
15216 | | #endif |
15217 | | #endif |
15218 | | |
15219 | 0 | case TLSX_KEY_SHARE: |
15220 | 0 | WOLFSSL_MSG("Key Share extension free"); |
15221 | 0 | KS_FREE_ALL((KeyShareEntry*)extension->data, heap); |
15222 | 0 | break; |
15223 | 0 | #endif |
15224 | 0 | #ifdef WOLFSSL_TLS13 |
15225 | 0 | case TLSX_SUPPORTED_VERSIONS: |
15226 | 0 | WOLFSSL_MSG("Supported Versions extension free"); |
15227 | 0 | break; |
15228 | | |
15229 | 0 | case TLSX_COOKIE: |
15230 | 0 | WOLFSSL_MSG("Cookie extension free"); |
15231 | 0 | CKE_FREE_ALL((Cookie*)extension->data, heap); |
15232 | 0 | break; |
15233 | | |
15234 | | #ifdef WOLFSSL_EARLY_DATA |
15235 | | case TLSX_EARLY_DATA: |
15236 | | WOLFSSL_MSG("Early Data extension free"); |
15237 | | break; |
15238 | | #endif |
15239 | | |
15240 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
15241 | | case TLSX_POST_HANDSHAKE_AUTH: |
15242 | | WOLFSSL_MSG("Post-Handshake Authentication extension free"); |
15243 | | break; |
15244 | | #endif |
15245 | | |
15246 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
15247 | 0 | case TLSX_SIGNATURE_ALGORITHMS_CERT: |
15248 | 0 | WOLFSSL_MSG("Signature Algorithms extension free"); |
15249 | 0 | break; |
15250 | 0 | #endif |
15251 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) |
15252 | | case TLSX_CERTIFICATE_AUTHORITIES: |
15253 | | WOLFSSL_MSG("Certificate Authorities extension free"); |
15254 | | break; |
15255 | | #endif |
15256 | 0 | #endif |
15257 | | #ifdef WOLFSSL_SRTP |
15258 | | case TLSX_USE_SRTP: |
15259 | | WOLFSSL_MSG("SRTP extension free"); |
15260 | | SRTP_FREE((TlsxSrtp*)extension->data, heap); |
15261 | | break; |
15262 | | #endif |
15263 | | |
15264 | | #ifdef WOLFSSL_QUIC |
15265 | | case TLSX_KEY_QUIC_TP_PARAMS: |
15266 | | FALL_THROUGH; |
15267 | | case TLSX_KEY_QUIC_TP_PARAMS_DRAFT: |
15268 | | WOLFSSL_MSG("QUIC transport parameter free"); |
15269 | | QTP_FREE((QuicTransportParam*)extension->data, heap); |
15270 | | break; |
15271 | | #endif |
15272 | | |
15273 | | #ifdef WOLFSSL_DTLS_CID |
15274 | | case TLSX_CONNECTION_ID: |
15275 | | WOLFSSL_MSG("Connection ID extension free"); |
15276 | | CID_FREE((byte*)extension->data, heap); |
15277 | | break; |
15278 | | #endif /* WOLFSSL_DTLS_CID */ |
15279 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
15280 | | case TLSX_ECH: |
15281 | | WOLFSSL_MSG("ECH extension free"); |
15282 | | /* append the ech extensions to the tail of the list so a |
15283 | | * recursive TLSX_FreeAll is not necessary */ |
15284 | | echList = ((WOLFSSL_ECH*)extension->data)->extensions; |
15285 | | if (echList != NULL) { |
15286 | | if (list == NULL) { |
15287 | | list = echList; |
15288 | | } |
15289 | | else { |
15290 | | tail = list; |
15291 | | while (tail->next != NULL) |
15292 | | tail = tail->next; |
15293 | | tail->next = echList; |
15294 | | } |
15295 | | } |
15296 | | ECH_FREE((WOLFSSL_ECH*)extension->data, heap); |
15297 | | break; |
15298 | | #endif |
15299 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS) |
15300 | | case TLSX_CKS: |
15301 | | WOLFSSL_MSG("CKS extension free"); |
15302 | | /* nothing to do */ |
15303 | | break; |
15304 | | #endif |
15305 | 0 | default: |
15306 | 0 | break; |
15307 | 0 | } |
15308 | | |
15309 | 0 | XFREE(extension, heap, DYNAMIC_TYPE_TLSX); |
15310 | 0 | } |
15311 | | |
15312 | 0 | (void)heap; |
15313 | 0 | } |
15314 | | |
15315 | | /** Checks if the tls extensions are supported based on the protocol version. */ |
15316 | 0 | int TLSX_SupportExtensions(WOLFSSL* ssl) { |
15317 | 0 | return ssl && (IsTLS(ssl) || ssl->version.major == DTLS_MAJOR); |
15318 | 0 | } |
15319 | | |
15320 | | /** Tells the buffered size of the extensions in a list. */ |
15321 | | static int TLSX_GetSize(TLSX* list, byte* semaphore, byte msgType, |
15322 | | word16* pLength) |
15323 | 0 | { |
15324 | 0 | int ret = 0; |
15325 | 0 | TLSX* extension; |
15326 | | /* Use a word32 accumulator so that an extension whose contribution |
15327 | | * pushes the running total past 0xFFFF is detected rather than |
15328 | | * silently wrapped (the TLS extensions block length prefix on the |
15329 | | * wire is a 2-byte field). Callees that take a word16* accumulator |
15330 | | * are invoked via a per-iteration shim (`cbShim`) and their delta |
15331 | | * is added back into the word32 total. |
15332 | | * |
15333 | | * MAINTAINER NOTE: do NOT pass &length to any *_GET_SIZE function |
15334 | | * that expects a `word16*` out-parameter -- that would be a type |
15335 | | * mismatch (UB) and would silently bypass the overflow detection |
15336 | | * below. When adding a new extension case, either: |
15337 | | * - use `length += FOO_GET_SIZE(...)` when the helper returns a |
15338 | | * word16 by value, or |
15339 | | * - use the cbShim pattern: `cbShim = 0; ret = FOO_GET_SIZE(..., |
15340 | | * &cbShim); length += cbShim;` |
15341 | | */ |
15342 | 0 | word32 length = 0; |
15343 | 0 | word16 cbShim = 0; |
15344 | 0 | byte isRequest = (msgType == client_hello || |
15345 | 0 | msgType == certificate_request); |
15346 | 0 | (void)cbShim; |
15347 | |
|
15348 | 0 | while ((extension = list)) { |
15349 | 0 | list = extension->next; |
15350 | | |
15351 | | /* only extensions marked as response are sent back to the client. */ |
15352 | 0 | if (!isRequest && !extension->resp) |
15353 | 0 | continue; /* skip! */ |
15354 | | |
15355 | | /* ssl level extensions are expected to override ctx level ones. */ |
15356 | 0 | if (!IS_OFF(semaphore, TLSX_ToSemaphore((word16)extension->type))) |
15357 | 0 | continue; /* skip! */ |
15358 | | |
15359 | | /* extension type + extension data length. */ |
15360 | 0 | length += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN; |
15361 | |
|
15362 | 0 | switch (extension->type) { |
15363 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS) |
15364 | | case TLSX_CKS: |
15365 | | length += ((WOLFSSL*)extension->data)->sigSpecSz ; |
15366 | | break; |
15367 | | #endif |
15368 | 0 | #ifdef HAVE_SNI |
15369 | 0 | case TLSX_SERVER_NAME: |
15370 | | /* SNI only sends the name on the request. */ |
15371 | 0 | if (isRequest) |
15372 | 0 | length += SNI_GET_SIZE((SNI*)extension->data); |
15373 | 0 | break; |
15374 | 0 | #endif |
15375 | | |
15376 | 0 | case TLSX_TRUSTED_CA_KEYS: |
15377 | | /* TCA only sends the list on the request. */ |
15378 | 0 | if (isRequest) { |
15379 | 0 | word16 tcaSz = TCA_GET_SIZE((TCA*)extension->data); |
15380 | | /* 0 on non-empty list means 16-bit overflow. */ |
15381 | 0 | if (tcaSz == 0 && extension->data != NULL) { |
15382 | 0 | ret = LENGTH_ERROR; |
15383 | 0 | break; |
15384 | 0 | } |
15385 | 0 | length += tcaSz; |
15386 | 0 | } |
15387 | 0 | break; |
15388 | | |
15389 | 0 | case TLSX_MAX_FRAGMENT_LENGTH: |
15390 | 0 | length += MFL_GET_SIZE(extension->data); |
15391 | 0 | break; |
15392 | | |
15393 | 0 | case TLSX_EXTENDED_MASTER_SECRET: |
15394 | 0 | case TLSX_TRUNCATED_HMAC: |
15395 | | /* always empty. */ |
15396 | 0 | break; |
15397 | | |
15398 | 0 | case TLSX_SUPPORTED_GROUPS: |
15399 | 0 | length += EC_GET_SIZE((SupportedCurve*)extension->data); |
15400 | 0 | break; |
15401 | | |
15402 | 0 | case TLSX_EC_POINT_FORMATS: |
15403 | 0 | length += PF_GET_SIZE((PointFormat*)extension->data); |
15404 | 0 | break; |
15405 | | |
15406 | 0 | case TLSX_STATUS_REQUEST: |
15407 | 0 | length += CSR_GET_SIZE( |
15408 | 0 | (CertificateStatusRequest*)extension->data, isRequest); |
15409 | 0 | break; |
15410 | | |
15411 | 0 | case TLSX_STATUS_REQUEST_V2: |
15412 | 0 | length += CSR2_GET_SIZE( |
15413 | 0 | (CertificateStatusRequestItemV2*)extension->data, |
15414 | 0 | isRequest); |
15415 | 0 | break; |
15416 | | |
15417 | 0 | case TLSX_RENEGOTIATION_INFO: |
15418 | 0 | length += SCR_GET_SIZE((SecureRenegotiation*)extension->data, |
15419 | 0 | isRequest); |
15420 | 0 | break; |
15421 | | |
15422 | 0 | case TLSX_SESSION_TICKET: |
15423 | 0 | length += WOLF_STK_GET_SIZE((SessionTicket*)extension->data, |
15424 | 0 | isRequest); |
15425 | 0 | break; |
15426 | | |
15427 | 0 | case TLSX_APPLICATION_LAYER_PROTOCOL: { |
15428 | 0 | word16 alpnSz = ALPN_GET_SIZE((ALPN*)extension->data); |
15429 | | /* 0 on non-empty list means 16-bit overflow. */ |
15430 | 0 | if (alpnSz == 0 && extension->data != NULL) { |
15431 | 0 | ret = LENGTH_ERROR; |
15432 | 0 | break; |
15433 | 0 | } |
15434 | 0 | length += alpnSz; |
15435 | 0 | break; |
15436 | 0 | } |
15437 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
15438 | 0 | case TLSX_SIGNATURE_ALGORITHMS: |
15439 | 0 | length += SA_GET_SIZE(extension->data); |
15440 | 0 | break; |
15441 | 0 | #endif |
15442 | 0 | #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) |
15443 | 0 | case TLSX_ENCRYPT_THEN_MAC: |
15444 | 0 | cbShim = 0; |
15445 | 0 | ret = ETM_GET_SIZE(msgType, &cbShim); |
15446 | 0 | length += cbShim; |
15447 | 0 | break; |
15448 | 0 | #endif /* HAVE_ENCRYPT_THEN_MAC */ |
15449 | | |
15450 | 0 | #if defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) |
15451 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15452 | | case TLSX_PRE_SHARED_KEY: |
15453 | | cbShim = 0; |
15454 | | ret = PSK_GET_SIZE((PreSharedKey*)extension->data, msgType, |
15455 | | &cbShim); |
15456 | | length += cbShim; |
15457 | | break; |
15458 | | #ifdef WOLFSSL_TLS13 |
15459 | | case TLSX_PSK_KEY_EXCHANGE_MODES: |
15460 | | cbShim = 0; |
15461 | | ret = PKM_GET_SIZE((byte)extension->val, msgType, &cbShim); |
15462 | | length += cbShim; |
15463 | | break; |
15464 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
15465 | | case TLSX_CERT_WITH_EXTERN_PSK: |
15466 | | cbShim = 0; |
15467 | | ret = PSK_WITH_CERT_GET_SIZE(msgType, &cbShim); |
15468 | | length += cbShim; |
15469 | | break; |
15470 | | #endif |
15471 | | #endif |
15472 | | #endif |
15473 | 0 | case TLSX_KEY_SHARE: |
15474 | 0 | length += KS_GET_SIZE((KeyShareEntry*)extension->data, msgType); |
15475 | 0 | break; |
15476 | 0 | #endif |
15477 | | |
15478 | 0 | #ifdef WOLFSSL_TLS13 |
15479 | 0 | case TLSX_SUPPORTED_VERSIONS: |
15480 | 0 | cbShim = 0; |
15481 | 0 | ret = SV_GET_SIZE(extension->data, msgType, &cbShim); |
15482 | 0 | length += cbShim; |
15483 | 0 | break; |
15484 | | |
15485 | 0 | case TLSX_COOKIE: |
15486 | 0 | cbShim = 0; |
15487 | 0 | ret = CKE_GET_SIZE((Cookie*)extension->data, msgType, &cbShim); |
15488 | 0 | length += cbShim; |
15489 | 0 | break; |
15490 | | |
15491 | | #ifdef WOLFSSL_EARLY_DATA |
15492 | | case TLSX_EARLY_DATA: |
15493 | | cbShim = 0; |
15494 | | ret = EDI_GET_SIZE(msgType, &cbShim); |
15495 | | length += cbShim; |
15496 | | break; |
15497 | | #endif |
15498 | | |
15499 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
15500 | | case TLSX_POST_HANDSHAKE_AUTH: |
15501 | | cbShim = 0; |
15502 | | ret = PHA_GET_SIZE(msgType, &cbShim); |
15503 | | length += cbShim; |
15504 | | break; |
15505 | | #endif |
15506 | | |
15507 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
15508 | 0 | case TLSX_SIGNATURE_ALGORITHMS_CERT: |
15509 | 0 | length += SAC_GET_SIZE(extension->data); |
15510 | 0 | break; |
15511 | 0 | #endif |
15512 | | |
15513 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) |
15514 | | case TLSX_CERTIFICATE_AUTHORITIES: { |
15515 | | word16 canSz = CAN_GET_SIZE(extension->data); |
15516 | | /* 0 on non-empty list means 16-bit overflow. */ |
15517 | | if (canSz == 0) { |
15518 | | ret = LENGTH_ERROR; |
15519 | | break; |
15520 | | } |
15521 | | length += canSz; |
15522 | | break; |
15523 | | } |
15524 | | #endif |
15525 | 0 | #endif |
15526 | | #ifdef WOLFSSL_SRTP |
15527 | | case TLSX_USE_SRTP: |
15528 | | length += SRTP_GET_SIZE((TlsxSrtp*)extension->data); |
15529 | | break; |
15530 | | #endif |
15531 | | |
15532 | | #ifdef HAVE_RPK |
15533 | | case TLSX_CLIENT_CERTIFICATE_TYPE: |
15534 | | length += CCT_GET_SIZE((WOLFSSL*)extension->data, msgType); |
15535 | | break; |
15536 | | |
15537 | | case TLSX_SERVER_CERTIFICATE_TYPE: |
15538 | | length += SCT_GET_SIZE((WOLFSSL*)extension->data, msgType); |
15539 | | break; |
15540 | | #endif /* HAVE_RPK */ |
15541 | | |
15542 | | #ifdef WOLFSSL_QUIC |
15543 | | case TLSX_KEY_QUIC_TP_PARAMS: |
15544 | | FALL_THROUGH; /* followed by */ |
15545 | | case TLSX_KEY_QUIC_TP_PARAMS_DRAFT: |
15546 | | length += QTP_GET_SIZE(extension); |
15547 | | break; |
15548 | | #endif |
15549 | | #ifdef WOLFSSL_DTLS_CID |
15550 | | case TLSX_CONNECTION_ID: |
15551 | | length += CID_GET_SIZE((byte*)extension->data); |
15552 | | break; |
15553 | | #endif /* WOLFSSL_DTLS_CID */ |
15554 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
15555 | | case TLSX_ECH: |
15556 | | length += ECH_GET_SIZE((WOLFSSL_ECH*)extension->data, msgType); |
15557 | | break; |
15558 | | #endif |
15559 | 0 | default: |
15560 | 0 | break; |
15561 | 0 | } |
15562 | | |
15563 | 0 | if (ret != 0) |
15564 | 0 | return ret; |
15565 | | |
15566 | | /* Early exit: stop accumulating as soon as the running total |
15567 | | * cannot possibly fit the 2-byte wire length. Check *before* |
15568 | | * marking the extension as processed so the semaphore is not |
15569 | | * left in an inconsistent state on the error path. */ |
15570 | 0 | if (length > WOLFSSL_MAX_16BIT) { |
15571 | 0 | WOLFSSL_MSG("TLSX_GetSize extension length exceeds word16"); |
15572 | 0 | return BUFFER_E; |
15573 | 0 | } |
15574 | | |
15575 | | /* marks the extension as processed so ctx level */ |
15576 | | /* extensions don't overlap with ssl level ones. */ |
15577 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore((word16)extension->type)); |
15578 | 0 | } |
15579 | | |
15580 | 0 | if ((word32)*pLength + length > WOLFSSL_MAX_16BIT) { |
15581 | 0 | WOLFSSL_MSG("TLSX_GetSize total extensions length exceeds word16"); |
15582 | 0 | return BUFFER_E; |
15583 | 0 | } |
15584 | | |
15585 | 0 | *pLength += (word16)length; |
15586 | |
|
15587 | 0 | return ret; |
15588 | 0 | } |
15589 | | |
15590 | | /** Writes the extensions of a list in a buffer. */ |
15591 | | static int TLSX_Write(TLSX* list, byte* output, byte* semaphore, |
15592 | | byte msgType, word16* pOffset) |
15593 | 0 | { |
15594 | 0 | int ret = 0; |
15595 | 0 | TLSX* extension; |
15596 | | /* Use word32 to symmetrize with TLSX_GetSize -- a single extension can |
15597 | | * contribute up to 0x10003 bytes (4-byte type/length header + 0xFFFF |
15598 | | * payload), which would word16-overflow undetectably (e.g. wrap to a |
15599 | | * value still above prevOffset). Per-iteration and aggregate bounds are |
15600 | | * checked below before truncating back into the word16 wire fields. |
15601 | | * Callees that take a word16* offset use the cbShim pattern (init to 0, |
15602 | | * then add the returned delta to the word32 accumulator). */ |
15603 | 0 | word32 offset = 0; |
15604 | 0 | word32 length_offset = 0; |
15605 | 0 | word32 prevOffset; |
15606 | 0 | word16 cbShim = 0; |
15607 | 0 | byte isRequest = (msgType == client_hello || |
15608 | 0 | msgType == certificate_request); |
15609 | 0 | (void)cbShim; |
15610 | |
|
15611 | 0 | while ((extension = list)) { |
15612 | 0 | list = extension->next; |
15613 | | |
15614 | | /* only extensions marked as response are written in a response. */ |
15615 | 0 | if (!isRequest && !extension->resp) |
15616 | 0 | continue; /* skip! */ |
15617 | | |
15618 | | /* ssl level extensions are expected to override ctx level ones. */ |
15619 | 0 | if (!IS_OFF(semaphore, TLSX_ToSemaphore((word16)extension->type))) |
15620 | 0 | continue; /* skip! */ |
15621 | | |
15622 | | /* Snapshot offset to detect word16 wrap within this iteration; |
15623 | | * see matching comment in TLSX_GetSize. */ |
15624 | 0 | prevOffset = offset; |
15625 | | |
15626 | | /* writes extension type. */ |
15627 | 0 | c16toa((word16)extension->type, output + offset); |
15628 | 0 | offset += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN; |
15629 | 0 | length_offset = offset; |
15630 | | |
15631 | | /* extension data should be written internally. */ |
15632 | 0 | switch (extension->type) { |
15633 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS) |
15634 | | case TLSX_CKS: |
15635 | | WOLFSSL_MSG("CKS extension to write"); |
15636 | | offset += CKS_WRITE(((WOLFSSL*)extension->data), |
15637 | | output + offset); |
15638 | | break; |
15639 | | #endif |
15640 | 0 | #ifdef HAVE_SNI |
15641 | 0 | case TLSX_SERVER_NAME: |
15642 | 0 | if (isRequest) { |
15643 | 0 | WOLFSSL_MSG("SNI extension to write"); |
15644 | 0 | offset += SNI_WRITE((SNI*)extension->data, output + offset); |
15645 | 0 | } |
15646 | 0 | break; |
15647 | 0 | #endif |
15648 | | |
15649 | 0 | case TLSX_TRUSTED_CA_KEYS: |
15650 | 0 | WOLFSSL_MSG("Trusted CA Indication extension to write"); |
15651 | 0 | if (isRequest) { |
15652 | 0 | offset += TCA_WRITE((TCA*)extension->data, output + offset); |
15653 | 0 | } |
15654 | 0 | break; |
15655 | | |
15656 | 0 | case TLSX_MAX_FRAGMENT_LENGTH: |
15657 | 0 | WOLFSSL_MSG("Max Fragment Length extension to write"); |
15658 | 0 | offset += MFL_WRITE((byte*)extension->data, output + offset); |
15659 | 0 | break; |
15660 | | |
15661 | 0 | case TLSX_EXTENDED_MASTER_SECRET: |
15662 | 0 | WOLFSSL_MSG("Extended Master Secret"); |
15663 | | /* always empty. */ |
15664 | 0 | break; |
15665 | | |
15666 | 0 | case TLSX_TRUNCATED_HMAC: |
15667 | 0 | WOLFSSL_MSG("Truncated HMAC extension to write"); |
15668 | | /* always empty. */ |
15669 | 0 | break; |
15670 | | |
15671 | 0 | case TLSX_SUPPORTED_GROUPS: |
15672 | 0 | WOLFSSL_MSG("Supported Groups extension to write"); |
15673 | 0 | offset += EC_WRITE((SupportedCurve*)extension->data, |
15674 | 0 | output + offset); |
15675 | 0 | break; |
15676 | | |
15677 | 0 | case TLSX_EC_POINT_FORMATS: |
15678 | 0 | WOLFSSL_MSG("Point Formats extension to write"); |
15679 | 0 | offset += PF_WRITE((PointFormat*)extension->data, |
15680 | 0 | output + offset); |
15681 | 0 | break; |
15682 | | |
15683 | 0 | case TLSX_STATUS_REQUEST: |
15684 | 0 | WOLFSSL_MSG("Certificate Status Request extension to write"); |
15685 | 0 | ret = CSR_WRITE((CertificateStatusRequest*)extension->data, |
15686 | 0 | output + offset, isRequest); |
15687 | 0 | if (ret > 0) { |
15688 | 0 | offset += (word16)ret; |
15689 | 0 | ret = 0; |
15690 | 0 | } |
15691 | 0 | break; |
15692 | | |
15693 | 0 | case TLSX_STATUS_REQUEST_V2: |
15694 | 0 | WOLFSSL_MSG("Certificate Status Request v2 extension to write"); |
15695 | 0 | ret = CSR2_WRITE( |
15696 | 0 | (CertificateStatusRequestItemV2*)extension->data, |
15697 | 0 | output + offset, isRequest); |
15698 | 0 | if (ret > 0) { |
15699 | 0 | offset += (word16)ret; |
15700 | 0 | ret = 0; |
15701 | 0 | } |
15702 | 0 | break; |
15703 | | |
15704 | 0 | case TLSX_RENEGOTIATION_INFO: |
15705 | 0 | WOLFSSL_MSG("Secure Renegotiation extension to write"); |
15706 | 0 | offset += SCR_WRITE((SecureRenegotiation*)extension->data, |
15707 | 0 | output + offset, isRequest); |
15708 | 0 | break; |
15709 | | |
15710 | 0 | case TLSX_SESSION_TICKET: |
15711 | 0 | WOLFSSL_MSG("Session Ticket extension to write"); |
15712 | 0 | offset += WOLF_STK_WRITE((SessionTicket*)extension->data, |
15713 | 0 | output + offset, isRequest); |
15714 | 0 | break; |
15715 | | |
15716 | 0 | case TLSX_APPLICATION_LAYER_PROTOCOL: |
15717 | 0 | WOLFSSL_MSG("ALPN extension to write"); |
15718 | 0 | offset += ALPN_WRITE((ALPN*)extension->data, output + offset); |
15719 | 0 | break; |
15720 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
15721 | 0 | case TLSX_SIGNATURE_ALGORITHMS: |
15722 | 0 | WOLFSSL_MSG("Signature Algorithms extension to write"); |
15723 | 0 | offset += SA_WRITE(extension->data, output + offset); |
15724 | 0 | break; |
15725 | 0 | #endif |
15726 | 0 | #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) |
15727 | 0 | case TLSX_ENCRYPT_THEN_MAC: |
15728 | 0 | WOLFSSL_MSG("Encrypt-Then-Mac extension to write"); |
15729 | 0 | cbShim = 0; |
15730 | 0 | ret = ETM_WRITE(extension->data, output, msgType, &cbShim); |
15731 | 0 | offset += cbShim; |
15732 | 0 | break; |
15733 | 0 | #endif /* HAVE_ENCRYPT_THEN_MAC */ |
15734 | | |
15735 | 0 | #if defined(WOLFSSL_TLS13) || !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) |
15736 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15737 | | case TLSX_PRE_SHARED_KEY: |
15738 | | WOLFSSL_MSG("Pre-Shared Key extension to write"); |
15739 | | cbShim = 0; |
15740 | | ret = PSK_WRITE((PreSharedKey*)extension->data, output + offset, |
15741 | | msgType, &cbShim); |
15742 | | offset += cbShim; |
15743 | | break; |
15744 | | |
15745 | | #ifdef WOLFSSL_TLS13 |
15746 | | case TLSX_PSK_KEY_EXCHANGE_MODES: |
15747 | | WOLFSSL_MSG("PSK Key Exchange Modes extension to write"); |
15748 | | cbShim = 0; |
15749 | | ret = PKM_WRITE((byte)extension->val, output + offset, msgType, |
15750 | | &cbShim); |
