source: UsbWattMeter/trunk/wolfssl-3.7.0/src/tls.c@ 165

Last change on this file since 165 was 164, checked in by coas-nagasima, 6 years ago

TOPPERS/ECNLサンプルアプリ「USB充電器電力計」を追加

  • Property svn:eol-style set to native
  • Property svn:keywords set to Id
  • Property svn:mime-type set to text/x-csrc
File size: 106.1 KB
RevLine 
[164]1/* tls.c
2 *
3 * Copyright (C) 2006-2015 wolfSSL Inc.
4 *
5 * This file is part of wolfSSL. (formerly known as CyaSSL)
6 *
7 * wolfSSL is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
11 *
12 * wolfSSL is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
20 */
21
22
23#ifdef HAVE_CONFIG_H
24 #include <config.h>
25#endif
26
27#include <wolfssl/wolfcrypt/settings.h>
28
29#ifndef WOLFCRYPT_ONLY
30
31#include <wolfssl/wolfcrypt/wc_port.h>
32#include <wolfssl/ssl.h>
33#include <wolfssl/internal.h>
34#include <wolfssl/error-ssl.h>
35#include <wolfssl/wolfcrypt/hmac.h>
36#ifdef NO_INLINE
37 #include <wolfssl/wolfcrypt/misc.h>
38#else
39 #include <wolfcrypt/src/misc.c>
40#endif
41
42#ifdef HAVE_NTRU
43 #include "libntruencrypt/ntru_crypto.h"
44 #include <wolfssl/wolfcrypt/random.h>
45#endif
46#ifdef HAVE_QSH
47 static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key);
48 static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name);
49 static int TLSX_CreateNtruKey(WOLFSSL* ssl, int type);
50#endif
51
52
53#ifndef NO_TLS
54
55
56#ifdef min
57#define WOLFSSL_HAVE_MIN
58#endif
59#ifndef WOLFSSL_HAVE_MIN
60#define WOLFSSL_HAVE_MIN
61
62 static INLINE word32 min(word32 a, word32 b)
63 {
64 return a > b ? b : a;
65 }
66
67#endif /* WOLFSSL_HAVE_MIN */
68
69
70#ifdef WOLFSSL_SHA384
71 #define P_HASH_MAX_SIZE SHA384_DIGEST_SIZE
72#else
73 #define P_HASH_MAX_SIZE SHA256_DIGEST_SIZE
74#endif
75
76/* compute p_hash for MD5, SHA-1, SHA-256, or SHA-384 for TLSv1 PRF */
77static int p_hash(byte* result, word32 resLen, const byte* secret,
78 word32 secLen, const byte* seed, word32 seedLen, int hash)
79{
80 word32 len = P_HASH_MAX_SIZE;
81 word32 times;
82 word32 lastLen;
83 word32 lastTime;
84 word32 i;
85 word32 idx = 0;
86 int ret = 0;
87#ifdef WOLFSSL_SMALL_STACK
88 byte* previous;
89 byte* current;
90 Hmac* hmac;
91#else
92 byte previous[P_HASH_MAX_SIZE]; /* max size */
93 byte current[P_HASH_MAX_SIZE]; /* max size */
94 Hmac hmac[1];
95#endif
96
97#ifdef WOLFSSL_SMALL_STACK
98 previous = (byte*)XMALLOC(P_HASH_MAX_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
99 current = (byte*)XMALLOC(P_HASH_MAX_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER);
100 hmac = (Hmac*)XMALLOC(sizeof(Hmac), NULL, DYNAMIC_TYPE_TMP_BUFFER);
101
102 if (previous == NULL || current == NULL || hmac == NULL) {
103 if (previous) XFREE(previous, NULL, DYNAMIC_TYPE_TMP_BUFFER);
104 if (current) XFREE(current, NULL, DYNAMIC_TYPE_TMP_BUFFER);
105 if (hmac) XFREE(hmac, NULL, DYNAMIC_TYPE_TMP_BUFFER);
106
107 return MEMORY_E;
108 }
109#endif
110
111 switch (hash) {
112 #ifndef NO_MD5
113 case md5_mac:
114 hash = MD5;
115 len = MD5_DIGEST_SIZE;
116 break;
117 #endif
118
119 #ifndef NO_SHA256
120 case sha256_mac:
121 hash = SHA256;
122 len = SHA256_DIGEST_SIZE;
123 break;
124 #endif
125
126 #ifdef WOLFSSL_SHA384
127 case sha384_mac:
128 hash = SHA384;
129 len = SHA384_DIGEST_SIZE;
130 break;
131 #endif
132
133 #ifndef NO_SHA
134 case sha_mac:
135 default:
136 hash = SHA;
137 len = SHA_DIGEST_SIZE;
138 break;
139 #endif
140 }
141
142 times = resLen / len;
143 lastLen = resLen % len;
144
145 if (lastLen)
146 times += 1;
147
148 lastTime = times - 1;
149
150 if ((ret = wc_HmacSetKey(hmac, hash, secret, secLen)) == 0) {
151 if ((ret = wc_HmacUpdate(hmac, seed, seedLen)) == 0) { /* A0 = seed */
152 if ((ret = wc_HmacFinal(hmac, previous)) == 0) { /* A1 */
153 for (i = 0; i < times; i++) {
154 ret = wc_HmacUpdate(hmac, previous, len);
155 if (ret != 0)
156 break;
157 ret = wc_HmacUpdate(hmac, seed, seedLen);
158 if (ret != 0)
159 break;
160 ret = wc_HmacFinal(hmac, current);
161 if (ret != 0)
162 break;
163
164 if ((i == lastTime) && lastLen)
165 XMEMCPY(&result[idx], current,
166 min(lastLen, P_HASH_MAX_SIZE));
167 else {
168 XMEMCPY(&result[idx], current, len);
169 idx += len;
