Coverage Report

Created: 2022-08-24 06:25

/src/wolfssl-openssl-api/src/internal.c
Line
Count
Source (jump to first uncovered line)
1
/* internal.c
2
 *
3
 * Copyright (C) 2006-2022 wolfSSL Inc.
4
 *
5
 * This file is part of wolfSSL.
6
 *
7
 * wolfSSL is free software; you can redistribute it and/or modify
8
 * it under the terms of the GNU General Public License as published by
9
 * the Free Software Foundation; either version 2 of the License, or
10
 * (at your option) any later version.
11
 *
12
 * wolfSSL is distributed in the hope that it will be useful,
13
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15
 * GNU General Public License for more details.
16
 *
17
 * You should have received a copy of the GNU General Public License
18
 * along with this program; if not, write to the Free Software
19
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
20
 */
21
22
23
24
#ifdef HAVE_CONFIG_H
25
    #include <config.h>
26
#endif
27
28
#include <wolfssl/wolfcrypt/settings.h>
29
30
/*
31
 * WOLFSSL_SMALL_CERT_VERIFY:
32
 *     Verify the certificate signature without using DecodedCert. Doubles up
33
 *     on some code but allows smaller peak heap memory usage.
34
 *     Cannot be used with WOLFSSL_NONBLOCK_OCSP.
35
 * WOLFSSL_ALT_CERT_CHAINS:
36
 *     Allows CA's to be presented by peer, but not part of a valid chain.
37
 *     Default wolfSSL behavior is to require validation of all presented peer
38
 *     certificates. This also allows loading intermediate CA's as trusted
39
 *     and ignoring no signer failures for CA's up the chain to root.
40
 * WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT:
41
 *     Enable resending the previous DTLS handshake flight only on a network
42
 *     read timeout. By default we resend in two more cases, when we receive:
43
 *     - an out of order last msg of the peer's flight
44
 *     - a duplicate of the first msg from the peer's flight
45
 * WOLFSSL_NO_DEF_TICKET_ENC_CB:
46
 *     No default ticket encryption callback.
47
 *     Server only.
48
 *     Application must set its own callback to use session tickets.
49
 * WOLFSSL_TICKET_ENC_CHACHA20_POLY1305
50
 *     Use ChaCha20-Poly1305 to encrypt/decrypt session tickets in default
51
 *     callback. Default algorithm if none defined and algorithms compiled in.
52
 *     Server only.
53
 * WOLFSSL_TICKET_ENC_AES128_GCM
54
 *     Use AES128-GCM to encrypt/decrypt session tickets in default callback.
55
 *     Server only. Default algorithm if ChaCha20/Poly1305 not compiled in.
56
 * WOLFSSL_TICKET_ENC_AES256_GCM
57
 *     Use AES256-GCM to encrypt/decrypt session tickets in default callback.
58
 *     Server only.
59
 * WOLFSSL_TICKET_DECRYPT_NO_CREATE
60
 *     Default callback will not request creation of new ticket on successful
61
 *     decryption.
62
 *     Server only.
63
 * WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE
64
 *     Once a normal TLS 1.3 handshake is complete, a session ticket message
65
 *     may be received by a client. To support detecting this, peek will
66
 *     return WOLFSSL_ERROR_WANT_READ.
67
 *     This define turns off this behaviour.
68
*  WOLFSSL_DTLS_NO_HVR_ON_RESUME
69
 *     If defined, a DTLS server will not do a cookie exchange on successful
70
 *     client resumption: the resumption will be faster (one RTT less) and
71
 *     will consume less bandwidth (one ClientHello and one HelloVerifyRequest
72
 *     less). On the other hand, if a valid SessionID is collected, forged
73
 *     clientHello messages will consume resources on the server.
74
 *     This define is turned off by default.
75
 * WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
76
 *     Verify hostname/ip address using alternate name (SAN) only and do not
77
 *     use the common name. Forces use of the alternate name, so certificates
78
 *     missing SAN will be rejected during the handshake
79
 */
80
81
82
#ifdef EXTERNAL_OPTS_OPENVPN
83
#error EXTERNAL_OPTS_OPENVPN should not be defined\
84
    when building wolfSSL
85
#endif
86
87
#ifndef WOLFCRYPT_ONLY
88
89
#include <wolfssl/internal.h>
90
#include <wolfssl/error-ssl.h>
91
#include <wolfssl/wolfcrypt/asn.h>
92
#include <wolfssl/wolfcrypt/dh.h>
93
#ifdef NO_INLINE
94
    #include <wolfssl/wolfcrypt/misc.h>
95
#else
96
    #define WOLFSSL_MISC_INCLUDED
97
    #include <wolfcrypt/src/misc.c>
98
#endif
99
#if defined(OPENSSL_EXTRA) && defined(WOLFCRYPT_HAVE_SRP) && !defined(NO_SHA)
100
    #include <wolfssl/wolfcrypt/srp.h>
101
#endif
102
103
#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK)
104
    #include <wolfssl/wolfcrypt/coding.h>
105
#endif
106
#ifdef HAVE_LIBZ
107
    #include "zlib.h"
108
#endif
109
110
#ifdef WOLFSSL_QNX_CAAM
111
    /* included to get CAAM devId value */
112
    #include <wolfssl/wolfcrypt/port/caam/wolfcaam.h>
113
#endif
114
115
#if defined(DEBUG_WOLFSSL) || defined(SHOW_SECRETS) || \
116
    defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG)
117
    #ifndef NO_STDIO_FILESYSTEM
118
        #ifdef FUSION_RTOS
119
            #include <fclstdio.h>
120
        #else
121
            #include <stdio.h>
122
        #endif
123
    #endif
124
#endif
125
126
#ifdef __sun
127
    #include <sys/filio.h>
128
#endif
129
130
131
0
#define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
132
133
#ifdef _MSC_VER
134
    /* disable for while(0) cases at the .c level for now */
135
    #pragma warning(disable:4127)
136
#endif
137
138
#if defined(WOLFSSL_CALLBACKS) && !defined(LARGE_STATIC_BUFFERS)
139
    #error \
140
WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
141
#endif
142
143
#if defined(HAVE_SECURE_RENEGOTIATION) && defined(HAVE_RENEGOTIATION_INDICATION)
144
    #error Cannot use both secure-renegotiation and renegotiation-indication
145
#endif
146
147
#ifndef WOLFSSL_NO_TLS12
148
149
#ifndef NO_WOLFSSL_CLIENT
150
    static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
151
                                   word32* inOutIdx, word32 size);
152
    #ifndef NO_CERTS
153
        static int DoCertificateRequest(WOLFSSL* ssl, const byte* input,
154
                                        word32* inOutIdx, word32 size);
155
    #endif
156
    #ifdef HAVE_SESSION_TICKET
157
        static int DoSessionTicket(WOLFSSL* ssl, const byte* input,
158
                                   word32* inOutIdx, word32 size);
159
    #endif
160
#endif
161
162
163
#ifndef NO_WOLFSSL_SERVER
164
    static int DoClientKeyExchange(WOLFSSL* ssl, byte* input,
165
                                   word32* inOutIdx, word32 size);
166
    #if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
167
                        defined(HAVE_ED448)) && !defined(WOLFSSL_NO_CLIENT_AUTH)
168
        static int DoCertificateVerify(WOLFSSL* ssl, byte* input,
169
                                       word32* inOutIdx, word32 size);
170
    #endif
171
    #ifdef WOLFSSL_DTLS
172
        static int SendHelloVerifyRequest(WOLFSSL* ssl,
173
                                          const byte* cookie, byte cookieSz);
174
    #endif /* WOLFSSL_DTLS */
175
176
#endif /* !NO_WOLFSSL_SERVER */
177
178
#endif /* !WOLFSSL_NO_TLS12 */
179
180
#ifndef NO_WOLFSSL_SERVER
181
    #if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
182
        static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx,
183
                                       TicketEncCbCtx* keyCtx);
184
        static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx);
185
        static int DefTicketEncCb(WOLFSSL* ssl,
186
                                  byte key_name[WOLFSSL_TICKET_NAME_SZ],
187
                                  byte iv[WOLFSSL_TICKET_IV_SZ],
188
                                  byte mac[WOLFSSL_TICKET_MAC_SZ],
189
                                  int enc, byte* ticket, int inLen, int* outLen,
190
                                  void* userCtx);
191
    #endif
192
#endif
193
194
195
#ifdef WOLFSSL_DTLS
196
    static int _DtlsCheckWindow(WOLFSSL* ssl);
197
    static int _DtlsUpdateWindow(WOLFSSL* ssl);
198
#endif
199
200
#ifdef WOLFSSL_DTLS13
201
#ifndef WOLFSSL_DTLS13_SEND_MOREACK_DEFAULT
202
#define WOLFSSL_DTLS13_SEND_MOREACK_DEFAULT 0
203
#endif
204
#endif /* WOLFSSL_DTLS13 */
205
206
enum processReply {
207
    doProcessInit = 0,
208
#ifndef NO_WOLFSSL_SERVER
209
    runProcessOldClientHello,
210
#endif
211
    getRecordLayerHeader,
212
    getData,
213
    verifyEncryptedMessage,
214
    decryptMessage,
215
    verifyMessage,
216
    runProcessingOneRecord,
217
    runProcessingOneMessage
218
};
219
220
221
#ifndef WOLFSSL_NO_TLS12
222
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
223
224
/* Server random bytes for TLS v1.3 described downgrade protection mechanism. */
225
static const byte tls13Downgrade[7] = {
226
    0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44
227
};
228
0
#define TLS13_DOWNGRADE_SZ  sizeof(tls13Downgrade)
229
230
#endif /* !NO_WOLFSSL_SERVER || !NO_WOLFSSL_CLIENT */
231
232
#if !defined(NO_OLD_TLS) && !defined(WOLFSSL_AEAD_ONLY)
233
static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
234
                    int padLen, int content, int verify, int epochOrder);
235
236
#endif
237
238
#endif /* !WOLFSSL_NO_TLS12 */
239
240
241
#if defined(WOLFSSL_RENESAS_SCEPROTECT) || defined(WOLFSSL_RENESAS_TSIP_TLS)
242
#include <wolfssl/wolfcrypt/port/Renesas/renesas_cmn.h>
243
#endif
244
245
#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK)
246
247
    static int  SessionSecret_callback(WOLFSSL* ssl, void* secret,
248
                                                  int* secretSz, void* ctx);
249
#ifdef WOLFSSL_TLS13
250
    static int  SessionSecret_callback_Tls13(WOLFSSL* ssl, int id,
251
                       const unsigned char* secret, int secretSz, void* ctx);
252
#endif
253
254
    /* Label string for client random. */
255
    #define SSC_CR      "CLIENT_RANDOM"
256
257
    /*
258
     * This function builds up string for key-logging then call user's
259
     * key-log-callback to pass the string for TLS1.2 and older.
260
     * The user's key-logging callback has been set via
261
     * wolfSSL_CTX_set_keylog_callback function. The logging string format is:
262
     * "CLIENT_RANDOM <hex-encoded client random> <hex-encoded master-secret>"
263
     * parameter
264
     *  - ssl: WOLFSSL object
265
     *  - secret: pointer to the buffer holding master-secret
266
     *  - secretSz: size of secret
267
     *  - ctx: not used
268
     * returns 0 on success, negative value on failure.
269
     */
270
    static int SessionSecret_callback(WOLFSSL* ssl, void* secret,
271
                    int* secretSz, void* ctx)
272
    {
273
        wolfSSL_CTX_keylog_cb_func logCb = NULL;
274
        int msSz;
275
        int hasVal;
276
        int i;
277
        const char* label = SSC_CR;
278
        int labelSz = sizeof(SSC_CR);
279
        int buffSz;
280
        byte* log = NULL;
281
        word32 outSz;
282
        int idx;
283
        int ret;
284
        (void)ctx;
285
286
        if (ssl == NULL || secret == NULL || *secretSz == 0)
287
            return BAD_FUNC_ARG;
288
        if (ssl->arrays == NULL)
289
            return BAD_FUNC_ARG;
290
291
        /* get the user-callback func from CTX*/
292
        logCb = ssl->ctx->keyLogCb;
293
        if (logCb == NULL)
294
            return 0;
295
296
        /* need to make sure the given master-secret has a meaningful value */
297
        msSz   = *secretSz;
298
        hasVal = 0;
299
        for (i = 0; i < msSz; i++) {
300
            if (*((byte*)secret) != 0) {
301
                hasVal = 1;
302
                break;
303
            }
304
        }
305
        if (hasVal == 0)
306
            return 0; /* master-secret looks invalid */
307
308
        /* build up a hex-decoded keylog string
309
           "CLIENT_RANDOM <hex-encoded client random> <hex-encoded master-secret>"
310
           note that each keylog string does not have CR/LF.
311
        */
312
        buffSz  = labelSz + (RAN_LEN * 2) + 1 + ((*secretSz) * 2) + 1;
313
        log     = XMALLOC(buffSz, ssl->heap, DYNAMIC_TYPE_SECRET);
314
        if (log == NULL)
315
            return MEMORY_E;
316
#ifdef WOLFSSL_CHECK_MEM_ZERO
317
        wc_MemZero_Add("SessionSecret log", log, buffSz);
318
#endif
319
320
        XMEMSET(log, 0, buffSz);
321
        XMEMCPY(log, label, labelSz -1);     /* put label w/o terminator */
322
        log[labelSz - 1] = ' ';              /* '\0' -> ' ' */
323
        idx = labelSz;
324
        outSz = buffSz - idx;
325
        if ((ret = Base16_Encode(ssl->arrays->clientRandom, RAN_LEN,
326
                                            log + idx, &outSz)) == 0) {
327
            idx += (outSz - 1); /* reduce terminator byte */
328
            outSz = buffSz - idx;
329
330
            if (outSz > 1) {
331
                log[idx++] = ' ';  /* add space*/
332
                outSz = buffSz - idx;
333
334
                if ((ret = Base16_Encode((byte*)secret, *secretSz,
335
                                             log + idx, &outSz)) == 0) {
336
                    /* pass the log to the client callback*/
337
                    logCb(ssl, (char*)log);
338
                    ret = 0;
339
                }
340
            }
341
            else
342
                ret = MEMORY_E;
343
        }
344
        /* Zero out Base16 encoded secret and other data. */
345
        ForceZero(log, buffSz);
346
        XFREE(log, ssl->heap, DYNAMIC_TYPE_SECRET);
347
        return ret;
348
    }
349
350
#if defined(WOLFSSL_TLS13)
351
352
     /* Label string for client early traffic secret. */
353
     #define SSC_TLS13_CETS     "CLIENT_EARLY_TRAFFIC_SECRET"
354
     /* Label string for client handshake traffic secret. */
355
     #define SSC_TLS13_CHTS     "CLIENT_HANDSHAKE_TRAFFIC_SECRET"
356
     /* Label string for server handshake traffic secret. */
357
     #define SSC_TLS13_SHTS     "SERVER_HANDSHAKE_TRAFFIC_SECRET"
358
     /* Label string for client traffic secret. */
359
     #define SSC_TLS13_CTS      "CLIENT_TRAFFIC_SECRET_0"
360
     /* Label string for server traffic secret. */
361
     #define SSC_TLS13_STS      "SERVER_TRAFFIC_SECRET_0"
362
     /* Label string for early exporter secret. */
363
     #define SSC_TLS13_EES      "EARLY_EXPORTER_SECRET"
364
     /* Label string for exporter secret. */
365
     #define SSC_TLS13_ES       "EXPORTER_SECRET"
366
367
    /*
368
     * This function builds up string for key-logging then call user's
369
     * key-log-callback to pass the string for TLS1.3.
370
     * The user's key-logging callback has been set via
371
     * wolfSSL_CTX_set_keylog_callback function. The logging string format is:
372
     * "<Label> <hex-encoded client random> <hex-encoded secret>"
373
     *
374
     * parameter
375
     *  - ssl: WOLFSSL object
376
     *  - id: type of secret for logging
377
     *  - secret: pointer to the buffer holding secret
378
     *  - secretSz: size of secret
379
     *  - ctx: not used
380
     * returns 0 on success, negative value on failure.
381
     */
382
    static int SessionSecret_callback_Tls13(WOLFSSL* ssl, int id,
383
        const unsigned char* secret, int secretSz, void* ctx)
384
    {
385
        wolfSSL_CTX_keylog_cb_func logCb = NULL;
386
        const char* label;
387
        int         labelSz = 0;
388
        int         buffSz  = 0;
389
        byte*       log     = NULL;
390
        word32 outSz;
391
        int idx;
392
        int ret;
393
394
        (void)ctx;
395
396
        if (ssl == NULL || secret == NULL || secretSz == 0)
397
            return BAD_FUNC_ARG;
398
        if (ssl->arrays == NULL)
399
            return BAD_FUNC_ARG;
400
401
        /* get the user-callback func from CTX*/
402
        logCb = ssl->ctx->keyLogCb;
403
        if (logCb == NULL)
404
            return 0;
405
406
        switch (id) {
407
            case CLIENT_EARLY_TRAFFIC_SECRET:
408
                labelSz = sizeof(SSC_TLS13_CETS);
409
                label = SSC_TLS13_CETS;
410
                break;
411
412
            case CLIENT_HANDSHAKE_TRAFFIC_SECRET:
413
                labelSz = sizeof(SSC_TLS13_CHTS);
414
                label = SSC_TLS13_CHTS;
415
                break;
416
417
            case SERVER_HANDSHAKE_TRAFFIC_SECRET:
418
                labelSz = sizeof(SSC_TLS13_SHTS);
419
                label = SSC_TLS13_SHTS;
420
                break;
421
422
            case CLIENT_TRAFFIC_SECRET:
423
                labelSz = sizeof(SSC_TLS13_CTS);
424
                label = SSC_TLS13_CTS;
425
                break;
426
427
            case SERVER_TRAFFIC_SECRET:
428
                labelSz = sizeof(SSC_TLS13_STS);
429
                label = SSC_TLS13_STS;
430
                break;
431
432
            case EARLY_EXPORTER_SECRET:
433
                labelSz = sizeof(SSC_TLS13_EES);
434
                label = SSC_TLS13_EES;
435
                break;
436
437
            case EXPORTER_SECRET:
438
                labelSz = sizeof(SSC_TLS13_ES);
439
                label = SSC_TLS13_ES;
440
                break;
441
442
            default:
443
                return BAD_FUNC_ARG;
444
        }
445
        /* prepare a log string for passing user callback
446
         * "<Label> <hex-encoded client random> <hex-encoded secret>" */
447
        buffSz = labelSz + (RAN_LEN * 2) + 1 + secretSz * 2 + 1;
448
        log    = XMALLOC(buffSz, ssl->heap, DYNAMIC_TYPE_SECRET);
449
        if (log == NULL)
450
            return MEMORY_E;
451
#ifdef WOLFSSL_CHECK_MEM_ZERO
452
        wc_MemZero_Add("SessionSecret log", log, buffSz);
453
#endif
454
455
        XMEMSET(log, 0, buffSz);
456
        XMEMCPY(log, label, labelSz - 1);     /* put label w/o terminator */
457
        log[labelSz - 1] = ' ';               /* '\0' -> ' ' */
458
459
        idx = labelSz;
460
        outSz = buffSz - idx;
461
        if ((ret = Base16_Encode(ssl->arrays->clientRandom, RAN_LEN,
462
                                            log + idx, &outSz)) == 0) {
463
            idx  += (outSz - 1); /* reduce terminator byte */
464
            outSz = buffSz - idx;
465
466
            if (outSz >1) {
467
                log[idx++] = ' ';        /* add space*/
468
                outSz = buffSz - idx;
469
470
                if ((ret = Base16_Encode((byte*)secret, secretSz,
471
                                log + idx, &outSz)) == 0) {
472
                    logCb(ssl, (char*)log);
473
                    ret = 0;
474
                }
475
            }
476
            else
477
                ret = MEMORY_E;
478
        }
479
        /* Zero out Base16 encoded secret and other data. */
480
        ForceZero(log, buffSz);
481
        XFREE(log, ssl->heap, DYNAMIC_TYPE_SECRET);
482
        return ret;
483
    }
484
#endif /* WOLFSSL_TLS13*/
485
#endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK*/
486
487
int IsTLS(const WOLFSSL* ssl)
488
0
{
489
0
    if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_MINOR)
490
0
        return 1;
491
492
0
    return 0;
493
0
}
494
495
496
int IsAtLeastTLSv1_2(const WOLFSSL* ssl)
497
0
{
498
0
    if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor >=TLSv1_2_MINOR)
499
0
        return 1;
500
#ifdef WOLFSSL_DTLS
501
    if (ssl->version.major == DTLS_MAJOR && ssl->version.minor <= DTLSv1_2_MINOR)
502
        return 1;
503
#endif
504
505
0
    return 0;
506
0
}
507
508
int IsAtLeastTLSv1_3(const ProtocolVersion pv)
509
0
{
510
0
    int ret;
511
0
    ret = (pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_3_MINOR);
512
513
#ifdef WOLFSSL_DTLS13
514
    if (ret == 0 && pv.major == DTLS_MAJOR && pv.minor <= DTLSv1_3_MINOR)
515
        return 1;
516
#endif
517
518
0
    return ret;
519
0
}
520
521
static WC_INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend)
522
0
{
523
    #ifdef WOLFSSL_DTLS
524
    /* For DTLS, epoch 0 is always not encrypted. */
525
    if (ssl->options.dtls && !isSend) {
526
        if (!IsAtLeastTLSv1_3(ssl->version) && ssl->keys.curEpoch == 0)
527
            return 0;
528
#ifdef WOLFSSL_DTLS13
529
        else if (IsAtLeastTLSv1_3(ssl->version)
530
                     && w64IsZero(ssl->keys.curEpoch64))
531
            return 0;
532
#endif /* WOLFSSL_DTLS13 */
533
534
    }
535
    #endif /* WOLFSSL_DTLS */
536
    #ifdef WOLFSSL_QUIC
537
        if (WOLFSSL_IS_QUIC(ssl) && IsAtLeastTLSv1_3(ssl->version)) {
538
            return 0;
539
        }
540
    #endif
541
0
    return ssl->keys.encryptionOn &&
542
0
        (isSend ? ssl->encrypt.setup : ssl->decrypt.setup);
543
0
}
544
545
546
#ifdef WOLFSSL_DTLS
547
/* Stream Control Transmission Protocol */
548
/* If SCTP is not enabled returns the state of the dtls option.
549
 * If SCTP is enabled returns dtls && !sctp. */
550
int IsDtlsNotSctpMode(WOLFSSL* ssl)
551
{
552
#ifdef WOLFSSL_SCTP
553
    return ssl->options.dtls && !ssl->options.dtlsSctp;
554
#else
555
    return ssl->options.dtls;
556
#endif
557
}
558
559
#if !defined(WOLFSSL_NO_TLS12) && !defined(NO_WOLFSSL_SERVER)
560
/* Secure Real-time Transport Protocol */
561
/* If SRTP is not enabled returns the state of the dtls option.
562
 * If SRTP is enabled returns dtls && !dtlsSrtpProfiles. */
563
static WC_INLINE int IsDtlsNotSrtpMode(WOLFSSL* ssl)
564
{
565
#ifdef WOLFSSL_SRTP
566
    return ssl->options.dtls && !ssl->dtlsSrtpProfiles;
567
#else
568
    return ssl->options.dtls;
569
#endif
570
}
571
#endif /* !WOLFSSL_NO_TLS12 && !NO_WOLFSSL_SERVER */
572
#endif /* WOLFSSL_DTLS */
573
574
575
#ifdef HAVE_LIBZ
576
577
    /* alloc user allocs to work with zlib */
578
    static void* myAlloc(void* opaque, unsigned int item, unsigned int size)
579
    {
580
        (void)opaque;
581
        return (void *)XMALLOC(item * size, opaque, DYNAMIC_TYPE_LIBZ);
582
    }
583
584
585
    static void myFree(void* opaque, void* memory)
586
    {
587
        (void)opaque;
588
        XFREE(memory, opaque, DYNAMIC_TYPE_LIBZ);
589
    }
590
591
592
    /* init zlib comp/decomp streams, 0 on success */
593
    static int InitStreams(WOLFSSL* ssl)
594
    {
595
        ssl->c_stream.zalloc = (alloc_func)myAlloc;
596
        ssl->c_stream.zfree  = (free_func)myFree;
597
        ssl->c_stream.opaque = (voidpf)ssl->heap;
598
599
        if (deflateInit(&ssl->c_stream, Z_DEFAULT_COMPRESSION) != Z_OK)
600
            return ZLIB_INIT_ERROR;
601
602
        ssl->didStreamInit = 1;
603
604
        ssl->d_stream.zalloc = (alloc_func)myAlloc;
605
        ssl->d_stream.zfree  = (free_func)myFree;
606
        ssl->d_stream.opaque = (voidpf)ssl->heap;
607
608
        if (inflateInit(&ssl->d_stream) != Z_OK) return ZLIB_INIT_ERROR;
609
610
        return 0;
611
    }
612
613
614
    static void FreeStreams(WOLFSSL* ssl)
615
    {
616
        if (ssl->didStreamInit) {
617
            deflateEnd(&ssl->c_stream);
618
            inflateEnd(&ssl->d_stream);
619
        }
620
    }
621
622
623
    /* compress in to out, return out size or error */
624
    static int myCompress(WOLFSSL* ssl, byte* in, int inSz, byte* out, int outSz)
625
    {
626
        int    err;
627
        int    currTotal = (int)ssl->c_stream.total_out;
628
629
        ssl->c_stream.next_in   = in;
630
        ssl->c_stream.avail_in  = inSz;
631
        ssl->c_stream.next_out  = out;
632
        ssl->c_stream.avail_out = outSz;
633
634
        err = deflate(&ssl->c_stream, Z_SYNC_FLUSH);
635
        if (err != Z_OK && err != Z_STREAM_END) return ZLIB_COMPRESS_ERROR;
636
637
        return (int)ssl->c_stream.total_out - currTotal;
638
    }
639
640
641
    /* decompress in to out, return out size or error */
642
    static int myDeCompress(WOLFSSL* ssl, byte* in,int inSz, byte* out,int outSz)
643
    {
644
        int    err;
645
        int    currTotal = (int)ssl->d_stream.total_out;
646
647
        ssl->d_stream.next_in   = in;
648
        ssl->d_stream.avail_in  = inSz;
649
        ssl->d_stream.next_out  = out;
650
        ssl->d_stream.avail_out = outSz;
651
652
        err = inflate(&ssl->d_stream, Z_SYNC_FLUSH);
653
        if (err != Z_OK && err != Z_STREAM_END) return ZLIB_DECOMPRESS_ERROR;
654
655
        return (int)ssl->d_stream.total_out - currTotal;
656
    }
657
658
#endif /* HAVE_LIBZ */
659
660
661
#ifdef WOLFSSL_SESSION_EXPORT
662
/**
663
 * serializes the cipher specs struct for exporting
664
 * @return the amount written to 'exp' buffer
665
 */
666
static int ExportCipherSpecState(WOLFSSL* ssl, byte* exp, word32 len, byte ver,
667
        int type)
668
{
669
    word32 idx = 0;
670
    CipherSpecs* specs;
671
672
    WOLFSSL_ENTER("ExportCipherSpecState");
673
674
    if (exp == NULL || ssl == NULL) {
675
        return BAD_FUNC_ARG;
676
    }
677
678
    specs = &ssl->specs;
679
    if (WOLFSSL_EXPORT_SPC_SZ > len) {
680
        return BUFFER_E;
681
    }
682
683
    XMEMSET(exp, 0, WOLFSSL_EXPORT_SPC_SZ);
684
685
    c16toa(specs->key_size, exp + idx);      idx += OPAQUE16_LEN;
686
    c16toa(specs->iv_size, exp + idx);       idx += OPAQUE16_LEN;
687
    c16toa(specs->block_size, exp + idx);    idx += OPAQUE16_LEN;
688
    c16toa(specs->aead_mac_size, exp + idx); idx += OPAQUE16_LEN;
689
    exp[idx++] = specs->bulk_cipher_algorithm;
690
    exp[idx++] = specs->cipher_type;
691
    exp[idx++] = specs->mac_algorithm;
692
    exp[idx++] = specs->kea;
693
    exp[idx++] = specs->sig_algo;
694
    exp[idx++] = specs->hash_size;
695
    exp[idx++] = specs->pad_size;
696
    exp[idx++] = specs->static_ecdh;
697
698
    if (idx != WOLFSSL_EXPORT_SPC_SZ) {
699
        WOLFSSL_MSG("WOLFSSL_EXPORT_SPC_SZ needs updated and export version");
700
        return DTLS_EXPORT_VER_E;
701
    }
702
703
    /* send over state of AES too */
704
    if (type == WOLFSSL_EXPORT_TLS &&
705
            ssl->specs.bulk_cipher_algorithm == wolfssl_aes) {
706
        byte *pt = (byte*)ssl->encrypt.aes->reg;
707
708
        if ((idx + 2*AES_BLOCK_SIZE) > len) {
709
            WOLFSSL_MSG("Can not fit AES state into buffer");
710
            return BUFFER_E;
711
        }
712
        XMEMCPY(exp + idx, pt, AES_BLOCK_SIZE);
713
        idx += AES_BLOCK_SIZE;
714
715
        pt = (byte*)ssl->decrypt.aes->reg;
716
        XMEMCPY(exp + idx, pt, AES_BLOCK_SIZE);
717
        idx += AES_BLOCK_SIZE;
718
    }
719
720
    WOLFSSL_LEAVE("ExportCipherSpecState", idx);
721
    (void)ver;
722
    return idx;
723
}
724
725
726
/* serializes the key struct for exporting */
727
static int ExportKeyState(WOLFSSL* ssl, byte* exp, word32 len, byte ver,
728
        byte small, int type)
729
{
730
    word32 idx = 0;
731
    byte   sz;
732
    Keys* keys;
733
734
    WOLFSSL_ENTER("ExportKeyState");
735
736
    if (exp == NULL || ssl == NULL) {
737
        return BAD_FUNC_ARG;
738
    }
739
740
    keys = &(ssl->keys);
741
742
    if (DTLS_EXPORT_MIN_KEY_SZ > len) {
743
        WOLFSSL_MSG("Buffer not large enough for minimum key struct size");
744
        return BUFFER_E;
745
    }
746
747
    XMEMSET(exp, 0, DTLS_EXPORT_MIN_KEY_SZ);
748
749
    c32toa(keys->peer_sequence_number_hi, exp + idx); idx += OPAQUE32_LEN;
750
    c32toa(keys->peer_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN;
751
    c32toa(keys->sequence_number_hi, exp + idx);      idx += OPAQUE32_LEN;
752
    c32toa(keys->sequence_number_lo, exp + idx);      idx += OPAQUE32_LEN;
753
754
    #if defined(WOLFSSL_DTLS)
755
    if (type == WOLFSSL_EXPORT_DTLS) {
756
        c16toa(keys->peerSeq[0].nextEpoch, exp + idx);  idx += OPAQUE16_LEN;
757
        c16toa(keys->peerSeq[0].nextSeq_hi, exp + idx); idx += OPAQUE16_LEN;
758
        c32toa(keys->peerSeq[0].nextSeq_lo, exp + idx); idx += OPAQUE32_LEN;
759
        c16toa(keys->curEpoch, exp + idx);   idx += OPAQUE16_LEN;
760
        c16toa(keys->curSeq_hi, exp + idx);  idx += OPAQUE16_LEN;
761
        c32toa(keys->curSeq_lo, exp + idx);  idx += OPAQUE32_LEN;
762
        c16toa(keys->peerSeq[0].prevSeq_hi, exp + idx); idx += OPAQUE16_LEN;
763
        c32toa(keys->peerSeq[0].prevSeq_lo, exp + idx); idx += OPAQUE32_LEN;
764
765
        c16toa(keys->dtls_peer_handshake_number, exp + idx);
766
        idx += OPAQUE16_LEN;
767
        c16toa(keys->dtls_expected_peer_handshake_number, exp + idx);
768
        idx += OPAQUE16_LEN;
769
770
        c16toa(keys->dtls_sequence_number_hi, exp + idx); idx += OPAQUE16_LEN;
771
        c32toa(keys->dtls_sequence_number_lo, exp + idx); idx += OPAQUE32_LEN;
772
        c16toa(keys->dtls_prev_sequence_number_hi, exp + idx);
773
        idx += OPAQUE16_LEN;
774
        c32toa(keys->dtls_prev_sequence_number_lo, exp + idx);
775
        idx += OPAQUE32_LEN;
776
        c16toa(keys->dtls_epoch, exp + idx);              idx += OPAQUE16_LEN;
777
        c16toa(keys->dtls_handshake_number, exp + idx);   idx += OPAQUE16_LEN;
778
    }
779
    #endif
780
    c32toa(keys->encryptSz, exp + idx);                   idx += OPAQUE32_LEN;
781
    c32toa(keys->padSz, exp + idx);                       idx += OPAQUE32_LEN;
782
    exp[idx++] = keys->encryptionOn;
783
    exp[idx++] = keys->decryptedCur;
784
785
    /* from here on the buffer needs checked because is variable length that
786
     * can be larger than DTLS_EXPORT_MIN_KEY_SZ */
787
#ifdef WOLFSSL_DTLS
788
    if (type == WOLFSSL_EXPORT_DTLS) {
789
        word32 i;
790
        if ((OPAQUE16_LEN * 2) + idx +
791
                (2 * (WOLFSSL_DTLS_WINDOW_WORDS * OPAQUE32_LEN)) > len) {
792
            WOLFSSL_MSG("Buffer not large enough for WOLFSSL_DTLS_WINDOW_WORDS");
793
            return BUFFER_E;
794
        }
795
796
        c16toa(WOLFSSL_DTLS_WINDOW_WORDS, exp + idx); idx += OPAQUE16_LEN;
797
        for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) {
798
            c32toa(keys->peerSeq[0].window[i], exp + idx);
799
            idx += OPAQUE32_LEN;
800
        }
801
        c16toa(WOLFSSL_DTLS_WINDOW_WORDS, exp + idx); idx += OPAQUE16_LEN;
802
        for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) {
803
            c32toa(keys->peerSeq[0].prevWindow[i], exp + idx);
804
            idx += OPAQUE32_LEN;
805
        }
806
    }
807
#endif
808
809
    if (idx >= len) {
810
        WOLFSSL_MSG("Buffer not large enough for truncated hmac flag");
811
        return BUFFER_E;
812
    }
813
814
#ifdef HAVE_TRUNCATED_HMAC
815
    sz         = ssl->truncated_hmac ? TRUNCATED_HMAC_SZ: ssl->specs.hash_size;
816
    exp[idx++] = ssl->truncated_hmac;
817
#else
818
    sz         = ssl->specs.hash_size;
819
    exp[idx++] = 0; /* no truncated hmac */
820
#endif
821
822
    sz = (small)? 0: sz;
823
    if (idx + (sz * 2) + OPAQUE8_LEN > len) {
824
        WOLFSSL_MSG("Buffer not large enough for MAC secret");
825
        return BUFFER_E;
826
    }
827
828
    exp[idx++] = sz;
829
    if (sz > 0) {
830
    #ifndef WOLFSSL_AEAD_ONLY
831
        XMEMCPY(exp + idx, keys->client_write_MAC_secret, sz); idx += sz;
832
        XMEMCPY(exp + idx, keys->server_write_MAC_secret, sz); idx += sz;
833
    #else
834
        XMEMSET(exp + idx, 0, sz); idx += sz;
835
        XMEMSET(exp + idx, 0, sz); idx += sz;
836
    #endif
837
    }
838
839
    sz = (small)? 0: ssl->specs.key_size;
840
    if (idx + (sz * 2) + OPAQUE8_LEN > len) {
841
        WOLFSSL_MSG("Buffer not large enough for write key");
842
        return BUFFER_E;
843
    }
844
845
    exp[idx++] = sz;
846
    if (sz > 0) {
847
        XMEMCPY(exp + idx, keys->client_write_key, sz); idx += sz;
848
        XMEMCPY(exp + idx, keys->server_write_key, sz); idx += sz;
849
    }
850
851
    sz = (small)? 0: ssl->specs.iv_size;
852
    if (idx + (sz * 2) + OPAQUE8_LEN + AEAD_MAX_EXP_SZ > len) {
853
        WOLFSSL_MSG("Buffer not large enough for IVs");
854
        return BUFFER_E;
855
    }
856
857
    exp[idx++] = sz;
858
    if (sz > 0) {
859
        XMEMCPY(exp + idx, keys->client_write_IV, sz); idx += sz;
860
        XMEMCPY(exp + idx, keys->server_write_IV, sz); idx += sz;
861
    }
862
    XMEMCPY(exp + idx, keys->aead_exp_IV, AEAD_MAX_EXP_SZ);
863
    idx += AEAD_MAX_EXP_SZ;
864
865
    sz = (small)? 0: AEAD_MAX_IMP_SZ;
866
    if (idx + (sz * 2) + OPAQUE8_LEN > len) {
867
        WOLFSSL_MSG("Buffer not large enough for imp IVs");
868
        return BUFFER_E;
869
    }
870
    exp[idx++] = sz;
871
    if (sz > 0) {
872
        XMEMCPY(exp + idx, keys->aead_enc_imp_IV, sz); idx += sz;
873
        XMEMCPY(exp + idx, keys->aead_dec_imp_IV, sz); idx += sz;
874
    }
875
876
    /* DTLS_EXPORT_KEY_SZ is max value. idx size can vary */
877
    if (idx > DTLS_EXPORT_KEY_SZ) {
878
        WOLFSSL_MSG("DTLS_EXPORT_KEY_SZ needs updated and export version");
879
        return DTLS_EXPORT_VER_E;
880
    }
881
882
    WOLFSSL_LEAVE("ExportKeyState", idx);
883
    (void)ver;
884
    (void)type;
885
    return idx;
886
}
887
888
889
/**
890
 * Imports the buffer 'exp' into the 'ssl' CipherSpec structure.
891
 * @param ssl WOLFSSL structure to import into
892
 * @param exp input buffer to read from
893
 * @param len length of exp buffer
894
 * @param ver version of import buffer found
895
 * @param type flag for importing a TLS session or DTLS
896
 *
897
 * @return size of exp buffer consumed on success and negative value on fail
898
 */
899
static int ImportCipherSpecState(WOLFSSL* ssl, const byte* exp, word32 len,
900
        byte ver, int type)
901
{
902
    word32 idx = 0;
903
    CipherSpecs* specs;
904
    word32 tmp_seq_peer_lo;
905
    word32 tmp_seq_peer_hi;
906
    word32 tmp_seq_lo;
907
    word32 tmp_seq_hi;
908
909
    WOLFSSL_ENTER("ImportCipherSpecState");
910
911
    if (exp == NULL || ssl == NULL) {
912
        return BAD_FUNC_ARG;
913
    }
914
915
    specs= &(ssl->specs);
916
917
    if (WOLFSSL_EXPORT_SPC_SZ > len) {
918
        WOLFSSL_MSG("Buffer not large enough for max spec struct size");
919
        return BUFFER_E;
920
    }
921
922
    ato16(exp + idx, &specs->key_size);      idx += OPAQUE16_LEN;
923
    ato16(exp + idx, &specs->iv_size);       idx += OPAQUE16_LEN;
924
    ato16(exp + idx, &specs->block_size);    idx += OPAQUE16_LEN;
925
    ato16(exp + idx, &specs->aead_mac_size); idx += OPAQUE16_LEN;
926
    specs->bulk_cipher_algorithm = exp[idx++];
927
    specs->cipher_type           = exp[idx++];
928
    specs->mac_algorithm         = exp[idx++];
929
    specs->kea                   = exp[idx++];
930
    specs->sig_algo              = exp[idx++];
931
    specs->hash_size             = exp[idx++];
932
    specs->pad_size              = exp[idx++];
933
    specs->static_ecdh           = exp[idx++];
934
935
    if (specs->pad_size != PAD_MD5 && specs->pad_size != PAD_SHA) {
936
        WOLFSSL_MSG("Importing bad or unknown pad size");
937
        return BAD_STATE_E;
938
    }
939
940
    /* temporarily save the sequence numbers */
941
    tmp_seq_peer_lo = ssl->keys.peer_sequence_number_lo;
942
    tmp_seq_peer_hi = ssl->keys.peer_sequence_number_hi;
943
    tmp_seq_lo = ssl->keys.sequence_number_lo;
944
    tmp_seq_hi = ssl->keys.sequence_number_hi;
945
946
    SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE);
947
948
    /* reset sequence numbers after setting keys */
949
    ssl->keys.peer_sequence_number_lo = tmp_seq_peer_lo;
950
    ssl->keys.peer_sequence_number_hi = tmp_seq_peer_hi;
951
    ssl->keys.sequence_number_lo = tmp_seq_lo;
952
    ssl->keys.sequence_number_hi = tmp_seq_hi;
953
954
    if (type == WOLFSSL_EXPORT_TLS &&
955
            ssl->specs.bulk_cipher_algorithm == wolfssl_aes) {
956
        byte *pt = (byte*)ssl->encrypt.aes->reg;
957
        XMEMCPY(pt, exp + idx, AES_BLOCK_SIZE);
958
        idx += AES_BLOCK_SIZE;
959
960
        pt = (byte*)ssl->decrypt.aes->reg;
961
        XMEMCPY(pt, exp + idx, AES_BLOCK_SIZE);
962
        idx += AES_BLOCK_SIZE;
963
    }
964
965
    WOLFSSL_LEAVE("ImportCipherSpecState", idx);
966
    (void)ver;
967
    return idx;
968
}
969
970
971
/**
972
 * Import the Key structure
973
 *
974
 * @param ssl WOLFSSL structure to import into
975
 * @param exp buffer to read Key values from
976
 * @param len max length of buffer 'exp'
977
 * @param ver version of import buffer found
978
 * @param type flag for TLS vs DTLS
979
 *
980
 * @return amount of data read from exp on success or negative on fail
981
 */
982
static int ImportKeyState(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
983
        int type)
984
{
985
    word32 idx = 0;
986
    byte   sz;
987
    Keys  *keys;
988
989
    WOLFSSL_ENTER("ImportKeyState");
990
991
    if (exp == NULL || ssl == NULL) {
992
        return BAD_FUNC_ARG;
993
    }
994
995
    keys = &(ssl->keys);
996
997
    /* check minimum length -- includes byte used for size indicators */
998
    if (len < DTLS_EXPORT_MIN_KEY_SZ) {
999
        WOLFSSL_MSG("Buffer not large enough for minimum expected size");
1000
        return BUFFER_E;
1001
    }
1002
    ato32(exp + idx, &keys->peer_sequence_number_hi); idx += OPAQUE32_LEN;
1003
    ato32(exp + idx, &keys->peer_sequence_number_lo); idx += OPAQUE32_LEN;
1004
    ato32(exp + idx, &keys->sequence_number_hi);      idx += OPAQUE32_LEN;
1005
    ato32(exp + idx, &keys->sequence_number_lo);      idx += OPAQUE32_LEN;
1006
1007
    #if defined(WOLFSSL_DTLS)
1008
    if (type == WOLFSSL_EXPORT_DTLS) {
1009
        ato16(exp + idx, &keys->peerSeq[0].nextEpoch);  idx += OPAQUE16_LEN;
1010
        ato16(exp + idx, &keys->peerSeq[0].nextSeq_hi); idx += OPAQUE16_LEN;
1011
        ato32(exp + idx, &keys->peerSeq[0].nextSeq_lo); idx += OPAQUE32_LEN;
1012
        ato16(exp + idx, &keys->curEpoch);   idx += OPAQUE16_LEN;
1013
        ato16(exp + idx, &keys->curSeq_hi);  idx += OPAQUE16_LEN;
1014
        ato32(exp + idx, &keys->curSeq_lo);  idx += OPAQUE32_LEN;
1015
        ato16(exp + idx, &keys->peerSeq[0].prevSeq_hi); idx += OPAQUE16_LEN;
1016
        ato32(exp + idx, &keys->peerSeq[0].prevSeq_lo); idx += OPAQUE32_LEN;
1017
1018
        ato16(exp + idx, &keys->dtls_peer_handshake_number);
1019
        idx += OPAQUE16_LEN;
1020
        ato16(exp + idx, &keys->dtls_expected_peer_handshake_number);
1021
        idx += OPAQUE16_LEN;
1022
1023
        ato16(exp + idx, &keys->dtls_sequence_number_hi); idx += OPAQUE16_LEN;
1024
        ato32(exp + idx, &keys->dtls_sequence_number_lo); idx += OPAQUE32_LEN;
1025
        ato16(exp + idx, &keys->dtls_prev_sequence_number_hi);
1026
        idx += OPAQUE16_LEN;
1027
        ato32(exp + idx, &keys->dtls_prev_sequence_number_lo);
1028
        idx += OPAQUE32_LEN;
1029
        ato16(exp + idx, &keys->dtls_epoch);              idx += OPAQUE16_LEN;
1030
        ato16(exp + idx, &keys->dtls_handshake_number);   idx += OPAQUE16_LEN;
1031
    }
1032
    #endif
1033
    ato32(exp + idx, &keys->encryptSz);                   idx += OPAQUE32_LEN;
1034
    ato32(exp + idx, &keys->padSz);                       idx += OPAQUE32_LEN;
1035
    keys->encryptionOn = exp[idx++];
1036
    keys->decryptedCur = exp[idx++];
1037
1038
    #if defined(WOLFSSL_DTLS)
1039
    if (type == WOLFSSL_EXPORT_DTLS) {
1040
        word16 i, wordCount, wordAdj = 0;
1041
1042
        /* do window */
1043
        ato16(exp + idx, &wordCount);
1044
        idx += OPAQUE16_LEN;
1045
1046
        if (wordCount > WOLFSSL_DTLS_WINDOW_WORDS) {
1047
            wordCount = WOLFSSL_DTLS_WINDOW_WORDS;
1048
            wordAdj = (WOLFSSL_DTLS_WINDOW_WORDS - wordCount) * sizeof(word32);
1049
        }
1050
1051
        XMEMSET(keys->peerSeq[0].window, 0xFF, DTLS_SEQ_SZ);
1052
        for (i = 0; i < wordCount; i++) {
1053
            ato32(exp + idx, &keys->peerSeq[0].window[i]);
1054
            idx += OPAQUE32_LEN;
1055
        }
1056
        idx += wordAdj;
1057
1058
        /* do prevWindow */
1059
        ato16(exp + idx, &wordCount);
1060
        idx += OPAQUE16_LEN;
1061
1062
        if (wordCount > WOLFSSL_DTLS_WINDOW_WORDS) {
1063
            wordCount = WOLFSSL_DTLS_WINDOW_WORDS;
1064
            wordAdj = (WOLFSSL_DTLS_WINDOW_WORDS - wordCount) * sizeof(word32);
1065
        }
1066
1067
        XMEMSET(keys->peerSeq[0].prevWindow, 0xFF, DTLS_SEQ_SZ);
1068
        for (i = 0; i < wordCount; i++) {
1069
            ato32(exp + idx, &keys->peerSeq[0].prevWindow[i]);
1070
            idx += OPAQUE32_LEN;
1071
        }
1072
        idx += wordAdj;
1073
1074
    }
1075
    #endif
1076
1077
#ifdef HAVE_TRUNCATED_HMAC
1078
    ssl->truncated_hmac = exp[idx++];
1079
#else
1080
    idx++; /* no truncated hmac */
1081
#endif
1082
    sz = exp[idx++];
1083
#ifndef WOLFSSL_AEAD_ONLY
1084
    if (sz > sizeof(keys->client_write_MAC_secret) || (sz * 2) + idx > len) {
1085
        WOLFSSL_MSG("Buffer not large enough for MAC import");
1086
        return BUFFER_E;
1087
    }
1088
    if (sz > 0) {
1089
        XMEMCPY(keys->client_write_MAC_secret, exp + idx, sz); idx += sz;
1090
        XMEMCPY(keys->server_write_MAC_secret, exp + idx, sz); idx += sz;
1091
    }
1092
#else
1093
    if (sz + idx > len) {
1094
        return BUFFER_E;
1095
    }
1096
    idx += sz; idx += sz;
1097
#endif
1098
1099
    sz = exp[idx++];
1100
    if (sz > sizeof(keys->client_write_key) || (sz * 2) + idx > len) {
1101
        WOLFSSL_MSG("Buffer not large enough for key import");
1102
        return BUFFER_E;
1103
    }
1104
    if (sz > 0) {
1105
        XMEMCPY(keys->client_write_key, exp + idx, sz); idx += sz;
1106
        XMEMCPY(keys->server_write_key, exp + idx, sz); idx += sz;
1107
    }
1108
1109
    sz = exp[idx++];
1110
    if (sz > sizeof(keys->client_write_IV) || (sz * 2) + idx > len) {
1111
        WOLFSSL_MSG("Buffer not large enough for write IV import");
1112
        return BUFFER_E;
1113
    }
1114
    if (sz > 0) {
1115
        XMEMCPY(keys->client_write_IV, exp + idx, sz); idx += sz;
1116
        XMEMCPY(keys->server_write_IV, exp + idx, sz); idx += sz;
1117
    }
1118
    XMEMCPY(keys->aead_exp_IV, exp + idx, AEAD_MAX_EXP_SZ);
1119
    idx += AEAD_MAX_EXP_SZ;
1120
1121
    sz = exp[idx++];
1122
    if (sz > sizeof(keys->aead_enc_imp_IV) || (sz * 2) + idx > len) {
1123
        WOLFSSL_MSG("Buffer not large enough for imp IV import");
1124
        return BUFFER_E;
1125
    }
1126
    if (sz > 0) {
1127
        XMEMCPY(keys->aead_enc_imp_IV, exp + idx, sz); idx += sz;
1128
        XMEMCPY(keys->aead_dec_imp_IV, exp + idx, sz); idx += sz;
1129
    }
1130
1131
    WOLFSSL_LEAVE("ImportKeyState", idx);
1132
    (void)ver;
1133
    (void)type;
1134
    return idx;
1135
}
1136
1137
1138
/* copy over necessary information from Options struct to buffer
1139
 * On success returns size of buffer used on failure returns a negative value */
1140
static int ExportOptions(WOLFSSL* ssl, byte* exp, word32 len, byte ver,
1141
        int type)
1142
{
1143
    int      idx  = 0;
1144
    word16   zero = 0;
1145
    Options *options;
1146
1147
    WOLFSSL_ENTER("ExportOptions");
1148
1149
    if (ssl == NULL || exp == NULL || len < DTLS_EXPORT_OPT_SZ) {
1150
        return BAD_FUNC_ARG;
1151
    }
1152
1153
    options = &ssl->options;
1154
    if (options == NULL) {
1155
        return BAD_FUNC_ARG;
1156
    }
1157
1158
    XMEMSET(exp, 0, DTLS_EXPORT_OPT_SZ);
1159
1160
    /* these options are kept and sent to indicate verify status and strength
1161
     * of handshake */
1162
    exp[idx++] = options->sendVerify;
1163
    exp[idx++] = options->verifyPeer;
1164
    exp[idx++] = options->verifyNone;
1165
    exp[idx++] = options->downgrade;
1166
#ifndef NO_DH
1167
    c16toa(options->minDhKeySz, exp + idx); idx += OPAQUE16_LEN;
1168
    c16toa(options->maxDhKeySz, exp + idx); idx += OPAQUE16_LEN;
1169
    c16toa(options->dhKeySz, exp + idx);    idx += OPAQUE16_LEN;
1170
#else
1171
    c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
1172
    c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
1173
    c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
1174
#endif
1175
#ifndef NO_RSA
1176
    c16toa((word16)(options->minRsaKeySz), exp + idx); idx += OPAQUE16_LEN;
1177
#else
1178
    c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
1179
#endif
1180
#ifdef HAVE_ECC
1181
    c16toa((word16)(options->minEccKeySz), exp + idx); idx += OPAQUE16_LEN;
1182
#else
1183
    c16toa(zero, exp + idx); idx += OPAQUE16_LEN;
1184
#endif
1185
1186
    /* these options are kept to indicate state and behavior */
1187
#ifndef NO_PSK
1188
    exp[idx++] = options->havePSK;
1189
#else
1190
    exp[idx++] = 0;
1191
#endif
1192
    exp[idx++] = options->sessionCacheOff;
1193
    exp[idx++] = options->sessionCacheFlushOff;
1194
    exp[idx++] = options->side;
1195
    exp[idx++] = options->resuming;
1196
    exp[idx++] = options->haveSessionId;
1197
    exp[idx++] = options->tls;
1198
    exp[idx++] = options->tls1_1;
1199
    exp[idx++] = options->dtls;
1200
    exp[idx++] = options->connReset;
1201
    exp[idx++] = options->isClosed;
1202
    exp[idx++] = options->closeNotify;
1203
    exp[idx++] = options->sentNotify;
1204
    exp[idx++] = options->usingCompression;
1205
    exp[idx++] = options->haveRSA;
1206
    exp[idx++] = options->haveECC;
1207
    exp[idx++] = options->haveDH;
1208
    exp[idx++] = 0; /* Historical: haveNTRU */
1209
    exp[idx++] = 0; /* Historical: haveQSH */
1210
    exp[idx++] = options->haveECDSAsig;
1211
    exp[idx++] = options->haveStaticECC;
1212
    exp[idx++] = options->havePeerVerify;
1213
    exp[idx++] = options->usingPSK_cipher;
1214
    exp[idx++] = options->usingAnon_cipher;
1215
    exp[idx++] = 0; /* Historical: options->sendAlertState */
1216
    exp[idx++] = options->partialWrite;
1217
    exp[idx++] = options->quietShutdown;
1218
    exp[idx++] = options->groupMessages;
1219
#ifdef HAVE_POLY1305
1220
    exp[idx++] = options->oldPoly;
1221
#else
1222
    exp[idx++] = 0;
1223
#endif
1224
#ifdef HAVE_ANON
1225
    exp[idx++] = options->haveAnon;
1226
#else
1227
    exp[idx++] = 0;
1228
#endif
1229
#ifdef HAVE_SESSION_TICKET
1230
    exp[idx++] = options->createTicket;
1231
    exp[idx++] = options->useTicket;
1232
    exp[idx++] = options->noTicketTls12;
1233
#ifdef WOLFSSL_TLS13
1234
    if (ver > WOLFSSL_EXPORT_VERSION_3) {
1235
        exp[idx++] = options->noTicketTls13;
1236
    }
1237
#else
1238
    if (ver > WOLFSSL_EXPORT_VERSION_3) {
1239
        exp[idx++] = 0;
1240
    }
1241
#endif
1242
#else
1243
    exp[idx++] = 0;
1244
    exp[idx++] = 0;
1245
    exp[idx++] = 0;
1246
    if (ver > WOLFSSL_EXPORT_VERSION_3) {
1247
        exp[idx++] = 0;
1248
    }
1249
#endif
1250
    exp[idx++] = options->processReply;
1251
    exp[idx++] = options->cipherSuite0;
1252
    exp[idx++] = options->cipherSuite;
1253
    exp[idx++] = options->serverState;
1254
    exp[idx++] = options->clientState;
1255
    exp[idx++] = options->handShakeState;
1256
    exp[idx++] = options->handShakeDone;
1257
    exp[idx++] = options->minDowngrade;
1258
    exp[idx++] = options->connectState;
1259
    exp[idx++] = options->acceptState;
1260
    exp[idx++] = options->asyncState;
1261
1262
    if (type == WOLFSSL_EXPORT_TLS) {
1263
#ifdef HAVE_ENCRYPT_THEN_MAC
1264
        exp[idx++] = options->disallowEncThenMac;
1265
        exp[idx++] = options->encThenMac;
1266
        exp[idx++] = options->startedETMRead;
1267
        exp[idx++] = options->startedETMWrite;
1268
#else
1269
        exp[idx++] = 0;
1270
        exp[idx++] = 0;
1271
        exp[idx++] = 0;
1272
        exp[idx++] = 0;
1273
#endif
1274
    }
1275
1276
    /* version of connection */
1277
    exp[idx++] = ssl->version.major;
1278
    exp[idx++] = ssl->version.minor;
1279
1280
    (void)zero;
1281
1282
    /* check if changes were made and notify of need to update export version */
1283
    switch (ver) {
1284
        case WOLFSSL_EXPORT_VERSION_3:
1285
            if (idx != DTLS_EXPORT_OPT_SZ_3) {
1286
                WOLFSSL_MSG("Update DTLS_EXPORT_OPT_SZ and version of export");
1287
                return DTLS_EXPORT_VER_E;
1288
            }
1289
            break;
1290
1291
        case WOLFSSL_EXPORT_VERSION:
1292
            if (idx != DTLS_EXPORT_OPT_SZ && type == WOLFSSL_EXPORT_DTLS) {
1293
                WOLFSSL_MSG("Update DTLS_EXPORT_OPT_SZ and version of export");
1294
                return DTLS_EXPORT_VER_E;
1295
            }
1296
            break;
1297
1298
       default:
1299
            WOLFSSL_MSG("New version case needs added to wolfSSL export");
1300
            return DTLS_EXPORT_VER_E;
1301
    }
1302
1303
    WOLFSSL_LEAVE("ExportOptions", idx);
1304
1305
    (void)type;
1306
    return idx;
1307
}
1308
1309
1310
/* copy items from Export struct to Options struct
1311
 * On success returns size of buffer used on failure returns a negative value */
1312
static int ImportOptions(WOLFSSL* ssl, const byte* exp, word32 len, byte ver,
1313
        int type)
1314
{
1315
    int idx = 0;
1316
    Options* options = &ssl->options;
1317
1318
    switch (ver) {
1319
        case WOLFSSL_EXPORT_VERSION:
1320
            if (len < DTLS_EXPORT_OPT_SZ) {
1321
                WOLFSSL_MSG("Sanity check on buffer size failed");
1322
                return BAD_FUNC_ARG;
1323
            }
1324
            break;
1325
1326
        case WOLFSSL_EXPORT_VERSION_3:
1327
            if (len < DTLS_EXPORT_OPT_SZ_3) {
1328
                WOLFSSL_MSG("Sanity check on buffer size failed");
1329
                return BAD_FUNC_ARG;
1330
            }
1331
            break;
1332
1333
        default:
1334
            WOLFSSL_MSG("Export version not supported");
1335
            return BAD_FUNC_ARG;
1336
    }
1337
1338
    if (exp == NULL || options == NULL) {
1339
        return BAD_FUNC_ARG;
1340
    }
1341
1342
1343
    /* these options are kept and sent to indicate verify status and strength
1344
     * of handshake */
1345
    options->sendVerify = exp[idx++];
1346
    options->verifyPeer = exp[idx++];
1347
    options->verifyNone = exp[idx++];
1348
    options->downgrade  = exp[idx++];
1349
#ifndef NO_DH
1350
    ato16(exp + idx, &(options->minDhKeySz)); idx += OPAQUE16_LEN;
1351
    ato16(exp + idx, &(options->maxDhKeySz)); idx += OPAQUE16_LEN;
1352
    ato16(exp + idx, &(options->dhKeySz));    idx += OPAQUE16_LEN;
1353
#else
1354
    idx += OPAQUE16_LEN;
1355
    idx += OPAQUE16_LEN;
1356
    idx += OPAQUE16_LEN;
1357
#endif
1358
#ifndef NO_RSA
1359
    ato16(exp + idx, (word16*)&(options->minRsaKeySz)); idx += OPAQUE16_LEN;
1360
#else
1361
    idx += OPAQUE16_LEN;
1362
#endif
1363
#ifdef HAVE_ECC
1364
    ato16(exp + idx, (word16*)&(options->minEccKeySz)); idx += OPAQUE16_LEN;
1365
#else
1366
    idx += OPAQUE16_LEN;
1367
#endif
1368
1369
    /* these options are kept to indicate state and behavior */
1370
#ifndef NO_PSK
1371
    options->havePSK = exp[idx++];
1372
#else
1373
    idx++;
1374
#endif
1375
    options->sessionCacheOff      = exp[idx++];
1376
    options->sessionCacheFlushOff = exp[idx++];
1377
    options->side                 = exp[idx++];
1378
    options->resuming             = exp[idx++];
1379
    options->haveSessionId    = exp[idx++];
1380
    options->tls              = exp[idx++];
1381
    options->tls1_1           = exp[idx++];
1382
    options->dtls             = exp[idx++];
1383
    options->connReset        = exp[idx++];
1384
    options->isClosed         = exp[idx++];
1385
    options->closeNotify      = exp[idx++];
1386
    options->sentNotify       = exp[idx++];
1387
    options->usingCompression = exp[idx++];
1388
    options->haveRSA          = exp[idx++];
1389
    options->haveECC          = exp[idx++];
1390
    options->haveDH           = exp[idx++];
1391
    idx++; /* Historical: haveNTRU */
1392
    idx++; /* Historical: haveQSH */
1393
    options->haveECDSAsig     = exp[idx++];
1394
    options->haveStaticECC    = exp[idx++];
1395
    options->havePeerVerify   = exp[idx++];
1396
    options->usingPSK_cipher  = exp[idx++];
1397
    options->usingAnon_cipher = exp[idx++];
1398
    idx++; /* Historical: options->sendAlertState */
1399
    options->partialWrite     = exp[idx++];
1400
    options->quietShutdown    = exp[idx++];
1401
    options->groupMessages    = exp[idx++];
1402
#ifdef HAVE_POLY1305
1403
    options->oldPoly = exp[idx++];      /* set when to use old rfc way of poly*/
1404
#else
1405
    idx++;
1406
#endif
1407
#ifdef HAVE_ANON
1408
    options->haveAnon = exp[idx++];     /* User wants to allow Anon suites */
1409
#else
1410
    idx++;
1411
#endif
1412
#ifdef HAVE_SESSION_TICKET
1413
    options->createTicket  = exp[idx++]; /* Server to create new Ticket */
1414
    options->useTicket     = exp[idx++]; /* Use Ticket not session cache */
1415
    options->noTicketTls12 = exp[idx++]; /* Server won't create new Ticket */
1416
#ifdef WOLFSSL_TLS13
1417
    if (ver > WOLFSSL_EXPORT_VERSION_3) {
1418
        options->noTicketTls13 = exp[idx++];/* Server won't create new Ticket */
1419
    }
1420
#else
1421
    if (ver > WOLFSSL_EXPORT_VERSION_3) {
1422
        idx++;
1423
    }
1424
#endif
1425
#else
1426
    idx++;
1427
    idx++;
1428
    idx++;
1429
    if (ver > WOLFSSL_EXPORT_VERSION_3) {
1430
        idx++;
1431
    }
1432
#endif
1433
    options->processReply   = exp[idx++];
1434
    options->cipherSuite0   = exp[idx++];
1435
    options->cipherSuite    = exp[idx++];
1436
    options->serverState    = exp[idx++];
1437
    options->clientState    = exp[idx++];
1438
    options->handShakeState = exp[idx++];
1439
    options->handShakeDone  = exp[idx++];
1440
    options->minDowngrade   = exp[idx++];
1441
    options->connectState   = exp[idx++];
1442
    options->acceptState    = exp[idx++];
1443
    options->asyncState     = exp[idx++];
1444
1445
    if (type == WOLFSSL_EXPORT_TLS) {
1446
#ifdef HAVE_ENCRYPT_THEN_MAC
1447
        options->disallowEncThenMac = exp[idx++];
1448
        options->encThenMac         = exp[idx++];
1449
        options->startedETMRead     = exp[idx++];
1450
        options->startedETMWrite    = exp[idx++];
1451
#else
1452
        idx++;
1453
        idx++;
1454
        idx++;
1455
        idx++;
1456
#endif
1457
    }
1458
1459
    /* version of connection */
1460
    if (ssl->version.major != exp[idx++] || ssl->version.minor != exp[idx++]) {
1461
        WOLFSSL_MSG("Version mismatch ie DTLS v1 vs v1.2");
1462
        return VERSION_ERROR;
1463
    }
1464
1465
    /* set TLS 1.3 flag in options if this was a TLS 1.3 connection */
1466
    if (ssl->version.major == SSLv3_MAJOR &&
1467
            ssl->version.minor == TLSv1_3_MINOR) {
1468
        options->tls1_3 = 1;
1469
    }
1470
1471
    return idx;
1472
}
1473
1474
1475
#ifndef WOLFSSL_SESSION_EXPORT_NOPEER
1476
static int ExportPeerInfo(WOLFSSL* ssl, byte* exp, word32 len, byte ver)
1477
{
1478
    int    idx  = 0;
1479
    int    ipSz = MAX_EXPORT_IP; /* start as max size */
1480
    int    fam  = 0;
1481
    word16 port = 0;
1482
    char   ip[MAX_EXPORT_IP];
1483
1484
    if (ver != WOLFSSL_EXPORT_VERSION) {
1485
        WOLFSSL_MSG("Export version not supported");
1486
        return BAD_FUNC_ARG;
1487
    }
1488
1489
    if (ssl == NULL || exp == NULL ||
1490
            len < (sizeof(ip) + 3 * WOLFSSL_EXPORT_LEN)) {
1491
        return BAD_FUNC_ARG;
1492
    }
1493
1494
    if (ssl->ctx->CBGetPeer == NULL) {
1495
        WOLFSSL_MSG("No get peer call back set");
1496
        return BAD_FUNC_ARG;
1497
    }
1498
    if (ssl->ctx->CBGetPeer(ssl, ip, &ipSz, &port, &fam) != WOLFSSL_SUCCESS) {
1499
        WOLFSSL_MSG("Get peer callback error");
1500
        return SOCKET_ERROR_E;
1501
    }
1502
1503
    /* check that ipSz/fam is not negative or too large since user can set cb */
1504
    if (ipSz < 0 || ipSz > MAX_EXPORT_IP || fam < 0) {
1505
        WOLFSSL_MSG("Bad ipSz or fam returned from get peer callback");
1506
        return SOCKET_ERROR_E;
1507
    }
1508
1509
    c16toa((word16)fam, exp + idx);  idx += WOLFSSL_EXPORT_LEN;
1510
    c16toa((word16)ipSz, exp + idx); idx += WOLFSSL_EXPORT_LEN;
1511
    XMEMCPY(exp + idx, ip, ipSz);    idx += ipSz;
1512
    c16toa(port, exp + idx);         idx += WOLFSSL_EXPORT_LEN;
1513
1514
    return idx;
1515
}
1516
#endif /* !WOLFSSL_SESSION_EXPORT_NOPEER */
1517
1518
1519
static int ImportPeerInfo(WOLFSSL* ssl, const byte* buf, word32 len, byte ver)
1520
{
1521
    word16 idx = 0;
1522
    word16 ipSz;
1523
    word16 fam;
1524
    word16 port;
1525
    char   ip[MAX_EXPORT_IP];
1526
1527
    if (ver != WOLFSSL_EXPORT_VERSION && ver != WOLFSSL_EXPORT_VERSION_3) {
1528
        WOLFSSL_MSG("Export version not supported");
1529
        return BAD_FUNC_ARG;
1530
    }
1531
1532
    if (len == 0) {
1533
        WOLFSSL_MSG("No peer info sent");
1534
        return 0;
1535
    }
1536
1537
    if (ssl == NULL || buf == NULL || len < 3 * WOLFSSL_EXPORT_LEN) {
1538
        return BAD_FUNC_ARG;
1539
    }
1540
1541
    /* import sin family */
1542
    ato16(buf + idx, &fam); idx += WOLFSSL_EXPORT_LEN;
1543
1544
    /* import ip address idx, and ipSz are unsigned but cast for enum */
1545
    ato16(buf + idx, &ipSz); idx += WOLFSSL_EXPORT_LEN;
1546
    if (ipSz >= sizeof(ip) || (word16)(idx + ipSz + WOLFSSL_EXPORT_LEN) > len) {
1547
        return BUFFER_E;
1548
    }
1549
    XMEMSET(ip, 0, sizeof(ip));
1550
    XMEMCPY(ip, buf + idx, ipSz); idx += ipSz;
1551
    ip[ipSz] = '\0'; /* with check that ipSz less than ip this is valid */
1552
    ato16(buf + idx, &port); idx += WOLFSSL_EXPORT_LEN;
1553
1554
    /* sanity check for a function to call, then use it to import peer info */
1555
    if (ssl->ctx->CBSetPeer == NULL) {
1556
        WOLFSSL_MSG("No set peer function");
1557
        return BAD_FUNC_ARG;
1558
    }
1559
    if (ssl->ctx->CBSetPeer(ssl, ip, ipSz, port, fam) != WOLFSSL_SUCCESS) {
1560
        WOLFSSL_MSG("Error setting peer info");
1561
        return SOCKET_ERROR_E;
1562
    }
1563
1564
    return idx;
1565
}
1566
1567
1568
#ifdef WOLFSSL_DTLS
1569
/* WOLFSSL_LOCAL function that serializes the current WOLFSSL session state only
1570
 * buf is used to hold the serialized WOLFSSL struct and sz is the size of buf
1571
 * passed in.
1572
 * On success returns the size of serialized session state.*/
1573
int wolfSSL_dtls_export_state_internal(WOLFSSL* ssl, byte* buf, word32 sz)
1574
{
1575
    int ret;
1576
    word32 idx      = 0;
1577
    word32 totalLen = 0;
1578
1579
    WOLFSSL_ENTER("wolfSSL_dtls_export_state_internal");
1580
1581
    if (buf == NULL || ssl == NULL) {
1582
        WOLFSSL_LEAVE("wolfSSL_dtls_export_state_internal", BAD_FUNC_ARG);
1583
        return BAD_FUNC_ARG;
1584
    }
1585
1586
    totalLen += WOLFSSL_EXPORT_LEN * 2; /* 2 protocol bytes and 2 length bytes */
1587
    /* each of the following have a 2 byte length before data */
1588
    totalLen += WOLFSSL_EXPORT_LEN + DTLS_EXPORT_MIN_KEY_SZ;
1589
    if (totalLen > sz) {
1590
        WOLFSSL_LEAVE("wolfSSL_dtls_export_state_internal", BUFFER_E);
1591
        return BUFFER_E;
1592
    }
1593
1594
    buf[idx++] =  (byte)DTLS_EXPORT_STATE_PRO;
1595
    buf[idx++] = ((byte)DTLS_EXPORT_STATE_PRO & 0xF0) |
1596
                 ((byte)WOLFSSL_EXPORT_VERSION & 0X0F);
1597
    idx += WOLFSSL_EXPORT_LEN; /* leave room for total length */
1598
1599
    /* export keys struct and dtls state -- variable length stored in ret */
1600
    idx += WOLFSSL_EXPORT_LEN; /* leave room for length */
1601
    if ((ret = ExportKeyState(ssl, buf + idx, sz - idx,
1602
                    WOLFSSL_EXPORT_VERSION, 1, WOLFSSL_EXPORT_DTLS)) < 0) {
1603
        WOLFSSL_LEAVE("wolfSSL_dtls_export_state_internal", ret);
1604
        return ret;
1605
    }
1606
    c16toa((word16)ret, buf + idx - WOLFSSL_EXPORT_LEN); idx += ret;
1607
1608
    /* place total length of exported buffer minus 2 bytes protocol/version */
1609
    c16toa((word16)(idx - WOLFSSL_EXPORT_LEN), buf + WOLFSSL_EXPORT_LEN);
1610
1611
#ifdef WOLFSSL_SESSION_EXPORT_DEBUG
1612
    /* if compiled with debug options then print the version, protocol, size */
1613
    {
1614
        char debug[256];
1615
        XSNPRINTF(debug, sizeof(debug), "Exporting DTLS session state\n"
1616
                   "\tVersion  : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n"
1617
               , (int)WOLFSSL_EXPORT_VERSION, buf[0], (buf[1] >> 4), idx - 2);
1618
        WOLFSSL_MSG(debug);
1619
    }
1620
#endif /* WOLFSSL_SESSION_EXPORT_DEBUG */
1621
1622
    WOLFSSL_LEAVE("wolfSSL_dtls_export_state_internal", idx);
1623
    return idx;
1624
}
1625
1626
1627
/* On success return amount of buffer consumed */
1628
int wolfSSL_dtls_import_state_internal(WOLFSSL* ssl, const byte* buf, word32 sz)
1629
{
1630
    word32 idx    = 0;
1631
    word16 length = 0;
1632
    int version;
1633
    int ret;
1634
1635
    WOLFSSL_ENTER("wolfSSL_dtls_import_state_internal");
1636
    /* check at least enough room for protocol and length */
1637
    if (sz < WOLFSSL_EXPORT_LEN * 2 || ssl == NULL) {
1638
        WOLFSSL_LEAVE("wolfSSL_dtls_import_state_internal", BAD_FUNC_ARG);
1639
        return BAD_FUNC_ARG;
1640
    }
1641
1642
    if (buf[idx++] !=  (byte)DTLS_EXPORT_STATE_PRO ||
1643
            (buf[idx] & 0xF0) != ((byte)DTLS_EXPORT_PRO & 0xF0)) {
1644
        WOLFSSL_MSG("Incorrect protocol");
1645
        return BAD_FUNC_ARG;
1646
    }
1647
    version = buf[idx++] & 0x0F;
1648
1649
    ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
1650
    if (length > sz - WOLFSSL_EXPORT_LEN) { /* subtract 2 for protocol */
1651
        WOLFSSL_MSG("Buffer size sanity check failed");
1652
        return BUFFER_E;
1653
    }
1654
1655
#ifdef WOLFSSL_SESSION_EXPORT_DEBUG
1656
    /* if compiled with debug options then print the version, protocol, size */
1657
    {
1658
        char debug[256];
1659
        XSNPRINTF(debug, sizeof(debug), "Importing DTLS session state\n"
1660
                   "\tVersion  : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n"
1661
               , (int)version, buf[0], (buf[1] >> 4), length);
1662
        WOLFSSL_MSG(debug);
1663
    }
1664
#endif /* WOLFSSL_SESSION_EXPORT_DEBUG */
1665
1666
    /* perform sanity checks and extract Options information used */
1667
    switch (version) {
1668
        case WOLFSSL_EXPORT_VERSION:
1669
            break;
1670
1671
        default:
1672
            WOLFSSL_MSG("Bad export state version");
1673
            return BAD_FUNC_ARG;
1674
1675
    }
1676
1677
    /* perform sanity checks and extract Keys struct */
1678
    if (WOLFSSL_EXPORT_LEN + idx > sz) {
1679
        WOLFSSL_MSG("Import Key struct error");
1680
        return BUFFER_E;
1681
    }
1682
    ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
1683
    if (length > DTLS_EXPORT_KEY_SZ || length + idx > sz) {
1684
        WOLFSSL_MSG("Import Key struct error");
1685
        return BUFFER_E;
1686
    }
1687
    if ((ret = ImportKeyState(ssl, buf + idx, length, version,
1688
                    WOLFSSL_EXPORT_DTLS)) < 0) {
1689
        WOLFSSL_MSG("Import Key struct error");
1690
        WOLFSSL_LEAVE("wolfSSL_dtls_import_state_internal", ret);
1691
        return ret;
1692
    }
1693
    idx += ret;
1694
1695
    WOLFSSL_LEAVE("wolfSSL_dtls_import_state_internal", ret);
1696
    return idx;
1697
}
1698
#endif /* WOLFSSL_DTLS */
1699
1700
1701
/**
1702
 * Imports a serialized buffer (both TLS and DTLS)
1703
 *
1704
 * @param ssl WOLFSSL structure to import into
1705
 * @param buf buffer containing serialized session
1706
 * @param sz  size of buffer 'buf'
1707
 * @param type flag for TLS or DTLS
1708
 *
1709
 * @return the size of serialized buffer on success
1710
 */
1711
int wolfSSL_session_import_internal(WOLFSSL* ssl, const unsigned char* buf,
1712
        unsigned int sz, int type)
1713
{
1714
    word32 idx    = 0;
1715
    word16 length = 0;
1716
    int version   = 0;
1717
    int ret = 0;
1718
    int optSz = 0;
1719
    int rc;
1720
    byte validProto = 0; /* did we find a valid protocol */
1721
1722
    WOLFSSL_ENTER("wolfSSL_session_import_internal");
1723
    /* check at least enough room for protocol and length */
1724
    if (sz < WOLFSSL_EXPORT_LEN * 2 || ssl == NULL) {
1725
        ret = BAD_FUNC_ARG;
1726
    }
1727
1728
    /* Check if is TLS export protocol */
1729
    if (ret == 0) {
1730
        if (buf[idx]             ==  (byte)TLS_EXPORT_PRO &&
1731
           (buf[idx + 1] & 0xF0) == ((byte)TLS_EXPORT_PRO & 0xF0)) {
1732
            validProto = 1;
1733
        }
1734
1735
        /* Check if is DTLS export protocol */
1736
        if (buf[idx]             ==  (byte)DTLS_EXPORT_PRO &&
1737
           (buf[idx + 1] & 0xF0) == ((byte)DTLS_EXPORT_PRO & 0xF0)) {
1738
            validProto = 1;
1739
        }
1740
1741
        if (validProto == 0) {
1742
        #ifdef WOLFSSL_DTLS
1743
            /* check if importing state only */
1744
            return wolfSSL_dtls_import_state_internal(ssl, buf, sz);
1745
        #else
1746
            WOLFSSL_MSG("Invalid serialized session protocol value");
1747
            ret = BAD_FUNC_ARG;
1748
        #endif
1749
        }
1750
        idx += 1;
1751
    }
1752
1753
    if (ret == 0) {
1754
        version = buf[idx++] & 0x0F;
1755
        ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
1756
        if (length > sz - WOLFSSL_EXPORT_LEN) { /* subtract 2 for protocol */
1757
            ret = BUFFER_E;
1758
        }
1759
    }
1760
1761
    /* if compiled with debug options then print the version, protocol, size */
1762
#ifdef WOLFSSL_SESSION_EXPORT_DEBUG
1763
    {
1764
        char debug[256];
1765
        XSNPRINTF(debug, sizeof(debug), "Importing DTLS session\n"
1766
                   "\tVersion  : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n"
1767
               , (int)version, buf[0], (buf[1] >> 4), length);
1768
        WOLFSSL_MSG(debug);
1769
    }
1770
#endif /* WOLFSSL_SESSION_EXPORT_DEBUG */
1771
1772
    /* perform sanity checks and extract Options information used */
1773
    if (ret == 0) {
1774
        switch (version) {
1775
            case WOLFSSL_EXPORT_VERSION:
1776
                if (type == WOLFSSL_EXPORT_DTLS) {
1777
                    optSz = DTLS_EXPORT_OPT_SZ;
1778
                }
1779
                else {
1780
                    optSz = TLS_EXPORT_OPT_SZ;
1781
                }
1782
                break;
1783
1784
            case WOLFSSL_EXPORT_VERSION_3:
1785
                WOLFSSL_MSG("Importing older version 3");
1786
                optSz = DTLS_EXPORT_OPT_SZ_3;
1787
                break;
1788
1789
            default:
1790
                WOLFSSL_MSG("Bad export version");
1791
                ret = BAD_FUNC_ARG;
1792
        }
1793
    }
1794
1795
    if (ret == 0 && (WOLFSSL_EXPORT_LEN + optSz + idx > sz)) {
1796
        WOLFSSL_MSG("Import Options struct error");
1797
        ret = BUFFER_E;
1798
    }
1799
1800
    if (ret == 0) {
1801
        ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
1802
        if (length != optSz) {
1803
            WOLFSSL_MSG("Import Options struct error");
1804
            ret = BUFFER_E;
1805
        }
1806
    }
1807
1808
    if (ret == 0) {
1809
        rc = ImportOptions(ssl, buf + idx, length, version, type);
1810
        if (rc < 0) {
1811
            WOLFSSL_MSG("Import Options struct error");
1812
            ret = rc;
1813
        }
1814
        else {
1815
            idx += length;
1816
        }
1817
    }
1818
1819
    /* perform sanity checks and extract Keys struct */
1820
    if (ret == 0 && (WOLFSSL_EXPORT_LEN + idx > sz)) {
1821
        WOLFSSL_MSG("Import Key struct error");
1822
        ret = BUFFER_E;
1823
    }
1824
1825
    if (ret == 0) {
1826
        ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
1827
        if (length > DTLS_EXPORT_KEY_SZ || length + idx > sz) {
1828
            WOLFSSL_MSG("Import Key struct error");
1829
            ret = BUFFER_E;
1830
        }
1831
    }
1832
1833
    if (ret == 0) {
1834
        rc = ImportKeyState(ssl, buf + idx, length, version, type);
1835
        if (rc < 0) {
1836
            WOLFSSL_MSG("Import Key struct error");
1837
            ret = rc;
1838
        }
1839
        else {
1840
            idx += rc;
1841
        }
1842
    }
1843
1844
    /* perform sanity checks and extract CipherSpecs struct */
1845
    if (ret == 0 && (WOLFSSL_EXPORT_LEN + WOLFSSL_EXPORT_SPC_SZ + idx > sz)) {
1846
        WOLFSSL_MSG("Import CipherSpecs struct error");
1847
        ret = BUFFER_E;
1848
    }
1849
1850
    if (ret == 0) {
1851
        ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
1852
        if (length != WOLFSSL_EXPORT_SPC_SZ) {
1853
            WOLFSSL_MSG("Import CipherSpecs struct error");
1854
            ret = BUFFER_E;
1855
        }
1856
    }
1857
1858
    if (ret == 0) {
1859
        rc = ImportCipherSpecState(ssl, buf + idx, length, version, type);
1860
        if (rc < 0) {
1861
            WOLFSSL_MSG("Import CipherSpecs struct error");
1862
            ret = rc;
1863
        }
1864
        else {
1865
            idx += rc;
1866
        }
1867
    }
1868
1869
    /* perform sanity checks and extract DTLS peer info */
1870
    if (ret == 0 && (WOLFSSL_EXPORT_LEN + idx > sz)) {
1871
        WOLFSSL_MSG("Import DTLS peer info error");
1872
        ret = BUFFER_E;
1873
    }
1874
1875
    if (ret == 0) {
1876
        ato16(buf + idx, &length); idx += WOLFSSL_EXPORT_LEN;
1877
        if (idx + length > sz) {
1878
            WOLFSSL_MSG("Import DTLS peer info error");
1879
            ret = BUFFER_E;
1880
        }
1881
    }
1882
1883
    if (ret == 0) {
1884
        rc = ImportPeerInfo(ssl, buf + idx, length, version);
1885
        if (rc < 0) {
1886
            WOLFSSL_MSG("Import Peer Addr error");
1887
            ret = rc;
1888
        }
1889
        else {
1890
            idx += rc;
1891
        }
1892
    }
1893
1894
    /* make sure is a valid suite used */
1895
    if (ret == 0 && wolfSSL_get_cipher(ssl) == NULL) {
1896
        WOLFSSL_MSG("Can not match cipher suite imported");
1897
        ret = MATCH_SUITE_ERROR;
1898
    }
1899
1900
#ifndef WOLFSSL_AEAD_ONLY
1901
    /* set hmac function to use when verifying */
1902
    if (ret == 0 && (ssl->options.tls == 1 || ssl->options.tls1_1 == 1 ||
1903
                     ssl->options.dtls == 1)) {
1904
    #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
1905
        !defined(WOLFSSL_RENESAS_TSIP_TLS)
1906
        ssl->hmac = TLS_hmac;
1907
    #else
1908
        ssl->hmac = Renesas_cmn_TLS_hmac;
1909
    #endif
1910
    }
1911
1912
    /* do not allow stream ciphers with DTLS, except for NULL cipher */
1913
    if (ret == 0 && ssl->specs.cipher_type == stream &&
1914
        ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
1915
        WOLFSSL_MSG("Can not import stream ciphers for DTLS");
1916
        ret = SANITY_CIPHER_E;
1917
    }
1918
#endif /* !WOLFSSL_AEAD_ONLY */
1919
1920
    if (ret != 0) {
1921
        idx = ret;
1922
    }
1923
    WOLFSSL_LEAVE("wolfSSL_session_import_internal", idx);
1924
    return idx;
1925
}
1926
1927
1928
/**
1929
 * Handles serializing the session information.
1930
 *
1931
 * @param ssl WOLFSSL structure to serialize session from
1932
 * @param buf output buffer to hold serialized session
1933
 * @param sz  the size of buffer 'buf', if too small then gets updated
1934
 * @param type if the input WOLFSSL structure is expected to be TLS or DTLS
1935
 *              1 for yes is TLS and 0 for no is DTLS
1936
 *
1937
 * @return the size of serialized buffer on success and negative values on fail
1938
 */
1939
int wolfSSL_session_export_internal(WOLFSSL* ssl, byte* buf, word32* sz,
1940
        int type)
1941
{
1942
    int ret = 0;
1943
    word32 idx      = 0;
1944
    word32 totalLen = 0;
1945
1946
    WOLFSSL_ENTER("wolfSSL_session_export_internal");
1947
1948
    if (ssl == NULL) {
1949
        WOLFSSL_MSG("unexpected null argument");
1950
        ret = BAD_FUNC_ARG;
1951
    }
1952
1953
    if (ret == 0) {
1954
        totalLen += WOLFSSL_EXPORT_LEN * 2; /* 2 protocol bytes and 2 length bytes */
1955
        /* each of the following have a 2 byte length before data */
1956
        totalLen += WOLFSSL_EXPORT_LEN + DTLS_EXPORT_OPT_SZ;
1957
        totalLen += WOLFSSL_EXPORT_LEN + DTLS_EXPORT_KEY_SZ;
1958
        totalLen += WOLFSSL_EXPORT_LEN + WOLFSSL_EXPORT_SPC_SZ;
1959
        #ifdef WOLFSSL_DTLS
1960
        if (type == WOLFSSL_EXPORT_DTLS) {
1961
            totalLen += WOLFSSL_EXPORT_LEN + ssl->buffers.dtlsCtx.peer.sz;
1962
        }
1963
        #endif
1964
    }
1965
1966
    /* check is at least the minimum size needed, TLS cipher states add more */
1967
    if (ret == 0 && (totalLen > *sz || buf == NULL)) {
1968
        WOLFSSL_MSG("export buffer was too small or null");
1969
        *sz = totalLen;
1970
1971
        /* possible AES state needed */
1972
        if (type == WOLFSSL_EXPORT_TLS) {
1973
            *sz += AES_BLOCK_SIZE*2;
1974
        }
1975
        ret = LENGTH_ONLY_E;
1976
    }
1977
1978
    if (ret == 0) {
1979
        buf[idx++] =  (byte)(type == WOLFSSL_EXPORT_TLS)? TLS_EXPORT_PRO :
1980
                    DTLS_EXPORT_PRO;
1981
        buf[idx++] = ((byte)((type == WOLFSSL_EXPORT_TLS)? TLS_EXPORT_PRO :
1982
                    DTLS_EXPORT_PRO) & 0xF0)
1983
                    | ((byte)WOLFSSL_EXPORT_VERSION & 0X0F);
1984
1985
        idx += WOLFSSL_EXPORT_LEN; /* leave spot for length of total buffer  */
1986
1987
        idx += WOLFSSL_EXPORT_LEN;
1988
        ret = ExportOptions(ssl, buf + idx, *sz - idx, WOLFSSL_EXPORT_VERSION,
1989
                type);
1990
        if (ret >= 0) {
1991
            c16toa((word16)ret, buf + idx - WOLFSSL_EXPORT_LEN);
1992
            idx += ret;
1993
            ret  = 0;
1994
        }
1995
    }
1996
1997
    /* export keys struct and dtls state -- variable length stored in ret */
1998
    if (ret == 0) {
1999
        idx += WOLFSSL_EXPORT_LEN; /* leave room for length */
2000
        ret = ExportKeyState(ssl, buf + idx, *sz - idx, WOLFSSL_EXPORT_VERSION,
2001
                0, type);
2002
        if (ret >= 0) {
2003
            c16toa((word16)ret, buf + idx - WOLFSSL_EXPORT_LEN); idx += ret;
2004
            ret = 0;
2005
        }
2006
    }
2007
2008
    /* export of cipher specs struct */
2009
    if (ret == 0) {
2010
        c16toa((word16)WOLFSSL_EXPORT_SPC_SZ, buf + idx);
2011
        idx += WOLFSSL_EXPORT_LEN;
2012
        ret = ExportCipherSpecState(ssl, buf + idx, *sz - idx,
2013
                                                 WOLFSSL_EXPORT_VERSION, type);
2014
        if (ret >= 0) {
2015
            idx += ret;
2016
            ret  = 0;
2017
        }
2018
    }
2019
2020
    /* export of peer information */
2021
    if (ret == 0) {
2022
        idx += WOLFSSL_EXPORT_LEN;
2023
    #ifdef WOLFSSL_SESSION_EXPORT_NOPEER
2024
        ret = 0; /* not saving peer port/ip information */
2025
    #else
2026
        ret = ExportPeerInfo(ssl, buf + idx, *sz - idx, WOLFSSL_EXPORT_VERSION);
2027
    #endif
2028
        if (ret >= 0) {
2029
            c16toa(ret, buf + idx - WOLFSSL_EXPORT_LEN);
2030
            idx += ret;
2031
            ret  = 0;
2032
        }
2033
    }
2034
2035
    if (ret != 0 && buf != NULL) {
2036
        /*in a fail case clear the buffer which could contain partial key info*/
2037
        XMEMSET(buf, 0, *sz);
2038
    }
2039
2040
    /* place total length of exported buffer minus 2 bytes protocol/version */
2041
    if (ret == 0) {
2042
        c16toa((word16)(idx - WOLFSSL_EXPORT_LEN), buf + WOLFSSL_EXPORT_LEN);
2043
        ret = idx;
2044
2045
    #ifdef WOLFSSL_SESSION_EXPORT_DEBUG
2046
        {
2047
            char debug[256];
2048
            XSNPRINTF(debug, sizeof(debug), "Exporting TLS session\n"
2049
                   "\tVersion  : %d\n\tProtocol : %02X%01X\n\tLength of: %d\n\n"
2050
                  ,(int)WOLFSSL_EXPORT_VERSION, buf[0], (buf[1] >> 4), idx - 2);
2051
            WOLFSSL_MSG(debug);
2052
        }
2053
    #endif /* WOLFSSL_SESSION_EXPORT_DEBUG */
2054
    }
2055
2056
    if (ret >= 0) {
2057
        *sz = ret;
2058
    }
2059
2060
    WOLFSSL_LEAVE("wolfSSL_session_export_internal", ret);
2061
    return ret;
2062
}
2063
#endif /* WOLFSSL_SESSION_EXPORT */
2064
2065
2066
void InitSSL_Method(WOLFSSL_METHOD* method, ProtocolVersion pv)
2067
0
{
2068
0
    method->version    = pv;
2069
0
    method->side       = WOLFSSL_CLIENT_END;
2070
0
    method->downgrade  = 0;
2071
0
}
2072
2073
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE) || \
2074
    defined(WOLFSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
2075
int InitSSL_Side(WOLFSSL* ssl, word16 side)
2076
0
{
2077
0
    if (ssl == NULL)
2078
0
        return BAD_FUNC_ARG;
2079
2080
    /* set side */
2081
0
    ssl->options.side = side;
2082
2083
    /* reset options that are side specific */
2084
0
#ifdef HAVE_ECC
2085
0
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
2086
0
        ssl->options.haveECDSAsig  = 1; /* always on client side */
2087
0
        ssl->options.haveECC = 1;       /* server turns on with ECC key cert */
2088
0
        ssl->options.haveStaticECC = 1; /* server can turn on by loading key */
2089
0
    }
2090
#elif defined(HAVE_ED25519) || defined(HAVE_ED448)
2091
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
2092
        ssl->options.haveECDSAsig  = 1; /* always on client side */
2093
        ssl->options.haveECC  = 1;      /* server turns on with ECC key cert */
2094
    }
2095
#endif
2096
#ifdef HAVE_PQC
2097
#ifdef HAVE_FALCON
2098
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
2099
        ssl->options.haveFalconSig  = 1; /* always on client side */
2100
    }
2101
#endif /* HAVE_FALCON */
2102
#ifdef HAVE_DILITHIUM
2103
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
2104
        ssl->options.haveDilithiumSig  = 1; /* always on client side */
2105
    }
2106
#endif /* HAVE_DILITHIUM */
2107
#endif /* HAVE_PQC */
2108
2109
0
#if defined(HAVE_EXTENDED_MASTER) && !defined(NO_WOLFSSL_CLIENT)
2110
0
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
2111
0
        if ((ssl->ctx->method->version.major == SSLv3_MAJOR) &&
2112
0
             (ssl->ctx->method->version.minor >= TLSv1_MINOR)) {
2113
0
            ssl->options.haveEMS = 1;
2114
0
        }
2115
    #ifdef WOLFSSL_DTLS
2116
        if (ssl->ctx->method->version.major == DTLS_MAJOR)
2117
            ssl->options.haveEMS = 1;
2118
    #endif /* WOLFSSL_DTLS */
2119
0
    }
2120
0
#endif /* HAVE_EXTENDED_MASTER && !NO_WOLFSSL_CLIENT */
2121
2122
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER)
2123
    if (ssl->options.dtls && ssl->options.side == WOLFSSL_SERVER_END) {
2124
        int ret;
2125
        ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0);
2126
        if (ret != 0) {
2127
            WOLFSSL_MSG("DTLS Cookie Secret error");
2128
            return ret;
2129
        }
2130
    }
2131
#endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */
2132
2133
0
    return InitSSL_Suites(ssl);
2134
0
}
2135
#endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */
2136
2137
/* Initialize SSL context, return 0 on success */
2138
int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
2139
0
{
2140
0
    int ret = 0;
2141
2142
0
    XMEMSET(ctx, 0, sizeof(WOLFSSL_CTX));
2143
2144
0
    ctx->method   = method;
2145
0
    ctx->refCount = 1;          /* so either CTX_free or SSL_free can release */
2146
0
    ctx->heap     = ctx;        /* defaults to self */
2147
0
    ctx->timeout  = WOLFSSL_SESSION_TIMEOUT;
2148
2149
#ifdef WOLFSSL_DTLS
2150
    if (method->version.major == DTLS_MAJOR) {
2151
        ctx->minDowngrade = WOLFSSL_MIN_DTLS_DOWNGRADE;
2152
    }
2153
    else
2154
#endif /* WOLFSSL_DTLS */
2155
0
    {
2156
        /* current default: TLSv1_MINOR */
2157
0
        ctx->minDowngrade = WOLFSSL_MIN_DOWNGRADE;
2158
0
    }
2159
2160
0
    if (wc_InitMutex(&ctx->countMutex) < 0) {
2161
0
        WOLFSSL_MSG("Mutex error on CTX init");
2162
0
        ctx->err = CTX_INIT_MUTEX_E;
2163
0
        WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
2164
0
        return BAD_MUTEX_E;
2165
0
    }
2166
2167
0
#ifndef NO_CERTS
2168
0
    ctx->privateKeyDevId = INVALID_DEVID;
2169
0
#endif
2170
2171
0
#ifndef NO_DH
2172
0
    ctx->minDhKeySz  = MIN_DHKEY_SZ;
2173
0
    ctx->maxDhKeySz  = MAX_DHKEY_SZ;
2174
0
#endif
2175
0
#ifndef NO_RSA
2176
0
    ctx->minRsaKeySz = MIN_RSAKEY_SZ;
2177
0
#endif
2178
0
#ifdef HAVE_ECC
2179
0
    ctx->minEccKeySz  = MIN_ECCKEY_SZ;
2180
0
    ctx->eccTempKeySz = ECDHE_SIZE;
2181
0
#endif
2182
#ifdef HAVE_PQC
2183
#ifdef HAVE_FALCON
2184
    ctx->minFalconKeySz = MIN_FALCONKEY_SZ;
2185
#endif /* HAVE_FALCON */
2186
#ifdef HAVE_DILITHIUM
2187
    ctx->minDilithiumKeySz = MIN_DILITHIUMKEY_SZ;
2188
#endif /* HAVE_DILITHIUM */
2189
#endif /* HAVE_PQC */
2190
0
    ctx->verifyDepth = MAX_CHAIN_DEPTH;
2191
0
#ifdef OPENSSL_EXTRA
2192
0
    ctx->cbioFlag = WOLFSSL_CBIO_NONE;
2193
0
#endif
2194
2195
#ifdef HAVE_NETX
2196
    ctx->CBIORecv = NetX_Receive;
2197
    ctx->CBIOSend = NetX_Send;
2198
#elif defined(WOLFSSL_APACHE_MYNEWT) && !defined(WOLFSSL_LWIP)
2199
    ctx->CBIORecv = Mynewt_Receive;
2200
    ctx->CBIOSend = Mynewt_Send;
2201
#elif defined WOLFSSL_LWIP_NATIVE
2202
    ctx->CBIORecv = LwIPNativeReceive;
2203
    ctx->CBIOSend = LwIPNativeSend;
2204
#elif defined(WOLFSSL_GNRC)
2205
    ctx->CBIORecv = GNRC_ReceiveFrom;
2206
    ctx->CBIOSend = GNRC_SendTo;
2207
#elif defined WOLFSSL_ISOTP
2208
    ctx->CBIORecv = ISOTP_Receive;
2209
    ctx->CBIOSend = ISOTP_Send;
2210
#elif !defined(WOLFSSL_USER_IO)
2211
    #ifdef MICRIUM
2212
        ctx->CBIORecv = MicriumReceive;
2213
        ctx->CBIOSend = MicriumSend;
2214
        #ifdef WOLFSSL_DTLS
2215
            if (method->version.major == DTLS_MAJOR) {
2216
                ctx->CBIORecv   = MicriumReceiveFrom;
2217
                ctx->CBIOSend   = MicriumSendTo;
2218
            }
2219
            #ifdef WOLFSSL_SESSION_EXPORT
2220
                #error Micrium port does not support DTLS session export yet
2221
            #endif
2222
        #endif
2223
    #elif defined WOLFSSL_UIP
2224
        ctx->CBIORecv = uIPReceive;
2225
        ctx->CBIOSend = uIPSend;
2226
        #ifdef WOLFSSL_DTLS
2227
        if (method->version.major == DTLS_MAJOR) {
2228
            ctx->CBIOSendTo = uIPSendTo;
2229
            ctx->CBIORecvFrom = uIPRecvFrom;
2230
        }
2231
        #endif
2232
    #else
2233
0
        ctx->CBIORecv = EmbedReceive;
2234
0
        ctx->CBIOSend = EmbedSend;
2235
        #ifdef WOLFSSL_SESSION_EXPORT
2236
            ctx->CBGetPeer = EmbedGetPeer;
2237
            ctx->CBSetPeer = EmbedSetPeer;
2238
        #endif
2239
        #ifdef WOLFSSL_DTLS
2240
            if (method->version.major == DTLS_MAJOR) {
2241
                ctx->CBIORecv   = EmbedReceiveFrom;
2242
                ctx->CBIOSend   = EmbedSendTo;
2243
            }
2244
        #endif
2245
0
    #endif /* MICRIUM */
2246
0
#endif /* WOLFSSL_USER_IO */
2247
2248
#ifdef HAVE_PQC
2249
#ifdef HAVE_FALCON
2250
    if (method->side == WOLFSSL_CLIENT_END)
2251
        ctx->haveFalconSig = 1;        /* always on client side */
2252
                                       /* server can turn on by loading key */
2253
#endif /* HAVE_FALCON */
2254
#ifdef HAVE_DILITHIUM
2255
    if (method->side == WOLFSSL_CLIENT_END)
2256
        ctx->haveDilithiumSig = 1;     /* always on client side */
2257
                                       /* server can turn on by loading key */
2258
#endif /* HAVE_DILITHIUM */
2259
#endif /* HAVE_PQC */
2260
0
#ifdef HAVE_ECC
2261
0
    if (method->side == WOLFSSL_CLIENT_END) {
2262
0
        ctx->haveECDSAsig  = 1;        /* always on client side */
2263
0
        ctx->haveECC  = 1;             /* server turns on with ECC key cert */
2264
0
        ctx->haveStaticECC = 1;        /* server can turn on by loading key */
2265
0
    }
2266
#elif defined(HAVE_ED25519) || defined(HAVE_ED448)
2267
    if (method->side == WOLFSSL_CLIENT_END) {
2268
        ctx->haveECDSAsig  = 1;        /* always on client side */
2269
        ctx->haveECC  = 1;             /* server turns on with ECC key cert */
2270
    }
2271
#endif
2272
2273
#ifdef WOLFSSL_QNX_CAAM
2274
    /* default to try using CAAM when built */
2275
    ctx->devId = WOLFSSL_CAAM_DEVID;
2276
#else
2277
0
    ctx->devId = INVALID_DEVID;
2278
0
#endif
2279
2280
#if defined(WOLFSSL_DTLS)
2281
    #ifdef WOLFSSL_SCTP
2282
        ctx->dtlsMtuSz = MAX_RECORD_SIZE;
2283
    #elif defined(WOLFSSL_DTLS_MTU)
2284
        ctx->dtlsMtuSz = MAX_MTU;
2285
    #endif
2286
#endif
2287
2288
0
#ifndef NO_CERTS
2289
0
    ctx->cm = wolfSSL_CertManagerNew_ex(heap);
2290
0
    if (ctx->cm == NULL) {
2291
0
        WOLFSSL_MSG("Bad Cert Manager New");
2292
0
        WOLFSSL_ERROR_VERBOSE(BAD_CERT_MANAGER_ERROR);
2293
0
        return BAD_CERT_MANAGER_ERROR;
2294
0
    }
2295
0
    #ifdef OPENSSL_EXTRA
2296
    /* setup WOLFSSL_X509_STORE */
2297
0
    ctx->x509_store.cm = ctx->cm;
2298
    /* set pointer back to x509 store */
2299
0
    ctx->cm->x509_store_p = &ctx->x509_store;
2300
2301
    /* WOLFSSL_X509_VERIFY_PARAM */
2302
0
    if ((ctx->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
2303
0
                           sizeof(WOLFSSL_X509_VERIFY_PARAM),
2304
0
                           heap, DYNAMIC_TYPE_OPENSSL)) == NULL) {
2305
0
        WOLFSSL_MSG("ctx->param memory error");
2306
0
        return MEMORY_E;
2307
0
    }
2308
0
    XMEMSET(ctx->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
2309
    /* WOLFSSL_X509_LOOKUP */
2310
0
    if ((ctx->x509_store.lookup.dirs =
2311
0
                            (WOLFSSL_BY_DIR*)XMALLOC(sizeof(WOLFSSL_BY_DIR),
2312
0
                            heap, DYNAMIC_TYPE_OPENSSL)) == NULL) {
2313
0
        WOLFSSL_MSG("ctx-x509_store.lookup.dir memory allocation error");
2314
0
        XFREE(ctx->param, heap, DYNAMIC_TYPE_OPENSSL);
2315
0
        ctx->param = NULL;
2316
0
        return MEMORY_E;
2317
0
    }
2318
0
    XMEMSET(ctx->x509_store.lookup.dirs, 0, sizeof(WOLFSSL_BY_DIR));
2319
0
    if (wc_InitMutex(&ctx->x509_store.lookup.dirs->lock) != 0) {
2320
0
        WOLFSSL_MSG("Bad mutex init");
2321
0
        XFREE(ctx->param, heap, DYNAMIC_TYPE_OPENSSL);
2322
0
        ctx->param = NULL;
2323
0
        XFREE(ctx->x509_store.lookup.dirs, heap, DYNAMIC_TYPE_OPENSSL);
2324
0
        ctx->x509_store.lookup.dirs = NULL;
2325
0
        WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
2326
0
        return BAD_MUTEX_E;
2327
0
    }
2328
0
    #endif
2329
0
#endif
2330
2331
0
#if defined(HAVE_EXTENDED_MASTER) && !defined(NO_WOLFSSL_CLIENT)
2332
0
    if (method->side == WOLFSSL_CLIENT_END) {
2333
0
        if ((method->version.major == SSLv3_MAJOR) &&
2334
0
             (method->version.minor >= TLSv1_MINOR)) {
2335
2336
0
            ctx->haveEMS = 1;
2337
0
        }
2338
#ifdef WOLFSSL_DTLS
2339
        if (method->version.major == DTLS_MAJOR)
2340
            ctx->haveEMS = 1;
2341
#endif /* WOLFSSL_DTLS */
2342
0
    }
2343
0
#endif /* HAVE_EXTENDED_MASTER && !NO_WOLFSSL_CLIENT */
2344
2345
0
#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER)
2346
0
#ifndef WOLFSSL_NO_DEF_TICKET_ENC_CB
2347
0
    ret = TicketEncCbCtx_Init(ctx, &ctx->ticketKeyCtx);
2348
0
    if (ret != 0) return ret;
2349
0
    ctx->ticketEncCb = DefTicketEncCb;
2350
0
    ctx->ticketEncCtx = (void*)&ctx->ticketKeyCtx;
2351
0
#endif
2352
0
    ctx->ticketHint = SESSION_TICKET_HINT_DEFAULT;
2353
0
#if defined(WOLFSSL_TLS13)
2354
0
    ctx->maxTicketTls13 = 1; /* default to sending a session ticket if compiled
2355
                                in */
2356
0
#endif
2357
0
#endif
2358
2359
#ifdef WOLFSSL_EARLY_DATA
2360
    ctx->maxEarlyDataSz = MAX_EARLY_DATA_SZ;
2361
#endif
2362
2363
#if defined(WOLFSSL_TLS13) && !defined(HAVE_SUPPORTED_CURVES)
2364
    ctx->noPskDheKe = 1;
2365
#endif
2366
2367
#if defined(WOLFSSL_QT) && !defined(NO_PSK)
2368
    /* Qt retrieves supported cipher list at initialization
2369
     * from get_cipher_compat().
2370
     * Qt doesn't allow to use a cipher if it is not in the supported list.
2371
     * Therefore, we need to enable PSK cipher at the beginning.
2372
     */
2373
    ctx->havePSK = 1;
2374
#endif
2375
0
    ctx->heap = heap; /* wolfSSL_CTX_load_static_memory sets */
2376
2377
#ifdef HAVE_WOLF_EVENT
2378
    ret = wolfEventQueue_Init(&ctx->event_queue);
2379
#endif /* HAVE_WOLF_EVENT */
2380
2381
0
    return ret;
2382
0
}
2383
2384
2385
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
2386
void wolfSSL_CRYPTO_cleanup_ex_data(WOLFSSL_CRYPTO_EX_DATA* ex_data)
2387
{
2388
    int n_ex_data = (int)(sizeof ex_data->ex_data / sizeof ex_data->ex_data[0]);
2389
    for (--n_ex_data; n_ex_data >= 0; --n_ex_data) {
2390
        if (ex_data->ex_data[n_ex_data] != NULL)
2391
            (void)wolfSSL_CRYPTO_set_ex_data_with_cleanup(ex_data, n_ex_data,
2392
                                                          NULL, NULL);
2393
    }
2394
}
2395
#endif /* HAVE_EX_DATA_CLEANUP_HOOKS */
2396
2397
/* In case contexts are held in array and don't want to free actual ctx. */
2398
2399
/* The allocations done in InitSSL_Ctx must be free'd with ctx->onHeapHint
2400
 * logic. A WOLFSSL_CTX can be assigned a static memory heap hint using
2401
 * wolfSSL_CTX_load_static_memory after CTX creation, which means variables
2402
 * allocated in InitSSL_Ctx were allocated from heap and should be free'd with
2403
 * a NULL heap hint. */
2404
void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
2405
0
{
2406
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && \
2407
                     defined(HAVE_TLS_EXTENSIONS) && !defined(NO_WOLFSSL_SERVER)
2408
    int i;
2409
#endif
2410
0
    void* heapAtCTXInit = ctx->heap;
2411
#ifdef WOLFSSL_STATIC_MEMORY
2412
    if (ctx->onHeapHint == 0) {
2413
        heapAtCTXInit = NULL;
2414
    }
2415
#endif
2416
2417
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
2418
    wolfSSL_CRYPTO_cleanup_ex_data(&ctx->ex_data);
2419
#endif
2420
2421
#ifdef HAVE_WOLF_EVENT
2422
    wolfEventQueue_Free(&ctx->event_queue);
2423
#endif /* HAVE_WOLF_EVENT */
2424
2425
0
    XFREE(ctx->method, heapAtCTXInit, DYNAMIC_TYPE_METHOD);
2426
0
    ctx->method = NULL;
2427
2428
0
    if (ctx->suites) {
2429
0
        XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES);
2430
0
        ctx->suites = NULL;
2431
0
    }
2432
2433
0
#ifndef NO_DH
2434
0
    XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
2435
0
    ctx->serverDH_G.buffer = NULL;
2436
0
    XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_PUBLIC_KEY);
2437
0
    ctx->serverDH_P.buffer = NULL;
2438
0
#endif /* !NO_DH */
2439
2440
#ifdef SINGLE_THREADED
2441
    if (ctx->rng) {
2442
        wc_FreeRng(ctx->rng);
2443
        XFREE(ctx->rng, ctx->heap, DYNAMIC_TYPE_RNG);
2444
        ctx->rng = NULL;
2445
    }
2446
#endif /* SINGLE_THREADED */
2447
2448
0
#ifndef NO_CERTS
2449
0
    if (ctx->privateKey != NULL && ctx->privateKey->buffer != NULL) {
2450
0
        ForceZero(ctx->privateKey->buffer, ctx->privateKey->length);
2451
0
    }
2452
0
    FreeDer(&ctx->privateKey);
2453
0
#ifdef OPENSSL_ALL
2454
0
    wolfSSL_EVP_PKEY_free(ctx->privateKeyPKey);
2455
0
#endif
2456
0
    FreeDer(&ctx->certificate);
2457
0
    #ifdef KEEP_OUR_CERT
2458
0
        if (ctx->ourCert && ctx->ownOurCert) {
2459
0
            wolfSSL_X509_free(ctx->ourCert);
2460
0
            ctx->ourCert = NULL;
2461
0
        }
2462
0
    #endif /* KEEP_OUR_CERT */
2463
0
    FreeDer(&ctx->certChain);
2464
0
    wolfSSL_CertManagerFree(ctx->cm);
2465
0
    ctx->cm = NULL;
2466
0
    #ifdef OPENSSL_ALL
2467
0
        if (ctx->x509_store.objs != NULL) {
2468
0
            wolfSSL_sk_X509_OBJECT_pop_free(ctx->x509_store.objs, NULL);
2469
0
            ctx->x509_store.objs = NULL;
2470
0
        }
2471
0
    #endif
2472
0
    #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || \
2473
0
        defined(WOLFSSL_WPAS_SMALL)
2474
0
        wolfSSL_X509_STORE_free(ctx->x509_store_pt);
2475
0
    #endif
2476
0
    #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
2477
0
        wolfSSL_sk_X509_NAME_pop_free(ctx->ca_names, NULL);
2478
0
        ctx->ca_names = NULL;
2479
0
    #endif
2480
0
    #ifdef OPENSSL_EXTRA
2481
0
        if (ctx->x509Chain) {
2482
0
            wolfSSL_sk_X509_pop_free(ctx->x509Chain, NULL);
2483
0
            ctx->x509Chain = NULL;
2484
0
        }
2485
0
    #endif
2486
0
#endif /* !NO_CERTS */
2487
2488
0
#ifdef HAVE_TLS_EXTENSIONS
2489
0
#if !defined(NO_TLS)
2490
0
    TLSX_FreeAll(ctx->extensions, ctx->heap);
2491
0
#endif /* !NO_TLS */
2492
0
#ifndef NO_WOLFSSL_SERVER
2493
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
2494
 || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
2495
    if (ctx->certOcspRequest) {
2496
        FreeOcspRequest(ctx->certOcspRequest);
2497
        XFREE(ctx->certOcspRequest, ctx->heap, DYNAMIC_TYPE_OCSP_REQUEST);
2498
    }
2499
#endif
2500
2501
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
2502
    for (i = 0; i < MAX_CHAIN_DEPTH; i++) {
2503
        if (ctx->chainOcspRequest[i]) {
2504
            FreeOcspRequest(ctx->chainOcspRequest[i]);
2505
            XFREE(ctx->chainOcspRequest[i], ctx->heap, DYNAMIC_TYPE_OCSP_REQUEST);
2506
            ctx->chainOcspRequest[i] = NULL;
2507
        }
2508
    }
2509
#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
2510
0
#endif /* !NO_WOLFSSL_SERVER */
2511
2512
0
#endif /* HAVE_TLS_EXTENSIONS */
2513
0
#ifdef OPENSSL_EXTRA
2514
0
    if (ctx->alpn_cli_protos) {
2515
0
        XFREE((void*)ctx->alpn_cli_protos, ctx->heap, DYNAMIC_TYPE_OPENSSL);
2516
0
        ctx->alpn_cli_protos = NULL;
2517
0
    }
2518
0
    if (ctx->param) {
2519
0
        XFREE(ctx->param, heapAtCTXInit, DYNAMIC_TYPE_OPENSSL);
2520
0
        ctx->param = NULL;
2521
0
    }
2522
2523
0
    if (ctx->x509_store.lookup.dirs) {
2524
0
#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
2525
0
        if (ctx->x509_store.lookup.dirs->dir_entry) {
2526
0
            wolfSSL_sk_BY_DIR_entry_free(ctx->x509_store.lookup.dirs->dir_entry);
2527
0
        }
2528
2529
0
#endif
2530
0
        wc_FreeMutex(&ctx->x509_store.lookup.dirs->lock);
2531
0
        XFREE(ctx->x509_store.lookup.dirs, heapAtCTXInit, DYNAMIC_TYPE_OPENSSL);
2532
0
    }
2533
0
#endif
2534
#ifdef WOLFSSL_STATIC_EPHEMERAL
2535
    #ifndef NO_DH
2536
    FreeDer(&ctx->staticKE.dhKey);
2537
    #endif
2538
    #ifdef HAVE_ECC
2539
    FreeDer(&ctx->staticKE.ecKey);
2540
    #endif
2541
    #ifdef HAVE_CURVE25519
2542
    FreeDer(&ctx->staticKE.x25519Key);
2543
    #endif
2544
    #ifdef HAVE_CURVE448
2545
    FreeDer(&ctx->staticKE.x448Key);
2546
    #endif
2547
    #ifndef SINGLE_THREADED
2548
    if (ctx->staticKELockInit) {
2549
        wc_FreeMutex(&ctx->staticKELock);
2550
        ctx->staticKELockInit = 0;
2551
    }
2552
    #endif
2553
#endif
2554
0
    (void)heapAtCTXInit;
2555
0
}
2556
2557
#ifdef WOLFSSL_STATIC_MEMORY
2558
static void SSL_CtxResourceFreeStaticMem(void* heap)
2559
{
2560
    if (heap != NULL
2561
    #ifdef WOLFSSL_HEAP_TEST
2562
        /* avoid dereferencing a test value */
2563
         && heap != (void*)WOLFSSL_HEAP_TEST
2564
    #endif
2565
    ) {
2566
        WOLFSSL_HEAP_HINT* hint = (WOLFSSL_HEAP_HINT*)heap;
2567
        WOLFSSL_HEAP*      mem  = hint->memory;
2568
        wc_FreeMutex(&mem->memory_mutex);
2569
    }
2570
}
2571
#endif /* WOLFSSL_STATIC_MEMORY */
2572
2573
void FreeSSL_Ctx(WOLFSSL_CTX* ctx)
2574
0
{
2575
0
    int refCount;
2576
0
    void* heap = ctx->heap;
2577
#ifdef WOLFSSL_STATIC_MEMORY
2578
    if (ctx->onHeapHint == 0) {
2579
        heap = NULL;
2580
    }
2581
#endif
2582
2583
    /* decrement CTX reference count */
2584
0
    if ((refCount = SSL_CTX_RefCount(ctx, -1)) < 0) {
2585
        /* check error state, if mutex error code then mutex init failed but
2586
         * CTX was still malloc'd */
2587
0
        if (ctx->err == CTX_INIT_MUTEX_E) {
2588
0
            SSL_CtxResourceFree(ctx);
2589
0
            XFREE(ctx, heap, DYNAMIC_TYPE_CTX);
2590
        #ifdef WOLFSSL_STATIC_MEMORY
2591
            SSL_CtxResourceFreeStaticMem(heap);
2592
        #endif
2593
0
        }
2594
0
        return;
2595
0
    }
2596
2597
0
    if (refCount == 0) {
2598
0
        WOLFSSL_MSG("CTX ref count down to 0, doing full free");
2599
2600
0
        SSL_CtxResourceFree(ctx);
2601
0
#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER) && \
2602
0
    !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
2603
0
        TicketEncCbCtx_Free(&ctx->ticketKeyCtx);
2604
0
#endif
2605
0
        wc_FreeMutex(&ctx->countMutex);
2606
0
        XFREE(ctx, heap, DYNAMIC_TYPE_CTX);
2607
    #ifdef WOLFSSL_STATIC_MEMORY
2608
        SSL_CtxResourceFreeStaticMem(heap);
2609
    #endif
2610
0
    }
2611
0
    else {
2612
0
        WOLFSSL_MSG("CTX ref count not 0 yet, no free");
2613
0
    }
2614
0
    (void)heap; /* not used in some builds */
2615
0
}
2616
2617
2618
/* Set cipher pointers to null */
2619
void InitCiphers(WOLFSSL* ssl)
2620
0
{
2621
0
#ifdef BUILD_ARC4
2622
0
    ssl->encrypt.arc4 = NULL;
2623
0
    ssl->decrypt.arc4 = NULL;
2624
0
#endif
2625
0
#ifdef BUILD_DES3
2626
0
    ssl->encrypt.des3 = NULL;
2627
0
    ssl->decrypt.des3 = NULL;
2628
0
#endif
2629
0
#ifdef BUILD_AES
2630
0
    ssl->encrypt.aes = NULL;
2631
0
    ssl->decrypt.aes = NULL;
2632
0
#endif
2633
0
#ifdef HAVE_CAMELLIA
2634
0
    ssl->encrypt.cam = NULL;
2635
0
    ssl->decrypt.cam = NULL;
2636
0
#endif
2637
0
#ifdef HAVE_CHACHA
2638
0
    ssl->encrypt.chacha = NULL;
2639
0
    ssl->decrypt.chacha = NULL;
2640
0
#endif
2641
0
#if defined(HAVE_POLY1305) && defined(HAVE_ONE_TIME_AUTH)
2642
0
    ssl->auth.poly1305 = NULL;
2643
0
#endif
2644
0
    ssl->encrypt.setup = 0;
2645
0
    ssl->decrypt.setup = 0;
2646
0
#ifdef HAVE_ONE_TIME_AUTH
2647
0
    ssl->auth.setup    = 0;
2648
0
#endif
2649
2650
#ifdef WOLFSSL_DTLS13
2651
    XMEMSET(&ssl->dtlsRecordNumberEncrypt, 0,
2652
        sizeof(ssl->dtlsRecordNumberEncrypt));
2653
    XMEMSET(&ssl->dtlsRecordNumberDecrypt, 0,
2654
         sizeof(ssl->dtlsRecordNumberEncrypt));
2655
#endif /* WOLFSSL_DTLS13 */
2656
2657
0
}
2658
2659
2660
/* Free ciphers */
2661
void FreeCiphers(WOLFSSL* ssl)
2662
0
{
2663
0
    (void)ssl;
2664
0
#ifdef BUILD_ARC4
2665
0
    wc_Arc4Free(ssl->encrypt.arc4);
2666
0
    wc_Arc4Free(ssl->decrypt.arc4);
2667
0
    XFREE(ssl->encrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER);
2668
0
    XFREE(ssl->decrypt.arc4, ssl->heap, DYNAMIC_TYPE_CIPHER);
2669
0
#endif
2670
0
#ifdef BUILD_DES3
2671
0
    wc_Des3Free(ssl->encrypt.des3);
2672
0
    wc_Des3Free(ssl->decrypt.des3);
2673
0
    XFREE(ssl->encrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER);
2674
0
    XFREE(ssl->decrypt.des3, ssl->heap, DYNAMIC_TYPE_CIPHER);
2675
0
#endif
2676
0
#if defined(BUILD_AES) || defined(BUILD_AESGCM) /* See: InitKeys() in keys.c
2677
                                                 * on addition of BUILD_AESGCM
2678
                                                 * check (enc->aes, dec->aes) */
2679
0
    wc_AesFree(ssl->encrypt.aes);
2680
0
    wc_AesFree(ssl->decrypt.aes);
2681
0
    #if (defined(BUILD_AESGCM) || defined(HAVE_AESCCM)) && \
2682
0
                                                      !defined(WOLFSSL_NO_TLS12)
2683
0
        XFREE(ssl->decrypt.additional, ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
2684
0
        XFREE(ssl->encrypt.additional, ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
2685
0
    #endif
2686
0
    XFREE(ssl->encrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
2687
0
    XFREE(ssl->decrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
2688
0
#endif
2689
0
#ifdef CIPHER_NONCE
2690
0
    XFREE(ssl->decrypt.nonce, ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
2691
0
    XFREE(ssl->encrypt.nonce, ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
2692
0
#endif
2693
0
#ifdef HAVE_CAMELLIA
2694
0
    XFREE(ssl->encrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER);
2695
0
    XFREE(ssl->decrypt.cam, ssl->heap, DYNAMIC_TYPE_CIPHER);
2696
0
#endif
2697
0
#ifdef HAVE_CHACHA
2698
0
    if (ssl->encrypt.chacha)
2699
0
        ForceZero(ssl->encrypt.chacha, sizeof(ChaCha));
2700
0
    if (ssl->decrypt.chacha)
2701
0
        ForceZero(ssl->decrypt.chacha, sizeof(ChaCha));
2702
0
    XFREE(ssl->encrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER);
2703
0
    XFREE(ssl->decrypt.chacha, ssl->heap, DYNAMIC_TYPE_CIPHER);
2704
0
#endif
2705
0
#if defined(HAVE_POLY1305) && defined(HAVE_ONE_TIME_AUTH)
2706
0
    if (ssl->auth.poly1305)
2707
0
        ForceZero(ssl->auth.poly1305, sizeof(Poly1305));
2708
0
    XFREE(ssl->auth.poly1305, ssl->heap, DYNAMIC_TYPE_CIPHER);
2709
0
#endif
2710
#if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER)
2711
    wc_HmacFree(ssl->encrypt.hmac);
2712
    wc_HmacFree(ssl->decrypt.hmac);
2713
    XFREE(ssl->encrypt.hmac, ssl->heap, DYNAMIC_TYPE_CIPHER);
2714
    XFREE(ssl->decrypt.hmac, ssl->heap, DYNAMIC_TYPE_CIPHER);
2715
#endif
2716
2717
#ifdef WOLFSSL_DTLS13
2718
#ifdef BUILD_AES
2719
    if (ssl->dtlsRecordNumberEncrypt.aes != NULL) {
2720
        wc_AesFree(ssl->dtlsRecordNumberEncrypt.aes);
2721
        XFREE(ssl->dtlsRecordNumberEncrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
2722
        ssl->dtlsRecordNumberEncrypt.aes = NULL;
2723
    }
2724
    if (ssl->dtlsRecordNumberDecrypt.aes != NULL) {
2725
        wc_AesFree(ssl->dtlsRecordNumberDecrypt.aes);
2726
        XFREE(ssl->dtlsRecordNumberDecrypt.aes, ssl->heap, DYNAMIC_TYPE_CIPHER);
2727
        ssl->dtlsRecordNumberDecrypt.aes = NULL;
2728
    }
2729
#endif /* BUILD_AES */
2730
#ifdef HAVE_CHACHA
2731
    XFREE(ssl->dtlsRecordNumberEncrypt.chacha,
2732
          ssl->heap, DYNAMIC_TYPE_CIPHER);
2733
    XFREE(ssl->dtlsRecordNumberDecrypt.chacha,
2734
          ssl->heap, DYNAMIC_TYPE_CIPHER);
2735
    ssl->dtlsRecordNumberEncrypt.chacha = NULL;
2736
    ssl->dtlsRecordNumberDecrypt.chacha = NULL;
2737
#endif /* HAVE_CHACHA */
2738
#endif /* WOLFSSL_DTLS13 */
2739
0
}
2740
2741
2742
void InitCipherSpecs(CipherSpecs* cs)
2743
0
{
2744
0
    XMEMSET(cs, 0, sizeof(CipherSpecs));
2745
2746
0
    cs->bulk_cipher_algorithm = INVALID_BYTE;
2747
0
    cs->cipher_type           = INVALID_BYTE;
2748
0
    cs->mac_algorithm         = INVALID_BYTE;
2749
0
    cs->kea                   = INVALID_BYTE;
2750
0
    cs->sig_algo              = INVALID_BYTE;
2751
0
}
2752
2753
#if defined(USE_ECDSA_KEYSZ_HASH_ALGO) || (defined(WOLFSSL_TLS13) && \
2754
                                                              defined(HAVE_ECC))
2755
static int GetMacDigestSize(byte macAlgo)
2756
0
{
2757
0
    switch (macAlgo) {
2758
0
    #ifndef NO_SHA
2759
0
        case sha_mac:
2760
0
            return WC_SHA_DIGEST_SIZE;
2761
0
    #endif
2762
0
    #ifndef NO_SHA256
2763
0
        case sha256_mac:
2764
0
            return WC_SHA256_DIGEST_SIZE;
2765
0
    #endif
2766
0
    #ifdef WOLFSSL_SHA384
2767
0
        case sha384_mac:
2768
0
            return WC_SHA384_DIGEST_SIZE;
2769
0
    #endif
2770
0
    #ifdef WOLFSSL_SHA512
2771
0
        case sha512_mac:
2772
0
            return WC_SHA512_DIGEST_SIZE;
2773
0
    #endif
2774
0
        default:
2775
0
            break;
2776
0
    }
2777
0
    return NOT_COMPILED_IN;
2778
0
}
2779
#endif /* USE_ECDSA_KEYSZ_HASH_ALGO */
2780
2781
static WC_INLINE void AddSuiteHashSigAlgo(Suites* suites, byte macAlgo,
2782
    byte sigAlgo, int keySz, word16* inOutIdx)
2783
0
{
2784
0
    int addSigAlgo = 1;
2785
2786
#ifdef USE_ECDSA_KEYSZ_HASH_ALGO
2787
    if (sigAlgo == ecc_dsa_sa_algo) {
2788
        int digestSz = GetMacDigestSize(macAlgo);
2789
        /* do not add sig/algos with digest size larger than key size */
2790
        if (digestSz <= 0 || (keySz > 0 && digestSz > keySz)) {
2791
            addSigAlgo = 0;
2792
        }
2793
    }
2794
#else
2795
0
    (void)keySz;
2796
0
#endif /* USE_ECDSA_KEYSZ_HASH_ALGO */
2797
2798
0
    if (addSigAlgo) {
2799
0
    #ifdef HAVE_ED25519
2800
0
        if (sigAlgo == ed25519_sa_algo) {
2801
0
            suites->hashSigAlgo[*inOutIdx] = ED25519_SA_MAJOR;
2802
0
            *inOutIdx += 1;
2803
0
            suites->hashSigAlgo[*inOutIdx] = ED25519_SA_MINOR;
2804
0
            *inOutIdx += 1;
2805
0
        }
2806
0
        else
2807
0
    #endif
2808
0
    #ifdef HAVE_ED448
2809
0
        if (sigAlgo == ed448_sa_algo) {
2810
0
            suites->hashSigAlgo[*inOutIdx] = ED448_SA_MAJOR;
2811
0
            *inOutIdx += 1;
2812
0
            suites->hashSigAlgo[*inOutIdx] = ED448_SA_MINOR;
2813
0
            *inOutIdx += 1;
2814
0
        }
2815
0
        else
2816
0
    #endif
2817
    #ifdef HAVE_PQC
2818
    #ifdef HAVE_FALCON
2819
        if (sigAlgo == falcon_level1_sa_algo) {
2820
            suites->hashSigAlgo[*inOutIdx] = FALCON_LEVEL1_SA_MAJOR;
2821
            *inOutIdx += 1;
2822
            suites->hashSigAlgo[*inOutIdx] = FALCON_LEVEL1_SA_MINOR;
2823
            *inOutIdx += 1;
2824
        }
2825
        else
2826
        if (sigAlgo == falcon_level5_sa_algo) {
2827
            suites->hashSigAlgo[*inOutIdx] = FALCON_LEVEL5_SA_MAJOR;
2828
            *inOutIdx += 1;
2829
            suites->hashSigAlgo[*inOutIdx] = FALCON_LEVEL5_SA_MINOR;
2830
            *inOutIdx += 1;
2831
        }
2832
        else
2833
    #endif /* HAVE_FALCON */
2834
    #ifdef HAVE_DILITHIUM
2835
        if (sigAlgo == dilithium_level2_sa_algo) {
2836
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_LEVEL2_SA_MAJOR;
2837
            *inOutIdx += 1;
2838
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_LEVEL2_SA_MINOR;
2839
            *inOutIdx += 1;
2840
        }
2841
        else
2842
        if (sigAlgo == dilithium_level3_sa_algo) {
2843
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_LEVEL3_SA_MAJOR;
2844
            *inOutIdx += 1;
2845
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_LEVEL3_SA_MINOR;
2846
            *inOutIdx += 1;
2847
        }
2848
        else
2849
        if (sigAlgo == dilithium_level5_sa_algo) {
2850
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_LEVEL5_SA_MAJOR;
2851
            *inOutIdx += 1;
2852
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_LEVEL5_SA_MINOR;
2853
            *inOutIdx += 1;
2854
        }
2855
        else
2856
        if (sigAlgo == dilithium_aes_level2_sa_algo) {
2857
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_AES_LEVEL2_SA_MAJOR;
2858
            *inOutIdx += 1;
2859
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_AES_LEVEL2_SA_MINOR;
2860
            *inOutIdx += 1;
2861
        }
2862
        else
2863
        if (sigAlgo == dilithium_aes_level3_sa_algo) {
2864
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_AES_LEVEL3_SA_MAJOR;
2865
            *inOutIdx += 1;
2866
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_AES_LEVEL3_SA_MINOR;
2867
            *inOutIdx += 1;
2868
        }
2869
        else
2870
        if (sigAlgo == dilithium_aes_level5_sa_algo) {
2871
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_AES_LEVEL5_SA_MAJOR;
2872
            *inOutIdx += 1;
2873
            suites->hashSigAlgo[*inOutIdx] = DILITHIUM_AES_LEVEL5_SA_MINOR;
2874
            *inOutIdx += 1;
2875
        }
2876
        else
2877
    #endif /* HAVE_DILITHIUM */
2878
    #endif /* HAVE_PQC */
2879
0
#ifdef WC_RSA_PSS
2880
0
        if (sigAlgo == rsa_pss_sa_algo) {
2881
            /* RSA PSS is sig then mac */
2882
0
            suites->hashSigAlgo[*inOutIdx] = sigAlgo;
2883
0
            *inOutIdx += 1;
2884
0
            suites->hashSigAlgo[*inOutIdx] = macAlgo;
2885
0
            *inOutIdx += 1;
2886
0
    #ifdef WOLFSSL_TLS13
2887
            /* Add the certificate algorithm as well */
2888
0
            suites->hashSigAlgo[*inOutIdx] = sigAlgo;
2889
0
            *inOutIdx += 1;
2890
0
            suites->hashSigAlgo[*inOutIdx] = PSS_RSAE_TO_PSS_PSS(macAlgo);
2891
0
            *inOutIdx += 1;
2892
0
    #endif
2893
0
        }
2894
0
        else
2895
0
#endif
2896
0
        {
2897
0
            suites->hashSigAlgo[*inOutIdx] = macAlgo;
2898
0
            *inOutIdx += 1;
2899
0
            suites->hashSigAlgo[*inOutIdx] = sigAlgo;
2900
0
            *inOutIdx += 1;
2901
0
        }
2902
0
    }
2903
0
}
2904
2905
void InitSuitesHashSigAlgo(Suites* suites, int haveECDSAsig, int haveRSAsig,
2906
                           int haveFalconSig, int haveDilithiumSig,
2907
                           int haveAnon, int tls1_2, int keySz)
2908
0
{
2909
0
    word16 idx = 0;
2910
2911
0
    (void)tls1_2;
2912
0
    (void)keySz;
2913
2914
0
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
2915
0
    if (haveECDSAsig) {
2916
0
#ifdef HAVE_ECC
2917
0
    #ifdef WOLFSSL_SHA512
2918
0
        AddSuiteHashSigAlgo(suites, sha512_mac, ecc_dsa_sa_algo, keySz, &idx);
2919
0
    #endif
2920
0
    #ifdef WOLFSSL_SHA384
2921
0
        AddSuiteHashSigAlgo(suites, sha384_mac, ecc_dsa_sa_algo, keySz, &idx);
2922
0
    #endif
2923
0
    #ifndef NO_SHA256
2924
0
        AddSuiteHashSigAlgo(suites, sha256_mac, ecc_dsa_sa_algo, keySz, &idx);
2925
0
    #endif
2926
0
    #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
2927
0
                                            defined(WOLFSSL_ALLOW_TLS_SHA1))
2928
0
        AddSuiteHashSigAlgo(suites, sha_mac, ecc_dsa_sa_algo, keySz, &idx);
2929
0
    #endif
2930
0
#endif
2931
0
    #ifdef HAVE_ED25519
2932
0
        AddSuiteHashSigAlgo(suites, no_mac, ed25519_sa_algo, keySz, &idx);
2933
0
    #endif
2934
0
    #ifdef HAVE_ED448
2935
0
        AddSuiteHashSigAlgo(suites, no_mac, ed448_sa_algo, keySz, &idx);
2936
0
    #endif
2937
0
    }
2938
0
#endif /* HAVE_ECC || HAVE_ED25519 || HAVE_ED448 */
2939
0
    if (haveFalconSig) {
2940
#if defined(HAVE_PQC)
2941
#ifdef HAVE_FALCON
2942
        AddSuiteHashSigAlgo(suites, no_mac, falcon_level1_sa_algo, keySz, &idx);
2943
        AddSuiteHashSigAlgo(suites, no_mac, falcon_level5_sa_algo, keySz, &idx);
2944
#endif /* HAVE_FALCON */
2945
#endif /* HAVE_PQC */
2946
0
    }
2947
0
    if (haveDilithiumSig) {
2948
#if defined(HAVE_PQC)
2949
#ifdef HAVE_DILITHIUM
2950
        AddSuiteHashSigAlgo(suites, no_mac, dilithium_level2_sa_algo, keySz,
2951
                            &idx);
2952
        AddSuiteHashSigAlgo(suites, no_mac, dilithium_level3_sa_algo, keySz,
2953
                            &idx);
2954
        AddSuiteHashSigAlgo(suites, no_mac, dilithium_level5_sa_algo, keySz,
2955
                            &idx);
2956
        AddSuiteHashSigAlgo(suites, no_mac, dilithium_aes_level2_sa_algo, keySz,
2957
                            &idx);
2958
        AddSuiteHashSigAlgo(suites, no_mac, dilithium_aes_level3_sa_algo, keySz,
2959
                            &idx);
2960
        AddSuiteHashSigAlgo(suites, no_mac, dilithium_aes_level5_sa_algo, keySz,
2961
                            &idx);
2962
#endif /* HAVE_DILITHIUM */
2963
#endif /* HAVE_PQC */
2964
0
    }
2965
0
    if (haveRSAsig) {
2966
0
    #ifdef WC_RSA_PSS
2967
0
        if (tls1_2) {
2968
0
        #ifdef WOLFSSL_SHA512
2969
0
            AddSuiteHashSigAlgo(suites, sha512_mac, rsa_pss_sa_algo, keySz,
2970
0
                                                                          &idx);
2971
0
        #endif
2972
0
        #ifdef WOLFSSL_SHA384
2973
0
            AddSuiteHashSigAlgo(suites, sha384_mac, rsa_pss_sa_algo, keySz,
2974
0
                                                                          &idx);
2975
0
        #endif
2976
0
        #ifndef NO_SHA256
2977
0
            AddSuiteHashSigAlgo(suites, sha256_mac, rsa_pss_sa_algo, keySz,
2978
0
                                                                          &idx);
2979
0
        #endif
2980
0
        }
2981
0
    #endif
2982
0
    #ifdef WOLFSSL_SHA512
2983
0
        AddSuiteHashSigAlgo(suites, sha512_mac, rsa_sa_algo, keySz, &idx);
2984
0
    #endif
2985
0
    #ifdef WOLFSSL_SHA384
2986
0
        AddSuiteHashSigAlgo(suites, sha384_mac, rsa_sa_algo, keySz, &idx);
2987
0
    #endif
2988
0
    #ifndef NO_SHA256
2989
0
        AddSuiteHashSigAlgo(suites, sha256_mac, rsa_sa_algo, keySz, &idx);
2990
0
    #endif
2991
0
    #ifdef WOLFSSL_SHA224
2992
0
        AddSuiteHashSigAlgo(suites, sha224_mac, rsa_sa_algo, keySz, &idx);
2993
0
    #endif
2994
0
    #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
2995
0
                                            defined(WOLFSSL_ALLOW_TLS_SHA1))
2996
0
        AddSuiteHashSigAlgo(suites, sha_mac, rsa_sa_algo, keySz, &idx);
2997
0
    #endif
2998
0
    }
2999
3000
#ifdef HAVE_ANON
3001
    if (haveAnon) {
3002
        AddSuiteHashSigAlgo(suites, sha_mac, anonymous_sa_algo, keySz, &idx);
3003
    }
3004
#endif
3005
3006
0
    (void)haveAnon;
3007
0
    (void)haveECDSAsig;
3008
0
    suites->hashSigAlgoSz = idx;
3009
0
}
3010
3011
void InitSuites(Suites* suites, ProtocolVersion pv, int keySz, word16 haveRSA,
3012
                word16 havePSK, word16 haveDH, word16 haveECDSAsig,
3013
                word16 haveECC, word16 haveStaticRSA, word16 haveStaticECC,
3014
                word16 haveFalconSig, word16 haveDilithiumSig, word16 haveAnon,
3015
                word16 haveNull, int side)
3016
0
{
3017
0
    word16 idx = 0;
3018
0
    int    tls    = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_MINOR;
3019
0
    int    tls1_2 = pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_2_MINOR;
3020
0
#ifdef WOLFSSL_TLS13
3021
0
    int    tls1_3 = IsAtLeastTLSv1_3(pv);
3022
0
#endif
3023
0
    int    dtls   = 0;
3024
0
    int    haveRSAsig = 1;
3025
3026
#ifdef WOLFSSL_DTLS
3027
    /* If DTLS v1.2 or later than set tls1_2 flag */
3028
    if (pv.major == DTLS_MAJOR && pv.minor <= DTLSv1_2_MINOR) {
3029
        tls1_2 = 1;
3030
    }
3031
#endif
3032
3033
0
    (void)tls;  /* shut up compiler */
3034
0
    (void)tls1_2;
3035
0
    (void)dtls;
3036
0
    (void)haveDH;
3037
0
    (void)havePSK;
3038
0
    (void)haveStaticRSA;
3039
0
    (void)haveStaticECC;
3040
0
    (void)haveECC;
3041
0
    (void)side;
3042
0
    (void)haveRSA;    /* some builds won't read */
3043
0
    (void)haveRSAsig; /* non ecc builds won't read */
3044
0
    (void)haveAnon;   /* anon ciphers optional */
3045
0
    (void)haveNull;
3046
0
    (void)haveFalconSig;
3047
0
    (void)haveDilithiumSig;
3048
3049
0
    if (suites == NULL) {
3050
0
        WOLFSSL_MSG("InitSuites pointer error");
3051
0
        return;
3052
0
    }
3053
3054
0
    if (suites->setSuites)
3055
0
        return;      /* trust user settings, don't override */
3056
3057
0
#ifdef WOLFSSL_TLS13
3058
0
#ifdef BUILD_TLS_AES_128_GCM_SHA256
3059
0
    if (tls1_3) {
3060
0
        suites->suites[idx++] = TLS13_BYTE;
3061
0
        suites->suites[idx++] = TLS_AES_128_GCM_SHA256;
3062
0
    }
3063
0
#endif
3064
3065
0
#ifdef BUILD_TLS_AES_256_GCM_SHA384
3066
0
    if (tls1_3) {
3067
0
        suites->suites[idx++] = TLS13_BYTE;
3068
0
        suites->suites[idx++] = TLS_AES_256_GCM_SHA384;
3069
0
    }
3070
0
#endif
3071
3072
0
#ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256
3073
0
    if (tls1_3) {
3074
0
        suites->suites[idx++] = TLS13_BYTE;
3075
0
        suites->suites[idx++] = TLS_CHACHA20_POLY1305_SHA256;
3076
0
    }
3077
0
#endif
3078
3079
0
#ifdef BUILD_TLS_AES_128_CCM_SHA256
3080
0
    if (tls1_3) {
3081
0
        suites->suites[idx++] = TLS13_BYTE;
3082
0
        suites->suites[idx++] = TLS_AES_128_CCM_SHA256;
3083
0
    }
3084
0
#endif
3085
3086
0
#ifdef BUILD_TLS_AES_128_CCM_8_SHA256
3087
0
    if (tls1_3) {
3088
0
        suites->suites[idx++] = TLS13_BYTE;
3089
0
        suites->suites[idx++] = TLS_AES_128_CCM_8_SHA256;
3090
0
    }
3091
0
#endif
3092
3093
#ifdef HAVE_NULL_CIPHER
3094
    #ifdef BUILD_TLS_SHA256_SHA256
3095
        if (tls1_3 && haveNull) {
3096
            suites->suites[idx++] = ECC_BYTE;
3097
            suites->suites[idx++] = TLS_SHA256_SHA256;
3098
        }
3099
    #endif
3100
3101
    #ifdef BUILD_TLS_SHA384_SHA384
3102
        if (tls1_3 && haveNull) {
3103
            suites->suites[idx++] = ECC_BYTE;
3104
            suites->suites[idx++] = TLS_SHA384_SHA384;
3105
        }
3106
    #endif
3107
#endif
3108
0
#endif /* WOLFSSL_TLS13 */
3109
3110
0
#ifndef WOLFSSL_NO_TLS12
3111
3112
0
#if !defined(NO_WOLFSSL_SERVER) && !defined(NO_RSA)
3113
0
    if (side == WOLFSSL_SERVER_END && haveStaticECC) {
3114
0
        haveRSA = 0;   /* can't do RSA with ECDSA key */
3115
0
    }
3116
3117
0
    if (side == WOLFSSL_SERVER_END && haveECDSAsig) {
3118
0
        haveRSAsig = 0;     /* can't have RSA sig if signed by ECDSA */
3119
0
    }
3120
0
#endif /* !NO_WOLFSSL_SERVER */
3121
3122
#ifdef WOLFSSL_DTLS
3123
    if (pv.major == DTLS_MAJOR) {
3124
        dtls   = 1;
3125
        tls    = 1;
3126
        /* May be dead assignments dependent upon configuration */
3127
        (void) dtls;
3128
        (void) tls;
3129
        tls1_2 = pv.minor <= DTLSv1_2_MINOR;
3130
    }
3131
#endif
3132
3133
#ifdef HAVE_RENEGOTIATION_INDICATION
3134
    if (side == WOLFSSL_CLIENT_END) {
3135
        suites->suites[idx++] = CIPHER_BYTE;
3136
        suites->suites[idx++] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV;
3137
    }
3138
#endif
3139
3140
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
3141
0
    if (tls1_2 && haveECC) {
3142
0
        suites->suites[idx++] = ECC_BYTE;
3143
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
3144
0
    }
3145
0
#endif
3146
3147
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
3148
0
    if (tls1_2 && haveECC) {
3149
0
        suites->suites[idx++] = ECC_BYTE;
3150
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
3151
0
    }
3152
0
#endif
3153
3154
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
3155
0
    if (tls1_2 && haveRSA) {
3156
0
        suites->suites[idx++] = ECC_BYTE;
3157
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
3158
0
    }
3159
0
#endif
3160
3161
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
3162
0
    if (tls1_2 && haveRSA) {
3163
0
        suites->suites[idx++] = ECC_BYTE;
3164
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
3165
0
    }
3166
0
#endif
3167
3168
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
3169
0
    if (tls1_2 && haveDH && haveRSA) {
3170
0
        suites->suites[idx++] = CIPHER_BYTE;
3171
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384;
3172
0
    }
3173
0
#endif
3174
3175
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
3176
0
    if (tls1_2 && haveDH && haveRSA) {
3177
0
        suites->suites[idx++] = CIPHER_BYTE;
3178
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
3179
0
    }
3180
0
#endif
3181
3182
#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
3183
    if (tls1_2 && haveRSA && haveStaticRSA) {
3184
        suites->suites[idx++] = CIPHER_BYTE;
3185
        suites->suites[idx++] = TLS_RSA_WITH_AES_256_GCM_SHA384;
3186
    }
3187
#endif
3188
3189
#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
3190
    if (tls1_2 && haveRSA && haveStaticRSA) {
3191
        suites->suites[idx++] = CIPHER_BYTE;
3192
        suites->suites[idx++] = TLS_RSA_WITH_AES_128_GCM_SHA256;
3193
    }
3194
#endif
3195
3196
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
3197
    if (tls1_2 && haveECC && haveStaticECC) {
3198
        suites->suites[idx++] = ECC_BYTE;
3199
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384;
3200
    }
3201
#endif
3202
3203
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
3204
    if (tls1_2 && haveECC && haveStaticECC) {
3205
        suites->suites[idx++] = ECC_BYTE;
3206
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256;
3207
    }
3208
#endif
3209
3210
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
3211
    if (tls1_2 && haveRSAsig && haveStaticECC) {
3212
        suites->suites[idx++] = ECC_BYTE;
3213
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384;
3214
    }
3215
#endif
3216
3217
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
3218
    if (tls1_2 && haveRSAsig && haveStaticECC) {
3219
        suites->suites[idx++] = ECC_BYTE;
3220
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256;
3221
    }
3222
#endif
3223
3224
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
3225
    if (tls1_2 && haveDH && havePSK) {
3226
        suites->suites[idx++] = CIPHER_BYTE;
3227
        suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_GCM_SHA384;
3228
    }
3229
#endif
3230
3231
#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
3232
    if (tls1_2 && haveDH && haveAnon) {
3233
      suites->suites[idx++] = CIPHER_BYTE;
3234
      suites->suites[idx++] = TLS_DH_anon_WITH_AES_128_CBC_SHA;
3235
    }
3236
#endif
3237
3238
#ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384
3239
    if (tls1_2 && haveDH && haveAnon) {
3240
      suites->suites[idx++] = CIPHER_BYTE;
3241
      suites->suites[idx++] = TLS_DH_anon_WITH_AES_256_GCM_SHA384;
3242
    }
3243
#endif
3244
3245
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
3246
    if (tls1_2 && haveDH && havePSK) {
3247
        suites->suites[idx++] = CIPHER_BYTE;
3248
        suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_GCM_SHA256;
3249
    }
3250
#endif
3251
3252
#ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384
3253
    if (tls1_2 && havePSK) {
3254
        suites->suites[idx++] = CIPHER_BYTE;
3255
        suites->suites[idx++] = TLS_PSK_WITH_AES_256_GCM_SHA384;
3256
    }
3257
#endif
3258
3259
#ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
3260
    if (tls1_2 && havePSK) {
3261
        suites->suites[idx++] = CIPHER_BYTE;
3262
        suites->suites[idx++] = TLS_PSK_WITH_AES_128_GCM_SHA256;
3263
    }
3264
#endif
3265
3266
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
3267
0
    if (tls1_2 && haveECC) {
3268
0
        suites->suites[idx++] = CHACHA_BYTE;
3269
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256;
3270
0
    }
3271
0
#endif
3272
3273
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
3274
0
    if (tls1_2 && haveRSA) {
3275
0
        suites->suites[idx++] = CHACHA_BYTE;
3276
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
3277
0
    }
3278
0
#endif
3279
3280
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
3281
0
    if (tls1_2 && haveRSA) {
3282
0
        suites->suites[idx++] = CHACHA_BYTE;
3283
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
3284
0
    }
3285
0
#endif
3286
3287
/* Place as higher priority for MYSQL */
3288
#if defined(WOLFSSL_MYSQL_COMPATIBLE)
3289
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
3290
    if (tls && haveDH && haveRSA) {
3291
        suites->suites[idx++] = CIPHER_BYTE;
3292
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
3293
    }
3294
#endif
3295
#endif
3296
3297
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
3298
0
    if (tls1_2 && haveRSA) {
3299
0
        suites->suites[idx++] = ECC_BYTE;
3300
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256;
3301
0
    }
3302
0
#endif
3303
3304
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
3305
0
    if (tls1_2 && haveECC) {
3306
0
        suites->suites[idx++] = ECC_BYTE;
3307
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256;
3308
0
    }
3309
0
#endif
3310
3311
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
3312
    if (tls1_2 && haveRSAsig && haveStaticECC) {
3313
        suites->suites[idx++] = ECC_BYTE;
3314
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256;
3315
    }
3316
#endif
3317
3318
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
3319
    if (tls1_2 && haveECC && haveStaticECC) {
3320
        suites->suites[idx++] = ECC_BYTE;
3321
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256;
3322
    }
3323
#endif
3324
3325
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
3326
0
    if (tls1_2 && haveRSA) {
3327
0
        suites->suites[idx++] = ECC_BYTE;
3328
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384;
3329
0
    }
3330
0
#endif
3331
3332
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
3333
0
    if (tls1_2 && haveECC) {
3334
0
        suites->suites[idx++] = ECC_BYTE;
3335
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;
3336
0
    }
3337
0
#endif
3338
3339
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
3340
    if (tls1_2 && haveRSAsig && haveStaticECC) {
3341
        suites->suites[idx++] = ECC_BYTE;
3342
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384;
3343
    }
3344
#endif
3345
3346
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
3347
    if (tls1_2 && haveECC && haveStaticECC) {
3348
        suites->suites[idx++] = ECC_BYTE;
3349
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384;
3350
    }
3351
#endif
3352
3353
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
3354
0
    if (tls && haveECC) {
3355
0
        suites->suites[idx++] = ECC_BYTE;
3356
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
3357
0
    }
3358
0
#endif
3359
3360
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
3361
    if (tls && haveECC && haveStaticECC) {
3362
        suites->suites[idx++] = ECC_BYTE;
3363
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA;
3364
    }
3365
#endif
3366
3367
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
3368
0
    if (tls && haveECC) {
3369
0
        suites->suites[idx++] = ECC_BYTE;
3370
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA;
3371
0
    }
3372
0
#endif
3373
3374
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
3375
    if (tls && haveECC && haveStaticECC) {
3376
        suites->suites[idx++] = ECC_BYTE;
3377
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA;
3378
    }
3379
#endif
3380
3381
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
3382
0
    if (!dtls && tls && haveECC) {
3383
0
        suites->suites[idx++] = ECC_BYTE;
3384
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA;
3385
0
    }
3386
0
#endif
3387
3388
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
3389
    if (!dtls && tls && haveECC && haveStaticECC) {
3390
        suites->suites[idx++] = ECC_BYTE;
3391
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA;
3392
    }
3393
#endif
3394
3395
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
3396
0
    if (tls && haveECC) {
3397
0
        suites->suites[idx++] = ECC_BYTE;
3398
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA;
3399
0
    }
3400
0
#endif
3401
3402
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
3403
    if (tls && haveECC && haveStaticECC) {
3404
        suites->suites[idx++] = ECC_BYTE;
3405
        suites->suites[idx++] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA;
3406
    }
3407
#endif
3408
3409
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
3410
0
    if (tls && haveRSA) {
3411
0
        suites->suites[idx++] = ECC_BYTE;
3412
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
3413
0
    }
3414
0
#endif
3415
3416
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
3417
    if (tls && haveRSAsig && haveStaticECC) {
3418
        suites->suites[idx++] = ECC_BYTE;
3419
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA;
3420
    }
3421
#endif
3422
3423
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
3424
0
    if (tls && haveRSA) {
3425
0
        suites->suites[idx++] = ECC_BYTE;
3426
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
3427
0
    }
3428
0
#endif
3429
3430
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
3431
    if (tls && haveRSAsig && haveStaticECC) {
3432
        suites->suites[idx++] = ECC_BYTE;
3433
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA;
3434
    }
3435
#endif
3436
3437
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
3438
0
    if (!dtls && tls && haveRSA) {
3439
0
        suites->suites[idx++] = ECC_BYTE;
3440
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_RC4_128_SHA;
3441
0
    }
3442
0
#endif
3443
3444
#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
3445
    if (!dtls && tls && haveRSAsig && haveStaticECC) {
3446
        suites->suites[idx++] = ECC_BYTE;
3447
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_RC4_128_SHA;
3448
    }
3449
#endif
3450
3451
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
3452
0
    if (tls && haveRSA) {
3453
0
        suites->suites[idx++] = ECC_BYTE;
3454
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA;
3455
0
    }
3456
0
#endif
3457
3458
#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
3459
    if (tls && haveRSAsig && haveStaticECC) {
3460
        suites->suites[idx++] = ECC_BYTE;
3461
        suites->suites[idx++] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA;
3462
    }
3463
#endif
3464
3465
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
3466
0
    if (tls1_2 && haveECC) {
3467
0
        suites->suites[idx++] = ECC_BYTE;
3468
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM;
3469
0
    }
3470
0
#endif
3471
3472
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
3473
0
    if (tls1_2 && haveECC) {
3474
0
        suites->suites[idx++] = ECC_BYTE;
3475
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
3476
0
    }
3477
0
#endif
3478
3479
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
3480
0
    if (tls1_2 && haveECC) {
3481
0
        suites->suites[idx++] = ECC_BYTE;
3482
0
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8;
3483
0
    }
3484
0
#endif
3485
3486
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
3487
    if (tls1_2 && haveRSA && haveStaticRSA) {
3488
        suites->suites[idx++] = ECC_BYTE;
3489
        suites->suites[idx++] = TLS_RSA_WITH_AES_128_CCM_8;
3490
    }
3491
#endif
3492
3493
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
3494
    if (tls1_2 && haveRSA && haveStaticRSA) {
3495
        suites->suites[idx++] = ECC_BYTE;
3496
        suites->suites[idx++] = TLS_RSA_WITH_AES_256_CCM_8;
3497
    }
3498
#endif
3499
3500
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
3501
0
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3502
0
    if (tls1_2 && haveDH && haveRSA)
3503
#else
3504
    if (tls && haveDH && haveRSA)
3505
#endif
3506
0
    {
3507
0
        suites->suites[idx++] = CIPHER_BYTE;
3508
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256;
3509
0
    }
3510
0
#endif
3511
3512
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
3513
0
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3514
0
    if (tls1_2 && haveDH && haveRSA)
3515
#else
3516
    if (tls && haveDH && haveRSA)
3517
#endif
3518
0
    {
3519
0
        suites->suites[idx++] = CIPHER_BYTE;
3520
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256;
3521
0
    }
3522
0
#endif
3523
3524
/* Place as higher priority for MYSQL testing */
3525
0
#if !defined(WOLFSSL_MYSQL_COMPATIBLE)
3526
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
3527
0
    if (tls && haveDH && haveRSA) {
3528
0
        suites->suites[idx++] = CIPHER_BYTE;
3529
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
3530
0
    }
3531
0
#endif
3532
0
#endif
3533
3534
0
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
3535
0
    if (tls && haveDH && haveRSA) {
3536
0
        suites->suites[idx++] = CIPHER_BYTE;
3537
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
3538
0
    }
3539
0
#endif
3540
3541
0
#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
3542
0
    if (tls && haveDH && haveRSA) {
3543
0
        suites->suites[idx++] = CIPHER_BYTE;
3544
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
3545
0
    }
3546
0
#endif
3547
3548
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
3549
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3550
    if (tls1_2 && haveRSA && haveStaticRSA)
3551
#else
3552
    if (tls && haveRSA && haveStaticRSA)
3553
#endif
3554
    {
3555
        suites->suites[idx++] = CIPHER_BYTE;
3556
        suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA256;
3557
    }
3558
#endif
3559
3560
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
3561
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3562
    if (tls1_2 && haveRSA && haveStaticRSA)
3563
#else
3564
    if (tls && haveRSA && haveStaticRSA)
3565
#endif
3566
    {
3567
        suites->suites[idx++] = CIPHER_BYTE;
3568
        suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA256;
3569
    }
3570
#endif
3571
3572
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
3573
    if (tls && haveRSA && haveStaticRSA) {
3574
        suites->suites[idx++] = CIPHER_BYTE;
3575
        suites->suites[idx++] = TLS_RSA_WITH_AES_256_CBC_SHA;
3576
    }
3577
#endif
3578
3579
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
3580
    if (tls && haveRSA && haveStaticRSA) {
3581
        suites->suites[idx++] = CIPHER_BYTE;
3582
        suites->suites[idx++] = TLS_RSA_WITH_AES_128_CBC_SHA;
3583
    }
3584
#endif
3585
3586
0
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256
3587
0
    if (tls1_2 && haveECC) {
3588
0
        suites->suites[idx++] = CHACHA_BYTE;
3589
0
        suites->suites[idx++] =
3590
0
                              TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256;
3591
0
    }
3592
0
#endif
3593
3594
0
#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
3595
0
    if (tls1_2 && haveRSA) {
3596
0
        suites->suites[idx++] = CHACHA_BYTE;
3597
0
        suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256;
3598
0
    }
3599
0
#endif
3600
3601
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
3602
0
    if (tls1_2 && haveRSA) {
3603
0
        suites->suites[idx++] = CHACHA_BYTE;
3604
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256;
3605
0
    }
3606
0
#endif
3607
3608
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
3609
    if (tls && haveECC && haveNull) {
3610
        suites->suites[idx++] = ECC_BYTE;
3611
        suites->suites[idx++] = TLS_ECDHE_ECDSA_WITH_NULL_SHA;
3612
    }
3613
#endif
3614
3615
#ifdef BUILD_TLS_RSA_WITH_NULL_MD5
3616
    if (tls && haveRSA && haveNull && haveStaticRSA) {
3617
        suites->suites[idx++] = CIPHER_BYTE;
3618
        suites->suites[idx++] = TLS_RSA_WITH_NULL_MD5;
3619
    }
3620
#endif
3621
3622
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA
3623
    if (tls && haveRSA && haveNull && haveStaticRSA) {
3624
        suites->suites[idx++] = CIPHER_BYTE;
3625
        suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA;
3626
    }
3627
#endif
3628
3629
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
3630
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3631
    if (tls1_2 && haveRSA && haveNull && haveStaticRSA)
3632
#else
3633
    if (tls && haveRSA && haveNull && haveStaticRSA)
3634
#endif
3635
    {
3636
        suites->suites[idx++] = CIPHER_BYTE;
3637
        suites->suites[idx++] = TLS_RSA_WITH_NULL_SHA256;
3638
    }
3639
#endif
3640
3641
#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
3642
    if (tls && havePSK) {
3643
        suites->suites[idx++] = CIPHER_BYTE;
3644
        suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA;
3645
    }
3646
#endif
3647
3648
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
3649
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3650
    if (tls1_2 && haveDH && havePSK)
3651
#else
3652
    if (tls && haveDH && havePSK)
3653
#endif
3654
    {
3655
        suites->suites[idx++] = CIPHER_BYTE;
3656
        suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CBC_SHA384;
3657
    }
3658
#endif
3659
3660
#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384
3661
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3662
    if (tls1_2 && havePSK)
3663
#else
3664
    if (tls && havePSK)
3665
#endif
3666
    {
3667
        suites->suites[idx++] = CIPHER_BYTE;
3668
        suites->suites[idx++] = TLS_PSK_WITH_AES_256_CBC_SHA384;
3669
    }
3670
#endif
3671
3672
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
3673
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3674
    if (tls1_2 && haveDH && havePSK)
3675
#else
3676
    if (tls && haveDH && havePSK)
3677
#endif
3678
    {
3679
        suites->suites[idx++] = CIPHER_BYTE;
3680
        suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CBC_SHA256;
3681
    }
3682
#endif
3683
3684
#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
3685
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3686
    if (tls1_2 && havePSK)
3687
#else
3688
    if (tls1 && havePSK)
3689
#endif
3690
    {
3691
        suites->suites[idx++] = CIPHER_BYTE;
3692
        suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA256;
3693
    }
3694
#endif
3695
3696
#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
3697
    if (tls && havePSK) {
3698
        suites->suites[idx++] = CIPHER_BYTE;
3699
        suites->suites[idx++] = TLS_PSK_WITH_AES_128_CBC_SHA;
3700
    }
3701
#endif
3702
3703
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
3704
    if (tls && haveDH && havePSK) {
3705
        suites->suites[idx++] = ECC_BYTE;
3706
        suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_128_CCM;
3707
    }
3708
#endif
3709
3710
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
3711
    if (tls && haveDH && havePSK) {
3712
        suites->suites[idx++] = ECC_BYTE;
3713
        suites->suites[idx++] = TLS_DHE_PSK_WITH_AES_256_CCM;
3714
    }
3715
#endif
3716
3717
#ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
3718
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3719
    if (tls1_2 && havePSK)
3720
#else
3721
    if (tls && havePSK)
3722
#endif
3723
    {
3724
        suites->suites[idx++] = CHACHA_BYTE;
3725
        suites->suites[idx++] = TLS_PSK_WITH_CHACHA20_POLY1305_SHA256;
3726
    }
3727
#endif
3728
3729
#ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
3730
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3731
    if (tls1_2 && havePSK)
3732
#else
3733
    if (tls && havePSK)
3734
#endif
3735
    {
3736
        suites->suites[idx++] = CHACHA_BYTE;
3737
        suites->suites[idx++] = TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256;
3738
    }
3739
#endif
3740
3741
#ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
3742
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3743
    if (tls1_2 && havePSK)
3744
#else
3745
    if (tls && havePSK)
3746
#endif
3747
    {
3748
        suites->suites[idx++] = CHACHA_BYTE;
3749
        suites->suites[idx++] = TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256;
3750
    }
3751
#endif
3752
3753
#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
3754
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3755
    if (tls1_2 && havePSK)
3756
#else
3757
    if (tls && havePSK)
3758
#endif
3759
    {
3760
        suites->suites[idx++] = ECC_BYTE;
3761
        suites->suites[idx++] = TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256;
3762
    }
3763
#endif
3764
3765
#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
3766
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3767
    if (tls1_2 && havePSK)
3768
#else
3769
    if (tls && havePSK)
3770
#endif
3771
    {
3772
        suites->suites[idx++] = ECDHE_PSK_BYTE;
3773
        suites->suites[idx++] = TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256;
3774
    }
3775
#endif
3776
3777
#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM
3778
    if (tls && havePSK) {
3779
        suites->suites[idx++] = ECC_BYTE;
3780
        suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM;
3781
    }
3782
#endif
3783
3784
#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM
3785
    if (tls && havePSK) {
3786
        suites->suites[idx++] = ECC_BYTE;
3787
        suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM;
3788
    }
3789
#endif
3790
3791
#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8
3792
    if (tls && havePSK) {
3793
        suites->suites[idx++] = ECC_BYTE;
3794
        suites->suites[idx++] = TLS_PSK_WITH_AES_128_CCM_8;
3795
    }
3796
#endif
3797
3798
#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8
3799
    if (tls && havePSK) {
3800
        suites->suites[idx++] = ECC_BYTE;
3801
        suites->suites[idx++] = TLS_PSK_WITH_AES_256_CCM_8;
3802
    }
3803
#endif
3804
3805
#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
3806
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3807
    if (tls1_2 && haveDH && havePSK)
3808
#else
3809
    if (tls && haveDH && havePSK && haveNull)
3810
#endif
3811
    {
3812
        suites->suites[idx++] = CIPHER_BYTE;
3813
        suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA384;
3814
    }
3815
#endif
3816
3817
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
3818
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3819
    if (tls1_2 && havePSK && haveNull)
3820
#else
3821
    if (tls && havePSK && haveNull)
3822
#endif
3823
    {
3824
        suites->suites[idx++] = CIPHER_BYTE;
3825
        suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA384;
3826
    }
3827
#endif
3828
3829
#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256
3830
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3831
    if (tls1_2 && havePSK && haveNull)
3832
#else
3833
    if (tls && havePSK && haveNull)
3834
#endif
3835
    {
3836
        suites->suites[idx++] = ECC_BYTE;
3837
        suites->suites[idx++] = TLS_ECDHE_PSK_WITH_NULL_SHA256;
3838
    }
3839
#endif
3840
3841
#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
3842
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3843
    if (tls1_2 && haveDH && havePSK && haveNull)
3844
#else
3845
    if (tls && haveDH && havePSK && haveNull)
3846
#endif
3847
    {
3848
        suites->suites[idx++] = CIPHER_BYTE;
3849
        suites->suites[idx++] = TLS_DHE_PSK_WITH_NULL_SHA256;
3850
    }
3851
#endif
3852
3853
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
3854
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3855
    if (tls1_2 && havePSK && haveNull)
3856
#else
3857
    if (tls && havePSK && haveNull)
3858
#endif
3859
    {
3860
        suites->suites[idx++] = CIPHER_BYTE;
3861
        suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA256;
3862
    }
3863
#endif
3864
3865
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA
3866
    if (tls && havePSK && haveNull) {
3867
        suites->suites[idx++] = CIPHER_BYTE;
3868
        suites->suites[idx++] = TLS_PSK_WITH_NULL_SHA;
3869
    }
3870
#endif
3871
3872
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
3873
    if (!dtls && haveRSA && haveStaticRSA) {
3874
        suites->suites[idx++] = CIPHER_BYTE;
3875
        suites->suites[idx++] = SSL_RSA_WITH_RC4_128_SHA;
3876
    }
3877
#endif
3878
3879
#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
3880
    if (!dtls && haveRSA && haveStaticRSA) {
3881
        suites->suites[idx++] = CIPHER_BYTE;
3882
        suites->suites[idx++] = SSL_RSA_WITH_RC4_128_MD5;
3883
    }
3884
#endif
3885
3886
#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
3887
    if (haveRSA && haveStaticRSA) {
3888
        suites->suites[idx++] = CIPHER_BYTE;
3889
        suites->suites[idx++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
3890
    }
3891
#endif
3892
3893
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
3894
    if (tls && haveRSA && haveStaticRSA) {
3895
        suites->suites[idx++] = CIPHER_BYTE;
3896
        suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA;
3897
    }
3898
#endif
3899
3900
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
3901
0
    if (tls && haveDH && haveRSA && haveStaticRSA) {
3902
0
        suites->suites[idx++] = CIPHER_BYTE;
3903
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA;
3904
0
    }
3905
0
#endif
3906
3907
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
3908
    if (tls && haveRSA && haveStaticRSA) {
3909
        suites->suites[idx++] = CIPHER_BYTE;
3910
        suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA;
3911
    }
3912
#endif
3913
3914
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
3915
0
    if (tls && haveDH && haveRSA && haveStaticRSA) {
3916
0
        suites->suites[idx++] = CIPHER_BYTE;
3917
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA;
3918
0
    }
3919
0
#endif
3920
3921
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
3922
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3923
    if (tls1_2 && haveRSA && haveStaticRSA)
3924
#else
3925
    if (tls && haveRSA && haveStaticRSA)
3926
#endif
3927
    {
3928
        suites->suites[idx++] = CIPHER_BYTE;
3929
        suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256;
3930
    }
3931
#endif
3932
3933
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
3934
0
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3935
0
    if (tls1_2 && haveDH && haveRSA && haveStaticRSA)
3936
#else
3937
    if (tls && haveDH && haveRSA && haveStaticRSA)
3938
#endif
3939
0
    {
3940
0
        suites->suites[idx++] = CIPHER_BYTE;
3941
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256;
3942
0
    }
3943
0
#endif
3944
3945
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
3946
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3947
    if (tls1_2 && haveRSA && haveStaticRSA)
3948
#else
3949
    if (tls && haveRSA && haveStaticRSA)
3950
#endif
3951
    {
3952
        suites->suites[idx++] = CIPHER_BYTE;
3953
        suites->suites[idx++] = TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256;
3954
    }
3955
#endif
3956
3957
0
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
3958
0
#ifndef WOLFSSL_OLDTLS_SHA2_CIPHERSUITES
3959
0
    if (tls1_2 && haveDH && haveRSA && haveStaticRSA)
3960
#else
3961
    if (tls && haveDH && haveRSA && haveStaticRSA)
3962
#endif
3963
0
    {
3964
0
        suites->suites[idx++] = CIPHER_BYTE;
3965
0
        suites->suites[idx++] = TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256;
3966
0
    }
3967
0
#endif
3968
3969
0
#endif /* !WOLFSSL_NO_TLS12 */
3970
3971
0
    suites->suiteSz = idx;
3972
3973
0
    if (suites->hashSigAlgoSz == 0) {
3974
0
        InitSuitesHashSigAlgo(suites, haveECDSAsig | haveECC,
3975
0
                              haveRSAsig | haveRSA, haveFalconSig,
3976
0
                              haveDilithiumSig, 0, tls1_2, keySz);
3977
0
    }
3978
0
}
3979
3980
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) || \
3981
    (!defined(NO_WOLFSSL_CLIENT) && (!defined(NO_DH) || defined(HAVE_ECC)))
3982
3983
/* Decode the signature algorithm.
3984
 *
3985
 * input     The encoded signature algorithm.
3986
 * hashalgo  The hash algorithm.
3987
 * hsType    The signature type.
3988
 */
3989
static WC_INLINE void DecodeSigAlg(const byte* input, byte* hashAlgo, byte* hsType)
3990
0
{
3991
0
    *hsType = invalid_sa_algo;
3992
0
    switch (input[0]) {
3993
0
        case NEW_SA_MAJOR:
3994
0
    #ifdef HAVE_ED25519
3995
            /* ED25519: 0x0807 */
3996
0
            if (input[1] == ED25519_SA_MINOR) {
3997
0
                *hsType = ed25519_sa_algo;
3998
                /* Hash performed as part of sign/verify operation. */
3999
0
                *hashAlgo = sha512_mac;
4000
0
            }
4001
0
            else
4002
0
    #endif
4003
0
    #ifdef HAVE_ED448
4004
            /* ED448: 0x0808 */
4005
0
            if (input[1] == ED448_SA_MINOR) {
4006
0
                *hsType = ed448_sa_algo;
4007
                /* Hash performed as part of sign/verify operation. */
4008
0
                *hashAlgo = sha512_mac;
4009
0
            }
4010
0
            else
4011
0
    #endif
4012
0
    #ifdef WC_RSA_PSS
4013
            /* PSS PSS signatures: 0x080[9-b] */
4014
0
            if (input[1] >= pss_sha256 && input[1] <= pss_sha512) {
4015
0
                *hsType   = rsa_pss_pss_algo;
4016
0
                *hashAlgo = PSS_PSS_HASH_TO_MAC(input[1]);
4017
0
            }
4018
0
            else
4019
0
    #endif
4020
0
            {
4021
0
                *hsType   = input[0];
4022
0
                *hashAlgo = input[1];
4023
0
            }
4024
0
            break;
4025
#ifdef HAVE_PQC
4026
        case PQC_SA_MAJOR:
4027
            /* Hash performed as part of sign/verify operation. */
4028
    #ifdef HAVE_FALCON
4029
            if (input[1] == FALCON_LEVEL1_SA_MINOR) {
4030
                *hsType = falcon_level1_sa_algo;
4031
                *hashAlgo = sha512_mac;
4032
            }
4033
            else if (input[1] == FALCON_LEVEL5_SA_MINOR) {
4034
                *hsType = falcon_level5_sa_algo;
4035
                *hashAlgo = sha512_mac;
4036
            }
4037
    #endif /* HAVE_FALCON */
4038
    #ifdef HAVE_DILITHIUM
4039
            if (input[1] == DILITHIUM_LEVEL2_SA_MINOR) {
4040
                *hsType = dilithium_level2_sa_algo;
4041
                *hashAlgo = sha512_mac;
4042
            }
4043
            else if (input[1] == DILITHIUM_LEVEL3_SA_MINOR) {
4044
                *hsType = dilithium_level3_sa_algo;
4045
                *hashAlgo = sha512_mac;
4046
            }
4047
            else if (input[1] == DILITHIUM_LEVEL5_SA_MINOR) {
4048
                *hsType = dilithium_level5_sa_algo;
4049
                *hashAlgo = sha512_mac;
4050
            }
4051
            else if (input[1] == DILITHIUM_AES_LEVEL2_SA_MINOR) {
4052
                *hsType = dilithium_aes_level2_sa_algo;
4053
                *hashAlgo = sha512_mac;
4054
            }
4055
            else if (input[1] == DILITHIUM_AES_LEVEL3_SA_MINOR) {
4056
                *hsType = dilithium_aes_level3_sa_algo;
4057
                *hashAlgo = sha512_mac;
4058
            }
4059
            else if (input[1] == DILITHIUM_AES_LEVEL5_SA_MINOR) {
4060
                *hsType = dilithium_aes_level5_sa_algo;
4061
                *hashAlgo = sha512_mac;
4062
            }
4063
    #endif /* HAVE_DILITHIUM */
4064
            break;
4065
#endif
4066
0
        default:
4067
0
            *hashAlgo = input[0];
4068
0
            *hsType   = input[1];
4069
0
            break;
4070
0
    }
4071
0
}
4072
#endif /* !NO_WOLFSSL_SERVER || !NO_CERTS */
4073
4074
#ifndef WOLFSSL_NO_TLS12
4075
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
4076
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
4077
             defined(HAVE_CURVE448) || (!defined(NO_RSA) && defined(WC_RSA_PSS))
4078
4079
static enum wc_HashType HashAlgoToType(int hashAlgo)
4080
0
{
4081
0
    switch (hashAlgo) {
4082
0
    #ifdef WOLFSSL_SHA512
4083
0
        case sha512_mac:
4084
0
            return WC_HASH_TYPE_SHA512;
4085
0
    #endif
4086
0
    #ifdef WOLFSSL_SHA384
4087
0
        case sha384_mac:
4088
0
            return WC_HASH_TYPE_SHA384;
4089
0
    #endif
4090
0
    #ifndef NO_SHA256
4091
0
        case sha256_mac:
4092
0
            return WC_HASH_TYPE_SHA256;
4093
0
    #endif
4094
0
    #ifdef WOLFSSL_SHA224
4095
0
        case sha224_mac:
4096
0
            return WC_HASH_TYPE_SHA224;
4097
0
    #endif
4098
0
    #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
4099
0
                             defined(WOLFSSL_ALLOW_TLS_SHA1))
4100
0
        case sha_mac:
4101
0
            return WC_HASH_TYPE_SHA;
4102
0
    #endif
4103
0
        default:
4104
0
            WOLFSSL_MSG("Bad hash sig algo");
4105
0
            break;
4106
0
    }
4107
4108
0
    return WC_HASH_TYPE_NONE;
4109
0
}
4110
#endif /* !NO_DH || HAVE_ECC || (!NO_RSA && WC_RSA_PSS) */
4111
#endif /* !NO_WOLFSSL_SERVER || !NO_WOLFSSL_CLIENT */
4112
#endif /* !WOLFSSL_NO_TLS12 */
4113
4114
#ifndef NO_CERTS
4115
4116
void InitX509Name(WOLFSSL_X509_NAME* name, int dynamicFlag, void* heap)
4117
0
{
4118
0
    (void)dynamicFlag;
4119
4120
0
    if (name != NULL) {
4121
0
        XMEMSET(name, 0, sizeof(WOLFSSL_X509_NAME));
4122
0
        name->name        = name->staticName;
4123
0
        name->heap = heap;
4124
0
        name->dynamicName = 0;
4125
0
    }
4126
0
}
4127
4128
4129
void FreeX509Name(WOLFSSL_X509_NAME* name)
4130
0
{
4131
0
    if (name != NULL) {
4132
0
        if (name->dynamicName) {
4133
0
            XFREE(name->name, name->heap, DYNAMIC_TYPE_SUBJECT_CN);
4134
0
            name->name = NULL;
4135
0
        }
4136
0
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
4137
0
        {
4138
0
            int i;
4139
0
            for (i = 0; i < MAX_NAME_ENTRIES; i++) {
4140
0
                if (name->entry[i].object != NULL)
4141
0
                    wolfSSL_ASN1_OBJECT_free(name->entry[i].object);
4142
0
                if (name->entry[i].value != NULL)
4143
0
                    wolfSSL_ASN1_STRING_free(name->entry[i].value);
4144
0
                XMEMSET(&name->entry[i], 0, sizeof(WOLFSSL_X509_NAME_ENTRY));
4145
0
            }
4146
0
        }
4147
0
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
4148
0
#ifdef OPENSSL_ALL
4149
0
        if (name->entries) {
4150
0
            wolfSSL_sk_X509_NAME_ENTRY_free(name->entries);
4151
0
            name->entries = NULL;
4152
0
        }
4153
0
#endif
4154
0
    }
4155
0
}
4156
4157
4158
/* Initialize wolfSSL X509 type */
4159
void InitX509(WOLFSSL_X509* x509, int dynamicFlag, void* heap)
4160
0
{
4161
0
    if (x509 == NULL) {
4162
0
        WOLFSSL_MSG("Null parameter passed in!");
4163
0
        return;
4164
0
    }
4165
4166
0
    XMEMSET(x509, 0, sizeof(WOLFSSL_X509));
4167
4168
0
    x509->heap = heap;
4169
0
    InitX509Name(&x509->issuer, 0, heap);
4170
0
    InitX509Name(&x509->subject, 0, heap);
4171
0
    x509->dynamicMemory  = (byte)dynamicFlag;
4172
0
#if defined(OPENSSL_EXTRA_X509_SMALL) || defined(OPENSSL_EXTRA)
4173
0
    x509->refCount = 1;
4174
0
#ifndef SINGLE_THREADED
4175
0
    (void)wc_InitMutex(&x509->refMutex);
4176
0
#endif
4177
0
#endif
4178
0
}
4179
4180
4181
/* Free wolfSSL X509 type */
4182
void FreeX509(WOLFSSL_X509* x509)
4183
0
{
4184
0
    if (x509 == NULL)
4185
0
        return;
4186
4187
0
    FreeX509Name(&x509->issuer);
4188
0
    FreeX509Name(&x509->subject);
4189
0
    if (x509->pubKey.buffer) {
4190
0
        XFREE(x509->pubKey.buffer, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY);
4191
0
        x509->pubKey.buffer = NULL;
4192
0
    }
4193
0
    FreeDer(&x509->derCert);
4194
0
    XFREE(x509->sig.buffer, x509->heap, DYNAMIC_TYPE_SIGNATURE);
4195
0
    x509->sig.buffer = NULL;
4196
0
    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
4197
0
        if (x509->authKeyIdSrc != NULL) {
4198
0
            XFREE(x509->authKeyIdSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
4199
0
        }
4200
0
        else {
4201
0
            XFREE(x509->authKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT);
4202
0
        }
4203
0
        x509->authKeyIdSrc = NULL;
4204
0
        x509->authKeyId = NULL;
4205
0
        XFREE(x509->subjKeyId, x509->heap, DYNAMIC_TYPE_X509_EXT);
4206
0
        x509->subjKeyId = NULL;
4207
0
        if (x509->authInfo != NULL) {
4208
0
            XFREE(x509->authInfo, x509->heap, DYNAMIC_TYPE_X509_EXT);
4209
0
            x509->authInfo = NULL;
4210
0
        }
4211
0
        if (x509->rawCRLInfo != NULL) {
4212
0
            XFREE(x509->rawCRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT);
4213
0
            x509->rawCRLInfo = NULL;
4214
0
        }
4215
0
        if (x509->CRLInfo != NULL) {
4216
0
            XFREE(x509->CRLInfo, x509->heap, DYNAMIC_TYPE_X509_EXT);
4217
0
            x509->CRLInfo = NULL;
4218
0
        }
4219
0
        #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
4220
0
            defined(WOLFSSL_QT)
4221
0
        if (x509->authInfoCaIssuer != NULL) {
4222
0
            XFREE(x509->authInfoCaIssuer, x509->heap, DYNAMIC_TYPE_X509_EXT);
4223
0
        }
4224
0
        if (x509->ext_sk != NULL) {
4225
0
            wolfSSL_sk_X509_EXTENSION_pop_free(x509->ext_sk, NULL);
4226
0
        }
4227
0
        if (x509->ext_sk_full != NULL) {
4228
0
            wolfSSL_sk_X509_EXTENSION_pop_free(x509->ext_sk_full, NULL);
4229
0
        }
4230
0
        #endif /* OPENSSL_ALL || WOLFSSL_QT */
4231
0
        #ifdef OPENSSL_EXTRA
4232
        /* Free serialNumber that was set by wolfSSL_X509_get_serialNumber */
4233
0
        if (x509->serialNumber != NULL) {
4234
0
            wolfSSL_ASN1_INTEGER_free(x509->serialNumber);
4235
0
        }
4236
0
        #endif
4237
0
        if (x509->extKeyUsageSrc != NULL) {
4238
0
            XFREE(x509->extKeyUsageSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
4239
0
            x509->extKeyUsageSrc= NULL;
4240
0
        }
4241
0
    #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
4242
0
    #if defined(OPENSSL_ALL)
4243
0
        if (x509->algor.algorithm) {
4244
0
            wolfSSL_ASN1_OBJECT_free(x509->algor.algorithm);
4245
0
            x509->algor.algorithm = NULL;
4246
0
        }
4247
0
        if (x509->key.algor) {
4248
0
            wolfSSL_X509_ALGOR_free(x509->key.algor);
4249
0
            x509->key.algor = NULL;
4250
0
        }
4251
0
        if (x509->key.pkey) {
4252
0
            wolfSSL_EVP_PKEY_free(x509->key.pkey);
4253
0
            x509->key.pkey = NULL;
4254
0
        }
4255
0
        if (x509->subjAltNameSrc != NULL) {
4256
0
            XFREE(x509->subjAltNameSrc, x509->heap, DYNAMIC_TYPE_X509_EXT);
4257
0
            x509->subjAltNameSrc= NULL;
4258
0
        }
4259
0
    #endif /* OPENSSL_ALL */
4260
    #if defined(WOLFSSL_CERT_REQ) && defined(OPENSSL_ALL)
4261
        if (x509->reqAttributes) {
4262
            wolfSSL_sk_pop_free(x509->reqAttributes, NULL);
4263
        }
4264
    #endif /* WOLFSSL_CERT_REQ */
4265
0
    if (x509->altNames) {
4266
0
        FreeAltNames(x509->altNames, x509->heap);
4267
0
        x509->altNames = NULL;
4268
0
    }
4269
4270
0
    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
4271
0
    #ifndef SINGLE_THREADED
4272
0
        wc_FreeMutex(&x509->refMutex);
4273
0
    #endif
4274
0
    #endif
4275
0
}
4276
4277
4278
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
4279
#if !defined(WOLFSSL_NO_TLS12)
4280
/* Encode the signature algorithm into buffer.
4281
 *
4282
 * hashalgo  The hash algorithm.
4283
 * hsType   The signature type.
4284
 * output    The buffer to encode into.