15751 | | offset += cbShim; |
15752 | | break; |
15753 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
15754 | | case TLSX_CERT_WITH_EXTERN_PSK: |
15755 | | WOLFSSL_MSG("Cert with external PSK extension to write"); |
15756 | | cbShim = 0; |
15757 | | ret = PSK_WITH_CERT_WRITE(output + offset, msgType, &cbShim); |
15758 | | offset += cbShim; |
15759 | | break; |
15760 | | #endif |
15761 | | #endif |
15762 | | #endif |
15763 | 0 | case TLSX_KEY_SHARE: |
15764 | 0 | WOLFSSL_MSG("Key Share extension to write"); |
15765 | 0 | offset += KS_WRITE((KeyShareEntry*)extension->data, |
15766 | 0 | output + offset, msgType); |
15767 | 0 | break; |
15768 | 0 | #endif |
15769 | 0 | #ifdef WOLFSSL_TLS13 |
15770 | 0 | case TLSX_SUPPORTED_VERSIONS: |
15771 | 0 | WOLFSSL_MSG("Supported Versions extension to write"); |
15772 | 0 | cbShim = 0; |
15773 | 0 | ret = SV_WRITE(extension->data, output + offset, msgType, |
15774 | 0 | &cbShim); |
15775 | 0 | offset += cbShim; |
15776 | 0 | break; |
15777 | | |
15778 | 0 | case TLSX_COOKIE: |
15779 | 0 | WOLFSSL_MSG("Cookie extension to write"); |
15780 | 0 | cbShim = 0; |
15781 | 0 | ret = CKE_WRITE((Cookie*)extension->data, output + offset, |
15782 | 0 | msgType, &cbShim); |
15783 | 0 | offset += cbShim; |
15784 | 0 | break; |
15785 | | |
15786 | | #ifdef WOLFSSL_EARLY_DATA |
15787 | | case TLSX_EARLY_DATA: |
15788 | | WOLFSSL_MSG("Early Data extension to write"); |
15789 | | cbShim = 0; |
15790 | | ret = EDI_WRITE(extension->val, output + offset, msgType, |
15791 | | &cbShim); |
15792 | | offset += cbShim; |
15793 | | break; |
15794 | | #endif |
15795 | | |
15796 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
15797 | | case TLSX_POST_HANDSHAKE_AUTH: |
15798 | | WOLFSSL_MSG("Post-Handshake Authentication extension to write"); |
15799 | | cbShim = 0; |
15800 | | ret = PHA_WRITE(output + offset, msgType, &cbShim); |
15801 | | offset += cbShim; |
15802 | | break; |
15803 | | #endif |
15804 | | |
15805 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
15806 | 0 | case TLSX_SIGNATURE_ALGORITHMS_CERT: |
15807 | 0 | WOLFSSL_MSG("Signature Algorithms extension to write"); |
15808 | 0 | offset += SAC_WRITE(extension->data, output + offset); |
15809 | 0 | break; |
15810 | 0 | #endif |
15811 | | |
15812 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) |
15813 | | case TLSX_CERTIFICATE_AUTHORITIES: |
15814 | | WOLFSSL_MSG("Certificate Authorities extension to write"); |
15815 | | offset += CAN_WRITE(extension->data, output + offset); |
15816 | | break; |
15817 | | #endif |
15818 | 0 | #endif |
15819 | | #ifdef WOLFSSL_SRTP |
15820 | | case TLSX_USE_SRTP: |
15821 | | WOLFSSL_MSG("SRTP extension to write"); |
15822 | | offset += SRTP_WRITE((TlsxSrtp*)extension->data, output+offset); |
15823 | | break; |
15824 | | #endif |
15825 | | |
15826 | | #ifdef HAVE_RPK |
15827 | | case TLSX_CLIENT_CERTIFICATE_TYPE: |
15828 | | WOLFSSL_MSG("Client Certificate Type extension to write"); |
15829 | | offset += CCT_WRITE(extension->data, output + offset, msgType); |
15830 | | break; |
15831 | | |
15832 | | case TLSX_SERVER_CERTIFICATE_TYPE: |
15833 | | WOLFSSL_MSG("Server Certificate Type extension to write"); |
15834 | | offset += SCT_WRITE(extension->data, output + offset, msgType); |
15835 | | break; |
15836 | | #endif /* HAVE_RPK */ |
15837 | | |
15838 | | #ifdef WOLFSSL_QUIC |
15839 | | case TLSX_KEY_QUIC_TP_PARAMS: |
15840 | | FALL_THROUGH; |
15841 | | case TLSX_KEY_QUIC_TP_PARAMS_DRAFT: |
15842 | | WOLFSSL_MSG("QUIC transport parameter to write"); |
15843 | | offset += QTP_WRITE((QuicTransportParam*)extension->data, |
15844 | | output + offset); |
15845 | | break; |
15846 | | #endif |
15847 | | #ifdef WOLFSSL_DTLS_CID |
15848 | | case TLSX_CONNECTION_ID: |
15849 | | WOLFSSL_MSG("Connection ID extension to write"); |
15850 | | offset += CID_WRITE((byte*)extension->data, output+offset); |
15851 | | break; |
15852 | | |
15853 | | #endif /* WOLFSSL_DTLS_CID */ |
15854 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
15855 | | case TLSX_ECH: |
15856 | | WOLFSSL_MSG("ECH extension to write"); |
15857 | | cbShim = 0; |
15858 | | ret = ECH_WRITE((WOLFSSL_ECH*)extension->data, msgType, |
15859 | | output + offset, &cbShim); |
15860 | | offset += cbShim; |
15861 | | break; |
15862 | | #endif |
15863 | 0 | default: |
15864 | 0 | break; |
15865 | 0 | } |
15866 | | |
15867 | | /* Per-extension data length is a 2-byte wire field; reject any |
15868 | | * single extension whose payload exceeds that before truncating. */ |
15869 | 0 | if (offset - length_offset > WOLFSSL_MAX_16BIT) { |
15870 | 0 | WOLFSSL_MSG("TLSX_Write single extension length exceeds word16"); |
15871 | 0 | return BUFFER_E; |
15872 | 0 | } |
15873 | | |
15874 | | /* writes extension data length. */ |
15875 | 0 | c16toa((word16)(offset - length_offset), |
15876 | 0 | output + length_offset - OPAQUE16_LEN); |
15877 | | |
15878 | | /* marks the extension as processed so ctx level */ |
15879 | | /* extensions don't overlap with ssl level ones. */ |
15880 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore((word16)extension->type)); |
15881 | | |
15882 | | /* if we encountered an error propagate it */ |
15883 | 0 | if (ret != 0) |
15884 | 0 | break; |
15885 | | |
15886 | 0 | if (offset <= prevOffset) { |
15887 | 0 | WOLFSSL_MSG("TLSX_Write extension made no progress"); |
15888 | 0 | return BUFFER_E; |
15889 | 0 | } |
15890 | 0 | } |
15891 | | |
15892 | | /* Only validate and commit the aggregate offset when the loop |
15893 | | * completed without error; on the error path, leave *pOffset |
15894 | | * unchanged and return the original failure reason so callers |
15895 | | * see the real error instead of a masking BUFFER_E. */ |
15896 | 0 | if (ret == 0) { |
15897 | 0 | if ((word32)*pOffset + offset > WOLFSSL_MAX_16BIT) { |
15898 | 0 | WOLFSSL_MSG("TLSX_Write total extensions length exceeds word16"); |
15899 | 0 | return BUFFER_E; |
15900 | 0 | } |
15901 | 0 | *pOffset += (word16)offset; |
15902 | 0 | } |
15903 | | |
15904 | 0 | return ret; |
15905 | 0 | } |
15906 | | |
15907 | | #ifdef HAVE_SUPPORTED_CURVES |
15908 | | |
15909 | | /* Populates the default supported groups / curves */ |
15910 | | static int TLSX_PopulateSupportedGroups(WOLFSSL* ssl, TLSX** extensions) |
15911 | 0 | { |
15912 | 0 | int ret = WOLFSSL_SUCCESS; |
15913 | 0 | #ifdef WOLFSSL_TLS13 |
15914 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
15915 | | if (ssl->options.resuming && ssl->session->namedGroup != 0) { |
15916 | | return TLSX_UseSupportedCurve(extensions, ssl->session->namedGroup, |
15917 | | ssl->heap, ssl->options.side); |
15918 | | } |
15919 | | #endif |
15920 | |
|
15921 | 0 | if (ssl->numGroups != 0) { |
15922 | 0 | int i; |
15923 | 0 | for (i = 0; i < ssl->numGroups; i++) { |
15924 | 0 | ret = TLSX_UseSupportedCurve(extensions, ssl->group[i], ssl->heap, |
15925 | 0 | ssl->options.side); |
15926 | 0 | if (ret != WOLFSSL_SUCCESS) |
15927 | 0 | return ret; |
15928 | 0 | } |
15929 | 0 | return WOLFSSL_SUCCESS; |
15930 | 0 | } |
15931 | 0 | #endif /* WOLFSSL_TLS13 */ |
15932 | | |
15933 | 0 | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \ |
15934 | 0 | !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_PQC_HYBRIDS) |
15935 | | /* Prefer non-experimental PQ/T hybrid groups (only for TLS 1.3) */ |
15936 | 0 | if (IsAtLeastTLSv1_3(ssl->version) && |
15937 | 0 | TLSX_IsMlKemGroupSupported(ssl->options.side)) { |
15938 | | #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE25519) && \ |
15939 | | ECC_MIN_KEY_SZ <= 256 |
15940 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519MLKEM768, |
15941 | | ssl->heap, ssl->options.side); |
15942 | | if (ret != WOLFSSL_SUCCESS) return ret; |
15943 | | #endif |
15944 | 0 | #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \ |
15945 | 0 | (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \ |
15946 | 0 | ECC_MIN_KEY_SZ <= 384 |
15947 | 0 | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP384R1MLKEM1024, |
15948 | 0 | ssl->heap, ssl->options.side); |
15949 | 0 | if (ret != WOLFSSL_SUCCESS) return ret; |
15950 | 0 | #endif |
15951 | 0 | #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \ |
15952 | 0 | (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ |
15953 | 0 | ECC_MIN_KEY_SZ <= 256 |
15954 | 0 | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP256R1MLKEM768, |
15955 | 0 | ssl->heap, ssl->options.side); |
15956 | 0 | if (ret != WOLFSSL_SUCCESS) return ret; |
15957 | 0 | #endif |
15958 | 0 | } |
15959 | 0 | #endif |
15960 | | |
15961 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM_CLIENT_SUPPORT) && \ |
15962 | | !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_1024) && \ |
15963 | | !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) |
15964 | | if (IsAtLeastTLSv1_3(ssl->version) && |
15965 | | TLSX_IsMlKemGroupSupported(ssl->options.side)) { |
15966 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_1024, |
15967 | | ssl->heap, ssl->options.side); |
15968 | | if (ret != WOLFSSL_SUCCESS) return ret; |
15969 | | } |
15970 | | #endif |
15971 | | |
15972 | 0 | #if defined(HAVE_ECC) |
15973 | | /* list in order by strength, since not all servers choose by strength */ |
15974 | 0 | #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 |
15975 | 0 | #ifndef NO_ECC_SECP |
15976 | 0 | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP521R1, |
15977 | 0 | ssl->heap, ssl->options.side); |
15978 | 0 | if (ret != WOLFSSL_SUCCESS) return ret; |
15979 | 0 | #endif |
15980 | 0 | #endif |
15981 | 0 | #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512 |
15982 | | #ifdef HAVE_ECC_BRAINPOOL |
15983 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
15984 | | /* TLS 1.3 BrainpoolP512 curve */ |
15985 | | ret = TLSX_UseSupportedCurve(extensions, |
15986 | | WOLFSSL_ECC_BRAINPOOLP512R1TLS13, ssl->heap, ssl->options.side); |
15987 | | if (ret != WOLFSSL_SUCCESS) return ret; |
15988 | | |
15989 | | /* If TLS 1.2 is allowed, also add the TLS 1.2 curve */ |
15990 | | if (ssl->options.downgrade && |
15991 | | (ssl->options.minDowngrade <= TLSv1_2_MINOR || |
15992 | | ssl->options.minDowngrade <= DTLSv1_2_MINOR)) { |
15993 | | ret = TLSX_UseSupportedCurve(extensions, |
15994 | | WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap, ssl->options.side); |
15995 | | if (ret != WOLFSSL_SUCCESS) return ret; |
15996 | | } |
15997 | | } |
15998 | | else { |
15999 | | /* TLS 1.2 only */ |
16000 | | ret = TLSX_UseSupportedCurve(extensions, |
16001 | | WOLFSSL_ECC_BRAINPOOLP512R1, ssl->heap, ssl->options.side); |
16002 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16003 | | } |
16004 | | #endif |
16005 | 0 | #endif |
16006 | 0 | #endif |
16007 | | |
16008 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
16009 | | !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_768) && \ |
16010 | | !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) |
16011 | | if (IsAtLeastTLSv1_3(ssl->version) && |
16012 | | TLSX_IsMlKemGroupSupported(ssl->options.side)) { |
16013 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_768, |
16014 | | ssl->heap, ssl->options.side); |
16015 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16016 | | } |
16017 | | #endif |
16018 | | |
16019 | 0 | #if defined(HAVE_ECC) |
16020 | 0 | #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 |
16021 | 0 | #ifndef NO_ECC_SECP |
16022 | 0 | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP384R1, |
16023 | 0 | ssl->heap, ssl->options.side); |
16024 | 0 | if (ret != WOLFSSL_SUCCESS) return ret; |
16025 | 0 | #endif |
16026 | | #ifdef HAVE_ECC_BRAINPOOL |
16027 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
16028 | | /* TLS 1.3 BrainpoolP384 curve */ |
16029 | | ret = TLSX_UseSupportedCurve(extensions, |
16030 | | WOLFSSL_ECC_BRAINPOOLP384R1TLS13, ssl->heap, ssl->options.side); |
16031 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16032 | | |
16033 | | /* If TLS 1.2 is allowed, also add the TLS 1.2 curve */ |
16034 | | if (ssl->options.downgrade && |
16035 | | (ssl->options.minDowngrade <= TLSv1_2_MINOR || |
16036 | | ssl->options.minDowngrade <= DTLSv1_2_MINOR)) { |
16037 | | ret = TLSX_UseSupportedCurve(extensions, |
16038 | | WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap, ssl->options.side); |
16039 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16040 | | } |
16041 | | } |
16042 | | else { |
16043 | | /* TLS 1.2 only */ |
16044 | | ret = TLSX_UseSupportedCurve(extensions, |
16045 | | WOLFSSL_ECC_BRAINPOOLP384R1, ssl->heap, ssl->options.side); |
16046 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16047 | | } |
16048 | | #endif |
16049 | 0 | #endif |
16050 | 0 | #endif /* HAVE_ECC */ |
16051 | | |
16052 | 0 | #ifndef HAVE_FIPS |
16053 | | #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448 |
16054 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_X448, ssl->heap, |
16055 | | ssl->options.side); |
16056 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16057 | | #endif |
16058 | 0 | #endif /* HAVE_FIPS */ |
16059 | | |
16060 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
16061 | | !defined(WOLFSSL_NO_ML_KEM) && !defined(WOLFSSL_NO_ML_KEM_512) && \ |
16062 | | !defined(WOLFSSL_TLS_NO_MLKEM_STANDALONE) |
16063 | | if (IsAtLeastTLSv1_3(ssl->version) && |
16064 | | TLSX_IsMlKemGroupSupported(ssl->options.side)) { |
16065 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ML_KEM_512, ssl->heap, |
16066 | | ssl->options.side); |
16067 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16068 | | } |
16069 | | #endif |
16070 | | |
16071 | 0 | #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) |
16072 | 0 | #if (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 |
16073 | 0 | #ifndef NO_ECC_SECP |
16074 | 0 | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP256R1, |
16075 | 0 | ssl->heap, ssl->options.side); |
16076 | 0 | if (ret != WOLFSSL_SUCCESS) return ret; |
16077 | 0 | #endif |
16078 | | #ifdef HAVE_ECC_KOBLITZ |
16079 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP256K1, |
16080 | | ssl->heap, ssl->options.side); |
16081 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16082 | | #endif |
16083 | | #ifdef HAVE_ECC_BRAINPOOL |
16084 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
16085 | | /* TLS 1.3 BrainpoolP256 curve */ |
16086 | | ret = TLSX_UseSupportedCurve(extensions, |
16087 | | WOLFSSL_ECC_BRAINPOOLP256R1TLS13, ssl->heap, ssl->options.side); |
16088 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16089 | | |
16090 | | /* If TLS 1.2 is allowed, also add the TLS 1.2 curve */ |
16091 | | if (ssl->options.downgrade && |
16092 | | (ssl->options.minDowngrade <= TLSv1_2_MINOR || |
16093 | | ssl->options.minDowngrade <= DTLSv1_2_MINOR)) { |
16094 | | ret = TLSX_UseSupportedCurve(extensions, |
16095 | | WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap, ssl->options.side); |
16096 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16097 | | } |
16098 | | } |
16099 | | else { |
16100 | | /* TLS 1.2 only */ |
16101 | | ret = TLSX_UseSupportedCurve(extensions, |
16102 | | WOLFSSL_ECC_BRAINPOOLP256R1, ssl->heap, ssl->options.side); |
16103 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16104 | | } |
16105 | | #endif |
16106 | | #if !defined(HAVE_FIPS) && defined(WOLFSSL_SM2) |
16107 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SM2P256V1, |
16108 | | ssl->heap, ssl->options.side); |
16109 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16110 | | #endif |
16111 | 0 | #endif |
16112 | 0 | #endif /* HAVE_ECC */ |
16113 | | |
16114 | 0 | #ifndef HAVE_FIPS |
16115 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
16116 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_X25519, |
16117 | | ssl->heap, ssl->options.side); |
16118 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16119 | | #endif |
16120 | 0 | #endif /* HAVE_FIPS */ |
16121 | | |
16122 | 0 | #if defined(HAVE_ECC) && defined(HAVE_SUPPORTED_CURVES) |
16123 | 0 | #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224 |
16124 | 0 | #ifndef NO_ECC_SECP |
16125 | 0 | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP224R1, |
16126 | 0 | ssl->heap, ssl->options.side); |
16127 | 0 | if (ret != WOLFSSL_SUCCESS) return ret; |
16128 | 0 | #endif |
16129 | | #ifdef HAVE_ECC_KOBLITZ |
16130 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP224K1, |
16131 | | ssl->heap, ssl->options.side); |
16132 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16133 | | #endif |
16134 | 0 | #endif |
16135 | | |
16136 | 0 | #ifndef HAVE_FIPS |
16137 | | #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192 |
16138 | | #ifndef NO_ECC_SECP |
16139 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP192R1, |
16140 | | ssl->heap, ssl->options.side); |
16141 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16142 | | #endif |
16143 | | #ifdef HAVE_ECC_KOBLITZ |
16144 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP192K1, |
16145 | | ssl->heap, ssl->options.side); |
16146 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16147 | | #endif |
16148 | | #endif |
16149 | | #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160 |
16150 | | #ifndef NO_ECC_SECP |
16151 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP160R1, |
16152 | | ssl->heap, ssl->options.side); |
16153 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16154 | | #endif |
16155 | | #ifdef HAVE_ECC_SECPR2 |
16156 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP160R2, |
16157 | | ssl->heap, ssl->options.side); |
16158 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16159 | | #endif |
16160 | | #ifdef HAVE_ECC_KOBLITZ |
16161 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_ECC_SECP160K1, |
16162 | | ssl->heap, ssl->options.side); |
16163 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16164 | | #endif |
16165 | | #endif |
16166 | 0 | #endif /* HAVE_FIPS */ |
16167 | 0 | #endif /* HAVE_ECC */ |
16168 | | |
16169 | 0 | #ifndef NO_DH |
16170 | | /* Add FFDHE supported groups. */ |
16171 | | #ifdef HAVE_FFDHE_8192 |
16172 | | if (8192/8 >= ssl->options.minDhKeySz && |
16173 | | 8192/8 <= ssl->options.maxDhKeySz) { |
16174 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_8192, |
16175 | | ssl->heap, ssl->options.side); |
16176 | | if (ret != WOLFSSL_SUCCESS) |
16177 | | return ret; |
16178 | | } |
16179 | | #endif |
16180 | | #ifdef HAVE_FFDHE_6144 |
16181 | | if (6144/8 >= ssl->options.minDhKeySz && |
16182 | | 6144/8 <= ssl->options.maxDhKeySz) { |
16183 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_6144, |
16184 | | ssl->heap, ssl->options.side); |
16185 | | if (ret != WOLFSSL_SUCCESS) |
16186 | | return ret; |
16187 | | } |
16188 | | #endif |
16189 | | #ifdef HAVE_FFDHE_4096 |
16190 | | if (4096/8 >= ssl->options.minDhKeySz && |
16191 | | 4096/8 <= ssl->options.maxDhKeySz) { |
16192 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_4096, |
16193 | | ssl->heap, ssl->options.side); |
16194 | | if (ret != WOLFSSL_SUCCESS) |
16195 | | return ret; |
16196 | | } |
16197 | | #endif |
16198 | | #ifdef HAVE_FFDHE_3072 |
16199 | | if (3072/8 >= ssl->options.minDhKeySz && |
16200 | | 3072/8 <= ssl->options.maxDhKeySz) { |
16201 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_3072, |
16202 | | ssl->heap, ssl->options.side); |
16203 | | if (ret != WOLFSSL_SUCCESS) |
16204 | | return ret; |
16205 | | } |
16206 | | #endif |
16207 | 0 | #ifdef HAVE_FFDHE_2048 |
16208 | 0 | if (2048/8 >= ssl->options.minDhKeySz && |
16209 | 0 | 2048/8 <= ssl->options.maxDhKeySz) { |
16210 | 0 | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_FFDHE_2048, |
16211 | 0 | ssl->heap, ssl->options.side); |
16212 | 0 | if (ret != WOLFSSL_SUCCESS) |
16213 | 0 | return ret; |
16214 | 0 | } |
16215 | 0 | #endif |
16216 | 0 | #endif |
16217 | | |
16218 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
16219 | | !defined(WOLFSSL_NO_ML_KEM) && defined(WOLFSSL_EXTRA_PQC_HYBRIDS) |
16220 | | if (IsAtLeastTLSv1_3(ssl->version) && |
16221 | | TLSX_IsMlKemGroupSupported(ssl->options.side)) { |
16222 | | #if !defined(WOLFSSL_NO_ML_KEM_1024) && defined(HAVE_ECC) && \ |
16223 | | (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521 |
16224 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP521R1MLKEM1024, |
16225 | | ssl->heap, ssl->options.side); |
16226 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16227 | | #endif |
16228 | | #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_ECC) && \ |
16229 | | (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384 |
16230 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP384R1MLKEM768, |
16231 | | ssl->heap, ssl->options.side); |
16232 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16233 | | #endif |