170 ret = wc_HmacUpdate(hmac, previous, len);
171 if (ret != 0)
172 break;
173 ret = wc_HmacFinal(hmac, previous);
174 if (ret != 0)
175 break;
176 }
177 }
178 }
179 }
180 }
181
182 ForceZero(previous, P_HASH_MAX_SIZE);
183 ForceZero(current, P_HASH_MAX_SIZE);
184 ForceZero(hmac, sizeof(Hmac));
185
186#ifdef WOLFSSL_SMALL_STACK
187 XFREE(previous, NULL, DYNAMIC_TYPE_TMP_BUFFER);
188 XFREE(current, NULL, DYNAMIC_TYPE_TMP_BUFFER);
189 XFREE(hmac, NULL, DYNAMIC_TYPE_TMP_BUFFER);
190#endif
191
192 return ret;
193}
194
195#undef P_HASH_MAX_SIZE
196
197
198#ifndef NO_OLD_TLS
199
200/* calculate XOR for TLSv1 PRF */
201static INLINE void get_xor(byte *digest, word32 digLen, byte* md5, byte* sha)
202{
203 word32 i;
204
205 for (i = 0; i < digLen; i++)
206 digest[i] = md5[i] ^ sha[i];
207}
208
209
210/* compute TLSv1 PRF (pseudo random function using HMAC) */
211static int doPRF(byte* digest, word32 digLen, const byte* secret,word32 secLen,
212 const byte* label, word32 labLen, const byte* seed,
213 word32 seedLen)
214{
215 int ret = 0;
216 word32 half = (secLen + 1) / 2;
217
218#ifdef WOLFSSL_SMALL_STACK
219 byte* md5_half;
220 byte* sha_half;
221 byte* labelSeed;
222 byte* md5_result;
223 byte* sha_result;
224#else
225 byte md5_half[MAX_PRF_HALF]; /* half is real size */
226 byte sha_half[MAX_PRF_HALF]; /* half is real size */
227 byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
228 byte md5_result[MAX_PRF_DIG]; /* digLen is real size */
229 byte sha_result[MAX_PRF_DIG]; /* digLen is real size */
230#endif
231
232 if (half > MAX_PRF_HALF)
233 return BUFFER_E;
234 if (labLen + seedLen > MAX_PRF_LABSEED)
235 return BUFFER_E;
236 if (digLen > MAX_PRF_DIG)
237 return BUFFER_E;
238
239#ifdef WOLFSSL_SMALL_STACK
240 md5_half = (byte*)XMALLOC(MAX_PRF_HALF, NULL, DYNAMIC_TYPE_TMP_BUFFER);
241 sha_half = (byte*)XMALLOC(MAX_PRF_HALF, NULL, DYNAMIC_TYPE_TMP_BUFFER);
242 labelSeed = (byte*)XMALLOC(MAX_PRF_LABSEED, NULL, DYNAMIC_TYPE_TMP_BUFFER);
243 md5_result = (byte*)XMALLOC(MAX_PRF_DIG, NULL, DYNAMIC_TYPE_TMP_BUFFER);
244 sha_result = (byte*)XMALLOC(MAX_PRF_DIG, NULL, DYNAMIC_TYPE_TMP_BUFFER);
245
246 if (md5_half == NULL || sha_half == NULL || labelSeed == NULL ||
247 md5_result == NULL || sha_result == NULL) {
248 if (md5_half) XFREE(md5_half, NULL, DYNAMIC_TYPE_TMP_BUFFER);
249 if (sha_half) XFREE(sha_half, NULL, DYNAMIC_TYPE_TMP_BUFFER);
250 if (labelSeed) XFREE(labelSeed, NULL, DYNAMIC_TYPE_TMP_BUFFER);
251 if (md5_result) XFREE(md5_result, NULL, DYNAMIC_TYPE_TMP_BUFFER);
252 if (sha_result) XFREE(sha_result, NULL, DYNAMIC_TYPE_TMP_BUFFER);
253
254 return MEMORY_E;
255 }
256#endif
257
258 XMEMSET(md5_result, 0, digLen);
259 XMEMSET(sha_result, 0, digLen);
260
261 XMEMCPY(md5_half, secret, half);
262 XMEMCPY(sha_half, secret + half - secLen % 2, half);
263
264 XMEMCPY(labelSeed, label, labLen);
265 XMEMCPY(labelSeed + labLen, seed, seedLen);
266
267 if ((ret = p_hash(md5_result, digLen, md5_half, half, labelSeed,
268 labLen + seedLen, md5_mac)) == 0) {
269 if ((ret = p_hash(sha_result, digLen, sha_half, half, labelSeed,
270 labLen + seedLen, sha_mac)) == 0) {
271 get_xor(digest, digLen, md5_result, sha_result);
272 }
273 }
274
275#ifdef WOLFSSL_SMALL_STACK
276 XFREE(md5_half, NULL, DYNAMIC_TYPE_TMP_BUFFER);
277 XFREE(sha_half, NULL, DYNAMIC_TYPE_TMP_BUFFER);
278 XFREE(labelSeed, NULL, DYNAMIC_TYPE_TMP_BUFFER);
279 XFREE(md5_result, NULL, DYNAMIC_TYPE_TMP_BUFFER);
280 XFREE(sha_result, NULL, DYNAMIC_TYPE_TMP_BUFFER);
281#endif
282
283 return ret;
284}
285
286#endif
287
288
289/* Wrapper to call straight thru to p_hash in TSL 1.2 cases to remove stack
290 use */
291static int PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen,
292 const byte* label, word32 labLen, const byte* seed, word32 seedLen,
293 int useAtLeastSha256, int hash_type)
294{
295 int ret = 0;
296
297 if (useAtLeastSha256) {
298#ifdef WOLFSSL_SMALL_STACK
299 byte* labelSeed;
300#else
301 byte labelSeed[MAX_PRF_LABSEED]; /* labLen + seedLen is real size */
302#endif
303
304 if (labLen + seedLen > MAX_PRF_LABSEED)
305 return BUFFER_E;
306
307#ifdef WOLFSSL_SMALL_STACK
308 labelSeed = (byte*)XMALLOC(MAX_PRF_LABSEED, NULL,
309 DYNAMIC_TYPE_TMP_BUFFER);