4285
 */
4286
static WC_INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
4287
0
{
4288
0
    switch (hsType) {
4289
0
#ifdef HAVE_ECC
4290
0
        case ecc_dsa_sa_algo:
4291
0
            output[0] = hashAlgo;
4292
0
            output[1] = ecc_dsa_sa_algo;
4293
0
            break;
4294
0
#endif
4295
0
#ifdef HAVE_ED25519
4296
0
        case ed25519_sa_algo:
4297
0
            output[0] = ED25519_SA_MAJOR;
4298
0
            output[1] = ED25519_SA_MINOR;
4299
0
            (void)hashAlgo;
4300
0
            break;
4301
0
#endif
4302
0
#ifdef HAVE_ED448
4303
0
        case ed448_sa_algo:
4304
0
            output[0] = ED448_SA_MAJOR;
4305
0
            output[1] = ED448_SA_MINOR;
4306
0
            (void)hashAlgo;
4307
0
            break;
4308
0
#endif
4309
0
#ifndef NO_RSA
4310
0
        case rsa_sa_algo:
4311
0
            output[0] = hashAlgo;
4312
0
            output[1] = rsa_sa_algo;
4313
0
            break;
4314
0
    #ifdef WC_RSA_PSS
4315
        /* PSS signatures: 0x080[4-6] */
4316
0
        case rsa_pss_sa_algo:
4317
0
            output[0] = rsa_pss_sa_algo;
4318
0
            output[1] = hashAlgo;
4319
0
            break;
4320
0
    #endif
4321
0
#endif
4322
0
        default:
4323
0
            break;
4324
0
    }
4325
0
    (void)hashAlgo;
4326
0
    (void)output;
4327
0
}
4328
#endif
4329
4330
#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_NO_CLIENT_AUTH)
4331
static void SetDigest(WOLFSSL* ssl, int hashAlgo)
4332
0
{
4333
0
    switch (hashAlgo) {
4334
0
    #ifndef NO_SHA
4335
0
        case sha_mac:
4336
0
            ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha;
4337
0
            ssl->buffers.digest.length = WC_SHA_DIGEST_SIZE;
4338
0
            break;
4339
0
    #endif /* !NO_SHA */
4340
0
    #ifndef NO_SHA256
4341
0
        case sha256_mac:
4342
0
            ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha256;
4343
0
            ssl->buffers.digest.length = WC_SHA256_DIGEST_SIZE;
4344
0
            break;
4345
0
    #endif /* !NO_SHA256 */
4346
0
    #ifdef WOLFSSL_SHA384
4347
0
        case sha384_mac:
4348
0
            ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha384;
4349
0
            ssl->buffers.digest.length = WC_SHA384_DIGEST_SIZE;
4350
0
            break;
4351
0
    #endif /* WOLFSSL_SHA384 */
4352
0
    #ifdef WOLFSSL_SHA512
4353
0
        case sha512_mac:
4354
0
            ssl->buffers.digest.buffer = ssl->hsHashes->certHashes.sha512;
4355
0
            ssl->buffers.digest.length = WC_SHA512_DIGEST_SIZE;
4356
0
            break;
4357
0
    #endif /* WOLFSSL_SHA512 */
4358
0
        default:
4359
0
            break;
4360
0
    } /* switch */
4361
0
}
4362
#endif /* !WOLFSSL_NO_TLS12 && !WOLFSSL_NO_CLIENT_AUTH */
4363
#endif /* !NO_WOLFSSL_SERVER || !NO_WOLFSSL_CLIENT */
4364
#endif /* !NO_CERTS */
4365
4366
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
4367
static word32 MacSize(WOLFSSL* ssl)
4368
0
{
4369
#ifdef HAVE_TRUNCATED_HMAC
4370
    word32 digestSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
4371
                                          : ssl->specs.hash_size;
4372
#else
4373
0
    word32 digestSz = ssl->specs.hash_size;
4374
0
#endif
4375
4376
0
    return digestSz;
4377
0
}
4378
#endif /* HAVE_ENCRYPT_THEN_MAC && !WOLFSSL_AEAD_ONLY */
4379
4380
#ifndef NO_RSA
4381
#if !defined(WOLFSSL_NO_TLS12) || \
4382
    (defined(WC_RSA_PSS) && defined(HAVE_PK_CALLBACKS))
4383
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
4384
static int TypeHash(int hashAlgo)
4385
0
{
4386
0
    switch (hashAlgo) {
4387
0
    #ifdef WOLFSSL_SHA512
4388
0
        case sha512_mac:
4389
0
            return SHA512h;
4390
0
    #endif
4391
0
    #ifdef WOLFSSL_SHA384
4392
0
        case sha384_mac:
4393
0
            return SHA384h;
4394
0
    #endif
4395
0
    #ifndef NO_SHA256
4396
0
        case sha256_mac:
4397
0
            return SHA256h;
4398
0
    #endif
4399
0
    #ifdef WOLFSSL_SHA224
4400
0
        case sha224_mac:
4401
0
            return SHA224h;
4402
0
    #endif
4403
0
    #ifndef NO_SHA
4404
0
        case sha_mac:
4405
0
            return SHAh;
4406
0
    #endif
4407
0
        default:
4408
0
            break;
4409
0
    }
4410
4411
0
    return 0;
4412
0
}
4413
#endif /* !NO_WOLFSSL_SERVER && !NO_WOLFSSL_CLIENT */
4414
#endif /* !WOLFSSL_NO_TLS12 */
4415
4416
#if defined(WC_RSA_PSS)
4417
int ConvertHashPss(int hashAlgo, enum wc_HashType* hashType, int* mgf)
4418
0
{
4419
0
    switch (hashAlgo) {
4420
0
        #ifdef WOLFSSL_SHA512
4421
0
        case sha512_mac:
4422
0
            *hashType = WC_HASH_TYPE_SHA512;
4423
0
            if (mgf != NULL)
4424
0
                *mgf = WC_MGF1SHA512;
4425
0
            break;
4426
0
        #endif
4427
0
        #ifdef WOLFSSL_SHA384
4428
0
        case sha384_mac:
4429
0
            *hashType = WC_HASH_TYPE_SHA384;
4430
0
            if (mgf != NULL)
4431
0
                *mgf = WC_MGF1SHA384;
4432
0
            break;
4433
0
        #endif
4434
0
        #ifndef NO_SHA256
4435
0
        case sha256_mac:
4436
0
            *hashType = WC_HASH_TYPE_SHA256;
4437
0
            if (mgf != NULL)
4438
0
                *mgf = WC_MGF1SHA256;
4439
0
            break;
4440
0
        #endif
4441
0
        default:
4442
0
            return BAD_FUNC_ARG;
4443
0
    }
4444
4445
0
    return 0;
4446
0
}
4447
#endif
4448
4449
#if !defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)
4450
int RsaSign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out,
4451
            word32* outSz, int sigAlgo, int hashAlgo, RsaKey* key,
4452
            DerBuffer* keyBufInfo)
4453
0
{
4454
0
    int ret;
4455
#ifdef HAVE_PK_CALLBACKS
4456
    const byte* keyBuf = NULL;
4457
    word32 keySz = 0;
4458
4459
    if (keyBufInfo) {
4460
        keyBuf = keyBufInfo->buffer;
4461
        keySz = keyBufInfo->length;
4462
    }
4463
#endif
4464
4465
0
    (void)ssl;
4466
0
    (void)keyBufInfo;
4467
0
    (void)sigAlgo;
4468
0
    (void)hashAlgo;
4469
4470
0
    WOLFSSL_ENTER("RsaSign");
4471
4472
#ifdef WOLFSSL_ASYNC_CRYPT
4473
    /* initialize event */
4474
    if (key) {
4475
        ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
4476
        if (ret != 0)
4477
            return ret;
4478
    }
4479
#endif
4480
4481
0
#if defined(WC_RSA_PSS)
4482
0
    if (sigAlgo == rsa_pss_sa_algo) {
4483
0
        enum wc_HashType hashType = WC_HASH_TYPE_NONE;
4484
0
        int mgf = 0;
4485
4486
0
        ret = ConvertHashPss(hashAlgo, &hashType, &mgf);
4487
0
        if (ret != 0)
4488
0
            return ret;
4489
4490
    #if defined(HAVE_PK_CALLBACKS)
4491
        if (ssl->ctx->RsaPssSignCb) {
4492
            void* ctx = wolfSSL_GetRsaPssSignCtx(ssl);
4493
            ret = ssl->ctx->RsaPssSignCb(ssl, in, inSz, out, outSz,
4494
                                         TypeHash(hashAlgo), mgf,
4495
                                         keyBuf, keySz, ctx);
4496
        }
4497
        else
4498
    #endif
4499
0
        {
4500
0
            ret = wc_RsaPSS_Sign(in, inSz, out, *outSz, hashType, mgf, key,
4501
0
                                                                      ssl->rng);
4502
0
        }
4503
0
    }
4504
0
    else
4505
0
#endif
4506
#if defined(HAVE_PK_CALLBACKS)
4507
    if (ssl->ctx->RsaSignCb) {
4508
        void* ctx = wolfSSL_GetRsaSignCtx(ssl);
4509
        ret = ssl->ctx->RsaSignCb(ssl, in, inSz, out, outSz, keyBuf, keySz,
4510
                                                                          ctx);
4511
    }
4512
    else
4513
#endif /*HAVE_PK_CALLBACKS */
4514
0
        ret = wc_RsaSSL_Sign(in, inSz, out, *outSz, key, ssl->rng);
4515
4516
    /* Handle async pending response */
4517
#ifdef WOLFSSL_ASYNC_CRYPT
4518
    if (key && ret == WC_PENDING_E) {
4519
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
4520
    }
4521
#endif /* WOLFSSL_ASYNC_CRYPT */
4522
4523
    /* For positive response return in outSz */
4524
0
    if (ret > 0) {
4525
0
        *outSz = ret;
4526
0
        ret = 0;
4527
0
    }
4528
4529
0
    WOLFSSL_LEAVE("RsaSign", ret);
4530
4531
0
    return ret;
4532
0
}
4533
#endif
4534
4535
int RsaVerify(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, int sigAlgo,
4536
              int hashAlgo, RsaKey* key, buffer* keyBufInfo)
4537
0
{
4538
0
    int ret = SIG_VERIFY_E;
4539
4540
#ifdef HAVE_PK_CALLBACKS
4541
    const byte* keyBuf = NULL;
4542
    word32 keySz = 0;
4543
4544
    if (keyBufInfo) {
4545
        keyBuf = keyBufInfo->buffer;
4546
        keySz = keyBufInfo->length;
4547
    }
4548
#endif
4549
4550
0
    (void)ssl;
4551
0
    (void)keyBufInfo;
4552
0
    (void)sigAlgo;
4553
0
    (void)hashAlgo;
4554
4555
0
    WOLFSSL_ENTER("RsaVerify");
4556
4557
#ifdef WOLFSSL_ASYNC_CRYPT
4558
    /* initialize event */
4559
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
4560
    if (ret != 0)
4561
        return ret;
4562
#endif
4563
4564
0
#if defined(WC_RSA_PSS)
4565
0
    if (sigAlgo == rsa_pss_sa_algo) {
4566
0
        enum wc_HashType hashType = WC_HASH_TYPE_NONE;
4567
0
        int mgf = 0;
4568
4569
0
        ret = ConvertHashPss(hashAlgo, &hashType, &mgf);
4570
0
        if (ret != 0)
4571
0
            return ret;
4572
#ifdef HAVE_PK_CALLBACKS
4573
        if (ssl->ctx->RsaPssVerifyCb) {
4574
            void* ctx = wolfSSL_GetRsaPssVerifyCtx(ssl);
4575
            ret = ssl->ctx->RsaPssVerifyCb(ssl, in, inSz, out,
4576
                                           TypeHash(hashAlgo), mgf,
4577
                                           keyBuf, keySz, ctx);
4578
        }
4579
        else
4580
#endif /*HAVE_PK_CALLBACKS */
4581
0
            ret = wc_RsaPSS_VerifyInline(in, inSz, out, hashType, mgf, key);
4582
0
    }
4583
0
    else
4584
0
#endif
4585
#ifdef HAVE_PK_CALLBACKS
4586
    if (ssl->ctx->RsaVerifyCb) {
4587
        void* ctx = wolfSSL_GetRsaVerifyCtx(ssl);
4588
        ret = ssl->ctx->RsaVerifyCb(ssl, in, inSz, out, keyBuf, keySz, ctx);
4589
    }
4590
    #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
4591
        !defined(WOLFSSL_RENESAS_TSIP_TLS)
4592
    else
4593
    #else
4594
    if (!ssl->ctx->RsaVerifyCb || ret == CRYPTOCB_UNAVAILABLE)
4595
    #endif
4596
#endif /*HAVE_PK_CALLBACKS */
4597
0
    {
4598
0
        ret = wc_RsaSSL_VerifyInline(in, inSz, out, key);
4599
0
    }
4600
4601
    /* Handle async pending response */
4602
#ifdef WOLFSSL_ASYNC_CRYPT
4603
    if (ret == WC_PENDING_E) {
4604
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
4605
    }
4606
#endif /* WOLFSSL_ASYNC_CRYPT */
4607
4608
0
    WOLFSSL_LEAVE("RsaVerify", ret);
4609
4610
0
    return ret;
4611
0
}
4612
4613
/* Verify RSA signature, 0 on success */
4614
/* This function is used to check the sign result */
4615
int VerifyRsaSign(WOLFSSL* ssl, byte* verifySig, word32 sigSz,
4616
    const byte* plain, word32 plainSz, int sigAlgo, int hashAlgo, RsaKey* key,
4617
    DerBuffer* keyBufInfo)
4618
0
{
4619
0
    byte* out = NULL;  /* inline result */
4620
0
    int   ret;
4621
#ifdef HAVE_PK_CALLBACKS
4622
    const byte* keyBuf = NULL;
4623
    word32 keySz = 0;
4624
4625
    if (keyBufInfo) {
4626
        keyBuf = keyBufInfo->buffer;
4627
        keySz = keyBufInfo->length;
4628
    }
4629
#endif
4630
4631
0
    (void)ssl;
4632
0
    (void)keyBufInfo;
4633
0
    (void)sigAlgo;
4634
0
    (void)hashAlgo;
4635
4636
0
    WOLFSSL_ENTER("VerifyRsaSign");
4637
4638
0
    if (verifySig == NULL || plain == NULL) {
4639
0
        return BAD_FUNC_ARG;
4640
0
    }
4641
4642
0
    if (sigSz > ENCRYPT_LEN) {
4643
0
        WOLFSSL_MSG("Signature buffer too big");
4644
0
        return BUFFER_E;
4645
0
    }
4646
4647
#ifdef WOLFSSL_ASYNC_CRYPT
4648
    /* initialize event */
4649
    if (key) {
4650
        ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
4651
        if (ret != 0)
4652
            return ret;
4653
    }
4654
#endif
4655
4656
0
#if defined(WC_RSA_PSS)
4657
0
    if (sigAlgo == rsa_pss_sa_algo) {
4658
0
        enum wc_HashType hashType = WC_HASH_TYPE_NONE;
4659
0
        int mgf = 0;
4660
4661
0
        ret = ConvertHashPss(hashAlgo, &hashType, &mgf);
4662
0
        if (ret != 0)
4663
0
            return ret;
4664
    #ifdef HAVE_PK_CALLBACKS
4665
        if (ssl->ctx->RsaPssSignCheckCb) {
4666
            /* The key buffer includes private/public portion,
4667
                but only public is used */
4668
            /* If HSM hardware is checking the signature result you can
4669
                optionally skip the sign check and return 0 */
4670
            /* The ctx here is the RsaSignCtx set using wolfSSL_SetRsaSignCtx */
4671
            void* ctx = wolfSSL_GetRsaPssSignCtx(ssl);
4672
            ret = ssl->ctx->RsaPssSignCheckCb(ssl, verifySig, sigSz, &out,
4673
                                           TypeHash(hashAlgo), mgf,
4674
                                           keyBuf, keySz, ctx);
4675
            if (ret > 0) {
4676
                ret = wc_RsaPSS_CheckPadding(plain, plainSz, out, ret,
4677
                                             hashType);
4678
                if (ret != 0) {
4679
                    ret = VERIFY_CERT_ERROR;
4680
                    WOLFSSL_ERROR_VERBOSE(ret);
4681
                }
4682
            }
4683
        }
4684
        else
4685
    #endif /* HAVE_PK_CALLBACKS */
4686
0
        {
4687
0
            ret = wc_RsaPSS_VerifyInline(verifySig, sigSz, &out, hashType, mgf,
4688
0
                                         key);
4689
0
            if (ret > 0) {
4690
    #ifdef HAVE_SELFTEST
4691
                ret = wc_RsaPSS_CheckPadding(plain, plainSz, out, ret,
4692
                                             hashType);
4693
    #else
4694
0
                ret = wc_RsaPSS_CheckPadding_ex(plain, plainSz, out, ret,
4695
0
                                                hashType, -1,
4696
0
                                                mp_count_bits(&key->n));
4697
0
    #endif
4698
0
                if (ret != 0) {
4699
0
                    ret = VERIFY_CERT_ERROR;
4700
0
                    WOLFSSL_ERROR_VERBOSE(ret);
4701
0
                }
4702
0
            }
4703
0
        }
4704
4705
0
    }
4706
0
    else
4707
0
#endif /* WC_RSA_PSS */
4708
0
    {
4709
    #ifdef HAVE_PK_CALLBACKS
4710
        if (ssl->ctx->RsaSignCheckCb) {
4711
            /* The key buffer includes private/public portion,
4712
                but only public is used */
4713
            /* If HSM hardware is checking the signature result you can
4714
                optionally skip the sign check and return 0 */
4715
            /* The ctx here is the RsaSignCtx set using wolfSSL_SetRsaSignCtx */
4716
            void* ctx = wolfSSL_GetRsaSignCtx(ssl);
4717
            ret = ssl->ctx->RsaSignCheckCb(ssl, verifySig, sigSz, &out,
4718
                keyBuf, keySz, ctx);
4719
        }
4720
        else
4721
    #endif /* HAVE_PK_CALLBACKS */
4722
0
        {
4723
0
            ret = wc_RsaSSL_VerifyInline(verifySig, sigSz, &out, key);
4724
0
        }
4725
4726
0
        if (ret > 0) {
4727
0
            if (ret != (int)plainSz || !out ||
4728
0
                                            XMEMCMP(plain, out, plainSz) != 0) {
4729
0
                WOLFSSL_MSG("RSA Signature verification failed");
4730
0
                ret = RSA_SIGN_FAULT;
4731
0
                WOLFSSL_ERROR_VERBOSE(ret);
4732
0
            }
4733
0
            else {
4734
0
                ret = 0;  /* RSA reset */
4735
0
            }
4736
0
        }
4737
0
    }
4738
4739
    /* Handle async pending response */
4740
#ifdef WOLFSSL_ASYNC_CRYPT
4741
    if (key && ret == WC_PENDING_E) {
4742
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
4743
    }
4744
#endif /* WOLFSSL_ASYNC_CRYPT */
4745
4746
0
    WOLFSSL_LEAVE("VerifyRsaSign", ret);
4747
4748
0
    return ret;
4749
0
}
4750
4751
#ifndef WOLFSSL_NO_TLS12
4752
4753
#if !defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)
4754
int RsaDec(WOLFSSL* ssl, byte* in, word32 inSz, byte** out, word32* outSz,
4755
    RsaKey* key, DerBuffer* keyBufInfo)
4756
0
{
4757
0
    byte *outTmp;
4758
0
    byte mask;
4759
0
    int ret;
4760
#ifdef HAVE_PK_CALLBACKS
4761
    const byte* keyBuf = NULL;
4762
    word32 keySz = 0;
4763
4764
    if (keyBufInfo) {
4765
        keyBuf = keyBufInfo->buffer;
4766
        keySz = keyBufInfo->length;
4767
    }
4768
#endif
4769
4770
0
    (void)ssl;
4771
0
    (void)keyBufInfo;
4772
4773
0
    WOLFSSL_ENTER("RsaDec");
4774
4775
0
    outTmp = *out;
4776
#ifdef WOLFSSL_ASYNC_CRYPT
4777
    /* initialize event */
4778
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
4779
    if (ret != 0)
4780
        return ret;
4781
#endif
4782
4783
#ifdef HAVE_PK_CALLBACKS
4784
    if (ssl->ctx->RsaDecCb) {
4785
        void* ctx = wolfSSL_GetRsaDecCtx(ssl);
4786
        ret = ssl->ctx->RsaDecCb(ssl, in, inSz, &outTmp, keyBuf, keySz, ctx);
4787
    }
4788
    else
4789
#endif /* HAVE_PK_CALLBACKS */
4790
0
    {
4791
0
        #ifdef WC_RSA_BLINDING
4792
0
            ret = wc_RsaSetRNG(key, ssl->rng);
4793
0
            if (ret != 0)
4794
0
                return ret;
4795
0
        #endif
4796
0
        ret = wc_RsaPrivateDecryptInline(in, inSz, &outTmp, key);
4797
0
    }
4798
4799
    /* Handle async pending response */
4800
#ifdef WOLFSSL_ASYNC_CRYPT
4801
    if (ret == WC_PENDING_E) {
4802
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
4803
    }
4804
#endif /* WOLFSSL_ASYNC_CRYPT */
4805
4806
0
    mask = ctMaskGT(ret, 0);
4807
0
    *outSz = (word32)(ret & (int)(sword8)mask);
4808
0
    ret &= (int)(sword8)(~mask);
4809
    /* Copy pointer */
4810
0
    ctMaskCopy(mask, (byte*)out, (byte*)&outTmp, sizeof(*out));
4811
4812
0
    WOLFSSL_LEAVE("RsaDec", ret);
4813
4814
0
    return ret;
4815
0
}
4816
#endif /* !NO_WOLFSSL_SERVER) || !WOLFSSL_NO_CLIENT_AUTH */
4817
4818
int RsaEnc(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out, word32* outSz,
4819
    RsaKey* key, buffer* keyBufInfo)
4820
0
{
4821
0
    int ret = BAD_FUNC_ARG;
4822
#ifdef HAVE_PK_CALLBACKS
4823
    const byte* keyBuf = NULL;
4824
    word32 keySz = 0;
4825
4826
    if (keyBufInfo) {
4827
        keyBuf = keyBufInfo->buffer;
4828
        keySz = keyBufInfo->length;
4829
    }
4830
#endif
4831
4832
0
    (void)ssl;
4833
0
    (void)keyBufInfo;
4834
4835
0
    WOLFSSL_ENTER("RsaEnc");
4836
4837
#ifdef WOLFSSL_ASYNC_CRYPT
4838
    /* initialize event */
4839
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
4840
    if (ret != 0)
4841
        return ret;
4842
#endif
4843
4844
#ifdef HAVE_PK_CALLBACKS
4845
    if (ssl->ctx->RsaEncCb) {
4846
        void* ctx = wolfSSL_GetRsaEncCtx(ssl);
4847
        ret = ssl->ctx->RsaEncCb(ssl, in, inSz, out, outSz, keyBuf, keySz, ctx);
4848
    }
4849
    #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
4850
        !defined(WOLFSSL_RENESAS_TSIP_TLS)
4851
    else
4852
    #else
4853
    if (!ssl->ctx->RsaEncCb || ret == CRYPTOCB_UNAVAILABLE)
4854
    #endif
4855
#endif /* HAVE_PK_CALLBACKS */
4856
0
    {
4857
0
        ret = wc_RsaPublicEncrypt(in, inSz, out, *outSz, key, ssl->rng);
4858
0
    }
4859
4860
    /* Handle async pending response */
4861
#ifdef WOLFSSL_ASYNC_CRYPT
4862
    if (ret == WC_PENDING_E) {
4863
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
4864
    }
4865
#endif /* WOLFSSL_ASYNC_CRYPT */
4866
4867
    /* For positive response return in outSz */
4868
0
    if (ret > 0) {
4869
0
        *outSz = ret;
4870
0
        ret = 0;
4871
0
    }
4872
4873
0
    WOLFSSL_LEAVE("RsaEnc", ret);
4874
4875
0
    return ret;
4876
0
}
4877
4878
#endif /* !WOLFSSL_NO_TLS12 */
4879
4880
#endif /* NO_RSA */
4881
4882
#ifdef HAVE_ECC
4883
4884
int EccSign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out,
4885
    word32* outSz, ecc_key* key, DerBuffer* keyBufInfo)
4886
0
{
4887
0
    int ret;
4888
#ifdef HAVE_PK_CALLBACKS
4889
    const byte* keyBuf = NULL;
4890
    word32 keySz = 0;
4891
4892
    if (keyBufInfo) {
4893
        keyBuf = keyBufInfo->buffer;
4894
        keySz = keyBufInfo->length;
4895
    }
4896
#endif
4897
4898
0
    (void)ssl;
4899
0
    (void)keyBufInfo;
4900
4901
0
    WOLFSSL_ENTER("EccSign");
4902
4903
#ifdef WOLFSSL_ASYNC_CRYPT
4904
    /* initialize event */
4905
    if (key) {
4906
        ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
4907
        if (ret != 0)
4908
            return ret;
4909
    }
4910
#endif
4911
4912
#if defined(HAVE_PK_CALLBACKS)
4913
    if (ssl->ctx->EccSignCb) {
4914
        void* ctx = wolfSSL_GetEccSignCtx(ssl);
4915
        if (ctx == NULL) {
4916
            /* Try to get the WOLFSSL_CTX EccSignCtx*/
4917
            ctx = wolfSSL_CTX_GetEccSignCtx(ssl->ctx);
4918
        }
4919
        ret = ssl->ctx->EccSignCb(ssl, in, inSz, out, outSz, keyBuf,
4920
            keySz, ctx);
4921
    }
4922
    else
4923
#endif /* HAVE_PK_CALLBACKS */
4924
0
    {
4925
0
        ret = wc_ecc_sign_hash(in, inSz, out, outSz, ssl->rng, key);
4926
0
    }
4927
4928
    /* Handle async pending response */
4929
#ifdef WOLFSSL_ASYNC_CRYPT
4930
    if (key && ret == WC_PENDING_E) {
4931
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
4932
    }
4933
#endif /* WOLFSSL_ASYNC_CRYPT */
4934
4935
0
    WOLFSSL_LEAVE("EccSign", ret);
4936
4937
0
    return ret;
4938
0
}
4939
4940
int EccVerify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* out,
4941
    word32 outSz, ecc_key* key, buffer* keyBufInfo)
4942
0
{
4943
0
    int ret = SIG_VERIFY_E;
4944
#ifdef HAVE_PK_CALLBACKS
4945
    const byte* keyBuf = NULL;
4946
    word32 keySz = 0;
4947
4948
    if (keyBufInfo) {
4949
        keyBuf = keyBufInfo->buffer;
4950
        keySz = keyBufInfo->length;
4951
    }
4952
#endif
4953
4954
0
    (void)ssl;
4955
0
    (void)keyBufInfo;
4956
4957
0
    WOLFSSL_ENTER("EccVerify");
4958
4959
#ifdef WOLFSSL_ASYNC_CRYPT
4960
    /* initialize event */
4961
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
4962
    if (ret != 0)
4963
        return ret;
4964
#endif
4965
4966
#ifdef HAVE_PK_CALLBACKS
4967
    if (ssl->ctx->EccVerifyCb) {
4968
        void* ctx = wolfSSL_GetEccVerifyCtx(ssl);
4969
        ret = ssl->ctx->EccVerifyCb(ssl, in, inSz, out, outSz, keyBuf, keySz,
4970
            &ssl->eccVerifyRes, ctx);
4971
    }
4972
    #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
4973
        !defined(WOLFSSL_RENESAS_TSIP_TLS)
4974
    else
4975
    #else
4976
    if (!ssl->ctx->EccVerifyCb || ret == CRYPTOCB_UNAVAILABLE)
4977
    #endif
4978
#endif /* HAVE_PK_CALLBACKS  */
4979
0
    {
4980
0
        ret = wc_ecc_verify_hash(in, inSz, out, outSz, &ssl->eccVerifyRes, key);
4981
0
    }
4982
4983
    /* Handle async pending response */
4984
#ifdef WOLFSSL_ASYNC_CRYPT
4985
    if (ret == WC_PENDING_E) {
4986
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
4987
    }
4988
    else
4989
#endif /* WOLFSSL_ASYNC_CRYPT */
4990
0
    {
4991
0
        if (ret != 0 || ssl->eccVerifyRes == 0) {
4992
0
            ret = VERIFY_SIGN_ERROR;
4993
0
            WOLFSSL_ERROR_VERBOSE(ret);
4994
0
        }
4995
0
        else {
4996
0
            ret = 0;
4997
0
        }
4998
0
    }
4999
5000
0
    WOLFSSL_LEAVE("EccVerify", ret);
5001
5002
0
    return ret;
5003
0
}
5004
5005
int EccSharedSecret(WOLFSSL* ssl, ecc_key* priv_key, ecc_key* pub_key,
5006
        byte* pubKeyDer, word32* pubKeySz, byte* out, word32* outlen,
5007
        int side)
5008
0
{
5009
0
    int ret;
5010
#ifdef WOLFSSL_ASYNC_CRYPT
5011
    WC_ASYNC_DEV* asyncDev = NULL;
5012
#endif
5013
5014
0
    (void)ssl;
5015
0
    (void)pubKeyDer;
5016
0
    (void)pubKeySz;
5017
0
    (void)side;
5018
5019
0
    WOLFSSL_ENTER("EccSharedSecret");
5020
5021
#ifdef WOLFSSL_ASYNC_CRYPT
5022
    /* initialize event */
5023
    if (priv_key != NULL) {
5024
        asyncDev = &priv_key->asyncDev;
5025
        ret = wolfSSL_AsyncInit(ssl, asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
5026
        if (ret != 0)
5027
            return ret;
5028
    }
5029
#endif
5030
5031
#ifdef HAVE_PK_CALLBACKS
5032
    if (ssl->ctx->EccSharedSecretCb) {
5033
        void* ctx = wolfSSL_GetEccSharedSecretCtx(ssl);
5034
        ecc_key* otherKey = (side == WOLFSSL_CLIENT_END) ? pub_key : priv_key;
5035
        ret = ssl->ctx->EccSharedSecretCb(ssl, otherKey, pubKeyDer,
5036
            pubKeySz, out, outlen, side, ctx);
5037
    }
5038
    else
5039
#endif
5040
0
    {
5041
0
#if defined(ECC_TIMING_RESISTANT) && (!defined(HAVE_FIPS) || \
5042
0
    !defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION != 2)) && \
5043
0
    !defined(HAVE_SELFTEST)
5044
0
        ret = wc_ecc_set_rng(priv_key, ssl->rng);
5045
0
        if (ret == 0)
5046
0
#endif
5047
0
        {
5048
0
            PRIVATE_KEY_UNLOCK();
5049
0
            ret = wc_ecc_shared_secret(priv_key, pub_key, out, outlen);
5050
0
            PRIVATE_KEY_LOCK();
5051
0
        }
5052
0
    }
5053
5054
    /* Handle async pending response */
5055
#ifdef WOLFSSL_ASYNC_CRYPT
5056
    if (ret == WC_PENDING_E) {
5057
        ret = wolfSSL_AsyncPush(ssl, asyncDev);
5058
    }
5059
#endif /* WOLFSSL_ASYNC_CRYPT */
5060
5061
0
    WOLFSSL_LEAVE("EccSharedSecret", ret);
5062
5063
0
    return ret;
5064
0
}
5065
5066
int EccMakeKey(WOLFSSL* ssl, ecc_key* key, ecc_key* peer)
5067
0
{
5068
0
    int ret = 0;
5069
0
    int keySz = 0;
5070
0
    int ecc_curve = ECC_CURVE_DEF;
5071
5072
0
    WOLFSSL_ENTER("EccMakeKey");
5073
5074
#ifdef WOLFSSL_ASYNC_CRYPT
5075
    /* initialize event */
5076
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_NONE);
5077
    if (ret != 0)
5078
        return ret;
5079
#endif
5080
5081
    /* get key size */
5082
0
    if (peer == NULL || peer->dp == NULL) {
5083
0
        keySz = ssl->eccTempKeySz;
5084
        /* get curve type */
5085
0
        if (ssl->ecdhCurveOID > 0) {
5086
0
            ecc_curve = wc_ecc_get_oid(ssl->ecdhCurveOID, NULL, NULL);
5087
0
        }
5088
0
    }
5089
0
    else {
5090
0
        keySz = peer->dp->size;
5091
0
        ecc_curve = peer->dp->id;
5092
0
    }
5093
5094
#ifdef HAVE_PK_CALLBACKS
5095
    if (ssl->ctx->EccKeyGenCb) {
5096
        void* ctx = wolfSSL_GetEccKeyGenCtx(ssl);
5097
        ret = ssl->ctx->EccKeyGenCb(ssl, key, keySz, ecc_curve, ctx);
5098
    }
5099
    else
5100
#endif
5101
0
    {
5102
0
        ret = wc_ecc_make_key_ex(ssl->rng, keySz, key, ecc_curve);
5103
0
    }
5104
5105
    /* make sure the curve is set for TLS */
5106
0
    if (ret == 0 && key->dp) {
5107
0
        ssl->ecdhCurveOID = key->dp->oidSum;
5108
0
    #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
5109
0
        ssl->namedGroup = 0;
5110
0
    #endif
5111
0
    }
5112
5113
    /* Handle async pending response */
5114
#ifdef WOLFSSL_ASYNC_CRYPT
5115
    if (ret == WC_PENDING_E) {
5116
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
5117
    }
5118
#endif /* WOLFSSL_ASYNC_CRYPT */
5119
5120
0
    WOLFSSL_LEAVE("EccMakeKey", ret);
5121
5122
0
    return ret;
5123
0
}
5124
#endif /* HAVE_ECC */
5125
5126
#ifdef HAVE_ED25519
5127
/* Check whether the key contains a public key.
5128
 * If not then pull it out of the leaf certificate.
5129
 *
5130
 * ssl  SSL/TLS object.
5131
 * returns MEMORY_E when unable to allocate memory, a parsing error, otherwise
5132
 * 0 on success.
5133
 */
5134
int Ed25519CheckPubKey(WOLFSSL* ssl)
5135
0
{
5136
#ifndef HAVE_ED25519_KEY_IMPORT
5137
    (void)ssl;
5138
    return NOT_COMPILED_IN;
5139
#else /* HAVE_ED25519_KEY_IMPORT */
5140
0
    ed25519_key* key = (ed25519_key*)ssl->hsKey;
5141
0
    int ret = 0;
5142
5143
    /* Public key required for signing. */
5144
0
    if (key != NULL && !key->pubKeySet) {
5145
0
        DerBuffer* leaf = ssl->buffers.certificate;
5146
0
        DecodedCert* cert = (DecodedCert*)XMALLOC(sizeof(*cert),
5147
0
                                     ssl->heap, DYNAMIC_TYPE_DCERT);
5148
0
        if (cert == NULL)
5149
0
            ret = MEMORY_E;
5150
5151
0
        if (ret == 0) {
5152
0
            InitDecodedCert(cert, leaf->buffer, leaf->length, ssl->heap);
5153
0
            ret = DecodeToKey(cert, 0);
5154
0
        }
5155
0
        if (ret == 0) {
5156
0
            ret = wc_ed25519_import_public(cert->publicKey, cert->pubKeySize,
5157
0
                                                                           key);
5158
0
        }
5159
0
        if (cert != NULL) {
5160
0
            FreeDecodedCert(cert);
5161
0
            XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
5162
0
        }
5163
0
    }
5164
5165
0
    return ret;
5166
0
#endif /* HAVE_ED25519_KEY_IMPORT */
5167
0
}
5168
5169
/* Sign the data using EdDSA and key using Ed25519.
5170
 *
5171
 * ssl    SSL object.
5172
 * in     Data or message to sign.
5173
 * inSz   Length of the data.
5174
 * out    Buffer to hold signature.
5175
 * outSz  On entry, size of the buffer. On exit, the size of the signature.
5176
 * key    The private Ed25519 key data.
5177
 * keySz  The length of the private key data in bytes.
5178
 * ctx    The callback context.
5179
 * returns 0 on success, otherwise the value is an error.
5180
 */
5181
int Ed25519Sign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out,
5182
                word32* outSz, ed25519_key* key, DerBuffer* keyBufInfo)
5183
0
{
5184
#ifndef HAVE_ED25519_SIGN
5185
    (void)ssl;
5186
    (void)in;
5187
    (void)inSz;
5188
    (void)out;
5189
    (void)outSz;
5190
    (void)key;
5191
    (void)keyBufInfo;
5192
    return NOT_COMPILED_IN;
5193
#else /* HAVE_ED25519_SIGN */
5194
0
    int ret;
5195
#ifdef HAVE_PK_CALLBACKS
5196
    const byte* keyBuf = NULL;
5197
    word32 keySz = 0;
5198
5199
    if (keyBufInfo) {
5200
        keyBuf = keyBufInfo->buffer;
5201
        keySz = keyBufInfo->length;
5202
    }
5203
#endif
5204
5205
0
    (void)ssl;
5206
0
    (void)keyBufInfo;
5207
5208
0
    WOLFSSL_ENTER("Ed25519Sign");
5209
5210
#ifdef WOLFSSL_ASYNC_CRYPT
5211
    /* initialize event */
5212
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
5213
    if (ret != 0)
5214
        return ret;
5215
#endif
5216
5217
#if defined(HAVE_PK_CALLBACKS)
5218
    if (ssl->ctx->Ed25519SignCb) {
5219
        void* ctx = wolfSSL_GetEd25519SignCtx(ssl);
5220
        ret = ssl->ctx->Ed25519SignCb(ssl, in, inSz, out, outSz, keyBuf,
5221
            keySz, ctx);
5222
    }
5223
    else
5224
#endif /* HAVE_PK_CALLBACKS */
5225
0
    {
5226
0
        ret = wc_ed25519_sign_msg(in, inSz, out, outSz, key);
5227
0
    }
5228
5229
    /* Handle async pending response */
5230
#ifdef WOLFSSL_ASYNC_CRYPT
5231
    if (ret == WC_PENDING_E) {
5232
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
5233
    }
5234
#endif /* WOLFSSL_ASYNC_CRYPT */
5235
5236
0
    WOLFSSL_LEAVE("Ed25519Sign", ret);
5237
5238
0
    return ret;
5239
0
#endif /* HAVE_ED25519_SIGN */
5240
0
}
5241
5242
/* Verify the data using EdDSA and key using Ed25519.
5243
 *
5244
 * ssl    SSL object.
5245
 * in     Signature data.
5246
 * inSz   Length of the signature data in bytes.
5247
 * msg    Message to verify.
5248
 * outSz  Length of message in bytes.
5249
 * key    The public Ed25519 key data.
5250
 * keySz  The length of the private key data in bytes.
5251
 * ctx    The callback context.
5252
 * returns 0 on success, otherwise the value is an error.
5253
 */
5254
int Ed25519Verify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* msg,
5255
                  word32 msgSz, ed25519_key* key, buffer* keyBufInfo)
5256
0
{
5257
#ifndef HAVE_ED25519_VERIFY
5258
    (void)ssl;
5259
    (void)in;
5260
    (void)inSz;
5261
    (void)msg;
5262
    (void)msgSz;
5263
    (void)key;
5264
    (void)keyBufInfo;
5265
    return NOT_COMPILED_IN;
5266
#else /* HAVE_ED25519_VERIFY */
5267
0
    int ret;
5268
#ifdef HAVE_PK_CALLBACKS
5269
    const byte* keyBuf = NULL;
5270
    word32 keySz = 0;
5271
5272
    if (keyBufInfo) {
5273
        keyBuf = keyBufInfo->buffer;
5274
        keySz = keyBufInfo->length;
5275
    }
5276
#endif
5277
5278
0
    (void)ssl;
5279
0
    (void)keyBufInfo;
5280
5281
0
    WOLFSSL_ENTER("Ed25519Verify");
5282
5283
#ifdef WOLFSSL_ASYNC_CRYPT
5284
    /* initialize event */
5285
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
5286
    if (ret != 0)
5287
        return ret;
5288
#endif
5289
5290
#ifdef HAVE_PK_CALLBACKS
5291
    if (ssl->ctx->Ed25519VerifyCb) {
5292
        void* ctx = wolfSSL_GetEd25519VerifyCtx(ssl);
5293
        ret = ssl->ctx->Ed25519VerifyCb(ssl, in, inSz, msg, msgSz, keyBuf,
5294
                                        keySz, &ssl->eccVerifyRes, ctx);
5295
    }
5296
    else
5297
#endif /* HAVE_PK_CALLBACKS  */
5298
0
    {
5299
0
        ret = wc_ed25519_verify_msg(in, inSz, msg, msgSz,
5300
0
                                    &ssl->eccVerifyRes, key);
5301
0
    }
5302
5303
    /* Handle async pending response */
5304
#ifdef WOLFSSL_ASYNC_CRYPT
5305
    if (ret == WC_PENDING_E) {
5306
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
5307
    }
5308
    else
5309
#endif /* WOLFSSL_ASYNC_CRYPT */
5310
0
    {
5311
0
        ret = (ret != 0 || ssl->eccVerifyRes == 0) ? VERIFY_SIGN_ERROR : 0;
5312
0
    }
5313
5314
0
    WOLFSSL_LEAVE("Ed25519Verify", ret);
5315
5316
0
    return ret;
5317
0
#endif /* HAVE_ED25519_VERIFY */
5318
0
}
5319
#endif /* HAVE_ED25519 */
5320
5321
#ifndef WOLFSSL_NO_TLS12
5322
5323
#ifdef HAVE_CURVE25519
5324
#ifdef HAVE_PK_CALLBACKS
5325
    /* Gets X25519 key for shared secret callback testing
5326
     * Client side: returns peer key
5327
     * Server side: returns private key
5328
     */
5329
    static int X25519GetKey(WOLFSSL* ssl, curve25519_key** otherKey)
5330
    {
5331
        int ret = NO_PEER_KEY;
5332
        struct curve25519_key* tmpKey = NULL;
5333
5334
        if (ssl == NULL || otherKey == NULL) {
5335
            return BAD_FUNC_ARG;
5336
        }
5337
5338
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
5339
            if (!ssl->peerX25519Key || !ssl->peerX25519KeyPresent ||
5340
                                       !ssl->peerX25519Key->dp) {
5341
                return NO_PEER_KEY;
5342
            }
5343
            tmpKey = (struct curve25519_key*)ssl->peerX25519Key;
5344
        }
5345
        else if (ssl->options.side == WOLFSSL_SERVER_END) {
5346
            if (!ssl->eccTempKeyPresent) {
5347
                return NO_PRIVATE_KEY;
5348
            }
5349
            tmpKey = (struct curve25519_key*)ssl->eccTempKey;
5350
        }
5351
5352
        if (tmpKey) {
5353
            *otherKey = (curve25519_key *)tmpKey;
5354
            ret = 0;
5355
        }
5356
5357
        return ret;
5358
    }
5359
#endif /* HAVE_PK_CALLBACKS */
5360
5361
static int X25519SharedSecret(WOLFSSL* ssl, curve25519_key* priv_key,
5362
        curve25519_key* pub_key, byte* pubKeyDer, word32* pubKeySz,
5363
        byte* out, word32* outlen, int side)
5364
0
{
5365
0
    int ret;
5366
5367
0
    (void)ssl;
5368
0
    (void)pubKeyDer;
5369
0
    (void)pubKeySz;
5370
0
    (void)side;
5371
5372
0
    WOLFSSL_ENTER("X25519SharedSecret");
5373
5374
#ifdef WOLFSSL_ASYNC_CRYPT
5375
    /* initialize event */
5376
    ret = wolfSSL_AsyncInit(ssl, &priv_key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
5377
    if (ret != 0)
5378
        return ret;
5379
#endif
5380
5381
#ifdef HAVE_PK_CALLBACKS
5382
    if (ssl->ctx->X25519SharedSecretCb) {
5383
        curve25519_key* otherKey = NULL;
5384
5385
        ret = X25519GetKey(ssl, &otherKey);
5386
        if (ret == 0) {
5387
            void* ctx = wolfSSL_GetX25519SharedSecretCtx(ssl);
5388
            ret = ssl->ctx->X25519SharedSecretCb(ssl, otherKey, pubKeyDer,
5389
                pubKeySz, out, outlen, side, ctx);
5390
        }
5391
    }
5392
    else
5393
#endif
5394
0
    {
5395
0
        ret = wc_curve25519_shared_secret_ex(priv_key, pub_key, out, outlen,
5396
0
                                             EC25519_LITTLE_ENDIAN);
5397
0
    }
5398
5399
    /* Handle async pending response */
5400
#ifdef WOLFSSL_ASYNC_CRYPT
5401
    if (ret == WC_PENDING_E) {
5402
        ret = wolfSSL_AsyncPush(ssl, &priv_key->asyncDev);
5403
    }
5404
#endif /* WOLFSSL_ASYNC_CRYPT */
5405
5406
0
    WOLFSSL_LEAVE("X25519SharedSecret", ret);
5407
5408
0
    return ret;
5409
0
}
5410
5411
static int X25519MakeKey(WOLFSSL* ssl, curve25519_key* key,
5412
        curve25519_key* peer)
5413
0
{
5414
0
    int ret = 0;
5415
5416
0
    (void)peer;
5417
5418
0
    WOLFSSL_ENTER("X25519MakeKey");
5419
5420
#ifdef WOLFSSL_ASYNC_CRYPT
5421
    /* initialize event */
5422
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_NONE);
5423
    if (ret != 0)
5424
        return ret;
5425
#endif
5426
5427
#ifdef HAVE_PK_CALLBACKS
5428
    if (ssl->ctx->X25519KeyGenCb) {
5429
        void* ctx = wolfSSL_GetX25519KeyGenCtx(ssl);
5430
        ret = ssl->ctx->X25519KeyGenCb(ssl, key, CURVE25519_KEYSIZE, ctx);
5431
    }
5432
    else
5433
#endif
5434
0
    {
5435
0
        ret = wc_curve25519_make_key(ssl->rng, CURVE25519_KEYSIZE, key);
5436
0
    }
5437
5438
0
    if (ret == 0) {
5439
0
        ssl->ecdhCurveOID = ECC_X25519_OID;
5440
0
    #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
5441
0
        ssl->namedGroup = 0;
5442
0
    #endif
5443
0
    }
5444
5445
    /* Handle async pending response */
5446
#ifdef WOLFSSL_ASYNC_CRYPT
5447
    if (ret == WC_PENDING_E) {
5448
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
5449
    }
5450
#endif /* WOLFSSL_ASYNC_CRYPT */
5451
5452
0
    WOLFSSL_LEAVE("X25519MakeKey", ret);
5453
5454
0
    return ret;
5455
0
}
5456
#endif /* HAVE_CURVE25519 */
5457
5458
#endif /* !WOLFSSL_NO_TLS12 */
5459
5460
#ifdef HAVE_ED448
5461
/* Check whether the key contains a public key.
5462
 * If not then pull it out of the leaf certificate.
5463
 *
5464
 * ssl  SSL/TLS object.
5465
 * returns MEMORY_E when unable to allocate memory, a parsing error, otherwise
5466
 * 0 on success.
5467
 */
5468
int Ed448CheckPubKey(WOLFSSL* ssl)
5469
0
{
5470
#ifndef HAVE_ED448_KEY_IMPORT
5471
    (void)ssl;
5472
    return NOT_COMPILED_IN;
5473
#else /* HAVE_ED448_KEY_IMPORT */
5474
0
    ed448_key* key = (ed448_key*)ssl->hsKey;
5475
0
    int ret = 0;
5476
5477
    /* Public key required for signing. */
5478
0
    if (key != NULL && !key->pubKeySet) {
5479
0
        DerBuffer* leaf = ssl->buffers.certificate;
5480
0
        DecodedCert* cert = (DecodedCert*)XMALLOC(sizeof(*cert), ssl->heap,
5481
0
            DYNAMIC_TYPE_DCERT);
5482
0
        if (cert == NULL)
5483
0
            ret = MEMORY_E;
5484
5485
0
        if (ret == 0) {
5486
0
            InitDecodedCert(cert, leaf->buffer, leaf->length, ssl->heap);
5487
0
            ret = DecodeToKey(cert, 0);
5488
0
        }
5489
0
        if (ret == 0) {
5490
0
            ret = wc_ed448_import_public(cert->publicKey, cert->pubKeySize,
5491
0
                key);
5492
0
        }
5493
0
        if (cert != NULL) {
5494
0
            FreeDecodedCert(cert);
5495
0
            XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
5496
0
        }
5497
0
    }
5498
5499
0
    return ret;
5500
0
#endif /* HAVE_ED448_KEY_IMPORT */
5501
0
}
5502
5503
/* Sign the data using EdDSA and key using Ed448.
5504
 *
5505
 * ssl    SSL object.
5506
 * in     Data or message to sign.
5507
 * inSz   Length of the data.
5508
 * out    Buffer to hold signature.
5509
 * outSz  On entry, size of the buffer. On exit, the size of the signature.
5510
 * key    The private Ed448 key data.
5511
 * keySz  The length of the private key data in bytes.
5512
 * ctx    The callback context.
5513
 * returns 0 on success, otherwise the value is an error.
5514
 */
5515
int Ed448Sign(WOLFSSL* ssl, const byte* in, word32 inSz, byte* out,
5516
              word32* outSz, ed448_key* key, DerBuffer* keyBufInfo)
5517
0
{
5518
#ifndef HAVE_ED448_SIGN
5519
    (void)ssl;
5520
    (void)in;
5521
    (void)inSz;
5522
    (void)out;
5523
    (void)outSz;
5524
    (void)key;
5525
    (void)keyBufInfo;
5526
    return NOT_COMPILED_IN;
5527
#else /* HAVE_ED448_SIGN */
5528
0
    int ret;
5529
#ifdef HAVE_PK_CALLBACKS
5530
    const byte* keyBuf = NULL;
5531
    word32 keySz = 0;
5532
5533
    if (keyBufInfo) {
5534
        keyBuf = keyBufInfo->buffer;
5535
        keySz = keyBufInfo->length;
5536
    }
5537
#endif
5538
5539
0
    (void)ssl;
5540
0
    (void)keyBufInfo;
5541
5542
0
    WOLFSSL_ENTER("Ed448Sign");
5543
5544
#ifdef WOLFSSL_ASYNC_CRYPT
5545
    /* initialize event */
5546
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
5547
    if (ret != 0)
5548
        return ret;
5549
#endif
5550
5551
#if defined(HAVE_PK_CALLBACKS)
5552
    if (ssl->ctx->Ed448SignCb) {
5553
        void* ctx = wolfSSL_GetEd448SignCtx(ssl);
5554
        ret = ssl->ctx->Ed448SignCb(ssl, in, inSz, out, outSz, keyBuf, keySz,
5555
            ctx);
5556
    }
5557
    else
5558
#endif /* HAVE_PK_CALLBACKS */
5559
0
    {
5560
0
        ret = wc_ed448_sign_msg(in, inSz, out, outSz, key, NULL, 0);
5561
0
    }
5562
5563
    /* Handle async pending response */
5564
#ifdef WOLFSSL_ASYNC_CRYPT
5565
    if (ret == WC_PENDING_E) {
5566
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
5567
    }
5568
#endif /* WOLFSSL_ASYNC_CRYPT */
5569
5570
0
    WOLFSSL_LEAVE("Ed448Sign", ret);
5571
5572
0
    return ret;
5573
0
#endif /* HAVE_ED448_SIGN */
5574
0
}
5575
5576
/* Verify the data using EdDSA and key using Ed448.
5577
 *
5578
 * ssl    SSL object.
5579
 * in     Signature data.
5580
 * inSz   Length of the signature data in bytes.
5581
 * msg    Message to verify.
5582
 * outSz  Length of message in bytes.
5583
 * key    The public Ed448 key data.
5584
 * keySz  The length of the private key data in bytes.
5585
 * ctx    The callback context.
5586
 * returns 0 on success, otherwise the value is an error.
5587
 */
5588
int Ed448Verify(WOLFSSL* ssl, const byte* in, word32 inSz, const byte* msg,
5589
                word32 msgSz, ed448_key* key, buffer* keyBufInfo)
5590
0
{
5591
#ifndef HAVE_ED448_VERIFY
5592
    (void)ssl;
5593
    (void)in;
5594
    (void)inSz;
5595
    (void)msg;
5596
    (void)msgSz;
5597
    (void)key;
5598
    (void)keyBufInfo;
5599
    return NOT_COMPILED_IN;
5600
#else /* HAVE_ED448_VERIFY */
5601
0
    int ret;
5602
#ifdef HAVE_PK_CALLBACKS
5603
    const byte* keyBuf = NULL;
5604
    word32 keySz = 0;
5605
5606
    if (keyBufInfo) {
5607
        keyBuf = keyBufInfo->buffer;
5608
        keySz = keyBufInfo->length;
5609
    }
5610
#endif
5611
5612
0
    (void)ssl;
5613
0
    (void)keyBufInfo;
5614
5615
0
    WOLFSSL_ENTER("Ed448Verify");
5616
5617
#ifdef WOLFSSL_ASYNC_CRYPT
5618
    /* initialize event */
5619
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
5620
    if (ret != 0)
5621
        return ret;
5622
#endif
5623
5624
#ifdef HAVE_PK_CALLBACKS
5625
    if (ssl->ctx->Ed448VerifyCb) {
5626
        void* ctx = wolfSSL_GetEd448VerifyCtx(ssl);
5627
        ret = ssl->ctx->Ed448VerifyCb(ssl, in, inSz, msg, msgSz, keyBuf, keySz,
5628
             &ssl->eccVerifyRes, ctx);
5629
    }
5630
    else
5631
#endif /* HAVE_PK_CALLBACKS  */
5632
0
    {
5633
0
        ret = wc_ed448_verify_msg(in, inSz, msg, msgSz, &ssl->eccVerifyRes, key,
5634
0
            NULL, 0);
5635
0
    }
5636
5637
    /* Handle async pending response */
5638
#ifdef WOLFSSL_ASYNC_CRYPT
5639
    if (ret == WC_PENDING_E) {
5640
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
5641
    }
5642
    else
5643
#endif /* WOLFSSL_ASYNC_CRYPT */
5644
0
    {
5645
0
        ret = (ret != 0 || ssl->eccVerifyRes == 0) ? VERIFY_SIGN_ERROR : 0;
5646
0
    }
5647
5648
0
    WOLFSSL_LEAVE("Ed448Verify", ret);
5649
5650
0
    return ret;
5651
0
#endif /* HAVE_ED448_VERIFY */
5652
0
}
5653
#endif /* HAVE_ED448 */
5654
5655
#ifndef WOLFSSL_NO_TLS12
5656
5657
#ifdef HAVE_CURVE448
5658
#ifdef HAVE_PK_CALLBACKS
5659
    /* Gets X448 key for shared secret callback testing
5660
     * Client side: returns peer key
5661
     * Server side: returns private key
5662
     */
5663
    static int X448GetKey(WOLFSSL* ssl, curve448_key** otherKey)
5664
    {
5665
        int ret = NO_PEER_KEY;
5666
        struct curve448_key* tmpKey = NULL;
5667
5668
        if (ssl == NULL || otherKey == NULL) {
5669
            return BAD_FUNC_ARG;
5670
        }
5671
5672
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
5673
            if (!ssl->peerX448Key || !ssl->peerX448KeyPresent) {
5674
                return NO_PEER_KEY;
5675
            }
5676
            tmpKey = (struct curve448_key*)ssl->peerX448Key;
5677
        }
5678
        else if (ssl->options.side == WOLFSSL_SERVER_END) {
5679
            if (!ssl->eccTempKeyPresent) {
5680
                return NO_PRIVATE_KEY;
5681
            }
5682
            tmpKey = (struct curve448_key*)ssl->eccTempKey;
5683
        }
5684
5685
        if (tmpKey) {
5686
            *otherKey = (curve448_key *)tmpKey;
5687
            ret = 0;
5688
        }
5689
5690
        return ret;
5691
    }
5692
#endif /* HAVE_PK_CALLBACKS */
5693
5694
static int X448SharedSecret(WOLFSSL* ssl, curve448_key* priv_key,
5695
                            curve448_key* pub_key, byte* pubKeyDer,
5696
                            word32* pubKeySz, byte* out, word32* outlen,
5697
                            int side)
5698
0
{
5699
0
    int ret;
5700
5701
0
    (void)ssl;
5702
0
    (void)pubKeyDer;
5703
0
    (void)pubKeySz;
5704
0
    (void)side;
5705
5706
0
    WOLFSSL_ENTER("X448SharedSecret");
5707
5708
#ifdef WOLFSSL_ASYNC_CRYPT
5709
    /* initialize event */
5710
    ret = wolfSSL_AsyncInit(ssl, &priv_key->asyncDev, WC_ASYNC_FLAG_CALL_AGAIN);
5711
    if (ret != 0)
5712
        return ret;
5713
#endif
5714
5715
#ifdef HAVE_PK_CALLBACKS
5716
    if (ssl->ctx->X448SharedSecretCb) {
5717
        curve448_key* otherKey = NULL;
5718
5719
        ret = X448GetKey(ssl, &otherKey);
5720
        if (ret == 0) {
5721
            void* ctx = wolfSSL_GetX448SharedSecretCtx(ssl);
5722
            ret = ssl->ctx->X448SharedSecretCb(ssl, otherKey, pubKeyDer,
5723
                pubKeySz, out, outlen, side, ctx);
5724
        }
5725
    }
5726
    else
5727
#endif
5728
0
    {
5729
0
        ret = wc_curve448_shared_secret_ex(priv_key, pub_key, out, outlen,
5730
0
            EC448_LITTLE_ENDIAN);
5731
0
    }
5732
5733
    /* Handle async pending response */
5734
#ifdef WOLFSSL_ASYNC_CRYPT
5735
    if (ret == WC_PENDING_E) {
5736
        ret = wolfSSL_AsyncPush(ssl, &priv_key->asyncDev);
5737
    }
5738
#endif /* WOLFSSL_ASYNC_CRYPT */
5739
5740
0
    WOLFSSL_LEAVE("X448SharedSecret", ret);
5741
5742
0
    return ret;
5743
0
}
5744
5745
static int X448MakeKey(WOLFSSL* ssl, curve448_key* key, curve448_key* peer)
5746
0
{
5747
0
    int ret = 0;
5748
5749
0
    (void)peer;
5750
5751
0
    WOLFSSL_ENTER("X448MakeKey");
5752
5753
#ifdef WOLFSSL_ASYNC_CRYPT
5754
    /* initialize event */
5755
    ret = wolfSSL_AsyncInit(ssl, &key->asyncDev, WC_ASYNC_FLAG_NONE);
5756
    if (ret != 0)
5757
        return ret;
5758
#endif
5759
5760
#ifdef HAVE_PK_CALLBACKS
5761
    if (ssl->ctx->X448KeyGenCb) {
5762
        void* ctx = wolfSSL_GetX448KeyGenCtx(ssl);
5763
        ret = ssl->ctx->X448KeyGenCb(ssl, key, CURVE448_KEY_SIZE, ctx);
5764
    }
5765
    else
5766
#endif
5767
0
    {
5768
0
        ret = wc_curve448_make_key(ssl->rng, CURVE448_KEY_SIZE, key);
5769
0
    }
5770
5771
0
    if (ret == 0) {
5772
0
        ssl->ecdhCurveOID = ECC_X448_OID;
5773
0
    #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
5774
0
        ssl->namedGroup = 0;
5775
0
    #endif
5776
0
    }
5777
5778
    /* Handle async pending response */
5779
#ifdef WOLFSSL_ASYNC_CRYPT
5780
    if (ret == WC_PENDING_E) {
5781
        ret = wolfSSL_AsyncPush(ssl, &key->asyncDev);
5782
    }
5783
#endif /* WOLFSSL_ASYNC_CRYPT */
5784
5785
0
    WOLFSSL_LEAVE("X448MakeKey", ret);
5786
5787
0
    return ret;
5788
0
}
5789
#endif /* HAVE_CURVE448 */
5790
5791
#endif /* !WOLFSSL_NO_TLS12 */
5792
5793
#if !defined(NO_CERTS) || !defined(NO_PSK)
5794
#if !defined(NO_DH)
5795
5796
int DhGenKeyPair(WOLFSSL* ssl, DhKey* dhKey,
5797
    byte* priv, word32* privSz,
5798
    byte* pub, word32* pubSz)
5799
0
{
5800
0
    int ret;
5801
5802
0
    WOLFSSL_ENTER("DhGenKeyPair");
5803
5804
#ifdef WOLFSSL_ASYNC_CRYPT
5805
    /* initialize event */
5806
    ret = wolfSSL_AsyncInit(ssl, &dhKey->asyncDev, WC_ASYNC_FLAG_NONE);
5807
    if (ret != 0)
5808
        return ret;
5809
#endif
5810
5811
0
    PRIVATE_KEY_UNLOCK();
5812
0
    ret = wc_DhGenerateKeyPair(dhKey, ssl->rng, priv, privSz, pub, pubSz);
5813
0
    PRIVATE_KEY_LOCK();
5814
5815
    /* Handle async pending response */
5816
#ifdef WOLFSSL_ASYNC_CRYPT
5817
    if (ret == WC_PENDING_E) {
5818
        ret = wolfSSL_AsyncPush(ssl, &dhKey->asyncDev);
5819
    }
5820
#endif /* WOLFSSL_ASYNC_CRYPT */
5821
5822
0
    WOLFSSL_LEAVE("DhGenKeyPair", ret);
5823
5824
0
    return ret;
5825
0
}
5826
5827
int DhAgree(WOLFSSL* ssl, DhKey* dhKey,
5828
    const byte* priv, word32 privSz,
5829
    const byte* otherPub, word32 otherPubSz,
5830
    byte* agree, word32* agreeSz,
5831
    const byte* prime, word32 primeSz)
5832
0
{
5833
0
    int ret;
5834
5835
0
    (void)ssl;
5836
5837
0
    WOLFSSL_ENTER("DhAgree");
5838
5839
#ifdef WOLFSSL_ASYNC_CRYPT
5840
    /* initialize event */
5841
    ret = wolfSSL_AsyncInit(ssl, &dhKey->asyncDev, WC_ASYNC_FLAG_NONE);
5842
    if (ret != 0)
5843
        return ret;
5844
#endif
5845
5846
#ifdef HAVE_PK_CALLBACKS
5847
    if (ssl->ctx->DhAgreeCb) {
5848
        void* ctx = wolfSSL_GetDhAgreeCtx(ssl);
5849
5850
        WOLFSSL_MSG("Calling DhAgree Callback Function");
5851
        ret = ssl->ctx->DhAgreeCb(ssl, dhKey, priv, privSz,
5852
                    otherPub, otherPubSz, agree, agreeSz, ctx);
5853
    }
5854
    else
5855
#endif
5856
0
    {
5857
0
#if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
5858
        /* check the public key has valid number */
5859
0
        if (dhKey != NULL && (prime == NULL || primeSz == 0)) {
5860
            /* wc_DhCheckPubKey does not do exponentiation */
5861
0
            ret = wc_DhCheckPubKey(dhKey, otherPub, otherPubSz);
5862
0
        }
5863
0
        else {
5864
0
            ret = wc_DhCheckPubValue(prime, primeSz, otherPub, otherPubSz);
5865
0
        }
5866
0
        if (ret != 0) {
5867
            /* translate to valid error (wc_DhCheckPubValue returns MP_VAL -1) */
5868
0
            ret = PEER_KEY_ERROR;
5869
0
            WOLFSSL_ERROR_VERBOSE(ret);
5870
5871
0
    #ifdef OPENSSL_EXTRA
5872
0
            SendAlert(ssl, alert_fatal, illegal_parameter);
5873
0
    #endif
5874
0
        }
5875
0
        else
5876
0
#endif
5877
0
        {
5878
0
            PRIVATE_KEY_UNLOCK();
5879
0
            ret = wc_DhAgree(dhKey, agree, agreeSz, priv, privSz, otherPub,
5880
0
                    otherPubSz);
5881
0
            PRIVATE_KEY_LOCK();
5882
0
        }
5883
0
    }
5884
5885
    /* Handle async pending response */
5886
#ifdef WOLFSSL_ASYNC_CRYPT
5887
    if (ret == WC_PENDING_E) {
5888
        ret = wolfSSL_AsyncPush(ssl, &dhKey->asyncDev);
5889
    }
5890
#endif /* WOLFSSL_ASYNC_CRYPT */
5891
5892
0
    WOLFSSL_LEAVE("DhAgree", ret);
5893
5894
0
    (void)prime;
5895
0
    (void)primeSz;
5896
5897
0
    return ret;
5898
0
}
5899
#endif /* !NO_DH */
5900
#endif /* !NO_CERTS || !NO_PSK */
5901
5902
5903
#ifdef HAVE_PK_CALLBACKS
5904
int wolfSSL_IsPrivatePkSet(WOLFSSL* ssl)
5905
{
5906
    int pkcbset = 0;
5907
    (void)ssl;
5908
5909
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
5910
                                                                !defined(NO_RSA)
5911
    if (0
5912
    #ifdef HAVE_ECC
5913
        || (ssl->ctx->EccSignCb != NULL &&
5914
                                        ssl->buffers.keyType == ecc_dsa_sa_algo)
5915
    #endif
5916
    #ifdef HAVE_ED25519
5917
        || (ssl->ctx->Ed25519SignCb != NULL &&
5918
                                        ssl->buffers.keyType == ed25519_sa_algo)
5919
    #endif
5920
    #ifdef HAVE_ED448
5921
        || (ssl->ctx->Ed448SignCb != NULL &&
5922
                                          ssl->buffers.keyType == ed448_sa_algo)
5923
    #endif
5924
    #ifndef NO_RSA
5925
        || (ssl->ctx->RsaSignCb != NULL && ssl->buffers.keyType == rsa_sa_algo)
5926
        || (ssl->ctx->RsaDecCb != NULL && ssl->buffers.keyType == rsa_kea)
5927
        #ifdef WC_RSA_PSS
5928
        || (ssl->ctx->RsaPssSignCb != NULL &&
5929
                                        ssl->buffers.keyType == rsa_pss_sa_algo)
5930
        #endif
5931
    #endif
5932
    ) {
5933
        pkcbset = 1;
5934
    }
5935
#endif
5936
    return pkcbset;
5937
}
5938
5939
int wolfSSL_CTX_IsPrivatePkSet(WOLFSSL_CTX* ctx)
5940
{
5941
    int pkcbset = 0;
5942
    (void)ctx;
5943
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
5944
                                                                !defined(NO_RSA)
5945
    if (0
5946
    #ifdef HAVE_ECC
5947
        || ctx->EccSignCb != NULL
5948
    #endif
5949
    #ifdef HAVE_ED25519
5950
        || ctx->Ed25519SignCb != NULL
5951
    #endif
5952
    #ifdef HAVE_ED448
5953
        || ctx->Ed448SignCb != NULL
5954
    #endif
5955
    #ifndef NO_RSA
5956
        || ctx->RsaSignCb != NULL
5957
        || ctx->RsaDecCb != NULL
5958
        #ifdef WC_RSA_PSS
5959
        || ctx->RsaPssSignCb != NULL
5960
        #endif
5961
    #endif
5962
    ) {
5963
        pkcbset = 1;
5964
    }
5965
#endif
5966
    return pkcbset;
5967
}
5968
#endif /* HAVE_PK_CALLBACKS */
5969
5970
5971
int InitSSL_Suites(WOLFSSL* ssl)
5972
0
{
5973
0
    int keySz = 0;
5974
0
    byte havePSK = 0;
5975
0
    byte haveAnon = 0;
5976
0
    byte haveRSA = 0;
5977
0
    byte haveMcast = 0;
5978
5979
0
    (void)haveAnon; /* Squash unused var warnings */
5980
0
    (void)haveMcast;
5981
5982
0
    if (!ssl)
5983
0
        return BAD_FUNC_ARG;
5984
5985
0
#ifndef NO_RSA
5986
0
    haveRSA = 1;
5987
0
#endif
5988
#ifndef NO_PSK
5989
    havePSK = (byte)ssl->options.havePSK;
5990
#endif /* NO_PSK */
5991
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
5992
#ifdef HAVE_ANON
5993
    haveAnon = (byte)ssl->options.haveAnon;
5994
#endif /* HAVE_ANON*/
5995
#ifdef WOLFSSL_MULTICAST
5996
    haveMcast = (byte)ssl->options.haveMcast;
5997
#endif /* WOLFSSL_MULTICAST */
5998
0
#endif /* !NO_CERTS && !WOLFSSL_SESSION_EXPORT */
5999
6000
#ifdef WOLFSSL_EARLY_DATA
6001
    if (ssl->options.side == WOLFSSL_SERVER_END)
6002
        ssl->options.maxEarlyDataSz = ssl->ctx->maxEarlyDataSz;
6003
#endif
6004
0
#if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
6005
0
               ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
6006
0
                (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
6007
0
    ssl->options.cacheMessages = ssl->options.side == WOLFSSL_SERVER_END ||
6008
0
                                      ssl->buffers.keyType == ed25519_sa_algo ||
6009
0
                                      ssl->buffers.keyType == ed448_sa_algo;
6010
0
#endif
6011
6012
0
#ifndef NO_CERTS
6013
0
    keySz = ssl->buffers.keySz;
6014
0
#endif
6015
6016
    /* make sure server has DH parms, and add PSK if there */
6017
0
    if (ssl->options.side == WOLFSSL_SERVER_END) {
6018
0
        InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
6019
0
                   ssl->options.haveDH, ssl->options.haveECDSAsig,
6020
0
                   ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
6021
0
                   ssl->options.haveFalconSig, ssl->options.haveDilithiumSig,
6022
0
                   ssl->options.haveAnon, TRUE, ssl->options.side);
6023
0
    }
6024
0
    else {
6025
0
        InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK, TRUE,
6026
0
                   ssl->options.haveECDSAsig, ssl->options.haveECC, TRUE,
6027
0
                   ssl->options.haveStaticECC, ssl->options.haveFalconSig,
6028
0
                   ssl->options.haveDilithiumSig, ssl->options.haveAnon, TRUE,
6029
0
                   ssl->options.side);
6030
0
    }
6031
6032
0
#if !defined(NO_CERTS) && !defined(WOLFSSL_SESSION_EXPORT)
6033
    /* make sure server has cert and key unless using PSK, Anon, or
6034
     * Multicast. This should be true even if just switching ssl ctx */
6035
0
    if (ssl->options.side == WOLFSSL_SERVER_END &&
6036
0
            !havePSK && !haveAnon && !haveMcast) {
6037
6038
        /* server certificate must be loaded */
6039
0
        if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer) {
6040
0
            WOLFSSL_MSG("Server missing certificate");
6041
0
            WOLFSSL_ERROR_VERBOSE(NO_PRIVATE_KEY);
6042
0
            return NO_PRIVATE_KEY;
6043
0
        }
6044
6045
0
        if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
6046
            /* allow no private key if using existing key */
6047
0
        #ifdef WOLF_PRIVATE_KEY_ID
6048
0
            if (ssl->devId != INVALID_DEVID
6049
            #ifdef HAVE_PK_CALLBACKS
6050
                || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
6051
            #endif
6052
0
            ) {
6053
0
                WOLFSSL_MSG("Allowing no server private key (external)");
6054
0
            }
6055
0
            else
6056
0
        #endif
6057
0
            {
6058
0
                WOLFSSL_MSG("Server missing private key");
6059
0
                WOLFSSL_ERROR_VERBOSE(NO_PRIVATE_KEY);
6060
0
                return NO_PRIVATE_KEY;
6061
0
            }
6062
0
        }
6063
0
    }
6064
0
#endif
6065
6066
0
    return WOLFSSL_SUCCESS;
6067
0
}
6068
6069
/* returns new reference count. Arg incr positive=up or negative=down */
6070
int SSL_CTX_RefCount(WOLFSSL_CTX* ctx, int incr)
6071
0
{
6072
0
    int refCount;
6073
6074
0
    if (ctx == NULL) {
6075
0
        return BAD_FUNC_ARG;
6076
0
    }
6077
6078
0
    if (wc_LockMutex(&ctx->countMutex) != 0) {
6079
0
        WOLFSSL_MSG("Couldn't lock CTX count mutex");
6080
0
        WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
6081
0
        return BAD_MUTEX_E;
6082
0
    }
6083
6084
0
    ctx->refCount += incr;
6085
    /* make sure refCount is never negative */
6086
0
    if (ctx->refCount < 0) {
6087
0
        ctx->refCount = 0;
6088
0
    }
6089
0
    refCount = ctx->refCount;
6090
6091
0
    wc_UnLockMutex(&ctx->countMutex);
6092
6093
0
    return refCount;
6094
0
}
6095
6096
/* This function inherits a WOLFSSL_CTX's fields into an SSL object.
6097
   It is used during initialization and to switch an ssl's CTX with
6098
   wolfSSL_Set_SSL_CTX.  Requires ssl->suites alloc and ssl-arrays with PSK
6099
   unless writeDup is on.
6100
6101
   ssl      object to initialize
6102
   ctx      parent factory
6103
   writeDup flag indicating this is a write dup only
6104
6105
   WOLFSSL_SUCCESS return value on success */
6106
int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
6107
0
{
6108
0
    int ret;
6109
0
    byte newSSL;
6110
6111
0
    if (!ssl || !ctx)
6112
0
        return BAD_FUNC_ARG;
6113
6114
0
#ifndef SINGLE_THREADED
6115
0
    if (ssl->suites == NULL && !writeDup)
6116
0
        return BAD_FUNC_ARG;
6117
0
#endif
6118
6119
0
    newSSL = ssl->ctx == NULL; /* Assign after null check */
6120
6121
#ifndef NO_PSK
6122
    if (ctx->server_hint[0] && ssl->arrays == NULL && !writeDup) {
6123
        return BAD_FUNC_ARG;  /* needed for copy below */
6124
    }
6125
#endif
6126
6127
    /* decrement previous CTX reference count if exists.
6128
     * This should only happen if switching ctxs!*/
6129
0
    if (!newSSL) {
6130
0
        WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx.");
6131
0
        wolfSSL_CTX_free(ssl->ctx);
6132
0
    }
6133
6134
    /* increment CTX reference count */
6135
0
    if ((ret = SSL_CTX_RefCount(ctx, 1)) < 0) {
6136
0
        return ret;
6137
0
    }
6138
0
    ret = WOLFSSL_SUCCESS; /* set default ret */
6139
6140
0
    ssl->ctx     = ctx; /* only for passing to calls, options could change */
6141
    /* Don't change version on a SSL object that has already started a
6142
     * handshake */
6143
0
    if (!ssl->msgsReceived.got_client_hello &&
6144
0
            !ssl->msgsReceived.got_server_hello)
6145
0
        ssl->version = ctx->method->version;
6146
0
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
6147
0
    ssl->options.mask = ctx->mask;
6148
0
    ssl->options.minProto = ctx->minProto;
6149
0
    ssl->options.maxProto = ctx->maxProto;
6150
0
#endif
6151
0
#ifdef OPENSSL_EXTRA
6152
0
    #ifdef WOLFSSL_TLS13
6153
0
    if (ssl->version.minor == TLSv1_3_MINOR &&
6154
0
     (ssl->options.mask & SSL_OP_NO_TLSv1_3) == SSL_OP_NO_TLSv1_3) {
6155
0
        if (!ctx->method->downgrade) {
6156
0
            WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.3 set but not "
6157
0
                        "allowed and downgrading disabled.");
6158
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
6159
0
            return VERSION_ERROR;
6160
0
        }
6161
0
        WOLFSSL_MSG("\tOption set to not allow TLSv1.3, Downgrading");
6162
0
        ssl->version.minor = TLSv1_2_MINOR;
6163
0
    }
6164
0
    #endif
6165
0
    if (ssl->version.minor == TLSv1_2_MINOR &&
6166
0
     (ssl->options.mask & SSL_OP_NO_TLSv1_2) == SSL_OP_NO_TLSv1_2) {
6167
0
        if (!ctx->method->downgrade) {
6168
0
            WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.2 set but not "
6169
0
                        "allowed and downgrading disabled.");
6170
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
6171
0
            return VERSION_ERROR;
6172
0
        }
6173
0
        WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
6174
0
        ssl->version.minor = TLSv1_1_MINOR;
6175
0
    }
6176
0
    if (ssl->version.minor == TLSv1_1_MINOR &&
6177
0
     (ssl->options.mask & SSL_OP_NO_TLSv1_1) == SSL_OP_NO_TLSv1_1) {
6178
0
        if (!ctx->method->downgrade) {
6179
0
            WOLFSSL_MSG("\tInconsistent protocol options. TLS 1.1 set but not "
6180
0
                        "allowed and downgrading disabled.");
6181
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
6182
0
            return VERSION_ERROR;
6183
0
        }
6184
0
        WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
6185
0
        ssl->options.tls1_1 = 0;
6186
0
        ssl->version.minor = TLSv1_MINOR;
6187
0
    }
6188
0
    if (ssl->version.minor == TLSv1_MINOR &&
6189
0
        (ssl->options.mask & SSL_OP_NO_TLSv1) == SSL_OP_NO_TLSv1) {
6190
0
        if (!ctx->method->downgrade) {
6191
0
            WOLFSSL_MSG("\tInconsistent protocol options. TLS 1 set but not "
6192
0
                        "allowed and downgrading disabled.");
6193
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
6194
0
            return VERSION_ERROR;
6195
0
        }
6196
0
        WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
6197
0
        ssl->options.tls    = 0;
6198
0
        ssl->options.tls1_1 = 0;
6199
0
        ssl->version.minor = SSLv3_MINOR;
6200
0
    }
6201
0
    if (ssl->version.minor == SSLv3_MINOR &&
6202
0
        (ssl->options.mask & SSL_OP_NO_SSLv3) == SSL_OP_NO_SSLv3) {
6203
0
        WOLFSSL_MSG("\tError, option set to not allow SSLv3");
6204
0
        WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
6205
0
        return VERSION_ERROR;
6206
0
    }
6207
6208
0
    if (ssl->version.minor < ssl->options.minDowngrade) {
6209
0
        WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
6210
0
        WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
6211
0
        return VERSION_ERROR;
6212
0
    }
6213
0
#endif
6214
6215
0
#ifdef HAVE_ECC
6216
0
    ssl->eccTempKeySz = ctx->eccTempKeySz;
6217
0
    ssl->ecdhCurveOID = ctx->ecdhCurveOID;
6218
0
#endif
6219
0
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
6220
0
    ssl->pkCurveOID = ctx->pkCurveOID;
6221
0
#endif
6222
6223
0
#ifdef OPENSSL_EXTRA
6224
0
    ssl->CBIS         = ctx->CBIS;
6225
0
#endif
6226
0
    ssl->timeout = ctx->timeout;
6227
0
    ssl->verifyCallback    = ctx->verifyCallback;
6228
    /* If we are setting the ctx on an already initialized SSL object
6229
     * then we possibly already have a side defined. Don't overwrite unless
6230
     * the context has a well defined role. */
6231
0
    if (newSSL || ctx->method->side != WOLFSSL_NEITHER_END)
6232
0
        ssl->options.side      = ctx->method->side;
6233
0
    ssl->options.downgrade    = ctx->method->downgrade;
6234
0
    ssl->options.minDowngrade = ctx->minDowngrade;
6235
6236
0
    ssl->options.haveRSA          = ctx->haveRSA;
6237
0
    ssl->options.haveDH           = ctx->haveDH;
6238
0
    ssl->options.haveECDSAsig     = ctx->haveECDSAsig;
6239
0
    ssl->options.haveECC          = ctx->haveECC;
6240
0
    ssl->options.haveStaticECC    = ctx->haveStaticECC;
6241
0
    ssl->options.haveFalconSig    = ctx->haveFalconSig;
6242
0
    ssl->options.haveDilithiumSig = ctx->haveDilithiumSig;
6243
6244
#ifndef NO_PSK
6245
    ssl->options.havePSK       = ctx->havePSK;
6246
    ssl->options.client_psk_cb = ctx->client_psk_cb;
6247
    ssl->options.server_psk_cb = ctx->server_psk_cb;
6248
    ssl->options.psk_ctx       = ctx->psk_ctx;
6249
#ifdef WOLFSSL_TLS13
6250
    ssl->options.client_psk_cs_cb    = ctx->client_psk_cs_cb;
6251
    ssl->options.client_psk_tls13_cb = ctx->client_psk_tls13_cb;
6252
    ssl->options.server_psk_tls13_cb = ctx->server_psk_tls13_cb;
6253
#endif
6254
#endif /* NO_PSK */
6255
#ifdef WOLFSSL_EARLY_DATA
6256
    if (ssl->options.side == WOLFSSL_SERVER_END)
6257
        ssl->options.maxEarlyDataSz = ctx->maxEarlyDataSz;
6258
#endif
6259
6260
#ifdef HAVE_ANON
6261
    ssl->options.haveAnon = ctx->haveAnon;
6262
#endif
6263
0
#ifndef NO_DH
6264
0
    ssl->options.minDhKeySz = ctx->minDhKeySz;
6265
0
    ssl->options.maxDhKeySz = ctx->maxDhKeySz;
6266
0
#endif
6267
0
#ifndef NO_RSA
6268
0
    ssl->options.minRsaKeySz = ctx->minRsaKeySz;
6269
0
#endif
6270
0
#ifdef HAVE_ECC
6271
0
    ssl->options.minEccKeySz = ctx->minEccKeySz;
6272
0
#endif
6273
#ifdef HAVE_PQC
6274
#ifdef HAVE_FALCON
6275
    ssl->options.minFalconKeySz = ctx->minFalconKeySz;
6276
#endif /* HAVE_FALCON */
6277
#ifdef HAVE_DILITHIUM
6278
    ssl->options.minDilithiumKeySz = ctx->minDilithiumKeySz;
6279
#endif /* HAVE_DILITHIUM */
6280
#endif /* HAVE_PQC */
6281
0
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
6282
0
    ssl->options.verifyDepth = ctx->verifyDepth;
6283
0
#endif
6284
6285
0
    ssl->options.sessionCacheOff      = ctx->sessionCacheOff;
6286
0
    ssl->options.sessionCacheFlushOff = ctx->sessionCacheFlushOff;
6287
0
#ifdef HAVE_EXT_CACHE
6288
0
    ssl->options.internalCacheOff     = ctx->internalCacheOff;
6289
0
    ssl->options.internalCacheLookupOff = ctx->internalCacheLookupOff;
6290
0
#endif
6291
6292
0
    ssl->options.verifyPeer     = ctx->verifyPeer;
6293
0
    ssl->options.verifyNone     = ctx->verifyNone;
6294
0
    ssl->options.failNoCert     = ctx->failNoCert;
6295
0
    ssl->options.failNoCertxPSK = ctx->failNoCertxPSK;
6296
0
    ssl->options.sendVerify     = ctx->sendVerify;
6297
6298
0
    ssl->options.partialWrite  = ctx->partialWrite;
6299
0
    ssl->options.quietShutdown = ctx->quietShutdown;
6300
0
    ssl->options.groupMessages = ctx->groupMessages;
6301
6302
0
#ifndef NO_DH
6303
0
    #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
6304
0
        !defined(HAVE_SELFTEST)
6305
0
        ssl->options.dhKeyTested = ctx->dhKeyTested;
6306
0
    #endif
6307
0
    ssl->buffers.serverDH_P = ctx->serverDH_P;
6308
0
    ssl->buffers.serverDH_G = ctx->serverDH_G;
6309
0
#endif
6310
6311
0
#ifndef NO_CERTS
6312
    /* ctx still owns certificate, certChain, key, dh, and cm */
6313
0
    ssl->buffers.certificate = ctx->certificate;
6314
0
    ssl->buffers.certChain = ctx->certChain;
6315
0
#ifdef WOLFSSL_TLS13
6316
0
    ssl->buffers.certChainCnt = ctx->certChainCnt;
6317
0
#endif
6318
0
    ssl->buffers.key      = ctx->privateKey;
6319
0
    ssl->buffers.keyType  = ctx->privateKeyType;
6320
0
    ssl->buffers.keyId    = ctx->privateKeyId;
6321
0
    ssl->buffers.keyLabel = ctx->privateKeyLabel;
6322
0
    ssl->buffers.keySz    = ctx->privateKeySz;
6323
0
    ssl->buffers.keyDevId = ctx->privateKeyDevId;
6324
0
#endif
6325
0
#if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
6326
0
               ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
6327
0
                (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
6328
0
    ssl->options.cacheMessages = ssl->options.side == WOLFSSL_SERVER_END ||
6329
0
                                      ssl->buffers.keyType == ed25519_sa_algo ||
6330
0
                                      ssl->buffers.keyType == ed448_sa_algo;
6331
0
#endif
6332
6333
6334
#ifdef WOLFSSL_ASYNC_CRYPT
6335
    ssl->devId = ctx->devId;
6336
#endif
6337
6338
0
    if (writeDup == 0) {
6339
#ifndef NO_PSK
6340
        if (ctx->server_hint[0]) {   /* set in CTX */
6341
            XSTRNCPY(ssl->arrays->server_hint, ctx->server_hint,
6342
                                    sizeof(ssl->arrays->server_hint));
6343
            ssl->arrays->server_hint[MAX_PSK_ID_LEN] = '\0'; /* null term */
6344
        }
6345
#endif /* NO_PSK */
6346
6347
0
        if (ctx->suites) {
6348
0
#ifndef SINGLE_THREADED
6349
0
            *ssl->suites = *ctx->suites;
6350
#else
6351
            ssl->suites = ctx->suites;
6352
#endif
6353
0
        }
6354
0
        else {
6355
0
            XMEMSET(ssl->suites, 0, sizeof(Suites));
6356
0
        }
6357
6358
0
        if (ssl->options.side != WOLFSSL_NEITHER_END) {
6359
            /* Defer initializing suites until accept or connect */
6360
0
            ret = InitSSL_Suites(ssl);
6361
0
        }
6362
0
    }  /* writeDup check */
6363
6364
0
    if (ctx->mask != 0 && wolfSSL_set_options(ssl, ctx->mask) == 0) {
6365
0
        WOLFSSL_MSG("wolfSSL_set_options error");
6366
0
        return BAD_FUNC_ARG;
6367
0
    }
6368
6369
#ifdef WOLFSSL_SESSION_EXPORT
6370
    #ifdef WOLFSSL_DTLS
6371
    ssl->dtls_export = ctx->dtls_export; /* export function for session */
6372
    #endif
6373
#endif
6374
6375
#ifdef WOLFSSL_WOLFSENTRY_HOOKS
6376
    ssl->AcceptFilter = ctx->AcceptFilter;
6377
    ssl->AcceptFilter_arg = ctx->AcceptFilter_arg;
6378
    ssl->ConnectFilter = ctx->ConnectFilter;
6379
    ssl->ConnectFilter_arg = ctx->ConnectFilter_arg;
6380
#endif
6381
6382
0
#ifdef OPENSSL_EXTRA
6383
0
    ssl->readAhead = ctx->readAhead;
6384
0
#endif
6385
0
#if defined(OPENSSL_EXTRA) && !defined(NO_BIO)
6386
    /* Don't change recv callback if currently using BIO's */
6387
0
    if (ssl->CBIORecv != BioReceive)
6388
0
#endif
6389
0
        ssl->CBIORecv = ctx->CBIORecv;
6390
0
#if defined(OPENSSL_EXTRA) && !defined(NO_BIO)
6391
    /* Don't change send callback if currently using BIO's */
6392
0
    if (ssl->CBIOSend != BioSend)
6393
0
#endif
6394
0
        ssl->CBIOSend = ctx->CBIOSend;
6395
0
    ssl->verifyDepth = ctx->verifyDepth;
6396
6397
0
    return ret;
6398
0
}
6399
6400
int InitHandshakeHashes(WOLFSSL* ssl)
6401
0
{
6402
0
    int ret;
6403
6404
    /* make sure existing handshake hashes are free'd */
6405
0
    if (ssl->hsHashes != NULL) {
6406
0
        FreeHandshakeHashes(ssl);
6407
0
    }
6408
6409
    /* allocate handshake hashes */
6410
0
    ssl->hsHashes = (HS_Hashes*)XMALLOC(sizeof(HS_Hashes), ssl->heap,
6411
0
                                                           DYNAMIC_TYPE_HASHES);
6412
0
    if (ssl->hsHashes == NULL) {
6413
0
        WOLFSSL_MSG("HS_Hashes Memory error");
6414
0
        return MEMORY_E;
6415
0
    }
6416
0
    XMEMSET(ssl->hsHashes, 0, sizeof(HS_Hashes));
6417
6418
0
#ifndef NO_OLD_TLS
6419
0
#ifndef NO_MD5
6420
0
    ret = wc_InitMd5_ex(&ssl->hsHashes->hashMd5, ssl->heap, ssl->devId);
6421
0
    if (ret != 0)
6422
0
        return ret;
6423
0
    #ifdef WOLFSSL_HASH_FLAGS
6424
0
        wc_Md5SetFlags(&ssl->hsHashes->hashMd5, WC_HASH_FLAG_WILLCOPY);
6425
0
    #endif
6426
0
#endif
6427
0
#ifndef NO_SHA
6428
0
    ret = wc_InitSha_ex(&ssl->hsHashes->hashSha, ssl->heap, ssl->devId);
6429
0
    if (ret != 0)
6430
0
        return ret;
6431
0
    #ifdef WOLFSSL_HASH_FLAGS
6432
0
        wc_ShaSetFlags(&ssl->hsHashes->hashSha, WC_HASH_FLAG_WILLCOPY);
6433
0
    #endif
6434
0
#endif
6435
0
#endif /* !NO_OLD_TLS */
6436
0
#ifndef NO_SHA256
6437
0
    ret = wc_InitSha256_ex(&ssl->hsHashes->hashSha256, ssl->heap, ssl->devId);
6438
0
    if (ret != 0)
6439
0
        return ret;
6440
0
    #ifdef WOLFSSL_HASH_FLAGS
6441
0
        wc_Sha256SetFlags(&ssl->hsHashes->hashSha256, WC_HASH_FLAG_WILLCOPY);
6442
0
    #endif
6443
0
#endif
6444
0
#ifdef WOLFSSL_SHA384
6445
0
    ret = wc_InitSha384_ex(&ssl->hsHashes->hashSha384, ssl->heap, ssl->devId);
6446
0
    if (ret != 0)
6447
0
        return ret;
6448
0
    #ifdef WOLFSSL_HASH_FLAGS
6449
0
        wc_Sha384SetFlags(&ssl->hsHashes->hashSha384, WC_HASH_FLAG_WILLCOPY);
6450
0
    #endif
6451
0
#endif
6452
0
#ifdef WOLFSSL_SHA512
6453
0
    ret = wc_InitSha512_ex(&ssl->hsHashes->hashSha512, ssl->heap, ssl->devId);
6454
0
    if (ret != 0)
6455
0
        return ret;
6456
0
    #ifdef WOLFSSL_HASH_FLAGS
6457
0
        wc_Sha512SetFlags(&ssl->hsHashes->hashSha512, WC_HASH_FLAG_WILLCOPY);
6458
0
    #endif
6459
0
#endif
6460
6461
0
    return ret;
6462
0
}
6463
6464
void FreeHandshakeHashes(WOLFSSL* ssl)
6465
0
{
6466
0
    if (ssl->hsHashes) {
6467
0
#ifndef NO_OLD_TLS
6468
0
    #ifndef NO_MD5
6469
0
        wc_Md5Free(&ssl->hsHashes->hashMd5);
6470
0
    #endif
6471
0
    #ifndef NO_SHA
6472
0
        wc_ShaFree(&ssl->hsHashes->hashSha);
6473
0
    #endif
6474
0
#endif /* !NO_OLD_TLS */
6475
0
    #ifndef NO_SHA256
6476
0
        wc_Sha256Free(&ssl->hsHashes->hashSha256);
6477
0
    #endif
6478
0
    #ifdef WOLFSSL_SHA384
6479
0
        wc_Sha384Free(&ssl->hsHashes->hashSha384);
6480
0
    #endif
6481
0
    #ifdef WOLFSSL_SHA512
6482
0
        wc_Sha512Free(&ssl->hsHashes->hashSha512);
6483
0
    #endif
6484
0
    #if (defined(HAVE_ED25519) || defined(HAVE_ED448)) && \
6485
0
                                                !defined(WOLFSSL_NO_CLIENT_AUTH)
6486
0
        if (ssl->hsHashes->messages != NULL) {
6487
0
            ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
6488
0
            XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
6489
0
            ssl->hsHashes->messages = NULL;
6490
0
         }
6491
0
    #endif
6492
6493
0
        XFREE(ssl->hsHashes, ssl->heap, DYNAMIC_TYPE_HASHES);
6494
0
        ssl->hsHashes = NULL;
6495
0
    }
6496
0
}
6497
6498
/* called if user attempts to re-use WOLFSSL object for a new session.
6499
 * For example wolfSSL_clear() is called then wolfSSL_connect or accept */
6500
int ReinitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
6501
0
{
6502
0
    int ret = 0;
6503
6504
    /* arrays */
6505
0
    if (!writeDup && ssl->arrays == NULL) {
6506
0
        ssl->arrays = (Arrays*)XMALLOC(sizeof(Arrays), ssl->heap,
6507
0
                                                           DYNAMIC_TYPE_ARRAYS);
6508
0
        if (ssl->arrays == NULL) {
6509
0
            WOLFSSL_MSG("Arrays Memory error");
6510
0
            return MEMORY_E;
6511
0
        }
6512
#ifdef WOLFSSL_CHECK_MEM_ZERO
6513
        wc_MemZero_Add("SSL Arrays", ssl->arrays, sizeof(*ssl->arrays));
6514
#endif
6515
0
        XMEMSET(ssl->arrays, 0, sizeof(Arrays));
6516
0
#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_SNIFFER)
6517
0
        ssl->arrays->preMasterSz = ENCRYPT_LEN;
6518
0
        ssl->arrays->preMasterSecret = (byte*)XMALLOC(ENCRYPT_LEN, ssl->heap,
6519
0
            DYNAMIC_TYPE_SECRET);
6520
0
        if (ssl->arrays->preMasterSecret == NULL) {
6521
0
            return MEMORY_E;
6522
0
        }
6523
#ifdef WOLFSSL_CHECK_MEM_ZERO
6524
        wc_MemZero_Add("SSL Arrays", ssl->arrays->preMasterSecret, ENCRYPT_LEN);
6525
#endif
6526
0
        XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN);
6527
0
#endif
6528
0
    }
6529
6530
    /* RNG */
6531
#ifdef SINGLE_THREADED
6532
    if (ssl->rng == NULL) {
6533
        ssl->rng = ctx->rng; /* CTX may have one, if so use it */
6534
    }
6535
#endif
6536
0
    if (ssl->rng == NULL) {
6537
0
        ssl->rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), ssl->heap,DYNAMIC_TYPE_RNG);
6538
0
        if (ssl->rng == NULL) {
6539
0
            WOLFSSL_MSG("RNG Memory error");
6540
0
            return MEMORY_E;
6541
0
        }
6542
0
        XMEMSET(ssl->rng, 0, sizeof(WC_RNG));
6543
0
        ssl->options.weOwnRng = 1;
6544
6545
        /* FIPS RNG API does not accept a heap hint */
6546
0
#ifndef HAVE_FIPS
6547
0
        if ( (ret = wc_InitRng_ex(ssl->rng, ssl->heap, ssl->devId)) != 0) {
6548
0
            WOLFSSL_MSG("RNG Init error");
6549
0
            return ret;
6550
0
        }
6551
#else
6552
        if ( (ret = wc_InitRng(ssl->rng)) != 0) {
6553
            WOLFSSL_MSG("RNG Init error");
6554
            return ret;
6555
        }
6556
#endif
6557
0
    }
6558
0
    (void)ctx;
6559
6560
0
    return ret;
6561
0
}
6562
6563
/* init everything to 0, NULL, default values before calling anything that may
6564
   fail so that destructor has a "good" state to cleanup
6565
6566
   ssl      object to initialize
6567
   ctx      parent factory
6568
   writeDup flag indicating this is a write dup only
6569
6570
   0 on success */
6571
int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
6572
0
{
6573
0
    int  ret;
6574
6575
0
    XMEMSET(ssl, 0, sizeof(WOLFSSL));
6576
#ifdef WOLFSSL_CHECK_MEM_ZERO
6577
    wc_MemZero_Add("SSL Keys", &ssl->keys, sizeof(ssl->keys));
6578
#ifdef WOLFSSL_TLS13
6579
    wc_MemZero_Add("SSL client secret", &ssl->clientSecret,
6580
        sizeof(ssl->clientSecret));
6581
    wc_MemZero_Add("SSL client secret", &ssl->serverSecret,
6582
        sizeof(ssl->serverSecret));
6583
#endif
6584
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
6585
    wc_MemZero_Add("ClientFinished hash", &ssl->clientFinished,
6586
        TLS_FINISHED_SZ_MAX);
6587
    wc_MemZero_Add("ServerFinished hash", &ssl->serverFinished,
6588
        TLS_FINISHED_SZ_MAX);
6589
#endif
6590
#endif
6591
6592
#if defined(WOLFSSL_STATIC_MEMORY)
6593
    if (ctx->heap != NULL) {
6594
        WOLFSSL_HEAP_HINT* ssl_hint;
6595
        WOLFSSL_HEAP_HINT* ctx_hint;
6596
6597
        /* avoid dereferencing a test value */
6598
    #ifdef WOLFSSL_HEAP_TEST
6599
        if (ctx->heap == (void*)WOLFSSL_HEAP_TEST) {
6600
            ssl->heap = ctx->heap;
6601
        }
6602
        else {
6603
    #endif
6604
        ssl->heap = (WOLFSSL_HEAP_HINT*)XMALLOC(sizeof(WOLFSSL_HEAP_HINT),
6605
                                               ctx->heap, DYNAMIC_TYPE_SSL);
6606
        if (ssl->heap == NULL) {
6607
            return MEMORY_E;
6608
        }
6609
        XMEMSET(ssl->heap, 0, sizeof(WOLFSSL_HEAP_HINT));
6610
        ssl_hint = ((WOLFSSL_HEAP_HINT*)(ssl->heap));
6611
        ctx_hint = ((WOLFSSL_HEAP_HINT*)(ctx->heap));
6612
6613
        /* lock and check IO count / handshake count */
6614
        if (wc_LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) {
6615
            WOLFSSL_MSG("Bad memory_mutex lock");
6616
            XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL);
6617
            ssl->heap = NULL; /* free and set to NULL for IO counter */
6618
            WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
6619
            return BAD_MUTEX_E;
6620
        }
6621
        if (ctx_hint->memory->maxHa > 0 &&
6622
                           ctx_hint->memory->maxHa <= ctx_hint->memory->curHa) {
6623
            WOLFSSL_MSG("At max number of handshakes for static memory");
6624
            wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
6625
            XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL);
6626
            ssl->heap = NULL; /* free and set to NULL for IO counter */
6627
            return MEMORY_E;
6628
        }
6629
6630
        if (ctx_hint->memory->maxIO > 0 &&
6631
                           ctx_hint->memory->maxIO <= ctx_hint->memory->curIO) {
6632
            WOLFSSL_MSG("At max number of IO allowed for static memory");
6633
            wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
6634
            XFREE(ssl->heap, ctx->heap, DYNAMIC_TYPE_SSL);
6635
            ssl->heap = NULL; /* free and set to NULL for IO counter */
6636
            return MEMORY_E;
6637
        }
6638
        ctx_hint->memory->curIO++;
6639
        ctx_hint->memory->curHa++;
6640
        ssl_hint->memory = ctx_hint->memory;
6641
        ssl_hint->haFlag = 1;
6642
        wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
6643
6644
        /* check if tracking stats */
6645
        if (ctx_hint->memory->flag & WOLFMEM_TRACK_STATS) {
6646
            ssl_hint->stats = (WOLFSSL_MEM_CONN_STATS*)XMALLOC(
6647
               sizeof(WOLFSSL_MEM_CONN_STATS), ctx->heap, DYNAMIC_TYPE_SSL);
6648
            if (ssl_hint->stats == NULL) {
6649
                return MEMORY_E;
6650
            }
6651
            XMEMSET(ssl_hint->stats, 0, sizeof(WOLFSSL_MEM_CONN_STATS));
6652
        }
6653
6654
        /* check if using fixed IO buffers */
6655
        if (ctx_hint->memory->flag & WOLFMEM_IO_POOL_FIXED) {
6656
            if (wc_LockMutex(&(ctx_hint->memory->memory_mutex)) != 0) {
6657
                WOLFSSL_MSG("Bad memory_mutex lock");
6658
                WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
6659
                return BAD_MUTEX_E;
6660
            }
6661
            if (SetFixedIO(ctx_hint->memory, &(ssl_hint->inBuf)) != 1) {
6662
                wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
6663
                return MEMORY_E;
6664
            }
6665
            if (SetFixedIO(ctx_hint->memory, &(ssl_hint->outBuf)) != 1) {
6666
                wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
6667
                return MEMORY_E;
6668
            }
6669
            if (ssl_hint->outBuf == NULL || ssl_hint->inBuf == NULL) {
6670
                WOLFSSL_MSG("Not enough memory to create fixed IO buffers");
6671
                wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
6672
                return MEMORY_E;
6673
            }
6674
            wc_UnLockMutex(&(ctx_hint->memory->memory_mutex));
6675
        }
6676
    #ifdef WOLFSSL_HEAP_TEST
6677
        }
6678
    #endif
6679
    }
6680
    else {
6681
        ssl->heap = ctx->heap;
6682
    }
6683
#else
6684
0
    ssl->heap = ctx->heap; /* carry over user heap without static memory */
6685
0
#endif /* WOLFSSL_STATIC_MEMORY */
6686
6687
0
    ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
6688
0
    ssl->buffers.inputBuffer.bufferSize  = STATIC_BUFFER_LEN;
6689
6690
0
    ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer;
6691
0
    ssl->buffers.outputBuffer.bufferSize  = STATIC_BUFFER_LEN;
6692
6693
0
#ifdef KEEP_PEER_CERT
6694
0
    InitX509(&ssl->peerCert, 0, ssl->heap);
6695
0
#endif
6696
6697
0
    ssl->rfd = -1;   /* set to invalid descriptor */
6698
0
    ssl->wfd = -1;
6699
0
    ssl->devId = ctx->devId; /* device for async HW (from wolfAsync_DevOpen) */
6700
6701
    /* initialize states */
6702
0
    ssl->options.serverState = NULL_STATE;
6703
0
    ssl->options.clientState = NULL_STATE;
6704
0
    ssl->options.connectState = CONNECT_BEGIN;
6705
0
    ssl->options.acceptState  = ACCEPT_BEGIN;
6706
0
    ssl->options.handShakeState  = NULL_STATE;
6707
0
    ssl->options.processReply = doProcessInit;
6708
0
    ssl->options.asyncState = TLS_ASYNC_BEGIN;
6709
0
    ssl->options.buildMsgState = BUILD_MSG_BEGIN;
6710
0
    ssl->encrypt.state = CIPHER_STATE_BEGIN;
6711
0
    ssl->decrypt.state = CIPHER_STATE_BEGIN;
6712
0
#ifndef NO_DH
6713
0
    #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
6714
0
        !defined(HAVE_SELFTEST)
6715
0
        ssl->options.dhDoKeyTest = 1;
6716
0
    #endif
6717
0
#endif
6718
6719
#ifdef WOLFSSL_DTLS
6720
    #ifdef WOLFSSL_SCTP
6721
        ssl->options.dtlsSctp           = ctx->dtlsSctp;
6722
    #endif
6723
    #ifdef WOLFSSL_SRTP
6724
        ssl->dtlsSrtpProfiles           = ctx->dtlsSrtpProfiles;
6725
    #endif
6726
    #if defined(WOLFSSL_SCTP) || defined(WOLFSSL_DTLS_MTU)
6727
        ssl->dtlsMtuSz                  = ctx->dtlsMtuSz;
6728
        /* Add some bytes so that we can operate with slight difference
6729
         * in set MTU size on each peer */
6730
        ssl->dtls_expected_rx           = ssl->dtlsMtuSz +
6731
                                            DTLS_MTU_ADDITIONAL_READ_BUFFER;
6732
    #else
6733
        ssl->dtls_expected_rx = MAX_MTU;
6734
    #endif
6735
    ssl->dtls_timeout_init              = DTLS_TIMEOUT_INIT;
6736
    ssl->dtls_timeout_max               = DTLS_TIMEOUT_MAX;
6737
    ssl->dtls_timeout                   = ssl->dtls_timeout_init;
6738
6739
    ssl->buffers.dtlsCtx.rfd            = -1;
6740
    ssl->buffers.dtlsCtx.wfd            = -1;
6741
6742
    ssl->IOCB_ReadCtx  = &ssl->buffers.dtlsCtx;  /* prevent invalid pointer access if not */
6743
    ssl->IOCB_WriteCtx = &ssl->buffers.dtlsCtx;  /* correctly set */
6744
#else
6745
#ifdef HAVE_NETX
6746
    ssl->IOCB_ReadCtx  = &ssl->nxCtx;  /* default NetX IO ctx, same for read */
6747
    ssl->IOCB_WriteCtx = &ssl->nxCtx;  /* and write */
6748
#elif defined(WOLFSSL_APACHE_MYNEWT) && !defined(WOLFSSL_LWIP)
6749
    ssl->mnCtx = mynewt_ctx_new();
6750
    if(!ssl->mnCtx) {
6751
        return MEMORY_E;
6752
    }
6753
    ssl->IOCB_ReadCtx  = ssl->mnCtx;  /* default Mynewt IO ctx, same for read */
6754
    ssl->IOCB_WriteCtx = ssl->mnCtx;  /* and write */
6755
#elif defined (WOLFSSL_GNRC)
6756
    ssl->IOCB_ReadCtx = ssl->gnrcCtx;
6757
    ssl->IOCB_WriteCtx = ssl->gnrcCtx;
6758
#else
6759
0
    ssl->IOCB_ReadCtx  = &ssl->rfd;  /* prevent invalid pointer access if not */
6760
0
    ssl->IOCB_WriteCtx = &ssl->wfd;  /* correctly set */
6761
0
#endif
6762
0
#endif
6763
6764
6765
0
#ifndef WOLFSSL_AEAD_ONLY
6766
0
    #ifndef NO_OLD_TLS
6767
0
        ssl->hmac = SSL_hmac; /* default to SSLv3 */
6768
    #elif !defined(WOLFSSL_NO_TLS12) && !defined(NO_TLS)
6769
      #if !defined(WOLFSSL_RENESAS_SCEPROTECT) && \
6770
          !defined(WOLFSSL_RENESAS_TSIP_TLS)
6771
        ssl->hmac = TLS_hmac;
6772
      #else
6773
        ssl->hmac = Renesas_cmn_TLS_hmac;
6774
      #endif
6775
    #endif
6776
0
#endif
6777
6778
#if defined(WOLFSSL_OPENVPN) && defined(HAVE_KEYING_MATERIAL)
6779
    /* Save arrays by default for OpenVPN */
6780
    ssl->options.saveArrays = 1;
6781
#endif
6782
6783
0
    ssl->cipher.ssl = ssl;
6784
6785
0
#ifdef HAVE_EXTENDED_MASTER
6786
0
    ssl->options.haveEMS = ctx->haveEMS;
6787
0
#endif
6788
0
    ssl->options.useClientOrder = ctx->useClientOrder;
6789
0
    ssl->options.mutualAuth = ctx->mutualAuth;
6790
6791
0
#ifdef WOLFSSL_TLS13
6792
0
    #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SERVER)
6793
0
        ssl->options.maxTicketTls13 = ctx->maxTicketTls13;
6794
0
    #endif
6795
0
    #ifdef HAVE_SESSION_TICKET
6796
0
        ssl->options.noTicketTls13  = ctx->noTicketTls13;
6797
0
    #endif
6798
0
    ssl->options.noPskDheKe = ctx->noPskDheKe;
6799
    #if defined(WOLFSSL_POST_HANDSHAKE_AUTH)
6800
        ssl->options.postHandshakeAuth = ctx->postHandshakeAuth;
6801
        ssl->options.verifyPostHandshake = ctx->verifyPostHandshake;
6802
    #endif
6803
6804
0
    if (ctx->numGroups > 0) {
6805
0
        XMEMCPY(ssl->group, ctx->group, sizeof(*ctx->group) * ctx->numGroups);
6806
0
        ssl->numGroups = ctx->numGroups;
6807
0
    }
6808
0
#endif
6809
6810
0
#ifdef HAVE_TLS_EXTENSIONS
6811
#ifdef HAVE_MAX_FRAGMENT
6812
    ssl->max_fragment = MAX_RECORD_SIZE;
6813
#endif
6814
#ifdef HAVE_ALPN
6815
    ssl->alpn_client_list = NULL;
6816
    #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
6817
        ssl->alpnSelect    = ctx->alpnSelect;
6818
        ssl->alpnSelectArg = ctx->alpnSelectArg;
6819
    #endif
6820
    #if !defined(NO_BIO) && defined(OPENSSL_EXTRA)
6821
        if (ctx->alpn_cli_protos != NULL && ctx->alpn_cli_protos_len > 0) {
6822
            ret = wolfSSL_set_alpn_protos(ssl, ctx->alpn_cli_protos,
6823
                                            ctx->alpn_cli_protos_len);
6824
        #if defined(WOLFSSL_ERROR_CODE_OPENSSL)
6825
            if (ret) {
6826
        #else
6827
            if (!ret) {
6828
        #endif
6829
                WOLFSSL_MSG("failed to set alpn protos to ssl object");
6830
                return ret;
6831
            }
6832
        }
6833
    #endif
6834
#endif
6835
0
#ifdef HAVE_SUPPORTED_CURVES
6836
0
    ssl->options.userCurves = ctx->userCurves;
6837
0
#endif
6838
0
#endif /* HAVE_TLS_EXTENSIONS */
6839
6840
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
6841
0
    ssl->options.disallowEncThenMac = ctx->disallowEncThenMac;
6842
0
#endif
6843
6844
    /* default alert state (none) */
6845
0
    ssl->alert_history.last_rx.code  = -1;
6846
0
    ssl->alert_history.last_rx.level = -1;
6847
0
    ssl->alert_history.last_tx.code  = -1;
6848
0
    ssl->alert_history.last_tx.level = -1;
6849
6850
0
#ifdef OPENSSL_EXTRA
6851
    /* copy over application session context ID */
6852
0
    ssl->sessionCtxSz = ctx->sessionCtxSz;
6853
0
    XMEMCPY(ssl->sessionCtx, ctx->sessionCtx, ctx->sessionCtxSz);
6854
0
    ssl->cbioFlag = ctx->cbioFlag;
6855
6856
0
    ssl->protoMsgCb  = ctx->protoMsgCb;
6857
0
    ssl->protoMsgCtx = ctx->protoMsgCtx;
6858
6859
    /* follow default behavior of setting toInfoOn similar to
6860
     * wolfSSL_set_msg_callback when the callback is set */
6861
0
    if (ctx->protoMsgCb != NULL) {
6862
0
        ssl->toInfoOn = 1;
6863
0
    }
6864
6865
0
    ssl->disabledCurves = ctx->disabledCurves;
6866
0
#endif
6867
6868
0
    InitCiphers(ssl);
6869
0
    InitCipherSpecs(&ssl->specs);
6870
6871
    /* all done with init, now can return errors, call other stuff */
6872
0
    if ((ret = ReinitSSL(ssl, ctx, writeDup)) != 0) {
6873
0
        return ret;
6874
0
    }
6875
6876
0
    if (!writeDup) {
6877
0
#ifdef OPENSSL_EXTRA
6878
0
        if ((ssl->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
6879
0
                                    sizeof(WOLFSSL_X509_VERIFY_PARAM),
6880
0
                                    ssl->heap, DYNAMIC_TYPE_OPENSSL)) == NULL) {
6881
0
            WOLFSSL_MSG("ssl->param memory error");
6882
0
            return MEMORY_E;
6883
0
        }
6884
0
        XMEMSET(ssl->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
6885
0
#endif
6886
6887
#ifdef SINGLE_THREADED
6888
        if (ctx->suites == NULL)
6889
#endif
6890
0
        {
6891
            /* suites */
6892
0
            ssl->suites = (Suites*)XMALLOC(sizeof(Suites), ssl->heap,
6893
0
                                       DYNAMIC_TYPE_SUITES);
6894
0
            if (ssl->suites == NULL) {
6895
0
                WOLFSSL_MSG("Suites Memory error");
6896
0
                return MEMORY_E;
6897
0
            }
6898
0
        #ifdef OPENSSL_ALL
6899
0
            ssl->suites->stack = NULL;
6900
0
        #endif
6901
#ifdef SINGLE_THREADED
6902
            ssl->options.ownSuites = 1;
6903
#endif
6904
0
        }
6905
#ifdef SINGLE_THREADED
6906
        else {
6907
            ssl->options.ownSuites = 0;
6908
        }
6909
#endif
6910
0
    } /* !writeDup */
6911
6912
    /* Initialize SSL with the appropriate fields from it's ctx */
6913
    /* requires valid arrays and suites unless writeDup ing */
6914
0
    if ((ret = SetSSL_CTX(ssl, ctx, writeDup)) != WOLFSSL_SUCCESS)
6915
0
        return ret;
6916
6917
0
    ssl->options.dtls = ssl->version.major == DTLS_MAJOR;
6918
6919
#ifdef HAVE_WRITE_DUP
6920
    if (writeDup) {
6921
        /* all done */
6922
        return 0;
6923
    }
6924
#endif
6925
6926
    /* hsHashes */
6927
0
    ret = InitHandshakeHashes(ssl);
6928
0
    if (ret != 0)
6929
0
        return ret;
6930
6931
#if defined(WOLFSSL_DTLS) && !defined(NO_WOLFSSL_SERVER)
6932
    if (ssl->options.dtls && ssl->options.side == WOLFSSL_SERVER_END) {
6933
        ret = wolfSSL_DTLS_SetCookieSecret(ssl, NULL, 0);
6934
        if (ret != 0) {
6935
            WOLFSSL_MSG("DTLS Cookie Secret error");
6936
            return ret;
6937
        }
6938
    }
6939
#endif /* WOLFSSL_DTLS && !NO_WOLFSSL_SERVER */
6940
6941
#ifdef HAVE_SECRET_CALLBACK
6942
    ssl->sessionSecretCb  = NULL;
6943
    ssl->sessionSecretCtx = NULL;
6944
#ifdef WOLFSSL_TLS13
6945
    ssl->tls13SecretCb  = NULL;
6946
    ssl->tls13SecretCtx = NULL;
6947
#endif
6948
#endif
6949
#if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK)
6950
    if (ctx->keyLogCb != NULL) {
6951
        ssl->keyLogCb = SessionSecret_callback;
6952
#if defined(WOLFSSL_TLS13)
6953
        ssl->tls13KeyLogCb = SessionSecret_callback_Tls13;
6954
#endif /*WOLFSSL_TLS13*/
6955
    }
6956
#endif /*OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */
6957
6958
0
    ssl->session = wolfSSL_NewSession(ssl->heap);
6959
0
    if (ssl->session == NULL) {
6960
0
        WOLFSSL_MSG("SSL Session Memory error");
6961
0
        return MEMORY_E;
6962
0
    }
6963
6964
0
#ifdef HAVE_SESSION_TICKET
6965
0
    ssl->options.noTicketTls12 = ctx->noTicketTls12;
6966
0
#endif
6967
6968
#ifdef WOLFSSL_MULTICAST
6969
    if (ctx->haveMcast) {
6970
        int i;
6971
6972
        ssl->options.haveMcast = 1;
6973
        ssl->options.mcastID = ctx->mcastID;
6974
6975
        /* Force the state to look like handshake has completed. */
6976
        /* Keying material is supplied externally. */
6977
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
6978
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
6979
        ssl->options.connectState = SECOND_REPLY_DONE;
6980
        ssl->options.acceptState = ACCEPT_THIRD_REPLY_DONE;
6981
        ssl->options.handShakeState = HANDSHAKE_DONE;
6982
        ssl->options.handShakeDone = 1;
6983
6984
        for (i = 0; i < WOLFSSL_DTLS_PEERSEQ_SZ; i++)
6985
            ssl->keys.peerSeq[i].peerId = INVALID_PEER_ID;
6986
    }
6987
#endif
6988
6989
#ifdef HAVE_SECURE_RENEGOTIATION
6990
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
6991
        int useSecureReneg = ssl->ctx->useSecureReneg;
6992
        /* use secure renegotiation by default (not recommend) */
6993
    #ifdef WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
6994
        useSecureReneg = 1;
6995
    #endif
6996
        if (useSecureReneg) {
6997
            ret = wolfSSL_UseSecureRenegotiation(ssl);
6998
            if (ret != WOLFSSL_SUCCESS)
6999
                return ret;
7000
            }
7001
    }
7002
#endif /* HAVE_SECURE_RENEGOTIATION */
7003
7004
7005
#ifdef WOLFSSL_DTLS13
7006
    /* setup 0 (un-protected) epoch */
7007
    ssl->dtls13Epochs[0].isValid = 1;
7008
    ssl->dtls13Epochs[0].side = ENCRYPT_AND_DECRYPT_SIDE;
7009
    ssl->dtls13EncryptEpoch = &ssl->dtls13Epochs[0];
7010
    ssl->dtls13DecryptEpoch = &ssl->dtls13Epochs[0];
7011
    ssl->options.dtls13SendMoreAcks = WOLFSSL_DTLS13_SEND_MOREACK_DEFAULT;
7012
    ssl->dtls13Rtx.rtxRecordTailPtr = &ssl->dtls13Rtx.rtxRecords;
7013
#endif /* WOLFSSL_DTLS13 */
7014
7015
#ifdef WOLFSSL_QUIC
7016
    if (ctx->quic.method) {
7017
        ret = wolfSSL_set_quic_method(ssl, ctx->quic.method);
7018
        if (ret != WOLFSSL_SUCCESS)
7019
            return ret;
7020
    }
7021
#endif
7022
0
    return 0;
7023
0
}
7024
7025
7026
/* free use of temporary arrays */
7027
void FreeArrays(WOLFSSL* ssl, int keep)
7028
0
{
7029
0
    if (ssl->arrays) {
7030
0
        if (keep && !IsAtLeastTLSv1_3(ssl->version)) {
7031
            /* keeps session id for user retrieval */
7032
0
            XMEMCPY(ssl->session->sessionID, ssl->arrays->sessionID, ID_LEN);
7033
0
            ssl->session->sessionIDSz = ssl->arrays->sessionIDSz;
7034
0
        }
7035
0
        if (ssl->arrays->preMasterSecret) {
7036
0
            ForceZero(ssl->arrays->preMasterSecret, ENCRYPT_LEN);
7037
0
            XFREE(ssl->arrays->preMasterSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
7038
0
            ssl->arrays->preMasterSecret = NULL;
7039
0
        }
7040
0
        XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
7041
0
        ssl->arrays->pendingMsg = NULL;
7042
0
        ForceZero(ssl->arrays, sizeof(Arrays)); /* clear arrays struct */
7043
0
    }
7044
0
    XFREE(ssl->arrays, ssl->heap, DYNAMIC_TYPE_ARRAYS);
7045
0
    ssl->arrays = NULL;
7046
0
}
7047
7048
void FreeKey(WOLFSSL* ssl, int type, void** pKey)
7049
0
{
7050
0
    if (ssl && pKey && *pKey) {
7051
0
        switch (type) {
7052
0
        #ifndef NO_RSA
7053
0
            case DYNAMIC_TYPE_RSA:
7054
0
                wc_FreeRsaKey((RsaKey*)*pKey);
7055
0
                break;
7056
0
        #endif /* ! NO_RSA */
7057
0
        #ifdef HAVE_ECC
7058
0
            case DYNAMIC_TYPE_ECC:
7059
0
                wc_ecc_free((ecc_key*)*pKey);
7060
0
                break;
7061
0
        #endif /* HAVE_ECC */
7062
0
        #ifdef HAVE_ED25519
7063
0
            case DYNAMIC_TYPE_ED25519:
7064
0
                wc_ed25519_free((ed25519_key*)*pKey);
7065
0
                break;
7066
0
        #endif /* HAVE_ED25519 */
7067
0
        #ifdef HAVE_CURVE25519
7068
0
            case DYNAMIC_TYPE_CURVE25519:
7069
0
                wc_curve25519_free((curve25519_key*)*pKey);
7070
0
                break;
7071
0
        #endif /* HAVE_CURVE25519 */
7072
0
        #ifdef HAVE_ED448
7073
0
            case DYNAMIC_TYPE_ED448:
7074
0
                wc_ed448_free((ed448_key*)*pKey);
7075
0
                break;
7076
0
        #endif /* HAVE_ED448 */
7077
0
        #ifdef HAVE_CURVE448
7078
0
            case DYNAMIC_TYPE_CURVE448:
7079
0
                wc_curve448_free((curve448_key*)*pKey);
7080
0
                break;
7081
0
        #endif /* HAVE_CURVE448 */
7082
        #if defined(HAVE_PQC)
7083
        #if defined(HAVE_FALCON)
7084
            case DYNAMIC_TYPE_FALCON:
7085
                wc_falcon_free((falcon_key*)*pKey);
7086
                break;
7087
        #endif /* HAVE_FALCON */
7088
        #if defined(HAVE_DILITHIUM)
7089
            case DYNAMIC_TYPE_DILITHIUM:
7090
                wc_dilithium_free((dilithium_key*)*pKey);
7091
                break;
7092
        #endif /* HAVE_DILITHIUM */
7093
        #endif /* HAVE_PQC */
7094
0
        #ifndef NO_DH
7095
0
            case DYNAMIC_TYPE_DH:
7096
0
                wc_FreeDhKey((DhKey*)*pKey);
7097
0
                break;
7098
0
        #endif /* !NO_DH */
7099
0
            default:
7100
0
                break;
7101
0
        }
7102
0
        XFREE(*pKey, ssl->heap, type);
7103
7104
        /* Reset pointer */
7105
0
        *pKey = NULL;
7106
0
    }
7107
0
}
7108
7109
int AllocKey(WOLFSSL* ssl, int type, void** pKey)
7110
0
{
7111
0
    int ret = BAD_FUNC_ARG;
7112
0
    int sz = 0;
7113
7114
0
    if (ssl == NULL || pKey == NULL) {
7115
0
        return BAD_FUNC_ARG;
7116
0
    }
7117
7118
    /* Sanity check key destination */
7119
0
    if (*pKey != NULL) {
7120
0
        WOLFSSL_MSG("Key already present!");
7121
0
        return BAD_STATE_E;
7122
0
    }
7123
7124
    /* Determine size */
7125
0
    switch (type) {
7126
0
    #ifndef NO_RSA
7127
0
        case DYNAMIC_TYPE_RSA:
7128
0
            sz = sizeof(RsaKey);
7129
0
            break;
7130
0
    #endif /* ! NO_RSA */
7131
0
    #ifdef HAVE_ECC
7132
0
        case DYNAMIC_TYPE_ECC:
7133
0
            sz = sizeof(ecc_key);
7134
0
            break;
7135
0
    #endif /* HAVE_ECC */
7136
0
    #ifdef HAVE_ED25519
7137
0
        case DYNAMIC_TYPE_ED25519:
7138
0
            sz = sizeof(ed25519_key);
7139
0
            break;
7140
0
    #endif /* HAVE_ED25519 */
7141
0
    #ifdef HAVE_CURVE25519
7142
0
        case DYNAMIC_TYPE_CURVE25519:
7143
0
            sz = sizeof(curve25519_key);
7144
0
            break;
7145
0
    #endif /* HAVE_CURVE25519 */
7146
0
    #ifdef HAVE_ED448
7147
0
        case DYNAMIC_TYPE_ED448:
7148
0
            sz = sizeof(ed448_key);
7149
0
            break;
7150
0
    #endif /* HAVE_ED448 */
7151
0
    #ifdef HAVE_CURVE448
7152
0
        case DYNAMIC_TYPE_CURVE448:
7153
0
            sz = sizeof(curve448_key);
7154
0
            break;
7155
0
    #endif /* HAVE_CURVE448 */
7156
    #if defined(HAVE_PQC)
7157
    #if defined(HAVE_FALCON)
7158
        case DYNAMIC_TYPE_FALCON:
7159
            sz = sizeof(falcon_key);
7160
            break;
7161
    #endif /* HAVE_FALCON */
7162
    #if defined(HAVE_DILITHIUM)
7163
        case DYNAMIC_TYPE_DILITHIUM:
7164
            sz = sizeof(dilithium_key);
7165
            break;
7166
    #endif /* HAVE_DILITHIUM */
7167
    #endif /* HAVE_PQC */
7168
0
    #ifndef NO_DH
7169
0
        case DYNAMIC_TYPE_DH:
7170
0
            sz = sizeof(DhKey);
7171
0
            break;
7172
0
    #endif /* !NO_DH */
7173
0
        default:
7174
0
            return BAD_FUNC_ARG;
7175
0
    }
7176
7177
    /* Allocate memory for key */
7178
0
    *pKey = (void *)XMALLOC(sz, ssl->heap, type);
7179
0
    if (*pKey == NULL) {
7180
0
        return MEMORY_E;
7181
0
    }
7182
7183
    /* Initialize key */
7184
0
    switch (type) {
7185
0
    #ifndef NO_RSA
7186
0
        case DYNAMIC_TYPE_RSA:
7187
0
            ret = wc_InitRsaKey_ex((RsaKey*)*pKey, ssl->heap, ssl->devId);
7188
0
            break;
7189
0
    #endif /* ! NO_RSA */
7190
0
    #ifdef HAVE_ECC
7191
0
        case DYNAMIC_TYPE_ECC:
7192
0
            ret = wc_ecc_init_ex((ecc_key*)*pKey, ssl->heap, ssl->devId);
7193
0
            break;
7194
0
    #endif /* HAVE_ECC */
7195
0
    #ifdef HAVE_ED25519
7196
0
        case DYNAMIC_TYPE_ED25519:
7197
0
            wc_ed25519_init_ex((ed25519_key*)*pKey, ssl->heap, ssl->devId);
7198
0
            ret = 0;
7199
0
            break;
7200
0
    #endif /* HAVE_CURVE25519 */
7201
0
    #ifdef HAVE_CURVE25519
7202
0
        case DYNAMIC_TYPE_CURVE25519:
7203
0
            wc_curve25519_init_ex((curve25519_key*)*pKey, ssl->heap, ssl->devId);
7204
0
            ret = 0;
7205
0
            break;
7206
0
    #endif /* HAVE_CURVE25519 */
7207
0
    #ifdef HAVE_ED448
7208
0
        case DYNAMIC_TYPE_ED448:
7209
0
            wc_ed448_init_ex((ed448_key*)*pKey, ssl->heap, ssl->devId);
7210
0
            ret = 0;
7211
0
            break;
7212
0
    #endif /* HAVE_CURVE448 */
7213
    #if defined(HAVE_PQC)
7214
    #if defined(HAVE_FALCON)
7215
        case DYNAMIC_TYPE_FALCON:
7216
            wc_falcon_init((falcon_key*)*pKey);
7217
            ret = 0;
7218
            break;
7219
    #endif /* HAVE_FALCON */
7220
    #if defined(HAVE_DILITHIUM)
7221
        case DYNAMIC_TYPE_DILITHIUM:
7222
            wc_dilithium_init((dilithium_key*)*pKey);
7223
            ret = 0;
7224
            break;
7225
    #endif /* HAVE_DILITHIUM */
7226
    #endif /* HAVE_PQC */
7227
0
    #ifdef HAVE_CURVE448
7228
0
        case DYNAMIC_TYPE_CURVE448:
7229
0
            wc_curve448_init((curve448_key*)*pKey);
7230
0
            ret = 0;
7231
0
            break;
7232
0
    #endif /* HAVE_CURVE448 */
7233
0
    #ifndef NO_DH
7234
0
        case DYNAMIC_TYPE_DH:
7235
0
            ret = wc_InitDhKey_ex((DhKey*)*pKey, ssl->heap, ssl->devId);
7236
0
            break;
7237
0
    #endif /* !NO_DH */
7238
0
        default:
7239
0
            return BAD_FUNC_ARG;
7240
0
    }
7241
7242
    /* On error free handshake key */
7243
0
    if (ret != 0) {
7244
0
        FreeKey(ssl, type, pKey);
7245
0
    }
7246
7247
0
    return ret;
7248
0
}
7249
7250
#if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
7251
    defined(HAVE_CURVE25519) || defined(HAVE_ED448) || \
7252
    defined(HAVE_CURVE448) || (defined(HAVE_PQC) && defined(HAVE_FALCON)) || \
7253
    (defined(HAVE_PQC) && defined(HAVE_DILITHIUM))
7254
static int ReuseKey(WOLFSSL* ssl, int type, void* pKey)
7255
0
{
7256
0
    int ret = 0;
7257
7258
0
    (void)ssl;
7259
7260
0
    switch (type) {
7261
0
    #ifndef NO_RSA
7262
0
        case DYNAMIC_TYPE_RSA:
7263
0
            wc_FreeRsaKey((RsaKey*)pKey);
7264
0
            ret = wc_InitRsaKey_ex((RsaKey*)pKey, ssl->heap, ssl->devId);
7265
0
            break;
7266
0
    #endif /* ! NO_RSA */
7267
0
    #ifdef HAVE_ECC
7268
0
        case DYNAMIC_TYPE_ECC:
7269
0
            wc_ecc_free((ecc_key*)pKey);
7270
0
            ret = wc_ecc_init_ex((ecc_key*)pKey, ssl->heap, ssl->devId);
7271
0
            break;
7272
0
    #endif /* HAVE_ECC */
7273
0
    #ifdef HAVE_ED25519
7274
0
        case DYNAMIC_TYPE_ED25519:
7275
0
            wc_ed25519_free((ed25519_key*)pKey);
7276
0
            ret = wc_ed25519_init_ex((ed25519_key*)pKey, ssl->heap,
7277
0
                ssl->devId);
7278
0
            break;
7279
0
    #endif /* HAVE_CURVE25519 */
7280
0
    #ifdef HAVE_CURVE25519
7281
0
        case DYNAMIC_TYPE_CURVE25519:
7282
0
            wc_curve25519_free((curve25519_key*)pKey);
7283
0
            ret = wc_curve25519_init_ex((curve25519_key*)pKey, ssl->heap,
7284
0
                ssl->devId);
7285
0
            break;
7286
0
    #endif /* HAVE_CURVE25519 */
7287
0
    #ifdef HAVE_ED448
7288
0
        case DYNAMIC_TYPE_ED448:
7289
0
            wc_ed448_free((ed448_key*)pKey);
7290
0
            ret = wc_ed448_init_ex((ed448_key*)pKey, ssl->heap, ssl->devId);
7291
0
            break;
7292
0
    #endif /* HAVE_CURVE448 */
7293
0
    #ifdef HAVE_CURVE448
7294
0
        case DYNAMIC_TYPE_CURVE448:
7295
0
            wc_curve448_free((curve448_key*)pKey);
7296
0
            ret = wc_curve448_init((curve448_key*)pKey);
7297
0
            break;
7298
0
    #endif /* HAVE_CURVE448 */
7299
    #if defined(HAVE_PQC) && defined(HAVE_FALCON)
7300
        case DYNAMIC_TYPE_FALCON:
7301
            wc_falcon_free((falcon_key*)pKey);
7302
            ret = wc_falcon_init((falcon_key*)pKey);
7303
            break;
7304
    #endif /* HAVE_PQC && HAVE_FALCON */
7305
0
    #ifndef NO_DH
7306
0
        case DYNAMIC_TYPE_DH:
7307
0
            wc_FreeDhKey((DhKey*)pKey);
7308
0
            ret = wc_InitDhKey_ex((DhKey*)pKey, ssl->heap, ssl->devId);
7309
0
            break;
7310
0
    #endif /* !NO_DH */
7311
0
        default:
7312
0
            return BAD_FUNC_ARG;
7313
0
    }
7314
7315
0
    return ret;
7316
0
}
7317
#endif
7318
7319
#ifdef WOLFSSL_ASYNC_IO
7320
void FreeAsyncCtx(WOLFSSL* ssl, byte freeAsync)
7321
0
{
7322
0
    if (ssl->async != NULL) {
7323
0
        if (ssl->async->freeArgs != NULL) {
7324
0
            ssl->async->freeArgs(ssl, ssl->async->args);
7325
0
            ssl->async->freeArgs = NULL;
7326
0
        }
7327
#if defined(WOLFSSL_ASYNC_CRYPT) && !defined(WOLFSSL_NO_TLS12)
7328
        if (ssl->options.buildArgsSet) {
7329
            FreeBuildMsgArgs(ssl, &ssl->async->buildArgs);
7330
            ssl->options.buildArgsSet = 0;
7331
        }
7332
#endif
7333
0
        if (freeAsync) {
7334
0
            XFREE(ssl->async, ssl->heap, DYNAMIC_TYPE_ASYNC);
7335
0
            ssl->async = NULL;
7336
0
        }
7337
0
    }
7338
0
}
7339
#endif
7340
7341
void FreeKeyExchange(WOLFSSL* ssl)
7342
0
{
7343
    /* Cleanup signature buffer */
7344
0
    if (ssl->buffers.sig.buffer) {
7345
0
        XFREE(ssl->buffers.sig.buffer, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
7346
0
        ssl->buffers.sig.buffer = NULL;
7347
0
        ssl->buffers.sig.length = 0;
7348
0
    }
7349
7350
    /* Cleanup digest buffer */
7351
0
    if (ssl->buffers.digest.buffer) {
7352
0
        XFREE(ssl->buffers.digest.buffer, ssl->heap, DYNAMIC_TYPE_DIGEST);
7353
0
        ssl->buffers.digest.buffer = NULL;
7354
0
        ssl->buffers.digest.length = 0;
7355
0
    }
7356
7357
    /* Free handshake key */
7358
0
    FreeKey(ssl, ssl->hsType, &ssl->hsKey);
7359
7360
0
#ifndef NO_DH
7361
    /* Free temp DH key */
7362
0
    FreeKey(ssl, DYNAMIC_TYPE_DH, (void**)&ssl->buffers.serverDH_Key);
7363
0
#endif
7364
0
}
7365
7366
7367
/* Free up all memory used by Suites structure from WOLFSSL */
7368
void FreeSuites(WOLFSSL* ssl)
7369
0
{
7370
#ifdef SINGLE_THREADED
7371
    if (ssl->options.ownSuites)
7372
#endif
7373
0
    {
7374
0
    #ifdef OPENSSL_ALL
7375
0
        if (ssl->suites != NULL) {
7376
            /* Enough to free stack structure since WOLFSSL_CIPHER
7377
             * isn't allocated separately. */
7378
0
            wolfSSL_sk_SSL_CIPHER_free(ssl->suites->stack);
7379
0
        }
7380
0
    #endif
7381
0
        XFREE(ssl->suites, ssl->heap, DYNAMIC_TYPE_SUITES);
7382
0
    }
7383
0
    ssl->suites = NULL;
7384
0
}
7385
7386
7387
/* In case holding SSL object in array and don't want to free actual ssl */
7388
void SSL_ResourceFree(WOLFSSL* ssl)
7389
0
{
7390
    /* Note: any resources used during the handshake should be released in the
7391
     * function FreeHandshakeResources(). Be careful with the special cases
7392
     * like the RNG which may optionally be kept for the whole session. (For
7393
     * example with the RNG, it isn't used beyond the handshake except when
7394
     * using stream ciphers where it is retained. */
7395
7396
0
    if (ssl->options.side == WOLFSSL_SERVER_END) {
7397
0
        WOLFSSL_MSG("Free'ing server ssl");
7398
0
    }
7399
0
    else {
7400
0
        WOLFSSL_MSG("Free'ing client ssl");
7401
0
    }
7402
7403
#ifdef HAVE_EX_DATA_CLEANUP_HOOKS
7404
    wolfSSL_CRYPTO_cleanup_ex_data(&ssl->ex_data);
7405
#endif
7406
7407
0
    FreeCiphers(ssl);
7408
0
    FreeArrays(ssl, 0);
7409
0
    FreeKeyExchange(ssl);
7410
0
#ifdef WOLFSSL_ASYNC_IO
7411
    /* Cleanup async */
7412
0
    FreeAsyncCtx(ssl, 1);
7413
0
#endif
7414
0
    if (ssl->options.weOwnRng) {
7415
0
        wc_FreeRng(ssl->rng);
7416
0
        XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG);
7417
0
    }
7418
0
    FreeSuites(ssl);
7419
0
    FreeHandshakeHashes(ssl);
7420
0
    XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN);
7421
7422
    /* clear keys struct after session */
7423
0
    ForceZero(&ssl->keys, sizeof(Keys));
7424
7425
0
#ifdef WOLFSSL_TLS13
7426
0
    if (ssl->options.tls1_3) {
7427
0
        ForceZero(&ssl->clientSecret, sizeof(ssl->clientSecret));
7428
0
        ForceZero(&ssl->serverSecret, sizeof(ssl->serverSecret));
7429
0
    }
7430
0
#endif
7431
0
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
7432
0
    ForceZero(&ssl->clientFinished, TLS_FINISHED_SZ_MAX);
7433
0
    ForceZero(&ssl->serverFinished, TLS_FINISHED_SZ_MAX);
7434
0
    ssl->serverFinished_len = 0;
7435
0
    ssl->clientFinished_len = 0;
7436
0
#endif
7437
0
#ifndef NO_DH
7438
0
    if (ssl->buffers.serverDH_Priv.buffer != NULL) {
7439
0
        ForceZero(ssl->buffers.serverDH_Priv.buffer,
7440
0
                                             ssl->buffers.serverDH_Priv.length);
7441
0
    }
7442
0
    XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
7443
0
    XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
7444
    /* parameters (p,g) may be owned by ctx */
7445
0
    if (ssl->buffers.weOwnDH) {
7446
0
        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
7447
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
7448
0
    }
7449
0
#endif /* !NO_DH */
7450
0
#ifndef NO_CERTS
7451
0
    ssl->keepCert = 0; /* make sure certificate is free'd */
7452
0
    wolfSSL_UnloadCertsKeys(ssl);
7453
0
#endif
7454
0
#ifndef NO_RSA
7455
0
    FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
7456
0
    ssl->peerRsaKeyPresent = 0;
7457
0
#endif
7458
#if defined(WOLFSSL_RENESAS_TSIP_TLS) || defined(WOLFSSL_RENESAS_SCEPROTECT)
7459
    XFREE(ssl->peerSceTsipEncRsaKeyIndex, ssl->heap, DYNAMIC_TYPE_RSA);
7460
    Renesas_cmn_Cleanup(ssl);
7461
#endif
7462
0
    if (ssl->buffers.inputBuffer.dynamicFlag)
7463
0
        ShrinkInputBuffer(ssl, FORCED_FREE);
7464
0
    if (ssl->buffers.outputBuffer.dynamicFlag)
7465
0
        ShrinkOutputBuffer(ssl);
7466
#if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
7467
    if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
7468
        ForceZero(ssl->buffers.tls13CookieSecret.buffer,
7469
            ssl->buffers.tls13CookieSecret.length);
7470
    }
7471
    XFREE(ssl->buffers.tls13CookieSecret.buffer, ssl->heap,
7472
          DYNAMIC_TYPE_COOKIE_PWD);
7473
#endif
7474
#ifdef WOLFSSL_DTLS
7475
    DtlsMsgPoolReset(ssl);
7476
    if (ssl->dtls_rx_msg_list != NULL) {
7477
        DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap);
7478
        ssl->dtls_rx_msg_list = NULL;
7479
        ssl->dtls_rx_msg_list_sz = 0;
7480
    }
7481
    XFREE(ssl->buffers.dtlsCtx.peer.sa, ssl->heap, DYNAMIC_TYPE_SOCKADDR);
7482
    ssl->buffers.dtlsCtx.peer.sa = NULL;
7483
#ifndef NO_WOLFSSL_SERVER
7484
    if (ssl->buffers.dtlsCookieSecret.buffer != NULL) {
7485
        ForceZero(ssl->buffers.dtlsCookieSecret.buffer,
7486
            ssl->buffers.dtlsCookieSecret.length);
7487
    }
7488
    XFREE(ssl->buffers.dtlsCookieSecret.buffer, ssl->heap,
7489
          DYNAMIC_TYPE_COOKIE_PWD);
7490
#endif
7491
7492
#ifdef WOLFSSL_DTLS13
7493
    if (ssl->dtls13ClientHello != NULL) {
7494
        XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
7495
        ssl->dtls13ClientHello = NULL;
7496
        ssl->dtls13ClientHelloSz = 0;
7497
    }
7498
#endif /* WOLFSSL_DTLS13 */
7499
7500
#endif /* WOLFSSL_DTLS */
7501
0
#ifdef OPENSSL_EXTRA
7502
0
#ifndef NO_BIO
7503
    /* Don't free if there was/is a previous element in the chain.
7504
     * This means that this BIO was part of a chain that will be
7505
     * free'd separately. */
7506
0
    if (ssl->biord != ssl->biowr)        /* only free write if different */
7507
0
        if (ssl->biowr != NULL && ssl->biowr->prev == NULL)
7508
0
            wolfSSL_BIO_free(ssl->biowr);
7509
0
    if (ssl->biord != NULL && ssl->biord->prev == NULL)
7510
0
        wolfSSL_BIO_free(ssl->biord);
7511
0
    ssl->biowr = NULL;
7512
0
    ssl->biord = NULL;
7513
0
#endif
7514
0
#endif
7515
#ifdef HAVE_LIBZ
7516
    FreeStreams(ssl);
7517
#endif
7518
0
#ifdef HAVE_ECC
7519
0
    FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccKey);
7520
0
    ssl->peerEccKeyPresent = 0;
7521
0
    FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
7522
0
    ssl->peerEccDsaKeyPresent = 0;
7523
0
#endif
7524
0
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) ||defined(HAVE_CURVE448)
7525
0
    {
7526
0
        int dtype = 0;
7527
0
    #ifdef HAVE_ECC
7528
0
        dtype = DYNAMIC_TYPE_ECC;
7529
0
    #endif
7530
0
    #ifdef HAVE_CURVE25519
7531
0
        if (ssl->peerX25519KeyPresent
7532
0
    #ifdef HAVE_ECC
7533
0
                           || ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE25519
7534
0
    #endif /* HAVE_ECC */
7535
0
           )
7536
0
        {
7537
0
            dtype = DYNAMIC_TYPE_CURVE25519;
7538
0
        }
7539
0
    #endif /* HAVE_CURVE25519 */
7540
0
    #ifdef HAVE_CURVE448
7541
0
        if (ssl->peerX448KeyPresent
7542
0
    #ifdef HAVE_ECC
7543
0
                             || ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE448
7544
0
    #endif /* HAVE_ECC */
7545
0
           )
7546
0
        {
7547
0
            dtype = DYNAMIC_TYPE_CURVE448;
7548
0
        }
7549
0
    #endif /* HAVE_CURVE448 */
7550
0
        FreeKey(ssl, dtype, (void**)&ssl->eccTempKey);
7551
0
        ssl->eccTempKeyPresent = 0;
7552
0
    }
7553
0
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
7554
0
#ifdef HAVE_CURVE25519
7555
0
    FreeKey(ssl, DYNAMIC_TYPE_CURVE25519, (void**)&ssl->peerX25519Key);
7556
0
    ssl->peerX25519KeyPresent = 0;
7557
0
#endif
7558
0
#ifdef HAVE_ED25519
7559
0
    FreeKey(ssl, DYNAMIC_TYPE_ED25519, (void**)&ssl->peerEd25519Key);
7560
0
    ssl->peerEd25519KeyPresent = 0;
7561
    #ifdef HAVE_PK_CALLBACKS
7562
        if (ssl->buffers.peerEd25519Key.buffer != NULL) {
7563
            XFREE(ssl->buffers.peerEd25519Key.buffer, ssl->heap,
7564
                                                          DYNAMIC_TYPE_ED25519);
7565
            ssl->buffers.peerEd25519Key.buffer = NULL;
7566
        }
7567
    #endif
7568
0
#endif
7569
0
#ifdef HAVE_CURVE448
7570
0
    FreeKey(ssl, DYNAMIC_TYPE_CURVE448, (void**)&ssl->peerX448Key);
7571
0
    ssl->peerX448KeyPresent = 0;
7572
0
#endif
7573
0
#ifdef HAVE_ED448
7574
0
    FreeKey(ssl, DYNAMIC_TYPE_ED448, (void**)&ssl->peerEd448Key);
7575
0
    ssl->peerEd448KeyPresent = 0;
7576
    #ifdef HAVE_PK_CALLBACKS
7577
        if (ssl->buffers.peerEd448Key.buffer != NULL) {
7578
            XFREE(ssl->buffers.peerEd448Key.buffer, ssl->heap,
7579
                                                            DYNAMIC_TYPE_ED448);
7580
            ssl->buffers.peerEd448Key.buffer = NULL;
7581
        }
7582
    #endif
7583
0
#endif
7584
#ifdef HAVE_PQC
7585
    FreeKey(ssl, DYNAMIC_TYPE_FALCON, (void**)&ssl->peerFalconKey);
7586
    ssl->peerFalconKeyPresent = 0;
7587
#endif
7588
#ifdef HAVE_PK_CALLBACKS
7589
    #ifdef HAVE_ECC
7590
        XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC);
7591
    #endif /* HAVE_ECC */
7592
    #ifndef NO_RSA
7593
        XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA);
7594
    #endif /* NO_RSA */
7595
#endif /* HAVE_PK_CALLBACKS */
7596
0
#ifdef HAVE_TLS_EXTENSIONS
7597
0
#if !defined(NO_TLS)
7598
0
    TLSX_FreeAll(ssl->extensions, ssl->heap);
7599
0
#endif /* !NO_TLS */
7600
#ifdef HAVE_ALPN
7601
    if (ssl->alpn_client_list != NULL) {
7602
        XFREE(ssl->alpn_client_list, ssl->heap, DYNAMIC_TYPE_ALPN);
7603
        ssl->alpn_client_list = NULL;
7604
    }
7605
#endif
7606
0
#endif /* HAVE_TLS_EXTENSIONS */
7607
#if defined(WOLFSSL_APACHE_MYNEWT) && !defined(WOLFSSL_LWIP)
7608
    if (ssl->mnCtx) {
7609
        mynewt_ctx_clear(ssl->mnCtx);
7610
        ssl->mnCtx = NULL;
7611
    }
7612
#endif
7613
#ifdef HAVE_NETX
7614
    if (ssl->nxCtx.nxPacket)
7615
        nx_packet_release(ssl->nxCtx.nxPacket);
7616
#endif
7617
0
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
7618
0
    if (ssl->x509_store_pt)
7619
0
        wolfSSL_X509_STORE_free(ssl->x509_store_pt);
7620
0
#endif
7621
0
#ifdef KEEP_PEER_CERT
7622
0
    FreeX509(&ssl->peerCert);
7623
0
#endif
7624
7625
0
    if (ssl->session != NULL)
7626
0
        wolfSSL_FreeSession(ssl->ctx, ssl->session);
7627
#ifdef HAVE_WRITE_DUP
7628
    if (ssl->dupWrite) {
7629
        FreeWriteDup(ssl);
7630
    }
7631
#endif
7632
0
#ifdef OPENSSL_EXTRA
7633
0
    if (ssl->param) {
7634
0
        XFREE(ssl->param, ssl->heap, DYNAMIC_TYPE_OPENSSL);
7635
0
    }
7636
0
#endif
7637
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
7638
    while (ssl->certReqCtx != NULL) {
7639
        CertReqCtx* curr = ssl->certReqCtx;
7640
        ssl->certReqCtx = curr->next;
7641
        XFREE(curr, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
7642
    }
7643
#endif
7644
#ifdef WOLFSSL_STATIC_EPHEMERAL
7645
    #ifndef NO_DH
7646
    FreeDer(&ssl->staticKE.dhKey);
7647
    #endif
7648
    #ifdef HAVE_ECC
7649
    FreeDer(&ssl->staticKE.ecKey);
7650
    #endif
7651
    #ifdef HAVE_CURVE25519
7652
    FreeDer(&ssl->staticKE.x25519Key);
7653
    #endif
7654
    #ifdef HAVE_CURVE448
7655
    FreeDer(&ssl->staticKE.x448Key);
7656
    #endif
7657
#endif
7658
7659
#ifdef WOLFSSL_STATIC_MEMORY
7660
    /* check if using fixed io buffers and free them */
7661
    if (ssl->heap != NULL) {
7662
    #ifdef WOLFSSL_HEAP_TEST
7663
    /* avoid dereferencing a test value */
7664
    if (ssl->heap != (void*)WOLFSSL_HEAP_TEST) {
7665
    #endif
7666
        WOLFSSL_HEAP_HINT* ssl_hint = (WOLFSSL_HEAP_HINT*)ssl->heap;
7667
        WOLFSSL_HEAP*      ctx_heap;
7668
        void* heap = ssl->ctx ? ssl->ctx->heap : ssl->heap;
7669
7670
        ctx_heap = ssl_hint->memory;
7671
        if (wc_LockMutex(&(ctx_heap->memory_mutex)) != 0) {
7672
            WOLFSSL_MSG("Bad memory_mutex lock");
7673
        }
7674
        ctx_heap->curIO--;
7675
        if (FreeFixedIO(ctx_heap, &(ssl_hint->outBuf)) != 1) {
7676
            WOLFSSL_MSG("Error freeing fixed output buffer");
7677
        }
7678
        if (FreeFixedIO(ctx_heap, &(ssl_hint->inBuf)) != 1) {
7679
            WOLFSSL_MSG("Error freeing fixed output buffer");
7680
        }
7681
        if (ssl_hint->haFlag) { /* check if handshake count has been decreased*/
7682
            ctx_heap->curHa--;
7683
        }
7684
        wc_UnLockMutex(&(ctx_heap->memory_mutex));
7685
7686
        /* check if tracking stats */
7687
        if (ctx_heap->flag & WOLFMEM_TRACK_STATS) {
7688
            XFREE(ssl_hint->stats, heap, DYNAMIC_TYPE_SSL);
7689
        }
7690
        XFREE(ssl->heap, heap, DYNAMIC_TYPE_SSL);
7691
    #ifdef WOLFSSL_HEAP_TEST
7692
    }
7693
    #endif
7694
    }
7695
#endif /* WOLFSSL_STATIC_MEMORY */
7696
0
#ifdef OPENSSL_EXTRA
7697
    /* Enough to free stack structure since WOLFSSL_CIPHER
7698
     * isn't allocated separately. */
7699
0
    wolfSSL_sk_CIPHER_free(ssl->supportedCiphers);
7700
0
    wolfSSL_sk_X509_pop_free(ssl->peerCertChain, NULL);
7701
0
    #ifdef KEEP_OUR_CERT
7702
0
    wolfSSL_sk_X509_pop_free(ssl->ourCertChain, NULL);
7703
0
    #endif
7704
0
#endif
7705
0
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
7706
0
    wolfSSL_sk_X509_NAME_pop_free(ssl->ca_names, NULL);
7707
0
    ssl->ca_names = NULL;
7708
0
#endif
7709
#ifdef WOLFSSL_DTLS13
7710
    Dtls13FreeFsmResources(ssl);
7711
#endif /* WOLFSSL_DTLS13 */
7712
#ifdef WOLFSSL_QUIC
7713
    wolfSSL_quic_free(ssl);
7714
#endif
7715
0
}
7716
7717
/* Free any handshake resources no longer needed */
7718
void FreeHandshakeResources(WOLFSSL* ssl)
7719
0
{
7720
0
    WOLFSSL_ENTER("FreeHandshakeResources");
7721
7722
#ifdef WOLFSSL_DTLS
7723
    if (ssl->options.dtls) {
7724
        /* DTLS_POOL (DTLSv1.3 flushes the queue autonomously) */
7725
        if(!IsAtLeastTLSv1_3(ssl->version)) {
7726
            DtlsMsgPoolReset(ssl);
7727
            DtlsMsgListDelete(ssl->dtls_rx_msg_list, ssl->heap);
7728
            ssl->dtls_rx_msg_list = NULL;
7729
            ssl->dtls_rx_msg_list_sz = 0;
7730
        }
7731
#ifdef WOLFSSL_DTLS13
7732
        if (ssl->dtls13ClientHello != NULL) {
7733
            XFREE(ssl->dtls13ClientHello, ssl->heap, DYNAMIC_TYPE_DTLS_MSG);
7734
            ssl->dtls13ClientHello = NULL;
7735
            ssl->dtls13ClientHelloSz = 0;
7736
        }
7737
#endif /* WOLFSSL_DTLS13 */
7738
    }
7739
#endif
7740
7741
#ifdef HAVE_SECURE_RENEGOTIATION
7742
    if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
7743
        WOLFSSL_MSG("Secure Renegotiation needs to retain handshake resources");
7744
        return;
7745
    }
7746
#endif
7747
7748
    /* input buffer */
7749
0
    if (ssl->buffers.inputBuffer.dynamicFlag)
7750
0
        ShrinkInputBuffer(ssl, NO_FORCED_FREE);
7751
7752
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
7753
    if (!ssl->options.tls1_3)
7754
#endif
7755
0
    {
7756
    #ifndef OPENSSL_EXTRA
7757
        /* free suites unless using compatibility layer */
7758
        FreeSuites(ssl);
7759
    #endif
7760
        /* hsHashes */
7761
0
        FreeHandshakeHashes(ssl);
7762
0
    }
7763
7764
    /* RNG */
7765
0
    if (ssl->options.tls1_1 == 0
7766
0
#ifndef WOLFSSL_AEAD_ONLY
7767
0
        || ssl->specs.cipher_type == stream
7768
0
#endif
7769
0
#if defined(WOLFSSL_TLS13)
7770
    /* Post-handshake auth requires random on client side for TLS 1.3.
7771
     * Session ticket requires random on server side.
7772
     */
7773
    #if !defined(WOLFSSL_POST_HANDSHAKE_AUTH) && !defined(HAVE_SESSION_TICKET)
7774
        || ssl->options.tls1_3
7775
    #elif !defined(WOLFSSL_POST_HANDSHAKE_AUTH) && defined(HAVE_SESSION_TICKET)
7776
0
        || (ssl->options.tls1_3 && ssl->options.side == WOLFSSL_CLIENT_END)
7777
    #elif !defined(HAVE_SESSION_TICKET)
7778
        || (ssl->options.tls1_3 && ssl->options.side == WOLFSSL_SERVER_END)
7779
    #endif
7780
0
#endif
7781
0
    ) {
7782
0
        if (ssl->options.weOwnRng) {
7783
0
            wc_FreeRng(ssl->rng);
7784
0
            XFREE(ssl->rng, ssl->heap, DYNAMIC_TYPE_RNG);
7785
0
            ssl->rng = NULL;
7786
0
            ssl->options.weOwnRng = 0;
7787
0
        }
7788
0
    }
7789
7790
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
7791
                                                    defined(HAVE_SESSION_TICKET)
7792
    if (!ssl->options.tls1_3)
7793
#endif
7794
        /* arrays */
7795
0
        if (ssl->options.saveArrays == 0)
7796
0
            FreeArrays(ssl, 1);
7797
7798
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
7799
    if (!ssl->options.tls1_3 || ssl->options.side == WOLFSSL_CLIENT_END)
7800
#endif
7801
0
    {
7802
0
#ifndef NO_RSA
7803
        /* peerRsaKey */
7804
0
        FreeKey(ssl, DYNAMIC_TYPE_RSA, (void**)&ssl->peerRsaKey);
7805
0
        ssl->peerRsaKeyPresent = 0;
7806
0
#endif
7807
0
#ifdef HAVE_ECC
7808
0
        FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccDsaKey);
7809
0
        ssl->peerEccDsaKeyPresent = 0;
7810
0
#endif /* HAVE_ECC */
7811
0
#ifdef HAVE_ED25519
7812
0
        FreeKey(ssl, DYNAMIC_TYPE_ED25519, (void**)&ssl->peerEd25519Key);
7813
0
        ssl->peerEd25519KeyPresent = 0;
7814
0
#endif /* HAVE_ED25519 */
7815
0
#ifdef HAVE_ED448
7816
0
        FreeKey(ssl, DYNAMIC_TYPE_ED448, (void**)&ssl->peerEd448Key);
7817
0
        ssl->peerEd448KeyPresent = 0;
7818
0
#endif /* HAVE_ED448 */
7819
#ifdef HAVE_PQC
7820
        FreeKey(ssl, DYNAMIC_TYPE_FALCON, (void**)&ssl->peerFalconKey);
7821
        ssl->peerFalconKeyPresent = 0;
7822
#endif /* HAVE_PQC */
7823
0
    }
7824
7825
0
#ifdef HAVE_ECC
7826
0
    FreeKey(ssl, DYNAMIC_TYPE_ECC, (void**)&ssl->peerEccKey);
7827
0
    ssl->peerEccKeyPresent = 0;
7828
0
#endif
7829
0
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
7830
0
    {
7831
0
        int dtype;
7832
0
    #ifdef HAVE_ECC
7833
0
        dtype = DYNAMIC_TYPE_ECC;
7834
    #elif defined(HAVE_CURVE25519)
7835
        dtype = DYNAMIC_TYPE_CURVE25519;
7836
    #else
7837
        dtype = DYNAMIC_TYPE_CURVE448;
7838
    #endif
7839
0
    #if defined(HAVE_ECC) && defined(HAVE_CURVE25519)
7840
0
        if (ssl->peerX25519KeyPresent ||
7841
0
                              ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE25519)
7842
0
         {
7843
0
            dtype = DYNAMIC_TYPE_CURVE25519;
7844
0
         }
7845
0
    #endif
7846
0
    #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519)) && \
7847
0
                                                          defined(HAVE_CURVE448)
7848
0
        if (ssl->peerX448KeyPresent ||
7849
0
                                ssl->eccTempKeyPresent == DYNAMIC_TYPE_CURVE448)
7850
0
         {
7851
0
            dtype = DYNAMIC_TYPE_CURVE448;
7852
0
         }
7853
0
    #endif
7854
0
        FreeKey(ssl, dtype, (void**)&ssl->eccTempKey);
7855
0
        ssl->eccTempKeyPresent = 0;
7856
0
    }
7857
0
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
7858
0
#ifdef HAVE_CURVE25519
7859
0
    FreeKey(ssl, DYNAMIC_TYPE_CURVE25519, (void**)&ssl->peerX25519Key);
7860
0
    ssl->peerX25519KeyPresent = 0;
7861
0
#endif
7862
0
#ifdef HAVE_CURVE448
7863
0
    FreeKey(ssl, DYNAMIC_TYPE_CURVE448, (void**)&ssl->peerX448Key);
7864
0
    ssl->peerX448KeyPresent = 0;
7865
0
#endif
7866
7867
0
#ifndef NO_DH
7868
0
    if (ssl->buffers.serverDH_Priv.buffer) {
7869
0
        ForceZero(ssl->buffers.serverDH_Priv.buffer,
7870
0
                                             ssl->buffers.serverDH_Priv.length);
7871
0
    }
7872
0
    XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
7873
0
    ssl->buffers.serverDH_Priv.buffer = NULL;
7874
0
    XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
7875
0
    ssl->buffers.serverDH_Pub.buffer = NULL;
7876
    /* parameters (p,g) may be owned by ctx */
7877
0
    if (ssl->buffers.weOwnDH) {
7878
0
        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
7879
0
        ssl->buffers.serverDH_G.buffer = NULL;
7880
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
7881
0
        ssl->buffers.serverDH_P.buffer = NULL;
7882
0
    }
7883
0
#endif /* !NO_DH */
7884
7885
0
#ifndef NO_CERTS
7886
0
    wolfSSL_UnloadCertsKeys(ssl);
7887
0
#endif
7888
#ifdef HAVE_PK_CALLBACKS
7889
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
7890
    if (!ssl->options.tls1_3 || ssl->options.side == WOLFSSL_CLIENT_END)
7891
#endif
7892
    {
7893
    #ifdef HAVE_ECC
7894
        XFREE(ssl->buffers.peerEccDsaKey.buffer, ssl->heap, DYNAMIC_TYPE_ECC);
7895
        ssl->buffers.peerEccDsaKey.buffer = NULL;
7896
    #endif /* HAVE_ECC */
7897
    #ifndef NO_RSA
7898
        XFREE(ssl->buffers.peerRsaKey.buffer, ssl->heap, DYNAMIC_TYPE_RSA);
7899
        ssl->buffers.peerRsaKey.buffer = NULL;
7900
    #endif /* NO_RSA */
7901
    #ifdef HAVE_ED25519
7902
        XFREE(ssl->buffers.peerEd25519Key.buffer, ssl->heap,
7903
                                                          DYNAMIC_TYPE_ED25519);
7904
        ssl->buffers.peerEd25519Key.buffer = NULL;
7905
    #endif
7906
    #ifdef HAVE_ED448
7907
        XFREE(ssl->buffers.peerEd448Key.buffer, ssl->heap, DYNAMIC_TYPE_ED448);
7908
        ssl->buffers.peerEd448Key.buffer = NULL;
7909
    #endif
7910
    }
7911
#endif /* HAVE_PK_CALLBACKS */
7912
7913
#if defined(HAVE_TLS_EXTENSIONS) && !defined(HAVE_SNI) && \
7914
!defined(NO_TLS) && !defined(HAVE_ALPN) && !defined(WOLFSSL_POST_HANDSHAKE_AUTH) && \
7915
    !defined(WOLFSSL_DTLS_CID)
7916
    /* Some extensions need to be kept for post-handshake querying. */
7917
    TLSX_FreeAll(ssl->extensions, ssl->heap);
7918
    ssl->extensions = NULL;
7919
#endif
7920
7921
#ifdef WOLFSSL_STATIC_MEMORY
7922
    /* when done with handshake decrement current handshake count */
7923
    if (ssl->heap != NULL) {
7924
    #ifdef WOLFSSL_HEAP_TEST
7925
    /* avoid dereferencing a test value */
7926
    if (ssl->heap != (void*)WOLFSSL_HEAP_TEST) {
7927
    #endif
7928
        WOLFSSL_HEAP_HINT* ssl_hint = (WOLFSSL_HEAP_HINT*)ssl->heap;
7929
        WOLFSSL_HEAP*      ctx_heap;
7930
7931
        ctx_heap = ssl_hint->memory;
7932
        if (wc_LockMutex(&(ctx_heap->memory_mutex)) != 0) {
7933
            WOLFSSL_MSG("Bad memory_mutex lock");
7934
        }
7935
        ctx_heap->curHa--;
7936
        ssl_hint->haFlag = 0; /* set to zero since handshake has been dec */
7937
        wc_UnLockMutex(&(ctx_heap->memory_mutex));
7938
    #ifdef WOLFSSL_HEAP_TEST
7939
    }
7940
    #endif
7941
    }
7942
#endif /* WOLFSSL_STATIC_MEMORY */
7943
0
}
7944
7945
7946
/* heap argument is the heap hint used when creating SSL */
7947
void FreeSSL(WOLFSSL* ssl, void* heap)
7948
0
{
7949
0
    WOLFSSL_CTX* ctx = ssl->ctx;
7950
0
    SSL_ResourceFree(ssl);
7951
0
    XFREE(ssl, heap, DYNAMIC_TYPE_SSL);
7952
0
    if (ctx)
7953
0
        FreeSSL_Ctx(ctx); /* will decrement and free underlying CTX if 0 */
7954
0
    (void)heap;
7955
#ifdef WOLFSSL_CHECK_MEM_ZERO
7956
    wc_MemZero_Check(ssl, sizeof(*ssl));
7957
#endif
7958
0
}
7959
7960
#if !defined(NO_OLD_TLS) || defined(WOLFSSL_DTLS) || \
7961
    !defined(WOLFSSL_NO_TLS12) || \
7962
    ((defined(HAVE_CHACHA) || defined(HAVE_AESCCM) || defined(HAVE_AESGCM)) \
7963
     && defined(HAVE_AEAD))
7964
7965
#if defined(WOLFSSL_DTLS) || !defined(WOLFSSL_NO_TLS12)
7966
static WC_INLINE void GetSEQIncrement(WOLFSSL* ssl, int verify, word32 seq[2])
7967
0
{
7968
0
    if (verify) {
7969
0
        seq[0] = ssl->keys.peer_sequence_number_hi;
7970
0
        seq[1] = ssl->keys.peer_sequence_number_lo++;
7971
0
        if (seq[1] > ssl->keys.peer_sequence_number_lo) {
7972
            /* handle rollover */
7973
0
            ssl->keys.peer_sequence_number_hi++;
7974
0
        }
7975
0
    }
7976
0
    else {
7977
0
        seq[0] = ssl->keys.sequence_number_hi;
7978
0
        seq[1] = ssl->keys.sequence_number_lo++;
7979
0
        if (seq[1] > ssl->keys.sequence_number_lo) {
7980
            /* handle rollover */
7981
0
            ssl->keys.sequence_number_hi++;
7982
0
        }
7983
0
    }
7984
0
}
7985
#endif /* WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 */
7986
7987
7988
#ifdef WOLFSSL_DTLS
7989
static WC_INLINE void DtlsGetSEQ(WOLFSSL* ssl, int order, word32 seq[2])
7990
{
7991
#ifdef HAVE_SECURE_RENEGOTIATION
7992
    order = DtlsCheckOrder(ssl, order);
7993
#endif
7994
    if (order == PREV_ORDER) {
7995
        /* Previous epoch case */
7996
        if (ssl->options.haveMcast) {
7997
        #ifdef WOLFSSL_MULTICAST
7998
            seq[0] = (((word32)ssl->keys.dtls_epoch - 1) << 16) |
7999
                     (ssl->options.mcastID << 8) |
8000
                     (ssl->keys.dtls_prev_sequence_number_hi & 0xFF);
8001
        #endif
8002
        }
8003
        else
8004
            seq[0] = (((word32)ssl->keys.dtls_epoch - 1) << 16) |
8005
                     (ssl->keys.dtls_prev_sequence_number_hi & 0xFFFF);
8006
        seq[1] = ssl->keys.dtls_prev_sequence_number_lo;
8007
    }
8008
    else if (order == PEER_ORDER) {
8009
        if (ssl->options.haveMcast) {
8010
        #ifdef WOLFSSL_MULTICAST
8011
            seq[0] = ((word32)ssl->keys.curEpoch << 16) |
8012
                     (ssl->keys.curPeerId << 8) |
8013
                     (ssl->keys.curSeq_hi & 0xFF);
8014
        #endif
8015
        }
8016
        else
8017
            seq[0] = ((word32)ssl->keys.curEpoch << 16) |
8018
                     (ssl->keys.curSeq_hi & 0xFFFF);
8019
        seq[1] = ssl->keys.curSeq_lo; /* explicit from peer */
8020
    }
8021
    else {
8022
        if (ssl->options.haveMcast) {
8023
        #ifdef WOLFSSL_MULTICAST
8024
            seq[0] = ((word32)ssl->keys.dtls_epoch << 16) |
8025
                     (ssl->options.mcastID << 8) |
8026
                     (ssl->keys.dtls_sequence_number_hi & 0xFF);
8027
        #endif
8028
        }
8029
        else
8030
            seq[0] = ((word32)ssl->keys.dtls_epoch << 16) |
8031
                     (ssl->keys.dtls_sequence_number_hi & 0xFFFF);
8032
        seq[1] = ssl->keys.dtls_sequence_number_lo;
8033
    }
8034
}
8035
8036
static WC_INLINE void DtlsSEQIncrement(WOLFSSL* ssl, int order)
8037
{
8038
    word32 seq;
8039
#ifdef HAVE_SECURE_RENEGOTIATION
8040
    order = DtlsCheckOrder(ssl, order);
8041
#endif
8042
8043
    if (order == PREV_ORDER) {
8044
        seq = ssl->keys.dtls_prev_sequence_number_lo++;
8045
        if (seq > ssl->keys.dtls_prev_sequence_number_lo) {
8046
            /* handle rollover */
8047
            ssl->keys.dtls_prev_sequence_number_hi++;
8048
        }
8049
    }
8050
    else if (order == PEER_ORDER) {
8051
        seq = ssl->keys.peer_sequence_number_lo++;
8052
        if (seq > ssl->keys.peer_sequence_number_lo) {
8053
            /* handle rollover */
8054
            ssl->keys.peer_sequence_number_hi++;
8055
        }
8056
    }
8057
    else {
8058
        seq = ssl->keys.dtls_sequence_number_lo++;
8059
        if (seq > ssl->keys.dtls_sequence_number_lo) {
8060
            /* handle rollover */
8061
            ssl->keys.dtls_sequence_number_hi++;
8062
        }
8063
    }
8064
}
8065
#endif /* WOLFSSL_DTLS */
8066
8067
#if defined(WOLFSSL_DTLS) || !defined(WOLFSSL_NO_TLS12)
8068
void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
8069
0
{
8070
0
    word32 seq[2] = {0, 0};
8071
8072
0
    if (!ssl->options.dtls) {
8073
0
        GetSEQIncrement(ssl, verifyOrder, seq);
8074
0
    }
8075
0
    else {
8076
#ifdef WOLFSSL_DTLS
8077
        DtlsGetSEQ(ssl, verifyOrder, seq);
8078
#endif
8079
0
    }
8080
8081
0
    c32toa(seq[0], out);
8082
0
    c32toa(seq[1], out + OPAQUE32_LEN);
8083
0
}
8084
#endif /* WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 */
8085
#endif /* !NO_OLD_TLS || WOLFSSL_DTLS || !WOLFSSL_NO_TLS12 ||
8086
        *     ((HAVE_CHACHA || HAVE_AESCCM || HAVE_AESGCM) && HAVE_AEAD) */
8087
8088
#ifdef WOLFSSL_DTLS
8089
8090
/* functions for managing DTLS datagram reordering */
8091
8092
/* Need to allocate space for the handshake message header. The hashing
8093
 * routines assume the message pointer is still within the buffer that
8094
 * has the headers, and will include those headers in the hash. The store
8095
 * routines need to take that into account as well. New will allocate
8096
 * extra space for the headers. */
8097
DtlsMsg* DtlsMsgNew(word32 sz, void* heap)
8098
{
8099
    DtlsMsg* msg;
8100
    WOLFSSL_ENTER("DtlsMsgNew()");
8101
8102
    (void)heap;
8103
    msg = (DtlsMsg*)XMALLOC(sizeof(DtlsMsg), heap, DYNAMIC_TYPE_DTLS_MSG);
8104
8105
    if (msg != NULL) {
8106
        XMEMSET(msg, 0, sizeof(DtlsMsg));
8107
        msg->buf = (byte*)XMALLOC(sz + DTLS_HANDSHAKE_HEADER_SZ,
8108
                                                heap, DYNAMIC_TYPE_DTLS_BUFFER);
8109
        if (msg->buf != NULL) {
8110
            msg->sz = sz;
8111
            msg->type = no_shake;
8112
            msg->msg = msg->buf + DTLS_HANDSHAKE_HEADER_SZ;
8113
        }
8114
        else {
8115
            XFREE(msg, heap, DYNAMIC_TYPE_DTLS_MSG);
8116
            msg = NULL;
8117
        }
8118
    }
8119
8120
    return msg;
8121
}
8122
8123
void DtlsMsgDelete(DtlsMsg* item, void* heap)
8124
{
8125
    (void)heap;
8126
    WOLFSSL_ENTER("DtlsMsgDelete()");
8127
8128
    if (item != NULL) {
8129
        DtlsFrag* cur = item->fragList;
8130
        while (cur != NULL) {
8131
            DtlsFrag* next = cur->next;
8132
            XFREE(cur, heap, DYNAMIC_TYPE_DTLS_FRAG);
8133
            cur = next;
8134
        }
8135
        if (item->buf != NULL)
8136
            XFREE(item->buf, heap, DYNAMIC_TYPE_DTLS_BUFFER);
8137
        XFREE(item, heap, DYNAMIC_TYPE_DTLS_MSG);
8138
    }
8139
}
8140
8141
8142
void DtlsMsgListDelete(DtlsMsg* head, void* heap)
8143
{
8144
    DtlsMsg* next;
8145
    WOLFSSL_ENTER("DtlsMsgListDelete()");
8146
    while (head) {
8147
        next = head->next;
8148
        DtlsMsgDelete(head, heap);
8149
        head = next;
8150
    }
8151
}
8152
8153
/**
8154
 * Drop messages when they are no longer going to be retransmitted
8155
 */
8156
void DtlsTxMsgListClean(WOLFSSL* ssl)
8157
{
8158
    DtlsMsg* head = ssl->dtls_tx_msg_list;
8159
    DtlsMsg* next;
8160
    WOLFSSL_ENTER("DtlsTxMsgListClean()");
8161
    while (head) {
8162
        next = head->next;
8163
        if (VerifyForTxDtlsMsgDelete(ssl, head))
8164
            DtlsMsgDelete(head, ssl->heap);
8165
        else
8166
            /* Stored packets should be in order so break on first failed
8167
             * verify */
8168
            break;
8169
        ssl->dtls_tx_msg_list_sz--;
8170
        head = next;
8171
    }
8172
    ssl->dtls_tx_msg_list = head;
8173
}
8174
8175
/* Create a DTLS Fragment from *begin - end, adjust new *begin and bytesLeft */
8176
static DtlsFrag* CreateFragment(word32* begin, word32 end, const byte* data,
8177
                                byte* buf, word32* bytesLeft, void* heap)
8178
{
8179
    DtlsFrag* newFrag;
8180
    word32 added = end - *begin + 1;
8181
8182
    WOLFSSL_ENTER("CreateFragment()");
8183
8184
    (void)heap;
8185
    newFrag = (DtlsFrag*)XMALLOC(sizeof(DtlsFrag), heap,
8186
                                 DYNAMIC_TYPE_DTLS_FRAG);
8187
    if (newFrag != NULL) {
8188
        newFrag->next = NULL;
8189
        newFrag->begin = *begin;
8190
        newFrag->end = end;
8191
8192
        XMEMCPY(buf + *begin, data, added);
8193
        *bytesLeft -= added;
8194
        *begin = newFrag->end + 1;
8195
    }
8196
8197
    return newFrag;
8198
}
8199
8200
8201
int DtlsMsgSet(DtlsMsg* msg, word32 seq, word16 epoch, const byte* data, byte type,
8202
                                   word32 fragOffset, word32 fragSz, void* heap)
8203
{
8204
    WOLFSSL_ENTER("DtlsMsgSet()");
8205
    if (msg != NULL && data != NULL && msg->fragSz <= msg->sz &&
8206
        fragSz <= msg->sz && fragOffset <= msg->sz &&
8207
        (fragOffset + fragSz) <= msg->sz) {
8208
        DtlsFrag* cur = msg->fragList;
8209
        DtlsFrag* prev = cur;
8210
        DtlsFrag* newFrag;
8211
        word32 bytesLeft = fragSz; /* could be overlapping fragment */
8212
        word32 startOffset = fragOffset;
8213
        word32 added;
8214
8215
        msg->seq = seq;
8216
        msg->epoch = epoch;
8217
        msg->type = type;
8218
8219
        if (fragOffset == 0) {
8220
            XMEMCPY(msg->buf, data - DTLS_HANDSHAKE_HEADER_SZ,
8221
                    DTLS_HANDSHAKE_HEADER_SZ);
8222
            c32to24(msg->sz, msg->msg - DTLS_HANDSHAKE_FRAG_SZ);
8223
        }
8224
8225
        /* if no message data, just return */
8226
        if (fragSz == 0)
8227
            return 0;
8228
8229
        /* if list is empty add full fragment to front */
8230
        if (cur == NULL) {
8231
            newFrag = CreateFragment(&fragOffset, fragOffset + fragSz - 1, data,
8232
                                     msg->msg, &bytesLeft, heap);
8233
            if (newFrag == NULL)
8234
                return MEMORY_E;
8235
8236
            msg->fragSz = fragSz;
8237
            msg->fragList = newFrag;
8238
8239
            return 0;
8240
        }
8241
8242
        /* add to front if before current front, up to next->begin */
8243
        if (fragOffset < cur->begin) {
8244
            word32 end = fragOffset + fragSz - 1;
8245
8246
            if (end >= cur->begin)
8247
                end = cur->begin - 1;
8248
8249
            added = end - fragOffset + 1;
8250
            newFrag = CreateFragment(&fragOffset, end, data, msg->msg,
8251
                                     &bytesLeft, heap);
8252
            if (newFrag == NULL)
8253
                return MEMORY_E;
8254
8255
            msg->fragSz += added;
8256
8257
            newFrag->next = cur;
8258
            msg->fragList = newFrag;
8259
        }
8260
8261
        /* while we have bytes left, try to find a gap to fill */
8262
        while (bytesLeft > 0) {
8263
            /* get previous packet in list */
8264
            while (cur && (fragOffset >= cur->begin)) {
8265
                prev = cur;
8266
                cur = cur->next;
8267
            }
8268
8269
            /* don't add duplicate data */
8270
            if (prev->end >= fragOffset) {
8271
                if ( (fragOffset + bytesLeft - 1) <= prev->end)
8272
                    return 0;
8273
                fragOffset = prev->end + 1;
8274
                bytesLeft = startOffset + fragSz - fragOffset;
8275
            }
8276
8277
            if (cur == NULL)
8278
                /* we're at the end */
8279
                added = bytesLeft;
8280
            else
8281
                /* we're in between two frames */
8282
                added = min(bytesLeft, cur->begin - fragOffset);
8283
8284
            /* data already there */
8285
            if (added == 0)
8286
                continue;
8287
8288
            newFrag = CreateFragment(&fragOffset, fragOffset + added - 1,
8289
                                     data + fragOffset - startOffset,
8290
                                     msg->msg, &bytesLeft, heap);
8291
            if (newFrag == NULL)
8292
                return MEMORY_E;
8293
8294
            msg->fragSz += added;
8295
8296
            newFrag->next = prev->next;
8297
            prev->next = newFrag;
8298
        }
8299
    }
8300
8301
    return 0;
8302
}
8303
8304
8305
DtlsMsg* DtlsMsgFind(DtlsMsg* head, word16 epoch, word32 seq)
8306
{
8307
    WOLFSSL_ENTER("DtlsMsgFind()");
8308
    while (head != NULL && !(head->epoch == epoch && head->seq == seq)) {
8309
        head = head->next;
8310
    }
8311
    return head;
8312
}
8313
8314
8315
void DtlsMsgStore(WOLFSSL* ssl, word16 epoch, word32 seq, const byte* data,
8316
        word32 dataSz, byte type, word32 fragOffset, word32 fragSz, void* heap)
8317
{
8318
    /* See if seq exists in the list. If it isn't in the list, make
8319
     * a new item of size dataSz, copy fragSz bytes from data to msg->msg
8320
     * starting at offset fragOffset, and add fragSz to msg->fragSz. If
8321
     * the seq is in the list and it isn't full, copy fragSz bytes from
8322
     * data to msg->msg starting at offset fragOffset, and add fragSz to
8323
     * msg->fragSz. Insertions take into account data already in the list
8324
     * in case there are overlaps in the handshake message due to retransmit
8325
     * messages. The new item should be inserted into the list in its
8326
     * proper position.
8327
     *
8328
     * 1. Find seq in list, or where seq should go in list. If seq not in
8329
     *    list, create new item and insert into list. Either case, keep
8330
     *    pointer to item.
8331
     * 2. Copy the data from the message to the stored message where it
8332
     *    belongs without overlaps.
8333
     */
8334
8335
    DtlsMsg* head = ssl->dtls_rx_msg_list;
8336
    WOLFSSL_ENTER("DtlsMsgStore()");
8337
8338
    if (head != NULL) {
8339
        DtlsMsg* cur = DtlsMsgFind(head, epoch, seq);
8340
        if (cur == NULL) {
8341
            cur = DtlsMsgNew(dataSz, heap);
8342
            if (cur != NULL) {
8343
                if (DtlsMsgSet(cur, seq, epoch, data, type,
8344
                                               fragOffset, fragSz, heap) < 0) {
8345
                    DtlsMsgDelete(cur, heap);
8346
                }
8347
                else {
8348
                    ssl->dtls_rx_msg_list_sz++;
8349
                    head = DtlsMsgInsert(head, cur);
8350
                }
8351
            }
8352
        }
8353
        else {
8354
            /* If this fails, the data is just dropped. */
8355
            DtlsMsgSet(cur, seq, epoch, data, type, fragOffset,
8356
                    fragSz, heap);
8357
        }
8358
    }
8359
    else {
8360
        head = DtlsMsgNew(dataSz, heap);
8361
        if (DtlsMsgSet(head, seq, epoch, data, type, fragOffset,
8362
                    fragSz, heap) < 0) {
8363
            DtlsMsgDelete(head, heap);
8364
            head = NULL;
8365
        }
8366
        else {
8367
            ssl->dtls_rx_msg_list_sz++;
8368
        }
8369
    }
8370
8371
    ssl->dtls_rx_msg_list = head;
8372
}
8373
8374
8375
/* DtlsMsgInsert() is an in-order insert. */
8376
DtlsMsg* DtlsMsgInsert(DtlsMsg* head, DtlsMsg* item)
8377
{
8378
    WOLFSSL_ENTER("DtlsMsgInsert()");
8379
    if (head == NULL || (item->epoch <= head->epoch &&
8380
                         item->seq   <  head->seq)) {
8381
        item->next = head;
8382
        head = item;
8383
    }
8384
    else if (head->next == NULL) {
8385
        head->next = item;
8386
    }
8387
    else {
8388
        DtlsMsg* cur = head->next;
8389
        DtlsMsg* prev = head;
8390
        while (cur) {
8391
            if (item->epoch <= cur->epoch &&
8392
                item->seq   <  cur->seq) {
8393
                item->next = cur;
8394
                prev->next = item;
8395
                break;
8396
            }
8397
            prev = cur;
8398
            cur = cur->next;
8399
        }
8400
        if (cur == NULL) {
8401
            prev->next = item;
8402
        }
8403
    }
8404
8405
    return head;
8406
}
8407
8408
8409
/**
8410
 * DtlsMsgPoolSave() adds the message to the end of the stored transmit
8411
 * list. Must be called BEFORE BuildMessage or DtlsSEQIncrement or
8412
 * anything else that increments ssl->keys.dtls_handshake_number.
8413
 */
8414
int DtlsMsgPoolSave(WOLFSSL* ssl, const byte* data, word32 dataSz,
8415
                    enum HandShakeType type)
8416
{
8417
    DtlsMsg* item;
8418
    int ret = 0;
8419
8420
    WOLFSSL_ENTER("DtlsMsgPoolSave()");
8421
8422
    if (ssl->dtls_tx_msg_list_sz > DTLS_POOL_SZ) {
8423
        WOLFSSL_ERROR(DTLS_POOL_SZ_E);
8424
        return DTLS_POOL_SZ_E;
8425
    }
8426
8427
    item = DtlsMsgNew(dataSz, ssl->heap);
8428
8429
    if (item != NULL) {
8430
        DtlsMsg* cur = ssl->dtls_tx_msg_list;
8431
8432
        XMEMCPY(item->buf, data, dataSz);
8433
        item->sz = dataSz;
8434
        item->epoch = ssl->keys.dtls_epoch;
8435
        item->seq = ssl->keys.dtls_handshake_number;
8436
        item->type = type;
8437
8438
        if (cur == NULL)
8439
            ssl->dtls_tx_msg_list = item;
8440
        else {
8441
            while (cur->next)
8442
                cur = cur->next;
8443
            cur->next = item;
8444
        }
8445
        ssl->dtls_tx_msg_list_sz++;
8446
    }
8447
    else
8448
        ret = MEMORY_E;
8449
8450
    WOLFSSL_LEAVE("DtlsMsgPoolSave()", ret);
8451
    return ret;
8452
}
8453
8454
8455
/* DtlsMsgPoolTimeout() updates the timeout time. */
8456
int DtlsMsgPoolTimeout(WOLFSSL* ssl)
8457
{
8458
    int result = -1;
8459
    WOLFSSL_ENTER("DtlsMsgPoolTimeout()");
8460
    if (ssl->dtls_timeout <  ssl->dtls_timeout_max) {
8461
        ssl->dtls_timeout *= DTLS_TIMEOUT_MULTIPLIER;
8462
        result = 0;
8463
    }
8464
    WOLFSSL_LEAVE("DtlsMsgPoolTimeout()", result);
8465
    return result;
8466
}
8467
8468
8469
/* DtlsMsgPoolReset() deletes the stored transmit list. */
8470
void DtlsMsgPoolReset(WOLFSSL* ssl)
8471
{
8472
    WOLFSSL_ENTER("DtlsMsgPoolReset()");
8473
    if (ssl->dtls_tx_msg_list) {
8474
        DtlsMsgListDelete(ssl->dtls_tx_msg_list, ssl->heap);
8475
        ssl->dtls_tx_msg_list = NULL;
8476
        ssl->dtls_tx_msg = NULL;
8477
        ssl->dtls_tx_msg_list_sz = 0;
8478
    }
8479
}
8480
8481
8482
int VerifyForDtlsMsgPoolSend(WOLFSSL* ssl, byte type, word32 fragOffset)
8483
{
8484
    /**
8485
     * only the first message from previous flight should be valid
8486
     * to be used for triggering retransmission of whole DtlsMsgPool.
8487
     * change cipher suite type is not verified here
8488
     */
8489
    return ((fragOffset == 0) &&
8490
           (((ssl->options.side == WOLFSSL_SERVER_END) &&
8491
             ((type == client_hello) ||
8492
             ((ssl->options.verifyPeer) && (type == certificate)) ||
8493
             ((!ssl->options.verifyPeer) && (type == client_key_exchange)))) ||
8494
            ((ssl->options.side == WOLFSSL_CLIENT_END) &&
8495
             (type == hello_request || type == server_hello))));
8496
}
8497
8498
8499
/**
8500
 * Verify if message `item` from `ssl->dtls_tx_msg_list` should be deleted
8501
 * depending on the current state of the handshake negotiation.
8502
 */
8503
int VerifyForTxDtlsMsgDelete(WOLFSSL* ssl, DtlsMsg* item)
8504
{
8505
    WOLFSSL_ENTER("VerifyForTxDtlsMsgDelete()");
8506
    if (item->epoch < ssl->keys.dtls_epoch - 1)
8507
        /* Messages not from current or previous epoch can be deleted */
8508
        return 1;
8509
    switch (ssl->options.side) {
8510
    case WOLFSSL_CLIENT_END:
8511
        if (item->type == client_hello &&
8512
                ssl->options.serverState >= SERVER_HELLODONE_COMPLETE)
8513
            return 1; /* client can forget first client_hello if received full
8514
                       * flight of packets from server */
8515
        else
8516
            return 0;
8517
    case WOLFSSL_SERVER_END:
8518
        if (ssl->options.clientState >= CLIENT_HELLO_COMPLETE &&
8519
                item->type == hello_request)
8520
            return 1; /* Server can forget HelloRequest if client sent a valid
8521
                       * ClientHello */
8522
        if (ssl->options.clientState >= CLIENT_FINISHED_COMPLETE &&
8523
                item->type <= server_hello_done)
8524
            return 1; /* server can forget everything up to ServerHelloDone if
8525
                       * a client finished message has been received and
8526
                       * successfully processed */
8527
        else
8528
            return 0;
8529
    default:
8530
        return 0;
8531
    }
8532
}
8533
8534
8535
/* DtlsMsgPoolSend() will send the stored transmit list. The stored list is
8536
 * updated with new sequence numbers, and will be re-encrypted if needed. */
8537
int DtlsMsgPoolSend(WOLFSSL* ssl, int sendOnlyFirstPacket)
8538
{
8539
    int ret = 0;
8540
    DtlsMsg* pool;
8541
    int epochOrder;
8542
8543
    WOLFSSL_ENTER("DtlsMsgPoolSend()");
8544
8545
    pool = ssl->dtls_tx_msg == NULL ? ssl->dtls_tx_msg_list : ssl->dtls_tx_msg;
8546
8547
    if (pool != NULL) {
8548
        if ((ssl->options.side == WOLFSSL_SERVER_END &&
8549
             !(ssl->options.acceptState == ACCEPT_BEGIN_RENEG ||
8550
               ssl->options.acceptState == SERVER_HELLO_DONE ||
8551
               ssl->options.acceptState == ACCEPT_FINISHED_DONE ||
8552
               ssl->options.acceptState == ACCEPT_THIRD_REPLY_DONE)) ||
8553
            (ssl->options.side == WOLFSSL_CLIENT_END &&
8554
             !(ssl->options.connectState == CLIENT_HELLO_SENT ||
8555
               ssl->options.connectState == HELLO_AGAIN_REPLY ||
8556
               ssl->options.connectState == FINISHED_DONE ||
8557
               ssl->options.connectState == SECOND_REPLY_DONE))) {
8558
8559
            WOLFSSL_ERROR(DTLS_RETX_OVER_TX);
8560
            ssl->error = DTLS_RETX_OVER_TX;
8561
            return WOLFSSL_FATAL_ERROR;
8562
        }
8563
8564
        while (pool != NULL) {
8565
            if (pool->epoch == 0) {
8566
                DtlsRecordLayerHeader* dtls;
8567
8568
                dtls = (DtlsRecordLayerHeader*)pool->buf;
8569
                /* If the stored record's epoch is 0, and the currently set
8570
                 * epoch is 0, use the "current order" sequence number.
8571
                 * If the stored record's epoch is 0 and the currently set
8572
                 * epoch is not 0, the stored record is considered a "previous
8573
                 * order" sequence number. */
8574
                epochOrder = (ssl->keys.dtls_epoch == 0) ?
8575
                             CUR_ORDER : PREV_ORDER;
8576
8577
                WriteSEQ(ssl, epochOrder, dtls->sequence_number);
8578
                DtlsSEQIncrement(ssl, epochOrder);
8579
                if ((ret = CheckAvailableSize(ssl, pool->sz)) != 0) {
8580
                    WOLFSSL_ERROR(ret);
8581
                    return ret;
8582
                }
8583
8584
                XMEMCPY(ssl->buffers.outputBuffer.buffer +
8585
                        ssl->buffers.outputBuffer.idx +
8586
                        ssl->buffers.outputBuffer.length,
8587
                        pool->buf, pool->sz);
8588
                ssl->buffers.outputBuffer.length += pool->sz;
8589
            }
8590
            else {
8591
                /* Handle sending packets from previous epoch */
8592
                byte*  input;
8593
                byte*  output;
8594
                int    inputSz, sendSz;
8595
8596
                input = pool->buf;
8597
                inputSz = pool->sz;
8598
                sendSz = inputSz + cipherExtraData(ssl);
8599
8600
#ifdef HAVE_SECURE_RENEGOTIATION
8601
                /*
8602
                 * CUR_ORDER will use ssl->secure_renegotiation from epoch 2+.
8603
                 * ssl->keys otherwise
8604
                 * PREV_ORDER will always use ssl->keys
8605
                 */
8606
                if (DtlsSCRKeysSet(ssl)) {
8607
                    if (pool->epoch == ssl->secure_renegotiation->tmp_keys.dtls_epoch)
8608
                        epochOrder = CUR_ORDER;
8609
                    else
8610
                        epochOrder = PREV_ORDER;
8611
                }
8612
                else {
8613
                    epochOrder = CUR_ORDER;
8614
                }
8615
#else
8616
                epochOrder = CUR_ORDER;
8617
#endif
8618
8619
8620
                /* add back in header space from saved pool size */
8621
                sendSz += DTLS_HANDSHAKE_EXTRA;
8622
                sendSz += DTLS_RECORD_EXTRA;
8623
8624
                if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) {
8625
                    WOLFSSL_ERROR(ret);
8626
                    return ret;
8627
                }
8628
8629
                output = ssl->buffers.outputBuffer.buffer +
8630
                         ssl->buffers.outputBuffer.length;
8631
                if (inputSz != ENUM_LEN)
8632
                    sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
8633
                                          handshake, 0, 0, 0, epochOrder);
8634
                else
8635
                    /* inputSz == ENUM_LEN must mean that this is a change cipher
8636
                     * spec message */
8637
                    sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
8638
                                          change_cipher_spec, 0, 0, 0, epochOrder);
8639
8640
                if (sendSz < 0) {
8641
                    WOLFSSL_ERROR(BUILD_MSG_ERROR);
8642
                    return BUILD_MSG_ERROR;
8643
                }
8644
8645
                ssl->buffers.outputBuffer.length += sendSz;
8646
            }
8647
8648
8649
            if (!ssl->options.groupMessages)
8650
                ret = SendBuffered(ssl);
8651
8652
            /**
8653
             * on server side, retransmission is being triggered only by sending
8654
             * first message of given flight, in order to trigger client
8655
             * to retransmit its whole flight. Sending the whole previous flight
8656
             * could lead to retransmission of previous client flight for each
8657
             * server message from previous flight. Therefore one message should
8658
             * be enough to do the trick.
8659
             */
8660
            if (sendOnlyFirstPacket &&
8661
                ssl->options.side == WOLFSSL_SERVER_END)
8662
                pool = NULL;
8663
            else
8664
                pool = pool->next;
8665
            ssl->dtls_tx_msg = pool;
8666
        }
8667
8668
        if (ret == 0 && ssl->options.groupMessages)
8669
            ret = SendBuffered(ssl);
8670
    }
8671
8672
    WOLFSSL_LEAVE("DtlsMsgPoolSend()", ret);
8673
    return ret;
8674
}
8675
8676
#endif /* WOLFSSL_DTLS */
8677
8678
#if defined(WOLFSSL_ALLOW_SSLV3) && !defined(NO_OLD_TLS)
8679
8680
ProtocolVersion MakeSSLv3(void)
8681
{
8682
    ProtocolVersion pv;
8683
    pv.major = SSLv3_MAJOR;
8684
    pv.minor = SSLv3_MINOR;
8685
8686
    return pv;
8687
}
8688
8689
#endif /* WOLFSSL_ALLOW_SSLV3 && !NO_OLD_TLS */
8690
8691
8692
#ifdef WOLFSSL_DTLS
8693
8694
ProtocolVersion MakeDTLSv1(void)
8695
{
8696
    ProtocolVersion pv;
8697
    pv.major = DTLS_MAJOR;
8698
    pv.minor = DTLS_MINOR;
8699
8700
    return pv;
8701
}
8702
8703
#ifndef WOLFSSL_NO_TLS12
8704
8705
ProtocolVersion MakeDTLSv1_2(void)
8706
{
8707
    ProtocolVersion pv;
8708
    pv.major = DTLS_MAJOR;
8709
    pv.minor = DTLSv1_2_MINOR;
8710
8711
    return pv;
8712
}
8713
8714
#endif /* !WOLFSSL_NO_TLS12 */
8715
8716
#ifdef WOLFSSL_DTLS13
8717
8718
ProtocolVersion MakeDTLSv1_3(void)
8719
{
8720
    ProtocolVersion pv;
8721
    pv.major = DTLS_MAJOR;
8722
    pv.minor = DTLSv1_3_MINOR;
8723
8724
    return pv;
8725
}
8726
8727
#endif /* WOLFSSL_DTLS13 */
8728
#endif /* WOLFSSL_DTLS */
8729
8730
8731
#ifndef NO_ASN_TIME
8732
#if defined(USER_TICKS)
8733
#if 0
8734
    word32 LowResTimer(void)
8735
    {
8736
        /*
8737
        write your own clock tick function if don't want time(0)
8738
        needs second accuracy but doesn't have to correlated to EPOCH
8739
        */
8740
    }
8741
#endif
8742
8743
#elif defined(TIME_OVERRIDES)
8744
#if !defined(NO_ASN) && !defined(NO_ASN_TIME)
8745
    /* use same asn time overrides unless user wants tick override above */
8746
8747
    word32 LowResTimer(void)
8748
    {
8749
        return (word32) wc_Time(0);
8750
    }
8751
#else
8752
    #ifndef HAVE_TIME_T_TYPE
8753
        typedef long time_t;
8754
    #endif
8755
    extern time_t XTIME(time_t * timer);
8756
8757
    word32 LowResTimer(void)
8758
    {
8759
        return (word32) XTIME(0);
8760
    }
8761
#endif
8762
8763
#elif defined(USE_WINDOWS_API)
8764
8765
    word32 LowResTimer(void)
8766
    {
8767
        static int           init = 0;
8768
        static LARGE_INTEGER freq;
8769
        LARGE_INTEGER        count;
8770
8771
        if (!init) {
8772
            QueryPerformanceFrequency(&freq);
8773
            init = 1;
8774
        }
8775
8776
        QueryPerformanceCounter(&count);
8777
8778
        return (word32)(count.QuadPart / freq.QuadPart);
8779
    }
8780
8781
#elif defined(HAVE_RTP_SYS)
8782
8783
    #include "rtptime.h"
8784
8785
    word32 LowResTimer(void)
8786
    {
8787
        return (word32)rtp_get_system_sec();
8788
    }
8789
8790
#elif defined(WOLFSSL_DEOS)
8791
8792
    word32 LowResTimer(void)
8793
    {
8794
        const word32 systemTickTimeInHz = 1000000 / systemTickInMicroseconds();
8795
        const volatile word32 *systemTickPtr = systemTickPointer();
8796
8797
        return (word32) *systemTickPtr/systemTickTimeInHz;
8798
    }
8799
8800
#elif defined(MICRIUM)
8801
8802
    word32 LowResTimer(void)
8803
    {
8804
        OS_TICK ticks = 0;
8805
        OS_ERR  err;
8806
8807
        ticks = OSTimeGet(&err);
8808
8809
        return (word32) (ticks / OSCfg_TickRate_Hz);
8810
    }
8811
8812
8813
#elif defined(MICROCHIP_TCPIP_V5)
8814
8815
    word32 LowResTimer(void)
8816
    {
8817
        return (word32) (TickGet() / TICKS_PER_SECOND);
8818
    }
8819
8820
8821
#elif defined(MICROCHIP_TCPIP)
8822
8823
    #if defined(MICROCHIP_MPLAB_HARMONY)
8824
8825
        #include <system/tmr/sys_tmr.h>
8826
8827
        word32 LowResTimer(void)
8828
        {
8829
            return (word32) (SYS_TMR_TickCountGet() /
8830
                             SYS_TMR_TickCounterFrequencyGet());
8831
        }
8832
8833
    #else
8834
8835
        word32 LowResTimer(void)
8836
        {
8837
            return (word32) (SYS_TICK_Get() / SYS_TICK_TicksPerSecondGet());
8838
        }
8839
8840
    #endif
8841
8842
#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
8843
8844
    word32 LowResTimer(void)
8845
    {
8846
        TIME_STRUCT mqxTime;
8847
8848
        _time_get_elapsed(&mqxTime);
8849
8850
        return (word32) mqxTime.SECONDS;
8851
    }
8852
#elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
8853
8854
    #include "include/task.h"
8855
8856
    unsigned int LowResTimer(void)
8857
    {
8858
        return (unsigned int)(((float)xTaskGetTickCount())/configTICK_RATE_HZ);
8859
    }
8860
8861
#elif defined(FREERTOS)
8862
8863
    #include "task.h"
8864
8865
    unsigned int LowResTimer(void)
8866
    {
8867
        return (unsigned int)(((float)xTaskGetTickCount())/configTICK_RATE_HZ);
8868
    }
8869
8870
#elif defined(FREESCALE_KSDK_BM)
8871
8872
    #include "lwip/sys.h" /* lwIP */
8873
    word32 LowResTimer(void)
8874
    {
8875
        return sys_now()/1000;
8876
    }
8877
8878
#elif defined(WOLFSSL_TIRTOS)
8879
8880
    word32 LowResTimer(void)
8881
    {
8882
        return (word32) Seconds_get();
8883
    }
8884
#elif defined(WOLFSSL_XILINX)
8885
    #include "xrtcpsu.h"
8886
8887
    word32 LowResTimer(void)
8888
    {
8889
        XRtcPsu_Config* con;
8890
        XRtcPsu         rtc;
8891
8892
        con = XRtcPsu_LookupConfig(XPAR_XRTCPSU_0_DEVICE_ID);
8893
        if (con != NULL) {
8894
            if (XRtcPsu_CfgInitialize(&rtc, con, con->BaseAddr)
8895
                    == XST_SUCCESS) {
8896
                return (word32)XRtcPsu_GetCurrentTime(&rtc);
8897
            }
8898
            else {
8899
                WOLFSSL_MSG("Unable to initialize RTC");
8900
            }
8901
        }
8902
8903
        return 0;
8904
    }
8905
8906
#elif defined(WOLFSSL_UTASKER)
8907
8908
    word32 LowResTimer(void)
8909
    {
8910
        return (word32)(uTaskerSystemTick / TICK_RESOLUTION);
8911
    }
8912
8913
#elif defined(WOLFSSL_NUCLEUS_1_2)
8914
8915
    #define NU_TICKS_PER_SECOND 100
8916
8917
    word32 LowResTimer(void)
8918
    {
8919
        /* returns number of 10ms ticks, so 100 ticks/sec */
8920
        return NU_Retrieve_Clock() / NU_TICKS_PER_SECOND;
8921
    }
8922
#elif defined(WOLFSSL_APACHE_MYNEWT)
8923
8924
    #include "os/os_time.h"
8925
    word32 LowResTimer(void)
8926
    {
8927
        word32 now;
8928
        struct os_timeval tv;
8929
        os_gettimeofday(&tv, NULL);
8930
        now = (word32)tv.tv_sec;
8931
        return now;
8932
    }
8933
8934
#elif defined(WOLFSSL_ZEPHYR)
8935
8936
    word32 LowResTimer(void)
8937
    {
8938
        return k_uptime_get() / 1000;
8939
    }
8940
8941
#elif defined(WOLFSSL_LINUXKM)
8942
    word32 LowResTimer(void)
8943
    {
8944
        return (word32)time(NULL);
8945
    }
8946
8947
#else
8948
    /* Posix style time */
8949
    #if !defined(USER_TIME) && !defined(USE_WOLF_TM)
8950
    #include <time.h>
8951
    #endif
8952
8953
    word32 LowResTimer(void)
8954
0
    {
8955
0
    #if !defined(NO_ASN) && !defined(NO_ASN_TIME)
8956
0
        return (word32)wc_Time(0);
8957
    #else
8958
        return (word32)XTIME(0);
8959
    #endif
8960
0
    }
8961
#endif
8962
#else
8963
    /* user must supply timer function to return elapsed seconds:
8964
     *   word32 LowResTimer(void);
8965
     */
8966
#endif /* !NO_ASN_TIME */
8967
8968
#if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
8969
               ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
8970
                (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
8971
/* Store the message for use with CertificateVerify using EdDSA.
8972
 *
8973
 * ssl   SSL/TLS object.
8974
 * data  Message to store.
8975
 * sz    Size of message to store.
8976
 * returns MEMORY_E if not able to reallocate, otherwise 0.