16234 | | #if !defined(WOLFSSL_NO_ML_KEM_768) && defined(HAVE_CURVE448) && \ |
16235 | | ECC_MIN_KEY_SZ <= 448 |
16236 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X448MLKEM768, |
16237 | | ssl->heap, ssl->options.side); |
16238 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16239 | | #endif |
16240 | | #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_ECC) && \ |
16241 | | (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256 |
16242 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_SECP256R1MLKEM512, |
16243 | | ssl->heap, ssl->options.side); |
16244 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16245 | | #endif |
16246 | | #if !defined(WOLFSSL_NO_ML_KEM_512) && defined(HAVE_CURVE25519) && \ |
16247 | | ECC_MIN_KEY_SZ <= 256 |
16248 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519MLKEM512, |
16249 | | ssl->heap, ssl->options.side); |
16250 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16251 | | #endif |
16252 | | } |
16253 | | #endif |
16254 | | |
16255 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_MLKEM) && \ |
16256 | | defined(WOLFSSL_MLKEM_KYBER) |
16257 | | if (IsAtLeastTLSv1_3(ssl->version) && |
16258 | | TLSX_IsMlKemGroupSupported(ssl->options.side)) { |
16259 | | #ifdef WOLFSSL_KYBER1024 |
16260 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL5, |
16261 | | ssl->heap, ssl->options.side); |
16262 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16263 | | #if defined(HAVE_ECC) && (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && \ |
16264 | | ECC_MIN_KEY_SZ <= 521 |
16265 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P521_KYBER_LEVEL5, |
16266 | | ssl->heap, ssl->options.side); |
16267 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16268 | | #endif |
16269 | | #endif |
16270 | | #ifdef WOLFSSL_KYBER768 |
16271 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL3, |
16272 | | ssl->heap, ssl->options.side); |
16273 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16274 | | #if defined(HAVE_ECC) && (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && \ |
16275 | | ECC_MIN_KEY_SZ <= 384 |
16276 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P384_KYBER_LEVEL3, |
16277 | | ssl->heap, ssl->options.side); |
16278 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16279 | | #endif |
16280 | | #if defined(HAVE_ECC) && (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ |
16281 | | ECC_MIN_KEY_SZ <= 256 |
16282 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_KYBER_LEVEL3, |
16283 | | ssl->heap, ssl->options.side); |
16284 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16285 | | #endif |
16286 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
16287 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519_KYBER_LEVEL3, |
16288 | | ssl->heap, ssl->options.side); |
16289 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16290 | | #endif |
16291 | | #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448 |
16292 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X448_KYBER_LEVEL3, |
16293 | | ssl->heap, ssl->options.side); |
16294 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16295 | | #endif |
16296 | | #endif |
16297 | | #ifdef WOLFSSL_KYBER512 |
16298 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_KYBER_LEVEL1, |
16299 | | ssl->heap, ssl->options.side); |
16300 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16301 | | #if defined(HAVE_ECC) && (!defined(NO_ECC256) || defined(HAVE_ALL_CURVES)) && \ |
16302 | | ECC_MIN_KEY_SZ <= 256 |
16303 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_P256_KYBER_LEVEL1, |
16304 | | ssl->heap, ssl->options.side); |
16305 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16306 | | #endif |
16307 | | #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256 |
16308 | | ret = TLSX_UseSupportedCurve(extensions, WOLFSSL_X25519_KYBER_LEVEL1, |
16309 | | ssl->heap, ssl->options.side); |
16310 | | if (ret != WOLFSSL_SUCCESS) return ret; |
16311 | | #endif |
16312 | | #endif |
16313 | | } |
16314 | | #endif |
16315 | | |
16316 | 0 | (void)ssl; |
16317 | 0 | (void)extensions; |
16318 | |
|
16319 | 0 | return ret; |
16320 | 0 | } |
16321 | | |
16322 | | #endif /* HAVE_SUPPORTED_CURVES */ |
16323 | | |
16324 | | int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) |
16325 | 0 | { |
16326 | 0 | int ret = 0; |
16327 | 0 | byte* public_key = NULL; |
16328 | 0 | word16 public_key_len = 0; |
16329 | | #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) |
16330 | | int usingPSK = 0; |
16331 | | #endif |
16332 | 0 | #if defined(HAVE_SUPPORTED_CURVES) && defined(WOLFSSL_TLS13) |
16333 | 0 | TLSX* extension = NULL; |
16334 | 0 | word16 namedGroup = WOLFSSL_NAMED_GROUP_INVALID; |
16335 | 0 | #endif |
16336 | | |
16337 | | /* server will add extension depending on what is parsed from client */ |
16338 | 0 | if (!isServer) { |
16339 | | #if defined(HAVE_RPK) |
16340 | | ret = TLSX_ClientCertificateType_Use(ssl, isServer); |
16341 | | if (ret != 0) |
16342 | | return ret; |
16343 | | |
16344 | | ret = TLSX_ServerCertificateType_Use(ssl, isServer); |
16345 | | if (ret != 0) |
16346 | | return ret; |
16347 | | #endif /* HAVE_RPK */ |
16348 | |
|
16349 | 0 | #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) && \ |
16350 | 0 | !defined(WOLFSSL_NO_TLS12) |
16351 | 0 | if (!ssl->options.disallowEncThenMac) { |
16352 | 0 | ret = TLSX_EncryptThenMac_Use(ssl); |
16353 | 0 | if (ret != 0) |
16354 | 0 | return ret; |
16355 | 0 | } |
16356 | 0 | #endif |
16357 | | |
16358 | 0 | #if defined(HAVE_SUPPORTED_CURVES) |
16359 | 0 | if (!ssl->options.userCurves && !ssl->ctx->userCurves) { |
16360 | 0 | if (TLSX_Find(ssl->ctx->extensions, |
16361 | 0 | TLSX_SUPPORTED_GROUPS) == NULL) { |
16362 | 0 | ret = TLSX_PopulateSupportedGroups(ssl, &ssl->extensions); |
16363 | 0 | if (ret != WOLFSSL_SUCCESS) |
16364 | 0 | return ret; |
16365 | 0 | } |
16366 | 0 | } |
16367 | 0 | #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) |
16368 | 0 | if ((!IsAtLeastTLSv1_3(ssl->version) || ssl->options.downgrade) && |
16369 | 0 | TLSX_Find(ssl->ctx->extensions, TLSX_EC_POINT_FORMATS) == NULL && |
16370 | 0 | TLSX_Find(ssl->extensions, TLSX_EC_POINT_FORMATS) == NULL) { |
16371 | 0 | ret = TLSX_UsePointFormat(&ssl->extensions, |
16372 | 0 | WOLFSSL_EC_PF_UNCOMPRESSED, ssl->heap); |
16373 | 0 | if (ret != WOLFSSL_SUCCESS) |
16374 | 0 | return ret; |
16375 | 0 | } |
16376 | 0 | #endif |
16377 | 0 | #endif /* HAVE_SUPPORTED_CURVES */ |
16378 | |
|
16379 | | #ifdef WOLFSSL_SRTP |
16380 | | if (ssl->options.dtls && ssl->dtlsSrtpProfiles != 0) { |
16381 | | WOLFSSL_MSG("Adding DTLS SRTP extension"); |
16382 | | if ((ret = TLSX_UseSRTP(&ssl->extensions, ssl->dtlsSrtpProfiles, |
16383 | | ssl->heap)) != 0) { |
16384 | | return ret; |
16385 | | } |
16386 | | } |
16387 | | #endif |
16388 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS) |
16389 | | if ((IsAtLeastTLSv1_3(ssl->version)) && (ssl->sigSpec != NULL)) { |
16390 | | WOLFSSL_MSG("Adding CKS extension"); |
16391 | | if ((ret = TLSX_UseCKS(&ssl->extensions, ssl, ssl->heap)) != 0) { |
16392 | | return ret; |
16393 | | } |
16394 | | } |
16395 | | #endif |
16396 | 0 | } /* is not server */ |
16397 | | |
16398 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
16399 | 0 | WOLFSSL_MSG("Adding signature algorithms extension"); |
16400 | 0 | if ((ret = TLSX_SetSignatureAlgorithms(&ssl->extensions, ssl, ssl->heap)) |
16401 | 0 | != 0) { |
16402 | 0 | return ret; |
16403 | 0 | } |
16404 | | #else |
16405 | | ret = 0; |
16406 | | #endif |
16407 | 0 | #ifdef WOLFSSL_TLS13 |
16408 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) |
16409 | | if (IsAtLeastTLSv1_3(ssl->version) && |
16410 | | SSL_PRIORITY_CA_NAMES(ssl) != NULL) { |
16411 | | WOLFSSL_MSG("Adding certificate authorities extension"); |
16412 | | if ((ret = TLSX_Push(&ssl->extensions, |
16413 | | TLSX_CERTIFICATE_AUTHORITIES, ssl, ssl->heap)) != 0) { |
16414 | | return ret; |
16415 | | } |
16416 | | } |
16417 | | #endif |
16418 | 0 | if (!isServer && IsAtLeastTLSv1_3(ssl->version)) { |
16419 | | /* Add mandatory TLS v1.3 extension: supported version */ |
16420 | 0 | WOLFSSL_MSG("Adding supported versions extension"); |
16421 | 0 | if ((ret = TLSX_SetSupportedVersions(&ssl->extensions, ssl, |
16422 | 0 | ssl->heap)) != 0) { |
16423 | 0 | return ret; |
16424 | 0 | } |
16425 | | |
16426 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
16427 | 0 | if (ssl->certHashSigAlgoSz > 0) { |
16428 | 0 | WOLFSSL_MSG("Adding signature algorithms cert extension"); |
16429 | 0 | if ((ret = TLSX_SetSignatureAlgorithmsCert(&ssl->extensions, |
16430 | 0 | ssl, ssl->heap)) != 0) { |
16431 | 0 | return ret; |
16432 | 0 | } |
16433 | 0 | } |
16434 | 0 | #endif |
16435 | | |
16436 | 0 | #if defined(HAVE_SUPPORTED_CURVES) |
16437 | 0 | extension = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE); |
16438 | 0 | if (extension == NULL) { |
16439 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
16440 | | if (ssl->options.resuming && ssl->session->namedGroup != 0) |
16441 | | namedGroup = ssl->session->namedGroup; |
16442 | | else |
16443 | | #endif |
16444 | 0 | if (ssl->numGroups > 0) { |
16445 | 0 | int set = 0; |
16446 | 0 | int i, j; |
16447 | | |
16448 | | /* Find the first element of ssl->group[] that is also |
16449 | | * present in preferredGroup[]. The user's ranking wins; |
16450 | | * if nothing intersects, send no key share and let the |
16451 | | * server drive group selection via HRR. */ |
16452 | 0 | namedGroup = WOLFSSL_NAMED_GROUP_INVALID; |
16453 | 0 | for (i = 0; i < ssl->numGroups && !set; i++) { |
16454 | 0 | for (j = 0; preferredGroup[j] != WOLFSSL_NAMED_GROUP_INVALID; j++) { |
16455 | 0 | if (preferredGroup[j] == ssl->group[i]) { |
16456 | 0 | namedGroup = ssl->group[i]; |
16457 | 0 | set = 1; |
16458 | 0 | break; |
16459 | 0 | } |
16460 | 0 | } |
16461 | 0 | } |
16462 | 0 | } |
16463 | 0 | else { |
16464 | | /* Choose the most preferred group. */ |
16465 | 0 | namedGroup = WOLFSSL_KEY_SHARE_DEFAULT_GROUP; |
16466 | 0 | } |
16467 | 0 | } |
16468 | 0 | else { |
16469 | 0 | KeyShareEntry* kse = (KeyShareEntry*)extension->data; |
16470 | 0 | if (kse) |
16471 | 0 | namedGroup = kse->group; |
16472 | 0 | } |
16473 | 0 | if (namedGroup != WOLFSSL_NAMED_GROUP_INVALID) { |
16474 | 0 | ret = TLSX_KeyShare_Use(ssl, namedGroup, 0, NULL, NULL, |
16475 | 0 | &ssl->extensions); |
16476 | 0 | } |
16477 | 0 | else { |
16478 | | /* No suitable key share group found, send no key share to |
16479 | | * trigger a HRR with the server's preferred group. */ |
16480 | 0 | WOLFSSL_MSG("Sending no key share to trigger HRR"); |
16481 | 0 | ret = TLSX_KeyShare_Empty(ssl); |
16482 | 0 | } |
16483 | 0 | if (ret != 0) |
16484 | 0 | return ret; |
16485 | 0 | #endif /* HAVE_SUPPORTED_CURVES */ |
16486 | |
|
16487 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
16488 | | TLSX_Remove(&ssl->extensions, TLSX_PRE_SHARED_KEY, ssl->heap); |
16489 | | #endif |
16490 | | #if defined(HAVE_SESSION_TICKET) |
16491 | | if (ssl->options.resuming && ssl->session->ticketLen > 0 |
16492 | | #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK) |
16493 | | && !ssl->options.certWithExternPsk |
16494 | | #endif |
16495 | | ) { |
16496 | | WOLFSSL_SESSION* sess = ssl->session; |
16497 | | #ifdef WOLFSSL_32BIT_MILLI_TIME |
16498 | | word32 now, milli; |
16499 | | #else |
16500 | | word64 now, milli; |
16501 | | #endif |
16502 | | |
16503 | | /* Determine the MAC algorithm for the cipher suite used. */ |
16504 | | ssl->options.cipherSuite0 = sess->cipherSuite0; |
16505 | | ssl->options.cipherSuite = sess->cipherSuite; |
16506 | | ret = SetCipherSpecs(ssl); |
16507 | | if (ret != 0) |
16508 | | return ret; |
16509 | | now = (word64)TimeNowInMilliseconds(); |
16510 | | if (now == 0) |
16511 | | return GETTIME_ERROR; |
16512 | | #ifdef WOLFSSL_32BIT_MILLI_TIME |
16513 | | if (now < sess->ticketSeen) |
16514 | | milli = (0xFFFFFFFFU - sess->ticketSeen) + 1 + now; |
16515 | | else |
16516 | | milli = now - sess->ticketSeen; |
16517 | | milli += sess->ticketAdd; |
16518 | | |
16519 | | /* Pre-shared key is mandatory extension for resumption. */ |
16520 | | ret = TLSX_PreSharedKey_Use(&ssl->extensions, sess->ticket, |
16521 | | sess->ticketLen, milli, ssl->specs.mac_algorithm, |
16522 | | ssl->options.cipherSuite0, ssl->options.cipherSuite, 1, |
16523 | | NULL, ssl->heap); |
16524 | | #else |
16525 | | milli = now - sess->ticketSeen + sess->ticketAdd; |
16526 | | |
16527 | | /* Pre-shared key is mandatory extension for resumption. */ |
16528 | | ret = TLSX_PreSharedKey_Use(&ssl->extensions, sess->ticket, |
16529 | | sess->ticketLen, (word32)milli, ssl->specs.mac_algorithm, |
16530 | | ssl->options.cipherSuite0, ssl->options.cipherSuite, 1, |
16531 | | NULL, ssl->heap); |
16532 | | #endif |
16533 | | if (ret != 0) |
16534 | | return ret; |
16535 | | |
16536 | | usingPSK = 1; |
16537 | | } |
16538 | | #endif |
16539 | | #ifndef NO_PSK |
16540 | | #ifndef WOLFSSL_PSK_ONE_ID |
16541 | | if (ssl->options.client_psk_cs_cb != NULL) { |
16542 | | int i; |
16543 | | const Suites* suites = WOLFSSL_SUITES(ssl); |
16544 | | for (i = 0; i < suites->suiteSz; i += 2) { |
16545 | | byte cipherSuite0 = suites->suites[i + 0]; |
16546 | | byte cipherSuite = suites->suites[i + 1]; |
16547 | | unsigned int keySz; |
16548 | | #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS |
16549 | | int cnt = 0; |
16550 | | #endif |
16551 | | |
16552 | | #ifdef HAVE_NULL_CIPHER |
16553 | | if (cipherSuite0 == ECC_BYTE || |
16554 | | cipherSuite0 == ECDHE_PSK_BYTE) { |
16555 | | if (cipherSuite != TLS_SHA256_SHA256 && |
16556 | | cipherSuite != TLS_SHA384_SHA384) { |
16557 | | continue; |
16558 | | } |
16559 | | } |
16560 | | else |
16561 | | #endif |
16562 | | #if (defined(WOLFSSL_SM4_GCM) || defined(WOLFSSL_SM4_CCM)) && \ |
16563 | | defined(WOLFSSL_SM3) |
16564 | | if (cipherSuite0 == CIPHER_BYTE) { |
16565 | | if ((cipherSuite != TLS_SM4_GCM_SM3) && |
16566 | | (cipherSuite != TLS_SM4_CCM_SM3)) { |
16567 | | continue; |
16568 | | } |
16569 | | } |
16570 | | else |
16571 | | #endif |
16572 | | if (cipherSuite0 != TLS13_BYTE) |
16573 | | continue; |
16574 | | |
16575 | | #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS |
16576 | | do { |
16577 | | ssl->arrays->client_identity[0] = cnt; |
16578 | | #endif |
16579 | | |
16580 | | ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; |
16581 | | keySz = ssl->options.client_psk_cs_cb( |
16582 | | ssl, ssl->arrays->server_hint, |
16583 | | ssl->arrays->client_identity, MAX_PSK_ID_LEN, |
16584 | | ssl->arrays->psk_key, MAX_PSK_KEY_LEN, |
16585 | | GetCipherNameInternal(cipherSuite0, cipherSuite)); |
16586 | | if (keySz > 0) { |
16587 | | ssl->arrays->psk_keySz = keySz; |
16588 | | ret = TLSX_PreSharedKey_Use(&ssl->extensions, |
16589 | | (byte*)ssl->arrays->client_identity, |
16590 | | (word16)XSTRLEN(ssl->arrays->client_identity), |
16591 | | 0, SuiteMac(WOLFSSL_SUITES(ssl)->suites + i), |
16592 | | cipherSuite0, cipherSuite, 0, NULL, ssl->heap); |
16593 | | if (ret != 0) |
16594 | | return ret; |
16595 | | #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS |
16596 | | cnt++; |
16597 | | #endif |
16598 | | } |
16599 | | #ifdef WOLFSSL_PSK_MULTI_ID_PER_CS |
16600 | | } |
16601 | | while (keySz > 0); |
16602 | | #endif |
16603 | | } |
16604 | | |
16605 | | usingPSK = 1; |
16606 | | } |
16607 | | else |
16608 | | #endif |
16609 | | if (ssl->options.client_psk_cb != NULL || |
16610 | | ssl->options.client_psk_tls13_cb != NULL) { |
16611 | | /* Default cipher suite. */ |
16612 | | byte cipherSuite0 = TLS13_BYTE; |
16613 | | byte cipherSuite = WOLFSSL_DEF_PSK_CIPHER; |
16614 | | int cipherSuiteFlags = WOLFSSL_CIPHER_SUITE_FLAG_NONE; |
16615 | | const char* cipherName = NULL; |
16616 | | |
16617 | | if (ssl->options.client_psk_tls13_cb != NULL) { |
16618 | | ssl->arrays->psk_keySz = ssl->options.client_psk_tls13_cb( |
16619 | | ssl, ssl->arrays->server_hint, |
16620 | | ssl->arrays->client_identity, MAX_PSK_ID_LEN, |
16621 | | ssl->arrays->psk_key, MAX_PSK_KEY_LEN, &cipherName); |
16622 | | if (GetCipherSuiteFromName(cipherName, &cipherSuite0, |
16623 | | &cipherSuite, NULL, NULL, &cipherSuiteFlags) != 0) { |
16624 | | return PSK_KEY_ERROR; |
16625 | | } |
16626 | | } |
16627 | | else { |
16628 | | ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl, |
16629 | | ssl->arrays->server_hint, ssl->arrays->client_identity, |
16630 | | MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); |
16631 | | } |
16632 | | if ( |
16633 | | #ifdef OPENSSL_EXTRA |
16634 | | /* OpenSSL treats a PSK key length of 0 |
16635 | | * to indicate no PSK available. |
16636 | | */ |
16637 | | ssl->arrays->psk_keySz == 0 || |
16638 | | #endif |
16639 | | (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN && |
16640 | | (int)ssl->arrays->psk_keySz != WC_NO_ERR_TRACE(USE_HW_PSK))) { |
16641 | | #ifndef OPENSSL_EXTRA |
16642 | | ret = PSK_KEY_ERROR; |
16643 | | #endif |
16644 | | } |
16645 | | else { |
16646 | | ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; |
16647 | | |
16648 | | ssl->options.cipherSuite0 = cipherSuite0; |
16649 | | ssl->options.cipherSuite = cipherSuite; |
16650 | | (void)cipherSuiteFlags; |
16651 | | ret = SetCipherSpecs(ssl); |
16652 | | if (ret == 0) { |
16653 | | ret = TLSX_PreSharedKey_Use( |
16654 | | &ssl->extensions, |
16655 | | (byte*)ssl->arrays->client_identity, |
16656 | | (word16)XSTRLEN(ssl->arrays->client_identity), |
16657 | | 0, ssl->specs.mac_algorithm, |
16658 | | cipherSuite0, cipherSuite, 0, |
16659 | | NULL, ssl->heap); |
16660 | | } |
16661 | | if (ret == 0) |
16662 | | usingPSK = 1; |
16663 | | } |
16664 | | if (ret != 0) |
16665 | | return ret; |
16666 | | } |
16667 | | #endif /* !NO_PSK */ |
16668 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
16669 | | |
16670 | | /* Some servers do not generate session tickets unless |
16671 | | * the extension is seen in a non-resume client hello. |
16672 | | * We used to send it only if we were otherwise using PSK. |
16673 | | * Now always send it. Define NO_TLSX_PSKKEM_PLAIN_ANNOUNCE |
16674 | | * to revert to the old behaviour. */ |
16675 | | #ifdef NO_TLSX_PSKKEM_PLAIN_ANNOUNCE |
16676 | | if (usingPSK) |
16677 | | #endif |
16678 | | { |
16679 | | byte modes = 0; |
16680 | | |
16681 | | (void)usingPSK; |
16682 | | /* Pre-shared key modes: mandatory extension for resumption. */ |
16683 | | #ifdef HAVE_SUPPORTED_CURVES |
16684 | | if (!ssl->options.onlyPskDheKe) |
16685 | | #endif |
16686 | | { |
16687 | | modes = 1 << PSK_KE; |
16688 | | } |
16689 | | #if !defined(NO_DH) || defined(HAVE_ECC) || \ |
16690 | | defined(HAVE_CURVE25519) || defined(HAVE_CURVE448) |
16691 | | if (!ssl->options.noPskDheKe) { |
16692 | | modes |= 1 << PSK_DHE_KE; |
16693 | | } |
16694 | | #endif |
16695 | | #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK) |
16696 | | if (ssl->options.certWithExternPsk) { |
16697 | | /* RFC8773bis requires psk_dhe_ke with cert_with_extern_psk. */ |
16698 | | modes |= 1 << PSK_DHE_KE; |
16699 | | } |
16700 | | #endif |
16701 | | ret = TLSX_PskKeyModes_Use(ssl, modes); |
16702 | | if (ret != 0) |
16703 | | return ret; |
16704 | | } |
16705 | | |
16706 | | #if defined(WOLFSSL_CERT_WITH_EXTERN_PSK) |
16707 | | if (usingPSK && ssl->options.certWithExternPsk) { |
16708 | | ret = TLSX_CertWithExternPsk_Use(ssl); |
16709 | | if (ret != 0) |
16710 | | return ret; |
16711 | | /* Require server confirmation before using cert-with-PSK path. */ |
16712 | | ssl->options.certWithExternPsk = 0; |
16713 | | } |
16714 | | #endif |
16715 | | #endif |
16716 | | #if defined(WOLFSSL_POST_HANDSHAKE_AUTH) |
16717 | | if (!isServer && ssl->options.postHandshakeAuth) { |
16718 | | ret = TLSX_PostHandAuth_Use(ssl); |
16719 | | if (ret != 0) |
16720 | | return ret; |
16721 | | } |
16722 | | #endif |
16723 | | #if defined(HAVE_ECH) |
16724 | | /* GREASE ECH */ |
16725 | | if (!ssl->options.disableECH) { |
16726 | | if (ssl->echConfigs == NULL) { |
16727 | | ret = GREASE_ECH_USE(&(ssl->extensions), ssl->heap, |
16728 | | ssl->rng); |
16729 | | } |
16730 | | else if (ssl->echConfigs != NULL) { |
16731 | | ret = ECH_USE(ssl->echConfigs, &(ssl->extensions), |
16732 | | ssl->heap, ssl->rng); |
16733 | | } |
16734 | | } |
16735 | | #endif |
16736 | 0 | } |
16737 | | #if defined(HAVE_ECH) |
16738 | | else if (IsAtLeastTLSv1_3(ssl->version)) { |
16739 | | if (ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) { |
16740 | | ret = SERVER_ECH_USE(&(ssl->extensions), ssl->heap, |
16741 | | ssl->ctx->echConfigs); |
16742 | | |
16743 | | if (ret == 0) |
16744 | | TLSX_SetResponse(ssl, TLSX_ECH); |
16745 | | } |