310 if (labelSeed == NULL)
311 return MEMORY_E;
312#endif
313
314 XMEMCPY(labelSeed, label, labLen);
315 XMEMCPY(labelSeed + labLen, seed, seedLen);
316
317 /* If a cipher suite wants an algorithm better than sha256, it
318 * should use better. */
319 if (hash_type < sha256_mac || hash_type == blake2b_mac)
320 hash_type = sha256_mac;
321 ret = p_hash(digest, digLen, secret, secLen, labelSeed,
322 labLen + seedLen, hash_type);
323
324#ifdef WOLFSSL_SMALL_STACK
325 XFREE(labelSeed, NULL, DYNAMIC_TYPE_TMP_BUFFER);
326#endif
327 }
328#ifndef NO_OLD_TLS
329 else {
330 ret = doPRF(digest, digLen, secret, secLen, label, labLen, seed,
331 seedLen);
332 }
333#endif
334
335 return ret;
336}
337
338
339#ifdef WOLFSSL_SHA384
340 #define HSHASH_SZ SHA384_DIGEST_SIZE
341#else
342 #define HSHASH_SZ FINISHED_SZ
343#endif
344
345
346int BuildTlsFinished(WOLFSSL* ssl, Hashes* hashes, const byte* sender)
347{
348 const byte* side;
349 byte handshake_hash[HSHASH_SZ];
350 word32 hashSz = FINISHED_SZ;
351
352#ifndef NO_OLD_TLS
353 wc_Md5GetHash(&ssl->hsHashes->hashMd5, handshake_hash);
354 wc_ShaGetHash(&ssl->hsHashes->hashSha, &handshake_hash[MD5_DIGEST_SIZE]);
355#endif
356
357 if (IsAtLeastTLSv1_2(ssl)) {
358#ifndef NO_SHA256
359 if (ssl->specs.mac_algorithm <= sha256_mac || ssl->specs.mac_algorithm == blake2b_mac) {
360 int ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256,handshake_hash);
361
362 if (ret != 0)
363 return ret;
364
365 hashSz = SHA256_DIGEST_SIZE;
366 }
367#endif
368#ifdef WOLFSSL_SHA384
369 if (ssl->specs.mac_algorithm == sha384_mac) {
370 int ret = wc_Sha384Final(&ssl->hsHashes->hashSha384,handshake_hash);
371
372 if (ret != 0)
373 return ret;
374
375 hashSz = SHA384_DIGEST_SIZE;
376 }
377#endif
378 }
379
380 if ( XSTRNCMP((const char*)sender, (const char*)client, SIZEOF_SENDER) == 0)
381 side = tls_client;
382 else
383 side = tls_server;
384
385 return PRF((byte*)hashes, TLS_FINISHED_SZ, ssl->arrays->masterSecret,
386 SECRET_LEN, side, FINISHED_LABEL_SZ, handshake_hash, hashSz,
387 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
388}
389
390
391#ifndef NO_OLD_TLS
392
393ProtocolVersion MakeTLSv1(void)
394{
395 ProtocolVersion pv;
396 pv.major = SSLv3_MAJOR;
397 pv.minor = TLSv1_MINOR;
398
399 return pv;
400}
401
402
403ProtocolVersion MakeTLSv1_1(void)
404{
405 ProtocolVersion pv;
406 pv.major = SSLv3_MAJOR;
407 pv.minor = TLSv1_1_MINOR;
408
409 return pv;
410}
411
412#endif
413
414
415ProtocolVersion MakeTLSv1_2(void)
416{
417 ProtocolVersion pv;
418 pv.major = SSLv3_MAJOR;
419 pv.minor = TLSv1_2_MINOR;
420
421 return pv;
422}
423
424
425static const byte master_label[MASTER_LABEL_SZ + 1] = "master secret";
426static const byte key_label [KEY_LABEL_SZ + 1] = "key expansion";
427
428
429/* External facing wrapper so user can call as well, 0 on success */
430int wolfSSL_DeriveTlsKeys(byte* key_data, word32 keyLen,
431 const byte* ms, word32 msLen,
432 const byte* sr, const byte* cr,
433 int tls1_2, int hash_type)
434{
435 byte seed[SEED_LEN];
436
437 XMEMCPY(seed, sr, RAN_LEN);
438 XMEMCPY(seed + RAN_LEN, cr, RAN_LEN);
439
440 return PRF(key_data, keyLen, ms, msLen, key_label, KEY_LABEL_SZ,
441 seed, SEED_LEN, tls1_2, hash_type);
442}
443
444
445int DeriveTlsKeys(WOLFSSL* ssl)
446{
447 int ret;
448 int length = 2 * ssl->specs.hash_size +
449 2 * ssl->specs.key_size +
450 2 * ssl->specs.iv_size;
451#ifdef WOLFSSL_SMALL_STACK
452 byte* key_data;
453#else
454 byte key_data[MAX_PRF_DIG];
455#endif
456
457#ifdef WOLFSSL_SMALL_STACK
458 key_data = (byte*)XMALLOC(MAX_PRF_DIG, NULL, DYNAMIC_TYPE_TMP_BUFFER);
459 if (key_data == NULL) {
460 return MEMORY_E;
461 }
462#endif
463
464 ret = wolfSSL_DeriveTlsKeys(key_data, length,
465 ssl->arrays->masterSecret, SECRET_LEN,
466 ssl->arrays->serverRandom, ssl->arrays->clientRandom,
467 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
468 if (ret == 0)
469 ret = StoreKeys(ssl, key_data);
470
471#ifdef WOLFSSL_SMALL_STACK
472 XFREE(key_data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
473#endif
474
475 return ret;
476}
477
478
479/* External facing wrapper so user can call as well, 0 on success */
480int wolfSSL_MakeTlsMasterSecret(byte* ms, word32 msLen,