8977
 */
8978
static int EdDSA_Update(WOLFSSL* ssl, const byte* data, int sz)
8979
0
{
8980
0
    int   ret = 0;
8981
0
    byte* msgs;
8982
8983
0
    if (ssl->options.cacheMessages) {
8984
0
        msgs = (byte*)XMALLOC(ssl->hsHashes->length + sz, ssl->heap,
8985
0
            DYNAMIC_TYPE_HASHES);
8986
0
        if (msgs == NULL)
8987
0
            ret = MEMORY_E;
8988
0
        if ((ret == 0) && (ssl->hsHashes->messages != NULL)) {
8989
0
            XMEMCPY(msgs, ssl->hsHashes->messages, ssl->hsHashes->length);
8990
0
            ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
8991
0
            XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
8992
0
        }
8993
0
        if (ret == 0) {
8994
        #ifdef WOLFSSL_CHECK_MEM_ZERO
8995
            wc_MemZero_Add("Handshake messages", msgs,
8996
                ssl->hsHashes->length + sz);
8997
        #endif
8998
0
            ssl->hsHashes->messages = msgs;
8999
0
            XMEMCPY(msgs + ssl->hsHashes->length, data, sz);
9000
0
            ssl->hsHashes->prevLen = ssl->hsHashes->length;
9001
0
            ssl->hsHashes->length += sz;
9002
0
        }
9003
0
    }
9004
9005
0
    return ret;
9006
0
}
9007
#endif /* (HAVE_ED25519 || HAVE_ED448) && !WOLFSSL_NO_CLIENT_AUTH */
9008
9009
int HashRaw(WOLFSSL* ssl, const byte* data, int sz)
9010
0
{
9011
0
    int ret = 0;
9012
#ifdef WOLFSSL_DEBUG_TLS
9013
    byte digest[WC_MAX_DIGEST_SIZE];
9014
9015
    WOLFSSL_MSG("HashRaw:");
9016
    WOLFSSL_MSG("Data:");
9017
    WOLFSSL_BUFFER(data, sz);
9018
    WOLFSSL_MSG("Hashes:");
9019
#endif
9020
9021
0
    (void)data;
9022
0
    (void)sz;
9023
9024
0
    if (ssl->hsHashes == NULL) {
9025
0
        return BAD_FUNC_ARG;
9026
0
    }
9027
9028
#if defined(WOLFSSL_RENESAS_TSIP_TLS) && (WOLFSSL_RENESAS_TSIP_VER >= 115)
9029
    ret = tsip_StoreMessage(ssl, data, sz);
9030
    if (ret != 0 && ret != CRYPTOCB_UNAVAILABLE) {
9031
        return ret;
9032
    }
9033
#endif /* WOLFSSL_RENESAS_TSIP_TLS && WOLFSSL_RENESAS_TSIP_VER >= 115 */
9034
9035
0
#ifndef NO_OLD_TLS
9036
0
    #ifndef NO_SHA
9037
0
        wc_ShaUpdate(&ssl->hsHashes->hashSha, data, sz);
9038
0
    #endif
9039
0
    #ifndef NO_MD5
9040
0
        wc_Md5Update(&ssl->hsHashes->hashMd5, data, sz);
9041
0
    #endif
9042
0
#endif /* NO_OLD_TLS */
9043
9044
0
    if (IsAtLeastTLSv1_2(ssl)) {
9045
0
    #ifndef NO_SHA256
9046
0
        ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, data, sz);
9047
0
        if (ret != 0)
9048
0
            return ret;
9049
    #ifdef WOLFSSL_DEBUG_TLS
9050
        WOLFSSL_MSG("Sha256");
9051
        wc_Sha256GetHash(&ssl->hsHashes->hashSha256, digest);
9052
        WOLFSSL_BUFFER(digest, WC_SHA224_DIGEST_SIZE);
9053
    #endif
9054
0
    #endif
9055
0
    #ifdef WOLFSSL_SHA384
9056
0
        ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, data, sz);
9057
0
        if (ret != 0)
9058
0
            return ret;
9059
    #ifdef WOLFSSL_DEBUG_TLS
9060
        WOLFSSL_MSG("Sha384");
9061
        wc_Sha384GetHash(&ssl->hsHashes->hashSha384, digest);
9062
        WOLFSSL_BUFFER(digest, WC_SHA384_DIGEST_SIZE);
9063
    #endif
9064
0
    #endif
9065
0
    #ifdef WOLFSSL_SHA512
9066
0
        ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, data, sz);
9067
0
        if (ret != 0)
9068
0
            return ret;
9069
    #ifdef WOLFSSL_DEBUG_TLS
9070
        WOLFSSL_MSG("Sha512");
9071
        wc_Sha512GetHash(&ssl->hsHashes->hashSha512, digest);
9072
        WOLFSSL_BUFFER(digest, WC_SHA512_DIGEST_SIZE);
9073
    #endif
9074
0
    #endif
9075
0
    #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
9076
0
               ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
9077
0
                (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
9078
0
        ret = EdDSA_Update(ssl, data, sz);
9079
0
        if (ret != 0)
9080
0
            return ret;
9081
0
    #endif
9082
0
    }
9083
9084
0
    return ret;
9085
0
}
9086
9087
/* add output to md5 and sha handshake hashes, exclude record header */
9088
int HashOutput(WOLFSSL* ssl, const byte* output, int sz, int ivSz)
9089
0
{
9090
0
    const byte* adj;
9091
9092
0
    if (ssl->hsHashes == NULL)
9093
0
        return BAD_FUNC_ARG;
9094
9095
0
    adj = output + RECORD_HEADER_SZ + ivSz;
9096
0
    sz -= RECORD_HEADER_SZ;
9097
9098
#ifdef HAVE_FUZZER
9099
    if (ssl->fuzzerCb)
9100
        ssl->fuzzerCb(ssl, output, sz, FUZZ_HASH, ssl->fuzzerCtx);
9101
#endif
9102
#ifdef WOLFSSL_DTLS
9103
    if (ssl->options.dtls) {
9104
        if (IsAtLeastTLSv1_3(ssl->version)) {
9105
#ifdef WOLFSSL_DTLS13
9106
            word16 dtls_record_extra;
9107
            dtls_record_extra = Dtls13GetRlHeaderLength(ssl, IsEncryptionOn(ssl, 1));
9108
            dtls_record_extra -= RECORD_HEADER_SZ;
9109
9110
            adj += dtls_record_extra;
9111
            sz  -= dtls_record_extra;
9112
#endif /* WOLFSSL_DTLS13 */
9113
        } else {
9114
            adj += DTLS_RECORD_EXTRA;
9115
            sz  -= DTLS_RECORD_EXTRA;
9116
        }
9117
    }
9118
#endif
9119
9120
0
    return HashRaw(ssl, adj, sz);
9121
0
}
9122
9123
9124
/* add input to md5 and sha handshake hashes, include handshake header */
9125
int HashInput(WOLFSSL* ssl, const byte* input, int sz)
9126
0
{
9127
0
    const byte* adj;
9128
9129
0
    if (ssl->hsHashes == NULL) {
9130
0
        return BAD_FUNC_ARG;
9131
0
    }
9132
9133
0
    adj = input - HANDSHAKE_HEADER_SZ;
9134
0
    sz += HANDSHAKE_HEADER_SZ;
9135
9136
#ifdef WOLFSSL_DTLS
9137
    if (ssl->options.dtls) {
9138
        adj -= DTLS_HANDSHAKE_EXTRA;
9139
        sz  += DTLS_HANDSHAKE_EXTRA;
9140
9141
#ifdef WOLFSSL_DTLS13
9142
        if (IsAtLeastTLSv1_3(ssl->version))
9143
            return Dtls13HashHandshake(ssl, adj, sz);
9144
#endif /* WOLFSSL_DTLS13 */
9145
9146
    }
9147
#endif
9148
9149
0
    return HashRaw(ssl, adj, sz);
9150
0
}
9151
9152
9153
/* add record layer header for message */
9154
static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl, int epochOrder)
9155
0
{
9156
0
    RecordLayerHeader* rl;
9157
9158
0
    (void)epochOrder;
9159
9160
    /* record layer header */
9161
0
    rl = (RecordLayerHeader*)output;
9162
0
    if (rl == NULL) {
9163
0
        return;
9164
0
    }
9165
0
    rl->type    = type;
9166
0
    rl->pvMajor = ssl->version.major;       /* type and version same in each */
9167
0
#ifdef WOLFSSL_TLS13
9168
0
    if (IsAtLeastTLSv1_3(ssl->version)) {
9169
0
        rl->pvMinor = TLSv1_2_MINOR;
9170
0
    }
9171
0
    else
9172
0
#endif
9173
0
        rl->pvMinor = ssl->version.minor;
9174
9175
#ifdef WOLFSSL_ALTERNATIVE_DOWNGRADE
9176
    if (ssl->options.side == WOLFSSL_CLIENT_END
9177
    &&  ssl->options.connectState == CONNECT_BEGIN
9178
    && !ssl->options.resuming) {
9179
        rl->pvMinor = ssl->options.downgrade ? ssl->options.minDowngrade
9180
                                             : ssl->version.minor;
9181
    }
9182
#endif
9183
9184
0
    if (!ssl->options.dtls) {
9185
0
        c16toa((word16)length, rl->length);
9186
0
    }
9187
0
    else {
9188
#ifdef WOLFSSL_DTLS
9189
        DtlsRecordLayerHeader* dtls;
9190
9191
        /* dtls record layer header extensions */
9192
        dtls = (DtlsRecordLayerHeader*)output;
9193
        WriteSEQ(ssl, epochOrder, dtls->sequence_number);
9194
        c16toa((word16)length, dtls->length);
9195
#endif
9196
0
    }
9197
0
}
9198
9199
9200
#if !defined(WOLFSSL_NO_TLS12) || (defined(HAVE_SESSION_TICKET) && \
9201
                                                    !defined(NO_WOLFSSL_SERVER))
9202
/* add handshake header for message */
9203
static void AddHandShakeHeader(byte* output, word32 length,
9204
                               word32 fragOffset, word32 fragLength,
9205
                               byte type, WOLFSSL* ssl)
9206
0
{
9207
0
    HandShakeHeader* hs;
9208
0
    (void)fragOffset;
9209
0
    (void)fragLength;
9210
0
    (void)ssl;
9211
9212
    /* handshake header */
9213
0
    hs = (HandShakeHeader*)output;
9214
0
    if (hs == NULL)
9215
0
        return;
9216
9217
0
    hs->type = type;
9218
0
    c32to24(length, hs->length);         /* type and length same for each */
9219
#ifdef WOLFSSL_DTLS
9220
    if (ssl->options.dtls) {
9221
        DtlsHandShakeHeader* dtls;
9222
9223
        /* dtls handshake header extensions */
9224
        dtls = (DtlsHandShakeHeader*)output;
9225
        c16toa(ssl->keys.dtls_handshake_number++, dtls->message_seq);
9226
        c32to24(fragOffset, dtls->fragment_offset);
9227
        c32to24(fragLength, dtls->fragment_length);
9228
    }
9229
#endif
9230
0
}
9231
9232
/* add both headers for handshake message */
9233
static void AddHeaders(byte* output, word32 length, byte type, WOLFSSL* ssl)
9234
0
{
9235
0
    word32 lengthAdj = HANDSHAKE_HEADER_SZ;
9236
0
    word32 outputAdj = RECORD_HEADER_SZ;
9237
9238
#ifdef WOLFSSL_DTLS
9239
    if (ssl->options.dtls) {
9240
        lengthAdj += DTLS_HANDSHAKE_EXTRA;
9241
        outputAdj += DTLS_RECORD_EXTRA;
9242
    }
9243
#endif
9244
9245
0
    AddRecordHeader(output, length + lengthAdj, handshake, ssl, CUR_ORDER);
9246
0
    AddHandShakeHeader(output + outputAdj, length, 0, length, type, ssl);
9247
0
}
9248
#endif /* !WOLFSSL_NO_TLS12 || (HAVE_SESSION_TICKET && !NO_WOLFSSL_SERVER) */
9249
9250
9251
#ifndef WOLFSSL_NO_TLS12
9252
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_SERVER) || \
9253
                           !defined(WOLFSSL_NO_CLIENT_AUTH)) || \
9254
                           defined(WOLFSSL_DTLS)
9255
static void AddFragHeaders(byte* output, word32 fragSz, word32 fragOffset,
9256
                           word32 length, byte type, WOLFSSL* ssl)
9257
0
{
9258
0
    word32 lengthAdj = HANDSHAKE_HEADER_SZ;
9259
0
    word32 outputAdj = RECORD_HEADER_SZ;
9260
0
    (void)fragSz;
9261
9262
#ifdef WOLFSSL_DTLS
9263
    if (ssl->options.dtls) {
9264
        lengthAdj += DTLS_HANDSHAKE_EXTRA;
9265
        outputAdj += DTLS_RECORD_EXTRA;
9266
    }
9267
#endif
9268
9269
0
    AddRecordHeader(output, fragSz + lengthAdj, handshake, ssl, CUR_ORDER);
9270
0
    AddHandShakeHeader(output + outputAdj, length, fragOffset, fragSz, type, ssl);
9271
0
}
9272
#endif /* NO_CERTS */
9273
9274
#if !defined(NO_WOLFSSL_SERVER) || \
9275
    (!defined(NO_WOLFSSL_CLIENT) && !defined(NO_CERTS) && \
9276
     !defined(WOLFSSL_NO_CLIENT_AUTH))
9277
/**
9278
 * Send the handshake message. This function handles fragmenting the message
9279
 * so that it will fit into the desired MTU or the max fragment size.
9280
 * @param ssl     Connection object
9281
 * @param input   Input starting at the record layer header. This function
9282
 *                assumes that the appropriate record and handshake headers
9283
 *                are present. These headers must assume no fragmentation.
9284
 *                That is handled here.
9285
 * @param inputSz Length of message excluding headers (this is the total
9286
 *                length of all fragments)
9287
 * @param type    Type of message being sent
9288
 * @return        0 on success and negative otherwise
9289
 */
9290
static int SendHandshakeMsg(WOLFSSL* ssl, byte* input, word32 inputSz,
9291
        enum HandShakeType type, const char* packetName)
9292
0
{
9293
0
    int maxFrag;
9294
0
    int ret = 0;
9295
0
    int headerSz;
9296
9297
0
    WOLFSSL_ENTER("SendHandshakeMsg");
9298
0
    (void)type;
9299
0
    (void)packetName;
9300
9301
0
    if (ssl == NULL || input == NULL)
9302
0
        return BAD_FUNC_ARG;
9303
#ifdef WOLFSSL_DTLS
9304
    if (ssl->options.dtls)
9305
        headerSz = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
9306
    else
9307
#endif
9308
0
    {
9309
        /* In TLS we send one handshake header in total, not one
9310
         * per fragment like in DTLS. The handshake header should
9311
         * already be in the input buffer. */
9312
0
        inputSz += HANDSHAKE_HEADER_SZ;
9313
0
        headerSz = RECORD_HEADER_SZ;
9314
0
    }
9315
0
    maxFrag = wolfSSL_GetMaxFragSize(ssl, (int)inputSz);
9316
9317
    /* Make sure input is not the ssl output buffer as this
9318
     * function doesn't handle that */
9319
0
    if (input >= ssl->buffers.outputBuffer.buffer &&
9320
0
            input < ssl->buffers.outputBuffer.buffer +
9321
0
                     ssl->buffers.outputBuffer.bufferSize) {
9322
0
        WOLFSSL_MSG("Can't use output buffer for input in SendHandshakeMsg");
9323
0
        return BAD_FUNC_ARG;
9324
0
    }
9325
0
    if (!ssl->options.buildingMsg) {
9326
        /* Hash it before the loop as we modify the input with
9327
         * encryption on */
9328
0
        ret = HashOutput(ssl, input, headerSz + (int)inputSz, 0);
9329
0
        if (ret != 0)
9330
0
            return ret;
9331
#ifdef WOLFSSL_DTLS
9332
        /* Decrement msg number so that we continue to use the
9333
         * same msg number for this msg */
9334
        if (ssl->options.dtls)
9335
            ssl->keys.dtls_handshake_number--;
9336
#endif
9337
0
    }
9338
0
    while (ssl->fragOffset < inputSz) {
9339
0
        byte* output;
9340
0
        int outputSz;
9341
0
        byte* data = input + ssl->fragOffset + headerSz;
9342
0
        word32 fragSz = (word32)maxFrag;
9343
9344
0
        ssl->options.buildingMsg = 1;
9345
9346
0
        if (inputSz - ssl->fragOffset < fragSz)
9347
0
            fragSz = inputSz - ssl->fragOffset;
9348
9349
        /* check for available size */
9350
0
        outputSz = headerSz + fragSz;
9351
0
        if (IsEncryptionOn(ssl, 1))
9352
0
            outputSz += cipherExtraData(ssl);
9353
0
        if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
9354
0
            return ret;
9355
0
        if (ssl->buffers.outputBuffer.buffer == NULL)
9356
0
            return MEMORY_E;
9357
0
        output = ssl->buffers.outputBuffer.buffer +
9358
0
                 ssl->buffers.outputBuffer.length;
9359
9360
0
        if (IsEncryptionOn(ssl, 1)) {
9361
            /* First we need to add the fragment header ourselves.
9362
             * We do this in the input to minimize allocations */
9363
0
            int dataSz = (int)fragSz;
9364
#ifdef WOLFSSL_DTLS
9365
            if (ssl->options.dtls) {
9366
                data   -= DTLS_HANDSHAKE_HEADER_SZ;
9367
                dataSz += DTLS_HANDSHAKE_HEADER_SZ;
9368
                AddHandShakeHeader(data,
9369
                        inputSz, ssl->fragOffset, fragSz, type, ssl);
9370
                ssl->keys.dtls_handshake_number--;
9371
            }
9372
            if (IsDtlsNotSctpMode(ssl) &&
9373
                (ret = DtlsMsgPoolSave(ssl, data,
9374
                        fragSz + DTLS_HANDSHAKE_HEADER_SZ, type))
9375
                    != 0)
9376
                return ret;
9377
#endif
9378
0
            ret = BuildMessage(ssl, output, outputSz,
9379
0
                        data, dataSz, handshake, 0, 0, 0, CUR_ORDER);
9380
0
            if (ret >= 0)
9381
0
                outputSz = ret;
9382
0
            else
9383
0
                return ret;
9384
0
            ret = 0;
9385
0
        }
9386
0
        else {
9387
#ifdef WOLFSSL_DTLS
9388
            if (ssl->options.dtls)
9389
                AddFragHeaders(output, fragSz, ssl->fragOffset,
9390
                        inputSz, type, ssl);
9391
            else
9392
#endif
9393
0
                AddRecordHeader(output, fragSz, handshake, ssl, CUR_ORDER);
9394
9395
0
            XMEMCPY(output + headerSz, data, fragSz);
9396
#ifdef WOLFSSL_DTLS
9397
            if (ssl->options.dtls) {
9398
                ssl->keys.dtls_handshake_number--;
9399
                DtlsSEQIncrement(ssl, CUR_ORDER);
9400
            }
9401
            if (IsDtlsNotSctpMode(ssl)) {
9402
                if ((ret = DtlsMsgPoolSave(ssl, output, headerSz + fragSz,
9403
                        type)) != 0) {
9404
                    return ret;
9405
                }
9406
            }
9407
#endif
9408
0
        }
9409
0
        ssl->buffers.outputBuffer.length += outputSz;
9410
0
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
9411
0
        if (ssl->hsInfoOn) {
9412
0
            AddPacketName(ssl, packetName);
9413
0
        }
9414
0
        if (ssl->toInfoOn) {
9415
0
            AddPacketInfo(ssl, packetName, handshake,
9416
0
                output, outputSz, WRITE_PROTO, ssl->heap);
9417
0
        }
9418
0
#endif
9419
0
        ssl->fragOffset += fragSz;
9420
0
        if (!ssl->options.groupMessages)
9421
0
            ret = SendBuffered(ssl);
9422
0
        if (ret != 0)
9423
0
            return ret;
9424
0
    }
9425
#ifdef WOLFSSL_DTLS
9426
    /* Increment msg number once we sent all fragments */
9427
    if (ssl->options.dtls)
9428
        ssl->keys.dtls_handshake_number++;
9429
#endif
9430
0
    ssl->fragOffset = 0;
9431
0
    ssl->options.buildingMsg = 0;
9432
0
    return ret;
9433
0
}
9434
#endif /* !NO_WOLFSSL_SERVER || (!NO_WOLFSSL_CLIENT && !NO_CERTS &&
9435
        *  !WOLFSSL_NO_CLIENT_AUTH) */
9436
9437
#endif /* !WOLFSSL_NO_TLS12 */
9438
9439
9440
/* return bytes received, -1 on error */
9441
static int wolfSSLReceive(WOLFSSL* ssl, byte* buf, word32 sz)
9442
0
{
9443
0
    int recvd;
9444
0
    int retryLimit = WOLFSSL_MODE_AUTO_RETRY_ATTEMPTS;
9445
9446
#ifdef WOLFSSL_QUIC
9447
    if (WOLFSSL_IS_QUIC(ssl)) {
9448
        /* QUIC only "reads" from data provided by the application
9449
         * via wolfSSL_provide_quic_data(). Transfer from there
9450
         * into the inputBuffer. */
9451
        return wolfSSL_quic_receive(ssl, buf, sz);
9452
    }
9453
#endif
9454
9455
0
    if (ssl->CBIORecv == NULL) {
9456
0
        WOLFSSL_MSG("Your IO Recv callback is null, please set");
9457
0
        return -1;
9458
0
    }
9459
9460
0
retry:
9461
0
    recvd = ssl->CBIORecv(ssl, (char *)buf, (int)sz, ssl->IOCB_ReadCtx);
9462
0
    if (recvd < 0) {
9463
0
        switch (recvd) {
9464
0
            case WOLFSSL_CBIO_ERR_GENERAL:        /* general/unknown error */
9465
                #ifdef WOLFSSL_APACHE_HTTPD
9466
                #ifndef NO_BIO
9467
                    if (ssl->biord) {
9468
                        /* If retry and read flags are set, return WANT_READ */
9469
                        if ((ssl->biord->flags & WOLFSSL_BIO_FLAG_READ) &&
9470
                            (ssl->biord->flags & WOLFSSL_BIO_FLAG_RETRY)) {
9471
                            return WANT_READ;
9472
                        }
9473
                    }
9474
                #endif
9475
                #endif
9476
0
                return -1;
9477
9478
0
            case WOLFSSL_CBIO_ERR_WANT_READ:      /* want read, would block */
9479
0
                if (retryLimit > 0 && ssl->ctx->autoRetry &&
9480
0
                        !ssl->options.handShakeDone && !ssl->options.dtls) {
9481
0
                    retryLimit--;
9482
0
                    goto retry;
9483
0
                }
9484
0
                return WANT_READ;
9485
9486
0
            case WOLFSSL_CBIO_ERR_CONN_RST:       /* connection reset */
9487
                #ifdef USE_WINDOWS_API
9488
                if (ssl->options.dtls) {
9489
                    goto retry;
9490
                }
9491
                #endif
9492
0
                ssl->options.connReset = 1;
9493
0
                return -1;
9494
9495
0
            case WOLFSSL_CBIO_ERR_ISR:            /* interrupt */
9496
                /* see if we got our timeout */
9497
                #ifdef WOLFSSL_CALLBACKS
9498
                    if (ssl->toInfoOn) {
9499
                        struct itimerval timeout;
9500
                        getitimer(ITIMER_REAL, &timeout);
9501
                        if (timeout.it_value.tv_sec == 0 &&
9502
                                                timeout.it_value.tv_usec == 0) {
9503
                            XSTRNCPY(ssl->timeoutInfo.timeoutName,
9504
                                    "recv() timeout", MAX_TIMEOUT_NAME_SZ);
9505
                            ssl->timeoutInfo.timeoutName[
9506
                                MAX_TIMEOUT_NAME_SZ] = '\0';
9507
9508
                            WOLFSSL_MSG("Got our timeout");
9509
                            return WANT_READ;
9510
                        }
9511
                    }
9512
                #endif
9513
0
                goto retry;
9514
9515
0
            case WOLFSSL_CBIO_ERR_CONN_CLOSE:     /* peer closed connection */
9516
0
                ssl->options.isClosed = 1;
9517
0
                return -1;
9518
9519
0
            case WOLFSSL_CBIO_ERR_TIMEOUT:
9520
            #ifdef WOLFSSL_DTLS
9521
#ifdef WOLFSSL_DTLS13
9522
                if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
9523
                    /* TODO: support WANT_WRITE here */
9524
                    if (Dtls13RtxTimeout(ssl) < 0) {
9525
                        WOLFSSL_MSG(
9526
                            "Error trying to retransmit DTLS buffered message");
9527
                        return -1;
9528
                    }
9529
                    goto retry;
9530
                }
9531
#endif /* WOLFSSL_DTLS13 */
9532
9533
                if (IsDtlsNotSctpMode(ssl) &&
9534
                    ssl->options.handShakeState != HANDSHAKE_DONE &&
9535
                    DtlsMsgPoolTimeout(ssl) == 0 &&
9536
                    DtlsMsgPoolSend(ssl, 0) == 0) {
9537
9538
                    /* retry read for DTLS during handshake only */
9539
                    goto retry;
9540
                }
9541
            #endif
9542
0
                return -1;
9543
9544
0
            default:
9545
0
                WOLFSSL_MSG("Unexpected recv return code");
9546
0
                return recvd;
9547
0
        }
9548
0
    }
9549
9550
0
    return recvd;
9551
0
}
9552
9553
9554
/* Switch dynamic output buffer back to static, buffer is assumed clear */
9555
void ShrinkOutputBuffer(WOLFSSL* ssl)
9556
0
{
9557
0
    WOLFSSL_MSG("Shrinking output buffer");
9558
0
    if (IsEncryptionOn(ssl, 0)) {
9559
0
        ForceZero(ssl->buffers.outputBuffer.buffer -
9560
0
            ssl->buffers.outputBuffer.offset,
9561
0
            ssl->buffers.outputBuffer.bufferSize);
9562
0
    }
9563
0
    XFREE(ssl->buffers.outputBuffer.buffer - ssl->buffers.outputBuffer.offset,
9564
0
          ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
9565
0
    ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer;
9566
0
    ssl->buffers.outputBuffer.bufferSize  = STATIC_BUFFER_LEN;
9567
0
    ssl->buffers.outputBuffer.dynamicFlag = 0;
9568
0
    ssl->buffers.outputBuffer.offset      = 0;
9569
0
}
9570
9571
9572
/* Switch dynamic input buffer back to static, keep any remaining input */
9573
/* forced free means cleaning up */
9574
/* Be *CAREFUL* where this function is called. ProcessReply relies on
9575
 * inputBuffer.idx *NOT* changing inside the ProcessReply function. ProcessReply
9576
 * calls ShrinkInputBuffer itself when it is safe to do so. Don't overuse it. */
9577
void ShrinkInputBuffer(WOLFSSL* ssl, int forcedFree)
9578
0
{
9579
0
    int usedLength = ssl->buffers.inputBuffer.length -
9580
0
                     ssl->buffers.inputBuffer.idx;
9581
0
    if (!forcedFree && (usedLength > STATIC_BUFFER_LEN ||
9582
0
            ssl->buffers.clearOutputBuffer.length > 0))
9583
0
        return;
9584
9585
0
    WOLFSSL_MSG("Shrinking input buffer");
9586
9587
0
    if (!forcedFree && usedLength > 0) {
9588
0
        XMEMCPY(ssl->buffers.inputBuffer.staticBuffer,
9589
0
               ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx,
9590
0
               usedLength);
9591
0
    }
9592
9593
0
    if (IsEncryptionOn(ssl, 1) || forcedFree) {
9594
0
        ForceZero(ssl->buffers.inputBuffer.buffer -
9595
0
            ssl->buffers.inputBuffer.offset,
9596
0
            ssl->buffers.inputBuffer.bufferSize);
9597
0
    }
9598
0
    XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset,
9599
0
          ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
9600
0
    ssl->buffers.inputBuffer.buffer = ssl->buffers.inputBuffer.staticBuffer;
9601
0
    ssl->buffers.inputBuffer.bufferSize  = STATIC_BUFFER_LEN;
9602
0
    ssl->buffers.inputBuffer.dynamicFlag = 0;
9603
0
    ssl->buffers.inputBuffer.offset      = 0;
9604
0
    ssl->buffers.inputBuffer.idx = 0;
9605
0
    ssl->buffers.inputBuffer.length = usedLength;
9606
0
}
9607
9608
int SendBuffered(WOLFSSL* ssl)
9609
0
{
9610
0
    if (ssl->CBIOSend == NULL && !WOLFSSL_IS_QUIC(ssl)) {
9611
0
        WOLFSSL_MSG("Your IO Send callback is null, please set");
9612
0
        return SOCKET_ERROR_E;
9613
0
    }
9614
9615
#ifdef WOLFSSL_DEBUG_TLS
9616
    if (ssl->buffers.outputBuffer.idx == 0) {
9617
        WOLFSSL_MSG("Data to send");
9618
        WOLFSSL_BUFFER(ssl->buffers.outputBuffer.buffer,
9619
                       ssl->buffers.outputBuffer.length);
9620
    }
9621
#endif
9622
9623
#ifdef WOLFSSL_QUIC
9624
    if (WOLFSSL_IS_QUIC(ssl)) {
9625
        return wolfSSL_quic_send(ssl);
9626
    }
9627
#endif
9628
9629
0
    while (ssl->buffers.outputBuffer.length > 0) {
9630
0
        int sent = ssl->CBIOSend(ssl,
9631
0
                                      (char*)ssl->buffers.outputBuffer.buffer +
9632
0
                                      ssl->buffers.outputBuffer.idx,
9633
0
                                      (int)ssl->buffers.outputBuffer.length,
9634
0
                                      ssl->IOCB_WriteCtx);
9635
0
        if (sent < 0) {
9636
0
            switch (sent) {
9637
9638
0
                case WOLFSSL_CBIO_ERR_WANT_WRITE:        /* would block */
9639
0
                    return WANT_WRITE;
9640
9641
0
                case WOLFSSL_CBIO_ERR_CONN_RST:          /* connection reset */
9642
0
                    ssl->options.connReset = 1;
9643
0
                    break;
9644
9645
0
                case WOLFSSL_CBIO_ERR_ISR:               /* interrupt */
9646
                    /* see if we got our timeout */
9647
                    #ifdef WOLFSSL_CALLBACKS
9648
                        if (ssl->toInfoOn) {
9649
                            struct itimerval timeout;
9650
                            getitimer(ITIMER_REAL, &timeout);
9651
                            if (timeout.it_value.tv_sec == 0 &&
9652
                                                timeout.it_value.tv_usec == 0) {
9653
                                XSTRNCPY(ssl->timeoutInfo.timeoutName,
9654
                                        "send() timeout", MAX_TIMEOUT_NAME_SZ);
9655
                                ssl->timeoutInfo.timeoutName[
9656
                                    MAX_TIMEOUT_NAME_SZ] = '\0';
9657
9658
                                WOLFSSL_MSG("Got our timeout");
9659
                                return WANT_WRITE;
9660
                            }
9661
                        }
9662
                    #endif
9663
0
                    continue;
9664
9665
0
                case WOLFSSL_CBIO_ERR_CONN_CLOSE: /* epipe / conn closed */
9666
0
                    ssl->options.connReset = 1;  /* treat same as reset */
9667
0
                    break;
9668
9669
0
                default:
9670
0
                    return SOCKET_ERROR_E;
9671
0
            }
9672
9673
0
            return SOCKET_ERROR_E;
9674
0
        }
9675
9676
0
        if (sent > (int)ssl->buffers.outputBuffer.length) {
9677
0
            WOLFSSL_MSG("SendBuffered() out of bounds read");
9678
0
            return SEND_OOB_READ_E;
9679
0
        }
9680
9681
0
        ssl->buffers.outputBuffer.idx += sent;
9682
0
        ssl->buffers.outputBuffer.length -= sent;
9683
0
    }
9684
9685
0
    ssl->buffers.outputBuffer.idx = 0;
9686
9687
0
    if (ssl->buffers.outputBuffer.dynamicFlag)
9688
0
        ShrinkOutputBuffer(ssl);
9689
9690
0
    return 0;
9691
0
}
9692
9693
9694
/* Grow the output buffer */
9695
static WC_INLINE int GrowOutputBuffer(WOLFSSL* ssl, int size)
9696
0
{
9697
0
    byte* tmp;
9698
#if WOLFSSL_GENERAL_ALIGNMENT > 0
9699
    byte  hdrSz = ssl->options.dtls ? DTLS_RECORD_HEADER_SZ :
9700
                                      RECORD_HEADER_SZ;
9701
    byte align = WOLFSSL_GENERAL_ALIGNMENT;
9702
#else
9703
0
    const byte align = WOLFSSL_GENERAL_ALIGNMENT;
9704
0
#endif
9705
9706
#if WOLFSSL_GENERAL_ALIGNMENT > 0
9707
    /* the encrypted data will be offset from the front of the buffer by
9708
       the header, if the user wants encrypted alignment they need
9709
       to define their alignment requirement */
9710
9711
    while (align < hdrSz)
9712
        align *= 2;
9713
#endif
9714
9715
0
    tmp = (byte*)XMALLOC(size + ssl->buffers.outputBuffer.length + align,
9716
0
                             ssl->heap, DYNAMIC_TYPE_OUT_BUFFER);
9717
0
    WOLFSSL_MSG("growing output buffer");
9718
9719
0
    if (tmp == NULL)
9720
0
        return MEMORY_E;
9721
9722
#if WOLFSSL_GENERAL_ALIGNMENT > 0
9723
    if (align)
9724
        tmp += align - hdrSz;
9725
#endif
9726
9727
#ifdef WOLFSSL_STATIC_MEMORY
9728
    /* can be from IO memory pool which does not need copy if same buffer */
9729
    if (ssl->buffers.outputBuffer.length &&
9730
            tmp == ssl->buffers.outputBuffer.buffer) {
9731
        ssl->buffers.outputBuffer.bufferSize =
9732
            size + ssl->buffers.outputBuffer.length;
9733
        return 0;
9734
    }
9735
#endif
9736
9737
0
    if (ssl->buffers.outputBuffer.length)
9738
0
        XMEMCPY(tmp, ssl->buffers.outputBuffer.buffer,
9739
0
               ssl->buffers.outputBuffer.length);
9740
9741
0
    if (ssl->buffers.outputBuffer.dynamicFlag) {
9742
0
        if (IsEncryptionOn(ssl, 0)) {
9743
0
            ForceZero(ssl->buffers.outputBuffer.buffer -
9744
0
                ssl->buffers.outputBuffer.offset,
9745
0
                ssl->buffers.outputBuffer.bufferSize);
9746
0
        }
9747
0
        XFREE(ssl->buffers.outputBuffer.buffer -
9748
0
              ssl->buffers.outputBuffer.offset, ssl->heap,
9749
0
              DYNAMIC_TYPE_OUT_BUFFER);
9750
0
    }
9751
0
    ssl->buffers.outputBuffer.dynamicFlag = 1;
9752
9753
#if WOLFSSL_GENERAL_ALIGNMENT > 0
9754
    if (align)
9755
        ssl->buffers.outputBuffer.offset = align - hdrSz;
9756
    else
9757
#endif
9758
0
        ssl->buffers.outputBuffer.offset = 0;
9759
9760
0
    ssl->buffers.outputBuffer.buffer = tmp;
9761
0
    ssl->buffers.outputBuffer.bufferSize = size +
9762
0
                                           ssl->buffers.outputBuffer.length;
9763
0
    return 0;
9764
0
}
9765
9766
9767
/* Grow the input buffer, should only be to read cert or big app data */
9768
int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength)
9769
0
{
9770
0
    byte* tmp;
9771
#if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0
9772
    byte  align = ssl->options.dtls ? WOLFSSL_GENERAL_ALIGNMENT : 0;
9773
    byte  hdrSz = DTLS_RECORD_HEADER_SZ;
9774
#else
9775
0
    const byte align = WOLFSSL_GENERAL_ALIGNMENT;
9776
0
#endif
9777
9778
#if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0
9779
    /* the encrypted data will be offset from the front of the buffer by
9780
       the dtls record header, if the user wants encrypted alignment they need
9781
       to define their alignment requirement. in tls we read record header
9782
       to get size of record and put actual data back at front, so don't need */
9783
9784
    if (align) {
9785
       while (align < hdrSz)
9786
           align *= 2;
9787
    }
9788
#endif
9789
9790
0
    if (usedLength < 0 || size < 0) {
9791
0
        WOLFSSL_MSG("GrowInputBuffer() called with negative number");
9792
0
        return BAD_FUNC_ARG;
9793
0
    }
9794
9795
0
    tmp = (byte*)XMALLOC(size + usedLength + align,
9796
0
                             ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
9797
0
    WOLFSSL_MSG("growing input buffer");
9798
9799
0
    if (tmp == NULL)
9800
0
        return MEMORY_E;
9801
9802
#if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0
9803
    if (align)
9804
        tmp += align - hdrSz;
9805
#endif
9806
9807
#ifdef WOLFSSL_STATIC_MEMORY
9808
    /* can be from IO memory pool which does not need copy if same buffer */
9809
    if (usedLength && tmp == ssl->buffers.inputBuffer.buffer) {
9810
        ssl->buffers.inputBuffer.bufferSize = size + usedLength;
9811
        ssl->buffers.inputBuffer.idx    = 0;
9812
        ssl->buffers.inputBuffer.length = usedLength;
9813
        return 0;
9814
    }
9815
#endif
9816
9817
0
    if (usedLength)
9818
0
        XMEMCPY(tmp, ssl->buffers.inputBuffer.buffer +
9819
0
                    ssl->buffers.inputBuffer.idx, usedLength);
9820
9821
0
    if (ssl->buffers.inputBuffer.dynamicFlag) {
9822
0
        if (IsEncryptionOn(ssl, 1)) {
9823
0
            ForceZero(ssl->buffers.inputBuffer.buffer -
9824
0
                ssl->buffers.inputBuffer.offset,
9825
0
                ssl->buffers.inputBuffer.bufferSize);
9826
0
        }
9827
0
        XFREE(ssl->buffers.inputBuffer.buffer - ssl->buffers.inputBuffer.offset,
9828
0
              ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
9829
0
    }
9830
9831
0
    ssl->buffers.inputBuffer.dynamicFlag = 1;
9832
#if defined(WOLFSSL_DTLS) || WOLFSSL_GENERAL_ALIGNMENT > 0
9833
    if (align)
9834
        ssl->buffers.inputBuffer.offset = align - hdrSz;
9835
    else
9836
#endif
9837
0
        ssl->buffers.inputBuffer.offset = 0;
9838
9839
0
    ssl->buffers.inputBuffer.buffer = tmp;
9840
0
    ssl->buffers.inputBuffer.bufferSize = size + usedLength;
9841
0
    ssl->buffers.inputBuffer.idx    = 0;
9842
0
    ssl->buffers.inputBuffer.length = usedLength;
9843
9844
0
    return 0;
9845
0
}
9846
9847
9848
/* Check available size into output buffer, make room if needed.
9849
 * This function needs to be called before anything gets put
9850
 * into the output buffers since it flushes pending data if it
9851
 * predicts that the msg will exceed MTU. */
9852
int CheckAvailableSize(WOLFSSL *ssl, int size)
9853
0
{
9854
0
    if (size < 0) {
9855
0
        WOLFSSL_MSG("CheckAvailableSize() called with negative number");
9856
0
        return BAD_FUNC_ARG;
9857
0
    }
9858
9859
#ifdef WOLFSSL_DTLS
9860
    if (ssl->options.dtls) {
9861
        if (size + ssl->buffers.outputBuffer.length -
9862
            ssl->buffers.outputBuffer.idx >
9863
#if defined(WOLFSSL_SCTP) || defined(WOLFSSL_DTLS_MTU)
9864
                ssl->dtlsMtuSz
9865
#else
9866
                ssl->dtls_expected_rx
9867
#endif
9868
                ) {
9869
            int ret;
9870
            WOLFSSL_MSG("CheckAvailableSize() flushing buffer "
9871
                        "to make room for new message");
9872
            if ((ret = SendBuffered(ssl)) != 0) {
9873
                return ret;
9874
            }
9875
        }
9876
        if (size > (int)
9877
#if defined(WOLFSSL_SCTP) || defined(WOLFSSL_DTLS_MTU)
9878
                ssl->dtlsMtuSz
9879
#else
9880
                ssl->dtls_expected_rx
9881
#endif
9882
#ifdef WOLFSSL_DTLS13
9883
            /* DTLS1.3 uses the output buffer to store the full message and deal
9884
               with fragmentation later in dtls13HandshakeSend() */
9885
            && !IsAtLeastTLSv1_3(ssl->version)
9886
#endif /* WOLFSSL_DTLS13 */
9887
            ) {
9888
            WOLFSSL_MSG("CheckAvailableSize() called with size greater than MTU.");
9889
            return DTLS_SIZE_ERROR;
9890
        }
9891
    }
9892
#endif
9893
9894
0
    if (ssl->buffers.outputBuffer.bufferSize - ssl->buffers.outputBuffer.length
9895
0
                                             < (word32)size) {
9896
0
        if (GrowOutputBuffer(ssl, size) < 0)
9897
0
            return MEMORY_E;
9898
0
    }
9899
9900
0
    return 0;
9901
0
}
9902
9903
#ifdef WOLFSSL_DTLS13
9904
static int GetInputData(WOLFSSL *ssl, word32 size);
9905
static int GetDtls13RecordHeader(WOLFSSL* ssl, const byte* input,
9906
    word32* inOutIdx, RecordLayerHeader* rh, word16* size)
9907
{
9908
9909
    Dtls13UnifiedHdrInfo hdrInfo;
9910
    w64wrapper epochNumber;
9911
    byte epochBits;
9912
    int readSize;
9913
    int ret;
9914
9915
    readSize = ssl->buffers.inputBuffer.length - *inOutIdx;
9916
9917
    if (readSize < DTLS_UNIFIED_HEADER_MIN_SZ)
9918
        return BUFFER_ERROR;
9919
9920
    epochBits = *(input + *inOutIdx) & EE_MASK;
9921
    ret = Dtls13ReconstructEpochNumber(ssl, epochBits, &epochNumber);
9922
    if (ret != 0)
9923
        return ret;
9924
9925
#ifdef WOLFSSL_DEBUG_TLS
9926
    WOLFSSL_MSG_EX("reconstructed epoch number: %ld",
9927
                   epochNumber);
9928
#endif /* WOLFSSL_DEBUG_TLS */
9929
9930
    /* protected records always use unified_headers in DTLSv1.3 */
9931
    if (w64IsZero(epochNumber))
9932
        return SEQUENCE_ERROR;
9933
9934
    if (ssl->dtls13DecryptEpoch == NULL)
9935
        return BAD_STATE_E;
9936
9937
#ifdef WOLFSSL_EARLY_DATA
9938
    if (w64Equal(epochNumber, w64From32(0x0, DTLS13_EPOCH_EARLYDATA)) &&
9939
            ssl->options.handShakeDone) {
9940
        WOLFSSL_MSG("discarding early data after handshake");
9941
        return SEQUENCE_ERROR;
9942
    }
9943
#endif /* WOLFSSL_DTLS13 */
9944
9945
    if (!w64Equal(ssl->dtls13DecryptEpoch->epochNumber, epochNumber)) {
9946
        ret = Dtls13SetEpochKeys(ssl, epochNumber, DECRYPT_SIDE_ONLY);
9947
        if (ret != 0)
9948
            return SEQUENCE_ERROR;
9949
    }
9950
9951
    ret = Dtls13GetUnifiedHeaderSize(ssl,
9952
        *(input+*inOutIdx), &ssl->dtls13CurRlLength);
9953
    if (ret != 0)
9954
        return ret;
9955
9956
    if (readSize < ssl->dtls13CurRlLength) {
9957
        /* when using DTLS over a medium that does not guarantee that a full
9958
         * message is received in a single read, we may end up without the full
9959
         * header */
9960
        ret = GetInputData(ssl, ssl->dtls13CurRlLength - readSize);
9961
        if (ret != 0)
9962
            return ret;
9963
    }
9964
9965
    ret = Dtls13ParseUnifiedRecordLayer(ssl, input + *inOutIdx, readSize,
9966
        &hdrInfo);
9967
9968
    if (ret != 0)
9969
        return ret;
9970
9971
    *size = hdrInfo.recordLength;
9972
    c16toa(*size, rh->length);
9973
9974
   /* type is implicit */
9975
    rh->type = application_data;
9976
9977
    /* version is implicit */
9978
    rh->pvMajor = ssl->version.major;
9979
    rh->pvMinor = DTLSv1_2_MINOR;
9980
9981
    ssl->keys.curEpoch64 = epochNumber;
9982
9983
    ret = Dtls13ReconstructSeqNumber(ssl, &hdrInfo, &ssl->keys.curSeq);
9984
    if (ret != 0)
9985
        return ret;
9986
9987
#ifdef WOLFSSL_DEBUG_TLS
9988
    WOLFSSL_MSG_EX("reconstructed seq number: %ld",
9989
                   ssl->keys.curSeq);
9990
#endif /* WOLFSSL_DEBUG_TLS */
9991
9992
    XMEMCPY(ssl->dtls13CurRL, input + *inOutIdx, ssl->dtls13CurRlLength);
9993
    *inOutIdx += ssl->dtls13CurRlLength;
9994
9995
    return 0;
9996
}
9997
9998
#endif /* WOLFSSL_DTLS13 */
9999
10000
#ifdef WOLFSSL_DTLS
10001
static int GetDtlsRecordHeader(WOLFSSL* ssl, const byte* input,
10002
    word32* inOutIdx, RecordLayerHeader* rh, word16* size)
10003
{
10004
10005
#ifdef HAVE_FUZZER
10006
    if (ssl->fuzzerCb)
10007
        ssl->fuzzerCb(ssl, input + *inOutIdx, DTLS_RECORD_HEADER_SZ,
10008
                       FUZZ_HEAD, ssl->fuzzerCtx);
10009
#endif
10010
10011
#ifdef WOLFSSL_DTLS13
10012
    word32 read_size;
10013
    int ret;
10014
10015
    read_size = ssl->buffers.inputBuffer.length - *inOutIdx;
10016
10017
    if (Dtls13IsUnifiedHeader(*(input + *inOutIdx))) {
10018
10019
        /* version 1.3 already negotiated */
10020
        if (ssl->options.tls1_3) {
10021
            ret = GetDtls13RecordHeader(ssl, input, inOutIdx, rh, size);
10022
            if (ret == 0 || ret != SEQUENCE_ERROR || ret != DTLS_CID_ERROR)
10023
                return ret;
10024
        }
10025
10026
#ifndef NO_WOLFSSL_CLIENT
10027
        if (ssl->options.side == WOLFSSL_CLIENT_END
10028
            && ssl->options.serverState < SERVER_HELLO_COMPLETE
10029
            && IsAtLeastTLSv1_3(ssl->version)
10030
            && !ssl->options.handShakeDone) {
10031
            /* we may have lost ServerHello. Try to send a empty ACK to shortcut
10032
               Server retransmission timer */
10033
            ssl->dtls13Rtx.sendAcks = 1;
10034
        }
10035
#endif
10036
        return SEQUENCE_ERROR;
10037
    }
10038
10039
    /* not a unified header, check that we have at least
10040
     * DTLS_RECORD_HEADER_SZ */
10041
    if (read_size < DTLS_RECORD_HEADER_SZ) {
10042
        ret = GetInputData(ssl, DTLS_RECORD_HEADER_SZ - read_size);
10043
        if (ret != 0)
10044
            return LENGTH_ERROR;
10045
    }
10046
#endif /* WOLFSSL_DTLS13 */
10047
10048
    /* type and version in same spot */
10049
    XMEMCPY(rh, input + *inOutIdx, ENUM_LEN + VERSION_SZ);
10050
    *inOutIdx += ENUM_LEN + VERSION_SZ;
10051
    ato16(input + *inOutIdx, &ssl->keys.curEpoch);
10052
#ifdef WOLFSSL_DTLS13
10053
    /* only non protected message can use the DTLSPlaintext record header */
10054
    if (ssl->options.tls1_3 && ssl->keys.curEpoch != 0)
10055
            return SEQUENCE_ERROR;
10056
10057
    w64Zero(&ssl->keys.curEpoch64);
10058
    if (!w64IsZero(ssl->dtls13DecryptEpoch->epochNumber))
10059
        Dtls13SetEpochKeys(ssl, ssl->keys.curEpoch64, DECRYPT_SIDE_ONLY);
10060
10061
#endif /* WOLFSSL_DTLS13 */
10062
    *inOutIdx += OPAQUE16_LEN;
10063
    if (ssl->options.haveMcast) {
10064
    #ifdef WOLFSSL_MULTICAST
10065
        ssl->keys.curPeerId = input[*inOutIdx];
10066
        ssl->keys.curSeq_hi = input[*inOutIdx+1];
10067
    #endif
10068
    }
10069
    else
10070
        ato16(input + *inOutIdx, &ssl->keys.curSeq_hi);
10071
    *inOutIdx += OPAQUE16_LEN;
10072
    ato32(input + *inOutIdx, &ssl->keys.curSeq_lo);
10073
    *inOutIdx += OPAQUE32_LEN;  /* advance past rest of seq */
10074
10075
#ifdef WOLFSSL_DTLS13
10076
    /* DTLSv1.3 PlainText records use DTLSv1.2 sequence number encoding. Update
10077
       the DTLv1.3 word64 version as well */
10078
    ssl->keys.curSeq = w64From32(ssl->keys.curSeq_hi, ssl->keys.curSeq_lo);
10079
#endif /* WOLFSSL_DTLS13 */
10080
10081
    ato16(input + *inOutIdx, size);
10082
    *inOutIdx += LENGTH_SZ;
10083
10084
    return 0;
10085
}
10086
#endif /* WOLFSSL_DTLS */
10087
10088
/* do all verify and sanity checks on record header */
10089
static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
10090
                           RecordLayerHeader* rh, word16 *size)
10091
0
{
10092
0
    byte tls12minor;
10093
#ifdef WOLFSSL_DTLS
10094
    int ret;
10095
#endif /* WOLFSSL_DTLS */
10096
10097
0
#ifdef OPENSSL_ALL
10098
0
    word32 start = *inOutIdx;
10099
0
#endif
10100
10101
0
    (void)tls12minor;
10102
10103
0
    if (!ssl->options.dtls) {
10104
#ifdef HAVE_FUZZER
10105
        if (ssl->fuzzerCb)
10106
            ssl->fuzzerCb(ssl, input + *inOutIdx, RECORD_HEADER_SZ, FUZZ_HEAD,
10107
                    ssl->fuzzerCtx);
10108
#endif
10109
0
        XMEMCPY(rh, input + *inOutIdx, RECORD_HEADER_SZ);
10110
0
        *inOutIdx += RECORD_HEADER_SZ;
10111
0
        ato16(rh->length, size);
10112
0
    }
10113
0
    else {
10114
#ifdef WOLFSSL_DTLS
10115
        ret = GetDtlsRecordHeader(ssl, input, inOutIdx, rh, size);
10116
        if (ret != 0)
10117
            return ret;
10118
#endif
10119
0
    }
10120
10121
#ifdef WOLFSSL_DTLS
10122
    /* DTLSv1.3 MUST check window after deprotecting to avoid timing channel
10123
       (RFC9147 Section 4.5.1) */
10124
    if (IsDtlsNotSctpMode(ssl) && !IsAtLeastTLSv1_3(ssl->version)) {
10125
        if (!_DtlsCheckWindow(ssl) ||
10126
                (rh->type == application_data && ssl->keys.curEpoch == 0) ||
10127
                (rh->type == alert && ssl->options.handShakeDone &&
10128
                        ssl->keys.curEpoch == 0 && ssl->keys.dtls_epoch != 0)) {
10129
            WOLFSSL_LEAVE("GetRecordHeader()", SEQUENCE_ERROR);
10130
            return SEQUENCE_ERROR;
10131
        }
10132
    }
10133
#endif
10134
10135
0
    tls12minor = TLSv1_2_MINOR;
10136
#ifdef WOLFSSL_DTLS13
10137
    if (ssl->options.dtls)
10138
        tls12minor = DTLSv1_2_MINOR;
10139
#endif /* WOLFSSL_DTLS13 */
10140
    /* catch version mismatch */
10141
#ifndef WOLFSSL_TLS13
10142
    if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor)
10143
#else
10144
0
    if (rh->pvMajor != ssl->version.major ||
10145
0
        (rh->pvMinor != ssl->version.minor &&
10146
0
         (!IsAtLeastTLSv1_3(ssl->version) || rh->pvMinor != tls12minor)
10147
0
        ))
10148
0
#endif
10149
0
    {
10150
0
        if (ssl->options.side == WOLFSSL_SERVER_END &&
10151
0
            ssl->options.acceptState < ACCEPT_FIRST_REPLY_DONE)
10152
10153
0
            WOLFSSL_MSG("Client attempting to connect with different version");
10154
0
        else if (ssl->options.side == WOLFSSL_CLIENT_END &&
10155
0
                                 ssl->options.downgrade &&
10156
0
                                 ssl->options.connectState < FIRST_REPLY_DONE)
10157
0
            WOLFSSL_MSG("Server attempting to accept with different version");
10158
0
        else if (ssl->options.dtls && rh->type == handshake)
10159
            /* Check the DTLS handshake message RH version later. */
10160
0
            WOLFSSL_MSG("DTLS handshake, skip RH version number check");
10161
#ifdef WOLFSSL_DTLS13
10162
        else if (ssl->options.dtls && !ssl->options.handShakeDone) {
10163
            /* we may have lost the ServerHello and this is a unified record
10164
               before version been negotiated */
10165
            if (Dtls13IsUnifiedHeader(*input)) {
10166
                return SEQUENCE_ERROR;
10167
            }
10168
        }
10169
#endif /* WOLFSSL_DTLS13 */
10170
0
        else {
10171
0
            WOLFSSL_MSG("SSL version error");
10172
            /* send alert per RFC5246 Appendix E. Backward Compatibility */
10173
0
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
10174
#ifdef WOLFSSL_MYSQL_COMPATIBLE
10175
                SendAlert(ssl, alert_fatal, wc_protocol_version);
10176
#else
10177
0
                SendAlert(ssl, alert_fatal, protocol_version);
10178
0
#endif
10179
0
            }
10180
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
10181
0
            return VERSION_ERROR;              /* only use requested version */
10182
0
        }
10183
0
    }
10184
10185
    /* record layer length check */
10186
#ifdef HAVE_MAX_FRAGMENT
10187
    if (*size > (ssl->max_fragment + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) {
10188
        SendAlert(ssl, alert_fatal, record_overflow);
10189
        WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
10190
        return LENGTH_ERROR;
10191
    }
10192
#else
10193
0
    if (*size > (MAX_RECORD_SIZE + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) {
10194
0
        WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
10195
0
        return LENGTH_ERROR;
10196
0
    }
10197
0
#endif
10198
10199
0
    if (*size == 0 && rh->type != application_data) {
10200
0
        WOLFSSL_MSG("0 length, non-app data record.");
10201
0
        WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
10202
0
        return LENGTH_ERROR;
10203
0
    }
10204
10205
    /* verify record type here as well */
10206
0
    switch (rh->type) {
10207
0
        case handshake:
10208
0
        case change_cipher_spec:
10209
0
        case application_data:
10210
0
        case alert:
10211
#ifdef WOLFSSL_DTLS13
10212
        case ack:
10213
#endif /* WOLFSSL_DTLS13 */
10214
0
            break;
10215
0
        case no_type:
10216
0
        default:
10217
0
#ifdef OPENSSL_ALL
10218
0
            {
10219
0
                char *method = (char*)input + start;
10220
                /* Attempt to identify if this is a plain HTTP request.
10221
                 * No size checks because this function assumes at least
10222
                 * RECORD_HEADER_SZ size of data has been read which is
10223
                 * also the longest string comparison in this if. */
10224
0
                if (XSTRNCMP(method, "GET ", XSTR_SIZEOF("GET ")) == 0 ||
10225
0
                    XSTRNCMP(method, "POST ", XSTR_SIZEOF("POST ")) == 0 ||
10226
0
                    XSTRNCMP(method, "HEAD ", XSTR_SIZEOF("HEAD ")) == 0 ||
10227
0
                    XSTRNCMP(method, "PUT ", XSTR_SIZEOF("PUT ")) == 0) {
10228
0
                    WOLFSSL_MSG("Plain HTTP request detected");
10229
0
                    return SSL_R_HTTP_REQUEST;
10230
0
                }
10231
0
            }
10232
0
#endif
10233
0
            WOLFSSL_MSG("Unknown Record Type");
10234
0
            WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE);
10235
0
            return UNKNOWN_RECORD_TYPE;
10236
0
    }
10237
10238
    /* haven't decrypted this record yet */
10239
0
    ssl->keys.decryptedCur = 0;
10240
10241
0
    return 0;
10242
0
}
10243
10244
#ifndef WOLFSSL_NO_TLS12
10245
static int GetHandShakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
10246
                              byte *type, word32 *size, word32 totalSz)
10247
0
{
10248
0
    const byte *ptr = input + *inOutIdx;
10249
0
    (void)ssl;
10250
10251
0
    *inOutIdx += HANDSHAKE_HEADER_SZ;
10252
0
    if (*inOutIdx > totalSz)
10253
0
        return BUFFER_E;
10254
10255
0
    *type = ptr[0];
10256
0
    c24to32(&ptr[1], size);
10257
10258
0
    return 0;
10259
0
}
10260
#endif
10261
10262
#ifdef WOLFSSL_DTLS
10263
int GetDtlsHandShakeHeader(WOLFSSL* ssl, const byte* input,
10264
                           word32* inOutIdx, byte *type, word32 *size,
10265
                           word32 *fragOffset, word32 *fragSz,
10266
                           word32 totalSz)
10267
{
10268
    word32 idx = *inOutIdx;
10269
10270
    *inOutIdx += HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA;
10271
    if (*inOutIdx > totalSz) {
10272
        WOLFSSL_ERROR(BUFFER_E);
10273
        return BUFFER_E;
10274
    }
10275
10276
    *type = input[idx++];
10277
    c24to32(input + idx, size);
10278
    idx += OPAQUE24_LEN;
10279
10280
    ato16(input + idx, &ssl->keys.dtls_peer_handshake_number);
10281
    idx += DTLS_HANDSHAKE_SEQ_SZ;
10282
10283
    c24to32(input + idx, fragOffset);
10284
    idx += DTLS_HANDSHAKE_FRAG_SZ;
10285
    c24to32(input + idx, fragSz);
10286
10287
    if ((ssl->curRL.pvMajor != ssl->version.major) ||
10288
        (!IsAtLeastTLSv1_3(ssl->version) && ssl->curRL.pvMinor != ssl->version.minor) ||
10289
        (IsAtLeastTLSv1_3(ssl->version) && ssl->curRL.pvMinor != DTLSv1_2_MINOR)
10290
        ) {
10291
        if (*type != client_hello && *type != hello_verify_request && *type != server_hello) {
10292
            WOLFSSL_ERROR(VERSION_ERROR);
10293
            return VERSION_ERROR;
10294
        }
10295
        else {
10296
            WOLFSSL_MSG("DTLS Handshake ignoring hello or verify version");
10297
        }
10298
    }
10299
    return 0;
10300
}
10301
#endif
10302
10303
10304
#if !defined(NO_OLD_TLS) || \
10305
    (defined(NO_OLD_TLS) && defined(WOLFSSL_ALLOW_TLS_SHA1))
10306
/* fill with MD5 pad size since biggest required */
10307
static const byte PAD1[PAD_MD5] =
10308
                              { 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
10309
                                0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
10310
                                0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
10311
                                0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
10312
                                0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36,
10313
                                0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36, 0x36
10314
                              };
10315
static const byte PAD2[PAD_MD5] =
10316
                              { 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
10317
                                0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
10318
                                0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
10319
                                0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
10320
                                0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c,
10321
                                0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c, 0x5c
10322
                              };
10323
#endif /* !NO_OLD_TLS || (NO_OLD_TLS && WOLFSSL_ALLOW_TLS_SHA1) */
10324
10325
#ifndef NO_OLD_TLS
10326
10327
/* calculate MD5 hash for finished */
10328
#ifdef WOLFSSL_TI_HASH
10329
#include <wolfssl/wolfcrypt/hash.h>
10330
#endif
10331
10332
static int BuildMD5(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
10333
0
{
10334
0
    int ret;
10335
0
    byte md5_result[WC_MD5_DIGEST_SIZE];
10336
0
#ifdef WOLFSSL_SMALL_STACK
10337
0
    wc_Md5* md5 = (wc_Md5*)XMALLOC(sizeof(wc_Md5), ssl->heap, DYNAMIC_TYPE_HASHCTX);
10338
0
    if (md5 == NULL)
10339
0
        return MEMORY_E;
10340
#else
10341
    wc_Md5  md5[1];
10342
#endif
10343
10344
    /* make md5 inner */
10345
0
    ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5);
10346
0
    if (ret == 0)
10347
0
        ret = wc_Md5Update(md5, sender, SIZEOF_SENDER);
10348
0
    if (ret == 0)
10349
0
        ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN);
10350
0
    if (ret == 0)
10351
0
        ret = wc_Md5Update(md5, PAD1, PAD_MD5);
10352
0
    if (ret == 0)
10353
0
        ret = wc_Md5Final(md5, md5_result);
10354
10355
    /* make md5 outer */
10356
0
    if (ret == 0) {
10357
0
        ret = wc_InitMd5_ex(md5, ssl->heap, ssl->devId);
10358
0
        if (ret == 0) {
10359
0
            ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN);
10360
0
            if (ret == 0)
10361
0
                ret = wc_Md5Update(md5, PAD2, PAD_MD5);
10362
0
            if (ret == 0)
10363
0
                ret = wc_Md5Update(md5, md5_result, WC_MD5_DIGEST_SIZE);
10364
0
            if (ret == 0)
10365
0
                ret = wc_Md5Final(md5, hashes->md5);
10366
0
            wc_Md5Free(md5);
10367
0
        }
10368
0
    }
10369
10370
0
#ifdef WOLFSSL_SMALL_STACK
10371
0
    XFREE(md5, ssl->heap, DYNAMIC_TYPE_HASHCTX);
10372
0
#endif
10373
10374
0
    return ret;
10375
0
}
10376
10377
10378
/* calculate SHA hash for finished */
10379
static int BuildSHA(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
10380
0
{
10381
0
    int ret;
10382
0
    byte sha_result[WC_SHA_DIGEST_SIZE];
10383
0
#ifdef WOLFSSL_SMALL_STACK
10384
0
    wc_Sha* sha = (wc_Sha*)XMALLOC(sizeof(wc_Sha), ssl->heap, DYNAMIC_TYPE_HASHCTX);
10385
0
    if (sha == NULL)
10386
0
        return MEMORY_E;
10387
#else
10388
    wc_Sha  sha[1];
10389
#endif
10390
    /* make sha inner */
10391
0
    ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */
10392
0
    if (ret == 0)
10393
0
        ret = wc_ShaUpdate(sha, sender, SIZEOF_SENDER);
10394
0
    if (ret == 0)
10395
0
        ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN);
10396
0
    if (ret == 0)
10397
0
        ret = wc_ShaUpdate(sha, PAD1, PAD_SHA);
10398
0
    if (ret == 0)
10399
0
        ret = wc_ShaFinal(sha, sha_result);
10400
10401
    /* make sha outer */
10402
0
    if (ret == 0) {
10403
0
        ret = wc_InitSha_ex(sha, ssl->heap, ssl->devId);
10404
0
        if (ret == 0) {
10405
0
            ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN);
10406
0
            if (ret == 0)
10407
0
                ret = wc_ShaUpdate(sha, PAD2, PAD_SHA);
10408
0
            if (ret == 0)
10409
0
                ret = wc_ShaUpdate(sha, sha_result, WC_SHA_DIGEST_SIZE);
10410
0
            if (ret == 0)
10411
0
                ret = wc_ShaFinal(sha, hashes->sha);
10412
0
            wc_ShaFree(sha);
10413
0
        }
10414
0
    }
10415
10416
0
#ifdef WOLFSSL_SMALL_STACK
10417
0
    XFREE(sha, ssl->heap, DYNAMIC_TYPE_HASHCTX);
10418
0
#endif
10419
10420
0
    return ret;
10421
0
}
10422
#endif
10423
10424
#ifndef WOLFSSL_NO_TLS12
10425
10426
/* Finished doesn't support SHA512, not SHA512 cipher suites yet */
10427
static int BuildFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
10428
0
{
10429
0
    int ret = 0;
10430
10431
0
    if (ssl == NULL)
10432
0
        return BAD_FUNC_ARG;
10433
10434
0
#ifndef NO_TLS
10435
0
    if (ssl->options.tls) {
10436
0
        ret = BuildTlsFinished(ssl, hashes, sender);
10437
0
    }
10438
#else
10439
    (void)hashes;
10440
    (void)sender;
10441
#endif
10442
0
#ifndef NO_OLD_TLS
10443
0
    if (!ssl->options.tls) {
10444
0
        ret = BuildMD5(ssl, hashes, sender);
10445
0
        if (ret == 0) {
10446
0
            ret = BuildSHA(ssl, hashes, sender);
10447
0
        }
10448
0
    }
10449
0
#endif
10450
10451
0
    return ret;
10452
0
}
10453
10454
#endif /* WOLFSSL_NO_TLS12 */
10455
10456
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_WOLFSSL_CLIENT)
10457
    /* cipher requirements */
10458
    enum {
10459
        REQUIRES_RSA,
10460
        REQUIRES_DHE,
10461
        REQUIRES_ECC,
10462
        REQUIRES_ECC_STATIC,
10463
        REQUIRES_PSK,
10464
        REQUIRES_RSA_SIG,
10465
        REQUIRES_AEAD
10466
    };
10467
10468
10469
10470
    /* Does this cipher suite (first, second) have the requirement
10471
       an ephemeral key exchange will still require the key for signing
10472
       the key exchange so ECDHE_RSA requires an rsa key thus rsa_kea */
10473
    static int CipherRequires(byte first, byte second, int requirement)
10474
0
    {
10475
10476
0
        (void)requirement;
10477
10478
0
#ifndef WOLFSSL_NO_TLS12
10479
10480
0
#ifdef HAVE_CHACHA
10481
0
        if (first == CHACHA_BYTE) {
10482
10483
0
        switch (second) {
10484
0
            case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
10485
0
                if (requirement == REQUIRES_RSA)
10486
0
                    return 1;
10487
0
                break;
10488
10489
0
            case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 :
10490
0
                if (requirement == REQUIRES_ECC)
10491
0
                    return 1;
10492
0
                break;
10493
10494
0
            case TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 :
10495
0
                if (requirement == REQUIRES_RSA)
10496
0
                    return 1;
10497
0
                if (requirement == REQUIRES_DHE)
10498
0
                    return 1;
10499
0
                break;
10500
10501
0
            case TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
10502
0
                if (requirement == REQUIRES_RSA)
10503
0
                    return 1;
10504
0
                break;
10505
10506
0
            case TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
10507
0
                if (requirement == REQUIRES_ECC)
10508
0
                    return 1;
10509
0
                break;
10510
10511
0
            case TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256 :
10512
0
                if (requirement == REQUIRES_RSA)
10513
0
                    return 1;
10514
0
                if (requirement == REQUIRES_DHE)
10515
0
                    return 1;
10516
0
                break;
10517
10518
10519
0
            case TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 :
10520
0
                if (requirement == REQUIRES_PSK)
10521
0
                    return 1;
10522
0
                break;
10523
10524
0
            case TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 :
10525
0
                if (requirement == REQUIRES_PSK)
10526
0
                    return 1;
10527
0
                break;
10528
10529
0
            case TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 :
10530
0
                if (requirement == REQUIRES_PSK)
10531
0
                    return 1;
10532
0
                if (requirement == REQUIRES_DHE)
10533
0
                    return 1;
10534
0
                break;
10535
0
        }
10536
10537
0
        if (requirement == REQUIRES_AEAD)
10538
0
            return 1;
10539
0
        }
10540
0
#endif /* HAVE_CHACHA */
10541
10542
        /* ECC extensions */
10543
0
        if (first == ECC_BYTE) {
10544
10545
0
        switch (second) {
10546
0
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
10547
0
    #ifndef NO_RSA
10548
0
        case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA :
10549
0
            if (requirement == REQUIRES_RSA)
10550
0
                return 1;
10551
0
            break;
10552
10553
0
        case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA :
10554
0
            if (requirement == REQUIRES_ECC_STATIC)
10555
0
                return 1;
10556
0
            if (requirement == REQUIRES_RSA_SIG)
10557
0
                return 1;
10558
0
            break;
10559
10560
0
    #ifndef NO_DES3
10561
0
        case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA :
10562
0
            if (requirement == REQUIRES_RSA)
10563
0
                return 1;
10564
0
            break;
10565
10566
0
        case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA :
10567
0
            if (requirement == REQUIRES_ECC_STATIC)
10568
0
                return 1;
10569
0
            if (requirement == REQUIRES_RSA_SIG)
10570
0
                return 1;
10571
0
            break;
10572
0
    #endif /* !NO_DES3 */
10573
10574
0
    #ifndef NO_RC4
10575
0
        case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
10576
0
            if (requirement == REQUIRES_RSA)
10577
0
                return 1;
10578
0
            break;
10579
10580
0
        case TLS_ECDH_RSA_WITH_RC4_128_SHA :
10581
0
            if (requirement == REQUIRES_ECC_STATIC)
10582
0
                return 1;
10583
0
            if (requirement == REQUIRES_RSA_SIG)
10584
0
                return 1;
10585
0
            break;
10586
0
    #endif /* !NO_RC4 */
10587
0
    #endif /* NO_RSA */
10588
10589
0
    #ifndef NO_DES3
10590
0
        case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA :
10591
0
            if (requirement == REQUIRES_ECC)
10592
0
                return 1;
10593
0
            break;
10594
10595
0
        case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA :
10596
0
            if (requirement == REQUIRES_ECC_STATIC)
10597
0
                return 1;
10598
0
            break;
10599
0
    #endif /* !NO_DES3  */
10600
0
    #ifndef NO_RC4
10601
0
        case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
10602
0
            if (requirement == REQUIRES_ECC)
10603
0
                return 1;
10604
0
            break;
10605
10606
0
        case TLS_ECDH_ECDSA_WITH_RC4_128_SHA :
10607
0
            if (requirement == REQUIRES_ECC_STATIC)
10608
0
                return 1;
10609
0
            break;
10610
0
    #endif /* !NO_RC4 */
10611
0
    #ifndef NO_RSA
10612
0
        case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA :
10613
0
            if (requirement == REQUIRES_RSA)
10614
0
                return 1;
10615
0
            break;
10616
10617
0
        case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA :
10618
0
            if (requirement == REQUIRES_ECC_STATIC)
10619
0
                return 1;
10620
0
            if (requirement == REQUIRES_RSA_SIG)
10621
0
                return 1;
10622
0
            break;
10623
0
    #endif /* !NO_RSA */
10624
10625
0
        case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA :
10626
0
            if (requirement == REQUIRES_ECC)
10627
0
                return 1;
10628
0
            break;
10629
10630
0
        case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA :
10631
0
            if (requirement == REQUIRES_ECC_STATIC)
10632
0
                return 1;
10633
0
            break;
10634
10635
0
        case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA :
10636
0
            if (requirement == REQUIRES_ECC)
10637
0
                return 1;
10638
0
            break;
10639
10640
0
        case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA :
10641
0
            if (requirement == REQUIRES_ECC_STATIC)
10642
0
                return 1;
10643
0
            break;
10644
10645
0
        case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 :
10646
0
            if (requirement == REQUIRES_ECC)
10647
0
                return 1;
10648
0
            if (requirement == REQUIRES_AEAD)
10649
0
                return 1;
10650
0
            break;
10651
10652
0
        case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 :
10653
0
            if (requirement == REQUIRES_ECC)
10654
0
                return 1;
10655
0
            if (requirement == REQUIRES_AEAD)
10656
0
                return 1;
10657
0
            break;
10658
10659
0
        case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 :
10660
0
            if (requirement == REQUIRES_ECC_STATIC)
10661
0
                return 1;
10662
0
            if (requirement == REQUIRES_AEAD)
10663
0
                return 1;
10664
0
            break;
10665
10666
0
        case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 :
10667
0
            if (requirement == REQUIRES_ECC_STATIC)
10668
0
                return 1;
10669
0
            if (requirement == REQUIRES_AEAD)
10670
0
                return 1;
10671
0
            break;
10672
0
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
10673
10674
0
#ifndef NO_RSA
10675
0
    #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
10676
0
        case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 :
10677
0
            if (requirement == REQUIRES_RSA)
10678
0
                return 1;
10679
0
            if (requirement == REQUIRES_AEAD)
10680
0
                return 1;
10681
0
            break;
10682
10683
0
        case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 :
10684
0
            if (requirement == REQUIRES_RSA)
10685
0
                return 1;
10686
0
            if (requirement == REQUIRES_AEAD)
10687
0
                return 1;
10688
0
            break;
10689
10690
0
        case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 :
10691
0
            if (requirement == REQUIRES_ECC_STATIC)
10692
0
                return 1;
10693
0
            if (requirement == REQUIRES_RSA_SIG)
10694
0
                return 1;
10695
0
            if (requirement == REQUIRES_AEAD)
10696
0
                return 1;
10697
0
            break;
10698
10699
0
        case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 :
10700
0
            if (requirement == REQUIRES_ECC_STATIC)
10701
0
                return 1;
10702
0
            if (requirement == REQUIRES_RSA_SIG)
10703
0
                return 1;
10704
0
            if (requirement == REQUIRES_AEAD)
10705
0
                return 1;
10706
0
            break;
10707
0
    #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
10708
0
    #ifdef HAVE_AESCCM
10709
0
        case TLS_RSA_WITH_AES_128_CCM_8 :
10710
0
        case TLS_RSA_WITH_AES_256_CCM_8 :
10711
0
            if (requirement == REQUIRES_RSA)
10712
0
                return 1;
10713
0
            if (requirement == REQUIRES_RSA_SIG)
10714
0
                return 1;
10715
0
            if (requirement == REQUIRES_AEAD)
10716
0
                return 1;
10717
0
            break;
10718
0
    #endif /* HAVE_AESCCM */
10719
0
    #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
10720
10721
0
        case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 :
10722
0
        case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 :
10723
0
            if (requirement == REQUIRES_RSA)
10724
0
                return 1;
10725
0
            break;
10726
10727
0
        case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 :
10728
0
        case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 :
10729
0
            if (requirement == REQUIRES_RSA_SIG)
10730
0
                return 1;
10731
0
            if (requirement == REQUIRES_ECC_STATIC)
10732
0
                return 1;
10733
0
            break;
10734
0
    #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
10735
0
#endif /* !NO_RSA */
10736
10737
0
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
10738
0
        case TLS_ECDHE_ECDSA_WITH_AES_128_CCM :
10739
0
        case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 :
10740
0
        case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 :
10741
0
            if (requirement == REQUIRES_ECC)
10742
0
                return 1;
10743
0
            if (requirement == REQUIRES_AEAD)
10744
0
                return 1;
10745
0
            break;
10746
10747
0
        case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 :
10748
0
        case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 :
10749
0
            if (requirement == REQUIRES_ECC)
10750
0
                return 1;
10751
0
            break;
10752
10753
0
        case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 :
10754
0
        case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 :
10755
0
            if (requirement == REQUIRES_ECC)
10756
0
                return 1;
10757
0
            if (requirement == REQUIRES_ECC_STATIC)
10758
0
                return 1;
10759
0
            break;
10760
0
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
10761
10762
#ifndef NO_PSK
10763
        case TLS_PSK_WITH_AES_128_CCM:
10764
        case TLS_PSK_WITH_AES_256_CCM:
10765
        case TLS_PSK_WITH_AES_128_CCM_8:
10766
        case TLS_PSK_WITH_AES_256_CCM_8:
10767
            if (requirement == REQUIRES_PSK)
10768
                return 1;
10769
            if (requirement == REQUIRES_AEAD)
10770
                return 1;
10771
            break;
10772
10773
        case TLS_DHE_PSK_WITH_AES_128_CCM:
10774
        case TLS_DHE_PSK_WITH_AES_256_CCM:
10775
            if (requirement == REQUIRES_PSK)
10776
                return 1;
10777
            if (requirement == REQUIRES_DHE)
10778
                return 1;
10779
            if (requirement == REQUIRES_AEAD)
10780
                return 1;
10781
            break;
10782
#endif /* !NO_PSK */
10783
0
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
10784
0
        case TLS_ECDHE_ECDSA_WITH_NULL_SHA :
10785
0
            if (requirement == REQUIRES_ECC)
10786
0
                return 1;
10787
0
            break;
10788
10789
0
        case TLS_ECDHE_PSK_WITH_NULL_SHA256 :
10790
0
            if (requirement == REQUIRES_PSK)
10791
0
                return 1;
10792
0
            break;
10793
10794
0
        case TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 :
10795
0
            if (requirement == REQUIRES_PSK)
10796
0
                return 1;
10797
0
            break;
10798
0
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
10799
10800
#if defined(WOLFSSL_TLS13) && defined(HAVE_NULL_CIPHER)
10801
        case TLS_SHA256_SHA256:
10802
            break;
10803
        case TLS_SHA384_SHA384:
10804
            break;
10805
#endif
10806
10807
0
        default:
10808
0
            WOLFSSL_MSG("Unsupported cipher suite, CipherRequires ECC");
10809
0
            return 0;
10810
0
        }   /* switch */
10811
0
        }   /* if     */
10812
10813
        /* ECC extensions */
10814
0
        if (first == ECDHE_PSK_BYTE) {
10815
10816
0
        switch (second) {
10817
0
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
10818
0
        case TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 :
10819
0
            if (requirement == REQUIRES_PSK)
10820
0
                return 1;
10821
0
            break;
10822
0
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
10823
0
        default:
10824
0
            WOLFSSL_MSG("Unsupported cipher suite, CipherRequires ECC PSK");
10825
0
            return 0;
10826
0
        }   /* switch */
10827
0
        }   /* if     */
10828
0
#endif /* !WOLFSSL_NO_TLS12 */
10829
10830
        /* Distinct TLS v1.3 cipher suites with cipher and digest only. */
10831
0
        if (first == TLS13_BYTE) {
10832
10833
0
            switch (second) {
10834
0
#ifdef WOLFSSL_TLS13
10835
0
            case TLS_AES_128_GCM_SHA256:
10836
0
            case TLS_AES_256_GCM_SHA384:
10837
0
            case TLS_CHACHA20_POLY1305_SHA256:
10838
0
            case TLS_AES_128_CCM_SHA256:
10839
0
            case TLS_AES_128_CCM_8_SHA256:
10840
0
                break;
10841
0
#endif
10842
10843
0
            default:
10844
0
                WOLFSSL_MSG("Unsupported cipher suite, CipherRequires "
10845
0
                            "TLS v1.3");
10846
0
                return 0;
10847
0
            }
10848
0
        }
10849
10850
0
#ifndef WOLFSSL_NO_TLS12
10851
10852
0
        if (first != ECC_BYTE && first != CHACHA_BYTE &&
10853
0
            first != TLS13_BYTE && first != ECDHE_PSK_BYTE) {
10854
        /* normal suites */
10855
0
        switch (second) {
10856
10857
0
#ifndef NO_RSA
10858
0
    #ifndef NO_RC4
10859
0
        case SSL_RSA_WITH_RC4_128_SHA :
10860
0
            if (requirement == REQUIRES_RSA)
10861
0
                return 1;
10862
0
            break;
10863
10864
0
        case SSL_RSA_WITH_RC4_128_MD5 :
10865
0
            if (requirement == REQUIRES_RSA)
10866
0
                return 1;
10867
0
            break;
10868
0
    #endif /* NO_RC4 */
10869
10870
0
        case SSL_RSA_WITH_3DES_EDE_CBC_SHA :
10871
0
            if (requirement == REQUIRES_RSA)
10872
0
                return 1;
10873
0
            break;
10874
10875
0
        case TLS_RSA_WITH_AES_128_CBC_SHA :
10876
0
            if (requirement == REQUIRES_RSA)
10877
0
                return 1;
10878
0
            break;
10879
10880
0
        case TLS_RSA_WITH_AES_128_CBC_SHA256 :
10881
0
            if (requirement == REQUIRES_RSA)
10882
0
                return 1;
10883
0
            break;
10884
10885
0
        case TLS_RSA_WITH_AES_256_CBC_SHA :
10886
0
            if (requirement == REQUIRES_RSA)
10887
0
                return 1;
10888
0
            break;
10889
10890
0
        case TLS_RSA_WITH_AES_256_CBC_SHA256 :
10891
0
            if (requirement == REQUIRES_RSA)
10892
0
                return 1;
10893
0
            break;
10894
10895
0
        case TLS_RSA_WITH_NULL_MD5 :
10896
0
        case TLS_RSA_WITH_NULL_SHA :
10897
0
        case TLS_RSA_WITH_NULL_SHA256 :
10898
0
            if (requirement == REQUIRES_RSA)
10899
0
                return 1;
10900
0
            break;
10901
10902
0
#endif /* !NO_RSA */
10903
10904
#ifndef NO_PSK
10905
        case TLS_PSK_WITH_AES_128_GCM_SHA256 :
10906
            if (requirement == REQUIRES_PSK)
10907
                return 1;
10908
            if (requirement == REQUIRES_AEAD)
10909
                return 1;
10910
            break;
10911
10912
        case TLS_PSK_WITH_AES_256_GCM_SHA384 :
10913
            if (requirement == REQUIRES_PSK)
10914
                return 1;
10915
            if (requirement == REQUIRES_AEAD)
10916
                return 1;
10917
            break;
10918
10919
        case TLS_PSK_WITH_AES_128_CBC_SHA256 :
10920
        case TLS_PSK_WITH_AES_256_CBC_SHA384 :
10921
        case TLS_PSK_WITH_AES_128_CBC_SHA :
10922
        case TLS_PSK_WITH_AES_256_CBC_SHA :
10923
        case TLS_PSK_WITH_NULL_SHA384 :
10924
        case TLS_PSK_WITH_NULL_SHA256 :
10925
        case TLS_PSK_WITH_NULL_SHA :
10926
            if (requirement == REQUIRES_PSK)
10927
                return 1;
10928
            break;
10929
10930
        case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 :
10931
        case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 :
10932
            if (requirement == REQUIRES_DHE)
10933
                return 1;
10934
            if (requirement == REQUIRES_PSK)
10935
                return 1;
10936
            if (requirement == REQUIRES_AEAD)
10937
                return 1;
10938
            break;
10939
10940
        case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 :
10941
        case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 :
10942
        case TLS_DHE_PSK_WITH_NULL_SHA384 :
10943
        case TLS_DHE_PSK_WITH_NULL_SHA256 :
10944
            if (requirement == REQUIRES_DHE)
10945
                return 1;
10946
            if (requirement == REQUIRES_PSK)
10947
                return 1;
10948
            break;
10949
#endif /* NO_PSK */
10950
10951
0
#ifndef NO_RSA
10952
0
        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
10953
0
            if (requirement == REQUIRES_RSA)
10954
0
                return 1;
10955
0
            if (requirement == REQUIRES_DHE)
10956
0
                return 1;
10957
0
            break;
10958
10959
0
        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 :
10960
0
            if (requirement == REQUIRES_RSA)
10961
0
                return 1;
10962
0
            if (requirement == REQUIRES_DHE)
10963
0
                return 1;
10964
0
            break;
10965
10966
0
        case TLS_DHE_RSA_WITH_AES_128_CBC_SHA :
10967
0
            if (requirement == REQUIRES_RSA)
10968
0
                return 1;
10969
0
            if (requirement == REQUIRES_DHE)
10970
0
                return 1;
10971
0
            break;
10972
10973
0
        case TLS_DHE_RSA_WITH_AES_256_CBC_SHA :
10974
0
            if (requirement == REQUIRES_RSA)
10975
0
                return 1;
10976
0
            if (requirement == REQUIRES_DHE)
10977
0
                return 1;
10978
0
            break;
10979
10980
0
        case TLS_RSA_WITH_AES_128_GCM_SHA256 :
10981
0
        case TLS_RSA_WITH_AES_256_GCM_SHA384 :
10982
0
            if (requirement == REQUIRES_RSA)
10983
0
                return 1;
10984
0
            if (requirement == REQUIRES_AEAD)
10985
0
                return 1;
10986
0
            break;
10987
10988
0
        case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 :
10989
0
        case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 :
10990
0
            if (requirement == REQUIRES_RSA)
10991
0
                return 1;
10992
0
            if (requirement == REQUIRES_DHE)
10993
0
                return 1;
10994
0
            if (requirement == REQUIRES_AEAD)
10995
0
                return 1;
10996
0
            break;
10997
10998
0
#ifdef HAVE_CAMELLIA
10999
0
        case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA :
11000
0
        case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA :
11001
0
        case TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
11002
0
        case TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
11003
0
            if (requirement == REQUIRES_RSA)
11004
0
                return 1;
11005
0
            break;
11006
11007
0
        case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA :
11008
0
        case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA :
11009
0
        case TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 :
11010
0
        case TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 :
11011
0
            if (requirement == REQUIRES_RSA)
11012
0
                return 1;
11013
0
            if (requirement == REQUIRES_RSA_SIG)
11014
0
                return 1;
11015
0
            if (requirement == REQUIRES_DHE)
11016
0
                return 1;
11017
0
            break;
11018
0
#endif /* HAVE_CAMELLIA */
11019
11020
0
        case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
11021
0
            if (requirement == REQUIRES_RSA)
11022
0
                return 1;
11023
0
            if (requirement == REQUIRES_RSA_SIG)
11024
0
                return 1;
11025
0
            if (requirement == REQUIRES_DHE)
11026
0
                return 1;
11027
0
            break;
11028
0
#endif
11029
#ifdef HAVE_ANON
11030
        case TLS_DH_anon_WITH_AES_128_CBC_SHA :
11031
            if (requirement == REQUIRES_DHE)
11032
                return 1;
11033
            break;
11034
        case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
11035
            if (requirement == REQUIRES_DHE)
11036
                return 1;
11037
            if (requirement == REQUIRES_AEAD)
11038
                return 1;
11039
            break;
11040
#endif
11041
#ifdef WOLFSSL_MULTICAST
11042
        case WDM_WITH_NULL_SHA256 :
11043
            break;
11044
#endif
11045
11046
0
        default:
11047
0
            WOLFSSL_MSG("Unsupported cipher suite, CipherRequires");
11048
0
            return 0;
11049
0
        }  /* switch */
11050
0
        }  /* if ECC / Normal suites else */
11051
11052
0
#endif /* !WOLFSSL_NO_TLS12 */
11053
11054
0
        return 0;
11055
0
    }
11056
11057
#endif /* !NO_WOLFSSL_SERVER && !NO_WOLFSSL_CLIENT */
11058
11059
11060
#ifndef NO_CERTS
11061
11062
11063
/* Match names with wildcards, each wildcard can represent a single name
11064
   component or fragment but not multiple names, i.e.,
11065
   *.z.com matches y.z.com but not x.y.z.com
11066
11067
   return 1 on success */
11068
int MatchDomainName(const char* pattern, int len, const char* str)
11069
0
{
11070
0
    int ret = 0;
11071
0
    char p, s;
11072
11073
0
    if (pattern == NULL || str == NULL || len <= 0)
11074
0
        return 0;
11075
11076
0
    while (len > 0) {
11077
11078
0
        p = (char)XTOLOWER((unsigned char)*pattern++);
11079
0
        if (p == '\0')
11080
0
            break;
11081
11082
0
        if (p == '*') {
11083
0
            while (--len > 0 &&
11084
0
                (p = (char)XTOLOWER((unsigned char)*pattern++)) == '*') {
11085
0
            }
11086
11087
0
            if (len == 0)
11088
0
                p = '\0';
11089
11090
0
            while ( (s = (char)XTOLOWER((unsigned char) *str)) != '\0') {
11091
0
                if (s == p)
11092
0
                    break;
11093
0
                if (s == '.')
11094
0
                    return 0;
11095
0
                str++;
11096
0
            }
11097
0
        }
11098
0
        else {
11099
0
            if (p != (char)XTOLOWER((unsigned char) *str))
11100
0
                return 0;
11101
0
        }
11102
11103
11104
0
        if (len > 0) {
11105
0
            str++;
11106
0
            len--;
11107
0
        }
11108
0
    }
11109
11110
0
    if (*str == '\0' && len == 0) {
11111
0
        ret = 1; /* success */
11112
0
    }
11113
11114
0
    return ret;
11115
0
}
11116
11117
11118
/* Check that alternative names, if they exists, match the domain.
11119
 * Fail if there are wild patterns and they didn't match.
11120
 * Check the common name if no alternative names matched.
11121
 *
11122
 * dCert    Decoded cert to get the alternative names from.
11123
 * domain   Domain name to compare against.
11124
 * checkCN  Whether to check the common name.
11125
 * returns  1 : match was found.
11126
 *          0 : no match found.
11127
 *         -1 : No matches and wild pattern match failed.
11128
 */
11129
int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
11130
0
{
11131
0
    int match = 0;
11132
0
    DNS_entry* altName = NULL;
11133
0
    char *buf;
11134
0
    word32 len;
11135
11136
0
    WOLFSSL_MSG("Checking AltNames");
11137
11138
0
    if (dCert)
11139
0
        altName = dCert->altNames;
11140
11141
0
    if (checkCN != NULL) {
11142
0
        *checkCN = (altName == NULL) ? 1 : 0;
11143
0
    }
11144
11145
0
    while (altName) {
11146
0
        WOLFSSL_MSG("\tindividual AltName check");
11147
11148
0
#if defined(OPENSSL_ALL) || defined(WOLFSSL_IP_ALT_NAME)
11149
0
        if (altName->type == ASN_IP_TYPE) {
11150
0
            buf = altName->ipString;
11151
0
            len = (word32)XSTRLEN(buf);
11152
0
        }
11153
0
        else
11154
0
#endif /* OPENSSL_ALL || WOLFSSL_IP_ALT_NAME */
11155
0
        {
11156
0
            buf = altName->name;
11157
0
            len = altName->len;
11158
0
        }
11159
11160
0
        if (MatchDomainName(buf, len, domain)) {
11161
0
            match = 1;
11162
0
            if (checkCN != NULL) {
11163
0
                *checkCN = 0;
11164
0
            }
11165
0
            WOLFSSL_MSG("\tmatch found");
11166
0
            break;
11167
0
        }
11168
        /* No matches and wild pattern match failed. */
11169
0
        else if (buf && (len >=1) && (buf[0] == '*')) {
11170
0
            match = -1;
11171
0
            WOLFSSL_MSG("\twildcard match failed");
11172
0
        }
11173
11174
0
        altName = altName->next;
11175
0
    }
11176
11177
0
    return match;
11178
0
}
11179
11180
11181
/* Check the domain name matches the subject alternative name or the subject
11182
 * name.
11183
 *
11184
 * dcert          Decoded certificate.
11185
 * domainName     The domain name.
11186
 * domainNameLen  The length of the domain name.
11187
 * returns DOMAIN_NAME_MISMATCH when no match found and 0 on success.
11188
 */
11189
int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen)
11190
0
{
11191
0
    int checkCN;
11192
0
    int ret = DOMAIN_NAME_MISMATCH;
11193
11194
    /* Assume name is NUL terminated. */
11195
0
    (void)domainNameLen;
11196
11197
0
    if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
11198
0
        WOLFSSL_MSG("DomainName match on alt names failed");
11199
0
    }
11200
0
    else {
11201
0
        ret = 0;
11202
0
    }
11203
11204
0
#ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
11205
0
    if (checkCN == 1) {
11206
0
        if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
11207
0
                            domainName) == 1) {
11208
0
            ret = 0;
11209
0
        }
11210
0
        else {
11211
0
            WOLFSSL_MSG("DomainName match on common name failed");
11212
0
        }
11213
0
    }
11214
0
#endif /* !WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY */
11215
11216
0
    return ret;
11217
0
}
11218
11219
int CheckIPAddr(DecodedCert* dCert, const char* ipasc)
11220
0
{
11221
0
    WOLFSSL_MSG("Checking IPAddr");
11222
11223
0
    return CheckHostName(dCert, ipasc, (size_t)XSTRLEN(ipasc));
11224
0
}
11225
11226
11227
#ifdef SESSION_CERTS
11228
static void AddSessionCertToChain(WOLFSSL_X509_CHAIN* chain,
11229
    byte* certBuf, word32 certSz)
11230
{
11231
   if (chain->count < MAX_CHAIN_DEPTH &&
11232
                               certSz < MAX_X509_SIZE) {
11233
        chain->certs[chain->count].length = certSz;
11234
        XMEMCPY(chain->certs[chain->count].buffer, certBuf, certSz);
11235
        chain->count++;
11236
    }
11237
    else {
11238
        WOLFSSL_MSG("Couldn't store chain cert for session");
11239
    }
11240
}
11241
#endif
11242
11243
#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) || \
11244
    defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
11245
static void CopyDecodedName(WOLFSSL_X509_NAME* name, DecodedCert* dCert, int nameType)
11246
0
{
11247
0
    if (nameType == SUBJECT) {
11248
0
        XSTRNCPY(name->name, dCert->subject, ASN_NAME_MAX);
11249
0
        name->name[ASN_NAME_MAX - 1] = '\0';
11250
0
        name->sz = (int)XSTRLEN(name->name) + 1;
11251
0
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
11252
0
        name->rawLen = min(dCert->subjectRawLen, ASN_NAME_MAX);
11253
0
        XMEMCPY(name->raw, dCert->subjectRaw, name->rawLen);
11254
0
#endif
11255
0
    }
11256
0
    else {
11257
0
        XSTRNCPY(name->name, dCert->issuer, ASN_NAME_MAX);
11258
0
        name->name[ASN_NAME_MAX - 1] = '\0';
11259
0
        name->sz = (int)XSTRLEN(name->name) + 1;
11260
#if (defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)) \
11261
    && (defined(HAVE_PKCS7) || defined(WOLFSSL_CERT_EXT))
11262
        name->rawLen = min(dCert->issuerRawLen, ASN_NAME_MAX);
11263
        if (name->rawLen) {
11264
            XMEMCPY(name->raw, dCert->issuerRaw, name->rawLen);
11265
        }
11266
#endif
11267
0
    }
11268
0
}
11269
11270
11271
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
11272
    !defined(IGNORE_NAME_CONSTRAINTS)
11273
/* copies over additional alt names such as dirName
11274
 * returns 0 on success
11275
 */
11276
static int CopyAdditionalAltNames(DNS_entry** to, DNS_entry* from, int type,
11277
        void* heap)
11278
0
{
11279
0
    DNS_entry* cur = from;
11280
11281
0
    if (to == NULL) {
11282
0
        return BAD_FUNC_ARG;
11283
0
    }
11284
11285
0
    while (cur != NULL) {
11286
0
        if (cur->type == type) {
11287
0
            DNS_entry* dnsEntry;
11288
0
            int strLen = cur->len;
11289
11290
0
            dnsEntry = AltNameNew(heap);
11291
0
            if (dnsEntry == NULL) {
11292
0
                WOLFSSL_MSG("\tOut of Memory");
11293
0
                return MEMORY_E;
11294
0
            }
11295
11296
0
            dnsEntry->type = type;
11297
0
            dnsEntry->name = (char*)XMALLOC(strLen + 1, heap,
11298
0
                    DYNAMIC_TYPE_ALTNAME);
11299
0
            if (dnsEntry->name == NULL) {
11300
0
                WOLFSSL_MSG("\tOut of Memory");
11301
0
                XFREE(dnsEntry, heap, DYNAMIC_TYPE_ALTNAME);
11302
0
                return MEMORY_E;
11303
0
            }
11304
0
            dnsEntry->len = strLen;
11305
0
            XMEMCPY(dnsEntry->name, cur->name, strLen);
11306
0
            dnsEntry->name[strLen] = '\0';
11307
11308
0
            dnsEntry->next = *to;
11309
0
            *to = dnsEntry;
11310
0
        }
11311
0
        cur = cur->next;
11312
0
    }
11313
0
    return 0;
11314
0
}
11315
#endif /* OPENSSL_EXTRA */
11316
11317
#ifdef WOLFSSL_CERT_REQ
11318
static int CopyREQAttributes(WOLFSSL_X509* x509, DecodedCert* dCert)
11319
{
11320
    int ret = 0;
11321
11322
    if (dCert->cPwd) {
11323
        if (dCert->cPwdLen < CTC_NAME_SIZE) {
11324
            XMEMCPY(x509->challengePw, dCert->cPwd, dCert->cPwdLen);
11325
            x509->challengePw[dCert->cPwdLen] = '\0';
11326
        #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN)
11327
            if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
11328
                                        NID_pkcs9_challengePassword,
11329
                                        MBSTRING_ASC,
11330
                                        (const byte*)dCert->cPwd,
11331
                                        dCert->cPwdLen) != WOLFSSL_SUCCESS) {
11332
                ret = REQ_ATTRIBUTE_E;
11333
                WOLFSSL_ERROR_VERBOSE(ret);
11334
            }
11335
        #endif
11336
        }
11337
        else {
11338
            WOLFSSL_MSG("Challenge password too long");
11339
            ret = MEMORY_E;
11340
        }
11341
    }
11342
11343
    if (dCert->contentType) {
11344
        if (dCert->contentTypeLen < CTC_NAME_SIZE) {
11345
            XMEMCPY(x509->contentType, dCert->contentType, dCert->contentTypeLen);
11346
            x509->contentType[dCert->contentTypeLen] = '\0';
11347
        }
11348
    #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN)
11349
        if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
11350
                                        NID_pkcs9_contentType,
11351
                                        MBSTRING_ASC,
11352
                                        (const byte*)dCert->contentType,
11353
                                        dCert->contentTypeLen) !=
11354
                WOLFSSL_SUCCESS) {
11355
            ret = REQ_ATTRIBUTE_E;
11356
            WOLFSSL_ERROR_VERBOSE(ret);
11357
        }
11358
    #endif
11359
    }
11360
11361
    #if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN)
11362
    if (dCert->sNum) {
11363
        if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
11364
                                        NID_serialNumber,
11365
                                        MBSTRING_ASC,
11366
                                        (const byte*)dCert->sNum,
11367
                                        dCert->sNumLen) != WOLFSSL_SUCCESS) {
11368
            ret = REQ_ATTRIBUTE_E;
11369
            WOLFSSL_ERROR_VERBOSE(ret);
11370
        }
11371
    }
11372
    if (dCert->unstructuredName) {
11373
        if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
11374
                                        NID_pkcs9_unstructuredName,
11375
                                        MBSTRING_ASC,
11376
                                        (const byte*)dCert->unstructuredName,
11377
                                        dCert->unstructuredNameLen)
11378
                != WOLFSSL_SUCCESS) {
11379
            ret = REQ_ATTRIBUTE_E;
11380
            WOLFSSL_ERROR_VERBOSE(ret);
11381
        }
11382
    }
11383
    if (dCert->surname) {
11384
        if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
11385
                                        NID_surname,
11386
                                        MBSTRING_ASC,
11387
                                        (const byte*)dCert->surname,
11388
                                        dCert->surnameLen) != WOLFSSL_SUCCESS) {
11389
            ret = REQ_ATTRIBUTE_E;
11390
            WOLFSSL_ERROR_VERBOSE(ret);
11391
        }
11392
    }
11393
    if (dCert->givenName) {
11394
        if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
11395
                                        NID_givenName,
11396
                                        MBSTRING_ASC,
11397
                                        (const byte*)dCert->givenName,
11398
                                        dCert->givenNameLen) != WOLFSSL_SUCCESS) {
11399
            ret = REQ_ATTRIBUTE_E;
11400
            WOLFSSL_ERROR_VERBOSE(ret);
11401
        }
11402
    }
11403
    if (dCert->dnQualifier) {
11404
        if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
11405
                                        NID_dnQualifier,
11406
                                        MBSTRING_ASC,
11407
                                        (const byte*)dCert->dnQualifier,
11408
                                        dCert->dnQualifierLen) != WOLFSSL_SUCCESS) {
11409
            ret = REQ_ATTRIBUTE_E;
11410
            WOLFSSL_ERROR_VERBOSE(ret);
11411
        }
11412
    }
11413
    if (dCert->initials) {
11414
        if (wolfSSL_X509_REQ_add1_attr_by_NID(x509,
11415
                                        NID_initials,
11416
                                        MBSTRING_ASC,
11417
                                        (const byte*)dCert->initials,
11418
                                        dCert->initialsLen) != WOLFSSL_SUCCESS) {
11419
            ret = REQ_ATTRIBUTE_E;
11420
            WOLFSSL_ERROR_VERBOSE(ret);
11421
        }
11422
    }
11423
    #endif /* OPENSSL_ALL */
11424
11425
    return ret;
11426
}
11427
#endif /* WOLFSSL_CERT_REQ */
11428
11429
/* Copy parts X509 needs from Decoded cert, 0 on success */
11430
/* The same DecodedCert cannot be copied to WOLFSSL_X509 twice otherwise the
11431
 * altNames pointers could be free'd by second x509 still active by first */
11432
int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
11433
0
{
11434
0
    int ret = 0;
11435
11436
0
    if (x509 == NULL || dCert == NULL ||
11437
0
        dCert->subjectCNLen < 0)
11438
0
        return BAD_FUNC_ARG;
11439
11440
0
    if (x509->issuer.name == NULL || x509->subject.name == NULL) {
11441
0
        WOLFSSL_MSG("Either init was not called on X509 or programming error");
11442
0
        WOLFSSL_ERROR_VERBOSE(BAD_FUNC_ARG);
11443
0
        return BAD_FUNC_ARG;
11444
0
    }
11445
11446
0
    x509->version = dCert->version + 1;
11447
11448
0
    CopyDecodedName(&x509->issuer, dCert, ISSUER);
11449
0
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
11450
0
    if (dCert->issuerName != NULL) {
11451
0
        wolfSSL_X509_set_issuer_name(x509,
11452
0
                (WOLFSSL_X509_NAME*)dCert->issuerName);
11453
0
        x509->issuer.x509 = x509;
11454
0
    }
11455
0
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
11456
0
    CopyDecodedName(&x509->subject, dCert, SUBJECT);
11457
0
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
11458
0
    if (dCert->subjectName != NULL) {
11459
0
        wolfSSL_X509_set_subject_name(x509,
11460
0
                (WOLFSSL_X509_NAME*)dCert->subjectName);
11461
0
        x509->subject.x509 = x509;
11462
0
    }
11463
0
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
11464
11465
0
    XMEMCPY(x509->serial, dCert->serial, EXTERNAL_SERIAL_SIZE);
11466
0
    x509->serialSz = dCert->serialSz;
11467
0
    if (dCert->subjectCN && dCert->subjectCNLen < ASN_NAME_MAX) {
11468
0
        XMEMCPY(x509->subjectCN, dCert->subjectCN, dCert->subjectCNLen);
11469
0
        x509->subjectCN[dCert->subjectCNLen] = '\0';
11470
0
    }
11471
0
    else
11472
0
        x509->subjectCN[0] = '\0';
11473
11474
#ifdef WOLFSSL_CERT_REQ
11475
    x509->isCSR = dCert->isCSR;
11476
11477
    /* CSR attributes */
11478
    if (x509->isCSR) {
11479
        ret = CopyREQAttributes(x509, dCert);
11480
    }
11481
#endif /* WOLFSSL_CERT_REQ */
11482
11483
#ifdef WOLFSSL_SEP
11484
    {
11485
        int minSz = min(dCert->deviceTypeSz, EXTERNAL_SERIAL_SIZE);
11486
        if (minSz > 0) {
11487
            x509->deviceTypeSz = minSz;
11488
            XMEMCPY(x509->deviceType, dCert->deviceType, minSz);
11489
        }
11490
        else
11491
            x509->deviceTypeSz = 0;
11492
        minSz = min(dCert->hwTypeSz, EXTERNAL_SERIAL_SIZE);
11493
        if (minSz > 0) {
11494
            x509->hwTypeSz = minSz;
11495
            XMEMCPY(x509->hwType, dCert->hwType, minSz);
11496
        }
11497
        else
11498
            x509->hwTypeSz = 0;
11499
        minSz = min(dCert->hwSerialNumSz, EXTERNAL_SERIAL_SIZE);
11500
        if (minSz > 0) {
11501
            x509->hwSerialNumSz = minSz;
11502
            XMEMCPY(x509->hwSerialNum, dCert->hwSerialNum, minSz);
11503
        }
11504
        else
11505
            x509->hwSerialNumSz = 0;
11506
    }
11507
#endif /* WOLFSSL_SEP */
11508
0
    {
11509
0
        int minSz;
11510
0
        if (dCert->beforeDateLen > 0) {
11511
0
            minSz = min(dCert->beforeDate[1], MAX_DATE_SZ);
11512
0
            x509->notBefore.type = dCert->beforeDate[0];
11513
0
            x509->notBefore.length = minSz;
11514
0
            XMEMCPY(x509->notBefore.data, &dCert->beforeDate[2], minSz);
11515
0
        }
11516
0
        else
11517
0
            x509->notBefore.length = 0;
11518
0
        if (dCert->afterDateLen > 0) {
11519
0
            minSz = min(dCert->afterDate[1], MAX_DATE_SZ);
11520
0
            x509->notAfter.type = dCert->afterDate[0];
11521
0
            x509->notAfter.length = minSz;
11522
0
            XMEMCPY(x509->notAfter.data, &dCert->afterDate[2], minSz);
11523
0
        }
11524
0
        else
11525
0
            x509->notAfter.length = 0;
11526
0
    }
11527
11528
0
    if (dCert->publicKey != NULL && dCert->pubKeySize != 0) {
11529
0
        x509->pubKey.buffer = (byte*)XMALLOC(
11530
0
                        dCert->pubKeySize, x509->heap, DYNAMIC_TYPE_PUBLIC_KEY);
11531
0
        if (x509->pubKey.buffer != NULL) {
11532
0
            x509->pubKeyOID = dCert->keyOID;
11533
0
            x509->pubKey.length = dCert->pubKeySize;
11534
0
            XMEMCPY(x509->pubKey.buffer, dCert->publicKey, dCert->pubKeySize);
11535
0
        }
11536
0
        else
11537
0
            ret = MEMORY_E;
11538
0
#if defined(OPENSSL_ALL)
11539
0
        if (ret == 0) {
11540
0
            x509->key.pubKeyOID = dCert->keyOID;
11541
11542
0
            if (!x509->key.algor) {
11543
0
                x509->key.algor = wolfSSL_X509_ALGOR_new();
11544
0
            } else {
11545
0
                wolfSSL_ASN1_OBJECT_free(x509->key.algor->algorithm);
11546
0
            }
11547
0
            if (!x509->key.algor) {
11548
0
                ret = MEMORY_E;
11549
0
            } else {
11550
0
                if (!(x509->key.algor->algorithm =
11551
0
                    wolfSSL_OBJ_nid2obj(oid2nid(dCert->keyOID, oidKeyType)))) {
11552
0
                    ret = PUBLIC_KEY_E;
11553
0
                    WOLFSSL_ERROR_VERBOSE(ret);
11554
0
                }
11555
0
            }
11556
11557
0
            wolfSSL_EVP_PKEY_free(x509->key.pkey);
11558
0
            if (!(x509->key.pkey = wolfSSL_d2i_PUBKEY(NULL,
11559
0
                                                      &dCert->publicKey,
11560
0
                                                      dCert->pubKeySize))) {
11561
0
                ret = PUBLIC_KEY_E;
11562
0
                WOLFSSL_ERROR_VERBOSE(ret);
11563
0
            }
11564
0
        }
11565
0
#endif
11566
0
    }
11567
11568
0
    if (dCert->signature != NULL && dCert->sigLength != 0 &&
11569
0
            dCert->sigLength <= MAX_ENCODED_SIG_SZ) {
11570
0
        x509->sig.buffer = (byte*)XMALLOC(
11571
0
                          dCert->sigLength, x509->heap, DYNAMIC_TYPE_SIGNATURE);
11572
0
        if (x509->sig.buffer == NULL) {
11573
0
            ret = MEMORY_E;
11574
0
        }
11575
0
        else {
11576
0
            XMEMCPY(x509->sig.buffer, dCert->signature, dCert->sigLength);
11577
0
            x509->sig.length = dCert->sigLength;
11578
0
            x509->sigOID = dCert->signatureOID;
11579
0
        }
11580
0
#if defined(OPENSSL_ALL)
11581
0
        wolfSSL_ASN1_OBJECT_free(x509->algor.algorithm);
11582
0
        if (!(x509->algor.algorithm =
11583
0
                wolfSSL_OBJ_nid2obj(oid2nid(dCert->signatureOID, oidSigType)))) {
11584
0
            ret = PUBLIC_KEY_E;
11585
0
            WOLFSSL_ERROR_VERBOSE(ret);
11586
0
        }
11587
0
#endif
11588
0
    }
11589
11590
    /* if der contains original source buffer then store for potential
11591
     * retrieval */
11592
0
    if (dCert->source != NULL && dCert->maxIdx > 0) {
11593
0
        if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, x509->heap)
11594
0
                                                                         == 0) {
11595
0
            XMEMCPY(x509->derCert->buffer, dCert->source, dCert->maxIdx);
11596
0
        }
11597
0
        else {
11598
0
            ret = MEMORY_E;
11599
0
        }
11600
0
    }
11601
11602
0
    x509->altNames       = dCert->altNames;
11603
0
    dCert->weOwnAltNames = 0;
11604
0
#if (defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)) && \
11605
0
    !defined(IGNORE_NAME_CONSTRAINTS)
11606
    /* add copies of email names from dCert to X509 */
11607
0
    if (CopyAdditionalAltNames(&x509->altNames, dCert->altEmailNames,
11608
0
                ASN_RFC822_TYPE, x509->heap) != 0) {
11609
0
        return MEMORY_E;
11610
0
    }
11611
0
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
11612
0
#if defined(OPENSSL_EXTRA) && !defined(IGNORE_NAME_CONSTRAINTS)
11613
    /* add copies of alternate directory names from dCert to X509 */
11614
0
    if (CopyAdditionalAltNames(&x509->altNames, dCert->altDirNames,
11615
0
                ASN_DIR_TYPE, x509->heap) != 0) {
11616
0
        return MEMORY_E;
11617
0
    }
11618
0
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
11619
0
    x509->altNamesNext   = x509->altNames;  /* index hint */
11620
11621
0
    x509->isCa = dCert->isCA;
11622
0
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
11623
0
    x509->pathLength = dCert->pathLength;
11624
0
    x509->keyUsage = dCert->extKeyUsage;
11625
11626
0
    x509->CRLdistSet = dCert->extCRLdistSet;
11627
0
    x509->CRLdistCrit = dCert->extCRLdistCrit;
11628
0
    if (dCert->extCrlInfoRaw != NULL && dCert->extCrlInfoRawSz > 0) {
11629
0
        x509->rawCRLInfo = (byte*)XMALLOC(dCert->extCrlInfoRawSz, x509->heap,
11630
0
            DYNAMIC_TYPE_X509_EXT);
11631
0
        if (x509->rawCRLInfo != NULL) {
11632
0
            XMEMCPY(x509->rawCRLInfo, dCert->extCrlInfoRaw, dCert->extCrlInfoRawSz);
11633
0
            x509->rawCRLInfoSz = dCert->extCrlInfoRawSz;
11634
0
        }
11635
0
        else {
11636
0
            ret = MEMORY_E;
11637
0
        }
11638
0
    }
11639
0
    if (dCert->extCrlInfo != NULL && dCert->extCrlInfoSz > 0) {
11640
0
        x509->CRLInfo = (byte*)XMALLOC(dCert->extCrlInfoSz, x509->heap,
11641
0
            DYNAMIC_TYPE_X509_EXT);
11642
0
        if (x509->CRLInfo != NULL) {
11643
0
            XMEMCPY(x509->CRLInfo, dCert->extCrlInfo, dCert->extCrlInfoSz);
11644
0
            x509->CRLInfoSz = dCert->extCrlInfoSz;
11645
0
        }
11646
0
        else {
11647
0
            ret = MEMORY_E;
11648
0
        }
11649
0
    }
11650
0
    x509->authInfoSet = dCert->extAuthInfoSet;
11651
0
    x509->authInfoCrit = dCert->extAuthInfoCrit;
11652
0
    if (dCert->extAuthInfo != NULL && dCert->extAuthInfoSz > 0) {
11653
0
        x509->authInfo = (byte*)XMALLOC(dCert->extAuthInfoSz, x509->heap,
11654
0
                DYNAMIC_TYPE_X509_EXT);
11655
0
        if (x509->authInfo != NULL) {
11656
0
            XMEMCPY(x509->authInfo, dCert->extAuthInfo, dCert->extAuthInfoSz);
11657
0
            x509->authInfoSz = dCert->extAuthInfoSz;
11658
0
        }
11659
0
        else {
11660
0
            ret = MEMORY_E;
11661
0
        }
11662
0
    }
11663
0
    #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
11664
0
    if (dCert->extAuthInfoCaIssuer != NULL && dCert->extAuthInfoCaIssuerSz > 0) {
11665
0
        x509->authInfoCaIssuer = (byte*)XMALLOC(dCert->extAuthInfoCaIssuerSz, x509->heap,
11666
0
                DYNAMIC_TYPE_X509_EXT);
11667
0
        if (x509->authInfoCaIssuer != NULL) {
11668
0
            XMEMCPY(x509->authInfoCaIssuer, dCert->extAuthInfoCaIssuer, dCert->extAuthInfoCaIssuerSz);
11669
0
            x509->authInfoCaIssuerSz = dCert->extAuthInfoCaIssuerSz;
11670
0
        }
11671
0
        else {
11672
0
            ret = MEMORY_E;
11673
0
        }
11674
0
    }
11675
0
    #endif
11676
0
    x509->basicConstSet = dCert->extBasicConstSet;
11677
0
    x509->basicConstCrit = dCert->extBasicConstCrit;
11678
0
    x509->basicConstPlSet = dCert->pathLengthSet;
11679
0
    x509->subjAltNameSet = dCert->extSubjAltNameSet;
11680
0
    x509->subjAltNameCrit = dCert->extSubjAltNameCrit;
11681
0
    x509->authKeyIdSet = dCert->extAuthKeyIdSet;
11682
0
    x509->authKeyIdCrit = dCert->extAuthKeyIdCrit;
11683
0
    if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) {
11684
0
    #ifdef WOLFSSL_AKID_NAME
11685
0
        if (dCert->extRawAuthKeyIdSrc != NULL &&
11686
0
                dCert->extAuthKeyIdSrc > dCert->extRawAuthKeyIdSrc &&
11687
0
                dCert->extAuthKeyIdSrc <
11688
0
                    (dCert->extRawAuthKeyIdSrc + dCert->extRawAuthKeyIdSz)) {
11689
            /* Confirmed: extAuthKeyIdSrc points inside extRawAuthKeyIdSrc */
11690
0
            x509->authKeyIdSrc = (byte*)XMALLOC(dCert->extRawAuthKeyIdSz,
11691
0
                    x509->heap, DYNAMIC_TYPE_X509_EXT);
11692
0
            if (x509->authKeyIdSrc != NULL) {
11693
0
                XMEMCPY(x509->authKeyIdSrc, dCert->extRawAuthKeyIdSrc,
11694
0
                        dCert->extRawAuthKeyIdSz);
11695
0
                x509->authKeyIdSrcSz = dCert->extRawAuthKeyIdSz;
11696
                /* Set authKeyId to same offset inside authKeyIdSrc */
11697
0
                x509->authKeyId = x509->authKeyIdSrc +
11698
0
                        (dCert->extAuthKeyIdSrc - dCert->extRawAuthKeyIdSrc);
11699
0
                x509->authKeyIdSz = dCert->extAuthKeyIdSz;
11700
0
            }
11701
0
            else
11702
0
                ret = MEMORY_E;
11703
0
        }
11704
    #else
11705
        x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, x509->heap,
11706
                                         DYNAMIC_TYPE_X509_EXT);
11707
        if (x509->authKeyId != NULL) {
11708
            XMEMCPY(x509->authKeyId,
11709
                                 dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz);
11710
            x509->authKeyIdSz = dCert->extAuthKeyIdSz;
11711
        }
11712
    #endif
11713
0
        else
11714
0
            ret = MEMORY_E;
11715
0
    }
11716
0
    x509->subjKeyIdSet = dCert->extSubjKeyIdSet;
11717
0
    x509->subjKeyIdCrit = dCert->extSubjKeyIdCrit;
11718
0
    if (dCert->extSubjKeyIdSrc != NULL && dCert->extSubjKeyIdSz != 0) {
11719
0
        x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, x509->heap,
11720
0
                                         DYNAMIC_TYPE_X509_EXT);
11721
0
        if (x509->subjKeyId != NULL) {
11722
0
            XMEMCPY(x509->subjKeyId,
11723
0
                                 dCert->extSubjKeyIdSrc, dCert->extSubjKeyIdSz);
11724
0
            x509->subjKeyIdSz = dCert->extSubjKeyIdSz;
11725
0
        }
11726
0
        else
11727
0
            ret = MEMORY_E;
11728
0
    }
11729
0
    x509->keyUsageSet = dCert->extKeyUsageSet;
11730
0
    x509->keyUsageCrit = dCert->extKeyUsageCrit;
11731
0
    if (dCert->extExtKeyUsageSrc != NULL && dCert->extExtKeyUsageSz > 0) {
11732
0
        x509->extKeyUsageSrc = (byte*)XMALLOC(dCert->extExtKeyUsageSz,
11733
0
                x509->heap, DYNAMIC_TYPE_X509_EXT);
11734
0
        if (x509->extKeyUsageSrc != NULL) {
11735
0
            XMEMCPY(x509->extKeyUsageSrc, dCert->extExtKeyUsageSrc,
11736
0
                                                       dCert->extExtKeyUsageSz);
11737
0
            x509->extKeyUsage      = dCert->extExtKeyUsage;
11738
0
            x509->extKeyUsageSz    = dCert->extExtKeyUsageSz;
11739
0
            x509->extKeyUsageCrit  = dCert->extExtKeyUsageCrit;
11740
0
            x509->extKeyUsageCount = dCert->extExtKeyUsageCount;
11741
0
        }
11742
0
        else {
11743
0
            ret = MEMORY_E;
11744
0
        }
11745
0
    }
11746
0
    #ifndef IGNORE_NETSCAPE_CERT_TYPE
11747
0
    x509->nsCertType = dCert->nsCertType;
11748
0
    #endif
11749
    #if defined(WOLFSSL_SEP) || defined(WOLFSSL_QT)
11750
        x509->certPolicySet = dCert->extCertPolicySet;
11751
        x509->certPolicyCrit = dCert->extCertPolicyCrit;
11752
    #endif /* WOLFSSL_SEP || WOLFSSL_QT */
11753
    #ifdef WOLFSSL_CERT_EXT
11754
        {
11755
            int i;
11756
            for (i = 0; i < dCert->extCertPoliciesNb && i < MAX_CERTPOL_NB; i++)
11757
                XMEMCPY(x509->certPolicies[i], dCert->extCertPolicies[i],
11758
                                                                MAX_CERTPOL_SZ);
11759
            x509->certPoliciesNb = dCert->extCertPoliciesNb;
11760
        }
11761
    #endif /* WOLFSSL_CERT_EXT */
11762
0
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
11763
0
#ifdef OPENSSL_ALL
11764
0
    if (dCert->extSubjAltNameSrc != NULL && dCert->extSubjAltNameSz != 0) {
11765
0
        x509->subjAltNameSrc = (byte*)XMALLOC(dCert->extSubjAltNameSz, x509->heap,
11766
0
                                         DYNAMIC_TYPE_X509_EXT);
11767
0
        if (x509->subjAltNameSrc != NULL) {
11768
0
            XMEMCPY(x509->subjAltNameSrc,
11769
0
                                 dCert->extSubjAltNameSrc, dCert->extSubjAltNameSz);
11770
0
            x509->subjAltNameSz = dCert->extSubjAltNameSz;
11771
0
        }
11772
0
        else
11773
0
            ret = MEMORY_E;
11774
0
    }
11775
0
#endif
11776
0
#if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
11777
0
    x509->pkCurveOID = dCert->pkCurveOID;
11778
0
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
11779
11780
0
    return ret;
11781
0
}
11782
11783
#endif /* KEEP_PEER_CERT || SESSION_CERTS */
11784
11785
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
11786
     (defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) && !defined(WOLFSSL_NO_TLS12))
11787
static int ProcessCSR(WOLFSSL* ssl, byte* input, word32* inOutIdx,
11788
                      word32 status_length)
11789
{
11790
    int ret = 0;
11791
    OcspRequest* request;
11792
11793
    #ifdef WOLFSSL_SMALL_STACK
11794
        CertStatus* status;
11795
        OcspEntry* single;
11796
        OcspResponse* response;
11797
    #else
11798
        CertStatus status[1];
11799
        OcspEntry single[1];
11800
        OcspResponse response[1];
11801
    #endif
11802
11803
    WOLFSSL_ENTER("ProcessCSR");
11804
11805
    do {
11806
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
11807
            if (ssl->status_request) {
11808
                request = (OcspRequest*)TLSX_CSR_GetRequest(ssl->extensions);
11809
                ssl->status_request = 0;
11810
                break;
11811
            }
11812
        #endif
11813
11814
        #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
11815
            if (ssl->status_request_v2) {
11816
                request = (OcspRequest*)TLSX_CSR2_GetRequest(ssl->extensions,
11817
                                                          WOLFSSL_CSR2_OCSP, 0);
11818
                ssl->status_request_v2 = 0;
11819
                break;
11820
            }
11821
        #endif
11822
11823
        return BUFFER_ERROR;
11824
    } while(0);
11825
11826
    if (request == NULL)
11827
        return BAD_CERTIFICATE_STATUS_ERROR; /* not expected */
11828
11829
    #ifdef WOLFSSL_SMALL_STACK
11830
        status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap,
11831
                                                    DYNAMIC_TYPE_OCSP_STATUS);
11832
        single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ssl->heap,
11833
                                                    DYNAMIC_TYPE_OCSP_ENTRY);
11834
        response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap,
11835
                                                    DYNAMIC_TYPE_OCSP_REQUEST);
11836
11837
        if (status == NULL || single == NULL || response == NULL) {
11838
            if (status)
11839
                XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS);
11840
            if (single)
11841
                XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY);
11842
            if (response)
11843
                XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
11844
11845
            return MEMORY_ERROR;
11846
        }
11847
    #endif
11848
11849
    InitOcspResponse(response, single, status, input +*inOutIdx, status_length, ssl->heap);
11850
11851
    if (OcspResponseDecode(response, SSL_CM(ssl), ssl->heap, 0) != 0)
11852
        ret = BAD_CERTIFICATE_STATUS_ERROR;
11853
    else if (CompareOcspReqResp(request, response) != 0)
11854
        ret = BAD_CERTIFICATE_STATUS_ERROR;
11855
    else if (response->responseStatus != OCSP_SUCCESSFUL)
11856
        ret = BAD_CERTIFICATE_STATUS_ERROR;
11857
    else if (response->single->status->status == CERT_REVOKED)
11858
        ret = OCSP_CERT_REVOKED;
11859
    else if (response->single->status->status != CERT_GOOD)
11860
        ret = BAD_CERTIFICATE_STATUS_ERROR;
11861
11862
    else {
11863
        XMEMCPY(ssl->ocspProducedDate, response->producedDate, sizeof ssl->ocspProducedDate);
11864
        ssl->ocspProducedDateFormat = response->producedDateFormat;
11865
    }
11866
11867
    *inOutIdx += status_length;
11868
11869
    #ifdef WOLFSSL_SMALL_STACK
11870
        XFREE(status,   ssl->heap, DYNAMIC_TYPE_OCSP_STATUS);
11871
        XFREE(single,   ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY);
11872
        XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
11873
    #endif
11874
11875
    WOLFSSL_LEAVE("ProcessCSR", ret);
11876
    return ret;
11877
}
11878
#endif
11879
11880
11881
11882
#ifdef HAVE_PK_CALLBACKS
11883
11884
#ifdef HAVE_ECC
11885
    static int SigPkCbEccVerify(const unsigned char* sig, unsigned int sigSz,
11886
       const unsigned char* hash, unsigned int hashSz,
11887
       const unsigned char* keyDer, unsigned int keySz,
11888
       int* result, void* ctx)
11889
    {
11890
        int ret = NOT_COMPILED_IN;
11891
        WOLFSSL* ssl = (WOLFSSL*)ctx;
11892
11893
        if (ssl && ssl->ctx->EccVerifyCb) {
11894
            ret = ssl->ctx->EccVerifyCb(ssl, sig, sigSz, hash, hashSz,
11895
                keyDer, keySz, result, ssl->EccVerifyCtx);
11896
        }
11897
        return ret;
11898
    }
11899
#endif
11900
#ifndef NO_RSA
11901
    static int SigPkCbRsaVerify(unsigned char* sig, unsigned int sigSz,
11902
       unsigned char** out, const unsigned char* keyDer, unsigned int keySz,
11903
       void* ctx)
11904
    {
11905
        int ret = NOT_COMPILED_IN;
11906
        WOLFSSL* ssl = (WOLFSSL*)ctx;
11907
11908
        if (ssl && ssl->ctx->RsaVerifyCb) {
11909
            ret = ssl->ctx->RsaVerifyCb(ssl, sig, sigSz, out, keyDer, keySz,
11910
                ssl->RsaVerifyCtx);
11911
        }
11912
        return ret;
11913
    }
11914
#endif
11915
11916
int InitSigPkCb(WOLFSSL* ssl, SignatureCtx* sigCtx)
11917
{
11918
    if (ssl == NULL || sigCtx == NULL)
11919
        return BAD_FUNC_ARG;
11920
11921
    /* only setup the verify callback if a PK is set */
11922
#ifdef HAVE_ECC
11923
    #if defined(WOLFSSL_RENESAS_SCEPROTECT) || defined(WOLFSSL_RENESAS_TSIP_TLS)
11924
    sigCtx->pkCbEcc = Renesas_cmn_SigPkCbEccVerify;
11925
    sigCtx->pkCtxEcc = (void*)&sigCtx->CertAtt;
11926
    (void)SigPkCbEccVerify;
11927
    #else
11928
    if (ssl->ctx->EccVerifyCb) {
11929
        sigCtx->pkCbEcc = SigPkCbEccVerify;
11930
        sigCtx->pkCtxEcc = ssl;
11931
    }
11932
    #endif
11933
11934
#endif
11935
#ifndef NO_RSA
11936
    /* only setup the verify callback if a PK is set */
11937
    #if defined(WOLFSSL_RENESAS_SCEPROTECT) || defined(WOLFSSL_RENESAS_TSIP_TLS)
11938
    sigCtx->pkCbRsa = Renesas_cmn_SigPkCbRsaVerify;
11939
    sigCtx->pkCtxRsa = (void*)&sigCtx->CertAtt;
11940
    (void)SigPkCbRsaVerify;
11941
    #else
11942
    if (ssl->ctx->RsaVerifyCb) {
11943
        sigCtx->pkCbRsa = SigPkCbRsaVerify;
11944
        sigCtx->pkCtxRsa = ssl;
11945
    }
11946
    #endif
11947
11948
#endif
11949
11950
    return 0;
11951
}
11952
11953
#endif /* HAVE_PK_CALLBACKS */
11954
11955
11956
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
11957
void DoCertFatalAlert(WOLFSSL* ssl, int ret)
11958
0
{
11959
0
    int alertWhy;
11960
0
    if (ssl == NULL || ret == 0) {
11961
0
        return;
11962
0
    }
11963
0
    WOLFSSL_ERROR(ret);
11964
11965
    /* Determine alert reason */
11966
0
    alertWhy = bad_certificate;
11967
0
    if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E) {
11968
0
        alertWhy = certificate_expired;
11969
0
    } else if (ret == ASN_NO_SIGNER_E) {
11970
0
        alertWhy = unknown_ca;
11971
0
    }
11972
0
#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD))
11973
0
    else if (ret == CRL_CERT_REVOKED) {
11974
0
        alertWhy = certificate_revoked;
11975
0
    }
11976
0
#endif
11977
0
    else if (ret == NO_PEER_CERT) {
11978
0
#ifdef WOLFSSL_TLS13
11979
0
        if (ssl->options.tls1_3) {
11980
0
            alertWhy = certificate_required;
11981
0
        }
11982
0
        else
11983
0
#endif
11984
0
        {
11985
0
            alertWhy = handshake_failure;
11986
0
        }
11987
0
    }
11988
11989
    /* send fatal alert and mark connection closed */
11990
0
    SendAlert(ssl, alert_fatal, alertWhy); /* try to send */
11991
0
    ssl->options.isClosed = 1;
11992
0
}
11993
11994
/* WOLFSSL_ALWAYS_VERIFY_CB: Use verify callback for success or failure cases */
11995
/* WOLFSSL_VERIFY_CB_ALL_CERTS: Issue callback for all intermediate certificates */
11996
11997
/* Callback is issued for certificate presented in TLS Certificate (11) packet.
11998
 * The intermediates are done first then peer leaf cert last. Use the
11999
 * store->error_depth member to determine index (0=peer, >1 intermediates)
12000
 */
12001
12002
int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret,
12003
                                                        ProcPeerCertArgs* args)
12004
0
{
12005
0
    int verify_ok = 0, use_cb = 0;
12006
0
    void *heap;
12007
12008
0
    if (cm == NULL) {
12009
0
        return BAD_FUNC_ARG;
12010
0
    }
12011
12012
0
    heap = (ssl != NULL) ? ssl->heap : cm->heap;
12013
12014
    /* Determine if verify was okay */
12015
0
    if (ret == 0) {
12016
0
        verify_ok = 1;
12017
0
    }
12018
12019
    /* Determine if verify callback should be used */
12020
0
    if (ret != 0) {
12021
0
        if ((ssl != NULL) && (!ssl->options.verifyNone)) {
12022
0
            use_cb = 1; /* always report errors */
12023
0
        }
12024
0
    }
12025
0
#ifdef WOLFSSL_ALWAYS_VERIFY_CB
12026
    /* always use verify callback on peer leaf cert */
12027
0
    if (args->certIdx == 0) {
12028
0
        use_cb = 1;
12029
0
    }
12030
0
#endif
12031
0
#ifdef WOLFSSL_VERIFY_CB_ALL_CERTS
12032
    /* perform verify callback on other intermediate certs (not just peer) */
12033
0
    if (args->certIdx > 0) {
12034
0
        use_cb = 1;
12035
0
    }
12036
0
#endif
12037
0
#if defined(OPENSSL_EXTRA)
12038
    /* Perform domain and IP check only for the leaf certificate */
12039
0
    if (args->certIdx == 0) {
12040
        /* perform domain name check on the peer certificate */
12041
0
        if (args->dCertInit && args->dCert && (ssl != NULL) &&
12042
0
                ssl->param && ssl->param->hostName[0]) {
12043
            /* If altNames names is present, then subject common name is ignored */
12044
0
            if (args->dCert->altNames != NULL) {
12045
0
                if (CheckForAltNames(args->dCert, ssl->param->hostName, NULL) != 1) {
12046
0
                    if (ret == 0) {
12047
0
                        ret = DOMAIN_NAME_MISMATCH;
12048
0
                        WOLFSSL_ERROR_VERBOSE(ret);
12049
0
                    }
12050
0
                }
12051
0
            }
12052
0
        #ifndef WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY
12053
0
            else {
12054
0
                if (args->dCert->subjectCN) {
12055
0
                    if (MatchDomainName(args->dCert->subjectCN,
12056
0
                                        args->dCert->subjectCNLen,
12057
0
                                        ssl->param->hostName) == 0) {
12058
0
                        if (ret == 0) {
12059
0
                            ret = DOMAIN_NAME_MISMATCH;
12060
0
                            WOLFSSL_ERROR_VERBOSE(ret);
12061
0
                        }
12062
0
                    }
12063
0
                }
12064
0
            }
12065
        #else
12066
            else {
12067
                if (ret == 0) {
12068
                    ret = DOMAIN_NAME_MISMATCH;
12069
                    WOLFSSL_ERROR_VERBOSE(ret);
12070
                }
12071
            }
12072
        #endif /* !WOLFSSL_HOSTNAME_VERIFY_ALT_NAME_ONLY */
12073
0
        }
12074
12075
        /* perform IP address check on the peer certificate */
12076
0
        if ((args->dCertInit != 0) && (args->dCert != NULL) && (ssl != NULL) &&
12077
0
            (ssl->param != NULL) && (XSTRLEN(ssl->param->ipasc) > 0)) {
12078
0
            if (CheckIPAddr(args->dCert, ssl->param->ipasc) != 0) {
12079
0
                if (ret == 0) {
12080
0
                    ret = IPADDR_MISMATCH;
12081
0
                    WOLFSSL_ERROR_VERBOSE(ret);
12082
0
                }
12083
0
            }
12084
0
        }
12085
0
    }
12086
0
#endif
12087
    /* if verify callback has been set */
12088
0
    if ((use_cb && (ssl != NULL) && ((ssl->verifyCallback != NULL)
12089
0
    #ifdef OPENSSL_ALL
12090
0
        || (ssl->ctx->verifyCertCb != NULL)
12091
0
    #endif
12092
0
        ))
12093
0
    #ifndef NO_WOLFSSL_CM_VERIFY
12094
0
        || (cm->verifyCallback != NULL)
12095
0
    #endif
12096
0
        ) {
12097
0
        int verifyFail = 0;
12098
0
    #ifdef WOLFSSL_SMALL_STACK
12099
0
        WOLFSSL_X509_STORE_CTX* store;
12100
0
        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12101
0
        WOLFSSL_X509* x509;
12102
0
        #endif
12103
0
        char* domain = NULL;
12104
    #else
12105
        WOLFSSL_X509_STORE_CTX store[1];
12106
        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12107
        WOLFSSL_X509           x509[1];
12108
        #endif
12109
        char domain[ASN_NAME_MAX];
12110
    #endif
12111
0
    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12112
0
        int x509Free = 0;
12113
0
    #endif
12114
12115
0
    #ifdef WOLFSSL_SMALL_STACK
12116
0
        store = (WOLFSSL_X509_STORE_CTX*)XMALLOC(
12117
0
            sizeof(WOLFSSL_X509_STORE_CTX), heap, DYNAMIC_TYPE_X509_STORE);
12118
0
        if (store == NULL) {
12119
0
            return MEMORY_E;
12120
0
        }
12121
0
        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12122
0
        x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), heap,
12123
0
            DYNAMIC_TYPE_X509);
12124
0
        if (x509 == NULL) {
12125
0
            XFREE(store, heap, DYNAMIC_TYPE_X509_STORE);
12126
0
            return MEMORY_E;
12127
0
        }
12128
0
        #endif
12129
0
        domain = (char*)XMALLOC(ASN_NAME_MAX, heap, DYNAMIC_TYPE_STRING);
12130
0
        if (domain == NULL) {
12131
0
            XFREE(store, heap, DYNAMIC_TYPE_X509_STORE);
12132
0
            #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12133
0
            XFREE(x509, heap, DYNAMIC_TYPE_X509);
12134
0
            #endif
12135
0
            return MEMORY_E;
12136
0
        }
12137
0
    #endif /* WOLFSSL_SMALL_STACK */
12138
12139
0
        XMEMSET(store, 0, sizeof(WOLFSSL_X509_STORE_CTX));
12140
0
    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12141
0
        XMEMSET(x509, 0, sizeof(WOLFSSL_X509));
12142
0
    #endif
12143
0
        domain[0] = '\0';
12144
12145
        /* build subject CN as string to return in store */
12146
0
        if (args->dCertInit && args->dCert && args->dCert->subjectCN) {
12147
0
            int subjectCNLen = args->dCert->subjectCNLen;
12148
0
            if (subjectCNLen > ASN_NAME_MAX-1)
12149
0
                subjectCNLen = ASN_NAME_MAX-1;
12150
0
            if (subjectCNLen > 0) {
12151
0
                XMEMCPY(domain, args->dCert->subjectCN, subjectCNLen);
12152
0
                domain[subjectCNLen] = '\0';
12153
0
            }
12154
0
        }
12155
12156
0
#ifndef OPENSSL_COMPATIBLE_DEFAULTS
12157
0
        store->error = ret;
12158
#else
12159
        store->error = GetX509Error(ret);
12160
#endif
12161
0
        store->error_depth = args->certIdx;
12162
0
        store->discardSessionCerts = 0;
12163
0
        store->domain = domain;
12164
0
        if (ssl != NULL) {
12165
0
            if (ssl->verifyCbCtx != NULL) {
12166
                /* Use the WOLFSSL user context if set */
12167
0
                store->userCtx = ssl->verifyCbCtx;
12168
0
            }
12169
0
            else {
12170
                /* Else use the WOLFSSL_CTX user context */
12171
0
                store->userCtx = ssl->ctx->verifyCbCtx;
12172
0
            }
12173
0
        }
12174
0
        else {
12175
0
            store->userCtx = cm;
12176
0
        }
12177
0
        store->certs = args->certs;
12178
0
        store->totalCerts = args->totalCerts;
12179
    #if defined(HAVE_EX_DATA) && \
12180
        (defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL))
12181
        if (wolfSSL_CRYPTO_set_ex_data(&store->ex_data, 0, ssl)
12182
                != WOLFSSL_SUCCESS) {
12183
            WOLFSSL_MSG("Failed to store ssl context in WOLFSSL_X509_STORE_CTX");
12184
        }
12185
    #endif
12186
12187
0
        if (ssl != NULL) {
12188
0
    #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
12189
0
            store->store = SSL_STORE(ssl);
12190
0
    #if defined(OPENSSL_EXTRA)
12191
0
            store->depth = args->count;
12192
0
            store->param = (WOLFSSL_X509_VERIFY_PARAM*)XMALLOC(
12193
0
                            sizeof(WOLFSSL_X509_VERIFY_PARAM),
12194
0
                            heap, DYNAMIC_TYPE_OPENSSL);
12195
0
            if (store->param == NULL) {
12196
0
        #ifdef WOLFSSL_SMALL_STACK
12197
0
                XFREE(domain, heap, DYNAMIC_TYPE_STRING);
12198
0
            #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12199
0
                XFREE(x509, heap, DYNAMIC_TYPE_X509);
12200
0
            #endif
12201
0
                XFREE(store, heap, DYNAMIC_TYPE_X509_STORE);
12202
0
        #endif
12203
0
                return MEMORY_E;
12204
0
            }
12205
0
            XMEMSET(store->param, 0, sizeof(WOLFSSL_X509_VERIFY_PARAM));
12206
            /* Overwrite with non-default param values in SSL */
12207
0
            if (ssl->param) {
12208
0
                if (ssl->param->check_time)
12209
0
                    store->param->check_time = ssl->param->check_time;
12210
12211
0
                if (ssl->param->flags)
12212
0
                    store->param->flags = ssl->param->flags;
12213
12214
0
                if (ssl->param->hostName[0])
12215
0
                    XMEMCPY(store->param->hostName, ssl->param->hostName,
12216
0
                            WOLFSSL_HOST_NAME_MAX);
12217
12218
0
            }
12219
0
    #endif /* defined(OPENSSL_EXTRA) */
12220
0
    #endif /* defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)*/
12221
0
    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12222
0
        #ifdef KEEP_PEER_CERT
12223
0
            if (args->certIdx == 0) {
12224
0
                store->current_cert = &ssl->peerCert; /* use existing X509 */
12225
0
            }
12226
0
            else
12227
0
        #endif
12228
0
            {
12229
0
                InitX509(x509, 0, heap);
12230
0
                if (CopyDecodedToX509(x509, args->dCert) == 0) {
12231
0
                    store->current_cert = x509;
12232
0
                    x509Free = 1;
12233
0
                }
12234
0
                else {
12235
0
                    FreeX509(x509);
12236
0
                }
12237
0
            }
12238
0
    #endif
12239
    #ifdef SESSION_CERTS
12240
            store->sesChain = &ssl->session->chain;
12241
    #endif
12242
0
        }
12243
0
    #ifndef NO_WOLFSSL_CM_VERIFY
12244
        /* non-zero return code indicates failure override */
12245
0
        if (cm->verifyCallback != NULL) {
12246
0
            store->userCtx = cm;
12247
0
            if (cm->verifyCallback(verify_ok, store)) {
12248
0
                if (ret != 0) {
12249
0
                    WOLFSSL_MSG("Verify CM callback overriding error!");
12250
0
                    ret = 0;
12251
0
                }
12252
0
            }
12253
0
            else {
12254
0
                verifyFail = 1;
12255
0
            }
12256
0
        }
12257
0
    #endif
12258
12259
0
        if (ssl != NULL) {
12260
0
    #ifdef OPENSSL_ALL
12261
            /* non-zero return code indicates failure override */
12262
0
            if (ssl->ctx->verifyCertCb) {
12263
0
                if (ssl->ctx->verifyCertCb(store, ssl->ctx->verifyCertCbArg)) {
12264
0
                    if (ret != 0) {
12265
0
                        WOLFSSL_MSG("Verify Cert callback overriding error!");
12266
0
                        ret = 0;
12267
0
                    }
12268
0
                }
12269
0
                else {
12270
0
                    verifyFail = 1;
12271
0
                }
12272
0
            }
12273
0
    #endif
12274
12275
            /* non-zero return code indicates failure override */
12276
0
            if (ssl->verifyCallback) {
12277
0
                if (ssl->verifyCallback(verify_ok, store)) {
12278
0
                    if (ret != 0) {
12279
0
                        WOLFSSL_MSG("Verify callback overriding error!");
12280
0
                        ret = 0;
12281
0
                    }
12282
0
                }
12283
0
                else {
12284
0
                    verifyFail = 1;
12285
0
                }
12286
0
            }
12287
0
        }
12288
12289
0
        if (verifyFail) {
12290
            /* induce error if one not present */
12291
0
            if (ret == 0) {
12292
0
                ret = VERIFY_CERT_ERROR;
12293
0
                WOLFSSL_ERROR_VERBOSE(ret);
12294
0
            }
12295
12296
            /* mark as verify error */
12297
0
            args->verifyErr = 1;
12298
0
        }
12299
0
    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12300
0
        if (x509Free) {
12301
0
            FreeX509(x509);
12302
0
        }
12303
0
    #endif
12304
    #if defined(SESSION_CERTS) && defined(OPENSSL_EXTRA)
12305
        wolfSSL_sk_X509_pop_free(store->chain, NULL);
12306
        store->chain = NULL;
12307
    #endif
12308
    #ifdef SESSION_CERTS
12309
        if ((ssl != NULL) && (store->discardSessionCerts)) {
12310
            WOLFSSL_MSG("Verify callback requested discard sess certs");
12311
            ssl->session->chain.count = 0;
12312
        #ifdef WOLFSSL_ALT_CERT_CHAINS
12313
            ssl->session->altChain.count = 0;
12314
        #endif
12315
        }
12316
    #endif /* SESSION_CERTS */
12317
0
#ifdef OPENSSL_EXTRA
12318
0
        if ((ssl != NULL) && (store->param)) {
12319
0
            XFREE(store->param, heap, DYNAMIC_TYPE_OPENSSL);
12320
0
        }
12321
0
#endif
12322
0
    #ifdef WOLFSSL_SMALL_STACK
12323
0
        XFREE(domain, heap, DYNAMIC_TYPE_STRING);
12324
0
        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12325
0
        XFREE(x509, heap, DYNAMIC_TYPE_X509);
12326
0
        #endif
12327
0
        XFREE(store, heap, DYNAMIC_TYPE_X509_STORE);
12328
0
    #endif
12329
0
    }
12330
12331
0
    (void)heap;
12332
12333
0
    return ret;
12334
0
}
12335
12336
static void FreeProcPeerCertArgs(WOLFSSL* ssl, void* pArgs)
12337
0
{
12338
0
    ProcPeerCertArgs* args = (ProcPeerCertArgs*)pArgs;
12339
12340
0
    (void)ssl;
12341
12342
0
    if (args->certs) {
12343
0
        XFREE(args->certs, ssl->heap, DYNAMIC_TYPE_DER);
12344
0
        args->certs = NULL;
12345
0
    }
12346
0
#ifdef WOLFSSL_TLS13
12347
0
    if (args->exts) {
12348
0
        XFREE(args->exts, ssl->heap, DYNAMIC_TYPE_CERT_EXT);
12349
0
        args->exts = NULL;
12350
0
    }
12351
0
#endif
12352
0
    if (args->dCert) {
12353
0
        if (args->dCertInit) {
12354
0
            FreeDecodedCert(args->dCert);
12355
0
            args->dCertInit = 0;
12356
0
        }
12357
0
        XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_DCERT);
12358
0
        args->dCert = NULL;
12359
0
    }
12360
0
}
12361
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
12362
    (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
12363
    !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
12364
/* load certificate file which has the form <hash>.(r)N[0..N]       */
12365
/* in the folder.                                                   */
12366
/* (r), in the case of CRL file                                     */
12367
/* @param store  a pointer to X509_STORE structure                  */
12368
/* @param issuer a pointer to X509_NAME that presents an issuer     */
12369
/* @param type   X509_LU_X509 or X509_LU_CRL                        */
12370
/* @return WOLFSSL_SUCCESS on successful, otherwise WOLFSSL_FAILURE */
12371
int LoadCertByIssuer(WOLFSSL_X509_STORE* store, X509_NAME* issuer, int type)
12372
{
12373
    const int MAX_SUFFIX = 10;/* The number comes from CA_TABLE_SIZE=10 */
12374
    int ret = WOLFSSL_SUCCESS;
12375
    WOLFSSL_X509_LOOKUP* lookup;
12376
    WOLFSSL_BY_DIR_entry* entry;
12377
    WOLFSSL_BY_DIR_HASH   hash_tmp;
12378
    WOLFSSL_BY_DIR_HASH*  ph = NULL;
12379
    WOLFSSL_X509* x509;
12380
    unsigned long hash = 0;
12381
    char*   filename = NULL;
12382
    const char* post = "";
12383
    byte*   pbuf = NULL;
12384
    int     len, num, i, idx;
12385
    int    suffix = 0;
12386
    int retHash = NOT_COMPILED_IN;
12387
    byte dgt[WC_MAX_DIGEST_SIZE];
12388
12389
    WOLFSSL_ENTER("LoadCertByIssuer");
12390
12391
    /* sanity check */
12392
    if (store == NULL || issuer == NULL || (type != X509_LU_X509 && type != X509_LU_CRL)) {
12393
        return WOLFSSL_FAILURE;
12394
    }
12395
    lookup = &store->lookup;
12396
    if (lookup->dirs == NULL || lookup->type != 1) {
12397
        return WOLFSSL_FAILURE;
12398
    }
12399
12400
    len = wolfSSL_i2d_X509_NAME_canon(issuer, &pbuf);
12401
    if (len > 0) {
12402
        #ifndef NO_SHA
12403
        retHash = wc_ShaHash((const byte*)pbuf, len, dgt);
12404
        #endif
12405
        if (retHash == 0) {
12406
            /* 4 bytes in little endian as unsigned long */
12407
            hash = (((unsigned long)dgt[3] << 24) |
12408
                    ((unsigned long)dgt[2] << 16) |
12409
                    ((unsigned long)dgt[1] <<  8) |
12410
                    ((unsigned long)dgt[0]));
12411
        } else {
12412
            WOLFSSL_MSG("failed hash operation");
12413
            return WOLFSSL_FAILURE;
12414
        }
12415
        wolfSSL_OPENSSL_free(pbuf);
12416
    }
12417
12418
    /* try to load each hashed name file in path */
12419
#if !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
12420
12421
    if (type == X509_LU_CRL) {
12422
        post = "r";
12423
    }
12424
12425
    num = wolfSSL_sk_BY_DIR_entry_num(lookup->dirs->dir_entry);
12426
12427
    for (i=0; i<num; i++) {
12428
12429
        entry = wolfSSL_sk_BY_DIR_entry_value(lookup->dirs->dir_entry, i);
12430
12431
        if (type == X509_LU_CRL && entry->hashes != NULL &&
12432
            wolfSSL_sk_BY_DIR_HASH_num(entry->hashes) > 0) {
12433
            /* lock the list */
12434
            if (wc_LockMutex(&lookup->dirs->lock) != 0) {
12435
                WOLFSSL_MSG("wc_LockMutex cdir Lock error");
12436
                return BAD_MUTEX_E;
12437
            }
12438
12439
            hash_tmp.hash_value = hash;
12440
            idx = wolfSSL_sk_BY_DIR_HASH_find(entry->hashes, &hash_tmp);
12441
            if (idx >= 0) {
12442
                WOLFSSL_MSG("find hashed CRL in list");
12443
                ph = wolfSSL_sk_BY_DIR_HASH_value(entry->hashes, idx);
12444
                suffix = ph->last_suffix;
12445
            } else {
12446
                ph = NULL;
12447
                suffix = 0;
12448
            }
12449
12450
            wc_UnLockMutex(&lookup->dirs->lock);
12451
        }
12452
12453
        /* Additional buffer length for file name memory allocation :   */
12454
        /* / <hashvalue>.(r)N\0                                         */
12455
        /*|1|     8    |1|1|1|1|           => 13                        */
12456
        len = (int)XSTRLEN(entry->dir_name) + 13;
12457
        if (filename != NULL) {
12458
            XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL);
12459
        }
12460
12461
        filename = (char*)XMALLOC(len, NULL, DYNAMIC_TYPE_OPENSSL);
12462
        if (filename == NULL) {
12463
            WOLFSSL_MSG("memory allocation error");
12464
            return MEMORY_E;
12465
        }
12466
12467
        /* set as FAILURE, if successfully loading cert of CRL, this becomes */
12468
        /* WOLFSSL_SUCCESS                                                  */
12469
        ret = WOLFSSL_FAILURE;
12470
12471
        for (; suffix < MAX_SUFFIX; suffix++) {
12472
            /* /folder-path/<hash>.(r)N[0..9] */
12473
            if (XSNPRINTF(filename, len, "%s/%08lx.%s%d", entry->dir_name,
12474
                                                       hash, post, suffix)
12475
                >= len)
12476
            {
12477
                WOLFSSL_MSG("buffer overrun in LoadCertByIssuer");
12478
                ret = BUFFER_E;
12479
                break;
12480
            }
12481
12482
            if(wc_FileExists(filename) == 0/*0 file exists */) {
12483
12484
                if (type == X509_LU_X509) {
12485
                    x509 = wolfSSL_X509_load_certificate_file(filename,
12486
                                                        WOLFSSL_FILETYPE_PEM);
12487
                    if (x509 != NULL) {
12488
                       ret = wolfSSL_X509_STORE_add_cert(store, x509);
12489
                       wolfSSL_X509_free(x509);
12490
                    } else {
12491
                       WOLFSSL_MSG("failed to load certificate");
12492
                       ret = WOLFSSL_FAILURE;
12493
                       break;
12494
                    }
12495
                }
12496
                else if (type == X509_LU_CRL) {
12497
#if defined(HAVE_CRL)
12498
                    ret = wolfSSL_X509_load_crl_file(&store->lookup, filename,
12499
                                                    WOLFSSL_FILETYPE_PEM);
12500
                    if (ret != WOLFSSL_SUCCESS) {
12501
                        WOLFSSL_MSG("failed to load CRL");
12502
                        break;
12503
                    }
12504
#else
12505
                    WOLFSSL_MSG("CRL is not supported");
12506
                    ret = WOLFSSL_FAILURE;
12507
                    break;
12508
#endif /* HAVE_CRL  */
12509
                }
12510
            } else
12511
                break;
12512
        }
12513
12514
        if (ret != WOLFSSL_SUCCESS) {
12515
            WOLFSSL_MSG("not found file");
12516
            ret = WOLFSSL_FAILURE;
12517
        } else {
12518
            if (type == X509_LU_CRL) {
12519
                if (wc_LockMutex(&lookup->dirs->lock) != 0) {
12520
                    WOLFSSL_MSG("wc_LockMutex cdir Lock error");
12521
                    XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL);
12522
                    WOLFSSL_ERROR_VERBOSE(BAD_MUTEX_E);
12523
                    return BAD_MUTEX_E;
12524
                }
12525
                if (ph == NULL) {
12526
                    ph = wolfSSL_BY_DIR_HASH_new();
12527
                    if (ph == NULL) {
12528
                        WOLFSSL_MSG("failed to allocate hash stack");
12529
                        ret = WOLFSSL_FAILURE;
12530
                    } else {
12531
                        ph->hash_value = hash;
12532
                        ph->last_suffix = suffix;
12533
12534
                        ret = wolfSSL_sk_BY_DIR_HASH_push(entry->hashes, ph);
12535
                    }
12536
                }
12537
                wc_UnLockMutex(&lookup->dirs->lock);
12538
            }
12539
        }
12540
12541
        XFREE(filename, NULL, DYNAMIC_TYPE_OPENSSL);
12542
    }
12543
#else
12544
    (void) type;
12545
    (void) ret;
12546
    (void) x509;
12547
    (void) filename;
12548
    (void) suffix;
12549
    (void) num;
12550
    (void) i;
12551
    ret = WOLFSSL_NOT_IMPLEMENTED;
12552
#endif
12553
    WOLFSSL_LEAVE("LoadCertByIssuer", ret);
12554
12555
    return ret;
12556
}
12557
#endif
12558
12559
12560
static int ProcessPeerCertParse(WOLFSSL* ssl, ProcPeerCertArgs* args,
12561
    int certType, int verify, byte** pSubjectHash, int* pAlreadySigner)
12562
0
{
12563
0
    int ret = 0;
12564
0
    buffer* cert;
12565
0
    byte* subjectHash = NULL;
12566
0
    int alreadySigner = 0;
12567
#ifdef WOLFSSL_SMALL_CERT_VERIFY
12568
    int sigRet = 0;
12569
#endif
12570
12571
0
    if (ssl == NULL || args == NULL
12572
0
    #ifndef WOLFSSL_SMALL_CERT_VERIFY
12573
0
        || args->dCert == NULL
12574
0
    #endif
12575
0
    ) {
12576
0
        return BAD_FUNC_ARG;
12577
0
    }
12578
12579
    /* check to make sure certificate index is valid */
12580
0
    if (args->certIdx > args->count)
12581
0
        return BUFFER_E;
12582
12583
    /* check if returning from non-blocking OCSP */
12584
    /* skip this section because cert is already initialized and parsed */
12585
#ifdef WOLFSSL_NONBLOCK_OCSP
12586
    if (args->lastErr == OCSP_WANT_READ) {
12587
        args->lastErr = 0; /* clear error */
12588
        return 0;
12589
    }
12590
#endif
12591
12592
#ifdef WOLFSSL_TRUST_PEER_CERT
12593
    /* we have trusted peer */
12594
    if (args->haveTrustPeer) {
12595
        return 0;
12596
    }
12597
#endif
12598
12599
    /* get certificate buffer */
12600
0
    cert = &args->certs[args->certIdx];
12601
12602
#ifdef WOLFSSL_SMALL_CERT_VERIFY
12603
    if (verify == VERIFY) {
12604
        /* for small cert verify, release decoded cert during signature check to
12605
            reduce peak memory usage */
12606
        if (args->dCert != NULL) {
12607
            if (args->dCertInit) {
12608
                FreeDecodedCert(args->dCert);
12609
                args->dCertInit = 0;
12610
            }
12611
            XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_DCERT);
12612
            args->dCert = NULL;
12613
        }
12614
12615
        /* perform cert parsing and signature check */
12616
        sigRet = CheckCertSignature(cert->buffer, cert->length,
12617
                                         ssl->heap, SSL_CM(ssl));
12618
        /* fail on errors here after the ParseCertRelative call, so dCert is populated */
12619
12620
        /* verify name only in ParseCertRelative below, signature check done */
12621
        verify = VERIFY_NAME;
12622
    }
12623
#endif /* WOLFSSL_SMALL_CERT_VERIFY */
12624
12625
    /* make sure the decoded cert structure is allocated and initialized */
12626
0
    if (!args->dCertInit
12627
    #ifdef WOLFSSL_SMALL_CERT_VERIFY
12628
        || args->dCert == NULL
12629
    #endif
12630
0
    ) {
12631
    #ifdef WOLFSSL_SMALL_CERT_VERIFY
12632
        if (args->dCert == NULL) {
12633
            args->dCert = (DecodedCert*)XMALLOC(
12634
                                 sizeof(DecodedCert), ssl->heap,
12635
                                 DYNAMIC_TYPE_DCERT);
12636
            if (args->dCert == NULL) {
12637
                return MEMORY_E;
12638
            }
12639
        }
12640
    #endif
12641
12642
0
        InitDecodedCert(args->dCert, cert->buffer, cert->length, ssl->heap);
12643
12644
0
        args->dCertInit = 1;
12645
0
        args->dCert->sigCtx.devId = ssl->devId;
12646
    #ifdef WOLFSSL_ASYNC_CRYPT
12647
        args->dCert->sigCtx.asyncCtx = ssl;
12648
    #endif
12649
12650
    #ifdef HAVE_PK_CALLBACKS
12651
        /* setup the PK callback context */
12652
        ret = InitSigPkCb(ssl, &args->dCert->sigCtx);
12653
        if (ret != 0)
12654
            return ret;
12655
    #endif
12656
0
    }
12657
12658
    /* Parse Certificate */
12659
0
    ret = ParseCertRelative(args->dCert, certType, verify, SSL_CM(ssl));
12660
    /* perform below checks for date failure cases */
12661
0
    if (ret == 0 || ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E) {
12662
        /* get subject and determine if already loaded */
12663
0
    #ifndef NO_SKID
12664
0
        if (args->dCert->extAuthKeyIdSet)
12665
0
            subjectHash = args->dCert->extSubjKeyId;
12666
0
        else
12667
0
    #endif
12668
0
            subjectHash = args->dCert->subjectHash;
12669
0
        alreadySigner = AlreadySigner(SSL_CM(ssl), subjectHash);
12670
0
    }
12671
12672
#ifdef WOLFSSL_SMALL_CERT_VERIFY
12673
    /* get signature check failures from above */
12674
    if (ret == 0)
12675
        ret = sigRet;
12676
#endif
12677
12678
0
    if (pSubjectHash)
12679
0
        *pSubjectHash = subjectHash;
12680
0
    if (pAlreadySigner)
12681
0
        *pAlreadySigner = alreadySigner;
12682
12683
#ifdef WOLFSSL_ASYNC_CRYPT
12684
    if (ret == WC_PENDING_E) {
12685
        ret = wolfSSL_AsyncPush(ssl,
12686
            args->dCert->sigCtx.asyncDev);
12687
    }
12688
#endif
12689
12690
0
    return ret;
12691
0
}
12692
12693
/* Check key sizes for certs. Is redundant check since
12694
   ProcessBuffer also performs this check. */
12695
static int ProcessPeerCertCheckKey(WOLFSSL* ssl, ProcPeerCertArgs* args)
12696
0
{
12697
0
    int ret = 0;
12698
12699
0
    if (ssl->options.verifyNone) {
12700
0
        return ret;
12701
0
    }
12702
12703
0
    switch (args->dCert->keyOID) {
12704
0
    #ifndef NO_RSA
12705
0
        #ifdef WC_RSA_PSS
12706
0
        case RSAPSSk:
12707
0
        #endif
12708
0
        case RSAk:
12709
0
            if (ssl->options.minRsaKeySz < 0 ||
12710
0
                    args->dCert->pubKeySize <
12711
0
                     (word16)ssl->options.minRsaKeySz) {
12712
0
                WOLFSSL_MSG(
12713
0
                    "RSA key size in cert chain error");
12714
0
                ret = RSA_KEY_SIZE_E;
12715
0
                WOLFSSL_ERROR_VERBOSE(ret);
12716
0
            }
12717
0
            break;
12718
0
    #endif /* !NO_RSA */
12719
0
    #ifdef HAVE_ECC
12720
0
        case ECDSAk:
12721
0
            if (ssl->options.minEccKeySz < 0 ||
12722
0
                    args->dCert->pubKeySize <
12723
0
                     (word16)ssl->options.minEccKeySz) {
12724
0
                WOLFSSL_MSG(
12725
0
                    "ECC key size in cert chain error");
12726
0
                ret = ECC_KEY_SIZE_E;
12727
0
                WOLFSSL_ERROR_VERBOSE(ret);
12728
0
            }
12729
0
            break;
12730
0
    #endif /* HAVE_ECC */
12731
0
    #ifdef HAVE_ED25519
12732
0
        case ED25519k:
12733
0
            if (ssl->options.minEccKeySz < 0 ||
12734
0
                    ED25519_KEY_SIZE < (word16)ssl->options.minEccKeySz) {
12735
0
                WOLFSSL_MSG(
12736
0
                    "ECC key size in cert chain error");
12737
0
                ret = ECC_KEY_SIZE_E;
12738
0
                WOLFSSL_ERROR_VERBOSE(ret);
12739
0
            }
12740
0
            break;
12741
0
    #endif /* HAVE_ED25519 */
12742
0
    #ifdef HAVE_ED448
12743
0
        case ED448k:
12744
0
            if (ssl->options.minEccKeySz < 0 ||
12745
0
                    ED448_KEY_SIZE < (word16)ssl->options.minEccKeySz) {
12746
0
                WOLFSSL_MSG(
12747
0
                    "ECC key size in cert chain error");
12748
0
                ret = ECC_KEY_SIZE_E;
12749
0
                WOLFSSL_ERROR_VERBOSE(ret);
12750
0
            }
12751
0
            break;
12752
0
    #endif /* HAVE_ED448 */
12753
    #if defined(HAVE_PQC)
12754
    #if defined(HAVE_FALCON)
12755
        case FALCON_LEVEL1k:
12756
            if (ssl->options.minFalconKeySz < 0 ||
12757
                FALCON_LEVEL1_KEY_SIZE < (word16)ssl->options.minFalconKeySz) {
12758
                WOLFSSL_MSG("Falcon key size in cert chain error");
12759
                ret = FALCON_KEY_SIZE_E;
12760
                WOLFSSL_ERROR_VERBOSE(ret);
12761
            }
12762
            break;
12763
        case FALCON_LEVEL5k:
12764
            if (ssl->options.minFalconKeySz < 0 ||
12765
                FALCON_LEVEL5_KEY_SIZE < (word16)ssl->options.minFalconKeySz) {
12766
                WOLFSSL_MSG("Falcon key size in cert chain error");
12767
                ret = FALCON_KEY_SIZE_E;
12768
                WOLFSSL_ERROR_VERBOSE(ret);
12769
            }
12770
            break;
12771
    #endif /* HAVE_FALCON */
12772
    #endif /* HAVE_PQC */
12773
    #if defined(HAVE_DILITHIUM)
12774
        case DILITHIUM_LEVEL2k:
12775
        case DILITHIUM_AES_LEVEL2k:
12776
            if (ssl->options.minDilithiumKeySz < 0 ||
12777
                DILITHIUM_LEVEL2_KEY_SIZE
12778
                < (word16)ssl->options.minDilithiumKeySz) {
12779
                WOLFSSL_MSG("Dilithium key size in cert chain error");
12780
                ret = DILITHIUM_KEY_SIZE_E;
12781
            }
12782
            break;
12783
        case DILITHIUM_LEVEL3k:
12784
        case DILITHIUM_AES_LEVEL3k:
12785
            if (ssl->options.minDilithiumKeySz < 0 ||
12786
                DILITHIUM_LEVEL3_KEY_SIZE
12787
                < (word16)ssl->options.minDilithiumKeySz) {
12788
                WOLFSSL_MSG( "Dilithium key size in cert chain error");
12789
                ret = DILITHIUM_KEY_SIZE_E;
12790
            }
12791
            break;
12792
        case DILITHIUM_LEVEL5k:
12793
        case DILITHIUM_AES_LEVEL5k:
12794
            if (ssl->options.minDilithiumKeySz < 0 ||
12795
                DILITHIUM_LEVEL5_KEY_SIZE
12796
                < (word16)ssl->options.minDilithiumKeySz) {
12797
                WOLFSSL_MSG("Dilithium key size in cert chain error");
12798
                ret = DILITHIUM_KEY_SIZE_E;
12799
            }
12800
            break;
12801
    #endif /* HAVE_DILITHIUM */
12802
0
        default:
12803
0
            WOLFSSL_MSG("Key size not checked");
12804
            /* key not being checked for size if not in
12805
               switch */
12806
0
            break;
12807
0
    }
12808
12809
0
    return ret;
12810
0
}
12811
12812
int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
12813
                     word32 totalSz)
12814
0
{
12815
0
    int ret = 0;
12816
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
12817
    ProcPeerCertArgs* args = NULL;
12818
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
12819
#elif defined(WOLFSSL_SMALL_STACK)
12820
0
    ProcPeerCertArgs* args = NULL;
12821
#else
12822
    ProcPeerCertArgs  args[1];
12823
#endif
12824
0
    byte* subjectHash = NULL;
12825
0
    int alreadySigner = 0;
12826
12827
0
    WOLFSSL_ENTER("ProcessPeerCerts");
12828
12829
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
12830
    if (ssl->async == NULL) {
12831
        ssl->async = (struct WOLFSSL_ASYNC*)
12832
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
12833
                        DYNAMIC_TYPE_ASYNC);
12834
        if (ssl->async == NULL)
12835
            ERROR_OUT(MEMORY_E, exit_ppc);
12836
    }
12837
    args = (ProcPeerCertArgs*)ssl->async->args;
12838
#ifdef WOLFSSL_ASYNC_CRYPT
12839
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
12840
    if (ret != WC_NOT_PENDING_E) {
12841
        /* Check for error */
12842
        if (ret < 0)
12843
            goto exit_ppc;
12844
    }
12845
    else
12846
#endif
12847
#ifdef WOLFSSL_NONBLOCK_OCSP
12848
    if (ssl->error == OCSP_WANT_READ) {
12849
        /* Re-entry after non-blocking OCSP */
12850
    }
12851
    else
12852
#endif
12853
#elif defined(WOLFSSL_SMALL_STACK)
12854
0
    args = (ProcPeerCertArgs*)XMALLOC(
12855
0
        sizeof(ProcPeerCertArgs), ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
12856
0
    if (args == NULL) {
12857
0
        ERROR_OUT(MEMORY_E, exit_ppc);
12858
0
    }
12859
0
#endif
12860
0
    {
12861
        /* Reset state */
12862
0
        ret = 0;
12863
0
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
12864
0
        XMEMSET(args, 0, sizeof(ProcPeerCertArgs));
12865
0
        args->idx = *inOutIdx;
12866
0
        args->begin = *inOutIdx;
12867
    #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
12868
        ssl->async->freeArgs = FreeProcPeerCertArgs;
12869
    #endif
12870
0
    }
12871
12872
0
    switch (ssl->options.asyncState)
12873
0
    {
12874
0
        case TLS_ASYNC_BEGIN:
12875
0
        {
12876
0
            word32 listSz;
12877
12878
        #ifdef WOLFSSL_CALLBACKS
12879
            if (ssl->hsInfoOn)
12880
                AddPacketName(ssl, "Certificate");
12881
            if (ssl->toInfoOn)
12882
                AddLateName("Certificate", &ssl->timeoutInfo);
12883
        #endif
12884
12885
0
        #ifdef WOLFSSL_TLS13
12886
0
            if (ssl->options.tls1_3) {
12887
0
                byte ctxSz;
12888
12889
                /* Certificate Request Context */
12890
0
                if ((args->idx - args->begin) + OPAQUE8_LEN > totalSz)
12891
0
                    ERROR_OUT(BUFFER_ERROR, exit_ppc);
12892
0
                ctxSz = *(input + args->idx);
12893
0
                args->idx++;
12894
0
                if ((args->idx - args->begin) + ctxSz > totalSz)
12895
0
                    ERROR_OUT(BUFFER_ERROR, exit_ppc);
12896
0
            #ifndef NO_WOLFSSL_CLIENT
12897
                /* Must be empty when received from server. */
12898
0
                if (ssl->options.side == WOLFSSL_CLIENT_END) {
12899
0
                    if (ctxSz != 0) {
12900
0
                        WOLFSSL_ERROR_VERBOSE(INVALID_CERT_CTX_E);
12901
0
                        ERROR_OUT(INVALID_CERT_CTX_E, exit_ppc);
12902
0
                    }
12903
0
                }
12904
0
            #endif
12905
0
            #ifndef NO_WOLFSSL_SERVER
12906
                /* Must contain value sent in request. */
12907
0
                if (ssl->options.side == WOLFSSL_SERVER_END) {
12908
0
                    if (ssl->options.handShakeState != HANDSHAKE_DONE &&
12909
0
                                                                   ctxSz != 0) {
12910
0
                        WOLFSSL_ERROR_VERBOSE(INVALID_CERT_CTX_E);
12911
0
                        ERROR_OUT(INVALID_CERT_CTX_E, exit_ppc);
12912
0
                    }
12913
0
                    else if (ssl->options.handShakeState == HANDSHAKE_DONE) {
12914
                #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
12915
                         CertReqCtx* curr = ssl->certReqCtx;
12916
                         CertReqCtx* prev = NULL;
12917
                         while (curr != NULL) {
12918
                             if ((ctxSz == curr->len) &&
12919
                                 XMEMCMP(&curr->ctx, input + args->idx, ctxSz)
12920
                                                                         == 0) {
12921
                                     if (prev != NULL)
12922
                                         prev->next = curr->next;
12923
                                     else
12924
                                         ssl->certReqCtx = curr->next;
12925
                                     XFREE(curr, ssl->heap,
12926
                                           DYNAMIC_TYPE_TMP_BUFFER);
12927
                                     break;
12928
                             }
12929
                             prev = curr;
12930
                             curr = curr->next;
12931
                        }
12932
                        if (curr == NULL)
12933
                #endif
12934
0
                        {
12935
0
                            WOLFSSL_ERROR_VERBOSE(INVALID_CERT_CTX_E);
12936
0
                            ERROR_OUT(INVALID_CERT_CTX_E, exit_ppc);
12937
0
                        }
12938
0
                    }
12939
0
                }
12940
0
            #endif
12941
0
                args->idx += ctxSz;
12942
12943
                /* allocate buffer for cert extensions */
12944
0
                args->exts = (buffer*)XMALLOC(sizeof(buffer) *
12945
0
                     MAX_CHAIN_DEPTH, ssl->heap, DYNAMIC_TYPE_CERT_EXT);
12946
0
                if (args->exts == NULL) {
12947
0
                    ERROR_OUT(MEMORY_E, exit_ppc);
12948
0
                }
12949
0
            }
12950
0
        #endif
12951
12952
            /* allocate buffer for certs */
12953
0
            args->certs = (buffer*)XMALLOC(sizeof(buffer) * MAX_CHAIN_DEPTH,
12954
0
                                            ssl->heap, DYNAMIC_TYPE_DER);
12955
0
            if (args->certs == NULL) {
12956
0
                ERROR_OUT(MEMORY_E, exit_ppc);
12957
0
            }
12958
0
            XMEMSET(args->certs, 0, sizeof(buffer) * MAX_CHAIN_DEPTH);
12959
12960
            /* Certificate List */
12961
0
            if ((args->idx - args->begin) + OPAQUE24_LEN > totalSz) {
12962
0
                ERROR_OUT(BUFFER_ERROR, exit_ppc);
12963
0
            }
12964
0
            c24to32(input + args->idx, &listSz);
12965
0
            args->idx += OPAQUE24_LEN;
12966
0
            if (listSz > MAX_CERTIFICATE_SZ) {
12967
0
                ERROR_OUT(BUFFER_ERROR, exit_ppc);
12968
0
            }
12969
0
            if ((args->idx - args->begin) + listSz != totalSz) {
12970
0
                ERROR_OUT(BUFFER_ERROR, exit_ppc);
12971
0
            }
12972
12973
0
            WOLFSSL_MSG("Loading peer's cert chain");
12974
            /* first put cert chain into buffer so can verify top down
12975
               we're sent bottom up */
12976
0
            while (listSz) {
12977
0
                word32 certSz;
12978
12979
12980
0
            #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
12981
0
                if (args->totalCerts >= MAX_CHAIN_DEPTH) {
12982
0
                    if (ssl->peerVerifyRet == 0) /* Return first cert error here */
12983
0
                        ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
12984
0
                    ret = MAX_CHAIN_ERROR;
12985
0
                    WOLFSSL_ERROR_VERBOSE(ret);
12986
0
                    WOLFSSL_MSG("Too many certs for MAX_CHAIN_DEPTH");
12987
0
                    break; /* break out to avoid reading more certs then buffer
12988
                            * can hold */
12989
0
                }
12990
            #else
12991
                if (args->totalCerts >= ssl->verifyDepth ||
12992
                        args->totalCerts >= MAX_CHAIN_DEPTH) {
12993
                    WOLFSSL_ERROR_VERBOSE(MAX_CHAIN_ERROR);
12994
                    ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc);
12995
                }
12996
            #endif
12997
12998
0
                if ((args->idx - args->begin) + OPAQUE24_LEN > totalSz) {
12999
0
                    ERROR_OUT(BUFFER_ERROR, exit_ppc);
13000
0
                }
13001
13002
0
                c24to32(input + args->idx, &certSz);
13003
0
                args->idx += OPAQUE24_LEN;
13004
13005
0
                if ((args->idx - args->begin) + certSz > totalSz) {
13006
0
                    ERROR_OUT(BUFFER_ERROR, exit_ppc);
13007
0
                }
13008
13009
0
                args->certs[args->totalCerts].length = certSz;
13010
0
                args->certs[args->totalCerts].buffer = input + args->idx;
13011
13012
            #ifdef SESSION_CERTS
13013
                AddSessionCertToChain(&ssl->session->chain,
13014
                    input + args->idx, certSz);
13015
            #endif /* SESSION_CERTS */
13016
13017
0
                args->idx += certSz;
13018
0
                listSz -= certSz + CERT_HEADER_SZ;
13019
13020
0
            #ifdef WOLFSSL_TLS13
13021
                /* Extensions */
13022
0
                if (ssl->options.tls1_3) {
13023
0
                    word16 extSz;
13024
13025
0
                    if (args->exts == NULL) {
13026
0
                        ERROR_OUT(BUFFER_ERROR, exit_ppc);
13027
0
                    }
13028
0
                    if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
13029
0
                        ERROR_OUT(BUFFER_ERROR, exit_ppc);
13030
0
                    }
13031
0
                    ato16(input + args->idx, &extSz);
13032
0
                    args->idx += OPAQUE16_LEN;
13033
0
                    if ((args->idx - args->begin) + extSz > totalSz) {
13034
0
                        ERROR_OUT(BUFFER_ERROR, exit_ppc);
13035
0
                    }
13036
                    /* Store extension data info for later processing. */
13037
0
                    args->exts[args->totalCerts].length = extSz;
13038
0
                    args->exts[args->totalCerts].buffer = input + args->idx;
13039
0
                    args->idx += extSz;
13040
0
                    listSz -= extSz + OPAQUE16_LEN;
13041
0
                    WOLFSSL_MSG_EX("\tParsing %d bytes of cert extensions",
13042
0
                            args->exts[args->totalCerts].length);
13043
0
                    #if !defined(NO_TLS)
13044
0
                    ret = TLSX_Parse(ssl, args->exts[args->totalCerts].buffer,
13045
0
                        (word16)args->exts[args->totalCerts].length,
13046
0
                        certificate, NULL);
13047
0
                    #endif /* !NO_TLS */
13048
0
                    if (ret < 0) {
13049
0
                        WOLFSSL_ERROR_VERBOSE(ret);
13050
0
                        ERROR_OUT(ret, exit_ppc);
13051
0
                    }
13052
0
                }
13053
0
            #endif
13054
13055
0
                args->totalCerts++;
13056
0
                WOLFSSL_MSG("\tPut another cert into chain");
13057
0
            } /* while (listSz) */
13058
13059
0
            args->count = args->totalCerts;
13060
0
            args->certIdx = 0; /* select peer cert (first one) */
13061
13062
0
            if (args->count == 0) {
13063
                /* Empty certificate message. */
13064
0
                if ((ssl->options.side == WOLFSSL_SERVER_END) &&
13065
0
                    (ssl->options.mutualAuth || (ssl->options.failNoCert &&
13066
0
                                             IsAtLeastTLSv1_3(ssl->version)))) {
13067
0
                    WOLFSSL_MSG("No peer cert from Client");
13068
0
                    ret = NO_PEER_CERT;
13069
0
                    WOLFSSL_ERROR_VERBOSE(ret);
13070
0
                    DoCertFatalAlert(ssl, ret);
13071
0
                }
13072
0
                else if ((ssl->options.side == WOLFSSL_CLIENT_END) &&
13073
0
                         IsAtLeastTLSv1_3(ssl->version)) {
13074
0
                    WOLFSSL_MSG("No peer cert from Server");
13075
0
                    ret = NO_PEER_CERT;
13076
0
                    WOLFSSL_ERROR_VERBOSE(ret);
13077
0
                    SendAlert(ssl, alert_fatal, decode_error);
13078
0
                }
13079
0
            }
13080
13081
0
            args->dCertInit = 0;
13082
0
        #ifndef WOLFSSL_SMALL_CERT_VERIFY
13083
0
            args->dCert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
13084
0
                                                       DYNAMIC_TYPE_DCERT);
13085
0
            if (args->dCert == NULL) {
13086
0
                ERROR_OUT(MEMORY_E, exit_ppc);
13087
0
            }
13088
0
            XMEMSET(args->dCert, 0, sizeof(DecodedCert));
13089
0
        #endif
13090
13091
            /* Advance state and proceed */
13092
0
            ssl->options.asyncState = TLS_ASYNC_BUILD;
13093
0
        } /* case TLS_ASYNC_BEGIN */
13094
0
        FALL_THROUGH;
13095
13096
0
        case TLS_ASYNC_BUILD:
13097
0
        {
13098
0
            if (args->count > 0) {
13099
13100
                /* check for trusted peer and get untrustedDepth */
13101
0
            #if defined(WOLFSSL_TRUST_PEER_CERT) || defined(OPENSSL_EXTRA)
13102
0
                if (args->certIdx == 0) {
13103
                #ifdef WOLFSSL_TRUST_PEER_CERT
13104
                    TrustedPeerCert* tp;
13105
                #endif
13106
13107
0
                    ret = ProcessPeerCertParse(ssl, args, CERT_TYPE, NO_VERIFY,
13108
0
                        &subjectHash, &alreadySigner);
13109
0
                    if (ret != 0)
13110
0
                        goto exit_ppc;
13111
13112
0
                #ifdef OPENSSL_EXTRA
13113
                    /* Determine untrusted depth */
13114
0
                    if (!alreadySigner && (!args->dCert ||
13115
0
                            !args->dCertInit || !args->dCert->selfSigned)) {
13116
0
                        args->untrustedDepth = 1;
13117
0
                    }
13118
0
                #endif
13119
13120
                #ifdef WOLFSSL_TRUST_PEER_CERT
13121
                    tp = GetTrustedPeer(SSL_CM(ssl), args->dCert);
13122
                    WOLFSSL_MSG("Checking for trusted peer cert");
13123
13124
                    if (tp && MatchTrustedPeer(tp, args->dCert)) {
13125
                        WOLFSSL_MSG("Found matching trusted peer cert");
13126
                        args->haveTrustPeer = 1;
13127
                    }
13128
                    else if (tp == NULL) {
13129
                        /* no trusted peer cert */
13130
                        WOLFSSL_MSG("No matching trusted peer cert. Checking CAs");
13131
                    }
13132
                    else {
13133
                        WOLFSSL_MSG("Trusted peer cert did not match!");
13134
                    }
13135
                    if (!args->haveTrustPeer)
13136
                #endif
13137
0
                    {
13138
                        /* free cert if not trusted peer */
13139
0
                        FreeDecodedCert(args->dCert);
13140
0
                        args->dCertInit = 0;
13141
0
                    }
13142
0
                }
13143
0
            #endif /* WOLFSSL_TRUST_PEER_CERT || OPENSSL_EXTRA */
13144
13145
                /* check certificate up to peer's first */
13146
                /* do not verify chain if trusted peer cert found */
13147
0
                while (args->count > 1
13148
                #ifdef WOLFSSL_TRUST_PEER_CERT
13149
                    && !args->haveTrustPeer
13150
                #endif /* WOLFSSL_TRUST_PEER_CERT */
13151
0
                ) {
13152
0
                    int skipAddCA = 0;
13153
13154
                    /* select last certificate */
13155
0
                    args->certIdx = args->count - 1;
13156
13157
0
                    ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
13158
0
                        !ssl->options.verifyNone ? VERIFY : NO_VERIFY,
13159
0
                        &subjectHash, &alreadySigner);
13160
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
13161
    (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
13162
    !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
13163
                    if (ret == ASN_NO_SIGNER_E || ret == ASN_SELF_SIGNED_E) {
13164
                        WOLFSSL_MSG("try to load certificate if hash dir is set");
13165
                        ret = LoadCertByIssuer(SSL_STORE(ssl),
13166
                           (WOLFSSL_X509_NAME*)args->dCert->issuerName,
13167
                                                          X509_LU_X509);
13168
                        if (ret == WOLFSSL_SUCCESS) {
13169
                            FreeDecodedCert(args->dCert);
13170
                            args->dCertInit = 0;
13171
                            /* once again */
13172
                            ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
13173
                                !ssl->options.verifyNone ? VERIFY : NO_VERIFY,
13174
                                &subjectHash, &alreadySigner);
13175
                        }
13176
                        else {
13177
                            ret = ASN_NO_SIGNER_E;
13178
                            WOLFSSL_ERROR_VERBOSE(ret);
13179
                        }
13180
                    }
13181
#endif
13182
                #ifdef WOLFSSL_ASYNC_CRYPT
13183
                    if (ret == WC_PENDING_E)
13184
                        goto exit_ppc;
13185
                #endif
13186
0
                    if (ret == 0) {
13187
0
                        ret = ProcessPeerCertCheckKey(ssl, args);
13188
0
                    }
13189
13190
0
                    if (ret == 0 && args->dCert->isCA == 0) {
13191
0
                        WOLFSSL_MSG("Chain cert is not a CA, not adding as one");
13192
0
                    }
13193
0
                    else if (ret == 0 && ssl->options.verifyNone) {
13194
0
                        WOLFSSL_MSG("Chain cert not verified by option, "
13195
0
                            "not adding as CA");
13196
0
                    }
13197
0
                    else if (ret == 0) {
13198
0
                    #ifdef OPENSSL_EXTRA
13199
0
                        if (args->certIdx > args->untrustedDepth) {
13200
0
                            args->untrustedDepth = (char)args->certIdx + 1;
13201
0
                        }
13202
0
                    #endif
13203
13204
0
                        if (alreadySigner) {
13205
0
                            WOLFSSL_MSG("Verified CA from chain and already had it");
13206
0
                        }
13207
0
                    }
13208
0
                    else {
13209
0
                        WOLFSSL_MSG("Failed to verify CA from chain");
13210
0
                    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
13211
0
                        if (ssl->peerVerifyRet == 0) /* Return first cert error here */
13212
0
                            ssl->peerVerifyRet = X509_V_ERR_INVALID_CA;
13213
0
                    #endif
13214
0
                    }
13215
13216
0
            #if defined(HAVE_OCSP) || defined(HAVE_CRL)
13217
0
                    if (ret == 0) {
13218
0
                        int doCrlLookup = 1;
13219
0
                #ifdef HAVE_OCSP
13220
                    #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
13221
                        if (ssl->status_request_v2) {
13222
                            ret = TLSX_CSR2_InitRequests(ssl->extensions,
13223
                                                    args->dCert, 0, ssl->heap);
13224
                        }
13225
                        else /* skips OCSP and force CRL check */
13226
                    #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
13227
0
                        if (SSL_CM(ssl)->ocspEnabled &&
13228
0
                                            SSL_CM(ssl)->ocspCheckAll) {
13229
0
                            WOLFSSL_MSG("Doing Non Leaf OCSP check");
13230
0
                            ret = CheckCertOCSP_ex(SSL_CM(ssl)->ocsp,
13231
0
                                                    args->dCert, NULL, ssl);
13232
                        #ifdef WOLFSSL_NONBLOCK_OCSP
13233
                            if (ret == OCSP_WANT_READ) {
13234
                                args->lastErr = ret;
13235
                                goto exit_ppc;
13236
                            }
13237
                        #endif
13238
0
                            doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
13239
0
                            if (ret != 0) {
13240
0
                                doCrlLookup = 0;
13241
0
                                WOLFSSL_ERROR_VERBOSE(ret);
13242
0
                                WOLFSSL_MSG("\tOCSP Lookup not ok");
13243
0
                            }
13244
0
                        }
13245
0
                #endif /* HAVE_OCSP */
13246
13247
                #ifdef HAVE_CRL
13248
                        if (ret == 0 && doCrlLookup &&
13249
                                    SSL_CM(ssl)->crlEnabled &&
13250
                                                SSL_CM(ssl)->crlCheckAll) {
13251
                            WOLFSSL_MSG("Doing Non Leaf CRL check");
13252
                            ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
13253
                        #ifdef WOLFSSL_NONBLOCK_OCSP
13254
                            if (ret == OCSP_WANT_READ) {
13255
                                args->lastErr = ret;
13256
                                goto exit_ppc;
13257
                            }
13258
                        #endif
13259
                            if (ret != 0) {
13260
                                WOLFSSL_ERROR_VERBOSE(ret);
13261
                                WOLFSSL_MSG("\tCRL check not ok");
13262
                            }
13263
                        }
13264
                #endif /* HAVE_CRL */
13265
0
                        (void)doCrlLookup;
13266
0
                    }
13267
0
            #endif /* HAVE_OCSP || HAVE_CRL */
13268
0
            #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
13269
0
                    if (ret == 0 &&
13270
                        /* extend the limit "+1" until reaching
13271
                         * an ultimately trusted issuer.*/
13272
0
                        args->count > (ssl->verifyDepth + 1)) {
13273
0
                        if (ssl->peerVerifyRet == 0) /* Return first cert error here */
13274
0
                            ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
13275
0
                        ret = MAX_CHAIN_ERROR;
13276
0
                        WOLFSSL_ERROR_VERBOSE(ret);
13277
0
                    }
13278
0
            #endif
13279
                #ifdef WOLFSSL_ALT_CERT_CHAINS
13280
                    /* For alternate cert chain, its okay for a CA cert to fail
13281
                        with ASN_NO_SIGNER_E here. The "alternate" certificate
13282
                        chain mode only requires that the peer certificate
13283
                        validate to a trusted CA */
13284
                    if (ret != 0 && args->dCert->isCA) {
13285
                        if (ret == ASN_NO_SIGNER_E || ret == ASN_SELF_SIGNED_E) {
13286
                            if (!ssl->options.usingAltCertChain) {
13287
                                WOLFSSL_MSG("Trying alternate cert chain");
13288
                                ssl->options.usingAltCertChain = 1;
13289
                            }
13290
13291
                            ret = 0; /* clear errors and continue */
13292
                    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
13293
                            ssl->peerVerifyRet = 0;
13294
                    #endif
13295
                            args->verifyErr = 0;
13296
                        }
13297
13298
                        /* do not add to certificate manager */
13299
                        skipAddCA = 1;
13300
                    }
13301
                #endif /* WOLFSSL_ALT_CERT_CHAINS */
13302
13303
                    /* Do verify callback */
13304
0
                    ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
13305
0
                    if (ssl->options.verifyNone &&
13306
0
                              (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
13307
0
                               ret == CRL_CERT_DATE_ERR)) {
13308
0
                        WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
13309
0
                        ret = ssl->error = 0;
13310
0
                    }
13311
13312
13313
13314
                    /* If valid CA then add to Certificate Manager */
13315
0
                    if (ret == 0 && args->dCert->isCA &&
13316
0
                            !ssl->options.verifyNone && !skipAddCA) {
13317
0
                        buffer* cert = &args->certs[args->certIdx];
13318
13319
                        /* Is valid CA */
13320
                    #if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
13321
                        /* if using alternate chain, store the cert used */
13322
                        if (ssl->options.usingAltCertChain) {
13323
                            AddSessionCertToChain(&ssl->session->altChain,
13324
                                cert->buffer, cert->length);
13325
                        }
13326
                    #endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
13327
0
                        if (!alreadySigner) {
13328
0
                            DerBuffer* add = NULL;
13329
0
                            ret = AllocDer(&add, cert->length, CA_TYPE, ssl->heap);
13330
0
                            if (ret < 0)
13331
0
                                goto exit_ppc;
13332
13333
0
                            XMEMCPY(add->buffer, cert->buffer, cert->length);
13334
13335
                            /* CA already verified above in ParseCertRelative */
13336
0
                            WOLFSSL_MSG("Adding CA from chain");
13337
0
                            ret = AddCA(SSL_CM(ssl), &add, WOLFSSL_CHAIN_CA,
13338
0
                                NO_VERIFY);
13339
0
                            if (ret == WOLFSSL_SUCCESS) {
13340
0
                                ret = 0;
13341
0
                            }
13342
0
                        }
13343
0
                    }
13344
13345
                    /* Handle error codes */
13346
0
                    if (ret != 0) {
13347
0
                        if (!ssl->options.verifyNone) {
13348
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13349
0
                            DoCertFatalAlert(ssl, ret);
13350
0
                        }
13351
0
                        ssl->error = ret; /* Report SSL error */
13352
13353
0
                        if (args->lastErr == 0) {
13354
0
                            args->lastErr = ret; /* save error from last time */
13355
0
                            ret = 0; /* reset error */
13356
0
                        }
13357
0
                    }
13358
13359
0
                    FreeDecodedCert(args->dCert);
13360
0
                    args->dCertInit = 0;
13361
0
                    args->count--;
13362
0
                } /* while (count > 0 && !args->haveTrustPeer) */
13363
0
            } /* if (count > 0) */
13364
13365
            /* Check for error */
13366
0
            if (ret != 0) {
13367
0
                goto exit_ppc;
13368
0
            }
13369
13370
            /* Advance state and proceed */
13371
0
            ssl->options.asyncState = TLS_ASYNC_DO;
13372
0
        } /* case TLS_ASYNC_BUILD */
13373
0
        FALL_THROUGH;
13374
13375
0
        case TLS_ASYNC_DO:
13376
0
        {
13377
            /* peer's, may not have one if blank client cert sent by TLSv1.2 */
13378
0
            if (args->count > 0) {
13379
0
                WOLFSSL_MSG("Verifying Peer's cert");
13380
13381
                /* select peer cert (first one) */
13382
0
                args->certIdx = 0;
13383
13384
0
                ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
13385
0
                        !ssl->options.verifyNone ? VERIFY : NO_VERIFY,
13386
0
                        &subjectHash, &alreadySigner);
13387
#if defined(OPENSSL_ALL) && defined(WOLFSSL_CERT_GEN) && \
13388
    (defined(WOLFSSL_CERT_REQ) || defined(WOLFSSL_CERT_EXT)) && \
13389
    !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
13390
                    if (ret == ASN_NO_SIGNER_E || ret == ASN_SELF_SIGNED_E) {
13391
                        WOLFSSL_MSG("try to load certificate if hash dir is set");
13392
                        ret = LoadCertByIssuer(SSL_STORE(ssl),
13393
                           (WOLFSSL_X509_NAME*)args->dCert->issuerName,
13394
                                                          X509_LU_X509);
13395
                        if (ret == WOLFSSL_SUCCESS) {
13396
                            FreeDecodedCert(args->dCert);
13397
                            args->dCertInit = 0;
13398
                            /* once again */
13399
                            ret = ProcessPeerCertParse(ssl, args, CERT_TYPE,
13400
                                !ssl->options.verifyNone ? VERIFY : NO_VERIFY,
13401
                                &subjectHash, &alreadySigner);
13402
                        }
13403
                        else {
13404
                            ret = ASN_NO_SIGNER_E;
13405
                            WOLFSSL_ERROR_VERBOSE(ret);
13406
                        }
13407
                    }
13408
#endif
13409
            #ifdef WOLFSSL_ASYNC_CRYPT
13410
                if (ret == WC_PENDING_E)
13411
                    goto exit_ppc;
13412
            #endif
13413
0
                if (ret == 0) {
13414
0
                    WOLFSSL_MSG("Verified Peer's cert");
13415
0
                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
13416
0
                    if (ssl->peerVerifyRet == 0) /* Return first cert error here */
13417
0
                        ssl->peerVerifyRet = X509_V_OK;
13418
0
                #endif
13419
                #if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
13420
                    /* if using alternate chain, store the cert used */
13421
                    if (ssl->options.usingAltCertChain) {
13422
                        buffer* cert = &args->certs[args->certIdx];
13423
                        AddSessionCertToChain(&ssl->session->altChain,
13424
                            cert->buffer, cert->length);
13425
                    }
13426
                #endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
13427
13428
0
                #ifndef OPENSSL_COMPATIBLE_DEFAULTS
13429
                    /* Check peer's certificate version number. TLS 1.2 / 1.3
13430
                     * requires the clients certificate be version 3 unless a
13431
                     * different version has been negotiated using RFC 7250.
13432
                     * OpenSSL doesn't appear to be performing this check.