16746 | | } |
16747 | | #endif |
16748 | | |
16749 | 0 | #endif |
16750 | | |
16751 | 0 | (void)isServer; |
16752 | 0 | (void)public_key; |
16753 | 0 | (void)public_key_len; |
16754 | 0 | (void)ssl; |
16755 | |
|
16756 | 0 | return ret; |
16757 | 0 | } |
16758 | | |
16759 | | |
16760 | | #if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_CLIENT) |
16761 | | |
16762 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
16763 | | /* Returns 1 if the extensions should be hidden for this write */ |
16764 | | static int TLSX_EchShouldHideInner(WOLFSSL_ECH* ech) |
16765 | | { |
16766 | | return ech != NULL && ech->type == ECH_TYPE_OUTER && |
16767 | | ech->state != ECH_WRITE_GREASE; |
16768 | | } |
16769 | | |
16770 | | /* Swap matching extension types between *sslExts and *echExts. |
16771 | | * Non-matched extensions in *echExts are appended to the tail of *sslExts |
16772 | | * |
16773 | | * Extensions are stored in reverse wire order, so non-matched extensions are |
16774 | | * appended to the tail rather than the head; this avoids displacing the leading |
16775 | | * extension (e.g. pre_shared_key, which must stay last on the wire). |
16776 | | * |
16777 | | * *appended is in/out: |
16778 | | * in -> number of trailing extensions to move from *sslExts to *echExts |
16779 | | * out -> the number of extensions appended to the tail of *sslExts |
16780 | | * |
16781 | | * Returns 0 on success, error otherwise. */ |
16782 | | WOLFSSL_TEST_VIS int TLSX_EchSwapExtensions(TLSX** sslExts, TLSX** echExts, |
16783 | | word16* appended) |
16784 | | { |
16785 | | TLSX* chunk = NULL; |
16786 | | TLSX* node; |
16787 | | TLSX* outer; |
16788 | | TLSX* inner; |
16789 | | TLSX** outerLink; |
16790 | | TLSX** innerLink; |
16791 | | TLSX** sslTail; |
16792 | | word16 len = 0; |
16793 | | |
16794 | | if (*appended > 0) { |
16795 | | for (node = *sslExts; node != NULL; node = node->next) |
16796 | | len++; |
16797 | | if (*appended >= len) |
16798 | | return BAD_FUNC_ARG; |
16799 | | sslTail = sslExts; |
16800 | | while (len > *appended) { |
16801 | | sslTail = &(*sslTail)->next; |
16802 | | len--; |
16803 | | } |
16804 | | chunk = *sslTail; |
16805 | | *sslTail = NULL; |
16806 | | } |
16807 | | |
16808 | | *appended = 0; |
16809 | | |
16810 | | outerLink = echExts; |
16811 | | while (*outerLink != NULL) { |
16812 | | innerLink = sslExts; |
16813 | | outer = *outerLink; |
16814 | | |
16815 | | while (*innerLink != NULL && (*innerLink)->type != outer->type) |
16816 | | innerLink = &(*innerLink)->next; |
16817 | | |
16818 | | if (*innerLink != NULL) { |
16819 | | inner = *innerLink; |
16820 | | |
16821 | | *innerLink = outer; |
16822 | | *outerLink = inner; |
16823 | | node = outer->next; |
16824 | | outer->next = inner->next; |
16825 | | inner->next = node; |
16826 | | |
16827 | | outerLink = &inner->next; |
16828 | | } |
16829 | | else { |
16830 | | *outerLink = outer->next; |
16831 | | *innerLink = outer; |
16832 | | outer->next = NULL; |
16833 | | *appended += 1; |
16834 | | } |
16835 | | } |
16836 | | |
16837 | | /* outerLink is at the tail of *echExts; append the chunk */ |
16838 | | *outerLink = chunk; |
16839 | | |
16840 | | return 0; |
16841 | | } |
16842 | | |
16843 | | /* sets installed if extensions were concealed, clears it otherwise. |
16844 | | * updates appended with the number of extensions appended. |
16845 | | * returns 0 on success, error otherwise */ |
16846 | | static int TLSX_EchConcealExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech, |
16847 | | word16* appended, int* installed) |
16848 | | { |
16849 | | int ret = 0; |
16850 | | |
16851 | | *installed = 0; |
16852 | | *appended = 0; |
16853 | | if (TLSX_EchShouldHideInner(ech)) { |
16854 | | ret = TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions, |
16855 | | appended); |
16856 | | if (ret == 0) |
16857 | | *installed = 1; |
16858 | | } |
16859 | | |
16860 | | return ret; |
16861 | | } |
16862 | | |
16863 | | /* reverses TLSX_EchConcealExtensions |
16864 | | * returns 0 on success, error otherwise */ |
16865 | | static int TLSX_EchExposeExtensions(WOLFSSL* ssl, WOLFSSL_ECH* ech, |
16866 | | word16 appended, int installed) |
16867 | | { |
16868 | | int ret = 0; |
16869 | | |
16870 | | if (installed) { |
16871 | | /* this is expected to always succeed, but in the case that it does not |
16872 | | * the handshake should be aborted and the ssl should not be reused. */ |
16873 | | ret = TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions, |
16874 | | &appended); |
16875 | | if (ret == 0 && appended != 0) { |
16876 | | WOLFSSL_MSG("Bad restore with TLSX_EchSwapExtensions"); |
16877 | | ret = BAD_STATE_E; |
16878 | | } |
16879 | | } |
16880 | | |
16881 | | return ret; |
16882 | | } |
16883 | | |
16884 | | /* If ECH is accepted, delete ech->extensions |
16885 | | * If rejected, replace matching ssl->extensions with ech->extensions, |
16886 | | * appending to the tail if necessary */ |
16887 | | int TLSX_EchReplaceExtensions(WOLFSSL* ssl, byte accepted) |
16888 | | { |
16889 | | int ret = 0; |
16890 | | TLSX* echX; |
16891 | | WOLFSSL_ECH* ech; |
16892 | | word16 appended = 0; |
16893 | | |
16894 | | echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
16895 | | if (echX == NULL || echX->data == NULL) |
16896 | | return 0; |
16897 | | ech = (WOLFSSL_ECH*)echX->data; |
16898 | | |
16899 | | if (!accepted) |
16900 | | ret = TLSX_EchSwapExtensions(&ssl->extensions, &ech->extensions, |
16901 | | &appended); |
16902 | | |
16903 | | if (ret == 0) { |
16904 | | TLSX_FreeAll(ech->extensions, ssl->heap); |
16905 | | ech->extensions = NULL; |
16906 | | } |
16907 | | |
16908 | | return ret; |
16909 | | } |
16910 | | |
16911 | | /* Returns 1 if the extension may be encoded into ech_outer_extensions, |
16912 | | * 0 otherwise */ |
16913 | | static int TLSX_ECH_IsEncodable(word16 type) |
16914 | | { |
16915 | | /* supported_versions being here prevents the inner hello from advertising |
16916 | | * a version less than TLS1.3 */ |
16917 | | switch (type) { |
16918 | | case TLSX_SERVER_NAME: |
16919 | | case TLSX_APPLICATION_LAYER_PROTOCOL: |
16920 | | case TLSX_SUPPORTED_VERSIONS: |
16921 | | case TLSX_ECH: |
16922 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
16923 | | case TLSX_PRE_SHARED_KEY: |
16924 | | #endif |
16925 | | #ifdef WOLFSSL_EARLY_DATA |
16926 | | case TLSX_EARLY_DATA: |
16927 | | #endif |
16928 | | return 0; |
16929 | | default: |
16930 | | return 1; |
16931 | | } |
16932 | | } |
16933 | | |
16934 | | /* find extensions that can be encoded into ech_outer_extensions. |
16935 | | * If output is non-NULL, then write the encoded form. |
16936 | | * |
16937 | | * Layout of OuterExtensions (RFC 9849, S5.1): |
16938 | | * 2-byte extension_type + 2-byte extension_data length + |
16939 | | * 1-byte list length + 2*count bytes of extension types |
16940 | | */ |
16941 | | static int TLSX_ECH_BuildOuterExtensions(WOLFSSL* ssl, const byte* semaphore, |
16942 | | byte msgType, byte* output, word16* pOffset, word16* outCount, |
16943 | | byte* encodeMask) |
16944 | | { |
16945 | | TLSX* list; |
16946 | | TLSX* extension; |
16947 | | byte* typesStart = NULL; |
16948 | | int listIdx; |
16949 | | word16 count = 0; |
16950 | | byte isRequest = (msgType == client_hello || |
16951 | | msgType == certificate_request); |
16952 | | byte seen[SEMAPHORE_SIZE]; |
16953 | | |
16954 | | /* backup semaphore so it can be aliased by encodeMask */ |
16955 | | XMEMCPY(seen, semaphore, SEMAPHORE_SIZE); |
16956 | | |
16957 | | if (output != NULL && pOffset != NULL) { |
16958 | | typesStart = output + *pOffset |
16959 | | + HELLO_EXT_TYPE_SZ + OPAQUE16_LEN + OPAQUE8_LEN; |
16960 | | } |
16961 | | |
16962 | | for (listIdx = 0; listIdx < 2; listIdx++) { |
16963 | | list = (listIdx == 0) ? ssl->extensions : |
16964 | | (ssl->ctx != NULL ? ssl->ctx->extensions : NULL); |
16965 | | for (extension = list; extension != NULL; extension = extension->next) { |
16966 | | word16 type = (word16)extension->type; |
16967 | | word16 semIdx = TLSX_ToSemaphore(type); |
16968 | | |
16969 | | /* OuterExtensions is <2..254>, so reference at most 127 types */ |
16970 | | if (count >= 127) { |
16971 | | WOLFSSL_MSG("ECH: cannot encode more than 127 extensions"); |
16972 | | break; |
16973 | | } |
16974 | | |
16975 | | if (!isRequest && !extension->resp) |
16976 | | continue; |
16977 | | if (!IS_OFF(seen, semIdx)) |
16978 | | continue; |
16979 | | TURN_ON(seen, semIdx); |
16980 | | if (!TLSX_ECH_IsEncodable(type)) |
16981 | | continue; |
16982 | | |
16983 | | if (typesStart != NULL) |
16984 | | c16toa(type, typesStart + count * OPAQUE16_LEN); |
16985 | | count++; |
16986 | | TURN_ON(encodeMask, semIdx); |
16987 | | } |
16988 | | } |
16989 | | |
16990 | | if (count > 0 && pOffset != NULL) { |
16991 | | word16 listLen = (word16)(OPAQUE16_LEN * count); |
16992 | | word16 blockSz = (word16)(HELLO_EXT_TYPE_SZ + OPAQUE16_LEN |
16993 | | + OPAQUE8_LEN + listLen); |
16994 | | if ((word32)*pOffset + blockSz > WOLFSSL_MAX_16BIT) { |
16995 | | WOLFSSL_MSG("ECH OuterExtensions overflows extensions length"); |
16996 | | return BUFFER_E; |
16997 | | } |
16998 | | if (output != NULL) { |
16999 | | byte* hdr = output + *pOffset; |
17000 | | c16toa(TLSXT_ECH_OUTER_EXTENSIONS, hdr); |
17001 | | c16toa((word16)(OPAQUE8_LEN + listLen), hdr + OPAQUE16_LEN); |
17002 | | hdr[OPAQUE16_LEN + OPAQUE16_LEN] = (byte)listLen; |
17003 | | } |
17004 | | |
17005 | | /* accumulate offset even if nothing is written */ |
17006 | | *pOffset += blockSz; |
17007 | | } |
17008 | | |
17009 | | *outCount = count; |
17010 | | return 0; |
17011 | | } |
17012 | | |
17013 | | /* because the size of ech depends on the size of other extensions we need to |
17014 | | * get the size with ech special and process ech last, return status */ |
17015 | | static int TLSX_GetSizeWithEch(WOLFSSL* ssl, byte* semaphore, byte msgType, |
17016 | | word16* pLength) |
17017 | | { |
17018 | | int ret = 0; |
17019 | | int retC; |
17020 | | int installed = 0; |
17021 | | TLSX* echX = NULL; |
17022 | | WOLFSSL_ECH* ech = NULL; |
17023 | | word16 count = 0; |
17024 | | word16 appended = 0; |
17025 | | |
17026 | | if (ssl->extensions) |
17027 | | echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
17028 | | if (echX != NULL) |
17029 | | ech = (WOLFSSL_ECH*)echX->data; |
17030 | | |
17031 | | ret = retC = TLSX_EchConcealExtensions(ssl, ech, &appended, &installed); |
17032 | | |
17033 | | /* if encoding, then count encoded form of inner ClientHello. |
17034 | | * `semaphore` is in/out so encodable extensions will later be ignored */ |
17035 | | if (ret == 0 && |
17036 | | ech != NULL && ech->type == ECH_TYPE_INNER && ech->writeEncoded) { |
17037 | | ret = TLSX_ECH_BuildOuterExtensions(ssl, semaphore, msgType, |
17038 | | NULL, pLength, &count, semaphore); |
17039 | | } |
17040 | | if (ret == 0 && ssl->extensions) |
17041 | | ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, pLength); |
17042 | | if (ret == 0 && ssl->ctx && ssl->ctx->extensions) |
17043 | | ret = TLSX_GetSize(ssl->ctx->extensions, semaphore, msgType, pLength); |
17044 | | |
17045 | | /* always try to restore extensions to a good state */ |
17046 | | if (retC == 0) |
17047 | | retC = TLSX_EchExposeExtensions(ssl, ech, appended, installed); |
17048 | | |
17049 | | if (ret == 0) |
17050 | | ret = retC; |
17051 | | return ret; |
17052 | | } |
17053 | | #endif |
17054 | | |
17055 | | /** Tells the buffered size of extensions to be sent into the client hello. */ |
17056 | | int TLSX_GetRequestSize(WOLFSSL* ssl, byte msgType, word32* pLength) |
17057 | 0 | { |
17058 | 0 | int ret = 0; |
17059 | 0 | word16 length = 0; |
17060 | 0 | byte semaphore[SEMAPHORE_SIZE] = {0}; |
17061 | |
|
17062 | 0 | if (!TLSX_SupportExtensions(ssl)) |
17063 | 0 | return 0; |
17064 | 0 | if (msgType == client_hello) { |
17065 | 0 | EC_VALIDATE_REQUEST(ssl, semaphore); |
17066 | 0 | PF_VALIDATE_REQUEST(ssl, semaphore); |
17067 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
17068 | 0 | if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0) |
17069 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); |
17070 | 0 | #endif |
17071 | 0 | #if defined(WOLFSSL_TLS13) |
17072 | 0 | if (!IsAtLeastTLSv1_2(ssl)) { |
17073 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); |
17074 | 0 | } |
17075 | 0 | #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) |
17076 | 0 | if (!IsAtLeastTLSv1_3(ssl->version)) { |
17077 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17078 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17079 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
17080 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES)); |
17081 | | #endif |
17082 | | #ifdef WOLFSSL_EARLY_DATA |
17083 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA)); |
17084 | | #endif |
17085 | | #ifdef WOLFSSL_SEND_HRR_COOKIE |
17086 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE)); |
17087 | | #endif |
17088 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
17089 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH)); |
17090 | | #endif |
17091 | 0 | } |
17092 | 0 | #endif |
17093 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) |
17094 | | if (!IsAtLeastTLSv1_3(ssl->version) || |
17095 | | SSL_CA_NAMES(ssl) == NULL) { |
17096 | | TURN_ON(semaphore, |
17097 | | TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES)); |
17098 | | } |
17099 | | #endif |
17100 | 0 | #endif /* WOLFSSL_TLS13 */ |
17101 | | #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ |
17102 | | || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) |
17103 | | if (!SSL_CM(ssl)->ocspStaplingEnabled) { |
17104 | | /* mark already sent, so it won't send it */ |
17105 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST)); |
17106 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2)); |
17107 | | } |
17108 | | #endif |
17109 | 0 | } |
17110 | | |
17111 | 0 | #ifdef WOLFSSL_TLS13 |
17112 | 0 | #ifndef NO_CERTS |
17113 | 0 | else if (msgType == certificate_request) { |
17114 | | /* Don't send out any extension except those that are turned off. */ |
17115 | 0 | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17116 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
17117 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); |
17118 | 0 | #endif |
17119 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) |
17120 | | if (SSL_PRIORITY_CA_NAMES(ssl) != NULL) { |
17121 | | TURN_OFF(semaphore, |
17122 | | TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES)); |
17123 | | } |
17124 | | #endif |
17125 | | /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, OID_FILTERS |
17126 | | * TLSX_STATUS_REQUEST |
17127 | | */ |
17128 | 0 | } |
17129 | 0 | #endif |
17130 | | #if defined(HAVE_ECH) |
17131 | | if (!ssl->options.disableECH && msgType == client_hello) { |
17132 | | ret = TLSX_GetSizeWithEch(ssl, semaphore, msgType, &length); |
17133 | | if (ret != 0) |
17134 | | return ret; |
17135 | | } |
17136 | | else |
17137 | | #endif /* HAVE_ECH */ |
17138 | 0 | #endif /* WOLFSSL_TLS13 */ |
17139 | 0 | { |
17140 | 0 | if (ssl->extensions) { |
17141 | 0 | ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length); |
17142 | 0 | if (ret != 0) |
17143 | 0 | return ret; |
17144 | 0 | } |
17145 | 0 | if (ssl->ctx && ssl->ctx->extensions) { |
17146 | 0 | ret = TLSX_GetSize(ssl->ctx->extensions, semaphore, msgType, |
17147 | 0 | &length); |
17148 | 0 | if (ret != 0) |
17149 | 0 | return ret; |
17150 | 0 | } |
17151 | 0 | } |
17152 | | |
17153 | 0 | #ifdef HAVE_EXTENDED_MASTER |
17154 | 0 | if (msgType == client_hello && ssl->options.haveEMS && |
17155 | 0 | (!IsAtLeastTLSv1_3(ssl->version) || ssl->options.downgrade)) { |
17156 | 0 | length += HELLO_EXT_SZ; |
17157 | 0 | } |
17158 | 0 | #endif |
17159 | | |
17160 | | /* The TLS extensions block length prefix is a 2-byte field, so any |
17161 | | * accumulated total above 0xFFFF must be rejected rather than silently |
17162 | | * truncating and producing a short, malformed handshake message. */ |
17163 | 0 | if (length > (word16)(WOLFSSL_MAX_16BIT - OPAQUE16_LEN)) { |
17164 | 0 | WOLFSSL_MSG("TLSX_GetRequestSize extensions exceed word16"); |
17165 | 0 | return BUFFER_E; |
17166 | 0 | } |
17167 | 0 | if (length) |
17168 | 0 | length += OPAQUE16_LEN; /* for total length storage. */ |
17169 | |
|
17170 | 0 | *pLength += length; |
17171 | |
|
17172 | 0 | return ret; |
17173 | 0 | } |
17174 | | |
17175 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
17176 | | /* return status after writing the extensions with ech written last */ |
17177 | | static int TLSX_WriteWithEch(WOLFSSL* ssl, byte* output, byte* semaphore, |
17178 | | byte msgType, word16* pOffset) |
17179 | | { |
17180 | | int ret = 0; |
17181 | | int retC; |
17182 | | int installed = 0; |
17183 | | TLSX* echX = NULL; |
17184 | | WOLFSSL_ECH* ech = NULL; |
17185 | | word16 appended = 0; |
17186 | | |
17187 | | if (ssl->extensions) |
17188 | | echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
17189 | | if (echX != NULL) |
17190 | | ech = (WOLFSSL_ECH*)echX->data; |
17191 | | |
17192 | | ret = retC = TLSX_EchConcealExtensions(ssl, ech, &appended, &installed); |
17193 | | |
17194 | | if (ret == 0 && echX != NULL) { |
17195 | | /* turn ech on so it doesn't write, then write it last */ |
17196 | | TURN_ON(semaphore, TLSX_ToSemaphore(echX->type)); |
17197 | | } |
17198 | | |
17199 | | /* for ECH inner, print the encodable block first, then the non-encodables. |
17200 | | * This allows the same transcript to be produced on either side |
17201 | | * (the transcript is over the expanded form). */ |
17202 | | if (ret == 0 && ech != NULL && ech->type == ECH_TYPE_INNER) { |
17203 | | byte encodeMask[SEMAPHORE_SIZE]; |
17204 | | byte* mask = ech->writeEncoded ? semaphore : encodeMask; |
17205 | | word16 count = 0; |
17206 | | int i; |
17207 | | |
17208 | | XMEMSET(encodeMask, 0, SEMAPHORE_SIZE); |
17209 | | |
17210 | | ret = TLSX_ECH_BuildOuterExtensions(ssl, semaphore, msgType, |
17211 | | ech->writeEncoded ? output : NULL, |
17212 | | ech->writeEncoded ? pOffset : NULL, |
17213 | | &count, mask); |
17214 | | if (ret == 0 && count >= 1 && !ech->writeEncoded) { |
17215 | | /* expanded: print encodable block normally */ |
17216 | | for (i = 0; i < SEMAPHORE_SIZE; i++) { |
17217 | | semaphore[i] |= encodeMask[i]; |
17218 | | encodeMask[i] = (byte)~encodeMask[i]; |
17219 | | } |
17220 | | if (ssl->extensions) { |
17221 | | ret = TLSX_Write(ssl->extensions, output + *pOffset, |
17222 | | encodeMask, msgType, pOffset); |
17223 | | } |
17224 | | if (ret == 0 && ssl->ctx && ssl->ctx->extensions) { |
17225 | | ret = TLSX_Write(ssl->ctx->extensions, output + *pOffset, |
17226 | | encodeMask, msgType, pOffset); |
17227 | | } |
17228 | | } |
17229 | | } |
17230 | | |
17231 | | /* print non-encodable block */ |
17232 | | if (ret == 0 && ssl->extensions) { |
17233 | | ret = TLSX_Write(ssl->extensions, output + *pOffset, semaphore, |
17234 | | msgType, pOffset); |
17235 | | } |
17236 | | if (ret == 0 && ssl->ctx && ssl->ctx->extensions) { |
17237 | | ret = TLSX_Write(ssl->ctx->extensions, output + *pOffset, semaphore, |
17238 | | msgType, pOffset); |
17239 | | } |
17240 | | |
17241 | | /* write ECH last */ |
17242 | | if (ret == 0 && echX != NULL) { |
17243 | | /* turn off and write it last */ |
17244 | | TURN_OFF(semaphore, TLSX_ToSemaphore(echX->type)); |
17245 | | |
17246 | | if (ssl->extensions) { |
17247 | | ret = TLSX_Write(ssl->extensions, output + *pOffset, semaphore, |
17248 | | msgType, pOffset); |
17249 | | } |
17250 | | |
17251 | | if (ret == 0 && ssl->ctx && ssl->ctx->extensions) { |
17252 | | ret = TLSX_Write(ssl->ctx->extensions, output + *pOffset, semaphore, |
17253 | | msgType, pOffset); |
17254 | | } |
17255 | | } |
17256 | | |
17257 | | /* always try to restore extensions to a good state */ |
17258 | | if (retC == 0) |
17259 | | retC = TLSX_EchExposeExtensions(ssl, ech, appended, installed); |
17260 | | |
17261 | | if (ret == 0) |
17262 | | ret = retC; |
17263 | | return ret; |
17264 | | } |
17265 | | #endif |
17266 | | |
17267 | | /** Writes the extensions to be sent into the client hello. */ |
17268 | | int TLSX_WriteRequest(WOLFSSL* ssl, byte* output, byte msgType, word32* pOffset) |
17269 | 0 | { |
17270 | 0 | int ret = 0; |
17271 | 0 | word16 offset = 0; |
17272 | 0 | byte semaphore[SEMAPHORE_SIZE] = {0}; |
17273 | |
|
17274 | 0 | if (!TLSX_SupportExtensions(ssl) || output == NULL) |
17275 | 0 | return 0; |
17276 | | |
17277 | 0 | offset += OPAQUE16_LEN; /* extensions length */ |
17278 | |
|
17279 | 0 | if (msgType == client_hello) { |
17280 | 0 | EC_VALIDATE_REQUEST(ssl, semaphore); |