481 const byte* pms, word32 pmsLen,
482 const byte* cr, const byte* sr,
483 int tls1_2, int hash_type)
484{
485 byte seed[SEED_LEN];
486
487 XMEMCPY(seed, cr, RAN_LEN);
488 XMEMCPY(seed + RAN_LEN, sr, RAN_LEN);
489
490 return PRF(ms, msLen, pms, pmsLen, master_label, MASTER_LABEL_SZ,
491 seed, SEED_LEN, tls1_2, hash_type);
492}
493
494
495int MakeTlsMasterSecret(WOLFSSL* ssl)
496{
497 int ret;
498
499 ret = wolfSSL_MakeTlsMasterSecret(ssl->arrays->masterSecret, SECRET_LEN,
500 ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
501 ssl->arrays->clientRandom, ssl->arrays->serverRandom,
502 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
503
504 if (ret == 0) {
505 #ifdef SHOW_SECRETS
506 int i;
507
508 printf("master secret: ");
509 for (i = 0; i < SECRET_LEN; i++)
510 printf("%02x", ssl->arrays->masterSecret[i]);
511 printf("\n");
512 #endif
513
514 ret = DeriveTlsKeys(ssl);
515 }
516
517 return ret;
518}
519
520
521/* Used by EAP-TLS and EAP-TTLS to derive keying material from
522 * the master_secret. */
523int wolfSSL_make_eap_keys(WOLFSSL* ssl, void* msk, unsigned int len,
524 const char* label)
525{
526 int ret;
527#ifdef WOLFSSL_SMALL_STACK
528 byte* seed;
529#else
530 byte seed[SEED_LEN];
531#endif
532
533#ifdef WOLFSSL_SMALL_STACK
534 seed = (byte*)XMALLOC(SEED_LEN, NULL, DYNAMIC_TYPE_TMP_BUFFER);
535 if (seed == NULL)
536 return MEMORY_E;
537#endif
538
539 /*
540 * As per RFC-5281, the order of the client and server randoms is reversed
541 * from that used by the TLS protocol to derive keys.
542 */
543 XMEMCPY(seed, ssl->arrays->clientRandom, RAN_LEN);
544 XMEMCPY(seed + RAN_LEN, ssl->arrays->serverRandom, RAN_LEN);
545
546 ret = PRF((byte*)msk, len, ssl->arrays->masterSecret, SECRET_LEN,
547 (const byte *)label, (word32)strlen(label), seed, SEED_LEN,
548 IsAtLeastTLSv1_2(ssl), ssl->specs.mac_algorithm);
549
550#ifdef WOLFSSL_SMALL_STACK
551 XFREE(seed, NULL, DYNAMIC_TYPE_TMP_BUFFER);
552#endif
553
554 return ret;
555}
556
557
558/*** next for static INLINE s copied internal.c ***/
559
560/* convert 16 bit integer to opaque */
561static INLINE void c16toa(word16 u16, byte* c)
562{
563 c[0] = (u16 >> 8) & 0xff;
564 c[1] = u16 & 0xff;
565}
566
567#ifdef HAVE_TLS_EXTENSIONS
568/* convert opaque to 16 bit integer */
569static INLINE void ato16(const byte* c, word16* u16)
570{
571 *u16 = (c[0] << 8) | (c[1]);
572}
573
574#if defined(HAVE_SNI) && !defined(NO_WOLFSSL_SERVER)
575/* convert a 24 bit integer into a 32 bit one */
576static INLINE void c24to32(const word24 u24, word32* u32)
577{
578 *u32 = (u24[0] << 16) | (u24[1] << 8) | u24[2];
579}
580#endif
581#endif
582
583/* convert 32 bit integer to opaque */
584static INLINE void c32toa(word32 u32, byte* c)
585{
586 c[0] = (u32 >> 24) & 0xff;
587 c[1] = (u32 >> 16) & 0xff;
588 c[2] = (u32 >> 8) & 0xff;
589 c[3] = u32 & 0xff;
590}
591
592
593static INLINE word32 GetSEQIncrement(WOLFSSL* ssl, int verify)
594{
595#ifdef WOLFSSL_DTLS
596 if (ssl->options.dtls) {
597 if (verify)
598 return ssl->keys.dtls_state.curSeq; /* explicit from peer */
599 else
600 return ssl->keys.dtls_sequence_number - 1; /* already incremented */
601 }
602#endif
603 if (verify)
604 return ssl->keys.peer_sequence_number++;
605 else
606 return ssl->keys.sequence_number++;
607}
608
609
610#ifdef WOLFSSL_DTLS
611
612static INLINE word32 GetEpoch(WOLFSSL* ssl, int verify)
613{
614 if (verify)
615 return ssl->keys.dtls_state.curEpoch;
616 else
617 return ssl->keys.dtls_epoch;
618}
619
620#endif /* WOLFSSL_DTLS */
621
622
623/*** end copy ***/
624
625
626/* return HMAC digest type in wolfSSL format */
627int wolfSSL_GetHmacType(WOLFSSL* ssl)
628{
629 if (ssl == NULL)
630 return BAD_FUNC_ARG;
631
632 switch (ssl->specs.mac_algorithm) {
633 #ifndef NO_MD5
634 case md5_mac:
635 {
636 return MD5;
637 }
638 #endif
639 #ifndef NO_SHA256
640 case sha256_mac:
641 {
642 return SHA256;
643 }
644 #endif
645 #ifdef WOLFSSL_SHA384
646 case sha384_mac:
647 {
648 return SHA384;
649 }
650
651 #endif
652 #ifndef NO_SHA
653 case sha_mac:
654 {
655 return SHA;
656 }
657 #endif
658 #ifdef HAVE_BLAKE2
659 case blake2b_mac:
660 {
661 return BLAKE2B_ID;
662 }
663 #endif
664 default:
665 {
666 return SSL_FATAL_ERROR;
667 }
668 }
669}
670
671
672int wolfSSL_SetTlsHmacInner(WOLFSSL* ssl, byte* inner, word32 sz, int content,
673 int verify)
674{
675 if (ssl == NULL || inner == NULL)
676 return BAD_FUNC_ARG;
677
678 XMEMSET(inner, 0, WOLFSSL_TLS_HMAC_INNER_SZ);
679
680#ifdef WOLFSSL_DTLS
681 if (ssl->options.dtls)
682 c16toa((word16)GetEpoch(ssl, verify), inner);
683#endif
684 c32toa(GetSEQIncrement(ssl, verify), &inner[sizeof(word32)]);
685 inner[SEQ_SZ] = (byte)content;
686 inner[SEQ_SZ + ENUM_LEN] = ssl->version.major;
687 inner[SEQ_SZ + ENUM_LEN + ENUM_LEN] = ssl->version.minor;
688 c16toa((word16)sz, inner + SEQ_SZ + ENUM_LEN + VERSION_SZ);
689
690 return 0;
691}
692
693
694/* TLS type HMAC */
695int TLS_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
696 int content, int verify)
697{
698 Hmac hmac;
699 int ret;
700 byte myInner[WOLFSSL_TLS_HMAC_INNER_SZ];
701
702 if (ssl == NULL)
703 return BAD_FUNC_ARG;
704
705#ifdef HAVE_FUZZER
706 if (ssl->fuzzerCb)
707 ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx);
708#endif
709
710 wolfSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify);
711
712 ret = wc_HmacSetKey(&hmac, wolfSSL_GetHmacType(ssl),
713 wolfSSL_GetMacSecret(ssl, verify), ssl->specs.hash_size);
714 if (ret != 0)
715 return ret;
716 ret = wc_HmacUpdate(&hmac, myInner, sizeof(myInner));
717 if (ret != 0)
718 return ret;
719 ret = wc_HmacUpdate(&hmac, in, sz); /* content */
720 if (ret != 0)
721 return ret;
722 ret = wc_HmacFinal(&hmac, digest);
723 if (ret != 0)
724 return ret;
725
726 return 0;
727}
728
729#ifdef HAVE_TLS_EXTENSIONS
730
731/**
732 * The TLSX semaphore is used to calculate the size of the extensions to be sent
733 * from one peer to another.
734 */
735
736/** Supports up to 64 flags. Increase as needed. */
737#define SEMAPHORE_SIZE 8
738
739/**
740 * Converts the extension type (id) to an index in the semaphore.
741 *
742 * Oficial reference for TLS extension types:
743 * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xml
744 *
745 * Motivation:
746 * Previously, we used the extension type itself as the index of that
747 * extension in the semaphore as the extension types were declared
748 * sequentially, but maintain a semaphore as big as the number of available
749 * extensions is no longer an option since the release of renegotiation_info.
750 *
751 * How to update:
752 * Assign extension types that extrapolate the number of available semaphores
753 * to the first available index going backwards in the semaphore array.
754 * When adding a new extension type that don't extrapolate the number of
755 * available semaphores, check for a possible collision with with a
756 * 'remapped' extension type.
757 */
758static INLINE word16 TLSX_ToSemaphore(word16 type)
759{
760 switch (type) {
761
762 case SECURE_RENEGOTIATION: /* 0xFF01 */
763 return 63;
764
765 default:
766 if (type > 62) {
767 /* This message SHOULD only happens during the adding of
768 new TLS extensions in which its IANA number overflows
769 the current semaphore's range, or if its number already
770 is assigned to be used by another extension.
771 Use this check value for the new extension and decrement
772 the check value by one. */
773 WOLFSSL_MSG("### TLSX semaphore colision or overflow detected!");
774 }
775 }
776
777 return type;
778}
779
780/** Checks if a specific light (tls extension) is not set in the semaphore. */
781#define IS_OFF(semaphore, light) \
782 ((semaphore)[(light) / 8] ^ (byte) (0x01 << ((light) % 8)))
783
784/** Turn on a specific light (tls extension) in the semaphore. */
785#define TURN_ON(semaphore, light) \
786 ((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8)))
787
788/** Creates a new extension. */
789static TLSX* TLSX_New(TLSX_Type type, void* data)
790{
791 TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), 0, DYNAMIC_TYPE_TLSX);
792
793 if (extension) {
794 extension->type = type;
795 extension->data = data;
796 extension->resp = 0;
797 extension->next = NULL;
798 }
799
800 return extension;
801}
802
803/**
804 * Creates a new extension and pushes it to the provided list.
805 * Checks for duplicate extensions, keeps the newest.