13433
                     * For TLS 1.3 see RFC8446 Section 4.4.2.3 */
13434
0
                    if (ssl->options.side == WOLFSSL_SERVER_END) {
13435
0
                        if (args->dCert->version != WOLFSSL_X509_V3) {
13436
0
                            WOLFSSL_MSG("Peers certificate was not version 3!");
13437
0
                            args->lastErr = ASN_VERSION_E;
13438
                            /* setting last error but not considering it fatal
13439
                             * giving the user a chance to override */
13440
0
                        }
13441
0
                    }
13442
0
                #endif
13443
13444
                    /* check if fatal error */
13445
0
                    if (args->verifyErr) {
13446
0
                        args->fatal = 1;
13447
0
                        ret = args->lastErr;
13448
0
                    }
13449
0
                    else {
13450
0
                        args->fatal = 0;
13451
0
                    }
13452
0
                }
13453
0
                else if (ret == ASN_PARSE_E || ret == BUFFER_E) {
13454
0
                    WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR");
13455
0
                #if defined(WOLFSSL_EXTRA_ALERTS) || defined(OPENSSL_EXTRA) || \
13456
0
                                               defined(OPENSSL_EXTRA_X509_SMALL)
13457
0
                    DoCertFatalAlert(ssl, ret);
13458
0
                #endif
13459
0
                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
13460
0
                    if (ssl->peerVerifyRet == 0) /* Return first cert error here */
13461
0
                        ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
13462
0
                #endif
13463
0
                    args->fatal = 1;
13464
0
                }
13465
0
                else {
13466
0
                    WOLFSSL_MSG("Failed to verify Peer's cert");
13467
0
                    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
13468
0
                    if (ssl->peerVerifyRet == 0) { /* Return first cert error here */
13469
0
                        if (ret == ASN_BEFORE_DATE_E) {
13470
0
                            ssl->peerVerifyRet =
13471
0
                                   (unsigned long)X509_V_ERR_CERT_NOT_YET_VALID;
13472
0
                        }
13473
0
                        else if (ret == ASN_AFTER_DATE_E) {
13474
0
                            ssl->peerVerifyRet =
13475
0
                                   (unsigned long)X509_V_ERR_CERT_HAS_EXPIRED;
13476
0
                        }
13477
0
                        else {
13478
0
                            ssl->peerVerifyRet =
13479
0
                                   (unsigned long)
13480
0
                                   X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
13481
0
                        }
13482
0
                    }
13483
0
                    #endif
13484
0
                    if (ssl->verifyCallback) {
13485
0
                        WOLFSSL_MSG(
13486
0
                            "\tCallback override available, will continue");
13487
                        /* check if fatal error */
13488
0
                        args->fatal = (args->verifyErr) ? 1 : 0;
13489
0
                        if (args->fatal)
13490
0
                            DoCertFatalAlert(ssl, ret);
13491
0
                    }
13492
0
                    else {
13493
0
                        WOLFSSL_MSG("\tNo callback override available, fatal");
13494
0
                        args->fatal = 1;
13495
0
                        DoCertFatalAlert(ssl, ret);
13496
0
                    }
13497
0
                }
13498
13499
            #ifdef HAVE_SECURE_RENEGOTIATION
13500
                if (args->fatal == 0 && !IsAtLeastTLSv1_3(ssl->version)
13501
                                     && ssl->secure_renegotiation
13502
                                     && ssl->secure_renegotiation->enabled) {
13503
13504
                    if (IsEncryptionOn(ssl, 0)) {
13505
                        /* compare against previous time */
13506
                        if (ssl->secure_renegotiation->subject_hash_set) {
13507
                            if (XMEMCMP(args->dCert->subjectHash,
13508
                                        ssl->secure_renegotiation->subject_hash,
13509
                                        KEYID_SIZE) != 0) {
13510
                                WOLFSSL_MSG(
13511
                                  "Peer sent different cert during scr, fatal");
13512
                                args->fatal = 1;
13513
                                ret = SCR_DIFFERENT_CERT_E;
13514
                                WOLFSSL_ERROR_VERBOSE(ret);
13515
                            }
13516
                        }
13517
                    }
13518
13519
                    /* cache peer's hash */
13520
                    if (args->fatal == 0) {
13521
                        XMEMCPY(ssl->secure_renegotiation->subject_hash,
13522
                                args->dCert->subjectHash, KEYID_SIZE);
13523
                        ssl->secure_renegotiation->subject_hash_set = 1;
13524
                    }
13525
                }
13526
            #endif /* HAVE_SECURE_RENEGOTIATION */
13527
0
            } /* if (count > 0) */
13528
13529
            /* Check for error */
13530
0
            if (args->fatal && ret != 0) {
13531
0
                goto exit_ppc;
13532
0
            }
13533
13534
            /* Advance state and proceed */
13535
0
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
13536
0
        } /* case TLS_ASYNC_DO */
13537
0
        FALL_THROUGH;
13538
13539
0
        case TLS_ASYNC_VERIFY:
13540
0
        {
13541
0
            if (args->count > 0) {
13542
0
            #if defined(HAVE_OCSP) || defined(HAVE_CRL)
13543
                /* only attempt to check OCSP or CRL if not previous error such
13544
                 * as ASN_BEFORE_DATE_E or ASN_AFTER_DATE_E */
13545
0
                if (args->fatal == 0 && ret == 0) {
13546
0
                    int doLookup = 1;
13547
13548
0
                    WOLFSSL_MSG("Checking if ocsp needed");
13549
13550
0
                    if (ssl->options.side == WOLFSSL_CLIENT_END) {
13551
                #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
13552
                        if (ssl->status_request) {
13553
                            args->fatal = (TLSX_CSR_InitRequest(ssl->extensions,
13554
                                                args->dCert, ssl->heap) != 0);
13555
                            doLookup = 0;
13556
                            WOLFSSL_MSG("\tHave status request");
13557
                        #if defined(WOLFSSL_TLS13)
13558
                            if (ssl->options.tls1_3) {
13559
                                TLSX* ext = TLSX_Find(ssl->extensions,
13560
                                                           TLSX_STATUS_REQUEST);
13561
                                if (ext != NULL) {
13562
                                    word32 idx = 0;
13563
                                    CertificateStatusRequest* csr =
13564
                                           (CertificateStatusRequest*)ext->data;
13565
                                    ret = ProcessCSR(ssl, csr->response.buffer,
13566
                                                    &idx, csr->response.length);
13567
                                    if (ret < 0) {
13568
                                        WOLFSSL_ERROR_VERBOSE(ret);
13569
                                        goto exit_ppc;
13570
                                    }
13571
                                }
13572
                            }
13573
                        #endif
13574
                        }
13575
                        /* Ensure a stapling response was seen */
13576
                        else if (ssl->options.tls1_3 &&
13577
                                                 SSL_CM(ssl)->ocspMustStaple) {
13578
                             ret = OCSP_CERT_UNKNOWN;
13579
                             goto exit_ppc;
13580
                        }
13581
                #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
13582
                #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
13583
                        if (ssl->status_request_v2) {
13584
                            args->fatal = (TLSX_CSR2_InitRequests(ssl->extensions,
13585
                                                 args->dCert, 1, ssl->heap) != 0);
13586
                            doLookup = 0;
13587
                            WOLFSSL_MSG("\tHave status request v2");
13588
                        }
13589
                #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
13590
0
                    }
13591
13592
0
                #ifdef HAVE_OCSP
13593
0
                    if (doLookup && SSL_CM(ssl)->ocspEnabled) {
13594
0
                        WOLFSSL_MSG("Doing Leaf OCSP check");
13595
0
                        ret = CheckCertOCSP_ex(SSL_CM(ssl)->ocsp,
13596
0
                                                    args->dCert, NULL, ssl);
13597
                    #ifdef WOLFSSL_NONBLOCK_OCSP
13598
                        if (ret == OCSP_WANT_READ) {
13599
                            goto exit_ppc;
13600
                        }
13601
                    #endif
13602
0
                        doLookup = (ret == OCSP_CERT_UNKNOWN);
13603
0
                        if (ret != 0) {
13604
0
                            WOLFSSL_MSG("\tOCSP Lookup not ok");
13605
0
                            args->fatal = 0;
13606
0
                        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
13607
0
                            if (ssl->peerVerifyRet == 0) {
13608
                                /* Return first cert error here */
13609
0
                                ssl->peerVerifyRet =
13610
0
                                        ret == OCSP_CERT_REVOKED
13611
0
                                            ? X509_V_ERR_CERT_REVOKED
13612
0
                                            : X509_V_ERR_CERT_REJECTED;
13613
0
                            }
13614
0
                        #endif
13615
0
                        }
13616
0
                    }
13617
0
                #endif /* HAVE_OCSP */
13618
13619
                #ifdef HAVE_CRL
13620
                    if (ret == 0 && doLookup && SSL_CM(ssl)->crlEnabled) {
13621
                        WOLFSSL_MSG("Doing Leaf CRL check");
13622
                        ret = CheckCertCRL(SSL_CM(ssl)->crl, args->dCert);
13623
                    #ifdef WOLFSSL_NONBLOCK_OCSP
13624
                        if (ret == OCSP_WANT_READ) {
13625
                            goto exit_ppc;
13626
                        }
13627
                    #endif
13628
                        if (ret != 0) {
13629
                            WOLFSSL_MSG("\tCRL check not ok");
13630
                            args->fatal = 0;
13631
                        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
13632
                            if (ssl->peerVerifyRet == 0) {
13633
                                /* Return first cert error here */
13634
                                ssl->peerVerifyRet =
13635
                                        ret == CRL_CERT_REVOKED
13636
                                            ? X509_V_ERR_CERT_REVOKED
13637
                                            : X509_V_ERR_CERT_REJECTED;;
13638
                            }
13639
                        #endif
13640
                        }
13641
                    }
13642
                #endif /* HAVE_CRL */
13643
0
                    (void)doLookup;
13644
0
                }
13645
0
            #endif /* HAVE_OCSP || HAVE_CRL */
13646
13647
0
            #ifdef KEEP_PEER_CERT
13648
0
                if (args->fatal == 0) {
13649
0
                    int copyRet = 0;
13650
13651
                    #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
13652
                        if (ssl->options.handShakeDone) {
13653
                            FreeX509(&ssl->peerCert);
13654
                            InitX509(&ssl->peerCert, 0, ssl->heap);
13655
                        }
13656
                        else
13657
                    #endif
13658
                    #ifdef HAVE_SECURE_RENEGOTIATION
13659
                        if (ssl->secure_renegotiation &&
13660
                                           ssl->secure_renegotiation->enabled) {
13661
                            /* free old peer cert */
13662
                            FreeX509(&ssl->peerCert);
13663
                            InitX509(&ssl->peerCert, 0, ssl->heap);
13664
                        }
13665
                        else
13666
                    #endif
13667
0
                        {
13668
0
                        }
13669
13670
                    /* set X509 format for peer cert */
13671
0
                    copyRet = CopyDecodedToX509(&ssl->peerCert, args->dCert);
13672
0
                    if (copyRet == MEMORY_E) {
13673
0
                        args->fatal = 1;
13674
0
                    }
13675
0
                }
13676
0
            #endif /* KEEP_PEER_CERT */
13677
13678
0
            #ifndef IGNORE_KEY_EXTENSIONS
13679
0
                #if defined(OPENSSL_EXTRA)
13680
                  /* when compatibility layer is turned on and no verify is
13681
                   * set then ignore the certificate key extension */
13682
0
                    if (args->dCert->extKeyUsageSet &&
13683
0
                          args->dCert->extKeyUsageCrit == 0 &&
13684
0
                          ssl->options.verifyNone) {
13685
0
                        WOLFSSL_MSG("Not verifying certificate key usage");
13686
0
                    }
13687
0
                    else
13688
0
                #endif
13689
0
                if (args->dCert->extKeyUsageSet) {
13690
0
                    if ((ssl->specs.kea == rsa_kea) &&
13691
0
                        (ssl->options.side == WOLFSSL_CLIENT_END) &&
13692
0
                        (args->dCert->extKeyUsage & KEYUSE_KEY_ENCIPHER) == 0) {
13693
0
                        ret = KEYUSE_ENCIPHER_E;
13694
0
                        WOLFSSL_ERROR_VERBOSE(ret);
13695
0
                    }
13696
0
                    if ((ssl->specs.kea != rsa_kea) &&
13697
0
                        (ssl->specs.sig_algo == rsa_sa_algo ||
13698
0
                            (ssl->specs.sig_algo == ecc_dsa_sa_algo &&
13699
0
                                 !ssl->specs.static_ecdh)) &&
13700
0
                        (args->dCert->extKeyUsage & KEYUSE_DIGITAL_SIG) == 0) {
13701
0
                        WOLFSSL_MSG("KeyUse Digital Sig not set");
13702
0
                        ret = KEYUSE_SIGNATURE_E;
13703
0
                        WOLFSSL_ERROR_VERBOSE(ret);
13704
0
                    }
13705
0
                }
13706
13707
0
                #if defined(OPENSSL_EXTRA)
13708
                    /* when compatibility layer is turned on and no verify is
13709
                     * set then ignore the certificate key extension */
13710
0
                    if (args->dCert->extExtKeyUsageSet &&
13711
0
                            args->dCert->extExtKeyUsageCrit == 0 &&
13712
0
                          ssl->options.verifyNone) {
13713
0
                                WOLFSSL_MSG("Not verifying certificate ext key usage");
13714
0
                    }
13715
0
                    else
13716
0
                #endif
13717
0
                if (args->dCert->extExtKeyUsageSet) {
13718
0
                    if (ssl->options.side == WOLFSSL_CLIENT_END) {
13719
0
                        if ((args->dCert->extExtKeyUsage &
13720
0
                                (EXTKEYUSE_ANY | EXTKEYUSE_SERVER_AUTH)) == 0) {
13721
0
                            WOLFSSL_MSG("ExtKeyUse Server Auth not set");
13722
0
                            ret = EXTKEYUSE_AUTH_E;
13723
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13724
0
                        }
13725
0
                    }
13726
0
                    else {
13727
0
                        if ((args->dCert->extExtKeyUsage &
13728
0
                                (EXTKEYUSE_ANY | EXTKEYUSE_CLIENT_AUTH)) == 0) {
13729
0
                            WOLFSSL_MSG("ExtKeyUse Client Auth not set");
13730
0
                            ret = EXTKEYUSE_AUTH_E;
13731
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13732
0
                        }
13733
0
                    }
13734
0
                }
13735
0
            #endif /* IGNORE_KEY_EXTENSIONS */
13736
13737
0
                if (args->fatal) {
13738
0
                    ssl->error = ret;
13739
0
                #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
13740
0
                    SendAlert(ssl, alert_fatal, bad_certificate);
13741
0
                    if (ssl->peerVerifyRet == 0) /* Return first cert error here */
13742
0
                        ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
13743
0
                #endif
13744
0
                    goto exit_ppc;
13745
0
                }
13746
13747
                /* Certificate validated and stored. */
13748
0
                ssl->options.havePeerCert = 1;
13749
0
            #if !defined(NO_WOLFSSL_CLIENT) && !defined(NO_RSA)
13750
0
                if (ssl->options.side == WOLFSSL_CLIENT_END &&
13751
0
                    ssl->specs.sig_algo == rsa_kea) {
13752
                    /* CLIENT: No ServerKeyExchange message sent by server. */
13753
0
                    ssl->options.peerAuthGood = 1;
13754
0
                }
13755
0
            #endif
13756
0
            #if !defined(NO_WOLFSSL_CLIENT) && defined(HAVE_ECC)
13757
0
                if (ssl->options.side == WOLFSSL_CLIENT_END &&
13758
0
                    ssl->specs.static_ecdh) {
13759
                    /* CLIENT: No ServerKeyExchange message sent by server. */
13760
0
                    ssl->options.peerAuthGood = 1;
13761
0
                }
13762
0
            #endif
13763
13764
13765
0
                if (!ssl->options.verifyNone && ssl->buffers.domainName.buffer) {
13766
0
                #ifndef WOLFSSL_ALLOW_NO_CN_IN_SAN
13767
                    /* Per RFC 5280 section 4.2.1.6, "Whenever such identities
13768
                     * are to be bound into a certificate, the subject
13769
                     * alternative name extension MUST be used." */
13770
0
                    if (args->dCert->altNames) {
13771
0
                        if (CheckForAltNames(args->dCert,
13772
0
                                (char*)ssl->buffers.domainName.buffer,
13773
0
                                NULL) != 1) {
13774
0
                            WOLFSSL_MSG("DomainName match on alt names failed");
13775
                            /* try to get peer key still */
13776
0
                            ret = DOMAIN_NAME_MISMATCH;
13777
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13778
0
                        }
13779
0
                    }
13780
0
                    else {
13781
0
                        if (MatchDomainName(
13782
0
                                 args->dCert->subjectCN,
13783
0
                                 args->dCert->subjectCNLen,
13784
0
                                 (char*)ssl->buffers.domainName.buffer) == 0) {
13785
0
                            WOLFSSL_MSG("DomainName match on common name failed");
13786
0
                            ret = DOMAIN_NAME_MISMATCH;
13787
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13788
0
                        }
13789
0
                    }
13790
                #else /* WOLFSSL_ALL_NO_CN_IN_SAN */
13791
                    /* Old behavior. */
13792
                    if (MatchDomainName(args->dCert->subjectCN,
13793
                                args->dCert->subjectCNLen,
13794
                                (char*)ssl->buffers.domainName.buffer) == 0) {
13795
                        WOLFSSL_MSG("DomainName match on common name failed");
13796
                        if (CheckForAltNames(args->dCert,
13797
                                 (char*)ssl->buffers.domainName.buffer,
13798
                                 NULL) != 1) {
13799
                            WOLFSSL_MSG(
13800
                                "DomainName match on alt names failed too");
13801
                            /* try to get peer key still */
13802
                            ret = DOMAIN_NAME_MISMATCH;
13803
                            WOLFSSL_ERROR_VERBOSE(ret);
13804
                        }
13805
                    }
13806
                #endif /* WOLFSSL_ALL_NO_CN_IN_SAN */
13807
0
                }
13808
13809
                /* decode peer key */
13810
0
                switch (args->dCert->keyOID) {
13811
0
                #ifndef NO_RSA
13812
0
                    #ifdef WC_RSA_PSS
13813
0
                    case RSAPSSk:
13814
0
                    #endif
13815
0
                    case RSAk:
13816
0
                    {
13817
0
                        word32 keyIdx = 0;
13818
0
                        int keyRet = 0;
13819
13820
0
                        if (ssl->peerRsaKey == NULL) {
13821
0
                            keyRet = AllocKey(ssl, DYNAMIC_TYPE_RSA,
13822
0
                                                (void**)&ssl->peerRsaKey);
13823
0
                        } else if (ssl->peerRsaKeyPresent) {
13824
0
                            keyRet = ReuseKey(ssl, DYNAMIC_TYPE_RSA,
13825
0
                                              ssl->peerRsaKey);
13826
0
                            ssl->peerRsaKeyPresent = 0;
13827
0
                        }
13828
13829
0
                        if (keyRet != 0 || wc_RsaPublicKeyDecode(
13830
0
                               args->dCert->publicKey, &keyIdx, ssl->peerRsaKey,
13831
0
                                                args->dCert->pubKeySize) != 0) {
13832
0
                            ret = PEER_KEY_ERROR;
13833
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13834
0
                        }
13835
0
                        else {
13836
0
                            ssl->peerRsaKeyPresent = 1;
13837
                    #if defined(WOLFSSL_RENESAS_TSIP_TLS) || \
13838
                                             defined(WOLFSSL_RENESAS_SCEPROTECT)
13839
                        /* copy encrypted tsip key index into ssl object */
13840
                        if (args->dCert->sce_tsip_encRsaKeyIdx) {
13841
                            if (!ssl->peerSceTsipEncRsaKeyIndex) {
13842
                                ssl->peerSceTsipEncRsaKeyIndex = (byte*)XMALLOC(
13843
                                    TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY,
13844
                                    ssl->heap, DYNAMIC_TYPE_RSA);
13845
                                if (!ssl->peerSceTsipEncRsaKeyIndex) {
13846
                                    args->lastErr = MEMORY_E;
13847
                                    goto exit_ppc;
13848
                                }
13849
                            }
13850
13851
                            XMEMCPY(ssl->peerSceTsipEncRsaKeyIndex,
13852
                                        args->dCert->sce_tsip_encRsaKeyIdx,
13853
                                        TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY);
13854
                         }
13855
                    #endif
13856
                    #ifdef HAVE_PK_CALLBACKS
13857
                        #if defined(HAVE_SECURE_RENEGOTIATION) || \
13858
                                        defined(WOLFSSL_POST_HANDSHAKE_AUTH)
13859
                        if (ssl->buffers.peerRsaKey.buffer) {
13860
                            XFREE(ssl->buffers.peerRsaKey.buffer,
13861
                                    ssl->heap, DYNAMIC_TYPE_RSA);
13862
                            ssl->buffers.peerRsaKey.buffer = NULL;
13863
                        }
13864
                        #endif
13865
13866
13867
                        ssl->buffers.peerRsaKey.buffer =
13868
                               (byte*)XMALLOC(args->dCert->pubKeySize,
13869
                                            ssl->heap, DYNAMIC_TYPE_RSA);
13870
                        if (ssl->buffers.peerRsaKey.buffer == NULL) {
13871
                            ret = MEMORY_ERROR;
13872
                        }
13873
                        else {
13874
                            XMEMCPY(ssl->buffers.peerRsaKey.buffer,
13875
                                    args->dCert->publicKey,
13876
                                    args->dCert->pubKeySize);
13877
                            ssl->buffers.peerRsaKey.length =
13878
                                args->dCert->pubKeySize;
13879
                        }
13880
                    #endif /* HAVE_PK_CALLBACKS */
13881
0
                        }
13882
13883
                        /* check size of peer RSA key */
13884
0
                        if (ret == 0 && ssl->peerRsaKeyPresent &&
13885
0
                                          !ssl->options.verifyNone &&
13886
0
                                          wc_RsaEncryptSize(ssl->peerRsaKey)
13887
0
                                              < ssl->options.minRsaKeySz) {
13888
0
                            ret = RSA_KEY_SIZE_E;
13889
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13890
0
                            WOLFSSL_MSG("Peer RSA key is too small");
13891
0
                        }
13892
0
                        break;
13893
0
                    }
13894
0
                #endif /* NO_RSA */
13895
0
                #ifdef HAVE_ECC
13896
0
                    case ECDSAk:
13897
0
                    {
13898
0
                        int keyRet = 0;
13899
0
                        word32 idx = 0;
13900
                    #if defined(WOLFSSL_RENESAS_SCEPROTECT) || \
13901
                        defined(WOLFSSL_RENESAS_TSIP_TLS)
13902
                        /* copy encrypted tsip/sce key index into ssl object */
13903
                        if (args->dCert->sce_tsip_encRsaKeyIdx) {
13904
                            if (!ssl->peerSceTsipEncRsaKeyIndex) {
13905
                                ssl->peerSceTsipEncRsaKeyIndex = (byte*)XMALLOC(
13906
                                    TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY,
13907
                                    ssl->heap, DYNAMIC_TYPE_RSA);
13908
                                if (!ssl->peerSceTsipEncRsaKeyIndex) {
13909
                                    args->lastErr = MEMORY_E;
13910
                                    ERROR_OUT(MEMORY_ERROR, exit_ppc);
13911
                                }
13912
                            }
13913
13914
                            XMEMCPY(ssl->peerSceTsipEncRsaKeyIndex,
13915
                                        args->dCert->sce_tsip_encRsaKeyIdx,
13916
                                        TSIP_TLS_ENCPUBKEY_SZ_BY_CERTVRFY);
13917
                         }
13918
                    #endif
13919
0
                        if (ssl->peerEccDsaKey == NULL) {
13920
                            /* alloc/init on demand */
13921
0
                            keyRet = AllocKey(ssl, DYNAMIC_TYPE_ECC,
13922
0
                                    (void**)&ssl->peerEccDsaKey);
13923
0
                        } else if (ssl->peerEccDsaKeyPresent) {
13924
0
                            keyRet = ReuseKey(ssl, DYNAMIC_TYPE_ECC,
13925
0
                                              ssl->peerEccDsaKey);
13926
0
                            ssl->peerEccDsaKeyPresent = 0;
13927
0
                        }
13928
13929
0
                        if (keyRet != 0 ||
13930
0
                            wc_EccPublicKeyDecode(args->dCert->publicKey, &idx,
13931
0
                                                ssl->peerEccDsaKey,
13932
0
                                                args->dCert->pubKeySize) != 0) {
13933
0
                            ret = PEER_KEY_ERROR;
13934
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13935
0
                        }
13936
0
                        else {
13937
0
                            ssl->peerEccDsaKeyPresent = 1;
13938
13939
                    #ifdef HAVE_PK_CALLBACKS
13940
                            if (ssl->buffers.peerEccDsaKey.buffer)
13941
                                XFREE(ssl->buffers.peerEccDsaKey.buffer,
13942
                                      ssl->heap, DYNAMIC_TYPE_ECC);
13943
                            ssl->buffers.peerEccDsaKey.buffer =
13944
                                   (byte*)XMALLOC(args->dCert->pubKeySize,
13945
                                           ssl->heap, DYNAMIC_TYPE_ECC);
13946
                            if (ssl->buffers.peerEccDsaKey.buffer == NULL) {
13947
                                ERROR_OUT(MEMORY_ERROR, exit_ppc);
13948
                            }
13949
                            else {
13950
                                XMEMCPY(ssl->buffers.peerEccDsaKey.buffer,
13951
                                        args->dCert->publicKey,
13952
                                        args->dCert->pubKeySize);
13953
                                ssl->buffers.peerEccDsaKey.length =
13954
                                        args->dCert->pubKeySize;
13955
                            }
13956
                    #endif /* HAVE_PK_CALLBACKS */
13957
0
                        }
13958
13959
                        /* check size of peer ECC key */
13960
0
                        if (ret == 0 && ssl->peerEccDsaKeyPresent &&
13961
0
                                              !ssl->options.verifyNone &&
13962
0
                                              wc_ecc_size(ssl->peerEccDsaKey)
13963
0
                                              < ssl->options.minEccKeySz) {
13964
0
                            ret = ECC_KEY_SIZE_E;
13965
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13966
0
                            WOLFSSL_MSG("Peer ECC key is too small");
13967
0
                        }
13968
13969
                        /* populate curve oid - if missing */
13970
0
                        if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->ecdhCurveOID == 0)
13971
0
                            ssl->ecdhCurveOID = args->dCert->pkCurveOID;
13972
0
                        break;
13973
0
                    }
13974
0
                #endif /* HAVE_ECC */
13975
0
                #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
13976
0
                    case ED25519k:
13977
0
                    {
13978
0
                        int keyRet = 0;
13979
0
                        if (ssl->peerEd25519Key == NULL) {
13980
                            /* alloc/init on demand */
13981
0
                            keyRet = AllocKey(ssl, DYNAMIC_TYPE_ED25519,
13982
0
                                    (void**)&ssl->peerEd25519Key);
13983
0
                        } else if (ssl->peerEd25519KeyPresent) {
13984
0
                            keyRet = ReuseKey(ssl, DYNAMIC_TYPE_ED25519,
13985
0
                                              ssl->peerEd25519Key);
13986
0
                            ssl->peerEd25519KeyPresent = 0;
13987
0
                        }
13988
13989
0
                        if (keyRet != 0 ||
13990
0
                            wc_ed25519_import_public(args->dCert->publicKey,
13991
0
                                                     args->dCert->pubKeySize,
13992
0
                                                     ssl->peerEd25519Key)
13993
0
                                                                         != 0) {
13994
0
                            ret = PEER_KEY_ERROR;
13995
0
                            WOLFSSL_ERROR_VERBOSE(ret);
13996
0
                        }
13997
0
                        else {
13998
0
                            ssl->peerEd25519KeyPresent = 1;
13999
                    #ifdef HAVE_PK_CALLBACKS
14000
                            ssl->buffers.peerEd25519Key.buffer =
14001
                                   (byte*)XMALLOC(args->dCert->pubKeySize,
14002
                                           ssl->heap, DYNAMIC_TYPE_ED25519);
14003
                            if (ssl->buffers.peerEd25519Key.buffer == NULL) {
14004
                                ERROR_OUT(MEMORY_ERROR, exit_ppc);
14005
                            }
14006
                            else {
14007
                                XMEMCPY(ssl->buffers.peerEd25519Key.buffer,
14008
                                        args->dCert->publicKey,
14009
                                        args->dCert->pubKeySize);
14010
                                ssl->buffers.peerEd25519Key.length =
14011
                                        args->dCert->pubKeySize;
14012
                            }
14013
                    #endif /*HAVE_PK_CALLBACKS */
14014
0
                        }
14015
14016
                        /* check size of peer ECC key */
14017
0
                        if (ret == 0 && ssl->peerEd25519KeyPresent &&
14018
0
                                  !ssl->options.verifyNone &&
14019
0
                                  ED25519_KEY_SIZE < ssl->options.minEccKeySz) {
14020
0
                            ret = ECC_KEY_SIZE_E;
14021
0
                            WOLFSSL_ERROR_VERBOSE(ret);
14022
0
                            WOLFSSL_MSG("Peer ECC key is too small");
14023
0
                        }
14024
14025
                        /* populate curve oid - if missing */
14026
0
                        if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->ecdhCurveOID == 0)
14027
0
                            ssl->ecdhCurveOID = ECC_X25519_OID;
14028
0
                        break;
14029
0
                    }
14030
0
                #endif /* HAVE_ED25519 && HAVE_ED25519_KEY_IMPORT */
14031
0
                #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
14032
0
                    case ED448k:
14033
0
                    {
14034
0
                        int keyRet = 0;
14035
0
                        if (ssl->peerEd448Key == NULL) {
14036
                            /* alloc/init on demand */
14037
0
                            keyRet = AllocKey(ssl, DYNAMIC_TYPE_ED448,
14038
0
                                    (void**)&ssl->peerEd448Key);
14039
0
                        } else if (ssl->peerEd448KeyPresent) {
14040
0
                            keyRet = ReuseKey(ssl, DYNAMIC_TYPE_ED448,
14041
0
                                    ssl->peerEd448Key);
14042
0
                            ssl->peerEd448KeyPresent = 0;
14043
0
                        }
14044
14045
0
                        if (keyRet != 0 ||
14046
0
                            wc_ed448_import_public(args->dCert->publicKey,
14047
0
                                    args->dCert->pubKeySize,
14048
0
                                    ssl->peerEd448Key) != 0) {
14049
0
                            ret = PEER_KEY_ERROR;
14050
0
                            WOLFSSL_ERROR_VERBOSE(ret);
14051
0
                        }
14052
0
                        else {
14053
0
                            ssl->peerEd448KeyPresent = 1;
14054
                    #ifdef HAVE_PK_CALLBACKS
14055
                            ssl->buffers.peerEd448Key.buffer =
14056
                                   (byte*)XMALLOC(args->dCert->pubKeySize,
14057
                                           ssl->heap, DYNAMIC_TYPE_ED448);
14058
                            if (ssl->buffers.peerEd448Key.buffer == NULL) {
14059
                                ERROR_OUT(MEMORY_ERROR, exit_ppc);
14060
                            }
14061
                            else {
14062
                                XMEMCPY(ssl->buffers.peerEd448Key.buffer,
14063
                                        args->dCert->publicKey,
14064
                                        args->dCert->pubKeySize);
14065
                                ssl->buffers.peerEd448Key.length =
14066
                                        args->dCert->pubKeySize;
14067
                            }
14068
                    #endif /*HAVE_PK_CALLBACKS */
14069
0
                        }
14070
14071
                        /* check size of peer ECC key */
14072
0
                        if (ret == 0 && ssl->peerEd448KeyPresent &&
14073
0
                               !ssl->options.verifyNone &&
14074
0
                               ED448_KEY_SIZE < ssl->options.minEccKeySz) {
14075
0
                            ret = ECC_KEY_SIZE_E;
14076
0
                            WOLFSSL_ERROR_VERBOSE(ret);
14077
0
                            WOLFSSL_MSG("Peer ECC key is too small");
14078
0
                        }
14079
14080
                        /* populate curve oid - if missing */
14081
0
                        if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->ecdhCurveOID == 0)
14082
0
                            ssl->ecdhCurveOID = ECC_X448_OID;
14083
0
                        break;
14084
0
                    }
14085
0
                #endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
14086
                #if defined(HAVE_PQC)
14087
                #if defined(HAVE_FALCON)
14088
                    case FALCON_LEVEL1k:
14089
                    case FALCON_LEVEL5k:
14090
                    {
14091
                        int keyRet = 0;
14092
                        if (ssl->peerFalconKey == NULL) {
14093
                            /* alloc/init on demand */
14094
                            keyRet = AllocKey(ssl, DYNAMIC_TYPE_FALCON,
14095
                                    (void**)&ssl->peerFalconKey);
14096
                        } else if (ssl->peerFalconKeyPresent) {
14097
                            keyRet = ReuseKey(ssl, DYNAMIC_TYPE_FALCON,
14098
                                    ssl->peerFalconKey);
14099
                            ssl->peerFalconKeyPresent = 0;
14100
                        }
14101
14102
                        if (keyRet == 0) {
14103
                            if (args->dCert->keyOID == FALCON_LEVEL1k) {
14104
                                keyRet = wc_falcon_set_level(ssl->peerFalconKey,
14105
                                1);
14106
                            }
14107
                            else {
14108
                                keyRet = wc_falcon_set_level(ssl->peerFalconKey,
14109
                                5);
14110
                            }
14111
                        }
14112
14113
                        if (keyRet != 0 ||
14114
                            wc_falcon_import_public(args->dCert->publicKey,
14115
                                                    args->dCert->pubKeySize,
14116
                                                    ssl->peerFalconKey) != 0) {
14117
                            ret = PEER_KEY_ERROR;
14118
                            WOLFSSL_ERROR_VERBOSE(ret);
14119
                        }
14120
                        else {
14121
                            ssl->peerFalconKeyPresent = 1;
14122
                        }
14123
14124
                        /* check size of peer Falcon key */
14125
                        if (ret == 0 && ssl->peerFalconKeyPresent &&
14126
                               !ssl->options.verifyNone &&
14127
                               FALCON_MAX_KEY_SIZE <
14128
                               ssl->options.minFalconKeySz) {
14129
                            ret = FALCON_KEY_SIZE_E;
14130
                            WOLFSSL_ERROR_VERBOSE(ret);
14131
                            WOLFSSL_MSG("Peer Falcon key is too small");
14132
                        }
14133
                        break;
14134
                    }
14135
                #endif /* HAVE_FALCON */
14136
                #if defined(HAVE_DILITHIUM)
14137
                    case DILITHIUM_LEVEL2k:
14138
                    case DILITHIUM_LEVEL3k:
14139
                    case DILITHIUM_LEVEL5k:
14140
                    case DILITHIUM_AES_LEVEL2k:
14141
                    case DILITHIUM_AES_LEVEL3k:
14142
                    case DILITHIUM_AES_LEVEL5k:
14143
                    {
14144
                        int keyRet = 0;
14145
                        if (ssl->peerDilithiumKey == NULL) {
14146
                            /* alloc/init on demand */
14147
                            keyRet = AllocKey(ssl, DYNAMIC_TYPE_DILITHIUM,
14148
                                    (void**)&ssl->peerDilithiumKey);
14149
                        } else if (ssl->peerDilithiumKeyPresent) {
14150
                            keyRet = ReuseKey(ssl, DYNAMIC_TYPE_DILITHIUM,
14151
                                    ssl->peerDilithiumKey);
14152
                            ssl->peerDilithiumKeyPresent = 0;
14153
                        }
14154
14155
                        if (keyRet == 0) {
14156
                            if (args->dCert->keyOID == DILITHIUM_LEVEL2k) {
14157
                                keyRet = wc_dilithium_set_level_and_sym(
14158
                                             ssl->peerDilithiumKey, 2,
14159
                                             SHAKE_VARIANT);
14160
                            }
14161
                            else if (args->dCert->keyOID == DILITHIUM_LEVEL3k) {
14162
                                keyRet = wc_dilithium_set_level_and_sym(
14163
                                             ssl->peerDilithiumKey, 3,
14164
                                             SHAKE_VARIANT);
14165
                            }
14166
                            else if (args->dCert->keyOID == DILITHIUM_LEVEL5k) {
14167
                                keyRet = wc_dilithium_set_level_and_sym(
14168
                                             ssl->peerDilithiumKey, 5,
14169
                                             SHAKE_VARIANT);
14170
                            }
14171
                            else if (args->dCert->keyOID
14172
                                     == DILITHIUM_AES_LEVEL2k) {
14173
                                keyRet = wc_dilithium_set_level_and_sym(
14174
                                             ssl->peerDilithiumKey, 2,
14175
                                             AES_VARIANT);
14176
                            }
14177
                            else if (args->dCert->keyOID
14178
                                     == DILITHIUM_AES_LEVEL3k) {
14179
                                keyRet = wc_dilithium_set_level_and_sym(
14180
                                             ssl->peerDilithiumKey, 3,
14181
                                             AES_VARIANT);
14182
                            }
14183
                            else if (args->dCert->keyOID
14184
                                     == DILITHIUM_AES_LEVEL5k) {
14185
                                keyRet = wc_dilithium_set_level_and_sym(
14186
                                             ssl->peerDilithiumKey, 5,
14187
                                             AES_VARIANT);
14188
                            }
14189
                        }
14190
14191
                        if (keyRet != 0 ||
14192
                            wc_dilithium_import_public(args->dCert->publicKey,
14193
                                                       args->dCert->pubKeySize,
14194
                                                       ssl->peerDilithiumKey)
14195
                            != 0) {
14196
                            ret = PEER_KEY_ERROR;
14197
                        }
14198
                        else {
14199
                            ssl->peerDilithiumKeyPresent = 1;
14200
                        }
14201
14202
                        /* check size of peer Dilithium key */
14203
                        if (ret == 0 && ssl->peerDilithiumKeyPresent &&
14204
                               !ssl->options.verifyNone &&
14205
                               DILITHIUM_MAX_KEY_SIZE <
14206
                               ssl->options.minDilithiumKeySz) {
14207
                            ret = DILITHIUM_KEY_SIZE_E;
14208
                            WOLFSSL_MSG("Peer Dilithium key is too small");
14209
                        }
14210
                        break;
14211
                    }
14212
                #endif /* HAVE_DILITHIUM */
14213
                #endif /* HAVE_PQC */
14214
0
                    default:
14215
0
                        break;
14216
0
                }
14217
14218
                /* args->dCert free'd in function cleanup after callback */
14219
0
            } /* if (count > 0) */
14220
14221
            /* Check for error */
14222
0
            if (args->fatal && ret != 0) {
14223
0
                goto exit_ppc;
14224
0
            }
14225
14226
            /* Advance state and proceed */
14227
0
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
14228
0
        } /* case TLS_ASYNC_VERIFY */
14229
0
        FALL_THROUGH;
14230
14231
0
        case TLS_ASYNC_FINALIZE:
14232
0
        {
14233
            /* load last error */
14234
0
            if (args->lastErr != 0 && ret == 0) {
14235
0
                ret = args->lastErr;
14236
0
            }
14237
14238
0
        #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
14239
           /* limit compliant with OpenSSL verify Depth + 1
14240
            * OpenSSL tries to expand the chain one longer than limit until
14241
            * reaching an ultimately trusted issuer. Becoming failure if
14242
            * we hit the limit, with X509_V_ERR_CERT_CHAIN_TOO_LONG
14243
            */
14244
0
            if (args->untrustedDepth > (ssl->options.verifyDepth + 1)) {
14245
0
                if (ssl->peerVerifyRet == 0) /* Return first cert error here */
14246
0
                    ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
14247
0
                ret = MAX_CHAIN_ERROR;
14248
0
                WOLFSSL_ERROR_VERBOSE(ret);
14249
0
            }
14250
0
        #endif
14251
14252
            /* Do verify callback */
14253
0
            ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
14254
14255
0
            if (ssl->options.verifyNone &&
14256
0
                              (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
14257
0
                               ret == CRL_CERT_DATE_ERR)) {
14258
0
                WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
14259
0
                ret = ssl->error = 0;
14260
0
            }
14261
14262
0
            if (ret != 0) {
14263
0
                if (!ssl->options.verifyNone) {
14264
0
                    DoCertFatalAlert(ssl, ret);
14265
0
                }
14266
0
                ssl->error = ret; /* Report SSL error */
14267
0
            }
14268
14269
0
            if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END) {
14270
0
                ssl->options.serverState = SERVER_CERT_COMPLETE;
14271
0
            }
14272
14273
0
            if (IsEncryptionOn(ssl, 0)) {
14274
0
                args->idx += ssl->keys.padSz;
14275
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
14276
0
                if (ssl->options.startedETMRead)
14277
0
                    args->idx += MacSize(ssl);
14278
0
            #endif
14279
0
            }
14280
14281
            /* Advance state and proceed */
14282
0
            ssl->options.asyncState = TLS_ASYNC_END;
14283
0
        } /* case TLS_ASYNC_FINALIZE */
14284
0
        FALL_THROUGH;
14285
14286
0
        case TLS_ASYNC_END:
14287
0
        {
14288
            /* Set final index */
14289
0
            *inOutIdx = args->idx;
14290
14291
0
            break;
14292
0
        }
14293
0
        default:
14294
0
            ret = INPUT_CASE_ERROR;
14295
0
            break;
14296
0
    } /* switch(ssl->options.asyncState) */
14297
14298
0
exit_ppc:
14299
14300
0
    WOLFSSL_LEAVE("ProcessPeerCerts", ret);
14301
14302
14303
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
14304
    if (ret == WC_PENDING_E || ret == OCSP_WANT_READ) {
14305
        /* Mark message as not received so it can process again */
14306
        ssl->msgsReceived.got_certificate = 0;
14307
14308
        return ret;
14309
    }
14310
#endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */
14311
14312
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
14313
    /* Cleanup async */
14314
    FreeAsyncCtx(ssl, 0);
14315
#elif defined(WOLFSSL_SMALL_STACK)
14316
0
    if (args)
14317
0
    {
14318
0
        FreeProcPeerCertArgs(ssl, args);
14319
0
    }
14320
#else
14321
    FreeProcPeerCertArgs(ssl, args);
14322
#endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP || WOLFSSL_SMALL_STACK */
14323
14324
0
#if !defined(WOLFSSL_ASYNC_CRYPT) && defined(WOLFSSL_SMALL_STACK)
14325
0
    XFREE(args, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
14326
0
#endif
14327
14328
0
    FreeKeyExchange(ssl);
14329
14330
0
    return ret;
14331
0
}
14332
#endif
14333
14334
#ifndef WOLFSSL_NO_TLS12
14335
#if !defined(NO_WOLFSSL_CLIENT) || !defined(WOLFSSL_NO_CLIENT_AUTH)
14336
14337
/* handle processing of certificate (11) */
14338
static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
14339
                                                                word32 size)
14340
0
{
14341
0
    int ret;
14342
14343
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_DO);
14344
0
    WOLFSSL_ENTER("DoCertificate");
14345
14346
#ifdef SESSION_CERTS
14347
    /* Reset the session cert chain count in case the session resume failed. */
14348
    ssl->session->chain.count = 0;
14349
    #ifdef WOLFSSL_ALT_CERT_CHAINS
14350
        ssl->session->altChain.count = 0;
14351
    #endif
14352
#endif /* SESSION_CERTS */
14353
14354
0
    ret = ProcessPeerCerts(ssl, input, inOutIdx, size);
14355
0
#ifdef WOLFSSL_EXTRA_ALERTS
14356
0
    if (ret == BUFFER_ERROR || ret == ASN_PARSE_E)
14357
0
        SendAlert(ssl, alert_fatal, decode_error);
14358
0
#endif
14359
14360
0
#ifdef OPENSSL_EXTRA
14361
0
    ssl->options.serverState = SERVER_CERT_COMPLETE;
14362
0
#endif
14363
14364
0
    WOLFSSL_LEAVE("DoCertificate", ret);
14365
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_DO);
14366
14367
0
    return ret;
14368
0
}
14369
14370
/* handle processing of certificate_status (22) */
14371
static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
14372
                                                                    word32 size)
14373
0
{
14374
0
    int    ret = 0;
14375
0
    byte   status_type;
14376
0
    word32 status_length;
14377
14378
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_STATUS_DO);
14379
0
    WOLFSSL_ENTER("DoCertificateStatus");
14380
14381
0
    if (size < ENUM_LEN + OPAQUE24_LEN)
14382
0
        return BUFFER_ERROR;
14383
14384
0
    status_type = input[(*inOutIdx)++];
14385
14386
0
    c24to32(input + *inOutIdx, &status_length);
14387
0
    *inOutIdx += OPAQUE24_LEN;
14388
14389
0
    if (size != ENUM_LEN + OPAQUE24_LEN + status_length)
14390
0
        return BUFFER_ERROR;
14391
14392
0
    switch (status_type) {
14393
14394
    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
14395
     || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
14396
14397
        /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */
14398
        case WOLFSSL_CSR2_OCSP:
14399
            ret = ProcessCSR(ssl, input, inOutIdx, status_length);
14400
            break;
14401
14402
    #endif
14403
14404
    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
14405
14406
        case WOLFSSL_CSR2_OCSP_MULTI: {
14407
            OcspRequest* request;
14408
            word32 list_length = status_length;
14409
            byte   idx = 0;
14410
14411
            #ifdef WOLFSSL_SMALL_STACK
14412
                CertStatus*   status;
14413
                OcspEntry*    single;
14414
                OcspResponse* response;
14415
            #else
14416
                CertStatus   status[1];
14417
                OcspEntry    single[1];
14418
                OcspResponse response[1];
14419
            #endif
14420
14421
            do {
14422
                if (ssl->status_request_v2) {
14423
                    ssl->status_request_v2 = 0;
14424
                    break;
14425
                }
14426
14427
                return BUFFER_ERROR;
14428
            } while(0);
14429
14430
            #ifdef WOLFSSL_SMALL_STACK
14431
                status = (CertStatus*)XMALLOC(sizeof(CertStatus), ssl->heap,
14432
                                                       DYNAMIC_TYPE_OCSP_STATUS);
14433
                single = (OcspEntry*)XMALLOC(sizeof(OcspEntry), ssl->heap,
14434
                                                              DYNAMIC_TYPE_OCSP_ENTRY);
14435
                response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), ssl->heap,
14436
                                                             DYNAMIC_TYPE_OCSP_REQUEST);
14437
14438
                if (status == NULL || single == NULL || response == NULL) {
14439
                    if (status)
14440
                        XFREE(status, ssl->heap, DYNAMIC_TYPE_OCSP_STATUS);
14441
                    if (single)
14442
                        XFREE(single, ssl->heap, DYNAMIC_TYPE_OCSP_ENTRY);
14443
                    if (response)
14444
                        XFREE(response, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
14445
14446
                    return MEMORY_ERROR;
14447
                }
14448
            #endif
14449
14450
            while (list_length && ret == 0) {
14451
                if (OPAQUE24_LEN > list_length) {
14452
                    ret = BUFFER_ERROR;
14453
                    break;
14454
                }
14455
14456
                c24to32(input + *inOutIdx, &status_length);
14457
                *inOutIdx   += OPAQUE24_LEN;
14458
                list_length -= OPAQUE24_LEN;
14459
14460
                if (status_length > list_length) {
14461
                    ret = BUFFER_ERROR;
14462
                    break;
14463
                }
14464
14465
                if (status_length) {
14466
                    InitOcspResponse(response, single, status, input +*inOutIdx,
14467
                                     status_length, ssl->heap);
14468
14469
                    if ((OcspResponseDecode(response, SSL_CM(ssl), ssl->heap,
14470
                                                                        0) != 0)
14471
                    ||  (response->responseStatus != OCSP_SUCCESSFUL)
14472
                    ||  (response->single->status->status != CERT_GOOD))
14473
                        ret = BAD_CERTIFICATE_STATUS_ERROR;
14474
14475
                    while (ret == 0) {
14476
                        request = (OcspRequest*)TLSX_CSR2_GetRequest(
14477
                                ssl->extensions, status_type, idx++);
14478
14479
                        if (request == NULL)
14480
                            ret = BAD_CERTIFICATE_STATUS_ERROR;
14481
                        else if (CompareOcspReqResp(request, response) == 0)
14482
                            break;
14483
                        else if (idx == 1) /* server cert must be OK */
14484
                            ret = BAD_CERTIFICATE_STATUS_ERROR;
14485
                    }
14486
                    FreeOcspResponse(response);
14487
14488
                    *inOutIdx   += status_length;
14489
                    list_length -= status_length;
14490
                }
14491
            }
14492
14493
            ssl->status_request_v2 = 0;
14494
14495
            #ifdef WOLFSSL_SMALL_STACK
14496
                XFREE(status,   NULL, DYNAMIC_TYPE_OCSP_STATUS);
14497
                XFREE(single,   NULL, DYNAMIC_TYPE_OCSP_ENTRY);
14498
                XFREE(response, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
14499
            #endif
14500
14501
        }
14502
        break;
14503
14504
    #endif
14505
14506
0
        default:
14507
0
            ret = BUFFER_ERROR;
14508
0
    }
14509
14510
0
    if (ret != 0) {
14511
0
        WOLFSSL_ERROR_VERBOSE(ret);
14512
0
        SendAlert(ssl, alert_fatal, bad_certificate_status_response);
14513
0
    }
14514
14515
0
    if (IsEncryptionOn(ssl, 0)) {
14516
0
    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
14517
0
        if (ssl->options.startedETMRead) {
14518
0
            word32 digestSz = MacSize(ssl);
14519
0
            if (*inOutIdx + ssl->keys.padSz + digestSz > size)
14520
0
                return BUFFER_E;
14521
0
            *inOutIdx += ssl->keys.padSz + digestSz;
14522
0
        }
14523
0
        else
14524
0
    #endif
14525
0
        {
14526
0
            if (*inOutIdx + ssl->keys.padSz > size)
14527
0
                return BUFFER_E;
14528
0
            *inOutIdx += ssl->keys.padSz;
14529
0
        }
14530
0
    }
14531
14532
0
    WOLFSSL_LEAVE("DoCertificateStatus", ret);
14533
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_STATUS_DO);
14534
14535
0
    return ret;
14536
0
}
14537
14538
#endif
14539
14540
#endif /* !WOLFSSL_NO_TLS12 */
14541
14542
#endif /* !NO_CERTS */
14543
14544
#ifndef WOLFSSL_NO_TLS12
14545
14546
static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
14547
                                                    word32 size, word32 totalSz)
14548
0
{
14549
0
    (void)input;
14550
14551
0
    WOLFSSL_START(WC_FUNC_HELLO_REQUEST_DO);
14552
0
    WOLFSSL_ENTER("DoHelloRequest");
14553
14554
0
    if (size) /* must be 0 */
14555
0
        return BUFFER_ERROR;
14556
14557
0
    if (IsEncryptionOn(ssl, 0)) {
14558
        /* If size == totalSz then we are in DtlsMsgDrain so no need to worry
14559
         * about padding */
14560
0
    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
14561
0
        if (ssl->options.startedETMRead) {
14562
0
            word32 digestSz = MacSize(ssl);
14563
0
            if (size != totalSz &&
14564
0
                    *inOutIdx + ssl->keys.padSz + digestSz > totalSz)
14565
0
                return BUFFER_E;
14566
0
            *inOutIdx += ssl->keys.padSz + digestSz;
14567
0
        }
14568
0
        else
14569
0
    #endif
14570
0
        {
14571
            /* access beyond input + size should be checked against totalSz */
14572
0
            if (size != totalSz &&
14573
0
                    *inOutIdx + ssl->keys.padSz > totalSz)
14574
0
                return BUFFER_E;
14575
14576
0
            *inOutIdx += ssl->keys.padSz;
14577
0
        }
14578
0
    }
14579
14580
0
    if (ssl->options.side == WOLFSSL_SERVER_END) {
14581
0
        SendAlert(ssl, alert_fatal, unexpected_message); /* try */
14582
0
        WOLFSSL_ERROR_VERBOSE(FATAL_ERROR);
14583
0
        return FATAL_ERROR;
14584
0
    }
14585
#ifdef HAVE_SECURE_RENEGOTIATION
14586
    else if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
14587
        ssl->secure_renegotiation->startScr = 1;
14588
        WOLFSSL_LEAVE("DoHelloRequest", 0);
14589
        WOLFSSL_END(WC_FUNC_HELLO_REQUEST_DO);
14590
        return 0;
14591
    }
14592
#endif
14593
0
    else {
14594
0
        return SendAlert(ssl, alert_warning, no_renegotiation);
14595
0
    }
14596
0
}
14597
14598
14599
int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size,
14600
                                                      word32 totalSz, int sniff)
14601
0
{
14602
0
    word32 finishedSz = (ssl->options.tls ? TLS_FINISHED_SZ : FINISHED_SZ);
14603
14604
0
    WOLFSSL_START(WC_FUNC_FINISHED_DO);
14605
0
    WOLFSSL_ENTER("DoFinished");
14606
14607
0
    if (finishedSz != size)
14608
0
        return BUFFER_ERROR;
14609
14610
    /* check against totalSz
14611
     * If size == totalSz then we are in DtlsMsgDrain so no need to worry about
14612
     * padding */
14613
0
    if (size != totalSz) {
14614
0
    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
14615
0
        if (ssl->options.startedETMRead) {
14616
0
            if (*inOutIdx + size + ssl->keys.padSz + MacSize(ssl) > totalSz)
14617
0
                return BUFFER_E;
14618
0
        }
14619
0
        else
14620
0
    #endif
14621
0
        {
14622
0
            if (*inOutIdx + size + ssl->keys.padSz > totalSz)
14623
0
                return BUFFER_E;
14624
0
        }
14625
0
    }
14626
14627
    #ifdef WOLFSSL_CALLBACKS
14628
        if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
14629
        if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
14630
    #endif
14631
14632
0
    if (sniff == NO_SNIFF) {
14633
0
        if (XMEMCMP(input + *inOutIdx, &ssl->hsHashes->verifyHashes,size) != 0){
14634
0
            WOLFSSL_MSG("Verify finished error on hashes");
14635
0
    #ifdef WOLFSSL_EXTRA_ALERTS
14636
0
            SendAlert(ssl, alert_fatal, decrypt_error);
14637
0
    #endif
14638
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_FINISHED_ERROR);
14639
0
            return VERIFY_FINISHED_ERROR;
14640
0
        }
14641
0
    }
14642
14643
#ifdef HAVE_SECURE_RENEGOTIATION
14644
    if (ssl->secure_renegotiation) {
14645
        /* save peer's state */
14646
        if (ssl->options.side == WOLFSSL_CLIENT_END)
14647
            XMEMCPY(ssl->secure_renegotiation->server_verify_data,
14648
                    input + *inOutIdx, TLS_FINISHED_SZ);
14649
        else
14650
            XMEMCPY(ssl->secure_renegotiation->client_verify_data,
14651
                    input + *inOutIdx, TLS_FINISHED_SZ);
14652
        ssl->secure_renegotiation->verifySet = 1;
14653
    }
14654
#endif
14655
0
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
14656
0
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
14657
0
        XMEMCPY(ssl->serverFinished,
14658
0
                input + *inOutIdx, TLS_FINISHED_SZ);
14659
0
        ssl->serverFinished_len = TLS_FINISHED_SZ;
14660
0
    }
14661
0
    else {
14662
0
        XMEMCPY(ssl->clientFinished,
14663
0
                input + *inOutIdx, TLS_FINISHED_SZ);
14664
0
        ssl->clientFinished_len = TLS_FINISHED_SZ;
14665
0
    }
14666
0
#endif
14667
14668
    /* force input exhaustion at ProcessReply consuming padSz */
14669
0
    *inOutIdx += size + ssl->keys.padSz;
14670
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
14671
0
    if (ssl->options.startedETMRead)
14672
0
        *inOutIdx += MacSize(ssl);
14673
0
#endif
14674
14675
0
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
14676
0
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
14677
0
#ifdef OPENSSL_EXTRA
14678
0
        ssl->cbmode = SSL_CB_MODE_WRITE;
14679
0
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
14680
0
#endif
14681
0
        if (!ssl->options.resuming) {
14682
0
#ifdef OPENSSL_EXTRA
14683
0
            if (ssl->CBIS != NULL) {
14684
0
                ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, SSL_SUCCESS);
14685
0
            }
14686
0
#endif
14687
0
            ssl->options.handShakeState = HANDSHAKE_DONE;
14688
0
            ssl->options.handShakeDone  = 1;
14689
0
        }
14690
0
    }
14691
0
    else {
14692
0
        ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
14693
0
#ifdef OPENSSL_EXTRA
14694
0
        ssl->cbmode = SSL_CB_MODE_READ;
14695
0
        ssl->options.serverState = SERVER_FINISHED_COMPLETE;
14696
0
#endif
14697
0
        if (ssl->options.resuming) {
14698
0
#ifdef OPENSSL_EXTRA
14699
0
            if (ssl->CBIS != NULL) {
14700
0
                ssl->CBIS(ssl, SSL_CB_ACCEPT_LOOP, SSL_SUCCESS);
14701
0
            }
14702
0
#endif
14703
0
            ssl->options.handShakeState = HANDSHAKE_DONE;
14704
0
            ssl->options.handShakeDone  = 1;
14705
0
        }
14706
0
    }
14707
#ifdef WOLFSSL_DTLS
14708
    if (ssl->options.dtls) {
14709
        if ((!ssl->options.resuming && ssl->options.side == WOLFSSL_CLIENT_END) ||
14710
             (ssl->options.resuming && ssl->options.side == WOLFSSL_SERVER_END)){
14711
            DtlsMsgPoolReset(ssl);
14712
            ssl->keys.dtls_handshake_number = 0;
14713
            ssl->keys.dtls_expected_peer_handshake_number = 0;
14714
        }
14715
    }
14716
#endif
14717
14718
0
    WOLFSSL_LEAVE("DoFinished", 0);
14719
0
    WOLFSSL_END(WC_FUNC_FINISHED_DO);
14720
14721
0
    return 0;
14722
0
}
14723
14724
14725
/* Make sure no duplicates, no fast forward, or other problems; 0 on success */
14726
static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
14727
0
{
14728
    /* verify not a duplicate, mark received, check state */
14729
0
    switch (type) {
14730
14731
0
#ifndef NO_WOLFSSL_CLIENT
14732
0
        case hello_request:
14733
0
        #ifndef NO_WOLFSSL_SERVER
14734
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
14735
0
                WOLFSSL_MSG("HelloRequest received by server");
14736
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
14737
0
                return SIDE_ERROR;
14738
0
            }
14739
0
        #endif
14740
0
            if (ssl->msgsReceived.got_hello_request) {
14741
0
                WOLFSSL_MSG("Duplicate HelloRequest received");
14742
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14743
0
                return DUPLICATE_MSG_E;
14744
0
            }
14745
0
            ssl->msgsReceived.got_hello_request = 1;
14746
14747
0
            break;
14748
0
#endif
14749
14750
0
#ifndef NO_WOLFSSL_SERVER
14751
0
        case client_hello:
14752
0
        #ifndef NO_WOLFSSL_CLIENT
14753
0
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
14754
0
                WOLFSSL_MSG("ClientHello received by client");
14755
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
14756
0
                return SIDE_ERROR;
14757
0
            }
14758
0
        #endif
14759
0
            if (ssl->msgsReceived.got_client_hello) {
14760
0
                WOLFSSL_MSG("Duplicate ClientHello received");
14761
0
    #ifdef WOLFSSL_EXTRA_ALERTS
14762
0
                SendAlert(ssl, alert_fatal, unexpected_message);
14763
0
    #endif
14764
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14765
0
                return DUPLICATE_MSG_E;
14766
0
            }
14767
0
            ssl->msgsReceived.got_client_hello = 1;
14768
14769
0
            break;
14770
0
#endif
14771
14772
0
#ifndef NO_WOLFSSL_CLIENT
14773
0
        case server_hello:
14774
0
        #ifndef NO_WOLFSSL_SERVER
14775
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
14776
0
                WOLFSSL_MSG("ServerHello received by server");
14777
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
14778
0
                return SIDE_ERROR;
14779
0
            }
14780
0
        #endif
14781
0
            if (ssl->msgsReceived.got_server_hello) {
14782
0
                WOLFSSL_MSG("Duplicate ServerHello received");
14783
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14784
0
                return DUPLICATE_MSG_E;
14785
0
            }
14786
0
            ssl->msgsReceived.got_server_hello = 1;
14787
14788
0
            break;
14789
0
#endif
14790
14791
0
#ifndef NO_WOLFSSL_CLIENT
14792
0
        case hello_verify_request:
14793
0
        #ifndef NO_WOLFSSL_SERVER
14794
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
14795
0
                WOLFSSL_MSG("HelloVerifyRequest received by server");
14796
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
14797
0
                return SIDE_ERROR;
14798
0
            }
14799
0
        #endif
14800
0
            if (ssl->msgsReceived.got_hello_verify_request) {
14801
0
                WOLFSSL_MSG("Duplicate HelloVerifyRequest received");
14802
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14803
0
                return DUPLICATE_MSG_E;
14804
0
            }
14805
0
            ssl->msgsReceived.got_hello_verify_request = 1;
14806
14807
0
            break;
14808
0
#endif
14809
14810
0
#ifndef NO_WOLFSSL_CLIENT
14811
0
        case session_ticket:
14812
0
        #ifndef NO_WOLFSSL_SERVER
14813
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
14814
0
                WOLFSSL_MSG("SessionTicket received by server");
14815
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
14816
0
                return SIDE_ERROR;
14817
0
            }
14818
0
        #endif
14819
0
            if (ssl->msgsReceived.got_session_ticket) {
14820
0
                WOLFSSL_MSG("Duplicate SessionTicket received");
14821
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14822
0
                return DUPLICATE_MSG_E;
14823
0
            }
14824
0
            ssl->msgsReceived.got_session_ticket = 1;
14825
14826
0
            break;
14827
0
#endif
14828
14829
0
        case certificate:
14830
0
            if (ssl->msgsReceived.got_certificate) {
14831
0
                WOLFSSL_MSG("Duplicate Certificate received");
14832
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14833
0
                return DUPLICATE_MSG_E;
14834
0
            }
14835
0
            ssl->msgsReceived.got_certificate = 1;
14836
14837
0
#ifndef NO_WOLFSSL_CLIENT
14838
0
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
14839
0
                if ( ssl->msgsReceived.got_server_hello == 0) {
14840
0
                    WOLFSSL_MSG("No ServerHello before Cert");
14841
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
14842
0
                    return OUT_OF_ORDER_E;
14843
0
                }
14844
0
            }
14845
0
#endif
14846
0
#ifndef NO_WOLFSSL_SERVER
14847
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
14848
0
                if ( ssl->msgsReceived.got_client_hello == 0) {
14849
0
                    WOLFSSL_MSG("No ClientHello before Cert");
14850
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
14851
0
                    return OUT_OF_ORDER_E;
14852
0
                }
14853
0
            }
14854
0
#endif
14855
0
            break;
14856
14857
0
#ifndef NO_WOLFSSL_CLIENT
14858
0
        case certificate_status:
14859
0
        #ifndef NO_WOLFSSL_SERVER
14860
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
14861
0
                WOLFSSL_MSG("CertificateStatus received by server");
14862
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
14863
0
                return SIDE_ERROR;
14864
0
            }
14865
0
        #endif
14866
0
            if (ssl->msgsReceived.got_certificate_status) {
14867
0
                WOLFSSL_MSG("Duplicate CertificateStatus received");
14868
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14869
0
                return DUPLICATE_MSG_E;
14870
0
            }
14871
0
            ssl->msgsReceived.got_certificate_status = 1;
14872
14873
0
            if (ssl->msgsReceived.got_certificate == 0) {
14874
0
                WOLFSSL_MSG("No Certificate before CertificateStatus");
14875
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
14876
0
                return OUT_OF_ORDER_E;
14877
0
            }
14878
0
            if (ssl->msgsReceived.got_server_key_exchange != 0) {
14879
0
                WOLFSSL_MSG("CertificateStatus after ServerKeyExchange");
14880
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
14881
0
                return OUT_OF_ORDER_E;
14882
0
            }
14883
14884
0
            break;
14885
0
#endif
14886
14887
0
#ifndef NO_WOLFSSL_CLIENT
14888
0
        case server_key_exchange:
14889
0
        #ifndef NO_WOLFSSL_SERVER
14890
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
14891
0
                WOLFSSL_MSG("ServerKeyExchange received by server");
14892
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
14893
0
                return SIDE_ERROR;
14894
0
            }
14895
0
        #endif
14896
0
            if (ssl->msgsReceived.got_server_key_exchange) {
14897
0
                WOLFSSL_MSG("Duplicate ServerKeyExchange received");
14898
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14899
0
                return DUPLICATE_MSG_E;
14900
0
            }
14901
0
            ssl->msgsReceived.got_server_key_exchange = 1;
14902
14903
0
            if (ssl->msgsReceived.got_server_hello == 0) {
14904
0
                WOLFSSL_MSG("No ServerHello before ServerKeyExchange");
14905
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
14906
0
                return OUT_OF_ORDER_E;
14907
0
            }
14908
0
            if (ssl->msgsReceived.got_certificate_status == 0) {
14909
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
14910
                if (ssl->status_request) {
14911
                    int ret;
14912
14913
                    WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange");
14914
                    if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0)
14915
                        return ret;
14916
                }
14917
#endif
14918
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
14919
                if (ssl->status_request_v2) {
14920
                    int ret;
14921
14922
                    WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange");
14923
                    if ((ret = TLSX_CSR2_ForceRequest(ssl)) != 0)
14924
                        return ret;
14925
                }
14926
#endif
14927
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
14928
                                     defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
14929
                /* Check that a status request extension was seen as the
14930
                 * CertificateStatus wasn't when an OCSP staple is required.
14931
                 */
14932
                if (
14933
    #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
14934
                     !ssl->status_request &&
14935
    #endif
14936
    #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
14937
                     !ssl->status_request_v2 &&
14938
    #endif
14939
                                                 SSL_CM(ssl)->ocspMustStaple) {
14940
                    WOLFSSL_ERROR_VERBOSE(OCSP_CERT_UNKNOWN);
14941
                    return OCSP_CERT_UNKNOWN;
14942
                }
14943
                #endif
14944
0
            }
14945
14946
0
            break;
14947
0
#endif
14948
14949
0
#ifndef NO_WOLFSSL_CLIENT
14950
0
        case certificate_request:
14951
0
        #ifndef NO_WOLFSSL_SERVER
14952
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
14953
0
                WOLFSSL_MSG("CertificateRequest received by server");
14954
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
14955
0
                return SIDE_ERROR;
14956
0
            }
14957
0
        #endif
14958
0
            if (ssl->msgsReceived.got_certificate_request) {
14959
0
                WOLFSSL_MSG("Duplicate CertificateRequest received");
14960
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14961
0
                return DUPLICATE_MSG_E;
14962
0
            }
14963
0
            ssl->msgsReceived.got_certificate_request = 1;
14964
14965
0
            break;
14966
0
#endif
14967
14968
0
#ifndef NO_WOLFSSL_CLIENT
14969
0
        case server_hello_done:
14970
0
        #ifndef NO_WOLFSSL_SERVER
14971
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
14972
0
                WOLFSSL_MSG("ServerHelloDone received by server");
14973
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
14974
0
                return SIDE_ERROR;
14975
0
            }
14976
0
        #endif
14977
0
            if (ssl->msgsReceived.got_server_hello_done) {
14978
0
                WOLFSSL_MSG("Duplicate ServerHelloDone received");
14979
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
14980
0
                return DUPLICATE_MSG_E;
14981
0
            }
14982
0
            ssl->msgsReceived.got_server_hello_done = 1;
14983
14984
0
            if (ssl->msgsReceived.got_certificate == 0) {
14985
0
                if (ssl->specs.kea == psk_kea ||
14986
0
                    ssl->specs.kea == dhe_psk_kea ||
14987
0
                    ssl->specs.kea == ecdhe_psk_kea ||
14988
0
                    ssl->options.usingAnon_cipher) {
14989
0
                    WOLFSSL_MSG("No Cert required");
14990
0
                }
14991
0
                else {
14992
0
                    WOLFSSL_MSG("No Certificate before ServerHelloDone");
14993
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
14994
0
                    return OUT_OF_ORDER_E;
14995
0
                }
14996
0
            }
14997
0
            if (ssl->msgsReceived.got_server_key_exchange == 0) {
14998
0
                int pskNoServerHint = 0;  /* not required in this case */
14999
15000
                #ifndef NO_PSK
15001
                    if (ssl->specs.kea == psk_kea &&
15002
                        ssl->arrays != NULL &&
15003
                        ssl->arrays->server_hint[0] == 0)
15004
                        pskNoServerHint = 1;
15005
                #endif
15006
0
                if (ssl->specs.static_ecdh == 1 ||
15007
0
                    ssl->specs.kea == rsa_kea ||
15008
0
                    pskNoServerHint) {
15009
0
                    WOLFSSL_MSG("No KeyExchange required");
15010
0
                }
15011
0
                else {
15012
0
                    WOLFSSL_MSG("No ServerKeyExchange before ServerDone");
15013
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15014
0
                    return OUT_OF_ORDER_E;
15015
0
                }
15016
0
            }
15017
0
            break;
15018
0
#endif
15019
15020
0
#ifndef NO_WOLFSSL_SERVER
15021
0
        case certificate_verify:
15022
0
        #ifndef NO_WOLFSSL_CLIENT
15023
0
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
15024
0
                WOLFSSL_MSG("CertificateVerify received by client");
15025
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
15026
0
                return SIDE_ERROR;
15027
0
            }
15028
0
        #endif
15029
0
            if (ssl->msgsReceived.got_certificate_verify) {
15030
0
                WOLFSSL_MSG("Duplicate CertificateVerify received");
15031
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
15032
0
                return DUPLICATE_MSG_E;
15033
0
            }
15034
0
            ssl->msgsReceived.got_certificate_verify = 1;
15035
15036
0
            if ( ssl->msgsReceived.got_certificate == 0) {
15037
0
                WOLFSSL_MSG("No Cert before CertVerify");
15038
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15039
0
                return OUT_OF_ORDER_E;
15040
0
            }
15041
0
            break;
15042
0
#endif
15043
15044
0
#ifndef NO_WOLFSSL_SERVER
15045
0
        case client_key_exchange:
15046
0
        #ifndef NO_WOLFSSL_CLIENT
15047
0
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
15048
0
                WOLFSSL_MSG("ClientKeyExchange received by client");
15049
0
                WOLFSSL_ERROR_VERBOSE(SIDE_ERROR);
15050
0
                return SIDE_ERROR;
15051
0
            }
15052
0
        #endif
15053
0
            if (ssl->msgsReceived.got_client_key_exchange) {
15054
0
                WOLFSSL_MSG("Duplicate ClientKeyExchange received");
15055
0
    #ifdef WOLFSSL_EXTRA_ALERTS
15056
0
                SendAlert(ssl, alert_fatal, unexpected_message);
15057
0
    #endif
15058
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
15059
0
                return DUPLICATE_MSG_E;
15060
0
            }
15061
0
            ssl->msgsReceived.got_client_key_exchange = 1;
15062
15063
0
            if (ssl->msgsReceived.got_client_hello == 0) {
15064
0
                WOLFSSL_MSG("No ClientHello before ClientKeyExchange");
15065
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15066
0
                return OUT_OF_ORDER_E;
15067
0
            }
15068
0
            break;
15069
0
#endif
15070
15071
0
        case finished:
15072
0
            if (ssl->msgsReceived.got_finished) {
15073
0
                WOLFSSL_MSG("Duplicate Finished received");
15074
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
15075
0
                return DUPLICATE_MSG_E;
15076
0
            }
15077
#ifdef WOLFSSL_DTLS
15078
            if (ssl->options.dtls) {
15079
                if (ssl->keys.curEpoch == 0) {
15080
                    WOLFSSL_MSG("Finished received with epoch 0");
15081
                    WOLFSSL_ERROR_VERBOSE(SEQUENCE_ERROR);
15082
                    return SEQUENCE_ERROR;
15083
                }
15084
            }
15085
#endif
15086
0
            ssl->msgsReceived.got_finished = 1;
15087
15088
0
            if (ssl->msgsReceived.got_change_cipher == 0) {
15089
0
                WOLFSSL_MSG("Finished received before ChangeCipher");
15090
0
    #ifdef WOLFSSL_EXTRA_ALERTS
15091
0
                SendAlert(ssl, alert_fatal, unexpected_message);
15092
0
    #endif
15093
0
                WOLFSSL_ERROR_VERBOSE(NO_CHANGE_CIPHER_E);
15094
0
                return NO_CHANGE_CIPHER_E;
15095
0
            }
15096
0
            break;
15097
15098
0
        case change_cipher_hs:
15099
0
            if (ssl->msgsReceived.got_change_cipher) {
15100
0
                WOLFSSL_MSG("Duplicate ChangeCipher received");
15101
0
                WOLFSSL_ERROR_VERBOSE(DUPLICATE_MSG_E);
15102
0
                return DUPLICATE_MSG_E;
15103
0
            }
15104
            /* DTLS is going to ignore the CCS message if the client key
15105
             * exchange message wasn't received yet. */
15106
0
            if (!ssl->options.dtls)
15107
0
                ssl->msgsReceived.got_change_cipher = 1;
15108
15109
0
#ifndef NO_WOLFSSL_CLIENT
15110
0
            if (ssl->options.side == WOLFSSL_CLIENT_END) {
15111
0
                if (!ssl->options.resuming) {
15112
0
                   if (ssl->msgsReceived.got_server_hello_done == 0) {
15113
0
                        WOLFSSL_MSG("No ServerHelloDone before ChangeCipher");
15114
0
                        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15115
0
                        return OUT_OF_ORDER_E;
15116
0
                   }
15117
0
                }
15118
0
                else {
15119
0
                    if (ssl->msgsReceived.got_server_hello == 0) {
15120
0
                        WOLFSSL_MSG("No ServerHello before ChangeCipher on "
15121
0
                                    "Resume");
15122
0
                        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15123
0
                        return OUT_OF_ORDER_E;
15124
0
                    }
15125
0
                }
15126
0
                #ifdef HAVE_SESSION_TICKET
15127
0
                    if (ssl->expect_session_ticket) {
15128
0
                        WOLFSSL_MSG("Expected session ticket missing");
15129
                        #ifdef WOLFSSL_DTLS
15130
                            if (ssl->options.dtls) {
15131
                                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15132
                                return OUT_OF_ORDER_E;
15133
                            }
15134
                        #endif
15135
0
                        WOLFSSL_ERROR_VERBOSE(SESSION_TICKET_EXPECT_E);
15136
0
                        return SESSION_TICKET_EXPECT_E;
15137
0
                    }
15138
0
                #endif
15139
0
            }
15140
0
#endif
15141
0
#ifndef NO_WOLFSSL_SERVER
15142
0
            if (ssl->options.side == WOLFSSL_SERVER_END) {
15143
0
                if (!ssl->options.resuming &&
15144
0
                               ssl->msgsReceived.got_client_key_exchange == 0) {
15145
0
                    WOLFSSL_MSG("No ClientKeyExchange before ChangeCipher");
15146
0
    #ifdef WOLFSSL_EXTRA_ALERTS
15147
0
                    SendAlert(ssl, alert_fatal, unexpected_message);
15148
0
    #endif
15149
0
                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15150
0
                    return OUT_OF_ORDER_E;
15151
0
                }
15152
0
                #ifndef NO_CERTS
15153
0
                    if (ssl->options.verifyPeer &&
15154
0
                        ssl->options.havePeerCert) {
15155
15156
0
                        if (!ssl->options.havePeerVerify ||
15157
0
                                !ssl->msgsReceived.got_certificate_verify) {
15158
0
                            WOLFSSL_MSG("client didn't send cert verify");
15159
                            #ifdef WOLFSSL_DTLS
15160
                                if (ssl->options.dtls) {
15161
                                    WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15162
                                    return OUT_OF_ORDER_E;
15163
                                }
15164
                            #endif
15165
0
                            WOLFSSL_ERROR_VERBOSE(NO_PEER_VERIFY);
15166
0
                            return NO_PEER_VERIFY;
15167
0
                        }
15168
0
                    }
15169
0
                #endif
15170
0
            }
15171
0
#endif
15172
0
            if (ssl->options.dtls)
15173
0
                ssl->msgsReceived.got_change_cipher = 1;
15174
0
            break;
15175
15176
0
        default:
15177
0
            WOLFSSL_MSG("Unknown message type");
15178
0
            WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
15179
0
            return SANITY_MSG_E;
15180
0
    }
15181
15182
0
    return 0;
15183
0
}
15184
15185
15186
static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
15187
                          byte type, word32 size, word32 totalSz)
15188
0
{
15189
0
    int ret = 0;
15190
0
    word32 expectedIdx;
15191
15192
0
    WOLFSSL_ENTER("DoHandShakeMsgType");
15193
15194
0
#ifdef WOLFSSL_TLS13
15195
0
    if (type == hello_retry_request) {
15196
0
        return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
15197
0
                                       totalSz);
15198
0
    }
15199
0
#endif
15200
15201
    /* make sure can read the message */
15202
0
    if (*inOutIdx + size > totalSz) {
15203
0
        WOLFSSL_MSG("Incomplete Data");
15204
0
        WOLFSSL_ERROR_VERBOSE(INCOMPLETE_DATA);
15205
0
        return INCOMPLETE_DATA;
15206
0
    }
15207
15208
0
    expectedIdx = *inOutIdx + size +
15209
0
                  (ssl->keys.encryptionOn ? ssl->keys.padSz : 0);
15210
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
15211
0
    if (ssl->options.startedETMRead && ssl->keys.encryptionOn)
15212
0
        expectedIdx += MacSize(ssl);
15213
0
#endif
15214
15215
#if !defined(NO_WOLFSSL_SERVER) && \
15216
    defined(HAVE_SECURE_RENEGOTIATION) && \
15217
    defined(HAVE_SERVER_RENEGOTIATION_INFO)
15218
    if (ssl->options.handShakeDone && type == client_hello &&
15219
            ssl->secure_renegotiation &&
15220
            ssl->secure_renegotiation->enabled)
15221
    {
15222
        WOLFSSL_MSG("Reset handshake state");
15223
        XMEMSET(&ssl->msgsReceived, 0, sizeof(MsgsReceived));
15224
        ssl->options.serverState = NULL_STATE;
15225
        ssl->options.clientState = NULL_STATE;
15226
        ssl->options.connectState = CONNECT_BEGIN;
15227
        ssl->options.acceptState = ACCEPT_FIRST_REPLY_DONE;
15228
        ssl->options.handShakeState = NULL_STATE;
15229
        ssl->secure_renegotiation->cache_status = SCR_CACHE_NEEDED;
15230
15231
        ret = InitHandshakeHashes(ssl);
15232
        if (ret != 0)
15233
            return ret;
15234
    }
15235
#endif
15236
15237
    /* sanity check msg received */
15238
0
    if ( (ret = SanityCheckMsgReceived(ssl, type)) != 0) {
15239
0
        WOLFSSL_MSG("Sanity Check on handshake message type received failed");
15240
0
        return ret;
15241
0
    }
15242
15243
0
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
15244
    /* add name later, add on record and handshake header part back on */
15245
0
    if (ssl->toInfoOn) {
15246
0
        int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
15247
0
        AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - add,
15248
0
                      size + add, READ_PROTO, ssl->heap);
15249
        #ifdef WOLFSSL_CALLBACKS
15250
        AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
15251
        #endif
15252
0
    }
15253
0
#endif
15254
15255
0
    if (ssl->options.handShakeState == HANDSHAKE_DONE && type != hello_request){
15256
0
        WOLFSSL_MSG("HandShake message after handshake complete");
15257
0
        SendAlert(ssl, alert_fatal, unexpected_message);
15258
0
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15259
0
        return OUT_OF_ORDER_E;
15260
0
    }
15261
15262
0
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls == 0 &&
15263
0
               ssl->options.serverState == NULL_STATE && type != server_hello) {
15264
0
        WOLFSSL_MSG("First server message not server hello");
15265
0
        SendAlert(ssl, alert_fatal, unexpected_message);
15266
0
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15267
0
        return OUT_OF_ORDER_E;
15268
0
    }
15269
15270
0
    if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->options.dtls &&
15271
0
            type == server_hello_done &&
15272
0
            ssl->options.serverState < SERVER_HELLO_COMPLETE) {
15273
0
        WOLFSSL_MSG("Server hello done received before server hello in DTLS");
15274
0
        SendAlert(ssl, alert_fatal, unexpected_message);
15275
0
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15276
0
        return OUT_OF_ORDER_E;
15277
0
    }
15278
15279
0
    if (ssl->options.side == WOLFSSL_SERVER_END &&
15280
0
               ssl->options.clientState == NULL_STATE && type != client_hello) {
15281
0
        WOLFSSL_MSG("First client message not client hello");
15282
0
        SendAlert(ssl, alert_fatal, unexpected_message);
15283
0
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15284
0
        return OUT_OF_ORDER_E;
15285
0
    }
15286
15287
    /* above checks handshake state */
15288
    /* hello_request not hashed */
15289
    /* Also, skip hashing the client_hello message here for DTLS. It will be
15290
     * hashed later if the DTLS cookie is correct. */
15291
0
    if (type != hello_request
15292
    #ifdef WOLFSSL_ASYNC_CRYPT
15293
            && ssl->error != WC_PENDING_E
15294
    #endif
15295
    #ifdef WOLFSSL_NONBLOCK_OCSP
15296
            && ssl->error != OCSP_WANT_READ
15297
    #endif
15298
0
    ) {
15299
0
        ret = HashInput(ssl, input + *inOutIdx, size);
15300
0
        if (ret != 0) {
15301
0
            WOLFSSL_MSG("Incomplete handshake hashes");
15302
0
            return ret;
15303
0
        }
15304
0
    }
15305
15306
0
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
15307
0
        switch (type) {
15308
0
        case certificate:
15309
0
        case server_key_exchange:
15310
0
        case certificate_request:
15311
0
        case server_hello_done:
15312
0
            if (ssl->options.resuming) {
15313
#ifdef WOLFSSL_WPAS
15314
                /* This can occur when ssl->sessionSecretCb is set. EAP-FAST
15315
                 * (RFC 4851) allows for detecting server session resumption
15316
                 * based on the msg received after the ServerHello. */
15317
                WOLFSSL_MSG("Not resuming as thought");
15318
                ssl->options.resuming = 0;
15319
                /* No longer resuming, reset peer authentication state. */
15320
                ssl->options.peerAuthGood = 0;
15321
#else
15322
                /* Fatal error. Only try to send an alert. RFC 5246 does not
15323
                 * allow for reverting back to a full handshake after the
15324
                 * server has indicated the intention to do a resumption. */
15325
0
                (void)SendAlert(ssl, alert_fatal, unexpected_message);
15326
0
                WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
15327
0
                return OUT_OF_ORDER_E;
15328
0
#endif
15329
0
            }
15330
0
        }
15331
0
    }
15332
15333
0
#ifdef OPENSSL_EXTRA
15334
0
    if (ssl->CBIS != NULL){
15335
0
        ssl->cbmode = SSL_CB_MODE_READ;
15336
0
        ssl->cbtype = type;
15337
0
        ssl->CBIS(ssl, SSL_CB_ACCEPT_LOOP, SSL_SUCCESS);
15338
0
    }
15339
0
#endif
15340
15341
0
    switch (type) {
15342
15343
0
    case hello_request:
15344
0
        WOLFSSL_MSG("processing hello request");
15345
0
        ret = DoHelloRequest(ssl, input, inOutIdx, size, totalSz);
15346
0
        break;
15347
15348
0
#ifndef NO_WOLFSSL_CLIENT
15349
0
    case hello_verify_request:
15350
0
        WOLFSSL_MSG("processing hello verify request");
15351
0
        ret = DoHelloVerifyRequest(ssl, input,inOutIdx, size);
15352
0
        if (IsEncryptionOn(ssl, 0)) {
15353
0
        #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
15354
0
            if (ssl->options.startedETMRead) {
15355
0
                word32 digestSz = MacSize(ssl);
15356
0
                if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz)
15357
0
                    return BUFFER_E;
15358
0
                *inOutIdx += ssl->keys.padSz + digestSz;
15359
0
            }
15360
0
            else
15361
0
        #endif
15362
0
            {
15363
                /* access beyond input + size should be checked against totalSz
15364
                 */
15365
0
                if (*inOutIdx + ssl->keys.padSz > totalSz)
15366
0
                    return BUFFER_E;
15367
15368
0
                *inOutIdx += ssl->keys.padSz;
15369
0
            }
15370
0
        }
15371
0
        break;
15372
15373
0
    case server_hello:
15374
0
        WOLFSSL_MSG("processing server hello");
15375
0
        ret = DoServerHello(ssl, input, inOutIdx, size);
15376
0
    #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
15377
0
               ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
15378
0
                (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
15379
0
        if (ssl->options.resuming || !IsAtLeastTLSv1_2(ssl) ||
15380
0
                                               IsAtLeastTLSv1_3(ssl->version)) {
15381
15382
        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
15383
            if (ret != WC_PENDING_E && ret != OCSP_WANT_READ)
15384
        #endif
15385
0
            {
15386
0
                ssl->options.cacheMessages = 0;
15387
0
                if ((ssl->hsHashes != NULL) && (ssl->hsHashes->messages != NULL)) {
15388
0
                    ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
15389
0
                    XFREE(ssl->hsHashes->messages, ssl->heap,
15390
0
                        DYNAMIC_TYPE_HASHES);
15391
0
                    ssl->hsHashes->messages = NULL;
15392
0
                }
15393
0
            }
15394
0
        }
15395
0
    #endif
15396
0
        break;
15397
15398
0
#ifndef NO_CERTS
15399
0
    case certificate_request:
15400
0
        WOLFSSL_MSG("processing certificate request");
15401
0
        ret = DoCertificateRequest(ssl, input, inOutIdx, size);
15402
0
        break;
15403
0
#endif
15404
15405
0
    case server_key_exchange:
15406
0
        WOLFSSL_MSG("processing server key exchange");
15407
0
        ret = DoServerKeyExchange(ssl, input, inOutIdx, size);
15408
0
        break;
15409
15410
0
#ifdef HAVE_SESSION_TICKET
15411
0
    case session_ticket:
15412
0
        WOLFSSL_MSG("processing session ticket");
15413
0
        ret = DoSessionTicket(ssl, input, inOutIdx, size);
15414
0
        break;
15415
0
#endif /* HAVE_SESSION_TICKET */
15416
0
#endif
15417
15418
0
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
15419
0
                                               !defined(WOLFSSL_NO_CLIENT_AUTH))
15420
0
    case certificate:
15421
0
        WOLFSSL_MSG("processing certificate");
15422
0
        ret = DoCertificate(ssl, input, inOutIdx, size);
15423
0
        break;
15424
15425
0
    case certificate_status:
15426
0
        WOLFSSL_MSG("processing certificate status");
15427
0
        ret = DoCertificateStatus(ssl, input, inOutIdx, size);
15428
0
        break;
15429
0
#endif
15430
15431
0
    case server_hello_done:
15432
0
        WOLFSSL_MSG("processing server hello done");
15433
    #ifdef WOLFSSL_CALLBACKS
15434
        if (ssl->hsInfoOn)
15435
            AddPacketName(ssl, "ServerHelloDone");
15436
        if (ssl->toInfoOn)
15437
            AddLateName("ServerHelloDone", &ssl->timeoutInfo);
15438
    #endif
15439
0
        ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
15440
0
        if (IsEncryptionOn(ssl, 0)) {
15441
0
            *inOutIdx += ssl->keys.padSz;
15442
0
        #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
15443
0
            if (ssl->options.startedETMRead)
15444
0
                *inOutIdx += MacSize(ssl);
15445
0
        #endif
15446
0
        }
15447
0
        break;
15448
15449
0
    case finished:
15450
0
        WOLFSSL_MSG("processing finished");
15451
0
        ret = DoFinished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
15452
0
        break;
15453
15454
0
#ifndef NO_WOLFSSL_SERVER
15455
0
    case client_hello:
15456
0
        WOLFSSL_MSG("processing client hello");
15457
0
        ret = DoClientHello(ssl, input, inOutIdx, size);
15458
0
    #if !defined(WOLFSSL_NO_CLIENT_AUTH) && \
15459
0
               ((defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)) || \
15460
0
                (defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)))
15461
0
        if (ssl->options.resuming || !ssl->options.verifyPeer || \
15462
0
                     !IsAtLeastTLSv1_2(ssl) || IsAtLeastTLSv1_3(ssl->version)) {
15463
        #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
15464
            if (ret != WC_PENDING_E && ret != OCSP_WANT_READ)
15465
        #endif
15466
0
            {
15467
0
                ssl->options.cacheMessages = 0;
15468
0
                if ((ssl->hsHashes != NULL) && (ssl->hsHashes->messages != NULL)) {
15469
0
                    ForceZero(ssl->hsHashes->messages, ssl->hsHashes->length);
15470
0
                    XFREE(ssl->hsHashes->messages, ssl->heap, DYNAMIC_TYPE_HASHES);
15471
0
                    ssl->hsHashes->messages = NULL;
15472
0
                }
15473
0
            }
15474
0
        }
15475
0
    #endif
15476
        /* If size == totalSz then we are in DtlsMsgDrain so no need to worry
15477
         * about padding */
15478
0
        if (IsEncryptionOn(ssl, 0)) {
15479
0
        #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
15480
0
            if (ssl->options.startedETMRead) {
15481
0
                word32 digestSz = MacSize(ssl);
15482
0
                if (size != totalSz &&
15483
0
                        *inOutIdx + ssl->keys.padSz + digestSz > totalSz)
15484
0
                    return BUFFER_E;
15485
0
                *inOutIdx += ssl->keys.padSz + digestSz;
15486
0
            }
15487
0
            else
15488
0
        #endif
15489
0
            {
15490
                /* access beyond input + size should be checked against totalSz
15491
                 */
15492
0
                if (size != totalSz &&
15493
0
                        *inOutIdx + ssl->keys.padSz > totalSz)
15494
0
                    return BUFFER_E;
15495
0
                *inOutIdx += ssl->keys.padSz;
15496
0
            }
15497
0
        }
15498
0
        break;
15499
15500
0
    case client_key_exchange:
15501
0
        WOLFSSL_MSG("processing client key exchange");
15502
0
        ret = DoClientKeyExchange(ssl, input, inOutIdx, size);
15503
0
        break;
15504
15505
0
#if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
15506
0
                        defined(HAVE_ED448)) && !defined(WOLFSSL_NO_CLIENT_AUTH)
15507
0
    case certificate_verify:
15508
0
        WOLFSSL_MSG("processing certificate verify");
15509
0
        ret = DoCertificateVerify(ssl, input, inOutIdx, size);
15510
0
        break;
15511
0
#endif /* (!NO_RSA || ECC || ED25519 || ED448) && !WOLFSSL_NO_CLIENT_AUTH */
15512
15513
0
#endif /* !NO_WOLFSSL_SERVER */
15514
15515
0
    default:
15516
0
        WOLFSSL_MSG("Unknown handshake message type");
15517
0
        ret = UNKNOWN_HANDSHAKE_TYPE;
15518
0
        break;
15519
0
    }
15520
0
    if (ret == 0 && expectedIdx != *inOutIdx) {
15521
0
        WOLFSSL_MSG("Extra data in handshake message");
15522
0
        if (!ssl->options.dtls)
15523
0
            SendAlert(ssl, alert_fatal, decode_error);
15524
0
        ret = DECODE_E;
15525
0
        WOLFSSL_ERROR_VERBOSE(ret);
15526
0
    }
15527
15528
#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP)
15529
    /* if async, offset index so this msg will be processed again */
15530
    if ((ret == WC_PENDING_E || ret == OCSP_WANT_READ) && *inOutIdx > 0) {
15531
        *inOutIdx -= HANDSHAKE_HEADER_SZ;
15532
    #ifdef WOLFSSL_DTLS
15533
        if (ssl->options.dtls) {
15534
            *inOutIdx -= DTLS_HANDSHAKE_EXTRA;
15535
        }
15536
    #endif
15537
    }
15538
15539
    /* make sure async error is cleared */
15540
    if (ret == 0 && (ssl->error == WC_PENDING_E || ssl->error == OCSP_WANT_READ)) {
15541
        ssl->error = 0;
15542
    }
15543
#endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */
15544
15545
#ifdef WOLFSSL_DTLS
15546
    if (ret == 0) {
15547
        if (type == client_hello) {
15548
            /* Advance expected number only if cookie exchange complete */
15549
            if (ssl->msgsReceived.got_client_hello)
15550
                ssl->keys.dtls_expected_peer_handshake_number =
15551
                    ssl->keys.dtls_peer_handshake_number + 1;
15552
        }
15553
        else if (type != finished) {
15554
            ssl->keys.dtls_expected_peer_handshake_number++;
15555
        }
15556
    }
15557
#endif
15558
15559
0
    WOLFSSL_LEAVE("DoHandShakeMsgType()", ret);
15560
0
    return ret;
15561
0
}
15562
15563
15564
static int DoHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
15565
                          word32 totalSz)
15566
0
{
15567
0
    int    ret = 0;
15568
0
    word32 inputLength;
15569
15570
0
    WOLFSSL_ENTER("DoHandShakeMsg()");
15571
15572
0
    if (ssl->arrays == NULL) {
15573
0
        byte   type;
15574
0
        word32 size;
15575
15576
0
        if (GetHandShakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0) {
15577
0
            WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
15578
0
            return PARSE_ERROR;
15579
0
        }
15580
15581
0
        return DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
15582
0
    }
15583
15584
0
    inputLength = ssl->buffers.inputBuffer.length - *inOutIdx;
15585
15586
    /* If there is a pending fragmented handshake message,
15587
     * pending message size will be non-zero. */
15588
0
    if (ssl->arrays->pendingMsgSz == 0) {
15589
0
        byte   type;
15590
0
        word32 size;
15591
15592
0
        if (GetHandShakeHeader(ssl, input, inOutIdx, &type, &size,
15593
0
                               totalSz) != 0) {
15594
0
            WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
15595
0
            return PARSE_ERROR;
15596
0
        }
15597
15598
        /* Cap the maximum size of a handshake message to something reasonable.
15599
         * By default is the maximum size of a certificate message assuming
15600
         * nine 2048-bit RSA certificates in the chain. */
15601
0
        if (size > MAX_HANDSHAKE_SZ) {
15602
0
            WOLFSSL_MSG("Handshake message too large");
15603
0
            WOLFSSL_ERROR_VERBOSE(HANDSHAKE_SIZE_ERROR);
15604
0
            return HANDSHAKE_SIZE_ERROR;
15605
0
        }
15606
15607
        /* size is the size of the certificate message payload */
15608
0
        if (inputLength - HANDSHAKE_HEADER_SZ < size) {
15609
0
            ssl->arrays->pendingMsgType = type;
15610
0
            ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
15611
0
            ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
15612
0
                                                     ssl->heap,
15613
0
                                                     DYNAMIC_TYPE_ARRAYS);
15614
0
            if (ssl->arrays->pendingMsg == NULL)
15615
0
                return MEMORY_E;
15616
0
            XMEMCPY(ssl->arrays->pendingMsg,
15617
0
                    input + *inOutIdx - HANDSHAKE_HEADER_SZ,
15618
0
                    inputLength);
15619
0
            ssl->arrays->pendingMsgOffset = inputLength;
15620
0
            *inOutIdx += inputLength - HANDSHAKE_HEADER_SZ;
15621
0
            return 0;
15622
0
        }
15623
15624
0
        ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
15625
0
    }
15626
0
    else {
15627
0
        word32 pendSz =
15628
0
            ssl->arrays->pendingMsgSz - ssl->arrays->pendingMsgOffset;
15629
15630
        /* Catch the case where there may be the remainder of a fragmented
15631
         * handshake message and the next handshake message in the same
15632
         * record. */
15633
0
        if (inputLength > pendSz)
15634
0
            inputLength = pendSz;
15635
15636
    #ifdef WOLFSSL_ASYNC_CRYPT
15637
        if (ssl->error != WC_PENDING_E)
15638
    #endif
15639
0
        {
15640
            /* for async this copy was already done, do not replace, since
15641
             * contents may have been changed for inline operations */
15642
0
            XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
15643
0
                    input + *inOutIdx, inputLength);
15644
0
        }
15645
0
        ssl->arrays->pendingMsgOffset += inputLength;
15646
0
        *inOutIdx += inputLength;
15647
15648
0
        if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
15649
0
        {
15650
0
            word32 idx = HANDSHAKE_HEADER_SZ;
15651
0
            ret = DoHandShakeMsgType(ssl,
15652
0
                                     ssl->arrays->pendingMsg,
15653
0
                                     &idx, ssl->arrays->pendingMsgType,
15654
0
                                     ssl->arrays->pendingMsgSz - idx,
15655
0
                                     ssl->arrays->pendingMsgSz);
15656
        #ifdef WOLFSSL_ASYNC_CRYPT
15657
            if (ret == WC_PENDING_E) {
15658
                /* setup to process fragment again */
15659
                ssl->arrays->pendingMsgOffset -= inputLength;
15660
                *inOutIdx -= inputLength;
15661
            }
15662
            else
15663
        #endif
15664
0
            {
15665
0
                XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
15666
0
                ssl->arrays->pendingMsg = NULL;
15667
0
                ssl->arrays->pendingMsgSz = 0;
15668
0
            }
15669
0
        }
15670
0
    }
15671
15672
0
    WOLFSSL_LEAVE("DoHandShakeMsg()", ret);
15673
0
    return ret;
15674
0
}
15675
15676
#endif /* !WOLFSSL_NO_TLS12 */
15677
15678
#ifdef WOLFSSL_DTLS
15679
15680
static int _DtlsCheckWindow(WOLFSSL* ssl)
15681
{
15682
    word32* window;
15683
    word16 cur_hi, next_hi;
15684
    word32 cur_lo, next_lo, diff;
15685
    int curLT;
15686
    WOLFSSL_DTLS_PEERSEQ* peerSeq = NULL;
15687
15688
    if (!ssl->options.haveMcast)
15689
        peerSeq = ssl->keys.peerSeq;
15690
    else {
15691
#ifdef WOLFSSL_MULTICAST
15692
        WOLFSSL_DTLS_PEERSEQ* p;
15693
        int i;
15694
15695
        for (i = 0, p = ssl->keys.peerSeq;
15696
             i < WOLFSSL_DTLS_PEERSEQ_SZ;
15697
             i++, p++) {
15698
15699
            if (p->peerId == ssl->keys.curPeerId) {
15700
                peerSeq = p;
15701
                break;
15702
            }
15703
        }
15704
#endif
15705
    }
15706
15707
    if (peerSeq == NULL) {
15708
        WOLFSSL_MSG("Could not find peer sequence");
15709
        return 0;
15710
    }
15711
15712
    if (ssl->keys.curEpoch == peerSeq->nextEpoch) {
15713
        next_hi = peerSeq->nextSeq_hi;
15714
        next_lo = peerSeq->nextSeq_lo;
15715
        window = peerSeq->window;
15716
    }
15717
    else if (ssl->keys.curEpoch == peerSeq->nextEpoch - 1) {
15718
        next_hi = peerSeq->prevSeq_hi;
15719
        next_lo = peerSeq->prevSeq_lo;
15720
        window = peerSeq->prevWindow;
15721
    }
15722
    else {
15723
        return 0;
15724
    }
15725
15726
    cur_hi = ssl->keys.curSeq_hi;
15727
    cur_lo = ssl->keys.curSeq_lo;
15728
15729
    /* If the difference between next and cur is > 2^32, way outside window. */
15730
    if ((cur_hi > next_hi + 1) || (next_hi > cur_hi + 1)) {
15731
        WOLFSSL_MSG("Current record from way too far in the future.");
15732
        return 0;
15733
    }
15734
15735
    if (cur_hi == next_hi) {
15736
        curLT = cur_lo < next_lo;
15737
        diff = curLT ? next_lo - cur_lo : cur_lo - next_lo;
15738
    }
15739
    else {
15740
        curLT = cur_hi < next_hi;
15741
        diff = curLT ? cur_lo - next_lo : next_lo - cur_lo;
15742
    }
15743
15744
    /* Check to see that the next value is greater than the number of messages
15745
     * trackable in the window, and that the difference between the next
15746
     * expected sequence number and the received sequence number is inside the
15747
     * window. */
15748
    if ((next_hi || next_lo > DTLS_SEQ_BITS) &&
15749
        curLT && (diff > DTLS_SEQ_BITS)) {
15750
15751
        WOLFSSL_MSG("Current record sequence number from the past.");
15752
        return 0;
15753
    }
15754
#ifdef WOLFSSL_DTLS_DISALLOW_FUTURE
15755
    else if (!curLT && (diff > DTLS_SEQ_BITS)) {
15756
        WOLFSSL_MSG("Rejecting message too far into the future.");
15757
        return 0;
15758
    }
15759
#endif
15760
    else if (curLT) {
15761
        word32 idx;
15762
        word32 newDiff;
15763
        if (diff == 0) {
15764
            WOLFSSL_MSG("DTLS sanity check failed");
15765
            return 0;
15766
        }
15767
        diff--;
15768
        idx = diff / DTLS_WORD_BITS;
15769
        newDiff = diff % DTLS_WORD_BITS;
15770
15771
        /* verify idx is valid for window array */
15772
        if (idx >= WOLFSSL_DTLS_WINDOW_WORDS) {
15773
            WOLFSSL_MSG("Invalid DTLS windows index");
15774
            return 0;
15775
        }
15776
15777
        if (window[idx] & (1 << newDiff)) {
15778
            WOLFSSL_MSG("Current record sequence number already received.");
15779
            return 0;
15780
        }
15781
    }
15782
15783
    return 1;
15784
}
15785
15786
#ifdef WOLFSSL_DTLS13
15787
static WC_INLINE int Dtls13CheckWindow(WOLFSSL* ssl)
15788
{
15789
    w64wrapper nextSeq, seq;
15790
    w64wrapper diff64;
15791
    word32 *window;
15792
    int wordOffset;
15793
    int wordIndex;
15794
    word32 diff;
15795
15796
    if (ssl->dtls13DecryptEpoch == NULL) {
15797
        WOLFSSL_MSG("Can't find decrypting epoch");
15798
        return 0;
15799
    }
15800
15801
    nextSeq = ssl->dtls13DecryptEpoch->nextPeerSeqNumber;
15802
    window = ssl->dtls13DecryptEpoch->window;
15803
    seq = ssl->keys.curSeq;
15804
15805
    if (w64GTE(seq, nextSeq))
15806
        return 1;
15807
15808
    /* seq < nextSeq, nextSeq - seq */
15809
    diff64 = w64Sub(nextSeq, seq);
15810
15811
    /* diff >= DTLS_SEQ_BITS, outside of the window */
15812
    if (w64GT(diff64, w64From32(0, DTLS_SEQ_BITS)))
15813
        return 0;
15814
15815
    /* we are assuming DTLS_SEQ_BITS <= 2**32 */
15816
    diff = w64GetLow32(diff64);
15817
15818
    /* zero based index */
15819
    diff--;
15820
15821
    wordIndex = ((int)diff) / DTLS_WORD_BITS;
15822
    wordOffset = ((int)diff) % DTLS_WORD_BITS;
15823
15824
    if (window[wordIndex] & (1 << wordOffset))
15825
        return 0;
15826
15827
    return 1;
15828
}
15829
15830
#endif /* WOLFSSL_DTLS13 */
15831
15832
#ifdef WOLFSSL_MULTICAST
15833
static WC_INLINE word32 UpdateHighwaterMark(word32 cur, word32 first,
15834
                                         word32 second, word32 high)
15835
{
15836
    word32 newCur = 0;
15837
15838
    if (cur < first)
15839
        newCur = first;
15840
    else if (cur < second)
15841
        newCur = second;
15842
    else if (cur < high)
15843
        newCur = high;
15844
15845
    return newCur;
15846
}
15847
#endif /* WOLFSSL_MULTICAST */
15848
15849
/* diff is the difference between the message sequence and the
15850
 * expected sequence number. 0 is special where it is an overflow. */
15851
static void _DtlsUpdateWindowGTSeq(word32 diff, word32* window)
15852
{
15853
    word32 idx, temp, i;
15854
    word32 oldWindow[WOLFSSL_DTLS_WINDOW_WORDS];
15855
15856
    if (diff == 0 || diff >= DTLS_SEQ_BITS)
15857
        XMEMSET(window, 0, DTLS_SEQ_SZ);
15858
    else {
15859
        temp = 0;
15860
        idx = diff / DTLS_WORD_BITS;
15861
        diff %= DTLS_WORD_BITS;
15862
15863
        XMEMCPY(oldWindow, window, sizeof(oldWindow));
15864
15865
        for (i = 0; i < WOLFSSL_DTLS_WINDOW_WORDS; i++) {
15866
            if (i < idx)
15867
                window[i] = 0;
15868
            else {
15869
                temp |= (oldWindow[i-idx] << diff);
15870
                window[i] = temp;
15871
                if (diff > 0)
15872
                    temp = oldWindow[i-idx] >> (DTLS_WORD_BITS - diff);
15873
                else
15874
                    temp = 0;
15875
            }
15876
        }
15877
    }
15878
    window[0] |= 1;
15879
}
15880
15881
int wolfSSL_DtlsUpdateWindow(word16 cur_hi, word32 cur_lo,
15882
        word16* next_hi, word32* next_lo, word32 *window)
15883
{
15884
    word32 diff;
15885
    int curLT;
15886
15887
    if (cur_hi == *next_hi) {
15888
        curLT = cur_lo < *next_lo;
15889
        diff = curLT ? *next_lo - cur_lo : cur_lo - *next_lo;
15890
    }
15891
    else {
15892
        if (cur_hi > *next_hi + 1) {
15893
            /* reset window */
15894
            _DtlsUpdateWindowGTSeq(0, window);
15895
            *next_lo = cur_lo + 1;
15896
            if (*next_lo == 0)
15897
                *next_hi = cur_hi + 1;
15898
            else
15899
                *next_hi = cur_hi;
15900
            return 1;
15901
        }
15902
        else if (*next_hi > cur_hi + 1) {
15903
            return 1;
15904
        }
15905
        else {
15906
            curLT = cur_hi < *next_hi;
15907
            if (curLT) {
15908
                if (*next_lo < DTLS_SEQ_BITS &&
15909
                        cur_lo >= (((word32)0xFFFFFFFF) - DTLS_SEQ_BITS)) {
15910
                    /* diff here can still result in a difference that can not
15911
                     * be stored in the window. The index is checked against
15912
                     * WOLFSSL_DTLS_WINDOW_WORDS later. */
15913
                    diff = *next_lo + ((word32)0xFFFFFFFF - cur_lo) + 1;
15914
                }
15915
                else {
15916
                    /* Too far back to update */
15917
                    return 1;
15918
                }
15919
            }
15920
            else {
15921
                if (*next_lo >= (((word32)0xFFFFFFFF) - DTLS_SEQ_BITS) &&
15922
                        cur_lo < DTLS_SEQ_BITS) {
15923
                    /* diff here can still result in a difference that can not
15924
                     * be stored in the window. The index is checked against
15925
                     * WOLFSSL_DTLS_WINDOW_WORDS later. */
15926
                    diff = cur_lo - *next_lo;
15927
                }
15928
                else {
15929
                    _DtlsUpdateWindowGTSeq(0, window);
15930
                    *next_lo = cur_lo + 1;
15931
                    if (*next_lo == 0)
15932
                        *next_hi = cur_hi + 1;
15933
                    else
15934
                        *next_hi = cur_hi;
15935
                    return 1;
15936
                }
15937
            }
15938
        }
15939
    }
15940
15941
    if (curLT) {
15942
        word32 idx;
15943
15944
        diff--;
15945
        idx = diff / DTLS_WORD_BITS;
15946
        diff %= DTLS_WORD_BITS;
15947
15948
        if (idx < WOLFSSL_DTLS_WINDOW_WORDS)
15949
            window[idx] |= (1 << diff);
15950
    }
15951
    else {
15952
        _DtlsUpdateWindowGTSeq(diff + 1, window);
15953
        *next_lo = cur_lo + 1;
15954
        if (*next_lo == 0)
15955
            *next_hi = cur_hi + 1;
15956
        else
15957
            *next_hi = cur_hi;
15958
    }
15959
15960
    return 1;
15961
}
15962
15963
static int _DtlsUpdateWindow(WOLFSSL* ssl)
15964
{
15965
    WOLFSSL_DTLS_PEERSEQ* peerSeq = ssl->keys.peerSeq;
15966
    word16 *next_hi;
15967
    word32 *next_lo;
15968
    word32* window;
15969
15970
#ifdef WOLFSSL_MULTICAST
15971
    word32 cur_lo = ssl->keys.curSeq_lo;
15972
15973
    if (ssl->options.haveMcast) {
15974
        WOLFSSL_DTLS_PEERSEQ* p;
15975
        int i;
15976
15977
        peerSeq = NULL;
15978
        for (i = 0, p = ssl->keys.peerSeq;
15979
             i < WOLFSSL_DTLS_PEERSEQ_SZ;
15980
             i++, p++) {
15981
15982
            if (p->peerId == ssl->keys.curPeerId) {
15983
                peerSeq = p;
15984
                break;
15985
            }
15986
        }
15987
15988
        if (peerSeq == NULL) {
15989
            WOLFSSL_MSG("Couldn't find that peer ID to update window.");
15990
            return 0;
15991
        }
15992
15993
        if (p->highwaterMark && cur_lo >= p->highwaterMark) {
15994
            int cbError = 0;
15995
15996
            if (ssl->ctx->mcastHwCb)
15997
                cbError = ssl->ctx->mcastHwCb(p->peerId,
15998
                                              ssl->ctx->mcastMaxSeq,
15999
                                              cur_lo, ssl->mcastHwCbCtx);
16000
            if (cbError) {
16001
                WOLFSSL_MSG("Multicast highwater callback returned an error.");
16002
                return MCAST_HIGHWATER_CB_E;
16003
            }
16004
16005
            p->highwaterMark = UpdateHighwaterMark(cur_lo,
16006
                                                   ssl->ctx->mcastFirstSeq,
16007
                                                   ssl->ctx->mcastSecondSeq,
16008
                                                   ssl->ctx->mcastMaxSeq);
16009
        }
16010
    }
16011
#endif
16012
16013
    if (ssl->keys.curEpoch == peerSeq->nextEpoch) {
16014
        next_hi = &peerSeq->nextSeq_hi;
16015
        next_lo = &peerSeq->nextSeq_lo;
16016
        window = peerSeq->window;
16017
    }
16018
    else {
16019
        next_hi = &peerSeq->prevSeq_hi;
16020
        next_lo = &peerSeq->prevSeq_lo;
16021
        window = peerSeq->prevWindow;
16022
    }
16023
16024
    return wolfSSL_DtlsUpdateWindow(ssl->keys.curSeq_hi, ssl->keys.curSeq_lo,
16025
            next_hi, next_lo, window);
16026
}
16027
16028
#ifdef WOLFSSL_DTLS13
16029
static WC_INLINE int Dtls13UpdateWindow(WOLFSSL* ssl)
16030
{
16031
    w64wrapper nextSeq, seq;
16032
    w64wrapper diff64;
16033
    word32 *window;
16034
    int wordOffset;
16035
    int wordIndex;
16036
    word32 diff;
16037
16038
    if (ssl->dtls13DecryptEpoch == NULL) {
16039
        WOLFSSL_MSG("Can't find decrypting Epoch");
16040
        return BAD_STATE_E;
16041
    }
16042
16043
    nextSeq = ssl->dtls13DecryptEpoch->nextPeerSeqNumber;
16044
    window = ssl->dtls13DecryptEpoch->window;
16045
    seq = ssl->keys.curSeq;
16046
16047
    /* seq < nextSeq */
16048
    if (w64LT(seq, nextSeq)) {
16049
        diff64 = w64Sub(nextSeq, seq);
16050
16051
        /* zero based index */
16052
        w64Decrement(&diff64);
16053
16054
        /* FIXME: check that diff64 < DTLS_WORDS_BITS */
16055
        diff = w64GetLow32(diff64);
16056
        wordIndex = ((int)diff) / DTLS_WORD_BITS;
16057
        wordOffset = ((int)diff) % DTLS_WORD_BITS;
16058
16059
        if (wordIndex >= WOLFSSL_DTLS_WINDOW_WORDS) {
16060
            WOLFSSL_MSG("Invalid sequence number to Dtls13UpdateWindow");
16061
            return BAD_STATE_E;
16062
        }
16063
16064
        window[wordIndex] |= (1 << wordOffset);
16065
        return 1;
16066
    }
16067
16068
    /* seq >= nextSeq, seq - nextSeq */
16069
    diff64 = w64Sub(seq, nextSeq);
16070
16071
    /* as we are considering nextSeq inside the window, we should add + 1 */
16072
    w64Increment(&diff64);
16073
    _DtlsUpdateWindowGTSeq(w64GetLow32(diff64), window);
16074
16075
    w64Increment(&seq);
16076
    ssl->dtls13DecryptEpoch->nextPeerSeqNumber = seq;
16077
16078
    return 1;
16079
}
16080
#endif /* WOLFSSL_DTLS13 */
16081
16082
16083
int DtlsMsgDrain(WOLFSSL* ssl)
16084
{
16085
    DtlsMsg* item = ssl->dtls_rx_msg_list;
16086
    int ret = 0;
16087
16088
    WOLFSSL_ENTER("DtlsMsgDrain()");
16089
16090
    /* While there is an item in the store list, and it is the expected
16091
     * message, and it is complete, and there hasn't been an error in the
16092
     * last message... */
16093
    while (item != NULL &&
16094
            ssl->keys.dtls_expected_peer_handshake_number == item->seq &&
16095
            item->fragSz == item->sz &&
16096
            ret == 0) {
16097
        word32 idx = 0;
16098
16099
    #ifdef WOLFSSL_NO_TLS12
16100
        ret = DoTls13HandShakeMsgType(ssl, item->msg, &idx, item->type,
16101
                                      item->sz, item->sz);
16102
    #else
16103
        ret = DoHandShakeMsgType(ssl, item->msg, &idx, item->type,
16104
                                      item->sz, item->sz);
16105
    #endif
16106
        if (ret == 0) {
16107
            DtlsTxMsgListClean(ssl);
16108
        }
16109
    #ifdef WOLFSSL_ASYNC_CRYPT
16110
        if (ret == WC_PENDING_E) {
16111
            break;
16112
        }
16113
    #endif
16114
        ssl->dtls_rx_msg_list = item->next;
16115
        DtlsMsgDelete(item, ssl->heap);
16116
        item = ssl->dtls_rx_msg_list;
16117
        ssl->dtls_rx_msg_list_sz--;
16118
    }
16119
16120
    WOLFSSL_LEAVE("DtlsMsgDrain()", ret);
16121
    return ret;
16122
}
16123
16124
16125
static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
16126
                          word32 totalSz)
16127
{
16128
    byte type;
16129
    word32 size;
16130
    word32 fragOffset, fragSz;
16131
    int ret = 0;
16132
    int ignoreFinished = 0;
16133
16134
    WOLFSSL_ENTER("DoDtlsHandShakeMsg()");
16135
16136
    /* parse header */
16137
    if (GetDtlsHandShakeHeader(ssl, input, inOutIdx, &type,
16138
                               &size, &fragOffset, &fragSz, totalSz) != 0) {
16139
        WOLFSSL_ERROR(PARSE_ERROR);
16140
        return PARSE_ERROR;
16141
    }
16142
16143
    /* Cap the maximum size of a handshake message to something reasonable.
16144
     * By default is the maximum size of a certificate message assuming
16145
     * nine 2048-bit RSA certificates in the chain. */
16146
    if (size > MAX_HANDSHAKE_SZ) {
16147
        WOLFSSL_MSG("Handshake message too large");
16148
        return HANDSHAKE_SIZE_ERROR;
16149
    }
16150
16151
    /* check that we have complete fragment */
16152
    if (*inOutIdx + fragSz > totalSz) {
16153
        WOLFSSL_ERROR(INCOMPLETE_DATA);
16154
        return INCOMPLETE_DATA;
16155
    }
16156
16157
    /* check that the fragment is contained in the message */
16158
    if (fragOffset + fragSz > size) {
16159
        WOLFSSL_ERROR(LENGTH_ERROR);
16160
        return LENGTH_ERROR;
16161
    }
16162
16163
    if (type == finished && ssl->keys.dtls_peer_handshake_number >=
16164
                            ssl->keys.dtls_expected_peer_handshake_number &&
16165
                            ssl->keys.curEpoch == ssl->keys.dtls_epoch) {
16166
        /* finished msg should be ignore from the current epoch
16167
         * if it comes from a previous handshake */
16168
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
16169
            ignoreFinished = ssl->options.connectState < FINISHED_DONE;
16170
        }
16171
        else {
16172
            ignoreFinished = ssl->options.acceptState < ACCEPT_FINISHED_DONE;
16173
        }
16174
    }
16175
16176
    /* Check the handshake sequence number first. If out of order,
16177
     * add the current message to the list. If the message is in order,
16178
     * but it is a fragment, add the current message to the list, then
16179
     * check the head of the list to see if it is complete, if so, pop
16180
     * it out as the current message. If the message is complete and in
16181
     * order, process it. Check the head of the list to see if it is in
16182
     * order, if so, process it. (Repeat until list exhausted.) If the
16183
     * head is out of order, return for more processing.
16184
     */
16185
    if (ssl->keys.dtls_peer_handshake_number >
16186
            ssl->keys.dtls_expected_peer_handshake_number &&
16187
            /* Only client_hello shouldn't be ignored if the handshake
16188
             * num is greater */
16189
            (type == client_hello ||
16190
                    ssl->options.handShakeState != HANDSHAKE_DONE) &&
16191
            !ignoreFinished) {
16192
        /* Current message is out of order. It will get stored in the list.
16193
         * Storing also takes care of defragmentation. If the messages is a
16194
         * client hello, we need to process this out of order; the server
16195
         * is not supposed to keep state, but the second client hello will
16196
         * have a different handshake sequence number than is expected, and
16197
         * the server shouldn't be expecting any particular handshake sequence
16198
         * number. (If the cookie changes multiple times in quick succession,
16199
         * the client could be sending multiple new client hello messages
16200
         * with newer and newer cookies.) */
16201
        if (type != client_hello) {
16202
            WOLFSSL_MSG("Current message is out of order");
16203
            if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) {
16204
                DtlsMsgStore(ssl, ssl->keys.curEpoch,
16205
                             ssl->keys.dtls_peer_handshake_number,
16206
                             input + *inOutIdx, size, type,
16207
                             fragOffset, fragSz, ssl->heap);
16208
            }
16209
            *inOutIdx += fragSz;
16210
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
16211
            if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) {
16212
                word32 digestSz = MacSize(ssl);
16213
                if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz) {
16214
                    WOLFSSL_ERROR(BUFFER_E);
16215
                    return BUFFER_E;
16216
                }
16217
                *inOutIdx += digestSz;
16218
            }
16219
            else
16220
            #endif
16221
            {
16222
                if (*inOutIdx + ssl->keys.padSz > totalSz) {
16223
                    WOLFSSL_ERROR(BUFFER_E);
16224
                    return BUFFER_E;
16225
                }
16226
            }
16227
            *inOutIdx += ssl->keys.padSz;
16228
            ret = 0;
16229
            #ifndef WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT
16230
            /* If we receive an out of order last flight msg then retransmit */
16231
            if (type == server_hello_done || type == finished) {
16232
                ret = DtlsMsgPoolSend(ssl, 0);
16233
            }
16234
            #endif
16235
        }
16236
        else {
16237
            if (fragSz < size) {
16238
                /* a fragmented ClientHello, very probably forged or
16239
                   erroneous. Even if the packet is valid, we don't want to save
16240
                   state while processing a ClientHello to avoid DoS attacks */
16241
                WOLFSSL_MSG("Ignoring datagram with fragmented ClientHello");
16242
                *inOutIdx = totalSz;
16243
            }
16244
            else {
16245
            #ifdef WOLFSSL_NO_TLS12
16246
                ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
16247
                    totalSz);
16248
            #else
16249
                ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size,
16250
                    totalSz);
16251
            #endif
16252
            }
16253
        }
16254
    }
16255
    else if (ssl->keys.dtls_peer_handshake_number <
16256
                ssl->keys.dtls_expected_peer_handshake_number ||
16257
            /* ignore all handshake messages if we are done with the
16258
             * handshake */
16259
            (ssl->keys.dtls_peer_handshake_number >
16260
                ssl->keys.dtls_expected_peer_handshake_number &&
16261
                ssl->options.handShakeState == HANDSHAKE_DONE) ||
16262
            ignoreFinished) {
16263
        /* Already saw this message and processed it. It can be ignored. */
16264
        WOLFSSL_MSG("Already saw this message and processed it");
16265
        *inOutIdx += fragSz;
16266
        #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
16267
        if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) {
16268
            word32 digestSz = MacSize(ssl);
16269
            if (*inOutIdx + ssl->keys.padSz + digestSz > totalSz) {
16270
                WOLFSSL_ERROR(BUFFER_E);
16271
                return BUFFER_E;
16272
            }
16273
            *inOutIdx += digestSz;
16274
        }
16275
        else
16276
        #endif
16277
        {
16278
            if (*inOutIdx + ssl->keys.padSz > totalSz) {
16279
                WOLFSSL_ERROR(BUFFER_E);
16280
                return BUFFER_E;
16281
            }
16282
        }
16283
        #ifndef WOLFSSL_DTLS_RESEND_ONLY_TIMEOUT
16284
        if (IsDtlsNotSctpMode(ssl) &&
16285
            VerifyForDtlsMsgPoolSend(ssl, type, fragOffset)) {
16286
16287
            ret = DtlsMsgPoolSend(ssl, 0);
16288
        }
16289
        #endif
16290
        *inOutIdx += ssl->keys.padSz;
16291
    }
16292
    else if (fragSz < size) {
16293
        /* Since this branch is in order, but fragmented, dtls_rx_msg_list will
16294
         * be pointing to the message with this fragment in it. Check it to see
16295
         * if it is completed. */
16296
        WOLFSSL_MSG("Branch is in order, but fragmented");
16297
16298
        if (type == client_hello) {
16299
            WOLFSSL_MSG("Ignoring datagram with fragmented ClientHello");
16300
            *inOutIdx = totalSz;
16301
            return 0;
16302
        }
16303
16304
        if (ssl->dtls_rx_msg_list_sz < DTLS_POOL_SZ) {
16305
            DtlsMsgStore(ssl, ssl->keys.curEpoch,
16306
                         ssl->keys.dtls_peer_handshake_number,
16307
                         input + *inOutIdx, size, type,
16308
                         fragOffset, fragSz, ssl->heap);
16309
        }
16310
        *inOutIdx += fragSz;
16311
        *inOutIdx += ssl->keys.padSz;
16312
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
16313
        if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) {
16314
            word32 digestSz = MacSize(ssl);
16315
            if (*inOutIdx + digestSz > totalSz) {
16316
                WOLFSSL_ERROR(BUFFER_E);
16317
                return BUFFER_E;
16318
            }
16319
            *inOutIdx += digestSz;
16320
        }
16321
#endif
16322
        ret = 0;
16323
        if (ssl->dtls_rx_msg_list != NULL &&
16324
            ssl->dtls_rx_msg_list->fragSz >= ssl->dtls_rx_msg_list->sz)
16325
            ret = DtlsMsgDrain(ssl);
16326
    }
16327
    else {
16328
        /* This branch is in order next, and a complete message. On success
16329
         * clean the tx list. */
16330
        WOLFSSL_MSG("Branch is in order and a complete message");
16331
16332
#ifdef WOLFSSL_ASYNC_CRYPT
16333
        if (ssl->devId != INVALID_DEVID) {
16334
            word32 idx = *inOutIdx;
16335
            if (ssl->dtls_rx_msg_list_sz >= DTLS_POOL_SZ) {
16336
                WOLFSSL_ERROR(BUFFER_ERROR);
16337
                return BUFFER_ERROR;
16338
            }
16339
            if (idx + fragSz + ssl->keys.padSz > totalSz)
16340
                return BUFFER_E;
16341
            *inOutIdx = idx + fragSz + ssl->keys.padSz;
16342
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
16343
            if (ssl->options.startedETMRead && ssl->keys.curEpoch != 0) {
16344
                word32 digestSz = MacSize(ssl);
16345
                if (*inOutIdx + digestSz > totalSz)
16346
                    return BUFFER_E;
16347
                *inOutIdx += digestSz;
16348
            }
16349
#endif
16350
            /* In async mode always store the message and process it with
16351
             * DtlsMsgDrain because in case of a WC_PENDING_E it will be
16352
             * easier this way. */
16353
            DtlsMsgStore(ssl, ssl->keys.curEpoch,
16354
                         ssl->keys.dtls_peer_handshake_number,
16355
                         input + idx, size, type,
16356
                         fragOffset, fragSz, ssl->heap);
16357
            ret = DtlsMsgDrain(ssl);
16358
        }
16359
        else
16360
#endif
16361
        {
16362
#ifdef WOLFSSL_NO_TLS12
16363
            ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
16364
                                  totalSz);
16365
#else
16366
            ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz);
16367
#endif
16368
            if (ret == 0) {
16369
                DtlsTxMsgListClean(ssl);
16370
                if (ssl->dtls_rx_msg_list != NULL) {
16371
                    ret = DtlsMsgDrain(ssl);
16372
                }
16373
            }
16374
        }
16375
    }
16376
16377
    WOLFSSL_LEAVE("DoDtlsHandShakeMsg()", ret);
16378
    return ret;
16379
}
16380
#endif /* WOLFSSL_DTLS13 */
16381
16382
#ifndef WOLFSSL_NO_TLS12
16383
16384
#ifdef HAVE_AEAD
16385
16386
#if (!defined(NO_PUBLIC_GCM_SET_IV) && \
16387
    ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
16388
    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))) || \
16389
    (defined(HAVE_POLY1305) && defined(HAVE_CHACHA))
16390
static WC_INLINE void AeadIncrementExpIV(WOLFSSL* ssl)
16391
0
{
16392
0
    int i;
16393
0
    for (i = AEAD_MAX_EXP_SZ-1; i >= 0; i--) {
16394
0
        if (++ssl->keys.aead_exp_IV[i]) return;
16395
0
    }
16396
0
}
16397
#endif
16398
16399
16400
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && !defined(NO_CHAPOL_AEAD)
16401
/* Used for the older version of creating AEAD tags with Poly1305 */
16402
static int Poly1305TagOld(WOLFSSL* ssl, byte* additional, const byte* out,
16403
                       byte* cipher, word16 sz, byte* tag)
16404
0
{
16405
0
    int ret       = 0;
16406
0
    int msglen    = (sz - ssl->specs.aead_mac_size);
16407
0
    word32 keySz  = 32;
16408
0
    byte padding[8]; /* used to temporarily store lengths */
16409
16410
#ifdef CHACHA_AEAD_TEST
16411
      printf("Using old version of poly1305 input.\n");
16412
#endif
16413
16414
0
    if (msglen < 0)
16415
0
        return INPUT_CASE_ERROR;
16416
16417
0
    if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, cipher, keySz)) != 0)
16418
0
        return ret;
16419
16420
0
    if ((ret = wc_Poly1305Update(ssl->auth.poly1305, additional,
16421
0
                   AEAD_AUTH_DATA_SZ)) != 0)
16422
0
        return ret;
16423
16424
    /* length of additional input plus padding */
16425
0
    XMEMSET(padding, 0, sizeof(padding));
16426
0
    padding[0] = AEAD_AUTH_DATA_SZ;
16427
0
    if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding,
16428
0
                    sizeof(padding))) != 0)
16429
0
        return ret;
16430
16431
16432
    /* add cipher info and then its length */
16433
0
    XMEMSET(padding, 0, sizeof(padding));
16434
0
    if ((ret = wc_Poly1305Update(ssl->auth.poly1305, out, msglen)) != 0)
16435
0
        return ret;
16436
16437
    /* 32 bit size of cipher to 64 bit endian */
16438
0
    padding[0] =  msglen        & 0xff;
16439
0
    padding[1] = (msglen >>  8) & 0xff;
16440
0
    padding[2] = ((word32)msglen >> 16) & 0xff;
16441
0
    padding[3] = ((word32)msglen >> 24) & 0xff;
16442
0
    if ((ret = wc_Poly1305Update(ssl->auth.poly1305, padding, sizeof(padding)))
16443
0
        != 0)
16444
0
        return ret;
16445
16446
    /* generate tag */
16447
0
    if ((ret = wc_Poly1305Final(ssl->auth.poly1305, tag)) != 0)
16448
0
        return ret;
16449
16450
0
    return ret;
16451
0
}
16452
16453
16454
/* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set
16455
 * the implementation follows an older draft for creating the nonce and MAC.
16456
 * The flag oldPoly gets set automatically depending on what cipher suite was
16457
 * negotiated in the handshake. This is able to be done because the IDs for the
16458
 * cipher suites was updated in RFC7905 giving unique values for the older
16459
 * draft in comparison to the more recent RFC.
16460
 *
16461
 * ssl   WOLFSSL structure to get cipher and TLS state from
16462
 * out   output buffer to hold encrypted data
16463
 * input data to encrypt
16464
 * sz    size of input
16465
 *
16466
 * Return 0 on success negative values in error case
16467
 */
16468
int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
16469
                              word16 sz)
16470
0
{
16471
0
    const byte* additionalSrc = input - RECORD_HEADER_SZ;
16472
0
    int ret       = 0;
16473
0
    word32 msgLen = (sz - ssl->specs.aead_mac_size);
16474
0
    byte tag[POLY1305_AUTH_SZ];
16475
0
    byte add[AEAD_AUTH_DATA_SZ];
16476
0
    byte nonce[CHACHA20_NONCE_SZ];
16477
0
    byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for poly1305 */
16478
    #ifdef CHACHA_AEAD_TEST
16479
        int i;
16480
    #endif
16481
0
    Keys* keys = &ssl->keys;
16482
16483
0
    XMEMSET(tag,   0, sizeof(tag));
16484
0
    XMEMSET(nonce, 0, sizeof(nonce));
16485
0
    XMEMSET(poly,  0, sizeof(poly));
16486
0
    XMEMSET(add,   0, sizeof(add));
16487
16488
#if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
16489
    /*
16490
     * For epochs 2+:
16491
     * * use ssl->secure_renegotiation when encrypting the current epoch as it
16492
     *   has the current epoch cipher material
16493
     * * use PREV_ORDER if encrypting the epoch not in
16494
     *   ssl->secure_renegotiation
16495
     */
16496
    /* opaque SEQ number stored for AD */
16497
    if (ssl->options.dtls && DtlsSCRKeysSet(ssl)) {
16498
        if (ssl->keys.dtls_epoch ==
16499
                    ssl->secure_renegotiation->tmp_keys.dtls_epoch) {
16500
            keys = &ssl->secure_renegotiation->tmp_keys;
16501
            WriteSEQ(ssl, CUR_ORDER, add);
16502
        }
16503
        else
16504
            WriteSEQ(ssl, PREV_ORDER, add);
16505
    }
16506
    else
16507
#endif
16508
0
        WriteSEQ(ssl, CUR_ORDER, add);
16509
16510
0
    if (ssl->options.oldPoly != 0) {
16511
        /* get nonce. SEQ should not be incremented again here */
16512
0
        XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2);
16513
0
    }
16514
16515
    /* Store the type, version. Unfortunately, they are in
16516
     * the input buffer ahead of the plaintext. */
16517
    #ifdef WOLFSSL_DTLS
16518
        if (ssl->options.dtls) {
16519
            additionalSrc -= DTLS_HANDSHAKE_EXTRA;
16520
        }
16521
    #endif
16522
16523
    /* add TLS message size to additional data */
16524
0
    add[AEAD_AUTH_DATA_SZ - 2] = (msgLen >> 8) & 0xff;
16525
0
    add[AEAD_AUTH_DATA_SZ - 1] =  msgLen       & 0xff;
16526
16527
0
    XMEMCPY(add + AEAD_TYPE_OFFSET, additionalSrc, 3);
16528
16529
    #ifdef CHACHA_AEAD_TEST
16530
        printf("Encrypt Additional : ");
16531
        for (i = 0; i < AEAD_AUTH_DATA_SZ; i++) {
16532
            printf("%02x", add[i]);
16533
        }
16534
        printf("\n\n");
16535
        printf("input before encryption :\n");
16536
        for (i = 0; i < sz; i++) {
16537
            printf("%02x", input[i]);
16538
            if ((i + 1) % 16 == 0)
16539
                printf("\n");
16540
        }
16541
        printf("\n");
16542
    #endif
16543
16544
0
    if (ssl->options.oldPoly == 0) {
16545
        /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
16546
         * record sequence number XORed with client_write_IV/server_write_IV */
16547
0
        XMEMCPY(nonce, keys->aead_enc_imp_IV, CHACHA20_IMP_IV_SZ);
16548
0
        nonce[4]  ^= add[0];
16549
0
        nonce[5]  ^= add[1];
16550
0
        nonce[6]  ^= add[2];
16551
0
        nonce[7]  ^= add[3];
16552
0
        nonce[8]  ^= add[4];
16553
0
        nonce[9]  ^= add[5];
16554
0
        nonce[10] ^= add[6];
16555
0
        nonce[11] ^= add[7];
16556
0
    }
16557
#ifdef WOLFSSL_CHECK_MEM_ZERO
16558
    wc_MemZero_Add("ChachaAEADEncrypt nonce", nonce, CHACHA20_NONCE_SZ);
16559
#endif
16560
16561
    /* set the nonce for chacha and get poly1305 key */
16562
0
    if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0) {
16563
0
        ForceZero(nonce, CHACHA20_NONCE_SZ);
16564
    #ifdef WOLFSSL_CHECK_MEM_ZERO
16565
        wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
16566
    #endif
16567
0
        return ret;
16568
0
    }
16569
16570
    /* create Poly1305 key using chacha20 keystream */
16571
0
    if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, poly,
16572
0
                                                    poly, sizeof(poly))) != 0) {
16573
0
        ForceZero(nonce, CHACHA20_NONCE_SZ);
16574
    #ifdef WOLFSSL_CHECK_MEM_ZERO
16575
        wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
16576
    #endif
16577
0
        return ret;
16578
0
    }
16579
#ifdef WOLFSSL_CHECK_MEM_ZERO
16580
    wc_MemZero_Add("ChachaAEADEncrypt poly", poly, CHACHA20_256_KEY_SIZE);
16581
#endif
16582
16583
    /* set the counter after getting poly1305 key */
16584
0
    if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 1)) != 0) {
16585
0
        ForceZero(nonce, CHACHA20_NONCE_SZ);
16586
0
        ForceZero(poly, sizeof(poly));
16587
    #ifdef WOLFSSL_CHECK_MEM_ZERO
16588
        wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
16589
        wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16590
    #endif
16591
0
        return ret;
16592
0
    }
16593
0
    ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
16594
#ifdef WOLFSSL_CHECK_MEM_ZERO
16595
    wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
16596
#endif
16597
16598
    /* encrypt the plain text */
16599
0
    if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, out,
16600
0
                                                         input, msgLen)) != 0) {
16601
0
        ForceZero(poly, sizeof(poly));
16602
    #ifdef WOLFSSL_CHECK_MEM_ZERO
16603
        wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16604
    #endif
16605
0
        return ret;
16606
0
    }
16607
16608
    /* get the poly1305 tag using either old padding scheme or more recent */
16609
0
    if (ssl->options.oldPoly != 0) {
16610
0
        if ((ret = Poly1305TagOld(ssl, add, (const byte* )out,
16611
0
                                                         poly, sz, tag)) != 0) {
16612
0
            ForceZero(poly, sizeof(poly));
16613
        #ifdef WOLFSSL_CHECK_MEM_ZERO
16614
            wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16615
        #endif
16616
0
            return ret;
16617
0
        }
16618
0
    }
16619
0
    else {
16620
0
        if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly,
16621
0
                                                          sizeof(poly))) != 0) {
16622
0
            ForceZero(poly, sizeof(poly));
16623
        #ifdef WOLFSSL_CHECK_MEM_ZERO
16624
            wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16625
        #endif
16626
0
            return ret;
16627
0
        }
16628
0
        if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, add,
16629
0
                            sizeof(add), out, msgLen, tag, sizeof(tag))) != 0) {
16630
0
            ForceZero(poly, sizeof(poly));
16631
        #ifdef WOLFSSL_CHECK_MEM_ZERO
16632
            wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16633
        #endif
16634
0
            return ret;
16635
0
        }
16636
0
    }
16637
0
    ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
16638
#ifdef WOLFSSL_CHECK_MEM_ZERO
16639
    wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16640
#endif
16641
16642
    /* append tag to ciphertext */
16643
0
    XMEMCPY(out + msgLen, tag, sizeof(tag));
16644
16645
0
    AeadIncrementExpIV(ssl);
16646
16647
    #ifdef CHACHA_AEAD_TEST
16648
       printf("mac tag :\n");
16649
        for (i = 0; i < 16; i++) {
16650
           printf("%02x", tag[i]);
16651
           if ((i + 1) % 16 == 0)
16652
               printf("\n");
16653
        }
16654
       printf("\n\noutput after encrypt :\n");
16655
        for (i = 0; i < sz; i++) {
16656
           printf("%02x", out[i]);
16657
           if ((i + 1) % 16 == 0)
16658
               printf("\n");
16659
        }
16660
        printf("\n");
16661
    #endif
16662
16663
0
    return ret;
16664
0
}
16665
16666
16667
/* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set
16668
 * the implementation follows an older draft for creating the nonce and MAC.
16669
 * The flag oldPoly gets set automatically depending on what cipher suite was
16670
 * negotiated in the handshake. This is able to be done because the IDs for the
16671
 * cipher suites was updated in RFC7905 giving unique values for the older
16672
 * draft in comparison to the more recent RFC.
16673
 *
16674
 * ssl   WOLFSSL structure to get cipher and TLS state from
16675
 * plain output buffer to hold decrypted data
16676
 * input data to decrypt
16677
 * sz    size of input
16678
 *
16679
 * Return 0 on success negative values in error case
16680
 */
16681
static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
16682
                           word16 sz)
16683
0
{
16684
0
    byte add[AEAD_AUTH_DATA_SZ];
16685
0
    byte nonce[CHACHA20_NONCE_SZ];
16686
0
    byte tag[POLY1305_AUTH_SZ];
16687
0
    byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
16688
0
    int ret    = 0;
16689
0
    int msgLen = (sz - ssl->specs.aead_mac_size);
16690
0
    Keys* keys = &ssl->keys;
16691
16692
    #ifdef CHACHA_AEAD_TEST
16693
       int i;
16694
       printf("input before decrypt :\n");
16695
        for (i = 0; i < sz; i++) {
16696
           printf("%02x", input[i]);
16697
           if ((i + 1) % 16 == 0)
16698
               printf("\n");
16699
        }
16700
        printf("\n");
16701
    #endif
16702
16703
0
    XMEMSET(tag,   0, sizeof(tag));
16704
0
    XMEMSET(poly,  0, sizeof(poly));
16705
0
    XMEMSET(nonce, 0, sizeof(nonce));
16706
0
    XMEMSET(add,   0, sizeof(add));
16707
16708
#if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
16709
    /*
16710
     * For epochs 2+:
16711
     * * use ssl->secure_renegotiation when decrypting the latest epoch as it
16712
     *   has the latest epoch cipher material
16713
     */
16714
    if (ssl->options.dtls && DtlsSCRKeysSet(ssl) &&
16715
        ssl->keys.curEpoch == ssl->secure_renegotiation->tmp_keys.dtls_epoch)
16716
        keys = &ssl->secure_renegotiation->tmp_keys;
16717
#endif
16718
16719
    /* sequence number field is 64-bits */
16720
0
    WriteSEQ(ssl, PEER_ORDER, add);
16721
16722
0
    if (ssl->options.oldPoly != 0) {
16723
        /* get nonce, SEQ should not be incremented again here */
16724
0
        XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2);
16725
0
    }
16726
16727
    /* get AD info */
16728
    /* Store the type, version. */
16729
0
    add[AEAD_TYPE_OFFSET] = ssl->curRL.type;
16730
0
    add[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
16731
0
    add[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
16732
16733
    /* add TLS message size to additional data */
16734
0
    add[AEAD_AUTH_DATA_SZ - 2] = (msgLen >> 8) & 0xff;
16735
0
    add[AEAD_AUTH_DATA_SZ - 1] =  msgLen       & 0xff;
16736
16737
    #ifdef CHACHA_AEAD_TEST
16738
        printf("Decrypt Additional : ");
16739
        for (i = 0; i < AEAD_AUTH_DATA_SZ; i++) {
16740
            printf("%02x", add[i]);
16741
        }
16742
        printf("\n\n");
16743
    #endif
16744
16745
0
    if (ssl->options.oldPoly == 0) {
16746
        /* nonce is formed by 4 0x00 byte padded to the left followed by 8 byte
16747
         * record sequence number XORed with client_write_IV/server_write_IV */
16748
0
        XMEMCPY(nonce, keys->aead_dec_imp_IV, CHACHA20_IMP_IV_SZ);
16749
0
        nonce[4]  ^= add[0];
16750
0
        nonce[5]  ^= add[1];
16751
0
        nonce[6]  ^= add[2];
16752
0
        nonce[7]  ^= add[3];
16753
0
        nonce[8]  ^= add[4];
16754
0
        nonce[9]  ^= add[5];
16755
0
        nonce[10] ^= add[6];
16756
0
        nonce[11] ^= add[7];
16757
0
    }
16758
#ifdef WOLFSSL_CHECK_MEM_ZERO
16759
    wc_MemZero_Add("ChachaAEADEncrypt nonce", nonce, CHACHA20_NONCE_SZ);
16760
#endif
16761
16762
    /* set nonce and get poly1305 key */
16763
0
    if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0) {
16764
0
        ForceZero(nonce, CHACHA20_NONCE_SZ);
16765
    #ifdef WOLFSSL_CHECK_MEM_ZERO
16766
        wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
16767
    #endif
16768
0
        return ret;
16769
0
    }
16770
16771
    /* use chacha20 keystream to get poly1305 key for tag */
16772
0
    if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, poly,
16773
0
                                                    poly, sizeof(poly))) != 0) {
16774
0
        ForceZero(nonce, CHACHA20_NONCE_SZ);
16775
    #ifdef WOLFSSL_CHECK_MEM_ZERO
16776
        wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
16777
    #endif
16778
0
        return ret;
16779
0
    }
16780
#ifdef WOLFSSL_CHECK_MEM_ZERO
16781
    wc_MemZero_Add("ChachaAEADEncrypt poly", poly, CHACHA20_256_KEY_SIZE);
16782
#endif
16783
16784
    /* set counter after getting poly1305 key */
16785
0
    if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 1)) != 0) {
16786
0
        ForceZero(nonce, CHACHA20_NONCE_SZ);
16787
0
        ForceZero(poly, sizeof(poly));
16788
    #ifdef WOLFSSL_CHECK_MEM_ZERO
16789
        wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
16790
        wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16791
    #endif
16792
0
        return ret;
16793
0
    }
16794
0
    ForceZero(nonce, CHACHA20_NONCE_SZ); /* done with nonce, clear it */
16795
#ifdef WOLFSSL_CHECK_MEM_ZERO
16796
    wc_MemZero_Check(nonce, CHACHA20_NONCE_SZ);
16797
#endif
16798
16799
    /* get the tag using Poly1305 */
16800
0
    if (ssl->options.oldPoly != 0) {
16801
0
        if ((ret = Poly1305TagOld(ssl, add, input, poly, sz, tag)) != 0) {
16802
0
            ForceZero(poly, sizeof(poly));
16803
        #ifdef WOLFSSL_CHECK_MEM_ZERO
16804
            wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16805
        #endif
16806
0
            return ret;
16807
0
        }
16808
0
    }
16809
0
    else {
16810
0
        if ((ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly,
16811
0
                                                          sizeof(poly))) != 0) {
16812
0
            ForceZero(poly, sizeof(poly));
16813
        #ifdef WOLFSSL_CHECK_MEM_ZERO
16814
            wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16815
        #endif
16816
0
            return ret;
16817
0
        }
16818
0
        if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, add,
16819
0
                          sizeof(add), input, msgLen, tag, sizeof(tag))) != 0) {
16820
0
            ForceZero(poly, sizeof(poly));
16821
        #ifdef WOLFSSL_CHECK_MEM_ZERO
16822
            wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16823
        #endif
16824
0
            return ret;
16825
0
        }
16826
0
    }
16827
0
    ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
16828
#ifdef WOLFSSL_CHECK_MEM_ZERO
16829
    wc_MemZero_Check(poly, CHACHA20_256_KEY_SIZE);
16830
#endif
16831
16832
    /* check tag sent along with packet */
16833
0
    if (ConstantCompare(input + msgLen, tag, ssl->specs.aead_mac_size) != 0) {
16834
0
        WOLFSSL_MSG("MAC did not match");
16835
0
        if (!ssl->options.dtls)
16836
0
            SendAlert(ssl, alert_fatal, bad_record_mac);
16837
0
        WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
16838
0
        return VERIFY_MAC_ERROR;
16839
0
    }
16840
16841
    /* if the tag was good decrypt message */
16842
0
    if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, plain,
16843
0
                                                           input, msgLen)) != 0)
16844
0
        return ret;
16845
16846
    #ifdef CHACHA_AEAD_TEST
16847
       printf("plain after decrypt :\n");
16848
        for (i = 0; i < sz; i++) {
16849
           printf("%02x", plain[i]);
16850
           if ((i + 1) % 16 == 0)
16851
               printf("\n");
16852
        }
16853
        printf("\n");
16854
    #endif
16855
16856
0
    return ret;
16857
0
}
16858
#endif /* HAVE_CHACHA && HAVE_POLY1305 && !NO_CHAPOL_AEAD*/
16859
#endif /* HAVE_AEAD */
16860
16861
16862
#if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
16863
16864
#if !defined(NO_GCM_ENCRYPT_EXTRA) && \
16865
    ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
16866
    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
16867
/* The following type is used to share code between AES-GCM and AES-CCM. */
16868
    typedef int (*AesAuthEncryptFunc)(Aes* aes, byte* out,
16869
                                       const byte* in, word32 sz,
16870
                                       byte* iv, word32 ivSz,
16871
                                       byte* authTag, word32 authTagSz,
16872
                                       const byte* authIn, word32 authInSz);
16873
0
    #define AES_AUTH_ENCRYPT_FUNC AesAuthEncryptFunc
16874
0
    #define AES_GCM_ENCRYPT wc_AesGcmEncrypt_ex
16875
0
    #define AES_CCM_ENCRYPT wc_AesCcmEncrypt_ex
16876
#else
16877
    #define AES_AUTH_ENCRYPT_FUNC wc_AesAuthEncryptFunc
16878
    #define AES_GCM_ENCRYPT wc_AesGcmEncrypt
16879
    #define AES_CCM_ENCRYPT wc_AesCcmEncrypt
16880
#endif
16881
16882
#endif
16883
16884
16885
static WC_INLINE int EncryptDo(WOLFSSL* ssl, byte* out, const byte* input,
16886
    word16 sz, int asyncOkay)
16887
0
{
16888
0
    int ret = 0;
16889
#ifdef WOLFSSL_ASYNC_CRYPT
16890
    WC_ASYNC_DEV* asyncDev = NULL;
16891
    word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
16892
#else
16893
0
    (void)asyncOkay;
16894
0
#endif
16895
16896
0
    (void)out;
16897
0
    (void)input;
16898
0
    (void)sz;
16899
16900
0
    if (input == NULL) {
16901
0
        return BAD_FUNC_ARG;
16902
0
    }
16903
16904
0
    switch (ssl->specs.bulk_cipher_algorithm) {
16905
0
    #ifdef BUILD_ARC4
16906
0
        case wolfssl_rc4:
16907
0
            wc_Arc4Process(ssl->encrypt.arc4, out, input, sz);
16908
0
            break;
16909
0
    #endif
16910
16911
0
    #ifdef BUILD_DES3
16912
0
        case wolfssl_triple_des:
16913
        #ifdef WOLFSSL_ASYNC_CRYPT
16914
            /* initialize event */
16915
            asyncDev = &ssl->encrypt.des3->asyncDev;
16916
            ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
16917
            if (ret != 0)
16918
                break;
16919
        #endif
16920
16921
0
            ret = wc_Des3_CbcEncrypt(ssl->encrypt.des3, out, input, sz);
16922
        #ifdef WOLFSSL_ASYNC_CRYPT
16923
            if (ret == WC_PENDING_E && asyncOkay) {
16924
                ret = wolfSSL_AsyncPush(ssl, asyncDev);
16925
            }
16926
        #endif
16927
0
            break;
16928
0
    #endif
16929
16930
0
    #if defined(BUILD_AES) && defined(HAVE_AES_CBC)
16931
0
        case wolfssl_aes:
16932
        #ifdef WOLFSSL_ASYNC_CRYPT
16933
            /* initialize event */
16934
            asyncDev = &ssl->encrypt.aes->asyncDev;
16935
            ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
16936
            if (ret != 0)
16937
                break;
16938
        #endif
16939
0
            ret = wc_AesCbcEncrypt(ssl->encrypt.aes, out, input, sz);
16940
        #ifdef WOLFSSL_ASYNC_CRYPT
16941
            if (ret == WC_PENDING_E && asyncOkay) {
16942
                ret = wolfSSL_AsyncPush(ssl, asyncDev);
16943
            }
16944
        #endif
16945
0
            break;
16946
0
    #endif
16947
16948
0
    #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
16949
0
        case wolfssl_aes_gcm:
16950
0
        case wolfssl_aes_ccm:/* GCM AEAD macros use same size as CCM */
16951
0
        {
16952
0
            AES_AUTH_ENCRYPT_FUNC aes_auth_fn;
16953
0
            const byte* additionalSrc;
16954
16955
        #ifdef WOLFSSL_ASYNC_CRYPT
16956
            /* initialize event */
16957
            asyncDev = &ssl->encrypt.aes->asyncDev;
16958
            ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
16959
            if (ret != 0)
16960
                break;
16961
        #endif
16962
16963
0
        #if defined(BUILD_AESGCM) && defined(HAVE_AESCCM)
16964
0
            aes_auth_fn = (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
16965
0
                            ? AES_GCM_ENCRYPT : AES_CCM_ENCRYPT;
16966
        #elif defined(BUILD_AESGCM)
16967
            aes_auth_fn = AES_GCM_ENCRYPT;
16968
        #else
16969
            aes_auth_fn = AES_CCM_ENCRYPT;
16970
        #endif
16971
0
            additionalSrc = input - 5;
16972
16973
0
            XMEMSET(ssl->encrypt.additional, 0, AEAD_AUTH_DATA_SZ);
16974
16975
            /* sequence number field is 64-bits */
16976
0
            WriteSEQ(ssl, CUR_ORDER, ssl->encrypt.additional);
16977
16978
            /* Store the type, version. Unfortunately, they are in
16979
             * the input buffer ahead of the plaintext. */
16980
        #ifdef WOLFSSL_DTLS
16981
            if (ssl->options.dtls) {
16982
                additionalSrc -= DTLS_HANDSHAKE_EXTRA;
16983
            }
16984
        #endif
16985
0
            XMEMCPY(ssl->encrypt.additional + AEAD_TYPE_OFFSET,
16986
0
                                                        additionalSrc, 3);
16987
16988
            /* Store the length of the plain text minus the explicit
16989
             * IV length minus the authentication tag size. */
16990
0
            c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
16991
0
                                ssl->encrypt.additional + AEAD_LEN_OFFSET);
16992
#if !defined(NO_PUBLIC_GCM_SET_IV) && \
16993
    ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
16994
    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
16995
            XMEMCPY(ssl->encrypt.nonce,
16996
                                ssl->keys.aead_enc_imp_IV, AESGCM_IMP_IV_SZ);
16997
            XMEMCPY(ssl->encrypt.nonce + AESGCM_IMP_IV_SZ,
16998
                                ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
16999
#endif
17000
0
            ret = aes_auth_fn(ssl->encrypt.aes,
17001
0
                    out + AESGCM_EXP_IV_SZ, input + AESGCM_EXP_IV_SZ,
17002
0
                    sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
17003
0
                    ssl->encrypt.nonce, AESGCM_NONCE_SZ,
17004
0
                    out + sz - ssl->specs.aead_mac_size,
17005
0
                    ssl->specs.aead_mac_size,
17006
0
                    ssl->encrypt.additional, AEAD_AUTH_DATA_SZ);
17007
        #ifdef WOLFSSL_ASYNC_CRYPT
17008
            if (ret == WC_PENDING_E && asyncOkay) {
17009
                ret = wolfSSL_AsyncPush(ssl, asyncDev);
17010
            }
17011
        #endif
17012
0
#if !defined(NO_PUBLIC_GCM_SET_IV) && \
17013
0
    ((!defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)) || \
17014
0
    (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION >= 2)))
17015
0
            XMEMCPY(out,
17016
0
                    ssl->encrypt.nonce + AESGCM_IMP_IV_SZ, AESGCM_EXP_IV_SZ);
17017
0
#endif
17018
0
        }
17019
0
        break;
17020
0
    #endif /* BUILD_AESGCM || HAVE_AESCCM */
17021
17022
0
    #ifdef HAVE_CAMELLIA
17023
0
        case wolfssl_camellia:
17024
0
            ret = wc_CamelliaCbcEncrypt(ssl->encrypt.cam, out, input, sz);
17025
0
            break;
17026
0
    #endif
17027
17028
0
    #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && \
17029
0
        !defined(NO_CHAPOL_AEAD)
17030
0
        case wolfssl_chacha:
17031
0
            ret = ChachaAEADEncrypt(ssl, out, input, sz);
17032
0
            break;
17033
0
    #endif
17034
17035
    #ifdef HAVE_NULL_CIPHER
17036
        case wolfssl_cipher_null:
17037
            if (input != out) {
17038
                XMEMMOVE(out, input, sz);
17039
            }
17040
            break;
17041
    #endif
17042
17043
0
        default:
17044
0
            WOLFSSL_MSG("wolfSSL Encrypt programming error");
17045
0
            ret = ENCRYPT_ERROR;
17046
0
            WOLFSSL_ERROR_VERBOSE(ret);
17047
0
    }
17048
17049
#ifdef WOLFSSL_ASYNC_CRYPT
17050
    /* if async is not okay, then block */
17051
    if (ret == WC_PENDING_E && !asyncOkay) {
17052
        ret = wc_AsyncWait(ret, asyncDev, event_flags);
17053
    }
17054
#endif
17055
17056
0
    return ret;
17057
0
}
17058
17059
static WC_INLINE int Encrypt(WOLFSSL* ssl, byte* out, const byte* input,
17060
    word16 sz, int asyncOkay)
17061
0
{
17062
0
    int ret = 0;
17063
17064
#ifdef WOLFSSL_ASYNC_CRYPT
17065
    if (ssl->error == WC_PENDING_E) {
17066
        ssl->error = 0; /* clear async */
17067
    }
17068
#endif
17069
17070
0
    switch (ssl->encrypt.state) {
17071
0
        case CIPHER_STATE_BEGIN:
17072
0
        {
17073
0
            if (ssl->encrypt.setup == 0) {
17074
0
                WOLFSSL_MSG("Encrypt ciphers not setup");
17075
0
                WOLFSSL_ERROR_VERBOSE(ENCRYPT_ERROR);
17076
0
                return ENCRYPT_ERROR;
17077
0
            }
17078
17079
        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
17080
            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) {
17081
                XMEMCPY(ssl->encrypt.sanityCheck, input,
17082
                    min(sz, sizeof(ssl->encrypt.sanityCheck)));
17083
            }
17084
        #endif
17085
17086
        #ifdef HAVE_FUZZER
17087
            if (ssl->fuzzerCb)
17088
                ssl->fuzzerCb(ssl, input, sz, FUZZ_ENCRYPT, ssl->fuzzerCtx);
17089
        #endif
17090
17091
0
        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
17092
            /* make sure AES GCM/CCM memory is allocated */
17093
            /* free for these happens in FreeCiphers */
17094
0
            if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
17095
0
                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) {
17096
                /* make sure auth iv and auth are allocated */
17097
0
                if (ssl->encrypt.additional == NULL)
17098
0
                    ssl->encrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ,
17099
0
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
17100
0
                if (ssl->encrypt.nonce == NULL) {
17101
0
                    ssl->encrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ,
17102
0
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
17103
                #ifdef WOLFSSL_CHECK_MEM_ZERO
17104
                    if (ssl->encrypt.nonce != NULL) {
17105
                        wc_MemZero_Add("Encrypt nonce", ssl->encrypt.nonce,
17106
                            AESGCM_NONCE_SZ);
17107
                    }
17108
                #endif
17109
0
                }
17110
0
                if (ssl->encrypt.additional == NULL ||
17111
0
                         ssl->encrypt.nonce == NULL) {
17112
0
                    return MEMORY_E;
17113
0
                }
17114
0
            }
17115
0
        #endif /* BUILD_AESGCM || HAVE_AESCCM */
17116
17117
            /* Advance state and proceed */
17118
0
            ssl->encrypt.state = CIPHER_STATE_DO;
17119
0
        }
17120
0
        FALL_THROUGH;
17121
17122
0
        case CIPHER_STATE_DO:
17123
0
        {
17124
0
            ret = EncryptDo(ssl, out, input, sz, asyncOkay);
17125
17126
            /* Advance state */
17127
0
            ssl->encrypt.state = CIPHER_STATE_END;
17128
17129
        #ifdef WOLFSSL_ASYNC_CRYPT
17130
            /* If pending, then leave and return will resume below */
17131
            if (ret == WC_PENDING_E) {
17132
                return ret;
17133
            }
17134
        #endif
17135
0
        }
17136
0
        FALL_THROUGH;
17137
17138
0
        case CIPHER_STATE_END:
17139
0
        {
17140
        #ifdef WOLFSSL_CIPHER_TEXT_CHECK
17141
            if (ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null &&
17142
                XMEMCMP(out, ssl->encrypt.sanityCheck,
17143
                    min(sz, sizeof(ssl->encrypt.sanityCheck))) == 0) {
17144
17145
                WOLFSSL_MSG("Encrypt sanity check failed! Glitch?");
17146
                WOLFSSL_ERROR_VERBOSE(ENCRYPT_ERROR);
17147
                return ENCRYPT_ERROR;
17148
            }
17149
            ForceZero(ssl->encrypt.sanityCheck,
17150
                sizeof(ssl->encrypt.sanityCheck));
17151
        #endif
17152
17153
0
        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
17154
0
            if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
17155
0
                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
17156
0
            {
17157
                /* finalize authentication cipher */
17158
#if !defined(NO_PUBLIC_GCM_SET_IV) && \
17159
    ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
17160
    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)))
17161
                AeadIncrementExpIV(ssl);
17162
#endif
17163
0
                if (ssl->encrypt.nonce)
17164
0
                    ForceZero(ssl->encrypt.nonce, AESGCM_NONCE_SZ);
17165
0
            }
17166
0
        #endif /* BUILD_AESGCM || HAVE_AESCCM */
17167
        #ifdef WOLFSSL_CHECK_MEM_ZERO
17168
            if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
17169
                    (out != input) && (ret == 0)) {
17170
                wc_MemZero_Add("TLS Encrypt plaintext", input, sz);
17171
            }
17172
        #endif
17173
0
            break;
17174
0
        }
17175
17176
0
        default:
17177
0
            break;
17178
0
    }
17179
17180
    /* Reset state */
17181
0
    ssl->encrypt.state = CIPHER_STATE_BEGIN;
17182
17183
0
    return ret;
17184
0
}
17185
17186
17187
static WC_INLINE int DecryptDo(WOLFSSL* ssl, byte* plain, const byte* input,
17188
                           word16 sz)
17189
0
{
17190
0
    int ret = 0;
17191
17192
0
    (void)plain;
17193
0
    (void)input;
17194
0
    (void)sz;
17195
17196
0
    switch (ssl->specs.bulk_cipher_algorithm)
17197
0
    {
17198
0
    #ifdef BUILD_ARC4
17199
0
        case wolfssl_rc4:
17200
0
            wc_Arc4Process(ssl->decrypt.arc4, plain, input, sz);
17201
0
            break;
17202
0
    #endif
17203
17204
0
    #ifdef BUILD_DES3
17205
0
        case wolfssl_triple_des:
17206
        #ifdef WOLFSSL_ASYNC_CRYPT
17207
            /* initialize event */
17208
            ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.des3->asyncDev,
17209
                WC_ASYNC_FLAG_CALL_AGAIN);
17210
            if (ret != 0)
17211
                break;
17212
        #endif
17213
17214
0
            ret = wc_Des3_CbcDecrypt(ssl->decrypt.des3, plain, input, sz);
17215
        #ifdef WOLFSSL_ASYNC_CRYPT
17216
            if (ret == WC_PENDING_E) {
17217
                ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.des3->asyncDev);
17218
            }
17219
        #endif
17220
0
            break;
17221
0
    #endif
17222
17223
0
    #if defined(BUILD_AES) && defined(HAVE_AES_CBC)
17224
0
        case wolfssl_aes:
17225
        #ifdef WOLFSSL_ASYNC_CRYPT
17226
            /* initialize event */
17227
            ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
17228
                WC_ASYNC_FLAG_CALL_AGAIN);
17229
            if (ret != 0)
17230
                break;
17231
        #endif
17232
0
            ret = wc_AesCbcDecrypt(ssl->decrypt.aes, plain, input, sz);
17233
        #ifdef WOLFSSL_ASYNC_CRYPT
17234
            if (ret == WC_PENDING_E) {
17235
                ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
17236
            }
17237
        #endif
17238
0
            break;
17239
0
    #endif
17240
17241
0
    #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
17242
0
        case wolfssl_aes_gcm:
17243
0
        case wolfssl_aes_ccm: /* GCM AEAD macros use same size as CCM */
17244
0
        {
17245
0
            wc_AesAuthDecryptFunc aes_auth_fn;
17246
17247
        #ifdef WOLFSSL_ASYNC_CRYPT
17248
            /* initialize event */
17249
            ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
17250
                WC_ASYNC_FLAG_CALL_AGAIN);
17251
            if (ret != 0)
17252
                break;
17253
        #endif
17254
17255
0
        #if defined(BUILD_AESGCM) && defined(HAVE_AESCCM)
17256
0
            aes_auth_fn = (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm)
17257
0
                            ? wc_AesGcmDecrypt : wc_AesCcmDecrypt;
17258
        #elif defined(BUILD_AESGCM)
17259
            aes_auth_fn = wc_AesGcmDecrypt;
17260
        #else
17261
            aes_auth_fn = wc_AesCcmDecrypt;
17262
        #endif
17263
17264
0
            XMEMSET(ssl->decrypt.additional, 0, AEAD_AUTH_DATA_SZ);
17265
17266
            /* sequence number field is 64-bits */
17267
0
            WriteSEQ(ssl, PEER_ORDER, ssl->decrypt.additional);
17268
17269
0
            ssl->decrypt.additional[AEAD_TYPE_OFFSET] = ssl->curRL.type;
17270
0
            ssl->decrypt.additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
17271
0
            ssl->decrypt.additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
17272
17273
0
            c16toa(sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
17274
0
                                    ssl->decrypt.additional + AEAD_LEN_OFFSET);
17275
17276
        #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
17277
            if (ssl->options.dtls && IsDtlsMsgSCRKeys(ssl))
17278
                XMEMCPY(ssl->decrypt.nonce,
17279
                        ssl->secure_renegotiation->tmp_keys.aead_dec_imp_IV,
17280
                        AESGCM_IMP_IV_SZ);
17281
            else
17282
        #endif
17283
0
                XMEMCPY(ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
17284
0
                        AESGCM_IMP_IV_SZ);
17285
0
            XMEMCPY(ssl->decrypt.nonce + AESGCM_IMP_IV_SZ, input,
17286
0
                                                            AESGCM_EXP_IV_SZ);
17287
0
            if ((ret = aes_auth_fn(ssl->decrypt.aes,
17288
0
                        plain + AESGCM_EXP_IV_SZ,
17289
0
                        input + AESGCM_EXP_IV_SZ,
17290
0
                           sz - AESGCM_EXP_IV_SZ - ssl->specs.aead_mac_size,
17291
0
                        ssl->decrypt.nonce, AESGCM_NONCE_SZ,
17292
0
                        input + sz - ssl->specs.aead_mac_size,
17293
0
                        ssl->specs.aead_mac_size,
17294
0
                        ssl->decrypt.additional, AEAD_AUTH_DATA_SZ)) < 0) {
17295
            #ifdef WOLFSSL_ASYNC_CRYPT
17296
                if (ret == WC_PENDING_E) {
17297
                    ret = wolfSSL_AsyncPush(ssl, &ssl->decrypt.aes->asyncDev);
17298
                }
17299
            #endif
17300
0
            }
17301
0
        }
17302
0
        break;
17303
0
    #endif /* BUILD_AESGCM || HAVE_AESCCM */
17304
17305
0
    #ifdef HAVE_CAMELLIA
17306
0
        case wolfssl_camellia:
17307
0
            ret = wc_CamelliaCbcDecrypt(ssl->decrypt.cam, plain, input, sz);
17308
0
            break;
17309
0
    #endif
17310
17311
0
    #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && \
17312
0
        !defined(NO_CHAPOL_AEAD)
17313
0
        case wolfssl_chacha:
17314
0
            ret = ChachaAEADDecrypt(ssl, plain, input, sz);
17315
0
            break;
17316
0
    #endif
17317
17318
    #ifdef HAVE_NULL_CIPHER
17319
        case wolfssl_cipher_null:
17320
            if (input != plain) {
17321
                XMEMMOVE(plain, input, sz);
17322
            }
17323
            break;
17324
    #endif
17325
17326
0
        default:
17327
0
            WOLFSSL_MSG("wolfSSL Decrypt programming error");
17328
0
            WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
17329
0
            ret = DECRYPT_ERROR;
17330
0
    }
17331
17332
#ifdef WOLFSSL_CHECK_MEM_ZERO
17333
    if ((ssl->specs.bulk_cipher_algorithm != wolfssl_cipher_null) &&
17334
            (ret == 0)) {
17335
        wc_MemZero_Add("Decrypted data", plain, sz);
17336
    }
17337
#endif
17338
17339
0
    return ret;
17340
0
}
17341
17342
static int DecryptTls(WOLFSSL* ssl, byte* plain, const byte* input, word16 sz)
17343
0
{
17344
0
    int ret = 0;
17345
17346
#ifdef WOLFSSL_ASYNC_CRYPT
17347
    ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
17348
    if (ret != WC_NOT_PENDING_E) {
17349
        /* check for still pending */
17350
        if (ret == WC_PENDING_E)
17351
            return ret;
17352
17353
        ssl->error = 0; /* clear async */
17354
17355
        /* let failures through so CIPHER_STATE_END logic is run */
17356
    }
17357
    else
17358
#endif
17359
0
    {
17360
        /* Reset state */
17361
0
        ret = 0;
17362
0
        ssl->decrypt.state = CIPHER_STATE_BEGIN;
17363
0
    }
17364
17365
0
    switch (ssl->decrypt.state) {
17366
0
        case CIPHER_STATE_BEGIN:
17367
0
        {
17368
0
            if (ssl->decrypt.setup == 0) {
17369
0
                WOLFSSL_MSG("Decrypt ciphers not setup");
17370
0
                WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
17371
0
                return DECRYPT_ERROR;
17372
0
            }
17373
17374
0
        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
17375
            /* make sure AES GCM/CCM memory is allocated */
17376
            /* free for these happens in FreeCiphers */
17377
0
            if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
17378
0
                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) {
17379
                /* make sure auth iv and auth are allocated */
17380
0
                if (ssl->decrypt.additional == NULL)
17381
0
                    ssl->decrypt.additional = (byte*)XMALLOC(AEAD_AUTH_DATA_SZ,
17382
0
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
17383
0
                if (ssl->decrypt.nonce == NULL) {
17384
0
                    ssl->decrypt.nonce = (byte*)XMALLOC(AESGCM_NONCE_SZ,
17385
0
                                            ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
17386
                #ifdef WOLFSSL_CHECK_MEM_ZERO
17387
                    if (ssl->decrypt.nonce != NULL) {
17388
                        wc_MemZero_Add("DecryptTls nonce", ssl->decrypt.nonce,
17389
                            AESGCM_NONCE_SZ);
17390
                    }
17391
                #endif
17392
0
                }
17393
0
                if (ssl->decrypt.additional == NULL ||
17394
0
                         ssl->decrypt.nonce == NULL) {
17395
0
                    return MEMORY_E;
17396
0
                }
17397
0
            }
17398
0
        #endif /* BUILD_AESGCM || HAVE_AESCCM */
17399
17400
            /* Advance state and proceed */
17401
0
            ssl->decrypt.state = CIPHER_STATE_DO;
17402
0
        }
17403
0
        FALL_THROUGH;
17404
0
        case CIPHER_STATE_DO:
17405
0
        {
17406
        #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
17407
            if (ssl->options.dtls && DtlsSCRKeysSet(ssl)) {
17408
                /* For epochs >1 the current cipher parameters are located in
17409
                 * ssl->secure_renegotiation->tmp_keys. Previous cipher
17410
                 * parameters and for epoch 1 use ssl->keys */
17411
                if (ssl->keys.curEpoch ==
17412
                        ssl->secure_renegotiation->tmp_keys.dtls_epoch) {
17413
                    if (ssl->decrypt.src != SCR) {
17414
                        ssl->secure_renegotiation->cache_status =
17415
                                SCR_CACHE_NEEDED;
17416
                        if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
17417
                            break;
17418
                    }
17419
                }
17420
                else {
17421
                    if (ssl->decrypt.src != KEYS) {
17422
                        ssl->secure_renegotiation->cache_status =
17423
                                SCR_CACHE_NULL;
17424
                        if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
17425
                            break;
17426
                    }
17427
                }
17428
            }
17429
        #endif
17430
17431
0
            ret = DecryptDo(ssl, plain, input, sz);
17432
17433
            /* Advance state */
17434
0
            ssl->decrypt.state = CIPHER_STATE_END;
17435
17436
        #ifdef WOLFSSL_ASYNC_CRYPT
17437
            /* If pending, leave and return below */
17438
            if (ret == WC_PENDING_E) {
17439
                return ret;
17440
            }
17441
        #endif
17442
0
        }
17443
0
        FALL_THROUGH;
17444
0
        case CIPHER_STATE_END:
17445
0
        {
17446
0
        #if defined(BUILD_AESGCM) || defined(HAVE_AESCCM)
17447
            /* make sure AES GCM/CCM nonce is cleared */
17448
0
            if (ssl->specs.bulk_cipher_algorithm == wolfssl_aes_ccm ||
17449
0
                ssl->specs.bulk_cipher_algorithm == wolfssl_aes_gcm) {
17450
0
                if (ssl->decrypt.nonce)
17451
0
                    ForceZero(ssl->decrypt.nonce, AESGCM_NONCE_SZ);
17452
17453
0
                if (ret < 0) {
17454
0
                    ret = VERIFY_MAC_ERROR;
17455
0
                    WOLFSSL_ERROR_VERBOSE(ret);
17456
0
                }
17457
0
            }
17458
0
        #endif /* BUILD_AESGCM || HAVE_AESCCM */
17459
0
            break;
17460
0
        }
17461
17462
0
        default:
17463
0
            break;
17464
0
    }
17465
17466
    /* Reset state */
17467
0
    ssl->decrypt.state = CIPHER_STATE_BEGIN;
17468
17469
0
    return ret;
17470
0
}
17471
17472
#endif /* !WOLFSSL_NO_TLS12 */
17473
17474
/* Check conditions for a cipher to have an explicit IV.
17475
 *
17476
 * ssl  The SSL/TLS object.
17477
 * returns 1 if the cipher in use has an explicit IV and 0 otherwise.
17478
 */
17479
static WC_INLINE int CipherHasExpIV(WOLFSSL *ssl)
17480
0
{
17481
0
#ifdef WOLFSSL_TLS13
17482
0
    if (ssl->options.tls1_3)
17483
0
        return 0;
17484
0
#endif
17485
0
    return (ssl->specs.cipher_type == aead) &&
17486
0
            (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha);
17487
0
}
17488
17489
/* check cipher text size for sanity */
17490
static int SanityCheckCipherText(WOLFSSL* ssl, word32 encryptSz)
17491
0
{
17492
#ifdef HAVE_TRUNCATED_HMAC
17493
    word32 minLength = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
17494
                                           : ssl->specs.hash_size;
17495
#else
17496
0
    word32 minLength = ssl->specs.hash_size; /* covers stream */
17497
0
#endif
17498
17499
0
#ifndef WOLFSSL_AEAD_ONLY
17500
0
    if (ssl->specs.cipher_type == block) {
17501
0
#ifdef HAVE_ENCRYPT_THEN_MAC
17502
0
        if (ssl->options.startedETMRead) {
17503
0
            if ((encryptSz - MacSize(ssl)) % ssl->specs.block_size) {
17504
0
                WOLFSSL_MSG("Block ciphertext not block size");
17505
0
                WOLFSSL_ERROR_VERBOSE(SANITY_CIPHER_E);
17506
0
                return SANITY_CIPHER_E;
17507
0
            }
17508
0
        }
17509
0
        else
17510
0
#endif
17511
0
        if (encryptSz % ssl->specs.block_size) {
17512
0
            WOLFSSL_MSG("Block ciphertext not block size");
17513
0
            WOLFSSL_ERROR_VERBOSE(SANITY_CIPHER_E);
17514
0
            return SANITY_CIPHER_E;
17515
0
        }
17516
17517
0
        minLength++;  /* pad byte */
17518
17519
0
        if (ssl->specs.block_size > minLength)
17520
0
            minLength = ssl->specs.block_size;
17521
17522
0
        if (ssl->options.tls1_1)
17523
0
            minLength += ssl->specs.block_size;  /* explicit IV */
17524
0
    }
17525
0
    else
17526
0
#endif
17527
0
    if (ssl->specs.cipher_type == aead) {
17528
0
        minLength = ssl->specs.aead_mac_size;    /* authTag size */
17529
0
        if (CipherHasExpIV(ssl))
17530
0
            minLength += AESGCM_EXP_IV_SZ;       /* explicit IV  */
17531
0
    }
17532
17533
0
    if (encryptSz < minLength) {
17534
0
        WOLFSSL_MSG("Ciphertext not minimum size");
17535
0
        WOLFSSL_ERROR_VERBOSE(SANITY_CIPHER_E);
17536
0
        return SANITY_CIPHER_E;
17537
0
    }
17538
17539
0
    return 0;
17540
0
}
17541
17542
17543
#ifndef WOLFSSL_AEAD_ONLY
17544
#ifdef WOLSSL_OLD_TIMINGPADVERIFY
17545
#define COMPRESS_LOWER      64
17546
#define COMPRESS_UPPER      55
17547
#define COMPRESS_CONSTANT   13
17548
17549
#ifndef NO_OLD_TLS
17550
17551
static WC_INLINE void Md5Rounds(int rounds, const byte* data, int sz)
17552
{
17553
    wc_Md5 md5;
17554
    int i;
17555
17556
    wc_InitMd5(&md5);   /* no error check on purpose, dummy round */
17557
17558
    for (i = 0; i < rounds; i++)
17559
        wc_Md5Update(&md5, data, sz);
17560
    wc_Md5Free(&md5); /* in case needed to release resources */
17561
}
17562
17563
17564
17565
/* do a dummy sha round */
17566
static WC_INLINE void ShaRounds(int rounds, const byte* data, int sz)
17567
{
17568
    wc_Sha sha;
17569
    int i;
17570
17571
    wc_InitSha(&sha);  /* no error check on purpose, dummy round */
17572
17573
    for (i = 0; i < rounds; i++)
17574
        wc_ShaUpdate(&sha, data, sz);
17575
    wc_ShaFree(&sha); /* in case needed to release resources */
17576
}
17577
#endif
17578
17579
17580
#ifndef NO_SHA256
17581
17582
static WC_INLINE void Sha256Rounds(int rounds, const byte* data, int sz)
17583
{
17584
    wc_Sha256 sha256;
17585
    int i;
17586
17587
    wc_InitSha256(&sha256);  /* no error check on purpose, dummy round */
17588
17589
    for (i = 0; i < rounds; i++) {
17590
        wc_Sha256Update(&sha256, data, sz);
17591
        /* no error check on purpose, dummy round */
17592
    }
17593
    wc_Sha256Free(&sha256); /* in case needed to release resources */
17594
}
17595
17596
#endif
17597
17598
17599
#ifdef WOLFSSL_SHA384
17600
17601
static WC_INLINE void Sha384Rounds(int rounds, const byte* data, int sz)
17602
{
17603
    wc_Sha384 sha384;
17604
    int i;
17605
17606
    wc_InitSha384(&sha384);  /* no error check on purpose, dummy round */
17607
17608
    for (i = 0; i < rounds; i++) {
17609
        wc_Sha384Update(&sha384, data, sz);
17610
        /* no error check on purpose, dummy round */
17611
    }
17612
    wc_Sha384Free(&sha384); /* in case needed to release resources */
17613
}
17614
17615
#endif
17616
17617
17618
#ifdef WOLFSSL_SHA512
17619
static WC_INLINE void Sha512Rounds(int rounds, const byte* data, int sz)
17620
{
17621
    wc_Sha512 sha512;
17622
    int i;
17623
17624
    wc_InitSha512(&sha512);  /* no error check on purpose, dummy round */
17625
17626
    for (i = 0; i < rounds; i++) {
17627
        wc_Sha512Update(&sha512, data, sz);
17628
        /* no error check on purpose, dummy round */
17629
    }
17630
    wc_Sha512Free(&sha512); /* in case needed to release resources */
17631
}
17632
17633
#endif
17634
17635
17636
#ifdef WOLFSSL_RIPEMD
17637
17638
static WC_INLINE void RmdRounds(int rounds, const byte* data, int sz)
17639
{
17640
    RipeMd ripemd;
17641
    int i;
17642
17643
    wc_InitRipeMd(&ripemd);
17644
17645
    for (i = 0; i < rounds; i++)
17646
        wc_RipeMdUpdate(&ripemd, data, sz);
17647
}
17648
17649
#endif
17650
17651
17652
/* Do dummy rounds */
17653
static WC_INLINE void DoRounds(int type, int rounds, const byte* data, int sz)
17654
{
17655
    (void)rounds;
17656
    (void)data;
17657
    (void)sz;
17658
17659
    switch (type) {
17660
        case no_mac :
17661
            break;
17662
17663
#ifndef NO_OLD_TLS
17664
#ifndef NO_MD5
17665
        case md5_mac :
17666
            Md5Rounds(rounds, data, sz);
17667
            break;
17668
#endif
17669
17670
#ifndef NO_SHA
17671
        case sha_mac :
17672
            ShaRounds(rounds, data, sz);
17673
            break;
17674
#endif
17675
#endif
17676
17677
#ifndef NO_SHA256
17678
        case sha256_mac :
17679
            Sha256Rounds(rounds, data, sz);
17680
            break;
17681
#endif
17682
17683
#ifdef WOLFSSL_SHA384
17684
        case sha384_mac :
17685
            Sha384Rounds(rounds, data, sz);
17686
            break;
17687
#endif
17688
17689
#ifdef WOLFSSL_SHA512
17690
        case sha512_mac :
17691
            Sha512Rounds(rounds, data, sz);
17692
            break;
17693
#endif
17694
17695
#ifdef WOLFSSL_RIPEMD
17696
        case rmd_mac :
17697
            RmdRounds(rounds, data, sz);
17698
            break;
17699
#endif
17700
17701
        default:
17702
            WOLFSSL_MSG("Bad round type");
17703
            break;
17704
    }
17705
}
17706
17707
17708
/* do number of compression rounds on dummy data */
17709
static WC_INLINE void CompressRounds(WOLFSSL* ssl, int rounds, const byte* dummy)
17710
{
17711
    if (rounds)
17712
        DoRounds(ssl->specs.mac_algorithm, rounds, dummy, COMPRESS_LOWER);
17713
}
17714
17715
17716
/* check all length bytes for the pad value, return 0 on success */
17717
static int PadCheck(const byte* a, byte pad, int length)
17718
{
17719
    int i;
17720
    int compareSum = 0;
17721
17722
    for (i = 0; i < length; i++) {
17723
        compareSum |= a[i] ^ pad;
17724
    }
17725
17726
    return compareSum;
17727
}
17728
17729
17730
/* get compression extra rounds */
17731
static WC_INLINE int GetRounds(int pLen, int padLen, int t)
17732
{
17733
    int  roundL1 = 1;  /* round up flags */
17734
    int  roundL2 = 1;
17735
17736
    int L1 = COMPRESS_CONSTANT + pLen - t;
17737
    int L2 = COMPRESS_CONSTANT + pLen - padLen - 1 - t;
17738
17739
    L1 -= COMPRESS_UPPER;
17740
    L2 -= COMPRESS_UPPER;
17741
17742
    if ( (L1 % COMPRESS_LOWER) == 0)
17743
        roundL1 = 0;
17744
    if ( (L2 % COMPRESS_LOWER) == 0)
17745
        roundL2 = 0;
17746
17747
    L1 /= COMPRESS_LOWER;
17748
    L2 /= COMPRESS_LOWER;
17749
17750
    L1 += roundL1;
17751
    L2 += roundL2;
17752
17753
    return L1 - L2;
17754
}
17755
17756
17757
/* timing resistant pad/verify check, return 0 on success */
17758
 int TimingPadVerify(WOLFSSL* ssl, const byte* input, int padLen, int t,
17759
                     int pLen, int content)
17760
{
17761
    byte verify[WC_MAX_DIGEST_SIZE];
17762
    byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE] = {0};
17763
    byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy;
17764
    int  ret = 0;
17765
17766
    (void)dmy;
17767
17768
    if ( (t + padLen + 1) > pLen) {
17769
        WOLFSSL_MSG("Plain Len not long enough for pad/mac");
17770
        PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE);
17771
        /* still compare */
17772
        ssl->hmac(ssl, verify, input, pLen - t, -1, content, 1, PEER_ORDER);
17773
        ConstantCompare(verify, input + pLen - t, t);
17774
        WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
17775
        return VERIFY_MAC_ERROR;
17776
    }
17777
17778
    if (PadCheck(input + pLen - (padLen + 1), (byte)padLen, padLen + 1) != 0) {
17779
        WOLFSSL_MSG("PadCheck failed");
17780
        PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1);
17781
        /* still compare */
17782
        ssl->hmac(ssl, verify, input, pLen - t, -1, content, 1, PEER_ORDER);
17783
        ConstantCompare(verify, input + pLen - t, t);
17784
        WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
17785
        return VERIFY_MAC_ERROR;
17786
    }
17787
17788
    PadCheck(dummy, (byte)padLen, MAX_PAD_SIZE - padLen - 1);
17789
    ret = ssl->hmac(ssl, verify, input, pLen - padLen - 1 - t, -1, content,
17790
                                                                 1, PEER_ORDER);
17791
17792
    CompressRounds(ssl, GetRounds(pLen, padLen, t), dummy);
17793
17794
    if (ConstantCompare(verify, input + (pLen - padLen - 1 - t), t) != 0) {
17795
        WOLFSSL_MSG("Verify MAC compare failed");
17796
        WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
17797
        return VERIFY_MAC_ERROR;
17798
    }
17799
17800
    /* treat any failure as verify MAC error */
17801
    if (ret != 0) {
17802
        ret = VERIFY_MAC_ERROR;
17803
        WOLFSSL_ERROR_VERBOSE(ret);
17804
    }
17805
17806
    return ret;
17807
}
17808
#else
17809
17810
#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
17811
/* check all length bytes for the pad value, return 0 on success */
17812
static int PadCheck(const byte* a, byte pad, int length)
17813
0
{
17814
0
    int i;
17815
0
    int compareSum = 0;
17816
17817
0
    for (i = 0; i < length; i++) {
17818
0
        compareSum |= a[i] ^ pad;
17819
0
    }
17820
17821
0
    return compareSum;
17822
0
}
17823
17824
17825
/* Mask the padding bytes with the expected values.
17826
 * Constant time implementation - does maximum pad size possible.
17827
 *
17828
 * data   Message data.
17829
 * sz     Size of the message including MAC and padding and padding length.
17830
 * macSz  Size of the MAC.
17831
 * returns 0 on success, otherwise failure.
17832
 */
17833
static byte MaskPadding(const byte* data, int sz, int macSz)
17834
0
{
17835
0
    int i;
17836
0
    int checkSz = sz - 1;
17837
0
    byte paddingSz = data[sz - 1];
17838
0
    byte mask;
17839
0
    byte good = ctMaskGT(paddingSz, sz - 1 - macSz);
17840
17841
0
    if (checkSz > TLS_MAX_PAD_SZ)
17842
0
        checkSz = TLS_MAX_PAD_SZ;
17843
17844
0
    for (i = 0; i < checkSz; i++) {
17845
0
        mask = ctMaskLTE(i, paddingSz);
17846
0
        good |= mask & (data[sz - 1 - i] ^ paddingSz);
17847
0
    }
17848
17849
0
    return good;
17850
0
}
17851
17852
/* Mask the MAC in the message with the MAC calculated.
17853
 * Constant time implementation - starts looking for MAC where maximum padding
17854
 * size has it.
17855
 *
17856
 * data    Message data.
17857
 * sz      Size of the message including MAC and padding and padding length.
17858
 * macSz   Size of the MAC data.
17859
 * expMac  Expected MAC value.
17860
 * returns 0 on success, otherwise failure.
17861
 */
17862
static byte MaskMac(const byte* data, int sz, int macSz, byte* expMac)
17863
0
{
17864
0
    int i, j;
17865
0
    unsigned char mac[WC_MAX_DIGEST_SIZE];
17866
0
    int scanStart = sz - 1 - TLS_MAX_PAD_SZ - macSz;
17867
0
    int macEnd = sz - 1 - data[sz - 1];
17868
0
    int macStart = macEnd - macSz;
17869
0
    int r = 0;
17870
0
    unsigned char started, notEnded;
17871
0
    unsigned char good = 0;
17872
17873
0
    scanStart &= ctMaskIntGTE(scanStart, 0);
17874
0
    macStart &= ctMaskIntGTE(macStart, 0);
17875
17876
    /* Div on Intel has different speeds depending on value.