17281 | 0 | PF_VALIDATE_REQUEST(ssl, semaphore); |
17282 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
17283 | 0 | if (WOLFSSL_SUITES(ssl)->hashSigAlgoSz == 0) |
17284 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); |
17285 | 0 | #endif |
17286 | 0 | #ifdef WOLFSSL_TLS13 |
17287 | 0 | if (!IsAtLeastTLSv1_2(ssl)) { |
17288 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); |
17289 | 0 | } |
17290 | 0 | #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) |
17291 | 0 | if (!IsAtLeastTLSv1_3(ssl->version)) { |
17292 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17293 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17294 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES)); |
17295 | | #endif |
17296 | | #ifdef WOLFSSL_EARLY_DATA |
17297 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA)); |
17298 | | #endif |
17299 | | #ifdef WOLFSSL_SEND_HRR_COOKIE |
17300 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_COOKIE)); |
17301 | | #endif |
17302 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
17303 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_POST_HANDSHAKE_AUTH)); |
17304 | | #endif |
17305 | | #ifdef WOLFSSL_DUAL_ALG_CERTS |
17306 | | TURN_ON(semaphore, |
17307 | | TLSX_ToSemaphore(TLSX_CKS)); |
17308 | | #endif |
17309 | 0 | } |
17310 | 0 | #endif |
17311 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) |
17312 | | if (!IsAtLeastTLSv1_3(ssl->version) || SSL_CA_NAMES(ssl) == NULL) { |
17313 | | TURN_ON(semaphore, |
17314 | | TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES)); |
17315 | | } |
17316 | | #endif |
17317 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17318 | | /* Must write Pre-shared Key extension at the end in TLS v1.3. |
17319 | | * Must not write out Pre-shared Key extension in earlier versions of |
17320 | | * protocol. |
17321 | | */ |
17322 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
17323 | | #endif |
17324 | 0 | #endif /* WOLFSSL_TLS13 */ |
17325 | | #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ |
17326 | | || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) |
17327 | | /* mark already sent, so it won't send it */ |
17328 | | if (!SSL_CM(ssl)->ocspStaplingEnabled) { |
17329 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST)); |
17330 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2)); |
17331 | | } |
17332 | | #endif |
17333 | 0 | } |
17334 | 0 | #ifdef WOLFSSL_TLS13 |
17335 | 0 | #ifndef NO_CERTS |
17336 | 0 | else if (msgType == certificate_request) { |
17337 | | /* Don't send out any extension except those that are turned off. */ |
17338 | 0 | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17339 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
17340 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); |
17341 | 0 | #endif |
17342 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) |
17343 | | if (SSL_PRIORITY_CA_NAMES(ssl) != NULL) { |
17344 | | TURN_OFF(semaphore, |
17345 | | TLSX_ToSemaphore(TLSX_CERTIFICATE_AUTHORITIES)); |
17346 | | } |
17347 | | #endif |
17348 | | /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, TLSX_OID_FILTERS |
17349 | | * TLSX_STATUS_REQUEST |
17350 | | */ |
17351 | 0 | } |
17352 | 0 | #endif |
17353 | 0 | #endif |
17354 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
17355 | | if (!ssl->options.disableECH && msgType == client_hello) { |
17356 | | ret = TLSX_WriteWithEch(ssl, output, semaphore, msgType, &offset); |
17357 | | if (ret != 0) |
17358 | | return ret; |
17359 | | } |
17360 | | else |
17361 | | #endif |
17362 | 0 | { |
17363 | 0 | if (ssl->extensions) { |
17364 | 0 | ret = TLSX_Write(ssl->extensions, output + offset, semaphore, |
17365 | 0 | msgType, &offset); |
17366 | 0 | if (ret != 0) |
17367 | 0 | return ret; |
17368 | 0 | } |
17369 | 0 | if (ssl->ctx && ssl->ctx->extensions) { |
17370 | 0 | ret = TLSX_Write(ssl->ctx->extensions, output + offset, semaphore, |
17371 | 0 | msgType, &offset); |
17372 | 0 | if (ret != 0) |
17373 | 0 | return ret; |
17374 | 0 | } |
17375 | 0 | } |
17376 | | |
17377 | 0 | #ifdef HAVE_EXTENDED_MASTER |
17378 | 0 | if (msgType == client_hello && ssl->options.haveEMS && |
17379 | 0 | (!IsAtLeastTLSv1_3(ssl->version) || ssl->options.downgrade)) { |
17380 | 0 | WOLFSSL_MSG("EMS extension to write"); |
17381 | 0 | c16toa(HELLO_EXT_EXTMS, output + offset); |
17382 | 0 | offset += HELLO_EXT_TYPE_SZ; |
17383 | 0 | c16toa(0, output + offset); |
17384 | 0 | offset += HELLO_EXT_SZ_SZ; |
17385 | 0 | } |
17386 | 0 | #endif |
17387 | |
|
17388 | 0 | #ifdef WOLFSSL_TLS13 |
17389 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17390 | | if (msgType == client_hello && IsAtLeastTLSv1_3(ssl->version)) { |
17391 | | /* Write out what we can of Pre-shared key extension. */ |
17392 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
17393 | | ret = TLSX_Write(ssl->extensions, output + offset, semaphore, |
17394 | | client_hello, &offset); |
17395 | | if (ret != 0) |
17396 | | return ret; |
17397 | | } |
17398 | | #endif |
17399 | 0 | #endif |
17400 | | |
17401 | | /* Wrap detection for the TLSX_Write calls above is handled inside |
17402 | | * TLSX_Write itself: any iteration that would push the local word16 |
17403 | | * offset past 0xFFFF returns BUFFER_E so we never reach here with a |
17404 | | * truncated value. The TLS extensions block length prefix on the |
17405 | | * wire is a 2-byte field, matching this invariant. */ |
17406 | |
|
17407 | 0 | if (offset > OPAQUE16_LEN || msgType != client_hello) |
17408 | 0 | c16toa(offset - OPAQUE16_LEN, output); /* extensions length */ |
17409 | |
|
17410 | 0 | *pOffset += offset; |
17411 | |
|
17412 | 0 | return ret; |
17413 | 0 | } |
17414 | | #endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */ |
17415 | | |
17416 | | #if defined(WOLFSSL_TLS13) || !defined(NO_WOLFSSL_SERVER) |
17417 | | |
17418 | | /** Tells the buffered size of extensions to be sent into the server hello. */ |
17419 | | int TLSX_GetResponseSize(WOLFSSL* ssl, byte msgType, word16* pLength) |
17420 | 0 | { |
17421 | 0 | int ret = 0; |
17422 | 0 | word16 length = 0; |
17423 | 0 | byte semaphore[SEMAPHORE_SIZE] = {0}; |
17424 | |
|
17425 | 0 | switch (msgType) { |
17426 | 0 | #ifndef NO_WOLFSSL_SERVER |
17427 | 0 | case server_hello: |
17428 | 0 | PF_VALIDATE_RESPONSE(ssl, semaphore); |
17429 | 0 | #ifdef WOLFSSL_TLS13 |
17430 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) { |
17431 | 0 | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17432 | 0 | TURN_OFF(semaphore, |
17433 | 0 | TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); |
17434 | 0 | #if defined(HAVE_SUPPORTED_CURVES) |
17435 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17436 | | if (!ssl->options.noPskDheKe) |
17437 | | #endif |
17438 | 0 | { |
17439 | | /* Expect KeyShare extension in ServerHello. */ |
17440 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17441 | 0 | } |
17442 | 0 | #endif |
17443 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17444 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
17445 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
17446 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK)); |
17447 | | #endif |
17448 | | #endif |
17449 | 0 | } |
17450 | 0 | #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) |
17451 | 0 | else { |
17452 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
17453 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17454 | 0 | #endif |
17455 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17456 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
17457 | | #endif |
17458 | 0 | } |
17459 | 0 | #endif |
17460 | | #ifdef WOLFSSL_DTLS_CID |
17461 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID)); |
17462 | | #endif |
17463 | 0 | #endif /* WOLFSSL_TLS13 */ |
17464 | 0 | break; |
17465 | | |
17466 | 0 | #ifdef WOLFSSL_TLS13 |
17467 | 0 | case hello_retry_request: |
17468 | 0 | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17469 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); |
17470 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
17471 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17472 | | if (!ssl->options.noPskDheKe) |
17473 | | #endif |
17474 | 0 | { |
17475 | | /* Expect KeyShare extension in HelloRetryRequest. */ |
17476 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17477 | 0 | } |
17478 | 0 | #endif |
17479 | | #ifdef WOLFSSL_SEND_HRR_COOKIE |
17480 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE)); |
17481 | | #endif |
17482 | | #ifdef HAVE_ECH |
17483 | | /* send the special confirmation */ |
17484 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_ECH)); |
17485 | | #endif |
17486 | 0 | break; |
17487 | 0 | #endif |
17488 | | |
17489 | 0 | #ifdef WOLFSSL_TLS13 |
17490 | 0 | case encrypted_extensions: |
17491 | | /* Send out all extension except those that are turned on. */ |
17492 | 0 | #ifdef HAVE_ECC |
17493 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS)); |
17494 | 0 | #endif |
17495 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); |
17496 | | #ifdef HAVE_SESSION_TICKET |
17497 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET)); |
17498 | | #endif |
17499 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
17500 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17501 | 0 | #endif |
17502 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17503 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
17504 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
17505 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK)); |
17506 | | #endif |
17507 | | #endif |
17508 | | #ifdef HAVE_CERTIFICATE_STATUS_REQUEST |
17509 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST)); |
17510 | | #endif |
17511 | | #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 |
17512 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2)); |
17513 | | #endif |
17514 | 0 | #if defined(HAVE_SERVER_RENEGOTIATION_INFO) |
17515 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_RENEGOTIATION_INFO)); |
17516 | 0 | #endif |
17517 | | #ifdef WOLFSSL_DTLS_CID |
17518 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID)); |
17519 | | #endif /* WOLFSSL_DTLS_CID */ |
17520 | 0 | break; |
17521 | | |
17522 | | #ifdef WOLFSSL_EARLY_DATA |
17523 | | case session_ticket: |
17524 | | if (ssl->options.tls1_3) { |
17525 | | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17526 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA)); |
17527 | | } |
17528 | | break; |
17529 | | #endif |
17530 | 0 | #endif |
17531 | 0 | #endif |
17532 | | |
17533 | 0 | #ifdef WOLFSSL_TLS13 |
17534 | 0 | #ifndef NO_CERTS |
17535 | 0 | case certificate: |
17536 | | /* Don't send out any extension except those that are turned off. */ |
17537 | 0 | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17538 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST)); |
17539 | | /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, |
17540 | | * TLSX_SERVER_CERTIFICATE_TYPE |
17541 | | */ |
17542 | 0 | break; |
17543 | 0 | #endif |
17544 | 0 | #endif |
17545 | 0 | } |
17546 | | |
17547 | 0 | #ifdef HAVE_EXTENDED_MASTER |
17548 | 0 | if (ssl->options.haveEMS && msgType == server_hello && |
17549 | 0 | !IsAtLeastTLSv1_3(ssl->version)) { |
17550 | 0 | length += HELLO_EXT_SZ; |
17551 | 0 | } |
17552 | 0 | #endif |
17553 | |
|
17554 | 0 | if (TLSX_SupportExtensions(ssl)) { |
17555 | 0 | ret = TLSX_GetSize(ssl->extensions, semaphore, msgType, &length); |
17556 | 0 | if (ret != 0) |
17557 | 0 | return ret; |
17558 | 0 | } |
17559 | | |
17560 | | /* All the response data is set at the ssl object only, so no ctx here. */ |
17561 | | |
17562 | 0 | if (length || msgType != server_hello) |
17563 | 0 | length += OPAQUE16_LEN; /* for total length storage. */ |
17564 | |
|
17565 | 0 | *pLength += length; |
17566 | |
|
17567 | 0 | return ret; |
17568 | 0 | } |
17569 | | |
17570 | | /** Writes the server hello extensions into a buffer. */ |
17571 | | int TLSX_WriteResponse(WOLFSSL *ssl, byte* output, byte msgType, word16* pOffset) |
17572 | 0 | { |
17573 | 0 | int ret = 0; |
17574 | 0 | word16 offset = 0; |
17575 | |
|
17576 | 0 | if (TLSX_SupportExtensions(ssl) && output) { |
17577 | 0 | byte semaphore[SEMAPHORE_SIZE] = {0}; |
17578 | |
|
17579 | 0 | switch (msgType) { |
17580 | 0 | #ifndef NO_WOLFSSL_SERVER |
17581 | 0 | case server_hello: |
17582 | 0 | PF_VALIDATE_RESPONSE(ssl, semaphore); |
17583 | 0 | #ifdef WOLFSSL_TLS13 |
17584 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) { |
17585 | 0 | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17586 | 0 | TURN_OFF(semaphore, |
17587 | 0 | TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); |
17588 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
17589 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17590 | | if (!ssl->options.noPskDheKe) |
17591 | | #endif |
17592 | 0 | { |
17593 | | /* Write out KeyShare in ServerHello. */ |
17594 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17595 | 0 | } |
17596 | 0 | #endif |
17597 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17598 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
17599 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
17600 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK)); |
17601 | | #endif |
17602 | | #endif |
17603 | 0 | } |
17604 | 0 | else |
17605 | 0 | #endif /* WOLFSSL_TLS13 */ |
17606 | 0 | { |
17607 | 0 | #if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) |
17608 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
17609 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17610 | 0 | #endif |
17611 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17612 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
17613 | | #endif |
17614 | 0 | #endif |
17615 | 0 | WC_DO_NOTHING; /* avoid empty brackets */ |
17616 | 0 | } |
17617 | | #ifdef WOLFSSL_DTLS_CID |
17618 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID)); |
17619 | | #endif /* WOLFSSL_DTLS_CID */ |
17620 | 0 | break; |
17621 | | |
17622 | 0 | #ifdef WOLFSSL_TLS13 |
17623 | 0 | case hello_retry_request: |
17624 | 0 | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17625 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); |
17626 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
17627 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17628 | | if (!ssl->options.noPskDheKe) |
17629 | | #endif |
17630 | 0 | { |
17631 | | /* Write out KeyShare in HelloRetryRequest. */ |
17632 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17633 | 0 | } |
17634 | 0 | #endif |
17635 | 0 | break; |
17636 | 0 | #endif |
17637 | | |
17638 | 0 | #ifdef WOLFSSL_TLS13 |
17639 | 0 | case encrypted_extensions: |
17640 | | /* Send out all extension except those that are turned on. */ |
17641 | 0 | #ifdef HAVE_ECC |
17642 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_EC_POINT_FORMATS)); |
17643 | 0 | #endif |
17644 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_VERSIONS)); |
17645 | | #ifdef HAVE_SESSION_TICKET |
17646 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SESSION_TICKET)); |
17647 | | #endif |
17648 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
17649 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
17650 | 0 | #endif |
17651 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
17652 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
17653 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
17654 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK)); |
17655 | | #endif |
17656 | | #endif |
17657 | | #ifdef HAVE_CERTIFICATE_STATUS_REQUEST |
17658 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST)); |
17659 | | #endif |
17660 | | #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 |
17661 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST_V2)); |
17662 | | #endif |
17663 | 0 | #if defined(HAVE_SERVER_RENEGOTIATION_INFO) |
17664 | 0 | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_RENEGOTIATION_INFO)); |
17665 | 0 | #endif |
17666 | | #ifdef WOLFSSL_DTLS_CID |
17667 | | TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_CONNECTION_ID)); |
17668 | | #endif /* WOLFSSL_DTLS_CID */ |
17669 | 0 | break; |
17670 | | |
17671 | | #ifdef WOLFSSL_EARLY_DATA |
17672 | | case session_ticket: |
17673 | | if (ssl->options.tls1_3) { |
17674 | | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17675 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_EARLY_DATA)); |
17676 | | } |
17677 | | break; |
17678 | | #endif |
17679 | 0 | #endif |
17680 | 0 | #endif |
17681 | | |
17682 | 0 | #ifdef WOLFSSL_TLS13 |
17683 | 0 | #ifndef NO_CERTS |
17684 | 0 | case certificate: |
17685 | | /* Don't send out any extension except those that are turned |
17686 | | * off. */ |
17687 | 0 | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17688 | 0 | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_STATUS_REQUEST)); |
17689 | | /* TODO: TLSX_SIGNED_CERTIFICATE_TIMESTAMP, |
17690 | | * TLSX_SERVER_CERTIFICATE_TYPE |
17691 | | */ |
17692 | 0 | break; |
17693 | 0 | #endif |
17694 | 0 | #endif |
17695 | | |
17696 | 0 | default: |
17697 | 0 | break; |
17698 | 0 | } |
17699 | | |
17700 | 0 | offset += OPAQUE16_LEN; /* extensions length */ |
17701 | |
|
17702 | 0 | ret = TLSX_Write(ssl->extensions, output + offset, semaphore, |
17703 | 0 | msgType, &offset); |
17704 | 0 | if (ret != 0) |
17705 | 0 | return ret; |
17706 | | |
17707 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_SEND_HRR_COOKIE) |
17708 | | if (msgType == hello_retry_request) { |
17709 | | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17710 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_COOKIE)); |
17711 | | ret = TLSX_Write(ssl->extensions, output + offset, semaphore, |
17712 | | msgType, &offset); |
17713 | | if (ret != 0) |
17714 | | return ret; |
17715 | | } |
17716 | | #endif |
17717 | | |
17718 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
17719 | | /* write ECH last to promote interop with other implementations */ |
17720 | | if (msgType == hello_retry_request) { |
17721 | | XMEMSET(semaphore, 0xff, SEMAPHORE_SIZE); |
17722 | | TURN_OFF(semaphore, TLSX_ToSemaphore(TLSX_ECH)); |
17723 | | ret = TLSX_Write(ssl->extensions, output + offset, semaphore, |
17724 | | msgType, &offset); |
17725 | | if (ret != 0) |
17726 | | return ret; |
17727 | | } |
17728 | | #endif |
17729 | | |
17730 | 0 | #ifdef HAVE_EXTENDED_MASTER |
17731 | 0 | if (ssl->options.haveEMS && msgType == server_hello && |
17732 | 0 | !IsAtLeastTLSv1_3(ssl->version)) { |
17733 | 0 | WOLFSSL_MSG("EMS extension to write"); |
17734 | 0 | c16toa(HELLO_EXT_EXTMS, output + offset); |
17735 | 0 | offset += HELLO_EXT_TYPE_SZ; |
17736 | 0 | c16toa(0, output + offset); |
17737 | 0 | offset += HELLO_EXT_SZ_SZ; |
17738 | 0 | } |
17739 | 0 | #endif |
17740 | |
|
17741 | 0 | if (offset > OPAQUE16_LEN || msgType != server_hello) |
17742 | 0 | c16toa(offset - OPAQUE16_LEN, output); /* extensions length */ |
17743 | 0 | } |
17744 | | |
17745 | 0 | if (pOffset) |
17746 | 0 | *pOffset += offset; |
17747 | |
|
17748 | 0 | return ret; |
17749 | 0 | } |
17750 | | |
17751 | | #endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_SERVER */ |
17752 | | |
17753 | | #ifdef WOLFSSL_TLS13 |
17754 | | int TLSX_ParseVersion(WOLFSSL* ssl, const byte* input, word16 length, |
17755 | | byte msgType, int* found) |
17756 | 0 | { |
17757 | 0 | int ret = 0; |
17758 | 0 | int offset = 0; |
17759 | |
|
17760 | 0 | *found = 0; |
17761 | 0 | while (offset < (int)length) { |
17762 | 0 | word16 type; |
17763 | 0 | word16 size; |
17764 | |
|
17765 | 0 | if (offset + (2 * OPAQUE16_LEN) > length) { |
17766 | 0 | ret = BUFFER_ERROR; |
17767 | 0 | break; |
17768 | 0 | } |
17769 | | |
17770 | 0 | ato16(input + offset, &type); |
17771 | 0 | offset += HELLO_EXT_TYPE_SZ; |
17772 | |
|
17773 | 0 | ato16(input + offset, &size); |
17774 | 0 | offset += OPAQUE16_LEN; |
17775 | |
|
17776 | 0 | if (offset + size > length) { |
17777 | 0 | ret = BUFFER_ERROR; |
17778 | 0 | break; |
17779 | 0 | } |
17780 | | |
17781 | 0 | if (type == TLSX_SUPPORTED_VERSIONS) { |
17782 | 0 | *found = 1; |
17783 | |
|
17784 | 0 | WOLFSSL_MSG("Supported Versions extension received"); |
17785 | |
|
17786 | 0 | ret = SV_PARSE(ssl, input + offset, size, msgType, &ssl->version, |
17787 | 0 | &ssl->options, &ssl->extensions); |
17788 | 0 | break; |
17789 | 0 | } |
17790 | | |
17791 | 0 | offset += size; |
17792 | 0 | } |
17793 | |
|
17794 | 0 | return ret; |
17795 | 0 | } |
17796 | | #endif |
17797 | | /* Jump Table to check minimum size values for client case in TLSX_Parse */ |
17798 | | #ifndef NO_WOLFSSL_SERVER |