806 */
807static int TLSX_Push(TLSX** list, TLSX_Type type, void* data)
808{
809 TLSX* extension = TLSX_New(type, data);
810
811 if (extension == NULL)
812 return MEMORY_E;
813
814 /* pushes the new extension on the list. */
815 extension->next = *list;
816 *list = extension;
817
818 /* remove duplicate extensions, there should be only one of each type. */
819 do {
820 if (extension->next && extension->next->type == type) {
821 TLSX *next = extension->next;
822
823 extension->next = next->next;
824 next->next = NULL;
825
826 TLSX_FreeAll(next);
827
828 /* there is no way to occur more than */
829 /* two extensions of the same type. */
830 break;
831 }
832 } while ((extension = extension->next));
833
834 return 0;
835}
836
837#ifndef NO_WOLFSSL_SERVER
838
839/** Mark an extension to be sent back to the client. */
840void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type);
841
842void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type)
843{
844 TLSX *ext = TLSX_Find(ssl->extensions, type);
845
846 if (ext)
847 ext->resp = 1;
848}
849
850#endif
851
852
853#ifdef HAVE_ALPN
854/** Creates a new ALPN object, providing protocol name to use. */
855static ALPN* TLSX_ALPN_New(char *protocol_name, word16 protocol_nameSz)
856{
857 ALPN *alpn;
858
859 WOLFSSL_ENTER("TLSX_ALPN_New");
860
861 if (protocol_name == NULL ||
862 protocol_nameSz > WOLFSSL_MAX_ALPN_PROTO_NAME_LEN) {
863 WOLFSSL_MSG("Invalid arguments");
864 return NULL;
865 }
866
867 alpn = (ALPN*)XMALLOC(sizeof(ALPN), 0, DYNAMIC_TYPE_TLSX);
868 if (alpn == NULL) {
869 WOLFSSL_MSG("Memory failure");
870 return NULL;
871 }
872
873 alpn->next = NULL;
874 alpn->negociated = 0;
875 alpn->options = 0;
876
877 alpn->protocol_name = XMALLOC(protocol_nameSz + 1, 0, DYNAMIC_TYPE_TLSX);
878 if (alpn->protocol_name == NULL) {
879 WOLFSSL_MSG("Memory failure");
880 XFREE(alpn, 0, DYNAMIC_TYPE_TLSX);
881 return NULL;
882 }
883
884 XMEMCPY(alpn->protocol_name, protocol_name, protocol_nameSz);
885 alpn->protocol_name[protocol_nameSz] = 0;
886
887 return alpn;
888}
889
890/** Releases an ALPN object. */
891static void TLSX_ALPN_Free(ALPN *alpn)
892{
893 if (alpn == NULL)
894 return;
895
896 XFREE(alpn->protocol_name, 0, DYNAMIC_TYPE_TLSX);
897 XFREE(alpn, 0, DYNAMIC_TYPE_TLSX);
898}
899
900/** Releases all ALPN objects in the provided list. */
901static void TLSX_ALPN_FreeAll(ALPN *list)
902{
903 ALPN* alpn;
904
905 while ((alpn = list)) {
906 list = alpn->next;
907 TLSX_ALPN_Free(alpn);
908 }
909}
910
911/** Tells the buffered size of the ALPN objects in a list. */
912static word16 TLSX_ALPN_GetSize(ALPN *list)
913{
914 ALPN* alpn;
915 word16 length = OPAQUE16_LEN; /* list length */
916
917 while ((alpn = list)) {
918 list = alpn->next;
919
920 length++; /* protocol name length is on one byte */
921 length += (word16)XSTRLEN(alpn->protocol_name);
922 }
923
924 return length;
925}
926
927/** Writes the ALPN objects of a list in a buffer. */
928static word16 TLSX_ALPN_Write(ALPN *list, byte *output)
929{
930 ALPN* alpn;
931 word16 length = 0;
932 word16 offset = OPAQUE16_LEN; /* list length offset */
933
934 while ((alpn = list)) {
935 list = alpn->next;
936
937 length = (word16)XSTRLEN(alpn->protocol_name);
938
939 /* protocol name length */
940 output[offset++] = (byte)length;
941
942 /* protocol name value */
943 XMEMCPY(output + offset, alpn->protocol_name, length);
944
945 offset += length;
946 }
947
948 /* writing list length */
949 c16toa(offset - OPAQUE16_LEN, output);
950
951 return offset;
952}
953
954/** Finds a protocol name in the provided ALPN list */
955static ALPN* TLSX_ALPN_Find(ALPN *list, char *protocol_name, word16 size)
956{
957 ALPN *alpn;
958
959 if (list == NULL || protocol_name == NULL)
960 return NULL;
961
962 alpn = list;
963 while (alpn != NULL && (
964 (word16)XSTRLEN(alpn->protocol_name) != size ||
965 XSTRNCMP(alpn->protocol_name, protocol_name, size)))
966 alpn = alpn->next;
967
968 return alpn;
969}
970
971/** Set the ALPN matching client and server requirements */
972static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size)
973{
974 ALPN *alpn;
975 int ret;
976
977 if (extensions == NULL || data == NULL)
978 return BAD_FUNC_ARG;
979
980 alpn = TLSX_ALPN_New((char *)data, size);
981 if (alpn == NULL) {
982 WOLFSSL_MSG("Memory failure");
983 return MEMORY_E;
984 }
985
986 alpn->negociated = 1;
987
988 ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
989 if (ret != 0) {
990 TLSX_ALPN_Free(alpn);
991 return ret;
992 }
993
994 return SSL_SUCCESS;
995}
996
997/** Parses a buffer of ALPN extensions and set the first one matching
998 * client and server requirements */
999static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length,
1000 byte isRequest)
1001{