17877
     * Use a bitwise AND or mod a specific value (converted to mul). */
17878
0
    if ((macSz & (macSz - 1)) == 0)
17879
0
        r = (macSz - (scanStart - macStart)) & (macSz - 1);
17880
0
#ifndef NO_SHA
17881
0
    else if (macSz == WC_SHA_DIGEST_SIZE)
17882
0
        r = (macSz - (scanStart - macStart)) % WC_SHA_DIGEST_SIZE;
17883
0
#endif
17884
0
#ifdef WOLFSSL_SHA384
17885
0
    else if (macSz == WC_SHA384_DIGEST_SIZE)
17886
0
        r = (macSz - (scanStart - macStart)) % WC_SHA384_DIGEST_SIZE;
17887
0
#endif
17888
17889
0
    XMEMSET(mac, 0, macSz);
17890
0
    for (i = scanStart; i < sz; i += macSz) {
17891
0
        for (j = 0; j < macSz && j + i < sz; j++) {
17892
0
            started = ctMaskGTE(i + j, macStart);
17893
0
            notEnded = ctMaskLT(i + j, macEnd);
17894
0
            mac[j] |= started & notEnded & data[i + j];
17895
0
        }
17896
0
    }
17897
17898
0
    if ((macSz & (macSz - 1)) == 0) {
17899
0
        for (i = 0; i < macSz; i++)
17900
0
            good |= expMac[i] ^ mac[(i + r) & (macSz - 1)];
17901
0
    }
17902
0
#ifndef NO_SHA
17903
0
    else if (macSz == WC_SHA_DIGEST_SIZE) {
17904
0
        for (i = 0; i < macSz; i++)
17905
0
            good |= expMac[i] ^ mac[(i + r) % WC_SHA_DIGEST_SIZE];
17906
0
    }
17907
0
#endif
17908
0
#ifdef WOLFSSL_SHA384
17909
0
    else if (macSz == WC_SHA384_DIGEST_SIZE) {
17910
0
        for (i = 0; i < macSz; i++)
17911
0
            good |= expMac[i] ^ mac[(i + r) % WC_SHA384_DIGEST_SIZE];
17912
0
    }
17913
0
#endif
17914
17915
0
    return good;
17916
0
}
17917
17918
/* timing resistant pad/verify check, return 0 on success */
17919
int TimingPadVerify(WOLFSSL* ssl, const byte* input, int padLen, int macSz,
17920
                    int pLen, int content)
17921
0
{
17922
0
    byte verify[WC_MAX_DIGEST_SIZE];
17923
0
    byte good;
17924
0
    int  ret = 0;
17925
17926
0
    good = MaskPadding(input, pLen, macSz);
17927
    /* 4th argument has potential to underflow, ssl->hmac function should
17928
     * either increment the size by (macSz + padLen + 1) before use or check on
17929
     * the size to make sure is valid. */
17930
0
    ret = ssl->hmac(ssl, verify, input, pLen - macSz - padLen - 1, padLen,
17931
0
                                                        content, 1, PEER_ORDER);
17932
0
    good |= MaskMac(input, pLen, ssl->specs.hash_size, verify);
17933
17934
    /* Non-zero on failure. */
17935
0
    good = (byte)~(word32)good;
17936
0
    good &= good >> 4;
17937
0
    good &= good >> 2;
17938
0
    good &= good >> 1;
17939
    /* Make ret negative on masking failure. */
17940
0
    ret -= 1 - good;
17941
17942
    /* Treat any failure as verify MAC error. */
17943
0
    if (ret != 0) {
17944
0
        ret = VERIFY_MAC_ERROR;
17945
0
        WOLFSSL_ERROR_VERBOSE(ret);
17946
0
    }
17947
17948
0
    return ret;
17949
0
}
17950
#endif /* !WOLFSSL_NO_TLS12 && !WOLFSSL_AEAD_ONLY */
17951
#endif /* WOLSSL_OLD_TIMINGPADVERIFY */
17952
#endif /* WOLFSSL_AEAD_ONLY */
17953
17954
int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx, int sniff)
17955
0
{
17956
0
    word32 msgSz   = WOLFSSL_IS_QUIC(ssl)? ssl->curSize : ssl->keys.encryptSz;
17957
0
    word32 idx     = *inOutIdx;
17958
0
    int    dataSz;
17959
0
    int    ivExtra = 0;
17960
0
    byte*  rawData = input + idx;  /* keep current  for hmac */
17961
#ifdef HAVE_LIBZ
17962
    byte   decomp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
17963
#endif
17964
17965
#ifdef WOLFSSL_EARLY_DATA
17966
    if (ssl->options.tls1_3 && ssl->options.handShakeDone == 0) {
17967
        int process = 0;
17968
17969
        if (ssl->options.side == WOLFSSL_SERVER_END) {
17970
            if ((ssl->earlyData != no_early_data) &&
17971
                          (ssl->options.clientState == CLIENT_HELLO_COMPLETE)) {
17972
                process = 1;
17973
            }
17974
            if (!process) {
17975
                WOLFSSL_MSG("Ignoring EarlyData!");
17976
                *inOutIdx += ssl->curSize;
17977
                if (*inOutIdx > ssl->buffers.inputBuffer.length)
17978
                    return BUFFER_E;
17979
17980
                return 0;
17981
            }
17982
        }
17983
        if (!process) {
17984
            WOLFSSL_MSG("Received App data before a handshake completed");
17985
            if (sniff == NO_SNIFF) {
17986
                SendAlert(ssl, alert_fatal, unexpected_message);
17987
            }
17988
            WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
17989
            return OUT_OF_ORDER_E;
17990
        }
17991
    }
17992
    else
17993
#endif
17994
0
    if (ssl->options.handShakeDone == 0) {
17995
0
        WOLFSSL_MSG("Received App data before a handshake completed");
17996
0
        if (sniff == NO_SNIFF) {
17997
0
            SendAlert(ssl, alert_fatal, unexpected_message);
17998
0
        }
17999
0
        WOLFSSL_ERROR_VERBOSE(OUT_OF_ORDER_E);
18000
0
        return OUT_OF_ORDER_E;
18001
0
    }
18002
18003
0
#ifndef WOLFSSL_AEAD_ONLY
18004
0
    if (ssl->specs.cipher_type == block) {
18005
0
        if (ssl->options.tls1_1)
18006
0
            ivExtra = ssl->specs.block_size;
18007
0
    }
18008
0
    else
18009
0
#endif
18010
0
    if (ssl->specs.cipher_type == aead) {
18011
0
        if (CipherHasExpIV(ssl))
18012
0
            ivExtra = AESGCM_EXP_IV_SZ;
18013
0
    }
18014
18015
0
    dataSz = msgSz - ivExtra - ssl->keys.padSz;
18016
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18017
0
    if (ssl->options.startedETMRead)
18018
0
        dataSz -= MacSize(ssl);
18019
0
#endif
18020
0
    if (dataSz < 0) {
18021
0
        WOLFSSL_MSG("App data buffer error, malicious input?");
18022
0
        if (sniff == NO_SNIFF) {
18023
0
            SendAlert(ssl, alert_fatal, unexpected_message);
18024
0
        }
18025
0
        WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
18026
0
        return BUFFER_ERROR;
18027
0
    }
18028
#ifdef WOLFSSL_EARLY_DATA
18029
    if (ssl->earlyData > early_data_ext) {
18030
        if (ssl->earlyDataSz + dataSz > ssl->options.maxEarlyDataSz) {
18031
            if (sniff == NO_SNIFF) {
18032
                SendAlert(ssl, alert_fatal, unexpected_message);
18033
            }
18034
            return WOLFSSL_FATAL_ERROR;
18035
        }
18036
        ssl->earlyDataSz += dataSz;
18037
    }
18038
#endif
18039
18040
    /* read data */
18041
0
    if (dataSz) {
18042
0
        int rawSz = dataSz;       /* keep raw size for idx adjustment */
18043
18044
#ifdef HAVE_LIBZ
18045
        if (ssl->options.usingCompression) {
18046
            dataSz = myDeCompress(ssl, rawData, dataSz, decomp, sizeof(decomp));
18047
            if (dataSz < 0) return dataSz;
18048
        }
18049
#endif
18050
0
        idx += rawSz;
18051
18052
0
        ssl->buffers.clearOutputBuffer.buffer = rawData;
18053
0
        ssl->buffers.clearOutputBuffer.length = dataSz;
18054
0
    }
18055
18056
0
    idx += ssl->keys.padSz;
18057
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18058
0
    if (ssl->options.startedETMRead)
18059
0
        idx += MacSize(ssl);
18060
0
#endif
18061
18062
#ifdef HAVE_LIBZ
18063
    /* decompress could be bigger, overwrite after verify */
18064
    if (ssl->options.usingCompression)
18065
        XMEMMOVE(rawData, decomp, dataSz);
18066
#endif
18067
18068
0
    *inOutIdx = idx;
18069
#ifdef HAVE_SECURE_RENEGOTIATION
18070
    if (IsSCR(ssl)) {
18071
        /* Reset the processReply state since
18072
         * we finished processing this message. */
18073
        ssl->options.processReply = doProcessInit;
18074
        /* If we are in a secure renegotiation then APP DATA is treated
18075
         * differently */
18076
        return APP_DATA_READY;
18077
    }
18078
#endif
18079
0
    return 0;
18080
0
}
18081
18082
const char* AlertTypeToString(int type)
18083
0
{
18084
0
    switch (type) {
18085
0
        case close_notify:
18086
0
            {
18087
0
                static const char close_notify_str[] =
18088
0
                    "close_notify";
18089
0
                return close_notify_str;
18090
0
            }
18091
18092
0
        case unexpected_message:
18093
0
            {
18094
0
                static const char unexpected_message_str[] =
18095
0
                    "unexpected_message";
18096
0
                return unexpected_message_str;
18097
0
            }
18098
18099
0
        case bad_record_mac:
18100
0
            {
18101
0
                static const char bad_record_mac_str[] =
18102
0
                    "bad_record_mac";
18103
0
                return bad_record_mac_str;
18104
0
            }
18105
18106
0
        case record_overflow:
18107
0
            {
18108
0
                static const char record_overflow_str[] =
18109
0
                    "record_overflow";
18110
0
                return record_overflow_str;
18111
0
            }
18112
18113
0
        case decompression_failure:
18114
0
            {
18115
0
                static const char decompression_failure_str[] =
18116
0
                    "decompression_failure";
18117
0
                return decompression_failure_str;
18118
0
            }
18119
18120
0
        case handshake_failure:
18121
0
            {
18122
0
                static const char handshake_failure_str[] =
18123
0
                    "handshake_failure";
18124
0
                return handshake_failure_str;
18125
0
            }
18126
18127
0
        case no_certificate:
18128
0
            {
18129
0
                static const char no_certificate_str[] =
18130
0
                    "no_certificate";
18131
0
                return no_certificate_str;
18132
0
            }
18133
18134
0
        case bad_certificate:
18135
0
            {
18136
0
                static const char bad_certificate_str[] =
18137
0
                    "bad_certificate";
18138
0
                return bad_certificate_str;
18139
0
            }
18140
18141
0
        case unsupported_certificate:
18142
0
            {
18143
0
                static const char unsupported_certificate_str[] =
18144
0
                    "unsupported_certificate";
18145
0
                return unsupported_certificate_str;
18146
0
            }
18147
18148
0
        case certificate_revoked:
18149
0
            {
18150
0
                static const char certificate_revoked_str[] =
18151
0
                    "certificate_revoked";
18152
0
                return certificate_revoked_str;
18153
0
            }
18154
18155
0
        case certificate_expired:
18156
0
            {
18157
0
                static const char certificate_expired_str[] =
18158
0
                    "certificate_expired";
18159
0
                return certificate_expired_str;
18160
0
            }
18161
18162
0
        case certificate_unknown:
18163
0
            {
18164
0
                static const char certificate_unknown_str[] =
18165
0
                    "certificate_unknown";
18166
0
                return certificate_unknown_str;
18167
0
            }
18168
18169
0
        case illegal_parameter:
18170
0
            {
18171
0
                static const char illegal_parameter_str[] =
18172
0
                    "illegal_parameter";
18173
0
                return illegal_parameter_str;
18174
0
            }
18175
18176
0
        case unknown_ca:
18177
0
            {
18178
0
                static const char unknown_ca_str[] =
18179
0
                    "unknown_ca";
18180
0
                return unknown_ca_str;
18181
0
            }
18182
18183
0
        case access_denied:
18184
0
            {
18185
0
                static const char access_denied_str[] =
18186
0
                    "access_denied";
18187
0
                return access_denied_str;
18188
0
            }
18189
18190
0
        case decode_error:
18191
0
            {
18192
0
                static const char decode_error_str[] =
18193
0
                    "decode_error";
18194
0
                return decode_error_str;
18195
0
            }
18196
18197
0
        case decrypt_error:
18198
0
            {
18199
0
                static const char decrypt_error_str[] =
18200
0
                    "decrypt_error";
18201
0
                return decrypt_error_str;
18202
0
            }
18203
18204
    #ifdef WOLFSSL_MYSQL_COMPATIBLE
18205
    /* catch name conflict for enum protocol with MYSQL build */
18206
        case wc_protocol_version:
18207
            {
18208
                static const char wc_protocol_version_str[] =
18209
                    "wc_protocol_version";
18210
                return wc_protocol_version_str;
18211
            }
18212
18213
    #else
18214
0
        case protocol_version:
18215
0
            {
18216
0
                static const char protocol_version_str[] =
18217
0
                    "protocol_version";
18218
0
                return protocol_version_str;
18219
0
            }
18220
18221
0
    #endif
18222
0
        case insufficient_security:
18223
0
            {
18224
0
                static const char insufficient_security_str[] =
18225
0
                    "insufficient_security";
18226
0
                return insufficient_security_str;
18227
0
            }
18228
18229
0
        case internal_error:
18230
0
            {
18231
0
                static const char internal_error_str[] =
18232
0
                    "internal_error";
18233
0
                return internal_error_str;
18234
0
            }
18235
18236
0
        case user_canceled:
18237
0
            {
18238
0
                static const char user_canceled_str[] =
18239
0
                    "user_canceled";
18240
0
                return user_canceled_str;
18241
0
            }
18242
18243
0
        case no_renegotiation:
18244
0
            {
18245
0
                static const char no_renegotiation_str[] =
18246
0
                    "no_renegotiation";
18247
0
                return no_renegotiation_str;
18248
0
            }
18249
18250
0
        case unrecognized_name:
18251
0
            {
18252
0
                static const char unrecognized_name_str[] =
18253
0
                    "unrecognized_name";
18254
0
                return unrecognized_name_str;
18255
0
            }
18256
18257
0
        case bad_certificate_status_response:
18258
0
            {
18259
0
                static const char bad_certificate_status_response_str[] =
18260
0
                    "bad_certificate_status_response";
18261
0
                return bad_certificate_status_response_str;
18262
0
            }
18263
18264
0
        case no_application_protocol:
18265
0
            {
18266
0
                static const char no_application_protocol_str[] =
18267
0
                    "no_application_protocol";
18268
0
                return no_application_protocol_str;
18269
0
            }
18270
18271
0
        default:
18272
0
            WOLFSSL_MSG("Unknown Alert");
18273
0
            return NULL;
18274
0
    }
18275
0
}
18276
18277
static void LogAlert(int type)
18278
0
{
18279
#ifdef DEBUG_WOLFSSL
18280
    const char* typeStr;
18281
    char buff[60];
18282
18283
    typeStr = AlertTypeToString(type);
18284
    if (typeStr != NULL) {
18285
        XSNPRINTF(buff, sizeof(buff), "Alert type: %s", typeStr);
18286
        WOLFSSL_MSG(buff);
18287
    }
18288
#else
18289
0
    (void)type;
18290
0
#endif /* DEBUG_WOLFSSL */
18291
0
}
18292
18293
/* process alert, return level */
18294
static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
18295
0
{
18296
0
    byte level;
18297
0
    byte code;
18298
0
    word32 dataSz = (word32)ssl->curSize;
18299
0
    int ivExtra = 0;
18300
18301
0
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
18302
0
        if (ssl->hsInfoOn)
18303
0
            AddPacketName(ssl, "Alert");
18304
0
        if (ssl->toInfoOn)
18305
            /* add record header back on to info + alert bytes level/code */
18306
0
            AddPacketInfo(ssl, "Alert", alert, input + *inOutIdx -
18307
0
                          RECORD_HEADER_SZ, RECORD_HEADER_SZ + ALERT_SIZE,
18308
0
                          READ_PROTO, ssl->heap);
18309
0
    #endif
18310
18311
0
    if (IsEncryptionOn(ssl, 0)) {
18312
0
#ifndef WOLFSSL_AEAD_ONLY
18313
0
        if (ssl->specs.cipher_type == block) {
18314
0
            if (ssl->options.tls1_1)
18315
0
                ivExtra = ssl->specs.block_size;
18316
0
        }
18317
0
        else
18318
0
#endif
18319
0
        if (ssl->specs.cipher_type == aead) {
18320
0
            if (CipherHasExpIV(ssl))
18321
0
                ivExtra = AESGCM_EXP_IV_SZ;
18322
0
        }
18323
0
        dataSz -= ivExtra;
18324
0
        dataSz -= ssl->keys.padSz;
18325
0
    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18326
0
        if (ssl->options.startedETMRead)
18327
0
            dataSz -= MacSize(ssl);
18328
0
    #endif
18329
0
    }
18330
18331
    /* make sure can read the message */
18332
0
    if (dataSz != ALERT_SIZE) {
18333
0
#ifdef WOLFSSL_EXTRA_ALERTS
18334
0
        SendAlert(ssl, alert_fatal, unexpected_message);
18335
0
#endif
18336
0
        return BUFFER_E;
18337
0
    }
18338
18339
0
    level = input[(*inOutIdx)++];
18340
0
    code  = input[(*inOutIdx)++];
18341
0
    ssl->alert_history.last_rx.code = code;
18342
0
    ssl->alert_history.last_rx.level = level;
18343
0
    *type = code;
18344
0
    if (level == alert_fatal) {
18345
0
        ssl->options.isClosed = 1;  /* Don't send close_notify */
18346
0
    }
18347
18348
0
    if (++ssl->options.alertCount >= WOLFSSL_ALERT_COUNT_MAX) {
18349
0
        WOLFSSL_MSG("Alert count exceeded");
18350
0
#ifdef WOLFSSL_EXTRA_ALERTS
18351
0
        if (level != alert_warning || code != close_notify)
18352
0
            SendAlert(ssl, alert_fatal, unexpected_message);
18353
0
#endif
18354
0
        WOLFSSL_ERROR_VERBOSE(ALERT_COUNT_E);
18355
0
        return ALERT_COUNT_E;
18356
0
    }
18357
18358
0
    LogAlert(*type);
18359
0
    if (*type == close_notify) {
18360
0
        ssl->options.closeNotify = 1;
18361
0
    }
18362
0
    else {
18363
        /*
18364
         * A close_notify alert doesn't mean there's been an error, so we only
18365
         * add other types of alerts to the error queue
18366
         */
18367
0
        WOLFSSL_ERROR(*type);
18368
0
    }
18369
18370
0
    if (IsEncryptionOn(ssl, 0)) {
18371
0
        *inOutIdx += ssl->keys.padSz;
18372
0
    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18373
0
        if (ssl->options.startedETMRead)
18374
0
            *inOutIdx += MacSize(ssl);
18375
0
    #endif
18376
0
    }
18377
18378
0
    return level;
18379
0
}
18380
18381
static int GetInputData(WOLFSSL *ssl, word32 size)
18382
0
{
18383
0
    int in;
18384
0
    int inSz;
18385
0
    int maxLength;
18386
0
    int usedLength;
18387
0
    int dtlsExtra = 0;
18388
18389
18390
    /* check max input length */
18391
0
    usedLength = ssl->buffers.inputBuffer.length - ssl->buffers.inputBuffer.idx;
18392
0
    maxLength  = ssl->buffers.inputBuffer.bufferSize - usedLength;
18393
0
    inSz       = (int)(size - usedLength);      /* from last partial read */
18394
18395
#ifdef WOLFSSL_DTLS
18396
    if (ssl->options.dtls) {
18397
        if (size < ssl->dtls_expected_rx)
18398
            dtlsExtra = (int)(ssl->dtls_expected_rx - size);
18399
        inSz = ssl->dtls_expected_rx;
18400
    }
18401
#endif
18402
18403
    /* check that no lengths or size values are negative */
18404
0
    if (usedLength < 0 || maxLength < 0 || inSz <= 0) {
18405
0
        return BUFFER_ERROR;
18406
0
    }
18407
18408
0
    if (inSz > maxLength) {
18409
0
        if (GrowInputBuffer(ssl, size + dtlsExtra, usedLength) < 0)
18410
0
            return MEMORY_E;
18411
0
    }
18412
18413
    /* Put buffer data at start if not there */
18414
0
    if (usedLength > 0 && ssl->buffers.inputBuffer.idx != 0)
18415
0
        XMEMMOVE(ssl->buffers.inputBuffer.buffer,
18416
0
                ssl->buffers.inputBuffer.buffer + ssl->buffers.inputBuffer.idx,
18417
0
                usedLength);
18418
18419
    /* remove processed data */
18420
0
    ssl->buffers.inputBuffer.idx    = 0;
18421
0
    ssl->buffers.inputBuffer.length = usedLength;
18422
18423
    /* read data from network */
18424
0
    do {
18425
0
        in = wolfSSLReceive(ssl,
18426
0
                     ssl->buffers.inputBuffer.buffer +
18427
0
                     ssl->buffers.inputBuffer.length,
18428
0
                     inSz);
18429
0
        if (in == WANT_READ)
18430
0
            return WANT_READ;
18431
18432
0
        if (in < 0) {
18433
0
            WOLFSSL_ERROR_VERBOSE(SOCKET_ERROR_E);
18434
0
            return SOCKET_ERROR_E;
18435
0
        }
18436
18437
0
        if (in > inSz) {
18438
0
            WOLFSSL_ERROR_VERBOSE(RECV_OVERFLOW_E);
18439
0
            return RECV_OVERFLOW_E;
18440
0
        }
18441
18442
0
        ssl->buffers.inputBuffer.length += in;
18443
0
        inSz -= in;
18444
18445
0
    } while (ssl->buffers.inputBuffer.length < size);
18446
18447
#ifdef WOLFSSL_DEBUG_TLS
18448
    if (ssl->buffers.inputBuffer.idx == 0) {
18449
        WOLFSSL_MSG("Data received");
18450
        WOLFSSL_BUFFER(ssl->buffers.inputBuffer.buffer,
18451
                       ssl->buffers.inputBuffer.length);
18452
    }
18453
#endif
18454
18455
0
    return 0;
18456
0
}
18457
18458
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18459
static WC_INLINE int VerifyMacEnc(WOLFSSL* ssl, const byte* input, word32 msgSz,
18460
                                  int content)
18461
0
{
18462
0
    int    ret;
18463
#ifdef HAVE_TRUNCATED_HMAC
18464
    word32 digestSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
18465
                                          : ssl->specs.hash_size;
18466
#else
18467
0
    word32 digestSz = ssl->specs.hash_size;
18468
0
#endif
18469
0
    byte   verify[WC_MAX_DIGEST_SIZE];
18470
18471
0
    WOLFSSL_MSG("Verify MAC of Encrypted Data");
18472
18473
0
    if (msgSz < digestSz) {
18474
0
        WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
18475
0
        return VERIFY_MAC_ERROR;
18476
0
    }
18477
18478
0
    ret  = ssl->hmac(ssl, verify, input, msgSz - digestSz, -1, content, 1, PEER_ORDER);
18479
0
    ret |= ConstantCompare(verify, input + msgSz - digestSz, digestSz);
18480
0
    if (ret != 0) {
18481
0
        WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
18482
0
        return VERIFY_MAC_ERROR;
18483
0
    }
18484
18485
0
    return 0;
18486
0
}
18487
#endif
18488
18489
static WC_INLINE int VerifyMac(WOLFSSL* ssl, const byte* input, word32 msgSz,
18490
                            int content, word32* padSz)
18491
0
{
18492
0
#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
18493
0
    int    ivExtra = 0;
18494
0
    int    ret;
18495
0
    word32 pad     = 0;
18496
0
    word32 padByte = 0;
18497
#ifdef HAVE_TRUNCATED_HMAC
18498
    word32 digestSz = ssl->truncated_hmac ? (byte)TRUNCATED_HMAC_SZ
18499
                                          : ssl->specs.hash_size;
18500
#else
18501
0
    word32 digestSz = ssl->specs.hash_size;
18502
0
#endif
18503
0
    byte   verify[WC_MAX_DIGEST_SIZE];
18504
18505
18506
0
    if (ssl->specs.cipher_type == block) {
18507
0
        if (ssl->options.tls1_1)
18508
0
            ivExtra = ssl->specs.block_size;
18509
0
        pad = *(input + msgSz - ivExtra - 1);
18510
0
        padByte = 1;
18511
18512
0
        if (ssl->options.tls) {
18513
#if !defined(NO_CERTS) && defined(HAVE_PK_CALLBACKS)
18514
            ret = PROTOCOLCB_UNAVAILABLE;
18515
            if(ssl->ctx->VerifyMacCb) {
18516
                void* ctx = wolfSSL_GetVerifyMacCtx(ssl);
18517
                ret = ssl->ctx->VerifyMacCb(ssl, input,
18518
                           (msgSz - ivExtra) - digestSz - pad - 1,
18519
                           digestSz, content, ctx);
18520
                if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) {
18521
                    return ret;
18522
                }
18523
            }
18524
            if (!ssl->ctx->VerifyMacCb || ret == PROTOCOLCB_UNAVAILABLE)
18525
#endif
18526
0
            ret = TimingPadVerify(ssl, input, pad, digestSz, msgSz - ivExtra,
18527
0
                                  content);
18528
0
            if (ret != 0)
18529
0
                return ret;
18530
0
        }
18531
0
        else {  /* sslv3, some implementations have bad padding, but don't
18532
                 * allow bad read */
18533
0
            int  badPadLen = 0;
18534
0
            byte dmy[sizeof(WOLFSSL) >= MAX_PAD_SIZE ? 1 : MAX_PAD_SIZE];
18535
0
            byte* dummy = sizeof(dmy) < MAX_PAD_SIZE ? (byte*) ssl : dmy;
18536
0
            XMEMSET(dmy, 0, sizeof(dmy));
18537
18538
0
            if (pad > (msgSz - digestSz - 1)) {
18539
0
                WOLFSSL_MSG("Plain Len not long enough for pad/mac");
18540
0
                pad       = 0;  /* no bad read */
18541
0
                badPadLen = 1;
18542
0
            }
18543
0
            (void)PadCheck(dummy, (byte)pad, MAX_PAD_SIZE);  /* timing only */
18544
0
            ret = ssl->hmac(ssl, verify, input, msgSz - digestSz - pad - 1,
18545
0
                            pad, content, 1, PEER_ORDER);
18546
0
            if (ConstantCompare(verify, input + msgSz - digestSz - pad - 1,
18547
0
                                digestSz) != 0) {
18548
0
                WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
18549
0
                return VERIFY_MAC_ERROR;
18550
0
            }
18551
0
            if (ret != 0 || badPadLen) {
18552
0
                WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
18553
0
                return VERIFY_MAC_ERROR;
18554
0
            }
18555
0
        }
18556
0
    }
18557
0
    else if (ssl->specs.cipher_type == stream) {
18558
0
        ret = ssl->hmac(ssl, verify, input, msgSz - digestSz, -1, content, 1,
18559
0
                        PEER_ORDER);
18560
0
        if (ConstantCompare(verify, input + msgSz - digestSz, digestSz) != 0) {
18561
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
18562
0
            return VERIFY_MAC_ERROR;
18563
0
        }
18564
0
        if (ret != 0) {
18565
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
18566
0
            return VERIFY_MAC_ERROR;
18567
0
        }
18568
0
    }
18569
0
#endif /* !WOLFSSL_NO_TLS12 && !WOLFSSL_AEAD_ONLY */
18570
18571
0
    if (ssl->specs.cipher_type == aead) {
18572
0
        *padSz = ssl->specs.aead_mac_size;
18573
0
    }
18574
0
#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_AEAD_ONLY)
18575
0
    else {
18576
0
        *padSz = digestSz + pad + padByte;
18577
0
    }
18578
0
#endif /* !WOLFSSL_NO_TLS12 && !WOLFSSL_AEAD_ONLY */
18579
18580
0
    (void)input;
18581
0
    (void)msgSz;
18582
0
    (void)content;
18583
18584
0
    return 0;
18585
0
}
18586
18587
int ProcessReply(WOLFSSL* ssl)
18588
0
{
18589
0
    return ProcessReplyEx(ssl, 0);
18590
0
}
18591
18592
/* Process input requests. Return 0 is done, 1 is call again to complete, and
18593
   negative number is error. If allowSocketErr is set, SOCKET_ERROR_E in
18594
   ssl->error will be whitelisted. This is useful when the connection has been
18595
   closed and the endpoint wants to check for an alert sent by the other end. */
18596
int ProcessReplyEx(WOLFSSL* ssl, int allowSocketErr)
18597
0
{
18598
0
    int    ret = 0, type = internal_error, readSz;
18599
0
    int    atomicUser = 0;
18600
0
    word32 startIdx = 0;
18601
#if defined(WOLFSSL_DTLS)
18602
    int    used;
18603
#endif
18604
18605
#ifdef ATOMIC_USER
18606
    if (ssl->ctx->DecryptVerifyCb)
18607
        atomicUser = 1;
18608
#endif
18609
18610
0
    if (ssl->error != 0 && ssl->error != WANT_READ && ssl->error != WANT_WRITE
18611
    #ifdef HAVE_SECURE_RENEGOTIATION
18612
        && ssl->error != APP_DATA_READY
18613
    #endif
18614
    #ifdef WOLFSSL_ASYNC_CRYPT
18615
        && ssl->error != WC_PENDING_E
18616
    #endif
18617
    #ifdef WOLFSSL_NONBLOCK_OCSP
18618
        && ssl->error != OCSP_WANT_READ
18619
    #endif
18620
0
        && (allowSocketErr != 1 || ssl->error != SOCKET_ERROR_E)
18621
0
    ) {
18622
0
        WOLFSSL_MSG("ProcessReply retry in error state, not allowed");
18623
0
        return ssl->error;
18624
0
    }
18625
18626
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_ASYNC_CRYPT)
18627
    /* process any pending DTLS messages - this flow can happen with async */
18628
    if (ssl->dtls_rx_msg_list != NULL) {
18629
        word32 pendingMsg = ssl->dtls_rx_msg_list_sz;
18630
        if(IsAtLeastTLSv1_3(ssl->version)) {
18631
#ifdef WOLFSSL_DTLS13
18632
            ret = Dtls13ProcessBufferedMessages(ssl);
18633
#else
18634
            ret = NOT_COMPILED_IN;
18635
#endif /* WOLFSSL_DTLS13 */
18636
        }
18637
        else {
18638
            ret = DtlsMsgDrain(ssl);
18639
        }
18640
        if (ret != 0) {
18641
            WOLFSSL_ERROR(ret);
18642
            return ret;
18643
        }
18644
        /* we processed some messages, return so connect/accept can make
18645
           progress */
18646
        if (ssl->dtls_rx_msg_list_sz != pendingMsg)
18647
            return ret;
18648
    }
18649
#endif
18650
18651
0
    ret = RetrySendAlert(ssl);
18652
0
    if (ret != 0)
18653
0
        return ret;
18654
18655
0
    for (;;) {
18656
0
        switch (ssl->options.processReply) {
18657
18658
        /* in the WOLFSSL_SERVER case, get the first byte for detecting
18659
         * old client hello */
18660
0
        case doProcessInit:
18661
18662
0
            readSz = RECORD_HEADER_SZ;
18663
18664
        #ifdef WOLFSSL_DTLS
18665
            if (ssl->options.dtls) {
18666
                readSz = DTLS_RECORD_HEADER_SZ;
18667
#ifdef WOLFSSL_DTLS13
18668
                if (ssl->options.tls1_3) {
18669
                    /* dtls1.3 unified header can be as little as 2 bytes */
18670
                    readSz = DTLS_UNIFIED_HEADER_MIN_SZ;
18671
                }
18672
#endif /* WOLFSSL_DTLS13 */
18673
            }
18674
        #endif
18675
18676
            /* get header or return error */
18677
0
            if (!ssl->options.dtls) {
18678
0
                if ((ret = GetInputData(ssl, readSz)) < 0)
18679
0
                    return ret;
18680
0
            } else {
18681
            #ifdef WOLFSSL_DTLS
18682
                /* read ahead may already have header */
18683
                used = ssl->buffers.inputBuffer.length -
18684
                       ssl->buffers.inputBuffer.idx;
18685
                if (used < readSz) {
18686
                    if ((ret = GetInputData(ssl, readSz)) < 0)
18687
                        return ret;
18688
                }
18689
            #endif
18690
0
            }
18691
18692
#ifdef OLD_HELLO_ALLOWED
18693
18694
            /* see if sending SSLv2 client hello */
18695
            if ( ssl->options.side == WOLFSSL_SERVER_END &&
18696
                 ssl->options.clientState == NULL_STATE &&
18697
                 ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx]
18698
                         != handshake) {
18699
                byte b0, b1;
18700
18701
                ssl->options.processReply = runProcessOldClientHello;
18702
18703
                /* sanity checks before getting size at front */
18704
                if (ssl->buffers.inputBuffer.buffer[
18705
                          ssl->buffers.inputBuffer.idx + OPAQUE16_LEN] != OLD_HELLO_ID) {
18706
                    WOLFSSL_MSG("Not a valid old client hello");
18707
                    WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
18708
                    return PARSE_ERROR;
18709
                }
18710
18711
                if (ssl->buffers.inputBuffer.buffer[
18712
                          ssl->buffers.inputBuffer.idx + OPAQUE24_LEN] != SSLv3_MAJOR &&
18713
                    ssl->buffers.inputBuffer.buffer[
18714
                          ssl->buffers.inputBuffer.idx + OPAQUE24_LEN] != DTLS_MAJOR) {
18715
                    WOLFSSL_MSG("Not a valid version in old client hello");
18716
                    WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
18717
                    return PARSE_ERROR;
18718
                }
18719
18720
                /* how many bytes need ProcessOldClientHello */
18721
                b0 =
18722
                ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
18723
                b1 =
18724
                ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++];
18725
                ssl->curSize = (word16)(((b0 & 0x7f) << 8) | b1);
18726
            }
18727
            else {
18728
                ssl->options.processReply = getRecordLayerHeader;
18729
                continue;
18730
            }
18731
            FALL_THROUGH;
18732
18733
        /* in the WOLFSSL_SERVER case, run the old client hello */
18734
        case runProcessOldClientHello:
18735
18736
            /* get sz bytes or return error */
18737
            if (!ssl->options.dtls) {
18738
                if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
18739
                    return ret;
18740
            } else {
18741
            #ifdef WOLFSSL_DTLS
18742
                /* read ahead may already have */
18743
                used = ssl->buffers.inputBuffer.length -
18744
                       ssl->buffers.inputBuffer.idx;
18745
                if (used < ssl->curSize)
18746
                    if ((ret = GetInputData(ssl, ssl->curSize - used)) < 0)
18747
                        return ret;
18748
            #endif  /* WOLFSSL_DTLS */
18749
            }
18750
18751
            ret = ProcessOldClientHello(ssl, ssl->buffers.inputBuffer.buffer,
18752
                                        &ssl->buffers.inputBuffer.idx,
18753
                                        ssl->buffers.inputBuffer.length -
18754
                                        ssl->buffers.inputBuffer.idx,
18755
                                        ssl->curSize);
18756
            if (ret < 0)
18757
                return ret;
18758
18759
            else if (ssl->buffers.inputBuffer.idx ==
18760
                     ssl->buffers.inputBuffer.length) {
18761
                ssl->options.processReply = doProcessInit;
18762
                return 0;
18763
            }
18764
18765
#endif  /* OLD_HELLO_ALLOWED */
18766
0
            FALL_THROUGH;
18767
18768
        /* get the record layer header */
18769
0
        case getRecordLayerHeader:
18770
18771
            /* DTLSv1.3 record numbers in the header are encrypted, and AAD
18772
             * uses the unecrypted form. Because of this we need to modify the
18773
             * header, decrypting the numbers inside
18774
             * DtlsParseUnifiedRecordLayer(). This violates the const attribute
18775
             * of the buffer parameter of GetRecordHeader() used here. */
18776
0
            ret = GetRecordHeader(ssl, ssl->buffers.inputBuffer.buffer,
18777
0
                                       &ssl->buffers.inputBuffer.idx,
18778
0
                                       &ssl->curRL, &ssl->curSize);
18779
18780
#ifdef WOLFSSL_DTLS
18781
            if (ssl->options.dtls &&
18782
                    (ret == SEQUENCE_ERROR || ret == DTLS_CID_ERROR)) {
18783
                WOLFSSL_MSG("Silently dropping DTLS message");
18784
                ssl->options.processReply = doProcessInit;
18785
                ssl->buffers.inputBuffer.length = 0;
18786
                ssl->buffers.inputBuffer.idx = 0;
18787
#ifdef WOLFSSL_DTLS_DROP_STATS
18788
                ssl->replayDropCount++;
18789
#endif /* WOLFSSL_DTLS_DROP_STATS */
18790
18791
#ifdef WOLFSSL_DTLS13
18792
                /* return to send ACKS and shortcut rtx timer */
18793
                if (IsAtLeastTLSv1_3(ssl->version)
18794
                    && ssl->dtls13Rtx.sendAcks)
18795
                    return 0;
18796
#endif /* WOLFSSL_DTLS13 */
18797
18798
                continue;
18799
            }
18800
#endif
18801
0
            if (ret != 0)
18802
0
                return ret;
18803
18804
0
#ifdef WOLFSSL_TLS13
18805
0
            if (IsAtLeastTLSv1_3(ssl->version) && IsEncryptionOn(ssl, 0) &&
18806
0
                                        ssl->curRL.type != application_data &&
18807
0
                                        ssl->curRL.type != change_cipher_spec) {
18808
0
                SendAlert(ssl, alert_fatal, unexpected_message);
18809
0
                WOLFSSL_ERROR_VERBOSE(PARSE_ERROR);
18810
0
                return PARSE_ERROR;
18811
0
            }
18812
0
#endif
18813
18814
0
            ssl->options.processReply = getData;
18815
0
            FALL_THROUGH;
18816
18817
        /* retrieve record layer data */
18818
0
        case getData:
18819
18820
            /* get sz bytes or return error */
18821
0
            if (!ssl->options.dtls) {
18822
0
                if ((ret = GetInputData(ssl, ssl->curSize)) < 0) {
18823
0
#ifdef WOLFSSL_EXTRA_ALERTS
18824
0
                    if (ret != WANT_READ)
18825
0
                        SendAlert(ssl, alert_fatal, bad_record_mac);
18826
0
#endif
18827
0
                    return ret;
18828
0
                }
18829
0
            }
18830
0
            else {
18831
#ifdef WOLFSSL_DTLS
18832
                /* read ahead may already have */
18833
                used = ssl->buffers.inputBuffer.length -
18834
                       ssl->buffers.inputBuffer.idx;
18835
                if (used < ssl->curSize)
18836
                    if ((ret = GetInputData(ssl, ssl->curSize)) < 0)
18837
                        return ret;
18838
#endif
18839
0
            }
18840
18841
0
            if (IsEncryptionOn(ssl, 0)) {
18842
0
#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
18843
0
                int tooLong = 0;
18844
0
#endif
18845
18846
0
#ifdef WOLFSSL_TLS13
18847
0
                if (IsAtLeastTLSv1_3(ssl->version)) {
18848
0
                    tooLong  = ssl->curSize > MAX_TLS13_ENC_SZ;
18849
0
                    tooLong |= ssl->curSize - ssl->specs.aead_mac_size >
18850
0
                                                             MAX_TLS13_PLAIN_SZ;
18851
0
                }
18852
0
#endif
18853
0
#ifdef WOLFSSL_EXTRA_ALERTS
18854
0
                if (!IsAtLeastTLSv1_3(ssl->version))
18855
0
                    tooLong = ssl->curSize > MAX_TLS_CIPHER_SZ;
18856
0
#endif
18857
0
#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
18858
0
                if (tooLong) {
18859
0
                    WOLFSSL_MSG("Encrypted data too long");
18860
0
                    SendAlert(ssl, alert_fatal, record_overflow);
18861
0
                    return BUFFER_ERROR;
18862
0
                }
18863
0
#endif
18864
0
            }
18865
0
            ssl->keys.padSz = 0;
18866
18867
0
            ssl->options.processReply = verifyEncryptedMessage;
18868
0
            startIdx = ssl->buffers.inputBuffer.idx;  /* in case > 1 msg per */
18869
0
            FALL_THROUGH;
18870
18871
        /* verify digest of encrypted message */
18872
0
        case verifyEncryptedMessage:
18873
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18874
0
            if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
18875
0
                                   !atomicUser && ssl->options.startedETMRead) {
18876
0
                ret = VerifyMacEnc(ssl, ssl->buffers.inputBuffer.buffer +
18877
0
                                   ssl->buffers.inputBuffer.idx,
18878
0
                                   ssl->curSize, ssl->curRL.type);
18879
            #ifdef WOLFSSL_ASYNC_CRYPT
18880
                if (ret == WC_PENDING_E)
18881
                    return ret;
18882
            #endif
18883
0
                if (ret < 0) {
18884
0
                    WOLFSSL_MSG("VerifyMacEnc failed");
18885
0
                    WOLFSSL_ERROR(ret);
18886
                #ifdef WOLFSSL_DTLS
18887
                    /* If in DTLS mode, if the decrypt fails for any
18888
                     * reason, pretend the datagram never happened. */
18889
                    if (ssl->options.dtls) {
18890
                        ssl->options.processReply = doProcessInit;
18891
                        ssl->buffers.inputBuffer.idx =
18892
                                        ssl->buffers.inputBuffer.length;
18893
                        #ifdef WOLFSSL_DTLS_DROP_STATS
18894
                            ssl->macDropCount++;
18895
                        #endif /* WOLFSSL_DTLS_DROP_STATS */
18896
                    }
18897
                #endif /* WOLFSSL_DTLS */
18898
0
                #ifdef WOLFSSL_EXTRA_ALERTS
18899
0
                    if (!ssl->options.dtls)
18900
0
                        SendAlert(ssl, alert_fatal, bad_record_mac);
18901
0
                #endif
18902
0
                    WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
18903
0
                    return DECRYPT_ERROR;
18904
0
                }
18905
0
                ssl->keys.encryptSz    = ssl->curSize;
18906
0
            }
18907
0
#endif
18908
0
            ssl->options.processReply = decryptMessage;
18909
0
            FALL_THROUGH;
18910
18911
        /* decrypt message */
18912
0
        case decryptMessage:
18913
18914
0
            if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
18915
0
                                        (!IsAtLeastTLSv1_3(ssl->version) ||
18916
0
                                         ssl->curRL.type != change_cipher_spec))
18917
0
            {
18918
0
                bufferStatic* in = &ssl->buffers.inputBuffer;
18919
18920
0
                ret = SanityCheckCipherText(ssl, ssl->curSize);
18921
0
                if (ret < 0) {
18922
0
                #ifdef WOLFSSL_EXTRA_ALERTS
18923
0
                    SendAlert(ssl, alert_fatal, bad_record_mac);
18924
0
                #endif
18925
0
                    return ret;
18926
0
                }
18927
18928
0
                if (atomicUser) {
18929
        #ifdef ATOMIC_USER
18930
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18931
                    if (ssl->options.startedETMRead) {
18932
                        ret = ssl->ctx->VerifyDecryptCb(ssl,
18933
                                     in->buffer + in->idx, in->buffer + in->idx,
18934
                                     ssl->curSize - MacSize(ssl),
18935
                                     ssl->curRL.type, 1, &ssl->keys.padSz,
18936
                                     ssl->DecryptVerifyCtx);
18937
                    }
18938
                    else
18939
            #endif
18940
                    {
18941
                        ret = ssl->ctx->DecryptVerifyCb(ssl,
18942
                                      in->buffer + in->idx,
18943
                                      in->buffer + in->idx,
18944
                                      ssl->curSize, ssl->curRL.type, 1,
18945
                                      &ssl->keys.padSz, ssl->DecryptVerifyCtx);
18946
                    }
18947
        #endif /* ATOMIC_USER */
18948
0
                }
18949
0
                else {
18950
0
                    if (!ssl->options.tls1_3) {
18951
0
        #ifndef WOLFSSL_NO_TLS12
18952
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
18953
0
                    if (ssl->options.startedETMRead) {
18954
0
                        word32 digestSz = MacSize(ssl);
18955
0
                        ret = DecryptTls(ssl,
18956
0
                                      in->buffer + in->idx,
18957
0
                                      in->buffer + in->idx,
18958
0
                                      ssl->curSize - (word16)digestSz);
18959
0
                        if (ret == 0) {
18960
0
                            byte invalid = 0;
18961
0
                            byte padding = (byte)-1;
18962
0
                            word32 i;
18963
0
                            word32 off = in->idx + ssl->curSize - digestSz - 1;
18964
18965
                            /* Last of padding bytes - indicates length. */
18966
0
                            ssl->keys.padSz = in->buffer[off];
18967
                            /* Constant time checking of padding - don't leak
18968
                             * the length of the data.
18969
                             */
18970
                            /* Compare max pad bytes or at most data + pad. */
18971
0
                            for (i = 1; i < MAX_PAD_SIZE && off >= i; i++) {
18972
                                /* Mask on indicates this is expected to be a
18973
                                 * padding byte.
18974
                                 */
18975
0
                                padding &= ctMaskLTE(i, ssl->keys.padSz);
18976
                                /* When this is a padding byte and not equal
18977
                                 * to length then mask is set.
18978
                                 */
18979
0
                                invalid |= padding &
18980
0
                                           ctMaskNotEq(in->buffer[off - i],
18981
0
                                                       ssl->keys.padSz);
18982
0
                            }
18983
                            /* If mask is set then there was an error. */
18984
0
                            if (invalid) {
18985
0
                                ret = DECRYPT_ERROR;
18986
0
                            }
18987
0
                            ssl->keys.padSz += 1;
18988
0
                            ssl->keys.decryptedCur = 1;
18989
0
                        }
18990
0
                    }
18991
0
                    else
18992
0
            #endif
18993
0
                    {
18994
0
                        ret = DecryptTls(ssl,
18995
0
                                      in->buffer + in->idx,
18996
0
                                      in->buffer + in->idx,
18997
0
                                      ssl->curSize);
18998
0
                    }
18999
        #else
19000
                        ret = DECRYPT_ERROR;
19001
        #endif
19002
0
                    }
19003
0
                    else
19004
0
                    {
19005
0
                #ifdef WOLFSSL_TLS13
19006
0
                        byte *aad = (byte*)&ssl->curRL;
19007
0
                        word16 aad_size = RECORD_HEADER_SZ;
19008
                    #ifdef WOLFSSL_DTLS13
19009
                        if (ssl->options.dtls) {
19010
                            /* aad now points to the record header */
19011
                            aad = ssl->dtls13CurRL;
19012
                            aad_size = ssl->dtls13CurRlLength;
19013
                        }
19014
                    #endif /* WOLFSSL_DTLS13 */
19015
                        /* Don't send an alert for DTLS. We will just drop it
19016
                         * silently later. */
19017
0
                        ret = DecryptTls13(ssl,
19018
0
                                        in->buffer + in->idx,
19019
0
                                        in->buffer + in->idx,
19020
0
                                        ssl->curSize,
19021
0
                                        aad, aad_size);
19022
                #else
19023
                        ret = DECRYPT_ERROR;
19024
                #endif /* WOLFSSL_TLS13 */
19025
0
                    }
19026
0
                    (void)in;
19027
0
                }
19028
19029
            #ifdef WOLFSSL_ASYNC_CRYPT
19030
                if (ret == WC_PENDING_E)
19031
                    return ret;
19032
            #endif
19033
19034
0
                if (ret >= 0) {
19035
0
            #ifndef WOLFSSL_NO_TLS12
19036
                    /* handle success */
19037
0
                #ifndef WOLFSSL_AEAD_ONLY
19038
0
                    if (ssl->options.tls1_1 && ssl->specs.cipher_type == block)
19039
0
                        ssl->buffers.inputBuffer.idx += ssl->specs.block_size;
19040
0
                #endif
19041
                    /* go past TLSv1.1 IV */
19042
0
                    if (CipherHasExpIV(ssl))
19043
0
                        ssl->buffers.inputBuffer.idx += AESGCM_EXP_IV_SZ;
19044
0
            #endif
19045
0
                }
19046
0
                else {
19047
0
                    WOLFSSL_MSG("Decrypt failed");
19048
                #ifdef WOLFSSL_DTLS
19049
                    /* If in DTLS mode, if the decrypt fails for any
19050
                     * reason, pretend the datagram never happened. */
19051
                    if (ssl->options.dtls) {
19052
                        WOLFSSL_MSG("DTLS: Ignoring failed decryption");
19053
                        ssl->options.processReply = doProcessInit;
19054
                        ssl->buffers.inputBuffer.idx =
19055
                                        ssl->buffers.inputBuffer.length;
19056
                    #ifdef WOLFSSL_DTLS_DROP_STATS
19057
                        ssl->macDropCount++;
19058
                    #endif /* WOLFSSL_DTLS_DROP_STATS */
19059
                        return 0;
19060
                    }
19061
                #endif /* WOLFSSL_DTLS */
19062
                #ifdef WOLFSSL_EARLY_DATA
19063
                    if (ssl->options.tls1_3) {
19064
                         if (ssl->options.side == WOLFSSL_SERVER_END &&
19065
                                 ssl->earlyData != no_early_data &&
19066
                                 ssl->options.clientState <
19067
                                                     CLIENT_FINISHED_COMPLETE) {
19068
                            ssl->earlyDataSz += ssl->curSize;
19069
                            if (ssl->earlyDataSz <=
19070
                                                  ssl->options.maxEarlyDataSz) {
19071
                                WOLFSSL_MSG("Ignoring EarlyData!");
19072
                                if (ssl->keys.peer_sequence_number_lo-- == 0)
19073
                                    ssl->keys.peer_sequence_number_hi--;
19074
                                ssl->options.processReply = doProcessInit;
19075
                                ssl->buffers.inputBuffer.idx += ssl->curSize;
19076
                                if (ssl->buffers.inputBuffer.idx >
19077
                                    ssl->buffers.inputBuffer.length) {
19078
                                    WOLFSSL_ERROR(BUFFER_E);
19079
                                    return BUFFER_E;
19080
                                }
19081
19082
                                return 0;
19083
                            }
19084
                            WOLFSSL_MSG("Too much EarlyData!");
19085
                            SendAlert(ssl, alert_fatal, unexpected_message);
19086
                            WOLFSSL_ERROR(TOO_MUCH_EARLY_DATA);
19087
                            return TOO_MUCH_EARLY_DATA;
19088
                        }
19089
                    }
19090
                #endif
19091
0
                    SendAlert(ssl, alert_fatal, bad_record_mac);
19092
                    /* Push error once we know that we will error out here */
19093
0
                    WOLFSSL_ERROR(ret);
19094
0
                    return ret;
19095
0
                }
19096
0
            }
19097
19098
0
            ssl->options.processReply = verifyMessage;
19099
0
            FALL_THROUGH;
19100
19101
        /* verify digest of message */
19102
0
        case verifyMessage:
19103
19104
0
            if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0 &&
19105
0
                                        (!IsAtLeastTLSv1_3(ssl->version) ||
19106
0
                                         ssl->curRL.type != change_cipher_spec))
19107
0
            {
19108
0
                if (!atomicUser
19109
0
#if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
19110
0
                                && !ssl->options.startedETMRead
19111
0
#endif
19112
0
                    ) {
19113
0
                    ret = VerifyMac(ssl, ssl->buffers.inputBuffer.buffer +
19114
0
                                    ssl->buffers.inputBuffer.idx,
19115
0
                                    ssl->curSize, ssl->curRL.type,
19116
0
                                    &ssl->keys.padSz);
19117
                #ifdef WOLFSSL_ASYNC_CRYPT
19118
                    if (ret == WC_PENDING_E)
19119
                        return ret;
19120
                #endif
19121
0
                    if (ret < 0) {
19122
0
                        WOLFSSL_MSG("VerifyMac failed");
19123
0
                        WOLFSSL_ERROR(ret);
19124
                    #ifdef WOLFSSL_DTLS
19125
                        /* If in DTLS mode, if the decrypt fails for any
19126
                         * reason, pretend the datagram never happened. */
19127
                        if (ssl->options.dtls) {
19128
                            ssl->options.processReply = doProcessInit;
19129
                            ssl->buffers.inputBuffer.idx =
19130
                                            ssl->buffers.inputBuffer.length;
19131
                            #ifdef WOLFSSL_DTLS_DROP_STATS
19132
                                ssl->macDropCount++;
19133
                            #endif /* WOLFSSL_DTLS_DROP_STATS */
19134
                        }
19135
                    #endif /* WOLFSSL_DTLS */
19136
0
                    #ifdef WOLFSSL_EXTRA_ALERTS
19137
0
                        if (!ssl->options.dtls)
19138
0
                            SendAlert(ssl, alert_fatal, bad_record_mac);
19139
0
                    #endif
19140
0
                        WOLFSSL_ERROR_VERBOSE(DECRYPT_ERROR);
19141
0
                        return DECRYPT_ERROR;
19142
0
                    }
19143
0
                }
19144
19145
0
                ssl->keys.encryptSz    = ssl->curSize;
19146
0
                ssl->keys.decryptedCur = 1;
19147
0
#ifdef WOLFSSL_TLS13
19148
0
                if (ssl->options.tls1_3) {
19149
                    /* end of plaintext */
19150
0
                    word16 i = (word16)(ssl->buffers.inputBuffer.idx +
19151
0
                                 ssl->curSize - ssl->specs.aead_mac_size);
19152
19153
0
                    if (i > ssl->buffers.inputBuffer.length) {
19154
0
                        WOLFSSL_ERROR(BUFFER_ERROR);
19155
0
                        return BUFFER_ERROR;
19156
0
                    }
19157
19158
                    /* Remove padding from end of plain text. */
19159
0
                    for (--i; i > ssl->buffers.inputBuffer.idx; i--) {
19160
0
                        if (ssl->buffers.inputBuffer.buffer[i] != 0)
19161
0
                            break;
19162
0
                    }
19163
19164
                    /* Get the real content type from the end of the data. */
19165
0
                    ssl->curRL.type = ssl->buffers.inputBuffer.buffer[i];
19166
                    /* consider both contentType byte and MAC as padding */
19167
0
                    ssl->keys.padSz = ssl->buffers.inputBuffer.idx
19168
0
                        + ssl->curSize - i;
19169
0
                }
19170
0
#endif
19171
0
            }
19172
19173
0
            ssl->options.processReply = runProcessingOneRecord;
19174
0
            FALL_THROUGH;
19175
19176
        /* the record layer is here */
19177
0
        case runProcessingOneRecord:
19178
#ifdef WOLFSSL_DTLS13
19179
            if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
19180
19181
                if(!Dtls13CheckWindow(ssl)) {
19182
                    /* drop packet */
19183
                    WOLFSSL_MSG(
19184
                            "Dropping DTLS record outside receiving window");
19185
                    ssl->options.processReply = doProcessInit;
19186
                    ssl->buffers.inputBuffer.idx += ssl->curSize;
19187
                    if (ssl->buffers.inputBuffer.idx >
19188
                            ssl->buffers.inputBuffer.length)
19189
                        return BUFFER_E;
19190
19191
                    continue;
19192
                }
19193
19194
                ret = Dtls13UpdateWindow(ssl);
19195
                if (ret != 1) {
19196
                    WOLFSSL_ERROR(ret);
19197
                    return ret;
19198
                }
19199
19200
                ret = Dtls13RecordRecvd(ssl);
19201
                if (ret != 0) {
19202
                    WOLFSSL_ERROR(ret);
19203
                    return ret;
19204
                }
19205
            }
19206
#endif /* WOLFSSL_DTLS13 */
19207
0
            ssl->options.processReply = runProcessingOneMessage;
19208
0
            FALL_THROUGH;
19209
19210
0
        case runProcessingOneMessage:
19211
            /* can't process a message if we have no data.  */
19212
0
            if (ssl->buffers.inputBuffer.idx
19213
0
                    >= ssl->buffers.inputBuffer.length) {
19214
0
                return BUFFER_ERROR;
19215
0
            }
19216
0
       #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
19217
0
            if (IsEncryptionOn(ssl, 0) && ssl->options.startedETMRead) {
19218
                /* For TLS v1.1 the block size and explcit IV are added to idx,
19219
                 * so it needs to be included in this limit check */
19220
0
                if ((ssl->curSize - ssl->keys.padSz -
19221
0
                        (ssl->buffers.inputBuffer.idx - startIdx) -
19222
0
                        MacSize(ssl) > MAX_PLAINTEXT_SZ)
19223
#ifdef WOLFSSL_ASYNC_CRYPT
19224
                        && ssl->buffers.inputBuffer.length !=
19225
                                ssl->buffers.inputBuffer.idx
19226
#endif
19227
0
                                ) {
19228
0
                    WOLFSSL_MSG("Plaintext too long - Encrypt-Then-MAC");
19229
0
            #if defined(WOLFSSL_EXTRA_ALERTS)
19230
0
                    SendAlert(ssl, alert_fatal, record_overflow);
19231
0
            #endif
19232
0
                    WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
19233
0
                    return BUFFER_ERROR;
19234
0
                }
19235
0
            }
19236
0
            else
19237
0
       #endif
19238
                /* TLS13 plaintext limit is checked earlier before decryption */
19239
                /* For TLS v1.1 the block size and explcit IV are added to idx,
19240
                 * so it needs to be included in this limit check */
19241
0
                if (!IsAtLeastTLSv1_3(ssl->version)
19242
0
                        && ssl->curSize - ssl->keys.padSz -
19243
0
                            (ssl->buffers.inputBuffer.idx - startIdx)
19244
0
                                > MAX_PLAINTEXT_SZ
19245
#ifdef WOLFSSL_ASYNC_CRYPT
19246
                        && ssl->buffers.inputBuffer.length !=
19247
                                ssl->buffers.inputBuffer.idx
19248
#endif
19249
0
                                ) {
19250
0
                WOLFSSL_MSG("Plaintext too long");
19251
0
#if defined(WOLFSSL_TLS13) || defined(WOLFSSL_EXTRA_ALERTS)
19252
0
                SendAlert(ssl, alert_fatal, record_overflow);
19253
0
#endif
19254
0
                WOLFSSL_ERROR_VERBOSE(BUFFER_ERROR);
19255
0
                return BUFFER_ERROR;
19256
0
            }
19257
19258
#ifdef WOLFSSL_DTLS
19259
            if (IsDtlsNotSctpMode(ssl) && !IsAtLeastTLSv1_3(ssl->version)) {
19260
                _DtlsUpdateWindow(ssl);
19261
            }
19262
19263
            if (ssl->options.dtls) {
19264
                /* Reset timeout as we have received a valid DTLS message */
19265
                ssl->dtls_timeout = ssl->dtls_timeout_init;
19266
            }
19267
#endif /* WOLFSSL_DTLS */
19268
19269
0
            WOLFSSL_MSG("received record layer msg");
19270
19271
0
            switch (ssl->curRL.type) {
19272
0
                case handshake :
19273
0
                    WOLFSSL_MSG("got HANDSHAKE");
19274
                    /* debugging in DoHandShakeMsg */
19275
0
                    if (ssl->options.dtls) {
19276
#ifdef WOLFSSL_DTLS
19277
                        if (!IsAtLeastTLSv1_3(ssl->version)) {
19278
                                ret = DoDtlsHandShakeMsg(ssl,
19279
                                                         ssl->buffers.inputBuffer.buffer,
19280
                                                         &ssl->buffers.inputBuffer.idx,
19281
                                                         ssl->buffers.inputBuffer.length);
19282
                        }
19283
#endif
19284
#ifdef WOLFSSL_DTLS13
19285
                        if (IsAtLeastTLSv1_3(ssl->version)) {
19286
                            ret = Dtls13HandshakeRecv(ssl,
19287
                                ssl->buffers.inputBuffer.buffer,
19288
                                &ssl->buffers.inputBuffer.idx,
19289
                                ssl->buffers.inputBuffer.length);
19290
#ifdef WOLFSSL_EARLY_DATA
19291
                            if (ret == 0 &&
19292
                                ssl->options.side == WOLFSSL_SERVER_END &&
19293
                                ssl->earlyData > early_data_ext &&
19294
                                ssl->options.handShakeState == HANDSHAKE_DONE) {
19295
19296
                                /* return so wolfSSL_read_early_data can return
19297
                                   exit */
19298
                                ssl->earlyData = no_early_data;
19299
                                ssl->options.processReply = doProcessInit;
19300
19301
                                return ZERO_RETURN;
19302
                            }
19303
#endif /* WOLFSSL_EARLY_DATA */
19304
19305
                        }
19306
#endif /* WOLFSSL_DTLS13 */
19307
0
                    }
19308
0
                    else if (!IsAtLeastTLSv1_3(ssl->version)
19309
0
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12)
19310
0
                            || !TLSv1_3_Capable(ssl)
19311
0
#endif
19312
0
                            ) {
19313
0
#ifndef WOLFSSL_NO_TLS12
19314
0
                        ret = DoHandShakeMsg(ssl,
19315
0
                                            ssl->buffers.inputBuffer.buffer,
19316
0
                                            &ssl->buffers.inputBuffer.idx,
19317
0
                                            ssl->buffers.inputBuffer.length);
19318
#else
19319
                        ret = BUFFER_ERROR;
19320
#endif
19321
0
                    }
19322
0
                    else {
19323
0
#ifdef WOLFSSL_TLS13
19324
0
                        ssl->msgsReceived.got_change_cipher = 0;
19325
0
                        ret = DoTls13HandShakeMsg(ssl,
19326
0
                                            ssl->buffers.inputBuffer.buffer,
19327
0
                                            &ssl->buffers.inputBuffer.idx,
19328
0
                                            ssl->buffers.inputBuffer.length);
19329
    #ifdef WOLFSSL_EARLY_DATA
19330
                        if (ret != 0)
19331
                            return ret;
19332
                        if (ssl->options.side == WOLFSSL_SERVER_END &&
19333
                                ssl->earlyData > early_data_ext &&
19334
                                ssl->options.handShakeState == HANDSHAKE_DONE) {
19335
                            ssl->earlyData = no_early_data;
19336
                            ssl->options.processReply = doProcessInit;
19337
                            return ZERO_RETURN;
19338
                        }
19339
    #endif
19340
#else
19341
                        ret = BUFFER_ERROR;
19342
#endif
19343
0
                    }
19344
0
                    if (ret != 0
19345
                            /* DoDtlsHandShakeMsg can return a WANT_WRITE when
19346
                             * calling DtlsMsgPoolSend. This msg is done
19347
                             * processing so let's move on. */
19348
0
                        && (!ssl->options.dtls
19349
0
                            || ret != WANT_WRITE)
19350
#ifdef WOLFSSL_ASYNC_CRYPT
19351
                    /* In async case, on pending, move onto next message.
19352
                     * Current message should have been DtlsMsgStore'ed and
19353
                     * should be processed with DtlsMsgDrain */
19354
                            && (!ssl->options.dtls
19355
                                || ret != WC_PENDING_E)
19356
#endif
19357
0
                    ) {
19358
0
                        WOLFSSL_ERROR(ret);
19359
0
                        return ret;
19360
0
                    }
19361
0
                    break;
19362
19363
0
                case change_cipher_spec:
19364
0
                    WOLFSSL_MSG("got CHANGE CIPHER SPEC");
19365
0
                    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
19366
0
                        if (ssl->hsInfoOn)
19367
0
                            AddPacketName(ssl, "ChangeCipher");
19368
                        /* add record header back on info */
19369
0
                        if (ssl->toInfoOn) {
19370
0
                            AddPacketInfo(ssl, "ChangeCipher",
19371
0
                                change_cipher_spec,
19372
0
                                ssl->buffers.inputBuffer.buffer +
19373
0
                                ssl->buffers.inputBuffer.idx - RECORD_HEADER_SZ -
19374
0
                                (ssl->options.dtls ? DTLS_RECORD_EXTRA : 0),
19375
0
                                1 + RECORD_HEADER_SZ, READ_PROTO, ssl->heap);
19376
                            #ifdef WOLFSSL_CALLBACKS
19377
                            AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
19378
                            #endif
19379
0
                        }
19380
0
                    #endif
19381
19382
0
#ifdef WOLFSSL_TLS13
19383
0
                    if (IsAtLeastTLSv1_3(ssl->version)) {
19384
0
                        word32 i = ssl->buffers.inputBuffer.idx;
19385
0
                        if (ssl->options.handShakeState == HANDSHAKE_DONE) {
19386
0
                            SendAlert(ssl, alert_fatal, unexpected_message);
19387
0
                            WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE);
19388
0
                            return UNKNOWN_RECORD_TYPE;
19389
0
                        }
19390
0
                        if (ssl->curSize != 1 ||
19391
0
                                      ssl->buffers.inputBuffer.buffer[i] != 1) {
19392
0
                            SendAlert(ssl, alert_fatal, illegal_parameter);
19393
0
                            WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE);
19394
0
                            return UNKNOWN_RECORD_TYPE;
19395
0
                        }
19396
0
                        ssl->buffers.inputBuffer.idx++;
19397
0
                        if (!ssl->msgsReceived.got_change_cipher) {
19398
0
                            ssl->msgsReceived.got_change_cipher = 1;
19399
0
                        }
19400
0
                        else {
19401
0
                            SendAlert(ssl, alert_fatal, illegal_parameter);
19402
0
                            WOLFSSL_ERROR_VERBOSE(UNKNOWN_RECORD_TYPE);
19403
0
                            return UNKNOWN_RECORD_TYPE;
19404
0
                        }
19405
0
                        break;
19406
0
                    }
19407
0
#endif
19408
19409
0
#ifndef WOLFSSL_NO_TLS12
19410
0
                    if (ssl->buffers.inputBuffer.idx >=
19411
0
                            ssl->buffers.inputBuffer.length ||
19412
0
                            ssl->curSize < 1) {
19413
0
                        WOLFSSL_MSG("ChangeCipher msg too short");
19414
0
                        WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
19415
0
                        return LENGTH_ERROR;
19416
0
                    }
19417
0
                    if (ssl->buffers.inputBuffer.buffer[
19418
0
                            ssl->buffers.inputBuffer.idx] != 1) {
19419
0
                        WOLFSSL_MSG("ChangeCipher msg wrong value");
19420
0
                        WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
19421
0
                        return LENGTH_ERROR;
19422
0
                    }
19423
19424
0
                    if (IsEncryptionOn(ssl, 0) && ssl->options.handShakeDone) {
19425
0
#ifdef HAVE_AEAD
19426
0
                        if (ssl->specs.cipher_type == aead) {
19427
0
                            if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
19428
0
                                ssl->curSize -= AESGCM_EXP_IV_SZ;
19429
0
                            ssl->buffers.inputBuffer.idx += ssl->specs.aead_mac_size;
19430
0
                            ssl->curSize -= ssl->specs.aead_mac_size;
19431
0
                        }
19432
0
                        else
19433
0
#endif
19434
0
                        {
19435
0
                            ssl->buffers.inputBuffer.idx += ssl->keys.padSz;
19436
0
                            ssl->curSize -= (word16)ssl->keys.padSz;
19437
0
                            ssl->curSize -= ssl->specs.iv_size;
19438
0
                        }
19439
19440
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
19441
0
                        if (ssl->options.startedETMRead) {
19442
0
                            word32 digestSz = MacSize(ssl);
19443
0
                            ssl->buffers.inputBuffer.idx += digestSz;
19444
0
                            ssl->curSize -= (word16)digestSz;
19445
0
                        }
19446
0
            #endif
19447
0
                    }
19448
19449
0
                    if (ssl->curSize != 1) {
19450
0
                        WOLFSSL_MSG("Malicious or corrupted ChangeCipher msg");
19451
0
                        WOLFSSL_ERROR_VERBOSE(LENGTH_ERROR);
19452
0
                        return LENGTH_ERROR;
19453
0
                    }
19454
19455
0
                    ssl->buffers.inputBuffer.idx++;
19456
19457
0
                    ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
19458
0
                    if (ret != 0) {
19459
0
                        if (!ssl->options.dtls) {
19460
0
                            return ret;
19461
0
                        }
19462
0
                        else {
19463
                        #ifdef WOLFSSL_DTLS
19464
                        /* Check for duplicate CCS message in DTLS mode.
19465
                         * DTLS allows for duplicate messages, and it should be
19466
                         * skipped. Also skip if out of order. */
19467
                            if (ret != DUPLICATE_MSG_E && ret != OUT_OF_ORDER_E)
19468
                                return ret;
19469
                            /* Reset error */
19470
                            ret = 0;
19471
                            break;
19472
                        #endif /* WOLFSSL_DTLS */
19473
0
                        }
19474
0
                    }
19475
19476
0
                    ssl->keys.encryptionOn = 1;
19477
19478
                    /* setup decrypt keys for following messages */
19479
                    /* XXX This might not be what we want to do when
19480
                     * receiving a CCS with multicast. We update the
19481
                     * key when the application updates them. */
19482
0
                    if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
19483
0
                        return ret;
19484
19485
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
19486
0
                    ssl->options.startedETMRead = ssl->options.encThenMac;
19487
0
            #endif
19488
19489
                    #ifdef WOLFSSL_DTLS
19490
                        if (ssl->options.dtls) {
19491
                            WOLFSSL_DTLS_PEERSEQ* peerSeq = ssl->keys.peerSeq;
19492
#ifdef WOLFSSL_MULTICAST
19493
                            if (ssl->options.haveMcast) {
19494
                                peerSeq += ssl->keys.curPeerId;
19495
                                peerSeq->highwaterMark = UpdateHighwaterMark(0,
19496
                                        ssl->ctx->mcastFirstSeq,
19497
                                        ssl->ctx->mcastSecondSeq,
19498
                                        ssl->ctx->mcastMaxSeq);
19499
                            }
19500
#endif
19501
                            peerSeq->nextEpoch++;
19502
                            peerSeq->prevSeq_lo = peerSeq->nextSeq_lo;
19503
                            peerSeq->prevSeq_hi = peerSeq->nextSeq_hi;
19504
                            peerSeq->nextSeq_lo = 0;
19505
                            peerSeq->nextSeq_hi = 0;
19506
                            XMEMCPY(peerSeq->prevWindow, peerSeq->window,
19507
                                    DTLS_SEQ_SZ);
19508
                            XMEMSET(peerSeq->window, 0, DTLS_SEQ_SZ);
19509
                        }
19510
                    #endif
19511
19512
                    #ifdef HAVE_LIBZ
19513
                        if (ssl->options.usingCompression)
19514
                            if ( (ret = InitStreams(ssl)) != 0)
19515
                                return ret;
19516
                    #endif
19517
0
                    ret = BuildFinished(ssl, &ssl->hsHashes->verifyHashes,
19518
0
                                       ssl->options.side == WOLFSSL_CLIENT_END ?
19519
0
                                       kTlsServerStr : kTlsClientStr);
19520
0
                    if (ret != 0)
19521
0
                        return ret;
19522
0
#endif /* !WOLFSSL_NO_TLS12 */
19523
0
                    break;
19524
19525
0
                case application_data:
19526
0
                    WOLFSSL_MSG("got app DATA");
19527
                    #ifdef WOLFSSL_DTLS
19528
                        if (ssl->options.dtls && ssl->options.dtlsHsRetain) {
19529
                        #ifdef HAVE_SECURE_RENEGOTIATION
19530
                            /*
19531
                             * Only free HS resources when not in the process of a
19532
                             * secure renegotiation and we have received APP DATA
19533
                             * from the current epoch
19534
                             */
19535
                            if (!IsSCR(ssl) && (DtlsUseSCRKeys(ssl)
19536
                                    || !DtlsSCRKeysSet(ssl))) {
19537
                                FreeHandshakeResources(ssl);
19538
                                ssl->options.dtlsHsRetain = 0;
19539
                            }
19540
                        #else
19541
                            FreeHandshakeResources(ssl);
19542
                            ssl->options.dtlsHsRetain = 0;
19543
                        #endif
19544
                        }
19545
                    #endif
19546
0
                    #ifdef WOLFSSL_TLS13
19547
0
                        if (ssl->keys.keyUpdateRespond) {
19548
0
                            WOLFSSL_MSG("No KeyUpdate from peer seen");
19549
0
                            WOLFSSL_ERROR_VERBOSE(SANITY_MSG_E);
19550
0
                            return SANITY_MSG_E;
19551
0
                        }
19552
0
                    #endif
19553
0
                    if ((ret = DoApplicationData(ssl,
19554
0
                                                ssl->buffers.inputBuffer.buffer,
19555
0
                                                &ssl->buffers.inputBuffer.idx,
19556
0
                                                              NO_SNIFF)) != 0) {
19557
0
                        WOLFSSL_ERROR(ret);
19558
0
                        return ret;
19559
0
                    }
19560
0
                    break;
19561
19562
0
                case alert:
19563
0
                    WOLFSSL_MSG("got ALERT!");
19564
0
                    ret = DoAlert(ssl, ssl->buffers.inputBuffer.buffer,
19565
0
                                  &ssl->buffers.inputBuffer.idx, &type);
19566
0
                    if (ret == alert_fatal)
19567
0
                        return FATAL_ERROR;
19568
0
                    else if (ret < 0)
19569
0
                        return ret;
19570
19571
                    /* catch warnings that are handled as errors */
19572
0
                    if (type == close_notify) {
19573
0
                        ssl->buffers.inputBuffer.idx =
19574
0
                            ssl->buffers.inputBuffer.length;
19575
0
                        ssl->options.processReply = doProcessInit;
19576
0
                        return ssl->error = ZERO_RETURN;
19577
0
                    }
19578
19579
0
                    if (type == decrypt_error)
19580
0
                        return FATAL_ERROR;
19581
19582
                    /* Reset error if we got an alert level in ret */
19583
0
                    if (ret > 0)
19584
0
                        ret = 0;
19585
0
                    break;
19586
19587
#ifdef WOLFSSL_DTLS13
19588
            case ack:
19589
                WOLFSSL_MSG("got ACK");
19590
                if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
19591
                    word32 processedSize = 0;
19592
                    ret = DoDtls13Ack(ssl, ssl->buffers.inputBuffer.buffer +
19593
                                             ssl->buffers.inputBuffer.idx,
19594
                                             ssl->buffers.inputBuffer.length -
19595
                                             ssl->buffers.inputBuffer.idx -
19596
                                             ssl->keys.padSz, &processedSize);
19597
                    ssl->buffers.inputBuffer.idx += processedSize;
19598
                    ssl->buffers.inputBuffer.idx += ssl->keys.padSz;
19599
                    break;
19600
                }
19601
                FALL_THROUGH;
19602
#endif /* WOLFSSL_DTLS13 */
19603
0
                default:
19604
0
                    WOLFSSL_ERROR(UNKNOWN_RECORD_TYPE);
19605
0
                    return UNKNOWN_RECORD_TYPE;
19606
0
            }
19607
19608
0
            ssl->options.processReply = doProcessInit;
19609
19610
            /* input exhausted */
19611
0
            if (ssl->buffers.inputBuffer.idx >= ssl->buffers.inputBuffer.length
19612
#ifdef WOLFSSL_DTLS
19613
                /* If app data was processed then return now to avoid
19614
                 * dropping any app data. */
19615
                || (ssl->options.dtls && ssl->curRL.type == application_data)
19616
#endif
19617
0
                ) {
19618
                /* Shrink input buffer when we successfully finish record
19619
                 * processing */
19620
0
                if (ret == 0 && ssl->buffers.inputBuffer.dynamicFlag)
19621
0
                    ShrinkInputBuffer(ssl, NO_FORCED_FREE);
19622
0
                return ret;
19623
0
            }
19624
            /* more messages per record */
19625
0
            else if ((ssl->buffers.inputBuffer.idx - startIdx) < ssl->curSize) {
19626
0
                WOLFSSL_MSG("More messages in record");
19627
19628
0
                ssl->options.processReply = runProcessingOneMessage;
19629
19630
0
                if (IsEncryptionOn(ssl, 0)) {
19631
0
                    WOLFSSL_MSG("Bundled encrypted messages, remove middle pad");
19632
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
19633
0
                    if (ssl->options.startedETMRead) {
19634
0
                        word32 digestSz = MacSize(ssl);
19635
0
                        if (ssl->buffers.inputBuffer.idx >=
19636
0
                                                   ssl->keys.padSz + digestSz) {
19637
0
                            ssl->buffers.inputBuffer.idx -=
19638
0
                                                     ssl->keys.padSz + digestSz;
19639
0
                        }
19640
0
                        else {
19641
0
                            WOLFSSL_MSG("\tmiddle padding error");
19642
0
                            WOLFSSL_ERROR_VERBOSE(FATAL_ERROR);
19643
0
                            return FATAL_ERROR;
19644
0
                        }
19645
0
                    }
19646
0
                    else
19647
0
             #endif
19648
0
                    {
19649
0
                        if (ssl->buffers.inputBuffer.idx >= ssl->keys.padSz) {
19650
0
                            ssl->buffers.inputBuffer.idx -= ssl->keys.padSz;
19651
0
                        }
19652
0
                        else {
19653
0
                            WOLFSSL_MSG("\tmiddle padding error");
19654
0
                            WOLFSSL_ERROR_VERBOSE(FATAL_ERROR);
19655
0
                            return FATAL_ERROR;
19656
0
                        }
19657
0
                    }
19658
0
                }
19659
0
            }
19660
            /* more records */
19661
0
            else {
19662
0
                WOLFSSL_MSG("More records in input");
19663
0
            }
19664
#ifdef WOLFSSL_ASYNC_CRYPT
19665
            /* We are setup to read next message/record but we had an error
19666
             * (probably WC_PENDING_E) so return that so it can be handled
19667
             * by higher layers. */
19668
            if (ret != 0)
19669
                return ret;
19670
#endif
19671
            /* It is safe to shrink the input buffer here now. local vars will
19672
             * be reset to the new starting value. */
19673
0
            if (ret == 0 && ssl->buffers.inputBuffer.dynamicFlag)
19674
0
                ShrinkInputBuffer(ssl, NO_FORCED_FREE);
19675
0
            continue;
19676
0
        default:
19677
0
            WOLFSSL_MSG("Bad process input state, programming error");
19678
0
            WOLFSSL_ERROR_VERBOSE(INPUT_CASE_ERROR);
19679
0
            return INPUT_CASE_ERROR;
19680
0
        }
19681
0
    }
19682
0
}
19683
19684
#if !defined(WOLFSSL_NO_TLS12) || !defined(NO_OLD_TLS) || \
19685
             (defined(WOLFSSL_TLS13) && defined(WOLFSSL_TLS13_MIDDLEBOX_COMPAT))
19686
int SendChangeCipher(WOLFSSL* ssl)
19687
0
{
19688
0
    byte              *output;
19689
0
    int                sendSz = RECORD_HEADER_SZ + ENUM_LEN;
19690
0
    int                idx    = RECORD_HEADER_SZ;
19691
0
    int                ret;
19692
19693
0
    #ifdef OPENSSL_EXTRA
19694
0
    ssl->cbmode = SSL_CB_MODE_WRITE;
19695
0
    if (ssl->options.side == WOLFSSL_SERVER_END){
19696
0
        ssl->options.serverState = SERVER_CHANGECIPHERSPEC_COMPLETE;
19697
0
        if (ssl->CBIS != NULL)
19698
0
            ssl->CBIS(ssl, SSL_CB_ACCEPT_LOOP, SSL_SUCCESS);
19699
0
    }
19700
0
    else{
19701
0
        ssl->options.clientState =
19702
0
            CLIENT_CHANGECIPHERSPEC_COMPLETE;
19703
0
        if (ssl->CBIS != NULL)
19704
0
            ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, SSL_SUCCESS);
19705
0
    }
19706
0
    #endif
19707
19708
    #ifdef WOLFSSL_DTLS
19709
        if (ssl->options.dtls) {
19710
            sendSz += DTLS_RECORD_EXTRA;
19711
            idx    += DTLS_RECORD_EXTRA;
19712
        }
19713
    #endif
19714
19715
    /* are we in scr */
19716
0
    if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
19717
0
        sendSz += MAX_MSG_EXTRA;
19718
0
    }
19719
19720
    /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
19721
     * is not advanced yet */
19722
0
    ssl->options.buildingMsg = 1;
19723
19724
    /* check for available size */
19725
0
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
19726
0
        return ret;
19727
19728
    /* get output buffer */
19729
0
    output = ssl->buffers.outputBuffer.buffer +
19730
0
             ssl->buffers.outputBuffer.length;
19731
19732
0
    AddRecordHeader(output, 1, change_cipher_spec, ssl, CUR_ORDER);
19733
19734
0
    output[idx] = 1;             /* turn it on */
19735
19736
0
    if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
19737
0
        byte input[ENUM_LEN];
19738
0
        int  inputSz = ENUM_LEN;
19739
19740
0
        input[0] = 1;  /* turn it on */
19741
    #ifdef WOLFSSL_DTLS
19742
        if (IsDtlsNotSctpMode(ssl) &&
19743
                (ret = DtlsMsgPoolSave(ssl, input, inputSz, change_cipher_hs)) != 0) {
19744
            return ret;
19745
        }
19746
    #endif
19747
0
        sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
19748
0
                              change_cipher_spec, 0, 0, 0, CUR_ORDER);
19749
0
        if (sendSz < 0) {
19750
0
            return sendSz;
19751
0
        }
19752
0
    }
19753
    #ifdef WOLFSSL_DTLS
19754
    else {
19755
        if (IsDtlsNotSctpMode(ssl)) {
19756
            if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, change_cipher_hs)) != 0)
19757
                return ret;
19758
            DtlsSEQIncrement(ssl, CUR_ORDER);
19759
        }
19760
    }
19761
    #endif
19762
0
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
19763
0
        if (ssl->hsInfoOn) AddPacketName(ssl, "ChangeCipher");
19764
0
        if (ssl->toInfoOn)
19765
0
            AddPacketInfo(ssl, "ChangeCipher", change_cipher_spec, output,
19766
0
                    sendSz, WRITE_PROTO, ssl->heap);
19767
0
    #endif
19768
0
    ssl->buffers.outputBuffer.length += sendSz;
19769
19770
0
#ifdef WOLFSSL_TLS13
19771
0
    if (!ssl->options.tls1_3)
19772
0
#endif
19773
0
    {
19774
        /* setup encrypt keys */
19775
0
        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
19776
0
            return ret;
19777
19778
0
    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
19779
0
        ssl->options.startedETMWrite = ssl->options.encThenMac;
19780
0
    #endif
19781
0
    }
19782
19783
0
    ssl->options.buildingMsg = 0;
19784
19785
0
    if (ssl->options.groupMessages)
19786
0
        return 0;
19787
    #if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_DEBUG_DTLS)
19788
    else if (ssl->options.dtls) {
19789
        /* If using DTLS, force the ChangeCipherSpec message to be in the
19790
         * same datagram as the finished message. */
19791
        return 0;
19792
    }
19793
    #endif
19794
0
    else
19795
0
        return SendBuffered(ssl);
19796
0
}
19797
#endif
19798
19799
19800
#if !defined(NO_OLD_TLS) && !defined(WOLFSSL_AEAD_ONLY)
19801
static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
19802
                    int padLen, int content, int verify, int epochOrder)
19803
0
{
19804
0
    byte   result[WC_MAX_DIGEST_SIZE];
19805
0
    word32 digestSz = ssl->specs.hash_size;            /* actual sizes */
19806
0
    word32 padSz    = ssl->specs.pad_size;
19807
0
    int    ret      = 0;
19808
19809
0
    wc_Md5 md5;
19810
0
    wc_Sha sha;
19811
19812
    /* data */
19813
0
    byte seq[SEQ_SZ];
19814
0
    byte conLen[ENUM_LEN + LENGTH_SZ];     /* content & length */
19815
0
    const byte* macSecret = NULL;
19816
19817
0
    (void)padLen;
19818
19819
#ifdef HAVE_FUZZER
19820
    if (ssl->fuzzerCb)
19821
        ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx);
19822
#endif
19823
19824
#ifdef WOLFSSL_DTLS
19825
    if (ssl->options.dtls)
19826
        macSecret = wolfSSL_GetDtlsMacSecret(ssl, verify, epochOrder);
19827
    else
19828
        macSecret = wolfSSL_GetMacSecret(ssl, verify);
19829
#else
19830
0
    macSecret = wolfSSL_GetMacSecret(ssl, verify);
19831
0
#endif
19832
19833
0
    XMEMSET(seq, 0, SEQ_SZ);
19834
0
    conLen[0] = (byte)content;
19835
0
    c16toa((word16)sz, &conLen[ENUM_LEN]);
19836
0
    WriteSEQ(ssl, epochOrder, seq);
19837
19838
0
    if (ssl->specs.mac_algorithm == md5_mac) {
19839
0
        ret =  wc_InitMd5_ex(&md5, ssl->heap, ssl->devId);
19840
0
        if (ret != 0)
19841
0
            return ret;
19842
19843
        /* inner */
19844
0
        ret =  wc_Md5Update(&md5, macSecret, digestSz);
19845
0
        ret |= wc_Md5Update(&md5, PAD1, padSz);
19846
0
        ret |= wc_Md5Update(&md5, seq, SEQ_SZ);
19847
0
        ret |= wc_Md5Update(&md5, conLen, sizeof(conLen));
19848
        /* in buffer */
19849
0
        ret |= wc_Md5Update(&md5, in, sz);
19850
0
        if (ret != 0) {
19851
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
19852
0
            return VERIFY_MAC_ERROR;
19853
0
        }
19854
0
        ret = wc_Md5Final(&md5, result);
19855
    #ifdef WOLFSSL_ASYNC_CRYPT
19856
        /* TODO: Make non-blocking */
19857
        if (ret == WC_PENDING_E) {
19858
            ret = wc_AsyncWait(ret, &md5.asyncDev, WC_ASYNC_FLAG_NONE);
19859
        }
19860
    #endif
19861
0
        if (ret != 0) {
19862
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
19863
0
            return VERIFY_MAC_ERROR;
19864
0
        }
19865
19866
        /* outer */
19867
0
        ret =  wc_Md5Update(&md5, macSecret, digestSz);
19868
0
        ret |= wc_Md5Update(&md5, PAD2, padSz);
19869
0
        ret |= wc_Md5Update(&md5, result, digestSz);
19870
0
        if (ret != 0) {
19871
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
19872
0
            return VERIFY_MAC_ERROR;
19873
0
        }
19874
0
        ret =  wc_Md5Final(&md5, digest);
19875
    #ifdef WOLFSSL_ASYNC_CRYPT
19876
        /* TODO: Make non-blocking */
19877
        if (ret == WC_PENDING_E) {
19878
            ret = wc_AsyncWait(ret, &md5.asyncDev, WC_ASYNC_FLAG_NONE);
19879
        }
19880
    #endif
19881
0
        if (ret != 0) {
19882
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
19883
0
            return VERIFY_MAC_ERROR;
19884
0
        }
19885
19886
0
        wc_Md5Free(&md5);
19887
0
    }
19888
0
    else {
19889
0
        ret =  wc_InitSha_ex(&sha, ssl->heap, ssl->devId);
19890
0
        if (ret != 0)
19891
0
            return ret;
19892
19893
        /* inner */
19894
0
        ret =  wc_ShaUpdate(&sha, macSecret, digestSz);
19895
0
        ret |= wc_ShaUpdate(&sha, PAD1, padSz);
19896
0
        ret |= wc_ShaUpdate(&sha, seq, SEQ_SZ);
19897
0
        ret |= wc_ShaUpdate(&sha, conLen, sizeof(conLen));
19898
        /* in buffer */
19899
0
        ret |= wc_ShaUpdate(&sha, in, sz);
19900
0
        if (ret != 0) {
19901
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
19902
0
            return VERIFY_MAC_ERROR;
19903
0
        }
19904
0
        ret = wc_ShaFinal(&sha, result);
19905
    #ifdef WOLFSSL_ASYNC_CRYPT
19906
        /* TODO: Make non-blocking */
19907
        if (ret == WC_PENDING_E) {
19908
            ret = wc_AsyncWait(ret, &sha.asyncDev, WC_ASYNC_FLAG_NONE);
19909
        }
19910
    #endif
19911
0
        if (ret != 0) {
19912
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
19913
0
            return VERIFY_MAC_ERROR;
19914
0
        }
19915
19916
        /* outer */
19917
0
        ret =  wc_ShaUpdate(&sha, macSecret, digestSz);
19918
0
        ret |= wc_ShaUpdate(&sha, PAD2, padSz);
19919
0
        ret |= wc_ShaUpdate(&sha, result, digestSz);
19920
0
        if (ret != 0) {
19921
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
19922
0
            return VERIFY_MAC_ERROR;
19923
0
        }
19924
0
        ret =  wc_ShaFinal(&sha, digest);
19925
    #ifdef WOLFSSL_ASYNC_CRYPT
19926
        /* TODO: Make non-blocking */
19927
        if (ret == WC_PENDING_E) {
19928
            ret = wc_AsyncWait(ret, &sha.asyncDev, WC_ASYNC_FLAG_NONE);
19929
        }
19930
    #endif
19931
0
        if (ret != 0) {
19932
0
            WOLFSSL_ERROR_VERBOSE(VERIFY_MAC_ERROR);
19933
0
            return VERIFY_MAC_ERROR;
19934
0
        }
19935
19936
0
        wc_ShaFree(&sha);
19937
0
    }
19938
0
    return 0;
19939
0
}
19940
#endif /* !NO_OLD_TLS && !WOLFSSL_AEAD_ONLY */
19941
19942
#if !defined(NO_MD5) && !defined(NO_OLD_TLS)
19943
static int BuildMD5_CertVerify(WOLFSSL* ssl, byte* digest)
19944
0
{
19945
0
    int ret;
19946
0
    byte md5_result[WC_MD5_DIGEST_SIZE];
19947
0
#ifdef WOLFSSL_SMALL_STACK
19948
0
    wc_Md5* md5 = (wc_Md5*)XMALLOC(sizeof(wc_Md5), ssl->heap, DYNAMIC_TYPE_HASHCTX);
19949
#else
19950
    wc_Md5  md5[1];
19951
#endif
19952
19953
    /* make md5 inner */
19954
0
    ret = wc_Md5Copy(&ssl->hsHashes->hashMd5, md5); /* Save current position */
19955
0
    if (ret == 0)
19956
0
        ret = wc_Md5Update(md5, ssl->arrays->masterSecret,SECRET_LEN);
19957
0
    if (ret == 0)
19958
0
        ret = wc_Md5Update(md5, PAD1, PAD_MD5);
19959
0
    if (ret == 0)
19960
0
        ret = wc_Md5Final(md5, md5_result);
19961
19962
    /* make md5 outer */
19963
0
    if (ret == 0) {
19964
0
        ret = wc_InitMd5_ex(md5, ssl->heap, ssl->devId);
19965
0
        if (ret == 0) {
19966
0
            ret = wc_Md5Update(md5, ssl->arrays->masterSecret, SECRET_LEN);
19967
0
            if (ret == 0)
19968
0
                ret = wc_Md5Update(md5, PAD2, PAD_MD5);
19969
0
            if (ret == 0)
19970
0
                ret = wc_Md5Update(md5, md5_result, WC_MD5_DIGEST_SIZE);
19971
0
            if (ret == 0)
19972
0
                ret = wc_Md5Final(md5, digest);
19973
0
            wc_Md5Free(md5);
19974
0
        }
19975
0
    }
19976
19977
0
#ifdef WOLFSSL_SMALL_STACK
19978
0
    XFREE(md5, ssl->heap, DYNAMIC_TYPE_HASHCTX);
19979
0
#endif
19980
19981
0
    return ret;
19982
0
}
19983
#endif /* !NO_MD5 && !NO_OLD_TLS */
19984
19985
#if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
19986
                              defined(WOLFSSL_ALLOW_TLS_SHA1))
19987
static int BuildSHA_CertVerify(WOLFSSL* ssl, byte* digest)
19988
0
{
19989
0
    int ret;
19990
0
    byte sha_result[WC_SHA_DIGEST_SIZE];
19991
0
#ifdef WOLFSSL_SMALL_STACK
19992
0
    wc_Sha* sha = (wc_Sha*)XMALLOC(sizeof(wc_Sha), ssl->heap, DYNAMIC_TYPE_HASHCTX);
19993
#else
19994
    wc_Sha  sha[1];
19995
#endif
19996
19997
    /* make sha inner */
19998
0
    ret = wc_ShaCopy(&ssl->hsHashes->hashSha, sha); /* Save current position */
19999
0
    if (ret == 0)
20000
0
        ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN);
20001
0
    if (ret == 0)
20002
0
        ret = wc_ShaUpdate(sha, PAD1, PAD_SHA);
20003
0
    if (ret == 0)
20004
0
        ret = wc_ShaFinal(sha, sha_result);
20005
20006
    /* make sha outer */
20007
0
    if (ret == 0) {
20008
0
        ret = wc_InitSha_ex(sha, ssl->heap, ssl->devId);
20009
0
        if (ret == 0) {
20010
0
            ret = wc_ShaUpdate(sha, ssl->arrays->masterSecret,SECRET_LEN);
20011
0
            if (ret == 0)
20012
0
                ret = wc_ShaUpdate(sha, PAD2, PAD_SHA);
20013
0
            if (ret == 0)
20014
0
                ret = wc_ShaUpdate(sha, sha_result, WC_SHA_DIGEST_SIZE);
20015
0
            if (ret == 0)
20016
0
                ret = wc_ShaFinal(sha, digest);
20017
0
            wc_ShaFree(sha);
20018
0
        }
20019
0
    }
20020
20021
0
#ifdef WOLFSSL_SMALL_STACK
20022
0
    XFREE(sha, ssl->heap, DYNAMIC_TYPE_HASHCTX);
20023
0
#endif
20024
20025
0
    return ret;
20026
0
}
20027
#endif /* !NO_SHA && (!NO_OLD_TLS || WOLFSSL_ALLOW_TLS_SHA1) */
20028
20029
int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes)
20030
0
{
20031
0
    int ret = 0;
20032
20033
0
    (void)hashes;
20034
20035
0
    if (ssl->options.tls) {
20036
0
    #if !defined(NO_MD5) && !defined(NO_OLD_TLS)
20037
0
        ret = wc_Md5GetHash(&ssl->hsHashes->hashMd5, hashes->md5);
20038
0
        if (ret != 0)
20039
0
            return ret;
20040
0
    #endif
20041
0
    #if !defined(NO_SHA)
20042
0
        ret = wc_ShaGetHash(&ssl->hsHashes->hashSha, hashes->sha);
20043
0
        if (ret != 0)
20044
0
            return ret;
20045
0
    #endif
20046
0
        if (IsAtLeastTLSv1_2(ssl)) {
20047
0
            #ifndef NO_SHA256
20048
0
                ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256,
20049
0
                                       hashes->sha256);
20050
0
                if (ret != 0)
20051
0
                    return ret;
20052
0
            #endif
20053
0
            #ifdef WOLFSSL_SHA384
20054
0
                ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384,
20055
0
                                       hashes->sha384);
20056
0
                if (ret != 0)
20057
0
                    return ret;
20058
0
            #endif
20059
0
            #ifdef WOLFSSL_SHA512
20060
0
                ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512,
20061
0
                                       hashes->sha512);
20062
0
                if (ret != 0)
20063
0
                    return ret;
20064
0
            #endif
20065
0
        }
20066
0
    }
20067
0
    else {
20068
0
    #if !defined(NO_MD5) && !defined(NO_OLD_TLS)
20069
0
        ret = BuildMD5_CertVerify(ssl, hashes->md5);
20070
0
        if (ret != 0)
20071
0
            return ret;
20072
0
    #endif
20073
0
    #if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
20074
0
                              defined(WOLFSSL_ALLOW_TLS_SHA1))
20075
0
        ret = BuildSHA_CertVerify(ssl, hashes->sha);
20076
0
        if (ret != 0)
20077
0
            return ret;
20078
0
    #endif
20079
0
    }
20080
20081
0
    return ret;
20082
0
}
20083
20084
#ifndef WOLFSSL_NO_TLS12
20085
void FreeBuildMsgArgs(WOLFSSL* ssl, BuildMsgArgs* args)
20086
0
{
20087
0
    (void)ssl;
20088
0
    if (args
20089
#ifdef WOLFSSL_ASYNC_CRYPT
20090
            && ssl->options.buildArgsSet
20091
#endif
20092
0
        ) {
20093
        /* only free the IV if it was dynamically allocated */
20094
0
        if (args->iv && (args->iv != args->staticIvBuffer)) {
20095
0
            XFREE(args->iv, ssl->heap, DYNAMIC_TYPE_SALT);
20096
0
        }
20097
0
    }
20098
#ifdef WOLFSSL_ASYNC_CRYPT
20099
    ssl->options.buildArgsSet = 0;
20100
#endif
20101
0
}
20102
#endif
20103
20104
/* Build SSL Message, encrypted */
20105
int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
20106
             int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay,
20107
             int epochOrder)
20108
0
{
20109
0
#ifndef WOLFSSL_NO_TLS12
20110
0
    int ret;
20111
0
    BuildMsgArgs* args;
20112
0
    BuildMsgArgs  lcl_args;
20113
0
#endif
20114
20115
0
    WOLFSSL_ENTER("BuildMessage");
20116
20117
0
    if (ssl == NULL) {
20118
0
        return BAD_FUNC_ARG;
20119
0
    }
20120
    /* catch mistaken sizeOnly parameter */
20121
0
    if (!sizeOnly && (output == NULL || input == NULL) ) {
20122
0
        return BAD_FUNC_ARG;
20123
0
    }
20124
0
    if (sizeOnly && (output || input) ) {
20125
0
        return BAD_FUNC_ARG;
20126
0
    }
20127
20128
0
    (void)epochOrder;
20129
20130
0
#ifndef NO_TLS
20131
#if defined(WOLFSSL_NO_TLS12) && defined(WOLFSSL_TLS13)
20132
    return BuildTls13Message(ssl, output, outSz, input, inSz, type,
20133
                                               hashOutput, sizeOnly, asyncOkay);
20134
#else
20135
0
#ifdef WOLFSSL_TLS13
20136
0
    if (ssl->options.tls1_3) {
20137
0
        return BuildTls13Message(ssl, output, outSz, input, inSz, type,
20138
0
                                 hashOutput, sizeOnly, asyncOkay);
20139
0
    }
20140
0
#endif
20141
20142
#ifdef WOLFSSL_ASYNC_CRYPT
20143
    ret = WC_NOT_PENDING_E;
20144
    if (asyncOkay) {
20145
        if (ssl->async == NULL) {
20146
            return BAD_FUNC_ARG;
20147
        }
20148
        args = &ssl->async->buildArgs;
20149
20150
        ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
20151
        if (ret != WC_NOT_PENDING_E) {
20152
            /* Check for error */
20153
            if (ret < 0)
20154
                goto exit_buildmsg;
20155
        }
20156
    }
20157
    else
20158
#endif
20159
0
    {
20160
0
        args = &lcl_args;
20161
0
    }
20162
20163
    /* Reset state */
20164
#ifdef WOLFSSL_ASYNC_CRYPT
20165
    if (ret == WC_NOT_PENDING_E)
20166
#endif
20167
0
    {
20168
0
        ret = 0;
20169
#ifdef WOLFSSL_ASYNC_CRYPT
20170
        ssl->options.buildArgsSet = 1;
20171
#endif
20172
0
        ssl->options.buildMsgState = BUILD_MSG_BEGIN;
20173
0
        XMEMSET(args, 0, sizeof(BuildMsgArgs));
20174
20175
0
        args->sz = RECORD_HEADER_SZ + inSz;
20176
0
        args->idx  = RECORD_HEADER_SZ;
20177
0
        args->headerSz = RECORD_HEADER_SZ;
20178
0
    }
20179
20180
0
    switch (ssl->options.buildMsgState) {
20181
0
        case BUILD_MSG_BEGIN:
20182
0
        {
20183
        #if defined(WOLFSSL_DTLS) && defined(HAVE_SECURE_RENEGOTIATION)
20184
            if (ssl->options.dtls && DtlsSCRKeysSet(ssl)) {
20185
                /* For epochs >1 the current cipher parameters are located in
20186
                 * ssl->secure_renegotiation->tmp_keys. Previous cipher
20187
                 * parameters and for epoch 1 use ssl->keys */
20188
                switch (epochOrder) {
20189
                case PREV_ORDER:
20190
                    if (ssl->encrypt.src != KEYS) {
20191
                        ssl->secure_renegotiation->cache_status =
20192
                                SCR_CACHE_NULL;
20193
                        if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
20194
                            ERROR_OUT(ret, exit_buildmsg);
20195
                    }
20196
                    break;
20197
                case CUR_ORDER:
20198
                    if (ssl->keys.dtls_epoch ==
20199
                            ssl->secure_renegotiation->tmp_keys.dtls_epoch) {
20200
                        if (ssl->encrypt.src != SCR) {
20201
                            ssl->secure_renegotiation->cache_status =
20202
                                    SCR_CACHE_NEEDED;
20203
                            if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY))
20204
                                    != 0)
20205
                                ERROR_OUT(ret, exit_buildmsg);
20206
                        }
20207
                    }
20208
                    else {
20209
                        if (ssl->encrypt.src != KEYS) {
20210
                            ssl->secure_renegotiation->cache_status =
20211
                                    SCR_CACHE_NULL;
20212
                            if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY))
20213
                                    != 0)
20214
                                ERROR_OUT(ret, exit_buildmsg);
20215
                        }
20216
                    }
20217
                    break;
20218
                default:
20219
                    WOLFSSL_MSG("BuildMessage only supports PREV_ORDER and "
20220
                                "CUR_ORDER");
20221
                    ERROR_OUT(BAD_FUNC_ARG, exit_buildmsg);
20222
                }
20223
            }
20224
        #endif
20225
20226
0
            ssl->options.buildMsgState = BUILD_MSG_SIZE;
20227
0
        }
20228
0
        FALL_THROUGH;
20229
0
        case BUILD_MSG_SIZE:
20230
0
        {
20231
0
            args->digestSz = ssl->specs.hash_size;
20232
        #ifdef HAVE_TRUNCATED_HMAC
20233
            if (ssl->truncated_hmac)
20234
                args->digestSz = min(TRUNCATED_HMAC_SZ, args->digestSz);
20235
        #endif
20236
0
            args->sz += args->digestSz;
20237
20238
        #ifdef WOLFSSL_DTLS
20239
            if (ssl->options.dtls) {
20240
                args->sz       += DTLS_RECORD_EXTRA;
20241
                args->idx      += DTLS_RECORD_EXTRA;
20242
                args->headerSz += DTLS_RECORD_EXTRA;
20243
            }
20244
        #endif
20245
20246
0
        #ifndef WOLFSSL_AEAD_ONLY
20247
0
            if (ssl->specs.cipher_type == block) {
20248
0
                word32 blockSz = ssl->specs.block_size;
20249
20250
0
                if (blockSz == 0) {
20251
0
                    WOLFSSL_MSG("Invalid block size with block cipher type");
20252
0
                    ERROR_OUT(BAD_STATE_E, exit_buildmsg);
20253
0
                }
20254
20255
0
                if (ssl->options.tls1_1) {
20256
0
                    args->ivSz = blockSz;
20257
0
                    args->sz  += args->ivSz;
20258
20259
0
                    if (args->ivSz > MAX_IV_SZ)
20260
0
                        ERROR_OUT(BUFFER_E, exit_buildmsg);
20261
0
                }
20262
0
                args->sz += 1;       /* pad byte */
20263
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
20264
0
                if (ssl->options.startedETMWrite) {
20265
0
                    args->pad = (args->sz - args->headerSz -
20266
0
                                                      args->digestSz) % blockSz;
20267
0
                }
20268
0
                else
20269
0
            #endif
20270
0
                {
20271
0
                    args->pad = (args->sz - args->headerSz) % blockSz;
20272
0
                }
20273
0
                if (args->pad != 0)
20274
0
                    args->pad = blockSz - args->pad;
20275
0
                args->sz += args->pad;
20276
0
            }
20277
0
        #endif /* WOLFSSL_AEAD_ONLY */
20278
20279
0
        #ifdef HAVE_AEAD
20280
0
            if (ssl->specs.cipher_type == aead) {
20281
0
                if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
20282
0
                    args->ivSz = AESGCM_EXP_IV_SZ;
20283
20284
0
                args->sz += (args->ivSz + ssl->specs.aead_mac_size - args->digestSz);
20285
0
            }
20286
0
        #endif
20287
20288
            /* done with size calculations */
20289
0
            if (sizeOnly)
20290
0
                goto exit_buildmsg;
20291
20292
0
            if (args->sz > (word32)outSz) {
20293
0
                WOLFSSL_MSG("Oops, want to write past output buffer size");
20294
0
                ERROR_OUT(BUFFER_E, exit_buildmsg);
20295
0
            }
20296
20297
0
            if (args->ivSz > 0) {
20298
0
                if (args->ivSz > sizeof(args->staticIvBuffer)) {
20299
0
                    args->iv = (byte*)XMALLOC(args->ivSz, ssl->heap,
20300
0
                                              DYNAMIC_TYPE_SALT);
20301
0
                    if (args->iv == NULL) {
20302
0
                        ERROR_OUT(MEMORY_E, exit_buildmsg);
20303
0
                    }
20304
0
                }
20305
0
                else {
20306
0
                    args->iv = args->staticIvBuffer;
20307
0
                }
20308
20309
0
                ret = wc_RNG_GenerateBlock(ssl->rng, args->iv, args->ivSz);
20310
0
                if (ret != 0)
20311
0
                    goto exit_buildmsg;
20312
0
            }
20313
#if !defined(NO_PUBLIC_GCM_SET_IV) && \
20314
    ((defined(HAVE_FIPS) || defined(HAVE_SELFTEST)) && \
20315
    (!defined(HAVE_FIPS_VERSION) || (HAVE_FIPS_VERSION < 2)) && \
20316
    defined(HAVE_AEAD))
20317
            if (ssl->specs.cipher_type == aead) {
20318
                if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha)
20319
                    XMEMCPY(args->iv, ssl->keys.aead_exp_IV, AESGCM_EXP_IV_SZ);
20320
            }
20321
#endif
20322
20323
0
            args->size = (word16)(args->sz - args->headerSz);    /* include mac and digest */
20324
0
            AddRecordHeader(output, args->size, (byte)type, ssl, epochOrder);
20325
20326
            /* write to output */
20327
0
            if (args->ivSz > 0) {
20328
0
                XMEMCPY(output + args->idx, args->iv,
20329
0
                                        min(args->ivSz, MAX_IV_SZ));
20330
0
                args->idx += args->ivSz;
20331
0
            }
20332
0
            XMEMCPY(output + args->idx, input, inSz);
20333
0
            args->idx += inSz;
20334
20335
0
            ssl->options.buildMsgState = BUILD_MSG_HASH;
20336
0
        }
20337
0
        FALL_THROUGH;
20338
0
        case BUILD_MSG_HASH:
20339
0
        {
20340
            /* done with size calculations */
20341
0
            if (sizeOnly)
20342
0
                goto exit_buildmsg;
20343
20344
0
            if (type == handshake && hashOutput) {
20345
0
                ret = HashOutput(ssl, output, args->headerSz + inSz, args->ivSz);
20346
0
                if (ret != 0)
20347
0
                    goto exit_buildmsg;
20348
0
            }
20349
0
        #ifndef WOLFSSL_AEAD_ONLY
20350
0
            if (ssl->specs.cipher_type == block) {
20351
0
                word32 tmpIdx;
20352
0
                word32 i;
20353
20354
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
20355
0
                if (ssl->options.startedETMWrite)
20356
0
                    tmpIdx = args->idx;
20357
0
                else
20358
0
            #endif
20359
0
                    tmpIdx = args->idx + args->digestSz;
20360
20361
0
                for (i = 0; i <= args->pad; i++)
20362
0
                    output[tmpIdx++] = (byte)args->pad; /* pad byte gets pad value */
20363
0
            }
20364
0
        #endif
20365
20366
0
            ssl->options.buildMsgState = BUILD_MSG_VERIFY_MAC;
20367
0
        }
20368
0
        FALL_THROUGH;
20369
0
        case BUILD_MSG_VERIFY_MAC:
20370
0
        {
20371
            /* done with size calculations */
20372
0
            if (sizeOnly)
20373
0
                goto exit_buildmsg;
20374
20375
            /* User Record Layer Callback handling */
20376
    #ifdef ATOMIC_USER
20377
        #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
20378
            if (ssl->options.startedETMWrite) {
20379
                if (ssl->ctx->EncryptMacCb) {
20380
                    ret = ssl->ctx->EncryptMacCb(ssl, output + args->idx +
20381
                                                 args->pad + 1, type, 0,
20382
                                                 output + args->headerSz,
20383
                                                 output + args->headerSz,
20384
                                                 args->size - args->digestSz,
20385
                                                 ssl->MacEncryptCtx);
20386
                    goto exit_buildmsg;
20387
                }
20388
            }
20389
            else
20390
        #endif
20391
            {
20392
                if (ssl->ctx->MacEncryptCb) {
20393
                    ret = ssl->ctx->MacEncryptCb(ssl, output + args->idx,
20394
                                    output + args->headerSz + args->ivSz, inSz,
20395
                                    type, 0, output + args->headerSz,
20396
                                    output + args->headerSz, args->size,
20397
                                    ssl->MacEncryptCtx);
20398
                    goto exit_buildmsg;
20399
                }
20400
            }
20401
    #endif
20402
20403
0
        #ifndef WOLFSSL_AEAD_ONLY
20404
0
            if (ssl->specs.cipher_type != aead
20405
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
20406
0
                                               && !ssl->options.startedETMWrite
20407
0
            #endif
20408
0
                ) {
20409
            #ifdef HAVE_TRUNCATED_HMAC
20410
                if (ssl->truncated_hmac &&
20411
                                        ssl->specs.hash_size > args->digestSz) {
20412
                #ifdef WOLFSSL_SMALL_STACK
20413
                    byte* hmac;
20414
                #else
20415
                    byte  hmac[WC_MAX_DIGEST_SIZE];
20416
                #endif
20417
20418
                #ifdef WOLFSSL_SMALL_STACK
20419
                    hmac = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, ssl->heap,
20420
                                                           DYNAMIC_TYPE_DIGEST);
20421
                    if (hmac == NULL)
20422
                        ERROR_OUT(MEMORY_E, exit_buildmsg);
20423
                #endif
20424
20425
                    ret = ssl->hmac(ssl, hmac,
20426
                                     output + args->headerSz + args->ivSz, inSz,
20427
                                     -1, type, 0, epochOrder);
20428
                    XMEMCPY(output + args->idx, hmac, args->digestSz);
20429
20430
                #ifdef WOLFSSL_SMALL_STACK
20431
                    XFREE(hmac, ssl->heap, DYNAMIC_TYPE_DIGEST);
20432
                #endif
20433
                }
20434
                else
20435
            #endif
20436
0
                {
20437
0
                    ret = ssl->hmac(ssl, output + args->idx, output +
20438
0
                                args->headerSz + args->ivSz, inSz, -1, type, 0, epochOrder);
20439
0
                }
20440
0
            }
20441
0
        #endif /* WOLFSSL_AEAD_ONLY */
20442
0
            if (ret != 0)
20443
0
                goto exit_buildmsg;
20444
20445
0
            ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
20446
0
        }
20447
0
        FALL_THROUGH;
20448
0
        case BUILD_MSG_ENCRYPT:
20449
0
        {
20450
            /* done with size calculations */
20451
0
            if (sizeOnly)
20452
0
                goto exit_buildmsg;
20453
20454
    #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
20455
            /* If we want the PREV_ORDER then modify CUR_ORDER sequence number
20456
             * for all encryption algos that use it for encryption parameters */
20457
            word16 dtls_epoch = 0;
20458
            word16 dtls_sequence_number_hi = 0;
20459
            word32 dtls_sequence_number_lo = 0;
20460
            int swap_seq = ssl->options.dtls && epochOrder == PREV_ORDER &&
20461
                    DtlsUseSCRKeys(ssl);
20462
            if (swap_seq) {
20463
                dtls_epoch = ssl->keys.dtls_epoch;
20464
                dtls_sequence_number_hi = ssl->keys.dtls_sequence_number_hi;
20465
                dtls_sequence_number_lo = ssl->keys.dtls_sequence_number_lo;
20466
                ssl->keys.dtls_epoch--;
20467
                ssl->keys.dtls_sequence_number_hi =
20468
                        ssl->keys.dtls_prev_sequence_number_hi;
20469
                ssl->keys.dtls_sequence_number_lo =
20470
                        ssl->keys.dtls_prev_sequence_number_lo;
20471
            }
20472
    #endif
20473
0
    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
20474
0
            if (ssl->options.startedETMWrite) {
20475
0
                ret = Encrypt(ssl, output + args->headerSz,
20476
0
                                          output + args->headerSz,
20477
0
                                          (word16)(args->size - args->digestSz),
20478
0
                                          asyncOkay);
20479
0
            }
20480
0
            else
20481
0
    #endif
20482
0
            {
20483
0
                ret = Encrypt(ssl, output + args->headerSz,
20484
0
                                output + args->headerSz, args->size, asyncOkay);
20485
0
            }
20486
    #if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
20487
            /* Restore sequence numbers */
20488
            if (swap_seq) {
20489
                ssl->keys.dtls_epoch = dtls_epoch;
20490
                ssl->keys.dtls_sequence_number_hi = dtls_sequence_number_hi;
20491
                ssl->keys.dtls_sequence_number_lo = dtls_sequence_number_lo;
20492
            }
20493
    #endif
20494
0
            if (ret != 0)
20495
0
                goto exit_buildmsg;
20496
0
            ssl->options.buildMsgState = BUILD_MSG_ENCRYPTED_VERIFY_MAC;
20497
0
        }
20498
0
        FALL_THROUGH;
20499
0
        case BUILD_MSG_ENCRYPTED_VERIFY_MAC:
20500
0
        {
20501
            /* done with size calculations */
20502
0
            if (sizeOnly)
20503
0
                goto exit_buildmsg;
20504
20505
0
        #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
20506
0
            if (ssl->options.startedETMWrite) {
20507
0
                WOLFSSL_MSG("Calculate MAC of Encrypted Data");
20508
20509
            #ifdef HAVE_TRUNCATED_HMAC
20510
                if (ssl->truncated_hmac &&
20511
                                        ssl->specs.hash_size > args->digestSz) {
20512
                #ifdef WOLFSSL_SMALL_STACK
20513
                    byte* hmac = NULL;
20514
                #else
20515
                    byte  hmac[WC_MAX_DIGEST_SIZE];
20516
                #endif
20517
20518
                #ifdef WOLFSSL_SMALL_STACK
20519
                    hmac = (byte*)XMALLOC(WC_MAX_DIGEST_SIZE, ssl->heap,
20520
                                                           DYNAMIC_TYPE_DIGEST);
20521
                    if (hmac == NULL)
20522
                        ERROR_OUT(MEMORY_E, exit_buildmsg);
20523
                #endif
20524
20525
                    ret = ssl->hmac(ssl, hmac, output + args->headerSz,
20526
                                    args->ivSz + inSz + args->pad + 1, -1, type,
20527
                                    0, epochOrder);
20528
                    XMEMCPY(output + args->idx + args->pad + 1, hmac,
20529
                                                                args->digestSz);
20530
20531
                #ifdef WOLFSSL_SMALL_STACK
20532
                    XFREE(hmac, ssl->heap, DYNAMIC_TYPE_DIGEST);
20533
                #endif
20534
                }
20535
                else
20536
            #endif
20537
0
                {
20538
0
                    ret = ssl->hmac(ssl, output + args->idx + args->pad + 1,
20539
0
                                    output + args->headerSz,
20540
0
                                    args->ivSz + inSz + args->pad + 1, -1, type,
20541
0
                                    0, epochOrder);
20542
0
                }
20543
0
            }
20544
0
        #endif /* HAVE_ENCRYPT_THEN_MAC && !WOLFSSL_AEAD_ONLY */
20545
0
        }
20546
0
        FALL_THROUGH;
20547
0
        default:
20548
0
            break;
20549
0
    }
20550
20551
0
exit_buildmsg:
20552
20553
0
    WOLFSSL_LEAVE("BuildMessage", ret);
20554
20555
#ifdef WOLFSSL_ASYNC_CRYPT
20556
    if (ret == WC_PENDING_E) {
20557
        return ret;
20558
    }
20559
#endif
20560
20561
    /* make sure build message state is reset */
20562
0
    ssl->options.buildMsgState = BUILD_MSG_BEGIN;
20563
20564
    #ifdef WOLFSSL_DTLS
20565
        if (ret == 0 && ssl->options.dtls && !sizeOnly)
20566
            DtlsSEQIncrement(ssl, epochOrder);
20567
    #endif
20568
20569
    /* return sz on success */
20570
0
    if (ret == 0) {
20571
0
        ret = args->sz;
20572
0
    }
20573
0
    else {
20574
0
        WOLFSSL_ERROR_VERBOSE(ret);
20575
0
    }
20576
20577
    /* Final cleanup */
20578
0
    FreeBuildMsgArgs(ssl, args);
20579
20580
0
    return ret;
20581
0
#endif /* !WOLFSSL_NO_TLS12 */
20582
#else
20583
    (void)outSz;
20584
    (void)inSz;
20585
    (void)type;
20586
    (void)hashOutput;
20587
    (void)asyncOkay;
20588
    return NOT_COMPILED_IN;
20589
#endif /* NO_TLS */
20590
20591
0
}
20592
20593
#ifndef WOLFSSL_NO_TLS12
20594
20595
int SendFinished(WOLFSSL* ssl)
20596
0
{
20597
0
    int              sendSz,
20598
0
                     finishedSz = ssl->options.tls ? TLS_FINISHED_SZ :
20599
0
                                                     FINISHED_SZ;
20600
0
    byte             input[FINISHED_SZ + DTLS_HANDSHAKE_HEADER_SZ];  /* max */
20601
0
    byte            *output;
20602
0
    Hashes*          hashes;
20603
0
    int              ret;
20604
0
    int              headerSz = HANDSHAKE_HEADER_SZ;
20605
0
    int              outputSz;
20606
20607
0
    WOLFSSL_START(WC_FUNC_FINISHED_SEND);
20608
0
    WOLFSSL_ENTER("SendFinished");
20609
20610
    /* check for available size */
20611
0
    outputSz = sizeof(input) + MAX_MSG_EXTRA;
20612
20613
    /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
20614
     * is not advanced yet */
20615
0
    ssl->options.buildingMsg = 1;
20616
20617
0
    if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
20618
0
        return ret;
20619
20620
    #ifdef WOLFSSL_DTLS
20621
        if (ssl->options.dtls) {
20622
            headerSz += DTLS_HANDSHAKE_EXTRA;
20623
            ssl->keys.dtls_epoch++;
20624
            ssl->keys.dtls_prev_sequence_number_hi =
20625
                    ssl->keys.dtls_sequence_number_hi;
20626
            ssl->keys.dtls_prev_sequence_number_lo =
20627
                    ssl->keys.dtls_sequence_number_lo;
20628
            ssl->keys.dtls_sequence_number_hi = 0;
20629
            ssl->keys.dtls_sequence_number_lo = 0;
20630
        }
20631
    #endif
20632
20633
    /* get output buffer */
20634
0
    output = ssl->buffers.outputBuffer.buffer +
20635
0
             ssl->buffers.outputBuffer.length;
20636
20637
0
    AddHandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl);
20638
20639
    /* make finished hashes */
20640
0
    hashes = (Hashes*)&input[headerSz];
20641
0
    ret = BuildFinished(ssl, hashes, ssl->options.side == WOLFSSL_CLIENT_END ?
20642
0
                                                 kTlsClientStr : kTlsServerStr);
20643
0
    if (ret != 0) return ret;
20644
20645
#ifdef HAVE_SECURE_RENEGOTIATION
20646
    if (ssl->secure_renegotiation) {
20647
        if (ssl->options.side == WOLFSSL_CLIENT_END)
20648
            XMEMCPY(ssl->secure_renegotiation->client_verify_data, hashes,
20649
                    TLS_FINISHED_SZ);
20650
        else
20651
            XMEMCPY(ssl->secure_renegotiation->server_verify_data, hashes,
20652
                    TLS_FINISHED_SZ);
20653
    }
20654
#endif
20655
0
#ifdef WOLFSSL_HAVE_TLS_UNIQUE
20656
0
    if (ssl->options.side == WOLFSSL_CLIENT_END) {
20657
0
        XMEMCPY(ssl->clientFinished,
20658
0
                hashes, TLS_FINISHED_SZ);
20659
0
        ssl->clientFinished_len = TLS_FINISHED_SZ;
20660
0
    }
20661
0
    else {
20662
0
        XMEMCPY(ssl->serverFinished,
20663
0
                hashes, TLS_FINISHED_SZ);
20664
0
        ssl->serverFinished_len = TLS_FINISHED_SZ;
20665
0
    }
20666
0
#endif
20667
20668
    #ifdef WOLFSSL_DTLS
20669
        if (IsDtlsNotSctpMode(ssl)) {
20670
            if ((ret = DtlsMsgPoolSave(ssl, input, headerSz + finishedSz,
20671
                                                              finished)) != 0) {
20672
                return ret;
20673
            }
20674
        }
20675
    #endif
20676
20677
0
    sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz,
20678
0
                                                 handshake, 1, 0, 0, CUR_ORDER);
20679
0
    if (sendSz < 0)
20680
0
        return BUILD_MSG_ERROR;
20681
20682
0
    if (!ssl->options.resuming) {
20683
0
#ifndef NO_SESSION_CACHE
20684
0
        AddSession(ssl);    /* just try */
20685
0
#endif
20686
0
        if (ssl->options.side == WOLFSSL_SERVER_END) {
20687
0
        #ifdef OPENSSL_EXTRA
20688
0
            ssl->options.serverState = SERVER_FINISHED_COMPLETE;
20689
0
            ssl->cbmode = SSL_CB_MODE_WRITE;
20690
0
            if (ssl->CBIS != NULL)
20691
0
                ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS);
20692
0
        #endif
20693
0
            ssl->options.handShakeState = HANDSHAKE_DONE;
20694
0
            ssl->options.handShakeDone  = 1;
20695
0
        }
20696
0
    }
20697
0
    else {
20698
0
        if (ssl->options.side == WOLFSSL_CLIENT_END) {
20699
0
        #ifdef OPENSSL_EXTRA
20700
0
            ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
20701
0
            ssl->cbmode = SSL_CB_MODE_WRITE;
20702
0
            if (ssl->CBIS != NULL)
20703
0
                ssl->CBIS(ssl, SSL_CB_HANDSHAKE_DONE, SSL_SUCCESS);
20704
0
        #endif
20705
0
            ssl->options.handShakeState = HANDSHAKE_DONE;
20706
0
            ssl->options.handShakeDone  = 1;
20707
0
        }
20708
0
    }
20709
20710
0
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
20711
0
        if (ssl->hsInfoOn) AddPacketName(ssl, "Finished");
20712
0
        if (ssl->toInfoOn)
20713
0
            AddPacketInfo(ssl, "Finished", handshake, output, sendSz,
20714
0
                          WRITE_PROTO, ssl->heap);
20715
0
    #endif
20716
20717
0
    ssl->buffers.outputBuffer.length += sendSz;
20718
20719
0
    ret = SendBuffered(ssl);
20720
20721
0
    ssl->options.buildingMsg = 0;
20722
20723
#ifdef WOLFSSL_DTLS
20724
    if ((!ssl->options.resuming &&
20725
            ssl->options.side == WOLFSSL_SERVER_END) ||
20726
        (ssl->options.resuming &&
20727
            ssl->options.side == WOLFSSL_CLIENT_END)) {
20728
        ssl->keys.dtls_handshake_number = 0;
20729
        ssl->keys.dtls_expected_peer_handshake_number = 0;
20730
    }
20731
#endif
20732
20733
0
    WOLFSSL_LEAVE("SendFinished", ret);
20734
0
    WOLFSSL_END(WC_FUNC_FINISHED_SEND);
20735
20736
0
    return ret;
20737
0
}
20738
#endif /* WOLFSSL_NO_TLS12 */
20739
20740
#ifndef NO_WOLFSSL_SERVER
20741
#if (!defined(WOLFSSL_NO_TLS12) && \
20742
        (defined(HAVE_CERTIFICATE_STATUS_REQUEST) || \
20743
         defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2))) || \
20744
    (defined(WOLFSSL_TLS13) && defined(HAVE_CERTIFICATE_STATUS_REQUEST))
20745
/* Parses and decodes the certificate then initializes "request". In the case
20746
 * of !ssl->buffers.weOwnCert, ssl->ctx->certOcspRequest gets set to "request".
20747
 *
20748
 * Returns 0 on success
20749
 */
20750
static int CreateOcspRequest(WOLFSSL* ssl, OcspRequest* request,
20751
                             DecodedCert* cert, byte* certData, word32 length)
20752
{
20753
    int ret;
20754
20755
    if (request != NULL)
20756
        XMEMSET(request, 0, sizeof(OcspRequest));
20757
20758
    InitDecodedCert(cert, certData, length, ssl->heap);
20759
    /* TODO: Setup async support here */
20760
    ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, SSL_CM(ssl));
20761
    if (ret != 0) {
20762
        WOLFSSL_MSG("ParseCert failed");
20763
    }
20764
    if (ret == 0)
20765
        ret = InitOcspRequest(request, cert, 0, ssl->heap);
20766
    if (ret == 0) {
20767
        /* make sure ctx OCSP request is updated */
20768
        if (!ssl->buffers.weOwnCert) {
20769
            wolfSSL_Mutex* ocspLock = &SSL_CM(ssl)->ocsp_stapling->ocspLock;
20770
            if (wc_LockMutex(ocspLock) == 0) {
20771
                if (ssl->ctx->certOcspRequest == NULL)
20772
                    ssl->ctx->certOcspRequest = request;
20773
                wc_UnLockMutex(ocspLock);
20774
            }
20775
        }
20776
    }
20777
20778
    FreeDecodedCert(cert);
20779
20780
    return ret;
20781
}
20782
20783
20784
/* Creates OCSP response and places it in variable "response". Memory
20785
 * management for "buffer* response" is up to the caller.
20786
 *
20787
 * Also creates an OcspRequest in the case that ocspRequest is null or that
20788
 * ssl->buffers.weOwnCert is set. In those cases managing ocspRequest free'ing
20789
 * is up to the caller. NOTE: in OcspCreateRequest ssl->ctx->certOcspRequest can
20790
 * be set to point to "ocspRequest" and it then should not be free'd since
20791
 * wolfSSL_CTX_free will take care of it.
20792
 *
20793
 * Returns 0 on success
20794
 */
20795
int CreateOcspResponse(WOLFSSL* ssl, OcspRequest** ocspRequest,
20796
                       buffer* response)
20797
{
20798
    int          ret = 0;
20799
    OcspRequest* request = NULL;
20800
    byte createdRequest  = 0;
20801
20802
    if (ssl == NULL || ocspRequest == NULL || response == NULL)
20803
        return BAD_FUNC_ARG;
20804
20805
    XMEMSET(response, 0, sizeof(*response));
20806
    request = *ocspRequest;
20807
20808
    /* unable to fetch status. skip. */
20809
    if (SSL_CM(ssl) == NULL || SSL_CM(ssl)->ocspStaplingEnabled == 0)
20810
        return 0;
20811
20812
    if (request == NULL || ssl->buffers.weOwnCert) {
20813
        DerBuffer* der = ssl->buffers.certificate;
20814
        #ifdef WOLFSSL_SMALL_STACK
20815
            DecodedCert* cert = NULL;
20816
        #else
20817
            DecodedCert  cert[1];
20818
        #endif
20819
20820
        /* unable to fetch status. skip. */
20821
        if (der->buffer == NULL || der->length == 0)
20822
            return 0;
20823
20824
    #ifdef WOLFSSL_SMALL_STACK
20825
        cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
20826
                                        DYNAMIC_TYPE_DCERT);
20827
        if (cert == NULL)
20828
            return MEMORY_E;
20829
    #endif
20830
        request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), ssl->heap,
20831
                                                     DYNAMIC_TYPE_OCSP_REQUEST);
20832
        if (request == NULL)
20833
            ret = MEMORY_E;
20834
20835
        createdRequest = 1;
20836
        if (ret == 0) {
20837
            ret = CreateOcspRequest(ssl, request, cert, der->buffer,
20838
                                                                   der->length);
20839
        }
20840
20841
        if (ret != 0) {
20842
            XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
20843
            request = NULL;
20844
        }
20845
20846
    #ifdef WOLFSSL_SMALL_STACK
20847
        XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
20848
    #endif
20849
    }
20850
20851
    if (ret == 0) {
20852
        request->ssl = ssl;
20853
        ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling, request, response);
20854
20855
        /* Suppressing, not critical */
20856
        if (ret == OCSP_CERT_REVOKED ||
20857
            ret == OCSP_CERT_UNKNOWN ||
20858
            ret == OCSP_LOOKUP_FAIL) {
20859
            ret = 0;
20860
        }
20861
    }
20862
20863
    /* free request up if error case found otherwise return it */
20864
    if (ret != 0 && createdRequest) {
20865
        FreeOcspRequest(request);
20866
        XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
20867
    }
20868
20869
    if (ret == 0)
20870
        *ocspRequest = request;
20871
20872
    return ret;
20873
}
20874
#endif
20875
#endif /* !NO_WOLFSSL_SERVER */
20876
20877
int cipherExtraData(WOLFSSL* ssl)
20878
0
{
20879
0
    int cipherExtra;
20880
    /* Cipher data that may be added by BuildMessage */
20881
    /* There is always an IV (expect for chacha). For AEAD ciphers,
20882
     * there is the authentication tag (aead_mac_size). For block
20883
     * ciphers we have the hash_size MAC on the message, and one
20884
     * block size for possible padding. */
20885
0
    if (ssl->specs.cipher_type == aead) {
20886
0
        cipherExtra = ssl->specs.aead_mac_size;
20887
        /* CHACHA does not have an explicit IV. */
20888
0
        if (ssl->specs.bulk_cipher_algorithm != wolfssl_chacha) {
20889
0
            cipherExtra += AESGCM_EXP_IV_SZ;
20890
0
        }
20891
0
    }
20892
0
    else {
20893
0
        cipherExtra = ssl->specs.iv_size + ssl->specs.block_size +
20894
0
            ssl->specs.hash_size;
20895
0
    }
20896
    /* Sanity check so we don't ever return negative. */
20897
0
    return cipherExtra > 0 ? cipherExtra : 0;
20898
0
}
20899
20900
#ifndef WOLFSSL_NO_TLS12
20901
20902
#ifndef NO_CERTS
20903
#if !defined(NO_WOLFSSL_SERVER) || !defined(WOLFSSL_NO_CLIENT_AUTH)
20904
/* handle generation of certificate (11) */
20905
int SendCertificate(WOLFSSL* ssl)
20906
0
{
20907
0
    int    ret = 0;
20908
0
    word32 certSz, certChainSz, headerSz, listSz, payloadSz;
20909
0
    word32 length, maxFragment;
20910
20911
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_SEND);
20912
0
    WOLFSSL_ENTER("SendCertificate");
20913
20914
0
    if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher) {
20915
0
        WOLFSSL_MSG("Not sending certificate msg. Using PSK or ANON cipher.");
20916
0
        return 0;  /* not needed */
20917
0
    }
20918
20919
0
    if (ssl->options.sendVerify == SEND_BLANK_CERT) {
20920
0
    #ifdef OPENSSL_EXTRA
20921
0
        if (ssl->version.major == SSLv3_MAJOR
20922
0
            && ssl->version.minor == SSLv3_MINOR){
20923
0
            SendAlert(ssl, alert_warning, no_certificate);
20924
0
            return 0;
20925
0
        } else {
20926
0
    #endif
20927
0
            certSz = 0;
20928
0
            certChainSz = 0;
20929
0
            headerSz = CERT_HEADER_SZ;
20930
0
            length = CERT_HEADER_SZ;
20931
0
            listSz = 0;
20932
0
    #ifdef OPENSSL_EXTRA
20933
0
        }
20934
0
    #endif
20935
0
    }
20936
0
    else {
20937
0
        if (!ssl->buffers.certificate) {
20938
0
            WOLFSSL_MSG("Send Cert missing certificate buffer");
20939
0
            return BUFFER_ERROR;
20940
0
        }
20941
0
        certSz = ssl->buffers.certificate->length;
20942
0
        headerSz = 2 * CERT_HEADER_SZ;
20943
        /* list + cert size */
20944
0
        length = certSz + headerSz;
20945
0
        listSz = certSz + CERT_HEADER_SZ;
20946
20947
        /* may need to send rest of chain, already has leading size(s) */
20948
0
        if (certSz && ssl->buffers.certChain) {
20949
0
            certChainSz = ssl->buffers.certChain->length;
20950
0
            length += certChainSz;
20951
0
            listSz += certChainSz;
20952
0
        }
20953
0
        else
20954
0
            certChainSz = 0;
20955
0
    }
20956
20957
0
    payloadSz = length;
20958
20959
0
    if (ssl->fragOffset != 0)
20960
0
        length -= (ssl->fragOffset + headerSz);
20961
20962
0
    maxFragment = MAX_RECORD_SIZE;
20963
20964
0
    maxFragment = wolfSSL_GetMaxFragSize(ssl, maxFragment);
20965
20966
0
    while (length > 0 && ret == 0) {
20967
0
        byte*  output = NULL;
20968
0
        word32 fragSz = 0;
20969
0
        word32 i = RECORD_HEADER_SZ;
20970
0
        int    sendSz = RECORD_HEADER_SZ;
20971
20972
0
        ssl->options.buildingMsg = 1;
20973
20974
0
        if (!ssl->options.dtls) {
20975
0
            if (ssl->fragOffset == 0)  {
20976
0
                if (headerSz + certSz + certChainSz <=
20977
0
                    maxFragment - HANDSHAKE_HEADER_SZ) {
20978
20979
0
                    fragSz = headerSz + certSz + certChainSz;
20980
0
                }
20981
0
                else {
20982
0
                    fragSz = maxFragment - HANDSHAKE_HEADER_SZ;
20983
0
                }
20984
0
                sendSz += fragSz + HANDSHAKE_HEADER_SZ;
20985
0
                i += HANDSHAKE_HEADER_SZ;
20986
0
            }
20987
0
            else {
20988
0
                fragSz = min(length, maxFragment);
20989
0
                sendSz += fragSz;
20990
0
            }
20991
20992
0
            if (IsEncryptionOn(ssl, 1))
20993
0
                sendSz += MAX_MSG_EXTRA;
20994
0
        }
20995
0
        else {
20996
        #ifdef WOLFSSL_DTLS
20997
            fragSz = min(length, maxFragment);
20998
            sendSz += fragSz + DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_HEADER_SZ;
20999
            i      += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_HEADER_SZ;
21000
        #endif
21001
0
        }
21002
21003
0
        if (IsEncryptionOn(ssl, 1))
21004
0
            sendSz += cipherExtraData(ssl);
21005
21006
        /* check for available size */
21007
0
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
21008
0
            return ret;
21009
21010
        /* get output buffer */
21011
0
        output = ssl->buffers.outputBuffer.buffer +
21012
0
                 ssl->buffers.outputBuffer.length;
21013
21014
        /* Safe to use ssl->fragOffset since it will be incremented immediately
21015
         * after this block. This block needs to be entered only once to not
21016
         * hash the cert msg twice. */
21017
0
        if (ssl->fragOffset == 0) {
21018
0
            if (!ssl->options.dtls) {
21019
0
                AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
21020
0
                if (!IsEncryptionOn(ssl, 1))
21021
0
                    HashRaw(ssl, output + RECORD_HEADER_SZ,
21022
0
                                  HANDSHAKE_HEADER_SZ);
21023
0
            }
21024
0
            else {
21025
            #ifdef WOLFSSL_DTLS
21026
                AddHeaders(output, payloadSz, certificate, ssl);
21027
                HashRaw(ssl,
21028
                        output + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA,
21029
                        HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA);
21030
                /* Adding the headers increments these, decrement them for
21031
                 * actual message header. */
21032
                ssl->keys.dtls_handshake_number--;
21033
                AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
21034
                ssl->keys.dtls_handshake_number--;
21035
            #endif /* WOLFSSL_DTLS */
21036
0
            }
21037
21038
            /* list total */
21039
0
            c32to24(listSz, output + i);
21040
0
            if (ssl->options.dtls || !IsEncryptionOn(ssl, 1))
21041
0
                HashRaw(ssl, output + i, CERT_HEADER_SZ);
21042
0
            i += CERT_HEADER_SZ;
21043
0
            length -= CERT_HEADER_SZ;
21044
0
            fragSz -= CERT_HEADER_SZ;
21045
0
            if (certSz) {
21046
0
                c32to24(certSz, output + i);
21047
0
                if (ssl->options.dtls || !IsEncryptionOn(ssl, 1))
21048
0
                    HashRaw(ssl, output + i, CERT_HEADER_SZ);
21049
0
                i += CERT_HEADER_SZ;
21050
0
                length -= CERT_HEADER_SZ;
21051
0
                fragSz -= CERT_HEADER_SZ;
21052
21053
0
                if (ssl->options.dtls || !IsEncryptionOn(ssl, 1)) {
21054
0
                    HashRaw(ssl, ssl->buffers.certificate->buffer, certSz);
21055
0
                    if (certChainSz)
21056
0
                        HashRaw(ssl, ssl->buffers.certChain->buffer,
21057
0
                                      certChainSz);
21058
0
                }
21059
0
            }
21060
0
        }
21061
0
        else {
21062
0
            if (!ssl->options.dtls) {
21063
0
                AddRecordHeader(output, fragSz, handshake, ssl, CUR_ORDER);
21064
0
            }
21065
0
            else {
21066
            #ifdef WOLFSSL_DTLS
21067
                AddFragHeaders(output, fragSz, ssl->fragOffset + headerSz,
21068
                               payloadSz, certificate, ssl);
21069
                ssl->keys.dtls_handshake_number--;
21070
            #endif /* WOLFSSL_DTLS */
21071
0
            }
21072
0
        }
21073
21074
        /* member */
21075
0
        if (certSz && ssl->fragOffset < certSz) {
21076
0
            word32 copySz = min(certSz - ssl->fragOffset, fragSz);
21077
0
            XMEMCPY(output + i,
21078
0
                    ssl->buffers.certificate->buffer + ssl->fragOffset, copySz);
21079
0
            i += copySz;
21080
0
            ssl->fragOffset += copySz;
21081
0
            length -= copySz;
21082
0
            fragSz -= copySz;
21083
0
        }
21084
0
        if (certChainSz && fragSz) {
21085
0
            word32 copySz = min(certChainSz + certSz - ssl->fragOffset, fragSz);
21086
0
            XMEMCPY(output + i,
21087
0
                    ssl->buffers.certChain->buffer + ssl->fragOffset - certSz,
21088
0
                    copySz);
21089
0
            i += copySz;
21090
0
            ssl->fragOffset += copySz;
21091
0
            length -= copySz;
21092
0
        }
21093
21094
0
        if (IsEncryptionOn(ssl, 1)) {
21095
0
            byte* input = NULL;
21096
0
            int   inputSz = i; /* build msg adds rec hdr */
21097
0
            int   recordHeaderSz = RECORD_HEADER_SZ;
21098
21099
0
            if (ssl->options.dtls)
21100
0
                recordHeaderSz += DTLS_RECORD_EXTRA;
21101
0
            inputSz -= recordHeaderSz;
21102
21103
0
            if (inputSz < 0) {
21104
0
                WOLFSSL_MSG("Send Cert bad inputSz");
21105
0
                return BUFFER_E;
21106
0
            }
21107
21108
0
            if (inputSz > 0) {  /* clang thinks could be zero, let's help */
21109
0
                input = (byte*)XMALLOC(inputSz, ssl->heap,
21110
0
                                       DYNAMIC_TYPE_IN_BUFFER);
21111
0
                if (input == NULL)
21112
0
                    return MEMORY_E;
21113
0
                XMEMCPY(input, output + recordHeaderSz, inputSz);
21114
0
            }
21115
21116
0
#ifndef WOLFSSL_DTLS
21117
0
            sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
21118
0
                                                          handshake, 1, 0, 0, CUR_ORDER);
21119
#else
21120
            if (!ssl->options.dtls)
21121
                sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
21122
                                                              handshake, 1, 0, 0, CUR_ORDER);
21123
            else /* DTLS 1.2 has to ignore fragmentation in hashing so we need to
21124
                  * calculate the hash ourselves above */ {
21125
                if ((ret = DtlsMsgPoolSave(ssl, input, inputSz, certificate)) != 0) {
21126
                    XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
21127
                    return ret;
21128
                }
21129
                sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
21130
                                                              handshake, 0, 0, 0, CUR_ORDER);
21131
            }
21132
#endif
21133
21134
0
            XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
21135
21136
0
            if (sendSz < 0)
21137
0
                return sendSz;
21138
0
        }
21139
0
        else {
21140
0
            sendSz = i;
21141
        #ifdef WOLFSSL_DTLS
21142
            if (IsDtlsNotSctpMode(ssl)) {
21143
                if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, certificate)) != 0)
21144
                    return ret;
21145
            }
21146
            if (ssl->options.dtls)
21147
                DtlsSEQIncrement(ssl, CUR_ORDER);
21148
        #endif
21149
0
        }
21150
21151
0
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
21152
0
        if (ssl->hsInfoOn)
21153
0
            AddPacketName(ssl, "Certificate");
21154
0
        if (ssl->toInfoOn)
21155
0
            AddPacketInfo(ssl, "Certificate", handshake, output, sendSz,
21156
0
                           WRITE_PROTO, ssl->heap);
21157
0
    #endif
21158
21159
0
        ssl->buffers.outputBuffer.length += sendSz;
21160
0
        if (!ssl->options.groupMessages)
21161
0
            ret = SendBuffered(ssl);
21162
0
    }
21163
21164
0
    if (ret != WANT_WRITE) {
21165
        /* Clean up the fragment offset. */
21166
0
        ssl->options.buildingMsg = 0;
21167
0
        ssl->fragOffset = 0;
21168
        #ifdef WOLFSSL_DTLS
21169
            if (ssl->options.dtls)
21170
                ssl->keys.dtls_handshake_number++;
21171
        #endif
21172
0
        if (ssl->options.side == WOLFSSL_SERVER_END){
21173
0
            ssl->options.serverState = SERVER_CERT_COMPLETE;
21174
0
        }
21175
0
    }
21176
21177
0
    WOLFSSL_LEAVE("SendCertificate", ret);
21178
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_SEND);
21179
21180
0
    return ret;
21181
0
}
21182
#endif /* !NO_WOLFSSL_SERVER || !WOLFSSL_NO_CLIENT_AUTH */
21183
21184
/* handle generation of certificate_request (13) */
21185
int SendCertificateRequest(WOLFSSL* ssl)
21186
0
{
21187
0
    byte   *output;
21188
0
    int    ret;
21189
0
    int    sendSz;
21190
0
    word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
21191
0
    word32 dnLen = 0;
21192
0
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
21193
0
    WOLF_STACK_OF(WOLFSSL_X509_NAME)* names;
21194
0
#endif
21195
21196
0
    int  typeTotal = 1;  /* only 1 for now */
21197
0
    int  reqSz = ENUM_LEN + typeTotal + REQ_HEADER_SZ;  /* add auth later */
21198
21199
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_SEND);
21200
0
    WOLFSSL_ENTER("SendCertificateRequest");
21201
21202
0
    if (IsAtLeastTLSv1_2(ssl))
21203
0
        reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz;
21204
21205
0
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
21206
    /* Certificate Authorities */
21207
0
    names = SSL_CA_NAMES(ssl);
21208
0
    while (names != NULL) {
21209
0
        byte seq[MAX_SEQ_SZ];
21210
0
        WOLFSSL_X509_NAME* name = names->data.name;
21211
21212
0
        if (name != NULL) {
21213
            /* 16-bit length | SEQ | Len | DER of name */
21214
0
            dnLen += OPAQUE16_LEN + SetSequence(name->rawLen, seq) +
21215
0
                        name->rawLen;
21216
0
        }
21217
0
        names = names->next;
21218
0
    }
21219
0
    reqSz += dnLen;
21220
0
#endif
21221
21222
0
    if (ssl->options.usingPSK_cipher || ssl->options.usingAnon_cipher)
21223
0
        return 0;  /* not needed */
21224
21225
0
    sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
21226
21227
0
    if (!ssl->options.dtls) {
21228
0
        if (IsEncryptionOn(ssl, 1))
21229
0
            sendSz += MAX_MSG_EXTRA;
21230
0
    }
21231
0
    else {
21232
    #ifdef WOLFSSL_DTLS
21233
        sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
21234
        i      += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
21235
    #endif
21236
0
    }
21237
21238
0
    if (IsEncryptionOn(ssl, 1))
21239
0
        sendSz += cipherExtraData(ssl);
21240
21241
    /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
21242
     * is not advanced yet */
21243
0
    ssl->options.buildingMsg = 1;
21244
21245
    /* check for available size */
21246
0
    if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
21247
0
        return ret;
21248
21249
    /* get output buffer */
21250
0
    output = ssl->buffers.outputBuffer.buffer +
21251
0
             ssl->buffers.outputBuffer.length;
21252
21253
0
    AddHeaders(output, reqSz, certificate_request, ssl);
21254
21255
    /* write to output */
21256
0
    output[i++] = (byte)typeTotal;  /* # of types */
21257
0
#ifdef HAVE_ECC
21258
0
    if ((ssl->options.cipherSuite0 == ECC_BYTE ||
21259
0
         ssl->options.cipherSuite0 == CHACHA_BYTE) &&
21260
0
                     ssl->specs.sig_algo == ecc_dsa_sa_algo) {
21261
0
        output[i++] = ecdsa_sign;
21262
0
    } else
21263
0
#endif /* HAVE_ECC */
21264
0
    {
21265
0
        output[i++] = rsa_sign;
21266
0
    }
21267
21268
    /* supported hash/sig */
21269
0
    if (IsAtLeastTLSv1_2(ssl)) {
21270
0
        c16toa(ssl->suites->hashSigAlgoSz, &output[i]);
21271
0
        i += OPAQUE16_LEN;
21272
21273
0
        XMEMCPY(&output[i],
21274
0
                         ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz);
21275
0
        i += ssl->suites->hashSigAlgoSz;
21276
0
    }
21277
21278
    /* Certificate Authorities */
21279
0
    c16toa((word16)dnLen, &output[i]);  /* auth's */
21280
0
    i += REQ_HEADER_SZ;
21281
0
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
21282
0
    names = SSL_CA_NAMES(ssl);
21283
0
    while (names != NULL) {
21284
0
        byte seq[MAX_SEQ_SZ];
21285
0
        WOLFSSL_X509_NAME* name = names->data.name;
21286
21287
0
        if (name != NULL) {
21288
0
            c16toa((word16)name->rawLen +
21289
0
                   (word16)SetSequence(name->rawLen, seq), &output[i]);
21290
0
            i += OPAQUE16_LEN;
21291
0
            i += SetSequence(name->rawLen, output + i);
21292
0
            XMEMCPY(output + i, name->raw, name->rawLen);
21293
0
            i += name->rawLen;
21294
0
        }
21295
0
        names = names->next;
21296
0
    }
21297
0
#endif
21298
0
    (void)i;
21299
21300
0
        if (IsEncryptionOn(ssl, 1)) {
21301
0
            byte* input = NULL;
21302
0
            int   inputSz = i; /* build msg adds rec hdr */
21303
0
            int   recordHeaderSz = RECORD_HEADER_SZ;
21304
21305
0
            if (ssl->options.dtls)
21306
0
                recordHeaderSz += DTLS_RECORD_EXTRA;
21307
0
            inputSz -= recordHeaderSz;
21308
21309
0
            if (inputSz <= 0) {
21310
0
                WOLFSSL_MSG("Send Cert Req bad inputSz");
21311
0
                return BUFFER_E;
21312
0
            }
21313
21314
0
            input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
21315
0
            if (input == NULL)
21316
0
                return MEMORY_E;
21317
21318
0
            XMEMCPY(input, output + recordHeaderSz, inputSz);
21319
            #ifdef WOLFSSL_DTLS
21320
            if (IsDtlsNotSctpMode(ssl) &&
21321
                    (ret = DtlsMsgPoolSave(ssl, input, inputSz, certificate_request)) != 0) {
21322
                XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
21323
                return ret;
21324
            }
21325
            #endif
21326
0
            sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
21327
0
                                  handshake, 1, 0, 0, CUR_ORDER);
21328
0
            XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
21329
21330
0
            if (sendSz < 0)
21331
0
                return sendSz;
21332
0
        } else {
21333
0
            sendSz = i;
21334
            #ifdef WOLFSSL_DTLS
21335
                if (IsDtlsNotSctpMode(ssl)) {
21336
                    if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, certificate_request)) != 0)
21337
                        return ret;
21338
                }
21339
                if (ssl->options.dtls)
21340
                    DtlsSEQIncrement(ssl, CUR_ORDER);
21341
            #endif
21342
0
            ret = HashOutput(ssl, output, sendSz, 0);
21343
0
            if (ret != 0)
21344
0
                return ret;
21345
0
        }
21346
21347
0
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
21348
0
        if (ssl->hsInfoOn)
21349
0
            AddPacketName(ssl, "CertificateRequest");
21350
0
        if (ssl->toInfoOn)
21351
0
            AddPacketInfo(ssl, "CertificateRequest", handshake, output, sendSz,
21352
0
                    WRITE_PROTO, ssl->heap);
21353
0
    #endif
21354
0
    ssl->buffers.outputBuffer.length += sendSz;
21355
0
    if (ssl->options.groupMessages)
21356
0
        ret = 0;
21357
0
    else
21358
0
        ret = SendBuffered(ssl);
21359
21360
0
    ssl->options.buildingMsg = 0;
21361
21362
0
    WOLFSSL_LEAVE("SendCertificateRequest", ret);
21363
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_SEND);
21364
21365
0
    return ret;
21366
0
}
21367
21368
#ifndef NO_WOLFSSL_SERVER
21369
#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
21370
 || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
21371
static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status,
21372
                                                                     byte count)
21373
{
21374
    byte*  output  = NULL;
21375
    word32 idx     = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
21376
    word32 length  = ENUM_LEN;
21377
    int    sendSz  = 0;
21378
    int    ret     = 0;
21379
    int    i       = 0;
21380
21381
    WOLFSSL_ENTER("BuildCertificateStatus");
21382
21383
    switch (type) {
21384
        case WOLFSSL_CSR2_OCSP_MULTI:
21385
            length += OPAQUE24_LEN;
21386
            FALL_THROUGH; /* followed by */
21387
21388
        case WOLFSSL_CSR2_OCSP:
21389
            for (i = 0; i < count; i++)
21390
                length += OPAQUE24_LEN + status[i].length;
21391
        break;
21392
21393
        default:
21394
            return 0;
21395
    }
21396
21397
    sendSz = idx + length;
21398
21399
    if (ssl->keys.encryptionOn)
21400
        sendSz += MAX_MSG_EXTRA;
21401
21402
    /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
21403
     * is not advanced yet */
21404
    ssl->options.buildingMsg = 1;
21405
21406
    if ((ret = CheckAvailableSize(ssl, sendSz)) == 0) {
21407
        output = ssl->buffers.outputBuffer.buffer +
21408
                 ssl->buffers.outputBuffer.length;
21409
21410
        AddHeaders(output, length, certificate_status, ssl);
21411
21412
        output[idx++] = type;
21413
21414
        if (type == WOLFSSL_CSR2_OCSP_MULTI) {
21415
            c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx);
21416
            idx += OPAQUE24_LEN;
21417
        }
21418
21419
        for (i = 0; i < count; i++) {
21420
            c32to24(status[i].length, output + idx);
21421
            idx += OPAQUE24_LEN;
21422
21423
            XMEMCPY(output + idx, status[i].buffer, status[i].length);
21424
            idx += status[i].length;
21425
        }
21426
21427
        if (IsEncryptionOn(ssl, 1)) {
21428
            byte* input;
21429
            int   inputSz = idx; /* build msg adds rec hdr */
21430
            int   recordHeaderSz = RECORD_HEADER_SZ;
21431
21432
            if (ssl->options.dtls)
21433
                recordHeaderSz += DTLS_RECORD_EXTRA;
21434
            inputSz -= recordHeaderSz;
21435
            input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
21436
            if (input == NULL)
21437
                return MEMORY_E;
21438
21439
            XMEMCPY(input, output + recordHeaderSz, inputSz);
21440
            #ifdef WOLFSSL_DTLS
21441
                ret = DtlsMsgPoolSave(ssl, input, inputSz, certificate_status);
21442
            #endif
21443
            if (ret == 0)
21444
                sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
21445
                                      handshake, 1, 0, 0, CUR_ORDER);
21446
            XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
21447
21448
            if (sendSz < 0)
21449
                ret = sendSz;
21450
        }
21451
        else {
21452
            #ifdef WOLFSSL_DTLS
21453
                if (ret == 0 && IsDtlsNotSctpMode(ssl))
21454
                    ret = DtlsMsgPoolSave(ssl, output, sendSz, certificate_status);
21455
                if (ret == 0 && ssl->options.dtls)
21456
                    DtlsSEQIncrement(ssl, CUR_ORDER);
21457
            #endif
21458
            ret = HashOutput(ssl, output, sendSz, 0);
21459
        }
21460
21461
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
21462
        if (ret == 0 && ssl->hsInfoOn)
21463
            AddPacketName(ssl, "CertificateStatus");
21464
        if (ret == 0 && ssl->toInfoOn)
21465
            AddPacketInfo(ssl, "CertificateStatus", handshake, output, sendSz,
21466
                    WRITE_PROTO, ssl->heap);
21467
    #endif
21468
21469
        if (ret == 0) {
21470
            ssl->options.buildingMsg = 0;
21471
            ssl->buffers.outputBuffer.length += sendSz;
21472
            if (!ssl->options.groupMessages)
21473
                ret = SendBuffered(ssl);
21474
        }
21475
    }
21476
21477
    WOLFSSL_LEAVE("BuildCertificateStatus", ret);
21478
    return ret;
21479
}
21480
#endif
21481
#endif /* NO_WOLFSSL_SERVER */
21482
21483
/* handle generation of certificate_status (22) */
21484
int SendCertificateStatus(WOLFSSL* ssl)
21485
0
{
21486
0
    int ret = 0;
21487
0
    byte status_type = 0;
21488
21489
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_STATUS_SEND);
21490
0
    WOLFSSL_ENTER("SendCertificateStatus");
21491
21492
0
    (void) ssl;
21493
21494
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
21495
    status_type = ssl->status_request;
21496
#endif
21497
21498
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
21499
    status_type = status_type ? status_type : ssl->status_request_v2;
21500
#endif
21501
21502
0
    switch (status_type) {
21503
21504
0
    #ifndef NO_WOLFSSL_SERVER
21505
    #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
21506
     || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
21507
        /* case WOLFSSL_CSR_OCSP: */
21508
        case WOLFSSL_CSR2_OCSP:
21509
        {
21510
            OcspRequest* request = ssl->ctx->certOcspRequest;
21511
            buffer response;
21512
21513
            ret = CreateOcspResponse(ssl, &request, &response);
21514
21515
            /* if a request was successfully created and not stored in
21516
             * ssl->ctx then free it */
21517
            if (ret == 0 && request != ssl->ctx->certOcspRequest) {
21518
                FreeOcspRequest(request);
21519
                XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
21520
                request = NULL;
21521
            }
21522
21523
            if (ret == 0 && response.buffer) {
21524
                ret = BuildCertificateStatus(ssl, status_type, &response, 1);
21525
21526
                XFREE(response.buffer, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
21527
                response.buffer = NULL;
21528
            }
21529
            break;
21530
        }
21531
21532
    #endif /* HAVE_CERTIFICATE_STATUS_REQUEST    */
21533
           /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
21534
21535
    #if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2
21536
        case WOLFSSL_CSR2_OCSP_MULTI:
21537
        {
21538
            OcspRequest* request = ssl->ctx->certOcspRequest;
21539
            buffer responses[1 + MAX_CHAIN_DEPTH];
21540
            int i = 0;
21541
21542
            XMEMSET(responses, 0, sizeof(responses));
21543
21544
            ret = CreateOcspResponse(ssl, &request, &responses[0]);
21545
21546
            /* if a request was successfully created and not stored in
21547
             * ssl->ctx then free it */
21548
            if (ret == 0 && request != ssl->ctx->certOcspRequest) {
21549
                FreeOcspRequest(request);
21550
                XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
21551
                request = NULL;
21552
            }
21553
21554
            if (ret == 0 && (!ssl->ctx->chainOcspRequest[0]
21555
                                              || ssl->buffers.weOwnCertChain)) {
21556
                buffer der;
21557
                word32 idx = 0;
21558
            #ifdef WOLFSSL_SMALL_STACK
21559
                DecodedCert* cert;
21560
            #else
21561
                DecodedCert  cert[1];
21562
            #endif
21563
                DerBuffer* chain;
21564
21565
            #ifdef WOLFSSL_SMALL_STACK
21566
                cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), ssl->heap,
21567
                                                            DYNAMIC_TYPE_DCERT);
21568
                if (cert == NULL)
21569
                    return MEMORY_E;
21570
            #endif
21571
                request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), ssl->heap,
21572
                                                     DYNAMIC_TYPE_OCSP_REQUEST);
21573
                if (request == NULL) {
21574
            #ifdef WOLFSSL_SMALL_STACK
21575
                    XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
21576
            #endif
21577
                    return MEMORY_E;
21578
                }
21579
21580
                /* use certChain if available, otherwise use peer certificate */
21581
                chain = ssl->buffers.certChain;
21582
                if (chain == NULL) {
21583
                    chain = ssl->buffers.certificate;
21584
                }
21585
21586
                if (chain && chain->buffer) {
21587
                    while (idx + OPAQUE24_LEN < chain->length) {
21588
                        c24to32(chain->buffer + idx, &der.length);
21589
                        idx += OPAQUE24_LEN;
21590
21591
                        der.buffer = chain->buffer + idx;
21592
                        idx += der.length;
21593
21594
                        if (idx > chain->length)
21595
                            break;
21596
21597
                        ret = CreateOcspRequest(ssl, request, cert, der.buffer,
21598
                                                der.length);
21599
                        if (ret == 0) {
21600
                            request->ssl = ssl;
21601
                        ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling,
21602
                                                    request, &responses[i + 1]);
21603
21604
                            /* Suppressing, not critical */
21605
                            if (ret == OCSP_CERT_REVOKED ||
21606
                                ret == OCSP_CERT_UNKNOWN ||
21607
                                ret == OCSP_LOOKUP_FAIL) {
21608
                                ret = 0;
21609
                            }
21610
21611
21612
                            i++;
21613
                            FreeOcspRequest(request);
21614
                        }
21615
                    }
21616
                }
21617
21618
                XFREE(request, ssl->heap, DYNAMIC_TYPE_OCSP_REQUEST);
21619
            #ifdef WOLFSSL_SMALL_STACK
21620
                XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
21621
            #endif
21622
            }
21623
            else {
21624
                while (ret == 0 &&
21625
                            NULL != (request = ssl->ctx->chainOcspRequest[i])) {
21626
                    request->ssl = ssl;
21627
                    ret = CheckOcspRequest(SSL_CM(ssl)->ocsp_stapling,
21628
                                                request, &responses[++i]);
21629
21630
                    /* Suppressing, not critical */
21631
                    if (ret == OCSP_CERT_REVOKED ||
21632
                        ret == OCSP_CERT_UNKNOWN ||
21633
                        ret == OCSP_LOOKUP_FAIL) {
21634
                        ret = 0;
21635
                    }
21636
                }
21637
            }
21638
21639
            if (responses[0].buffer) {
21640
                if (ret == 0) {
21641
                    ret = BuildCertificateStatus(ssl, status_type, responses,
21642
                                                                   (byte)i + 1);
21643
                }
21644
21645
                for (i = 0; i < 1 + MAX_CHAIN_DEPTH; i++) {
21646
                    if (responses[i].buffer) {
21647
                        XFREE(responses[i].buffer, ssl->heap,
21648
                                                     DYNAMIC_TYPE_OCSP_REQUEST);
21649
                    }
21650
                }
21651
            }
21652
21653
            break;
21654
        }
21655
    #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
21656
0
    #endif /* NO_WOLFSSL_SERVER */
21657
21658
0
        default:
21659
0
            break;
21660
0
    }
21661
21662
0
    WOLFSSL_LEAVE("SendCertificateStatus", ret);
21663
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_STATUS_SEND);
21664
21665
0
    return ret;
21666
0
}
21667
21668
#endif /* !NO_CERTS */
21669
21670
#endif /* WOLFSSL_NO_TLS12 */
21671
21672
21673
21674
#if defined(HAVE_SECURE_RENEGOTIATION) && defined(WOLFSSL_DTLS)
21675
/**
21676
 * Check if the SCR keys are set in ssl->secure_renegotiation->tmp_keys.
21677
 */
21678
int DtlsSCRKeysSet(WOLFSSL* ssl)
21679
{
21680
    return ssl->secure_renegotiation &&
21681
           ssl->secure_renegotiation->tmp_keys.dtls_epoch != 0;
21682
}
21683
21684
/**
21685
 * ssl->keys contains the current cipher parameters only for epoch 1. For
21686
 * epochs >1 ssl->secure_renegotiation->tmp_keys contains the current
21687
 * cipher parameters. This function checks if the message currently being
21688
 * processed should use ssl->keys or ssl->secure_renegotiation->tmp_keys.
21689
 */
21690
int IsDtlsMsgSCRKeys(WOLFSSL* ssl)
21691
{
21692
    return DtlsSCRKeysSet(ssl) &&
21693
           ssl->keys.curEpoch ==
21694
                   ssl->secure_renegotiation->tmp_keys.dtls_epoch;
21695
}
21696
21697
/**
21698
 * ssl->keys contains the current cipher parameters only for epoch 1. For
21699
 * epochs >1 ssl->secure_renegotiation->tmp_keys contains the current
21700
 * cipher parameters. This function checks if the message currently being
21701
 * built should use ssl->keys or ssl->secure_renegotiation->tmp_keys.
21702
 */
21703
int DtlsUseSCRKeys(WOLFSSL* ssl)
21704
{
21705
    return DtlsSCRKeysSet(ssl) &&
21706
           ssl->secure_renegotiation->tmp_keys.dtls_epoch ==
21707
                   ssl->keys.dtls_epoch;
21708
}
21709
21710
/**
21711
 * If ssl->secure_renegotiation->tmp_keys.dtls_epoch > ssl->keys.dtls_epoch
21712
 * then PREV_ORDER refers to the current epoch.
21713
 * */
21714
int DtlsCheckOrder(WOLFSSL* ssl, int order)
21715
{
21716
    if (order == PREV_ORDER && ssl->secure_renegotiation &&
21717
            ssl->secure_renegotiation->tmp_keys.dtls_epoch > ssl->keys.dtls_epoch) {
21718
        return CUR_ORDER;
21719
    }
21720
    else {
21721
        return order;
21722
    }
21723
}
21724
#endif /* HAVE_SECURE_RENEGOTIATION && WOLFSSL_DTLS */
21725
21726
/* If secure renegotiation is disabled, this will always return false.
21727
 * Otherwise it checks to see if we are currently renegotiating. */
21728
int IsSCR(WOLFSSL* ssl)
21729
0
{
21730
0
#ifndef HAVE_SECURE_RENEGOTIATION
21731
0
    (void)ssl;
21732
#else /* HAVE_SECURE_RENEGOTIATION */
21733
    if (ssl->secure_renegotiation &&
21734
            ssl->secure_renegotiation->enabled &&  /* Is SCR enabled? */
21735
            ssl->options.handShakeDone && /* At least one handshake done? */
21736
            ssl->options.handShakeState != HANDSHAKE_DONE) /* Currently handshaking? */
21737
        return 1;
21738
#endif /* HAVE_SECURE_RENEGOTIATION */
21739
0
    return 0;
21740
0
}
21741
21742
21743
#ifdef WOLFSSL_DTLS
21744
static int ModifyForMTU(WOLFSSL* ssl, int buffSz, int outputSz, int mtuSz)
21745
{
21746
    int recordExtra = outputSz - buffSz;
21747
21748
    (void)ssl;
21749
21750
    if (recordExtra > 0 && outputSz > mtuSz) {
21751
        buffSz = mtuSz - recordExtra;
21752
#ifndef WOLFSSL_AEAD_ONLY
21753
        /* Subtract a block size to be certain that returned fragment
21754
         * size won't get more padding. */
21755
        if (ssl->specs.cipher_type == block)
21756
            buffSz -= ssl->specs.block_size;
21757
#endif
21758
    }
21759
21760
    return buffSz;
21761
}
21762
#endif /* WOLFSSL_DTLS */
21763
21764
21765
int SendData(WOLFSSL* ssl, const void* data, int sz)
21766
0
{
21767
0
    int sent = 0,  /* plainText size */
21768
0
        sendSz,
21769
0
        ret;
21770
#if defined(WOLFSSL_EARLY_DATA) && defined(WOLFSSL_EARLY_DATA_GROUP)
21771
    int groupMsgs = 0;
21772
#endif
21773
21774
0
    if (ssl->error == WANT_WRITE
21775
    #ifdef WOLFSSL_ASYNC_CRYPT
21776
        || ssl->error == WC_PENDING_E
21777
    #endif
21778
0
    ) {
21779
0
        ssl->error = 0;
21780
0
    }
21781
21782
    /* don't allow write after decrypt or mac error */
21783
0
    if (ssl->error == VERIFY_MAC_ERROR || ssl->error == DECRYPT_ERROR) {
21784
        /* For DTLS allow these possible errors and allow the session
21785
            to continue despite them */
21786
0
        if (ssl->options.dtls) {
21787
0
            ssl->error = 0;
21788
0
        }
21789
0
        else {
21790
0
            WOLFSSL_MSG("Not allowing write after decrypt or mac error");
21791
0
            return WOLFSSL_FATAL_ERROR;
21792
0
        }
21793
0
    }
21794
21795
#ifdef WOLFSSL_EARLY_DATA
21796
    if (ssl->earlyData != no_early_data) {
21797
        if (ssl->options.handShakeState == HANDSHAKE_DONE) {
21798
            WOLFSSL_MSG("handshake complete, trying to send early data");
21799
            ssl->error = BUILD_MSG_ERROR;
21800
            return WOLFSSL_FATAL_ERROR;
21801
        }
21802
    #ifdef WOLFSSL_EARLY_DATA_GROUP
21803
        groupMsgs = 1;
21804
    #endif
21805
    }
21806
    else
21807
#endif
21808
0
    if (ssl->options.handShakeState != HANDSHAKE_DONE && !IsSCR(ssl)) {
21809
0
        int err;
21810
0
        WOLFSSL_MSG("handshake not complete, trying to finish");
21811
0
        if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
21812
        #ifdef WOLFSSL_ASYNC_CRYPT
21813
            /* if async would block return WANT_WRITE */
21814
            if (ssl->error == WC_PENDING_E) {
21815
                return WOLFSSL_CBIO_ERR_WANT_WRITE;
21816
            }
21817
        #endif
21818
0
            return  err;
21819
0
        }
21820
0
    }
21821
21822
    /* last time system socket output buffer was full, try again to send */
21823
0
    if (ssl->buffers.outputBuffer.length > 0
21824
    #if defined(WOLFSSL_EARLY_DATA) && defined(WOLFSSL_EARLY_DATA_GROUP)
21825
        && !groupMsgs
21826
    #endif
21827
0
        ) {
21828
0
        WOLFSSL_MSG("output buffer was full, trying to send again");
21829
0
        if ( (ssl->error = SendBuffered(ssl)) < 0) {
21830
0
            WOLFSSL_ERROR(ssl->error);
21831
0
            if (ssl->error == SOCKET_ERROR_E && (ssl->options.connReset ||
21832
0
                                                 ssl->options.isClosed)) {
21833
0
                ssl->error = SOCKET_PEER_CLOSED_E;
21834
0
                WOLFSSL_ERROR(ssl->error);
21835
0
                return 0;  /* peer reset or closed */
21836
0
            }
21837
0
            return ssl->error;
21838
0
        }
21839
0
        else {
21840
            /* advance sent to previous sent + plain size just sent */
21841
0
            sent = ssl->buffers.prevSent + ssl->buffers.plainSz;
21842
0
            WOLFSSL_MSG("sent write buffered data");
21843
21844
0
            if (sent > sz) {
21845
0
                WOLFSSL_MSG("error: write() after WANT_WRITE with short size");
21846
0
                return ssl->error = BAD_FUNC_ARG;
21847
0
            }
21848
0
        }
21849
0
    }
21850
21851
0
    ret = RetrySendAlert(ssl);
21852
0
    if (ret != 0) {
21853
0
        ssl->error = ret;
21854
0
        return WOLFSSL_FATAL_ERROR;
21855
0
    }
21856
21857
0
    for (;;) {
21858
0
        byte* out;
21859
0
        byte* sendBuffer = (byte*)data + sent;  /* may switch on comp */
21860
0
        int   buffSz;                           /* may switch on comp */
21861
0
        int   outputSz;
21862
#ifdef HAVE_LIBZ
21863
        byte  comp[MAX_RECORD_SIZE + MAX_COMP_EXTRA];
21864
#endif
21865
21866
#ifdef WOLFSSL_DTLS13
21867
        if (ssl->options.dtls && ssl->options.tls1_3) {
21868
            byte isEarlyData = 0;
21869
21870
            if (ssl->dtls13EncryptEpoch == NULL)
21871
                return ssl->error = BAD_STATE_E;
21872
21873
#ifdef WOLFSSL_EARLY_DATA
21874
            isEarlyData = ssl->earlyData != no_early_data;
21875
#endif
21876
21877
            if (isEarlyData) {
21878
#ifdef WOLFSSL_EARLY_DATA
21879
                ret = Dtls13SetEpochKeys(ssl,
21880
                    w64From32(0x0, DTLS13_EPOCH_EARLYDATA), ENCRYPT_SIDE_ONLY);
21881
                if (ret != 0) {
21882
                    WOLFSSL_MSG(
21883
                        "trying to send early data without epoch 1");
21884
                    ssl->error = BUILD_MSG_ERROR;
21885
                    return WOLFSSL_FATAL_ERROR;
21886
                }
21887
#endif /* WOLFSSL_EARLY_DATA */
21888
            }
21889
            else if (!w64Equal(
21890
                         ssl->dtls13EncryptEpoch->epochNumber,
21891
                         ssl->dtls13Epoch)) {
21892
                ret = Dtls13SetEpochKeys(
21893
                    ssl, ssl->dtls13Epoch, ENCRYPT_SIDE_ONLY);
21894
                if (ret != 0) {
21895
                    ssl->error = BUILD_MSG_ERROR;
21896
                    return WOLFSSL_FATAL_ERROR;
21897
                }
21898
            }
21899
        }
21900
#endif /* WOLFSSL_DTLS13 */
21901
21902
#ifdef WOLFSSL_DTLS
21903
        if (ssl->options.dtls) {
21904
            buffSz = wolfSSL_GetMaxFragSize(ssl, sz - sent);
21905
        }
21906
        else
21907
#endif
21908
0
        {
21909
0
            buffSz = wolfSSL_GetMaxFragSize(ssl, sz - sent);
21910
21911
0
        }
21912
21913
0
        if (sent == sz) break;
21914
21915
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_NO_DTLS_SIZE_CHECK)
21916
        if (ssl->options.dtls && (buffSz < sz - sent)) {
21917
            ssl->error = DTLS_SIZE_ERROR;
21918
            WOLFSSL_ERROR(ssl->error);
21919
            return ssl->error;
21920
        }
21921
#endif
21922
0
        outputSz = buffSz + COMP_EXTRA + DTLS_RECORD_HEADER_SZ;
21923
0
        if (IsEncryptionOn(ssl, 1) || ssl->options.tls1_3)
21924
0
            outputSz += cipherExtraData(ssl);
21925
21926
        /* check for available size */
21927
0
        if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
21928
0
            return ssl->error = ret;
21929
21930
        /* get output buffer */
21931
0
        out = ssl->buffers.outputBuffer.buffer +
21932
0
              ssl->buffers.outputBuffer.length;
21933
21934
#ifdef HAVE_LIBZ
21935
        if (ssl->options.usingCompression) {
21936
            buffSz = myCompress(ssl, sendBuffer, buffSz, comp, sizeof(comp));
21937
            if (buffSz < 0) {
21938
                return buffSz;
21939
            }
21940
            sendBuffer = comp;
21941
        }
21942
#endif
21943
0
        if (!ssl->options.tls1_3) {
21944
#ifdef WOLFSSL_ASYNC_CRYPT
21945
            if (ssl->async == NULL) {
21946
                ssl->async = (struct WOLFSSL_ASYNC*)
21947
                        XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
21948
                                DYNAMIC_TYPE_ASYNC);
21949
                if (ssl->async == NULL)
21950
                    return MEMORY_E;
21951
                ssl->async->freeArgs = NULL;
21952
            }
21953
#endif
21954
0
            sendSz = BuildMessage(ssl, out, outputSz, sendBuffer, buffSz,
21955
0
                                  application_data, 0, 0, 1, CUR_ORDER);
21956
0
        }
21957
0
        else {
21958
0
#ifdef WOLFSSL_TLS13
21959
0
            sendSz = BuildTls13Message(ssl, out, outputSz, sendBuffer, buffSz,
21960
0
                                       application_data, 0, 0, 1);
21961
#else
21962
            sendSz = BUFFER_ERROR;
21963
#endif
21964
0
        }
21965
0
        if (sendSz < 0) {
21966
        #ifdef WOLFSSL_ASYNC_CRYPT
21967
            if (sendSz == WC_PENDING_E)
21968
                ssl->error = sendSz;
21969
        #endif
21970
0
            return BUILD_MSG_ERROR;
21971
0
        }
21972
21973
#ifdef WOLFSSL_ASYNC_CRYPT
21974
        FreeAsyncCtx(ssl, 0);
21975
#endif
21976
0
        ssl->buffers.outputBuffer.length += sendSz;
21977
21978
0
        if ( (ssl->error = SendBuffered(ssl)) < 0) {
21979
0
            WOLFSSL_ERROR(ssl->error);
21980
            /* store for next call if WANT_WRITE or user embedSend() that
21981
               doesn't present like WANT_WRITE */
21982
0
            ssl->buffers.plainSz  = buffSz;
21983
0
            ssl->buffers.prevSent = sent;
21984
0
            if (ssl->error == SOCKET_ERROR_E && (ssl->options.connReset ||
21985
0
                                                 ssl->options.isClosed)) {
21986
0
                ssl->error = SOCKET_PEER_CLOSED_E;
21987
0
                WOLFSSL_ERROR(ssl->error);
21988
0
                return 0;  /* peer reset or closed */
21989
0
            }
21990
0
            return ssl->error;
21991
0
        }
21992
21993
0
        sent += buffSz;
21994
21995
        /* only one message per attempt */
21996
0
        if (ssl->options.partialWrite == 1) {
21997
0
            WOLFSSL_MSG("Partial Write on, only sending one record");
21998
0
            break;
21999
0
        }
22000
0
    }
22001
22002
0
    return sent;
22003
0
}
22004
22005
/* process input data */
22006
int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
22007
0
{
22008
0
    int size;
22009
22010
0
    WOLFSSL_ENTER("ReceiveData()");
22011
22012
    /* reset error state */
22013
0
    if (ssl->error == WANT_READ || ssl->error == WOLFSSL_ERROR_WANT_READ) {
22014
0
        ssl->error = 0;
22015
0
    }
22016
22017
#ifdef WOLFSSL_DTLS
22018
    if (ssl->options.dtls) {
22019
        /* In DTLS mode, we forgive some errors and allow the session
22020
         * to continue despite them. */
22021
        if (ssl->error == VERIFY_MAC_ERROR ||
22022
            ssl->error == DECRYPT_ERROR ||
22023
            ssl->error == DTLS_SIZE_ERROR) {
22024
22025
            ssl->error = 0;
22026
        }
22027
    }
22028
#endif /* WOLFSSL_DTLS */
22029
22030
0
    if (ssl->error != 0 && ssl->error != WANT_WRITE
22031
#ifdef WOLFSSL_ASYNC_CRYPT
22032
            && ssl->error != WC_PENDING_E
22033
#endif
22034
#ifdef HAVE_SECURE_RENEGOTIATION
22035
            && ssl->error != APP_DATA_READY
22036
#endif
22037
0
    ) {
22038
0
        WOLFSSL_MSG("User calling wolfSSL_read in error state, not allowed");
22039
0
        return ssl->error;
22040
0
    }
22041
22042
#ifdef WOLFSSL_EARLY_DATA
22043
    if (ssl->earlyData != no_early_data) {
22044
    }
22045
    else
22046
#endif
22047
0
    {
22048
0
        int negotiate = 0;
22049
#ifdef HAVE_SECURE_RENEGOTIATION
22050
        if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) {
22051
            if (ssl->options.handShakeState != HANDSHAKE_DONE
22052
                && ssl->buffers.clearOutputBuffer.length == 0)
22053
                negotiate = 1;
22054
        }
22055
        else
22056
#endif
22057
0
        if (ssl->options.handShakeState != HANDSHAKE_DONE)
22058
0
            negotiate = 1;
22059
22060
0
        if (negotiate) {
22061
0
            int err;
22062
0
            WOLFSSL_MSG("Handshake not complete, trying to finish");
22063
0
            if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
22064
            #ifdef WOLFSSL_ASYNC_CRYPT
22065
                /* if async would block return WANT_WRITE */
22066
                if (ssl->error == WC_PENDING_E) {
22067
                    return WOLFSSL_CBIO_ERR_WANT_READ;
22068
                }
22069
            #endif
22070
0
                return err;
22071
0
            }
22072
0
        }
22073
0
    }
22074
22075
#ifdef HAVE_SECURE_RENEGOTIATION
22076
startScr:
22077
    if (ssl->secure_renegotiation && ssl->secure_renegotiation->startScr) {
22078
        int ret;
22079
        WOLFSSL_MSG("Need to start scr, server requested");
22080
        ret = wolfSSL_Rehandshake(ssl);
22081
        ssl->secure_renegotiation->startScr = 0;  /* only start once */
22082
        if (ret != WOLFSSL_SUCCESS)
22083
            return ret;
22084
    }
22085
#endif
22086
22087
0
    while (ssl->buffers.clearOutputBuffer.length == 0) {
22088
0
        if ( (ssl->error = ProcessReply(ssl)) < 0) {
22089
0
            if (ssl->error == ZERO_RETURN) {
22090
0
                WOLFSSL_MSG("Zero return, no more data coming");
22091
0
                return 0; /* no more data coming */
22092
0
            }
22093
0
            if (ssl->error == SOCKET_ERROR_E) {
22094
0
                if (ssl->options.connReset || ssl->options.isClosed) {
22095
0
                    WOLFSSL_MSG("Peer reset or closed, connection done");
22096
0
                    ssl->error = SOCKET_PEER_CLOSED_E;
22097
0
                    WOLFSSL_ERROR(ssl->error);
22098
0
                    return 0; /* peer reset or closed */
22099
0
                }
22100
0
            }
22101
0
            WOLFSSL_ERROR(ssl->error);
22102
0
            return ssl->error;
22103
0
        }
22104
22105
#ifdef WOLFSSL_DTLS13
22106
        if (ssl->options.dtls) {
22107
            /* Dtls13DoScheduledWork(ssl) may return WANT_WRITE */
22108
            if ((ssl->error = Dtls13DoScheduledWork(ssl)) < 0) {
22109
                WOLFSSL_ERROR(ssl->error);
22110
                return ssl->error;
22111
            }
22112
        }
22113
#endif /* WOLFSSL_DTLS13 */
22114
        #ifdef HAVE_SECURE_RENEGOTIATION
22115
            if (ssl->secure_renegotiation &&
22116
                ssl->secure_renegotiation->startScr) {
22117
                goto startScr;
22118
            }
22119
            if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled &&
22120
                    ssl->options.handShakeState != HANDSHAKE_DONE
22121
                    && ssl->buffers.clearOutputBuffer.length == 0) {
22122
                /* ProcessReply processed a handshake packet and not any APP DATA
22123
                 * so let's move the handshake along */
22124
                int err;
22125
                WOLFSSL_MSG("Handshake not complete, trying to finish");
22126
                if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
22127
                #ifdef WOLFSSL_ASYNC_CRYPT
22128
                    /* if async would block return WANT_WRITE */
22129
                    if (ssl->error == WC_PENDING_E) {
22130
                        return WOLFSSL_CBIO_ERR_WANT_READ;
22131
                    }
22132
                #endif
22133
                    return err;
22134
                }
22135
            }
22136
        #endif
22137
22138
#ifdef WOLFSSL_DTLS13
22139
            /* if wolfSSL_Peek() is invoked with sz == 0 it will not block (but
22140
             *  it processes pending non-application records) */
22141
            if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version) && peek &&
22142
                sz == 0 && ssl->buffers.inputBuffer.idx
22143
                - ssl->buffers.inputBuffer.length  == 0) {
22144
                return 0;
22145
            }
22146
#endif /* WOLFSSL_DTLS13 */
22147
22148
0
#ifndef WOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE
22149
0
    #ifdef WOLFSSL_TLS13
22150
0
        if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.handShakeDone &&
22151
0
                                         ssl->curRL.type == handshake && peek) {
22152
0
            WOLFSSL_MSG("Got Handshake Messge in APP data");
22153
0
            if (ssl->buffers.inputBuffer.length == 0) {
22154
0
                ssl->error = WOLFSSL_ERROR_WANT_READ;
22155
0
                return 0;
22156
0
            }
22157
0
        }
22158
0
    #endif
22159
0
#endif
22160
0
    }
22161
22162
0
    size = min(sz, (int)ssl->buffers.clearOutputBuffer.length);
22163
22164
0
    XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size);
22165
22166
0
    if (peek == 0) {
22167
0
        ssl->buffers.clearOutputBuffer.length -= size;
22168
0
        ssl->buffers.clearOutputBuffer.buffer += size;
22169
0
    }
22170
22171
0
    if (ssl->buffers.inputBuffer.dynamicFlag)
22172
0
       ShrinkInputBuffer(ssl, NO_FORCED_FREE);
22173
22174
0
    WOLFSSL_LEAVE("ReceiveData()", size);
22175
0
    return size;
22176
0
}
22177
22178
static int SendAlert_ex(WOLFSSL* ssl, int severity, int type)
22179
0
{
22180
0
    byte input[ALERT_SIZE];
22181
0
    byte *output;
22182
0
    int  sendSz;
22183
0
    int  ret;
22184
0
    int  outputSz;
22185
0
    int  dtlsExtra = 0;
22186
22187
0
    WOLFSSL_ENTER("SendAlert");
22188
22189
#ifdef WOLFSSL_QUIC
22190
    if (WOLFSSL_IS_QUIC(ssl)) {
22191
        ret = !ssl->quic.method->send_alert(ssl, ssl->quic.enc_level_write, (uint8_t)type);
22192
        if (ret) {
22193
            WOLFSSL_MSG("QUIC send_alert callback error");
22194
        }
22195
        return ret;
22196
    }
22197
#endif
22198
22199
#ifdef HAVE_WRITE_DUP
22200
    if (ssl->dupWrite && ssl->dupSide == READ_DUP_SIDE) {
22201
        int notifyErr = 0;
22202
22203
        WOLFSSL_MSG("Read dup side cannot write alerts, notifying sibling");
22204
22205
        if (type == close_notify) {
22206
            notifyErr = ZERO_RETURN;
22207
        } else if (severity == alert_fatal) {
22208
            notifyErr = FATAL_ERROR;
22209
        }
22210
22211
        if (notifyErr != 0) {
22212
            return NotifyWriteSide(ssl, notifyErr);
22213
        }
22214
22215
        return 0;
22216
    }
22217
#endif
22218
22219
0
    ssl->pendingAlert.code = type;
22220
0
    ssl->pendingAlert.level = severity;
22221
22222
0
   #ifdef OPENSSL_EXTRA
22223
0
        if (ssl->CBIS != NULL) {
22224
0
            ssl->CBIS(ssl, SSL_CB_ALERT, type);
22225
0
        }
22226
0
   #endif
22227
   #ifdef WOLFSSL_DTLS
22228
        if (ssl->options.dtls)
22229
           dtlsExtra = DTLS_RECORD_EXTRA;
22230
   #endif
22231
22232
    /* check for available size */
22233
0
    outputSz = ALERT_SIZE + MAX_MSG_EXTRA + dtlsExtra;
22234
0
    if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) {
22235
#ifdef WOLFSSL_DTLS
22236
        /* If CheckAvailableSize returned WANT_WRITE due to a blocking write
22237
         * then discard pending output and just send the alert. */
22238
        if (ssl->options.dtls) {
22239
            if (ret != WANT_WRITE || severity != alert_fatal)
22240
                return ret;
22241
            ShrinkOutputBuffer(ssl);
22242
            if ((ret = CheckAvailableSize(ssl, outputSz)) != 0) {
22243
                return ret;
22244
            }
22245
        }
22246
        else {
22247
            return ret;
22248
        }
22249
#else
22250
0
        return ret;
22251
0
#endif
22252
0
    }
22253
22254
    /* Check output buffer */
22255
0
    if (ssl->buffers.outputBuffer.buffer == NULL)
22256
0
        return BUFFER_E;
22257
22258
    /* get output buffer */
22259
0
    output = ssl->buffers.outputBuffer.buffer +
22260
0
             ssl->buffers.outputBuffer.length;
22261
22262
0
    input[0] = (byte)severity;
22263
0
    input[1] = (byte)type;
22264
0
    ssl->alert_history.last_tx.code = type;
22265
0
    ssl->alert_history.last_tx.level = severity;
22266
0
    if (severity == alert_fatal) {
22267
0
        ssl->options.isClosed = 1;  /* Don't send close_notify */
22268
0
    }
22269
22270
    /* send encrypted alert if encryption is on - can be a rehandshake over
22271
     * an existing encrypted channel.
22272
     * TLS 1.3 encrypts handshake packets after the ServerHello
22273
     */
22274
0
    if (IsEncryptionOn(ssl, 1)) {
22275
#ifdef WOLFSSL_DTLS13
22276
        if (ssl->options.dtls
22277
            && IsAtLeastTLSv1_3(ssl->version)
22278
            && !w64Equal(ssl->dtls13EncryptEpoch->epochNumber, ssl->dtls13Epoch)) {
22279
            ret = Dtls13SetEpochKeys(ssl, ssl->dtls13Epoch, ENCRYPT_SIDE_ONLY);
22280
            if (ret != 0)
22281
                return ret;
22282
        }
22283
#endif /* WOLFSSL_DTLS13 */
22284
22285
0
        sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, alert,
22286
0
                                                                       0, 0, 0, CUR_ORDER);
22287
0
    }
22288
0
    else {
22289
22290
#ifdef WOLFSSL_DTLS13
22291
        if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
22292
            ret = Dtls13RlAddPlaintextHeader(ssl, output, alert, ALERT_SIZE);
22293
            if (ret != 0)
22294
                return ret;
22295
        }
22296
        else
22297
#endif /* WOLFSSL_DTLS13 */
22298
0
            {
22299
0
                AddRecordHeader(output, ALERT_SIZE, alert, ssl, CUR_ORDER);
22300
0
            }
22301
22302
0
        output += RECORD_HEADER_SZ;
22303
        #ifdef WOLFSSL_DTLS
22304
            if (ssl->options.dtls)
22305
                output += DTLS_RECORD_EXTRA;
22306
        #endif
22307
0
        XMEMCPY(output, input, ALERT_SIZE);
22308
22309
0
        sendSz = RECORD_HEADER_SZ + ALERT_SIZE;
22310
        #ifdef WOLFSSL_DTLS
22311
            if (ssl->options.dtls)
22312
                sendSz += DTLS_RECORD_EXTRA;
22313
        #endif
22314
0
    }
22315
0
    if (sendSz < 0)
22316
0
        return BUILD_MSG_ERROR;
22317
22318
0
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
22319
0
        if (ssl->hsInfoOn)
22320
0
            AddPacketName(ssl, "Alert");
22321
0
        if (ssl->toInfoOn)
22322
0
            AddPacketInfo(ssl, "Alert", alert, output, sendSz, WRITE_PROTO,
22323
0
                    ssl->heap);
22324
0
    #endif
22325
22326
0
    ssl->buffers.outputBuffer.length += sendSz;
22327
22328
0
    ret = SendBuffered(ssl);
22329
22330
0
    ssl->pendingAlert.code = 0;
22331
0
    ssl->pendingAlert.level = alert_none;
22332
22333
0
    WOLFSSL_LEAVE("SendAlert", ret);
22334
22335
0
    return ret;
22336
0
}
22337
22338
int RetrySendAlert(WOLFSSL* ssl)
22339
0
{
22340
0
    int type = ssl->pendingAlert.code;
22341
0
    int severity = ssl->pendingAlert.level;
22342
22343
0
    if (severity == alert_none)
22344
0
        return 0;
22345
22346
0
    ssl->pendingAlert.code = 0;
22347
0
    ssl->pendingAlert.level = alert_none;
22348
22349
0
    return SendAlert_ex(ssl, severity, type);
22350
0
}
22351
22352
/* send alert message */
22353
int SendAlert(WOLFSSL* ssl, int severity, int type)
22354
0
{
22355
0
    int ret;
22356
22357
0
    if (ssl->pendingAlert.level != alert_none) {
22358
0
        ret = RetrySendAlert(ssl);
22359
0
        if (ret != 0) {
22360
0
            if (ssl->pendingAlert.level == alert_none ||
22361
0
                    (ssl->pendingAlert.level != alert_fatal &&
22362
0
                            severity == alert_fatal)) {
22363
                /* Store current alert if pendingAlert is empty or if current
22364
                 * is fatal and previous was not */
22365
0
                ssl->pendingAlert.code = type;
22366
0
                ssl->pendingAlert.level = severity;
22367
0
            }
22368
0
            return ret;
22369
0
        }
22370
0
    }
22371
22372
0
    return SendAlert_ex(ssl, severity, type);
22373
0
}
22374
22375
const char* wolfSSL_ERR_reason_error_string(unsigned long e)
22376
0
{
22377
#ifdef NO_ERROR_STRINGS
22378
22379
    (void)e;
22380
    return "no support for error strings built in";
22381
22382
#else
22383
22384
0
    int error = (int)e;
22385
0
#ifdef OPENSSL_EXTRA
22386
    /* OpenSSL uses positive error codes */
22387
0
    if (error > 0) {
22388
0
        error = -error;
22389
0
    }
22390
0
#endif
22391
22392
    /* pass to wolfCrypt */
22393
0
    if (error < MAX_CODE_E && error > MIN_CODE_E) {
22394
0
        return wc_GetErrorString(error);
22395
0
    }
22396
22397
0
    switch (error) {
22398
22399
0
#ifdef OPENSSL_EXTRA
22400
0
    case 0 :
22401
0
        return "ok";
22402
0
#endif
22403
22404
0
    case UNSUPPORTED_SUITE :
22405
0
        return "unsupported cipher suite";
22406
22407
0
    case INPUT_CASE_ERROR :
22408
0
        return "input state error";
22409
22410
0
    case PREFIX_ERROR :
22411
0
        return "bad index to key rounds";
22412
22413
0
    case MEMORY_ERROR :
22414
0
        return "out of memory";
22415
22416
0
    case VERIFY_FINISHED_ERROR :
22417
0
        return "verify problem on finished";
22418
22419
0
    case VERIFY_MAC_ERROR :
22420
0
        return "verify mac problem";
22421
22422
0
    case PARSE_ERROR :
22423
0
        return "parse error on header";
22424
22425
0
    case SIDE_ERROR :
22426
0
        return "wrong client/server type";
22427
22428
0
    case NO_PEER_CERT : /* OpenSSL compatibility expects this exact text */
22429
0
        return "peer did not return a certificate";
22430
22431
0
    case UNKNOWN_HANDSHAKE_TYPE :
22432
0
        return "weird handshake type";
22433
22434
0
    case SOCKET_ERROR_E :
22435
0
        return "error state on socket";
22436
22437
0
    case SOCKET_NODATA :
22438
0
        return "expected data, not there";
22439
22440
0
    case INCOMPLETE_DATA :
22441
0
        return "don't have enough data to complete task";
22442
22443
0
    case UNKNOWN_RECORD_TYPE :
22444
0
        return "unknown type in record hdr";
22445
22446
0
    case DECRYPT_ERROR :
22447
0
        return "error during decryption";
22448
22449
0
    case FATAL_ERROR :
22450
0
        return "received alert fatal error";
22451
22452
0
    case ENCRYPT_ERROR :
22453
0
        return "error during encryption";
22454
22455
0
    case FREAD_ERROR :
22456
0
        return "fread problem";
22457
22458
0
    case NO_PEER_KEY :
22459
0
        return "need peer's key";
22460
22461
0
    case NO_PRIVATE_KEY :
22462
0
        return "need the private key";
22463
22464
0
    case NO_DH_PARAMS :
22465
0
        return "server missing DH params";
22466
22467
0
    case RSA_PRIVATE_ERROR :
22468
0
        return "error during rsa priv op";
22469
22470
0
    case MATCH_SUITE_ERROR :
22471
0
        return "can't match cipher suite";
22472
22473
0
    case COMPRESSION_ERROR :
22474
0
        return "compression mismatch error";
22475
22476
0
    case BUILD_MSG_ERROR :
22477
0
        return "build message failure";
22478
22479
0
    case BAD_HELLO :
22480
0
        return "client hello malformed";
22481
22482
0
    case DOMAIN_NAME_MISMATCH :
22483
0
        return "peer subject name mismatch";
22484
22485
0
    case IPADDR_MISMATCH :
22486
0
        return "peer ip address mismatch";
22487
22488
0
    case WANT_READ :
22489
0
    case WOLFSSL_ERROR_WANT_READ :
22490
0
        return "non-blocking socket wants data to be read";
22491
22492
0
    case NOT_READY_ERROR :
22493
0
        return "handshake layer not ready yet, complete first";
22494
22495
0
    case VERSION_ERROR :
22496
0
        return "record layer version error";
22497
22498
0
    case WANT_WRITE :
22499
0
    case WOLFSSL_ERROR_WANT_WRITE :
22500
0
        return "non-blocking socket write buffer full";
22501
22502
0
    case BUFFER_ERROR :
22503
0
        return "malformed buffer input error";
22504
22505
0
    case VERIFY_CERT_ERROR :
22506
0
        return "verify problem on certificate";
22507
22508
0
    case VERIFY_SIGN_ERROR :
22509
0
        return "verify problem based on signature";
22510
22511
0
    case CLIENT_ID_ERROR :
22512
0
        return "psk client identity error";
22513
22514
0
    case SERVER_HINT_ERROR:
22515
0
        return "psk server hint error";
22516
22517
0
    case PSK_KEY_ERROR:
22518
0
        return "psk key callback error";
22519
22520
0
    case GETTIME_ERROR:
22521
0
        return "gettimeofday() error";
22522
22523
0
    case GETITIMER_ERROR:
22524
0
        return "getitimer() error";
22525
22526
0
    case SIGACT_ERROR:
22527
0
        return "sigaction() error";
22528
22529
0
    case SETITIMER_ERROR:
22530
0
        return "setitimer() error";
22531
22532
0
    case LENGTH_ERROR:
22533
0
        return "record layer length error";
22534
22535
0
    case PEER_KEY_ERROR:
22536
0
        return "cant decode peer key";
22537
22538
0
    case ZERO_RETURN:
22539
0
    case WOLFSSL_ERROR_ZERO_RETURN:
22540
0
        return "peer sent close notify alert";
22541
22542
0
    case ECC_CURVETYPE_ERROR:
22543
0
        return "Bad ECC Curve Type or unsupported";
22544
22545
0
    case ECC_CURVE_ERROR:
22546
0
        return "Bad ECC Curve or unsupported";
22547
22548
0
    case ECC_PEERKEY_ERROR:
22549
0
        return "Bad ECC Peer Key";
22550
22551
0
    case ECC_MAKEKEY_ERROR:
22552
0
        return "ECC Make Key failure";
22553
22554
0
    case ECC_EXPORT_ERROR:
22555
0
        return "ECC Export Key failure";
22556
22557
0
    case ECC_SHARED_ERROR:
22558
0
        return "ECC DHE shared failure";
22559
22560
0
    case NOT_CA_ERROR:
22561
0
        return "Not a CA by basic constraint error";
22562
22563
0
    case BAD_CERT_MANAGER_ERROR:
22564
0
        return "Bad Cert Manager error";
22565
22566
0
    case OCSP_CERT_REVOKED:
22567
0
        return "OCSP Cert revoked";
22568
22569
0
    case CRL_CERT_REVOKED:
22570
0
        return "CRL Cert revoked";
22571
22572
0
    case CRL_MISSING:
22573
0
        return "CRL missing, not loaded";
22574
22575
0
    case MONITOR_SETUP_E:
22576
0
        return "CRL monitor setup error";
22577
22578
0
    case THREAD_CREATE_E:
22579
0
        return "Thread creation problem";
22580
22581
0
    case OCSP_NEED_URL:
22582
0
        return "OCSP need URL";
22583
22584
0
    case OCSP_CERT_UNKNOWN:
22585
0
        return "OCSP Cert unknown";
22586
22587
0
    case OCSP_LOOKUP_FAIL:
22588
0
        return "OCSP Responder lookup fail";
22589
22590
0
    case MAX_CHAIN_ERROR:
22591
0
        return "Maximum Chain Depth Exceeded";
22592
22593
0
    case COOKIE_ERROR:
22594
0
        return "DTLS Cookie Error";
22595
22596
0
    case SEQUENCE_ERROR:
22597
0
        return "DTLS Sequence Error";
22598
22599
0
    case SUITES_ERROR:
22600
0
        return "Suites Pointer Error";
22601
22602
0
    case OUT_OF_ORDER_E:
22603
0
        return "Out of order message, fatal";
22604
22605
0
    case BAD_KEA_TYPE_E:
22606
0
        return "Bad KEA type found";
22607
22608
0
    case SANITY_CIPHER_E:
22609
0
        return "Sanity check on ciphertext failed";
22610
22611
0
    case RECV_OVERFLOW_E:
22612
0
        return "Receive callback returned more than requested";
22613
22614
0
    case GEN_COOKIE_E:
22615
0
        return "Generate Cookie Error";
22616
22617
0
    case NO_PEER_VERIFY:
22618
0
        return "Need peer certificate verify Error";
22619
22620
0
    case FWRITE_ERROR:
22621
0
        return "fwrite Error";
22622
22623
0
    case CACHE_MATCH_ERROR:
22624
0
        return "Cache restore header match Error";
22625
22626
0
    case UNKNOWN_SNI_HOST_NAME_E:
22627
0
        return "Unrecognized host name Error";
22628
22629
0
    case UNKNOWN_MAX_FRAG_LEN_E:
22630
0
        return "Unrecognized max frag len Error";
22631
22632
0
    case KEYUSE_SIGNATURE_E:
22633
0
        return "Key Use digitalSignature not set Error";
22634
22635
0
    case KEYUSE_ENCIPHER_E:
22636
0
        return "Key Use keyEncipherment not set Error";
22637
22638
0
    case EXTKEYUSE_AUTH_E:
22639
0
        return "Ext Key Use server/client auth not set Error";
22640
22641
0
    case SEND_OOB_READ_E:
22642
0
        return "Send Callback Out of Bounds Read Error";
22643
22644
0
    case SECURE_RENEGOTIATION_E:
22645
0
        return "Invalid Renegotiation Error";
22646
22647
0
    case SESSION_TICKET_LEN_E:
22648
0
        return "Session Ticket Too Long Error";
22649
22650
0
    case SESSION_TICKET_EXPECT_E:
22651
0
        return "Session Ticket Error";
22652
22653
0
    case SESSION_SECRET_CB_E:
22654
0
        return "Session Secret Callback Error";
22655
22656
0
    case NO_CHANGE_CIPHER_E:
22657
0
        return "Finished received from peer before Change Cipher Error";
22658
22659
0
    case SANITY_MSG_E:
22660
0
        return "Sanity Check on message order Error";
22661
22662
0
    case DUPLICATE_MSG_E:
22663
0
        return "Duplicate HandShake message Error";
22664
22665
0
    case SNI_UNSUPPORTED:
22666
0
        return "Protocol version does not support SNI Error";
22667
22668
0
    case SOCKET_PEER_CLOSED_E:
22669
0
        return "Peer closed underlying transport Error";
22670
22671
0
    case BAD_TICKET_KEY_CB_SZ:
22672
0
        return "Bad user session ticket key callback Size Error";
22673
22674
0
    case BAD_TICKET_MSG_SZ:
22675
0
        return "Bad session ticket message Size Error";
22676
22677
0
    case BAD_TICKET_ENCRYPT:
22678
0
        return "Bad user ticket callback encrypt Error";
22679
22680
0
    case DH_KEY_SIZE_E:
22681
0
        return "DH key too small Error";
22682
22683
0
    case SNI_ABSENT_ERROR:
22684
0
        return "No Server Name Indication extension Error";
22685
22686
0
    case RSA_SIGN_FAULT:
22687
0
        return "RSA Signature Fault Error";
22688
22689
0
    case HANDSHAKE_SIZE_ERROR:
22690
0
        return "Handshake message too large Error";
22691
22692
0
    case UNKNOWN_ALPN_PROTOCOL_NAME_E:
22693
0
        return "Unrecognized protocol name Error";
22694
22695
0
    case BAD_CERTIFICATE_STATUS_ERROR:
22696
0
        return "Bad Certificate Status Message Error";
22697
22698
0
    case OCSP_INVALID_STATUS:
22699
0
        return "Invalid OCSP Status Error";
22700
22701
0
    case OCSP_WANT_READ:
22702
0
        return "OCSP nonblock wants read";
22703
22704
0
    case RSA_KEY_SIZE_E:
22705
0
        return "RSA key too small";
22706
22707
0
    case ECC_KEY_SIZE_E:
22708
0
        return "ECC key too small";
22709
22710
0
    case DTLS_EXPORT_VER_E:
22711
0
        return "Version needs updated after code change or version mismatch";
22712
22713
0
    case INPUT_SIZE_E:
22714
0
        return "Input size too large Error";
22715
22716
0
    case CTX_INIT_MUTEX_E:
22717
0
        return "Initialize ctx mutex error";
22718
22719
0
    case EXT_MASTER_SECRET_NEEDED_E:
22720
0
        return "Extended Master Secret must be enabled to resume EMS session";
22721
22722
0
    case DTLS_POOL_SZ_E:
22723
0
        return "Maximum DTLS pool size exceeded";
22724
22725
0
    case DECODE_E:
22726
0
        return "Decode handshake message error";
22727
22728
0
    case WRITE_DUP_READ_E:
22729
0
        return "Write dup write side can't read error";
22730
22731
0
    case WRITE_DUP_WRITE_E:
22732
0
        return "Write dup read side can't write error";
22733
22734
0
    case INVALID_CERT_CTX_E:
22735
0
        return "Certificate context does not match request or not empty";
22736
22737
0
    case BAD_KEY_SHARE_DATA:
22738
0
        return "The Key Share data contains group that wasn't in Client Hello";
22739
22740
0
    case MISSING_HANDSHAKE_DATA:
22741
0
        return "The handshake message is missing required data";
22742
22743
0
    case BAD_BINDER: /* OpenSSL compatibility expects this exact text */
22744
0
        return "binder does not verify";
22745
22746
0
    case EXT_NOT_ALLOWED:
22747
0
        return "Extension type not allowed in handshake message type";
22748
22749
0
    case INVALID_PARAMETER:
22750
0
        return "The security parameter is invalid";
22751
22752
0
    case UNSUPPORTED_EXTENSION:
22753
0
        return "TLS Extension not requested by the client";
22754
22755
0
    case PRF_MISSING:
22756
0
        return "Pseudo-random function is not enabled";
22757
22758
0
    case KEY_SHARE_ERROR:
22759
0
        return "Key share extension did not contain a valid named group";
22760
22761
0
    case POST_HAND_AUTH_ERROR:
22762
0
        return "Client will not do post handshake authentication";
22763
22764
0
    case HRR_COOKIE_ERROR:
22765
0
        return "Cookie does not match one sent in HelloRetryRequest";
22766
22767
0
    case MCAST_HIGHWATER_CB_E:
22768
0
        return "Multicast highwater callback returned error";
22769
22770
0
    case ALERT_COUNT_E:
22771
0
        return "Alert Count exceeded error";
22772
22773
0
    case EXT_MISSING:
22774
0
        return "Required TLS extension missing";
22775
22776
0
    case DTLS_RETX_OVER_TX:
22777
0
        return "DTLS interrupting flight transmit with retransmit";
22778
22779
0
    case DH_PARAMS_NOT_FFDHE_E:
22780
0
        return "Server DH parameters were not from the FFDHE set as required";
22781
22782
0
    case TCA_INVALID_ID_TYPE:
22783
0
        return "TLS Extension Trusted CA ID type invalid";
22784
22785
0
    case TCA_ABSENT_ERROR:
22786
0
        return "TLS Extension Trusted CA ID response absent";
22787
22788
0
    case TSIP_MAC_DIGSZ_E:
22789
0
        return "TSIP MAC size invalid, must be sized for SHA-1 or SHA-256";
22790
22791
0
    case CLIENT_CERT_CB_ERROR:
22792
0
        return "Error importing client cert or key from callback";
22793
22794
0
    case SSL_SHUTDOWN_ALREADY_DONE_E:
22795
0
        return "Shutdown has already occurred";
22796
22797
0
    case TLS13_SECRET_CB_E:
22798
0
        return "TLS1.3 Secret Callback Error";
22799
22800
0
    case DTLS_SIZE_ERROR:
22801
0
        return "DTLS trying to send too much in single datagram error";
22802
22803
0
    case NO_CERT_ERROR:
22804
0
        return "TLS1.3 No Certificate Set Error";
22805
22806
0
    case APP_DATA_READY:
22807
0
        return "Application data is available for reading";
22808
22809
0
    case TOO_MUCH_EARLY_DATA:
22810
0
        return "Too much early data";
22811
22812
0
    case SOCKET_FILTERED_E:
22813
0
        return "Session stopped by network filter";
22814
22815
0
#ifdef HAVE_HTTP_CLIENT
22816
0
    case HTTP_TIMEOUT:
22817
0
        return "HTTP timeout for OCSP or CRL req";
22818
0
    case HTTP_RECV_ERR:
22819
0
        return "HTTP Receive error";
22820
0
    case HTTP_HEADER_ERR:
22821
0
        return "HTTP Header error";
22822
0
    case HTTP_PROTO_ERR:
22823
0
        return "HTTP Protocol error";
22824
0
    case HTTP_STATUS_ERR:
22825
0
        return "HTTP Status error";
22826
0
    case HTTP_VERSION_ERR:
22827
0
        return "HTTP Version error";
22828
0
    case HTTP_APPSTR_ERR:
22829
0
        return "HTTP Application string error";
22830
0
#endif
22831
0
#ifdef OPENSSL_EXTRA
22832
0
    case -X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
22833
0
        return "unable to get local issuer certificate";
22834
0
#endif
22835
0
    case UNSUPPORTED_PROTO_VERSION:
22836
0
        #ifdef OPENSSL_ALL
22837
0
        return "WRONG_SSL_VERSION";
22838
        #else
22839
        return "bad/unsupported protocol version";
22840
        #endif
22841
22842
0
    case FALCON_KEY_SIZE_E:
22843
0
        return "Wrong key size for Falcon.";
22844
0
    case DILITHIUM_KEY_SIZE_E:
22845
0
        return "Wrong key size for Dilithium.";
22846
22847
#ifdef WOLFSSL_QUIC
22848
    case QUIC_TP_MISSING_E:
22849
        return "QUIC transport parameter not set";
22850
#endif
22851
0
    case DTLS_CID_ERROR:
22852
0
        return "DTLS ConnectionID mismatch or missing";
22853
22854
0
    default :
22855
0
        return "unknown error number";
22856
0
    }
22857
22858
0
#endif /* NO_ERROR_STRINGS */
22859
0
}
22860
22861
const char* wolfSSL_ERR_func_error_string(unsigned long e)
22862
0
{
22863
0
    (void)e;
22864
0
    WOLFSSL_MSG("wolfSSL_ERR_func_error_string does not return the name of "
22865
0
                "the function that failed. Please inspect the wolfSSL debug "
22866
0
                "logs to determine where the error occurred.");
22867
0
    return "";
22868
0
}
22869
22870
/* return library name
22871
 * @param e error code
22872
 * @return text library name,
22873
 *    if there is no suitable library found, returns empty string
22874
 */
22875
const char* wolfSSL_ERR_lib_error_string(unsigned long e)
22876
0
{
22877
0
    int libe = 0;
22878
22879
0
    (void)libe;
22880
0
    (void)e;
22881
22882
0
#if defined(OPENSSL_EXTRA)
22883
0
    libe = wolfSSL_ERR_GET_LIB(e);
22884
0
    switch (libe) {
22885
0
    case ERR_LIB_PEM:
22886
0
        return "wolfSSL PEM routines";
22887
0
    case ERR_LIB_EVP:
22888
0
        return "wolfSSL digital envelope routines";
22889
0
    default:
22890
0
        return "";
22891
0
    }
22892
#else
22893
    return "";
22894
#endif
22895
0
}
22896
22897
void SetErrorString(int error, char* str)
22898
0
{
22899
0
    XSTRNCPY(str, wolfSSL_ERR_reason_error_string(error), WOLFSSL_MAX_ERROR_SZ);
22900
0
    str[WOLFSSL_MAX_ERROR_SZ-1] = 0;
22901
0
}
22902
22903
#ifdef NO_CIPHER_SUITE_ALIASES
22904
    #ifndef NO_ERROR_STRINGS
22905
        #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
22906
            #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
22907
            #define SUITE_ALIAS(x,z,w,v,u)
22908
        #else
22909
            #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
22910
            #define SUITE_ALIAS(x,z,w,v,u)
22911
        #endif
22912
    #else
22913
        #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
22914
            #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
22915
            #define SUITE_ALIAS(x,z,w,v,u)
22916
        #else
22917
            #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
22918
            #define SUITE_ALIAS(x,z,w,v,u)
22919
        #endif
22920
    #endif
22921
#else /* !NO_CIPHER_SUITE_ALIASES */
22922
22923
    /* note that the comma is included at the end of the SUITE_ALIAS() macro
22924
     * definitions, to allow aliases to be gated out by the above null macros
22925
     * in the NO_CIPHER_SUITE_ALIASES section.