17799 | | static word16 TLSX_GetMinSize_Client(word16* type) |
17800 | 0 | { |
17801 | 0 | switch (*type) { |
17802 | 0 | case TLSXT_SERVER_NAME: |
17803 | 0 | return WOLFSSL_SNI_MIN_SIZE_CLIENT; |
17804 | 0 | case TLSXT_EARLY_DATA: |
17805 | 0 | return WOLFSSL_EDI_MIN_SIZE_CLIENT; |
17806 | 0 | case TLSXT_MAX_FRAGMENT_LENGTH: |
17807 | 0 | return WOLFSSL_MFL_MIN_SIZE_CLIENT; |
17808 | 0 | case TLSXT_TRUSTED_CA_KEYS: |
17809 | 0 | return WOLFSSL_TCA_MIN_SIZE_CLIENT; |
17810 | 0 | case TLSXT_TRUNCATED_HMAC: |
17811 | 0 | return WOLFSSL_THM_MIN_SIZE_CLIENT; |
17812 | 0 | case TLSXT_STATUS_REQUEST: |
17813 | 0 | return WOLFSSL_CSR_MIN_SIZE_CLIENT; |
17814 | 0 | case TLSXT_SUPPORTED_GROUPS: |
17815 | 0 | return WOLFSSL_EC_MIN_SIZE_CLIENT; |
17816 | 0 | case TLSXT_EC_POINT_FORMATS: |
17817 | 0 | return WOLFSSL_PF_MIN_SIZE_CLIENT; |
17818 | 0 | case TLSXT_SIGNATURE_ALGORITHMS: |
17819 | 0 | return WOLFSSL_SA_MIN_SIZE_CLIENT; |
17820 | 0 | case TLSXT_USE_SRTP: |
17821 | 0 | return WOLFSSL_SRTP_MIN_SIZE_CLIENT; |
17822 | 0 | case TLSXT_APPLICATION_LAYER_PROTOCOL: |
17823 | 0 | return WOLFSSL_ALPN_MIN_SIZE_CLIENT; |
17824 | 0 | case TLSXT_STATUS_REQUEST_V2: |
17825 | 0 | return WOLFSSL_CSR2_MIN_SIZE_CLIENT; |
17826 | 0 | case TLSXT_CLIENT_CERTIFICATE: |
17827 | 0 | return WOLFSSL_CCT_MIN_SIZE_CLIENT; |
17828 | 0 | case TLSXT_SERVER_CERTIFICATE: |
17829 | 0 | return WOLFSSL_SCT_MIN_SIZE_CLIENT; |
17830 | 0 | case TLSXT_ENCRYPT_THEN_MAC: |
17831 | 0 | return WOLFSSL_ETM_MIN_SIZE_CLIENT; |
17832 | 0 | case TLSXT_SESSION_TICKET: |
17833 | 0 | return WOLFSSL_STK_MIN_SIZE_CLIENT; |
17834 | 0 | case TLSXT_PRE_SHARED_KEY: |
17835 | 0 | return WOLFSSL_PSK_MIN_SIZE_CLIENT; |
17836 | 0 | case TLSXT_COOKIE: |
17837 | 0 | return WOLFSSL_CKE_MIN_SIZE_CLIENT; |
17838 | 0 | case TLSXT_PSK_KEY_EXCHANGE_MODES: |
17839 | 0 | return WOLFSSL_PKM_MIN_SIZE_CLIENT; |
17840 | 0 | case TLSXT_CERT_WITH_EXTERN_PSK: |
17841 | 0 | return WOLFSSL_CWEP_MIN_SIZE_CLIENT; |
17842 | 0 | case TLSXT_CERTIFICATE_AUTHORITIES: |
17843 | 0 | return WOLFSSL_CAN_MIN_SIZE_CLIENT; |
17844 | 0 | case TLSXT_POST_HANDSHAKE_AUTH: |
17845 | 0 | return WOLFSSL_PHA_MIN_SIZE_CLIENT; |
17846 | 0 | case TLSXT_SIGNATURE_ALGORITHMS_CERT: |
17847 | 0 | return WOLFSSL_SA_MIN_SIZE_CLIENT; |
17848 | 0 | case TLSXT_KEY_SHARE: |
17849 | 0 | return WOLFSSL_KS_MIN_SIZE_CLIENT; |
17850 | 0 | case TLSXT_CONNECTION_ID: |
17851 | 0 | return WOLFSSL_CID_MIN_SIZE_CLIENT; |
17852 | 0 | case TLSXT_RENEGOTIATION_INFO: |
17853 | 0 | return WOLFSSL_SCR_MIN_SIZE_CLIENT; |
17854 | 0 | case TLSXT_KEY_QUIC_TP_PARAMS_DRAFT: |
17855 | 0 | return WOLFSSL_QTP_MIN_SIZE_CLIENT; |
17856 | 0 | case TLSXT_ECH: |
17857 | 0 | return WOLFSSL_ECH_MIN_SIZE_CLIENT; |
17858 | 0 | default: |
17859 | 0 | return 0; |
17860 | 0 | } |
17861 | 0 | } |
17862 | 0 | #define TLSX_GET_MIN_SIZE_CLIENT(type) TLSX_GetMinSize_Client(type) |
17863 | | #else |
17864 | | #define TLSX_GET_MIN_SIZE_CLIENT(type) 0 |
17865 | | #endif |
17866 | | |
17867 | | |
17868 | | #ifndef NO_WOLFSSL_CLIENT |
17869 | | /* Jump Table to check minimum size values for server case in TLSX_Parse */ |
17870 | | static word16 TLSX_GetMinSize_Server(const word16 *type) |
17871 | 0 | { |
17872 | 0 | switch (*type) { |
17873 | 0 | case TLSXT_SERVER_NAME: |
17874 | 0 | return WOLFSSL_SNI_MIN_SIZE_SERVER; |
17875 | 0 | case TLSXT_EARLY_DATA: |
17876 | 0 | return WOLFSSL_EDI_MIN_SIZE_SERVER; |
17877 | 0 | case TLSXT_MAX_FRAGMENT_LENGTH: |
17878 | 0 | return WOLFSSL_MFL_MIN_SIZE_SERVER; |
17879 | 0 | case TLSXT_TRUSTED_CA_KEYS: |
17880 | 0 | return WOLFSSL_TCA_MIN_SIZE_SERVER; |
17881 | 0 | case TLSXT_TRUNCATED_HMAC: |
17882 | 0 | return WOLFSSL_THM_MIN_SIZE_SERVER; |
17883 | 0 | case TLSXT_STATUS_REQUEST: |
17884 | 0 | return WOLFSSL_CSR_MIN_SIZE_SERVER; |
17885 | 0 | case TLSXT_SUPPORTED_GROUPS: |
17886 | 0 | return WOLFSSL_EC_MIN_SIZE_SERVER; |
17887 | 0 | case TLSXT_EC_POINT_FORMATS: |
17888 | 0 | return WOLFSSL_PF_MIN_SIZE_SERVER; |
17889 | 0 | case TLSXT_SIGNATURE_ALGORITHMS: |
17890 | 0 | return WOLFSSL_SA_MIN_SIZE_SERVER; |
17891 | 0 | case TLSXT_USE_SRTP: |
17892 | 0 | return WOLFSSL_SRTP_MIN_SIZE_SERVER; |
17893 | 0 | case TLSXT_APPLICATION_LAYER_PROTOCOL: |
17894 | 0 | return WOLFSSL_ALPN_MIN_SIZE_SERVER; |
17895 | 0 | case TLSXT_STATUS_REQUEST_V2: |
17896 | 0 | return WOLFSSL_CSR2_MIN_SIZE_SERVER; |
17897 | 0 | case TLSXT_CLIENT_CERTIFICATE: |
17898 | 0 | return WOLFSSL_CCT_MIN_SIZE_SERVER; |
17899 | 0 | case TLSXT_SERVER_CERTIFICATE: |
17900 | 0 | return WOLFSSL_SCT_MIN_SIZE_SERVER; |
17901 | 0 | case TLSXT_ENCRYPT_THEN_MAC: |
17902 | 0 | return WOLFSSL_ETM_MIN_SIZE_SERVER; |
17903 | 0 | case TLSXT_SESSION_TICKET: |
17904 | 0 | return WOLFSSL_STK_MIN_SIZE_SERVER; |
17905 | 0 | case TLSXT_PRE_SHARED_KEY: |
17906 | 0 | return WOLFSSL_PSK_MIN_SIZE_SERVER; |
17907 | 0 | case TLSXT_COOKIE: |
17908 | 0 | return WOLFSSL_CKE_MIN_SIZE_SERVER; |
17909 | 0 | case TLSXT_PSK_KEY_EXCHANGE_MODES: |
17910 | 0 | return WOLFSSL_PKM_MIN_SIZE_SERVER; |
17911 | 0 | case TLSXT_CERT_WITH_EXTERN_PSK: |
17912 | 0 | return WOLFSSL_CWEP_MIN_SIZE_SERVER; |
17913 | 0 | case TLSXT_CERTIFICATE_AUTHORITIES: |
17914 | 0 | return WOLFSSL_CAN_MIN_SIZE_SERVER; |
17915 | 0 | case TLSXT_POST_HANDSHAKE_AUTH: |
17916 | 0 | return WOLFSSL_PHA_MIN_SIZE_SERVER; |
17917 | 0 | case TLSXT_SIGNATURE_ALGORITHMS_CERT: |
17918 | 0 | return WOLFSSL_SA_MIN_SIZE_SERVER; |
17919 | 0 | case TLSXT_KEY_SHARE: |
17920 | 0 | return WOLFSSL_KS_MIN_SIZE_SERVER; |
17921 | 0 | case TLSXT_CONNECTION_ID: |
17922 | 0 | return WOLFSSL_CID_MIN_SIZE_SERVER; |
17923 | 0 | case TLSXT_RENEGOTIATION_INFO: |
17924 | 0 | return WOLFSSL_SCR_MIN_SIZE_SERVER; |
17925 | 0 | case TLSXT_KEY_QUIC_TP_PARAMS_DRAFT: |
17926 | 0 | return WOLFSSL_QTP_MIN_SIZE_SERVER; |
17927 | 0 | case TLSXT_ECH: |
17928 | 0 | return WOLFSSL_ECH_MIN_SIZE_SERVER; |
17929 | 0 | default: |
17930 | 0 | return 0; |
17931 | 0 | } |
17932 | 0 | } |
17933 | 0 | #define TLSX_GET_MIN_SIZE_SERVER(type) TLSX_GetMinSize_Server(type) |
17934 | | #else |
17935 | | #define TLSX_GET_MIN_SIZE_SERVER(type) 0 |
17936 | | #endif |
17937 | | |
17938 | | |
17939 | | /** Parses a buffer of TLS extensions. */ |
17940 | | WOLFSSL_TEST_VIS int TLSX_Parse(WOLFSSL* ssl, const byte* input, word16 length, |
17941 | | byte msgType, Suites *suites) |
17942 | 0 | { |
17943 | 0 | int ret = 0; |
17944 | 0 | word16 offset = 0; |
17945 | 0 | byte isRequest = (msgType == client_hello || |
17946 | 0 | msgType == certificate_request); |
17947 | |
|
17948 | 0 | #ifdef HAVE_EXTENDED_MASTER |
17949 | 0 | byte pendingEMS = 0; |
17950 | 0 | #endif |
17951 | | #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) |
17952 | | int pskDone = 0; |
17953 | | #endif |
17954 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \ |
17955 | | !defined(NO_PSK) |
17956 | | int secondClientHello = 0; |
17957 | | int prevHasPskWithCert = 0; |
17958 | | #endif |
17959 | 0 | byte seenType[SEMAPHORE_SIZE]; /* Seen known extensions. */ |
17960 | |
|
17961 | 0 | if (!ssl || !input || (isRequest && !suites)) |
17962 | 0 | return BAD_FUNC_ARG; |
17963 | | |
17964 | | /* No known extensions seen yet. */ |
17965 | 0 | XMEMSET(seenType, 0, sizeof(seenType)); |
17966 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \ |
17967 | | !defined(NO_PSK) |
17968 | | if (IsAtLeastTLSv1_3(ssl->version) && msgType == client_hello && |
17969 | | ssl->msgsReceived.got_client_hello == 2) { |
17970 | | secondClientHello = 1; |
17971 | | prevHasPskWithCert = |
17972 | | TLSX_Find(ssl->extensions, TLSX_CERT_WITH_EXTERN_PSK) != NULL; |
17973 | | } |
17974 | | #endif |
17975 | |
|
17976 | 0 | while (ret == 0 && offset < length) { |
17977 | 0 | word16 type; |
17978 | 0 | word16 size; |
17979 | |
|
17980 | | #if defined(WOLFSSL_TLS13) && (defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)) |
17981 | | if (msgType == client_hello && pskDone) { |
17982 | | WOLFSSL_ERROR_VERBOSE(PSK_KEY_ERROR); |
17983 | | return PSK_KEY_ERROR; |
17984 | | } |
17985 | | #endif |
17986 | |
|
17987 | 0 | if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN) |
17988 | 0 | return BUFFER_ERROR; |
17989 | | |
17990 | 0 | ato16(input + offset, &type); |
17991 | 0 | offset += HELLO_EXT_TYPE_SZ; |
17992 | |
|
17993 | 0 | ato16(input + offset, &size); |
17994 | 0 | offset += OPAQUE16_LEN; |
17995 | | |
17996 | | /* Check we have a bit for extension type. */ |
17997 | 0 | if ((type <= 62) || (type == TLSX_RENEGOTIATION_INFO) |
17998 | | #ifdef WOLFSSL_QUIC |
17999 | | || (type == TLSX_KEY_QUIC_TP_PARAMS_DRAFT) |
18000 | | #endif |
18001 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
18002 | | || (type == TLSX_ECH) |
18003 | | #endif |
18004 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS) |
18005 | | || (type == TLSX_CKS) |
18006 | | #endif |
18007 | 0 | ) |
18008 | 0 | { |
18009 | | /* Detect duplicate recognized extensions. */ |
18010 | 0 | if (IS_OFF(seenType, TLSX_ToSemaphore(type))) { |
18011 | 0 | TURN_ON(seenType, TLSX_ToSemaphore(type)); |
18012 | 0 | } |
18013 | 0 | else { |
18014 | 0 | return DUPLICATE_TLS_EXT_E; |
18015 | 0 | } |
18016 | 0 | } |
18017 | | |
18018 | 0 | if (length - offset < size) |
18019 | 0 | return BUFFER_ERROR; |
18020 | | |
18021 | | /* Check minimum size required for TLSX, even if disabled */ |
18022 | 0 | switch (msgType) { |
18023 | 0 | #ifndef NO_WOLFSSL_SERVER |
18024 | 0 | case client_hello: |
18025 | 0 | if (size < TLSX_GET_MIN_SIZE_CLIENT(&type)){ |
18026 | 0 | WOLFSSL_MSG("Minimum TLSX Size Requirement not Satisfied"); |
18027 | 0 | return BUFFER_ERROR; |
18028 | 0 | } |
18029 | 0 | break; |
18030 | 0 | #endif |
18031 | 0 | #ifndef NO_WOLFSSL_CLIENT |
18032 | 0 | case server_hello: |
18033 | 0 | case hello_retry_request: |
18034 | 0 | if (size < TLSX_GET_MIN_SIZE_SERVER(&type)){ |
18035 | 0 | WOLFSSL_MSG("Minimum TLSX Size Requirement not Satisfied"); |
18036 | 0 | return BUFFER_ERROR; |
18037 | 0 | } |
18038 | 0 | break; |
18039 | 0 | #endif |
18040 | 0 | default: |
18041 | 0 | break; |
18042 | 0 | } |
18043 | | |
18044 | 0 | #ifdef WOLFSSL_TLS13 |
18045 | | /* RFC 8446 4.4.2: extensions in a Certificate message MUST |
18046 | | * correspond to ones offered in our prior ClientHello (client) or |
18047 | | * CertificateRequest (server). Reject anything we did not offer. */ |
18048 | 0 | if (msgType == certificate && |
18049 | 0 | IsAtLeastTLSv1_3(ssl->version) && |
18050 | 0 | TLSX_Find(ssl->extensions, (TLSX_Type)type) == NULL) { |
18051 | 0 | WOLFSSL_MSG("Cert-msg extension not offered in CH/CR"); |
18052 | 0 | SendAlert(ssl, alert_fatal, unsupported_extension); |
18053 | 0 | WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION); |
18054 | 0 | return UNSUPPORTED_EXTENSION; |
18055 | 0 | } |
18056 | 0 | #endif |
18057 | | |
18058 | 0 | switch (type) { |
18059 | 0 | #ifdef HAVE_SNI |
18060 | 0 | case TLSX_SERVER_NAME: |
18061 | 0 | WOLFSSL_MSG("SNI extension received"); |
18062 | | #ifdef WOLFSSL_DEBUG_TLS |
18063 | | WOLFSSL_BUFFER(input + offset, size); |
18064 | | #endif |
18065 | |
|
18066 | 0 | #ifdef WOLFSSL_TLS13 |
18067 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) { |
18068 | 0 | if (msgType != client_hello && |
18069 | 0 | msgType != encrypted_extensions) |
18070 | 0 | return EXT_NOT_ALLOWED; |
18071 | 0 | } |
18072 | 0 | else |
18073 | 0 | #endif |
18074 | 0 | { |
18075 | 0 | if (msgType != client_hello && |
18076 | 0 | msgType != server_hello) |
18077 | 0 | return EXT_NOT_ALLOWED; |
18078 | 0 | } |
18079 | 0 | ret = SNI_PARSE(ssl, input + offset, size, isRequest); |
18080 | 0 | break; |
18081 | 0 | #endif |
18082 | | |
18083 | 0 | case TLSX_TRUSTED_CA_KEYS: |
18084 | 0 | WOLFSSL_MSG("Trusted CA extension received"); |
18085 | | #ifdef WOLFSSL_DEBUG_TLS |
18086 | | WOLFSSL_BUFFER(input + offset, size); |
18087 | | #endif |
18088 | |
|
18089 | 0 | #ifdef WOLFSSL_TLS13 |
18090 | | /* RFC 8446 4.2.4 states trusted_ca_keys is not used |
18091 | | in TLS 1.3. */ |
18092 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) { |
18093 | 0 | break; |
18094 | 0 | } |
18095 | 0 | else |
18096 | 0 | #endif |
18097 | 0 | { |
18098 | 0 | if (msgType != client_hello && |
18099 | 0 | msgType != server_hello) |
18100 | 0 | return EXT_NOT_ALLOWED; |
18101 | 0 | } |
18102 | 0 | ret = TCA_PARSE(ssl, input + offset, size, isRequest); |
18103 | 0 | break; |
18104 | | |
18105 | 0 | case TLSX_MAX_FRAGMENT_LENGTH: |
18106 | 0 | WOLFSSL_MSG("Max Fragment Length extension received"); |
18107 | | #ifdef WOLFSSL_DEBUG_TLS |
18108 | | WOLFSSL_BUFFER(input + offset, size); |
18109 | | #endif |
18110 | |
|
18111 | 0 | #ifdef WOLFSSL_TLS13 |
18112 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) { |
18113 | 0 | if (msgType != client_hello && |
18114 | 0 | msgType != encrypted_extensions) { |
18115 | 0 | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18116 | 0 | return EXT_NOT_ALLOWED; |
18117 | 0 | } |
18118 | 0 | } |
18119 | 0 | else |
18120 | 0 | #endif |
18121 | 0 | { |
18122 | 0 | if (msgType != client_hello && |
18123 | 0 | msgType != server_hello) { |
18124 | 0 | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18125 | 0 | return EXT_NOT_ALLOWED; |
18126 | 0 | } |
18127 | 0 | } |
18128 | 0 | ret = MFL_PARSE(ssl, input + offset, size, isRequest); |
18129 | 0 | break; |
18130 | | |
18131 | 0 | case TLSX_TRUNCATED_HMAC: |
18132 | 0 | WOLFSSL_MSG("Truncated HMAC extension received"); |
18133 | | #ifdef WOLFSSL_DEBUG_TLS |
18134 | | WOLFSSL_BUFFER(input + offset, size); |
18135 | | #endif |
18136 | |
|
18137 | 0 | #ifdef WOLFSSL_TLS13 |
18138 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) |
18139 | 0 | break; |
18140 | 0 | #endif |
18141 | 0 | if (msgType != client_hello) |
18142 | 0 | return EXT_NOT_ALLOWED; |
18143 | 0 | ret = THM_PARSE(ssl, input + offset, size, isRequest); |
18144 | 0 | break; |
18145 | | |
18146 | 0 | case TLSX_SUPPORTED_GROUPS: |
18147 | 0 | WOLFSSL_MSG("Supported Groups extension received"); |
18148 | | #ifdef WOLFSSL_DEBUG_TLS |
18149 | | WOLFSSL_BUFFER(input + offset, size); |
18150 | | #endif |
18151 | |
|
18152 | 0 | #ifdef WOLFSSL_TLS13 |
18153 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) { |
18154 | 0 | if (msgType != client_hello && |
18155 | 0 | msgType != encrypted_extensions) { |
18156 | 0 | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18157 | 0 | return EXT_NOT_ALLOWED; |
18158 | 0 | } |
18159 | 0 | } |
18160 | 0 | else |
18161 | 0 | #endif |
18162 | 0 | { |
18163 | 0 | if (msgType != client_hello) { |
18164 | 0 | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18165 | 0 | return EXT_NOT_ALLOWED; |
18166 | 0 | } |
18167 | 0 | } |
18168 | 0 | ret = EC_PARSE(ssl, input + offset, size, isRequest, |
18169 | 0 | &ssl->extensions); |
18170 | 0 | break; |
18171 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_DUAL_ALG_CERTS) |
18172 | | case TLSX_CKS: |
18173 | | WOLFSSL_MSG("CKS extension received"); |
18174 | | if (msgType != client_hello && |
18175 | | msgType != encrypted_extensions) { |
18176 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18177 | | return EXT_NOT_ALLOWED; |
18178 | | } |
18179 | | ret = TLSX_CKS_Parse(ssl, (byte *)(input + offset), size, |
18180 | | &ssl->extensions); |
18181 | | break; |
18182 | | #endif /* WOLFSSL_DUAL_ALG_CERTS */ |
18183 | 0 | case TLSX_EC_POINT_FORMATS: |
18184 | 0 | WOLFSSL_MSG("Point Formats extension received"); |
18185 | | #ifdef WOLFSSL_DEBUG_TLS |
18186 | | WOLFSSL_BUFFER(input + offset, size); |
18187 | | #endif |
18188 | |
|
18189 | 0 | #ifdef WOLFSSL_TLS13 |
18190 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) |
18191 | 0 | break; |
18192 | 0 | #endif |
18193 | 0 | if (msgType != client_hello && |
18194 | 0 | msgType != server_hello) { |
18195 | 0 | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18196 | 0 | return EXT_NOT_ALLOWED; |
18197 | 0 | } |
18198 | | |
18199 | 0 | ret = PF_PARSE(ssl, input + offset, size, isRequest); |
18200 | 0 | break; |
18201 | | |
18202 | 0 | case TLSX_STATUS_REQUEST: |
18203 | 0 | WOLFSSL_MSG("Certificate Status Request extension received"); |
18204 | | #ifdef WOLFSSL_DEBUG_TLS |
18205 | | WOLFSSL_BUFFER(input + offset, size); |
18206 | | #endif |
18207 | |
|
18208 | 0 | #ifdef WOLFSSL_TLS13 |
18209 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) { |
18210 | 0 | if (msgType != client_hello && |
18211 | 0 | msgType != certificate_request && |
18212 | 0 | msgType != certificate) |
18213 | 0 | return EXT_NOT_ALLOWED; |
18214 | 0 | } |
18215 | 0 | else |
18216 | 0 | #endif |
18217 | 0 | { |
18218 | 0 | if (msgType != client_hello && |
18219 | 0 | msgType != server_hello) |
18220 | 0 | return EXT_NOT_ALLOWED; |
18221 | 0 | } |
18222 | 0 | ret = CSR_PARSE(ssl, input + offset, size, isRequest); |
18223 | 0 | break; |
18224 | | |
18225 | 0 | case TLSX_STATUS_REQUEST_V2: |
18226 | 0 | WOLFSSL_MSG("Certificate Status Request v2 extension received"); |
18227 | | #ifdef WOLFSSL_DEBUG_TLS |
18228 | | WOLFSSL_BUFFER(input + offset, size); |
18229 | | #endif |
18230 | |
|
18231 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) |
18232 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
18233 | | if (msgType != client_hello && |
18234 | | msgType != certificate_request && |
18235 | | msgType != certificate) |
18236 | | return EXT_NOT_ALLOWED; |
18237 | | } |
18238 | | else |
18239 | | #endif |
18240 | 0 | { |
18241 | 0 | if (msgType != client_hello && |
18242 | 0 | msgType != server_hello) |
18243 | 0 | return EXT_NOT_ALLOWED; |
18244 | 0 | } |
18245 | 0 | ret = CSR2_PARSE(ssl, input + offset, size, isRequest); |
18246 | 0 | break; |
18247 | | |
18248 | 0 | #ifdef HAVE_EXTENDED_MASTER |
18249 | 0 | case HELLO_EXT_EXTMS: |
18250 | 0 | WOLFSSL_MSG("Extended Master Secret extension received"); |
18251 | | #ifdef WOLFSSL_DEBUG_TLS |
18252 | | WOLFSSL_BUFFER(input + offset, size); |
18253 | | #endif |
18254 | |
|
18255 | 0 | #if defined(WOLFSSL_TLS13) |
18256 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) |
18257 | 0 | break; |
18258 | 0 | #endif |
18259 | 0 | if (msgType != client_hello && |
18260 | 0 | msgType != server_hello) |
18261 | 0 | return EXT_NOT_ALLOWED; |
18262 | 0 | if (size != 0) |
18263 | 0 | return BUFFER_ERROR; |
18264 | | |
18265 | 0 | #ifndef NO_WOLFSSL_SERVER |
18266 | 0 | if (isRequest) |
18267 | 0 | ssl->options.haveEMS = 1; |
18268 | 0 | #endif |
18269 | 0 | pendingEMS = 1; |
18270 | 0 | break; |
18271 | 0 | #endif |
18272 | | |
18273 | 0 | case TLSX_RENEGOTIATION_INFO: |
18274 | 0 | WOLFSSL_MSG("Secure Renegotiation extension received"); |
18275 | | #ifdef WOLFSSL_DEBUG_TLS |
18276 | | WOLFSSL_BUFFER(input + offset, size); |
18277 | | #endif |
18278 | |
|
18279 | 0 | #ifdef WOLFSSL_TLS13 |
18280 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) |
18281 | 0 | break; |
18282 | 0 | #endif |
18283 | 0 | if (msgType != client_hello && |
18284 | 0 | msgType != server_hello) |
18285 | 0 | return EXT_NOT_ALLOWED; |
18286 | 0 | ret = SCR_PARSE(ssl, input + offset, size, isRequest); |
18287 | 0 | break; |
18288 | | |
18289 | 0 | case TLSX_SESSION_TICKET: |
18290 | 0 | WOLFSSL_MSG("Session Ticket extension received"); |
18291 | | #ifdef WOLFSSL_DEBUG_TLS |
18292 | | WOLFSSL_BUFFER(input + offset, size); |
18293 | | #endif |
18294 | |
|
18295 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_SESSION_TICKET) |
18296 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
18297 | | if (msgType != client_hello) |
18298 | | return EXT_NOT_ALLOWED; |
18299 | | } |
18300 | | else |
18301 | | #endif |
18302 | 0 | { |
18303 | 0 | if (msgType != client_hello && |
18304 | 0 | msgType != server_hello) |
18305 | 0 | return EXT_NOT_ALLOWED; |
18306 | 0 | } |
18307 | 0 | ret = WOLF_STK_PARSE(ssl, input + offset, size, isRequest); |
18308 | 0 | break; |
18309 | | |
18310 | 0 | case TLSX_APPLICATION_LAYER_PROTOCOL: |
18311 | 0 | WOLFSSL_MSG("ALPN extension received"); |
18312 | |
|
18313 | | #ifdef WOLFSSL_DEBUG_TLS |
18314 | | WOLFSSL_BUFFER(input + offset, size); |
18315 | | #endif |
18316 | |
|
18317 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ALPN) |
18318 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
18319 | | if (msgType != client_hello && |
18320 | | msgType != encrypted_extensions) |
18321 | | return EXT_NOT_ALLOWED; |
18322 | | } |
18323 | | else |
18324 | | #endif |
18325 | 0 | { |
18326 | 0 | if (msgType != client_hello && |
18327 | 0 | msgType != server_hello) |
18328 | 0 | return EXT_NOT_ALLOWED; |
18329 | 0 | } |
18330 | 0 | ret = ALPN_PARSE(ssl, input + offset, size, isRequest); |
18331 | 0 | break; |
18332 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
18333 | 0 | case TLSX_SIGNATURE_ALGORITHMS: |
18334 | 0 | WOLFSSL_MSG("Signature Algorithms extension received"); |
18335 | | #ifdef WOLFSSL_DEBUG_TLS |