1002 word16 size = 0, offset = 0, idx = 0;
1003 int r = BUFFER_ERROR;
1004 byte match = 0;
1005 TLSX *extension;
1006 ALPN *alpn = NULL, *list;
1007
1008 extension = TLSX_Find(ssl->extensions, WOLFSSL_ALPN);
1009 if (extension == NULL)
1010 extension = TLSX_Find(ssl->ctx->extensions, WOLFSSL_ALPN);
1011
1012 if (extension == NULL || extension->data == NULL) {
1013 WOLFSSL_MSG("No ALPN extensions not used or bad");
1014 return isRequest ? 0 /* not using ALPN */
1015 : BUFFER_ERROR; /* unexpected ALPN response */
1016 }
1017
1018 if (OPAQUE16_LEN > length)
1019 return BUFFER_ERROR;
1020
1021 ato16(input, &size);
1022 offset += OPAQUE16_LEN;
1023
1024 /* validating alpn list length */
1025 if (length != OPAQUE16_LEN + size)
1026 return BUFFER_ERROR;
1027
1028 list = (ALPN*)extension->data;
1029
1030 /* keep the list sent by client */
1031 if (isRequest) {
1032 if (ssl->alpn_client_list != NULL)
1033 XFREE(ssl->alpn_client_list, NULL, DYNAMIC_TYPE_TMP_BUFFER);
1034
1035 ssl->alpn_client_list = (char *)XMALLOC(size, NULL,
1036 DYNAMIC_TYPE_TMP_BUFFER);
1037 if (ssl->alpn_client_list == NULL)
1038 return MEMORY_ERROR;
1039 }
1040
1041 for (size = 0; offset < length; offset += size) {
1042
1043 size = input[offset++];
1044 if (offset + size > length)
1045 return BUFFER_ERROR;
1046
1047 if (isRequest) {
1048 XMEMCPY(ssl->alpn_client_list+idx, (char*)input + offset, size);
1049 idx += size;
1050 ssl->alpn_client_list[idx++] = ',';
1051 }
1052
1053 if (!match) {
1054 alpn = TLSX_ALPN_Find(list, (char*)input + offset, size);
1055 if (alpn != NULL) {
1056 WOLFSSL_MSG("ALPN protocol match");
1057 match = 1;
1058
1059 /* skip reading other values if not required */
1060 if (!isRequest)
1061 break;
1062 }
1063 }
1064 }
1065
1066 if (isRequest)
1067 ssl->alpn_client_list[idx-1] = 0;
1068
1069 if (!match) {
1070 WOLFSSL_MSG("No ALPN protocol match");
1071
1072 /* do nothing if no protocol match between client and server and option
1073 is set to continue (like OpenSSL) */
1074 if (list->options & WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) {
1075 WOLFSSL_MSG("Continue on mismatch");
1076 return 0;
1077 }
1078
1079 SendAlert(ssl, alert_fatal, no_application_protocol);
1080 return UNKNOWN_ALPN_PROTOCOL_NAME_E;
1081 }
1082
1083 /* set the matching negociated protocol */
1084 r = TLSX_SetALPN(&ssl->extensions,
1085 alpn->protocol_name,
1086 (word16)XSTRLEN(alpn->protocol_name));
1087 if (r != SSL_SUCCESS) {
1088 WOLFSSL_MSG("TLSX_UseALPN failed");
1089 return BUFFER_ERROR;
1090 }
1091
1092 /* reply to ALPN extension sent from client */
1093 if (isRequest) {
1094#ifndef NO_WOLFSSL_SERVER
1095 TLSX_SetResponse(ssl, WOLFSSL_ALPN);
1096#endif
1097 }
1098
1099 return 0;
1100}
1101
1102/** Add a protocol name to the list of accepted usable ones */
1103int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options)
1104{
1105 ALPN *alpn;
1106 TLSX *extension;
1107 int ret;
1108
1109 if (extensions == NULL || data == NULL)
1110 return BAD_FUNC_ARG;
1111
1112 alpn = TLSX_ALPN_New((char *)data, size);
1113 if (alpn == NULL) {
1114 WOLFSSL_MSG("Memory failure");
1115 return MEMORY_E;
1116 }
1117
1118 /* Set Options of ALPN */
1119 alpn->options = options;
1120
1121 extension = TLSX_Find(*extensions, WOLFSSL_ALPN);
1122 if (extension == NULL) {
1123 ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
1124 if (ret != 0) {
1125 TLSX_ALPN_Free(alpn);
1126 return ret;
1127 }
1128 }
1129 else {
1130 /* push new ALPN object to extension data. */
1131 alpn->next = (ALPN*)extension->data;
1132 extension->data = (void*)alpn;
1133 }
1134
1135 return SSL_SUCCESS;
1136}
1137
1138/** Get the protocol name set by the server */
1139int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
1140{
1141 TLSX *extension;
1142 ALPN *alpn;
1143
1144 if (extensions == NULL || data == NULL || dataSz == NULL)
1145 return BAD_FUNC_ARG;
1146
1147 extension = TLSX_Find(extensions, WOLFSSL_ALPN);
1148 if (extension == NULL) {
1149 WOLFSSL_MSG("TLS extension not found");
1150 return SSL_ALPN_NOT_FOUND;
1151 }
1152
1153 alpn = (ALPN *)extension->data;
1154 if (alpn == NULL) {
1155 WOLFSSL_MSG("ALPN extension not found");
1156 *data = NULL;
1157 *dataSz = 0;
1158 return SSL_FATAL_ERROR;
1159 }
1160
1161 if (alpn->negociated != 1) {
1162
1163 /* consider as an error */
1164 if (alpn->options & WOLFSSL_ALPN_FAILED_ON_MISMATCH) {
1165 WOLFSSL_MSG("No protocol match with peer -> Failed");
1166 return SSL_FATAL_ERROR;
1167 }
1168
1169 /* continue without negociated protocol */
1170 WOLFSSL_MSG("No protocol match with peer -> Continue");
1171 return SSL_ALPN_NOT_FOUND;
1172 }
1173
1174 if (alpn->next != NULL) {
1175 WOLFSSL_MSG("Only one protocol name must be accepted");
1176 return SSL_FATAL_ERROR;