22926
     */
22927
22928
    #ifndef NO_ERROR_STRINGS
22929
        #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \
22930
            defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX)
22931
            #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
22932
            #define SUITE_ALIAS(x,z,w,v,u) {(x),"",(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS},
22933
        #else
22934
            #define SUITE_INFO(x,y,z,w,v,u) {(x),(y),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
22935
            #define SUITE_ALIAS(x,z,w,v,u) {(x),"",(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS},
22936
        #endif
22937
    #else
22938
        #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) || \
22939
            defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_NGINX)
22940
            #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
22941
            #define SUITE_ALIAS(x,z,w,v,u) {(x),(z),(w),(v),(u),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS},
22942
        #else
22943
            #define SUITE_INFO(x,y,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NONE}
22944
            #define SUITE_ALIAS(x,z,w,v,u) {(x),(z),(w),WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS},
22945
        #endif
22946
    #endif
22947
#endif /* NO_CIPHER_SUITE_ALIASES */
22948
22949
static const CipherSuiteInfo cipher_names[] =
22950
{
22951
22952
#ifdef BUILD_TLS_AES_128_GCM_SHA256
22953
    SUITE_INFO("TLS13-AES128-GCM-SHA256","TLS_AES_128_GCM_SHA256",TLS13_BYTE,TLS_AES_128_GCM_SHA256, TLSv1_3_MINOR, SSLv3_MAJOR),
22954
#endif
22955
22956
#ifdef BUILD_TLS_AES_256_GCM_SHA384
22957
    SUITE_INFO("TLS13-AES256-GCM-SHA384","TLS_AES_256_GCM_SHA384",TLS13_BYTE,TLS_AES_256_GCM_SHA384, TLSv1_3_MINOR, SSLv3_MAJOR),
22958
#endif
22959
22960
#ifdef BUILD_TLS_CHACHA20_POLY1305_SHA256
22961
    SUITE_INFO("TLS13-CHACHA20-POLY1305-SHA256","TLS_CHACHA20_POLY1305_SHA256",TLS13_BYTE,TLS_CHACHA20_POLY1305_SHA256, TLSv1_3_MINOR, SSLv3_MAJOR),
22962
#endif
22963
22964
#ifdef BUILD_TLS_AES_128_CCM_SHA256
22965
    SUITE_INFO("TLS13-AES128-CCM-SHA256","TLS_AES_128_CCM_SHA256",TLS13_BYTE,TLS_AES_128_CCM_SHA256, TLSv1_3_MINOR, SSLv3_MAJOR),
22966
#endif
22967
22968
#ifdef BUILD_TLS_AES_128_CCM_8_SHA256
22969
    SUITE_INFO("TLS13-AES128-CCM-8-SHA256","TLS_AES_128_CCM_8_SHA256",TLS13_BYTE,TLS_AES_128_CCM_8_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR),
22970
    SUITE_ALIAS("TLS13-AES128-CCM8-SHA256",TLS13_BYTE,TLS_AES_128_CCM_8_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR)
22971
#endif
22972
22973
#ifdef BUILD_TLS_SHA256_SHA256
22974
    SUITE_INFO("TLS13-SHA256-SHA256","TLS_SHA256_SHA256",ECC_BYTE,TLS_SHA256_SHA256,TLSv1_3_MINOR, SSLv3_MAJOR),
22975
#endif
22976
22977
#ifdef BUILD_TLS_SHA384_SHA384
22978
    SUITE_INFO("TLS13-SHA384-SHA384","TLS_SHA384_SHA384",ECC_BYTE,TLS_SHA384_SHA384,TLSv1_3_MINOR, SSLv3_MAJOR),
22979
#endif
22980
22981
#ifndef WOLFSSL_NO_TLS12
22982
22983
#ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA
22984
    SUITE_INFO("RC4-SHA","SSL_RSA_WITH_RC4_128_SHA",CIPHER_BYTE,SSL_RSA_WITH_RC4_128_SHA,SSLv3_MINOR,SSLv3_MAJOR),
22985
#endif
22986
22987
#ifdef BUILD_SSL_RSA_WITH_RC4_128_MD5
22988
    SUITE_INFO("RC4-MD5","SSL_RSA_WITH_RC4_128_MD5",CIPHER_BYTE,SSL_RSA_WITH_RC4_128_MD5,SSLv3_MINOR,SSLv3_MAJOR),
22989
#endif
22990
22991
#ifdef BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
22992
    SUITE_INFO("DES-CBC3-SHA","SSL_RSA_WITH_3DES_EDE_CBC_SHA",CIPHER_BYTE,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
22993
#endif
22994
22995
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
22996
    SUITE_INFO("AES128-SHA","TLS_RSA_WITH_AES_128_CBC_SHA",CIPHER_BYTE,TLS_RSA_WITH_AES_128_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
22997
#endif
22998
22999
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
23000
    SUITE_INFO("AES256-SHA","TLS_RSA_WITH_AES_256_CBC_SHA",CIPHER_BYTE,TLS_RSA_WITH_AES_256_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
23001
#endif
23002
23003
#ifdef BUILD_TLS_RSA_WITH_NULL_MD5
23004
    SUITE_INFO("NULL-MD5","TLS_RSA_WITH_NULL_MD5",CIPHER_BYTE,TLS_RSA_WITH_NULL_MD5,SSLv3_MINOR,SSLv3_MAJOR),
23005
#endif
23006
23007
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA
23008
    SUITE_INFO("NULL-SHA","TLS_RSA_WITH_NULL_SHA",CIPHER_BYTE,TLS_RSA_WITH_NULL_SHA,SSLv3_MINOR,SSLv3_MAJOR),
23009
#endif
23010
23011
#ifdef BUILD_TLS_RSA_WITH_NULL_SHA256
23012
    SUITE_INFO("NULL-SHA256","TLS_RSA_WITH_NULL_SHA256",CIPHER_BYTE,TLS_RSA_WITH_NULL_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
23013
#endif
23014
23015
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA
23016
    SUITE_INFO("DHE-RSA-AES128-SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
23017
#endif
23018
23019
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
23020
    SUITE_INFO("DHE-RSA-AES256-SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,SSLv3_MINOR,SSLv3_MAJOR),
23021
#endif
23022
23023
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
23024
    SUITE_INFO("DHE-PSK-AES256-GCM-SHA384","TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_DHE_PSK_WITH_AES_256_GCM_SHA384,TLSv1_2_MINOR,SSLv3_MAJOR),
23025
#endif
23026
23027
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
23028
    SUITE_INFO("DHE-PSK-AES128-GCM-SHA256","TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",CIPHER_BYTE,TLS_DHE_PSK_WITH_AES_128_GCM_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
23029
#endif
23030
23031
#ifdef BUILD_TLS_PSK_WITH_AES_256_GCM_SHA384
23032
    SUITE_INFO("PSK-AES256-GCM-SHA384","TLS_PSK_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_PSK_WITH_AES_256_GCM_SHA384,TLSv1_2_MINOR,SSLv3_MAJOR),
23033
#endif
23034
23035
#ifdef BUILD_TLS_PSK_WITH_AES_128_GCM_SHA256
23036
    SUITE_INFO("PSK-AES128-GCM-SHA256","TLS_PSK_WITH_AES_128_GCM_SHA256",CIPHER_BYTE,TLS_PSK_WITH_AES_128_GCM_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
23037
#endif
23038
23039
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
23040
    SUITE_INFO("DHE-PSK-AES256-CBC-SHA384","TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",CIPHER_BYTE,TLS_DHE_PSK_WITH_AES_256_CBC_SHA384,TLSv1_MINOR,SSLv3_MAJOR),
23041
#endif
23042
23043
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
23044
    SUITE_INFO("DHE-PSK-AES128-CBC-SHA256","TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",CIPHER_BYTE,TLS_DHE_PSK_WITH_AES_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23045
#endif
23046
23047
#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA384
23048
    SUITE_INFO("PSK-AES256-CBC-SHA384","TLS_PSK_WITH_AES_256_CBC_SHA384",CIPHER_BYTE,TLS_PSK_WITH_AES_256_CBC_SHA384,TLSv1_MINOR,SSLv3_MAJOR),
23049
#endif
23050
23051
#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA256
23052
    SUITE_INFO("PSK-AES128-CBC-SHA256","TLS_PSK_WITH_AES_128_CBC_SHA256",CIPHER_BYTE,TLS_PSK_WITH_AES_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23053
#endif
23054
23055
#ifdef BUILD_TLS_PSK_WITH_AES_128_CBC_SHA
23056
    SUITE_INFO("PSK-AES128-CBC-SHA","TLS_PSK_WITH_AES_128_CBC_SHA",CIPHER_BYTE,TLS_PSK_WITH_AES_128_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
23057
#endif
23058
23059
#ifdef BUILD_TLS_PSK_WITH_AES_256_CBC_SHA
23060
    SUITE_INFO("PSK-AES256-CBC-SHA","TLS_PSK_WITH_AES_256_CBC_SHA",CIPHER_BYTE,TLS_PSK_WITH_AES_256_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23061
#endif
23062
23063
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_128_CCM
23064
    SUITE_INFO("DHE-PSK-AES128-CCM","TLS_DHE_PSK_WITH_AES_128_CCM",ECC_BYTE,TLS_DHE_PSK_WITH_AES_128_CCM,TLSv1_MINOR,SSLv3_MAJOR),
23065
#endif
23066
23067
#ifdef BUILD_TLS_DHE_PSK_WITH_AES_256_CCM
23068
    SUITE_INFO("DHE-PSK-AES256-CCM","TLS_DHE_PSK_WITH_AES_256_CCM",ECC_BYTE,TLS_DHE_PSK_WITH_AES_256_CCM,TLSv1_MINOR,SSLv3_MAJOR),
23069
#endif
23070
23071
#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM
23072
    SUITE_INFO("PSK-AES128-CCM","TLS_PSK_WITH_AES_128_CCM",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM,TLSv1_MINOR,SSLv3_MAJOR),
23073
#endif
23074
23075
#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM
23076
    SUITE_INFO("PSK-AES256-CCM","TLS_PSK_WITH_AES_256_CCM",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM,TLSv1_MINOR,SSLv3_MAJOR),
23077
#endif
23078
23079
#ifdef BUILD_TLS_PSK_WITH_AES_128_CCM_8
23080
    SUITE_INFO("PSK-AES128-CCM-8","TLS_PSK_WITH_AES_128_CCM_8",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM_8,TLSv1_MINOR,SSLv3_MAJOR),
23081
    SUITE_ALIAS("PSK-AES128-CCM8",ECC_BYTE,TLS_PSK_WITH_AES_128_CCM_8,TLSv1_MINOR,SSLv3_MAJOR)
23082
#endif
23083
23084
#ifdef BUILD_TLS_PSK_WITH_AES_256_CCM_8
23085
    SUITE_INFO("PSK-AES256-CCM-8","TLS_PSK_WITH_AES_256_CCM_8",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM_8,TLSv1_MINOR,SSLv3_MAJOR),
23086
    SUITE_ALIAS("PSK-AES256-CCM8",ECC_BYTE,TLS_PSK_WITH_AES_256_CCM_8,TLSv1_MINOR,SSLv3_MAJOR)
23087
#endif
23088
23089
#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA384
23090
    SUITE_INFO("DHE-PSK-NULL-SHA384","TLS_DHE_PSK_WITH_NULL_SHA384",CIPHER_BYTE,TLS_DHE_PSK_WITH_NULL_SHA384,TLSv1_MINOR,SSLv3_MAJOR),
23091
#endif
23092
23093
#ifdef BUILD_TLS_DHE_PSK_WITH_NULL_SHA256
23094
    SUITE_INFO("DHE-PSK-NULL-SHA256","TLS_DHE_PSK_WITH_NULL_SHA256",CIPHER_BYTE,TLS_DHE_PSK_WITH_NULL_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23095
#endif
23096
23097
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA384
23098
    SUITE_INFO("PSK-NULL-SHA384","TLS_PSK_WITH_NULL_SHA384",CIPHER_BYTE,TLS_PSK_WITH_NULL_SHA384,TLSv1_MINOR,SSLv3_MAJOR),
23099
#endif
23100
23101
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA256
23102
    SUITE_INFO("PSK-NULL-SHA256","TLS_PSK_WITH_NULL_SHA256",CIPHER_BYTE,TLS_PSK_WITH_NULL_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23103
#endif
23104
23105
#ifdef BUILD_TLS_PSK_WITH_NULL_SHA
23106
    SUITE_INFO("PSK-NULL-SHA","TLS_PSK_WITH_NULL_SHA",CIPHER_BYTE,TLS_PSK_WITH_NULL_SHA,TLSv1_MINOR,SSLv3_MAJOR),
23107
#endif
23108
23109
#ifdef BUILD_TLS_RSA_WITH_AES_128_CCM_8
23110
    SUITE_INFO("AES128-CCM-8","TLS_RSA_WITH_AES_128_CCM_8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR),
23111
    SUITE_ALIAS("AES128-CCM8",ECC_BYTE,TLS_RSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR)
23112
#endif
23113
23114
#ifdef BUILD_TLS_RSA_WITH_AES_256_CCM_8
23115
    SUITE_INFO("AES256-CCM-8","TLS_RSA_WITH_AES_256_CCM_8",ECC_BYTE,TLS_RSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR),
23116
    SUITE_ALIAS("AES256-CCM8",ECC_BYTE,TLS_RSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR)
23117
#endif
23118
23119
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM
23120
    SUITE_INFO("ECDHE-ECDSA-AES128-CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CCM",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM, TLSv1_2_MINOR, SSLv3_MAJOR),
23121
#endif
23122
23123
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
23124
    SUITE_INFO("ECDHE-ECDSA-AES128-CCM-8","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR),
23125
    SUITE_ALIAS("ECDHE-ECDSA-AES128-CCM8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR)
23126
#endif
23127
23128
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
23129
    SUITE_INFO("ECDHE-ECDSA-AES256-CCM-8","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR),
23130
    SUITE_ALIAS("ECDHE-ECDSA-AES256-CCM8",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, TLSv1_2_MINOR, SSLv3_MAJOR)
23131
#endif
23132
23133
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
23134
    SUITE_INFO("ECDHE-RSA-AES128-SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
23135
#endif
23136
23137
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
23138
    SUITE_INFO("ECDHE-RSA-AES256-SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
23139
#endif
23140
23141
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
23142
    SUITE_INFO("ECDHE-ECDSA-AES128-SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23143
#endif
23144
23145
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
23146
    SUITE_INFO("ECDHE-ECDSA-AES256-SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23147
#endif
23148
23149
#ifdef BUILD_TLS_ECDHE_RSA_WITH_RC4_128_SHA
23150
    SUITE_INFO("ECDHE-RSA-RC4-SHA","TLS_ECDHE_RSA_WITH_RC4_128_SHA",ECC_BYTE,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23151
#endif
23152
23153
#ifdef BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
23154
    SUITE_INFO("ECDHE-RSA-DES-CBC3-SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",ECC_BYTE,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23155
#endif
23156
23157
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
23158
    SUITE_INFO("ECDHE-ECDSA-RC4-SHA","TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23159
#endif
23160
23161
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
23162
    SUITE_INFO("ECDHE-ECDSA-DES-CBC3-SHA","TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23163
#endif
23164
23165
#ifdef BUILD_TLS_RSA_WITH_AES_128_CBC_SHA256
23166
    SUITE_INFO("AES128-SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256",CIPHER_BYTE,TLS_RSA_WITH_AES_128_CBC_SHA256, TLSv1_MINOR, SSLv3_MAJOR),
23167
#endif
23168
23169
#ifdef BUILD_TLS_RSA_WITH_AES_256_CBC_SHA256
23170
    SUITE_INFO("AES256-SHA256","TLS_RSA_WITH_AES_256_CBC_SHA256",CIPHER_BYTE,TLS_RSA_WITH_AES_256_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23171
#endif
23172
23173
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
23174
    SUITE_INFO("DHE-RSA-AES128-SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23175
#endif
23176
23177
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
23178
    SUITE_INFO("DHE-RSA-AES256-SHA256","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23179
#endif
23180
23181
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
23182
    SUITE_INFO("ECDH-RSA-AES128-SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23183
#endif
23184
23185
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
23186
    SUITE_INFO("ECDH-RSA-AES256-SHA","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23187
#endif
23188
23189
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
23190
    SUITE_INFO("ECDH-ECDSA-AES128-SHA","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23191
#endif
23192
23193
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
23194
    SUITE_INFO("ECDH-ECDSA-AES256-SHA","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23195
#endif
23196
23197
#ifdef BUILD_TLS_ECDH_RSA_WITH_RC4_128_SHA
23198
    SUITE_INFO("ECDH-RSA-RC4-SHA","TLS_ECDH_RSA_WITH_RC4_128_SHA",ECC_BYTE,TLS_ECDH_RSA_WITH_RC4_128_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23199
#endif
23200
23201
#ifdef BUILD_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
23202
    SUITE_INFO("ECDH-RSA-DES-CBC3-SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",ECC_BYTE,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23203
#endif
23204
23205
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
23206
    SUITE_INFO("ECDH-ECDSA-RC4-SHA","TLS_ECDH_ECDSA_WITH_RC4_128_SHA",ECC_BYTE,TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23207
#endif
23208
23209
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
23210
    SUITE_INFO("ECDH-ECDSA-DES-CBC3-SHA","TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",ECC_BYTE,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23211
#endif
23212
23213
#ifdef BUILD_TLS_RSA_WITH_AES_128_GCM_SHA256
23214
    SUITE_INFO("AES128-GCM-SHA256","TLS_RSA_WITH_AES_128_GCM_SHA256",CIPHER_BYTE,TLS_RSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23215
#endif
23216
23217
#ifdef BUILD_TLS_RSA_WITH_AES_256_GCM_SHA384
23218
    SUITE_INFO("AES256-GCM-SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_RSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23219
#endif
23220
23221
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
23222
    SUITE_INFO("DHE-RSA-AES128-GCM-SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23223
#endif
23224
23225
#ifdef BUILD_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
23226
    SUITE_INFO("DHE-RSA-AES256-GCM-SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23227
#endif
23228
23229
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
23230
    SUITE_INFO("ECDHE-RSA-AES128-GCM-SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23231
#endif
23232
23233
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
23234
    SUITE_INFO("ECDHE-RSA-AES256-GCM-SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23235
#endif
23236
23237
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
23238
    SUITE_INFO("ECDHE-ECDSA-AES128-GCM-SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23239
#endif
23240
23241
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
23242
    SUITE_INFO("ECDHE-ECDSA-AES256-GCM-SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23243
#endif
23244
23245
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
23246
    SUITE_INFO("ECDH-RSA-AES128-GCM-SHA256","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23247
#endif
23248
23249
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
23250
    SUITE_INFO("ECDH-RSA-AES256-GCM-SHA384","TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23251
#endif
23252
23253
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
23254
    SUITE_INFO("ECDH-ECDSA-AES128-GCM-SHA256","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23255
#endif
23256
23257
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
23258
    SUITE_INFO("ECDH-ECDSA-AES256-GCM-SHA384","TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23259
#endif
23260
23261
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
23262
    SUITE_INFO("CAMELLIA128-SHA","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",CIPHER_BYTE,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
23263
#endif
23264
23265
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
23266
    SUITE_INFO("DHE-RSA-CAMELLIA128-SHA","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
23267
#endif
23268
23269
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
23270
    SUITE_INFO("CAMELLIA256-SHA","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",CIPHER_BYTE,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
23271
#endif
23272
23273
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
23274
    SUITE_INFO("DHE-RSA-CAMELLIA256-SHA","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLSv1_MINOR,SSLv3_MAJOR),
23275
#endif
23276
23277
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
23278
    SUITE_INFO("CAMELLIA128-SHA256","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",CIPHER_BYTE,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23279
#endif
23280
23281
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
23282
    SUITE_INFO("DHE-RSA-CAMELLIA128-SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23283
#endif
23284
23285
#ifdef BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
23286
    SUITE_INFO("CAMELLIA256-SHA256","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",CIPHER_BYTE,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23287
#endif
23288
23289
#ifdef BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
23290
    SUITE_INFO("DHE-RSA-CAMELLIA256-SHA256","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",CIPHER_BYTE,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23291
#endif
23292
23293
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
23294
    SUITE_INFO("ECDHE-RSA-AES128-SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23295
#endif
23296
23297
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
23298
    SUITE_INFO("ECDHE-ECDSA-AES128-SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23299
#endif
23300
23301
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
23302
    SUITE_INFO("ECDH-RSA-AES128-SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23303
#endif
23304
23305
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
23306
    SUITE_INFO("ECDH-ECDSA-AES128-SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23307
#endif
23308
23309
#ifdef BUILD_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
23310
    SUITE_INFO("ECDHE-RSA-AES256-SHA384","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",ECC_BYTE,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23311
#endif
23312
23313
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
23314
    SUITE_INFO("ECDHE-ECDSA-AES256-SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23315
#endif
23316
23317
#ifdef BUILD_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
23318
    SUITE_INFO("ECDH-RSA-AES256-SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",ECC_BYTE,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23319
#endif
23320
23321
#ifdef BUILD_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
23322
    SUITE_INFO("ECDH-ECDSA-AES256-SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",ECC_BYTE,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23323
#endif
23324
23325
#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
23326
    SUITE_INFO("ECDHE-RSA-CHACHA20-POLY1305","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23327
#endif
23328
23329
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
23330
    SUITE_INFO("ECDHE-ECDSA-CHACHA20-POLY1305","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23331
#endif
23332
23333
#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
23334
    SUITE_INFO("DHE-RSA-CHACHA20-POLY1305","TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23335
#endif
23336
23337
#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
23338
    SUITE_INFO("ECDHE-RSA-CHACHA20-POLY1305-OLD","TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23339
#endif
23340
23341
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256
23342
    SUITE_INFO("ECDHE-ECDSA-CHACHA20-POLY1305-OLD","TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_ECDSA_WITH_CHACHA20_OLD_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23343
#endif
23344
23345
#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
23346
    SUITE_INFO("DHE-RSA-CHACHA20-POLY1305-OLD","TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256",CHACHA_BYTE,TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256, TLSv1_2_MINOR, SSLv3_MAJOR),
23347
#endif
23348
23349
#ifdef BUILD_TLS_DH_anon_WITH_AES_128_CBC_SHA
23350
    SUITE_INFO("ADH-AES128-SHA","TLS_DH_anon_WITH_AES_128_CBC_SHA",CIPHER_BYTE,TLS_DH_anon_WITH_AES_128_CBC_SHA, TLSv1_2_MINOR, SSLv3_MAJOR),
23351
#endif
23352
23353
#ifdef BUILD_TLS_DH_anon_WITH_AES_256_GCM_SHA384
23354
    SUITE_INFO("ADH-AES256-GCM-SHA384","TLS_DH_anon_WITH_AES_256_GCM_SHA384",CIPHER_BYTE,TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLSv1_2_MINOR, SSLv3_MAJOR),
23355
#endif
23356
23357
#ifdef HAVE_RENEGOTIATION_INDICATION
23358
    SUITE_INFO("RENEGOTIATION-INFO","TLS_EMPTY_RENEGOTIATION_INFO_SCSV",CIPHER_BYTE,TLS_EMPTY_RENEGOTIATION_INFO_SCSV,SSLv3_MINOR,SSLv3_MAJOR),
23359
#endif
23360
23361
#ifdef BUILD_TLS_ECDHE_ECDSA_WITH_NULL_SHA
23362
    SUITE_INFO("ECDHE-ECDSA-NULL-SHA","TLS_ECDHE_ECDSA_WITH_NULL_SHA",ECC_BYTE,TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23363
#endif
23364
23365
#ifdef BUILD_TLS_ECDHE_PSK_WITH_NULL_SHA256
23366
    SUITE_INFO("ECDHE-PSK-NULL-SHA256","TLS_ECDHE_PSK_WITH_NULL_SHA256",ECC_BYTE,TLS_ECDHE_PSK_WITH_NULL_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23367
#endif
23368
23369
#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
23370
    SUITE_INFO("ECDHE-PSK-AES128-CBC-SHA256","TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",ECC_BYTE,TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23371
#endif
23372
23373
#ifdef BUILD_TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
23374
    SUITE_INFO("ECDHE-PSK-AES128-GCM-SHA256","TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256",ECDHE_PSK_BYTE,TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256,TLSv1_MINOR,SSLv3_MAJOR),
23375
#endif
23376
23377
#ifdef BUILD_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256
23378
    SUITE_INFO("PSK-CHACHA20-POLY1305","TLS_PSK_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_PSK_WITH_CHACHA20_POLY1305_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
23379
#endif
23380
23381
#ifdef BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
23382
    SUITE_INFO("ECDHE-PSK-CHACHA20-POLY1305","TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
23383
#endif
23384
23385
#ifdef BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
23386
    SUITE_INFO("DHE-PSK-CHACHA20-POLY1305","TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256",CHACHA_BYTE,TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256,TLSv1_2_MINOR,SSLv3_MAJOR),
23387
#endif
23388
23389
#ifdef BUILD_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
23390
    SUITE_INFO("EDH-RSA-DES-CBC3-SHA","TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",CIPHER_BYTE,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLSv1_MINOR, SSLv3_MAJOR),
23391
#endif
23392
23393
#ifdef BUILD_WDM_WITH_NULL_SHA256
23394
    SUITE_INFO("WDM-NULL-SHA256","WDM_WITH_NULL_SHA256",CIPHER_BYTE,WDM_WITH_NULL_SHA256, TLSv1_3_MINOR, SSLv3_MAJOR)
23395
#endif
23396
23397
#endif /* WOLFSSL_NO_TLS12 */
23398
};
23399
23400
23401
/* returns the cipher_names array */
23402
const CipherSuiteInfo* GetCipherNames(void)
23403
0
{
23404
0
    return cipher_names;
23405
0
}
23406
23407
23408
/* returns the number of elements in the cipher_names array */
23409
int GetCipherNamesSize(void)
23410
0
{
23411
0
    return (int)(sizeof(cipher_names) / sizeof(CipherSuiteInfo));
23412
0
}
23413
23414
23415
const char* GetCipherNameInternal(const byte cipherSuite0, const byte cipherSuite)
23416
0
{
23417
0
    int i;
23418
0
    const char* nameInternal = "None";
23419
23420
0
    for (i = 0; i < GetCipherNamesSize(); i++) {
23421
0
        if ((cipher_names[i].cipherSuite0 == cipherSuite0) &&
23422
0
            (cipher_names[i].cipherSuite  == cipherSuite)
23423
0
#ifndef NO_CIPHER_SUITE_ALIASES
23424
0
            && (! (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS))
23425
0
#endif
23426
0
            ) {
23427
0
            nameInternal = cipher_names[i].name;
23428
0
            break;
23429
0
        }
23430
0
    }
23431
0
    return nameInternal;
23432
0
}
23433
23434
#if defined(WOLFSSL_QT) || defined(OPENSSL_ALL)
23435
/* Segment cipher name into n[n0,n1,n2,n4]
23436
 * @param cipher a pointer to WOLFSSL_CIPHER
23437
 * @param n return segment cipher name
23438
 * return cipher name if cipher is in the list,
23439
 *        otherwise NULL
23440
 */
23441
const char* GetCipherSegment(const WOLFSSL_CIPHER* cipher, char n[][MAX_SEGMENT_SZ])
23442
0
{
23443
0
    int i,j,k;
23444
0
    int strLen;
23445
0
    unsigned long offset;
23446
0
    const char* name;
23447
23448
    /* sanity check */
23449
0
    if (cipher == NULL || n == NULL)
23450
0
        return NULL;
23451
23452
0
    offset = cipher->offset;
23453
23454
0
    if (offset >= (unsigned long)GetCipherNamesSize())
23455
0
        return NULL;
23456
23457
0
    name = cipher_names[offset].name;
23458
23459
0
    if (name == NULL)
23460
0
        return NULL;
23461
23462
    /* Segment cipher name into n[n0,n1,n2,n4]
23463
     * These are used later for comparisons to create:
23464
     * keaStr, authStr, encStr, macStr
23465
     *
23466
     * If cipher_name = ECDHE-ECDSA-AES256-SHA
23467
     * then n0 = "ECDHE", n1 = "ECDSA", n2 = "AES256", n3 = "SHA"
23468
     * and n = [n0,n1,n2,n3,0]
23469
     */
23470
0
    strLen = (int)XSTRLEN(name);
23471
23472
0
    for (i = 0, j = 0, k = 0; i <= strLen; i++) {
23473
0
        if (k >= MAX_SEGMENTS || j >= MAX_SEGMENT_SZ)
23474
0
            break;
23475
23476
0
        if (name[i] != '-' && name[i] != '\0') {
23477
0
            n[k][j] = name[i]; /* Fill kth segment string until '-' */
23478
0
            j++;
23479
0
        }
23480
0
        else {
23481
0
            n[k][j] = '\0';
23482
0
            j = 0;
23483
0
            k++;
23484
0
        }
23485
0
    }
23486
23487
0
    return name;
23488
0
}
23489
23490
/* gcc-12 and later, building with ASAN at -O2 and higher, generate spurious
23491
 * stringop-overread warnings on some (but not all...) reads of n[1] in
23492
 * GetCipherKeaStr().
23493
 */
23494
#if defined(__GNUC__) && __GNUC__ > 11 && defined(__SANITIZE_ADDRESS__)
23495
PRAGMA_GCC_DIAG_PUSH
23496
PRAGMA_GCC("GCC diagnostic ignored \"-Wstringop-overread\"")
23497
#endif
23498
23499
0
const char* GetCipherKeaStr(char n[][MAX_SEGMENT_SZ]) {
23500
0
    const char* keaStr = NULL;
23501
23502
0
    if (XSTRCMP(n[0],"ECDHE") == 0 && XSTRCMP(n[1],"PSK") == 0)
23503
0
        keaStr = "ECDHEPSK";
23504
0
    else if ((XSTRCMP(n[0],"ECDH") == 0) || (XSTRCMP(n[0],"ECDHE") == 0))
23505
0
        keaStr = "ECDH";
23506
0
    else if (XSTRCMP(n[0],"DHE") == 0 && XSTRCMP(n[1],"PSK") == 0)
23507
0
        keaStr = "DHEPSK";
23508
0
    else if (XSTRCMP(n[0],"DHE") == 0)
23509
0
        keaStr = "DH";
23510
0
    else if (XSTRCMP(n[0],"RSA") == 0 && XSTRCMP(n[1],"PSK") == 0)
23511
0
        keaStr = "RSAPSK";
23512
0
    else if (XSTRCMP(n[0],"SRP") == 0)
23513
0
        keaStr = "SRP";
23514
0
    else if (XSTRCMP(n[0],"PSK") == 0)
23515
0
        keaStr = "PSK";
23516
0
    else if (XSTRCMP(n[0],"EDH") == 0)
23517
0
        keaStr = "EDH";
23518
0
    else if ((XSTRCMP(n[1],"SHA") == 0) || (XSTRCMP(n[2],"SHA") == 0) ||
23519
0
             (XSTRCMP(n[3],"SHA") == 0) || (XSTRCMP(n[4],"SHA") == 0) ||
23520
0
             (XSTRCMP(n[2],"RSA") == 0) || (XSTRCMP(n[0],"AES128") == 0) ||
23521
0
             (XSTRCMP(n[0],"AES256") == 0) || (XSTRCMP(n[1],"MD5") == 0))
23522
0
        keaStr = "RSA";
23523
0
    else
23524
0
        keaStr = "unknown";
23525
23526
0
    return keaStr;
23527
0
}
23528
23529
#if defined(__GNUC__) && __GNUC__ > 11 && defined(__SANITIZE_ADDRESS__)
23530
PRAGMA_GCC_DIAG_POP
23531
#endif
23532
23533
0
const char* GetCipherAuthStr(char n[][MAX_SEGMENT_SZ]) {
23534
23535
0
    const char* authStr = NULL;
23536
23537
0
    if ((XSTRCMP(n[0],"AES128") == 0) || (XSTRCMP(n[0],"AES256") == 0)  ||
23538
0
        ((XSTRCMP(n[0],"TLS13") == 0) && ((XSTRCMP(n[1],"AES128") == 0) ||
23539
0
         (XSTRCMP(n[1],"AES256") == 0) || (XSTRCMP(n[1],"CHACHA20") == 0))) ||
23540
0
        (XSTRCMP(n[0],"RSA") == 0) || (XSTRCMP(n[1],"RSA") == 0) ||
23541
0
        (XSTRCMP(n[1],"SHA") == 0) || (XSTRCMP(n[2],"SHA") == 0) ||
23542
0
        (XSTRCMP(n[1],"MD5") == 0))
23543
0
        authStr = "RSA";
23544
0
    else if (XSTRCMP(n[0],"PSK") == 0 || XSTRCMP(n[1],"PSK") == 0)
23545
0
        authStr = "PSK";
23546
0
    else if (XSTRCMP(n[0],"SRP") == 0 && XSTRCMP(n[1],"AES") == 0)
23547
0
        authStr = "SRP";
23548
0
    else if (XSTRCMP(n[1],"ECDSA") == 0)
23549
0
        authStr = "ECDSA";
23550
0
    else if (XSTRCMP(n[0],"ADH") == 0)
23551
0
        authStr = "None";
23552
0
    else
23553
0
        authStr = "unknown";
23554
23555
0
    return authStr;
23556
0
}
23557
23558
0
const char* GetCipherEncStr(char n[][MAX_SEGMENT_SZ]) {
23559
0
    const char* encStr = NULL;
23560
23561
0
    if ((XSTRCMP(n[0],"AES256") == 0 && XSTRCMP(n[1],"GCM") == 0) ||
23562
0
        (XSTRCMP(n[1],"AES256") == 0 && XSTRCMP(n[2],"GCM") == 0) ||
23563
0
        (XSTRCMP(n[2],"AES256") == 0 && XSTRCMP(n[3],"GCM") == 0))
23564
0
        encStr = "AESGCM(256)";
23565
23566
0
    else if ((XSTRCMP(n[0],"AES128") == 0 && XSTRCMP(n[1],"GCM") == 0) ||
23567
0
             (XSTRCMP(n[1],"AES128") == 0 && XSTRCMP(n[2],"GCM") == 0) ||
23568
0
             (XSTRCMP(n[2],"AES128") == 0 && XSTRCMP(n[3],"GCM") == 0))
23569
0
        encStr = "AESGCM(128)";
23570
23571
0
    else if ((XSTRCMP(n[0],"AES128") == 0 && XSTRCMP(n[1],"CCM") == 0) ||
23572
0
             (XSTRCMP(n[1],"AES128") == 0 && XSTRCMP(n[2],"CCM") == 0) ||
23573
0
             (XSTRCMP(n[2],"AES128") == 0 && XSTRCMP(n[3],"CCM") == 0))
23574
0
        encStr = "AESCCM(128)";
23575
23576
0
    else if ((XSTRCMP(n[0],"AES128") == 0) ||
23577
0
             (XSTRCMP(n[1],"AES128") == 0) ||
23578
0
             (XSTRCMP(n[2],"AES128") == 0) ||
23579
0
             (XSTRCMP(n[1],"AES") == 0 && XSTRCMP(n[2],"128") == 0) ||
23580
0
             (XSTRCMP(n[2],"AES") == 0 && XSTRCMP(n[3],"128") == 0))
23581
0
        encStr = "AES(128)";
23582
23583
0
    else if ((XSTRCMP(n[0],"AES256") == 0) ||
23584
0
             (XSTRCMP(n[1],"AES256") == 0) ||
23585
0
             (XSTRCMP(n[2],"AES256") == 0) ||
23586
0
             (XSTRCMP(n[1],"AES") == 0 && XSTRCMP(n[2],"256") == 0) ||
23587
0
             (XSTRCMP(n[2],"AES") == 0 && XSTRCMP(n[3],"256") == 0))
23588
0
        encStr = "AES(256)";
23589
23590
0
    else if ((XSTRCMP(n[0],"CAMELLIA256") == 0) ||
23591
0
             (XSTRCMP(n[2],"CAMELLIA256") == 0))
23592
0
        encStr = "CAMELLIA(256)";
23593
0
    else if ((XSTRCMP(n[0],"CAMELLIA128") == 0) ||
23594
0
             (XSTRCMP(n[2],"CAMELLIA128") == 0))
23595
0
        encStr = "CAMELLIA(128)";
23596
0
    else if ((XSTRCMP(n[0],"RC4") == 0) || (XSTRCMP(n[1],"RC4") == 0) ||
23597
0
            (XSTRCMP(n[2],"RC4") == 0))
23598
0
        encStr = "RC4";
23599
0
    else if (((XSTRCMP(n[0],"DES") == 0)  || (XSTRCMP(n[1],"DES") == 0) ||
23600
0
              (XSTRCMP(n[2],"DES") == 0)) &&
23601
0
             ((XSTRCMP(n[1],"CBC3") == 0) || (XSTRCMP(n[2],"CBC3") == 0) ||
23602
0
              (XSTRCMP(n[3],"CBC3") == 0)))
23603
0
        encStr = "3DES";
23604
0
    else if ((XSTRCMP(n[1],"CHACHA20") == 0 && XSTRCMP(n[2],"POLY1305") == 0) ||
23605
0
             (XSTRCMP(n[2],"CHACHA20") == 0 && XSTRCMP(n[3],"POLY1305") == 0))
23606
0
        encStr = "CHACHA20/POLY1305(256)";
23607
0
    else if ((XSTRCMP(n[0],"NULL") == 0) || (XSTRCMP(n[1],"NULL") == 0) ||
23608
0
             (XSTRCMP(n[2],"NULL") == 0) ||
23609
0
             ((XSTRCMP(n[0],"TLS13") == 0) && (XSTRCMP(n[3],"") == 0)))
23610
0
        encStr = "None";
23611
0
    else
23612
0
        encStr = "unknown";
23613
23614
0
    return encStr;
23615
0
}
23616
23617
/* Check if a cipher is AEAD
23618
 * @param n return segment cipher name
23619
 * return 1 if the cipher is AEAD, otherwise 0
23620
 */
23621
int IsCipherAEAD(char n[][MAX_SEGMENT_SZ])
23622
0
{
23623
0
    WOLFSSL_ENTER("IsCipherAEAD");
23624
23625
0
    if (n == NULL) {
23626
0
        WOLFSSL_MSG("bad function argumet. n is NULL.");
23627
0
        return 0;
23628
0
    }
23629
23630
0
    if ((XSTRCMP(n[2],"GCM") == 0) || (XSTRCMP(n[3],"GCM") == 0) ||
23631
0
        (XSTRCMP(n[1],"CCM") == 0) ||
23632
0
        (XSTRCMP(n[2],"CCM") == 0) || (XSTRCMP(n[3],"CCM") == 0) ||
23633
0
        (XSTRCMP(n[1],"CHACHA20") == 0 && XSTRCMP(n[2],"POLY1305") == 0) ||
23634
0
        (XSTRCMP(n[2],"CHACHA20") == 0 && XSTRCMP(n[3],"POLY1305") == 0))
23635
0
        return 1;
23636
0
    return 0;
23637
0
}
23638
23639
/* Returns the MAC string of a cipher or "unknown" on failure */
23640
0
const char* GetCipherMacStr(char n[][MAX_SEGMENT_SZ]) {
23641
23642
0
    const char* macStr = NULL;
23643
23644
0
    if ((XSTRCMP(n[4],"SHA256") == 0) || (XSTRCMP(n[3],"SHA256") == 0) ||
23645
0
        (XSTRCMP(n[2],"SHA256") == 0) || (XSTRCMP(n[1],"SHA256") == 0))
23646
0
        macStr = "SHA256";
23647
0
    else if ((XSTRCMP(n[4],"SHA384") == 0) ||
23648
0
             (XSTRCMP(n[3],"SHA384") == 0) ||
23649
0
             (XSTRCMP(n[2],"SHA384") == 0) ||
23650
0
             (XSTRCMP(n[1],"SHA384") == 0))
23651
0
        macStr = "SHA384";
23652
0
    else if ((XSTRCMP(n[4],"SHA") == 0) || (XSTRCMP(n[3],"SHA") == 0) ||
23653
0
             (XSTRCMP(n[2],"SHA") == 0) || (XSTRCMP(n[1],"SHA") == 0) ||
23654
0
             (XSTRCMP(n[1],"MD5") == 0))
23655
0
        macStr = "SHA1";
23656
0
    else if ((XSTRCMP(n[3],"GCM") == 0) ||
23657
0
             (XSTRCMP(n[1],"CCM") == 0) ||
23658
0
             (XSTRCMP(n[2],"CCM") == 0) || (XSTRCMP(n[3],"CCM") == 0) ||
23659
0
             (XSTRCMP(n[1],"CHACHA20") == 0 && XSTRCMP(n[2],"POLY1305") == 0) ||
23660
0
             (XSTRCMP(n[2],"CHACHA20") == 0 && XSTRCMP(n[3],"POLY1305") == 0))
23661
0
        macStr = "AEAD";
23662
0
    else
23663
0
        macStr = "unknown";
23664
23665
0
    return macStr;
23666
0
}
23667
23668
/* Returns the number of bits based on the cipher enc string, or 0 on failure */
23669
0
int SetCipherBits(const char* enc) {
23670
0
    int ret = WOLFSSL_FAILURE;
23671
23672
0
    if ((XSTRCMP(enc,"AESGCM(256)") == 0) ||
23673
0
        (XSTRCMP(enc,"AES(256)") == 0) ||
23674
0
        (XSTRCMP(enc,"CAMELLIA(256)") == 0) ||
23675
0
        (XSTRCMP(enc,"CHACHA20/POLY1305(256)") == 0))
23676
0
            ret = 256;
23677
0
    else if
23678
0
        ((XSTRCMP(enc,"3DES") == 0))
23679
0
            ret = 168;
23680
0
    else if
23681
0
        ((XSTRCMP(enc,"AESGCM(128)") == 0) ||
23682
0
         (XSTRCMP(enc,"AES(128)") == 0) ||
23683
0
         (XSTRCMP(enc,"CAMELLIA(128)") == 0) ||
23684
0
         (XSTRCMP(enc,"RC4") == 0))
23685
0
            ret = 128;
23686
0
   else if
23687
0
        ((XSTRCMP(enc,"DES") == 0))
23688
0
            ret = 56;
23689
23690
0
    return ret;
23691
0
}
23692
#endif /* WOLFSSL_QT || OPENSSL_ALL */
23693
23694
const char* GetCipherNameIana(const byte cipherSuite0, const byte cipherSuite)
23695
0
{
23696
0
#ifndef NO_ERROR_STRINGS
23697
0
    int i;
23698
0
    const char* nameIana = "NONE";
23699
23700
0
    for (i = 0; i < GetCipherNamesSize(); i++) {
23701
0
        if ((cipher_names[i].cipherSuite0 == cipherSuite0) &&
23702
0
            (cipher_names[i].cipherSuite  == cipherSuite)
23703
0
#ifndef NO_CIPHER_SUITE_ALIASES
23704
0
            && (! (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS))
23705
0
#endif
23706
0
            ) {
23707
0
            nameIana = cipher_names[i].name_iana;
23708
0
            break;
23709
0
        }
23710
0
    }
23711
0
    return nameIana;
23712
#else
23713
    (void)cipherSuite0;
23714
    (void)cipherSuite;
23715
    return NULL;
23716
#endif
23717
0
}
23718
23719
const char* wolfSSL_get_cipher_name_internal(WOLFSSL* ssl)
23720
0
{
23721
0
    if (ssl == NULL) {
23722
0
        return NULL;
23723
0
    }
23724
23725
0
    return GetCipherNameInternal(ssl->options.cipherSuite0, ssl->options.cipherSuite);
23726
0
}
23727
23728
const char* wolfSSL_get_cipher_name_iana(WOLFSSL* ssl)
23729
0
{
23730
0
    if (ssl == NULL) {
23731
0
        return NULL;
23732
0
    }
23733
23734
0
    return GetCipherNameIana(ssl->options.cipherSuite0, ssl->options.cipherSuite);
23735
0
}
23736
23737
int GetCipherSuiteFromName(const char* name, byte* cipherSuite0,
23738
                           byte* cipherSuite, int* flags)
23739
0
{
23740
0
    int           ret = BAD_FUNC_ARG;
23741
0
    int           i;
23742
0
    unsigned long len;
23743
0
    const char*   nameDelim;
23744
23745
    /* Support trailing : */
23746
0
    nameDelim = XSTRSTR(name, ":");
23747
0
    if (nameDelim)
23748
0
        len = (unsigned long)(nameDelim - name);
23749
0
    else
23750
0
        len = (unsigned long)XSTRLEN(name);
23751
23752
0
    for (i = 0; i < GetCipherNamesSize(); i++) {
23753
0
        if ((XSTRNCMP(name, cipher_names[i].name, len) == 0) &&
23754
0
            (cipher_names[i].name[len] == 0)) {
23755
0
            *cipherSuite0 = cipher_names[i].cipherSuite0;
23756
0
            *cipherSuite  = cipher_names[i].cipherSuite;
23757
0
            *flags = cipher_names[i].flags;
23758
0
            ret = 0;
23759
0
            break;
23760
0
        }
23761
0
    }
23762
23763
0
    return ret;
23764
0
}
23765
23766
/**
23767
Set the enabled cipher suites.
23768
23769
With OPENSSL_EXTRA we attempt to understand some of the available "bulk"
23770
ciphersuites. We can not perfectly filter ciphersuites based on the "bulk"
23771
names but we do what we can. Ciphersuites named explicitly take precedence to
23772
ciphersuites introduced through the "bulk" ciphersuites.
23773
23774
@param [out] suites Suites structure.
23775
@param [in]  list   List of cipher suites, only supports full name from
23776
                    cipher_names[] delimited by ':'.
23777
23778
@return true on success, else false.
23779
*/
23780
int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
23781
0
{
23782
0
    int       ret              = 0;
23783
0
    int       idx              = 0;
23784
0
    int       haveRSAsig       = 0;
23785
0
    int       haveECDSAsig     = 0;
23786
0
    int       haveFalconSig    = 0;
23787
0
    int       haveDilithiumSig = 0;
23788
0
    int       haveAnon         = 0;
23789
0
#ifdef OPENSSL_EXTRA
23790
0
    int       haveRSA          = 0;
23791
0
    int       haveDH           = 0;
23792
0
    int       haveECC          = 0;
23793
0
    int       haveStaticRSA    = 1; /* allowed by default if compiled in */
23794
0
    int       haveStaticECC    = 0;
23795
0
    int       haveNull         = 1; /* allowed by default if compiled in */
23796
0
    int       callInitSuites   = 0;
23797
0
    int       havePSK          = 0;
23798
0
#endif
23799
0
    const int suiteSz       = GetCipherNamesSize();
23800
0
    const char* next        = list;
23801
23802
0
    if (suites == NULL || list == NULL) {
23803
0
        WOLFSSL_MSG("SetCipherList parameter error");
23804
0
        return 0;
23805
0
    }
23806
23807
0
    if (next[0] == 0 || XSTRCMP(next, "ALL") == 0 ||
23808
0
        XSTRCMP(next, "DEFAULT") == 0 || XSTRCMP(next, "HIGH") == 0)
23809
0
        return 1; /* wolfSSL default */
23810
23811
0
    do {
23812
0
        const char* current = next;
23813
0
        char   name[MAX_SUITE_NAME + 1];
23814
0
        int    i;
23815
0
        word32 length;
23816
0
    #ifdef OPENSSL_EXTRA
23817
0
        int    allowing = 1;
23818
0
    #endif
23819
23820
0
        next = XSTRSTR(next, ":");
23821
0
        length = MAX_SUITE_NAME;
23822
0
        if (next != NULL) {
23823
0
            word32 currLen = (word32)(next - current);
23824
0
            if (length > currLen) {
23825
0
                length = currLen;
23826
0
            }
23827
0
        }
23828
23829
0
    #ifdef OPENSSL_EXTRA
23830
0
        if (length > 1) {
23831
0
            if (*current == '!') {
23832
0
                allowing = 0;
23833
0
                current++;
23834
0
                length--;
23835
0
            }
23836
0
        }
23837
0
    #endif
23838
23839
0
        XSTRNCPY(name, current, length);
23840
0
        name[(length == sizeof(name)) ? length - 1 : length] = 0;
23841
23842
0
    #ifdef OPENSSL_EXTRA
23843
0
        if (XSTRCMP(name, "DEFAULT") == 0 || XSTRCMP(name, "ALL") == 0) {
23844
0
            if (XSTRCMP(name, "ALL") == 0)
23845
0
                haveAnon = 1;
23846
0
            else
23847
0
                haveAnon = 0;
23848
        #ifdef HAVE_ANON
23849
            ctx->haveAnon = haveAnon;
23850
        #endif
23851
0
            haveRSA = 1;
23852
0
            haveDH = 1;
23853
0
            haveECC = 1;
23854
0
            haveStaticECC = 1;
23855
0
            haveStaticRSA = 1;
23856
0
            haveRSAsig = 1;
23857
0
            havePSK = 1;
23858
0
            haveNull = 0;
23859
23860
0
            callInitSuites = 1;
23861
0
            ret = 1;
23862
0
            continue;
23863
0
        }
23864
23865
        /* We don't have a way to disallow high bit sizes. Only disable unsafe
23866
         * ciphersuites. */
23867
0
        if (XSTRCMP(name, "HIGH") == 0 && allowing) {
23868
            /* Disable static, anonymous, and null ciphers */
23869
0
            haveAnon = 0;
23870
        #ifdef HAVE_ANON
23871
            ctx->haveAnon = 0;
23872
        #endif
23873
0
            haveRSA = 1;
23874
0
            haveDH = 1;
23875
0
            haveECC = 1;
23876
0
            haveStaticECC = 0;
23877
0
            haveStaticRSA = 0;
23878
0
            haveRSAsig = 1;
23879
0
            havePSK = 1;
23880
0
            haveNull = 0;
23881
23882
0
            callInitSuites = 1;
23883
0
            ret = 1;
23884
0
            continue;
23885
0
        }
23886
23887
0
        if (XSTRCMP(name, "aNULL") == 0) {
23888
0
            haveAnon = allowing;
23889
        #ifdef HAVE_ANON
23890
            ctx->haveAnon = allowing;
23891
        #endif
23892
0
            if (allowing) {
23893
                /* Allow RSA by default. */
23894
0
                if (!haveECC)
23895
0
                    haveRSA = 1;
23896
0
                if (!haveECDSAsig)
23897
0
                    haveRSAsig = 1;
23898
0
                callInitSuites = 1;
23899
0
                ret = 1;
23900
0
            }
23901
0
            continue;
23902
0
        }
23903
23904
0
        if (XSTRCMP(name, "eNULL") == 0 || XSTRCMP(name, "NULL") == 0) {
23905
0
            haveNull = allowing;
23906
0
            if (allowing) {
23907
                /* Allow RSA by default. */
23908
0
                if (!haveECC)
23909
0
                    haveRSA = 1;
23910
0
                if (!haveECDSAsig)
23911
0
                    haveRSAsig = 1;
23912
0
                callInitSuites = 1;
23913
0
                ret = 1;
23914
0
            }
23915
0
            continue;
23916
0
        }
23917
23918
0
        if (XSTRCMP(name, "kDH") == 0) {
23919
0
            haveStaticECC = allowing;
23920
0
            if (allowing) {
23921
0
                haveECC = 1;
23922
0
                haveECDSAsig = 1;
23923
0
                callInitSuites = 1;
23924
0
                ret = 1;
23925
0
            }
23926
0
            continue;
23927
0
        }
23928
23929
0
        if (XSTRCMP(name, "kRSA") == 0 || XSTRCMP(name, "RSA") == 0) {
23930
0
            haveStaticRSA = allowing;
23931
0
            if (allowing) {
23932
0
                haveRSA = 1;
23933
0
                haveRSAsig = 1;
23934
0
                callInitSuites = 1;
23935
0
                ret = 1;
23936
0
            }
23937
0
            continue;
23938
0
        }
23939
23940
0
        if (XSTRCMP(name, "PSK") == 0) {
23941
0
            havePSK = allowing;
23942
0
            haveRSAsig = 1;
23943
0
            if (allowing) {
23944
                /* Allow RSA by default. */
23945
0
                if (!haveECC)
23946
0
                    haveRSA = 1;
23947
0
                if (!haveECDSAsig)
23948
0
                    haveRSAsig = 1;
23949
0
                callInitSuites = 1;
23950
0
                ret = 1;
23951
0
            }
23952
0
            continue;
23953
0
        }
23954
23955
0
        if (XSTRCMP(name, "LOW") == 0 || XSTRCMP(name, "MEDIUM") == 0) {
23956
            /* No way to limit or allow low bit sizes */
23957
0
            if (allowing) {
23958
                /* Allow RSA by default */
23959
0
                haveRSA = 1;
23960
0
                haveRSAsig = 1;
23961
0
                callInitSuites = 1;
23962
0
                ret = 1;
23963
0
            }
23964
0
            continue;
23965
0
        }
23966
23967
0
        if (XSTRCMP(name, "DSS") == 0) {
23968
            /* No support for DSA ciphersuites */
23969
0
            continue;
23970
0
        }
23971
23972
0
        if (XSTRCMP(name, "EXP") == 0 || XSTRCMP(name, "EXPORT") == 0) {
23973
            /* wolfSSL doesn't support "export" ciphers. We can skip this */
23974
0
            continue;
23975
0
        }
23976
0
    #endif /* OPENSSL_EXTRA */
23977
23978
0
        for (i = 0; i < suiteSz; i++) {
23979
0
            if (XSTRNCMP(name, cipher_names[i].name, sizeof(name)) == 0
23980
0
            #ifndef NO_ERROR_STRINGS
23981
0
                || XSTRNCMP(name, cipher_names[i].name_iana, sizeof(name)) == 0
23982
0
            #endif
23983
0
             ) {
23984
            #ifdef WOLFSSL_DTLS
23985
                /* don't allow stream ciphers with DTLS */
23986
                if (ctx->method->version.major == DTLS_MAJOR) {
23987
                    if (XSTRSTR(name, "RC4"))
23988
                    {
23989
                        WOLFSSL_MSG("Stream ciphers not supported with DTLS");
23990
                        continue;
23991
                    }
23992
23993
                }
23994
            #endif /* WOLFSSL_DTLS */
23995
23996
0
                if (idx + 1 >= WOLFSSL_MAX_SUITE_SZ) {
23997
0
                    WOLFSSL_MSG("WOLFSSL_MAX_SUITE_SZ set too low");
23998
0
                    return 0; /* suites buffer not large enough, error out */
23999
0
                }
24000
24001
0
                suites->suites[idx++] = cipher_names[i].cipherSuite0;
24002
0
                suites->suites[idx++] = cipher_names[i].cipherSuite;
24003
                /* The suites are either ECDSA, RSA, PSK, or Anon. The RSA
24004
                 * suites don't necessarily have RSA in the name. */
24005
0
            #ifdef WOLFSSL_TLS13
24006
0
                if (cipher_names[i].cipherSuite0 == TLS13_BYTE ||
24007
0
                         (cipher_names[i].cipherSuite0 == ECC_BYTE &&
24008
0
                          (cipher_names[i].cipherSuite == TLS_SHA256_SHA256 ||
24009
0
                           cipher_names[i].cipherSuite == TLS_SHA384_SHA384))) {
24010
0
                #ifndef NO_RSA
24011
0
                    haveRSAsig = 1;
24012
0
                #endif
24013
0
                #if defined(HAVE_ECC) || defined(HAVE_ED25519) || \
24014
0
                                                             defined(HAVE_ED448)
24015
0
                    haveECDSAsig = 1;
24016
0
                #endif
24017
                #if defined(HAVE_PQC)
24018
                #ifdef HAVE_FALCON
24019
                    haveFalconSig = 1;
24020
                #endif /* HAVE_FALCON */
24021
                #ifdef HAVE_DILITHIUM
24022
                    haveDilithiumSig = 1;
24023
                #endif /* HAVE_DILITHIUM */
24024
                #endif /* HAVE_PQC */
24025
0
                }
24026
0
                else
24027
0
            #endif
24028
0
            #if defined(HAVE_ECC) || defined(HAVE_ED25519) || \
24029
0
                                                             defined(HAVE_ED448)
24030
0
                if ((haveECDSAsig == 0) && XSTRSTR(name, "ECDSA"))
24031
0
                    haveECDSAsig = 1;
24032
0
                else
24033
0
            #endif
24034
            #ifdef HAVE_ANON
24035
                if (XSTRSTR(name, "ADH"))
24036
                    haveAnon = 1;
24037
                else
24038
            #endif
24039
0
                if (haveRSAsig == 0
24040
                    #ifndef NO_PSK
24041
                        && (XSTRSTR(name, "PSK") == NULL)
24042
                    #endif
24043
0
                   ) {
24044
0
                    haveRSAsig = 1;
24045
0
                }
24046
24047
0
                ret = 1; /* found at least one */
24048
0
                break;
24049
0
            }
24050
0
        }
24051
0
    }
24052
0
    while (next++); /* ++ needed to skip ':' */
24053
24054
0
    if (ret) {
24055
0
        int keySz = 0;
24056
0
    #ifndef NO_CERTS
24057
0
        keySz = ctx->privateKeySz;
24058
0
    #endif
24059
0
    #ifdef OPENSSL_EXTRA
24060
0
        if (callInitSuites) {
24061
0
            byte tmp[WOLFSSL_MAX_SUITE_SZ];
24062
0
            XMEMCPY(tmp, suites->suites, idx); /* Store copy */
24063
0
            suites->setSuites = 0; /* Force InitSuites */
24064
0
            suites->hashSigAlgoSz = 0; /* Force InitSuitesHashSigAlgo call
24065
                                        * inside InitSuites */
24066
0
            InitSuites(suites, ctx->method->version, keySz, (word16)haveRSA,
24067
0
                       (word16)havePSK, (word16)haveDH, (word16)haveECDSAsig,
24068
0
                       (word16)haveECC, (word16)haveStaticRSA,
24069
0
                       (word16)haveStaticECC, (word16)haveFalconSig,
24070
0
                       (word16)haveDilithiumSig, (word16)haveAnon,
24071
0
                       (word16)haveNull, ctx->method->side);
24072
            /* Restore user ciphers ahead of defaults */
24073
0
            XMEMMOVE(suites->suites + idx, suites->suites,
24074
0
                    min(suites->suiteSz, WOLFSSL_MAX_SUITE_SZ-idx));
24075
0
            suites->suiteSz += (word16)idx;
24076
0
        }
24077
0
        else
24078
0
    #endif
24079
0
        {
24080
0
            suites->suiteSz   = (word16)idx;
24081
0
            InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig,
24082
0
                                  haveFalconSig, haveDilithiumSig, haveAnon,
24083
0
                                  1, keySz);
24084
0
        }
24085
0
        suites->setSuites = 1;
24086
0
    }
24087
24088
0
    (void)ctx;
24089
24090
0
    return ret;
24091
0
}
24092
24093
#ifdef OPENSSL_EXTRA
24094
24095
struct mac_algs {
24096
    byte alg;
24097
    const char* name;
24098
} mac_names[] = {
24099
#ifndef NO_SHA256
24100
    { sha256_mac, "SHA256" },
24101
#endif
24102
#ifdef WOLFSSL_SHA384
24103
    { sha384_mac, "SHA384" },
24104
#endif
24105
#ifdef WOLFSSL_SHA512
24106
    { sha512_mac, "SHA512" },
24107
#endif
24108
#ifdef WOLFSSL_SHA224
24109
    { sha224_mac, "SHA224" },
24110
#endif
24111
#if !defined(NO_SHA) && (!defined(NO_OLD_TLS) || \
24112
                                                defined(WOLFSSL_ALLOW_TLS_SHA1))
24113
    { sha_mac,    "SHA1" },
24114
#endif
24115
};
24116
0
#define MAC_NAMES_SZ    (int)(sizeof(mac_names)/sizeof(*mac_names))
24117
24118
/* Convert the hash algorithm string to a TLS MAC algorithm num. */
24119
static byte GetMacAlgFromName(const char* name, int len)
24120
0
{
24121
0
    byte alg = no_mac;
24122
0
    int i;
24123
24124
0
    for (i = 0; i < MAC_NAMES_SZ; i++) {
24125
0
        if (((int)XSTRLEN(mac_names[i].name) == len) &&
24126
0
                                 (XMEMCMP(mac_names[i].name, name, len) == 0)) {
24127
0
            alg = mac_names[i].alg;
24128
0
            break;
24129
0
        }
24130
0
    }
24131
24132
0
    return alg;
24133
0
}
24134
24135
struct sig_algs {
24136
    byte alg;
24137
    const char* name;
24138
} sig_names[] = {
24139
#ifndef NO_RSA
24140
    { rsa_sa_algo,     "RSA" },
24141
#ifdef WC_RSA_PSS
24142
    { rsa_pss_sa_algo, "RSA-PSS" },
24143
    { rsa_pss_sa_algo, "PSS" },
24144
#endif
24145
#endif
24146
#ifdef HAVE_ECC
24147
    { ecc_dsa_sa_algo, "ECDSA" },
24148
#endif
24149
#ifdef HAVE_ED25519
24150
    { ed25519_sa_algo, "ED25519" },
24151
#endif
24152
#ifdef HAVE_ED448
24153
    { ed448_sa_algo,   "ED448" },
24154
#endif
24155
#ifndef NO_DSA
24156
    { dsa_sa_algo,     "DSA" },
24157
#endif
24158
};
24159
0
#define SIG_NAMES_SZ    (int)(sizeof(sig_names)/sizeof(*sig_names))
24160
24161
/* Convert the signature algorithm string to a TLS signature algorithm num. */
24162
static byte GetSigAlgFromName(const char* name, int len)
24163
0
{
24164
0
    byte alg = anonymous_sa_algo;
24165
0
    int i;
24166
24167
0
    for (i = 0; i < SIG_NAMES_SZ; i++) {
24168
0
        if (((int)XSTRLEN(sig_names[i].name) == len) &&
24169
0
                                 (XMEMCMP(sig_names[i].name, name, len) == 0)) {
24170
0
            alg = sig_names[i].alg;
24171
0
            break;
24172
0
        }
24173
0
    }
24174
24175
0
    return alg;
24176
0
}
24177
24178
/* Set the hash/signature algorithms that are supported for certificate signing.
24179
 *
24180
 * suites  [in,out]  Cipher suites and signature algorithms.
24181
 * list    [in]      String representing hash/signature algorithms to set.
24182
 * returns  0 on failure.
24183
 *          1 on success.
24184
 */
24185
int SetSuitesHashSigAlgo(Suites* suites, const char* list)
24186
0
{
24187
0
    int ret = 1;
24188
0
    word16 idx = 0;
24189
0
    const char* s = list;
24190
0
    byte sig_alg = 0;
24191
0
    byte mac_alg = no_mac;
24192
24193
    /* Setting is destructive on error. */
24194
0
    suites->hashSigAlgoSz = 0;
24195
24196
0
    do {
24197
0
        if (*list == '+') {
24198
0
            if (mac_alg != 0) {
24199
0
                ret = 0;
24200
0
                break;
24201
0
            }
24202
0
            sig_alg = GetSigAlgFromName(s, (int)(list - s));
24203
0
            if (sig_alg == 0) {
24204
0
                ret = 0;
24205
0
                break;
24206
0
            }
24207
0
            s = list + 1;
24208
0
        }
24209
0
        else if (*list == ':' || *list == '\0') {
24210
0
            if (sig_alg == 0) {
24211
                /* No signature algorithm set yet.
24212
                 * Ed25519 and Ed448 have implied MAC algorithm.
24213
                 */
24214
0
                sig_alg = GetSigAlgFromName(s, (int)(list - s));
24215
0
                if (sig_alg != ed25519_sa_algo && sig_alg != ed448_sa_algo) {
24216
0
                    ret = 0;
24217
0
                    break;
24218
0
                }
24219
0
            }
24220
0
            else {
24221
0
                mac_alg = GetMacAlgFromName(s, (int)(list - s));
24222
0
                if (mac_alg == 0) {
24223
0
                    ret = 0;
24224
0
                    break;
24225
0
                }
24226
0
            }
24227
0
            AddSuiteHashSigAlgo(suites, mac_alg, sig_alg, 0, &idx);
24228
0
            sig_alg = 0;
24229
0
            mac_alg = no_mac;
24230
0
            s = list + 1;
24231
0
        }
24232
24233
0
        list++;
24234
0
    }
24235
0
    while (*(list-1) != '\0');
24236
24237
0
    if (s != list && (sig_alg != 0 || mac_alg != 0)) {
24238
0
        ret = 0;
24239
0
    }
24240
0
    else {
24241
0
        suites->hashSigAlgoSz = idx;
24242
0
    }
24243
24244
0
    return ret;
24245
0
}
24246
24247
#endif /* OPENSSL_EXTRA */
24248
24249
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS)
24250
static int MatchSigAlgo(WOLFSSL* ssl, int sigAlgo)
24251
0
{
24252
0
#ifdef HAVE_ED25519
24253
0
    if (ssl->pkCurveOID == ECC_ED25519_OID) {
24254
        /* Certificate has Ed25519 key, only match with Ed25519 sig alg  */
24255
0
        return sigAlgo == ed25519_sa_algo;
24256
0
    }
24257
0
#endif
24258
0
#ifdef HAVE_ED448
24259
0
    if (ssl->pkCurveOID == ECC_ED448_OID) {
24260
        /* Certificate has Ed448 key, only match with Ed448 sig alg  */
24261
0
        return sigAlgo == ed448_sa_algo;
24262
0
    }
24263
0
#endif
24264
#ifdef HAVE_PQC
24265
#ifdef HAVE_FALCON
24266
    if (ssl->pkCurveOID == CTC_FALCON_LEVEL1) {
24267
        /* Certificate has Falcon level 1 key, only match with Falcon level 1
24268
         * sig alg  */
24269
        return sigAlgo == falcon_level1_sa_algo;
24270
    }
24271
    if (ssl->pkCurveOID == CTC_FALCON_LEVEL5) {
24272
        /* Certificate has Falcon level 5 key, only match with Falcon level 5
24273
         * sig alg  */
24274
        return sigAlgo == falcon_level5_sa_algo;
24275
    }
24276
#endif /* HAVE_FALCON */
24277
#ifdef HAVE_DILITHIUM
24278
    if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2) {
24279
        /* Certificate has Dilithium level 2 key, only match with it. */
24280
        return sigAlgo == dilithium_level2_sa_algo;
24281
    }
24282
    if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL3) {
24283
        /* Certificate has Dilithium level 3 key, only match with it. */
24284
        return sigAlgo == dilithium_level3_sa_algo;
24285
    }
24286
    if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL5) {
24287
        /* Certificate has Dilithium level 5 key, only match with it. */
24288
        return sigAlgo == dilithium_level5_sa_algo;
24289
    }
24290
    if (ssl->pkCurveOID == CTC_DILITHIUM_AES_LEVEL2) {
24291
        /* Certificate has Dilithium AES level 2 key, only match with it. */
24292
        return sigAlgo == dilithium_aes_level2_sa_algo;
24293
    }
24294
    if (ssl->pkCurveOID == CTC_DILITHIUM_AES_LEVEL3) {
24295
        /* Certificate has Dilithium AES level 3 key, only match with it. */
24296
        return sigAlgo == dilithium_aes_level3_sa_algo;
24297
    }
24298
    if (ssl->pkCurveOID == CTC_DILITHIUM_AES_LEVEL5) {
24299
        /* Certificate has Dilithium AES level 5 key, only match with it. */
24300
        return sigAlgo == dilithium_aes_level5_sa_algo;
24301
    }
24302
#endif /* HAVE_DILITHIUM */
24303
#endif /* HAVE_PQC */
24304
0
#ifdef WC_RSA_PSS
24305
    /* RSA certificate and PSS sig alg. */
24306
0
    if (ssl->suites->sigAlgo == rsa_sa_algo) {
24307
0
    #if defined(WOLFSSL_TLS13)
24308
        /* TLS 1.3 only supports RSA-PSS. */
24309
0
        if (IsAtLeastTLSv1_3(ssl->version))
24310
0
            return sigAlgo == rsa_pss_sa_algo;
24311
0
    #endif
24312
        /* TLS 1.2 and below - RSA-PSS allowed. */
24313
0
        if (sigAlgo == rsa_pss_sa_algo)
24314
0
            return 1;
24315
0
    }
24316
0
#endif
24317
    /* Signature algorithm matches certificate. */
24318
0
    return sigAlgo == ssl->suites->sigAlgo;
24319
0
}
24320
24321
#if defined(HAVE_ECC) && defined(WOLFSSL_TLS13) || \
24322
                                              defined(USE_ECDSA_KEYSZ_HASH_ALGO)
24323
static int CmpEccStrength(int hashAlgo, int curveSz)
24324
0
{
24325
0
    int dgstSz = GetMacDigestSize((byte)hashAlgo);
24326
0
    if (dgstSz <= 0)
24327
0
        return -1;
24328
0
    return dgstSz - (curveSz & (~0x3));
24329
0
}
24330
#endif
24331
24332
static byte MinHashAlgo(WOLFSSL* ssl)
24333
0
{
24334
0
#ifdef WOLFSSL_TLS13
24335
0
    if (IsAtLeastTLSv1_3(ssl->version)) {
24336
0
        return sha256_mac;
24337
0
    }
24338
0
#endif
24339
0
#if !defined(WOLFSSL_NO_TLS12) && !defined(WOLFSSL_ALLOW_TLS_SHA1)
24340
0
    if (IsAtLeastTLSv1_2(ssl)) {
24341
0
        return sha256_mac;
24342
0
    }
24343
0
#endif /* WOLFSSL_NO_TLS12 */
24344
0
    (void)ssl;
24345
0
    return sha_mac;
24346
0
}
24347
24348
int PickHashSigAlgo(WOLFSSL* ssl, const byte* hashSigAlgo, word32 hashSigAlgoSz)
24349
0
{
24350
0
    word32 i;
24351
0
    int ret = MATCH_SUITE_ERROR;
24352
0
    byte minHash;
24353
24354
    /* set defaults */
24355
0
    if (IsAtLeastTLSv1_3(ssl->version)) {
24356
0
    #ifndef NO_CERTS
24357
        /* TLS 1.3 cipher suites don't have public key algorithms in them.
24358
         * Using the one in the certificate - if any.
24359
         */
24360
0
        ssl->suites->sigAlgo = ssl->buffers.keyType;
24361
0
    #endif
24362
0
    }
24363
0
    else {
24364
0
        ssl->suites->sigAlgo = ssl->specs.sig_algo;
24365
0
    }
24366
0
    if (ssl->suites->sigAlgo == anonymous_sa_algo) {
24367
        /* PSK ciphersuite - get digest to use from cipher suite */
24368
0
        ssl->suites->hashAlgo = ssl->specs.mac_algorithm;
24369
0
        return 0;
24370
0
    }
24371
0
    ssl->suites->hashAlgo = minHash = MinHashAlgo(ssl);
24372
24373
    /* No list means go with the defaults. */
24374
0
    if (hashSigAlgoSz == 0)
24375
0
        return 0;
24376
24377
    /* i+1 since two bytes used to describe hash and signature algorithm */
24378
0
    for (i = 0; (i+1) < hashSigAlgoSz; i += HELLO_EXT_SIGALGO_SZ) {
24379
0
        byte hashAlgo = 0, sigAlgo = 0;
24380
24381
0
        DecodeSigAlg(&hashSigAlgo[i], &hashAlgo, &sigAlgo);
24382
        /* Keep looking if hash algorithm not strong enough. */
24383
0
        if (hashAlgo < minHash)
24384
0
            continue;
24385
        /* Keep looking if signature algorithm isn't supported by cert. */
24386
0
        if (!MatchSigAlgo(ssl, sigAlgo))
24387
0
            continue;
24388
24389
0
    #ifdef HAVE_ED25519
24390
0
        if (ssl->pkCurveOID == ECC_ED25519_OID) {
24391
            /* Matched Ed25519 - set chosen and finished. */
24392
0
            ssl->suites->sigAlgo = sigAlgo;
24393
0
            ssl->suites->hashAlgo = hashAlgo;
24394
0
            ret = 0;
24395
0
            break;
24396
0
        }
24397
0
    #endif
24398
0
    #ifdef HAVE_ED448
24399
0
        if (ssl->pkCurveOID == ECC_ED448_OID) {
24400
            /* Matched Ed448 - set chosen and finished. */
24401
0
            ssl->suites->sigAlgo = sigAlgo;
24402
0
            ssl->suites->hashAlgo = hashAlgo;
24403
0
            ret = 0;
24404
0
            break;
24405
0
        }
24406
0
    #endif
24407
    #if defined(HAVE_PQC)
24408
    #if defined(HAVE_FALCON)
24409
        if (ssl->pkCurveOID == CTC_FALCON_LEVEL1 ||
24410
            ssl->pkCurveOID == CTC_FALCON_LEVEL5 ) {
24411
            /* Matched Falcon - set chosen and finished. */
24412
            ssl->suites->sigAlgo = sigAlgo;
24413
            ssl->suites->hashAlgo = hashAlgo;
24414
            ret = 0;
24415
            break;
24416
        }
24417
    #endif /* HAVE_FALCON */
24418
    #if defined(HAVE_DILITHIUM)
24419
        if (ssl->pkCurveOID == CTC_DILITHIUM_LEVEL2 ||
24420
            ssl->pkCurveOID == CTC_DILITHIUM_LEVEL3 ||
24421
            ssl->pkCurveOID == CTC_DILITHIUM_LEVEL5 ||
24422
            ssl->pkCurveOID == CTC_DILITHIUM_AES_LEVEL2 ||
24423
            ssl->pkCurveOID == CTC_DILITHIUM_AES_LEVEL3 ||
24424
            ssl->pkCurveOID == CTC_DILITHIUM_AES_LEVEL5 ) {
24425
            /* Matched Dilithium - set chosen and finished. */
24426
            ssl->suites->sigAlgo = sigAlgo;
24427
            ssl->suites->hashAlgo = hashAlgo;
24428
            ret = 0;
24429
            break;
24430
        }
24431
    #endif /* HAVE_DILITHIUM */
24432
    #endif /* HAVE_PQC */
24433
24434
    #if defined(WOLFSSL_ECDSA_MATCH_HASH) && defined(USE_ECDSA_KEYSZ_HASH_ALGO)
24435
        #error "WOLFSSL_ECDSA_MATCH_HASH and USE_ECDSA_KEYSZ_HASH_ALGO cannot "
24436
               "be used together"
24437
    #endif
24438
24439
0
    #if defined(HAVE_ECC) && (defined(WOLFSSL_TLS13) || \
24440
0
                                              defined(WOLFSSL_ECDSA_MATCH_HASH))
24441
0
        if (sigAlgo == ecc_dsa_sa_algo
24442
0
        #ifndef WOLFSSL_ECDSA_MATCH_HASH
24443
0
            && IsAtLeastTLSv1_3(ssl->version)
24444
0
        #endif
24445
0
            ) {
24446
            /* Must be exact match. */
24447
0
            if (CmpEccStrength(hashAlgo, ssl->buffers.keySz) != 0)
24448
0
                continue;
24449
24450
            /* Matched ECDSA exaclty - set chosen and finished. */
24451
0
            ssl->suites->hashAlgo = hashAlgo;
24452
0
            ssl->suites->sigAlgo = sigAlgo;
24453
0
            ret = 0;
24454
0
            break;
24455
0
        }
24456
0
    #endif
24457
24458
    /* For ECDSA the `USE_ECDSA_KEYSZ_HASH_ALGO` build option will choose a hash
24459
     * algorithm that matches the ephemeral ECDHE key size or the next highest
24460
     * available. This workaround resolves issue with some peer's that do not
24461
     * properly support scenarios such as a P-256 key hashed with SHA512.
24462
     */
24463
    #if defined(HAVE_ECC) && defined(USE_ECDSA_KEYSZ_HASH_ALGO)
24464
        if (sigAlgo == ecc_dsa_sa_algo) {
24465
            int cmp = CmpEccStrength(hashAlgo, ssl->eccTempKeySz);
24466
24467
            /* Keep looking if digest not strong enough. */
24468
            if (cmp < 0)
24469
                continue;
24470
24471
            /* Looking for exact match or next highest. */
24472
            if (ret != 0 || hashAlgo <= ssl->suites->hashAlgo) {
24473
                ssl->suites->hashAlgo = hashAlgo;
24474
                ssl->suites->sigAlgo = sigAlgo;
24475
            #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
24476
                ssl->namedGroup = 0;
24477
            #endif
24478
                ret = 0;
24479
            }
24480
24481
            /* Continue looking if not the same strength. */
24482
            if (cmp > 0)
24483
                continue;
24484
            /* Exact match - finished. */
24485
            break;
24486
        }
24487
    #endif
24488
24489
0
        switch (hashAlgo) {
24490
0
        #ifndef NO_SHA
24491
0
            case sha_mac:
24492
0
        #endif
24493
0
        #ifdef WOLFSSL_SHA224
24494
0
            case sha224_mac:
24495
0
        #endif
24496
0
        #ifndef NO_SHA256
24497
0
            case sha256_mac:
24498
0
        #endif
24499
0
        #ifdef WOLFSSL_SHA384
24500
0
            case sha384_mac:
24501
0
        #endif
24502
0
        #ifdef WOLFSSL_SHA512
24503
0
            case sha512_mac:
24504
0
        #endif
24505
            #ifdef WOLFSSL_STRONGEST_HASH_SIG
24506
                /* Is hash algorithm weaker than chosen/min? */
24507
                if (hashAlgo < ssl->suites->hashAlgo)
24508
                    break;
24509
            #else
24510
                /* Is hash algorithm stonger than last chosen? */
24511
0
                if (ret == 0 && hashAlgo > ssl->suites->hashAlgo)
24512
0
                    break;
24513
0
            #endif
24514
                /* The chosen one - but keep looking. */
24515
0
                ssl->suites->hashAlgo = hashAlgo;
24516
0
                ssl->suites->sigAlgo = sigAlgo;
24517
0
                ret = 0;
24518
0
                break;
24519
0
            default:
24520
                /* Support for hash algorithm not compiled in. */
24521
0
                break;
24522
0
        }
24523
0
    }
24524
24525
0
    return ret;
24526
0
}
24527
#endif /* !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) */
24528
24529
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
24530
24531
    /* Initialize HandShakeInfo */
24532
    void InitHandShakeInfo(HandShakeInfo* info, WOLFSSL* ssl)
24533
0
    {
24534
0
        int i;
24535
24536
0
        info->ssl = ssl;
24537
0
        info->cipherName[0] = 0;
24538
0
        for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++)
24539
0
            info->packetNames[i][0] = 0;
24540
0
        info->numberPackets = 0;
24541
0
        info->negotiationError = 0;
24542
0
    }
24543
24544
    /* Set Final HandShakeInfo parameters */
24545
    void FinishHandShakeInfo(HandShakeInfo* info)
24546
0
    {
24547
0
        int i;
24548
0
        int sz = GetCipherNamesSize();
24549
24550
0
        for (i = 0; i < sz; i++) {
24551
0
#ifndef NO_CIPHER_SUITE_ALIASES
24552
0
            if (cipher_names[i].flags & WOLFSSL_CIPHER_SUITE_FLAG_NAMEALIAS)
24553
0
                continue;
24554
0
#endif
24555
0
            if (info->ssl->options.cipherSuite ==
24556
0
                                            (byte)cipher_names[i].cipherSuite) {
24557
0
                if (info->ssl->options.cipherSuite0 == ECC_BYTE)
24558
0
                    continue;   /* ECC suites at end */
24559
0
                XSTRNCPY(info->cipherName, cipher_names[i].name, MAX_CIPHERNAME_SZ);
24560
0
                info->cipherName[MAX_CIPHERNAME_SZ] = '\0';
24561
0
                break;
24562
0
            }
24563
0
        }
24564
24565
        /* error max and min are negative numbers */
24566
0
        if (info->ssl->error <= MIN_PARAM_ERR && info->ssl->error >= MAX_PARAM_ERR)
24567
0
            info->negotiationError = info->ssl->error;
24568
0
    }
24569
24570
24571
    /* Add name to info packet names, increase packet name count */
24572
    void AddPacketName(WOLFSSL* ssl, const char* name)
24573
0
    {
24574
    #ifdef WOLFSSL_CALLBACKS
24575
        HandShakeInfo* info = &ssl->handShakeInfo;
24576
        if (info->numberPackets < MAX_PACKETS_HANDSHAKE) {
24577
            char* packetName = info->packetNames[info->numberPackets];
24578
            XSTRNCPY(packetName, name, MAX_PACKETNAME_SZ);
24579
            packetName[MAX_PACKETNAME_SZ] = '\0';
24580
            info->numberPackets++;
24581
        }
24582
    #endif
24583
0
        (void)ssl;
24584
0
        (void)name;
24585
0
    }
24586
24587
24588
    #ifdef WOLFSSL_CALLBACKS
24589
    /* Initialize TimeoutInfo */
24590
    void InitTimeoutInfo(TimeoutInfo* info)
24591
    {
24592
        XMEMSET(info, 0, sizeof(TimeoutInfo));
24593
    }
24594
24595
24596
    /* Free TimeoutInfo */
24597
    void FreeTimeoutInfo(TimeoutInfo* info, void* heap)
24598
    {
24599
        int i;
24600
        (void)heap;
24601
        for (i = 0; i < MAX_PACKETS_HANDSHAKE; i++) {
24602
            if (info->packets[i].bufferValue) {
24603
                XFREE(info->packets[i].bufferValue, heap, DYNAMIC_TYPE_INFO);
24604
                info->packets[i].bufferValue = NULL;
24605
            }
24606
        }
24607
    }
24608
24609
    /* Add packet name to previously added packet info */
24610
    void AddLateName(const char* name, TimeoutInfo* info)
24611
    {
24612
        /* make sure we have a valid previous one */
24613
        if (info->numberPackets > 0 && info->numberPackets <
24614
                                                        MAX_PACKETS_HANDSHAKE) {
24615
            char* packetName = info->packets[info->numberPackets-1].packetName;
24616
            XSTRNCPY(packetName, name, MAX_PACKETNAME_SZ);
24617
            packetName[MAX_PACKETNAME_SZ] = '\0';
24618
        }
24619
    }
24620
24621
    /* Add record header to previously added packet info */
24622
    void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info)
24623
    {
24624
        /* make sure we have a valid previous one */
24625
        if (info->numberPackets > 0 && info->numberPackets <
24626
                                                        MAX_PACKETS_HANDSHAKE) {
24627
            if (info->packets[info->numberPackets - 1].bufferValue)
24628
                XMEMCPY(info->packets[info->numberPackets - 1].bufferValue, rl,
24629
                       RECORD_HEADER_SZ);
24630
            else
24631
                XMEMCPY(info->packets[info->numberPackets - 1].value, rl,
24632
                       RECORD_HEADER_SZ);
24633
        }
24634
    }
24635
24636
    #endif /* WOLFSSL_CALLBACKS */
24637
24638
24639
    /* Add PacketInfo to TimeoutInfo
24640
     *
24641
     * ssl   WOLFSSL structure sending or receiving packet
24642
     * name  name of packet being sent
24643
     * type  type of packet being sent
24644
     * data  data bing sent with packet
24645
     * sz    size of data buffer
24646
     * written 1 if this packet is being written to wire, 0 if being read
24647
     * heap  custom heap to use for mallocs/frees
24648
     */
24649
    void AddPacketInfo(WOLFSSL* ssl, const char* name, int type,
24650
            const byte* data, int sz, int written, void* heap)
24651
0
    {
24652
    #ifdef WOLFSSL_CALLBACKS
24653
        TimeoutInfo* info = &ssl->timeoutInfo;
24654
24655
        if (info->numberPackets < (MAX_PACKETS_HANDSHAKE - 1)) {
24656
            WOLFSSL_TIMEVAL currTime;
24657
24658
            /* may add name after */
24659
            if (name) {
24660
                char* packetName = info->packets[info->numberPackets].packetName;
24661
                XSTRNCPY(packetName, name, MAX_PACKETNAME_SZ);
24662
                packetName[MAX_PACKETNAME_SZ] = '\0';
24663
            }
24664
24665
            /* add data, put in buffer if bigger than static buffer */
24666
            info->packets[info->numberPackets].valueSz = sz;
24667
            if (sz < MAX_VALUE_SZ)
24668
                XMEMCPY(info->packets[info->numberPackets].value, data, sz);
24669
            else {
24670
                info->packets[info->numberPackets].bufferValue =
24671
                                    (byte*)XMALLOC(sz, heap, DYNAMIC_TYPE_INFO);
24672
                if (!info->packets[info->numberPackets].bufferValue)
24673
                    /* let next alloc catch, just don't fill, not fatal here  */
24674
                    info->packets[info->numberPackets].valueSz = 0;
24675
                else
24676
                    XMEMCPY(info->packets[info->numberPackets].bufferValue,
24677
                           data, sz);
24678
            }
24679
            gettimeofday(&currTime, 0);
24680
            info->packets[info->numberPackets].timestamp.tv_sec  =
24681
                                                             currTime.tv_sec;
24682
            info->packets[info->numberPackets].timestamp.tv_usec =
24683
                                                             currTime.tv_usec;
24684
            info->numberPackets++;
24685
        }
24686
    #endif /* WOLFSSL_CALLBACKS */
24687
0
    #ifdef OPENSSL_EXTRA
24688
0
        if ((ssl->protoMsgCb != NULL) && (sz > RECORD_HEADER_SZ) &&
24689
0
            (ssl->keys.encryptionOn != 1)) {
24690
            /* version from hex to dec  16 is 16^1, 256 from 16^2 and
24691
               4096 from 16^3 */
24692
0
            int version = (ssl->version.minor & 0x0F) +
24693
0
                          ((ssl->version.minor & 0xF0) << 4) +
24694
0
                          ((ssl->version.major & 0x0F) << 8) +
24695
0
                          ((ssl->version.major & 0xF0) << 12);
24696
24697
0
            ssl->protoMsgCb(written, version, type,
24698
0
                         (const void *)(data + RECORD_HEADER_SZ),
24699
0
                         (size_t)(sz - RECORD_HEADER_SZ),
24700
0
                         ssl, ssl->protoMsgCtx);
24701
0
        }
24702
0
    #endif /* OPENSSL_EXTRA */
24703
0
        (void)written;
24704
0
        (void)name;
24705
0
        (void)heap;
24706
0
        (void)type;
24707
0
        (void)ssl;
24708
0
    }
24709
24710
#endif /* WOLFSSL_CALLBACKS */
24711
24712
#if !defined(NO_CERTS)
24713
24714
#if defined(WOLF_PRIVATE_KEY_ID) && !defined(NO_CHECK_PRIVATE_KEY)
24715
/* Create a private key for a device.
24716
 *
24717
 * pkey    Key object.
24718
 * data    Data to identify key.
24719
 * length  Length of data.
24720
 * hsType  Type of the key to create.
24721
 * heap    Custom heap to use for mallocs/frees
24722
 * devId   Id for device.
24723
 * return  0 on success.
24724
 * return  NOT_COMPILED_IN if algorithm type not supported.
24725
 * return  MEMORY_E on memory allocation failure.
24726
 * return  other internal error
24727
 */
24728
int CreateDevPrivateKey(void** pkey, byte* data, word32 length, int hsType,
24729
                        int label, int id, void* heap, int devId)
24730
0
{
24731
0
    int ret = NOT_COMPILED_IN;
24732
24733
0
    if (hsType == DYNAMIC_TYPE_RSA) {
24734
0
#ifndef NO_RSA
24735
0
        RsaKey* rsaKey;
24736
24737
0
        rsaKey = (RsaKey*)XMALLOC(sizeof(RsaKey), heap, DYNAMIC_TYPE_RSA);
24738
0
        if (rsaKey == NULL) {
24739
0
            return MEMORY_E;
24740
0
        }
24741
24742
0
        if (label) {
24743
0
            ret = wc_InitRsaKey_Label(rsaKey, (char*)data, heap, devId);
24744
0
        }
24745
0
        else if (id) {
24746
0
            ret = wc_InitRsaKey_Id(rsaKey, data, length, heap, devId);
24747
0
        }
24748
0
        if (ret == 0) {
24749
0
            *pkey = (void*)rsaKey;
24750
0
        }
24751
0
        else {
24752
0
            XFREE(rsaKey, heap, DYNAMIC_TYPE_RSA);
24753
0
        }
24754
0
#endif
24755
0
    }
24756
0
    else if (hsType == DYNAMIC_TYPE_ECC) {
24757
0
#ifdef HAVE_ECC
24758
0
        ecc_key* ecKey;
24759
24760
0
        ecKey = (ecc_key*)XMALLOC(sizeof(ecc_key), heap, DYNAMIC_TYPE_ECC);
24761
0
        if (ecKey == NULL) {
24762
0
            return MEMORY_E;
24763
0
        }
24764
24765
0
        if (label) {
24766
0
            ret = wc_ecc_init_label(ecKey, (char*)data, heap, devId);
24767
0
        }
24768
0
        else if (id) {
24769
0
            ret = wc_ecc_init_id(ecKey, data, length, heap, devId);
24770
0
        }
24771
0
        if (ret == 0) {
24772
0
            *pkey = (void*)ecKey;
24773
0
        }
24774
0
        else {
24775
0
            XFREE(ecKey, heap, DYNAMIC_TYPE_ECC);
24776
0
        }
24777
0
#endif
24778
0
    }
24779
24780
0
    return ret;
24781
0
}
24782
#endif /* WOLF_PRIVATE_KEY_ID && !NO_CHECK_PRIVATE_KEY */
24783
24784
/* Decode the private key - RSA/ECC/Ed25519/Ed448/Falcon/Dilithium - and
24785
 * creates a key object.
24786
 *
24787
 * The signature type is set as well.
24788
 * The maximum length of a signature is returned.
24789
 *
24790
 * ssl     The SSL/TLS object.
24791
 * length  The length of a signature.
24792
 * returns 0 on success, otherwise failure.
24793
 */
24794
int DecodePrivateKey(WOLFSSL *ssl, word16* length)
24795
0
{
24796
0
    int      ret = BAD_FUNC_ARG;
24797
0
    int      keySz;
24798
0
    word32   idx;
24799
24800
    /* make sure private key exists */
24801
0
    if (ssl->buffers.key == NULL || ssl->buffers.key->buffer == NULL) {
24802
        /* allow no private key if using external */
24803
0
    #ifdef WOLF_PRIVATE_KEY_ID
24804
0
        if (ssl->devId != INVALID_DEVID
24805
        #ifdef HAVE_PK_CALLBACKS
24806
            || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
24807
        #endif
24808
0
        ) {
24809
0
            *length = GetPrivateKeySigSize(ssl);
24810
0
            return 0;
24811
0
        }
24812
0
        else
24813
0
    #endif
24814
0
        {
24815
0
            WOLFSSL_MSG("Private key missing!");
24816
0
            ERROR_OUT(NO_PRIVATE_KEY, exit_dpk);
24817
0
        }
24818
0
    }
24819
24820
0
#ifdef WOLF_PRIVATE_KEY_ID
24821
0
    if (ssl->buffers.keyDevId != INVALID_DEVID && (ssl->buffers.keyId ||
24822
0
                                                       ssl->buffers.keyLabel)) {
24823
0
        if (ssl->buffers.keyType == rsa_sa_algo)
24824
0
            ssl->hsType = DYNAMIC_TYPE_RSA;
24825
0
        else if (ssl->buffers.keyType == ecc_dsa_sa_algo)
24826
0
            ssl->hsType = DYNAMIC_TYPE_ECC;
24827
0
        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
24828
0
        if (ret != 0) {
24829
0
            goto exit_dpk;
24830
0
        }
24831
24832
0
        if (ssl->buffers.keyType == rsa_sa_algo) {
24833
0
    #ifndef NO_RSA
24834
0
            if (ssl->buffers.keyLabel) {
24835
0
                ret = wc_InitRsaKey_Label((RsaKey*)ssl->hsKey,
24836
0
                                          (char*)ssl->buffers.key->buffer,
24837
0
                                          ssl->heap, ssl->buffers.keyDevId);
24838
0
            }
24839
0
            else if (ssl->buffers.keyId) {
24840
0
                ret = wc_InitRsaKey_Id((RsaKey*)ssl->hsKey,
24841
0
                                       ssl->buffers.key->buffer,
24842
0
                                       ssl->buffers.key->length, ssl->heap,
24843
0
                                       ssl->buffers.keyDevId);
24844
0
            }
24845
0
            if (ret == 0) {
24846
0
                if (ssl->buffers.keySz < ssl->options.minRsaKeySz) {
24847
0
                    WOLFSSL_MSG("RSA key size too small");
24848
0
                    ERROR_OUT(RSA_KEY_SIZE_E, exit_dpk);
24849
0
                }
24850
24851
                /* Return the maximum signature length. */
24852
0
                *length = (word16)ssl->buffers.keySz;
24853
0
            }
24854
    #else
24855
            ret = NOT_COMPILED_IN;
24856
    #endif
24857
0
        }
24858
0
        else if (ssl->buffers.keyType == ecc_dsa_sa_algo) {
24859
0
    #ifdef HAVE_ECC
24860
0
            if (ssl->buffers.keyLabel) {
24861
0
                ret = wc_ecc_init_label((ecc_key*)ssl->hsKey,
24862
0
                                        (char*)ssl->buffers.key->buffer,
24863
0
                                        ssl->heap, ssl->buffers.keyDevId);
24864
0
            }
24865
0
            else if (ssl->buffers.keyId) {
24866
0
                ret = wc_ecc_init_id((ecc_key*)ssl->hsKey,
24867
0
                                     ssl->buffers.key->buffer,
24868
0
                                     ssl->buffers.key->length, ssl->heap,
24869
0
                                     ssl->buffers.keyDevId);
24870
0
            }
24871
0
            if (ret == 0) {
24872
0
                if (ssl->buffers.keySz < ssl->options.minEccKeySz) {
24873
0
                    WOLFSSL_MSG("ECC key size too small");
24874
0
                    ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk);
24875
0
                }
24876
24877
                /* Return the maximum signature length. */
24878
0
                *length = (word16)wc_ecc_sig_size_calc(ssl->buffers.keySz);
24879
0
            }
24880
    #else
24881
            ret = NOT_COMPILED_IN;
24882
    #endif
24883
0
        }
24884
0
        goto exit_dpk;
24885
0
    }
24886
0
#endif /* WOLF_PRIVATE_KEY_ID */
24887
24888
0
#ifndef NO_RSA
24889
0
    if (ssl->buffers.keyType == rsa_sa_algo || ssl->buffers.keyType == 0) {
24890
0
        ssl->hsType = DYNAMIC_TYPE_RSA;
24891
0
        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
24892
0
        if (ret != 0) {
24893
0
            goto exit_dpk;
24894
0
        }
24895
24896
0
        WOLFSSL_MSG("Trying RSA private key");
24897
24898
        /* Set start of data to beginning of buffer. */
24899
0
        idx = 0;
24900
        /* Decode the key assuming it is an RSA private key. */
24901
0
        ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
24902
0
                    (RsaKey*)ssl->hsKey, ssl->buffers.key->length);
24903
0
    #ifdef WOLF_PRIVATE_KEY_ID
24904
        /* if using external key then allow using a public key */
24905
0
        if (ret != 0 && (ssl->devId != INVALID_DEVID
24906
        #ifdef HAVE_PK_CALLBACKS
24907
            || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
24908
        #endif
24909
0
        )) {
24910
0
            WOLFSSL_MSG("Trying RSA public key with crypto callbacks");
24911
0
            idx = 0;
24912
0
            ret = wc_RsaPublicKeyDecode(ssl->buffers.key->buffer, &idx,
24913
0
                        (RsaKey*)ssl->hsKey, ssl->buffers.key->length);
24914
0
        }
24915
0
    #endif
24916
0
        if (ret == 0) {
24917
0
            WOLFSSL_MSG("Using RSA private key");
24918
24919
            /* It worked so check it meets minimum key size requirements. */
24920
0
            keySz = wc_RsaEncryptSize((RsaKey*)ssl->hsKey);
24921
0
            if (keySz < 0) { /* check if keySz has error case */
24922
0
                ERROR_OUT(keySz, exit_dpk);
24923
0
            }
24924
24925
0
            if (keySz < ssl->options.minRsaKeySz) {
24926
0
                WOLFSSL_MSG("RSA key size too small");
24927
0
                ERROR_OUT(RSA_KEY_SIZE_E, exit_dpk);
24928
0
            }
24929
24930
            /* Return the maximum signature length. */
24931
0
            *length = (word16)keySz;
24932
24933
0
            goto exit_dpk;
24934
0
        }
24935
0
    }
24936
0
#endif /* !NO_RSA */
24937
24938
0
#ifdef HAVE_ECC
24939
0
#ifndef NO_RSA
24940
0
    FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey);
24941
0
#endif /* !NO_RSA */
24942
24943
0
    if (ssl->buffers.keyType == ecc_dsa_sa_algo || ssl->buffers.keyType == 0) {
24944
0
        ssl->hsType = DYNAMIC_TYPE_ECC;
24945
0
        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
24946
0
        if (ret != 0) {
24947
0
            goto exit_dpk;
24948
0
        }
24949
24950
0
    #ifndef NO_RSA
24951
0
        WOLFSSL_MSG("Trying ECC private key, RSA didn't work");
24952
    #else
24953
        WOLFSSL_MSG("Trying ECC private key");
24954
    #endif
24955
24956
        /* Set start of data to beginning of buffer. */
24957
0
        idx = 0;
24958
        /* Decode the key assuming it is an ECC private key. */
24959
0
        ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
24960
0
                                     (ecc_key*)ssl->hsKey,
24961
0
                                     ssl->buffers.key->length);
24962
0
    #ifdef WOLF_PRIVATE_KEY_ID
24963
        /* if using external key then allow using a public key */
24964
0
        if (ret != 0 && (ssl->devId != INVALID_DEVID
24965
        #ifdef HAVE_PK_CALLBACKS
24966
            || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
24967
        #endif
24968
0
        )) {
24969
0
            WOLFSSL_MSG("Trying ECC public key with crypto callbacks");
24970
0
            idx = 0;
24971
0
            ret = wc_EccPublicKeyDecode(ssl->buffers.key->buffer, &idx,
24972
0
                                     (ecc_key*)ssl->hsKey,
24973
0
                                     ssl->buffers.key->length);
24974
0
        }
24975
0
    #endif
24976
0
        if (ret == 0) {
24977
0
            WOLFSSL_MSG("Using ECC private key");
24978
24979
            /* Check it meets the minimum ECC key size requirements. */
24980
0
            keySz = wc_ecc_size((ecc_key*)ssl->hsKey);
24981
0
            if (keySz < ssl->options.minEccKeySz) {
24982
0
                WOLFSSL_MSG("ECC key size too small");
24983
0
                ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk);
24984
0
            }
24985
24986
            /* Return the maximum signature length. */
24987
0
            *length = (word16)wc_ecc_sig_size((ecc_key*)ssl->hsKey);
24988
24989
0
            goto exit_dpk;
24990
0
        }
24991
0
    }
24992
0
#endif
24993
0
#if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT)
24994
0
    #if !defined(NO_RSA) || defined(HAVE_ECC)
24995
0
        FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey);
24996
0
    #endif
24997
24998
0
    if (ssl->buffers.keyType == ed25519_sa_algo || ssl->buffers.keyType == 0) {
24999
0
        ssl->hsType = DYNAMIC_TYPE_ED25519;
25000
0
        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
25001
0
        if (ret != 0) {
25002
0
            goto exit_dpk;
25003
0
        }
25004
25005
0
        #ifdef HAVE_ECC
25006
0
            WOLFSSL_MSG("Trying ED25519 private key, ECC didn't work");
25007
        #elif !defined(NO_RSA)
25008
            WOLFSSL_MSG("Trying ED25519 private key, RSA didn't work");
25009
        #else
25010
            WOLFSSL_MSG("Trying ED25519 private key");
25011
        #endif
25012
25013
        /* Set start of data to beginning of buffer. */
25014
0
        idx = 0;
25015
        /* Decode the key assuming it is an ED25519 private key. */
25016
0
        ret = wc_Ed25519PrivateKeyDecode(ssl->buffers.key->buffer, &idx,
25017
0
                                         (ed25519_key*)ssl->hsKey,
25018
0
                                         ssl->buffers.key->length);
25019
0
    #ifdef WOLF_PRIVATE_KEY_ID
25020
        /* if using external key then allow using a public key */
25021
0
        if (ret != 0 && (ssl->devId != INVALID_DEVID
25022
        #ifdef HAVE_PK_CALLBACKS
25023
            || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
25024
        #endif
25025
0
        )) {
25026
0
            WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks");
25027
0
            idx = 0;
25028
0
            ret = wc_Ed25519PublicKeyDecode(ssl->buffers.key->buffer, &idx,
25029
0
                                           (ed25519_key*)ssl->hsKey,
25030
0
                                            ssl->buffers.key->length);
25031
0
        }
25032
0
    #endif
25033
0
        if (ret == 0) {
25034
0
            WOLFSSL_MSG("Using ED25519 private key");
25035
25036
            /* Check it meets the minimum ECC key size requirements. */
25037
0
            if (ED25519_KEY_SIZE < ssl->options.minEccKeySz) {
25038
0
                WOLFSSL_MSG("ED25519 key size too small");
25039
0
                ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk);
25040
0
            }
25041
25042
            /* Return the maximum signature length. */
25043
0
            *length = ED25519_SIG_SIZE;
25044
25045
0
            goto exit_dpk;
25046
0
        }
25047
0
    }
25048
0
#endif /* HAVE_ED25519 && HAVE_ED25519_KEY_IMPORT */
25049
0
#if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT)
25050
0
    #if !defined(NO_RSA) || defined(HAVE_ECC)
25051
0
        FreeKey(ssl, ssl->hsType, (void**)&ssl->hsKey);
25052
0
    #endif
25053
25054
0
    if (ssl->buffers.keyType == ed448_sa_algo || ssl->buffers.keyType == 0) {
25055
0
        ssl->hsType = DYNAMIC_TYPE_ED448;
25056
0
        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
25057
0
        if (ret != 0) {
25058
0
            goto exit_dpk;
25059
0
        }
25060
25061
0
        #ifdef HAVE_ED25519
25062
0
            WOLFSSL_MSG("Trying ED448 private key, ED25519 didn't work");
25063
        #elif defined(HAVE_ECC)
25064
            WOLFSSL_MSG("Trying ED448 private key, ECC didn't work");
25065
        #elif !defined(NO_RSA)
25066
            WOLFSSL_MSG("Trying ED448 private key, RSA didn't work");
25067
        #else
25068
            WOLFSSL_MSG("Trying ED448 private key");
25069
        #endif
25070
25071
        /* Set start of data to beginning of buffer. */
25072
0
        idx = 0;
25073
        /* Decode the key assuming it is an ED448 private key. */
25074
0
        ret = wc_Ed448PrivateKeyDecode(ssl->buffers.key->buffer, &idx,
25075
0
                                       (ed448_key*)ssl->hsKey,
25076
0
                                       ssl->buffers.key->length);
25077
0
    #ifdef WOLF_PRIVATE_KEY_ID
25078
        /* if using external key then allow using a public key */
25079
0
        if (ret != 0 && (ssl->devId != INVALID_DEVID
25080
        #ifdef HAVE_PK_CALLBACKS
25081
            || wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)
25082
        #endif
25083
0
        )) {
25084
0
            WOLFSSL_MSG("Trying ED25519 public key with crypto callbacks");
25085
0
            idx = 0;
25086
0
            ret = wc_Ed448PublicKeyDecode(ssl->buffers.key->buffer, &idx,
25087
0
                                          (ed448_key*)ssl->hsKey,
25088
0
                                          ssl->buffers.key->length);
25089
0
        }
25090
0
    #endif
25091
0
        if (ret == 0) {
25092
0
            WOLFSSL_MSG("Using ED448 private key");
25093
25094
            /* Check it meets the minimum ECC key size requirements. */
25095
0
            if (ED448_KEY_SIZE < ssl->options.minEccKeySz) {
25096
0
                WOLFSSL_MSG("ED448 key size too small");
25097
0
                ERROR_OUT(ECC_KEY_SIZE_E, exit_dpk);
25098
0
            }
25099
25100
            /* Return the maximum signature length. */
25101
0
            *length = ED448_SIG_SIZE;
25102
25103
0
            goto exit_dpk;
25104
0
        }
25105
0
    }
25106
0
#endif /* HAVE_ED448 && HAVE_ED448_KEY_IMPORT */
25107
#if defined(HAVE_PQC)
25108
#if defined(HAVE_FALCON)
25109
    if (ssl->buffers.keyType == falcon_level1_sa_algo ||
25110
        ssl->buffers.keyType == falcon_level5_sa_algo ||
25111
        ssl->buffers.keyType == 0) {
25112
25113
        ssl->hsType = DYNAMIC_TYPE_FALCON;
25114
        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
25115
        if (ret != 0) {
25116
            goto exit_dpk;
25117
        }
25118
25119
        if (ssl->buffers.keyType == falcon_level1_sa_algo) {
25120
            ret = wc_falcon_set_level((falcon_key*)ssl->hsKey, 1);
25121
        }
25122
        else if (ssl->buffers.keyType == falcon_level5_sa_algo) {
25123
            ret = wc_falcon_set_level((falcon_key*)ssl->hsKey, 5);
25124
        }
25125
        else {
25126
            /* What if ssl->buffers.keyType is 0? We might want to do something
25127
             * more graceful here. */
25128
            ret = ALGO_ID_E;
25129
        }
25130
25131
        if (ret != 0) {
25132
            goto exit_dpk;
25133
        }
25134
25135
        #if defined(HAVE_ED448)
25136
            WOLFSSL_MSG("Trying Falcon private key, ED448 didn't work");
25137
        #elif defined(HAVE_ED25519)
25138
            WOLFSSL_MSG("Trying Falcon private key, ED25519 didn't work");
25139
        #elif defined(HAVE_ECC)
25140
            WOLFSSL_MSG("Trying Falcon private key, ECC didn't work");
25141
        #elif !defined(NO_RSA)
25142
            WOLFSSL_MSG("Trying Falcon private key, RSA didn't work");
25143
        #else
25144
            WOLFSSL_MSG("Trying Falcon private key");
25145
        #endif
25146
25147
        /* Set start of data to beginning of buffer. */
25148
        idx = 0;
25149
        /* Decode the key assuming it is a Falcon private key. */
25150
        ret = wc_falcon_import_private_only(ssl->buffers.key->buffer,
25151
                                            ssl->buffers.key->length,
25152
                                            (falcon_key*)ssl->hsKey);
25153
        if (ret == 0) {
25154
            WOLFSSL_MSG("Using Falcon private key");
25155
25156
            /* Check it meets the minimum Falcon key size requirements. */
25157
            if (FALCON_MAX_KEY_SIZE < ssl->options.minFalconKeySz) {
25158
                WOLFSSL_MSG("Falcon key size too small");
25159
                ERROR_OUT(FALCON_KEY_SIZE_E, exit_dpk);
25160
            }
25161
25162
            /* Return the maximum signature length. */
25163
            *length = FALCON_MAX_SIG_SIZE;
25164
25165
            goto exit_dpk;
25166
        }
25167
    }
25168
#endif /* HAVE_FALCON */
25169
#if defined(HAVE_DILITHIUM)
25170
    if (ssl->buffers.keyType == dilithium_level2_sa_algo ||
25171
        ssl->buffers.keyType == dilithium_level3_sa_algo ||
25172
        ssl->buffers.keyType == dilithium_level5_sa_algo ||
25173
        ssl->buffers.keyType == dilithium_aes_level2_sa_algo ||
25174
        ssl->buffers.keyType == dilithium_aes_level3_sa_algo ||
25175
        ssl->buffers.keyType == dilithium_aes_level5_sa_algo ||
25176
        ssl->buffers.keyType == 0) {
25177
25178
        ssl->hsType = DYNAMIC_TYPE_DILITHIUM;
25179
        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
25180
        if (ret != 0) {
25181
            goto exit_dpk;
25182
        }
25183
25184
        if (ssl->buffers.keyType == dilithium_level2_sa_algo) {
25185
            ret = wc_dilithium_set_level_and_sym((dilithium_key*)ssl->hsKey,
25186
                                                 2, SHAKE_VARIANT);
25187
        }
25188
        else if (ssl->buffers.keyType == dilithium_level3_sa_algo) {
25189
            ret = wc_dilithium_set_level_and_sym((dilithium_key*)ssl->hsKey,
25190
                                                 3, SHAKE_VARIANT);
25191
        }
25192
        else if (ssl->buffers.keyType == dilithium_level5_sa_algo) {
25193
            ret = wc_dilithium_set_level_and_sym((dilithium_key*)ssl->hsKey,
25194
                                                 5, SHAKE_VARIANT);
25195
        }
25196
        else if (ssl->buffers.keyType == dilithium_aes_level2_sa_algo) {
25197
            ret = wc_dilithium_set_level_and_sym((dilithium_key*)ssl->hsKey,
25198
                                                 2, AES_VARIANT);
25199
        }
25200
        else if (ssl->buffers.keyType == dilithium_aes_level3_sa_algo) {
25201
            ret = wc_dilithium_set_level_and_sym((dilithium_key*)ssl->hsKey,
25202
                                                 3, AES_VARIANT);
25203
        }
25204
        else if (ssl->buffers.keyType == dilithium_aes_level5_sa_algo) {
25205
            ret = wc_dilithium_set_level_and_sym((dilithium_key*)ssl->hsKey,
25206
                                                 5, AES_VARIANT);
25207
        }
25208
        else {
25209
            /* What if ssl->buffers.keyType is 0? We might want to do something
25210
             * more graceful here. */
25211
            ret = ALGO_ID_E;
25212
        }
25213
25214
        if (ret != 0) {
25215
            goto exit_dpk;
25216
        }
25217
25218
        #if defined(HAVE_ED448)
25219
            WOLFSSL_MSG("Trying Dilithium private key, ED448 didn't work");
25220
        #elif defined(HAVE_ED25519)
25221
            WOLFSSL_MSG("Trying Dilithium private key, ED25519 didn't work");
25222
        #elif defined(HAVE_ECC)
25223
            WOLFSSL_MSG("Trying Dilithium private key, ECC didn't work");
25224
        #elif !defined(NO_RSA)
25225
            WOLFSSL_MSG("Trying Dilithium private key, RSA didn't work");
25226
        #elif defined(HAVE_FALCON)
25227
            WOLFSSL_MSG("Trying Dilithium private key, Falcon didn't work");
25228
        #else
25229
            WOLFSSL_MSG("Trying Dilithium private key");
25230
        #endif
25231
25232
        /* Set start of data to beginning of buffer. */
25233
        idx = 0;
25234
        /* Decode the key assuming it is a Dilithium private key. */
25235
        ret = wc_dilithium_import_private_only(ssl->buffers.key->buffer,
25236
                                               ssl->buffers.key->length,
25237
                                               (dilithium_key*)ssl->hsKey);
25238
        if (ret == 0) {
25239
            WOLFSSL_MSG("Using Dilithium private key");
25240
25241
            /* Check it meets the minimum Dilithium key size requirements. */
25242
            if (DILITHIUM_MAX_KEY_SIZE < ssl->options.minDilithiumKeySz) {
25243
                WOLFSSL_MSG("Dilithium key size too small");
25244
                ERROR_OUT(DILITHIUM_KEY_SIZE_E, exit_dpk);
25245
            }
25246
25247
            /* Return the maximum signature length. */
25248
            *length = DILITHIUM_MAX_SIG_SIZE;
25249
25250
            goto exit_dpk;
25251
        }
25252
    }
25253
#endif /* HAVE_DILITHIUM */
25254
#endif /* HAVE_PQC */
25255
25256
0
    (void)idx;
25257
0
    (void)keySz;
25258
0
    (void)length;
25259
25260
0
exit_dpk:
25261
0
    if (ret != 0) {
25262
0
        WOLFSSL_ERROR_VERBOSE(ret);
25263
0
    }
25264
25265
0
    return ret;
25266
0
}
25267
25268
#endif /* WOLFSSL_TLS13 || !NO_WOLFSSL_CLIENT */
25269
25270
#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NO_TLS12)
25271
    /* returns 1 if able to do TLS 1.3 otherwise 0 */
25272
    int TLSv1_3_Capable(WOLFSSL* ssl)
25273
0
    {
25274
    #ifndef WOLFSSL_TLS13
25275
        return 0;
25276
    #else
25277
0
        int ret = 0;
25278
25279
0
        if (IsAtLeastTLSv1_3(ssl->ctx->method->version)) {
25280
0
            ret = 1;
25281
0
        }
25282
25283
0
        if ((wolfSSL_get_options(ssl) & WOLFSSL_OP_NO_TLSv1_3)) {
25284
            /* option set at run time to disable TLS 1.3 */
25285
0
            ret = 0;
25286
0
        }
25287
25288
0
        return ret;
25289
0
    #endif
25290
0
    }
25291
#endif /* WOLFSSL_TLS13 */
25292
25293
#ifndef WOLFSSL_NO_TLS12
25294
#if (!defined(NO_WOLFSSL_CLIENT) && (!defined(NO_DH) || defined(HAVE_ECC) || \
25295
      defined(HAVE_CURVE25519) || defined(HAVE_CURVE448))) || \
25296
    (!defined(NO_WOLFSSL_SERVER) && (defined(HAVE_ECC) || \
25297
      ((defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) && \
25298
       (defined(HAVE_ED25519) || defined(HAVE_ED448) || !defined(NO_RSA)))) || \
25299
     (!defined(NO_DH) && (!defined(NO_RSA) || defined(HAVE_ANON))))
25300
static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
25301
    const byte* data, int sz, byte sigAlgo)
25302
0
{
25303
0
    int ret = 0;
25304
0
    int digest_sz = wc_HashGetDigestSize(hashType);
25305
25306
0
    if (digest_sz <= 0) {
25307
0
        ret = BUFFER_ERROR;
25308
0
    }
25309
25310
0
    if (ret == 0) {
25311
        /* buffer for signature */
25312
0
        ssl->buffers.sig.buffer = (byte*)XMALLOC(SEED_LEN + sz, ssl->heap,
25313
0
                                                        DYNAMIC_TYPE_SIGNATURE);
25314
0
        if (ssl->buffers.sig.buffer == NULL) {
25315
0
            ret = MEMORY_E;
25316
0
        }
25317
0
    }
25318
0
    if (ret == 0) {
25319
0
        ssl->buffers.sig.length = SEED_LEN + sz;
25320
25321
        /* build message to hash */
25322
0
        XMEMCPY(ssl->buffers.sig.buffer, ssl->arrays->clientRandom, RAN_LEN);
25323
0
        XMEMCPY(&ssl->buffers.sig.buffer[RAN_LEN], ssl->arrays->serverRandom,
25324
0
            RAN_LEN);
25325
        /* message */
25326
0
        XMEMCPY(&ssl->buffers.sig.buffer[RAN_LEN * 2], data, sz);
25327
0
    }
25328
0
    if (ret == 0 && sigAlgo != ed25519_sa_algo && sigAlgo != ed448_sa_algo) {
25329
0
         ssl->buffers.digest.length = (unsigned int)digest_sz;
25330
25331
        /* buffer for hash */
25332
0
        ssl->buffers.digest.buffer = (byte*)XMALLOC(ssl->buffers.digest.length,
25333
0
            ssl->heap, DYNAMIC_TYPE_DIGEST);
25334
0
        if (ssl->buffers.digest.buffer == NULL) {
25335
0
            ret = MEMORY_E;
25336
0
        }
25337
0
    }
25338
0
    if (ret == 0 && sigAlgo != ed25519_sa_algo && sigAlgo != ed448_sa_algo) {
25339
        /* Perform hash. Only wc_Hash supports MD5_SHA1. */
25340
0
        ret = wc_Hash(hashType, ssl->buffers.sig.buffer,
25341
0
                                ssl->buffers.sig.length,
25342
0
                                ssl->buffers.digest.buffer,
25343
0
                                ssl->buffers.digest.length);
25344
0
        XFREE(ssl->buffers.sig.buffer, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
25345
0
        ssl->buffers.sig.buffer = NULL;
25346
0
    }
25347
25348
0
    return ret;
25349
0
}
25350
#endif
25351
#endif /* !WOLFSSL_NO_TLS12 */
25352
25353
/* client only parts */
25354
#ifndef NO_WOLFSSL_CLIENT
25355
25356
#ifndef WOLFSSL_NO_TLS12
25357
25358
    /* handle generation of client_hello (1) */
25359
    int SendClientHello(WOLFSSL* ssl)
25360
0
    {
25361
0
        byte              *output;
25362
0
        word32             length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
25363
0
        int                sendSz;
25364
0
        int                idSz;
25365
0
        int                ret;
25366
0
        word16             extSz = 0;
25367
25368
0
        if (ssl == NULL) {
25369
0
            return BAD_FUNC_ARG;
25370
0
        }
25371
25372
0
        idSz = ssl->options.resuming ? ssl->session->sessionIDSz : 0;
25373
25374
0
#ifdef WOLFSSL_TLS13
25375
0
        if (IsAtLeastTLSv1_3(ssl->version))
25376
0
            return SendTls13ClientHello(ssl);
25377
0
#endif
25378
25379
0
        WOLFSSL_START(WC_FUNC_CLIENT_HELLO_SEND);
25380
0
        WOLFSSL_ENTER("SendClientHello");
25381
25382
0
        if (ssl->suites == NULL) {
25383
0
            WOLFSSL_MSG("Bad suites pointer in SendClientHello");
25384
0
            return SUITES_ERROR;
25385
0
        }
25386
25387
0
#ifdef HAVE_SESSION_TICKET
25388
0
        if (ssl->options.resuming && ssl->session->ticketLen > 0) {
25389
0
            SessionTicket* ticket;
25390
25391
0
            ticket = TLSX_SessionTicket_Create(0, ssl->session->ticket,
25392
0
                                             ssl->session->ticketLen, ssl->heap);
25393
0
            if (ticket == NULL) return MEMORY_E;
25394
25395
0
            ret = TLSX_UseSessionTicket(&ssl->extensions, ticket, ssl->heap);
25396
0
            if (ret != WOLFSSL_SUCCESS) {
25397
0
                TLSX_SessionTicket_Free(ticket, ssl->heap);
25398
0
                return ret;
25399
0
            }
25400
25401
0
            idSz = 0;
25402
0
        }
25403
0
#endif
25404
0
        length = VERSION_SZ + RAN_LEN
25405
0
               + idSz + ENUM_LEN
25406
0
               + ssl->suites->suiteSz + SUITE_LEN
25407
0
               + COMP_LEN + ENUM_LEN;
25408
25409
0
#ifdef HAVE_TLS_EXTENSIONS
25410
        /* auto populate extensions supported unless user defined */
25411
0
        if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
25412
0
            return ret;
25413
0
        extSz = 0;
25414
0
        ret = TLSX_GetRequestSize(ssl, client_hello, &extSz);
25415
0
        if (ret != 0)
25416
0
            return ret;
25417
0
        length += extSz;
25418
#else
25419
        if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz)
25420
            extSz += HELLO_EXT_SZ + HELLO_EXT_SIGALGO_SZ
25421
                   + ssl->suites->hashSigAlgoSz;
25422
#ifdef HAVE_EXTENDED_MASTER
25423
        if (ssl->options.haveEMS)
25424
            extSz += HELLO_EXT_SZ;
25425
#endif
25426
        if (extSz != 0)
25427
            length += extSz + HELLO_EXT_SZ_SZ;
25428
#endif
25429
0
        sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
25430
25431
0
        if (ssl->arrays == NULL) {
25432
0
            return BAD_FUNC_ARG;
25433
0
        }
25434
25435
#ifdef WOLFSSL_DTLS
25436
        if (ssl->options.dtls) {
25437
            length += ENUM_LEN;   /* cookie */
25438
            if (ssl->arrays->cookieSz != 0) length += ssl->arrays->cookieSz;
25439
            sendSz  = length + DTLS_HANDSHAKE_HEADER_SZ + DTLS_RECORD_HEADER_SZ;
25440
            idx    += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
25441
        }
25442
#endif
25443
25444
0
        if (IsEncryptionOn(ssl, 1))
25445
0
            sendSz += MAX_MSG_EXTRA;
25446
25447
        /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
25448
         * is not advanced yet */
25449
0
        ssl->options.buildingMsg = 1;
25450
25451
        /* check for available size */
25452
0
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
25453
0
            return ret;
25454
25455
        /* get output buffer */
25456
0
        output = ssl->buffers.outputBuffer.buffer +
25457
0
                 ssl->buffers.outputBuffer.length;
25458
25459
0
        AddHeaders(output, length, client_hello, ssl);
25460
25461
        /* client hello, first version */
25462
0
        output[idx++] = ssl->version.major;
25463
0
        output[idx++] = ssl->version.minor;
25464
0
        ssl->chVersion = ssl->version;  /* store in case changed */
25465
25466
        /* then random */
25467
0
        if (ssl->options.connectState == CONNECT_BEGIN) {
25468
0
            ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
25469
0
            if (ret != 0)
25470
0
                return ret;
25471
25472
            /* store random */
25473
0
            XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN);
25474
0
        } else {
25475
#ifdef WOLFSSL_DTLS
25476
            /* send same random on hello again */
25477
            XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN);
25478
#endif
25479
0
        }
25480
0
        idx += RAN_LEN;
25481
25482
        /* then session id */
25483
0
        output[idx++] = (byte)idSz;
25484
0
        if (idSz) {
25485
0
            XMEMCPY(output + idx, ssl->session->sessionID,
25486
0
                                                      ssl->session->sessionIDSz);
25487
0
            idx += ssl->session->sessionIDSz;
25488
0
        }
25489
25490
        /* then DTLS cookie */
25491
#ifdef WOLFSSL_DTLS
25492
        if (ssl->options.dtls) {
25493
            byte cookieSz = ssl->arrays->cookieSz;
25494
25495
            output[idx++] = cookieSz;
25496
            if (cookieSz) {
25497
                XMEMCPY(&output[idx], ssl->arrays->cookie, cookieSz);
25498
                idx += cookieSz;
25499
            }
25500
        }
25501
#endif
25502
        /* then cipher suites */
25503
0
        c16toa(ssl->suites->suiteSz, output + idx);
25504
0
        idx += OPAQUE16_LEN;
25505
0
        XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz);
25506
0
        idx += ssl->suites->suiteSz;
25507
25508
        /* last, compression */
25509
0
        output[idx++] = COMP_LEN;
25510
0
        if (ssl->options.usingCompression)
25511
0
            output[idx++] = ZLIB_COMPRESSION;
25512
0
        else
25513
0
            output[idx++] = NO_COMPRESSION;
25514
25515
0
#ifdef HAVE_TLS_EXTENSIONS
25516
0
        extSz = 0;
25517
0
        ret = TLSX_WriteRequest(ssl, output + idx, client_hello, &extSz);
25518
0
        if (ret != 0)
25519
0
            return ret;
25520
0
        idx += extSz;
25521
25522
0
        (void)idx; /* suppress analyzer warning, keep idx current */
25523
#else
25524
        if (extSz != 0) {
25525
            c16toa(extSz, output + idx);
25526
            idx += HELLO_EXT_SZ_SZ;
25527
25528
            if (IsAtLeastTLSv1_2(ssl)) {
25529
                if (ssl->suites->hashSigAlgoSz) {
25530
                    word16 i;
25531
                    /* extension type */
25532
                    c16toa(HELLO_EXT_SIG_ALGO, output + idx);
25533
                    idx += HELLO_EXT_TYPE_SZ;
25534
                    /* extension data length */
25535
                    c16toa(HELLO_EXT_SIGALGO_SZ + ssl->suites->hashSigAlgoSz,
25536
                           output + idx);
25537
                    idx += HELLO_EXT_SZ_SZ;
25538
                    /* sig algos length */
25539
                    c16toa(ssl->suites->hashSigAlgoSz, output + idx);
25540
                    idx += HELLO_EXT_SIGALGO_SZ;
25541
                    for (i=0; i < ssl->suites->hashSigAlgoSz; i++, idx++) {
25542
                        output[idx] = ssl->suites->hashSigAlgo[i];
25543
                    }
25544
                }
25545
            }
25546
#ifdef HAVE_EXTENDED_MASTER
25547
            if (ssl->options.haveEMS) {
25548
                c16toa(HELLO_EXT_EXTMS, output + idx);
25549
                idx += HELLO_EXT_TYPE_SZ;
25550
                c16toa(0, output + idx);
25551
                idx += HELLO_EXT_SZ_SZ;
25552
            }
25553
#endif
25554
        }
25555
#endif
25556
25557
0
        if (IsEncryptionOn(ssl, 1)) {
25558
0
            byte* input;
25559
0
            int   inputSz = idx; /* build msg adds rec hdr */
25560
0
            int   recordHeaderSz = RECORD_HEADER_SZ;
25561
25562
0
            if (ssl->options.dtls)
25563
0
                recordHeaderSz += DTLS_RECORD_EXTRA;
25564
0
            inputSz -= recordHeaderSz;
25565
0
            input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
25566
0
            if (input == NULL)
25567
0
                return MEMORY_E;
25568
25569
0
            XMEMCPY(input, output + recordHeaderSz, inputSz);
25570
            #ifdef WOLFSSL_DTLS
25571
            if (IsDtlsNotSctpMode(ssl) &&
25572
                    (ret = DtlsMsgPoolSave(ssl, input, inputSz, client_hello)) != 0) {
25573
                XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
25574
                return ret;
25575
            }
25576
            #endif
25577
0
            sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
25578
0
                                  handshake, 1, 0, 0, CUR_ORDER);
25579
0
            XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
25580
25581
0
            if (sendSz < 0)
25582
0
                return sendSz;
25583
0
        } else {
25584
            #ifdef WOLFSSL_DTLS
25585
                if (IsDtlsNotSctpMode(ssl)) {
25586
                    if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, client_hello)) != 0)
25587
                        return ret;
25588
                }
25589
                if (ssl->options.dtls)
25590
                    DtlsSEQIncrement(ssl, CUR_ORDER);
25591
            #endif
25592
0
            ret = HashOutput(ssl, output, sendSz, 0);
25593
0
            if (ret != 0)
25594
0
                return ret;
25595
0
        }
25596
25597
0
        ssl->options.clientState = CLIENT_HELLO_COMPLETE;
25598
0
#ifdef OPENSSL_EXTRA
25599
0
        ssl->cbmode = SSL_CB_MODE_WRITE;
25600
0
        if (ssl->CBIS != NULL)
25601
0
            ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, SSL_SUCCESS);
25602
0
#endif
25603
25604
0
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
25605
0
        if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
25606
0
        if (ssl->toInfoOn)
25607
0
            AddPacketInfo(ssl, "ClientHello", handshake, output, sendSz,
25608
0
                          WRITE_PROTO, ssl->heap);
25609
0
#endif
25610
25611
0
        ssl->options.buildingMsg = 0;
25612
25613
0
        ssl->buffers.outputBuffer.length += sendSz;
25614
25615
0
        ret = SendBuffered(ssl);
25616
25617
0
        WOLFSSL_LEAVE("SendClientHello", ret);
25618
0
        WOLFSSL_END(WC_FUNC_CLIENT_HELLO_SEND);
25619
25620
0
        return ret;
25621
0
    }
25622
25623
25624
    /* handle processing of DTLS hello_verify_request (3) */
25625
    int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
25626
        word32 size)
25627
0
    {
25628
0
        ProtocolVersion pv;
25629
0
        byte            cookieSz;
25630
0
        word32          begin = *inOutIdx;
25631
25632
#ifdef WOLFSSL_CALLBACKS
25633
        if (ssl->hsInfoOn) AddPacketName(ssl, "HelloVerifyRequest");
25634
        if (ssl->toInfoOn) AddLateName("HelloVerifyRequest", &ssl->timeoutInfo);
25635
#endif
25636
25637
#ifdef WOLFSSL_DTLS
25638
        if (ssl->options.dtls) {
25639
            DtlsMsgPoolReset(ssl);
25640
        }
25641
#endif
25642
25643
0
        if (OPAQUE16_LEN + OPAQUE8_LEN > size)
25644
0
            return BUFFER_ERROR;
25645
25646
0
        XMEMCPY(&pv, input + *inOutIdx, OPAQUE16_LEN);
25647
0
        *inOutIdx += OPAQUE16_LEN;
25648
25649
0
        if (pv.major != DTLS_MAJOR ||
25650
0
                         (pv.minor != DTLS_MINOR && pv.minor != DTLSv1_2_MINOR))
25651
0
            return VERSION_ERROR;
25652
25653
0
        cookieSz = input[(*inOutIdx)++];
25654
25655
0
        if (cookieSz) {
25656
0
            if ((*inOutIdx - begin) + cookieSz > size)
25657
0
                return BUFFER_ERROR;
25658
25659
#ifdef WOLFSSL_DTLS
25660
            if (cookieSz <= MAX_COOKIE_LEN) {
25661
                XMEMCPY(ssl->arrays->cookie, input + *inOutIdx, cookieSz);
25662
                ssl->arrays->cookieSz = cookieSz;
25663
            }
25664
#endif
25665
0
            *inOutIdx += cookieSz;
25666
0
        }
25667
25668
#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13)
25669
        if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.dtls) {
25670
            /* we sent a TLSv1.3 ClientHello but received a
25671
             * HELLO_VERIFY_REQUEST */
25672
            if (!ssl->options.downgrade ||
25673
                    ssl->options.minDowngrade < pv.minor)
25674
                return VERSION_ERROR;
25675
        }
25676
#endif /* defined(WOLFSSL_DTLS13) && defined(WOLFSSL_TLS13) */
25677
25678
0
        ssl->options.serverState = SERVER_HELLOVERIFYREQUEST_COMPLETE;
25679
25680
0
        return 0;
25681
0
    }
25682
25683
25684
    static WC_INLINE int DSH_CheckSessionId(WOLFSSL* ssl)
25685
0
    {
25686
0
        int ret = 0;
25687
25688
#ifdef HAVE_SECRET_CALLBACK
25689
        /* If a session secret callback exists, we are using that
25690
         * key instead of the saved session key. Requires a ticket. */
25691
        ret = ret || (ssl->sessionSecretCb != NULL
25692
#ifdef HAVE_SESSION_TICKET
25693
                && ssl->session->ticketLen > 0
25694
#endif
25695
                );
25696
#endif
25697
25698
0
#ifdef HAVE_SESSION_TICKET
25699
        /* server may send blank ticket which may not be expected to indicate
25700
         * existing one ok but will also be sending a new one */
25701
0
        ret = ret || (ssl->session->ticketLen > 0);
25702
0
#endif
25703
25704
0
        ret = ret ||
25705
0
              (ssl->options.haveSessionId && XMEMCMP(ssl->arrays->sessionID,
25706
0
                                          ssl->session->sessionID, ID_LEN) == 0);
25707
25708
0
        return ret;
25709
0
    }
25710
25711
    /* Check the version in the received message is valid and set protocol
25712
     * version to use.
25713
     *
25714
     * ssl  The SSL/TLS object.
25715
     * pv   The protocol version from the packet.
25716
     * returns 0 on success, otherwise failure.
25717
     */
25718
    int CheckVersion(WOLFSSL *ssl, ProtocolVersion pv)
25719
0
    {
25720
0
        byte lowerVersion, higherVersion;
25721
    #ifdef WOLFSSL_TLS13_DRAFT
25722
        if (pv.major == TLS_DRAFT_MAJOR) {
25723
            pv.major = SSLv3_MAJOR;
25724
            pv.minor = TLSv1_3_MINOR;
25725
        }
25726
    #endif
25727
25728
0
        #ifdef OPENSSL_EXTRA
25729
0
        if (ssl->CBIS != NULL) {
25730
0
            ssl->CBIS(ssl, SSL_CB_HANDSHAKE_START, SSL_SUCCESS);
25731
0
        }
25732
0
        #endif
25733
25734
0
        if (ssl->options.dtls) {
25735
0
            if (pv.major != DTLS_MAJOR || pv.minor == DTLS_BOGUS_MINOR) {
25736
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
25737
0
                return VERSION_ERROR;
25738
0
            }
25739
0
            lowerVersion = pv.minor > ssl->version.minor;
25740
0
            higherVersion = pv.minor < ssl->version.minor;
25741
0
        }
25742
0
        else {
25743
0
            if (pv.major != SSLv3_MAJOR) {
25744
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
25745
0
                return VERSION_ERROR;
25746
0
            }
25747
0
            lowerVersion = pv.minor < ssl->version.minor;
25748
0
            higherVersion = pv.minor > ssl->version.minor;
25749
0
        }
25750
25751
0
        if (higherVersion) {
25752
0
            WOLFSSL_MSG("Server using higher version, fatal error");
25753
0
            WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
25754
0
            return VERSION_ERROR;
25755
0
        }
25756
0
        if (lowerVersion) {
25757
0
            WOLFSSL_MSG("server using lower version");
25758
25759
            /* Check for downgrade attack. */
25760
0
            if (!ssl->options.downgrade) {
25761
0
                WOLFSSL_MSG("\tno downgrade allowed, fatal error");
25762
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
25763
0
                return VERSION_ERROR;
25764
0
            }
25765
0
            if ((!ssl->options.dtls && pv.minor < ssl->options.minDowngrade) ||
25766
0
                (ssl->options.dtls && pv.minor > ssl->options.minDowngrade)) {
25767
0
                WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
25768
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
25769
0
                return VERSION_ERROR;
25770
0
            }
25771
25772
            #ifdef HAVE_SECURE_RENEGOTIATION
25773
                if (ssl->secure_renegotiation &&
25774
                                         ssl->secure_renegotiation->enabled &&
25775
                                         ssl->options.handShakeDone) {
25776
                    WOLFSSL_MSG("Server changed version during scr");
25777
                    WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
25778
                    return VERSION_ERROR;
25779
                }
25780
            #endif
25781
25782
            /* Checks made - OK to downgrade. */
25783
0
                ssl->version.minor = pv.minor;
25784
0
                switch(pv.minor) {
25785
0
                case SSLv3_MINOR:
25786
                    /* turn off tls */
25787
0
                    WOLFSSL_MSG("\tdowngrading to SSLv3");
25788
0
                    ssl->options.tls    = 0;
25789
0
                    ssl->options.tls1_1 = 0;
25790
0
                    break;
25791
0
                case TLSv1_MINOR:
25792
                    /* turn off tls 1.1+ */
25793
0
                    WOLFSSL_MSG("\tdowngrading to TLSv1");
25794
0
                    ssl->options.tls1_1 = 0;
25795
0
                    break;
25796
0
                case TLSv1_1_MINOR:
25797
0
                    WOLFSSL_MSG("\tdowngrading to TLSv1.1");
25798
0
                    break;
25799
0
                case DTLS_MINOR:
25800
0
                    WOLFSSL_MSG("\tdowngrading to DTLSv1.1");
25801
0
                    break;
25802
0
                case TLSv1_2_MINOR:
25803
0
                    WOLFSSL_MSG("\tdowngrading to TLSv1.2");
25804
0
                    break;
25805
0
                case DTLSv1_2_MINOR:
25806
0
                    WOLFSSL_MSG("\tdowngrading to DTLSv1.2");
25807
0
                    break;
25808
0
                default:
25809
0
                    WOLFSSL_MSG("\tbad minor version");
25810
0
                    WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
25811
0
                    return VERSION_ERROR;
25812
0
                }
25813
0
        }
25814
25815
        /* check if option is set to not allow the current version
25816
         * set from either wolfSSL_set_options or wolfSSL_CTX_set_options */
25817
0
        if (!ssl->options.dtls && ssl->options.downgrade &&
25818
0
            ssl->options.mask > 0) {
25819
25820
0
            if (ssl->version.minor == TLSv1_2_MINOR &&
25821
0
               (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) ==
25822
0
                WOLFSSL_OP_NO_TLSv1_2) {
25823
0
                WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
25824
0
                ssl->version.minor = TLSv1_1_MINOR;
25825
0
            }
25826
25827
0
            if (ssl->version.minor == TLSv1_1_MINOR &&
25828
0
               (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) ==
25829
0
                WOLFSSL_OP_NO_TLSv1_1) {
25830
0
                WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
25831
0
                ssl->options.tls1_1 = 0;
25832
0
                ssl->version.minor = TLSv1_MINOR;
25833
0
            }
25834
25835
0
            if (ssl->version.minor == TLSv1_MINOR &&
25836
0
                (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) ==
25837
0
                WOLFSSL_OP_NO_TLSv1) {
25838
0
                WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
25839
0
                ssl->options.tls    = 0;
25840
0
                ssl->options.tls1_1 = 0;
25841
0
                ssl->version.minor = SSLv3_MINOR;
25842
0
            }
25843
25844
0
            if (ssl->version.minor == SSLv3_MINOR &&
25845
0
                (ssl->options.mask & WOLFSSL_OP_NO_SSLv3) ==
25846
0
                WOLFSSL_OP_NO_SSLv3) {
25847
0
                WOLFSSL_MSG("\tError, option set to not allow SSLv3");
25848
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
25849
0
                return VERSION_ERROR;
25850
0
            }
25851
25852
0
            if (ssl->version.minor < ssl->options.minDowngrade) {
25853
0
                WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
25854
0
                WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
25855
0
                return VERSION_ERROR;
25856
0
            }
25857
0
        }
25858
25859
0
        return 0;
25860
0
    }
25861
25862
    /* handle processing of server_hello (2) */
25863
    int DoServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
25864
                      word32 helloSz)
25865
0
    {
25866
0
        byte            cs0;   /* cipher suite bytes 0, 1 */
25867
0
        byte            cs1;
25868
0
        ProtocolVersion pv;
25869
0
        byte            compression;
25870
0
        word32          i = *inOutIdx;
25871
0
        word32          begin = i;
25872
0
        int             ret;
25873
25874
0
        WOLFSSL_START(WC_FUNC_SERVER_HELLO_DO);
25875
0
        WOLFSSL_ENTER("DoServerHello");
25876
25877
#ifdef WOLFSSL_CALLBACKS
25878
        if (ssl->hsInfoOn) AddPacketName(ssl, "ServerHello");
25879
        if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
25880
#endif
25881
25882
        /* protocol version, random and session id length check */
25883
0
        if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
25884
0
            return BUFFER_ERROR;
25885
25886
        /* protocol version */
25887
0
        XMEMCPY(&pv, input + i, OPAQUE16_LEN);
25888
0
        i += OPAQUE16_LEN;
25889
25890
0
        ret = CheckVersion(ssl, pv);
25891
0
        if (ret != 0)
25892
0
            return ret;
25893
25894
0
#ifdef WOLFSSL_TLS13
25895
0
        if (IsAtLeastTLSv1_3(pv)) {
25896
0
            byte type = server_hello;
25897
0
            return DoTls13ServerHello(ssl, input, inOutIdx, helloSz, &type);
25898
0
        }
25899
0
#endif
25900
25901
        /* random */
25902
0
        XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
25903
0
        i += RAN_LEN;
25904
25905
        /* session id */
25906
0
        ssl->arrays->sessionIDSz = input[i++];
25907
25908
0
        if (ssl->arrays->sessionIDSz > ID_LEN) {
25909
0
            WOLFSSL_MSG("Invalid session ID size");
25910
0
            ssl->arrays->sessionIDSz = 0;
25911
0
            return BUFFER_ERROR;
25912
0
        }
25913
0
        else if (ssl->arrays->sessionIDSz) {
25914
0
            if ((i - begin) + ssl->arrays->sessionIDSz > helloSz)
25915
0
                return BUFFER_ERROR;
25916
25917
0
            XMEMCPY(ssl->arrays->sessionID, input + i,
25918
0
                                                      ssl->arrays->sessionIDSz);
25919
0
            i += ssl->arrays->sessionIDSz;
25920
0
            ssl->options.haveSessionId = 1;
25921
0
        }
25922
25923
25924
        /* suite and compression */
25925
0
        if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz)
25926
0
            return BUFFER_ERROR;
25927
25928
0
        cs0 = input[i++];
25929
0
        cs1 = input[i++];
25930
25931
#ifdef HAVE_SECURE_RENEGOTIATION
25932
        if (ssl->secure_renegotiation && ssl->secure_renegotiation->enabled &&
25933
                                         ssl->options.handShakeDone) {
25934
            if (ssl->options.cipherSuite0 != cs0 ||
25935
                ssl->options.cipherSuite  != cs1) {
25936
                WOLFSSL_MSG("Server changed cipher suite during scr");
25937
                WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR);
25938
                return MATCH_SUITE_ERROR;
25939
            }
25940
        }
25941
#endif
25942
25943
0
        ssl->options.cipherSuite0 = cs0;
25944
0
        ssl->options.cipherSuite  = cs1;
25945
    #ifdef WOLFSSL_DEBUG_TLS
25946
        WOLFSSL_MSG("Chosen cipher suite:");
25947
        WOLFSSL_MSG(GetCipherNameInternal(ssl->options.cipherSuite0,
25948
                                          ssl->options.cipherSuite));
25949
    #endif
25950
25951
0
        compression = input[i++];
25952
25953
0
#ifndef WOLFSSL_NO_STRICT_CIPHER_SUITE
25954
0
        {
25955
0
            word32 idx, found = 0;
25956
            /* confirm server_hello cipher suite is one sent in client_hello */
25957
0
            for (idx = 0; idx < ssl->suites->suiteSz; idx += 2) {
25958
0
                if (ssl->suites->suites[idx]   == cs0 &&
25959
0
                    ssl->suites->suites[idx+1] == cs1) {
25960
0
                    found = 1;
25961
0
                    break;
25962
0
                }
25963
0
            }
25964
0
            if (!found) {
25965
0
                WOLFSSL_MSG("ServerHello did not use cipher suite from ClientHello");
25966
0
                WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR);
25967
0
                return MATCH_SUITE_ERROR;
25968
0
            }
25969
0
        }
25970
0
#endif /* !WOLFSSL_NO_STRICT_CIPHER_SUITE */
25971
25972
0
        if (compression != NO_COMPRESSION && !ssl->options.usingCompression) {
25973
0
            WOLFSSL_MSG("Server forcing compression w/o support");
25974
0
            WOLFSSL_ERROR_VERBOSE(COMPRESSION_ERROR);
25975
0
            return COMPRESSION_ERROR;
25976
0
        }
25977
25978
0
        if (compression != ZLIB_COMPRESSION && ssl->options.usingCompression) {
25979
0
            WOLFSSL_MSG("Server refused compression, turning off");
25980
0
            ssl->options.usingCompression = 0;  /* turn off if server refused */
25981
0
        }
25982
25983
0
        *inOutIdx = i;
25984
25985
0
#ifdef HAVE_TLS_EXTENSIONS
25986
0
        if ( (i - begin) < helloSz) {
25987
0
            if (TLSX_SupportExtensions(ssl)) {
25988
0
                word16 totalExtSz;
25989
25990
0
                if ((i - begin) + OPAQUE16_LEN > helloSz)
25991
0
                    return BUFFER_ERROR;
25992
25993
0
                ato16(&input[i], &totalExtSz);
25994
0
                i += OPAQUE16_LEN;
25995
25996
0
                if ((i - begin) + totalExtSz > helloSz)
25997
0
                    return BUFFER_ERROR;
25998
25999
0
                if ((ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz,
26000
0
                                                           server_hello, NULL)))
26001
0
                    return ret;
26002
26003
0
                i += totalExtSz;
26004
0
                *inOutIdx = i;
26005
0
            }
26006
0
            else
26007
0
                *inOutIdx = begin + helloSz; /* skip extensions */
26008
0
        }
26009
0
        else
26010
0
            ssl->options.haveEMS = 0; /* If no extensions, no EMS */
26011
#else
26012
        {
26013
            int allowExt = 0;
26014
            byte pendingEMS = 0;
26015
26016
            if ( (i - begin) < helloSz) {
26017
                if (ssl->version.major == SSLv3_MAJOR &&
26018
                    ssl->version.minor >= TLSv1_MINOR) {
26019
26020
                    allowExt = 1;
26021
                }
26022
#ifdef WOLFSSL_DTLS
26023
                if (ssl->version.major == DTLS_MAJOR)
26024
                    allowExt = 1;
26025
#endif
26026
26027
                if (allowExt) {
26028
                    word16 totalExtSz;
26029
26030
                    if ((i - begin) + OPAQUE16_LEN > helloSz)
26031
                        return BUFFER_ERROR;
26032
26033
                    ato16(&input[i], &totalExtSz);
26034
                    i += OPAQUE16_LEN;
26035
26036
                    if ((i - begin) + totalExtSz > helloSz)
26037
                        return BUFFER_ERROR;
26038
26039
                    while (totalExtSz) {
26040
                        word16 extId, extSz;
26041
26042
                        if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz)
26043
                            return BUFFER_ERROR;
26044
26045
                        ato16(&input[i], &extId);
26046
                        i += OPAQUE16_LEN;
26047
                        ato16(&input[i], &extSz);
26048
                        i += OPAQUE16_LEN;
26049
26050
                        if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz)
26051
                            return BUFFER_ERROR;
26052
26053
                        if (extId == HELLO_EXT_EXTMS)
26054
                            pendingEMS = 1;
26055
                        else
26056
                            i += extSz;
26057
26058
                        totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz;
26059
                    }
26060
26061
                    *inOutIdx = i;
26062
                }
26063
                else
26064
                    *inOutIdx = begin + helloSz; /* skip extensions */
26065
            }
26066
26067
            if (!pendingEMS && ssl->options.haveEMS)
26068
                ssl->options.haveEMS = 0;
26069
        }
26070
#endif
26071
26072
0
        ssl->options.serverState = SERVER_HELLO_COMPLETE;
26073
26074
0
        if (IsEncryptionOn(ssl, 0)) {
26075
0
            *inOutIdx += ssl->keys.padSz;
26076
0
        #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
26077
0
            if (ssl->options.startedETMWrite &&
26078
0
                                              ssl->specs.cipher_type == block) {
26079
0
                *inOutIdx += MacSize(ssl);
26080
0
            }
26081
0
        #endif
26082
0
        }
26083
26084
#ifdef HAVE_SECRET_CALLBACK
26085
        if (ssl->sessionSecretCb != NULL
26086
#ifdef HAVE_SESSION_TICKET
26087
                && ssl->session->ticketLen > 0
26088
#endif
26089
                ) {
26090
            int secretSz = SECRET_LEN;
26091
            ret = ssl->sessionSecretCb(ssl, ssl->session->masterSecret,
26092
                                              &secretSz, ssl->sessionSecretCtx);
26093
            if (ret != 0 || secretSz != SECRET_LEN) {
26094
                WOLFSSL_ERROR_VERBOSE(SESSION_SECRET_CB_E);
26095
                return SESSION_SECRET_CB_E;
26096
            }
26097
        }
26098
#endif /* HAVE_SECRET_CALLBACK */
26099
26100
0
        ret = CompleteServerHello(ssl);
26101
26102
0
        WOLFSSL_LEAVE("DoServerHello", ret);
26103
0
        WOLFSSL_END(WC_FUNC_SERVER_HELLO_DO);
26104
26105
0
        return ret;
26106
0
    }
26107
26108
    int CompleteServerHello(WOLFSSL* ssl)
26109
0
    {
26110
0
        int ret;
26111
26112
0
        if (!ssl->options.resuming) {
26113
0
            byte* down = ssl->arrays->serverRandom + RAN_LEN -
26114
0
                                                         TLS13_DOWNGRADE_SZ - 1;
26115
0
            byte  vers = ssl->arrays->serverRandom[RAN_LEN - 1];
26116
0
    #ifdef WOLFSSL_TLS13
26117
0
            if (TLSv1_3_Capable(ssl)) {
26118
                /* TLS v1.3 capable client not allowed to downgrade when
26119
                 * connecting to TLS v1.3 capable server unless cipher suite
26120
                 * demands it.
26121
                 */
26122
0
                if (XMEMCMP(down, tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
26123
0
                                                     (vers == 0 || vers == 1)) {
26124
0
                    SendAlert(ssl, alert_fatal, illegal_parameter);
26125
0
                    WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
26126
0
                    return VERSION_ERROR;
26127
0
                }
26128
0
            }
26129
0
            else
26130
0
    #endif
26131
0
            if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
26132
0
                ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
26133
0
                (wolfSSL_get_options(ssl) & WOLFSSL_OP_NO_TLSv1_2) == 0) {
26134
                /* TLS v1.2 capable client not allowed to downgrade when
26135
                 * connecting to TLS v1.2 capable server.