18336 | | WOLFSSL_BUFFER(input + offset, size); |
18337 | | #endif |
18338 | |
|
18339 | 0 | if (!IsAtLeastTLSv1_2(ssl)) |
18340 | 0 | break; |
18341 | 0 | #ifdef WOLFSSL_TLS13 |
18342 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) { |
18343 | 0 | if (msgType != client_hello && |
18344 | 0 | msgType != certificate_request) |
18345 | 0 | return EXT_NOT_ALLOWED; |
18346 | 0 | } |
18347 | 0 | else |
18348 | 0 | #endif |
18349 | 0 | { |
18350 | 0 | if (msgType != client_hello) |
18351 | 0 | return EXT_NOT_ALLOWED; |
18352 | 0 | } |
18353 | 0 | ret = SA_PARSE(ssl, input + offset, size, isRequest, suites); |
18354 | 0 | break; |
18355 | 0 | #endif |
18356 | | |
18357 | 0 | #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY) |
18358 | 0 | case TLSX_ENCRYPT_THEN_MAC: |
18359 | 0 | WOLFSSL_MSG("Encrypt-Then-Mac extension received"); |
18360 | | |
18361 | | /* Ignore for TLS 1.3+ */ |
18362 | 0 | if (IsAtLeastTLSv1_3(ssl->version)) |
18363 | 0 | break; |
18364 | 0 | if (msgType != client_hello && |
18365 | 0 | msgType != server_hello) |
18366 | 0 | return EXT_NOT_ALLOWED; |
18367 | | |
18368 | 0 | ret = ETM_PARSE(ssl, input + offset, size, msgType); |
18369 | 0 | break; |
18370 | 0 | #endif /* HAVE_ENCRYPT_THEN_MAC */ |
18371 | | |
18372 | 0 | #ifdef WOLFSSL_TLS13 |
18373 | 0 | case TLSX_SUPPORTED_VERSIONS: |
18374 | 0 | WOLFSSL_MSG("Skipping Supported Versions - already processed"); |
18375 | | #ifdef WOLFSSL_DEBUG_TLS |
18376 | | WOLFSSL_BUFFER(input + offset, size); |
18377 | | #endif |
18378 | 0 | if (msgType != client_hello && |
18379 | 0 | msgType != server_hello && |
18380 | 0 | msgType != hello_retry_request) |
18381 | 0 | return EXT_NOT_ALLOWED; |
18382 | | |
18383 | 0 | break; |
18384 | | |
18385 | 0 | case TLSX_COOKIE: |
18386 | 0 | WOLFSSL_MSG("Cookie extension received"); |
18387 | | #ifdef WOLFSSL_DEBUG_TLS |
18388 | | WOLFSSL_BUFFER(input + offset, size); |
18389 | | #endif |
18390 | 0 | if (!IsAtLeastTLSv1_3(ssl->version)) |
18391 | 0 | break; |
18392 | | |
18393 | 0 | if (msgType != client_hello && |
18394 | 0 | msgType != hello_retry_request) { |
18395 | 0 | return EXT_NOT_ALLOWED; |
18396 | 0 | } |
18397 | | |
18398 | 0 | ret = CKE_PARSE(ssl, input + offset, size, msgType); |
18399 | 0 | break; |
18400 | | |
18401 | | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK) |
18402 | | case TLSX_PRE_SHARED_KEY: |
18403 | | WOLFSSL_MSG("Pre-Shared Key extension received"); |
18404 | | #ifdef WOLFSSL_DEBUG_TLS |
18405 | | WOLFSSL_BUFFER(input + offset, size); |
18406 | | #endif |
18407 | | |
18408 | | if (!IsAtLeastTLSv1_3(ssl->version)) |
18409 | | break; |
18410 | | |
18411 | | if (msgType != client_hello && |
18412 | | msgType != server_hello) { |
18413 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18414 | | return EXT_NOT_ALLOWED; |
18415 | | } |
18416 | | |
18417 | | ret = PSK_PARSE(ssl, input + offset, size, msgType); |
18418 | | pskDone = 1; |
18419 | | break; |
18420 | | |
18421 | | case TLSX_PSK_KEY_EXCHANGE_MODES: |
18422 | | WOLFSSL_MSG("PSK Key Exchange Modes extension received"); |
18423 | | #ifdef WOLFSSL_DEBUG_TLS |
18424 | | WOLFSSL_BUFFER(input + offset, size); |
18425 | | #endif |
18426 | | |
18427 | | if (!IsAtLeastTLSv1_3(ssl->version)) |
18428 | | break; |
18429 | | |
18430 | | if (msgType != client_hello) { |
18431 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18432 | | return EXT_NOT_ALLOWED; |
18433 | | } |
18434 | | |
18435 | | ret = PKM_PARSE(ssl, input + offset, size, msgType); |
18436 | | break; |
18437 | | |
18438 | | #ifdef WOLFSSL_CERT_WITH_EXTERN_PSK |
18439 | | case TLSX_CERT_WITH_EXTERN_PSK: |
18440 | | WOLFSSL_MSG("Cert with external PSK extension received"); |
18441 | | #ifdef WOLFSSL_DEBUG_TLS |
18442 | | WOLFSSL_BUFFER(input + offset, size); |
18443 | | #endif |
18444 | | |
18445 | | if (!IsAtLeastTLSv1_3(ssl->version)) |
18446 | | break; |
18447 | | |
18448 | | if (msgType != client_hello && msgType != server_hello) { |
18449 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18450 | | return EXT_NOT_ALLOWED; |
18451 | | } |
18452 | | if (size != 0) { |
18453 | | WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR); |
18454 | | return BUFFER_ERROR; |
18455 | | } |
18456 | | |
18457 | | ret = PSK_WITH_CERT_PARSE(ssl, msgType); |
18458 | | break; |
18459 | | #endif |
18460 | | #endif |
18461 | | |
18462 | | #ifdef WOLFSSL_EARLY_DATA |
18463 | | case TLSX_EARLY_DATA: |
18464 | | WOLFSSL_MSG("Early Data extension received"); |
18465 | | #ifdef WOLFSSL_DEBUG_TLS |
18466 | | WOLFSSL_BUFFER(input + offset, size); |
18467 | | #endif |
18468 | | |
18469 | | if (!IsAtLeastTLSv1_3(ssl->version)) |
18470 | | break; |
18471 | | |
18472 | | if (msgType != client_hello && msgType != session_ticket && |
18473 | | msgType != encrypted_extensions) { |
18474 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18475 | | return EXT_NOT_ALLOWED; |
18476 | | } |
18477 | | ret = EDI_PARSE(ssl, input + offset, size, msgType); |
18478 | | break; |
18479 | | #endif |
18480 | | |
18481 | | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH |
18482 | | case TLSX_POST_HANDSHAKE_AUTH: |
18483 | | WOLFSSL_MSG("Post Handshake Authentication extension received"); |
18484 | | #ifdef WOLFSSL_DEBUG_TLS |
18485 | | WOLFSSL_BUFFER(input + offset, size); |
18486 | | #endif |
18487 | | |
18488 | | if (!IsAtLeastTLSv1_3(ssl->version)) |
18489 | | break; |
18490 | | |
18491 | | if (msgType != client_hello) { |
18492 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18493 | | return EXT_NOT_ALLOWED; |
18494 | | } |
18495 | | |
18496 | | ret = PHA_PARSE(ssl, input + offset, size, msgType); |
18497 | | break; |
18498 | | #endif |
18499 | | |
18500 | 0 | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_SIGALG) |
18501 | 0 | case TLSX_SIGNATURE_ALGORITHMS_CERT: |
18502 | 0 | WOLFSSL_MSG("Signature Algorithms extension received"); |
18503 | | #ifdef WOLFSSL_DEBUG_TLS |
18504 | | WOLFSSL_BUFFER(input + offset, size); |
18505 | | #endif |
18506 | |
|
18507 | 0 | if (!IsAtLeastTLSv1_3(ssl->version)) |
18508 | 0 | break; |
18509 | | |
18510 | 0 | if (msgType != client_hello && |
18511 | 0 | msgType != certificate_request) { |
18512 | 0 | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18513 | 0 | return EXT_NOT_ALLOWED; |
18514 | 0 | } |
18515 | | |
18516 | 0 | ret = SAC_PARSE(ssl, input + offset, size, isRequest); |
18517 | 0 | break; |
18518 | 0 | #endif |
18519 | | |
18520 | | #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CA_NAMES) |
18521 | | case TLSX_CERTIFICATE_AUTHORITIES: |
18522 | | WOLFSSL_MSG("Certificate Authorities extension received"); |
18523 | | #ifdef WOLFSSL_DEBUG_TLS |
18524 | | WOLFSSL_BUFFER(input + offset, size); |
18525 | | #endif |
18526 | | |
18527 | | if (!IsAtLeastTLSv1_3(ssl->version)) |
18528 | | break; |
18529 | | |
18530 | | if (msgType != client_hello && |
18531 | | msgType != certificate_request) { |
18532 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18533 | | return EXT_NOT_ALLOWED; |
18534 | | } |
18535 | | |
18536 | | ret = CAN_PARSE(ssl, input + offset, size, isRequest); |
18537 | | break; |
18538 | | #endif |
18539 | | |
18540 | 0 | case TLSX_KEY_SHARE: |
18541 | 0 | WOLFSSL_MSG("Key Share extension received"); |
18542 | | #ifdef WOLFSSL_DEBUG_TLS |
18543 | | WOLFSSL_BUFFER(input + offset, size); |
18544 | | #endif |
18545 | |
|
18546 | 0 | #ifdef HAVE_SUPPORTED_CURVES |
18547 | 0 | if (!IsAtLeastTLSv1_3(ssl->version)) |
18548 | 0 | break; |
18549 | | |
18550 | 0 | if (msgType != client_hello && msgType != server_hello && |
18551 | 0 | msgType != hello_retry_request) { |
18552 | 0 | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18553 | 0 | return EXT_NOT_ALLOWED; |
18554 | 0 | } |
18555 | 0 | #endif |
18556 | | |
18557 | 0 | ret = KS_PARSE(ssl, input + offset, size, msgType); |
18558 | 0 | break; |
18559 | 0 | #endif |
18560 | | #ifdef WOLFSSL_SRTP |
18561 | | case TLSX_USE_SRTP: |
18562 | | WOLFSSL_MSG("Use SRTP extension received"); |
18563 | | |
18564 | | #if defined(WOLFSSL_TLS13) |
18565 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
18566 | | if (msgType != client_hello && |
18567 | | msgType != encrypted_extensions) |
18568 | | return EXT_NOT_ALLOWED; |
18569 | | } |
18570 | | else |
18571 | | #endif |
18572 | | { |
18573 | | if (msgType != client_hello && |
18574 | | msgType != server_hello) |
18575 | | return EXT_NOT_ALLOWED; |
18576 | | } |
18577 | | ret = SRTP_PARSE(ssl, input + offset, size, isRequest); |
18578 | | break; |
18579 | | #endif |
18580 | | #ifdef WOLFSSL_QUIC |
18581 | | case TLSX_KEY_QUIC_TP_PARAMS: |
18582 | | FALL_THROUGH; |
18583 | | case TLSX_KEY_QUIC_TP_PARAMS_DRAFT: |
18584 | | WOLFSSL_MSG("QUIC transport parameter received"); |
18585 | | #ifdef WOLFSSL_DEBUG_TLS |
18586 | | WOLFSSL_BUFFER(input + offset, size); |
18587 | | #endif |
18588 | | |
18589 | | if (IsAtLeastTLSv1_3(ssl->version) && |
18590 | | msgType != client_hello && |
18591 | | msgType != encrypted_extensions) { |
18592 | | return EXT_NOT_ALLOWED; |
18593 | | } |
18594 | | else if (!IsAtLeastTLSv1_3(ssl->version) && |
18595 | | msgType == encrypted_extensions) { |
18596 | | return EXT_NOT_ALLOWED; |
18597 | | } |
18598 | | else if (WOLFSSL_IS_QUIC(ssl)) { |
18599 | | ret = QTP_PARSE(ssl, input + offset, size, type, msgType); |
18600 | | } |
18601 | | else { |
18602 | | WOLFSSL_MSG("QUIC transport param TLS extension type, but no QUIC"); |
18603 | | return EXT_NOT_ALLOWED; /* be safe, this should not happen */ |
18604 | | } |
18605 | | break; |
18606 | | #endif /* WOLFSSL_QUIC */ |
18607 | | #if defined(WOLFSSL_DTLS_CID) |
18608 | | case TLSX_CONNECTION_ID: |
18609 | | if (msgType != client_hello && msgType != server_hello) |
18610 | | return EXT_NOT_ALLOWED; |
18611 | | |
18612 | | WOLFSSL_MSG("ConnectionID extension received"); |
18613 | | ret = CID_PARSE(ssl, input + offset, size, isRequest); |
18614 | | break; |
18615 | | |
18616 | | #endif /* defined(WOLFSSL_DTLS_CID) */ |
18617 | | #if defined(HAVE_RPK) |
18618 | | case TLSX_CLIENT_CERTIFICATE_TYPE: |
18619 | | WOLFSSL_MSG("Client Certificate Type extension received"); |
18620 | | #if defined(WOLFSSL_TLS13) |
18621 | | /* RFC 8446, Section 4.2 (Extensions), client_certificate_type |
18622 | | and server_certificate_type MUST be sent in ClientHello(CH) |
18623 | | or EncryptedExtensions(EE) */ |
18624 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
18625 | | if (msgType != client_hello && |
18626 | | msgType != encrypted_extensions) { |
18627 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18628 | | return EXT_NOT_ALLOWED; |
18629 | | } |
18630 | | } |
18631 | | else |
18632 | | #endif |
18633 | | { |
18634 | | /* TLS 1.2: allowed in CH and SH (RFC 7250) */ |
18635 | | if (msgType != client_hello && |
18636 | | msgType != server_hello) { |
18637 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18638 | | return EXT_NOT_ALLOWED; |
18639 | | } |
18640 | | } |
18641 | | ret = CCT_PARSE(ssl, input + offset, size, msgType); |
18642 | | break; |
18643 | | |
18644 | | case TLSX_SERVER_CERTIFICATE_TYPE: |
18645 | | WOLFSSL_MSG("Server Certificate Type extension received"); |
18646 | | #if defined(WOLFSSL_TLS13) |
18647 | | /* RFC 8446, Section 4.2 (Extensions) */ |
18648 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
18649 | | if (msgType != client_hello && |
18650 | | msgType != encrypted_extensions) { |
18651 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18652 | | return EXT_NOT_ALLOWED; |
18653 | | } |
18654 | | } |
18655 | | else |
18656 | | #endif |
18657 | | { |
18658 | | /* TLS 1.2: allowed in CH and SH (RFC 7250) */ |
18659 | | if (msgType != client_hello && |
18660 | | msgType != server_hello) { |
18661 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18662 | | return EXT_NOT_ALLOWED; |
18663 | | } |
18664 | | } |
18665 | | ret = SCT_PARSE(ssl, input + offset, size, msgType); |
18666 | | break; |
18667 | | #endif /* HAVE_RPK */ |
18668 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
18669 | | case TLSX_ECH: |
18670 | | WOLFSSL_MSG("ECH extension received"); |
18671 | | if (!IsAtLeastTLSv1_3(ssl->version)) |
18672 | | break; |
18673 | | |
18674 | | if (msgType != client_hello && |
18675 | | msgType != encrypted_extensions && |
18676 | | msgType != hello_retry_request) { |
18677 | | return EXT_NOT_ALLOWED; |
18678 | | } |
18679 | | |
18680 | | ret = ECH_PARSE(ssl, input + offset, size, msgType); |
18681 | | break; |
18682 | | case TLSXT_ECH_OUTER_EXTENSIONS: |
18683 | | /* RFC 9849 s5.1: ech_outer_extensions MUST only appear in |
18684 | | * the EncodedClientHelloInner */ |
18685 | | WOLFSSL_MSG("ech_outer_extensions in plaintext message"); |
18686 | | WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER); |
18687 | | return INVALID_PARAMETER; |
18688 | | #endif |
18689 | 0 | default: |
18690 | 0 | WOLFSSL_MSG("Unknown TLS extension type"); |
18691 | 0 | #if defined(WOLFSSL_TLS13) |
18692 | | /* RFC 8446 Sec. 4.2: a TLS 1.3 client MUST abort with an |
18693 | | * unsupported_extension alert when it receives an extension |
18694 | | * "response" that was not advertised in the ClientHello. The |
18695 | | * rule applies only to messages whose extensions are responses |
18696 | | * to the ClientHello: ServerHello, HelloRetryRequest, |
18697 | | * EncryptedExtensions and Certificate. |
18698 | | * |
18699 | | * Extensions in CertificateRequest and NewSessionTicket are |
18700 | | * independent server-initiated payloads, not responses, and |
18701 | | * per RFC 8701 (GREASE) the server MAY include unknown |
18702 | | * (GREASE) extension types there which the client MUST treat |
18703 | | * like any other unknown value (i.e. ignore them). */ |
18704 | 0 | if (IsAtLeastTLSv1_3(ssl->version) && |
18705 | 0 | (msgType == server_hello || |
18706 | 0 | msgType == hello_retry_request || |
18707 | 0 | msgType == encrypted_extensions || |
18708 | 0 | msgType == certificate)) { |
18709 | 0 | SendAlert((WOLFSSL*)ssl, alert_fatal, unsupported_extension); |
18710 | 0 | WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_EXTENSION); |
18711 | 0 | return UNSUPPORTED_EXTENSION; |
18712 | 0 | } |
18713 | 0 | #endif |
18714 | 0 | } |
18715 | | |
18716 | | /* offset should be updated here! */ |
18717 | 0 | offset += size; |
18718 | 0 | } |
18719 | | |
18720 | 0 | #ifdef HAVE_EXTENDED_MASTER |
18721 | 0 | if (IsAtLeastTLSv1_3(ssl->version) && |
18722 | 0 | (msgType == hello_retry_request || msgType == hello_verify_request)) { |
18723 | | /* Don't change EMS status until server_hello received. |
18724 | | * Second ClientHello must have same extensions. |
18725 | | */ |
18726 | 0 | } |
18727 | 0 | else if (!isRequest && ssl->options.haveEMS && !pendingEMS) |
18728 | 0 | ssl->options.haveEMS = 0; |
18729 | 0 | #endif |
18730 | | #if defined(WOLFSSL_TLS13) && !defined(NO_PSK) |
18731 | | if (IsAtLeastTLSv1_3(ssl->version) && msgType == server_hello && |
18732 | | IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE))) { |
18733 | | ssl->options.noPskDheKe = 1; |
18734 | | } |
18735 | | #endif |
18736 | | #if defined(WOLFSSL_TLS13) && defined(WOLFSSL_CERT_WITH_EXTERN_PSK) && \ |
18737 | | !defined(NO_PSK) |
18738 | | if (IsAtLeastTLSv1_3(ssl->version)) { |
18739 | | int hasPskWithCert = !IS_OFF(seenType, |
18740 | | TLSX_ToSemaphore(TLSX_CERT_WITH_EXTERN_PSK)); |
18741 | | if (hasPskWithCert && ssl->options.certWithExternPsk) { |
18742 | | int hasPsk = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_PRE_SHARED_KEY)); |
18743 | | int hasPskModes = !IS_OFF(seenType, |
18744 | | TLSX_ToSemaphore(TLSX_PSK_KEY_EXCHANGE_MODES)); |
18745 | | int hasKeyShare = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
18746 | | int hasSg = !IS_OFF(seenType, |
18747 | | TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS)); |
18748 | | int hasSigAlg = !IS_OFF(seenType, |
18749 | | TLSX_ToSemaphore(TLSX_SIGNATURE_ALGORITHMS)); |
18750 | | #ifdef WOLFSSL_EARLY_DATA |
18751 | | int hasEarlyData = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_EARLY_DATA)); |
18752 | | #endif |
18753 | | |
18754 | | if (msgType == client_hello && isRequest) { |
18755 | | TLSX* pskm; |
18756 | | /* RFC8773bis: CH2 after HRR must keep CH1's extension set. */ |
18757 | | if (secondClientHello && !prevHasPskWithCert) { |
18758 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18759 | | return EXT_NOT_ALLOWED; |
18760 | | } |
18761 | | /* RFC8773bis: cert_with_extern_psk depends on these extensions. */ |
18762 | | if (!hasPsk || !hasPskModes || !hasKeyShare || !hasSg || |
18763 | | !hasSigAlg) { |
18764 | | WOLFSSL_ERROR_VERBOSE(EXT_MISSING); |
18765 | | return EXT_MISSING; |
18766 | | } |
18767 | | #ifdef WOLFSSL_EARLY_DATA |
18768 | | /* External PSK + certificate mode forbids 0-RTT in CH. |
18769 | | * When WOLFSSL_EARLY_DATA is not defined there is no parser |
18770 | | * case for TLSX_EARLY_DATA, so an incoming early_data |
18771 | | * extension is treated as unknown and ignored per RFC 8446 |
18772 | | * Sect. 4.2 - no additional check is needed in that case. */ |
18773 | | if (hasEarlyData) { |
18774 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18775 | | return EXT_NOT_ALLOWED; |
18776 | | } |
18777 | | #endif |
18778 | | pskm = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES); |
18779 | | /* RFC8773bis requires client support for psk_dhe_ke mode. */ |
18780 | | if (pskm == NULL || (pskm->val & (1 << PSK_DHE_KE)) == 0) { |
18781 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18782 | | return EXT_NOT_ALLOWED; |
18783 | | } |
18784 | | } |
18785 | | else if (msgType == server_hello && !isRequest) { |
18786 | | /* SH confirming cert_with_extern_psk must also confirm PSK and KSE. */ |
18787 | | if (!hasPsk || !hasKeyShare) { |
18788 | | WOLFSSL_ERROR_VERBOSE(EXT_MISSING); |
18789 | | return EXT_MISSING; |
18790 | | } |
18791 | | } |
18792 | | } |
18793 | | else if (msgType == client_hello && isRequest && secondClientHello && |
18794 | | prevHasPskWithCert) { |
18795 | | /* RFC8773bis: reject dropping the extension in CH2 after HRR. */ |
18796 | | WOLFSSL_ERROR_VERBOSE(EXT_NOT_ALLOWED); |
18797 | | return EXT_NOT_ALLOWED; |
18798 | | } |
18799 | | } |
18800 | | #endif |
18801 | 0 | #if defined(WOLFSSL_TLS13) && defined(HAVE_SUPPORTED_CURVES) |
18802 | | /* RFC 8446 Section 9.2: ClientHello with KeyShare must |
18803 | | * contain SupportedGroups and vice-versa. */ |
18804 | 0 | if (IsAtLeastTLSv1_3(ssl->version) && msgType == client_hello && isRequest) { |
18805 | 0 | int hasKeyShare = !IS_OFF(seenType, TLSX_ToSemaphore(TLSX_KEY_SHARE)); |
18806 | 0 | int hasSupportedGroups = !IS_OFF(seenType, |
18807 | 0 | TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS)); |
18808 | |
|
18809 | 0 | if (hasKeyShare && !hasSupportedGroups) { |
18810 | 0 | WOLFSSL_MSG("ClientHello with KeyShare extension missing required " |
18811 | 0 | "SupportedGroups extension"); |
18812 | 0 | return INCOMPLETE_DATA; |
18813 | 0 | } |
18814 | 0 | if (hasSupportedGroups && !hasKeyShare) { |
18815 | 0 | WOLFSSL_MSG("ClientHello with SupportedGroups extension missing " |
18816 | 0 | "required KeyShare extension"); |
18817 | 0 | return INCOMPLETE_DATA; |
18818 | 0 | } |
18819 | 0 | } |
18820 | 0 | #endif |
18821 | | |
18822 | | #if defined(WOLFSSL_TLS13) && defined(HAVE_ECH) |
18823 | | /* Reconcile ECH inner/outer extensions before verifying SNI so the verify |
18824 | | * pass sees the authoritative list */ |
18825 | | if (ret == 0 && msgType == client_hello && isRequest && |
18826 | | !ssl->options.echProcessingInner && |
18827 | | ssl->ctx->echConfigs != NULL && !ssl->options.disableECH) { |
18828 | | TLSX* echX = TLSX_Find(ssl->extensions, TLSX_ECH); |
18829 | | WOLFSSL_ECH* ech = NULL; |
18830 | | if (echX != NULL) |
18831 | | ech = (WOLFSSL_ECH*)echX->data; |
18832 | | |
18833 | | if (ech != NULL) { |
18834 | | if (ech->state == ECH_WRITE_NONE && ech->innerClientHello != NULL) { |
18835 | | /* ECH accepted: use private extensions |
18836 | | * return early, inner hello needs to be parsed before VERIFY */ |
18837 | | return TLSX_EchReplaceExtensions(ssl, ssl->options.echAccepted); |
18838 | | } |
18839 | | else { |
18840 | | /* If ECH was accepted in CH1 then CH2 MUST contain an ECH |
18841 | | * extension */ |
18842 | | if (ssl->options.serverState == |
18843 | | SERVER_HELLO_RETRY_REQUEST_COMPLETE && |
18844 | | ssl->options.echAccepted) { |
18845 | | WOLFSSL_MSG("Client did not send an EncryptedClientHello " |
18846 | | "extension"); |
18847 | | WOLFSSL_ERROR_VERBOSE(INCOMPLETE_DATA); |
18848 | | return INCOMPLETE_DATA; |
18849 | | } |
18850 | | /* Otherwise ECH rejected: use public extensions */ |
18851 | | if (ech->state == ECH_WRITE_NONE || |
18852 | | ech->state == ECH_WRITE_RETRY_CONFIGS) { |
18853 | | ret = TLSX_EchReplaceExtensions(ssl, |
18854 | | ssl->options.echAccepted); |
18855 | | if (ret == 0 && ech->state == ECH_WRITE_NONE) { |
18856 | | echX->resp = 0; |
18857 | | } |
18858 | | } |
18859 | | } |
18860 | | } |
18861 | | } |
18862 | | #endif |
18863 | | |
18864 | 0 | if (ret == 0) |
18865 | 0 | ret = SNI_VERIFY_PARSE(ssl, isRequest); |
18866 | 0 | if (ret == 0) |
18867 | 0 | ret = TCA_VERIFY_PARSE(ssl, isRequest); |
18868 | |
|
18869 | 0 | WOLFSSL_LEAVE("Leaving TLSX_Parse", ret); |
18870 | 0 | return ret; |
18871 | 0 | } |
18872 | | |
18873 | | /* undefining semaphore macros */ |
18874 | | #undef IS_OFF |
18875 | | #undef TURN_ON |
18876 | | #undef SEMAPHORE_SIZE |
18877 | | |
18878 | | #endif /* HAVE_TLS_EXTENSIONS */ |
18879 | | |
18880 | | #ifndef NO_WOLFSSL_CLIENT |
18881 | | |
18882 | | WOLFSSL_METHOD* wolfTLS_client_method(void) |
18883 | 0 | { |
18884 | 0 | return wolfTLS_client_method_ex(NULL); |
18885 | 0 | } |
18886 | | WOLFSSL_METHOD* wolfTLS_client_method_ex(void* heap) |
18887 | 0 | { |
18888 | 0 | WOLFSSL_METHOD* method = |
18889 | 0 | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
18890 | 0 | heap, DYNAMIC_TYPE_METHOD); |
18891 | 0 | (void)heap; |
18892 | 0 | WOLFSSL_ENTER("TLS_client_method_ex"); |
18893 | 0 | if (method) { |
18894 | 0 | #if defined(WOLFSSL_TLS13) |
18895 | 0 | InitSSL_Method(method, MakeTLSv1_3()); |
18896 | | #elif !defined(WOLFSSL_NO_TLS12) |
18897 | | InitSSL_Method(method, MakeTLSv1_2()); |
18898 | | #elif !defined(NO_OLD_TLS) |
18899 | | InitSSL_Method(method, MakeTLSv1_1()); |
18900 | | #elif defined(WOLFSSL_ALLOW_TLSV10) |
18901 | | InitSSL_Method(method, MakeTLSv1()); |
18902 | | #else |
18903 | | #error No TLS version enabled! Consider using NO_TLS or WOLFCRYPT_ONLY. |
18904 | | #endif |
18905 | |
|
18906 | 0 | method->downgrade = 1; |
18907 | 0 | method->side = WOLFSSL_CLIENT_END; |
18908 | 0 | } |
18909 | 0 | return method; |
18910 | 0 | } |
18911 | | |
18912 | | #ifndef NO_OLD_TLS |
18913 | | #ifdef WOLFSSL_ALLOW_TLSV10 |
18914 | | WOLFSSL_METHOD* wolfTLSv1_client_method(void) |
18915 | | { |
18916 | | return wolfTLSv1_client_method_ex(NULL); |
18917 | | } |
18918 | | WOLFSSL_METHOD* wolfTLSv1_client_method_ex(void* heap) |
18919 | | { |
18920 | | WOLFSSL_METHOD* method = |
18921 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
18922 | | heap, DYNAMIC_TYPE_METHOD); |
18923 | | (void)heap; |
18924 | | WOLFSSL_ENTER("TLSv1_client_method_ex"); |
18925 | | if (method) |
18926 | | InitSSL_Method(method, MakeTLSv1()); |
18927 | | return method; |
18928 | | } |
18929 | | #endif /* WOLFSSL_ALLOW_TLSV10 */ |
18930 | | |
18931 | | WOLFSSL_METHOD* wolfTLSv1_1_client_method(void) |
18932 | | { |
18933 | | return wolfTLSv1_1_client_method_ex(NULL); |
18934 | | } |
18935 | | WOLFSSL_METHOD* wolfTLSv1_1_client_method_ex(void* heap) |
18936 | | { |
18937 | | WOLFSSL_METHOD* method = |
18938 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
18939 | | heap, DYNAMIC_TYPE_METHOD); |
18940 | | (void)heap; |
18941 | | WOLFSSL_ENTER("TLSv1_1_client_method_ex"); |
18942 | | if (method) |
18943 | | InitSSL_Method(method, MakeTLSv1_1()); |
18944 | | return method; |
18945 | | } |
18946 | | #endif /* !NO_OLD_TLS */ |
18947 | | |
18948 | | #ifndef WOLFSSL_NO_TLS12 |
18949 | | WOLFSSL_ABI |
18950 | | WOLFSSL_METHOD* wolfTLSv1_2_client_method(void) |
18951 | 0 | { |
18952 | 0 | return wolfTLSv1_2_client_method_ex(NULL); |
18953 | 0 | } |
18954 | | WOLFSSL_METHOD* wolfTLSv1_2_client_method_ex(void* heap) |
18955 | 0 | { |
18956 | 0 | WOLFSSL_METHOD* method = |
18957 | 0 | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
18958 | 0 | heap, DYNAMIC_TYPE_METHOD); |
18959 | 0 | (void)heap; |
18960 | 0 | WOLFSSL_ENTER("TLSv1_2_client_method_ex"); |
18961 | 0 | if (method) |
18962 | 0 | InitSSL_Method(method, MakeTLSv1_2()); |
18963 | 0 | return method; |
18964 | 0 | } |
18965 | | #endif /* WOLFSSL_NO_TLS12 */ |
18966 | | |
18967 | | #ifdef WOLFSSL_TLS13 |
18968 | | /* The TLS v1.3 client method data. |
18969 | | * |
18970 | | * returns the method data for a TLS v1.3 client. |
18971 | | */ |
18972 | | WOLFSSL_ABI |
18973 | | WOLFSSL_METHOD* wolfTLSv1_3_client_method(void) |
18974 | 0 | { |
18975 | 0 | return wolfTLSv1_3_client_method_ex(NULL); |
18976 | 0 | } |
18977 | | |
18978 | | /* The TLS v1.3 client method data. |
18979 | | * |
18980 | | * heap The heap used for allocation. |
18981 | | * returns the method data for a TLS v1.3 client. |
18982 | | */ |
18983 | | WOLFSSL_METHOD* wolfTLSv1_3_client_method_ex(void* heap) |
18984 | 0 | { |
18985 | 0 | WOLFSSL_METHOD* method = (WOLFSSL_METHOD*) |
18986 | 0 | XMALLOC(sizeof(WOLFSSL_METHOD), heap, |
18987 | 0 | DYNAMIC_TYPE_METHOD); |
18988 | 0 | (void)heap; |
18989 | 0 | WOLFSSL_ENTER("TLSv1_3_client_method_ex"); |
18990 | 0 | if (method) |
18991 | 0 | InitSSL_Method(method, MakeTLSv1_3()); |
18992 | 0 | return method; |
18993 | 0 | } |
18994 | | #endif /* WOLFSSL_TLS13 */ |
18995 | | |
18996 | | #ifdef WOLFSSL_DTLS |
18997 | | |
18998 | | WOLFSSL_METHOD* wolfDTLS_client_method(void) |
18999 | | { |
19000 | | return wolfDTLS_client_method_ex(NULL); |
19001 | | } |
19002 | | WOLFSSL_METHOD* wolfDTLS_client_method_ex(void* heap) |
19003 | | { |
19004 | | WOLFSSL_METHOD* method = |
19005 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19006 | | heap, DYNAMIC_TYPE_METHOD); |
19007 | | (void)heap; |
19008 | | WOLFSSL_ENTER("DTLS_client_method_ex"); |
19009 | | if (method) { |
19010 | | #if defined(WOLFSSL_DTLS13) |
19011 | | InitSSL_Method(method, MakeDTLSv1_3()); |
19012 | | #elif !defined(WOLFSSL_NO_TLS12) |
19013 | | InitSSL_Method(method, MakeDTLSv1_2()); |
19014 | | #elif !defined(NO_OLD_TLS) |
19015 | | InitSSL_Method(method, MakeDTLSv1()); |
19016 | | #else |
19017 | | #error No DTLS version enabled! |
19018 | | #endif |
19019 | | |
19020 | | method->downgrade = 1; |
19021 | | method->side = WOLFSSL_CLIENT_END; |
19022 | | } |
19023 | | return method; |
19024 | | } |
19025 | | |
19026 | | #ifndef NO_OLD_TLS |
19027 | | WOLFSSL_METHOD* wolfDTLSv1_client_method(void) |
19028 | | { |
19029 | | return wolfDTLSv1_client_method_ex(NULL); |
19030 | | } |
19031 | | WOLFSSL_METHOD* wolfDTLSv1_client_method_ex(void* heap) |
19032 | | { |
19033 | | WOLFSSL_METHOD* method = |
19034 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19035 | | heap, DYNAMIC_TYPE_METHOD); |
19036 | | (void)heap; |
19037 | | WOLFSSL_ENTER("DTLSv1_client_method_ex"); |
19038 | | if (method) |
19039 | | InitSSL_Method(method, MakeDTLSv1()); |
19040 | | return method; |
19041 | | } |
19042 | | #endif /* NO_OLD_TLS */ |
19043 | | |
19044 | | #ifndef WOLFSSL_NO_TLS12 |
19045 | | WOLFSSL_METHOD* wolfDTLSv1_2_client_method(void) |
19046 | | { |
19047 | | return wolfDTLSv1_2_client_method_ex(NULL); |
19048 | | } |
19049 | | WOLFSSL_METHOD* wolfDTLSv1_2_client_method_ex(void* heap) |
19050 | | { |
19051 | | WOLFSSL_METHOD* method = |
19052 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19053 | | heap, DYNAMIC_TYPE_METHOD); |
19054 | | (void)heap; |
19055 | | WOLFSSL_ENTER("DTLSv1_2_client_method_ex"); |
19056 | | if (method) |
19057 | | InitSSL_Method(method, MakeDTLSv1_2()); |
19058 | | (void)heap; |
19059 | | return method; |
19060 | | } |
19061 | | #endif /* !WOLFSSL_NO_TLS12 */ |
19062 | | #endif /* WOLFSSL_DTLS */ |
19063 | | |
19064 | | #endif /* NO_WOLFSSL_CLIENT */ |
19065 | | |
19066 | | |
19067 | | /* EITHER SIDE METHODS */ |
19068 | | #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) |
19069 | | #ifndef NO_OLD_TLS |
19070 | | #ifdef WOLFSSL_ALLOW_TLSV10 |
19071 | | /* Gets a WOLFSSL_METHOD type that is not set as client or server |
19072 | | * |
19073 | | * Returns a pointer to a WOLFSSL_METHOD struct |
19074 | | */ |
19075 | | WOLFSSL_METHOD* wolfTLSv1_method(void) |
19076 | | { |
19077 | | return wolfTLSv1_method_ex(NULL); |
19078 | | } |
19079 | | WOLFSSL_METHOD* wolfTLSv1_method_ex(void* heap) |
19080 | | { |
19081 | | WOLFSSL_METHOD* m; |
19082 | | WOLFSSL_ENTER("TLSv1_method"); |
19083 | | #ifndef NO_WOLFSSL_CLIENT |
19084 | | m = wolfTLSv1_client_method_ex(heap); |
19085 | | #else |
19086 | | m = wolfTLSv1_server_method_ex(heap); |
19087 | | #endif |
19088 | | if (m != NULL) { |
19089 | | m->side = WOLFSSL_NEITHER_END; |
19090 | | } |
19091 | | |
19092 | | return m; |
19093 | | } |
19094 | | #endif /* WOLFSSL_ALLOW_TLSV10 */ |
19095 | | |
19096 | | /* Gets a WOLFSSL_METHOD type that is not set as client or server |
19097 | | * |
19098 | | * Returns a pointer to a WOLFSSL_METHOD struct |
19099 | | */ |
19100 | | WOLFSSL_METHOD* wolfTLSv1_1_method(void) |
19101 | | { |
19102 | | return wolfTLSv1_1_method_ex(NULL); |
19103 | | } |
19104 | | WOLFSSL_METHOD* wolfTLSv1_1_method_ex(void* heap) |
19105 | | { |
19106 | | WOLFSSL_METHOD* m; |
19107 | | WOLFSSL_ENTER("TLSv1_1_method"); |
19108 | | #ifndef NO_WOLFSSL_CLIENT |
19109 | | m = wolfTLSv1_1_client_method_ex(heap); |
19110 | | #else |
19111 | | m = wolfTLSv1_1_server_method_ex(heap); |
19112 | | #endif |
19113 | | if (m != NULL) { |
19114 | | m->side = WOLFSSL_NEITHER_END; |
19115 | | } |
19116 | | return m; |
19117 | | } |
19118 | | #endif /* !NO_OLD_TLS */ |
19119 | | |
19120 | | #ifndef WOLFSSL_NO_TLS12 |
19121 | | /* Gets a WOLFSSL_METHOD type that is not set as client or server |
19122 | | * |
19123 | | * Returns a pointer to a WOLFSSL_METHOD struct |
19124 | | */ |
19125 | | WOLFSSL_METHOD* wolfTLSv1_2_method(void) |
19126 | | { |
19127 | | return wolfTLSv1_2_method_ex(NULL); |
19128 | | } |
19129 | | WOLFSSL_METHOD* wolfTLSv1_2_method_ex(void* heap) |
19130 | | { |
19131 | | WOLFSSL_METHOD* m; |
19132 | | WOLFSSL_ENTER("TLSv1_2_method"); |
19133 | | #ifndef NO_WOLFSSL_CLIENT |
19134 | | m = wolfTLSv1_2_client_method_ex(heap); |
19135 | | #else |
19136 | | m = wolfTLSv1_2_server_method_ex(heap); |
19137 | | #endif |
19138 | | if (m != NULL) { |
19139 | | m->side = WOLFSSL_NEITHER_END; |
19140 | | } |
19141 | | return m; |
19142 | | } |
19143 | | #endif /* !WOLFSSL_NO_TLS12 */ |
19144 | | |
19145 | | #ifdef WOLFSSL_TLS13 |
19146 | | /* Gets a WOLFSSL_METHOD type that is not set as client or server |
19147 | | * |
19148 | | * Returns a pointer to a WOLFSSL_METHOD struct |
19149 | | */ |
19150 | | WOLFSSL_METHOD* wolfTLSv1_3_method(void) |
19151 | | { |
19152 | | return wolfTLSv1_3_method_ex(NULL); |
19153 | | } |
19154 | | WOLFSSL_METHOD* wolfTLSv1_3_method_ex(void* heap) |
19155 | | { |
19156 | | WOLFSSL_METHOD* m; |
19157 | | WOLFSSL_ENTER("TLSv1_3_method"); |
19158 | | #ifndef NO_WOLFSSL_CLIENT |
19159 | | m = wolfTLSv1_3_client_method_ex(heap); |
19160 | | #else |
19161 | | m = wolfTLSv1_3_server_method_ex(heap); |
19162 | | #endif |
19163 | | if (m != NULL) { |
19164 | | m->side = WOLFSSL_NEITHER_END; |
19165 | | } |
19166 | | return m; |
19167 | | } |
19168 | | #endif /* WOLFSSL_TLS13 */ |
19169 | | |
19170 | | #ifdef WOLFSSL_DTLS |
19171 | | WOLFSSL_METHOD* wolfDTLS_method(void) |
19172 | | { |
19173 | | return wolfDTLS_method_ex(NULL); |
19174 | | } |
19175 | | WOLFSSL_METHOD* wolfDTLS_method_ex(void* heap) |
19176 | | { |
19177 | | WOLFSSL_METHOD* m; |
19178 | | WOLFSSL_ENTER("DTLS_method_ex"); |
19179 | | #ifndef NO_WOLFSSL_CLIENT |
19180 | | m = wolfDTLS_client_method_ex(heap); |
19181 | | #else |
19182 | | m = wolfDTLS_server_method_ex(heap); |
19183 | | #endif |
19184 | | if (m != NULL) { |
19185 | | m->side = WOLFSSL_NEITHER_END; |
19186 | | } |
19187 | | return m; |
19188 | | } |
19189 | | |
19190 | | #ifndef NO_OLD_TLS |
19191 | | WOLFSSL_METHOD* wolfDTLSv1_method(void) |
19192 | | { |
19193 | | return wolfDTLSv1_method_ex(NULL); |
19194 | | } |
19195 | | WOLFSSL_METHOD* wolfDTLSv1_method_ex(void* heap) |
19196 | | { |
19197 | | WOLFSSL_METHOD* m; |
19198 | | WOLFSSL_ENTER("DTLSv1_method_ex"); |
19199 | | #ifndef NO_WOLFSSL_CLIENT |
19200 | | m = wolfDTLSv1_client_method_ex(heap); |
19201 | | #else |
19202 | | m = wolfDTLSv1_server_method_ex(heap); |
19203 | | #endif |
19204 | | if (m != NULL) { |
19205 | | m->side = WOLFSSL_NEITHER_END; |
19206 | | } |
19207 | | return m; |
19208 | | } |
19209 | | #endif /* !NO_OLD_TLS */ |
19210 | | #ifndef WOLFSSL_NO_TLS12 |
19211 | | WOLFSSL_METHOD* wolfDTLSv1_2_method(void) |
19212 | | { |
19213 | | return wolfDTLSv1_2_method_ex(NULL); |
19214 | | } |
19215 | | WOLFSSL_METHOD* wolfDTLSv1_2_method_ex(void* heap) |
19216 | | { |
19217 | | WOLFSSL_METHOD* m; |
19218 | | WOLFSSL_ENTER("DTLSv1_2_method"); |
19219 | | #ifndef NO_WOLFSSL_CLIENT |
19220 | | m = wolfDTLSv1_2_client_method_ex(heap); |
19221 | | #else |
19222 | | m = wolfDTLSv1_2_server_method_ex(heap); |
19223 | | #endif |
19224 | | if (m != NULL) { |
19225 | | m->side = WOLFSSL_NEITHER_END; |
19226 | | } |
19227 | | return m; |
19228 | | } |
19229 | | #endif /* !WOLFSSL_NO_TLS12 */ |
19230 | | #ifdef WOLFSSL_DTLS13 |
19231 | | WOLFSSL_METHOD* wolfDTLSv1_3_method(void) |
19232 | | { |
19233 | | return wolfDTLSv1_3_method_ex(NULL); |
19234 | | } |
19235 | | WOLFSSL_METHOD* wolfDTLSv1_3_method_ex(void* heap) |
19236 | | { |
19237 | | WOLFSSL_METHOD* m; |
19238 | | WOLFSSL_ENTER("DTLSv1_3_method"); |
19239 | | #ifndef NO_WOLFSSL_CLIENT |
19240 | | m = wolfDTLSv1_3_client_method_ex(heap); |
19241 | | #else |
19242 | | m = wolfDTLSv1_3_server_method_ex(heap); |
19243 | | #endif |
19244 | | if (m != NULL) { |
19245 | | m->side = WOLFSSL_NEITHER_END; |
19246 | | } |
19247 | | return m; |
19248 | | } |
19249 | | #endif /* WOLFSSL_DTLS13 */ |
19250 | | #endif /* WOLFSSL_DTLS */ |
19251 | | #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */ |
19252 | | |
19253 | | |
19254 | | #ifndef NO_WOLFSSL_SERVER |
19255 | | |
19256 | | WOLFSSL_METHOD* wolfTLS_server_method(void) |
19257 | 0 | { |
19258 | 0 | return wolfTLS_server_method_ex(NULL); |
19259 | 0 | } |
19260 | | |
19261 | | WOLFSSL_METHOD* wolfTLS_server_method_ex(void* heap) |
19262 | 0 | { |
19263 | 0 | WOLFSSL_METHOD* method = |
19264 | 0 | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19265 | 0 | heap, DYNAMIC_TYPE_METHOD); |
19266 | 0 | (void)heap; |
19267 | 0 | WOLFSSL_ENTER("TLS_server_method_ex"); |
19268 | 0 | if (method) { |
19269 | 0 | #if defined(WOLFSSL_TLS13) |
19270 | 0 | InitSSL_Method(method, MakeTLSv1_3()); |
19271 | | #elif !defined(WOLFSSL_NO_TLS12) |
19272 | | InitSSL_Method(method, MakeTLSv1_2()); |
19273 | | #elif !defined(NO_OLD_TLS) |
19274 | | InitSSL_Method(method, MakeTLSv1_1()); |
19275 | | #elif defined(WOLFSSL_ALLOW_TLSV10) |
19276 | | InitSSL_Method(method, MakeTLSv1()); |
19277 | | #else |
19278 | | #error No TLS version enabled! Consider using NO_TLS or WOLFCRYPT_ONLY. |
19279 | | #endif |
19280 | |
|
19281 | 0 | method->downgrade = 1; |
19282 | 0 | method->side = WOLFSSL_SERVER_END; |
19283 | 0 | } |
19284 | 0 | return method; |
19285 | 0 | } |
19286 | | |
19287 | | #ifndef NO_OLD_TLS |
19288 | | #ifdef WOLFSSL_ALLOW_TLSV10 |
19289 | | WOLFSSL_METHOD* wolfTLSv1_server_method(void) |
19290 | | { |
19291 | | return wolfTLSv1_server_method_ex(NULL); |
19292 | | } |
19293 | | WOLFSSL_METHOD* wolfTLSv1_server_method_ex(void* heap) |
19294 | | { |
19295 | | WOLFSSL_METHOD* method = |
19296 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19297 | | heap, DYNAMIC_TYPE_METHOD); |
19298 | | (void)heap; |
19299 | | WOLFSSL_ENTER("TLSv1_server_method_ex"); |
19300 | | if (method) { |
19301 | | InitSSL_Method(method, MakeTLSv1()); |
19302 | | method->side = WOLFSSL_SERVER_END; |
19303 | | } |
19304 | | return method; |
19305 | | } |
19306 | | #endif /* WOLFSSL_ALLOW_TLSV10 */ |
19307 | | |
19308 | | WOLFSSL_METHOD* wolfTLSv1_1_server_method(void) |
19309 | | { |
19310 | | return wolfTLSv1_1_server_method_ex(NULL); |
19311 | | } |
19312 | | WOLFSSL_METHOD* wolfTLSv1_1_server_method_ex(void* heap) |
19313 | | { |
19314 | | WOLFSSL_METHOD* method = |
19315 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19316 | | heap, DYNAMIC_TYPE_METHOD); |
19317 | | (void)heap; |
19318 | | WOLFSSL_ENTER("TLSv1_1_server_method_ex"); |
19319 | | if (method) { |
19320 | | InitSSL_Method(method, MakeTLSv1_1()); |
19321 | | method->side = WOLFSSL_SERVER_END; |
19322 | | } |
19323 | | return method; |
19324 | | } |
19325 | | #endif /* !NO_OLD_TLS */ |
19326 | | |
19327 | | |
19328 | | #ifndef WOLFSSL_NO_TLS12 |
19329 | | WOLFSSL_ABI |
19330 | | WOLFSSL_METHOD* wolfTLSv1_2_server_method(void) |
19331 | 0 | { |
19332 | 0 | return wolfTLSv1_2_server_method_ex(NULL); |
19333 | 0 | } |
19334 | | WOLFSSL_METHOD* wolfTLSv1_2_server_method_ex(void* heap) |
19335 | 0 | { |
19336 | 0 | WOLFSSL_METHOD* method = |
19337 | 0 | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19338 | 0 | heap, DYNAMIC_TYPE_METHOD); |
19339 | 0 | (void)heap; |
19340 | 0 | WOLFSSL_ENTER("TLSv1_2_server_method_ex"); |
19341 | 0 | if (method) { |
19342 | 0 | InitSSL_Method(method, MakeTLSv1_2()); |
19343 | 0 | method->side = WOLFSSL_SERVER_END; |
19344 | 0 | } |
19345 | 0 | return method; |
19346 | 0 | } |
19347 | | #endif /* !WOLFSSL_NO_TLS12 */ |
19348 | | |
19349 | | #ifdef WOLFSSL_TLS13 |
19350 | | /* The TLS v1.3 server method data. |
19351 | | * |
19352 | | * returns the method data for a TLS v1.3 server. |
19353 | | */ |
19354 | | WOLFSSL_ABI |
19355 | | WOLFSSL_METHOD* wolfTLSv1_3_server_method(void) |
19356 | 0 | { |
19357 | 0 | return wolfTLSv1_3_server_method_ex(NULL); |
19358 | 0 | } |
19359 | | |
19360 | | /* The TLS v1.3 server method data. |
19361 | | * |
19362 | | * heap The heap used for allocation. |
19363 | | * returns the method data for a TLS v1.3 server. |
19364 | | */ |
19365 | | WOLFSSL_METHOD* wolfTLSv1_3_server_method_ex(void* heap) |
19366 | 0 | { |
19367 | 0 | WOLFSSL_METHOD* method = |
19368 | 0 | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19369 | 0 | heap, DYNAMIC_TYPE_METHOD); |
19370 | 0 | (void)heap; |
19371 | 0 | WOLFSSL_ENTER("TLSv1_3_server_method_ex"); |
19372 | 0 | if (method) { |
19373 | 0 | InitSSL_Method(method, MakeTLSv1_3()); |
19374 | 0 | method->side = WOLFSSL_SERVER_END; |
19375 | 0 | } |
19376 | 0 | return method; |
19377 | 0 | } |
19378 | | #endif /* WOLFSSL_TLS13 */ |
19379 | | |
19380 | | #ifdef WOLFSSL_DTLS |
19381 | | WOLFSSL_METHOD* wolfDTLS_server_method(void) |
19382 | | { |
19383 | | return wolfDTLS_server_method_ex(NULL); |
19384 | | } |
19385 | | WOLFSSL_METHOD* wolfDTLS_server_method_ex(void* heap) |
19386 | | { |
19387 | | WOLFSSL_METHOD* method = |
19388 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19389 | | heap, DYNAMIC_TYPE_METHOD); |
19390 | | (void)heap; |
19391 | | WOLFSSL_ENTER("DTLS_server_method_ex"); |
19392 | | if (method) { |
19393 | | #if defined(WOLFSSL_DTLS13) |
19394 | | InitSSL_Method(method, MakeDTLSv1_3()); |
19395 | | #elif !defined(WOLFSSL_NO_TLS12) |
19396 | | InitSSL_Method(method, MakeDTLSv1_2()); |
19397 | | #elif !defined(NO_OLD_TLS) |
19398 | | InitSSL_Method(method, MakeDTLSv1()); |
19399 | | #else |
19400 | | #error No DTLS version enabled! |
19401 | | #endif |
19402 | | |
19403 | | method->downgrade = 1; |
19404 | | method->side = WOLFSSL_SERVER_END; |
19405 | | } |
19406 | | return method; |
19407 | | } |
19408 | | |
19409 | | #ifndef NO_OLD_TLS |
19410 | | WOLFSSL_METHOD* wolfDTLSv1_server_method(void) |
19411 | | { |
19412 | | return wolfDTLSv1_server_method_ex(NULL); |
19413 | | } |
19414 | | WOLFSSL_METHOD* wolfDTLSv1_server_method_ex(void* heap) |
19415 | | { |
19416 | | WOLFSSL_METHOD* method = |
19417 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19418 | | heap, DYNAMIC_TYPE_METHOD); |
19419 | | (void)heap; |
19420 | | WOLFSSL_ENTER("DTLSv1_server_method_ex"); |
19421 | | if (method) { |
19422 | | InitSSL_Method(method, MakeDTLSv1()); |
19423 | | method->side = WOLFSSL_SERVER_END; |
19424 | | } |
19425 | | return method; |
19426 | | } |
19427 | | #endif /* !NO_OLD_TLS */ |
19428 | | |
19429 | | #ifndef WOLFSSL_NO_TLS12 |
19430 | | WOLFSSL_METHOD* wolfDTLSv1_2_server_method(void) |
19431 | | { |
19432 | | return wolfDTLSv1_2_server_method_ex(NULL); |
19433 | | } |
19434 | | WOLFSSL_METHOD* wolfDTLSv1_2_server_method_ex(void* heap) |
19435 | | { |
19436 | | WOLFSSL_METHOD* method = |
19437 | | (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), |
19438 | | heap, DYNAMIC_TYPE_METHOD); |
19439 | | WOLFSSL_ENTER("DTLSv1_2_server_method_ex"); |
19440 | | (void)heap; |
19441 | | if (method) { |
19442 | | InitSSL_Method(method, MakeDTLSv1_2()); |
19443 | | method->side = WOLFSSL_SERVER_END; |
19444 | | } |
19445 | | (void)heap; |
19446 | | return method; |
19447 | | } |
19448 | | #endif /* !WOLFSSL_NO_TLS12 */ |
19449 | | #endif /* WOLFSSL_DTLS */ |
19450 | | |
19451 | | #endif /* NO_WOLFSSL_SERVER */ |
19452 | | |
19453 | | #endif /* NO_TLS */ |
19454 | | |
19455 | | #endif /* WOLFCRYPT_ONLY */ |