26136
                 */
26137
0
                if (XMEMCMP(down, tls13Downgrade, TLS13_DOWNGRADE_SZ) == 0 &&
26138
0
                                                                    vers == 0) {
26139
0
                    SendAlert(ssl, alert_fatal, illegal_parameter);
26140
0
                    WOLFSSL_ERROR_VERBOSE(VERSION_ERROR);
26141
0
                    return VERSION_ERROR;
26142
0
                }
26143
0
            }
26144
0
        }
26145
0
        else {
26146
0
            if (DSH_CheckSessionId(ssl)) {
26147
0
                if (SetCipherSpecs(ssl) == 0) {
26148
26149
0
                    XMEMCPY(ssl->arrays->masterSecret,
26150
0
                            ssl->session->masterSecret, SECRET_LEN);
26151
            #ifdef NO_OLD_TLS
26152
                    ret = DeriveTlsKeys(ssl);
26153
            #else
26154
0
                    ret = -1; /* default value */
26155
0
                #ifndef NO_TLS
26156
0
                    if (ssl->options.tls)
26157
0
                        ret = DeriveTlsKeys(ssl);
26158
0
                #endif
26159
0
                    if (!ssl->options.tls)
26160
0
                        ret = DeriveKeys(ssl);
26161
0
            #endif /* NO_OLD_TLS */
26162
                    /* SERVER: peer auth based on session secret. */
26163
0
                    ssl->options.peerAuthGood = (ret == 0);
26164
0
                    ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
26165
26166
0
                    return ret;
26167
0
                }
26168
0
                else {
26169
0
                    WOLFSSL_MSG("Unsupported cipher suite, DoServerHello");
26170
0
                    WOLFSSL_ERROR_VERBOSE(UNSUPPORTED_SUITE);
26171
0
                    return UNSUPPORTED_SUITE;
26172
0
                }
26173
0
            }
26174
0
            else {
26175
0
                WOLFSSL_MSG("Server denied resumption attempt");
26176
0
                ssl->options.resuming = 0; /* server denied resumption try */
26177
0
            }
26178
0
        }
26179
0
        return SetCipherSpecs(ssl);
26180
0
    }
26181
26182
#endif /* !WOLFSSL_NO_TLS12 */
26183
26184
26185
    /* Make sure client setup is valid for this suite, true on success */
26186
    int VerifyClientSuite(WOLFSSL* ssl)
26187
0
    {
26188
    #ifndef NO_PSK
26189
        int  havePSK = ssl->options.havePSK;
26190
    #endif
26191
0
        byte first   = ssl->options.cipherSuite0;
26192
0
        byte second  = ssl->options.cipherSuite;
26193
26194
0
        WOLFSSL_ENTER("VerifyClientSuite");
26195
26196
0
        if (CipherRequires(first, second, REQUIRES_PSK)) {
26197
0
            WOLFSSL_MSG("Requires PSK");
26198
        #ifndef NO_PSK
26199
            if (havePSK == 0)
26200
        #endif
26201
0
            {
26202
0
                WOLFSSL_MSG("Don't have PSK");
26203
0
                return 0;
26204
0
            }
26205
0
        }
26206
26207
0
        return 1;  /* success */
26208
0
    }
26209
26210
#ifndef WOLFSSL_NO_TLS12
26211
26212
#ifndef NO_CERTS
26213
    /* handle processing of certificate_request (13) */
26214
    static int DoCertificateRequest(WOLFSSL* ssl, const byte* input, word32*
26215
                                    inOutIdx, word32 size)
26216
0
    {
26217
0
        word16 len;
26218
0
        word32 begin = *inOutIdx;
26219
0
    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
26220
0
        defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
26221
0
        int ret;
26222
0
    #endif
26223
0
    #ifdef OPENSSL_EXTRA
26224
0
        WOLFSSL_X509* x509 = NULL;
26225
0
        WOLFSSL_EVP_PKEY* pkey = NULL;
26226
0
    #endif
26227
26228
0
        WOLFSSL_START(WC_FUNC_CERTIFICATE_REQUEST_DO);
26229
0
        WOLFSSL_ENTER("DoCertificateRequest");
26230
26231
        #ifdef WOLFSSL_CALLBACKS
26232
            if (ssl->hsInfoOn)
26233
                AddPacketName(ssl, "CertificateRequest");
26234
            if (ssl->toInfoOn)
26235
                AddLateName("CertificateRequest", &ssl->timeoutInfo);
26236
        #endif
26237
26238
0
        if (OPAQUE8_LEN > size)
26239
0
            return BUFFER_ERROR;
26240
26241
0
        len = input[(*inOutIdx)++];
26242
26243
0
        if ((*inOutIdx - begin) + len > size)
26244
0
            return BUFFER_ERROR;
26245
26246
        /* types, read in here */
26247
0
        *inOutIdx += len;
26248
26249
        /* signature and hash signature algorithm */
26250
0
        if (IsAtLeastTLSv1_2(ssl)) {
26251
0
            if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
26252
0
                return BUFFER_ERROR;
26253
26254
0
            ato16(input + *inOutIdx, &len);
26255
0
            *inOutIdx += OPAQUE16_LEN;
26256
26257
0
            if ((len > size) || ((*inOutIdx - begin) + len > size))
26258
0
                return BUFFER_ERROR;
26259
26260
0
            if (PickHashSigAlgo(ssl, input + *inOutIdx, len) != 0 &&
26261
0
                                             ssl->buffers.certificate &&
26262
0
                                             ssl->buffers.certificate->buffer) {
26263
            #ifdef HAVE_PK_CALLBACKS
26264
                if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
26265
                    WOLFSSL_MSG("Using PK for client private key");
26266
                    WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
26267
                    return INVALID_PARAMETER;
26268
                }
26269
            #endif
26270
0
                if (ssl->buffers.key && ssl->buffers.key->buffer) {
26271
0
                    WOLFSSL_ERROR_VERBOSE(INVALID_PARAMETER);
26272
0
                    return INVALID_PARAMETER;
26273
0
                }
26274
0
            }
26275
0
            *inOutIdx += len;
26276
0
    #ifdef WC_RSA_PSS
26277
0
            ssl->pssAlgo = 0;
26278
0
            if (ssl->suites->sigAlgo == rsa_pss_sa_algo)
26279
0
                ssl->pssAlgo |= 1 << ssl->suites->hashAlgo;
26280
0
    #endif
26281
0
        }
26282
26283
        /* authorities */
26284
0
        if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
26285
0
            return BUFFER_ERROR;
26286
26287
        /* DN seq length */
26288
0
        ato16(input + *inOutIdx, &len);
26289
0
        *inOutIdx += OPAQUE16_LEN;
26290
26291
0
        if ((*inOutIdx - begin) + len > size)
26292
0
            return BUFFER_ERROR;
26293
26294
0
    #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
26295
0
        if (ssl->ca_names != ssl->ctx->ca_names)
26296
0
            wolfSSL_sk_X509_NAME_pop_free(ssl->ca_names, NULL);
26297
0
        ssl->ca_names = wolfSSL_sk_X509_NAME_new(NULL);
26298
0
        if (ssl->ca_names == NULL) {
26299
0
            return MEMORY_ERROR;
26300
0
        }
26301
0
    #endif
26302
26303
0
        while (len) {
26304
0
            word16 dnSz;
26305
26306
0
            if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
26307
0
                return BUFFER_ERROR;
26308
26309
0
            ato16(input + *inOutIdx, &dnSz);
26310
0
            *inOutIdx += OPAQUE16_LEN;
26311
26312
0
            if ((*inOutIdx - begin) + dnSz > size)
26313
0
                return BUFFER_ERROR;
26314
26315
0
        #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
26316
0
            {
26317
0
                WOLFSSL_X509_NAME* name = NULL;
26318
                /* Use a DecodedCert struct to get access to GetName to
26319
                 * parse DN name */
26320
0
#ifdef WOLFSSL_SMALL_STACK
26321
0
                DecodedCert *cert = (DecodedCert *)XMALLOC(
26322
0
                    sizeof(*cert), ssl->heap, DYNAMIC_TYPE_DCERT);
26323
0
                if (cert == NULL)
26324
0
                    return MEMORY_ERROR;
26325
#else
26326
                DecodedCert cert[1];
26327
#endif
26328
26329
0
                InitDecodedCert(cert, input + *inOutIdx, dnSz, ssl->heap);
26330
26331
0
                ret = GetName(cert, SUBJECT, dnSz);
26332
26333
0
                if (ret == 0) {
26334
0
                    if ((name = wolfSSL_X509_NAME_new()) == NULL)
26335
0
                        ret = MEMORY_ERROR;
26336
0
                }
26337
26338
0
                if (ret == 0) {
26339
0
                    CopyDecodedName(name, cert, SUBJECT);
26340
0
                }
26341
26342
0
                if (ret == 0) {
26343
0
                    if (wolfSSL_sk_X509_NAME_push(ssl->ca_names, name)
26344
0
                        == WOLFSSL_FAILURE)
26345
0
                    {
26346
0
                        ret = MEMORY_ERROR;
26347
0
                    }
26348
0
                }
26349
26350
0
                FreeDecodedCert(cert);
26351
26352
0
#ifdef WOLFSSL_SMALL_STACK
26353
0
                XFREE(cert, ssl->heap, DYNAMIC_TYPE_DCERT);
26354
0
#endif
26355
0
                if (ret != 0) {
26356
0
                    if (name != NULL)
26357
0
                        wolfSSL_X509_NAME_free(name);
26358
0
                    return ret;
26359
0
                }
26360
0
            }
26361
0
        #endif
26362
26363
0
            *inOutIdx += dnSz;
26364
0
            len -= OPAQUE16_LEN + dnSz;
26365
0
        }
26366
26367
0
    #ifdef OPENSSL_EXTRA
26368
        /* call client cert callback if no cert has been loaded */
26369
0
        if ((ssl->ctx->CBClientCert != NULL) &&
26370
0
            (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer)) {
26371
26372
0
            ret = ssl->ctx->CBClientCert(ssl, &x509, &pkey);
26373
0
            if (ret == 1) {
26374
0
                if ((wolfSSL_use_certificate(ssl, x509) != WOLFSSL_SUCCESS) ||
26375
0
                    (wolfSSL_use_PrivateKey(ssl, pkey) != WOLFSSL_SUCCESS)) {
26376
0
                    WOLFSSL_ERROR_VERBOSE(CLIENT_CERT_CB_ERROR);
26377
0
                    return CLIENT_CERT_CB_ERROR;
26378
0
                }
26379
0
                wolfSSL_X509_free(x509);
26380
0
                wolfSSL_EVP_PKEY_free(pkey);
26381
26382
0
            }
26383
0
            else if (ret < 0) {
26384
0
                return WOLFSSL_ERROR_WANT_X509_LOOKUP;
26385
0
            }
26386
0
        }
26387
0
        if ((ret = CertSetupCbWrapper(ssl)) != 0)
26388
0
            return ret;
26389
0
    #endif
26390
26391
        /* don't send client cert or cert verify if user hasn't provided
26392
           cert and private key */
26393
0
        if (ssl->buffers.certificate && ssl->buffers.certificate->buffer) {
26394
        #ifdef HAVE_PK_CALLBACKS
26395
            if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
26396
                WOLFSSL_MSG("Using PK for client private key");
26397
                ssl->options.sendVerify = SEND_CERT;
26398
            }
26399
        #endif
26400
0
            if (ssl->buffers.key && ssl->buffers.key->buffer) {
26401
0
                ssl->options.sendVerify = SEND_CERT;
26402
0
            }
26403
0
        }
26404
0
    #ifdef OPENSSL_EXTRA
26405
0
        else
26406
    #else
26407
        else if (IsTLS(ssl))
26408
    #endif
26409
0
        {
26410
0
            ssl->options.sendVerify = SEND_BLANK_CERT;
26411
0
        }
26412
26413
0
        if (IsEncryptionOn(ssl, 0)) {
26414
0
            *inOutIdx += ssl->keys.padSz;
26415
0
        #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
26416
0
            if (ssl->options.startedETMRead)
26417
0
                *inOutIdx += MacSize(ssl);
26418
0
        #endif
26419
0
        }
26420
26421
0
        WOLFSSL_LEAVE("DoCertificateRequest", 0);
26422
0
        WOLFSSL_END(WC_FUNC_CERTIFICATE_REQUEST_DO);
26423
26424
0
        return 0;
26425
0
    }
26426
#endif /* !NO_CERTS */
26427
26428
26429
#if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
26430
26431
    static int CheckCurveId(int tlsCurveId)
26432
0
    {
26433
0
        int ret = ECC_CURVE_ERROR;
26434
26435
0
        switch (tlsCurveId) {
26436
    #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
26437
        #ifndef NO_ECC_SECP
26438
            case WOLFSSL_ECC_SECP160R1: return ECC_SECP160R1_OID;
26439
        #endif /* !NO_ECC_SECP */
26440
        #ifdef HAVE_ECC_SECPR2
26441
            case WOLFSSL_ECC_SECP160R2: return ECC_SECP160R2_OID;
26442
        #endif /* HAVE_ECC_SECPR2 */
26443
        #ifdef HAVE_ECC_KOBLITZ
26444
            case WOLFSSL_ECC_SECP160K1: return ECC_SECP160K1_OID;
26445
        #endif /* HAVE_ECC_KOBLITZ */
26446
    #endif
26447
    #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
26448
        #ifndef NO_ECC_SECP
26449
            case WOLFSSL_ECC_SECP192R1: return ECC_SECP192R1_OID;
26450
        #endif /* !NO_ECC_SECP */
26451
        #ifdef HAVE_ECC_KOBLITZ
26452
            case WOLFSSL_ECC_SECP192K1: return ECC_SECP192K1_OID;
26453
        #endif /* HAVE_ECC_KOBLITZ */
26454
    #endif
26455
0
    #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
26456
0
        #ifndef NO_ECC_SECP
26457
0
            case WOLFSSL_ECC_SECP224R1: return ECC_SECP224R1_OID;
26458
0
        #endif /* !NO_ECC_SECP */
26459
0
        #ifdef HAVE_ECC_KOBLITZ
26460
0
            case WOLFSSL_ECC_SECP224K1: return ECC_SECP224K1_OID;
26461
0
        #endif /* HAVE_ECC_KOBLITZ */
26462
0
    #endif
26463
0
        #if defined(HAVE_CURVE25519) && ECC_MIN_KEY_SZ <= 256
26464
0
            case WOLFSSL_ECC_X25519: return ECC_X25519_OID;
26465
0
        #endif
26466
0
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
26467
0
        #ifndef NO_ECC_SECP
26468
0
            case WOLFSSL_ECC_SECP256R1: return ECC_SECP256R1_OID;
26469
0
        #endif /* !NO_ECC_SECP */
26470
0
        #ifdef HAVE_ECC_KOBLITZ
26471
0
            case WOLFSSL_ECC_SECP256K1: return ECC_SECP256K1_OID;
26472
0
        #endif /* HAVE_ECC_KOBLITZ */
26473
0
        #ifdef HAVE_ECC_BRAINPOOL
26474
0
            case WOLFSSL_ECC_BRAINPOOLP256R1: return ECC_BRAINPOOLP256R1_OID;
26475
0
        #endif /* HAVE_ECC_BRAINPOOL */
26476
0
    #endif
26477
0
        #if defined(HAVE_CURVE448) && ECC_MIN_KEY_SZ <= 448
26478
0
            case WOLFSSL_ECC_X448: return ECC_X448_OID;
26479
0
        #endif
26480
0
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
26481
0
        #ifndef NO_ECC_SECP
26482
0
            case WOLFSSL_ECC_SECP384R1: return ECC_SECP384R1_OID;
26483
0
        #endif /* !NO_ECC_SECP */
26484
0
        #ifdef HAVE_ECC_BRAINPOOL
26485
0
            case WOLFSSL_ECC_BRAINPOOLP384R1: return ECC_BRAINPOOLP384R1_OID;
26486
0
        #endif /* HAVE_ECC_BRAINPOOL */
26487
0
    #endif
26488
0
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
26489
0
        #ifdef HAVE_ECC_BRAINPOOL
26490
0
            case WOLFSSL_ECC_BRAINPOOLP512R1: return ECC_BRAINPOOLP512R1_OID;
26491
0
        #endif /* HAVE_ECC_BRAINPOOL */
26492
0
    #endif
26493
0
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
26494
0
        #ifndef NO_ECC_SECP
26495
0
            case WOLFSSL_ECC_SECP521R1: return ECC_SECP521R1_OID;
26496
0
        #endif /* !NO_ECC_SECP */
26497
0
    #endif
26498
0
            default: break;
26499
0
        }
26500
26501
0
        return ret;
26502
0
    }
26503
26504
#endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
26505
26506
/* Persistable DoServerKeyExchange arguments */
26507
typedef struct DskeArgs {
26508
    byte*  output; /* not allocated */
26509
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
26510
                                                          defined(HAVE_CURVE448)
26511
    byte*  verifySig;
26512
#endif
26513
    word32 idx;
26514
    word32 begin;
26515
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
26516
                                                          defined(HAVE_CURVE448)
26517
    word16 verifySigSz;
26518
#endif
26519
    word16 sigSz;
26520
    byte   sigAlgo;
26521
    byte   hashAlgo;
26522
#if !defined(NO_RSA) && defined(WC_RSA_PSS)
26523
    int    bits;
26524
#endif
26525
} DskeArgs;
26526
26527
static void FreeDskeArgs(WOLFSSL* ssl, void* pArgs)
26528
0
{
26529
0
    DskeArgs* args = (DskeArgs*)pArgs;
26530
26531
0
    (void)ssl;
26532
0
    (void)args;
26533
26534
0
#if !defined(NO_DH) || defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
26535
0
                                                          defined(HAVE_CURVE448)
26536
0
    if (args->verifySig) {
26537
0
        XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
26538
0
        args->verifySig = NULL;
26539
0
    }
26540
0
#endif
26541
0
}
26542
26543
#ifndef NO_DH
26544
static int GetDhPublicKey(WOLFSSL* ssl, const byte* input, word32 size,
26545
                          DskeArgs* args)
26546
0
{
26547
0
    int             ret = 0;
26548
0
    word16          length;
26549
0
#ifdef HAVE_FFDHE
26550
0
#ifdef HAVE_PUBLIC_FFDHE
26551
0
    const DhParams* params = NULL;
26552
0
#endif
26553
0
    word16          group = 0;
26554
0
#endif
26555
26556
0
    if (ssl->buffers.weOwnDH) {
26557
0
        if (ssl->buffers.serverDH_P.buffer) {
26558
0
            XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
26559
0
                    DYNAMIC_TYPE_PUBLIC_KEY);
26560
0
            ssl->buffers.serverDH_P.buffer = NULL;
26561
0
        }
26562
26563
0
        if (ssl->buffers.serverDH_G.buffer) {
26564
0
            XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
26565
0
                    DYNAMIC_TYPE_PUBLIC_KEY);
26566
0
            ssl->buffers.serverDH_G.buffer = NULL;
26567
0
        }
26568
26569
0
    }
26570
26571
0
    if (ssl->buffers.serverDH_Pub.buffer) {
26572
0
        XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap,
26573
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26574
0
        ssl->buffers.serverDH_Pub.buffer = NULL;
26575
0
    }
26576
26577
    /* p */
26578
0
    if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
26579
0
        ERROR_OUT(BUFFER_ERROR, exit_gdpk);
26580
0
    }
26581
26582
0
    ato16(input + args->idx, &length);
26583
0
    args->idx += OPAQUE16_LEN;
26584
26585
0
    if ((args->idx - args->begin) + length > size) {
26586
0
        ERROR_OUT(BUFFER_ERROR, exit_gdpk);
26587
0
    }
26588
26589
0
    if (length < ssl->options.minDhKeySz) {
26590
0
        WOLFSSL_MSG("Server using a DH key that is too small");
26591
0
        SendAlert(ssl, alert_fatal, handshake_failure);
26592
0
        ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
26593
0
    }
26594
0
    if (length > ssl->options.maxDhKeySz) {
26595
0
        WOLFSSL_MSG("Server using a DH key that is too big");
26596
0
        SendAlert(ssl, alert_fatal, handshake_failure);
26597
0
        ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
26598
0
    }
26599
26600
0
    ssl->buffers.serverDH_P.buffer =
26601
0
        (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
26602
0
    if (ssl->buffers.serverDH_P.buffer) {
26603
0
        ssl->buffers.serverDH_P.length = length;
26604
0
    }
26605
0
    else {
26606
0
        ERROR_OUT(MEMORY_ERROR, exit_gdpk);
26607
0
    }
26608
26609
0
    XMEMCPY(ssl->buffers.serverDH_P.buffer, input + args->idx,
26610
0
                                                        length);
26611
0
    args->idx += length;
26612
26613
0
    ssl->options.dhKeySz = length;
26614
26615
    /* g */
26616
0
    if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
26617
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
26618
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26619
0
        ssl->buffers.serverDH_P.buffer = NULL;
26620
0
        ERROR_OUT(BUFFER_ERROR, exit_gdpk);
26621
0
    }
26622
26623
0
    ato16(input + args->idx, &length);
26624
0
    args->idx += OPAQUE16_LEN;
26625
26626
0
    if ((args->idx - args->begin) + length > size) {
26627
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
26628
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26629
0
        ssl->buffers.serverDH_P.buffer = NULL;
26630
0
        ERROR_OUT(BUFFER_ERROR, exit_gdpk);
26631
0
    }
26632
26633
0
    if (length > ssl->options.maxDhKeySz) {
26634
0
        WOLFSSL_MSG("Server using a DH key generator that is too big");
26635
0
        SendAlert(ssl, alert_fatal, handshake_failure);
26636
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
26637
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26638
0
        ssl->buffers.serverDH_P.buffer = NULL;
26639
0
        ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
26640
0
    }
26641
26642
0
    ssl->buffers.serverDH_G.buffer =
26643
0
        (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
26644
0
    if (ssl->buffers.serverDH_G.buffer) {
26645
0
        ssl->buffers.serverDH_G.length = length;
26646
0
    }
26647
0
    else {
26648
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
26649
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26650
0
        ssl->buffers.serverDH_P.buffer = NULL;
26651
0
        ERROR_OUT(MEMORY_ERROR, exit_gdpk);
26652
0
    }
26653
26654
0
    XMEMCPY(ssl->buffers.serverDH_G.buffer, input + args->idx,
26655
0
                                                        length);
26656
0
    args->idx += length;
26657
26658
    /* pub */
26659
0
    if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
26660
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
26661
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26662
0
        ssl->buffers.serverDH_P.buffer = NULL;
26663
0
        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
26664
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26665
0
        ssl->buffers.serverDH_G.buffer = NULL;
26666
0
        ERROR_OUT(BUFFER_ERROR, exit_gdpk);
26667
0
    }
26668
26669
0
    ato16(input + args->idx, &length);
26670
0
    args->idx += OPAQUE16_LEN;
26671
26672
0
    if ((args->idx - args->begin) + length > size) {
26673
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
26674
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26675
0
        ssl->buffers.serverDH_P.buffer = NULL;
26676
0
        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
26677
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26678
0
        ssl->buffers.serverDH_G.buffer = NULL;
26679
0
        ERROR_OUT(BUFFER_ERROR, exit_gdpk);
26680
0
    }
26681
26682
0
    if (length > ssl->options.maxDhKeySz) {
26683
0
        WOLFSSL_MSG("Server using a public DH key that is too big");
26684
0
        SendAlert(ssl, alert_fatal, handshake_failure);
26685
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
26686
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26687
0
        ssl->buffers.serverDH_P.buffer = NULL;
26688
0
        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
26689
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26690
0
        ssl->buffers.serverDH_G.buffer = NULL;
26691
0
        ERROR_OUT(DH_KEY_SIZE_E, exit_gdpk);
26692
0
    }
26693
26694
0
    ssl->buffers.serverDH_Pub.buffer =
26695
0
        (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
26696
0
    if (ssl->buffers.serverDH_Pub.buffer) {
26697
0
        ssl->buffers.serverDH_Pub.length = length;
26698
0
    }
26699
0
    else {
26700
0
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap,
26701
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26702
0
        ssl->buffers.serverDH_P.buffer = NULL;
26703
0
        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap,
26704
0
                DYNAMIC_TYPE_PUBLIC_KEY);
26705
0
        ssl->buffers.serverDH_G.buffer = NULL;
26706
0
        ERROR_OUT(MEMORY_ERROR, exit_gdpk);
26707
0
    }
26708
26709
0
    XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + args->idx,
26710
0
                                                        length);
26711
0
    ssl->buffers.weOwnDH = 1;
26712
0
    args->idx += length;
26713
26714
0
#ifdef HAVE_FFDHE
26715
0
    switch (ssl->options.dhKeySz) {
26716
0
    #ifdef HAVE_FFDHE_2048
26717
0
        case 2048/8:
26718
0
            #ifdef HAVE_PUBLIC_FFDHE
26719
0
            params = wc_Dh_ffdhe2048_Get();
26720
0
            #endif
26721
0
            group = WOLFSSL_FFDHE_2048;
26722
0
            break;
26723
0
    #endif
26724
    #ifdef HAVE_FFDHE_3072
26725
        case 3072/8:
26726
            #ifdef HAVE_PUBLIC_FFDHE
26727
            params = wc_Dh_ffdhe3072_Get();
26728
            #endif
26729
            group = WOLFSSL_FFDHE_3072;
26730
            break;
26731
    #endif
26732
    #ifdef HAVE_FFDHE_4096
26733
        case 4096/8:
26734
            #ifdef HAVE_PUBLIC_FFDHE
26735
            params = wc_Dh_ffdhe4096_Get();
26736
            #endif
26737
            group = WOLFSSL_FFDHE_4096;
26738
            break;
26739
    #endif
26740
    #ifdef HAVE_FFDHE_6144
26741
        case 6144/8:
26742
            #ifdef HAVE_PUBLIC_FFDHE
26743
            params = wc_Dh_ffdhe6144_Get();
26744
            #endif
26745
            group = WOLFSSL_FFDHE_6144;
26746
            break;
26747
    #endif
26748
    #ifdef HAVE_FFDHE_8192
26749
        case 8192/8:
26750
            #ifdef HAVE_PUBLIC_FFDHE
26751
            params = wc_Dh_ffdhe8192_Get();
26752
            #endif
26753
            group = WOLFSSL_FFDHE_8192;
26754
            break;
26755
    #endif
26756
0
        default:
26757
0
            break;
26758
0
    }
26759
26760
26761
0
#ifdef HAVE_PUBLIC_FFDHE
26762
0
    if (params == NULL || params->g_len != ssl->buffers.serverDH_G.length ||
26763
0
            (XMEMCMP(ssl->buffers.serverDH_G.buffer, params->g,
26764
0
                    params->g_len) != 0) ||
26765
0
            (XMEMCMP(ssl->buffers.serverDH_P.buffer, params->p,
26766
0
                    params->p_len) != 0))
26767
#else
26768
    if (!wc_DhCmpNamedKey(group, 1,
26769
            ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length,
26770
            ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length,
26771
            NULL, 0))
26772
#endif
26773
0
    {
26774
0
        WOLFSSL_MSG("Server not using FFDHE parameters");
26775
    #ifdef WOLFSSL_REQUIRE_FFDHE
26776
        SendAlert(ssl, alert_fatal, handshake_failure);
26777
        ERROR_OUT(DH_PARAMS_NOT_FFDHE_E, exit_gdpk);
26778
    #endif
26779
0
    }
26780
0
    else {
26781
0
        ssl->namedGroup = group;
26782
0
    #if !defined(WOLFSSL_OLD_PRIME_CHECK) && !defined(HAVE_FIPS) && \
26783
0
        !defined(HAVE_SELFTEST)
26784
0
        ssl->options.dhDoKeyTest = 0;
26785
0
    #endif
26786
0
    }
26787
0
#endif /* HAVE_FFDHE */
26788
26789
0
exit_gdpk:
26790
0
    if (ret != 0) {
26791
0
        WOLFSSL_ERROR_VERBOSE(ret);
26792
0
    }
26793
0
    return ret;
26794
0
}
26795
#endif
26796
26797
/* handle processing of server_key_exchange (12) */
26798
static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
26799
                               word32* inOutIdx, word32 size)
26800
0
{
26801
0
    int ret = 0;
26802
#ifdef WOLFSSL_ASYNC_CRYPT
26803
    DskeArgs* args = NULL;
26804
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
26805
#else
26806
0
    DskeArgs  args[1];
26807
0
#endif
26808
26809
0
    (void)input;
26810
0
    (void)size;
26811
26812
0
    WOLFSSL_START(WC_FUNC_SERVER_KEY_EXCHANGE_DO);
26813
0
    WOLFSSL_ENTER("DoServerKeyExchange");
26814
26815
#ifdef WOLFSSL_ASYNC_CRYPT
26816
    if (ssl->async == NULL) {
26817
        ssl->async = (struct WOLFSSL_ASYNC*)
26818
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
26819
                        DYNAMIC_TYPE_ASYNC);
26820
        if (ssl->async == NULL)
26821
            ERROR_OUT(MEMORY_E, exit_dske);
26822
    }
26823
    args = (DskeArgs*)ssl->async->args;
26824
26825
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
26826
    if (ret != WC_NOT_PENDING_E) {
26827
        /* Check for error */
26828
        if (ret < 0)
26829
            goto exit_dske;
26830
    }
26831
    else
26832
#endif
26833
0
    {
26834
        /* Reset state */
26835
0
        ret = 0;
26836
0
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
26837
0
        XMEMSET(args, 0, sizeof(DskeArgs));
26838
0
        args->idx = *inOutIdx;
26839
0
        args->begin = *inOutIdx;
26840
0
        args->sigAlgo = ssl->specs.sig_algo;
26841
0
        args->hashAlgo = sha_mac;
26842
    #ifdef WOLFSSL_ASYNC_CRYPT
26843
        ssl->async->freeArgs = FreeDskeArgs;
26844
    #endif
26845
0
    }
26846
26847
0
    switch(ssl->options.asyncState)
26848
0
    {
26849
0
        case TLS_ASYNC_BEGIN:
26850
0
        {
26851
        #ifdef WOLFSSL_CALLBACKS
26852
            if (ssl->hsInfoOn)
26853
                AddPacketName(ssl, "ServerKeyExchange");
26854
            if (ssl->toInfoOn)
26855
                AddLateName("ServerKeyExchange", &ssl->timeoutInfo);
26856
        #endif
26857
26858
0
            switch(ssl->specs.kea)
26859
0
            {
26860
            #ifndef NO_PSK
26861
                case psk_kea:
26862
                {
26863
                    int srvHintLen;
26864
                    word16 length;
26865
26866
                    if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
26867
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
26868
                    }
26869
26870
                    ato16(input + args->idx, &length);
26871
                    args->idx += OPAQUE16_LEN;
26872
26873
                    if ((args->idx - args->begin) + length > size) {
26874
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
26875
                    }
26876
26877
                    /* get PSK server hint from the wire */
26878
                    srvHintLen = min(length, MAX_PSK_ID_LEN);
26879
                    XMEMCPY(ssl->arrays->server_hint, input + args->idx,
26880
                                                                    srvHintLen);
26881
                    ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
26882
                    args->idx += length;
26883
                    break;
26884
                }
26885
            #endif /* !NO_PSK */
26886
0
            #ifndef NO_DH
26887
0
                case diffie_hellman_kea:
26888
0
                {
26889
0
                    ret = GetDhPublicKey(ssl, input, size, args);
26890
0
                    if (ret != 0)
26891
0
                        goto exit_dske;
26892
0
                    break;
26893
0
                }
26894
0
            #endif /* !NO_DH */
26895
0
            #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
26896
0
                                                          defined(HAVE_CURVE448)
26897
0
                case ecc_diffie_hellman_kea:
26898
0
                {
26899
0
                    byte b;
26900
0
                #ifdef HAVE_ECC
26901
0
                    int curveId;
26902
0
                #endif
26903
0
                    int curveOid;
26904
0
                    word16 length;
26905
26906
0
                    if ((args->idx - args->begin) + ENUM_LEN + OPAQUE16_LEN +
26907
0
                                                        OPAQUE8_LEN > size) {
26908
0
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
26909
0
                    }
26910
26911
0
                    b = input[args->idx++];
26912
0
                    if (b != named_curve) {
26913
0
                        ERROR_OUT(ECC_CURVETYPE_ERROR, exit_dske);
26914
0
                    }
26915
26916
0
                    args->idx += 1;   /* curve type, eat leading 0 */
26917
0
                    b = input[args->idx++];
26918
0
                    if ((curveOid = CheckCurveId(b)) < 0) {
26919
0
                        ERROR_OUT(ECC_CURVE_ERROR, exit_dske);
26920
0
                    }
26921
0
                    ssl->ecdhCurveOID = curveOid;
26922
0
                #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
26923
0
                    ssl->namedGroup = 0;
26924
0
                #endif
26925
26926
0
                    length = input[args->idx++];
26927
0
                    if ((args->idx - args->begin) + length > size) {
26928
0
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
26929
0
                    }
26930
26931
0
                #ifdef HAVE_CURVE25519
26932
0
                    if (ssl->ecdhCurveOID == ECC_X25519_OID) {
26933
0
                        if (ssl->peerX25519Key == NULL) {
26934
0
                            ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
26935
0
                                           (void**)&ssl->peerX25519Key);
26936
0
                            if (ret != 0) {
26937
0
                                goto exit_dske;
26938
0
                            }
26939
0
                        } else if (ssl->peerX25519KeyPresent) {
26940
0
                            ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519,
26941
0
                                           ssl->peerX25519Key);
26942
0
                            ssl->peerX25519KeyPresent = 0;
26943
0
                            if (ret != 0) {
26944
0
                                goto exit_dske;
26945
0
                            }
26946
0
                        }
26947
26948
0
                        if ((ret = wc_curve25519_check_public(
26949
0
                                input + args->idx, length,
26950
0
                                EC25519_LITTLE_ENDIAN)) != 0) {
26951
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
26952
0
                            if (ret == BUFFER_E)
26953
0
                                SendAlert(ssl, alert_fatal, decode_error);
26954
0
                            else if (ret == ECC_OUT_OF_RANGE_E)
26955
0
                                SendAlert(ssl, alert_fatal, bad_record_mac);
26956
0
                            else {
26957
0
                                SendAlert(ssl, alert_fatal, illegal_parameter);
26958
0
                            }
26959
0
                        #endif
26960
0
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
26961
0
                        }
26962
26963
0
                        if (wc_curve25519_import_public_ex(input + args->idx,
26964
0
                                length, ssl->peerX25519Key,
26965
0
                                EC25519_LITTLE_ENDIAN) != 0) {
26966
0
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
26967
0
                        }
26968
26969
0
                        args->idx += length;
26970
0
                        ssl->peerX25519KeyPresent = 1;
26971
0
                        break;
26972
0
                    }
26973
0
                #endif
26974
0
                #ifdef HAVE_CURVE448
26975
0
                    if (ssl->ecdhCurveOID == ECC_X448_OID) {
26976
0
                        if (ssl->peerX448Key == NULL) {
26977
0
                            ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
26978
0
                                           (void**)&ssl->peerX448Key);
26979
0
                            if (ret != 0) {
26980
0
                                goto exit_dske;
26981
0
                            }
26982
0
                        } else if (ssl->peerX448KeyPresent) {
26983
0
                            ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE448,
26984
0
                                           ssl->peerX448Key);
26985
0
                            ssl->peerX448KeyPresent = 0;
26986
0
                            if (ret != 0) {
26987
0
                                goto exit_dske;
26988
0
                            }
26989
0
                        }
26990
26991
0
                        if ((ret = wc_curve448_check_public(
26992
0
                                input + args->idx, length,
26993
0
                                EC448_LITTLE_ENDIAN)) != 0) {
26994
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
26995
0
                            if (ret == BUFFER_E)
26996
0
                                SendAlert(ssl, alert_fatal, decode_error);
26997
0
                            else if (ret == ECC_OUT_OF_RANGE_E)
26998
0
                                SendAlert(ssl, alert_fatal, bad_record_mac);
26999
0
                            else {
27000
0
                                SendAlert(ssl, alert_fatal, illegal_parameter);
27001
0
                            }
27002
0
                        #endif
27003
0
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
27004
0
                        }
27005
27006
0
                        if (wc_curve448_import_public_ex(input + args->idx,
27007
0
                                length, ssl->peerX448Key,
27008
0
                                EC448_LITTLE_ENDIAN) != 0) {
27009
0
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
27010
0
                        }
27011
27012
0
                        args->idx += length;
27013
0
                        ssl->peerX448KeyPresent = 1;
27014
0
                        break;
27015
0
                    }
27016
0
                #endif
27017
0
                #ifdef HAVE_ECC
27018
0
                    if (ssl->peerEccKey == NULL) {
27019
0
                        ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
27020
0
                                       (void**)&ssl->peerEccKey);
27021
0
                        if (ret != 0) {
27022
0
                            goto exit_dske;
27023
0
                        }
27024
0
                    } else if (ssl->peerEccKeyPresent) {
27025
0
                        ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC, ssl->peerEccKey);
27026
0
                        ssl->peerEccKeyPresent = 0;
27027
0
                        if (ret != 0) {
27028
0
                            goto exit_dske;
27029
0
                        }
27030
0
                    }
27031
27032
0
                    curveId = wc_ecc_get_oid(curveOid, NULL, NULL);
27033
0
                    if (wc_ecc_import_x963_ex(input + args->idx, length,
27034
0
                                        ssl->peerEccKey, curveId) != 0) {
27035
0
                    #ifdef WOLFSSL_EXTRA_ALERTS
27036
0
                        SendAlert(ssl, alert_fatal, illegal_parameter);
27037
0
                    #endif
27038
0
                        ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
27039
0
                    }
27040
27041
0
                    args->idx += length;
27042
0
                    ssl->peerEccKeyPresent = 1;
27043
0
                #endif
27044
0
                    break;
27045
0
                }
27046
0
            #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
27047
            #if !defined(NO_DH) && !defined(NO_PSK)
27048
                case dhe_psk_kea:
27049
                {
27050
                    int srvHintLen;
27051
                    word16 length;
27052
27053
                    if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
27054
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
27055
                    }
27056
27057
                    ato16(input + args->idx, &length);
27058
                    args->idx += OPAQUE16_LEN;
27059
27060
                    if ((args->idx - args->begin) + length > size) {
27061
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
27062
                    }
27063
27064
                    /* get PSK server hint from the wire */
27065
                    srvHintLen = min(length, MAX_PSK_ID_LEN);
27066
                    XMEMCPY(ssl->arrays->server_hint, input + args->idx,
27067
                                                                srvHintLen);
27068
                    ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
27069
                    args->idx += length;
27070
27071
                    ret = GetDhPublicKey(ssl, input, size, args);
27072
                    if (ret != 0)
27073
                        goto exit_dske;
27074
                    break;
27075
                }
27076
            #endif /* !NO_DH && !NO_PSK */
27077
            #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
27078
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
27079
                case ecdhe_psk_kea:
27080
                {
27081
                    byte b;
27082
                    int curveOid, curveId;
27083
                    int srvHintLen;
27084
                    word16 length;
27085
27086
                    if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
27087
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
27088
                    }
27089
27090
                    ato16(input + args->idx, &length);
27091
                    args->idx += OPAQUE16_LEN;
27092
27093
                    if ((args->idx - args->begin) + length > size) {
27094
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
27095
                    }
27096
27097
                    /* get PSK server hint from the wire */
27098
                    srvHintLen = min(length, MAX_PSK_ID_LEN);
27099
                    XMEMCPY(ssl->arrays->server_hint, input + args->idx,
27100
                                                                    srvHintLen);
27101
                    ssl->arrays->server_hint[srvHintLen] = '\0'; /* null term */
27102
27103
                    args->idx += length;
27104
27105
                    if ((args->idx - args->begin) + ENUM_LEN + OPAQUE16_LEN +
27106
                        OPAQUE8_LEN > size) {
27107
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
27108
                    }
27109
27110
                    /* Check curve name and ID */
27111
                    b = input[args->idx++];
27112
                    if (b != named_curve) {
27113
                        ERROR_OUT(ECC_CURVETYPE_ERROR, exit_dske);
27114
                    }
27115
27116
                    args->idx += 1;   /* curve type, eat leading 0 */
27117
                    b = input[args->idx++];
27118
                    if ((curveOid = CheckCurveId(b)) < 0) {
27119
                        ERROR_OUT(ECC_CURVE_ERROR, exit_dske);
27120
                    }
27121
27122
                    length = input[args->idx++];
27123
                    if ((args->idx - args->begin) + length > size) {
27124
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
27125
                    }
27126
27127
                #ifdef HAVE_CURVE25519
27128
                    if (ssl->ecdhCurveOID == ECC_X25519_OID) {
27129
                        if (ssl->peerX25519Key == NULL) {
27130
                            ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
27131
                                           (void**)&ssl->peerX25519Key);
27132
                            if (ret != 0) {
27133
                                goto exit_dske;
27134
                            }
27135
                        } else if (ssl->peerEccKeyPresent) {
27136
                            ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519,
27137
                                           ssl->peerX25519Key);
27138
                            ssl->peerX25519KeyPresent = 0;
27139
                            if (ret != 0) {
27140
                                goto exit_dske;
27141
                            }
27142
                        }
27143
27144
                        if ((ret = wc_curve25519_check_public(
27145
                                input + args->idx, length,
27146
                                EC25519_LITTLE_ENDIAN)) != 0) {
27147
                        #ifdef WOLFSSL_EXTRA_ALERTS
27148
                            if (ret == BUFFER_E)
27149
                                SendAlert(ssl, alert_fatal, decode_error);
27150
                            else if (ret == ECC_OUT_OF_RANGE_E)
27151
                                SendAlert(ssl, alert_fatal, bad_record_mac);
27152
                            else {
27153
                                SendAlert(ssl, alert_fatal, illegal_parameter);
27154
                            }
27155
                        #endif
27156
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
27157
                        }
27158
27159
                        if (wc_curve25519_import_public_ex(input + args->idx,
27160
                                length, ssl->peerX25519Key,
27161
                                EC25519_LITTLE_ENDIAN) != 0) {
27162
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
27163
                        }
27164
27165
                        args->idx += length;
27166
                        ssl->peerX25519KeyPresent = 1;
27167
                        break;
27168
                    }
27169
                #endif
27170
                #ifdef HAVE_CURVE448
27171
                    if (ssl->ecdhCurveOID == ECC_X448_OID) {
27172
                        if (ssl->peerX448Key == NULL) {
27173
                            ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
27174
                                           (void**)&ssl->peerX448Key);
27175
                            if (ret != 0) {
27176
                                goto exit_dske;
27177
                            }
27178
                        } else if (ssl->peerEccKeyPresent) {
27179
                            ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE448,
27180
                                           ssl->peerX448Key);
27181
                            ssl->peerX448KeyPresent = 0;
27182
                            if (ret != 0) {
27183
                                goto exit_dske;
27184
                            }
27185
                        }
27186
27187
                        if ((ret = wc_curve448_check_public(
27188
                                input + args->idx, length,
27189
                                EC448_LITTLE_ENDIAN)) != 0) {
27190
                        #ifdef WOLFSSL_EXTRA_ALERTS
27191
                            if (ret == BUFFER_E)
27192
                                SendAlert(ssl, alert_fatal, decode_error);
27193
                            else if (ret == ECC_OUT_OF_RANGE_E)
27194
                                SendAlert(ssl, alert_fatal, bad_record_mac);
27195
                            else {
27196
                                SendAlert(ssl, alert_fatal, illegal_parameter);
27197
                            }
27198
                        #endif
27199
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
27200
                        }
27201
27202
                        if (wc_curve448_import_public_ex(input + args->idx,
27203
                                length, ssl->peerX448Key,
27204
                                EC448_LITTLE_ENDIAN) != 0) {
27205
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
27206
                        }
27207
27208
                        args->idx += length;
27209
                        ssl->peerX448KeyPresent = 1;
27210
                        break;
27211
                    }
27212
                #endif
27213
27214
                    if (ssl->peerEccKey == NULL) {
27215
                        ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
27216
                                 (void**)&ssl->peerEccKey);
27217
                        if (ret != 0) {
27218
                            goto exit_dske;
27219
                        }
27220
                    } else if (ssl->peerEccKeyPresent) {
27221
                        ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC, ssl->peerEccKey);
27222
                        ssl->peerEccKeyPresent = 0;
27223
                        if (ret != 0) {
27224
                            goto exit_dske;
27225
                        }
27226
                    }
27227
27228
                    curveId = wc_ecc_get_oid(curveOid, NULL, NULL);
27229
                    if (wc_ecc_import_x963_ex(input + args->idx, length,
27230
                        ssl->peerEccKey, curveId) != 0) {
27231
                        ERROR_OUT(ECC_PEERKEY_ERROR, exit_dske);
27232
                    }
27233
27234
                    args->idx += length;
27235
                    ssl->peerEccKeyPresent = 1;
27236
                    break;
27237
                }
27238
            #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
27239
0
                default:
27240
0
                    ret = BAD_KEA_TYPE_E;
27241
0
            } /* switch(ssl->specs.kea) */
27242
27243
            /* Check for error */
27244
0
            if (ret != 0) {
27245
0
                goto exit_dske;
27246
0
            }
27247
27248
            /* Advance state and proceed */
27249
0
            ssl->options.asyncState = TLS_ASYNC_BUILD;
27250
0
        } /* case TLS_ASYNC_BEGIN */
27251
0
        FALL_THROUGH;
27252
27253
0
        case TLS_ASYNC_BUILD:
27254
0
        {
27255
0
            switch(ssl->specs.kea)
27256
0
            {
27257
0
                case psk_kea:
27258
0
                case dhe_psk_kea:
27259
0
                case ecdhe_psk_kea:
27260
0
                {
27261
                    /* Nothing to do in this sub-state */
27262
0
                    break;
27263
0
                }
27264
27265
0
                case diffie_hellman_kea:
27266
0
                case ecc_diffie_hellman_kea:
27267
0
                {
27268
            #if defined(NO_DH) && !defined(HAVE_ECC) && \
27269
                            !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
27270
                    ERROR_OUT(NOT_COMPILED_IN, exit_dske);
27271
            #else
27272
0
                    enum wc_HashType hashType;
27273
0
                    word16 verifySz;
27274
0
                    byte sigAlgo;
27275
27276
0
                    if (ssl->options.usingAnon_cipher) {
27277
0
                        break;
27278
0
                    }
27279
27280
0
                    verifySz = (word16)(args->idx - args->begin);
27281
0
                    if (verifySz > MAX_DH_SZ) {
27282
0
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
27283
0
                    }
27284
27285
0
                    if (IsAtLeastTLSv1_2(ssl)) {
27286
0
                        if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN >
27287
0
                                                                        size) {
27288
0
                            ERROR_OUT(BUFFER_ERROR, exit_dske);
27289
0
                        }
27290
27291
0
                        DecodeSigAlg(&input[args->idx], &args->hashAlgo,
27292
0
                                     &sigAlgo);
27293
0
                    #ifndef NO_RSA
27294
0
                        if (sigAlgo == rsa_pss_sa_algo &&
27295
0
                                                 args->sigAlgo == rsa_sa_algo) {
27296
0
                            args->sigAlgo = sigAlgo;
27297
0
                        }
27298
0
                        else
27299
0
                    #endif
27300
0
                    #ifdef HAVE_ED25519
27301
0
                        if (sigAlgo == ed25519_sa_algo &&
27302
0
                                             args->sigAlgo == ecc_dsa_sa_algo) {
27303
0
                            args->sigAlgo = sigAlgo;
27304
0
                        }
27305
0
                        else
27306
0
                    #endif
27307
0
                    #ifdef HAVE_ED448
27308
0
                        if (sigAlgo == ed448_sa_algo &&
27309
0
                                             args->sigAlgo == ecc_dsa_sa_algo) {
27310
0
                            args->sigAlgo = sigAlgo;
27311
0
                        }
27312
0
                        else
27313
0
                    #endif
27314
                        /* Signature algorithm from message must match signature
27315
                         * algorithm in cipher suite. */
27316
0
                        if (sigAlgo != args->sigAlgo) {
27317
0
                            ERROR_OUT(ALGO_ID_E, exit_dske);
27318
0
                        }
27319
0
                        args->idx += 2;
27320
0
                        hashType = HashAlgoToType(args->hashAlgo);
27321
0
                        if (hashType == WC_HASH_TYPE_NONE) {
27322
0
                            ERROR_OUT(ALGO_ID_E, exit_dske);
27323
0
                        }
27324
0
                    } else {
27325
                        /* only using sha and md5 for rsa */
27326
0
                        #ifndef NO_OLD_TLS
27327
0
                            hashType = WC_HASH_TYPE_SHA;
27328
0
                            if (args->sigAlgo == rsa_sa_algo) {
27329
0
                                hashType = WC_HASH_TYPE_MD5_SHA;
27330
0
                            }
27331
                        #else
27332
                            ERROR_OUT(ALGO_ID_E, exit_dske);
27333
                        #endif
27334
0
                    }
27335
27336
                    /* signature */
27337
0
                    if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
27338
0
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
27339
0
                    }
27340
27341
0
                    ato16(input + args->idx, &args->verifySigSz);
27342
0
                    args->idx += OPAQUE16_LEN;
27343
27344
0
                    if ((args->idx - args->begin) + args->verifySigSz > size) {
27345
0
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
27346
0
                    }
27347
27348
0
                    ret = HashSkeData(ssl, hashType, input + args->begin,
27349
0
                        verifySz, args->sigAlgo);
27350
0
                    if (ret != 0) {
27351
0
                        goto exit_dske;
27352
0
                    }
27353
27354
0
                    switch (args->sigAlgo)
27355
0
                    {
27356
0
                    #ifndef NO_RSA
27357
0
                    #ifdef WC_RSA_PSS
27358
0
                        case rsa_pss_sa_algo:
27359
0
                    #endif
27360
0
                        case rsa_sa_algo:
27361
0
                        {
27362
0
                            if (ssl->peerRsaKey == NULL ||
27363
0
                                                    !ssl->peerRsaKeyPresent) {
27364
0
                                ERROR_OUT(NO_PEER_KEY, exit_dske);
27365
0
                            }
27366
0
                            break;
27367
0
                        }
27368
0
                    #endif /* !NO_RSA */
27369
0
                    #ifdef HAVE_ECC
27370
0
                        case ecc_dsa_sa_algo:
27371
0
                        {
27372
0
                            if (!ssl->peerEccDsaKeyPresent) {
27373
0
                                ERROR_OUT(NO_PEER_KEY, exit_dske);
27374
0
                            }
27375
0
                            break;
27376
0
                        }
27377
0
                    #endif /* HAVE_ECC */
27378
0
                    #if defined(HAVE_ED25519)
27379
0
                        case ed25519_sa_algo:
27380
0
                        {
27381
0
                            if (!ssl->peerEd25519KeyPresent) {
27382
0
                                ERROR_OUT(NO_PEER_KEY, exit_dske);
27383
0
                            }
27384
0
                            break;
27385
0
                        }
27386
0
                    #endif /* HAVE_ED25519 */
27387
0
                    #if defined(HAVE_ED448)
27388
0
                        case ed448_sa_algo:
27389
0
                        {
27390
0
                            if (!ssl->peerEd448KeyPresent) {
27391
0
                                ERROR_OUT(NO_PEER_KEY, exit_dske);
27392
0
                            }
27393
0
                            break;
27394
0
                        }
27395
0
                    #endif /* HAVE_ED448 */
27396
27397
0
                    default:
27398
0
                        ret = ALGO_ID_E;
27399
0
                    } /* switch (args->sigAlgo) */
27400
27401
0
            #endif /* NO_DH && !HAVE_ECC && !HAVE_ED25519 && !HAVE_ED448 */
27402
0
                    break;
27403
0
                }
27404
0
                default:
27405
0
                    ret = BAD_KEA_TYPE_E;
27406
0
            } /* switch(ssl->specs.kea) */
27407
27408
            /* Check for error */
27409
0
            if (ret != 0) {
27410
0
                goto exit_dske;
27411
0
            }
27412
27413
            /* Advance state and proceed */
27414
0
            ssl->options.asyncState = TLS_ASYNC_DO;
27415
0
        } /* case TLS_ASYNC_BUILD */
27416
0
        FALL_THROUGH;
27417
27418
0
        case TLS_ASYNC_DO:
27419
0
        {
27420
0
            switch(ssl->specs.kea)
27421
0
            {
27422
0
                case psk_kea:
27423
0
                case dhe_psk_kea:
27424
0
                case ecdhe_psk_kea:
27425
0
                {
27426
                    /* Nothing to do in this sub-state */
27427
0
                    break;
27428
0
                }
27429
27430
0
                case diffie_hellman_kea:
27431
0
                case ecc_diffie_hellman_kea:
27432
0
                {
27433
            #if defined(NO_DH) && !defined(HAVE_ECC) && \
27434
                            !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
27435
                    ERROR_OUT(NOT_COMPILED_IN, exit_dske);
27436
            #else
27437
0
                    if (ssl->options.usingAnon_cipher) {
27438
0
                        break;
27439
0
                    }
27440
27441
0
                    if (args->verifySig == NULL) {
27442
0
                        args->verifySig = (byte*)XMALLOC(args->verifySigSz,
27443
0
                                            ssl->heap, DYNAMIC_TYPE_SIGNATURE);
27444
0
                        if (args->verifySig == NULL) {
27445
0
                            ERROR_OUT(MEMORY_E, exit_dske);
27446
0
                        }
27447
0
                        XMEMCPY(args->verifySig, input + args->idx,
27448
0
                                                            args->verifySigSz);
27449
0
                    }
27450
27451
0
                    switch (args->sigAlgo)
27452
0
                    {
27453
0
                    #ifndef NO_RSA
27454
0
                    #ifdef WC_RSA_PSS
27455
0
                        case rsa_pss_sa_algo:
27456
0
                    #endif
27457
0
                        case rsa_sa_algo:
27458
0
                        {
27459
0
                            ret = RsaVerify(ssl,
27460
0
                                args->verifySig, args->verifySigSz,
27461
0
                                &args->output,
27462
0
                                args->sigAlgo, args->hashAlgo,
27463
0
                                ssl->peerRsaKey,
27464
                            #ifdef HAVE_PK_CALLBACKS
27465
                                &ssl->buffers.peerRsaKey
27466
                            #else
27467
0
                                NULL
27468
0
                            #endif
27469
0
                            );
27470
27471
0
                            if (ret >= 0) {
27472
0
                                args->sigSz = (word16)ret;
27473
0
                            #ifdef WC_RSA_PSS
27474
0
                                args->bits = mp_count_bits(&ssl->peerRsaKey->n);
27475
0
                            #endif
27476
0
                                ret = 0;
27477
0
                            }
27478
                        #ifdef WOLFSSL_ASYNC_CRYPT
27479
                            if (ret != WC_PENDING_E)
27480
                        #endif
27481
0
                            {
27482
                                /* peerRsaKey */
27483
0
                                FreeKey(ssl, DYNAMIC_TYPE_RSA,
27484
0
                                                      (void**)&ssl->peerRsaKey);
27485
0
                                ssl->peerRsaKeyPresent = 0;
27486
0
                            }
27487
0
                            break;
27488
0
                        }
27489
0
                    #endif /* !NO_RSA */
27490
0
                    #ifdef HAVE_ECC
27491
0
                        case ecc_dsa_sa_algo:
27492
0
                        {
27493
0
                            ret = EccVerify(ssl,
27494
0
                                args->verifySig, args->verifySigSz,
27495
0
                                ssl->buffers.digest.buffer,
27496
0
                                ssl->buffers.digest.length,
27497
0
                                ssl->peerEccDsaKey,
27498
                            #ifdef HAVE_PK_CALLBACKS
27499
                                &ssl->buffers.peerEccDsaKey
27500
                            #else
27501
0
                                NULL
27502
0
                            #endif
27503
0
                            );
27504
27505
                        #ifdef WOLFSSL_ASYNC_CRYPT
27506
                            if (ret != WC_PENDING_E)
27507
                        #endif
27508
0
                            {
27509
                                /* peerEccDsaKey */
27510
0
                                FreeKey(ssl, DYNAMIC_TYPE_ECC,
27511
0
                                                   (void**)&ssl->peerEccDsaKey);
27512
0
                                ssl->peerEccDsaKeyPresent = 0;
27513
0
                            }
27514
                            /* CLIENT: Data verified with cert's public key. */
27515
0
                            ssl->options.peerAuthGood =
27516
0
                                ssl->options.havePeerCert && (ret == 0);
27517
0
                            break;
27518
0
                        }
27519
0
                    #endif /* HAVE_ECC */
27520
0
                    #if defined(HAVE_ED25519)
27521
0
                        case ed25519_sa_algo:
27522
0
                        {
27523
0
                            ret = Ed25519Verify(ssl,
27524
0
                                args->verifySig, args->verifySigSz,
27525
0
                                ssl->buffers.sig.buffer,
27526
0
                                ssl->buffers.sig.length,
27527
0
                                ssl->peerEd25519Key,
27528
                            #ifdef HAVE_PK_CALLBACKS
27529
                                &ssl->buffers.peerEd25519Key
27530
                            #else
27531
0
                                NULL
27532
0
                            #endif
27533
0
                            );
27534
27535
                        #ifdef WOLFSSL_ASYNC_CRYPT
27536
                            if (ret != WC_PENDING_E)
27537
                        #endif
27538
0
                            {
27539
                                /* peerEccDsaKey */
27540
0
                                FreeKey(ssl, DYNAMIC_TYPE_ED25519,
27541
0
                                                  (void**)&ssl->peerEd25519Key);
27542
0
                                ssl->peerEd25519KeyPresent = 0;
27543
0
                            }
27544
                            /* CLIENT: Data verified with cert's public key. */
27545
0
                            ssl->options.peerAuthGood =
27546
0
                                ssl->options.havePeerCert && (ret == 0);
27547
0
                            break;
27548
0
                        }
27549
0
                    #endif /* HAVE_ED25519 */
27550
0
                    #if defined(HAVE_ED448)
27551
0
                        case ed448_sa_algo:
27552
0
                        {
27553
0
                            ret = Ed448Verify(ssl,
27554
0
                                args->verifySig, args->verifySigSz,
27555
0
                                ssl->buffers.sig.buffer,
27556
0
                                ssl->buffers.sig.length,
27557
0
                                ssl->peerEd448Key,
27558
                            #ifdef HAVE_PK_CALLBACKS
27559
                                &ssl->buffers.peerEd448Key
27560
                            #else
27561
0
                                NULL
27562
0
                            #endif
27563
0
                            );
27564
27565
                        #ifdef WOLFSSL_ASYNC_CRYPT
27566
                            if (ret != WC_PENDING_E)
27567
                        #endif
27568
0
                            {
27569
                                /* peerEccDsaKey */
27570
0
                                FreeKey(ssl, DYNAMIC_TYPE_ED448,
27571
0
                                                    (void**)&ssl->peerEd448Key);
27572
0
                                ssl->peerEd448KeyPresent = 0;
27573
0
                            }
27574
                            /* CLIENT: Data verified with cert's public key. */
27575
0
                            ssl->options.peerAuthGood =
27576
0
                                ssl->options.havePeerCert && (ret == 0);
27577
0
                            break;
27578
0
                        }
27579
0
                    #endif /* HAVE_ED448 */
27580
27581
0
                    default:
27582
0
                        ret = ALGO_ID_E;
27583
0
                    } /* switch (sigAlgo) */
27584
0
            #endif /* NO_DH && !HAVE_ECC && !HAVE_ED25519 && !HAVE_ED448 */
27585
0
                    break;
27586
0
                }
27587
0
                default:
27588
0
                    ret = BAD_KEA_TYPE_E;
27589
0
            } /* switch(ssl->specs.kea) */
27590
27591
            /* Check for error */
27592
0
            if (ret != 0) {
27593
0
                goto exit_dske;
27594
0
            }
27595
27596
            /* Advance state and proceed */
27597
0
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
27598
0
        } /* case TLS_ASYNC_DO */
27599
0
        FALL_THROUGH;
27600
27601
0
        case TLS_ASYNC_VERIFY:
27602
0
        {
27603
0
            switch(ssl->specs.kea)
27604
0
            {
27605
0
                case psk_kea:
27606
0
                case dhe_psk_kea:
27607
0
                case ecdhe_psk_kea:
27608
0
                {
27609
                    /* Nothing to do in this sub-state */
27610
0
                    break;
27611
0
                }
27612
27613
0
                case diffie_hellman_kea:
27614
0
                case ecc_diffie_hellman_kea:
27615
0
                {
27616
            #if defined(NO_DH) && !defined(HAVE_ECC) && \
27617
                            !defined(HAVE_CURVE25519) && !defined(HAVE_CURVE448)
27618
                    ERROR_OUT(NOT_COMPILED_IN, exit_dske);
27619
            #else
27620
0
                    if (ssl->options.usingAnon_cipher) {
27621
0
                        break;
27622
0
                    }
27623
27624
                    /* increment index after verify is done */
27625
0
                    args->idx += args->verifySigSz;
27626
27627
0
                    switch(args->sigAlgo)
27628
0
                    {
27629
0
                    #ifndef NO_RSA
27630
0
                    #ifdef WC_RSA_PSS
27631
0
                        case rsa_pss_sa_algo:
27632
                        #ifdef HAVE_SELFTEST
27633
                            ret = wc_RsaPSS_CheckPadding(
27634
                                             ssl->buffers.digest.buffer,
27635
                                             ssl->buffers.digest.length,
27636
                                             args->output, args->sigSz,
27637
                                             HashAlgoToType(args->hashAlgo));
27638
                        #else
27639
0
                            ret = wc_RsaPSS_CheckPadding_ex(
27640
0
                                             ssl->buffers.digest.buffer,
27641
0
                                             ssl->buffers.digest.length,
27642
0
                                             args->output, args->sigSz,
27643
0
                                             HashAlgoToType(args->hashAlgo),
27644
0
                                             -1, args->bits);
27645
0
                        #endif
27646
0
                            if (ret != 0)
27647
0
                                return ret;
27648
                            /* CLIENT: Data verified with cert's public key. */
27649
0
                            ssl->options.peerAuthGood =
27650
0
                                ssl->options.havePeerCert;
27651
0
                            break;
27652
0
                    #endif
27653
0
                        case rsa_sa_algo:
27654
0
                        {
27655
                            #if (defined(WOLFSSL_RENESAS_SCEPROTECT) && \
27656
                                defined(WOLFSSL_RENESAS_SCEPROTECT_ECC)) || \
27657
                                defined(WOLFSSL_RENESAS_TSIP_TLS)
27658
                            /* already checked signature result by SCE */
27659
                            /* skip the sign checks below              */
27660
                            if (Renesas_cmn_usable(ssl, 0)) {
27661
                                break;
27662
                             }
27663
                            #endif
27664
0
                            if (IsAtLeastTLSv1_2(ssl)) {
27665
0
                            #ifdef WOLFSSL_SMALL_STACK
27666
0
                                byte*  encodedSig;
27667
                            #else
27668
                                byte   encodedSig[MAX_ENCODED_SIG_SZ];
27669
                            #endif
27670
0
                                word32 encSigSz;
27671
27672
0
                            #ifdef WOLFSSL_SMALL_STACK
27673
0
                                encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
27674
0
                                                ssl->heap, DYNAMIC_TYPE_SIGNATURE);
27675
0
                                if (encodedSig == NULL) {
27676
0
                                    ERROR_OUT(MEMORY_E, exit_dske);
27677
0
                                }
27678
0
                            #endif
27679
27680
0
                                encSigSz = wc_EncodeSignature(encodedSig,
27681
0
                                    ssl->buffers.digest.buffer,
27682
0
                                    ssl->buffers.digest.length,
27683
0
                                    TypeHash(args->hashAlgo));
27684
0
                                if (encSigSz != args->sigSz || !args->output ||
27685
0
                                    XMEMCMP(args->output, encodedSig,
27686
0
                                            min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) {
27687
0
                                    ret = VERIFY_SIGN_ERROR;
27688
0
                                }
27689
0
                            #ifdef WOLFSSL_SMALL_STACK
27690
0
                                XFREE(encodedSig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
27691
0
                            #endif
27692
0
                                if (ret != 0) {
27693
0
                                    goto exit_dske;
27694
0
                                }
27695
0
                            }
27696
0
                            else if (args->sigSz != FINISHED_SZ ||
27697
0
                                    !args->output ||
27698
0
                                    XMEMCMP(args->output,
27699
0
                                            ssl->buffers.digest.buffer,
27700
0
                                            FINISHED_SZ) != 0) {
27701
0
                                ERROR_OUT(VERIFY_SIGN_ERROR, exit_dske);
27702
0
                            }
27703
                            /* CLIENT: Data verified with cert's public key. */
27704
0
                            ssl->options.peerAuthGood =
27705
0
                                ssl->options.havePeerCert;
27706
0
                            break;
27707
0
                        }
27708
0
                    #endif /* !NO_RSA */
27709
0
                    #ifdef HAVE_ECC
27710
0
                        case ecc_dsa_sa_algo:
27711
                            /* Nothing to do in this algo */
27712
0
                            break;
27713
0
                    #endif /* HAVE_ECC */
27714
0
                    #if defined(HAVE_ED25519)
27715
0
                        case ed25519_sa_algo:
27716
                            /* Nothing to do in this algo */
27717
0
                            break;
27718
0
                    #endif /* HAVE_ED25519 */
27719
0
                    #if defined(HAVE_ED448)
27720
0
                        case ed448_sa_algo:
27721
                            /* Nothing to do in this algo */
27722
0
                            break;
27723
0
                    #endif /* HAVE_ED448 */
27724
0
                        default:
27725
0
                            ret = ALGO_ID_E;
27726
0
                    } /* switch (sigAlgo) */
27727
0
            #endif /* NO_DH && !HAVE_ECC && !HAVE_ED25519 && !HAVE_ED448 */
27728
0
                    break;
27729
0
                }
27730
0
                default:
27731
0
                    ret = BAD_KEA_TYPE_E;
27732
0
            } /* switch(ssl->specs.kea) */
27733
27734
            /* Check for error */
27735
0
            if (ret != 0) {
27736
0
                goto exit_dske;
27737
0
            }
27738
27739
            /* Advance state and proceed */
27740
0
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
27741
0
        } /* case TLS_ASYNC_VERIFY */
27742
0
        FALL_THROUGH;
27743
27744
0
        case TLS_ASYNC_FINALIZE:
27745
0
        {
27746
0
            if (IsEncryptionOn(ssl, 0)) {
27747
0
                args->idx += ssl->keys.padSz;
27748
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
27749
0
                if (ssl->options.startedETMRead)
27750
0
                    args->idx += MacSize(ssl);
27751
0
            #endif
27752
0
            }
27753
27754
            /* Advance state and proceed */
27755
0
            ssl->options.asyncState = TLS_ASYNC_END;
27756
0
        } /* case TLS_ASYNC_FINALIZE */
27757
0
        FALL_THROUGH;
27758
27759
0
        case TLS_ASYNC_END:
27760
0
        {
27761
            /* return index */
27762
0
            *inOutIdx = args->idx;
27763
27764
0
            ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
27765
0
            break;
27766
0
        }
27767
0
        default:
27768
0
            ret = INPUT_CASE_ERROR;
27769
0
    } /* switch(ssl->options.asyncState) */
27770
27771
0
exit_dske:
27772
27773
0
    WOLFSSL_LEAVE("DoServerKeyExchange", ret);
27774
0
    WOLFSSL_END(WC_FUNC_SERVER_KEY_EXCHANGE_DO);
27775
27776
#ifdef WOLFSSL_ASYNC_CRYPT
27777
    /* Handle async operation */
27778
    if (ret == WC_PENDING_E) {
27779
        /* Mark message as not received so it can process again */
27780
        ssl->msgsReceived.got_server_key_exchange = 0;
27781
27782
        return ret;
27783
    }
27784
    /* Cleanup async */
27785
    FreeAsyncCtx(ssl, 0);
27786
#else
27787
0
    FreeDskeArgs(ssl, args);
27788
0
#endif /* WOLFSSL_ASYNC_CRYPT */
27789
27790
    /* Final cleanup */
27791
0
    FreeKeyExchange(ssl);
27792
27793
0
    if (ret != 0) {
27794
0
        WOLFSSL_ERROR_VERBOSE(ret);
27795
0
    }
27796
0
    return ret;
27797
0
}
27798
27799
typedef struct SckeArgs {
27800
    byte*  output; /* not allocated */
27801
    byte*  encSecret;
27802
    byte*  input;
27803
    word32 encSz;
27804
    word32 length;
27805
    int    sendSz;
27806
    int    inputSz;
27807
} SckeArgs;
27808
27809
static void FreeSckeArgs(WOLFSSL* ssl, void* pArgs)
27810
0
{
27811
0
    SckeArgs* args = (SckeArgs*)pArgs;
27812
27813
0
    (void)ssl;
27814
27815
0
    if (args->encSecret) {
27816
0
        XFREE(args->encSecret, ssl->heap, DYNAMIC_TYPE_SECRET);
27817
0
        args->encSecret = NULL;
27818
0
    }
27819
0
    if (args->input) {
27820
0
        XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
27821
0
        args->input = NULL;
27822
0
    }
27823
0
}
27824
27825
/* handle generation client_key_exchange (16) */
27826
int SendClientKeyExchange(WOLFSSL* ssl)
27827
0
{
27828
0
    int ret = 0;
27829
0
#ifdef WOLFSSL_ASYNC_IO
27830
0
    SckeArgs* args = NULL;
27831
0
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
27832
#else
27833
    SckeArgs  args[1];
27834
#endif
27835
27836
0
    WOLFSSL_START(WC_FUNC_CLIENT_KEY_EXCHANGE_SEND);
27837
0
    WOLFSSL_ENTER("SendClientKeyExchange");
27838
27839
0
#ifdef OPENSSL_EXTRA
27840
0
    ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
27841
0
    ssl->cbmode = SSL_CB_MODE_WRITE;
27842
0
    if (ssl->CBIS != NULL)
27843
0
        ssl->CBIS(ssl, SSL_CB_CONNECT_LOOP, SSL_SUCCESS);
27844
0
#endif
27845
27846
0
#ifdef WOLFSSL_ASYNC_IO
27847
0
    if (ssl->async == NULL) {
27848
0
        ssl->async = (struct WOLFSSL_ASYNC*)
27849
0
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
27850
0
                        DYNAMIC_TYPE_ASYNC);
27851
0
        if (ssl->async == NULL)
27852
0
            ERROR_OUT(MEMORY_E, exit_scke);
27853
0
    }
27854
0
    args = (SckeArgs*)ssl->async->args;
27855
27856
#ifdef WOLFSSL_ASYNC_CRYPT
27857
    ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
27858
    if (ret != WC_NOT_PENDING_E) {
27859
        /* Check for error */
27860
        if (ret < 0)
27861
            goto exit_scke;
27862
    }
27863
    else
27864
#endif
27865
0
    if (ssl->options.buildingMsg) {
27866
        /* Continue building the message */
27867
0
    }
27868
0
    else
27869
0
#endif
27870
0
    {
27871
        /* Reset state */
27872
0
        ret = 0;
27873
0
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
27874
0
        XMEMSET(args, 0, sizeof(SckeArgs));
27875
        /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
27876
         * is not advanced yet */
27877
0
        ssl->options.buildingMsg = 1;
27878
0
    #ifdef WOLFSSL_ASYNC_IO
27879
0
        ssl->async->freeArgs = FreeSckeArgs;
27880
0
    #endif
27881
0
    }
27882
27883
0
    switch(ssl->options.asyncState)
27884
0
    {
27885
0
        case TLS_ASYNC_BEGIN:
27886
0
        {
27887
0
            switch (ssl->specs.kea) {
27888
0
            #ifndef NO_RSA
27889
0
                case rsa_kea:
27890
0
                    if (ssl->peerRsaKey == NULL ||
27891
0
                        ssl->peerRsaKeyPresent == 0) {
27892
0
                        ERROR_OUT(NO_PEER_KEY, exit_scke);
27893
0
                    }
27894
0
                    break;
27895
0
            #endif
27896
0
            #ifndef NO_DH
27897
0
                case diffie_hellman_kea:
27898
0
                    if (ssl->buffers.serverDH_P.buffer == NULL ||
27899
0
                        ssl->buffers.serverDH_G.buffer == NULL ||
27900
0
                        ssl->buffers.serverDH_Pub.buffer == NULL) {
27901
0
                        ERROR_OUT(NO_PEER_KEY, exit_scke);
27902
0
                    }
27903
0
                    break;
27904
0
            #endif /* NO_DH */
27905
            #ifndef NO_PSK
27906
                case psk_kea:
27907
                    /* sanity check that PSK client callback has been set */
27908
                    if (ssl->options.client_psk_cb == NULL) {
27909
                        WOLFSSL_MSG("No client PSK callback set");
27910
                        ERROR_OUT(PSK_KEY_ERROR, exit_scke);
27911
                    }
27912
                    break;
27913
            #endif /* NO_PSK */
27914
            #if !defined(NO_DH) && !defined(NO_PSK)
27915
                case dhe_psk_kea:
27916
                    if (ssl->buffers.serverDH_P.buffer == NULL ||
27917
                        ssl->buffers.serverDH_G.buffer == NULL ||
27918
                        ssl->buffers.serverDH_Pub.buffer == NULL) {
27919
                        ERROR_OUT(NO_PEER_KEY, exit_scke);
27920
                    }
27921
27922
                    /* sanity check that PSK client callback has been set */
27923
                    if (ssl->options.client_psk_cb == NULL) {
27924
                        WOLFSSL_MSG("No client PSK callback set");
27925
                        ERROR_OUT(PSK_KEY_ERROR, exit_scke);
27926
                    }
27927
                    break;
27928
            #endif /* !NO_DH && !NO_PSK */
27929
            #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
27930
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
27931
                case ecdhe_psk_kea:
27932
                    /* sanity check that PSK client callback has been set */
27933
                    if (ssl->options.client_psk_cb == NULL) {
27934
                        WOLFSSL_MSG("No client PSK callback set");
27935
                        ERROR_OUT(PSK_KEY_ERROR, exit_scke);
27936
                    }
27937
27938
                #ifdef HAVE_CURVE25519
27939
                    if (ssl->peerX25519KeyPresent) {
27940
                        /* Check client ECC public key */
27941
                        if (!ssl->peerX25519Key || !ssl->peerX25519Key->dp) {
27942
                            ERROR_OUT(NO_PEER_KEY, exit_scke);
27943
                        }
27944
27945
                    #ifdef HAVE_PK_CALLBACKS
27946
                        /* if callback then use it for shared secret */
27947
                        if (ssl->ctx->X25519SharedSecretCb != NULL) {
27948
                            break;
27949
                        }
27950
                    #endif
27951
27952
                        /* create private key */
27953
                        ssl->hsType = DYNAMIC_TYPE_CURVE25519;
27954
                        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
27955
                        if (ret != 0) {
27956
                            goto exit_scke;
27957
                        }
27958
27959
                        ret = X25519MakeKey(ssl, (curve25519_key*)ssl->hsKey,
27960
                                            ssl->peerX25519Key);
27961
                        break;
27962
                    }
27963
                #endif
27964
                #ifdef HAVE_CURVE448
27965
                    if (ssl->peerX448KeyPresent) {
27966
                        /* Check client ECC public key */
27967
                        if (!ssl->peerX448Key) {
27968
                            ERROR_OUT(NO_PEER_KEY, exit_scke);
27969
                        }
27970
27971
                    #ifdef HAVE_PK_CALLBACKS
27972
                        /* if callback then use it for shared secret */
27973
                        if (ssl->ctx->X448SharedSecretCb != NULL) {
27974
                            break;
27975
                        }
27976
                    #endif
27977
27978
                        /* create private key */
27979
                        ssl->hsType = DYNAMIC_TYPE_CURVE448;
27980
                        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
27981
                        if (ret != 0) {
27982
                            goto exit_scke;
27983
                        }
27984
27985
                        ret = X448MakeKey(ssl, (curve448_key*)ssl->hsKey,
27986
                                          ssl->peerX448Key);
27987
                        break;
27988
                    }
27989
                #endif
27990
                    /* Check client ECC public key */
27991
                    if (!ssl->peerEccKey || !ssl->peerEccKeyPresent ||
27992
                                            !ssl->peerEccKey->dp) {
27993
                        ERROR_OUT(NO_PEER_KEY, exit_scke);
27994
                    }
27995
27996
                #ifdef HAVE_PK_CALLBACKS
27997
                    /* if callback then use it for shared secret */
27998
                    if (ssl->ctx->EccSharedSecretCb != NULL) {
27999
                        break;
28000
                    }
28001
                #endif
28002
28003
                    /* create ephemeral private key */
28004
                    ssl->hsType = DYNAMIC_TYPE_ECC;
28005
                    ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
28006
                    if (ret != 0) {
28007
                        goto exit_scke;
28008
                    }
28009
28010
                    ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, ssl->peerEccKey);
28011
28012
                    break;
28013
            #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
28014
0
            #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
28015
0
                                                          defined(HAVE_CURVE448)
28016
0
                case ecc_diffie_hellman_kea:
28017
0
                {
28018
0
                #ifdef HAVE_ECC
28019
0
                    ecc_key* peerKey;
28020
0
                #endif
28021
28022
            #ifdef HAVE_PK_CALLBACKS
28023
                    /* if callback then use it for shared secret */
28024
                #ifdef HAVE_CURVE25519
28025
                    if (ssl->ecdhCurveOID == ECC_X25519_OID) {
28026
                        if (ssl->ctx->X25519SharedSecretCb != NULL)
28027
                            break;
28028
                    }
28029
                    else
28030
                #endif
28031
                #ifdef HAVE_CURVE448
28032
                    if (ssl->ecdhCurveOID == ECC_X448_OID) {
28033
                        if (ssl->ctx->X448SharedSecretCb != NULL)
28034
                            break;
28035
                    }
28036
                    else
28037
                #endif
28038
                #ifdef HAVE_ECC
28039
                    if (ssl->ctx->EccSharedSecretCb != NULL) {
28040
                        break;
28041
                    }
28042
                    else
28043
                #endif
28044
                    {
28045
                    }
28046
            #endif /* HAVE_PK_CALLBACKS */
28047
28048
0
                #ifdef HAVE_CURVE25519
28049
0
                    if (ssl->peerX25519KeyPresent) {
28050
0
                        if (!ssl->peerX25519Key || !ssl->peerX25519Key->dp) {
28051
0
                            ERROR_OUT(NO_PEER_KEY, exit_scke);
28052
0
                        }
28053
28054
                        /* create private key */
28055
0
                        ssl->hsType = DYNAMIC_TYPE_CURVE25519;
28056
0
                        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
28057
0
                        if (ret != 0) {
28058
0
                            goto exit_scke;
28059
0
                        }
28060
28061
0
                        ret = X25519MakeKey(ssl, (curve25519_key*)ssl->hsKey,
28062
0
                                            ssl->peerX25519Key);
28063
0
                        break;
28064
0
                    }
28065
0
                #endif
28066
0
                #ifdef HAVE_CURVE448
28067
0
                    if (ssl->peerX448KeyPresent) {
28068
0
                        if (!ssl->peerX448Key) {
28069
0
                            ERROR_OUT(NO_PEER_KEY, exit_scke);
28070
0
                        }
28071
28072
                        /* create private key */
28073
0
                        ssl->hsType = DYNAMIC_TYPE_CURVE448;
28074
0
                        ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
28075
0
                        if (ret != 0) {
28076
0
                            goto exit_scke;
28077
0
                        }
28078
28079
0
                        ret = X448MakeKey(ssl, (curve448_key*)ssl->hsKey,
28080
0
                                          ssl->peerX448Key);
28081
0
                        break;
28082
0
                    }
28083
0
                #endif
28084
0
                #ifdef HAVE_ECC
28085
0
                    if (ssl->specs.static_ecdh) {
28086
                        /* Note: EccDsa is really fixed Ecc key here */
28087
0
                        if (!ssl->peerEccDsaKey || !ssl->peerEccDsaKeyPresent) {
28088
0
                            ERROR_OUT(NO_PEER_KEY, exit_scke);
28089
0
                        }
28090
0
                        peerKey = ssl->peerEccDsaKey;
28091
0
                    }
28092
0
                    else {
28093
0
                        if (!ssl->peerEccKey || !ssl->peerEccKeyPresent) {
28094
0
                            ERROR_OUT(NO_PEER_KEY, exit_scke);
28095
0
                        }
28096
0
                        peerKey = ssl->peerEccKey;
28097
0
                    }
28098
0
                    if (peerKey == NULL) {
28099
0
                        ERROR_OUT(NO_PEER_KEY, exit_scke);
28100
0
                    }
28101
28102
                    /* create ephemeral private key */
28103
0
                    ssl->hsType = DYNAMIC_TYPE_ECC;
28104
0
                    ret = AllocKey(ssl, ssl->hsType, &ssl->hsKey);
28105
0
                    if (ret != 0) {
28106
0
                        goto exit_scke;
28107
0
                    }
28108
28109
0
                    ret = EccMakeKey(ssl, (ecc_key*)ssl->hsKey, peerKey);
28110
0
                #endif
28111
28112
0
                    break;
28113
0
                }
28114
0
            #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
28115
28116
0
                default:
28117
0
                    ret = BAD_KEA_TYPE_E;
28118
0
            } /* switch(ssl->specs.kea) */
28119
28120
            /* Check for error */
28121
0
            if (ret != 0) {
28122
0
                goto exit_scke;
28123
0
            }
28124
28125
            /* Advance state and proceed */
28126
0
            ssl->options.asyncState = TLS_ASYNC_BUILD;
28127
0
        } /* case TLS_ASYNC_BEGIN */
28128
0
        FALL_THROUGH;
28129
28130
0
        case TLS_ASYNC_BUILD:
28131
0
        {
28132
0
            args->encSz = MAX_ENCRYPT_SZ;
28133
0
            args->encSecret = (byte*)XMALLOC(MAX_ENCRYPT_SZ, ssl->heap,
28134
0
                                                    DYNAMIC_TYPE_SECRET);
28135
0
            if (args->encSecret == NULL) {
28136
0
                ERROR_OUT(MEMORY_E, exit_scke);
28137
0
            }
28138
0
            if (ssl->arrays->preMasterSecret == NULL) {
28139
0
                ssl->arrays->preMasterSz = ENCRYPT_LEN;
28140
0
                ssl->arrays->preMasterSecret = (byte*)XMALLOC(ENCRYPT_LEN,
28141
0
                                                ssl->heap, DYNAMIC_TYPE_SECRET);
28142
0
                if (ssl->arrays->preMasterSecret == NULL) {
28143
0
                    ERROR_OUT(MEMORY_E, exit_scke);
28144
0
                }
28145
0
                XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN);
28146
0
            }
28147
28148
0
            switch(ssl->specs.kea)
28149
0
            {
28150
0
            #ifndef NO_RSA
28151
0
                case rsa_kea:
28152
0
                {
28153
                    #ifdef HAVE_PK_CALLBACKS
28154
                    if (ssl->ctx->GenPreMasterCb) {
28155
                        void* ctx = wolfSSL_GetGenPreMasterCtx(ssl);
28156
                        ret = ssl->ctx->GenPreMasterCb(ssl,
28157
                            ssl->arrays->preMasterSecret, ENCRYPT_LEN, ctx);
28158
                        if (ret != 0 && ret != PROTOCOLCB_UNAVAILABLE) {
28159
                            goto exit_scke;
28160
                        }
28161
                    }
28162
                    if (!ssl->ctx->GenPreMasterCb || ret == PROTOCOLCB_UNAVAILABLE)
28163
                    #endif
28164
0
                    {
28165
                        /* build PreMasterSecret with RNG data */
28166
0
                        ret = wc_RNG_GenerateBlock(ssl->rng,
28167
0
                            &ssl->arrays->preMasterSecret[VERSION_SZ],
28168
0
                            SECRET_LEN - VERSION_SZ);
28169
0
                        if (ret != 0) {
28170
0
                            goto exit_scke;
28171
0
                        }
28172
28173
0
                        ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
28174
0
                        ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
28175
28176
0
                        ssl->arrays->preMasterSz = SECRET_LEN;
28177
0
                    }
28178
0
                    break;
28179
0
                }
28180
0
            #endif /* !NO_RSA */
28181
0
            #ifndef NO_DH
28182
0
                case diffie_hellman_kea:
28183
0
                {
28184
0
                    ssl->buffers.sig.length = ENCRYPT_LEN;
28185
0
                    ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN,
28186
0
                                            ssl->heap, DYNAMIC_TYPE_SIGNATURE);
28187
0
                    if (ssl->buffers.sig.buffer == NULL) {
28188
0
                        ERROR_OUT(MEMORY_E, exit_scke);
28189
0
                    }
28190
28191
0
                    ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
28192
0
                                            (void**)&ssl->buffers.serverDH_Key);
28193
0
                    if (ret != 0) {
28194
0
                        goto exit_scke;
28195
0
                    }
28196
28197
#if defined(HAVE_FFDHE) && !defined(HAVE_PUBLIC_FFDHE)
28198
                    if (ssl->namedGroup) {
28199
                        ret = wc_DhSetNamedKey(ssl->buffers.serverDH_Key,
28200
                                ssl->namedGroup);
28201
                        if (ret != 0) {
28202
                            goto exit_scke;
28203
                        }
28204
                        ssl->buffers.sig.length =
28205
                            wc_DhGetNamedKeyMinSize(ssl->namedGroup);
28206
                    }
28207
                    else
28208
#endif
28209
0
                    #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
28210
0
                        !defined(WOLFSSL_OLD_PRIME_CHECK)
28211
0
                    if (ssl->options.dhDoKeyTest &&
28212
0
                        !ssl->options.dhKeyTested)
28213
0
                    {
28214
0
                        ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
28215
0
                            ssl->buffers.serverDH_P.buffer,
28216
0
                            ssl->buffers.serverDH_P.length,
28217
0
                            ssl->buffers.serverDH_G.buffer,
28218
0
                            ssl->buffers.serverDH_G.length,
28219
0
                            NULL, 0, 0, ssl->rng);
28220
0
                        if (ret != 0) {
28221
0
                            goto exit_scke;
28222
0
                        }
28223
0
                        ssl->options.dhKeyTested = 1;
28224
0
                    }
28225
0
                    else
28226
0
                    #endif
28227
0
                    {
28228
0
                        ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
28229
0
                            ssl->buffers.serverDH_P.buffer,
28230
0
                            ssl->buffers.serverDH_P.length,
28231
0
                            ssl->buffers.serverDH_G.buffer,
28232
0
                            ssl->buffers.serverDH_G.length);
28233
0
                        if (ret != 0) {
28234
0
                            goto exit_scke;
28235
0
                        }
28236
0
                    }
28237
28238
                    /* for DH, encSecret is Yc, agree is pre-master */
28239
0
                    ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,
28240
0
                        ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,
28241
0
                        args->encSecret, &args->encSz);
28242
28243
                    /* set the max agree result size */
28244
0
                    ssl->arrays->preMasterSz = ENCRYPT_LEN;
28245
0
                    break;
28246
0
                }
28247
0
            #endif /* !NO_DH */
28248
            #ifndef NO_PSK
28249
                case psk_kea:
28250
                {
28251
                    byte* pms = ssl->arrays->preMasterSecret;
28252
                    ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
28253
                        ssl->arrays->server_hint, ssl->arrays->client_identity,
28254
                        MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
28255
                    if (ssl->arrays->psk_keySz == 0 ||
28256
                        ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
28257
                        ERROR_OUT(PSK_KEY_ERROR, exit_scke);
28258
                    }
28259
                    ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */
28260
                    args->encSz = (word32)XSTRLEN(ssl->arrays->client_identity);
28261
                    if (args->encSz > MAX_PSK_ID_LEN) {
28262
                        ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
28263
                    }
28264
                    XMEMCPY(args->encSecret, ssl->arrays->client_identity,
28265
                                                                args->encSz);
28266
                    /* CLIENT: Pre-shared Key for peer authentication. */
28267
                    ssl->options.peerAuthGood = 1;
28268
28269
                    /* make psk pre master secret */
28270
                    /* length of key + length 0s + length of key + key */
28271
                    c16toa((word16)ssl->arrays->psk_keySz, pms);
28272
                    pms += OPAQUE16_LEN;
28273
                    XMEMSET(pms, 0, ssl->arrays->psk_keySz);
28274
                    pms += ssl->arrays->psk_keySz;
28275
                    c16toa((word16)ssl->arrays->psk_keySz, pms);
28276
                    pms += OPAQUE16_LEN;
28277
                    XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
28278
                    ssl->arrays->preMasterSz = (ssl->arrays->psk_keySz * 2) +
28279
                        (2 * OPAQUE16_LEN);
28280
                    ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
28281
                    ssl->arrays->psk_keySz = 0; /* No further need */
28282
                    break;
28283
                }
28284
            #endif /* !NO_PSK */
28285
            #if !defined(NO_DH) && !defined(NO_PSK)
28286
                case dhe_psk_kea:
28287
                {
28288
                    word32 esSz = 0;
28289
                    args->output = args->encSecret;
28290
28291
                    ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
28292
                         ssl->arrays->server_hint, ssl->arrays->client_identity,
28293
                         MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
28294
                    if (ssl->arrays->psk_keySz == 0 ||
28295
                                     ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
28296
                        ERROR_OUT(PSK_KEY_ERROR, exit_scke);
28297
                    }
28298
                    ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */
28299
                    esSz = (word32)XSTRLEN(ssl->arrays->client_identity);
28300
28301
                    if (esSz > MAX_PSK_ID_LEN) {
28302
                        ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
28303
                    }
28304
                    /* CLIENT: Pre-shared Key for peer authentication. */
28305
                    ssl->options.peerAuthGood = 1;
28306
28307
                    ssl->buffers.sig.length = ENCRYPT_LEN;
28308
                    ssl->buffers.sig.buffer = (byte*)XMALLOC(ENCRYPT_LEN,
28309
                                            ssl->heap, DYNAMIC_TYPE_SIGNATURE);
28310
                    if (ssl->buffers.sig.buffer == NULL) {
28311
                        ERROR_OUT(MEMORY_E, exit_scke);
28312
                    }
28313
28314
                    c16toa((word16)esSz, args->output);
28315
                    args->output += OPAQUE16_LEN;
28316
                    XMEMCPY(args->output, ssl->arrays->client_identity, esSz);
28317
                    args->output += esSz;
28318
                    args->length = args->encSz - esSz - OPAQUE16_LEN;
28319
                    args->encSz = esSz + OPAQUE16_LEN;
28320
28321
                    ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
28322
                                            (void**)&ssl->buffers.serverDH_Key);
28323
                    if (ret != 0) {
28324
                        goto exit_scke;
28325
                    }
28326
28327
                    #if !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \
28328
                        !defined(WOLFSSL_OLD_PRIME_CHECK)
28329
                    if (ssl->options.dhDoKeyTest &&
28330
                        !ssl->options.dhKeyTested)
28331
                    {
28332
                        ret = wc_DhSetCheckKey(ssl->buffers.serverDH_Key,
28333
                            ssl->buffers.serverDH_P.buffer,
28334
                            ssl->buffers.serverDH_P.length,
28335
                            ssl->buffers.serverDH_G.buffer,
28336
                            ssl->buffers.serverDH_G.length,
28337
                            NULL, 0, 0, ssl->rng);
28338
                        if (ret != 0) {
28339
                            goto exit_scke;
28340
                        }
28341
                        ssl->options.dhKeyTested = 1;
28342
                    }
28343
                    else
28344
                    #endif
28345
                    {
28346
                        ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
28347
                            ssl->buffers.serverDH_P.buffer,
28348
                            ssl->buffers.serverDH_P.length,
28349
                            ssl->buffers.serverDH_G.buffer,
28350
                            ssl->buffers.serverDH_G.length);
28351
                        if (ret != 0) {
28352
                            goto exit_scke;
28353
                        }
28354
                    }
28355
28356
                    /* for DH, encSecret is Yc, agree is pre-master */
28357
                    ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,
28358
                            ssl->buffers.sig.buffer,
28359
                            (word32*)&ssl->buffers.sig.length,
28360
                            args->output + OPAQUE16_LEN, &args->length);
28361
                    break;
28362
                }
28363
            #endif /* !NO_DH && !NO_PSK */
28364
            #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
28365
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
28366
                case ecdhe_psk_kea:
28367
                {
28368
                    word32 esSz = 0;
28369
                    args->output = args->encSecret;
28370
28371
                    /* Send PSK client identity */
28372
                    ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
28373
                         ssl->arrays->server_hint, ssl->arrays->client_identity,
28374
                         MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
28375
                    if (ssl->arrays->psk_keySz == 0 ||
28376
                                     ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
28377
                        ERROR_OUT(PSK_KEY_ERROR, exit_scke);
28378
                    }
28379
                    ssl->arrays->client_identity[MAX_PSK_ID_LEN] = '\0'; /* null term */
28380
                    esSz = (word32)XSTRLEN(ssl->arrays->client_identity);
28381
                    if (esSz > MAX_PSK_ID_LEN) {
28382
                        ERROR_OUT(CLIENT_ID_ERROR, exit_scke);
28383
                    }
28384
                    /* CLIENT: Pre-shared Key for peer authentication. */
28385
                    ssl->options.peerAuthGood = 1;
28386
28387
                    /* place size and identity in output buffer sz:identity */
28388
                    c16toa((word16)esSz, args->output);
28389
                    args->output += OPAQUE16_LEN;
28390
                    XMEMCPY(args->output, ssl->arrays->client_identity, esSz);
28391
                    args->output += esSz;
28392
                    args->encSz = esSz + OPAQUE16_LEN;
28393
28394
                    /* length is used for public key size */
28395
                    args->length = MAX_ENCRYPT_SZ;
28396
28397
                    /* Create shared ECC key leaving room at the beginning
28398
                       of buffer for size of shared key. */
28399
                    ssl->arrays->preMasterSz = ENCRYPT_LEN - OPAQUE16_LEN;
28400
28401
                #ifdef HAVE_CURVE25519
28402
                    if (ssl->ecdhCurveOID == ECC_X25519_OID) {
28403
                    #ifdef HAVE_PK_CALLBACKS
28404
                        /* if callback then use it for shared secret */
28405
                        if (ssl->ctx->X25519SharedSecretCb != NULL) {
28406
                            break;
28407
                        }
28408
                    #endif
28409
28410
                        ret = wc_curve25519_export_public_ex(
28411
                                (curve25519_key*)ssl->hsKey,
28412
                                args->output + OPAQUE8_LEN, &args->length,
28413
                                EC25519_LITTLE_ENDIAN);
28414
                        if (ret != 0) {
28415
                            ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
28416
                        }
28417
28418
                        break;
28419
                    }
28420
                #endif
28421
                #ifdef HAVE_CURVE448
28422
                    if (ssl->ecdhCurveOID == ECC_X448_OID) {
28423
                    #ifdef HAVE_PK_CALLBACKS
28424
                        /* if callback then use it for shared secret */
28425
                        if (ssl->ctx->X448SharedSecretCb != NULL) {
28426
                            break;
28427
                        }
28428
                    #endif
28429
28430
                        ret = wc_curve448_export_public_ex(
28431
                                (curve448_key*)ssl->hsKey,
28432
                                args->output + OPAQUE8_LEN, &args->length,
28433
                                EC448_LITTLE_ENDIAN);
28434
                        if (ret != 0) {
28435
                            ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
28436
                        }
28437
28438
                        break;
28439
                    }
28440
                #endif
28441
                #ifdef HAVE_PK_CALLBACKS
28442
                    /* if callback then use it for shared secret */
28443
                    if (ssl->ctx->EccSharedSecretCb != NULL) {
28444
                        break;
28445
                    }
28446
                #endif
28447
28448
                    /* Place ECC key in output buffer, leaving room for size */
28449
                    PRIVATE_KEY_UNLOCK();
28450
                    ret = wc_ecc_export_x963((ecc_key*)ssl->hsKey,
28451
                                    args->output + OPAQUE8_LEN, &args->length);
28452
                    PRIVATE_KEY_LOCK();
28453
                    if (ret != 0) {
28454
                        ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
28455
                    }
28456
28457
                    break;
28458
                }
28459
            #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
28460
0
            #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
28461
0
                                                          defined(HAVE_CURVE448)
28462
0
                case ecc_diffie_hellman_kea:
28463
0
                {
28464
0
                    ssl->arrays->preMasterSz = ENCRYPT_LEN;
28465
28466
0
                #ifdef HAVE_CURVE25519
28467
0
                    if (ssl->hsType == DYNAMIC_TYPE_CURVE25519) {
28468
                    #ifdef HAVE_PK_CALLBACKS
28469
                        /* if callback then use it for shared secret */
28470
                        if (ssl->ctx->X25519SharedSecretCb != NULL) {
28471
                            break;
28472
                        }
28473
                    #endif
28474
28475
0
                        ret = wc_curve25519_export_public_ex(
28476
0
                                (curve25519_key*)ssl->hsKey,
28477
0
                                args->encSecret + OPAQUE8_LEN, &args->encSz,
28478
0
                                EC25519_LITTLE_ENDIAN);
28479
0
                        if (ret != 0) {
28480
0
                            ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
28481
0
                        }
28482
28483
0
                        break;
28484
0
                    }
28485
0
                #endif
28486
0
                #ifdef HAVE_CURVE448
28487
0
                    if (ssl->hsType == DYNAMIC_TYPE_CURVE448) {
28488
                    #ifdef HAVE_PK_CALLBACKS
28489
                        /* if callback then use it for shared secret */
28490
                        if (ssl->ctx->X448SharedSecretCb != NULL) {
28491
                            break;
28492
                        }
28493
                    #endif
28494
28495
0
                        ret = wc_curve448_export_public_ex(
28496
0
                                (curve448_key*)ssl->hsKey,
28497
0
                                args->encSecret + OPAQUE8_LEN, &args->encSz,
28498
0
                                EC448_LITTLE_ENDIAN);
28499
0
                        if (ret != 0) {
28500
0
                            ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
28501
0
                        }
28502
28503
0
                        break;
28504
0
                    }
28505
0
                #endif
28506
0
                #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
28507
                #ifdef HAVE_PK_CALLBACKS
28508
                    /* if callback then use it for shared secret */
28509
                    if (ssl->ctx->EccSharedSecretCb != NULL) {
28510
                        break;
28511
                    }
28512
                #endif
28513
28514
                    /* Place ECC key in buffer, leaving room for size */
28515
0
                    PRIVATE_KEY_UNLOCK();
28516
0
                    ret = wc_ecc_export_x963((ecc_key*)ssl->hsKey,
28517
0
                                args->encSecret + OPAQUE8_LEN, &args->encSz);
28518
0
                    PRIVATE_KEY_LOCK();
28519
0
                    if (ret != 0) {
28520
0
                        ERROR_OUT(ECC_EXPORT_ERROR, exit_scke);
28521
0
                    }
28522
0
                #endif /* HAVE_ECC */
28523
0
                    break;
28524
0
                }
28525
0
            #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
28526
28527
0
                default:
28528
0
                    ret = BAD_KEA_TYPE_E;
28529
0
            } /* switch(ssl->specs.kea) */
28530
28531
            /* Check for error */
28532
0
            if (ret != 0) {
28533
0
                goto exit_scke;
28534
0
            }
28535
28536
            /* Advance state and proceed */
28537
0
            ssl->options.asyncState = TLS_ASYNC_DO;
28538
0
        } /* case TLS_ASYNC_BUILD */
28539
0
        FALL_THROUGH;
28540
28541
0
        case TLS_ASYNC_DO:
28542
0
        {
28543
0
            switch(ssl->specs.kea)
28544
0
            {
28545
0
            #ifndef NO_RSA
28546
0
                case rsa_kea:
28547
0
                {
28548
0
                        ret = RsaEnc(ssl,
28549
0
                            ssl->arrays->preMasterSecret, SECRET_LEN,
28550
0
                            args->encSecret, &args->encSz,
28551
0
                            ssl->peerRsaKey,
28552
                        #if defined(HAVE_PK_CALLBACKS)
28553
                            &ssl->buffers.peerRsaKey
28554
                        #else
28555
0
                            NULL
28556
0
                        #endif
28557
0
                        );
28558
28559
0
                    break;
28560
0
                }
28561
0
            #endif /* !NO_RSA */
28562
0
            #ifndef NO_DH
28563
0
                case diffie_hellman_kea:
28564
0
                {
28565
0
                    ret = DhAgree(ssl, ssl->buffers.serverDH_Key,
28566
0
                        ssl->buffers.sig.buffer, ssl->buffers.sig.length,
28567
0
                        ssl->buffers.serverDH_Pub.buffer,
28568
0
                        ssl->buffers.serverDH_Pub.length,
28569
0
                        ssl->arrays->preMasterSecret,
28570
0
                        &ssl->arrays->preMasterSz,
28571
0
                        ssl->buffers.serverDH_P.buffer,
28572
0
                        ssl->buffers.serverDH_P.length);
28573
0
                    break;
28574
0
                }
28575
0
            #endif /* !NO_DH */
28576
            #ifndef NO_PSK
28577
                case psk_kea:
28578
                {
28579
                    break;
28580
                }
28581
            #endif /* !NO_PSK */
28582
            #if !defined(NO_DH) && !defined(NO_PSK)
28583
                case dhe_psk_kea:
28584
                {
28585
                    ret = DhAgree(ssl, ssl->buffers.serverDH_Key,
28586
                        ssl->buffers.sig.buffer, ssl->buffers.sig.length,
28587
                        ssl->buffers.serverDH_Pub.buffer,
28588
                        ssl->buffers.serverDH_Pub.length,
28589
                        ssl->arrays->preMasterSecret + OPAQUE16_LEN,
28590
                        &ssl->arrays->preMasterSz,
28591
                        ssl->buffers.serverDH_P.buffer,
28592
                        ssl->buffers.serverDH_P.length);
28593
                    break;
28594
                }
28595
            #endif /* !NO_DH && !NO_PSK */
28596
            #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
28597
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
28598
                case ecdhe_psk_kea:
28599
                {
28600
                #ifdef HAVE_CURVE25519
28601
                    if (ssl->peerX25519KeyPresent) {
28602
                        ret = X25519SharedSecret(ssl,
28603
                            (curve25519_key*)ssl->hsKey, ssl->peerX25519Key,
28604
                            args->output + OPAQUE8_LEN, &args->length,
28605
                            ssl->arrays->preMasterSecret + OPAQUE16_LEN,
28606
                            &ssl->arrays->preMasterSz,
28607
                            WOLFSSL_CLIENT_END
28608
                        );
28609
                        if (!ssl->specs.static_ecdh
28610
                        #ifdef WOLFSSL_ASYNC_CRYPT
28611
                            && ret != WC_PENDING_E
28612
                        #endif
28613
                        ) {
28614
                            FreeKey(ssl, DYNAMIC_TYPE_CURVE25519,
28615
                                                   (void**)&ssl->peerX25519Key);
28616
                            ssl->peerX25519KeyPresent = 0;
28617
                        }
28618
                        break;
28619
                    }
28620
                #endif
28621
                #ifdef HAVE_CURVE448
28622
                    if (ssl->peerX448KeyPresent) {
28623
                        ret = X448SharedSecret(ssl,
28624
                            (curve448_key*)ssl->hsKey, ssl->peerX448Key,
28625
                            args->output + OPAQUE8_LEN, &args->length,
28626
                            ssl->arrays->preMasterSecret + OPAQUE16_LEN,
28627
                            &ssl->arrays->preMasterSz,
28628
                            WOLFSSL_CLIENT_END
28629
                        );
28630
                        if (!ssl->specs.static_ecdh
28631
                        #ifdef WOLFSSL_ASYNC_CRYPT
28632
                            && ret != WC_PENDING_E
28633
                        #endif
28634
                        ) {
28635
                            FreeKey(ssl, DYNAMIC_TYPE_CURVE448,
28636
                                                     (void**)&ssl->peerX448Key);
28637
                            ssl->peerX448KeyPresent = 0;
28638
                        }
28639
                        break;
28640
                    }
28641
                #endif
28642
                    ret = EccSharedSecret(ssl,
28643
                        (ecc_key*)ssl->hsKey, ssl->peerEccKey,
28644
                        args->output + OPAQUE8_LEN, &args->length,
28645
                        ssl->arrays->preMasterSecret + OPAQUE16_LEN,
28646
                        &ssl->arrays->preMasterSz,
28647
                        WOLFSSL_CLIENT_END
28648
                    );
28649
                #ifdef WOLFSSL_ASYNC_CRYPT
28650
                    if (ret != WC_PENDING_E)
28651
                #endif
28652
                    {
28653
                        FreeKey(ssl, DYNAMIC_TYPE_ECC,
28654
                                                      (void**)&ssl->peerEccKey);
28655
                        ssl->peerEccKeyPresent = 0;
28656
                    }
28657
                    break;
28658
                }
28659
            #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
28660
0
            #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
28661
0
                                                          defined(HAVE_CURVE448)
28662
0
                case ecc_diffie_hellman_kea:
28663
0
                {
28664
0
                #ifdef HAVE_ECC
28665
0
                    ecc_key* peerKey;
28666
0
                #endif
28667
28668
0
                #ifdef HAVE_CURVE25519
28669
0
                    if (ssl->peerX25519KeyPresent) {
28670
0
                        ret = X25519SharedSecret(ssl,
28671
0
                            (curve25519_key*)ssl->hsKey, ssl->peerX25519Key,
28672
0
                            args->encSecret + OPAQUE8_LEN, &args->encSz,
28673
0
                            ssl->arrays->preMasterSecret,
28674
0
                            &ssl->arrays->preMasterSz,
28675
0
                            WOLFSSL_CLIENT_END
28676
0
                        );
28677
0
                        if (!ssl->specs.static_ecdh
28678
                        #ifdef WOLFSSL_ASYNC_CRYPT
28679
                            && ret != WC_PENDING_E
28680
                        #endif
28681
0
                        ) {
28682
0
                            FreeKey(ssl, DYNAMIC_TYPE_CURVE25519,
28683
0
                                                   (void**)&ssl->peerX25519Key);
28684
0
                            ssl->peerX25519KeyPresent = 0;
28685
0
                        }
28686
0
                        break;
28687
0
                    }
28688
0
                #endif
28689
0
                #ifdef HAVE_CURVE448
28690
0
                    if (ssl->peerX448KeyPresent) {
28691
0
                        ret = X448SharedSecret(ssl,
28692
0
                            (curve448_key*)ssl->hsKey, ssl->peerX448Key,
28693
0
                            args->encSecret + OPAQUE8_LEN, &args->encSz,
28694
0
                            ssl->arrays->preMasterSecret,
28695
0
                            &ssl->arrays->preMasterSz,
28696
0
                            WOLFSSL_CLIENT_END
28697
0
                        );
28698
0
                        if (!ssl->specs.static_ecdh
28699
                        #ifdef WOLFSSL_ASYNC_CRYPT
28700
                            && ret != WC_PENDING_E
28701
                        #endif
28702
0
                        ) {
28703
0
                            FreeKey(ssl, DYNAMIC_TYPE_CURVE448,
28704
0
                                                     (void**)&ssl->peerX448Key);
28705
0
                            ssl->peerX448KeyPresent = 0;
28706
0
                        }
28707
0
                        break;
28708
0
                    }
28709
0
                #endif
28710
0
                #ifdef HAVE_ECC
28711
0
                    peerKey = (ssl->specs.static_ecdh) ?
28712
0
                              ssl->peerEccDsaKey : ssl->peerEccKey;
28713
28714
0
                    ret = EccSharedSecret(ssl,
28715
0
                        (ecc_key*)ssl->hsKey, peerKey,
28716
0
                        args->encSecret + OPAQUE8_LEN, &args->encSz,
28717
0
                        ssl->arrays->preMasterSecret,
28718
0
                        &ssl->arrays->preMasterSz,
28719
0
                        WOLFSSL_CLIENT_END
28720
0
                    );
28721
0
                    if (!ssl->specs.static_ecdh
28722
                #ifdef WOLFSSL_ASYNC_CRYPT
28723
                        && ret != WC_PENDING_E
28724
                #endif
28725
0
                     && !ssl->options.keepResources) {
28726
0
                        FreeKey(ssl, DYNAMIC_TYPE_ECC,
28727
0
                                                      (void**)&ssl->peerEccKey);
28728
0
                        ssl->peerEccKeyPresent = 0;
28729
0
                    }
28730
0
                #endif
28731
28732
0
                    break;
28733
0
                }
28734
0
            #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
28735
28736
0
                default:
28737
0
                    ret = BAD_KEA_TYPE_E;
28738
0
            } /* switch(ssl->specs.kea) */
28739
28740
            /* Check for error */
28741
0
            if (ret != 0) {
28742
0
                goto exit_scke;
28743
0
            }
28744
28745
            /* Advance state and proceed */
28746
0
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
28747
0
        } /* case TLS_ASYNC_DO */
28748
0
        FALL_THROUGH;
28749
28750
0
        case TLS_ASYNC_VERIFY:
28751
0
        {
28752
0
            switch(ssl->specs.kea)
28753
0
            {
28754
0
            #ifndef NO_RSA
28755
0
                case rsa_kea:
28756
0
                {
28757
0
                    break;
28758
0
                }
28759
0
            #endif /* !NO_RSA */
28760
0
            #ifndef NO_DH
28761
0
                case diffie_hellman_kea:
28762
0
                {
28763
0
                    break;
28764
0
                }
28765
0
            #endif /* !NO_DH */
28766
            #ifndef NO_PSK
28767
                case psk_kea:
28768
                {
28769
                    break;
28770
                }
28771
            #endif /* !NO_PSK */
28772
            #if !defined(NO_DH) && !defined(NO_PSK)
28773
                case dhe_psk_kea:
28774
                {
28775
                    byte* pms = ssl->arrays->preMasterSecret;
28776
28777
                    /* validate args */
28778
                    if (args->output == NULL || args->length == 0) {
28779
                        ERROR_OUT(BAD_FUNC_ARG, exit_scke);
28780
                    }
28781
28782
                    c16toa((word16)args->length, args->output);
28783
                    args->encSz += args->length + OPAQUE16_LEN;
28784
                    c16toa((word16)ssl->arrays->preMasterSz, pms);
28785
                    ssl->arrays->preMasterSz += OPAQUE16_LEN;
28786
                    pms += ssl->arrays->preMasterSz;
28787
28788
                    /* make psk pre master secret */
28789
                    /* length of key + length 0s + length of key + key */
28790
                    c16toa((word16)ssl->arrays->psk_keySz, pms);
28791
                    pms += OPAQUE16_LEN;
28792
                    XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
28793
                    ssl->arrays->preMasterSz +=
28794
                                         ssl->arrays->psk_keySz + OPAQUE16_LEN;
28795
                    ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
28796
                    ssl->arrays->psk_keySz = 0; /* No further need */
28797
                    break;
28798
                }
28799
            #endif /* !NO_DH && !NO_PSK */
28800
            #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
28801
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
28802
                case ecdhe_psk_kea:
28803
                {
28804
                    byte* pms = ssl->arrays->preMasterSecret;
28805
28806
                    /* validate args */
28807
                    if (args->output == NULL || args->length > ENCRYPT_LEN) {
28808
                        ERROR_OUT(BAD_FUNC_ARG, exit_scke);
28809
                    }
28810
28811
                    /* place size of public key in output buffer */
28812
                    *args->output = (byte)args->length;
28813
                    args->encSz += args->length + OPAQUE8_LEN;
28814
28815
                    /* Create pre master secret is the concatenation of
28816
                       eccSize + eccSharedKey + pskSize + pskKey */
28817
                    c16toa((word16)ssl->arrays->preMasterSz, pms);
28818
                    ssl->arrays->preMasterSz += OPAQUE16_LEN;
28819
                    pms += ssl->arrays->preMasterSz;
28820
28821
                    c16toa((word16)ssl->arrays->psk_keySz, pms);
28822
                    pms += OPAQUE16_LEN;
28823
                    XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
28824
                    ssl->arrays->preMasterSz +=
28825
                                          ssl->arrays->psk_keySz + OPAQUE16_LEN;
28826
28827
                    ForceZero(ssl->arrays->psk_key, ssl->arrays->psk_keySz);
28828
                    ssl->arrays->psk_keySz = 0; /* No further need */
28829
                    break;
28830
                }
28831
            #endif /* (HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448) && !NO_PSK */
28832
0
            #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
28833
0
                                                          defined(HAVE_CURVE448)
28834
0
                case ecc_diffie_hellman_kea:
28835
0
                {
28836
                    /* place size of public key in buffer */
28837
0
                    *args->encSecret = (byte)args->encSz;
28838
0
                    args->encSz += OPAQUE8_LEN;
28839
0
                    break;
28840
0
                }
28841
0
            #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
28842
28843
0
                default:
28844
0
                    ret = BAD_KEA_TYPE_E;
28845
0
            } /* switch(ssl->specs.kea) */
28846
28847
            /* Check for error */
28848
0
            if (ret != 0) {
28849
0
                goto exit_scke;
28850
0
            }
28851
28852
            /* Advance state and proceed */
28853
0
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
28854
0
        } /* case TLS_ASYNC_VERIFY */
28855
0
        FALL_THROUGH;
28856
28857
0
        case TLS_ASYNC_FINALIZE:
28858
0
        {
28859
0
            word32 tlsSz = 0;
28860
0
            word32 idx = 0;
28861
28862
0
            if (ssl->options.tls || ssl->specs.kea == diffie_hellman_kea) {
28863
0
                tlsSz = 2;
28864
0
            }
28865
28866
0
            if (ssl->specs.kea == ecc_diffie_hellman_kea ||
28867
0
                ssl->specs.kea == dhe_psk_kea ||
28868
0
                ssl->specs.kea == ecdhe_psk_kea) { /* always off */
28869
0
                tlsSz = 0;
28870
0
            }
28871
28872
0
            idx = HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
28873
0
            args->sendSz = args->encSz + tlsSz + idx;
28874
28875
        #ifdef WOLFSSL_DTLS
28876
            if (ssl->options.dtls) {
28877
                idx    += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
28878
                args->sendSz += DTLS_HANDSHAKE_EXTRA + DTLS_RECORD_EXTRA;
28879
            }
28880
        #endif
28881
28882
0
            if (IsEncryptionOn(ssl, 1)) {
28883
0
                args->sendSz += MAX_MSG_EXTRA;
28884
0
            }
28885
28886
            /* check for available size */
28887
0
            if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0)
28888
0
                goto exit_scke;
28889
28890
            /* get output buffer */
28891
0
            args->output = ssl->buffers.outputBuffer.buffer +
28892
0
                           ssl->buffers.outputBuffer.length;
28893
28894
0
            AddHeaders(args->output, args->encSz + tlsSz, client_key_exchange, ssl);
28895
28896
0
            if (tlsSz) {
28897
0
                c16toa((word16)args->encSz, &args->output[idx]);
28898
0
                idx += OPAQUE16_LEN;
28899
0
            }
28900
0
            XMEMCPY(args->output + idx, args->encSecret, args->encSz);
28901
0
            idx += args->encSz;
28902
28903
0
            if (IsEncryptionOn(ssl, 1)) {
28904
0
                int recordHeaderSz = RECORD_HEADER_SZ;
28905
28906
0
                if (ssl->options.dtls)
28907
0
                    recordHeaderSz += DTLS_RECORD_EXTRA;
28908
0
                args->inputSz = idx - recordHeaderSz; /* buildmsg adds rechdr */
28909
0
                args->input = (byte*)XMALLOC(args->inputSz, ssl->heap,
28910
0
                                                       DYNAMIC_TYPE_IN_BUFFER);
28911
0
                if (args->input == NULL) {
28912
0
                    ERROR_OUT(MEMORY_E, exit_scke);
28913
0
                }
28914
28915
0
                XMEMCPY(args->input, args->output + recordHeaderSz,
28916
0
                                                                args->inputSz);
28917
0
            }
28918
28919
            /* Advance state and proceed */
28920
0
            ssl->options.asyncState = TLS_ASYNC_END;
28921
0
        } /* case TLS_ASYNC_FINALIZE */
28922
0
        FALL_THROUGH;
28923
28924
0
        case TLS_ASYNC_END:
28925
0
        {
28926
0
            if (IsEncryptionOn(ssl, 1)) {
28927
            #ifdef WOLFSSL_DTLS
28928
                if (IsDtlsNotSctpMode(ssl) &&
28929
                        (ret = DtlsMsgPoolSave(ssl, args->input, args->inputSz, client_key_exchange)) != 0) {
28930
                    goto exit_scke;
28931
                }
28932
            #endif
28933
0
                ret = BuildMessage(ssl, args->output, args->sendSz,
28934
0
                            args->input, args->inputSz, handshake, 1, 0, 0, CUR_ORDER);
28935
0
                XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
28936
0
                args->input = NULL; /* make sure its not double free'd on cleanup */
28937
28938
0
                if (ret >= 0) {
28939
0
                    args->sendSz = ret;
28940
0
                    ret = 0;
28941
0
                }
28942
0
            }
28943
0
            else {
28944
            #ifdef WOLFSSL_DTLS
28945
                if (IsDtlsNotSctpMode(ssl)) {
28946
                    if ((ret = DtlsMsgPoolSave(ssl, args->output, args->sendSz, client_key_exchange)) != 0) {
28947
                        goto exit_scke;
28948
                    }
28949
                }
28950
                if (ssl->options.dtls)
28951
                    DtlsSEQIncrement(ssl, CUR_ORDER);
28952
            #endif
28953
0
                ret = HashOutput(ssl, args->output, args->sendSz, 0);
28954
0
            }
28955
28956
0
            if (ret != 0) {
28957
0
                goto exit_scke;
28958
0
            }
28959
28960
0
        #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
28961
0
            if (ssl->hsInfoOn)
28962
0
                AddPacketName(ssl, "ClientKeyExchange");
28963
0
            if (ssl->toInfoOn)
28964
0
                AddPacketInfo(ssl, "ClientKeyExchange", handshake,
28965
0
                            args->output, args->sendSz, WRITE_PROTO, ssl->heap);
28966
0
        #endif
28967
28968
0
            ssl->buffers.outputBuffer.length += args->sendSz;
28969
28970
0
            if (!ssl->options.groupMessages) {
28971
0
                ret = SendBuffered(ssl);
28972
0
            }
28973
0
            if (ret == 0 || ret == WANT_WRITE) {
28974
0
                int tmpRet = MakeMasterSecret(ssl);
28975
0
                if (tmpRet != 0) {
28976
0
                    ret = tmpRet;   /* save WANT_WRITE unless more serious */
28977
0
                }
28978
0
                ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
28979
0
                ssl->options.buildingMsg = 0;
28980
0
            }
28981
        #if defined(OPENSSL_EXTRA) && defined(HAVE_SECRET_CALLBACK)
28982
            if (ssl->keyLogCb != NULL) {
28983
                int secretSz = SECRET_LEN;
28984
                ret = ssl->keyLogCb(ssl, ssl->arrays->masterSecret, &secretSz,
28985
                                                                        NULL);
28986
                if (ret != 0 || secretSz != SECRET_LEN)
28987
                    return SESSION_SECRET_CB_E;
28988
            }
28989
        #endif /* OPENSSL_EXTRA && HAVE_SECRET_CALLBACK */
28990
0
            break;
28991
0
        }
28992
0
        default:
28993
0
            ret = INPUT_CASE_ERROR;
28994
0
    } /* switch(ssl->options.asyncState) */
28995
28996
0
exit_scke:
28997
28998
0
    WOLFSSL_LEAVE("SendClientKeyExchange", ret);
28999
0
    WOLFSSL_END(WC_FUNC_CLIENT_KEY_EXCHANGE_SEND);
29000
29001
0
#ifdef WOLFSSL_ASYNC_IO
29002
    /* Handle async operation */
29003
0
    if (ret == WC_PENDING_E || ret == WANT_WRITE) {
29004
0
        if (ssl->options.buildingMsg)
29005
0
            return ret;
29006
        /* If we have completed all states then we will not enter this function
29007
         * again. We need to do clean up now. */
29008
0
    }
29009
0
#endif
29010
29011
    /* No further need for PMS */
29012
0
    if (ssl->arrays->preMasterSecret != NULL) {
29013
0
        ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
29014
0
    }
29015
0
    ssl->arrays->preMasterSz = 0;
29016
29017
    /* Final cleanup */
29018
0
#ifdef WOLFSSL_ASYNC_IO
29019
    /* Cleanup async */
29020
0
    FreeAsyncCtx(ssl, 0);
29021
#else
29022
    FreeSckeArgs(ssl, args);
29023
#endif
29024
0
    FreeKeyExchange(ssl);
29025
29026
0
    if (ret != 0) {
29027
0
        WOLFSSL_ERROR_VERBOSE(ret);
29028
0
    }
29029
0
    return ret;
29030
0
}
29031
29032
#endif /* !WOLFSSL_NO_TLS12 */
29033
29034
#ifndef NO_CERTS
29035
29036
#ifndef WOLFSSL_NO_TLS12
29037
29038
#ifndef WOLFSSL_NO_CLIENT_AUTH
29039
typedef struct ScvArgs {
29040
    byte*  output; /* not allocated */
29041
#ifndef NO_RSA
29042
    byte*  verifySig;
29043
#endif
29044
    byte*  verify; /* not allocated */
29045
    byte*  input;
29046
    word32 idx;
29047
    word32 extraSz;
29048
    word32 sigSz;
29049
    int    sendSz;
29050
    int    inputSz;
29051
    word16 length;
29052
    byte   sigAlgo;
29053
} ScvArgs;
29054
29055
static void FreeScvArgs(WOLFSSL* ssl, void* pArgs)
29056
0
{
29057
0
    ScvArgs* args = (ScvArgs*)pArgs;
29058
29059
0
    (void)ssl;
29060
29061
0
#ifndef NO_RSA
29062
0
    if (args->verifySig) {
29063
0
        XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
29064
0
        args->verifySig = NULL;
29065
0
    }
29066
0
#endif
29067
0
    if (args->input) {
29068
0
        XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
29069
0
        args->input = NULL;
29070
0
    }
29071
0
}
29072
29073
/* handle generation of certificate_verify (15) */
29074
int SendCertificateVerify(WOLFSSL* ssl)
29075
0
{
29076
0
    int ret = 0;
29077
0
#ifdef WOLFSSL_ASYNC_IO
29078
0
    ScvArgs* args = NULL;
29079
0
    WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
29080
#else
29081
    ScvArgs  args[1];
29082
#endif
29083
29084
0
    WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_SEND);
29085
0
    WOLFSSL_ENTER("SendCertificateVerify");
29086
29087
0
#ifdef WOLFSSL_ASYNC_IO
29088
0
    if (ssl->async == NULL) {
29089
0
        ssl->async = (struct WOLFSSL_ASYNC*)
29090
0
                XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
29091
0
                        DYNAMIC_TYPE_ASYNC);
29092
0
        if (ssl->async == NULL)
29093
0
            ERROR_OUT(MEMORY_E, exit_scv);
29094
0
    }
29095
0
    args = (ScvArgs*)ssl->async->args;
29096
#ifdef WOLFSSL_ASYNC_CRYPT
29097
    /* BuildMessage does its own Pop */
29098
    if (ssl->error != WC_PENDING_E ||
29099
            ssl->options.asyncState != TLS_ASYNC_END)
29100
        ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
29101
    if (ret != WC_NOT_PENDING_E) {
29102
        /* Check for error */
29103
        if (ret < 0)
29104
            goto exit_scv;
29105
    }
29106
    else
29107
#endif
29108
0
    if (ssl->options.buildingMsg) {
29109
        /* We should be in the sending state. */
29110
0
        if (ssl->options.asyncState != TLS_ASYNC_END) {
29111
0
            ret = BAD_STATE_E;
29112
0
            goto exit_scv;
29113
0
        }
29114
0
    }
29115
0
    else
29116
0
#endif
29117
0
    {
29118
        /* Reset state */
29119
0
        ret = 0;
29120
0
        ssl->options.asyncState = TLS_ASYNC_BEGIN;
29121
0
        XMEMSET(args, 0, sizeof(ScvArgs));
29122
0
    #ifdef WOLFSSL_ASYNC_IO
29123
0
        ssl->async->freeArgs = FreeScvArgs;
29124
0
    #endif
29125
0
    }
29126
29127
0
    switch(ssl->options.asyncState)
29128
0
    {
29129
0
        case TLS_ASYNC_BEGIN:
29130
0
        {
29131
0
            if (ssl->options.sendVerify == SEND_BLANK_CERT) {
29132
0
                return 0;  /* sent blank cert, can't verify */
29133
0
            }
29134
29135
0
            args->sendSz = MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA;
29136
0
            if (IsEncryptionOn(ssl, 1)) {
29137
0
                args->sendSz += MAX_MSG_EXTRA;
29138
0
            }
29139
29140
            /* Use tmp buffer */
29141
0
            args->input = (byte*)XMALLOC(args->sendSz,
29142
0
                    ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
29143
0
            if (args->input == NULL)
29144
0
                ERROR_OUT(MEMORY_E, exit_scv);
29145
0
            args->output = args->input;
29146
29147
            /* Advance state and proceed */
29148
0
            ssl->options.asyncState = TLS_ASYNC_BUILD;
29149
0
        } /* case TLS_ASYNC_BEGIN */
29150
0
        FALL_THROUGH;
29151
29152
0
        case TLS_ASYNC_BUILD:
29153
0
        {
29154
0
            ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes);
29155
0
            if (ret != 0) {
29156
0
                goto exit_scv;
29157
0
            }
29158
29159
0
            if (ssl->buffers.key == NULL) {
29160
            #ifdef HAVE_PK_CALLBACKS
29161
                if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
29162
                    args->length = GetPrivateKeySigSize(ssl);
29163
                else
29164
            #endif
29165
0
                    ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
29166
0
            }
29167
0
            else {
29168
                /* Decode private key. */
29169
0
                ret = DecodePrivateKey(ssl, &args->length);
29170
0
                if (ret != 0) {
29171
0
                    goto exit_scv;
29172
0
                }
29173
0
            }
29174
29175
0
            if (args->length == 0) {
29176
0
                ERROR_OUT(NO_PRIVATE_KEY, exit_scv);
29177
0
            }
29178
29179
            /* idx is used to track verify pointer offset to output */
29180
0
            args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
29181
0
            args->verify = &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];
29182
0
            args->extraSz = 0;  /* tls 1.2 hash/sig */
29183
29184
            /* build encoded signature buffer */
29185
0
            ssl->buffers.sig.length = MAX_ENCODED_SIG_SZ;
29186
0
            ssl->buffers.sig.buffer = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
29187
0
                                        ssl->heap, DYNAMIC_TYPE_SIGNATURE);
29188
0
            if (ssl->buffers.sig.buffer == NULL) {
29189
0
                ERROR_OUT(MEMORY_E, exit_scv);
29190
0
            }
29191
29192
        #ifdef WOLFSSL_DTLS
29193
            if (ssl->options.dtls) {
29194
                args->idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
29195
                args->verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
29196
            }
29197
        #endif
29198
29199
0
    #ifndef NO_OLD_TLS
29200
0
        #ifndef NO_SHA
29201
            /* old tls default */
29202
0
            SetDigest(ssl, sha_mac);
29203
0
        #endif
29204
    #else
29205
        #ifndef NO_SHA256
29206
            /* new tls default */
29207
            SetDigest(ssl, sha256_mac);
29208
        #endif
29209
    #endif /* !NO_OLD_TLS */
29210
29211
0
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
29212
0
        #ifdef WC_RSA_PSS
29213
0
                if (IsAtLeastTLSv1_2(ssl) &&
29214
0
                                (ssl->pssAlgo & (1 << ssl->suites->hashAlgo))) {
29215
0
                    args->sigAlgo = rsa_pss_sa_algo;
29216
0
                }
29217
0
                else
29218
0
        #endif
29219
0
                    args->sigAlgo = rsa_sa_algo;
29220
0
            }
29221
0
            else if (ssl->hsType == DYNAMIC_TYPE_ECC)
29222
0
                args->sigAlgo = ecc_dsa_sa_algo;
29223
0
            else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
29224
0
                args->sigAlgo = ed25519_sa_algo;
29225
0
            else if (ssl->hsType == DYNAMIC_TYPE_ED448)
29226
0
                args->sigAlgo = ed448_sa_algo;
29227
29228
0
            if (IsAtLeastTLSv1_2(ssl)) {
29229
0
                EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo,
29230
0
                             args->verify);
29231
0
                args->extraSz = HASH_SIG_SIZE;
29232
0
                SetDigest(ssl, ssl->suites->hashAlgo);
29233
0
            }
29234
0
        #ifndef NO_OLD_TLS
29235
0
            else {
29236
                /* if old TLS load MD5 and SHA hash as value to sign
29237
                 * MD5 and SHA must be first two buffers in stucture */
29238
0
                XMEMCPY(ssl->buffers.sig.buffer,
29239
0
                                (byte*)&ssl->hsHashes->certHashes, FINISHED_SZ);
29240
0
            }
29241
0
        #endif
29242
29243
0
        #ifndef NO_RSA
29244
0
            if (args->sigAlgo == rsa_sa_algo) {
29245
0
                ssl->buffers.sig.length = FINISHED_SZ;
29246
0
                args->sigSz = ENCRYPT_LEN;
29247
29248
0
                if (IsAtLeastTLSv1_2(ssl)) {
29249
0
                    ssl->buffers.sig.length = wc_EncodeSignature(
29250
0
                            ssl->buffers.sig.buffer, ssl->buffers.digest.buffer,
29251
0
                            ssl->buffers.digest.length,
29252
0
                            TypeHash(ssl->suites->hashAlgo));
29253
0
                }
29254
29255
                /* prepend hdr */
29256
0
                c16toa(args->length, args->verify + args->extraSz);
29257
0
            }
29258
0
            #ifdef WC_RSA_PSS
29259
0
            else if (args->sigAlgo == rsa_pss_sa_algo) {
29260
0
                XMEMCPY(ssl->buffers.sig.buffer, ssl->buffers.digest.buffer,
29261
0
                        ssl->buffers.digest.length);
29262
0
                ssl->buffers.sig.length = ssl->buffers.digest.length;
29263
0
                args->sigSz = ENCRYPT_LEN;
29264
29265
                /* prepend hdr */
29266
0
                c16toa(args->length, args->verify + args->extraSz);
29267
0
            }
29268
0
            #endif
29269
0
        #endif /* !NO_RSA */
29270
0
        #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
29271
0
            if (args->sigAlgo == ed25519_sa_algo) {
29272
0
                ret = Ed25519CheckPubKey(ssl);
29273
0
                if (ret != 0)
29274
0
                    goto exit_scv;
29275
0
            }
29276
0
        #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
29277
0
        #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
29278
0
            if (args->sigAlgo == ed448_sa_algo) {
29279
0
                ret = Ed448CheckPubKey(ssl);
29280
0
                if (ret != 0)
29281
0
                    goto exit_scv;
29282
0
            }
29283
0
        #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
29284
29285
            /* Advance state and proceed */
29286
0
            ssl->options.asyncState = TLS_ASYNC_DO;
29287
0
        } /* case TLS_ASYNC_BUILD */
29288
0
        FALL_THROUGH;
29289
29290
0
        case TLS_ASYNC_DO:
29291
0
        {
29292
0
        #ifdef HAVE_ECC
29293
0
           if (ssl->hsType == DYNAMIC_TYPE_ECC) {
29294
0
                ecc_key* key = (ecc_key*)ssl->hsKey;
29295
29296
0
                ret = EccSign(ssl,
29297
0
                    ssl->buffers.digest.buffer, ssl->buffers.digest.length,
29298
0
                    ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,
29299
0
                    key,
29300
            #ifdef HAVE_PK_CALLBACKS
29301
                    ssl->buffers.key
29302
            #else
29303
0
                    NULL
29304
0
            #endif
29305
0
                );
29306
0
            }
29307
0
        #endif /* HAVE_ECC */
29308
0
        #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
29309
0
           if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
29310
0
                ed25519_key* key = (ed25519_key*)ssl->hsKey;
29311
29312
0
                ret = Ed25519Sign(ssl,
29313
0
                    ssl->hsHashes->messages, ssl->hsHashes->length,
29314
0
                    ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,
29315
0
                    key,
29316
            #ifdef HAVE_PK_CALLBACKS
29317
                    ssl->buffers.key
29318
            #else
29319
0
                    NULL
29320
0
            #endif
29321
0
                );
29322
0
            }
29323
0
        #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
29324
0
        #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
29325
0
           if (ssl->hsType == DYNAMIC_TYPE_ED448) {
29326
0
                ed448_key* key = (ed448_key*)ssl->hsKey;
29327
29328
0
                ret = Ed448Sign(ssl,
29329
0
                    ssl->hsHashes->messages, ssl->hsHashes->length,
29330
0
                    ssl->buffers.sig.buffer, (word32*)&ssl->buffers.sig.length,
29331
0
                    key,
29332
            #ifdef HAVE_PK_CALLBACKS
29333
                    ssl->buffers.key
29334
            #else
29335
0
                    NULL
29336
0
            #endif
29337
0
                );
29338
0
            }
29339
0
        #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
29340
0
        #ifndef NO_RSA
29341
0
            if (ssl->hsType == DYNAMIC_TYPE_RSA) {
29342
0
                RsaKey* key = (RsaKey*)ssl->hsKey;
29343
29344
                /* restore verify pointer */
29345
0
                args->verify = &args->output[args->idx];
29346
29347
0
                ret = RsaSign(ssl,
29348
0
                    ssl->buffers.sig.buffer, ssl->buffers.sig.length,
29349
0
                    args->verify + args->extraSz + VERIFY_HEADER, &args->sigSz,
29350
0
                    args->sigAlgo, ssl->suites->hashAlgo, key,
29351
0
                    ssl->buffers.key
29352
0
                );
29353
0
            }
29354
0
        #endif /* !NO_RSA */
29355
29356
            /* Check for error */
29357
0
            if (ret != 0) {
29358
0
                goto exit_scv;
29359
0
            }
29360
29361
            /* Advance state and proceed */
29362
0
            ssl->options.asyncState = TLS_ASYNC_VERIFY;
29363
0
        } /* case TLS_ASYNC_DO */
29364
0
        FALL_THROUGH;
29365
29366
0
        case TLS_ASYNC_VERIFY:
29367
0
        {
29368
            /* restore verify pointer */
29369
0
            args->verify = &args->output[args->idx];
29370
29371
0
            switch (ssl->hsType) {
29372
0
        #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448)
29373
0
            #ifdef HAVE_ECC
29374
0
                case DYNAMIC_TYPE_ECC:
29375
0
            #endif
29376
0
            #ifdef HAVE_ED25519
29377
0
                case DYNAMIC_TYPE_ED25519:
29378
0
            #endif
29379
0
            #ifdef HAVE_ED448
29380
0
                case DYNAMIC_TYPE_ED448:
29381
0
            #endif
29382
0
                    args->length = (word16)ssl->buffers.sig.length;
29383
                    /* prepend hdr */
29384
0
                    c16toa(args->length, args->verify + args->extraSz);
29385
0
                    XMEMCPY(args->verify + args->extraSz + VERIFY_HEADER,
29386
0
                            ssl->buffers.sig.buffer, ssl->buffers.sig.length);
29387
0
                    break;
29388
0
        #endif
29389
0
            #ifndef NO_RSA
29390
0
                case DYNAMIC_TYPE_RSA:
29391
0
                {
29392
0
                    RsaKey* key = (RsaKey*)ssl->hsKey;
29393
29394
0
                    if (args->verifySig == NULL) {
29395
0
                        args->verifySig = (byte*)XMALLOC(args->sigSz, ssl->heap,
29396
0
                                          DYNAMIC_TYPE_SIGNATURE);
29397
0
                        if (args->verifySig == NULL) {
29398
0
                            ERROR_OUT(MEMORY_E, exit_scv);
29399
0
                        }
29400
0
                        XMEMCPY(args->verifySig, args->verify + args->extraSz +
29401
0
                                                    VERIFY_HEADER, args->sigSz);
29402
0
                    }
29403
29404
                    /* check for signature faults */
29405
0
                    ret = VerifyRsaSign(ssl,
29406
0
                        args->verifySig, args->sigSz,
29407
0
                        ssl->buffers.sig.buffer, ssl->buffers.sig.length,
29408
0
                        args->sigAlgo, ssl->suites->hashAlgo, key,
29409
0
                        ssl->buffers.key
29410
0
                    );
29411
29412
                    /* free temporary buffer now */
29413
0
                    if (ret != WC_PENDING_E) {
29414
0
                        XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
29415
0
                        args->verifySig = NULL;
29416
0
                    }
29417
0
                    break;
29418
0
                }
29419
0
            #endif /* !NO_RSA */
29420
0
                default:
29421
0
                    break;
29422
0
            }
29423
29424
            /* Check for error */
29425
0
            if (ret != 0) {
29426
0
                goto exit_scv;
29427
0
            }
29428
29429
            /* Advance state and proceed */
29430
0
            ssl->options.asyncState = TLS_ASYNC_FINALIZE;
29431
0
        } /* case TLS_ASYNC_VERIFY */
29432
0
        FALL_THROUGH;
29433
29434
0
        case TLS_ASYNC_FINALIZE:
29435
0
        {
29436
0
            if (args->output == NULL) {
29437
0
                ERROR_OUT(BUFFER_ERROR, exit_scv);
29438
0
            }
29439
0
            AddHeaders(args->output, (word32)args->length + args->extraSz +
29440
0
                                        VERIFY_HEADER, certificate_verify, ssl);
29441
29442
            /* Advance state and proceed */
29443
0
            ssl->options.asyncState = TLS_ASYNC_END;
29444
0
        } /* case TLS_ASYNC_FINALIZE */
29445
0
        FALL_THROUGH;
29446
29447
0
        case TLS_ASYNC_END:
29448
0
        {
29449
0
            ret = SendHandshakeMsg(ssl, args->output,
29450
0
                (word32)args->length + args->extraSz + VERIFY_HEADER,
29451
0
                certificate_verify, "CertificateVerify");
29452
0
            if (ret != 0)
29453
0
                goto exit_scv;
29454
29455
0
            break;
29456
0
        }
29457
0
        default:
29458
0
            ret = INPUT_CASE_ERROR;
29459
0
    } /* switch(ssl->options.asyncState) */
29460
29461
0
exit_scv:
29462
29463
0
    WOLFSSL_LEAVE("SendCertificateVerify", ret);
29464
0
    WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_SEND);
29465
29466
0
#ifdef WOLFSSL_ASYNC_IO
29467
    /* Handle async operation */
29468
0
    if (ret == WANT_WRITE
29469
#ifdef WOLFSSL_ASYNC_CRYPT
29470
            || ret == WC_PENDING_E
29471
#endif
29472
0
            )
29473
0
        return ret;
29474
0
#endif /* WOLFSSL_ASYNC_IO */
29475
29476
    /* Digest is not allocated, so do this to prevent free */
29477
0
    ssl->buffers.digest.buffer = NULL;
29478
0
    ssl->buffers.digest.length = 0;
29479
29480
    /* Final cleanup */
29481
0
#ifdef WOLFSSL_ASYNC_IO
29482
    /* Cleanup async */
29483
0
    FreeAsyncCtx(ssl, 0);
29484
#else
29485
    FreeScvArgs(ssl, args);
29486
#endif
29487
0
    FreeKeyExchange(ssl);
29488
29489
0
    if (ret != 0) {
29490
0
        WOLFSSL_ERROR_VERBOSE(ret);
29491
0
    }
29492
29493
0
    return ret;
29494
0
}
29495
#endif /* WOLFSSL_NO_CLIENT_AUTH */
29496
29497
#endif /* WOLFSSL_NO_TLS12 */
29498
29499
#endif /* NO_CERTS */
29500
29501
29502
#ifdef HAVE_SESSION_TICKET
29503
int SetTicket(WOLFSSL* ssl, const byte* ticket, word32 length)
29504
0
{
29505
    /* Free old dynamic ticket if we already had one */
29506
0
    if (ssl->session->ticketLenAlloc > 0) {
29507
0
        XFREE(ssl->session->ticket, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
29508
0
        ssl->session->ticket = ssl->session->staticTicket;
29509
0
        ssl->session->ticketLenAlloc = 0;
29510
0
    }
29511
29512
0
    if (length > sizeof(ssl->session->staticTicket)) {
29513
0
        byte* sessionTicket =
29514
0
                   (byte*)XMALLOC(length, ssl->heap, DYNAMIC_TYPE_SESSION_TICK);
29515
0
        if (sessionTicket == NULL)
29516
0
            return MEMORY_E;
29517
0
        ssl->session->ticket = sessionTicket;
29518
0
        ssl->session->ticketLenAlloc = (word16)length;
29519
0
    }
29520
0
    ssl->session->ticketLen = (word16)length;
29521
29522
0
    if (length > 0) {
29523
0
        XMEMCPY(ssl->session->ticket, ticket, length);
29524
0
        if (ssl->session_ticket_cb != NULL) {
29525
0
            ssl->session_ticket_cb(ssl,
29526
0
                                   ssl->session->ticket, ssl->session->ticketLen,
29527
0
                                   ssl->session_ticket_ctx);
29528
0
        }
29529
        /* Create a fake sessionID based on the ticket, this will
29530
         * supersede the existing session cache info. */
29531
0
        ssl->options.haveSessionId = 1;
29532
0
#ifdef WOLFSSL_TLS13
29533
0
        if (ssl->options.tls1_3) {
29534
0
            XMEMCPY(ssl->session->sessionID,
29535
0
                                 ssl->session->ticket + length - ID_LEN, ID_LEN);
29536
0
            ssl->session->sessionIDSz = ID_LEN;
29537
0
        }
29538
0
        else
29539
0
#endif
29540
0
        {
29541
0
            XMEMCPY(ssl->arrays->sessionID,
29542
0
                                 ssl->session->ticket + length - ID_LEN, ID_LEN);
29543
0
            ssl->arrays->sessionIDSz = ID_LEN;
29544
0
        }
29545
0
    }
29546
29547
0
    return 0;
29548
0
}
29549
29550
#ifndef WOLFSSL_NO_TLS12
29551
29552
/* handle processing of session_ticket (4) */
29553
static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
29554
    word32 size)
29555
0
{
29556
0
    word32 begin = *inOutIdx;
29557
0
    word32 lifetime;
29558
0
    word16 length;
29559
0
    int    ret;
29560
29561
0
    if (ssl->expect_session_ticket == 0) {
29562
0
        WOLFSSL_MSG("Unexpected session ticket");
29563
0
        WOLFSSL_ERROR_VERBOSE(SESSION_TICKET_EXPECT_E);
29564
0
        return SESSION_TICKET_EXPECT_E;
29565
0
    }
29566
29567
0
    if (OPAQUE32_LEN > size)
29568
0
        return BUFFER_ERROR;
29569
29570
0
    ato32(input + *inOutIdx, &lifetime);
29571
0
    *inOutIdx += OPAQUE32_LEN;
29572
29573
0
    if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
29574
0
        return BUFFER_ERROR;
29575
29576
0
    ato16(input + *inOutIdx, &length);
29577
0
    *inOutIdx += OPAQUE16_LEN;
29578
29579
0
    if ((*inOutIdx - begin) + length > size)
29580
0
        return BUFFER_ERROR;
29581
29582
0
    if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0)
29583
0
        return ret;
29584
0
    *inOutIdx += length;
29585
0
    if (length > 0) {
29586
0
        ssl->timeout = lifetime;
29587
0
#ifndef NO_SESSION_CACHE
29588
0
        AddSession(ssl);
29589
0
#endif
29590
0
    }
29591
29592
0
    if (IsEncryptionOn(ssl, 0)) {
29593
0
        *inOutIdx += ssl->keys.padSz;
29594
0
    #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
29595
0
        if (ssl->options.startedETMRead)
29596
0
            *inOutIdx += MacSize(ssl);
29597
0
    #endif
29598
0
    }
29599
29600
0
    ssl->expect_session_ticket = 0;
29601
29602
0
    return 0;
29603
0
}
29604
29605
#endif /* !WOLFSSL_NO_TLS12 */
29606
29607
#endif /* HAVE_SESSION_TICKET */
29608
29609
#endif /* NO_WOLFSSL_CLIENT */
29610
29611
#ifndef NO_CERTS
29612
29613
#ifdef WOLF_PRIVATE_KEY_ID
29614
    int GetPrivateKeySigSize(WOLFSSL* ssl)
29615
0
    {
29616
0
        int sigSz = 0;
29617
29618
0
        if (ssl == NULL)
29619
0
            return 0;
29620
29621
0
        switch (ssl->buffers.keyType) {
29622
0
        #ifndef NO_RSA
29623
0
        #ifdef WC_RSA_PSS
29624
0
            case rsa_pss_sa_algo:
29625
0
        #endif
29626
0
            case rsa_sa_algo:
29627
0
                sigSz = ssl->buffers.keySz;
29628
0
                ssl->hsType = DYNAMIC_TYPE_RSA;
29629
0
                break;
29630
0
        #endif
29631
0
        #ifdef HAVE_ECC
29632
0
            case ecc_dsa_sa_algo:
29633
0
                sigSz = wc_ecc_sig_size_calc(ssl->buffers.keySz);
29634
0
                ssl->hsType = DYNAMIC_TYPE_ECC;
29635
0
                break;
29636
0
        #endif
29637
0
        #ifdef HAVE_ED25519
29638
0
            case ed25519_sa_algo:
29639
0
                sigSz = ED25519_SIG_SIZE; /* fixed known value */
29640
0
                ssl->hsType = DYNAMIC_TYPE_ED25519;
29641
0
                break;
29642
0
        #endif
29643
0
        #ifdef HAVE_ED448
29644
0
            case ed448_sa_algo:
29645
0
                sigSz = ED448_SIG_SIZE; /* fixed known value */
29646
0
                ssl->hsType = DYNAMIC_TYPE_ED448;
29647
0
                break;
29648
0
        #endif
29649
0
            default:
29650
0
                break;
29651
0
        }
29652
0
        return sigSz;
29653
0
    }
29654
#endif /* HAVE_PK_CALLBACKS */
29655
29656
#endif /* NO_CERTS */
29657
29658
#ifdef HAVE_ECC
29659
    /* returns the WOLFSSL_* version of the curve from the OID sum */
29660
0
    word16 GetCurveByOID(int oidSum) {
29661
0
        switch(oidSum) {
29662
    #if (defined(HAVE_ECC160) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 160
29663
        #ifndef NO_ECC_SECP
29664
            case ECC_SECP160R1_OID:
29665
                return WOLFSSL_ECC_SECP160R1;
29666
        #endif /* !NO_ECC_SECP */
29667
        #ifdef HAVE_ECC_SECPR2
29668
            case ECC_SECP160R2_OID:
29669
                return WOLFSSL_ECC_SECP160R2;
29670
        #endif /* HAVE_ECC_SECPR2 */
29671
        #ifdef HAVE_ECC_KOBLITZ
29672
            case ECC_SECP160K1_OID:
29673
                return WOLFSSL_ECC_SECP160K1;
29674
        #endif /* HAVE_ECC_KOBLITZ */
29675
    #endif
29676
    #if (defined(HAVE_ECC192) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 192
29677
        #ifndef NO_ECC_SECP
29678
            case ECC_SECP192R1_OID:
29679
                return WOLFSSL_ECC_SECP192R1;
29680
        #endif /* !NO_ECC_SECP */
29681
        #ifdef HAVE_ECC_KOBLITZ
29682
            case ECC_SECP192K1_OID:
29683
                return WOLFSSL_ECC_SECP192K1;
29684
        #endif /* HAVE_ECC_KOBLITZ */
29685
    #endif
29686
0
    #if (defined(HAVE_ECC224) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 224
29687
0
        #ifndef NO_ECC_SECP
29688
0
            case ECC_SECP224R1_OID:
29689
0
                return WOLFSSL_ECC_SECP224R1;
29690
0
        #endif /* !NO_ECC_SECP */
29691
0
        #ifdef HAVE_ECC_KOBLITZ
29692
0
            case ECC_SECP224K1_OID:
29693
0
                return WOLFSSL_ECC_SECP224K1;
29694
0
        #endif /* HAVE_ECC_KOBLITZ */
29695
0
    #endif
29696
0
    #if (!defined(NO_ECC256)  || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 256
29697
0
        #ifndef NO_ECC_SECP
29698
0
            case ECC_SECP256R1_OID:
29699
0
                return WOLFSSL_ECC_SECP256R1;
29700
0
        #endif /* !NO_ECC_SECP */
29701
0
        #ifdef HAVE_ECC_KOBLITZ
29702
0
            case ECC_SECP256K1_OID:
29703
0
                return WOLFSSL_ECC_SECP256K1;
29704
0
        #endif /* HAVE_ECC_KOBLITZ */
29705
0
        #ifdef HAVE_ECC_BRAINPOOL
29706
0
            case ECC_BRAINPOOLP256R1_OID:
29707
0
                return WOLFSSL_ECC_BRAINPOOLP256R1;
29708
0
        #endif /* HAVE_ECC_BRAINPOOL */
29709
0
    #endif
29710
0
    #if (defined(HAVE_ECC384) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 384
29711
0
        #ifndef NO_ECC_SECP
29712
0
            case ECC_SECP384R1_OID:
29713
0
                return WOLFSSL_ECC_SECP384R1;
29714
0
        #endif /* !NO_ECC_SECP */
29715
0
        #ifdef HAVE_ECC_BRAINPOOL
29716
0
            case ECC_BRAINPOOLP384R1_OID:
29717
0
                return WOLFSSL_ECC_BRAINPOOLP384R1;
29718
0
        #endif /* HAVE_ECC_BRAINPOOL */
29719
0
    #endif
29720
0
    #if (defined(HAVE_ECC512) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 512
29721
0
        #ifdef HAVE_ECC_BRAINPOOL
29722
0
            case ECC_BRAINPOOLP512R1_OID:
29723
0
                return WOLFSSL_ECC_BRAINPOOLP512R1;
29724
0
        #endif /* HAVE_ECC_BRAINPOOL */
29725
0
    #endif
29726
0
    #if (defined(HAVE_ECC521) || defined(HAVE_ALL_CURVES)) && ECC_MIN_KEY_SZ <= 521
29727
0
        #ifndef NO_ECC_SECP
29728
0
            case ECC_SECP521R1_OID:
29729
0
                return WOLFSSL_ECC_SECP521R1;
29730
0
        #endif /* !NO_ECC_SECP */
29731
0
    #endif
29732
0
            default:
29733
0
                WOLFSSL_MSG("Curve OID not compiled in or implemented");
29734
0
                return 0;
29735
0
        }
29736
0
    }
29737
#endif /* HAVE_ECC */
29738
29739
29740
#ifndef NO_WOLFSSL_SERVER
29741
29742
#ifndef WOLFSSL_NO_TLS12
29743
29744
    /* handle generation of server_hello (2) */
29745
    int SendServerHello(WOLFSSL* ssl)
29746
0
    {
29747
0
        int    ret;
29748
0
        byte   *output;
29749
0
        word16 length;
29750
0
        word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
29751
0
        int    sendSz;
29752
0
        byte   sessIdSz = ID_LEN;
29753
0
    #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SESSION_TICKET)
29754
0
        byte   echoId   = 0;  /* ticket echo id flag */
29755
0
    #endif
29756
0
        byte   cacheOff = 0;  /* session cache off flag */
29757
29758
0
        WOLFSSL_START(WC_FUNC_SERVER_HELLO_SEND);
29759
0
        WOLFSSL_ENTER("SendServerHello");
29760
29761
0
        length = VERSION_SZ + RAN_LEN
29762
0
               + ID_LEN + ENUM_LEN
29763
0
               + SUITE_LEN
29764
0
               + ENUM_LEN;
29765
29766
0
#ifdef HAVE_TLS_EXTENSIONS
29767
0
        ret = TLSX_GetResponseSize(ssl, server_hello, &length);
29768
0
        if (ret != 0)
29769
0
            return ret;
29770
0
    #ifdef HAVE_SESSION_TICKET
29771
0
        if (ssl->options.useTicket) {
29772
            /* echo session id sz can be 0,32 or bogus len in between */
29773
0
            sessIdSz = ssl->arrays->sessionIDSz;
29774
0
            if (sessIdSz > ID_LEN) {
29775
0
                WOLFSSL_MSG("Bad bogus session id len");
29776
0
                return BUFFER_ERROR;
29777
0
            }
29778
0
            if (!IsAtLeastTLSv1_3(ssl->version))
29779
0
                length -= (ID_LEN - sessIdSz);  /* adjust ID_LEN assumption */
29780
0
            echoId = 1;
29781
0
        }
29782
0
    #endif /* HAVE_SESSION_TICKET */
29783
#else
29784
        if (ssl->options.haveEMS) {
29785
            length += HELLO_EXT_SZ_SZ + HELLO_EXT_SZ;
29786
        }
29787
#endif
29788
29789
        /* is the session cache off at build or runtime */
29790
#ifdef NO_SESSION_CACHE
29791
        cacheOff = 1;
29792
#else
29793
0
        if (ssl->options.sessionCacheOff == 1) {
29794
0
            cacheOff = 1;
29795
0
        }
29796
0
#endif
29797
29798
        /* if no session cache don't send a session ID unless we're echoing
29799
         * an ID as part of session tickets */
29800
0
        if (cacheOff == 1
29801
0
        #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_SESSION_TICKET)
29802
0
            && echoId == 0
29803
0
        #endif
29804
0
            ) {
29805
0
            length -= ID_LEN;    /* adjust ID_LEN assumption */
29806
0
            sessIdSz = 0;
29807
0
        }
29808
29809
0
        sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
29810
        #ifdef WOLFSSL_DTLS
29811
        if (ssl->options.dtls) {
29812
            if (((ssl->keys.dtls_sequence_number_hi == ssl->keys.curSeq_hi &&
29813
                  ssl->keys.dtls_sequence_number_lo < ssl->keys.curSeq_lo) ||
29814
                 (ssl->keys.dtls_sequence_number_hi < ssl->keys.curSeq_hi))) {
29815
                /* Server Hello should use the same sequence number as the
29816
                 * Client Hello if available. */
29817
                ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi;
29818
                ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo;
29819
            }
29820
            idx    += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
29821
            sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
29822
        }
29823
        #endif /* WOLFSSL_DTLS */
29824
29825
0
        if (IsEncryptionOn(ssl, 1))
29826
0
            sendSz += MAX_MSG_EXTRA;
29827
29828
        /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
29829
         * is not advanced yet */
29830
0
        ssl->options.buildingMsg = 1;
29831
29832
        /* check for available size */
29833
0
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
29834
0
            return ret;
29835
29836
        /* get output buffer */
29837
0
        output = ssl->buffers.outputBuffer.buffer +
29838
0
                 ssl->buffers.outputBuffer.length;
29839
29840
0
        AddHeaders(output, length, server_hello, ssl);
29841
29842
        /* now write to output */
29843
        /* first version */
29844
0
        output[idx++] = (byte)ssl->version.major;
29845
0
        output[idx++] = (byte)ssl->version.minor;
29846
29847
        /* then random and session id */
29848
0
        if (!ssl->options.resuming) {
29849
            /* generate random part and session id */
29850
0
            ret = wc_RNG_GenerateBlock(ssl->rng, output + idx,
29851
0
                RAN_LEN + sizeof(sessIdSz) + sessIdSz);
29852
0
            if (ret != 0)
29853
0
                return ret;
29854
29855
0
#ifdef WOLFSSL_TLS13
29856
0
            if (TLSv1_3_Capable(ssl)) {
29857
                /* TLS v1.3 capable server downgraded. */
29858
0
                XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1),
29859
0
                        tls13Downgrade, TLS13_DOWNGRADE_SZ);
29860
0
                output[idx + RAN_LEN - 1] = (byte)IsAtLeastTLSv1_2(ssl);
29861
0
            }
29862
0
            else
29863
0
#endif
29864
0
            if (ssl->ctx->method->version.major == SSLv3_MAJOR &&
29865
0
                ssl->ctx->method->version.minor == TLSv1_2_MINOR &&
29866
0
                (wolfSSL_get_options(ssl) & WOLFSSL_OP_NO_TLSv1_2) == 0 &&
29867
0
                !IsAtLeastTLSv1_2(ssl)) {
29868
                /* TLS v1.2 capable server downgraded. */
29869
0
                XMEMCPY(output + idx + RAN_LEN - (TLS13_DOWNGRADE_SZ + 1),
29870
0
                        tls13Downgrade, TLS13_DOWNGRADE_SZ);
29871
0
                output[idx + RAN_LEN - 1] = 0;
29872
0
            }
29873
29874
            /* store info in SSL for later */
29875
0
            XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN);
29876
0
            idx += RAN_LEN;
29877
0
            output[idx++] = sessIdSz;
29878
0
            XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz);
29879
0
            ssl->arrays->sessionIDSz = sessIdSz;
29880
0
        }
29881
0
        else {
29882
            /* If resuming, use info from SSL */
29883
0
            XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN);
29884
0
            idx += RAN_LEN;
29885
0
            output[idx++] = sessIdSz;
29886
0
            XMEMCPY(output + idx, ssl->arrays->sessionID, sessIdSz);
29887
0
        }
29888
0
        idx += sessIdSz;
29889
29890
#ifdef SHOW_SECRETS
29891
        {
29892
            int j;
29893
            printf("server random: ");
29894
            for (j = 0; j < RAN_LEN; j++)
29895
                printf("%02x", ssl->arrays->serverRandom[j]);
29896
            printf("\n");
29897
        }
29898
#endif
29899
29900
        /* then cipher suite */
29901
0
        output[idx++] = ssl->options.cipherSuite0;
29902
0
        output[idx++] = ssl->options.cipherSuite;
29903
29904
        /* then compression */
29905
0
        if (ssl->options.usingCompression)
29906
0
            output[idx++] = ZLIB_COMPRESSION;
29907
0
        else
29908
0
            output[idx++] = NO_COMPRESSION;
29909
29910
        /* last, extensions */
29911
0
#ifdef HAVE_TLS_EXTENSIONS
29912
0
        {
29913
0
            word16 offset = 0;
29914
0
            ret = TLSX_WriteResponse(ssl, output + idx, server_hello, &offset);
29915
0
            if (ret != 0)
29916
0
                return ret;
29917
0
            idx += offset;
29918
0
        }
29919
#else
29920
#ifdef HAVE_EXTENDED_MASTER
29921
        if (ssl->options.haveEMS) {
29922
            c16toa(HELLO_EXT_SZ, output + idx);
29923
            idx += HELLO_EXT_SZ_SZ;
29924
29925
            c16toa(HELLO_EXT_EXTMS, output + idx);
29926
            idx += HELLO_EXT_TYPE_SZ;
29927
            c16toa(0, output + idx);
29928
            /*idx += HELLO_EXT_SZ_SZ;*/
29929
            /* idx is not used after this point. uncomment the line above
29930
             * if adding any more extensions in the future. */
29931
        }
29932
#endif
29933
#endif
29934
29935
0
        if (IsEncryptionOn(ssl, 1)) {
29936
0
            byte* input;
29937
0
            int   inputSz = idx; /* build msg adds rec hdr */
29938
0
            int   recordHeaderSz = RECORD_HEADER_SZ;
29939
29940
0
            if (ssl->options.dtls)
29941
0
                recordHeaderSz += DTLS_RECORD_EXTRA;
29942
0
            inputSz -= recordHeaderSz;
29943
0
            input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
29944
0
            if (input == NULL)
29945
0
                return MEMORY_E;
29946
29947
0
            XMEMCPY(input, output + recordHeaderSz, inputSz);
29948
            #ifdef WOLFSSL_DTLS
29949
            if (IsDtlsNotSctpMode(ssl) &&
29950
                    (ret = DtlsMsgPoolSave(ssl, input, inputSz, server_hello)) != 0) {
29951
                XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
29952
                return ret;
29953
            }
29954
            #endif
29955
0
            sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
29956
0
                                  handshake, 1, 0, 0, CUR_ORDER);
29957
0
            XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
29958
29959
0
            if (sendSz < 0)
29960
0
                return sendSz;
29961
0
        } else {
29962
            #ifdef WOLFSSL_DTLS
29963
                if (IsDtlsNotSctpMode(ssl)) {
29964
                    if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, server_hello)) != 0)
29965
                        return ret;
29966
                }
29967
                if (ssl->options.dtls)
29968
                    DtlsSEQIncrement(ssl, CUR_ORDER);
29969
            #endif
29970
0
            ret = HashOutput(ssl, output, sendSz, 0);
29971
0
            if (ret != 0)
29972
0
                return ret;
29973
0
        }
29974
29975
0
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
29976
0
        if (ssl->hsInfoOn)
29977
0
            AddPacketName(ssl, "ServerHello");
29978
0
        if (ssl->toInfoOn)
29979
0
            AddPacketInfo(ssl, "ServerHello", handshake, output, sendSz,
29980
0
                          WRITE_PROTO, ssl->heap);
29981
0
    #endif
29982
29983
0
        ssl->options.serverState = SERVER_HELLO_COMPLETE;
29984
0
        ssl->options.buildingMsg = 0;
29985
0
        ssl->buffers.outputBuffer.length += sendSz;
29986
29987
0
        if (ssl->options.groupMessages)
29988
0
            ret = 0;
29989
0
        else
29990
0
            ret = SendBuffered(ssl);
29991
29992
0
        WOLFSSL_LEAVE("SendServerHello", ret);
29993
0
        WOLFSSL_END(WC_FUNC_SERVER_HELLO_SEND);
29994
29995
0
        return ret;
29996
0
    }
29997
29998
29999
#if defined(HAVE_ECC)
30000
30001
    static byte SetCurveId(ecc_key* key)
30002
0
    {
30003
0
        if (key == NULL || key->dp == NULL) {
30004
0
            WOLFSSL_MSG("SetCurveId: Invalid key!");
30005
0
            return 0;
30006
0
        }
30007
30008
0
        return (byte)GetCurveByOID(key->dp->oidSum);
30009
0
    }
30010
30011
#endif /* HAVE_ECC */
30012
30013
    typedef struct SskeArgs {
30014
        byte*  output; /* not allocated */
30015
    #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
30016
        byte*  exportBuf;
30017
    #endif
30018
    #ifndef NO_RSA
30019
        byte*  verifySig;
30020
    #endif
30021
        byte*  input;
30022
        word32 idx;
30023
        word32 tmpSigSz;
30024
        word32 length;
30025
        word32 sigSz;
30026
    #if defined(HAVE_ECC) || defined(HAVE_ED25519) || defined(HAVE_ED448) || \
30027
                                                                !defined(NO_RSA)
30028
        word32 sigDataSz;
30029
    #endif
30030
    #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
30031
        word32 exportSz;
30032
    #endif
30033
        int    sendSz;
30034
        int    inputSz;
30035
    } SskeArgs;
30036
30037
    static void FreeSskeArgs(WOLFSSL* ssl, void* pArgs)
30038
0
    {
30039
0
        SskeArgs* args = (SskeArgs*)pArgs;
30040
30041
0
        (void)ssl;
30042
30043
0
    #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)
30044
0
        if (args->exportBuf) {
30045
0
            XFREE(args->exportBuf, ssl->heap, DYNAMIC_TYPE_DER);
30046
0
            args->exportBuf = NULL;
30047
0
        }
30048
0
    #endif
30049
0
    #ifndef NO_RSA
30050
0
        if (args->verifySig) {
30051
0
            XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
30052
0
            args->verifySig = NULL;
30053
0
        }
30054
0
    #endif
30055
0
        (void)args;
30056
0
    }
30057
30058
    /* handle generation of server_key_exchange (12) */
30059
    int SendServerKeyExchange(WOLFSSL* ssl)
30060
0
    {
30061
0
        int ret = 0;
30062
0
    #ifdef WOLFSSL_ASYNC_IO
30063
0
        SskeArgs* args = NULL;
30064
0
        WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
30065
    #else
30066
        SskeArgs  args[1];
30067
    #endif
30068
30069
0
        WOLFSSL_START(WC_FUNC_SERVER_KEY_EXCHANGE_SEND);
30070
0
        WOLFSSL_ENTER("SendServerKeyExchange");
30071
30072
0
    #ifdef WOLFSSL_ASYNC_IO
30073
0
        if (ssl->async == NULL) {
30074
0
            ssl->async = (struct WOLFSSL_ASYNC*)
30075
0
                    XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
30076
0
                            DYNAMIC_TYPE_ASYNC);
30077
0
            if (ssl->async == NULL)
30078
0
                ERROR_OUT(MEMORY_E, exit_sske);
30079
0
        }
30080
0
        args = (SskeArgs*)ssl->async->args;
30081
    #ifdef WOLFSSL_ASYNC_CRYPT
30082
        ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
30083
        if (ret != WC_NOT_PENDING_E) {
30084
            /* Check for error */
30085
            if (ret < 0)
30086
                goto exit_sske;
30087
        }
30088
        else
30089
    #endif
30090
0
        if (ssl->options.buildingMsg) {
30091
            /* We should be in the sending state. */
30092
0
            if (ssl->options.asyncState != TLS_ASYNC_END) {
30093
0
                ret = BAD_STATE_E;
30094
0
                goto exit_sske;
30095
0
            }
30096
0
        }
30097
0
        else
30098
0
    #endif
30099
0
        {
30100
            /* Reset state */
30101
0
            ret = 0;
30102
0
            ssl->options.asyncState = TLS_ASYNC_BEGIN;
30103
0
            XMEMSET(args, 0, sizeof(SskeArgs));
30104
0
        #ifdef WOLFSSL_ASYNC_IO
30105
0
            ssl->async->freeArgs = FreeSskeArgs;
30106
0
        #endif
30107
0
        }
30108
30109
0
        switch(ssl->options.asyncState)
30110
0
        {
30111
0
            case TLS_ASYNC_BEGIN:
30112
0
            {
30113
                /* Do some checks / debug msgs */
30114
0
                switch(ssl->specs.kea)
30115
0
                {
30116
                #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
30117
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
30118
                    case ecdhe_psk_kea:
30119
                    {
30120
                        WOLFSSL_MSG("Using ephemeral ECDH PSK");
30121
                        break;
30122
                    }
30123
                #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
30124
0
                #if defined(HAVE_ECC)
30125
0
                    case ecc_diffie_hellman_kea:
30126
0
                    {
30127
0
                        if (ssl->specs.static_ecdh) {
30128
0
                            WOLFSSL_MSG("Using Static ECDH, not sending "
30129
0
                                        "ServerKeyExchange");
30130
0
                            ERROR_OUT(0, exit_sske);
30131
0
                        }
30132
30133
0
                        WOLFSSL_MSG("Using ephemeral ECDH");
30134
0
                        break;
30135
0
                    }
30136
0
                #endif /* HAVE_ECC */
30137
0
                }
30138
30139
                /* Preparing keys */
30140
0
                switch(ssl->specs.kea)
30141
0
                {
30142
                #ifndef NO_PSK
30143
                    case psk_kea:
30144
                    {
30145
                        /* Nothing to do in this sub-state */
30146
                        break;
30147
                    }
30148
                #endif /* !NO_PSK */
30149
0
                #if !defined(NO_DH) && (!defined(NO_PSK) || !defined(NO_RSA) \
30150
0
                          || (defined(HAVE_ANON) && !defined(WOLFSSL_NO_TLS12)))
30151
                #if !defined(NO_PSK)
30152
                    case dhe_psk_kea:
30153
                #endif
30154
0
                #if !defined(NO_RSA) || (defined(HAVE_ANON) && \
30155
0
                                         !defined(WOLFSSL_NO_TLS12))
30156
0
                    case diffie_hellman_kea:
30157
0
                #endif
30158
#if (defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)) && !defined(HAVE_PUBLIC_FFDHE)
30159
                    if (ssl->namedGroup) {
30160
                        word32 pSz = 0;
30161
30162
                        ret = wc_DhGetNamedKeyParamSize(ssl->namedGroup, &pSz,
30163
                                NULL, NULL);
30164
                        if (ret != 0)
30165
                            goto exit_sske;
30166
30167
                        if (ssl->buffers.serverDH_Pub.buffer == NULL) {
30168
                            /* Free'd in SSL_ResourceFree and
30169
                             * FreeHandshakeResources */
30170
                            ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(
30171
                                    pSz, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
30172
                            if (ssl->buffers.serverDH_Pub.buffer == NULL) {
30173
                                ERROR_OUT(MEMORY_E, exit_sske);
30174
                            }
30175
                            ssl->buffers.serverDH_Pub.length = pSz;
30176
                        }
30177
                        ssl->options.dhKeySz =(word16)pSz;
30178
30179
                        pSz = wc_DhGetNamedKeyMinSize(ssl->namedGroup);
30180
30181
                        if (ssl->buffers.serverDH_Priv.buffer == NULL) {
30182
                            /* Free'd in SSL_ResourceFree and
30183
                             * FreeHandshakeResources */
30184
                            ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC(
30185
                                    pSz, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
30186
                            if (ssl->buffers.serverDH_Priv.buffer == NULL) {
30187
                                ERROR_OUT(MEMORY_E, exit_sske);
30188
                            }
30189
                            ssl->buffers.serverDH_Priv.length = pSz;
30190
                        }
30191
30192
                        ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
30193
                                            (void**)&ssl->buffers.serverDH_Key);
30194
                        if (ret != 0) {
30195
                            goto exit_sske;
30196
                        }
30197
30198
                        ret = wc_DhSetNamedKey(ssl->buffers.serverDH_Key,
30199
                                ssl->namedGroup);
30200
                        if (ret != 0) {
30201
                            goto exit_sske;
30202
                        }
30203
    #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
30204
        !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST)
30205
                        ssl->options.dhKeyTested = 1;
30206
    #endif
30207
30208
                #ifdef HAVE_SECURE_RENEGOTIATION
30209
                        /* Check that the DH public key buffer is large
30210
                         * enough to hold the key. This may occur on a
30211
                         * renegotiation when the key generated in the
30212
                         * initial handshake is shorter than the key
30213
                         * generated in the renegotiation. */
30214
                        if (ssl->buffers.serverDH_Pub.length <
30215
                                ssl->buffers.serverDH_P.length) {
30216
                            byte* tmp = (byte*)XREALLOC(
30217
                                    ssl->buffers.serverDH_Pub.buffer,
30218
                                    ssl->buffers.serverDH_P.length +
30219
                                        OPAQUE16_LEN,
30220
                                    ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
30221
                            if (tmp == NULL)
30222
                                ERROR_OUT(MEMORY_E, exit_sske);
30223
                            ssl->buffers.serverDH_Pub.buffer = tmp;
30224
                            ssl->buffers.serverDH_Pub.length =
30225
                                ssl->buffers.serverDH_P.length + OPAQUE16_LEN;
30226
                        }
30227
                #endif
30228
30229
                        ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,
30230
                            ssl->buffers.serverDH_Priv.buffer,
30231
                            (word32*)&ssl->buffers.serverDH_Priv.length,
30232
                            ssl->buffers.serverDH_Pub.buffer,
30233
                            (word32*)&ssl->buffers.serverDH_Pub.length);
30234
                    #ifdef WOLFSSL_CHECK_MEM_ZERO
30235
                        wc_MemZero_Add("DH private key buffer",
30236
                            ssl->buffers.serverDH_Priv.buffer,
30237
                            ssl->buffers.serverDH_Priv.length);
30238
                    #endif
30239
                        break;
30240
                    }
30241
                    else
30242
#endif
30243
0
                    {
30244
                        /* Allocate DH key buffers and generate key */
30245
0
                        if (ssl->buffers.serverDH_P.buffer == NULL ||
30246
0
                            ssl->buffers.serverDH_G.buffer == NULL) {
30247
0
                            ERROR_OUT(NO_DH_PARAMS, exit_sske);
30248
0
                        }
30249
30250
0
                        if (ssl->buffers.serverDH_Pub.buffer == NULL) {
30251
                            /* Free'd in SSL_ResourceFree and FreeHandshakeResources */
30252
0
                            ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(
30253
0
                                    ssl->buffers.serverDH_P.length,
30254
0
                                    ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
30255
0
                            if (ssl->buffers.serverDH_Pub.buffer == NULL) {
30256
0
                                ERROR_OUT(MEMORY_E, exit_sske);
30257
0
                            }
30258
0
                            ssl->buffers.serverDH_Pub.length =
30259
0
                                ssl->buffers.serverDH_P.length;
30260
0
                        }
30261
30262
0
                        if (ssl->buffers.serverDH_Priv.buffer == NULL) {
30263
                            /* Free'd in SSL_ResourceFree and FreeHandshakeResources */
30264
0
                            ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC(
30265
0
                                    ssl->buffers.serverDH_P.length,
30266
0
                                    ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
30267
0
                            if (ssl->buffers.serverDH_Priv.buffer == NULL) {
30268
0
                                ERROR_OUT(MEMORY_E, exit_sske);
30269
0
                            }
30270
0
                            ssl->buffers.serverDH_Priv.length =
30271
0
                                ssl->buffers.serverDH_P.length;
30272
0
                        }
30273
30274
0
                        ssl->options.dhKeySz =
30275
0
                                (word16)ssl->buffers.serverDH_P.length;
30276
30277
0
                        ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
30278
0
                                            (void**)&ssl->buffers.serverDH_Key);
30279
0
                        if (ret != 0) {
30280
0
                            goto exit_sske;
30281
0
                        }
30282
30283
0
                        #if !defined(WOLFSSL_OLD_PRIME_CHECK) && \
30284
0
                            !defined(HAVE_FIPS) && \
30285
0
                            !defined(HAVE_SELFTEST)
30286
0
                        if (ssl->options.dhDoKeyTest &&
30287
0
                            !ssl->options.dhKeyTested)
30288
0
                        {
30289
0
                            ret = wc_DhSetCheckKey(
30290
0
                                ssl->buffers.serverDH_Key,
30291
0
                                ssl->buffers.serverDH_P.buffer,
30292
0
                                ssl->buffers.serverDH_P.length,
30293
0
                                ssl->buffers.serverDH_G.buffer,
30294
0
                                ssl->buffers.serverDH_G.length,
30295
0
                                NULL, 0, 0, ssl->rng);
30296
0
                            if (ret != 0) {
30297
0
                                goto exit_sske;
30298
0
                            }
30299
0
                            ssl->options.dhKeyTested = 1;
30300
0
                        }
30301
0
                        else
30302
0
                        #endif
30303
0
                        {
30304
0
                            ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
30305
0
                                ssl->buffers.serverDH_P.buffer,
30306
0
                                ssl->buffers.serverDH_P.length,
30307
0
                                ssl->buffers.serverDH_G.buffer,
30308
0
                                ssl->buffers.serverDH_G.length);
30309
0
                            if (ret != 0) {
30310
0
                                goto exit_sske;
30311
0
                            }
30312
0
                        }
30313
30314
                #ifdef HAVE_SECURE_RENEGOTIATION
30315
                        /* Check that the DH public key buffer is large
30316
                         * enough to hold the key. This may occur on a
30317
                         * renegotiation when the key generated in the
30318
                         * initial handshake is shorter than the key
30319
                         * generated in the renegotiation. */
30320
                        if (ssl->buffers.serverDH_Pub.length <
30321
                                ssl->buffers.serverDH_P.length) {
30322
                            byte* tmp = (byte*)XREALLOC(
30323
                                    ssl->buffers.serverDH_Pub.buffer,
30324
                                    ssl->buffers.serverDH_P.length +
30325
                                        OPAQUE16_LEN,
30326
                                    ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
30327
                            if (tmp == NULL)
30328
                                ERROR_OUT(MEMORY_E, exit_sske);
30329
                            ssl->buffers.serverDH_Pub.buffer = tmp;
30330
                            ssl->buffers.serverDH_Pub.length =
30331
                                ssl->buffers.serverDH_P.length + OPAQUE16_LEN;
30332
                        }
30333
                #endif
30334
0
                        ret = DhGenKeyPair(ssl, ssl->buffers.serverDH_Key,
30335
0
                            ssl->buffers.serverDH_Priv.buffer,
30336
0
                            (word32*)&ssl->buffers.serverDH_Priv.length,
30337
0
                            ssl->buffers.serverDH_Pub.buffer,
30338
0
                            (word32*)&ssl->buffers.serverDH_Pub.length);
30339
                    #ifdef WOLFSSL_CHECK_MEM_ZERO
30340
                        wc_MemZero_Add("DH private key buffer",
30341
                            ssl->buffers.serverDH_Priv.buffer,
30342
                            ssl->buffers.serverDH_Priv.length);
30343
                    #endif
30344
0
                        break;
30345
0
                    }
30346
0
                #endif /* !NO_DH && (!NO_PSK || !NO_RSA) */
30347
                #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
30348
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
30349
                    case ecdhe_psk_kea:
30350
                        /* Fall through to create temp ECC key */
30351
                #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
30352
0
                #if defined(HAVE_ECC) || \
30353
0
                    ((defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) && \
30354
0
                     (defined(HAVE_ED25519) || defined(HAVE_ED448) || \
30355
0
                      !defined(NO_RSA)))
30356
0
                    case ecc_diffie_hellman_kea:
30357
0
                    {
30358
0
                    #ifdef HAVE_CURVE25519
30359
0
                        if (ssl->ecdhCurveOID == ECC_X25519_OID) {
30360
                            /* need ephemeral key now, create it if missing */
30361
0
                            if (ssl->eccTempKey == NULL) {
30362
                                /* alloc/init on demand */
30363
0
                                ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
30364
0
                                    (void**)&ssl->eccTempKey);
30365
0
                                if (ret != 0) {
30366
0
                                    goto exit_sske;
30367
0
                                }
30368
0
                            }
30369
30370
0
                            if (ssl->eccTempKeyPresent == 0) {
30371
0
                                ret = X25519MakeKey(ssl,
30372
0
                                        (curve25519_key*)ssl->eccTempKey, NULL);
30373
0
                                if (ret == 0 || ret == WC_PENDING_E) {
30374
0
                                    ssl->eccTempKeyPresent =
30375
0
                                        DYNAMIC_TYPE_CURVE25519;
30376
0
                                }
30377
0
                            }
30378
0
                            break;
30379
0
                        }
30380
0
                    #endif
30381
0
                    #ifdef HAVE_CURVE448
30382
0
                        if (ssl->ecdhCurveOID == ECC_X448_OID) {
30383
                            /* need ephemeral key now, create it if missing */
30384
0
                            if (ssl->eccTempKey == NULL) {
30385
                                /* alloc/init on demand */
30386
0
                                ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
30387
0
                                    (void**)&ssl->eccTempKey);
30388
0
                                if (ret != 0) {
30389
0
                                    goto exit_sske;
30390
0
                                }
30391
0
                            }
30392
30393
0
                            if (ssl->eccTempKeyPresent == 0) {
30394
0
                                ret = X448MakeKey(ssl,
30395
0
                                          (curve448_key*)ssl->eccTempKey, NULL);
30396
0
                                if (ret == 0 || ret == WC_PENDING_E) {
30397
0
                                    ssl->eccTempKeyPresent =
30398
0
                                        DYNAMIC_TYPE_CURVE448;
30399
0
                                }
30400
0
                            }
30401
0
                            break;
30402
0
                        }
30403
0
                    #endif
30404
0
                    #ifdef HAVE_ECC
30405
                        /* need ephemeral key now, create it if missing */
30406
0
                        if (ssl->eccTempKey == NULL) {
30407
                            /* alloc/init on demand */
30408
0
                            ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
30409
0
                                (void**)&ssl->eccTempKey);
30410
0
                            if (ret != 0) {
30411
0
                                goto exit_sske;
30412
0
                            }
30413
0
                        }
30414
30415
0
                        if (ssl->eccTempKeyPresent == 0) {
30416
0
                            ret = EccMakeKey(ssl, ssl->eccTempKey, NULL);
30417
0
                            if (ret == 0 || ret == WC_PENDING_E) {
30418
0
                                ssl->eccTempKeyPresent = DYNAMIC_TYPE_ECC;
30419
0
                            }
30420
0
                        }
30421
0
                    #endif
30422
0
                        break;
30423
0
                    }
30424
0
                #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
30425
0
                    default:
30426
                        /* Skip ServerKeyExchange */
30427
0
                        goto exit_sske;
30428
0
                } /* switch(ssl->specs.kea) */
30429
30430
                /* Check for error */
30431
0
                if (ret != 0) {
30432
0
                    goto exit_sske;
30433
0
                }
30434
30435
                /* Advance state and proceed */
30436
0
                ssl->options.asyncState = TLS_ASYNC_BUILD;
30437
0
            } /* case TLS_ASYNC_BEGIN */
30438
0
            FALL_THROUGH;
30439
30440
0
            case TLS_ASYNC_BUILD:
30441
0
            {
30442
0
                switch(ssl->specs.kea)
30443
0
                {
30444
                #ifndef NO_PSK
30445
                    case psk_kea:
30446
                    {
30447
                        args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
30448
30449
                        if (ssl->arrays->server_hint[0] == 0) {
30450
                            ERROR_OUT(0, exit_sske); /* don't send */
30451
                        }
30452
30453
                        /* include size part */
30454
                        args->length = (word32)XSTRLEN(ssl->arrays->server_hint);
30455
                        if (args->length > MAX_PSK_ID_LEN) {
30456
                            ERROR_OUT(SERVER_HINT_ERROR, exit_sske);
30457
                        }
30458
30459
                        args->length += HINT_LEN_SZ;
30460
                        args->sendSz = args->length + HANDSHAKE_HEADER_SZ +
30461
                                                            RECORD_HEADER_SZ;
30462
30463
                    #ifdef WOLFSSL_DTLS
30464
                        if (ssl->options.dtls) {
30465
                            args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
30466
                            args->idx    += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
30467
                        }
30468
                    #endif
30469
30470
                        if (IsEncryptionOn(ssl, 1)) {
30471
                            args->sendSz += MAX_MSG_EXTRA;
30472
                        }
30473
30474
                        /* Use tmp buffer */
30475
                        args->input = (byte*)XMALLOC(args->sendSz,
30476
                                ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
30477
                        if (args->input == NULL)
30478
                            ERROR_OUT(MEMORY_E, exit_sske);
30479
                        args->output = args->input;
30480
30481
                        AddHeaders(args->output, args->length,
30482
                                                    server_key_exchange, ssl);
30483
30484
                        /* key data */
30485
                        c16toa((word16)(args->length - HINT_LEN_SZ),
30486
                                                      args->output + args->idx);
30487
30488
                        args->idx += HINT_LEN_SZ;
30489
                        XMEMCPY(args->output + args->idx,
30490
                                ssl->arrays->server_hint,
30491
                                args->length - HINT_LEN_SZ);
30492
                        break;
30493
                    }
30494
                #endif /* !NO_PSK */
30495
                #if !defined(NO_DH) && !defined(NO_PSK)
30496
                    case dhe_psk_kea:
30497
                    {
30498
                        word32 hintLen;
30499
30500
                        args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
30501
                        args->length = LENGTH_SZ * 3 + /* p, g, pub */
30502
                                 ssl->buffers.serverDH_P.length +
30503
                                 ssl->buffers.serverDH_G.length +
30504
                                 ssl->buffers.serverDH_Pub.length;
30505
30506
                        /* include size part */
30507
                        hintLen = (word32)XSTRLEN(ssl->arrays->server_hint);
30508
                        if (hintLen > MAX_PSK_ID_LEN) {
30509
                            ERROR_OUT(SERVER_HINT_ERROR, exit_sske);
30510
                        }
30511
                        args->length += hintLen + HINT_LEN_SZ;
30512
                        args->sendSz = args->length + HANDSHAKE_HEADER_SZ +
30513
                                                            RECORD_HEADER_SZ;
30514
30515
                    #ifdef WOLFSSL_DTLS
30516
                        if (ssl->options.dtls) {
30517
                            args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
30518
                            args->idx    += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
30519
                        }
30520
                    #endif
30521
30522
                        if (IsEncryptionOn(ssl, 1)) {
30523
                            args->sendSz += MAX_MSG_EXTRA;
30524
                        }
30525
30526
                        /* Use tmp buffer */
30527
                        args->input = (byte*)XMALLOC(args->sendSz,
30528
                                ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
30529
                        if (args->input == NULL)
30530
                            ERROR_OUT(MEMORY_E, exit_sske);
30531
                        args->output = args->input;
30532
30533
                        AddHeaders(args->output, args->length,
30534
                                                    server_key_exchange, ssl);
30535
30536
                        /* key data */
30537
                        c16toa((word16)hintLen, args->output + args->idx);
30538
                        args->idx += HINT_LEN_SZ;
30539
                        XMEMCPY(args->output + args->idx,
30540
                                            ssl->arrays->server_hint, hintLen);
30541
                        args->idx += hintLen;
30542
30543
                        /* add p, g, pub */
30544
                        c16toa((word16)ssl->buffers.serverDH_P.length,
30545
                            args->output + args->idx);
30546
                        args->idx += LENGTH_SZ;
30547
                        XMEMCPY(args->output + args->idx,
30548
                                ssl->buffers.serverDH_P.buffer,
30549
                                ssl->buffers.serverDH_P.length);
30550
                        args->idx += ssl->buffers.serverDH_P.length;
30551
30552
                        /*  g */
30553
                        c16toa((word16)ssl->buffers.serverDH_G.length,
30554
                            args->output + args->idx);
30555
                        args->idx += LENGTH_SZ;
30556
                        XMEMCPY(args->output + args->idx,
30557
                                ssl->buffers.serverDH_G.buffer,
30558
                                ssl->buffers.serverDH_G.length);
30559
                        args->idx += ssl->buffers.serverDH_G.length;
30560
30561
                        /*  pub */
30562
                        c16toa((word16)ssl->buffers.serverDH_Pub.length,
30563
                            args->output + args->idx);
30564
                        args->idx += LENGTH_SZ;
30565
                        XMEMCPY(args->output + args->idx,
30566
                                ssl->buffers.serverDH_Pub.buffer,
30567
                                ssl->buffers.serverDH_Pub.length);
30568
                        /* No need to update idx, since sizes are already set */
30569
                        /* args->idx += ssl->buffers.serverDH_Pub.length; */
30570
                        break;
30571
                    }
30572
                #endif /* !defined(NO_DH) && !defined(NO_PSK) */
30573
                #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
30574
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
30575
                    case ecdhe_psk_kea:
30576
                    {
30577
                        word32 hintLen;
30578
30579
                        /* curve type, named curve, length(1) */
30580
                        args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
30581
                        args->length = ENUM_LEN + CURVE_LEN + ENUM_LEN;
30582
30583
                        args->exportSz = MAX_EXPORT_ECC_SZ;
30584
                        args->exportBuf = (byte*)XMALLOC(MAX_EXPORT_ECC_SZ,
30585
                                            ssl->heap, DYNAMIC_TYPE_DER);
30586
                        if (args->exportBuf == NULL) {
30587
                            ERROR_OUT(MEMORY_E, exit_sske);
30588
                        }
30589
                    #ifdef HAVE_CURVE25519
30590
                        if (ssl->ecdhCurveOID == ECC_X25519_OID) {
30591
                            if (wc_curve25519_export_public_ex(
30592
                                    (curve25519_key*)ssl->eccTempKey,
30593
                                    args->exportBuf, &args->exportSz,
30594
                                    EC25519_LITTLE_ENDIAN) != 0) {
30595
                                ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
30596
                            }
30597
                        }
30598
                        else
30599
                    #endif
30600
                    #ifdef HAVE_CURVE448
30601
                        if (ssl->ecdhCurveOID == ECC_X448_OID) {
30602
                            if (wc_curve448_export_public_ex(
30603
                                    (curve448_key*)ssl->eccTempKey,
30604
                                    args->exportBuf, &args->exportSz,
30605
                                    EC448_LITTLE_ENDIAN) != 0) {
30606
                                ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
30607
                            }
30608
                        }
30609
                        else
30610
                    #endif
30611
                        {
30612
                            PRIVATE_KEY_UNLOCK();
30613
                            ret = wc_ecc_export_x963(ssl->eccTempKey,
30614
                                       args->exportBuf, &args->exportSz);
30615
                            PRIVATE_KEY_LOCK();
30616
                            if (ret != 0) {
30617
                                ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
30618
                            }
30619
                        }
30620
                        args->length += args->exportSz;
30621
30622
                        /* include size part */
30623
                        hintLen = (word32)XSTRLEN(ssl->arrays->server_hint);
30624
                        if (hintLen > MAX_PSK_ID_LEN) {
30625
                            ERROR_OUT(SERVER_HINT_ERROR, exit_sske);
30626
                        }
30627
                        args->length += hintLen + HINT_LEN_SZ;
30628
                        args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
30629
30630
                    #ifdef WOLFSSL_DTLS
30631
                        if (ssl->options.dtls) {
30632
                            args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
30633
                            args->idx    += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
30634
                        }
30635
                    #endif
30636
30637
                        if (IsEncryptionOn(ssl, 1)) {
30638
                            args->sendSz += MAX_MSG_EXTRA;
30639
                        }
30640
30641
                        /* Use tmp buffer */
30642
                        args->input = (byte*)XMALLOC(args->sendSz,
30643
                                ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
30644
                        if (args->input == NULL)
30645
                            ERROR_OUT(MEMORY_E, exit_sske);
30646
                        args->output = args->input;
30647
30648
                        /* key data */
30649
                        c16toa((word16)hintLen, args->output + args->idx);
30650
                        args->idx += HINT_LEN_SZ;
30651
                        XMEMCPY(args->output + args->idx,
30652
                                            ssl->arrays->server_hint, hintLen);
30653
                        args->idx += hintLen;
30654
30655
                        /* ECC key exchange data */
30656
                        args->output[args->idx++] = named_curve;
30657
                        args->output[args->idx++] = 0x00;          /* leading zero */
30658
                    #ifdef HAVE_CURVE25519
30659
                        if (ssl->ecdhCurveOID == ECC_X25519_OID)
30660
                            args->output[args->idx++] = WOLFSSL_ECC_X25519;
30661
                        else
30662
                    #endif
30663
                    #ifdef HAVE_CURVE448
30664
                        if (ssl->ecdhCurveOID == ECC_X448_OID)
30665
                            args->output[args->idx++] = WOLFSSL_ECC_X448;
30666
                        else
30667
                    #endif
30668
                        {
30669
                    #ifdef HAVE_ECC
30670
                            args->output[args->idx++] =
30671
                                                    SetCurveId(ssl->eccTempKey);
30672
                    #endif
30673
                        }
30674
                        args->output[args->idx++] = (byte)args->exportSz;
30675
                        XMEMCPY(args->output + args->idx, args->exportBuf,
30676
                                                                args->exportSz);
30677
                        break;
30678
                    }
30679
                #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
30680
0
                #if defined(HAVE_ECC) || \
30681
0
                    ((defined(HAVE_CURVE25519) || defined(HAVE_CURVE448)) && \
30682
0
                     (defined(HAVE_ED25519) || defined(HAVE_ED448) || \
30683
0
                      !defined(NO_RSA)))
30684
0
                    case ecc_diffie_hellman_kea:
30685
0
                    {
30686
0
                        enum wc_HashType hashType;
30687
0
                        word32 preSigSz, preSigIdx;
30688
30689
                        /* curve type, named curve, length(1) */
30690
0
                        args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
30691
0
                        args->length = ENUM_LEN + CURVE_LEN + ENUM_LEN;
30692
30693
                        /* Export temp ECC key and add to length */
30694
0
                        args->exportSz = MAX_EXPORT_ECC_SZ;
30695
0
                        args->exportBuf = (byte*)XMALLOC(MAX_EXPORT_ECC_SZ,
30696
0
                                            ssl->heap, DYNAMIC_TYPE_DER);
30697
0
                        if (args->exportBuf == NULL) {
30698
0
                            ERROR_OUT(MEMORY_E, exit_sske);
30699
0
                        }
30700
0
                    #ifdef HAVE_CURVE25519
30701
0
                        if (ssl->ecdhCurveOID == ECC_X25519_OID) {
30702
0
                            if (wc_curve25519_export_public_ex(
30703
0
                                        (curve25519_key*)ssl->eccTempKey,
30704
0
                                        args->exportBuf, &args->exportSz,
30705
0
                                        EC25519_LITTLE_ENDIAN) != 0) {
30706
0
                                ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
30707
0
                            }
30708
0
                        }
30709
0
                        else
30710
0
                    #endif
30711
0
                    #ifdef HAVE_CURVE448
30712
0
                        if (ssl->ecdhCurveOID == ECC_X448_OID) {
30713
0
                            if (wc_curve448_export_public_ex(
30714
0
                                        (curve448_key*)ssl->eccTempKey,
30715
0
                                        args->exportBuf, &args->exportSz,
30716
0
                                        EC448_LITTLE_ENDIAN) != 0) {
30717
0
                                ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
30718
0
                            }
30719
0
                        }
30720
0
                        else
30721
0
                    #endif
30722
0
                        {
30723
0
                    #if defined(HAVE_ECC) && defined(HAVE_ECC_KEY_EXPORT)
30724
0
                            PRIVATE_KEY_UNLOCK();
30725
0
                            ret = wc_ecc_export_x963(ssl->eccTempKey,
30726
0
                                    args->exportBuf, &args->exportSz);
30727
0
                            PRIVATE_KEY_LOCK();
30728
0
                            if (ret != 0) {
30729
0
                                ERROR_OUT(ECC_EXPORT_ERROR, exit_sske);
30730
0
                            }
30731
0
                    #endif
30732
0
                        }
30733
0
                        args->length += args->exportSz;
30734
30735
0
                        preSigSz  = args->length;
30736
0
                        preSigIdx = args->idx;
30737
30738
0
                        if (ssl->buffers.key == NULL) {
30739
                        #ifdef HAVE_PK_CALLBACKS
30740
                            if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx)) {
30741
                                args->tmpSigSz = GetPrivateKeySigSize(ssl);
30742
                                if (args->tmpSigSz == 0) {
30743
                                    ERROR_OUT(NO_PRIVATE_KEY, exit_sske);
30744
                                }
30745
                            }
30746
                            else
30747
                        #endif
30748
0
                                ERROR_OUT(NO_PRIVATE_KEY, exit_sske);
30749
0
                        }
30750
0
                        else {
30751
0
                            switch(ssl->suites->sigAlgo) {
30752
0
                        #ifndef NO_RSA
30753
0
                        #ifdef WC_RSA_PSS
30754
0
                            case rsa_pss_sa_algo:
30755
0
                        #endif
30756
0
                            case rsa_sa_algo:
30757
0
                            {
30758
0
                                word16 keySz;
30759
30760
0
                                ssl->buffers.keyType = rsa_sa_algo;
30761
0
                                ret = DecodePrivateKey(ssl, &keySz);
30762
0
                                if (ret != 0) {
30763
0
                                    goto exit_sske;
30764
0
                                }
30765
30766
0
                                args->tmpSigSz = (word32)keySz;
30767
0
                                break;
30768
0
                            }
30769
0
                        #endif /* !NO_RSA */
30770
0
                        #ifdef HAVE_ECC
30771
0
                            case ecc_dsa_sa_algo:
30772
0
                            {
30773
0
                                word16 keySz;
30774
30775
0
                                ssl->buffers.keyType = ecc_dsa_sa_algo;
30776
0
                                ret = DecodePrivateKey(ssl, &keySz);
30777
0
                                if (ret != 0) {
30778
0
                                    goto exit_sske;
30779
0
                                }
30780
                                /* worst case estimate */
30781
0
                                args->tmpSigSz = keySz;
30782
0
                                break;
30783
0
                            }
30784
0
                        #endif
30785
0
                        #ifdef HAVE_ED25519
30786
0
                            case ed25519_sa_algo:
30787
0
                            {
30788
0
                                word16 keySz;
30789
30790
0
                                ssl->buffers.keyType = ed25519_sa_algo;
30791
0
                                ret = DecodePrivateKey(ssl, &keySz);
30792
0
                                if (ret != 0) {
30793
0
                                    goto exit_sske;
30794
0
                                }
30795
30796
                                /* worst case estimate */
30797
0
                                args->tmpSigSz = ED25519_SIG_SIZE;
30798
0
                                break;
30799
0
                            }
30800
0
                        #endif /* HAVE_ED25519 */
30801
0
                        #ifdef HAVE_ED448
30802
0
                            case ed448_sa_algo:
30803
0
                            {
30804
0
                                word16 keySz;
30805
30806
0
                                ssl->buffers.keyType = ed448_sa_algo;
30807
0
                                ret = DecodePrivateKey(ssl, &keySz);
30808
0
                                if (ret != 0) {
30809
0
                                    goto exit_sske;
30810
0
                                }
30811
30812
                                /* worst case estimate */
30813
0
                                args->tmpSigSz = ED448_SIG_SIZE;
30814
0
                                break;
30815
0
                            }
30816
0
                        #endif /* HAVE_ED448 */
30817
0
                            default:
30818
0
                                ERROR_OUT(ALGO_ID_E, exit_sske);  /* unsupported type */
30819
0
                            } /* switch(ssl->specs.sig_algo) */
30820
0
                        }
30821
30822
                        /* sig length */
30823
0
                        args->length += LENGTH_SZ;
30824
0
                        args->length += args->tmpSigSz;
30825
30826
0
                        if (IsAtLeastTLSv1_2(ssl)) {
30827
0
                            args->length += HASH_SIG_SIZE;
30828
0
                        }
30829
30830
0
                        args->sendSz = args->length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
30831
30832
                    #ifdef WOLFSSL_DTLS
30833
                        if (ssl->options.dtls) {
30834
                            args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
30835
                            args->idx    += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
30836
                            preSigIdx = args->idx;
30837
                        }
30838
                    #endif
30839
0
                        if (IsEncryptionOn(ssl, 1)) {
30840
0
                            args->sendSz += MAX_MSG_EXTRA;
30841
0
                        }
30842
30843
                        /* Use tmp buffer */
30844
0
                        args->input = (byte*)XMALLOC(args->sendSz,
30845
0
                                ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
30846
0
                        if (args->input == NULL)
30847
0
                            ERROR_OUT(MEMORY_E, exit_sske);
30848
0
                        args->output = args->input;
30849
30850
                        /* record and message headers will be added below, when we're sure
30851
                           of the sig length */
30852
30853
                        /* key exchange data */
30854
0
                        args->output[args->idx++] = named_curve;
30855
0
                        args->output[args->idx++] = 0x00;          /* leading zero */
30856
0
                    #ifdef HAVE_CURVE25519
30857
0
                        if (ssl->ecdhCurveOID == ECC_X25519_OID)
30858
0
                            args->output[args->idx++] = WOLFSSL_ECC_X25519;
30859
0
                        else
30860
0
                    #endif
30861
0
                    #ifdef HAVE_CURVE448
30862
0
                        if (ssl->ecdhCurveOID == ECC_X448_OID)
30863
0
                            args->output[args->idx++] = WOLFSSL_ECC_X448;
30864
0
                        else
30865
0
                    #endif
30866
0
                        {
30867
0
                    #ifdef HAVE_ECC
30868
0
                            args->output[args->idx++] =
30869
0
                                                    SetCurveId(ssl->eccTempKey);
30870
0
                    #endif
30871
0
                        }
30872
0
                        args->output[args->idx++] = (byte)args->exportSz;
30873
0
                        XMEMCPY(args->output + args->idx, args->exportBuf, args->exportSz);
30874
0
                        args->idx += args->exportSz;
30875
30876
                        /* Determine hash type */
30877
0
                        if (IsAtLeastTLSv1_2(ssl)) {
30878
0
                            EncodeSigAlg(ssl->suites->hashAlgo,
30879
0
                                         ssl->suites->sigAlgo,
30880
0
                                         &args->output[args->idx]);
30881
0
                            args->idx += 2;
30882
30883
0
                            hashType = HashAlgoToType(ssl->suites->hashAlgo);
30884
0
                            if (hashType == WC_HASH_TYPE_NONE) {
30885
0
                                ERROR_OUT(ALGO_ID_E, exit_sske);
30886
0
                            }
30887
30888
0
                        } else {
30889
                            /* only using sha and md5 for rsa */
30890
0
                        #ifndef NO_OLD_TLS
30891
0
                            hashType = WC_HASH_TYPE_SHA;
30892
0
                            if (ssl->suites->sigAlgo == rsa_sa_algo) {
30893
0
                                hashType = WC_HASH_TYPE_MD5_SHA;
30894
0
                            }
30895
                        #else
30896
                            ERROR_OUT(ALGO_ID_E, exit_sske);
30897
                        #endif
30898
0
                        }
30899
30900
                        /* Signature length will be written later, when we're sure what it is */
30901
30902
                    #ifdef HAVE_FUZZER
30903
                        if (ssl->fuzzerCb) {
30904
                            ssl->fuzzerCb(ssl, args->output + preSigIdx,
30905
                                preSigSz, FUZZ_SIGNATURE, ssl->fuzzerCtx);
30906
                        }
30907
                    #endif
30908
30909
0
                        ret = HashSkeData(ssl, hashType,
30910
0
                            args->output + preSigIdx, preSigSz,
30911
0
                            ssl->suites->sigAlgo);
30912
0
                        if (ret != 0) {
30913
0
                            goto exit_sske;
30914
0
                        }
30915
30916
0
                        args->sigSz = args->tmpSigSz;
30917
30918
                        /* Sign hash to create signature */
30919
0
                        switch (ssl->suites->sigAlgo)
30920
0
                        {
30921
0
                        #ifndef NO_RSA
30922
0
                            case rsa_sa_algo:
30923
0
                            {
30924
                                /* For TLS 1.2 re-encode signature */
30925
0
                                if (IsAtLeastTLSv1_2(ssl)) {
30926
0
                                    byte* encodedSig = (byte*)XMALLOC(
30927
0
                                                  MAX_ENCODED_SIG_SZ, ssl->heap,
30928
0
                                                           DYNAMIC_TYPE_DIGEST);
30929
0
                                    if (encodedSig == NULL) {
30930
0
                                        ERROR_OUT(MEMORY_E, exit_sske);
30931
0
                                    }
30932
30933
0
                                    ssl->buffers.digest.length =
30934
0
                                        wc_EncodeSignature(encodedSig,
30935
0
                                            ssl->buffers.digest.buffer,
30936
0
                                            ssl->buffers.digest.length,
30937
0
                                            TypeHash(ssl->suites->hashAlgo));
30938
30939
                                    /* Replace sig buffer with new one */
30940
0
                                    XFREE(ssl->buffers.digest.buffer, ssl->heap,
30941
0
                                                           DYNAMIC_TYPE_DIGEST);
30942
0
                                    ssl->buffers.digest.buffer = encodedSig;
30943
0
                                }
30944
30945
                                /* write sig size here */
30946
0
                                c16toa((word16)args->sigSz,
30947
0
                                    args->output + args->idx);
30948
0
                                args->idx += LENGTH_SZ;
30949
0
                                break;
30950
0
                            }
30951
0
                        #ifdef WC_RSA_PSS
30952
0
                            case rsa_pss_sa_algo:
30953
                                /* write sig size here */
30954
0
                                c16toa((word16)args->sigSz,
30955
0
                                    args->output + args->idx);
30956
0
                                args->idx += LENGTH_SZ;
30957
0
                                break;
30958
0
                        #endif
30959
0
                        #endif /* !NO_RSA */
30960
0
                            case ecc_dsa_sa_algo:
30961
0
                            {
30962
0
                                break;
30963
0
                            }
30964
0
                        #ifdef  HAVE_ED25519
30965
0
                            case ed25519_sa_algo:
30966
0
                                ret = Ed25519CheckPubKey(ssl);
30967
0
                                if (ret != 0)
30968
0
                                    goto exit_sske;
30969
0
                                break;
30970
0
                        #endif /* HAVE_ED25519 */
30971
0
                        #ifdef  HAVE_ED448
30972
0
                            case ed448_sa_algo:
30973
0
                                ret = Ed448CheckPubKey(ssl);
30974
0
                                if (ret != 0)
30975
0
                                    goto exit_sske;
30976
0
                                break;
30977
0
                        #endif /* HAVE_ED448 */
30978
0
                            default:
30979
0
                                break;
30980
0
                        } /* switch(ssl->specs.sig_algo) */
30981
0
                        break;
30982
0
                    }
30983
0
                #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
30984
0
                #if !defined(NO_DH) && (!defined(NO_RSA) || \
30985
0
                             (defined(HAVE_ANON) && !defined(WOLFSSL_NO_TLS12)))
30986
0
                    case diffie_hellman_kea:
30987
0
                    {
30988
0
                        enum wc_HashType hashType;
30989
0
                        word32 preSigSz, preSigIdx;
30990
30991
0
                        args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
30992
0
                        args->length = LENGTH_SZ * 3;  /* p, g, pub */
30993
0
                        args->length += ssl->buffers.serverDH_P.length +
30994
0
                                        ssl->buffers.serverDH_G.length +
30995
0
                                        ssl->buffers.serverDH_Pub.length;
30996
30997
0
                        preSigIdx = args->idx;
30998
0
                        preSigSz  = args->length;
30999
31000
0
                        if (!ssl->options.usingAnon_cipher) {
31001
0
                            word16 keySz = 0;
31002
31003
                            /* sig length */
31004
0
                            args->length += LENGTH_SZ;
31005
31006
0
                            if (ssl->buffers.key == NULL) {
31007
                            #ifdef HAVE_PK_CALLBACKS
31008
                                if (wolfSSL_CTX_IsPrivatePkSet(ssl->ctx))
31009
                                    keySz = (word32)GetPrivateKeySigSize(ssl);
31010
                                else
31011
                            #endif
31012
0
                                    ERROR_OUT(NO_PRIVATE_KEY, exit_sske);
31013
0
                            }
31014
0
                            else
31015
0
                            {
31016
0
                                if (ssl->buffers.keyType == 0)
31017
0
                                    ssl->buffers.keyType = rsa_sa_algo;
31018
0
                                ret = DecodePrivateKey(ssl, &keySz);
31019
0
                                if (ret != 0) {
31020
0
                                    goto exit_sske;
31021
0
                                }
31022
0
                            }
31023
31024
                            /* test if keySz has error */
31025
0
                            if (keySz == 0) {
31026
0
                                ERROR_OUT(keySz, exit_sske);
31027
0
                            }
31028
31029
0
                            args->tmpSigSz = (word32)keySz;
31030
0
                            args->length += args->tmpSigSz;
31031
31032
0
                            if (IsAtLeastTLSv1_2(ssl)) {
31033
0
                                args->length += HASH_SIG_SIZE;
31034
0
                            }
31035
0
                        }
31036
31037
0
                        args->sendSz = args->length + HANDSHAKE_HEADER_SZ +
31038
0
                                                            RECORD_HEADER_SZ;
31039
31040
                    #ifdef WOLFSSL_DTLS
31041
                        if (ssl->options.dtls) {
31042
                            args->sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
31043
                            args->idx    += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
31044
                            preSigIdx = args->idx;
31045
                        }
31046
                    #endif
31047
31048
0
                        if (IsEncryptionOn(ssl, 1)) {
31049
0
                            args->sendSz += MAX_MSG_EXTRA;
31050
0
                        }
31051
31052
                        /* Use tmp buffer */
31053
0
                        args->input = (byte*)XMALLOC(args->sendSz,
31054
0
                                ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
31055
0
                        if (args->input == NULL)
31056
0
                            ERROR_OUT(MEMORY_E, exit_sske);
31057
0
                        args->output = args->input;
31058
31059
0
                        AddHeaders(args->output, args->length,
31060
0
                                                    server_key_exchange, ssl);
31061
31062
                        /* add p, g, pub */
31063
0
                        c16toa((word16)ssl->buffers.serverDH_P.length,
31064
0
                                                    args->output + args->idx);
31065
0
                        args->idx += LENGTH_SZ;
31066
0
                        XMEMCPY(args->output + args->idx,
31067
0
                                              ssl->buffers.serverDH_P.buffer,
31068
0
                                              ssl->buffers.serverDH_P.length);
31069
0
                        args->idx += ssl->buffers.serverDH_P.length;
31070
31071
                        /*  g */
31072
0
                        c16toa((word16)ssl->buffers.serverDH_G.length,
31073
0
                                                    args->output + args->idx);
31074
0
                        args->idx += LENGTH_SZ;
31075
0
                        XMEMCPY(args->output + args->idx,
31076
0
                                              ssl->buffers.serverDH_G.buffer,
31077
0
                                              ssl->buffers.serverDH_G.length);
31078
0
                        args->idx += ssl->buffers.serverDH_G.length;
31079
31080
                        /*  pub */
31081
0
                        c16toa((word16)ssl->buffers.serverDH_Pub.length,
31082
0
                                                    args->output + args->idx);
31083
0
                        args->idx += LENGTH_SZ;
31084
0
                        XMEMCPY(args->output + args->idx,
31085
0
                                              ssl->buffers.serverDH_Pub.buffer,
31086
0
                                              ssl->buffers.serverDH_Pub.length);
31087
0
                        args->idx += ssl->buffers.serverDH_Pub.length;
31088
31089
                    #ifdef HAVE_FUZZER
31090
                        if (ssl->fuzzerCb) {
31091
                            ssl->fuzzerCb(ssl, args->output + preSigIdx,
31092
                                preSigSz, FUZZ_SIGNATURE, ssl->fuzzerCtx);
31093
                        }
31094
                    #endif
31095
31096
0
                        if (ssl->options.usingAnon_cipher) {
31097
0
                            break;
31098
0
                        }
31099
31100
                        /* Determine hash type */
31101
0
                        if (IsAtLeastTLSv1_2(ssl)) {
31102
0
                            EncodeSigAlg(ssl->suites->hashAlgo,
31103
0
                                         ssl->suites->sigAlgo,
31104
0
                                         &args->output[args->idx]);
31105
0
                            args->idx += 2;
31106
31107
0
                            hashType = HashAlgoToType(ssl->suites->hashAlgo);
31108
0
                            if (hashType == WC_HASH_TYPE_NONE) {
31109
0
                                ERROR_OUT(ALGO_ID_E, exit_sske);
31110
0
                            }
31111
0
                        } else {
31112
                            /* only using sha and md5 for rsa */
31113
0
                        #ifndef NO_OLD_TLS
31114
0
                            hashType = WC_HASH_TYPE_SHA;
31115
0
                            if (ssl->suites->sigAlgo == rsa_sa_algo) {
31116
0
                                hashType = WC_HASH_TYPE_MD5_SHA;
31117
0
                            }
31118
                        #else
31119
                            ERROR_OUT(ALGO_ID_E, exit_sske);
31120
                        #endif
31121
0
                        }
31122
31123
                        /* signature size */
31124
0
                        c16toa((word16)args->tmpSigSz, args->output + args->idx);
31125
0
                        args->idx += LENGTH_SZ;
31126
31127
0
                        ret = HashSkeData(ssl, hashType,
31128
0
                            args->output + preSigIdx, preSigSz,
31129
0
                            ssl->suites->sigAlgo);
31130
0
                        if (ret != 0) {
31131
0
                            goto exit_sske;
31132
0
                        }
31133
31134
0
                        args->sigSz = args->tmpSigSz;
31135
31136
                        /* Sign hash to create signature */
31137
0
                        switch (ssl->suites->sigAlgo)
31138
0
                        {
31139
0
                        #ifndef NO_RSA
31140
0
                            case rsa_sa_algo:
31141
0
                            {
31142
                                /* For TLS 1.2 re-encode signature */
31143
0
                                if (IsAtLeastTLSv1_2(ssl)) {
31144
0
                                    byte* encodedSig = (byte*)XMALLOC(
31145
0
                                                  MAX_ENCODED_SIG_SZ, ssl->heap,
31146
0
                                                           DYNAMIC_TYPE_DIGEST);
31147
0
                                    if (encodedSig == NULL) {
31148
0
                                        ERROR_OUT(MEMORY_E, exit_sske);
31149
0
                                    }
31150
31151
0
                                    ssl->buffers.digest.length =
31152
0
                                        wc_EncodeSignature(encodedSig,
31153
0
                                            ssl->buffers.digest.buffer,
31154
0
                                            ssl->buffers.digest.length,
31155
0
                                            TypeHash(ssl->suites->hashAlgo));
31156
31157
                                    /* Replace sig buffer with new one */
31158
0
                                    XFREE(ssl->buffers.digest.buffer, ssl->heap,
31159
0
                                                           DYNAMIC_TYPE_DIGEST);
31160
0
                                    ssl->buffers.digest.buffer = encodedSig;
31161
0
                                }
31162
0
                                break;
31163
0
                            }
31164
0
                        #endif /* NO_RSA */
31165
0
                            default:
31166
0
                                break;
31167
0
                        } /* switch (ssl->suites->sigAlgo) */
31168
0
                        break;
31169
0
                    }
31170
0
                #endif /* !defined(NO_DH) && !defined(NO_RSA) */
31171
0
                    default:
31172
0
                        break;
31173
0
                } /* switch(ssl->specs.kea) */
31174
31175
                /* Check for error */
31176
0
                if (ret != 0) {
31177
0
                    goto exit_sske;
31178
0
                }
31179
31180
                /* Advance state and proceed */
31181
0
                ssl->options.asyncState = TLS_ASYNC_DO;
31182
0
            } /* case TLS_ASYNC_BUILD */
31183
0
            FALL_THROUGH;
31184
31185
0
            case TLS_ASYNC_DO:
31186
0
            {
31187
0
                switch(ssl->specs.kea)
31188
0
                {
31189
                #ifndef NO_PSK
31190
                    case psk_kea:
31191
                    {
31192
                        break;
31193
                    }
31194
                #endif /* !NO_PSK */
31195
                #if !defined(NO_DH) && !defined(NO_PSK)
31196
                    case dhe_psk_kea:
31197
                    {
31198
                        break;
31199
                    }
31200
                #endif /* !defined(NO_DH) && !defined(NO_PSK) */
31201
                #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
31202
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
31203
                    case ecdhe_psk_kea:
31204
                    {
31205
                        break;
31206
                    }
31207
                #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
31208
0
                #if defined(HAVE_ECC)  || defined(HAVE_CURVE25519) || \
31209
0
                                                          defined(HAVE_CURVE448)
31210
0
                    case ecc_diffie_hellman_kea:
31211
0
                    {
31212
                        /* Sign hash to create signature */
31213
0
                        switch (ssl->suites->sigAlgo)
31214
0
                        {
31215
0
                        #ifndef NO_RSA
31216
0
                        #ifdef WC_RSA_PSS
31217
0
                            case rsa_pss_sa_algo:
31218
0
                        #endif
31219
0
                            case rsa_sa_algo:
31220
0
                            {
31221
0
                                RsaKey* key = (RsaKey*)ssl->hsKey;
31222
31223
0
                                ret = RsaSign(ssl,
31224
0
                                    ssl->buffers.digest.buffer,
31225
0
                                    ssl->buffers.digest.length,
31226
0
                                    args->output + args->idx,
31227
0
                                    &args->sigSz,
31228
0
                                    ssl->suites->sigAlgo, ssl->suites->hashAlgo,
31229
0
                                    key,
31230
0
                                    ssl->buffers.key
31231
0
                                );
31232
0
                                break;
31233
0
                            }
31234
0
                        #endif /* !NO_RSA */
31235
0
                        #ifdef HAVE_ECC
31236
0
                            case ecc_dsa_sa_algo:
31237
0
                            {
31238
0
                                ecc_key* key = (ecc_key*)ssl->hsKey;
31239
31240
0
                                ret = EccSign(ssl,
31241
0
                                    ssl->buffers.digest.buffer,
31242
0
                                    ssl->buffers.digest.length,
31243
0
                                    args->output + LENGTH_SZ + args->idx,
31244
0
                                    &args->sigSz,
31245
0
                                    key,
31246
                            #ifdef HAVE_PK_CALLBACKS
31247
                                    ssl->buffers.key
31248
                            #else
31249
0
                                    NULL
31250
0
                            #endif
31251
0
                                );
31252
0
                                break;
31253
0
                            }
31254
0
                        #endif /* HAVE_ECC */
31255
0
                        #ifdef HAVE_ED25519
31256
0
                            case ed25519_sa_algo:
31257
0
                            {
31258
0
                                ed25519_key* key = (ed25519_key*)ssl->hsKey;
31259
31260
0
                                ret = Ed25519Sign(ssl,
31261
0
                                    ssl->buffers.sig.buffer,
31262
0
                                    ssl->buffers.sig.length,
31263
0
                                    args->output + LENGTH_SZ + args->idx,
31264
0
                                    &args->sigSz,
31265
0
                                    key,
31266
                            #ifdef HAVE_PK_CALLBACKS
31267
                                    ssl->buffers.key
31268
                            #else
31269
0
                                    NULL
31270
0
                            #endif
31271
0
                                );
31272
0
                                break;
31273
0
                            }
31274
0
                        #endif
31275
0
                        #ifdef HAVE_ED448
31276
0
                            case ed448_sa_algo:
31277
0
                            {
31278
0
                                ed448_key* key = (ed448_key*)ssl->hsKey;
31279
31280
0
                                ret = Ed448Sign(ssl,
31281
0
                                    ssl->buffers.sig.buffer,
31282
0
                                    ssl->buffers.sig.length,
31283
0
                                    args->output + LENGTH_SZ + args->idx,
31284
0
                                    &args->sigSz,
31285
0
                                    key,
31286
                            #ifdef HAVE_PK_CALLBACKS
31287
                                    ssl->buffers.key
31288
                            #else
31289
0
                                    NULL
31290
0
                            #endif
31291
0
                                );
31292
0
                                break;
31293
0
                            }
31294
0
                        #endif
31295
0
                            default:
31296
0
                                ERROR_OUT(ALGO_ID_E, exit_sske);
31297
0
                        } /* switch(ssl->specs.sig_algo) */
31298
0
                        break;
31299
0
                    }
31300
0
                #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
31301
0
                #if !defined(NO_DH) && !defined(NO_RSA)
31302
0
                    case diffie_hellman_kea:
31303
0
                    {
31304
                        /* Sign hash to create signature */
31305
0
                        switch (ssl->suites->sigAlgo)
31306
0
                        {
31307
0
                        #ifndef NO_RSA
31308
0
                        #ifdef WC_RSA_PSS
31309
0
                            case rsa_pss_sa_algo:
31310
0
                        #endif
31311
0
                            case rsa_sa_algo:
31312
0
                            {
31313
0
                                RsaKey* key = (RsaKey*)ssl->hsKey;
31314
31315
0
                                if (ssl->options.usingAnon_cipher) {
31316
0
                                    break;
31317
0
                                }
31318
31319
0
                                ret = RsaSign(ssl,
31320
0
                                    ssl->buffers.digest.buffer,
31321
0
                                    ssl->buffers.digest.length,
31322
0
                                    args->output + args->idx,
31323
0
                                    &args->sigSz,
31324
0
                                    ssl->suites->sigAlgo, ssl->suites->hashAlgo,
31325
0
                                    key,
31326
0
                                    ssl->buffers.key
31327
0
                                );
31328
0
                                break;
31329
0
                            }
31330
0
                        #endif /* NO_RSA */
31331
0
                            default:
31332
0
                                break;
31333
0
                        } /* switch (ssl->suites->sigAlgo) */
31334
31335
0
                        break;
31336
0
                    }
31337
0
                #endif /* !defined(NO_DH) && !defined(NO_RSA) */
31338
0
                    default:
31339
0
                        break;
31340
0
                } /* switch(ssl->specs.kea) */
31341
31342
                /* Check for error */
31343
0
                if (ret != 0) {
31344
0
                    goto exit_sske;
31345
0
                }
31346
31347
                /* Advance state and proceed */
31348
0
                ssl->options.asyncState = TLS_ASYNC_VERIFY;
31349
0
            } /* case TLS_ASYNC_DO */
31350
0
            FALL_THROUGH;
31351
31352
0
            case TLS_ASYNC_VERIFY:
31353
0
            {
31354
0
                switch(ssl->specs.kea)
31355
0
                {
31356
                #ifndef NO_PSK
31357
                    case psk_kea:
31358
                    {
31359
                        /* Nothing to do in this sub-state */
31360
                        break;
31361
                    }
31362
                #endif /* !NO_PSK */
31363
                #if !defined(NO_DH) && !defined(NO_PSK)
31364
                    case dhe_psk_kea:
31365
                    {
31366
                        /* Nothing to do in this sub-state */
31367
                        break;
31368
                    }
31369
                #endif /* !defined(NO_DH) && !defined(NO_PSK) */
31370
                #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) ||  \
31371
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
31372
                    case ecdhe_psk_kea:
31373
                    {
31374
                        /* Nothing to do in this sub-state */
31375
                        break;
31376
                    }
31377
                #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
31378
0
                #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
31379
0
                                                          defined(HAVE_CURVE448)
31380
0
                    case ecc_diffie_hellman_kea:
31381
0
                    {
31382
0
                        switch(ssl->suites->sigAlgo)
31383
0
                        {
31384
0
                        #ifndef NO_RSA
31385
0
                        #ifdef WC_RSA_PSS
31386
0
                            case rsa_pss_sa_algo:
31387
0
                        #endif
31388
0
                            case rsa_sa_algo:
31389
0
                            {
31390
0
                                RsaKey* key = (RsaKey*)ssl->hsKey;
31391
31392
0
                                if (args->verifySig == NULL) {
31393
0
                                    if (args->sigSz == 0) {
31394
0
                                        ERROR_OUT(BAD_COND_E, exit_sske);
31395
0
                                    }
31396
0
                                    args->verifySig = (byte*)XMALLOC(
31397
0
                                                    args->sigSz, ssl->heap,
31398
0
                                                    DYNAMIC_TYPE_SIGNATURE);
31399
0
                                    if (!args->verifySig) {
31400
0
                                        ERROR_OUT(MEMORY_E, exit_sske);
31401
0
                                    }
31402
0
                                    XMEMCPY(args->verifySig,
31403
0
                                        args->output + args->idx, args->sigSz);
31404
0
                                }
31405
31406
                                /* check for signature faults */
31407
0
                                ret = VerifyRsaSign(ssl,
31408
0
                                    args->verifySig, args->sigSz,
31409
0
                                    ssl->buffers.digest.buffer,
31410
0
                                    ssl->buffers.digest.length,
31411
0
                                    ssl->suites->sigAlgo, ssl->suites->hashAlgo,
31412
0
                                    key, ssl->buffers.key
31413
0
                                );
31414
0
                                break;
31415
0
                            }
31416
0
                        #endif
31417
0
                            case ecc_dsa_sa_algo:
31418
0
                        #ifdef HAVE_ED25519
31419
0
                            case ed25519_sa_algo:
31420
0
                        #endif
31421
0
                        #ifdef HAVE_ED448
31422
0
                            case ed448_sa_algo:
31423
0
                        #endif
31424
0
                            {
31425
                                /* Now that we know the real sig size, write it. */
31426
0
                                c16toa((word16)args->sigSz,
31427
0
                                                    args->output + args->idx);
31428
31429
                                /* And adjust length and sendSz from estimates */
31430
0
                                args->length += args->sigSz - args->tmpSigSz;
31431
0
                                args->sendSz += args->sigSz - args->tmpSigSz;
31432
0
                                break;
31433
0
                            }
31434
0
                            default:
31435
0
                                ERROR_OUT(ALGO_ID_E, exit_sske);  /* unsupported type */
31436
0
                        } /* switch(ssl->specs.sig_algo) */
31437
0
                        break;
31438
0
                    }
31439
0
                #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
31440
0
                #if !defined(NO_DH) && !defined(NO_RSA)
31441
0
                    case diffie_hellman_kea:
31442
0
                    {
31443
0
                        switch (ssl->suites->sigAlgo)
31444
0
                        {
31445
0
                        #ifndef NO_RSA
31446
                        #ifndef WC_RSA_PSS
31447
                            case rsa_pss_sa_algo:
31448
                        #endif
31449
0
                            case rsa_sa_algo:
31450
0
                            {
31451
0
                                RsaKey* key = (RsaKey*)ssl->hsKey;
31452
31453
0
                                if (ssl->options.usingAnon_cipher) {
31454
0
                                    break;
31455
0
                                }
31456
31457
0
                                if (args->verifySig == NULL) {
31458
0
                                    if (args->sigSz == 0) {
31459
0
                                        ERROR_OUT(BAD_COND_E, exit_sske);
31460
0
                                    }
31461
0
                                    args->verifySig = (byte*)XMALLOC(
31462
0
                                                      args->sigSz, ssl->heap,
31463
0
                                                      DYNAMIC_TYPE_SIGNATURE);
31464
0
                                    if (!args->verifySig) {
31465
0
                                        ERROR_OUT(MEMORY_E, exit_sske);
31466
0
                                    }
31467
0
                                    XMEMCPY(args->verifySig,
31468
0
                                        args->output + args->idx, args->sigSz);
31469
0
                                }
31470
31471
                                /* check for signature faults */
31472
0
                                ret = VerifyRsaSign(ssl,
31473
0
                                    args->verifySig, args->sigSz,
31474
0
                                    ssl->buffers.digest.buffer,
31475
0
                                    ssl->buffers.digest.length,
31476
0
                                    ssl->suites->sigAlgo, ssl->suites->hashAlgo,
31477
0
                                    key, ssl->buffers.key
31478
0
                                );
31479
0
                                break;
31480
0
                            }
31481
0
                        #endif
31482
0
                        } /* switch (ssl->suites->sigAlgo) */
31483
0
                        break;
31484
0
                    }
31485
0
                #endif /* !defined(NO_DH) && !defined(NO_RSA) */
31486
0
                    default:
31487
0
                        break;
31488
0
                } /* switch(ssl->specs.kea) */
31489
31490
                /* Check for error */
31491
0
                if (ret != 0) {
31492
0
                    goto exit_sske;
31493
0
                }
31494
31495
                /* Advance state and proceed */
31496
0
                ssl->options.asyncState = TLS_ASYNC_FINALIZE;
31497
0
            } /* case TLS_ASYNC_VERIFY */
31498
0
            FALL_THROUGH;
31499
31500
0
            case TLS_ASYNC_FINALIZE:
31501
0
            {
31502
0
            #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
31503
0
                                                          defined(HAVE_CURVE448)
31504
0
                if (ssl->specs.kea == ecdhe_psk_kea ||
31505
0
                    ssl->specs.kea == ecc_diffie_hellman_kea) {
31506
                    /* Check output to make sure it was set */
31507
0
                    if (args->output) {
31508
0
                        AddHeaders(args->output, args->length,
31509
0
                                                    server_key_exchange, ssl);
31510
0
                    }
31511
0
                    else {
31512
0
                        ERROR_OUT(BUFFER_ERROR, exit_sske);
31513
0
                    }
31514
0
                }
31515
0
            #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
31516
31517
                /* Advance state and proceed */
31518
0
                ssl->options.asyncState = TLS_ASYNC_END;
31519
0
            } /* case TLS_ASYNC_FINALIZE */
31520
0
            FALL_THROUGH;
31521
31522
0
            case TLS_ASYNC_END:
31523
0
            {
31524
0
                ret = SendHandshakeMsg(ssl, args->output, args->length,
31525
0
                        server_key_exchange, "ServerKeyExchange");
31526
0
                if (ret != 0)
31527
0
                    goto exit_sske;
31528
0
                ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
31529
0
                break;
31530
0
            }
31531
0
            default:
31532
0
                ret = INPUT_CASE_ERROR;
31533
0
        } /* switch(ssl->options.asyncState) */
31534
31535
0
    exit_sske:
31536
31537
0
        WOLFSSL_LEAVE("SendServerKeyExchange", ret);
31538
0
        WOLFSSL_END(WC_FUNC_SERVER_KEY_EXCHANGE_SEND);
31539
31540
0
    #ifdef WOLFSSL_ASYNC_IO
31541
        /* Handle async operation */
31542
0
        if (ret == WANT_WRITE
31543
        #ifdef WOLFSSL_ASYNC_CRYPT
31544
                || ret == WC_PENDING_E
31545
        #endif
31546
0
                )
31547
0
            return ret;
31548
0
    #endif /* WOLFSSL_ASYNC_IO */
31549
31550
        /* Final cleanup */
31551
0
        if (args != NULL && args->input != NULL) {
31552
0
            XFREE(args->input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
31553
0
            args->input = NULL;
31554
0
        }
31555
0
    #ifdef WOLFSSL_ASYNC_IO
31556
        /* Cleanup async */
31557
0
        FreeAsyncCtx(ssl, 0);
31558
    #else
31559
        FreeSskeArgs(ssl, args);
31560
    #endif
31561
0
        FreeKeyExchange(ssl);
31562
31563
0
        if (ret != 0) {
31564
0
            WOLFSSL_ERROR_VERBOSE(ret);
31565
0
        }
31566
31567
0
        return ret;
31568
0
    }
31569
31570
#if defined(HAVE_SERVER_RENEGOTIATION_INFO) || defined(HAVE_FALLBACK_SCSV) || \
31571
                                                            defined(OPENSSL_ALL)
31572
31573
    /* search suites for specific one, idx on success, negative on error */
31574
    static int FindSuite(Suites* suites, byte first, byte second)
31575
0
    {
31576
0
        int i;
31577
31578
0
        if (suites == NULL || suites->suiteSz == 0) {
31579
0
            WOLFSSL_MSG("Suites pointer error or suiteSz 0");
31580
0
            return SUITES_ERROR;
31581
0
        }
31582
31583
0
        for (i = 0; i < suites->suiteSz-1; i += SUITE_LEN) {
31584
0
            if (suites->suites[i]   == first &&
31585
0
                suites->suites[i+1] == second )
31586
0
                return i;
31587
0
        }
31588
31589
0
        return MATCH_SUITE_ERROR;
31590
0
    }
31591
31592
#endif
31593
31594
#endif /* !WOLFSSL_NO_TLS12 */
31595
31596
    /* Make sure server cert/key are valid for this suite, true on success
31597
     * Returns 1 for valid server suite or 0 if not found
31598
     * For asynchronous this can return WC_PENDING_E
31599
     */
31600
    static int VerifyServerSuite(WOLFSSL* ssl, word16 idx)
31601
0
    {
31602
    #ifndef NO_PSK
31603
        int  havePSK = ssl->options.havePSK;
31604
    #endif
31605
0
        byte first;
31606
0
        byte second;
31607
31608
0
        WOLFSSL_ENTER("VerifyServerSuite");
31609
31610
0
        if (ssl->suites == NULL) {
31611
0
            WOLFSSL_MSG("Suites pointer error");
31612
0
            return 0;
31613
0
        }
31614
31615
0
        first   = ssl->suites->suites[idx];
31616
0
        second  = ssl->suites->suites[idx+1];
31617
31618
0
        if (CipherRequires(first, second, REQUIRES_RSA)) {
31619
0
            WOLFSSL_MSG("Requires RSA");
31620
0
            if (ssl->options.haveRSA == 0) {
31621
0
                WOLFSSL_MSG("Don't have RSA");
31622
0
                return 0;
31623
0
            }
31624
0
        }
31625
31626
0
        if (CipherRequires(first, second, REQUIRES_DHE)) {
31627
0
            WOLFSSL_MSG("Requires DHE");
31628
0
            if (ssl->options.haveDH == 0) {
31629
0
                WOLFSSL_MSG("Don't have DHE");
31630
0
                return 0;
31631
0
            }
31632
0
        }
31633
31634
0
        if (CipherRequires(first, second, REQUIRES_ECC)) {
31635
0
            WOLFSSL_MSG("Requires ECC");
31636
0
            if (ssl->options.haveECC == 0) {
31637
0
                WOLFSSL_MSG("Don't have ECC");
31638
0
                return 0;
31639
0
            }
31640
0
        }
31641
31642
0
        if (CipherRequires(first, second, REQUIRES_ECC_STATIC)) {
31643
0
            WOLFSSL_MSG("Requires static ECC");
31644
0
            if (ssl->options.haveStaticECC == 0) {
31645
0
                WOLFSSL_MSG("Don't have static ECC");
31646
0
                return 0;
31647
0
            }
31648
0
        }
31649
31650
0
        if (CipherRequires(first, second, REQUIRES_PSK)) {
31651
0
            WOLFSSL_MSG("Requires PSK");
31652
        #ifndef NO_PSK
31653
            if (havePSK == 0)
31654
        #endif
31655
0
            {
31656
0
                WOLFSSL_MSG("Don't have PSK");
31657
0
                return 0;
31658
0
            }
31659
0
        }
31660
31661
0
        if (CipherRequires(first, second, REQUIRES_RSA_SIG)) {
31662
0
            WOLFSSL_MSG("Requires RSA Signature");
31663
0
            if (ssl->options.side == WOLFSSL_SERVER_END &&
31664
0
                                           ssl->options.haveECDSAsig == 1) {
31665
0
                WOLFSSL_MSG("Don't have RSA Signature");
31666
0
                return 0;
31667
0
            }
31668
0
        }
31669
31670
0
#if !defined(WOLFSSL_OLDTLS_AEAD_CIPHERSUITES)
31671
0
        if (CipherRequires(first, second, REQUIRES_AEAD)) {
31672
0
            WOLFSSL_MSG("Requires AEAD");
31673
0
            if (ssl->version.major == SSLv3_MAJOR &&
31674
0
                                           ssl->version.minor < TLSv1_2_MINOR) {
31675
0
                WOLFSSL_MSG("Version of SSL does not support AEAD ciphers");
31676
0
                return 0;
31677
0
            }
31678
31679
0
        }
31680
0
#endif
31681
31682
0
#if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
31683
0
                       defined(HAVE_CURVE448)) && defined(HAVE_SUPPORTED_CURVES)
31684
0
        if (!TLSX_ValidateSupportedCurves(ssl, first, second)) {
31685
0
            WOLFSSL_MSG("Don't have matching curves");
31686
0
            return 0;
31687
0
        }
31688
0
#endif
31689
31690
0
#ifdef WOLFSSL_TLS13
31691
0
        if (IsAtLeastTLSv1_3(ssl->version) &&
31692
0
                                      ssl->options.side == WOLFSSL_SERVER_END) {
31693
0
    #ifdef HAVE_SUPPORTED_CURVES
31694
0
            int doHelloRetry = 0;
31695
            /* Try to establish a key share. */
31696
0
            int ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry);
31697
0
            if (doHelloRetry) {
31698
0
                ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;
31699
0
            }
31700
        #ifdef WOLFSSL_ASYNC_CRYPT
31701
            if (ret == WC_PENDING_E)
31702
                return ret;
31703
        #endif
31704
0
            if (!doHelloRetry && ret != 0) {
31705
0
                return 0; /* not found */
31706
0
            }
31707
0
    #endif /* HAVE_SUPPORTED_CURVES */
31708
0
        }
31709
0
        else if (first == TLS13_BYTE || (first == ECC_BYTE &&
31710
0
                (second == TLS_SHA256_SHA256 || second == TLS_SHA384_SHA384))) {
31711
            /* Can't negotiate TLS 1.3 cipher suites with lower protocol
31712
             * version. */
31713
0
            return 0;
31714
0
        }
31715
0
#endif /* WOLFSSL_TLS13 */
31716
31717
0
        return 1;
31718
0
    }
31719
31720
    static int CompareSuites(WOLFSSL* ssl, Suites* peerSuites, word16 i,
31721
                             word16 j)
31722
0
    {
31723
0
        if (ssl->suites->suites[i]   == peerSuites->suites[j] &&
31724
0
            ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) {
31725
31726
0
            int ret = VerifyServerSuite(ssl, i);
31727
            #ifdef WOLFSSL_ASYNC_CRYPT
31728
            if (ret == WC_PENDING_E)
31729
                return ret;
31730
            #endif
31731
0
            if (ret) {
31732
0
                WOLFSSL_MSG("Verified suite validity");
31733
0
                ssl->options.cipherSuite0 = ssl->suites->suites[i];
31734
0
                ssl->options.cipherSuite  = ssl->suites->suites[i+1];
31735
0
                ret = SetCipherSpecs(ssl);
31736
0
                if (ret == 0) {
31737
0
                    ret = PickHashSigAlgo(ssl, peerSuites->hashSigAlgo,
31738
0
                                                     peerSuites->hashSigAlgoSz);
31739
0
                }
31740
0
                return ret;
31741
0
            }
31742
0
            else {
31743
0
                WOLFSSL_MSG("Could not verify suite validity, continue");
31744
0
            }
31745
0
        }
31746
31747
0
        return MATCH_SUITE_ERROR;
31748
0
    }
31749
31750
    int MatchSuite(WOLFSSL* ssl, Suites* peerSuites)
31751
0
    {
31752
0
        int ret;
31753
0
        word16 i, j;
31754
31755
0
        WOLFSSL_ENTER("MatchSuite");
31756
31757
        /* & 0x1 equivalent % 2 */
31758
0
        if (peerSuites->suiteSz == 0 || peerSuites->suiteSz & 0x1)
31759
0
            return BUFFER_ERROR;
31760
31761
0
        if (ssl->suites == NULL)
31762
0
            return SUITES_ERROR;
31763
31764
0
        if (!ssl->options.useClientOrder) {
31765
            /* Server order */
31766
0
            for (i = 0; i < ssl->suites->suiteSz; i += 2) {
31767
0
                for (j = 0; j < peerSuites->suiteSz; j += 2) {
31768
0
                    ret = CompareSuites(ssl, peerSuites, i, j);
31769
0
                    if (ret != MATCH_SUITE_ERROR)
31770
0
                        return ret;
31771
0
                }
31772
0
            }
31773
0
        }
31774
0
        else {
31775
            /* Client order */
31776
0
            for (j = 0; j < peerSuites->suiteSz; j += 2) {
31777
0
                for (i = 0; i < ssl->suites->suiteSz; i += 2) {
31778
0
                    ret = CompareSuites(ssl, peerSuites, i, j);
31779
0
                    if (ret != MATCH_SUITE_ERROR)
31780
0
                        return ret;
31781
0
                }
31782
0
            }
31783
0
        }
31784
31785
0
        WOLFSSL_ERROR_VERBOSE(MATCH_SUITE_ERROR);
31786
0
        return MATCH_SUITE_ERROR;
31787
0
    }
31788
31789
#ifdef OLD_HELLO_ALLOWED
31790
31791
    /* process old style client hello, deprecate? */
31792
    int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
31793
                              word32 inSz, word16 sz)
31794
    {
31795
        word32          idx = *inOutIdx;
31796
        word16          sessionSz;
31797
        word16          randomSz;
31798
        word16          i, j;
31799
        ProtocolVersion pv;
31800
        Suites          clSuites;
31801
        int ret = -1;
31802
31803
        (void)inSz;
31804
        WOLFSSL_MSG("Got old format client hello");
31805
#ifdef WOLFSSL_CALLBACKS
31806
        if (ssl->hsInfoOn)
31807
            AddPacketName(ssl, "ClientHello");
31808
        if (ssl->toInfoOn)
31809
            AddLateName("ClientHello", &ssl->timeoutInfo);
31810
#endif
31811
31812
        /* manually hash input since different format */
31813
#ifndef NO_OLD_TLS
31814
#ifndef NO_MD5
31815
        wc_Md5Update(&ssl->hsHashes->hashMd5, input + idx, sz);
31816
#endif
31817
#ifndef NO_SHA
31818
        wc_ShaUpdate(&ssl->hsHashes->hashSha, input + idx, sz);
31819
#endif
31820
#endif
31821
#ifndef NO_SHA256
31822
        if (IsAtLeastTLSv1_2(ssl)) {
31823
            int shaRet = wc_Sha256Update(&ssl->hsHashes->hashSha256,
31824
                                         input + idx, sz);
31825
            if (shaRet != 0)
31826
                return shaRet;
31827
        }
31828
#endif
31829
31830
        /* does this value mean client_hello? */
31831
        idx++;
31832
31833
        /* version */
31834
        pv.major = input[idx++];
31835
        pv.minor = input[idx++];
31836
        ssl->chVersion = pv;  /* store */
31837
31838
        if (ssl->version.minor > pv.minor) {
31839
            byte haveRSA = 0;
31840
            byte havePSK = 0;
31841
            int  keySz   = 0;
31842
31843
            if (!ssl->options.downgrade) {
31844
                WOLFSSL_MSG("Client trying to connect with lesser version");
31845
                return VERSION_ERROR;
31846
            }
31847
            if (pv.minor < ssl->options.minDowngrade) {
31848
                WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
31849
                return VERSION_ERROR;
31850
            }
31851
            if (pv.minor == SSLv3_MINOR) {
31852
                /* turn off tls */
31853
                WOLFSSL_MSG("\tdowngrading to SSLv3");
31854
                ssl->options.tls    = 0;
31855
                ssl->options.tls1_1 = 0;
31856
                ssl->version.minor  = SSLv3_MINOR;
31857
            }
31858
            else if (pv.minor == TLSv1_MINOR) {
31859
                WOLFSSL_MSG("\tdowngrading to TLSv1");
31860
                /* turn off tls 1.1+ */
31861
                ssl->options.tls1_1 = 0;
31862
                ssl->version.minor  = TLSv1_MINOR;
31863
            }
31864
            else if (pv.minor == TLSv1_1_MINOR) {
31865
                WOLFSSL_MSG("\tdowngrading to TLSv1.1");
31866
                ssl->version.minor  = TLSv1_1_MINOR;
31867
            }
31868
            else if (pv.minor == TLSv1_2_MINOR) {
31869
                WOLFSSL_MSG("    downgrading to TLSv1.2");
31870
                ssl->version.minor  = TLSv1_2_MINOR;
31871
            }
31872
#ifndef NO_RSA
31873
            haveRSA = 1;
31874
#endif
31875
#ifndef NO_PSK
31876
            havePSK = ssl->options.havePSK;
31877
#endif
31878
#ifndef NO_CERTS
31879
            keySz = ssl->buffers.keySz;
31880
#endif
31881
31882
            InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
31883
                       ssl->options.haveDH, ssl->options.haveECDSAsig,
31884
                       ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
31885
                       ssl->options.haveFalconSig,
31886
                       ssl->options.haveDilithiumSig, ssl->options.haveAnon,
31887
                       TRUE, ssl->options.side);
31888
        }
31889
31890
        /* suite size */
31891
        ato16(&input[idx], &clSuites.suiteSz);
31892
        idx += OPAQUE16_LEN;
31893
31894
        if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
31895
            return BUFFER_ERROR;
31896
        /* Make sure the suiteSz is a multiple of 3. (Old Client Hello) */
31897
        if (clSuites.suiteSz % 3 != 0)
31898
            return BUFFER_ERROR;
31899
        clSuites.hashSigAlgoSz = 0;
31900
31901
        /* session size */
31902
        ato16(&input[idx], &sessionSz);
31903
        idx += OPAQUE16_LEN;
31904
31905
        if (sessionSz > ID_LEN)
31906
            return BUFFER_ERROR;
31907
31908
        /* random size */
31909
        ato16(&input[idx], &randomSz);
31910
        idx += OPAQUE16_LEN;
31911
31912
        if (randomSz > RAN_LEN)
31913
            return BUFFER_ERROR;
31914
31915
        /* suites */
31916
        for (i = 0, j = 0; i < clSuites.suiteSz; i += 3) {
31917
            byte first = input[idx++];
31918
            if (!first) { /* implicit: skip sslv2 type */
31919
                XMEMCPY(&clSuites.suites[j], &input[idx], SUITE_LEN);
31920
                j += SUITE_LEN;
31921
            }
31922
            idx += SUITE_LEN;
31923
        }
31924
        clSuites.suiteSz = j;
31925
31926
        /* session id */
31927
        if (sessionSz) {
31928
            XMEMCPY(ssl->arrays->sessionID, input + idx, sessionSz);
31929
            ssl->arrays->sessionIDSz = (byte)sessionSz;
31930
            idx += sessionSz;
31931
            ssl->options.resuming = 1;
31932
        }
31933
31934
        /* random */
31935
        if (randomSz < RAN_LEN)
31936
            XMEMSET(ssl->arrays->clientRandom, 0, RAN_LEN - randomSz);
31937
        XMEMCPY(&ssl->arrays->clientRandom[RAN_LEN - randomSz], input + idx,
31938
               randomSz);
31939
        idx += randomSz;
31940
31941
        if (ssl->options.usingCompression)
31942
            ssl->options.usingCompression = 0;  /* turn off */
31943
31944
        ssl->options.clientState = CLIENT_HELLO_COMPLETE;
31945
        ssl->cbmode = SSL_CB_MODE_WRITE;
31946
        *inOutIdx = idx;
31947
31948
        ssl->options.haveSessionId = 1;
31949
        /* DoClientHello uses same resume code */
31950
        if (ssl->options.resuming) {  /* let's try */
31951
            WOLFSSL_SESSION* session;
31952
        #ifdef HAVE_SESSION_TICKET
31953
            if (ssl->options.useTicket == 1) {
31954
                session = ssl->session;
31955
            }
31956
            else
31957
        #endif
31958
            {
31959
                session = wolfSSL_GetSession(ssl, ssl->arrays->masterSecret, 1);
31960
            }
31961
            if (!session) {
31962
                WOLFSSL_MSG("Session lookup for resume failed");
31963
                ssl->options.resuming = 0;
31964
            } else {
31965
                if (MatchSuite(ssl, &clSuites) < 0) {
31966
                    WOLFSSL_MSG("Unsupported cipher suite, OldClientHello");
31967
                    return UNSUPPORTED_SUITE;
31968
                }
31969
31970
                ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom,
31971
                                                                       RAN_LEN);
31972
                if (ret != 0)
31973
                    return ret;
31974
31975
                #ifdef NO_OLD_TLS
31976
                    ret = DeriveTlsKeys(ssl);
31977
                #else
31978
                    #ifndef NO_TLS
31979
                        if (ssl->options.tls)
31980
                            ret = DeriveTlsKeys(ssl);
31981
                    #endif
31982
                        if (!ssl->options.tls)
31983
                            ret = DeriveKeys(ssl);
31984
                #endif
31985
                /* SERVER: peer auth based on session secret. */
31986
                ssl->options.peerAuthGood = (ret == 0);
31987
                ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
31988
31989
                return ret;
31990
            }
31991
        }
31992
31993
        ret = MatchSuite(ssl, &clSuites);
31994
        if (ret != 0)return ret;
31995
        return SanityCheckMsgReceived(ssl, client_hello);
31996
    }
31997
31998
#endif /* OLD_HELLO_ALLOWED */
31999
32000
#ifndef WOLFSSL_NO_TLS12
32001
32002
    /**
32003
     *  Handles session resumption.
32004
     *  Session tickets are checked for validity based on the time each ticket
32005
     *  was created, timeout value and the current time. If the tickets are
32006
     *  judged expired, falls back to full-handshake. If you want disable this
32007
     *  session ticket validation check in TLS1.2 and below, define
32008
     *  WOLFSSL_NO_TICKET_EXPRE.
32009
     */
32010
    int HandleTlsResumption(WOLFSSL* ssl, int bogusID, Suites* clSuites)
32011
0
    {
32012
0
        int ret = 0;
32013
0
        WOLFSSL_SESSION* session;
32014
0
        (void)bogusID;
32015
0
    #ifdef HAVE_SESSION_TICKET
32016
0
        if (ssl->options.useTicket == 1) {
32017
0
            session = ssl->session;
32018
0
        }
32019
0
        else if (bogusID == 1 && ssl->options.rejectTicket == 0) {
32020
0
            WOLFSSL_MSG("Bogus session ID without session ticket");
32021
0
            return BUFFER_ERROR;
32022
0
        }
32023
0
        else
32024
0
    #endif
32025
0
        {
32026
0
            session = wolfSSL_GetSession(ssl, ssl->arrays->masterSecret, 1);
32027
0
        }
32028
0
        if (!session) {
32029
0
            WOLFSSL_MSG("Session lookup for resume failed");
32030
0
            ssl->options.resuming = 0;
32031
0
            return ret;
32032
0
        }
32033
0
#if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_TICKET_EXPIRE) && \
32034
0
                                    !defined(NO_ASN_TIME)
32035
        /* check if the ticket is valid */
32036
0
        if (LowResTimer() > session->bornOn + ssl->timeout) {
32037
0
            WOLFSSL_MSG("Expired session ticket, fall back to full handshake.");
32038
0
            ssl->options.resuming = 0;
32039
0
        }
32040
0
#endif /* HAVE_SESSION_TICKET && !WOLFSSL_NO_TICKET_EXPIRE && !NO_ASN_TIME */
32041
32042
0
        else if (session->haveEMS != ssl->options.haveEMS) {
32043
            /* RFC 7627, 5.3, server-side */
32044
            /* if old sess didn't have EMS, but new does, full handshake */
32045
0
            if (!session->haveEMS && ssl->options.haveEMS) {
32046
0
                WOLFSSL_MSG("Attempting to resume a session that didn't "
32047
0
                            "use EMS with a new session with EMS. Do full "
32048
0
                            "handshake.");
32049
0
                ssl->options.resuming = 0;
32050
0
            }
32051
            /* if old sess used EMS, but new doesn't, MUST abort */
32052
0
            else if (session->haveEMS && !ssl->options.haveEMS) {
32053
0
                WOLFSSL_MSG("Trying to resume a session with EMS without "
32054
0
                            "using EMS");
32055
0
            #ifdef WOLFSSL_EXTRA_ALERTS
32056
0
                SendAlert(ssl, alert_fatal, handshake_failure);
32057
0
            #endif
32058
0
                ret = EXT_MASTER_SECRET_NEEDED_E;
32059
0
                WOLFSSL_ERROR_VERBOSE(ret);
32060
0
            }
32061
0
        }
32062
0
        else {
32063
0
        #ifndef NO_RESUME_SUITE_CHECK
32064
0
            int j;
32065
32066
            /* Check client suites include the one in session */
32067
0
            for (j = 0; j < clSuites->suiteSz; j += 2) {
32068
0
                if (clSuites->suites[j] == session->cipherSuite0 &&
32069
0
                                clSuites->suites[j+1] == session->cipherSuite) {
32070
0
                    break;
32071
0
                }
32072
0
            }
32073
0
            if (j == clSuites->suiteSz) {
32074
0
                WOLFSSL_MSG("Prev session's cipher suite not in ClientHello");
32075
0
            #ifdef WOLFSSL_EXTRA_ALERTS
32076
0
                SendAlert(ssl, alert_fatal, illegal_parameter);
32077
0
            #endif
32078
0
                ret = UNSUPPORTED_SUITE;
32079
0
                WOLFSSL_ERROR_VERBOSE(ret);
32080
0
            }
32081
0
        #endif
32082
32083
0
            if (ret == 0 && ssl->options.resuming) {
32084
                /* for resumption use the cipher suite from session */
32085
0
                ssl->options.cipherSuite0 = session->cipherSuite0;
32086
0
                ssl->options.cipherSuite =  session->cipherSuite;
32087
0
                ret = SetCipherSpecs(ssl);
32088
0
                if (ret == 0) {
32089
0
                    ret = PickHashSigAlgo(ssl, clSuites->hashSigAlgo,
32090
0
                                               clSuites->hashSigAlgoSz);
32091
0
                }
32092
0
            }
32093
0
            else if (ret == 0) {
32094
0
                if (MatchSuite(ssl, clSuites) < 0) {
32095
0
                    WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
32096
0
                    ret = UNSUPPORTED_SUITE;
32097
0
                    WOLFSSL_ERROR_VERBOSE(ret);
32098
0
                }
32099
0
            }
32100
0
            if (ret == 0) {
32101
0
                ret = wc_RNG_GenerateBlock(ssl->rng,
32102
0
                                           ssl->arrays->serverRandom, RAN_LEN);
32103
0
            }
32104
0
            if (ret == 0) {
32105
                #ifdef NO_OLD_TLS
32106
                    ret = DeriveTlsKeys(ssl);
32107
                #else
32108
0
                    #ifndef NO_TLS
32109
0
                        if (ssl->options.tls)
32110
0
                            ret = DeriveTlsKeys(ssl);
32111
0
                    #endif
32112
0
                        if (!ssl->options.tls)
32113
0
                            ret = DeriveKeys(ssl);
32114
0
                #endif
32115
                /* SERVER: peer auth based on session secret. */
32116
0
                ssl->options.peerAuthGood = (ret == 0);
32117
0
                ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
32118
0
            }
32119
0
        }
32120
32121
32122
0
        return ret;
32123
0
    }
32124
32125
32126
    /* handle processing of client_hello (1) */
32127
    int DoClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
32128
                             word32 helloSz)
32129
0
    {
32130
0
        byte            b;
32131
0
        byte            bogusID = 0;   /* flag for a bogus session id */
32132
0
        ProtocolVersion pv;
32133
0
        Suites          clSuites;
32134
0
        word32          i = *inOutIdx;
32135
0
        word32          begin = i;
32136
0
        int             ret = 0;
32137
0
        byte            lesserVersion;
32138
32139
#ifdef WOLFSSL_DTLS
32140
        Hmac            cookieHmac;
32141
        byte            newCookie[MAX_COOKIE_LEN];
32142
        byte            peerCookie[MAX_COOKIE_LEN];
32143
        byte            peerCookieSz = 0;
32144
        byte            cookieType;
32145
        byte            cookieSz = 0;
32146
32147
        XMEMSET(&cookieHmac, 0, sizeof(Hmac));
32148
#endif /* WOLFSSL_DTLS */
32149
32150
0
        WOLFSSL_START(WC_FUNC_CLIENT_HELLO_DO);
32151
0
        WOLFSSL_ENTER("DoClientHello");
32152
32153
#ifdef WOLFSSL_CALLBACKS
32154
        if (ssl->hsInfoOn) AddPacketName(ssl, "ClientHello");
32155
        if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
32156
#endif
32157
        /* protocol version, random and session id length check */
32158
0
        if (OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
32159
0
            return BUFFER_ERROR;
32160
32161
        /* protocol version */
32162
0
        XMEMCPY(&pv, input + i, OPAQUE16_LEN);
32163
0
        ssl->chVersion = pv;   /* store */
32164
#ifdef WOLFSSL_DTLS
32165
        if (IsDtlsNotSctpMode(ssl) && IsDtlsNotSrtpMode(ssl) && !IsSCR(ssl)) {
32166
            #if defined(NO_SHA) && defined(NO_SHA256)
32167
                #error "DTLS needs either SHA or SHA-256"
32168
            #endif /* NO_SHA && NO_SHA256 */
32169
32170
            #if !defined(NO_SHA) && defined(NO_SHA256)
32171
                cookieType = WC_SHA;
32172
                cookieSz = WC_SHA_DIGEST_SIZE;
32173
            #endif /* NO_SHA */
32174
            #ifndef NO_SHA256
32175
                cookieType = WC_SHA256;
32176
                cookieSz = WC_SHA256_DIGEST_SIZE;
32177
            #endif /* NO_SHA256 */
32178
            ret = wc_HmacSetKey(&cookieHmac, cookieType,
32179
                                ssl->buffers.dtlsCookieSecret.buffer,
32180
                                ssl->buffers.dtlsCookieSecret.length);
32181
            if (ret != 0) goto out;
32182
            ret = wc_HmacUpdate(&cookieHmac,
32183
                                (const byte*)ssl->buffers.dtlsCtx.peer.sa,
32184
                                ssl->buffers.dtlsCtx.peer.sz);
32185
            if (ret != 0) goto out;
32186
            ret = wc_HmacUpdate(&cookieHmac, input + i, OPAQUE16_LEN);
32187
            if (ret != 0) goto out;
32188
        }
32189
#endif /* WOLFSSL_DTLS */
32190
0
        i += OPAQUE16_LEN;
32191
32192
        /* Legacy protocol version cannot negotiate TLS 1.3 or higher. */
32193
0
        if (pv.major == SSLv3_MAJOR && pv.minor >= TLSv1_3_MINOR)
32194
0
            pv.minor = TLSv1_2_MINOR;
32195
32196
0
        lesserVersion = !ssl->options.dtls && ssl->version.minor > pv.minor;
32197
0
        lesserVersion |= ssl->options.dtls && ssl->version.minor < pv.minor;
32198
32199
0
        if (lesserVersion) {
32200
0
            byte   belowMinDowngrade;
32201
0
            word16 haveRSA = 0;
32202
0
            word16 havePSK = 0;
32203
0
            int    keySz   = 0;
32204
32205
0
            if (!ssl->options.downgrade) {
32206
0
                WOLFSSL_MSG("Client trying to connect with lesser version");
32207
0
#if defined(WOLFSSL_EXTRA_ALERTS) ||  defined(OPENSSL_EXTRA)
32208
0
                SendAlert(ssl, alert_fatal, handshake_failure);
32209
0
#endif
32210
0
                ret = VERSION_ERROR;
32211
0
                goto out;
32212
0
            }
32213
32214
0
            belowMinDowngrade = pv.minor < ssl->options.minDowngrade;
32215
32216
            /* DTLS versions increase backwards (-1,-2,-3) ecc  */
32217
0
            if (ssl->options.dtls)
32218
0
                belowMinDowngrade = ssl->options.dtls
32219
0
                    && pv.minor > ssl->options.minDowngrade;
32220
32221
0
            if (belowMinDowngrade) {
32222
0
                WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
32223
0
#if defined(WOLFSSL_EXTRA_ALERTS) ||  defined(OPENSSL_EXTRA)
32224
0
                SendAlert(ssl, alert_fatal, handshake_failure);
32225
0
#endif
32226
0
                ret = VERSION_ERROR;
32227
0
                goto out;
32228
0
            }
32229
32230
0
            if (!ssl->options.dtls) {
32231
0
                if (pv.minor == SSLv3_MINOR) {
32232
                    /* turn off tls */
32233
0
                    WOLFSSL_MSG("\tdowngrading to SSLv3");
32234
0
                    ssl->options.tls    = 0;
32235
0
                    ssl->options.tls1_1 = 0;
32236
0
                    ssl->version.minor  = SSLv3_MINOR;
32237
0
                }
32238
0
                else if (pv.minor == TLSv1_MINOR) {
32239
                    /* turn off tls 1.1+ */
32240
0
                    WOLFSSL_MSG("\tdowngrading to TLSv1");
32241
0
                    ssl->options.tls1_1 = 0;
32242
0
                    ssl->version.minor  = TLSv1_MINOR;
32243
0
                }
32244
0
                else if (pv.minor == TLSv1_1_MINOR) {
32245
0
                    WOLFSSL_MSG("\tdowngrading to TLSv1.1");
32246
0
                    ssl->version.minor  = TLSv1_1_MINOR;
32247
0
                }
32248
0
                else if (pv.minor == TLSv1_2_MINOR) {
32249
0
                    WOLFSSL_MSG("    downgrading to TLSv1.2");
32250
0
                    ssl->version.minor  = TLSv1_2_MINOR;
32251
0
                }
32252
0
            }
32253
0
            else {
32254
0
                if (pv.minor == DTLSv1_2_MINOR) {
32255
0
                    WOLFSSL_MSG("\tDowngrading to DTLSv1.2");
32256
0
                    ssl->options.tls1_3 = 0;
32257
0
                    ssl->version.minor = DTLSv1_2_MINOR;
32258
32259
                    /* reset hashes, DTLSv1.2 will take care of the hashing
32260
                       later */
32261
0
                    ret = InitHandshakeHashes(ssl);
32262
0
                    if (ret != 0)
32263
0
                        return ret;
32264
0
                }
32265
0
                else if (pv.minor == DTLS_MINOR) {
32266
0
                    WOLFSSL_MSG("\tDowngrading to DTLSv1.2");
32267
0
                    ssl->options.tls1_3 = 0;
32268
0
                    ssl->version.minor = DTLS_MINOR;
32269
0
                }
32270
0
            }
32271
0
#ifndef NO_RSA
32272
0
            haveRSA = 1;
32273
0
#endif
32274
#ifndef NO_PSK
32275
            havePSK = ssl->options.havePSK;
32276
#endif
32277
0
#ifndef NO_CERTS
32278
0
            keySz = ssl->buffers.keySz;
32279
0
#endif
32280
0
            InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
32281
0
                       ssl->options.haveDH, ssl->options.haveECDSAsig,
32282
0
                       ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
32283
0
                       ssl->options.haveFalconSig,
32284
0
                       ssl->options.haveDilithiumSig, ssl->options.haveAnon,
32285
0
                       TRUE, ssl->options.side);
32286
0
        }
32287
32288
        /* check if option is set to not allow the current version
32289
         * set from either wolfSSL_set_options or wolfSSL_CTX_set_options */
32290
0
        if (!ssl->options.dtls && ssl->options.downgrade &&
32291
0
            ssl->options.mask > 0) {
32292
32293
0
            int reset = 0;
32294
32295
0
            if (ssl->version.minor == TLSv1_2_MINOR &&
32296
0
               (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_2) ==
32297
0
                WOLFSSL_OP_NO_TLSv1_2) {
32298
0
                WOLFSSL_MSG("\tOption set to not allow TLSv1.2, Downgrading");
32299
0
                ssl->version.minor = TLSv1_1_MINOR;
32300
0
                reset = 1;
32301
0
            }
32302
32303
0
            if (ssl->version.minor == TLSv1_1_MINOR &&
32304
0
               (ssl->options.mask & WOLFSSL_OP_NO_TLSv1_1) ==
32305
0
                WOLFSSL_OP_NO_TLSv1_1) {
32306
0
                WOLFSSL_MSG("\tOption set to not allow TLSv1.1, Downgrading");
32307
0
                ssl->options.tls1_1 = 0;
32308
0
                ssl->version.minor = TLSv1_MINOR;
32309
0
                reset = 1;
32310
0
            }
32311
32312
0
            if (ssl->version.minor == TLSv1_MINOR &&
32313
0
               (ssl->options.mask & WOLFSSL_OP_NO_TLSv1) ==
32314
0
                WOLFSSL_OP_NO_TLSv1) {
32315
0
                WOLFSSL_MSG("\tOption set to not allow TLSv1, Downgrading");
32316
0
                ssl->options.tls    = 0;
32317
0
                ssl->options.tls1_1 = 0;
32318
0
                ssl->version.minor = SSLv3_MINOR;
32319
0
                reset = 1;
32320
0
            }
32321
32322
0
            if (ssl->version.minor == SSLv3_MINOR &&
32323
0
               (ssl->options.mask & WOLFSSL_OP_NO_SSLv3) ==
32324
0
                WOLFSSL_OP_NO_SSLv3) {
32325
0
                WOLFSSL_MSG("\tError, option set to not allow SSLv3");
32326
0
                ret = VERSION_ERROR;
32327
0
                goto out;
32328
0
            }
32329
32330
0
            if (ssl->version.minor < ssl->options.minDowngrade) {
32331
0
                WOLFSSL_MSG("\tversion below minimum allowed, fatal error");
32332
0
                ret = VERSION_ERROR;
32333
0
                goto out;
32334
0
            }
32335
32336
0
            if (reset) {
32337
0
                word16 haveRSA = 0;
32338
0
                word16 havePSK = 0;
32339
0
                int    keySz   = 0;
32340
32341
0
            #ifndef NO_RSA
32342
0
                haveRSA = 1;
32343
0
            #endif
32344
            #ifndef NO_PSK
32345
                havePSK = ssl->options.havePSK;
32346
            #endif
32347
0
            #ifndef NO_CERTS
32348
0
                keySz = ssl->buffers.keySz;
32349
0
            #endif
32350
32351
                /* reset cipher suites to account for TLS version change */
32352
0
                InitSuites(ssl->suites, ssl->version, keySz, haveRSA, havePSK,
32353
0
                           ssl->options.haveDH, ssl->options.haveECDSAsig,
32354
0
                           ssl->options.haveECC, TRUE, ssl->options.haveStaticECC,
32355
0
                           ssl->options.haveFalconSig,
32356
0
                           ssl->options.haveDilithiumSig, ssl->options.haveAnon,
32357
0
                           TRUE, ssl->options.side);
32358
0
            }
32359
0
        }
32360
32361
        /* random */
32362
0
        XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
32363
#ifdef WOLFSSL_DTLS
32364
        if (IsDtlsNotSctpMode(ssl) && IsDtlsNotSrtpMode(ssl) && !IsSCR(ssl)) {
32365
            ret = wc_HmacUpdate(&cookieHmac, input + i, RAN_LEN);
32366
            if (ret != 0) goto out;
32367
        }
32368
#endif /* WOLFSSL_DTLS */
32369
0
        i += RAN_LEN;
32370
32371
#ifdef SHOW_SECRETS
32372
        {
32373
            int j;
32374
            printf("client random: ");
32375
            for (j = 0; j < RAN_LEN; j++)
32376
                printf("%02x", ssl->arrays->clientRandom[j]);
32377
            printf("\n");
32378
        }
32379
#endif
32380
32381
        /* session id */
32382
0
        b = input[i++];
32383
32384
0
#ifdef HAVE_SESSION_TICKET
32385
0
        if (b > 0 && b < ID_LEN) {
32386
0
            bogusID = 1;
32387
0
            WOLFSSL_MSG("Client sent bogus session id, let's allow for echo");
32388
0
        }
32389
0
#endif
32390
32391
0
        if (b == ID_LEN || bogusID) {
32392
0
            if ((i - begin) + b > helloSz) {
32393
0
                ret = BUFFER_ERROR;
32394
0
                goto out;
32395
0
            }
32396
32397
0
            XMEMCPY(ssl->arrays->sessionID, input + i, b);
32398
#ifdef WOLFSSL_DTLS
32399
            if (IsDtlsNotSctpMode(ssl) && IsDtlsNotSrtpMode(ssl) &&
32400
                    !IsSCR(ssl)) {
32401
                ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1);
32402
                if (ret != 0) goto out;
32403
            }
32404
#endif /* WOLFSSL_DTLS */
32405
0
            ssl->arrays->sessionIDSz = b;
32406
0
            i += b;
32407
0
            ssl->options.resuming = 1; /* client wants to resume */
32408
0
            WOLFSSL_MSG("Client wants to resume session");
32409
0
        }
32410
0
        else if (b) {
32411
0
            WOLFSSL_MSG("Invalid session ID size");
32412
0
            ret = BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */
32413
0
            goto out;
32414
0
        }
32415
32416
        #ifdef WOLFSSL_DTLS
32417
            /* cookie */
32418
            if (ssl->options.dtls) {
32419
32420
                if ((i - begin) + OPAQUE8_LEN > helloSz) {
32421
                    ret = BUFFER_ERROR;
32422
                    goto out;
32423
                }
32424
32425
                peerCookieSz = input[i++];
32426
32427
                if (peerCookieSz) {
32428
                    if (peerCookieSz > MAX_COOKIE_LEN) {
32429
                        ret = BUFFER_ERROR;
32430
                        goto out;
32431
                    }
32432
32433
                    if ((i - begin) + peerCookieSz > helloSz) {
32434
                        ret = BUFFER_ERROR;
32435
                        goto out;
32436
                    }
32437
32438
                    XMEMCPY(peerCookie, input + i, peerCookieSz);
32439
32440
                    i += peerCookieSz;
32441
                }
32442
            }
32443
        #endif
32444
32445
        /* suites */
32446
0
        if ((i - begin) + OPAQUE16_LEN > helloSz) {
32447
0
            ret = BUFFER_ERROR;
32448
0
            goto out;
32449
0
        }
32450
32451
0
        ato16(&input[i], &clSuites.suiteSz);
32452
0
        i += OPAQUE16_LEN;
32453
32454
        /* Cipher suite lists are always multiples of two in length. */
32455
0
        if (clSuites.suiteSz % 2 != 0) {
32456
0
            ret = BUFFER_ERROR;
32457
0
            goto out;
32458
0
        }
32459
32460
        /* suites and compression length check */
32461
0
        if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) {
32462
0
            ret = BUFFER_ERROR;
32463
0
            goto out;
32464
0
        }
32465
32466
0
        if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) {
32467
0
            ret = BUFFER_ERROR;
32468
0
            goto out;
32469
0
        }
32470
32471
0
        XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
32472
32473
0
#ifdef HAVE_SERVER_RENEGOTIATION_INFO
32474
        /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */
32475
0
        if (FindSuite(&clSuites, 0, TLS_EMPTY_RENEGOTIATION_INFO_SCSV) >= 0) {
32476
0
            TLSX* extension;
32477
32478
            /* check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite */
32479
0
            ret = TLSX_AddEmptyRenegotiationInfo(&ssl->extensions, ssl->heap);
32480
0
            if (ret != WOLFSSL_SUCCESS)
32481
0
                goto out;
32482
32483
0
            extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO);
32484
0
            if (extension) {
32485
0
                ssl->secure_renegotiation =
32486
0
                                          (SecureRenegotiation*)extension->data;
32487
0
                ssl->secure_renegotiation->enabled = 1;
32488
0
            }
32489
0
        }
32490
0
#endif /* HAVE_SERVER_RENEGOTIATION_INFO */
32491
0
#if defined(HAVE_FALLBACK_SCSV) || defined(OPENSSL_ALL)
32492
        /* check for TLS_FALLBACK_SCSV suite */
32493
0
        if (FindSuite(&clSuites, TLS_FALLBACK_SCSV, 0) >= 0) {
32494
0
            WOLFSSL_MSG("Found Fallback SCSV");
32495
0
            if (ssl->ctx->method->version.minor > pv.minor) {
32496
0
                WOLFSSL_MSG("Client trying to connect with lesser version");
32497
0
                SendAlert(ssl, alert_fatal, inappropriate_fallback);
32498
0
                ret = VERSION_ERROR;
32499
0
                goto out;
32500
0
            }
32501
0
        }
32502
0
#endif
32503
32504
#ifdef WOLFSSL_DTLS
32505
        if (IsDtlsNotSctpMode(ssl) && IsDtlsNotSrtpMode(ssl) && !IsSCR(ssl)) {
32506
            ret = wc_HmacUpdate(&cookieHmac,
32507
                                    input + i - OPAQUE16_LEN,
32508
                                    clSuites.suiteSz + OPAQUE16_LEN);
32509
            if (ret != 0) goto out;
32510
        }
32511
#endif /* WOLFSSL_DTLS */
32512
0
        i += clSuites.suiteSz;
32513
0
        clSuites.hashSigAlgoSz = 0;
32514
32515
        /* compression length */
32516
0
        b = input[i++];
32517
32518
0
        if ((i - begin) + b > helloSz) {
32519
0
            ret = BUFFER_ERROR;
32520
0
            goto out;
32521
0
        }
32522
32523
0
        if (b == 0) {
32524
0
            WOLFSSL_MSG("No compression types in list");
32525
0
#ifdef WOLFSSL_EXTRA_ALERTS
32526
0
            SendAlert(ssl, alert_fatal, decode_error);
32527
0
#endif
32528
0
            ret = COMPRESSION_ERROR;
32529
0
            goto out;
32530
0
        }
32531
32532
#ifdef WOLFSSL_DTLS
32533
        if (IsDtlsNotSctpMode(ssl) && IsDtlsNotSrtpMode(ssl) && !IsSCR(ssl)) {
32534
32535
            ret = wc_HmacUpdate(&cookieHmac, input + i - 1, b + 1);
32536
            if (ret != 0) goto out;
32537
            ret = wc_HmacFinal(&cookieHmac, newCookie);
32538
            if (ret != 0) goto out;
32539
32540
            /* If a cookie callback is set, call it to overwrite the cookie.
32541
             * This should be deprecated. The code now calculates the cookie
32542
             * using an HMAC as expected. */
32543
            if (ssl->ctx->CBIOCookie != NULL &&
32544
                ssl->ctx->CBIOCookie(ssl, newCookie, cookieSz,
32545
                                     ssl->IOCB_CookieCtx) != cookieSz) {
32546
                ret = COOKIE_ERROR;
32547
                goto out;
32548
            }
32549
32550
32551
#ifndef WOLFSSL_DTLS_NO_HVR_ON_RESUME
32552
            if (peerCookieSz != cookieSz ||
32553
                 XMEMCMP(peerCookie, newCookie, cookieSz) != 0) {
32554
                *inOutIdx += helloSz;
32555
                ret = SendHelloVerifyRequest(ssl, newCookie, cookieSz);
32556
                goto out;
32557
            }
32558
#endif /* !WOLFSSL_DTLS_NO_HVR_ON_RESUME */
32559
32560
32561
        }
32562
#endif /* WOLFSSL_DTLS */
32563
32564
0
        {
32565
            /* compression match types */
32566
0
            int matchNo = 0;
32567
0
            int matchZlib = 0;
32568
32569
0
            while (b--) {
32570
0
                byte comp = input[i++];
32571
32572
0
                if (comp == NO_COMPRESSION) {
32573
0
                    matchNo = 1;
32574
0
                }
32575
0
                if (comp == ZLIB_COMPRESSION) {
32576
0
                    matchZlib = 1;
32577
0
                }
32578
0
            }
32579
32580
0
            if (ssl->options.usingCompression == 0 && matchNo) {
32581
0
                WOLFSSL_MSG("Matched No Compression");
32582
0
            } else if (ssl->options.usingCompression && matchZlib) {
32583
0
                WOLFSSL_MSG("Matched zlib Compression");
32584
0
            } else if (ssl->options.usingCompression && matchNo) {
32585
0
                WOLFSSL_MSG("Could only match no compression, turning off");
32586
0
                ssl->options.usingCompression = 0;  /* turn off */
32587
0
            } else {
32588
0
                WOLFSSL_MSG("Could not match compression");
32589
0
#ifdef WOLFSSL_EXTRA_ALERTS
32590
0
                SendAlert(ssl, alert_fatal, illegal_parameter);
32591
0
#endif
32592
0
                ret = COMPRESSION_ERROR;
32593
0
                goto out;
32594
0
            }
32595
0
        }
32596
32597
0
        *inOutIdx = i;
32598
32599
        /* tls extensions */
32600
0
        if ((i - begin) < helloSz) {
32601
0
#ifdef HAVE_TLS_EXTENSIONS
32602
0
            if (TLSX_SupportExtensions(ssl))
32603
#else
32604
            if (IsAtLeastTLSv1_2(ssl))
32605
#endif
32606
0
            {
32607
                /* Process the hello extension. Skip unsupported. */
32608
0
                word16 totalExtSz;
32609
32610
0
#ifdef HAVE_TLS_EXTENSIONS
32611
                /* auto populate extensions supported unless user defined */
32612
0
                if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
32613
0
                    goto out;
32614
0
#endif
32615
32616
0
                if ((i - begin) + OPAQUE16_LEN > helloSz) {
32617
0
                    ret = BUFFER_ERROR;
32618
0
                    goto out;
32619
0
                }
32620
32621
0
                ato16(&input[i], &totalExtSz);
32622
0
                i += OPAQUE16_LEN;
32623
32624
0
                if ((i - begin) + totalExtSz > helloSz) {
32625
0
                    ret = BUFFER_ERROR;
32626
0
                    goto out;
32627
0
                }
32628
32629
0
#ifdef HAVE_TLS_EXTENSIONS
32630
                /* tls extensions */
32631
0
                if ((ret = TLSX_Parse(ssl, input + i, totalExtSz, client_hello,
32632
0
                                                                    &clSuites)))
32633
0
                    goto out;
32634
0
    #ifdef WOLFSSL_TLS13
32635
0
                if (TLSX_Find(ssl->extensions,
32636
0
                                             TLSX_SUPPORTED_VERSIONS) != NULL) {
32637
0
                    WOLFSSL_MSG(
32638
0
                            "Client attempting to connect with higher version");
32639
0
                    ret = VERSION_ERROR;
32640
0
                    goto out;
32641
0
                }
32642
0
    #endif
32643
0
    #ifdef HAVE_SNI
32644
0
                if((ret=SNI_Callback(ssl)))
32645
0
                    goto out;
32646
0
    #endif
32647
32648
0
                i += totalExtSz;
32649
#else
32650
                while (totalExtSz) {
32651
                    word16 extId, extSz;
32652
32653
                    if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) {
32654
                        ret = BUFFER_ERROR;
32655
                        goto out;
32656
                    }
32657
32658
                    ato16(&input[i], &extId);
32659
                    i += OPAQUE16_LEN;
32660
                    ato16(&input[i], &extSz);
32661
                    i += OPAQUE16_LEN;
32662
32663
                    if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) {
32664
                        ret = BUFFER_ERROR;
32665
                        goto out;
32666
                    }
32667
32668
                    if (extId == HELLO_EXT_SIG_ALGO) {
32669
                        word16 hashSigAlgoSz;
32670
32671
                        ato16(&input[i], &hashSigAlgoSz);
32672
                        i += OPAQUE16_LEN;
32673
32674
                        if (OPAQUE16_LEN + hashSigAlgoSz > extSz) {
32675
                            ret = BUFFER_ERROR;
32676
                            goto out;
32677
                        }
32678
32679
                        if (hashSigAlgoSz % 2 != 0) {
32680
                            ret = BUFFER_ERROR;
32681
                            goto out;
32682
                        }
32683
32684
                        clSuites.hashSigAlgoSz = hashSigAlgoSz;
32685
                        if (clSuites.hashSigAlgoSz > WOLFSSL_MAX_SIGALGO) {
32686
                            WOLFSSL_MSG("ClientHello SigAlgo list exceeds max, "
32687
                                                                  "truncating");
32688
                            clSuites.hashSigAlgoSz = WOLFSSL_MAX_SIGALGO;
32689
                        }
32690
32691
                        XMEMCPY(clSuites.hashSigAlgo, &input[i],
32692
                                                      clSuites.hashSigAlgoSz);
32693
32694
                        i += hashSigAlgoSz;
32695
                    }
32696
#ifdef HAVE_EXTENDED_MASTER
32697
                    else if (extId == HELLO_EXT_EXTMS)
32698
                        ssl->options.haveEMS = 1;
32699
#endif
32700
                    else
32701
                        i += extSz;
32702
32703
                    totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz;
32704
                }
32705
#endif
32706
0
                *inOutIdx = i;
32707
0
            }
32708
0
            else
32709
0
                *inOutIdx = begin + helloSz; /* skip extensions */
32710
0
        }
32711
32712
#ifdef WOLFSSL_DTLS_CID
32713
        if (ssl->options.useDtlsCID)
32714
            DtlsCIDOnExtensionsParsed(ssl);
32715
#endif /* WOLFSSL_DTLS_CID */
32716
32717
0
        ssl->options.clientState   = CLIENT_HELLO_COMPLETE;
32718
0
        ssl->options.haveSessionId = 1;
32719
32720
        /* ProcessOld uses same resume code */
32721
0
        if (ssl->options.resuming) {
32722
0
            ret = HandleTlsResumption(ssl, bogusID, &clSuites);
32723
0
            if (ret != 0)
32724
0
                goto out;
32725
32726
0
#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \
32727
0
    !defined(WOLFSSL_AEAD_ONLY)
32728
0
            if (ssl->options.encThenMac && ssl->specs.cipher_type == block) {
32729
0
                ret = TLSX_EncryptThenMac_Respond(ssl);
32730
0
                if (ret != 0)
32731
0
                    goto out;
32732
0
            }
32733
0
            else
32734
0
                ssl->options.encThenMac = 0;
32735
0
#endif
32736
0
            if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) {
32737
0
                WOLFSSL_LEAVE("DoClientHello", ret);
32738
0
                WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
32739
32740
0
                goto out;
32741
0
            }
32742
0
        }
32743
32744
#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS_NO_HVR_ON_RESUME)
32745
        if (IsDtlsNotSctpMode(ssl) && IsDtlsNotSrtpMode(ssl) && !IsSCR(ssl)) {
32746
32747
            if (!ssl->options.resuming) {
32748
                /* resume failed, check the cookie */
32749
                if (peerCookieSz != cookieSz ||
32750
                    XMEMCMP(peerCookie, newCookie, cookieSz) != 0) {
32751
                    *inOutIdx = begin + helloSz;
32752
                    ret = SendHelloVerifyRequest(ssl, newCookie, cookieSz);
32753
                    goto out;
32754
                }
32755
            }
32756
        }
32757
#endif /* WOLFSSL_DTLS && WOLFSSL_DTLS_NO_HVR_ON_RESUME */
32758
32759
0
#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_DH_DEFAULT_PARAMS)
32760
0
    #if defined(HAVE_FFDHE) && defined(HAVE_SUPPORTED_CURVES)
32761
0
        if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) != NULL) {
32762
            /* Set FFDHE parameters or clear DHE parameters if FFDH parameters
32763
             * present and no matches in the server's list. */
32764
0
            ret = TLSX_SupportedFFDHE_Set(ssl);
32765
0
            if (ret != 0)
32766
0
                goto out;
32767
0
        }
32768
0
    #endif
32769
0
#endif
32770
32771
0
#ifdef OPENSSL_EXTRA
32772
        /* Give user last chance to provide a cert for cipher selection */
32773
0
        if (ret == 0 && ssl->ctx->certSetupCb != NULL)
32774
0
            ret = CertSetupCbWrapper(ssl);
32775
0
#endif
32776
0
        if (ret == 0)
32777
0
            ret = MatchSuite(ssl, &clSuites);
32778
32779
0
#ifdef WOLFSSL_EXTRA_ALERTS
32780
0
        if (ret == BUFFER_ERROR)
32781
0
            SendAlert(ssl, alert_fatal, decode_error);
32782
0
        else if (ret < 0)
32783
0
            SendAlert(ssl, alert_fatal, handshake_failure);
32784
0
#endif
32785
0
#if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \
32786
0
    !defined(WOLFSSL_AEAD_ONLY)
32787
0
        if (ret == 0 && ssl->options.encThenMac &&
32788
0
                                              ssl->specs.cipher_type == block) {
32789
0
            ret = TLSX_EncryptThenMac_Respond(ssl);
32790
0
        }
32791
0
        else
32792
0
            ssl->options.encThenMac = 0;
32793
0
#endif
32794
32795
#ifdef WOLFSSL_DTLS
32796
        if (ret == 0 && ssl->options.dtls)
32797
            DtlsMsgPoolReset(ssl);
32798
#endif
32799
32800
0
    out:
32801
32802
#ifdef WOLFSSL_DTLS
32803
        wc_HmacFree(&cookieHmac);
32804
#endif
32805
32806
0
        WOLFSSL_LEAVE("DoClientHello", ret);
32807
0
        WOLFSSL_END(WC_FUNC_CLIENT_HELLO_DO);
32808
32809
0
        if (ret != 0) {
32810
0
            WOLFSSL_ERROR_VERBOSE(ret);
32811
0
        }
32812
32813
0
        return ret;
32814
0
    }
32815
32816
32817
#if (!defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519) || \
32818
                        defined(HAVE_ED448)) && !defined(WOLFSSL_NO_CLIENT_AUTH)
32819
32820
    typedef struct DcvArgs {
32821
        byte*  output; /* not allocated */
32822
        word32 sendSz;
32823
        word16 sz;
32824
        word32 sigSz;
32825
        word32 idx;
32826
        word32 begin;
32827
        byte   hashAlgo;
32828
        byte   sigAlgo;
32829
    } DcvArgs;
32830
32831
    static void FreeDcvArgs(WOLFSSL* ssl, void* pArgs)
32832
0
    {
32833
0
        DcvArgs* args = (DcvArgs*)pArgs;
32834
32835
0
        (void)ssl;
32836
0
        (void)args;
32837
0
    }
32838
32839
    /* handle processing of certificate_verify (15) */
32840
    static int DoCertificateVerify(WOLFSSL* ssl, byte* input,
32841
                                word32* inOutIdx, word32 size)
32842
0
    {
32843
0
        int ret = 0;
32844
    #ifdef WOLFSSL_ASYNC_CRYPT
32845
        DcvArgs* args = NULL;
32846
        WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
32847
    #else
32848
0
        DcvArgs  args[1];
32849
0
    #endif
32850
32851
0
        WOLFSSL_START(WC_FUNC_CERTIFICATE_VERIFY_DO);
32852
0
        WOLFSSL_ENTER("DoCertificateVerify");
32853
32854
    #ifdef WOLFSSL_ASYNC_CRYPT
32855
        if (ssl->async == NULL) {
32856
            ssl->async = (struct WOLFSSL_ASYNC*)
32857
                    XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
32858
                            DYNAMIC_TYPE_ASYNC);
32859
            if (ssl->async == NULL)
32860
                ERROR_OUT(MEMORY_E, exit_dcv);
32861
        }
32862
        args = (DcvArgs*)ssl->async->args;
32863
32864
        ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
32865
        if (ret != WC_NOT_PENDING_E) {
32866
            /* Check for error */
32867
            if (ret < 0)
32868
                goto exit_dcv;
32869
        }
32870
        else
32871
    #endif
32872
0
        {
32873
            /* Reset state */
32874
0
            ret = 0;
32875
0
            ssl->options.asyncState = TLS_ASYNC_BEGIN;
32876
0
            XMEMSET(args, 0, sizeof(DcvArgs));
32877
0
            args->hashAlgo = sha_mac;
32878
0
            args->sigAlgo = anonymous_sa_algo;
32879
0
            args->idx = *inOutIdx;
32880
0
            args->begin = *inOutIdx;
32881
        #ifdef WOLFSSL_ASYNC_CRYPT
32882
            ssl->async->freeArgs = FreeDcvArgs;
32883
        #endif
32884
0
        }
32885
32886
0
        switch(ssl->options.asyncState)
32887
0
        {
32888
0
            case TLS_ASYNC_BEGIN:
32889
0
            {
32890
            #ifdef WOLFSSL_CALLBACKS
32891
                if (ssl->hsInfoOn)
32892
                    AddPacketName(ssl, "CertificateVerify");
32893
                if (ssl->toInfoOn)
32894
                    AddLateName("CertificateVerify", &ssl->timeoutInfo);
32895
            #endif
32896
32897
                /* Advance state and proceed */
32898
0
                ssl->options.asyncState = TLS_ASYNC_BUILD;
32899
0
            } /* case TLS_ASYNC_BEGIN */
32900
0
            FALL_THROUGH;
32901
32902
0
            case TLS_ASYNC_BUILD:
32903
0
            {
32904
0
                if (IsAtLeastTLSv1_2(ssl)) {
32905
0
                    if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > size) {
32906
0
                        ERROR_OUT(BUFFER_ERROR, exit_dcv);
32907
0
                    }
32908
32909
0
                    DecodeSigAlg(&input[args->idx], &args->hashAlgo,
32910
0
                                 &args->sigAlgo);
32911
0
                    args->idx += 2;
32912
0
                }
32913
0
            #ifndef NO_RSA
32914
0
                else if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0)
32915
0
                    args->sigAlgo = rsa_sa_algo;
32916
0
            #endif
32917
0
            #ifdef HAVE_ECC
32918
0
                else if (ssl->peerEccDsaKeyPresent)
32919
0
                    args->sigAlgo = ecc_dsa_sa_algo;
32920
0
            #endif
32921
0
            #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
32922
0
                else if (ssl->peerEd25519KeyPresent)
32923
0
                    args->sigAlgo = ed25519_sa_algo;
32924
0
            #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
32925
0
            #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
32926
0
                else if (ssl->peerEd448KeyPresent)
32927
0
                    args->sigAlgo = ed448_sa_algo;
32928
0
            #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
32929
32930
0
                if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
32931
0
                    ERROR_OUT(BUFFER_ERROR, exit_dcv);
32932
0
                }
32933
32934
0
                ato16(input + args->idx, &args->sz);
32935
0
                args->idx += OPAQUE16_LEN;
32936
32937
0
                if ((args->idx - args->begin) + args->sz > size ||
32938
0
                                                    args->sz > ENCRYPT_LEN) {
32939
0
                    ERROR_OUT(BUFFER_ERROR, exit_dcv);
32940
0
                }
32941
32942
0
            #ifdef HAVE_ECC
32943
0
                if (ssl->peerEccDsaKeyPresent) {
32944
32945
0
                    WOLFSSL_MSG("Doing ECC peer cert verify");
32946
32947
                /* make sure a default is defined */
32948
0
                #if !defined(NO_SHA)
32949
0
                    SetDigest(ssl, sha_mac);
32950
                #elif !defined(NO_SHA256)
32951
                    SetDigest(ssl, sha256_mac);
32952
                #elif defined(WOLFSSL_SHA384)
32953
                    SetDigest(ssl, sha384_mac);
32954
                #elif defined(WOLFSSL_SHA512)
32955
                    SetDigest(ssl, sha512_mac);
32956
                #else
32957
                    #error No digest enabled for ECC sig verify
32958
                #endif
32959
32960
0
                    if (IsAtLeastTLSv1_2(ssl)) {
32961
0
                        if (args->sigAlgo != ecc_dsa_sa_algo) {
32962
0
                            WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
32963
0
                        }
32964
32965
0
                        SetDigest(ssl, args->hashAlgo);
32966
0
                    }
32967
0
                }
32968
0
            #endif /* HAVE_ECC */
32969
0
            #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
32970
0
                if (ssl->peerEd25519KeyPresent) {
32971
0
                    WOLFSSL_MSG("Doing ED25519 peer cert verify");
32972
0
                    if (IsAtLeastTLSv1_2(ssl) &&
32973
0
                                             args->sigAlgo != ed25519_sa_algo) {
32974
0
                        WOLFSSL_MSG(
32975
0
                               "Oops, peer sent ED25519 key but not in verify");
32976
0
                    }
32977
0
                }
32978
0
            #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
32979
0
            #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
32980
0
                if (ssl->peerEd448KeyPresent) {
32981
0
                    WOLFSSL_MSG("Doing ED448 peer cert verify");
32982
0
                    if (IsAtLeastTLSv1_2(ssl) &&
32983
0
                                               args->sigAlgo != ed448_sa_algo) {
32984
0
                        WOLFSSL_MSG(
32985
0
                                 "Oops, peer sent ED448 key but not in verify");
32986
0
                    }
32987
0
                }
32988
0
            #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
32989
32990
                /* Advance state and proceed */
32991
0
                ssl->options.asyncState = TLS_ASYNC_DO;
32992
0
            } /* case TLS_ASYNC_BUILD */
32993
0
            FALL_THROUGH;
32994
32995
0
            case TLS_ASYNC_DO:
32996
0
            {
32997
0
            #ifndef NO_RSA
32998
0
                if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
32999
0
                    WOLFSSL_MSG("Doing RSA peer cert verify");
33000
33001
0
                    ret = RsaVerify(ssl,
33002
0
                        input + args->idx,
33003
0
                        args->sz,
33004
0
                        &args->output,
33005
0
                        args->sigAlgo, args->hashAlgo,
33006
0
                        ssl->peerRsaKey,
33007
                    #ifdef HAVE_PK_CALLBACKS
33008
                        &ssl->buffers.peerRsaKey
33009
                    #else
33010
0
                        NULL
33011
0
                    #endif
33012
0
                    );
33013
0
                    if (ret >= 0) {
33014
0
                        if (args->sigAlgo == rsa_sa_algo)
33015
0
                            args->sendSz = ret;
33016
0
                        else {
33017
0
                            args->sigSz = ret;
33018
0
                            args->sendSz = ssl->buffers.digest.length;
33019
0
                        }
33020
0
                        ret = 0;
33021
0
                    }
33022
0
                }
33023
0
            #endif /* !NO_RSA */
33024
0
            #ifdef HAVE_ECC
33025
0
                if (ssl->peerEccDsaKeyPresent) {
33026
0
                    WOLFSSL_MSG("Doing ECC peer cert verify");
33027
33028
0
                    ret = EccVerify(ssl,
33029
0
                        input + args->idx, args->sz,
33030
0
                        ssl->buffers.digest.buffer, ssl->buffers.digest.length,
33031
0
                        ssl->peerEccDsaKey,
33032
                    #ifdef HAVE_PK_CALLBACKS
33033
                        &ssl->buffers.peerEccDsaKey
33034
                    #else
33035
0
                        NULL
33036
0
                    #endif
33037
0
                    );
33038
                    /* SERVER: Data verified with certificate's public key. */
33039
0
                    ssl->options.peerAuthGood = ssl->options.havePeerCert &&
33040
0
                                                (ret == 0);
33041
0
                }
33042
0
            #endif /* HAVE_ECC */
33043
0
            #if defined(HAVE_ED25519) && !defined(NO_ED25519_CLIENT_AUTH)
33044
0
                if (ssl->peerEd25519KeyPresent) {
33045
0
                    WOLFSSL_MSG("Doing Ed25519 peer cert verify");
33046
33047
0
                    ret = Ed25519Verify(ssl,
33048
0
                        input + args->idx, args->sz,
33049
0
                        ssl->hsHashes->messages, ssl->hsHashes->prevLen,
33050
0
                        ssl->peerEd25519Key,
33051
                    #ifdef HAVE_PK_CALLBACKS
33052
                        &ssl->buffers.peerEd25519Key
33053
                    #else
33054
0
                        NULL
33055
0
                    #endif
33056
0
                    );
33057
                    /* SERVER: Data verified with certificate's public key. */
33058
0
                    ssl->options.peerAuthGood = ssl->options.havePeerCert &&
33059
0
                                                (ret == 0);
33060
0
                }
33061
0
            #endif /* HAVE_ED25519 && !NO_ED25519_CLIENT_AUTH */
33062
0
            #if defined(HAVE_ED448) && !defined(NO_ED448_CLIENT_AUTH)
33063
0
                if (ssl->peerEd448KeyPresent) {
33064
0
                    WOLFSSL_MSG("Doing Ed448 peer cert verify");
33065
33066
0
                    ret = Ed448Verify(ssl,
33067
0
                        input + args->idx, args->sz,
33068
0
                        ssl->hsHashes->messages, ssl->hsHashes->prevLen,
33069
0
                        ssl->peerEd448Key,
33070
                    #ifdef HAVE_PK_CALLBACKS
33071
                        &ssl->buffers.peerEd448Key
33072
                    #else
33073
0
                        NULL
33074
0
                    #endif
33075
0
                    );
33076
                    /* SERVER: Data verified with certificate's public key. */
33077
0
                    ssl->options.peerAuthGood = ssl->options.havePeerCert &&
33078
0
                                                (ret == 0);
33079
0
                }
33080
0
            #endif /* HAVE_ED448 && !NO_ED448_CLIENT_AUTH */
33081
33082
            #ifdef WOLFSSL_ASYNC_CRYPT
33083
                /* handle async pending */
33084
                if (ret == WC_PENDING_E)
33085
                    goto exit_dcv;
33086
            #endif
33087
33088
                /* Check for error */
33089
0
                if (ret != 0) {
33090
0
                    ret = SIG_VERIFY_E;
33091
0
                    goto exit_dcv;
33092
0
                }
33093
33094
                /* Advance state and proceed */
33095
0
                ssl->options.asyncState = TLS_ASYNC_VERIFY;
33096
0
            } /* case TLS_ASYNC_DO */
33097
0
            FALL_THROUGH;
33098
33099
0
            case TLS_ASYNC_VERIFY:
33100
0
            {
33101
0
            #ifndef NO_RSA
33102
0
                if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
33103
0
                    if (IsAtLeastTLSv1_2(ssl)) {
33104
0
                    #ifdef WC_RSA_PSS
33105
0
                        if (args->sigAlgo == rsa_pss_sa_algo) {
33106
0
                            SetDigest(ssl, args->hashAlgo);
33107
33108
                        #ifdef HAVE_SELFTEST
33109
                            ret = wc_RsaPSS_CheckPadding(
33110
                                            ssl->buffers.digest.buffer,
33111
                                            ssl->buffers.digest.length,
33112
                                            args->output, args->sigSz,
33113
                                            HashAlgoToType(args->hashAlgo));
33114
                        #else
33115
0
                            ret = wc_RsaPSS_CheckPadding_ex(
33116
0
                                            ssl->buffers.digest.buffer,
33117
0
                                            ssl->buffers.digest.length,
33118
0
                                            args->output, args->sigSz,
33119
0
                                            HashAlgoToType(args->hashAlgo), -1,
33120
0
                                            mp_count_bits(&ssl->peerRsaKey->n));
33121
0
                        #endif
33122
0
                            if (ret != 0) {
33123
0
                                ret = SIG_VERIFY_E;
33124
0
                                goto exit_dcv;
33125
0
                            }
33126
0
                        }
33127
0
                        else
33128
0
                    #endif
33129
0
                        {
33130
                        #ifndef WOLFSSL_SMALL_STACK
33131
                            byte  encodedSig[MAX_ENCODED_SIG_SZ];
33132
                        #else
33133
0
                            byte* encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ,
33134
0
                                             ssl->heap, DYNAMIC_TYPE_SIGNATURE);
33135
0
                            if (encodedSig == NULL) {
33136
0
                                ERROR_OUT(MEMORY_E, exit_dcv);
33137
0
                            }
33138
0
                        #endif
33139
33140
0
                            if (args->sigAlgo != rsa_sa_algo) {
33141
0
                                WOLFSSL_MSG("Oops, peer sent RSA key but not "
33142
0
                                            "in verify");
33143
0
                            }
33144
33145
0
                            SetDigest(ssl, args->hashAlgo);
33146
33147
0
                            args->sigSz = wc_EncodeSignature(encodedSig,
33148
0
                                ssl->buffers.digest.buffer,
33149
0
                                ssl->buffers.digest.length,
33150
0
                                TypeHash(args->hashAlgo));
33151
33152
0
                            if (args->sendSz != args->sigSz || !args->output ||
33153
0
                                XMEMCMP(args->output, encodedSig,
33154
0
                                   min(args->sigSz, MAX_ENCODED_SIG_SZ)) != 0) {
33155
0
                                ret = VERIFY_CERT_ERROR;
33156
0
                            }
33157
33158
0
                        #ifdef WOLFSSL_SMALL_STACK
33159
0
                            XFREE(encodedSig, ssl->heap,
33160
0
                                  DYNAMIC_TYPE_SIGNATURE);
33161
0
                        #endif
33162
0
                        }
33163
0
                    }
33164
0
                    else {
33165
0
                        if (args->sendSz != FINISHED_SZ || !args->output ||
33166
0
                            XMEMCMP(args->output,
33167
0
                                &ssl->hsHashes->certHashes, FINISHED_SZ) != 0) {
33168
0
                            ret = VERIFY_CERT_ERROR;
33169
0
                        }
33170
0
                    }
33171
0
                    if (ret == 0) {
33172
                        /* SERVER: Data verified with cert's public key. */
33173
0
                        ssl->options.peerAuthGood = ssl->options.havePeerCert &&
33174
0
                                                    (ret == 0);
33175
0
                    }
33176
0
                }
33177
0
            #endif /* !NO_RSA */
33178
0
                if (ret != 0)
33179
0
                    break;
33180
33181
                /* Advance state and proceed */
33182
0
                ssl->options.asyncState = TLS_ASYNC_FINALIZE;
33183
0
            } /* case TLS_ASYNC_VERIFY */
33184
0
            FALL_THROUGH;
33185
33186
0
            case TLS_ASYNC_FINALIZE:
33187
0
            {
33188
0
                if (IsEncryptionOn(ssl, 0)) {
33189
0
                    args->idx += ssl->keys.padSz;
33190
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
33191
0
                    if (ssl->options.startedETMRead)
33192
0
                        args->idx += MacSize(ssl);
33193
0
            #endif
33194
0
                }
33195
33196
0
                ssl->options.havePeerVerify = 1;
33197
33198
                /* Set final index */
33199
0
                args->idx += args->sz;
33200
0
                *inOutIdx = args->idx;
33201
33202
                /* Advance state and proceed */
33203
0
                ssl->options.asyncState = TLS_ASYNC_END;
33204
0
            } /* case TLS_ASYNC_FINALIZE */
33205
0
            FALL_THROUGH;
33206
33207
0
            case TLS_ASYNC_END:
33208
0
            {
33209
0
                break;
33210
0
            }
33211
0
            default:
33212
0
                ret = INPUT_CASE_ERROR;
33213
0
        } /* switch(ssl->options.asyncState) */
33214
33215
0
    exit_dcv:
33216
33217
0
        WOLFSSL_LEAVE("DoCertificateVerify", ret);
33218
0
        WOLFSSL_END(WC_FUNC_CERTIFICATE_VERIFY_DO);
33219
33220
    #ifdef WOLFSSL_ASYNC_CRYPT
33221
        /* Handle async operation */
33222
        if (ret == WC_PENDING_E) {
33223
            /* Mark message as not received so it can process again */
33224
            ssl->msgsReceived.got_certificate_verify = 0;
33225
33226
            return ret;
33227
        }
33228
    #endif /* WOLFSSL_ASYNC_CRYPT */
33229
0
    #ifdef WOLFSSL_EXTRA_ALERTS
33230
0
        if (ret == BUFFER_ERROR)
33231
0
            SendAlert(ssl, alert_fatal, decode_error);
33232
0
        else if (ret == SIG_VERIFY_E)
33233
0
            SendAlert(ssl, alert_fatal, decrypt_error);
33234
0
        else if (ret != 0)
33235
0
            SendAlert(ssl, alert_fatal, bad_certificate);
33236
0
    #endif
33237
        /* Digest is not allocated, so do this to prevent free */
33238
0
        ssl->buffers.digest.buffer = NULL;
33239
0
        ssl->buffers.digest.length = 0;
33240
33241
    #ifdef WOLFSSL_ASYNC_CRYPT
33242
        /* Cleanup async */
33243
        FreeAsyncCtx(ssl, 0);
33244
    #else
33245
0
        FreeDcvArgs(ssl, args);
33246
0
    #endif
33247
        /* Final cleanup */
33248
0
        FreeKeyExchange(ssl);
33249
33250
0
        if (ret != 0) {
33251
0
            WOLFSSL_ERROR_VERBOSE(ret);
33252
0
        }
33253
33254
0
        return ret;
33255
0
    }
33256
33257
#endif /* (!NO_RSA || ECC || ED25519 || ED448) && !WOLFSSL_NO_CLIENT_AUTH */
33258
33259
    /* handle generation of server_hello_done (14) */
33260
    int SendServerHelloDone(WOLFSSL* ssl)
33261
0
    {
33262
0
        byte* output;
33263
0
        int   sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
33264
0
        int   ret;
33265
33266
0
        WOLFSSL_START(WC_FUNC_SERVER_HELLO_DONE_SEND);
33267
0
        WOLFSSL_ENTER("SendServerHelloDone");
33268
33269
    #ifdef WOLFSSL_DTLS
33270
        if (ssl->options.dtls)
33271
            sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
33272
    #endif
33273
33274
0
        if (IsEncryptionOn(ssl, 1))
33275
0
            sendSz += MAX_MSG_EXTRA;
33276
33277
        /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
33278
         * is not advanced yet */
33279
0
        ssl->options.buildingMsg = 1;
33280
33281
        /* check for available size */
33282
0
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
33283
0
            return ret;
33284
33285
        /* get output buffer */
33286
0
        output = ssl->buffers.outputBuffer.buffer +
33287
0
                 ssl->buffers.outputBuffer.length;
33288
33289
0
        AddHeaders(output, 0, server_hello_done, ssl);
33290
33291
0
        if (IsEncryptionOn(ssl, 1)) {
33292
0
            byte* input;
33293
0
            int   inputSz = HANDSHAKE_HEADER_SZ; /* build msg adds rec hdr */
33294
0
            int   recordHeaderSz = RECORD_HEADER_SZ;
33295
33296
0
            if (ssl->options.dtls) {
33297
0
                recordHeaderSz += DTLS_RECORD_EXTRA;
33298
0
                inputSz += DTLS_HANDSHAKE_EXTRA;
33299
0
            }
33300
33301
0
            input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
33302
0
            if (input == NULL)
33303
0
                return MEMORY_E;
33304
33305
0
            XMEMCPY(input, output + recordHeaderSz, inputSz);
33306
            #ifdef WOLFSSL_DTLS
33307
            if (IsDtlsNotSctpMode(ssl) &&
33308
                    (ret = DtlsMsgPoolSave(ssl, input, inputSz, server_hello_done)) != 0) {
33309
                XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
33310
                return ret;
33311
            }
33312
            #endif
33313
0
            sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
33314
0
                                  handshake, 1, 0, 0, CUR_ORDER);
33315
0
            XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
33316
33317
0
            if (sendSz < 0)
33318
0
                return sendSz;
33319
0
        } else {
33320
            #ifdef WOLFSSL_DTLS
33321
                if (IsDtlsNotSctpMode(ssl)) {
33322
                    if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, server_hello_done)) != 0)
33323
                        return ret;
33324
                }
33325
                if (ssl->options.dtls)
33326
                    DtlsSEQIncrement(ssl, CUR_ORDER);
33327
            #endif
33328
0
            ret = HashOutput(ssl, output, sendSz, 0);
33329
0
            if (ret != 0)
33330
0
                return ret;
33331
0
        }
33332
33333
0
    #if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
33334
0
        if (ssl->hsInfoOn)
33335
0
            AddPacketName(ssl, "ServerHelloDone");
33336
0
        if (ssl->toInfoOn)
33337
0
            AddPacketInfo(ssl, "ServerHelloDone", handshake, output, sendSz,
33338
0
                    WRITE_PROTO, ssl->heap);
33339
0
    #endif
33340
0
        ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
33341
0
        ssl->options.buildingMsg = 0;
33342
33343
0
        ssl->buffers.outputBuffer.length += sendSz;
33344
33345
0
        ret = SendBuffered(ssl);
33346
33347
0
        WOLFSSL_LEAVE("SendServerHelloDone", ret);
33348
0
        WOLFSSL_END(WC_FUNC_SERVER_HELLO_DONE_SEND);
33349
33350
0
        return ret;
33351
0
    }
33352
33353
#endif /* !WOLFSSL_NO_TLS12 */
33354
33355
#ifdef HAVE_SESSION_TICKET
33356
33357
    /* create a new session ticket, 0 on success */
33358
    int CreateTicket(WOLFSSL* ssl)
33359
0
    {
33360
0
        InternalTicket* it;
33361
0
        ExternalTicket* et;
33362
0
        int encLen;
33363
0
        int ret;
33364
0
        int error;
33365
0
        word32 itHash = 0;
33366
0
        byte zeros[WOLFSSL_TICKET_MAC_SZ];   /* biggest cmp size */
33367
33368
0
        WOLFSSL_ASSERT_SIZEOF_GE(ssl->session->staticTicket, *et);
33369
0
        WOLFSSL_ASSERT_SIZEOF_GE(et->enc_ticket, *it);
33370
33371
0
        if (ssl->session->ticket != ssl->session->staticTicket) {
33372
            /* Always use the static ticket buffer */
33373
0
            XFREE(ssl->session->ticket, NULL, DYNAMIC_TYPE_SESSION_TICK);
33374
0
            ssl->session->ticket = ssl->session->staticTicket;
33375
0
            ssl->session->ticketLenAlloc = 0;
33376
0
        }
33377
33378
0
        et = (ExternalTicket*)ssl->session->ticket;
33379
0
        it = (InternalTicket*)et->enc_ticket;
33380
33381
0
        XMEMSET(et, 0, sizeof(*et));
33382
33383
        /* build internal */
33384
0
        it->pv.major = ssl->version.major;
33385
0
        it->pv.minor = ssl->version.minor;
33386
33387
0
        it->suite[0] = ssl->options.cipherSuite0;
33388
0
        it->suite[1] = ssl->options.cipherSuite;
33389
33390
    #ifdef WOLFSSL_EARLY_DATA
33391
        c32toa(ssl->options.maxEarlyDataSz, it->maxEarlyDataSz);
33392
    #endif
33393
33394
0
        if (!ssl->options.tls1_3) {
33395
0
            XMEMCPY(it->msecret, ssl->arrays->masterSecret, SECRET_LEN);
33396
0
#ifndef NO_ASN_TIME
33397
0
            c32toa(LowResTimer(), it->timestamp);
33398
0
#endif
33399
0
            it->haveEMS = (byte) ssl->options.haveEMS;
33400
0
        }
33401
0
        else {
33402
0
#ifdef WOLFSSL_TLS13
33403
            /* Client adds to ticket age to obfuscate. */
33404
0
            ret = wc_RNG_GenerateBlock(ssl->rng, it->ageAdd,
33405
0
                                       sizeof(it->ageAdd));
33406
0
            if (ret != 0) {
33407
0
                ret = BAD_TICKET_ENCRYPT;
33408
0
                goto error;
33409
0
            }
33410
0
            ato32(it->ageAdd, &ssl->session->ticketAdd);
33411
0
            c16toa(ssl->session->namedGroup, it->namedGroup);
33412
0
            c32toa(TimeNowInMilliseconds(), it->timestamp);
33413
            /* Resumption master secret. */
33414
0
            XMEMCPY(it->msecret, ssl->session->masterSecret, SECRET_LEN);
33415
0
            XMEMCPY(&it->ticketNonce, &ssl->session->ticketNonce,
33416
0
                                                           sizeof(TicketNonce));
33417
0
#endif
33418
0
        }
33419
33420
0
#ifdef WOLFSSL_TICKET_HAVE_ID
33421
0
        {
33422
0
            const byte* id = NULL;
33423
0
            byte idSz = 0;
33424
0
            if (ssl->session->haveAltSessionID) {
33425
0
                id = ssl->session->altSessionID;
33426
0
                idSz = ID_LEN;
33427
0
            }
33428
0
            else if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) {
33429
0
                id = ssl->arrays->sessionID;
33430
0
                idSz = ssl->arrays->sessionIDSz;
33431
0
            }
33432
0
            else {
33433
0
                id = ssl->session->sessionID;
33434
0
                idSz = ssl->session->sessionIDSz;
33435
0
            }
33436
0
            if (idSz == 0) {
33437
0
                ret = wc_RNG_GenerateBlock(ssl->rng, ssl->session->altSessionID,
33438
0
                                           ID_LEN);
33439
0
                if (ret != 0)
33440
0
                    goto error;
33441
0
                ssl->session->haveAltSessionID = 1;
33442
0
                id = ssl->session->altSessionID;
33443
0
                idSz = ID_LEN;
33444
0
            }
33445
            /* make sure idSz is not larger than ID_LEN */
33446
0
            if (idSz > ID_LEN)
33447
0
                idSz = ID_LEN;
33448
0
            XMEMCPY(it->id, id, idSz);
33449
0
        }
33450
0
#endif
33451
33452
        /* encrypt */
33453
0
        encLen = WOLFSSL_TICKET_ENC_SZ;  /* max size user can use */
33454
0
        if (ssl->ctx->ticketEncCb == NULL
33455
0
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
33456
0
                ||
33457
                /* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces
33458
                 * "stateful" tickets for 1.3 so just use the regular
33459
                 * stateless ones. */
33460
0
                (!IsAtLeastTLSv1_3(ssl->version) &&
33461
0
                        (ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0)
33462
0
#endif
33463
0
                        ) {
33464
            /* Use BAD_TICKET_ENCRYPT to signal missing ticket callback */
33465
0
            ret = BAD_TICKET_ENCRYPT;
33466
0
        }
33467
0
        else {
33468
0
            itHash = HashObject((byte*)it, sizeof(*it), &error);
33469
0
            if (error == 0) {
33470
0
                ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac,
33471
0
                        1, et->enc_ticket, sizeof(InternalTicket), &encLen,
33472
0
                        ssl->ctx->ticketEncCtx);
33473
0
            }
33474
0
            else {
33475
0
                ret = WOLFSSL_TICKET_RET_FATAL;
33476
0
            }
33477
0
        }
33478
0
        if (ret != WOLFSSL_TICKET_RET_OK) {
33479
#ifdef WOLFSSL_ASYNC_CRYPT
33480
            if (ret == WC_PENDING_E) {
33481
                return ret;
33482
            }
33483
#endif
33484
0
            goto error;
33485
0
        }
33486
0
        if (encLen < (int)sizeof(InternalTicket) ||
33487
0
                encLen > (int)WOLFSSL_TICKET_ENC_SZ) {
33488
0
            WOLFSSL_MSG("Bad user ticket encrypt size");
33489
0
            ret = BAD_TICKET_KEY_CB_SZ;
33490
0
        }
33491
33492
        /* sanity checks on encrypt callback */
33493
33494
        /* internal ticket can't be the same if encrypted */
33495
0
        if (itHash == HashObject((byte*)it, sizeof(*it), &error) || error != 0)
33496
0
        {
33497
0
            WOLFSSL_MSG("User ticket encrypt didn't encrypt or hash failed");
33498
0
            ret = BAD_TICKET_ENCRYPT;
33499
0
            goto error;
33500
0
        }
33501
33502
0
        XMEMSET(zeros, 0, sizeof(zeros));
33503
33504
        /* name */
33505
0
        if (XMEMCMP(et->key_name, zeros, WOLFSSL_TICKET_NAME_SZ) == 0) {
33506
0
            WOLFSSL_MSG("User ticket encrypt didn't set name");
33507
0
            ret = BAD_TICKET_ENCRYPT;
33508
0
            goto error;
33509
0
        }
33510
33511
        /* iv */
33512
0
        if (XMEMCMP(et->iv, zeros, WOLFSSL_TICKET_IV_SZ) == 0) {
33513
0
            WOLFSSL_MSG("User ticket encrypt didn't set iv");
33514
0
            ret = BAD_TICKET_ENCRYPT;
33515
0
            goto error;
33516
0
        }
33517
33518
        /* mac */
33519
0
        if (XMEMCMP(et->mac, zeros, WOLFSSL_TICKET_MAC_SZ) == 0) {
33520
0
            WOLFSSL_MSG("User ticket encrypt didn't set mac");
33521
0
            ret = BAD_TICKET_ENCRYPT;
33522
0
            goto error;
33523
0
        }
33524
33525
        /* set size */
33526
0
        c16toa((word16)encLen, et->enc_len);
33527
0
        if (encLen < (int)WOLFSSL_TICKET_ENC_SZ) {
33528
            /* move mac up since whole enc buffer not used */
33529
0
            XMEMMOVE(et->enc_ticket + encLen, et->mac,
33530
0
                    WOLFSSL_TICKET_MAC_SZ);
33531
0
        }
33532
0
        ssl->session->ticketLen =
33533
0
                (word16)(encLen + WOLFSSL_TICKET_FIXED_SZ);
33534
33535
0
        return ret;
33536
0
    error:
33537
#ifdef WOLFSSL_CHECK_MEM_ZERO
33538
        /* Ticket has sensitive data in it now. */
33539
        wc_MemZero_Add("Create Ticket internal", it, sizeof(InternalTicket));
33540
#endif
33541
0
        ForceZero(it, sizeof(*it));
33542
#ifdef WOLFSSL_CHECK_MEM_ZERO
33543
        wc_MemZero_Check(it, sizeof(InternalTicket));
33544
#endif
33545
0
        WOLFSSL_ERROR_VERBOSE(ret);
33546
0
        return ret;
33547
33548
0
    }
33549
33550
33551
    /* Parse ticket sent by client, returns callback return value */
33552
    int DoClientTicket(WOLFSSL* ssl, const byte* input, word32 len)
33553
0
    {
33554
0
        ExternalTicket* et;
33555
0
        InternalTicket* it;
33556
0
        int             ret;
33557
0
        int             outLen;
33558
0
        word16          inLen;
33559
33560
0
        WOLFSSL_START(WC_FUNC_TICKET_DO);
33561
0
        WOLFSSL_ENTER("DoClientTicket");
33562
33563
0
        if (len > SESSION_TICKET_LEN ||
33564
0
            len < (word32)(sizeof(InternalTicket) + WOLFSSL_TICKET_FIXED_SZ)) {
33565
0
            WOLFSSL_ERROR_VERBOSE(BAD_TICKET_MSG_SZ);
33566
0
            return WOLFSSL_TICKET_RET_REJECT;
33567
0
        }
33568
33569
0
        et = (ExternalTicket*)input;
33570
33571
        /* decrypt */
33572
0
        ato16(et->enc_len, &inLen);
33573
0
        if (inLen > WOLFSSL_TICKET_ENC_SZ) {
33574
0
            WOLFSSL_ERROR_VERBOSE(BAD_TICKET_MSG_SZ);
33575
0
            return WOLFSSL_TICKET_RET_REJECT;
33576
0
        }
33577
0
        outLen = (int)inLen;   /* may be reduced by user padding */
33578
33579
0
        if (ssl->ctx->ticketEncCb == NULL
33580
0
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) || defined(WOLFSSL_WPAS_SMALL)
33581
0
                ||
33582
                /* SSL_OP_NO_TICKET turns off tickets in < 1.2. Forces
33583
                 * "stateful" tickets for 1.3 so just use the regular
33584
                 * stateless ones. */
33585
0
                (!IsAtLeastTLSv1_3(ssl->version) &&
33586
0
                        (ssl->options.mask & WOLFSSL_OP_NO_TICKET) != 0)
33587
0
#endif
33588
0
                        ) {
33589
            /* Use BAD_TICKET_ENCRYPT to signal missing ticket callback */
33590
0
            WOLFSSL_ERROR_VERBOSE(BAD_TICKET_ENCRYPT);
33591
0
            ret = WOLFSSL_TICKET_RET_REJECT;
33592
0
        }
33593
0
        else {
33594
0
            ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv,
33595
0
                                    et->enc_ticket + inLen, 0,
33596
0
                                    et->enc_ticket, inLen, &outLen,
33597
0
                                    ssl->ctx->ticketEncCtx);
33598
0
        }
33599
0
        if (ret != WOLFSSL_TICKET_RET_OK && ret != WOLFSSL_TICKET_RET_CREATE) {
33600
0
            WOLFSSL_ERROR_VERBOSE(BAD_TICKET_KEY_CB_SZ);
33601
0
            return WOLFSSL_TICKET_RET_REJECT;
33602
0
        }
33603
0
        if (outLen > (int)inLen || outLen < (int)sizeof(InternalTicket)) {
33604
0
            WOLFSSL_MSG("Bad user ticket decrypt len");
33605
0
            WOLFSSL_ERROR_VERBOSE(BAD_TICKET_KEY_CB_SZ);
33606
0
            return BAD_TICKET_KEY_CB_SZ;
33607
0
        }
33608
33609
0
        it = (InternalTicket*)et->enc_ticket;
33610
    #ifdef WOLFSSL_CHECK_MEM_ZERO
33611
        /* Internal ticket successfully decrypted. */
33612
        wc_MemZero_Add("Do Client Ticket internal", it, sizeof(InternalTicket));
33613
    #endif
33614
33615
        /* get master secret */
33616
0
        if (ret == WOLFSSL_TICKET_RET_OK || ret == WOLFSSL_TICKET_RET_CREATE) {
33617
0
            if (ssl->version.minor < it->pv.minor) {
33618
0
                WOLFSSL_MSG("Ticket has greater version");
33619
0
                ret = VERSION_ERROR;
33620
0
                goto error;
33621
0
            }
33622
0
            else if (ssl->version.minor > it->pv.minor) {
33623
0
                if (IsAtLeastTLSv1_3(it->pv) != IsAtLeastTLSv1_3(ssl->version)) {
33624
0
                    WOLFSSL_MSG("Tickets cannot be shared between "
33625
0
                                               "TLS 1.3 and TLS 1.2 and lower");
33626
0
                    ret = VERSION_ERROR;
33627
0
                    goto error;
33628
0
                }
33629
33630
0
                if (!ssl->options.downgrade) {
33631
0
                    WOLFSSL_MSG("Ticket has lesser version");
33632
0
                    ret = VERSION_ERROR;
33633
0
                    goto error;
33634
0
                }
33635
33636
0
                WOLFSSL_MSG("Downgrading protocol due to ticket");
33637
33638
0
                if (it->pv.minor < ssl->options.minDowngrade) {
33639
0
                    WOLFSSL_MSG("Ticket has lesser version than allowed");
33640
0
                    ret = VERSION_ERROR;
33641
0
                    goto error;
33642
0
                }
33643
0
                ssl->version.minor = it->pv.minor;
33644
0
            }
33645
33646
0
#ifdef WOLFSSL_TICKET_HAVE_ID
33647
0
            {
33648
0
                ssl->session->haveAltSessionID = 1;
33649
0
                XMEMCPY(ssl->session->altSessionID, it->id, ID_LEN);
33650
0
                if (wolfSSL_GetSession(ssl, NULL, 1) != NULL) {
33651
0
                    WOLFSSL_MSG("Found session matching the session id"
33652
0
                                " found in the ticket");
33653
0
                }
33654
0
                else {
33655
0
                    WOLFSSL_MSG("Can't find session matching the session id"
33656
0
                                " found in the ticket");
33657
0
                }
33658
0
            }
33659
0
#endif
33660
33661
0
            if (!IsAtLeastTLSv1_3(ssl->version)) {
33662
0
                XMEMCPY(ssl->arrays->masterSecret, it->msecret, SECRET_LEN);
33663
                /* Copy the haveExtendedMasterSecret property from the ticket to
33664
                 * the saved session, so the property may be checked later. */
33665
0
                ssl->session->haveEMS = it->haveEMS;
33666
0
                ato32((const byte*)&it->timestamp, &ssl->session->bornOn);
33667
0
            #ifndef NO_RESUME_SUITE_CHECK
33668
0
                ssl->session->cipherSuite0 = it->suite[0];
33669
0
                ssl->session->cipherSuite = it->suite[1];
33670
0
            #endif
33671
0
            }
33672
0
            else {
33673
0
#ifdef WOLFSSL_TLS13
33674
                /* Restore information to renegotiate. */
33675
0
                ato32(it->timestamp, &ssl->session->ticketSeen);
33676
0
                ato32(it->ageAdd, &ssl->session->ticketAdd);
33677
0
                ssl->session->cipherSuite0 = it->suite[0];
33678
0
                ssl->session->cipherSuite = it->suite[1];
33679
    #ifdef WOLFSSL_EARLY_DATA
33680
                ato32(it->maxEarlyDataSz, &ssl->session->maxEarlyDataSz);
33681
    #endif
33682
                /* Resumption master secret. */
33683
0
                XMEMCPY(ssl->session->masterSecret, it->msecret, SECRET_LEN);
33684
0
                XMEMCPY(&ssl->session->ticketNonce, &it->ticketNonce,
33685
0
                                                           sizeof(TicketNonce));
33686
0
                ato16(it->namedGroup, &ssl->session->namedGroup);
33687
0
#endif
33688
0
            }
33689
0
        }
33690
33691
0
        ForceZero(it, sizeof(*it));
33692
#ifdef WOLFSSL_CHECK_MEM_ZERO
33693
        wc_MemZero_Check(it, sizeof(InternalTicket));
33694
#endif
33695
33696
0
        WOLFSSL_LEAVE("DoClientTicket", ret);
33697
0
        WOLFSSL_END(WC_FUNC_TICKET_DO);
33698
33699
0
        return ret;
33700
33701
0
error:
33702
0
        ForceZero(it, sizeof(*it));
33703
#ifdef WOLFSSL_CHECK_MEM_ZERO
33704
        wc_MemZero_Check(it, sizeof(InternalTicket));
33705
#endif
33706
0
        WOLFSSL_ERROR_VERBOSE(ret);
33707
0
        return WOLFSSL_TICKET_RET_REJECT;
33708
0
    }
33709
33710
33711
    /* send Session Ticket */
33712
    int SendTicket(WOLFSSL* ssl)
33713
0
    {
33714
0
        byte*              output;
33715
0
        int                ret;
33716
0
        int                sendSz;
33717
0
        word32             length = SESSION_HINT_SZ + LENGTH_SZ;
33718
0
        word32             idx    = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
33719
33720
0
        WOLFSSL_START(WC_FUNC_TICKET_SEND);
33721
0
        WOLFSSL_ENTER("SendTicket");
33722
33723
0
        if (ssl->options.createTicket) {
33724
0
            ret = CreateTicket(ssl);
33725
0
            if (ret != 0)
33726
0
                return ret;
33727
0
        }
33728
33729
0
        length += ssl->session->ticketLen;
33730
0
        sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
33731
33732
0
        if (!ssl->options.dtls) {
33733
0
            if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone)
33734
0
                sendSz += MAX_MSG_EXTRA;
33735
0
        }
33736
0
        else {
33737
        #ifdef WOLFSSL_DTLS
33738
            sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
33739
            idx    += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
33740
        #endif
33741
0
        }
33742
33743
0
        if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone)
33744
0
            sendSz += cipherExtraData(ssl);
33745
33746
        /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
33747
         * is not advanced yet */
33748
0
        ssl->options.buildingMsg = 1;
33749
33750
        /* check for available size */
33751
0
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
33752
0
            return ret;
33753
33754
        /* get output buffer */
33755
0
        output = ssl->buffers.outputBuffer.buffer +
33756
0
                 ssl->buffers.outputBuffer.length;
33757
33758
0
        AddHeaders(output, length, session_ticket, ssl);
33759
33760
        /* hint */
33761
0
        c32toa(ssl->ctx->ticketHint, output + idx);
33762
0
        idx += SESSION_HINT_SZ;
33763
33764
        /* length */
33765
0
        c16toa(ssl->session->ticketLen, output + idx);
33766
0
        idx += LENGTH_SZ;
33767
33768
        /* ticket */
33769
0
        XMEMCPY(output + idx, ssl->session->ticket, ssl->session->ticketLen);
33770
0
        idx += ssl->session->ticketLen;
33771
33772
0
        if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
33773
0
            byte* input;
33774
0
            int   inputSz = idx; /* build msg adds rec hdr */
33775
0
            int   recordHeaderSz = RECORD_HEADER_SZ;
33776
33777
0
            if (ssl->options.dtls)
33778
0
                recordHeaderSz += DTLS_RECORD_EXTRA;
33779
0
            inputSz -= recordHeaderSz;
33780
0
            input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
33781
0
            if (input == NULL)
33782
0
                return MEMORY_E;
33783
33784
0
            XMEMCPY(input, output + recordHeaderSz, inputSz);
33785
0
            sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
33786
0
                                  handshake, 1, 0, 0, CUR_ORDER);
33787
0
            XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
33788
33789
0
            if (sendSz < 0)
33790
0
                return sendSz;
33791
0
        }
33792
0
        else {
33793
            #ifdef WOLFSSL_DTLS
33794
            if (ssl->options.dtls) {
33795
                if ((ret = DtlsMsgPoolSave(ssl, output, sendSz, session_ticket)) != 0)
33796
                    return ret;
33797
33798
                DtlsSEQIncrement(ssl, CUR_ORDER);
33799
            }
33800
            #endif
33801
0
            ret = HashOutput(ssl, output, sendSz, 0);
33802
0
            if (ret != 0)
33803
0
                return ret;
33804
0
        }
33805
33806
0
        ssl->buffers.outputBuffer.length += sendSz;
33807
0
        ssl->options.buildingMsg = 0;
33808
33809
0
        if (!ssl->options.groupMessages)
33810
0
            ret = SendBuffered(ssl);
33811
33812
0
        WOLFSSL_LEAVE("SendTicket", ret);
33813
0
        WOLFSSL_END(WC_FUNC_TICKET_SEND);
33814
33815
0
        return ret;
33816
0
    }
33817
33818
#ifndef WOLFSSL_NO_DEF_TICKET_ENC_CB
33819
33820
/* Initialize the context for session ticket encryption.
33821
 *
33822
 * @param [in]  ctx     SSL context.
33823
 * @param [in]  keyCtx  Context for session ticket encryption.
33824
 * @return  0 on success.
33825
 * @return  BAD_MUTEX_E when initializing mutex fails.
33826
 */
33827
static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx, TicketEncCbCtx* keyCtx)
33828
0
{
33829
0
    int ret = 0;
33830
33831
0
    XMEMSET(keyCtx, 0, sizeof(*keyCtx));
33832
0
    keyCtx->ctx = ctx;
33833
33834
#ifdef WOLFSSL_CHECK_MEM_ZERO
33835
    wc_MemZero_Add("TicketEncCbCtx_Init keyCtx->name", keyCtx->name,
33836
        sizeof(keyCtx->name));
33837
    wc_MemZero_Add("TicketEncCbCtx_Init keyCtx->key[0]", keyCtx->key[0],
33838
        sizeof(keyCtx->key[0]));
33839
    wc_MemZero_Add("TicketEncCbCtx_Init keyCtx->key[1]", keyCtx->key[1],
33840
        sizeof(keyCtx->key[1]));
33841
#endif
33842
33843
0
#ifndef SINGLE_THREADED
33844
0
    ret = wc_InitMutex(&keyCtx->mutex);
33845
0
#endif
33846
33847
0
    return ret;
33848
0
}
33849
33850
/* Setup the session ticket encryption context for this.
33851
 *
33852
 * Initialize RNG, generate name, generate primary key and set primary key
33853
 * expirary.
33854
 *
33855
 * @param [in]  keyCtx  Context for session ticket encryption.
33856
 * @param [in]  heap    Dynamic memory allocation hint.
33857
 * @param [in]  devId   Device identifier.
33858
 * @return  0 on success.
33859
 * @return  Other value when random number generator fails.
33860
 */
33861
static int TicketEncCbCtx_Setup(TicketEncCbCtx* keyCtx, void* heap, int devId)
33862
0
{
33863
0
    int ret;
33864
33865
0
#ifndef SINGLE_THREADED
33866
0
    ret = 0;
33867
33868
    /* Check that key wasn't set up while waiting. */
33869
0
    if (keyCtx->expirary[0] == 0)
33870
0
#endif
33871
0
    {
33872
0
        ret = wc_InitRng_ex(&keyCtx->rng, heap, devId);
33873
0
        if (ret == 0) {
33874
0
            ret = wc_RNG_GenerateBlock(&keyCtx->rng, keyCtx->name,
33875
0
                                       sizeof(keyCtx->name));
33876
0
        }
33877
0
        if (ret == 0) {
33878
            /* Mask of the bottom bit - used for index of key. */
33879
0
            keyCtx->name[WOLFSSL_TICKET_NAME_SZ - 1] &= 0xfe;
33880
33881
            /* Generate initial primary key. */
33882
0
            ret = wc_RNG_GenerateBlock(&keyCtx->rng, keyCtx->key[0],
33883
0
                                       WOLFSSL_TICKET_KEY_SZ);
33884
0
        }
33885
0
        if (ret == 0) {
33886
0
            keyCtx->expirary[0] = LowResTimer() + WOLFSSL_TICKET_KEY_LIFETIME;
33887
0
        }
33888
0
    }
33889
33890
0
    return ret;
33891
0
}
33892
/* Free the context for session ticket encryption.
33893
 *
33894
 * Zeroize keys and name.
33895
 *
33896
 * @param [in]  keyCtx  Context for session ticket encryption.
33897
 */
33898
static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx)
33899
0
{
33900
    /* Zeroize sensitive data. */
33901
0
    ForceZero(keyCtx->name, sizeof(keyCtx->name));
33902
0
    ForceZero(keyCtx->key[0], sizeof(keyCtx->key[0]));
33903
0
    ForceZero(keyCtx->key[1], sizeof(keyCtx->key[1]));
33904
33905
#ifdef WOLFSSL_CHECK_MEM_ZERO
33906
    wc_MemZero_Check(keyCtx->name, sizeof(keyCtx->name));
33907
    wc_MemZero_Check(keyCtx->key[0], sizeof(keyCtx->key[0]));
33908
    wc_MemZero_Check(keyCtx->key[1], sizeof(keyCtx->key[1]));
33909
#endif
33910
33911
0
#ifndef SINGLE_THREADED
33912
0
    wc_FreeMutex(&keyCtx->mutex);
33913
0
#endif
33914
0
    wc_FreeRng(&keyCtx->rng);
33915
0
}
33916
33917
#if defined(HAVE_CHACHA) && defined(HAVE_POLY1305) && \
33918
    !defined(WOLFSSL_TICKET_ENC_AES128_GCM) && \
33919
    !defined(WOLFSSL_TICKET_ENC_AES256_GCM)
33920
/* Ticket encryption/decryption implementation.
33921
 *
33922
 * @param [in]   key     Key for encryption/decryption.
33923
 * @param [in]   keyLen  Length of key in bytes.
33924
 * @param [in]   iv      IV/Nonce for encryption/decryption.
33925
 * @param [in]   aad     Additional authentication data.
33926
 * @param [in]   aadSz   Length of additional authentication data.
33927
 * @param [in]   in      Data to encrypt/decrypt.
33928
 * @param [in]   inLen   Length of encrypted data.
33929
 * @param [out]  out     Resulting data from encrypt/decrypt.
33930
 * @param [out]  outLen  Size of resulting data.
33931
 * @param [in]   tag     Authentication tag for encrypted data.
33932
 * @param [in]   heap    Dynamic memory allocation data hint.
33933
 * @param [in]   enc     1 when encrypting, 0 when decrypting.
33934
 * @return  0 on success.
33935
 * @return  Other value when encryption/decryption fails.
33936
 */
33937
static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz,
33938
                        byte* in, int inLen, byte* out, int* outLen, byte* tag,
33939
                        void* heap, int enc)
33940
0
{
33941
0
    int ret;
33942
33943
0
    (void)keyLen;
33944
0
    (void)heap;
33945
33946
0
    if (enc) {
33947
0
        ret = wc_ChaCha20Poly1305_Encrypt(key, iv, aad, aadSz, in, inLen, out,
33948
0
                                          tag);
33949
0
    }
33950
0
    else {
33951
0
        ret = wc_ChaCha20Poly1305_Decrypt(key, iv, aad, aadSz, in, inLen, tag,
33952
0
                                          out);
33953
0
    }
33954
33955
0
    *outLen = inLen;
33956
33957
0
    return ret;
33958
0
}
33959
#elif defined(HAVE_AESGCM)
33960
/* Ticket encryption/decryption implementation.
33961
 *
33962
 * @param [in]   key     Key for encryption/decryption.
33963
 * @param [in]   keyLen  Length of key in bytes.
33964
 * @param [in]   iv      IV/Nonce for encryption/decryption.
33965
 * @param [in]   aad     Additional authentication data.
33966
 * @param [in]   aadSz   Length of additional authentication data.
33967
 * @param [in]   in      Data to encrypt/decrypt.
33968
 * @param [in]   inLen   Length of encrypted data.
33969
 * @param [out]  out     Resulting data from encrypt/decrypt.
33970
 * @param [out]  outLen  Size of resulting data.
33971
 * @param [in]   tag     Authentication tag for encrypted data.
33972
 * @param [in]   heap    Dynamic memory allocation data hint.
33973
 * @param [in]   enc     1 when encrypting, 0 when decrypting.
33974
 * @return  0 on success.
33975
 * @return  MEMORY_E when dynamic memory allocation fails.
33976
 * @return  Other value when encryption/decryption fails.
33977
 */
33978
static int TicketEncDec(byte* key, int keyLen, byte* iv, byte* aad, int aadSz,
33979
                        byte* in, int inLen, byte* out, int* outLen, byte* tag,
33980
                        void* heap, int enc)
33981
{
33982
    int ret;
33983
#ifdef WOLFSSL_SMALL_STACK
33984
    Aes* aes;
33985
#else
33986
    Aes aes[1];
33987
#endif
33988
33989
    (void)heap;
33990
33991
#ifdef WOLFSSL_SMALL_STACK
33992
    aes = (Aes*)XMALLOC(sizeof(Aes), heap, DYNAMIC_TYPE_TMP_BUFFER);
33993
    if (aes == NULL)
33994
        return MEMORY_E;
33995
#endif
33996
33997
    if (enc) {
33998
        ret = wc_AesInit(aes, NULL, INVALID_DEVID);
33999
        if (ret == 0) {
34000
            ret = wc_AesGcmSetKey(aes, key, keyLen);
34001
        }
34002
        if (ret == 0) {
34003
            ret = wc_AesGcmEncrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ,
34004
                                   tag, AES_BLOCK_SIZE, aad, aadSz);
34005
        }
34006
        wc_AesFree(aes);
34007
    }
34008
    else {
34009
        ret = wc_AesInit(aes, NULL, INVALID_DEVID);
34010
        if (ret == 0) {
34011
            ret = wc_AesGcmSetKey(aes, key, keyLen);
34012
        }
34013
        if (ret == 0) {
34014
            ret = wc_AesGcmDecrypt(aes, in, out, inLen, iv, GCM_NONCE_MID_SZ,
34015
                                   tag, AES_BLOCK_SIZE, aad, aadSz);
34016
        }
34017
        wc_AesFree(aes);
34018
    }
34019
34020
#ifdef WOLFSSL_SMALL_STACK
34021
    XFREE(aes, heap, DYNAMIC_TYPE_TMP_BUFFER);
34022
#endif
34023
34024
    *outLen = inLen;
34025
34026
    return ret;
34027
}
34028
#else
34029
    #error "No encryption algorithm available for default ticket encryption."
34030
#endif
34031
34032
/* Choose a key to use for encryption.
34033
 *
34034
 * Generate a new key if the current ones are expired.
34035
 * If the secondary key has not been used and the primary key has expired then
34036
 * generate a new primary key.
34037
 *
34038
 * @param [in]   Ticket encryption callback context.
34039
 * @param [in]   Session ticket lifetime.
34040
 * @param [out]  Index of key to use for encryption.
34041
 * @return  0 on success.
34042
 * @return  Other value when random number generation fails.
34043
 */
34044
static int TicketEncCbCtx_ChooseKey(TicketEncCbCtx* keyCtx, int ticketHint,
34045
                                    int* keyIdx)
34046
0
{
34047
0
    int ret = 0;
34048
34049
    /* Get new current time as lock may have taken some time. */
34050
0
    word32 now = LowResTimer();
34051
34052
    /* Check expirary of primary key for encrypt. */
34053
0
    if (keyCtx->expirary[0] >= now + ticketHint) {
34054
0
        *keyIdx = 0;
34055
0
    }
34056
    /* Check expirary of primary key for encrypt. */
34057
0
    else if (keyCtx->expirary[1] >= now + ticketHint) {
34058
0
        *keyIdx = 1;
34059
0
    }
34060
    /* No key available to use. */
34061
0
    else {
34062
0
        int genKey;
34063
34064
        /* Generate which ever key is expired for decrypt - primary first. */
34065
0
        if (keyCtx->expirary[0] < now) {
34066
0
            genKey = 0;
34067
0
        }
34068
0
        else if (keyCtx->expirary[1] < now) {
34069
0
            genKey = 1;
34070
0
        }
34071
        /* Timeouts and expirary should not allow this to happen. */
34072
0
        else {
34073
0
            return BAD_STATE_E;
34074
0
        }
34075
34076
        /* Generate the required key */
34077
0
        ret = wc_RNG_GenerateBlock(&keyCtx->rng, keyCtx->key[genKey],
34078
0
                                   WOLFSSL_TICKET_KEY_SZ);
34079
0
        if (ret == 0) {
34080
0
            keyCtx->expirary[genKey] = now + WOLFSSL_TICKET_KEY_LIFETIME;
34081
0
            *keyIdx = genKey;
34082
0
        }
34083
0
    }
34084
34085
0
    return ret;
34086
0
}
34087
34088
/* Default Session Ticket encryption/decryption callback.
34089
 *
34090
 * Use ChaCha20-Poly1305 or AES-GCM to encrypt/decrypt the ticket.
34091
 * Two keys are used:
34092
 *  - When the first expires for encryption, then use the other.
34093
 *  - Don't encrypt with key if the ticket lifetime will go beyond expirary.
34094
 *  - Generate a new primary key when primary key expired for decrypt and
34095
 *    no secondary key is activate for encryption.
34096
 *  - Generate a new secondary key when expired and needed.
34097
 *  - Calculate expirary starting from first encrypted ticket.
34098
 *  - Key name has last bit set to indicate index of key.
34099
 * Keys expire for decryption after ticket key lifetime from the first encrypted
34100
 * ticket.
34101
 * Keys can only be use for encryption while the ticket hint does not exceed
34102
 * the key lifetime.
34103
 * Lifetime of a key must be greater than the lifetime of a ticket. This means
34104
 * that if one ticket is only valid for decryption, then the other will be
34105
 * valid for encryption.
34106
 * AAD = key_name | iv | ticket len (16-bits network order)
34107
 *
34108
 * @param [in]      ssl       SSL connection.
34109
 * @param [in,out]  key_name  Name of key from client.
34110
 *                            Encrypt: name of key returned.
34111
 *                            Decrypt: name from ticket message to check.
34112
 * @param [in]      iv        IV to use in encryption/decryption.
34113
 * @param [in]      mac       MAC for authentication of encrypted data.
34114
 * @param [in]      enc       1 when encrypting ticket, 0 when decrypting.
34115
 * @param [in,out]  ticket    Encrypted/decrypted session ticket bytes.
34116
 * @param [in]      inLen     Length of incoming ticket.
34117
 * @param [out]     outLen    Length of outgoing ticket.
34118
 * @param [in]      userCtx   Context for encryption/decryption of ticket.
34119
 * @return  WOLFSSL_TICKET_RET_OK when successful.
34120
 * @return  WOLFSSL_TICKET_RET_CREATE when successful and a new ticket is to
34121
 *          be created for TLS 1.2 and below.
34122
 * @return  WOLFSSL_TICKET_RET_REJECT when failed to produce valid encrypted or
34123
 *          decrypted ticket.
34124
 * @return  WOLFSSL_TICKET_RET_FATAL when key name does not match.
34125
 */
34126
static int DefTicketEncCb(WOLFSSL* ssl, byte key_name[WOLFSSL_TICKET_NAME_SZ],
34127
                          byte iv[WOLFSSL_TICKET_IV_SZ],
34128
                          byte mac[WOLFSSL_TICKET_MAC_SZ],
34129
                          int enc, byte* ticket, int inLen, int* outLen,
34130
                          void* userCtx)
34131
0
{
34132
0
    int ret;
34133
0
    TicketEncCbCtx* keyCtx = (TicketEncCbCtx*)userCtx;
34134
0
    WOLFSSL_CTX* ctx = keyCtx->ctx;
34135
0
    word16 sLen = XHTONS((word16)inLen);
34136
0
    byte aad[WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + sizeof(sLen)];
34137
0
    int  aadSz = WOLFSSL_TICKET_NAME_SZ + WOLFSSL_TICKET_IV_SZ + sizeof(sLen);
34138
0
    byte* p = aad;
34139
0
    int keyIdx = 0;
34140
34141
0
    WOLFSSL_ENTER("DefTicketEncCb");
34142
34143
    /* Check we have setup the RNG, name and primary key. */
34144
0
    if (keyCtx->expirary[0] == 0) {
34145
0
#ifndef SINGLE_THREADED
34146
        /* Lock around access to expirary and key - stop initial key being
34147
         * generated twice at the same time. */
34148
0
        if (wc_LockMutex(&keyCtx->mutex) != 0) {
34149
0
            WOLFSSL_MSG("Couldn't lock key context mutex");
34150
0
            return WOLFSSL_TICKET_RET_REJECT;
34151
0
        }
34152
0
#endif
34153
        /* Sets expirary of primary key in setup. */
34154
0
        ret = TicketEncCbCtx_Setup(keyCtx, ssl->ctx->heap, ssl->ctx->devId);
34155
0
#ifndef SINGLE_THREADED
34156
0
        wc_UnLockMutex(&keyCtx->mutex);
34157
0
#endif
34158
0
        if (ret != 0)
34159
0
            return ret;
34160
0
    }
34161
34162
0
    if (enc) {
34163
        /* Return the name of the key - missing key index. */
34164
0
        XMEMCPY(key_name, keyCtx->name, WOLFSSL_TICKET_NAME_SZ);
34165
34166
        /* Generate a new IV into buffer to be returned.
34167
         * Don't use the RNG in keyCtx as it's for generating private data. */
34168
0
        ret = wc_RNG_GenerateBlock(ssl->rng, iv, WOLFSSL_TICKET_IV_SZ);
34169
0
        if (ret != 0) {
34170
0
            return WOLFSSL_TICKET_RET_REJECT;
34171
0
        }
34172
0
    }
34173
0
    else {
34174
        /* Mask of last bit that is the key index. */
34175
0
        byte lastByte = key_name[WOLFSSL_TICKET_NAME_SZ - 1] & 0xfe;
34176
34177
        /* For decryption, see if we know this key - check all but last byte. */
34178
0
        if (XMEMCMP(key_name, keyCtx->name, WOLFSSL_TICKET_NAME_SZ - 1) != 0) {
34179
0
            return WOLFSSL_TICKET_RET_FATAL;
34180
0
        }
34181
        /* Ensure last byte without index bit matches too. */
34182
0
        if (lastByte != keyCtx->name[WOLFSSL_TICKET_NAME_SZ - 1]) {
34183
0
            return WOLFSSL_TICKET_RET_FATAL;
34184
0
        }
34185
0
    }
34186
34187
    /* Build AAD from: key name, iv, and length of ticket. */
34188
0
    XMEMCPY(p, keyCtx->name, WOLFSSL_TICKET_NAME_SZ);
34189
0
    p += WOLFSSL_TICKET_NAME_SZ;
34190
0
    XMEMCPY(p, iv, WOLFSSL_TICKET_IV_SZ);
34191
0
    p += WOLFSSL_TICKET_IV_SZ;
34192
0
    XMEMCPY(p, &sLen, sizeof(sLen));
34193
34194
    /* Encrypt ticket. */
34195
0
    if (enc) {
34196
0
        word32 now;
34197
34198
0
        now = LowResTimer();
34199
        /* As long as encryption expirary isn't imminent - no lock. */
34200
0
        if (keyCtx->expirary[0] > now + ctx->ticketHint) {
34201
0
            keyIdx = 0;
34202
0
        }
34203
0
        else if (keyCtx->expirary[1] > now + ctx->ticketHint) {
34204
0
            keyIdx = 1;
34205
0
        }
34206
0
        else {
34207
0
#ifndef SINGLE_THREADED
34208
            /* Lock around access to expirary and key - stop key being generated
34209
             * twice at the same time. */
34210
0
            if (wc_LockMutex(&keyCtx->mutex) != 0) {
34211
0
                WOLFSSL_MSG("Couldn't lock key context mutex");
34212
0
                return WOLFSSL_TICKET_RET_REJECT;
34213
0
            }
34214
0
#endif
34215
0
            ret = TicketEncCbCtx_ChooseKey(keyCtx, ctx->ticketHint, &keyIdx);
34216
0
#ifndef SINGLE_THREADED
34217
0
            wc_UnLockMutex(&keyCtx->mutex);
34218
0
#endif
34219
0
            if (ret != 0) {
34220
0
                return WOLFSSL_TICKET_RET_REJECT;
34221
0
            }
34222
0
        }
34223
        /* Set the name of the key to the index chosen. */
34224
0
        key_name[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx;
34225
        /* Update AAD too. */
34226
0
        aad[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx;
34227
34228
        /* Encrypt ticket data. */
34229
0
        ret = TicketEncDec(keyCtx->key[keyIdx], WOLFSSL_TICKET_KEY_SZ, iv, aad,
34230
0
                           aadSz, ticket, inLen, ticket, outLen, mac, ssl->heap,
34231
0
                           1);
34232
0
        if (ret != 0) return WOLFSSL_TICKET_RET_REJECT;
34233
0
    }
34234
    /* Decrypt ticket. */
34235
0
    else {
34236
        /* Get index of key from name. */
34237
0
        keyIdx = key_name[WOLFSSL_TICKET_NAME_SZ - 1] & 0x1;
34238
        /* Update AAD with index. */
34239
0
        aad[WOLFSSL_TICKET_NAME_SZ - 1] |= keyIdx;
34240
34241
        /* Check expirary */
34242
0
        if (keyCtx->expirary[keyIdx] <= LowResTimer()) {
34243
0
            return WOLFSSL_TICKET_RET_REJECT;
34244
0
        }
34245
34246
        /* Decrypt ticket data. */
34247
0
        ret = TicketEncDec(keyCtx->key[keyIdx], WOLFSSL_TICKET_KEY_SZ, iv, aad,
34248
0
                           aadSz, ticket, inLen, ticket, outLen, mac, ssl->heap,
34249
0
                           0);
34250
0
        if (ret != 0) {
34251
0
            return WOLFSSL_TICKET_RET_REJECT;
34252
0
        }
34253
0
    }
34254
34255
0
#ifndef WOLFSSL_TICKET_DECRYPT_NO_CREATE
34256
0
    if (!IsAtLeastTLSv1_3(ssl->version) && !enc)
34257
0
        return WOLFSSL_TICKET_RET_CREATE;
34258
0
#endif
34259
0
    return WOLFSSL_TICKET_RET_OK;
34260
0
}
34261
34262
#endif /* !WOLFSSL_NO_DEF_TICKET_ENC_CB */
34263
34264
#endif /* HAVE_SESSION_TICKET */
34265
34266
#ifndef WOLFSSL_NO_TLS12
34267
34268
#if defined(HAVE_SECURE_RENEGOTIATION) && \
34269
    !defined(NO_WOLFSSL_SERVER)
34270
34271
    /* handle generation of server's hello_request (0) */
34272
    int SendHelloRequest(WOLFSSL* ssl)
34273
    {
34274
        byte* output;
34275
        int sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
34276
        int ret;
34277
34278
        WOLFSSL_START(WC_FUNC_HELLO_REQUEST_SEND);
34279
        WOLFSSL_ENTER("SendHelloRequest");
34280
34281
        if (IsEncryptionOn(ssl, 1))
34282
            sendSz += MAX_MSG_EXTRA;
34283
34284
        if (ssl->options.dtls)
34285
            sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
34286
34287
        /* Set this in case CheckAvailableSize returns a WANT_WRITE so that state
34288
         * is not advanced yet */
34289
        ssl->options.buildingMsg = 1;
34290
34291
        /* check for available size */
34292
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
34293
            return ret;
34294
34295
        /* get output buffer */
34296
        output = ssl->buffers.outputBuffer.buffer +
34297
                 ssl->buffers.outputBuffer.length;
34298
34299
        AddHeaders(output, 0, hello_request, ssl);
34300
34301
        if (IsEncryptionOn(ssl, 1)) {
34302
            byte* input;
34303
            int   inputSz = HANDSHAKE_HEADER_SZ; /* build msg adds rec hdr */
34304
            int   recordHeaderSz = RECORD_HEADER_SZ;
34305
34306
            if (ssl->options.dtls) {
34307
                recordHeaderSz += DTLS_RECORD_EXTRA;
34308
                inputSz += DTLS_HANDSHAKE_EXTRA;
34309
            }
34310
34311
            input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
34312
            if (input == NULL)
34313
                return MEMORY_E;
34314
34315
            XMEMCPY(input, output + recordHeaderSz, inputSz);
34316
            #ifdef WOLFSSL_DTLS
34317
            if (IsDtlsNotSctpMode(ssl) &&
34318
                    (ret = DtlsMsgPoolSave(ssl, input, inputSz, hello_request)) != 0) {
34319
                XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
34320
                return ret;
34321
            }
34322
            #endif
34323
            sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
34324
                                  handshake, 0, 0, 0, CUR_ORDER);
34325
            XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
34326
34327
            if (sendSz < 0)
34328
                return sendSz;
34329
        }
34330
34331
        ssl->buffers.outputBuffer.length += sendSz;
34332
        ssl->options.buildingMsg = 0;
34333
34334
        ret = SendBuffered(ssl);
34335
34336
        WOLFSSL_LEAVE("SendHelloRequest", ret);
34337
        WOLFSSL_END(WC_FUNC_HELLO_REQUEST_SEND);
34338
34339
        return ret;
34340
    }
34341
34342
#endif /* HAVE_SECURE_RENEGOTIATION && !NO_WOLFSSL_SERVER */
34343
34344
#ifdef WOLFSSL_DTLS
34345
    /* handle generation of DTLS hello_verify_request (3) */
34346
    static int SendHelloVerifyRequest(WOLFSSL* ssl,
34347
                                      const byte* cookie, byte cookieSz)
34348
    {
34349
        byte* output;
34350
        int   length = VERSION_SZ + ENUM_LEN + cookieSz;
34351
        int   idx    = DTLS_RECORD_HEADER_SZ + DTLS_HANDSHAKE_HEADER_SZ;
34352
        int   sendSz = length + idx;
34353
        int   ret;
34354
34355
        /* are we in scr */
34356
        if (IsEncryptionOn(ssl, 1)) {
34357
            sendSz += MAX_MSG_EXTRA;
34358
        }
34359
34360
        /* reset states  */
34361
        ssl->msgsReceived.got_client_hello = 0;
34362
        ssl->keys.dtls_handshake_number = 0;
34363
        ssl->keys.dtls_expected_peer_handshake_number = 0;
34364
        ssl->options.clientState = 0;
34365
        ret = InitHandshakeHashes(ssl);
34366
        if (ret != 0)
34367
            return ret;
34368
34369
        /* check for available size */
34370
        if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
34371
            return ret;
34372
34373
        /* get output buffer */
34374
        output = ssl->buffers.outputBuffer.buffer +
34375
                 ssl->buffers.outputBuffer.length;
34376
34377
        /* Hello Verify Request should use the same sequence number
34378
         * as the Client Hello unless we are in renegotiation then
34379
         * don't change numbers */
34380
#ifdef HAVE_SECURE_RENEGOTIATION
34381
        if (!IsSCR(ssl))
34382
#endif
34383
        {
34384
            ssl->keys.dtls_sequence_number_hi = ssl->keys.curSeq_hi;
34385
            ssl->keys.dtls_sequence_number_lo = ssl->keys.curSeq_lo;
34386
        }
34387
        AddHeaders(output, length, hello_verify_request, ssl);
34388
34389
#ifdef OPENSSL_EXTRA
34390
        output[idx++] = DTLS_MAJOR;
34391
        output[idx++] = DTLS_MINOR;
34392
#else
34393
        output[idx++] = ssl->version.major;
34394
        output[idx++] = ssl->version.minor;
34395
#endif
34396
34397
        output[idx++] = cookieSz;
34398
        if (cookie == NULL || cookieSz == 0)
34399
            return COOKIE_ERROR;
34400
34401
        XMEMCPY(output + idx, cookie, cookieSz);
34402
34403
#if defined(WOLFSSL_CALLBACKS) || defined(OPENSSL_EXTRA)
34404
        if (ssl->hsInfoOn)
34405
            AddPacketName(ssl, "HelloVerifyRequest");
34406
        if (ssl->toInfoOn)
34407
            AddPacketInfo(ssl, "HelloVerifyRequest", handshake, output,
34408
                          sendSz, WRITE_PROTO, ssl->heap);
34409
#endif
34410
34411
        /* are we in scr */
34412
        if (IsEncryptionOn(ssl, 1)) {
34413
            byte* input;
34414
            int   inputSz = DTLS_HANDSHAKE_HEADER_SZ + length; /* build msg adds rec hdr */
34415
            int   recordHeaderSz = DTLS_RECORD_HEADER_SZ;
34416
34417
            input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
34418
            if (input == NULL)
34419
                return MEMORY_E;
34420
34421
            XMEMCPY(input, output + recordHeaderSz, inputSz);
34422
            sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
34423
                                  handshake, 0, 0, 0, CUR_ORDER);
34424
            XFREE(input, ssl->heap, DYNAMIC_TYPE_IN_BUFFER);
34425
34426
            if (sendSz < 0)
34427
                return sendSz;
34428
        }
34429
34430
        ssl->buffers.outputBuffer.length += sendSz;
34431
        DtlsSEQIncrement(ssl, CUR_ORDER);
34432
34433
        return SendBuffered(ssl);
34434
    }
34435
#endif /* WOLFSSL_DTLS */
34436
34437
    typedef struct DckeArgs {
34438
        byte*  output; /* not allocated */
34439
        word32 length;
34440
        word32 idx;
34441
        word32 begin;
34442
        word32 sigSz;
34443
    #ifndef NO_RSA
34444
        int    lastErr;
34445
    #endif
34446
    } DckeArgs;
34447
34448
    static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
34449
0
    {
34450
0
        DckeArgs* args = (DckeArgs*)pArgs;
34451
34452
0
        (void)ssl;
34453
0
        (void)args;
34454
0
    }
34455
34456
    /* handle processing client_key_exchange (16) */
34457
    static int DoClientKeyExchange(WOLFSSL* ssl, byte* input, word32* inOutIdx,
34458
                                                                    word32 size)
34459
0
    {
34460
0
        int ret;
34461
    #ifdef WOLFSSL_ASYNC_CRYPT
34462
        DckeArgs* args = NULL;
34463
        WOLFSSL_ASSERT_SIZEOF_GE(ssl->async->args, *args);
34464
    #else
34465
0
        DckeArgs  args[1];
34466
0
    #endif
34467
34468
0
        (void)size;
34469
0
        (void)input;
34470
34471
0
        WOLFSSL_START(WC_FUNC_CLIENT_KEY_EXCHANGE_DO);
34472
0
        WOLFSSL_ENTER("DoClientKeyExchange");
34473
34474
    #ifdef WOLFSSL_ASYNC_CRYPT
34475
        if (ssl->async == NULL) {
34476
            ssl->async = (struct WOLFSSL_ASYNC*)
34477
                    XMALLOC(sizeof(struct WOLFSSL_ASYNC), ssl->heap,
34478
                            DYNAMIC_TYPE_ASYNC);
34479
            if (ssl->async == NULL)
34480
                ERROR_OUT(MEMORY_E, exit_dcke);
34481
        }
34482
        args = (DckeArgs*)ssl->async->args;
34483
34484
        ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
34485
        if (ret != WC_NOT_PENDING_E) {
34486
            /* Check for error */
34487
            if (ret < 0)
34488
                goto exit_dcke;
34489
        }
34490
        else
34491
    #endif /* WOLFSSL_ASYNC_CRYPT */
34492
0
        {
34493
            /* Reset state */
34494
0
            ret = 0;
34495
0
            ssl->options.asyncState = TLS_ASYNC_BEGIN;
34496
0
            XMEMSET(args, 0, sizeof(DckeArgs));
34497
0
            args->idx = *inOutIdx;
34498
0
            args->begin = *inOutIdx;
34499
        #ifdef WOLFSSL_ASYNC_CRYPT
34500
            ssl->async->freeArgs = FreeDckeArgs;
34501
        #endif
34502
0
        }
34503
34504
        /* Do Client Key Exchange State Machine */
34505
0
        switch(ssl->options.asyncState)
34506
0
        {
34507
0
            case TLS_ASYNC_BEGIN:
34508
0
            {
34509
                /* Sanity checks */
34510
                /* server side checked in SanityCheckMsgReceived */
34511
0
                if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {
34512
0
                    WOLFSSL_MSG("Client sending keyexchange at wrong time");
34513
0
                    SendAlert(ssl, alert_fatal, unexpected_message);
34514
0
                    ERROR_OUT(OUT_OF_ORDER_E, exit_dcke);
34515
0
                }
34516
34517
0
            #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
34518
0
                if (ssl->options.verifyPeer &&
34519
0
                         (ssl->options.mutualAuth || ssl->options.failNoCert)) {
34520
0
                    if (!ssl->options.havePeerCert) {
34521
0
                        WOLFSSL_MSG("client didn't present peer cert");
34522
0
                        ERROR_OUT(NO_PEER_CERT, exit_dcke);
34523
0
                    }
34524
0
                }
34525
34526
0
                if (ssl->options.verifyPeer && ssl->options.failNoCertxPSK) {
34527
0
                    if (!ssl->options.havePeerCert &&
34528
0
                                             !ssl->options.usingPSK_cipher) {
34529
0
                        WOLFSSL_MSG("client didn't present peer cert");
34530
0
                        ERROR_OUT(NO_PEER_CERT, exit_dcke);
34531
0
                    }
34532
0
                }
34533
0
            #endif /* !NO_CERTS && !WOLFSSL_NO_CLIENT_AUTH */
34534
34535
            #if defined(WOLFSSL_CALLBACKS)
34536
                if (ssl->hsInfoOn) {
34537
                    AddPacketName(ssl, "ClientKeyExchange");
34538
                }
34539
                if (ssl->toInfoOn) {
34540
                    AddLateName("ClientKeyExchange", &ssl->timeoutInfo);
34541
                }
34542
            #endif
34543
34544
0
                if (ssl->arrays->preMasterSecret == NULL) {
34545
0
                    ssl->arrays->preMasterSz = ENCRYPT_LEN;
34546
0
                    ssl->arrays->preMasterSecret = (byte*)XMALLOC(ENCRYPT_LEN,
34547
0
                                                ssl->heap, DYNAMIC_TYPE_SECRET);
34548
0
                    if (ssl->arrays->preMasterSecret == NULL) {
34549
0
                        ERROR_OUT(MEMORY_E, exit_dcke);
34550
0
                    }
34551
0
                    XMEMSET(ssl->arrays->preMasterSecret, 0, ENCRYPT_LEN);
34552
0
                }
34553
34554
0
                switch (ssl->specs.kea) {
34555
0
                #ifndef NO_RSA
34556
0
                    case rsa_kea:
34557
0
                    {
34558
0
                        break;
34559
0
                    } /* rsa_kea */
34560
0
                #endif /* !NO_RSA */
34561
                #ifndef NO_PSK
34562
                    case psk_kea:
34563
                    {
34564
                        /* sanity check that PSK server callback has been set */
34565
                        if (ssl->options.server_psk_cb == NULL) {
34566
                           WOLFSSL_MSG("No server PSK callback set");
34567
                           ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
34568
                        }
34569
                        break;
34570
                    }
34571
                #endif /* !NO_PSK */
34572
0
                #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
34573
0
                                                          defined(HAVE_CURVE448)
34574
0
                    case ecc_diffie_hellman_kea:
34575
0
                    {
34576
0
                        break;
34577
0
                    }
34578
0
                #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
34579
0
                #ifndef NO_DH
34580
0
                    case diffie_hellman_kea:
34581
0
                    {
34582
0
                        break;
34583
0
                    }
34584
0
                #endif /* !NO_DH */
34585
                #if !defined(NO_DH) && !defined(NO_PSK)
34586
                    case dhe_psk_kea:
34587
                    {
34588
                        /* sanity check that PSK server callback has been set */
34589
                        if (ssl->options.server_psk_cb == NULL) {
34590
                            WOLFSSL_MSG("No server PSK callback set");
34591
                            ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
34592
                        }
34593
                        break;
34594
                    }
34595
                #endif /* !NO_DH && !NO_PSK */
34596
                #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
34597
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
34598
                    case ecdhe_psk_kea:
34599
                    {
34600
                        /* sanity check that PSK server callback has been set */
34601
                        if (ssl->options.server_psk_cb == NULL) {
34602
                            WOLFSSL_MSG("No server PSK callback set");
34603
                            ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
34604
                        }
34605
                        break;
34606
                    }
34607
                #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
34608
0
                    default:
34609
0
                        WOLFSSL_MSG("Bad kea type");
34610
0
                        ret = BAD_KEA_TYPE_E;
34611
0
                } /* switch (ssl->specs.kea) */
34612
34613
                /* Check for error */
34614
0
                if (ret != 0) {
34615
0
                    goto exit_dcke;
34616
0
                }
34617
34618
                /* Advance state and proceed */
34619
0
                ssl->options.asyncState = TLS_ASYNC_BUILD;
34620
0
            } /* TLS_ASYNC_BEGIN */
34621
0
            FALL_THROUGH;
34622
34623
0
            case TLS_ASYNC_BUILD:
34624
0
            {
34625
0
                switch (ssl->specs.kea) {
34626
0
                #ifndef NO_RSA
34627
0
                    case rsa_kea:
34628
0
                    {
34629
0
                        word16 keySz;
34630
34631
0
                        ssl->buffers.keyType = rsa_sa_algo;
34632
0
                        ret = DecodePrivateKey(ssl, &keySz);
34633
0
                        if (ret != 0) {
34634
0
                            goto exit_dcke;
34635
0
                        }
34636
0
                        args->length = (word32)keySz;
34637
0
                        ssl->arrays->preMasterSz = SECRET_LEN;
34638
34639
0
                        if (ssl->options.tls) {
34640
0
                            word16 check;
34641
34642
0
                            if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
34643
0
                                ERROR_OUT(BUFFER_ERROR, exit_dcke);
34644
0
                            }
34645
34646
0
                            ato16(input + args->idx, &check);
34647
0
                            args->idx += OPAQUE16_LEN;
34648
34649
0
                            if ((word32)check != args->length) {
34650
0
                                WOLFSSL_MSG("RSA explicit size doesn't match");
34651
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
34652
0
                                SendAlert(ssl, alert_fatal, bad_record_mac);
34653
0
                        #endif
34654
0
                                ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
34655
0
                            }
34656
0
                        }
34657
34658
0
                        if ((args->idx - args->begin) + args->length > size) {
34659
0
                            WOLFSSL_MSG("RSA message too big");
34660
0
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
34661
0
                        }
34662
34663
                        /* pre-load PreMasterSecret with RNG data */
34664
0
                        ret = wc_RNG_GenerateBlock(ssl->rng,
34665
0
                            &ssl->arrays->preMasterSecret[VERSION_SZ],
34666
0
                            SECRET_LEN - VERSION_SZ);
34667
0
                        if (ret != 0) {
34668
0
                            goto exit_dcke;
34669
0
                        }
34670
34671
0
                        args->output = NULL;
34672
0
                        break;
34673
0
                    } /* rsa_kea */
34674
0
                #endif /* !NO_RSA */
34675
                #ifndef NO_PSK
34676
                    case psk_kea:
34677
                    {
34678
                        byte* pms = ssl->arrays->preMasterSecret;
34679
                        word16 ci_sz;
34680
34681
                        if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
34682
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
34683
                        }
34684
34685
                        ato16(input + args->idx, &ci_sz);
34686
                        args->idx += OPAQUE16_LEN;
34687
34688
                        if (ci_sz > MAX_PSK_ID_LEN) {
34689
                            ERROR_OUT(CLIENT_ID_ERROR, exit_dcke);
34690
                        }
34691
34692
                        if ((args->idx - args->begin) + ci_sz > size) {
34693
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
34694
                        }
34695
34696
                        XMEMCPY(ssl->arrays->client_identity,
34697
                                                    input + args->idx, ci_sz);
34698
                        args->idx += ci_sz;
34699
34700
                        ssl->arrays->client_identity[ci_sz] = '\0'; /* null term */
34701
                        ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
34702
                            ssl->arrays->client_identity, ssl->arrays->psk_key,
34703
                            MAX_PSK_KEY_LEN);
34704
34705
                        if (ssl->arrays->psk_keySz == 0 ||
34706
                                ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
34707
                            #if defined(WOLFSSL_EXTRA_ALERTS) || \
34708
                                defined(WOLFSSL_PSK_IDENTITY_ALERT)
34709
                                SendAlert(ssl, alert_fatal,
34710
                                        unknown_psk_identity);
34711
                            #endif
34712
                            ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
34713
                        }
34714
                        /* SERVER: Pre-shared Key for peer authentication. */
34715
                        ssl->options.peerAuthGood = 1;
34716
34717
                        /* make psk pre master secret */
34718
                        /* length of key + length 0s + length of key + key */
34719
                        c16toa((word16) ssl->arrays->psk_keySz, pms);
34720
                        pms += OPAQUE16_LEN;
34721
34722
                        XMEMSET(pms, 0, ssl->arrays->psk_keySz);
34723
                        pms += ssl->arrays->psk_keySz;
34724
34725
                        c16toa((word16) ssl->arrays->psk_keySz, pms);
34726
                        pms += OPAQUE16_LEN;
34727
34728
                        XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
34729
                        ssl->arrays->preMasterSz =
34730
                            (ssl->arrays->psk_keySz * 2) + (OPAQUE16_LEN * 2);
34731
                        break;
34732
                    }
34733
                #endif /* !NO_PSK */
34734
0
                #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
34735
0
                                                          defined(HAVE_CURVE448)
34736
0
                    case ecc_diffie_hellman_kea:
34737
0
                    {
34738
0
                    #ifdef HAVE_ECC
34739
0
                        ecc_key* private_key = ssl->eccTempKey;
34740
34741
                        /* handle static private key */
34742
0
                        if (ssl->specs.static_ecdh &&
34743
0
                                          ssl->ecdhCurveOID != ECC_X25519_OID &&
34744
0
                                          ssl->ecdhCurveOID != ECC_X448_OID) {
34745
0
                            word16 keySz;
34746
34747
0
                            ssl->buffers.keyType = ecc_dsa_sa_algo;
34748
0
                            ret = DecodePrivateKey(ssl, &keySz);
34749
0
                            if (ret != 0) {
34750
0
                                goto exit_dcke;
34751
0
                            }
34752
0
                            private_key = (ecc_key*)ssl->hsKey;
34753
0
                        }
34754
0
                    #endif
34755
34756
                        /* import peer ECC key */
34757
0
                        if ((args->idx - args->begin) + OPAQUE8_LEN > size) {
34758
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
34759
0
                            SendAlert(ssl, alert_fatal, decode_error);
34760
0
                        #endif
34761
0
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
34762
0
                        }
34763
34764
0
                        args->length = input[args->idx++];
34765
34766
0
                        if ((args->idx - args->begin) + args->length > size) {
34767
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
34768
0
                            SendAlert(ssl, alert_fatal, decode_error);
34769
0
                        #endif
34770
0
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
34771
0
                        }
34772
34773
0
                    #ifdef HAVE_CURVE25519
34774
0
                        if (ssl->ecdhCurveOID == ECC_X25519_OID) {
34775
                        #ifdef HAVE_PK_CALLBACKS
34776
                            /* if callback then use it for shared secret */
34777
                            if (ssl->ctx->X25519SharedSecretCb != NULL) {
34778
                                break;
34779
                            }
34780
                        #endif
34781
0
                            if (ssl->peerX25519Key == NULL) {
34782
                                /* alloc/init on demand */
34783
0
                                ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
34784
0
                                    (void**)&ssl->peerX25519Key);
34785
0
                                if (ret != 0) {
34786
0
                                    goto exit_dcke;
34787
0
                                }
34788
0
                            } else if (ssl->peerX25519KeyPresent) {
34789
0
                                ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519,
34790
0
                                               ssl->peerX25519Key);
34791
0
                                ssl->peerX25519KeyPresent = 0;
34792
0
                                if (ret != 0) {
34793
0
                                    goto exit_dcke;
34794
0
                                }
34795
0
                            }
34796
34797
0
                            if ((ret = wc_curve25519_check_public(
34798
0
                                    input + args->idx, args->length,
34799
0
                                    EC25519_LITTLE_ENDIAN)) != 0) {
34800
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
34801
0
                                if (ret == BUFFER_E)
34802
0
                                    SendAlert(ssl, alert_fatal, decode_error);
34803
0
                                else if (ret == ECC_OUT_OF_RANGE_E)
34804
0
                                    SendAlert(ssl, alert_fatal, bad_record_mac);
34805
0
                                else {
34806
0
                                    SendAlert(ssl, alert_fatal,
34807
0
                                                             illegal_parameter);
34808
0
                                }
34809
0
                        #endif
34810
0
                                ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
34811
0
                            }
34812
34813
0
                            if (wc_curve25519_import_public_ex(
34814
0
                                    input + args->idx, args->length,
34815
0
                                    ssl->peerX25519Key,
34816
0
                                    EC25519_LITTLE_ENDIAN)) {
34817
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
34818
0
                                SendAlert(ssl, alert_fatal, illegal_parameter);
34819
0
                        #endif
34820
0
                                ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
34821
0
                            }
34822
34823
0
                            ssl->arrays->preMasterSz = CURVE25519_KEYSIZE;
34824
34825
0
                            ssl->peerX25519KeyPresent = 1;
34826
34827
0
                            break;
34828
0
                        }
34829
0
                    #endif
34830
0
                    #ifdef HAVE_CURVE448
34831
0
                        if (ssl->ecdhCurveOID == ECC_X448_OID) {
34832
                        #ifdef HAVE_PK_CALLBACKS
34833
                            /* if callback then use it for shared secret */
34834
                            if (ssl->ctx->X448SharedSecretCb != NULL) {
34835
                                break;
34836
                            }
34837
                        #endif
34838
0
                            if (ssl->peerX448Key == NULL) {
34839
                                /* alloc/init on demand */
34840
0
                                ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
34841
0
                                    (void**)&ssl->peerX448Key);
34842
0
                                if (ret != 0) {
34843
0
                                    goto exit_dcke;
34844
0
                                }
34845
0
                            } else if (ssl->peerX448KeyPresent) {
34846
0
                                ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE448,
34847
0
                                               ssl->peerX448Key);
34848
0
                                ssl->peerX448KeyPresent = 0;
34849
0
                                if (ret != 0) {
34850
0
                                    goto exit_dcke;
34851
0
                                }
34852
0
                            }
34853
34854
0
                            if ((ret = wc_curve448_check_public(
34855
0
                                    input + args->idx, args->length,
34856
0
                                    EC448_LITTLE_ENDIAN)) != 0) {
34857
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
34858
0
                                if (ret == BUFFER_E)
34859
0
                                    SendAlert(ssl, alert_fatal, decode_error);
34860
0
                                else if (ret == ECC_OUT_OF_RANGE_E)
34861
0
                                    SendAlert(ssl, alert_fatal, bad_record_mac);
34862
0
                                else {
34863
0
                                    SendAlert(ssl, alert_fatal,
34864
0
                                                             illegal_parameter);
34865
0
                                }
34866
0
                        #endif
34867
0
                                ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
34868
0
                            }
34869
34870
0
                            if (wc_curve448_import_public_ex(
34871
0
                                    input + args->idx, args->length,
34872
0
                                    ssl->peerX448Key,
34873
0
                                    EC448_LITTLE_ENDIAN)) {
34874
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
34875
0
                                SendAlert(ssl, alert_fatal, illegal_parameter);
34876
0
                        #endif
34877
0
                                ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
34878
0
                            }
34879
34880
0
                            ssl->arrays->preMasterSz = CURVE448_KEY_SIZE;
34881
34882
0
                            ssl->peerX448KeyPresent = 1;
34883
34884
0
                            break;
34885
0
                        }
34886
0
                    #endif
34887
0
                #ifdef HAVE_ECC
34888
                    #ifdef HAVE_PK_CALLBACKS
34889
                        /* if callback then use it for shared secret */
34890
                        if (ssl->ctx->EccSharedSecretCb != NULL) {
34891
                            break;
34892
                        }
34893
                    #endif
34894
34895
0
                        if (!ssl->specs.static_ecdh &&
34896
0
                            ssl->eccTempKeyPresent == 0) {
34897
0
                            WOLFSSL_MSG("Ecc ephemeral key not made correctly");
34898
0
                            ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke);
34899
0
                        }
34900
34901
0
                        if (ssl->peerEccKey == NULL) {
34902
                            /* alloc/init on demand */
34903
0
                            ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
34904
0
                                (void**)&ssl->peerEccKey);
34905
0
                            if (ret != 0) {
34906
0
                                goto exit_dcke;
34907
0
                            }
34908
0
                        } else if (ssl->peerEccKeyPresent) {
34909
0
                            ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC,
34910
0
                                           ssl->peerEccKey);
34911
0
                            ssl->peerEccKeyPresent = 0;
34912
0
                            if (ret != 0) {
34913
0
                                goto exit_dcke;
34914
0
                            }
34915
0
                        }
34916
34917
0
                        if (wc_ecc_import_x963_ex(input + args->idx,
34918
0
                                                  args->length, ssl->peerEccKey,
34919
0
                                                  private_key->dp->id)) {
34920
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
34921
0
                            SendAlert(ssl, alert_fatal, illegal_parameter);
34922
0
                        #endif
34923
0
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
34924
0
                        }
34925
34926
0
                        ssl->arrays->preMasterSz = private_key->dp->size;
34927
34928
0
                        ssl->peerEccKeyPresent = 1;
34929
34930
0
                    #if defined(WOLFSSL_TLS13) || defined(HAVE_FFDHE)
34931
                        /* client_hello may have sent FFEDH2048, which sets namedGroup,
34932
                            but that is not being used, so clear it */
34933
                        /* resolves issue with server side wolfSSL_get_curve_name */
34934
0
                        ssl->namedGroup = 0;
34935
0
                    #endif
34936
0
                #endif /* HAVE_ECC */
34937
34938
0
                        break;
34939
0
                    }
34940
0
                #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
34941
0
                #ifndef NO_DH
34942
0
                    case diffie_hellman_kea:
34943
0
                    {
34944
0
                        word16 clientPubSz;
34945
34946
0
                        if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
34947
0
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
34948
0
                        }
34949
34950
0
                        ato16(input + args->idx, &clientPubSz);
34951
0
                        args->idx += OPAQUE16_LEN;
34952
34953
0
                        if ((args->idx - args->begin) + clientPubSz > size) {
34954
0
                        #ifdef WOLFSSL_EXTRA_ALERTS
34955
0
                            SendAlert(ssl, alert_fatal, decode_error);
34956
0
                        #endif
34957
0
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
34958
0
                        }
34959
34960
0
                        args->sigSz = clientPubSz;
34961
34962
0
                        ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
34963
0
                                            (void**)&ssl->buffers.serverDH_Key);
34964
0
                        if (ret != 0) {
34965
0
                            goto exit_dcke;
34966
0
                        }
34967
34968
0
                        ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
34969
0
                            ssl->buffers.serverDH_P.buffer,
34970
0
                            ssl->buffers.serverDH_P.length,
34971
0
                            ssl->buffers.serverDH_G.buffer,
34972
0
                            ssl->buffers.serverDH_G.length);
34973
34974
                        /* set the max agree result size */
34975
0
                        ssl->arrays->preMasterSz = ENCRYPT_LEN;
34976
0
                        break;
34977
0
                    }
34978
0
                #endif /* !NO_DH */
34979
                #if !defined(NO_DH) && !defined(NO_PSK)
34980
                    case dhe_psk_kea:
34981
                    {
34982
                        word16 clientSz;
34983
34984
                        /* Read in the PSK hint */
34985
                        if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
34986
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
34987
                        }
34988
34989
                        ato16(input + args->idx, &clientSz);
34990
                        args->idx += OPAQUE16_LEN;
34991
                        if (clientSz > MAX_PSK_ID_LEN) {
34992
                            ERROR_OUT(CLIENT_ID_ERROR, exit_dcke);
34993
                        }
34994
34995
                        if ((args->idx - args->begin) + clientSz > size) {
34996
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
34997
                        }
34998
34999
                        XMEMCPY(ssl->arrays->client_identity, input + args->idx,
35000
                                                                    clientSz);
35001
                        args->idx += clientSz;
35002
                        ssl->arrays->client_identity[clientSz] = '\0'; /* null term */
35003
35004
                        /* Read in the DHE business */
35005
                        if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
35006
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
35007
                        }
35008
35009
                        ato16(input + args->idx, &clientSz);
35010
                        args->idx += OPAQUE16_LEN;
35011
35012
                        if ((args->idx - args->begin) + clientSz > size) {
35013
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
35014
                        }
35015
35016
                        args->sigSz = clientSz;
35017
35018
                        ret = AllocKey(ssl, DYNAMIC_TYPE_DH,
35019
                                            (void**)&ssl->buffers.serverDH_Key);
35020
                        if (ret != 0) {
35021
                            goto exit_dcke;
35022
                        }
35023
35024
                        ret = wc_DhSetKey(ssl->buffers.serverDH_Key,
35025
                            ssl->buffers.serverDH_P.buffer,
35026
                            ssl->buffers.serverDH_P.length,
35027
                            ssl->buffers.serverDH_G.buffer,
35028
                            ssl->buffers.serverDH_G.length);
35029
35030
                        break;
35031
                    }
35032
                #endif /* !NO_DH && !NO_PSK */
35033
                #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
35034
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
35035
                    case ecdhe_psk_kea:
35036
                    {
35037
                        word16 clientSz;
35038
35039
                        /* Read in the PSK hint */
35040
                        if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
35041
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
35042
                        }
35043
35044
                        ato16(input + args->idx, &clientSz);
35045
                        args->idx += OPAQUE16_LEN;
35046
                        if (clientSz > MAX_PSK_ID_LEN) {
35047
                            ERROR_OUT(CLIENT_ID_ERROR, exit_dcke);
35048
                        }
35049
                        if ((args->idx - args->begin) + clientSz > size) {
35050
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
35051
                        }
35052
35053
                        XMEMCPY(ssl->arrays->client_identity,
35054
                                                   input + args->idx, clientSz);
35055
                        args->idx += clientSz;
35056
                        ssl->arrays->client_identity[clientSz] = '\0'; /* null term */
35057
35058
                        /* import peer ECC key */
35059
                        if ((args->idx - args->begin) + OPAQUE8_LEN > size) {
35060
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
35061
                        }
35062
35063
                        args->length = input[args->idx++];
35064
35065
                        if ((args->idx - args->begin) + args->length > size) {
35066
                            ERROR_OUT(BUFFER_ERROR, exit_dcke);
35067
                        }
35068
35069
                        args->sigSz = ENCRYPT_LEN - OPAQUE16_LEN;
35070
35071
                    #ifdef HAVE_CURVE25519
35072
                        if (ssl->ecdhCurveOID == ECC_X25519_OID) {
35073
                        #ifdef HAVE_PK_CALLBACKS
35074
                            /* if callback then use it for shared secret */
35075
                            if (ssl->ctx->X25519SharedSecretCb != NULL) {
35076
                                break;
35077
                            }
35078
                        #endif
35079
35080
                            if (ssl->eccTempKeyPresent == 0) {
35081
                                WOLFSSL_MSG(
35082
                                     "X25519 ephemeral key not made correctly");
35083
                                ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke);
35084
                            }
35085
35086
                            if (ssl->peerX25519Key == NULL) {
35087
                                /* alloc/init on demand */
35088
                                ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE25519,
35089
                                    (void**)&ssl->peerX25519Key);
35090
                                if (ret != 0) {
35091
                                    goto exit_dcke;
35092
                                }
35093
                            } else if (ssl->peerX25519KeyPresent) {
35094
                                ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE25519,
35095
                                               ssl->peerX25519Key);
35096
                                ssl->peerX25519KeyPresent = 0;
35097
                                if (ret != 0) {
35098
                                    goto exit_dcke;
35099
                                }
35100
                            }
35101
35102
                            if ((ret = wc_curve25519_check_public(
35103
                                    input + args->idx, args->length,
35104
                                    EC25519_LITTLE_ENDIAN)) != 0) {
35105
                        #ifdef WOLFSSL_EXTRA_ALERTS
35106
                                if (ret == BUFFER_E)
35107
                                    SendAlert(ssl, alert_fatal, decode_error);
35108
                                else if (ret == ECC_OUT_OF_RANGE_E)
35109
                                    SendAlert(ssl, alert_fatal, bad_record_mac);
35110
                                else {
35111
                                    SendAlert(ssl, alert_fatal,
35112
                                                             illegal_parameter);
35113
                                }
35114
                        #endif
35115
                                ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
35116
                            }
35117
35118
                            if (wc_curve25519_import_public_ex(
35119
                                    input + args->idx, args->length,
35120
                                    ssl->peerX25519Key,
35121
                                    EC25519_LITTLE_ENDIAN)) {
35122
                                ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
35123
                            }
35124
35125
                            ssl->peerX25519KeyPresent = 1;
35126
35127
                            break;
35128
                        }
35129
                    #endif
35130
                    #ifdef HAVE_CURVE448
35131
                        if (ssl->ecdhCurveOID == ECC_X448_OID) {
35132
                        #ifdef HAVE_PK_CALLBACKS
35133
                            /* if callback then use it for shared secret */
35134
                            if (ssl->ctx->X448SharedSecretCb != NULL) {
35135
                                break;
35136
                            }
35137
                        #endif
35138
35139
                            if (ssl->eccTempKeyPresent == 0) {
35140
                                WOLFSSL_MSG(
35141
                                       "X448 ephemeral key not made correctly");
35142
                                ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke);
35143
                            }
35144
35145
                            if (ssl->peerX448Key == NULL) {
35146
                                /* alloc/init on demand */
35147
                                ret = AllocKey(ssl, DYNAMIC_TYPE_CURVE448,
35148
                                    (void**)&ssl->peerX448Key);
35149
                                if (ret != 0) {
35150
                                    goto exit_dcke;
35151
                                }
35152
                            } else if (ssl->peerX448KeyPresent) {
35153
                                ret = ReuseKey(ssl, DYNAMIC_TYPE_CURVE448,
35154
                                               ssl->peerX448Key);
35155
                                ssl->peerX448KeyPresent = 0;
35156
                                if (ret != 0) {
35157
                                    goto exit_dcke;
35158
                                }
35159
                            }
35160
35161
                            if ((ret = wc_curve448_check_public(
35162
                                    input + args->idx, args->length,
35163
                                    EC448_LITTLE_ENDIAN)) != 0) {
35164
                        #ifdef WOLFSSL_EXTRA_ALERTS
35165
                                if (ret == BUFFER_E)
35166
                                    SendAlert(ssl, alert_fatal, decode_error);
35167
                                else if (ret == ECC_OUT_OF_RANGE_E)
35168
                                    SendAlert(ssl, alert_fatal, bad_record_mac);
35169
                                else {
35170
                                    SendAlert(ssl, alert_fatal,
35171
                                                             illegal_parameter);
35172
                                }
35173
                        #endif
35174
                                ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
35175
                            }
35176
35177
                            if (wc_curve448_import_public_ex(
35178
                                    input + args->idx, args->length,
35179
                                    ssl->peerX448Key,
35180
                                    EC448_LITTLE_ENDIAN)) {
35181
                                ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
35182
                            }
35183
35184
                            ssl->peerX448KeyPresent = 1;
35185
35186
                            break;
35187
                        }
35188
                    #endif
35189
                    #ifdef HAVE_PK_CALLBACKS
35190
                        /* if callback then use it for shared secret */
35191
                        if (ssl->ctx->EccSharedSecretCb != NULL) {
35192
                            break;
35193
                        }
35194
                    #endif
35195
35196
                        if (ssl->eccTempKeyPresent == 0) {
35197
                            WOLFSSL_MSG("Ecc ephemeral key not made correctly");
35198
                            ERROR_OUT(ECC_MAKEKEY_ERROR, exit_dcke);
35199
                        }
35200
35201
                        if (ssl->peerEccKey == NULL) {
35202
                            /* alloc/init on demand */
35203
                            ret = AllocKey(ssl, DYNAMIC_TYPE_ECC,
35204
                                (void**)&ssl->peerEccKey);
35205
                            if (ret != 0) {
35206
                                goto exit_dcke;
35207
                            }
35208
                        }
35209
                        else if (ssl->peerEccKeyPresent) {
35210
                            ret = ReuseKey(ssl, DYNAMIC_TYPE_ECC,
35211
                                           ssl->peerEccKey);
35212
                            ssl->peerEccKeyPresent = 0;
35213
                            if (ret != 0) {
35214
                                goto exit_dcke;
35215
                            }
35216
                        }
35217
                        if (wc_ecc_import_x963_ex(input + args->idx,
35218
                                 args->length, ssl->peerEccKey,
35219
                                 ssl->eccTempKey->dp->id)) {
35220
                            ERROR_OUT(ECC_PEERKEY_ERROR, exit_dcke);
35221
                        }
35222
35223
                        ssl->peerEccKeyPresent = 1;
35224
                        break;
35225
                    }
35226
                #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
35227
0
                    default:
35228
0
                        ret = BAD_KEA_TYPE_E;
35229
0
                } /* switch (ssl->specs.kea) */
35230
35231
                /* Check for error */
35232
0
                if (ret != 0) {
35233
0
                    goto exit_dcke;
35234
0
                }
35235
35236
                /* Advance state and proceed */
35237
0
                ssl->options.asyncState = TLS_ASYNC_DO;
35238
0
            } /* TLS_ASYNC_BUILD */
35239
0
            FALL_THROUGH;
35240
35241
0
            case TLS_ASYNC_DO:
35242
0
            {
35243
0
                switch (ssl->specs.kea) {
35244
0
                #ifndef NO_RSA
35245
0
                    case rsa_kea:
35246
0
                    {
35247
0
                        RsaKey* key = (RsaKey*)ssl->hsKey;
35248
35249
0
                        ret = RsaDec(ssl,
35250
0
                            input + args->idx,
35251
0
                            args->length,
35252
0
                            &args->output,
35253
0
                            &args->sigSz,
35254
0
                            key,
35255
                        #ifdef HAVE_PK_CALLBACKS
35256
                            ssl->buffers.key
35257
                        #else
35258
0
                            NULL
35259
0
                        #endif
35260
0
                        );
35261
35262
                        /*  Errors that can occur here that should be
35263
                         *  indistinguishable:
35264
                         *       RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
35265
                         */
35266
                    #ifdef WOLFSSL_ASYNC_CRYPT
35267
                        if (ret == WC_PENDING_E)
35268
                            goto exit_dcke;
35269
                    #endif
35270
0
                        if (ret == BAD_FUNC_ARG)
35271
0
                            goto exit_dcke;
35272
35273
0
                        args->lastErr = ret - (SECRET_LEN - args->sigSz);
35274
0
                        ret = 0;
35275
0
                        break;
35276
0
                    } /* rsa_kea */
35277
0
                #endif /* !NO_RSA */
35278
                #ifndef NO_PSK
35279
                    case psk_kea:
35280
                    {
35281
                        break;
35282
                    }
35283
                #endif /* !NO_PSK */
35284
0
                #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
35285
0
                                                          defined(HAVE_CURVE448)
35286
0
                    case ecc_diffie_hellman_kea:
35287
0
                    {
35288
0
                        void* private_key = ssl->eccTempKey;
35289
0
                        (void)private_key;
35290
35291
0
                    #ifdef HAVE_CURVE25519
35292
0
                        if (ssl->ecdhCurveOID == ECC_X25519_OID) {
35293
0
                            ret = X25519SharedSecret(ssl,
35294
0
                                (curve25519_key*)private_key,
35295
0
                                ssl->peerX25519Key,
35296
0
                                input + args->idx, &args->length,
35297
0
                                ssl->arrays->preMasterSecret,
35298
0
                                &ssl->arrays->preMasterSz,
35299
0
                                WOLFSSL_SERVER_END
35300
0
                            );
35301
0
                            break;
35302
0
                        }
35303
0
                    #endif
35304
0
                    #ifdef HAVE_CURVE448
35305
0
                        if (ssl->ecdhCurveOID == ECC_X448_OID) {
35306
0
                            ret = X448SharedSecret(ssl,
35307
0
                                (curve448_key*)private_key,
35308
0
                                ssl->peerX448Key,
35309
0
                                input + args->idx, &args->length,
35310
0
                                ssl->arrays->preMasterSecret,
35311
0
                                &ssl->arrays->preMasterSz,
35312
0
                                WOLFSSL_SERVER_END
35313
0
                            );
35314
0
                            break;
35315
0
                        }
35316
0
                    #endif
35317
0
                    #ifdef HAVE_ECC
35318
0
                        if (ssl->specs.static_ecdh) {
35319
0
                            private_key = ssl->hsKey;
35320
0
                        }
35321
35322
                        /* Generate shared secret */
35323
0
                        ret = EccSharedSecret(ssl,
35324
0
                            (ecc_key*)private_key, ssl->peerEccKey,
35325
0
                            input + args->idx, &args->length,
35326
0
                            ssl->arrays->preMasterSecret,
35327
0
                            &ssl->arrays->preMasterSz,
35328
0
                            WOLFSSL_SERVER_END
35329
0
                        );
35330
                    #ifdef WOLFSSL_ASYNC_CRYPT
35331
                        if (ret != WC_PENDING_E)
35332
                    #endif
35333
0
                        {
35334
0
                            FreeKey(ssl, DYNAMIC_TYPE_ECC,
35335
0
                                                      (void**)&ssl->peerEccKey);
35336
0
                            ssl->peerEccKeyPresent = 0;
35337
0
                        }
35338
0
                    #endif
35339
0
                        break;
35340
0
                    }
35341
0
                #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
35342
0
                #ifndef NO_DH
35343
0
                    case diffie_hellman_kea:
35344
0
                    {
35345
0
                        ret = DhAgree(ssl, ssl->buffers.serverDH_Key,
35346
0
                            ssl->buffers.serverDH_Priv.buffer,
35347
0
                            ssl->buffers.serverDH_Priv.length,
35348
0
                            input + args->idx,
35349
0
                            (word16)args->sigSz,
35350
0
                            ssl->arrays->preMasterSecret,
35351
0
                            &ssl->arrays->preMasterSz,
35352
0
                            ssl->buffers.serverDH_P.buffer,
35353
0
                            ssl->buffers.serverDH_P.length);
35354
0
                        break;
35355
0
                    }
35356
0
                #endif /* !NO_DH */
35357
                #if !defined(NO_DH) && !defined(NO_PSK)
35358
                    case dhe_psk_kea:
35359
                    {
35360
                        ret = DhAgree(ssl, ssl->buffers.serverDH_Key,
35361
                            ssl->buffers.serverDH_Priv.buffer,
35362
                            ssl->buffers.serverDH_Priv.length,
35363
                            input + args->idx,
35364
                            (word16)args->sigSz,
35365
                            ssl->arrays->preMasterSecret + OPAQUE16_LEN,
35366
                            &ssl->arrays->preMasterSz,
35367
                            ssl->buffers.serverDH_P.buffer,
35368
                            ssl->buffers.serverDH_P.length);
35369
                        break;
35370
                    }
35371
                #endif /* !NO_DH && !NO_PSK */
35372
                #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
35373
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
35374
                    case ecdhe_psk_kea:
35375
                    {
35376
                    #ifdef HAVE_CURVE25519
35377
                        if (ssl->ecdhCurveOID == ECC_X25519_OID) {
35378
                            ret = X25519SharedSecret(ssl,
35379
                                (curve25519_key*)ssl->eccTempKey,
35380
                                ssl->peerX25519Key,
35381
                                input + args->idx, &args->length,
35382
                                ssl->arrays->preMasterSecret + OPAQUE16_LEN,
35383
                                &args->sigSz,
35384
                                WOLFSSL_SERVER_END
35385
                            );
35386
                        #ifdef WOLFSSL_ASYNC_CRYPT
35387
                            if (ret != WC_PENDING_E)
35388
                        #endif
35389
                            {
35390
                                FreeKey(ssl, DYNAMIC_TYPE_CURVE25519,
35391
                                                   (void**)&ssl->peerX25519Key);
35392
                                ssl->peerX25519KeyPresent = 0;
35393
                            }
35394
                            break;
35395
                        }
35396
                    #endif
35397
                    #ifdef HAVE_CURVE448
35398
                        if (ssl->ecdhCurveOID == ECC_X448_OID) {
35399
                            ret = X448SharedSecret(ssl,
35400
                                (curve448_key*)ssl->eccTempKey,
35401
                                ssl->peerX448Key,
35402
                                input + args->idx, &args->length,
35403
                                ssl->arrays->preMasterSecret + OPAQUE16_LEN,
35404
                                &args->sigSz,
35405
                                WOLFSSL_SERVER_END
35406
                            );
35407
                        #ifdef WOLFSSL_ASYNC_CRYPT
35408
                            if (ret != WC_PENDING_E)
35409
                        #endif
35410
                            {
35411
                                FreeKey(ssl, DYNAMIC_TYPE_CURVE448,
35412
                                                     (void**)&ssl->peerX448Key);
35413
                                ssl->peerX448KeyPresent = 0;
35414
                            }
35415
                            break;
35416
                        }
35417
                    #endif
35418
                        /* Generate shared secret */
35419
                        ret = EccSharedSecret(ssl,
35420
                            ssl->eccTempKey, ssl->peerEccKey,
35421
                            input + args->idx, &args->length,
35422
                            ssl->arrays->preMasterSecret + OPAQUE16_LEN,
35423
                            &args->sigSz,
35424
                            WOLFSSL_SERVER_END
35425
                        );
35426
                        if (!ssl->specs.static_ecdh
35427
                    #ifdef WOLFSSL_ASYNC_CRYPT
35428
                            && ret != WC_PENDING_E
35429
                    #endif
35430
                        ) {
35431
                            FreeKey(ssl, DYNAMIC_TYPE_ECC,
35432
                                                      (void**)&ssl->peerEccKey);
35433
                            ssl->peerEccKeyPresent = 0;
35434
                        }
35435
                        break;
35436
                    }
35437
                #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
35438
0
                    default:
35439
0
                        ret = BAD_KEA_TYPE_E;
35440
0
                } /* switch (ssl->specs.kea) */
35441
35442
                /* Check for error */
35443
0
                if (ret != 0) {
35444
0
                    goto exit_dcke;
35445
0
                }
35446
35447
                /* Advance state and proceed */
35448
0
                ssl->options.asyncState = TLS_ASYNC_VERIFY;
35449
0
            } /* TLS_ASYNC_DO */
35450
0
            FALL_THROUGH;
35451
35452
0
            case TLS_ASYNC_VERIFY:
35453
0
            {
35454
0
                switch (ssl->specs.kea) {
35455
0
                #ifndef NO_RSA
35456
0
                    case rsa_kea:
35457
0
                    {
35458
0
                        byte *tmpRsa;
35459
0
                        byte mask;
35460
0
                        int i;
35461
35462
                        /* Add the signature length to idx */
35463
0
                        args->idx += args->length;
35464
35465
                    #ifdef DEBUG_WOLFSSL
35466
                        /* check version (debug warning message only) */
35467
                        if (args->output != NULL) {
35468
                            if (args->output[0] != ssl->chVersion.major ||
35469
                                args->output[1] != ssl->chVersion.minor) {
35470
                                WOLFSSL_MSG("preMasterSecret version mismatch");
35471
                            }
35472
                        }
35473
                    #endif
35474
35475
                        /* RFC5246 7.4.7.1:
35476
                         * Treat incorrectly formatted message blocks and/or
35477
                         * mismatched version numbers in a manner
35478
                         * indistinguishable from correctly formatted RSA blocks
35479
                         */
35480
35481
0
                        ret = args->lastErr;
35482
0
                        args->lastErr = 0; /* reset */
35483
                        /* On error 'ret' will be negative */
35484
0
                        mask = ((unsigned int)ret >>
35485
0
                                                   ((sizeof(ret) * 8) - 1)) - 1;
35486
35487
                        /* build PreMasterSecret */
35488
0
                        ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
35489
0
                        ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
35490
35491
0
                        tmpRsa = input + args->idx - VERSION_SZ - SECRET_LEN;
35492
0
                        ctMaskCopy(~mask, (byte*)&args->output, (byte*)&tmpRsa,
35493
0
                            sizeof(args->output));
35494
0
                        if (args->output != NULL) {
35495
                            /* Use random secret on error */
35496
0
                            for (i = VERSION_SZ; i < SECRET_LEN; i++) {
35497
0
                                ssl->arrays->preMasterSecret[i] =
35498
0
                                     ctMaskSel(mask, args->output[i],
35499
0
                                               ssl->arrays->preMasterSecret[i]);
35500
0
                            }
35501
0
                        }
35502
                        /* preMasterSecret has RNG and version set
35503
                         * return proper length and ignore error
35504
                         * error will be caught as decryption error
35505
                         */
35506
0
                        args->sigSz = SECRET_LEN;
35507
0
                        ret = 0;
35508
0
                        break;
35509
0
                    } /* rsa_kea */
35510
0
                #endif /* !NO_RSA */
35511
                #ifndef NO_PSK
35512
                    case psk_kea:
35513
                    {
35514
                        break;
35515
                    }
35516
                #endif /* !NO_PSK */
35517
0
                #if defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
35518
0
                                                          defined(HAVE_CURVE448)
35519
0
                    case ecc_diffie_hellman_kea:
35520
0
                    {
35521
                        /* skip past the imported peer key */
35522
0
                        args->idx += args->length;
35523
0
                        break;
35524
0
                    }
35525
0
                #endif /* HAVE_ECC || HAVE_CURVE25519 || HAVE_CURVE448 */
35526
0
                #ifndef NO_DH
35527
0
                    case diffie_hellman_kea:
35528
0
                    {
35529
0
                        args->idx += (word16)args->sigSz;
35530
0
                        break;
35531
0
                    }
35532
0
                #endif /* !NO_DH */
35533
                #if !defined(NO_DH) && !defined(NO_PSK)
35534
                    case dhe_psk_kea:
35535
                    {
35536
                        byte* pms = ssl->arrays->preMasterSecret;
35537
                        word16 clientSz = (word16)args->sigSz;
35538
35539
                        args->idx += clientSz;
35540
                        c16toa((word16)ssl->arrays->preMasterSz, pms);
35541
                        ssl->arrays->preMasterSz += OPAQUE16_LEN;
35542
                        pms += ssl->arrays->preMasterSz;
35543
35544
                        /* Use the PSK hint to look up the PSK and add it to the
35545
                         * preMasterSecret here. */
35546
                        ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
35547
                            ssl->arrays->client_identity, ssl->arrays->psk_key,
35548
                            MAX_PSK_KEY_LEN);
35549
35550
                        if (ssl->arrays->psk_keySz == 0 ||
35551
                                ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
35552
                            #if defined(WOLFSSL_EXTRA_ALERTS) || \
35553
                                defined(WOLFSSL_PSK_IDENTITY_ALERT)
35554
                                SendAlert(ssl, alert_fatal,
35555
                                        unknown_psk_identity);
35556
                            #endif
35557
                            ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
35558
                        }
35559
                        /* SERVER: Pre-shared Key for peer authentication. */
35560
                        ssl->options.peerAuthGood = 1;
35561
35562
                        c16toa((word16) ssl->arrays->psk_keySz, pms);
35563
                        pms += OPAQUE16_LEN;
35564
35565
                        XMEMCPY(pms, ssl->arrays->psk_key,
35566
                                                    ssl->arrays->psk_keySz);
35567
                        ssl->arrays->preMasterSz += ssl->arrays->psk_keySz +
35568
                                                                OPAQUE16_LEN;
35569
                        break;
35570
                    }
35571
                #endif /* !NO_DH && !NO_PSK */
35572
                #if (defined(HAVE_ECC) || defined(HAVE_CURVE25519) || \
35573
                                     defined(HAVE_CURVE448)) && !defined(NO_PSK)
35574
                    case ecdhe_psk_kea:
35575
                    {
35576
                        byte* pms = ssl->arrays->preMasterSecret;
35577
                        word16 clientSz = (word16)args->sigSz;
35578
35579
                        /* skip past the imported peer key */
35580
                        args->idx += args->length;
35581
35582
                        /* Add preMasterSecret */
35583
                        c16toa(clientSz, pms);
35584
                        ssl->arrays->preMasterSz = OPAQUE16_LEN + clientSz;
35585
                        pms += ssl->arrays->preMasterSz;
35586
35587
                        /* Use the PSK hint to look up the PSK and add it to the
35588
                         * preMasterSecret here. */
35589
                        ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
35590
                            ssl->arrays->client_identity, ssl->arrays->psk_key,
35591
                            MAX_PSK_KEY_LEN);
35592
35593
                        if (ssl->arrays->psk_keySz == 0 ||
35594
                                   ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
35595
                            ERROR_OUT(PSK_KEY_ERROR, exit_dcke);
35596
                        }
35597
                        /* SERVER: Pre-shared Key for peer authentication. */
35598
                        ssl->options.peerAuthGood = 1;
35599
35600
                        c16toa((word16) ssl->arrays->psk_keySz, pms);
35601
                        pms += OPAQUE16_LEN;
35602
35603
                        XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz);
35604
                        ssl->arrays->preMasterSz +=
35605
                                      ssl->arrays->psk_keySz + OPAQUE16_LEN;
35606
                        break;
35607
                    }
35608
                #endif /* (HAVE_ECC || CURVE25519 || CURVE448) && !NO_PSK */
35609
0
                    default:
35610
0
                        ret = BAD_KEA_TYPE_E;
35611
0
                } /* switch (ssl->specs.kea) */
35612
35613
                /* Check for error */
35614
0
                if (ret != 0) {
35615
0
                    goto exit_dcke;
35616
0
                }
35617
35618
                /* Advance state and proceed */
35619
0
                ssl->options.asyncState = TLS_ASYNC_FINALIZE;
35620
0
            } /* TLS_ASYNC_VERIFY */
35621
0
            FALL_THROUGH;
35622
35623
0
            case TLS_ASYNC_FINALIZE:
35624
0
            {
35625
0
                if (IsEncryptionOn(ssl, 0)) {
35626
0
                    args->idx += ssl->keys.padSz;
35627
0
            #if defined(HAVE_ENCRYPT_THEN_MAC) && !defined(WOLFSSL_AEAD_ONLY)
35628
0
                    if (ssl->options.startedETMRead)
35629
0
                        args->idx += MacSize(ssl);
35630
0
            #endif
35631
0
                }
35632
35633
0
                ret = MakeMasterSecret(ssl);
35634
35635
                /* Check for error */
35636
0
                if (ret != 0) {
35637
0
                    goto exit_dcke;
35638
0
                }
35639
35640
                /* Advance state and proceed */
35641
0
                ssl->options.asyncState = TLS_ASYNC_END;
35642
0
            } /* TLS_ASYNC_FINALIZE */
35643
0
            FALL_THROUGH;
35644
35645
0
            case TLS_ASYNC_END:
35646
0
            {
35647
                /* Set final index */
35648
0
                *inOutIdx = args->idx;
35649
35650
0
                ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
35651
0
            #if !defined(NO_CERTS) && !defined(WOLFSSL_NO_CLIENT_AUTH)
35652
0
                if (ssl->options.verifyPeer) {
35653
0
                    ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes);
35654
0
                }
35655
0
            #endif
35656
0
                break;
35657
0
            } /* TLS_ASYNC_END */
35658
0
            default:
35659
0
                ret = INPUT_CASE_ERROR;
35660
0
        } /* switch(ssl->options.asyncState) */
35661
35662
0
    exit_dcke:
35663
35664
0
        WOLFSSL_LEAVE("DoClientKeyExchange", ret);
35665
0
        WOLFSSL_END(WC_FUNC_CLIENT_KEY_EXCHANGE_DO);
35666
    #ifdef WOLFSSL_ASYNC_CRYPT
35667
        /* Handle async operation */
35668
        if (ret == WC_PENDING_E) {
35669
            /* Mark message as not received so it can process again */
35670
            ssl->msgsReceived.got_client_key_exchange = 0;
35671
35672
            return ret;
35673
        }
35674
        /* Cleanup async */
35675
        FreeAsyncCtx(ssl, 0);
35676
    #else
35677
0
        FreeDckeArgs(ssl, args);
35678
0
    #endif /* WOLFSSL_ASYNC_CRYPT */
35679
0
    #ifdef OPENSSL_ALL
35680
        /* add error ret value to error queue */
35681
0
        if (ret != 0) {
35682
0
            WOLFSSL_ERROR(ret);
35683
0
        }
35684
0
    #endif
35685
35686
35687
        /* Cleanup PMS */
35688
0
        if (ssl->arrays->preMasterSecret != NULL) {
35689
0
            ForceZero(ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz);
35690
0
        }
35691
0
        ssl->arrays->preMasterSz = 0;
35692
35693
        /* Final cleanup */
35694
0
        FreeKeyExchange(ssl);
35695
35696
0
        return ret;
35697
0
    }
35698
35699
#endif /* !WOLFSSL_NO_TLS12 */
35700
35701
#ifdef HAVE_SNI
35702
    int SNI_Callback(WOLFSSL* ssl)
35703
0
    {
35704
0
        int ad = 0;
35705
0
        int sniRet = 0;
35706
        /* Stunnel supports a custom sni callback to switch an SSL's ctx
35707
        * when SNI is received. Call it now if exists */
35708
0
        if(ssl && ssl->ctx && ssl->ctx->sniRecvCb) {
35709
0
            WOLFSSL_MSG("Calling custom sni callback");
35710
0
            sniRet = ssl->ctx->sniRecvCb(ssl, &ad, ssl->ctx->sniRecvCbArg);
35711
0
            switch (sniRet) {
35712
0
                case warning_return:
35713
0
                    WOLFSSL_MSG("Error in custom sni callback. Warning alert");
35714
0
                    SendAlert(ssl, alert_warning, ad);
35715
0
                    break;
35716
0
                case fatal_return:
35717
0
                    WOLFSSL_MSG("Error in custom sni callback. Fatal alert");
35718
0
                    SendAlert(ssl, alert_fatal, ad);
35719
0
                    return FATAL_ERROR;
35720
0
                case noack_return:
35721
0
                    WOLFSSL_MSG("Server quietly not acking servername.");
35722
0
                    break;
35723
0
                default:
35724
0
                    break;
35725
0
            }
35726
0
        }
35727
0
        return 0;
35728
0
    }
35729
#endif /* HAVE_SNI */
35730
35731
#endif /* NO_WOLFSSL_SERVER */
35732
35733
35734
#ifdef WOLFSSL_ASYNC_CRYPT
35735
int wolfSSL_AsyncPop(WOLFSSL* ssl, byte* state)
35736
{
35737
    int ret = 0;
35738
    WC_ASYNC_DEV* asyncDev;
35739
    WOLF_EVENT* event;
35740
35741
    if (ssl == NULL) {
35742
        return BAD_FUNC_ARG;
35743
    }
35744
35745
    /* check for pending async */
35746
    asyncDev = ssl->asyncDev;
35747
    if (asyncDev) {
35748
        /* grab event pointer */
35749
        event = &asyncDev->event;
35750
35751
        ret = wolfAsync_EventPop(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL);
35752
        if (ret != WC_NOT_PENDING_E && ret != WC_PENDING_E) {
35753
35754
            /* advance key share state if doesn't need called again */
35755
            if (state && (asyncDev->event.flags & WC_ASYNC_FLAG_CALL_AGAIN) == 0) {
35756
                (*state)++;
35757
            }
35758
35759
            /* clear event */
35760
            XMEMSET(&asyncDev->event, 0, sizeof(WOLF_EVENT));
35761
35762
            /* clear async dev */
35763
            ssl->asyncDev = NULL;
35764
        }
35765
    }
35766
    else {
35767
        ret = WC_NOT_PENDING_E;
35768
    }
35769
35770
    WOLFSSL_LEAVE("wolfSSL_AsyncPop", ret);
35771
35772
    return ret;
35773
}
35774
35775
int wolfSSL_AsyncInit(WOLFSSL* ssl, WC_ASYNC_DEV* asyncDev, word32 flags)
35776
{
35777
    int ret;
35778
    WOLF_EVENT* event;
35779
35780
    if (ssl == NULL || asyncDev == NULL) {
35781
        return BAD_FUNC_ARG;
35782
    }
35783
35784
    /* grab event pointer */
35785
    event = &asyncDev->event;
35786
35787
    /* init event */
35788
    ret = wolfAsync_EventInit(event, WOLF_EVENT_TYPE_ASYNC_WOLFSSL, ssl, flags);
35789
35790
    WOLFSSL_LEAVE("wolfSSL_AsyncInit", ret);
35791
35792
    return ret;
35793
}
35794
35795
int wolfSSL_AsyncPush(WOLFSSL* ssl, WC_ASYNC_DEV* asyncDev)
35796
{
35797
    int ret;
35798
    WOLF_EVENT* event;
35799
35800
    if (ssl == NULL || asyncDev == NULL) {
35801
        return BAD_FUNC_ARG;
35802
    }
35803
35804
    /* grab event pointer */
35805
    event = &asyncDev->event;
35806
35807
    /* store reference to active async operation */
35808
    ssl->asyncDev = asyncDev;
35809
35810
    /* place event into queue */
35811
    ret = wolfAsync_EventQueuePush(&ssl->ctx->event_queue, event);
35812
35813
    /* success means return WC_PENDING_E */
35814
    if (ret == 0) {
35815
        ret = WC_PENDING_E;
35816
    }
35817
35818
    WOLFSSL_LEAVE("wolfSSL_AsyncPush", ret);
35819
35820
    return ret;
35821
}
35822
35823
#endif /* WOLFSSL_ASYNC_CRYPT */
35824
35825
35826
/**
35827
 * Return the max fragment size. This is essentially the maximum
35828
 * fragment_length available.
35829
 * @param ssl         WOLFSSL object containing ciphersuite information.
35830
 * @param maxFragment The amount of space we want to check is available. This
35831
 *                    is only the fragment length WITHOUT the (D)TLS headers.
35832
 * @return            Max fragment size
35833
 */
35834
int wolfSSL_GetMaxFragSize(WOLFSSL* ssl, int maxFragment)
35835
0
{
35836
0
    (void) ssl; /* Avoid compiler warnings */
35837
35838
0
    if (maxFragment > MAX_RECORD_SIZE) {
35839
0
        maxFragment = MAX_RECORD_SIZE;
35840
0
    }
35841
35842
#ifdef HAVE_MAX_FRAGMENT
35843
    if ((ssl->max_fragment != 0) && ((word16)maxFragment > ssl->max_fragment)) {
35844
        maxFragment = ssl->max_fragment;
35845
    }
35846
#endif /* HAVE_MAX_FRAGMENT */
35847
#ifdef WOLFSSL_DTLS
35848
    if (IsDtlsNotSctpMode(ssl)) {
35849
        int outputSz, mtuSz;
35850
35851
        /* Given a input buffer size of maxFragment, how big will the
35852
         * encrypted output be? */
35853
        if (IsEncryptionOn(ssl, 1)) {
35854
            outputSz = BuildMessage(ssl, NULL, 0, NULL,
35855
                    maxFragment + DTLS_HANDSHAKE_HEADER_SZ,
35856
                    application_data, 0, 1, 0, CUR_ORDER);
35857
        }
35858
        else {
35859
            outputSz = maxFragment + DTLS_RECORD_HEADER_SZ +
35860
                    DTLS_HANDSHAKE_HEADER_SZ;
35861
        }
35862
35863
        /* Readjust maxFragment for MTU size. */
35864
        #if defined(WOLFSSL_DTLS_MTU)
35865
            mtuSz = ssl->dtlsMtuSz;
35866
        #else
35867
            mtuSz = MAX_MTU;
35868
        #endif
35869
        maxFragment = ModifyForMTU(ssl, maxFragment, outputSz, mtuSz);
35870
    }
35871
#endif
35872
35873
0
    return maxFragment;
35874
0
}
35875
35876
#if defined(WOLFSSL_IOTSAFE) && defined(HAVE_PK_CALLBACKS)
35877
35878
IOTSAFE *wolfSSL_get_iotsafe_ctx(WOLFSSL *ssl)
35879
{
35880
    if (ssl == NULL)
35881
        return NULL;
35882
    return &ssl->iotsafe;
35883
35884
}
35885
35886
int wolfSSL_set_iotsafe_ctx(WOLFSSL *ssl, IOTSAFE *iotsafe)
35887
{
35888
    if ((ssl == NULL) || (iotsafe == NULL))
35889
        return BAD_FUNC_ARG;
35890
    XMEMCPY(&ssl->iotsafe, iotsafe, sizeof(IOTSAFE));
35891
    return 0;
35892
}
35893
35894
#endif
35895
35896
#if defined(OPENSSL_ALL) && !defined(NO_FILESYSTEM) && !defined(NO_WOLFSSL_DIR)
35897
/* create an instance of WOLFSSL_BY_DIR_HASH structure */
35898
WOLFSSL_BY_DIR_HASH* wolfSSL_BY_DIR_HASH_new(void)
35899
0
{
35900
0
    WOLFSSL_BY_DIR_HASH* dir_hash;
35901
35902
0
    WOLFSSL_ENTER("wolfSSL_BY_DIR_HASH_new");
35903
35904
0
    dir_hash = (WOLFSSL_BY_DIR_HASH*)XMALLOC(sizeof(WOLFSSL_BY_DIR_HASH), NULL,
35905
0
        DYNAMIC_TYPE_OPENSSL);
35906
0
    if (dir_hash) {
35907
0
        XMEMSET(dir_hash, 0, sizeof(WOLFSSL_BY_DIR_HASH));
35908
0
    }
35909
0
    return dir_hash;
35910
0
}
35911
/* release a WOLFSSL_BY_DIR_HASH resource */
35912
void wolfSSL_BY_DIR_HASH_free(WOLFSSL_BY_DIR_HASH* dir_hash)
35913
0
{
35914
0
    if (dir_hash == NULL)
35915
0
        return;
35916
35917
0
    XFREE(dir_hash, NULL, DYNAMIC_TYPE_OPENSSL);
35918
0
}
35919
/* create an instance of WOLFSSL_STACK for STACK_TYPE_BY_DIR_hash */
35920
WOLFSSL_STACK* wolfSSL_sk_BY_DIR_HASH_new_null(void)
35921
0
{
35922
0
    WOLFSSL_STACK* sk = wolfSSL_sk_new_node(NULL);
35923
35924
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_new_null");
35925
35926
0
    if (sk) {
35927
0
        sk->type = STACK_TYPE_BY_DIR_hash;
35928
0
    }
35929
0
    return sk;
35930
0
}
35931
35932
/* returns value less than 0 on fail to match
35933
 * On a successful match the priority level found is returned
35934
 */
35935
int wolfSSL_sk_BY_DIR_HASH_find(
35936
   WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH)* sk, const WOLFSSL_BY_DIR_HASH* toFind)
35937
0
{
35938
0
    WOLFSSL_STACK* next;
35939
0
    int i, sz;
35940
35941
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_find");
35942
35943
0
    if (sk == NULL || toFind == NULL) {
35944
0
        return WOLFSSL_FAILURE;
35945
0
    }
35946
35947
0
    sz   = wolfSSL_sk_BY_DIR_HASH_num(sk);
35948
0
    next = sk;
35949
0
    for (i = 0; i < sz && next != NULL; i++) {
35950
0
        if (next->data.dir_hash->hash_value == toFind->hash_value) {
35951
0
            return sz - i; /* reverse because stack pushed highest on first */
35952
0
        }
35953
0
        next = next->next;
35954
0
    }
35955
0
    return -1;
35956
0
}
35957
/* return a number of WOLFSSL_BY_DIR_HASH in stack */
35958
int wolfSSL_sk_BY_DIR_HASH_num(const WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH) *sk)
35959
0
{
35960
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_num");
35961
35962
0
    if (sk == NULL)
35963
0
        return -1;
35964
0
    return (int)sk->num;
35965
0
}
35966
/* return WOLFSSL_BY_DIR_HASH instance at i */
35967
WOLFSSL_BY_DIR_HASH* wolfSSL_sk_BY_DIR_HASH_value(
35968
                        const WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH) *sk, int i)
35969
0
{
35970
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_value");
35971
35972
0
    for (; sk != NULL && i > 0; i--)
35973
0
        sk = sk->next;
35974
35975
0
    if (i != 0 || sk == NULL)
35976
0
        return NULL;
35977
0
    return sk->data.dir_hash;
35978
0
}
35979
/* pop WOLFSSL_BY_DIR_HASH instance, and remove its node from stack */
35980
WOLFSSL_BY_DIR_HASH* wolfSSL_sk_BY_DIR_HASH_pop(
35981
                                WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH)* sk)
35982
0
{
35983
0
    WOLFSSL_STACK* node;
35984
0
    WOLFSSL_BY_DIR_HASH* hash;
35985
35986
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_pop");
35987
35988
0
    if (sk == NULL) {
35989
0
        return NULL;
35990
0
    }
35991
35992
0
    node = sk->next;
35993
0
    hash = sk->data.dir_hash;
35994
35995
0
    if (node != NULL) { /* update sk and remove node from stack */
35996
0
        sk->data.dir_hash = node->data.dir_hash;
35997
0
        sk->next = node->next;
35998
0
        wolfSSL_sk_free_node(node);
35999
0
    }
36000
0
    else { /* last x509 in stack */
36001
0
        sk->data.dir_hash = NULL;
36002
0
    }
36003
36004
0
    if (sk->num > 0) {
36005
0
        sk->num -= 1;
36006
0
    }
36007
36008
0
    return hash;
36009
0
}
36010
/* release all contents in stack, and then release stack itself. */
36011
/* Second argument is a function pointer to release resouces.    */
36012
/* It calls the function to release resouces when t is passed    */
36013
/* instead of wolfSSL_BY_DIR_HASH_free().                        */
36014
void wolfSSL_sk_BY_DIR_HASH_pop_free(WOLF_STACK_OF(BY_DIR_HASH)* sk,
36015
    void (*f) (WOLFSSL_BY_DIR_HASH*))
36016
0
{
36017
0
    WOLFSSL_STACK* node;
36018
36019
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_pop_free");
36020
36021
0
    if (sk == NULL) {
36022
0
        return;
36023
0
    }
36024
36025
    /* parse through stack freeing each node */
36026
0
    node = sk->next;
36027
0
    while (node && sk->num > 1) {
36028
0
        WOLFSSL_STACK* tmp = node;
36029
0
        node = node->next;
36030
36031
0
        if (f)
36032
0
            f(tmp->data.dir_hash);
36033
0
        else
36034
0
            wolfSSL_BY_DIR_HASH_free(tmp->data.dir_hash);
36035
0
        tmp->data.dir_hash = NULL;
36036
0
        XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL);
36037
0
        sk->num -= 1;
36038
0
    }
36039
36040
    /* free head of stack */
36041
0
    if (sk->num == 1) {
36042
0
        if (f)
36043
0
            f(sk->data.dir_hash);
36044
0
        else
36045
0
            wolfSSL_BY_DIR_HASH_free(sk->data.dir_hash);
36046
0
        sk->data.dir_hash = NULL;
36047
0
    }
36048
0
    XFREE(sk, NULL, DYNAMIC_TYPE_OPENSSL);
36049
0
}
36050
/* release all contents in stack, and then release stack itself */
36051
void wolfSSL_sk_BY_DIR_HASH_free(WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH) *sk)
36052
0
{
36053
0
    wolfSSL_sk_BY_DIR_HASH_pop_free(sk, NULL);
36054
0
}
36055
/* Adds the WOLFSSL_BY_DIR_HASH to the stack "sk". "sk" takes control of "in" and
36056
 * tries to free it when the stack is free'd.
36057
 *
36058
 * return 1 on success 0 on fail
36059
 */
36060
int wolfSSL_sk_BY_DIR_HASH_push(WOLF_STACK_OF(WOLFSSL_BY_DIR_HASH)* sk,
36061
                                               WOLFSSL_BY_DIR_HASH* in)
36062
0
{
36063
0
    WOLFSSL_STACK* node;
36064
36065
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_HASH_push");
36066
36067
0
    if (sk == NULL || in == NULL) {
36068
0
        return WOLFSSL_FAILURE;
36069
0
    }
36070
36071
    /* no previous values in stack */
36072
0
    if (sk->data.dir_hash == NULL) {
36073
0
        sk->data.dir_hash = in;
36074
0
        sk->num += 1;
36075
0
        return WOLFSSL_SUCCESS;
36076
0
    }
36077
36078
    /* stack already has value(s) create a new node and add more */
36079
0
    node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL,
36080
0
            DYNAMIC_TYPE_OPENSSL);
36081
0
    if (node == NULL) {
36082
0
        WOLFSSL_MSG("Memory error");
36083
0
        return WOLFSSL_FAILURE;
36084
0
    }
36085
0
    XMEMSET(node, 0, sizeof(WOLFSSL_STACK));
36086
36087
    /* push new obj onto head of stack */
36088
0
    node->data.dir_hash    = sk->data.dir_hash;
36089
0
    node->next             = sk->next;
36090
0
    node->type             = sk->type;
36091
0
    sk->next               = node;
36092
0
    sk->data.dir_hash      = in;
36093
0
    sk->num                += 1;
36094
36095
0
    return WOLFSSL_SUCCESS;
36096
0
}
36097
/* create an instance of WOLFSSL_BY_DIR_entry structure */
36098
WOLFSSL_BY_DIR_entry* wolfSSL_BY_DIR_entry_new(void)
36099
0
{
36100
0
    WOLFSSL_BY_DIR_entry* entry;
36101
36102
0
    WOLFSSL_ENTER("wolfSSL_BY_DIR_entry_new");
36103
36104
0
    entry = (WOLFSSL_BY_DIR_entry*)XMALLOC(sizeof(WOLFSSL_BY_DIR_entry), NULL,
36105
0
        DYNAMIC_TYPE_OPENSSL);
36106
36107
0
    if (entry) {
36108
0
        XMEMSET(entry, 0, sizeof(WOLFSSL_BY_DIR_entry));
36109
0
    }
36110
0
    return entry;
36111
0
}
36112
/* release a WOLFSSL_BY_DIR_entry resource */
36113
void wolfSSL_BY_DIR_entry_free(WOLFSSL_BY_DIR_entry* entry)
36114
0
{
36115
0
    WOLFSSL_ENTER("wolfSSL_BY_DIR_entry_free");
36116
36117
0
    if (entry == NULL)
36118
0
        return;
36119
36120
0
    if (entry->hashes) {
36121
0
        wolfSSL_sk_BY_DIR_HASH_free(entry->hashes);
36122
0
    }
36123
36124
0
    if (entry->dir_name != NULL) {
36125
0
        XFREE(entry->dir_name, NULL, DYNAMIC_TYPE_OPENSSL);
36126
0
    }
36127
36128
0
    XFREE(entry, NULL, DYNAMIC_TYPE_OPENSSL);
36129
0
}
36130
36131
WOLFSSL_STACK* wolfSSL_sk_BY_DIR_entry_new_null(void)
36132
0
{
36133
0
    WOLFSSL_STACK* sk = wolfSSL_sk_new_node(NULL);
36134
36135
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_new_null");
36136
36137
0
    if (sk) {
36138
0
        sk->type = STACK_TYPE_BY_DIR_entry;
36139
0
    }
36140
0
    return sk;
36141
0
}
36142
/* return a number of WOLFSSL_BY_DIR_entry in stack */
36143
int wolfSSL_sk_BY_DIR_entry_num(const WOLF_STACK_OF(WOLFSSL_BY_DIR_entry) *sk)
36144
0
{
36145
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_num");
36146
36147
0
    if (sk == NULL)
36148
0
        return -1;
36149
0
    return (int)sk->num;
36150
0
}
36151
/* return WOLFSSL_BY_DIR_entry instance at i */
36152
WOLFSSL_BY_DIR_entry* wolfSSL_sk_BY_DIR_entry_value(
36153
                        const WOLF_STACK_OF(WOLFSSL_BY_DIR_entry) *sk, int i)
36154
0
{
36155
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_value");
36156
36157
0
    for (; sk != NULL && i > 0; i--)
36158
0
        sk = sk->next;
36159
36160
0
    if (i != 0 || sk == NULL)
36161
0
        return NULL;
36162
0
    return sk->data.dir_entry;
36163
0
}
36164
/* pop WOLFSSL_BY_DIR_entry instance first, and remove its node from stack */
36165
WOLFSSL_BY_DIR_entry* wolfSSL_sk_BY_DIR_entry_pop(
36166
                                WOLF_STACK_OF(WOLFSSL_BY_DIR_entry)* sk)
36167
0
{
36168
0
    WOLFSSL_STACK* node;
36169
0
    WOLFSSL_BY_DIR_entry* entry;
36170
36171
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_pop");
36172
36173
0
    if (sk == NULL) {
36174
0
        return NULL;
36175
0
    }
36176
36177
0
    node = sk->next;
36178
0
    entry = sk->data.dir_entry;
36179
36180
0
    if (node != NULL) { /* update sk and remove node from stack */
36181
0
        sk->data.dir_entry = node->data.dir_entry;
36182
0
        sk->next = node->next;
36183
0
        wolfSSL_sk_free_node(node);
36184
0
    }
36185
0
    else { /* last x509 in stack */
36186
0
        sk->data.dir_entry = NULL;
36187
0
    }
36188
36189
0
    if (sk->num > 0) {
36190
0
        sk->num -= 1;
36191
0
    }
36192
36193
0
    return entry;
36194
0
}
36195
/* release all contents in stack, and then release stack itself. */
36196
/* Second argument is a function pointer to release resouces.    */
36197
/* It calls the function to release resouces when t is passed    */
36198
/* instead of wolfSSL_BY_DIR_entry_free().                       */
36199
void wolfSSL_sk_BY_DIR_entry_pop_free(WOLF_STACK_OF(WOLFSSL_BY_DIR_entry)* sk,
36200
    void (*f) (WOLFSSL_BY_DIR_entry*))
36201
0
{
36202
0
    WOLFSSL_STACK* node;
36203
36204
0
    WOLFSSL_ENTER("wolfSSL_sk_BY_DIR_entry_pop_free");
36205
36206
0
    if (sk == NULL) {
36207
0
        return;
36208
0
    }
36209
36210
    /* parse through stack freeing each node */
36211
0
    node = sk->next;
36212
0
    while (node && sk->num > 1) {
36213
0
        WOLFSSL_STACK* tmp = node;
36214
0
        node = node->next;
36215
36216
0
        if (f)
36217
0
            f(tmp->data.dir_entry);
36218
0
        else
36219
0
            wolfSSL_BY_DIR_entry_free(tmp->data.dir_entry);
36220
0
        tmp->data.dir_entry = NULL;
36221
0
        XFREE(tmp, NULL, DYNAMIC_TYPE_OPENSSL);
36222
0
        sk->num -= 1;
36223
0
    }
36224
36225
    /* free head of stack */
36226
0
    if (sk->num == 1) {
36227
0
        if (f)
36228
0
            f(sk->data.dir_entry);
36229
0
        else
36230
0
            wolfSSL_BY_DIR_entry_free(sk->data.dir_entry);
36231
0
        sk->data.dir_entry = NULL;
36232
0
    }
36233
0
    XFREE(sk, NULL, DYNAMIC_TYPE_OPENSSL);
36234
0
}
36235
/* release all contents in stack, and then release stack itself */
36236
void wolfSSL_sk_BY_DIR_entry_free(WOLF_STACK_OF(wolfSSL_BY_DIR_entry) *sk)
36237
0
{
36238
0
    wolfSSL_sk_BY_DIR_entry_pop_free(sk, NULL);
36239
0
}
36240
36241
/* Adds the wolfSSL_BY_DIR_entry to the stack "sk". "sk" takes control of "in" and
36242
 * tries to free it when the stack is free'd.
36243
 *
36244
 * return 1 on success 0 on fail
36245
 */
36246
int wolfSSL_sk_BY_DIR_entry_push(WOLF_STACK_OF(WOLFSSL_BY_DIR_entry)* sk,
36247
                                               WOLFSSL_BY_DIR_entry* in)
36248
0
{
36249
0
    WOLFSSL_STACK* node;
36250
36251
0
    if (sk == NULL || in == NULL) {
36252
0
        return WOLFSSL_FAILURE;
36253
0
    }
36254
36255
    /* no previous values in stack */
36256
0
    if (sk->data.dir_entry == NULL) {
36257
0
        sk->data.dir_entry = in;
36258
0
        sk->num += 1;
36259
0
        return WOLFSSL_SUCCESS;
36260
0
    }
36261
36262
    /* stack already has value(s) create a new node and add more */
36263
0
    node = (WOLFSSL_STACK*)XMALLOC(sizeof(WOLFSSL_STACK), NULL,
36264
0
            DYNAMIC_TYPE_OPENSSL);
36265
0
    if (node == NULL) {
36266
0
        WOLFSSL_MSG("Memory error");
36267
0
        return WOLFSSL_FAILURE;
36268
0
    }
36269
0
    XMEMSET(node, 0, sizeof(WOLFSSL_STACK));
36270
36271
    /* push new obj onto head of stack */
36272
0
    node->data.dir_entry    = sk->data.dir_entry;
36273
0
    node->next              = sk->next;
36274
0
    node->type              = sk->type;
36275
0
    sk->next                = node;
36276
0
    sk->data.dir_entry      = in;
36277
0
    sk->num                 += 1;
36278
36279
0
    return WOLFSSL_SUCCESS;
36280
0
}
36281
36282
#endif /* OPENSSL_ALL */
36283
36284
36285
#undef ERROR_OUT
36286
36287
#endif /* WOLFCRYPT_ONLY */