1177 }
1178
1179 *data = alpn->protocol_name;
1180 *dataSz = (word16)XSTRLEN(*data);
1181
1182 return SSL_SUCCESS;
1183}
1184
1185#define ALPN_FREE_ALL TLSX_ALPN_FreeAll
1186#define ALPN_GET_SIZE TLSX_ALPN_GetSize
1187#define ALPN_WRITE TLSX_ALPN_Write
1188#define ALPN_PARSE TLSX_ALPN_ParseAndSet
1189
1190#else /* HAVE_ALPN */
1191
1192#define ALPN_FREE_ALL(list)
1193#define ALPN_GET_SIZE(list) 0
1194#define ALPN_WRITE(a, b) 0
1195#define ALPN_PARSE(a, b, c, d) 0
1196
1197#endif /* HAVE_ALPN */
1198
1199/* Server Name Indication */
1200#ifdef HAVE_SNI
1201
1202/** Creates a new SNI object. */
1203static SNI* TLSX_SNI_New(byte type, const void* data, word16 size)
1204{
1205 SNI* sni = (SNI*)XMALLOC(sizeof(SNI), 0, DYNAMIC_TYPE_TLSX);
1206
1207 if (sni) {
1208 sni->type = type;
1209 sni->next = NULL;
1210
1211 #ifndef NO_WOLFSSL_SERVER
1212 sni->options = 0;
1213 sni->status = WOLFSSL_SNI_NO_MATCH;
1214 #endif
1215
1216 switch (sni->type) {
1217 case WOLFSSL_SNI_HOST_NAME:
1218 sni->data.host_name = XMALLOC(size + 1, 0, DYNAMIC_TYPE_TLSX);
1219
1220 if (sni->data.host_name) {
1221 XSTRNCPY(sni->data.host_name, (const char*)data, size);
1222 sni->data.host_name[size] = 0;
1223 } else {
1224 XFREE(sni, 0, DYNAMIC_TYPE_TLSX);
1225 sni = NULL;
1226 }
1227 break;
1228
1229 default: /* invalid type */
1230 XFREE(sni, 0, DYNAMIC_TYPE_TLSX);
1231 sni = NULL;
1232 }
1233 }
1234
1235 return sni;
1236}
1237
1238/** Releases a SNI object. */
1239static void TLSX_SNI_Free(SNI* sni)
1240{
1241 if (sni) {
1242 switch (sni->type) {
1243 case WOLFSSL_SNI_HOST_NAME:
1244 XFREE(sni->data.host_name, 0, DYNAMIC_TYPE_TLSX);
1245 break;
1246 }
1247
1248 XFREE(sni, 0, DYNAMIC_TYPE_TLSX);
1249 }
1250}
1251
1252/** Releases all SNI objects in the provided list. */
1253static void TLSX_SNI_FreeAll(SNI* list)
1254{
1255 SNI* sni;
1256
1257 while ((sni = list)) {
1258 list = sni->next;
1259 TLSX_SNI_Free(sni);
1260 }
1261}
1262
1263/** Tells the buffered size of the SNI objects in a list. */
1264static word16 TLSX_SNI_GetSize(SNI* list)
1265{
1266 SNI* sni;
1267 word16 length = OPAQUE16_LEN; /* list length */
1268
1269 while ((sni = list)) {
1270 list = sni->next;
1271
1272 length += ENUM_LEN + OPAQUE16_LEN; /* sni type + sni length */
1273
1274 switch (sni->type) {
1275 case WOLFSSL_SNI_HOST_NAME:
1276 length += XSTRLEN((char*)sni->data.host_name);
1277 break;
1278 }
1279 }
1280
1281 return length;
1282}
1283
1284/** Writes the SNI objects of a list in a buffer. */
1285static word16 TLSX_SNI_Write(SNI* list, byte* output)
1286{
1287 SNI* sni;
1288 word16 length = 0;
1289 word16 offset = OPAQUE16_LEN; /* list length offset */
1290
1291 while ((sni = list)) {
1292 list = sni->next;
1293
1294 output[offset++] = sni->type; /* sni type */
1295
1296 switch (sni->type) {
1297 case WOLFSSL_SNI_HOST_NAME:
1298 length = XSTRLEN((char*)sni->data.host_name);
1299
1300 c16toa(length, output + offset); /* sni length */
1301 offset += OPAQUE16_LEN;
1302
1303 XMEMCPY(output + offset, sni->data.host_name, length);
1304
1305 offset += length;
1306 break;
1307 }
1308 }
1309
1310 c16toa(offset - OPAQUE16_LEN, output); /* writing list length */
1311
1312 return offset;
1313}
1314
1315#ifndef NO_WOLFSSL_SERVER
1316
1317/** Finds a SNI object in the provided list. */
1318static SNI* TLSX_SNI_Find(SNI *list, byte type)
1319{
1320 SNI *sni = list;
1321
1322 while (sni && sni->type != type)
1323 sni = sni->next;
1324
1325 return sni;
1326}
1327
1328
1329/** Sets the status of a SNI object. */
1330static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
1331{
1332 TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
1333 SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
1334
1335 if (sni)
1336 sni->status = status;
1337}
1338
1339/** Gets the status of a SNI object. */
1340byte TLSX_SNI_Status(TLSX* extensions, byte type)
1341{
1342 TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
1343 SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
1344
1345 if (sni)
1346 return sni->status;
1347
1348 return 0;
1349}
1350
1351#endif /* NO_WOLFSSL_SERVER */
1352
1353/** Parses a buffer of SNI extensions. */
1354static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
1355 byte isRequest)
1356{
1357#ifndef NO_WOLFSSL_SERVER
1358 word16 size = 0;
1359 word16 offset = 0;
1360 int cacheOnly = 0;
1361#endif
1362
1363 TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
1364
1365 if (!extension)
1366 extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
1367
1368 (void)isRequest;
1369 (void)input;
1370
1371 if (!extension || !extension->data) {
1372#if defined(WOLFSSL_ALWAYS_KEEP_SNI) && !defined(NO_WOLFSSL_SERVER)
1373 /* This will keep SNI even though TLSX_UseSNI has not been called.
1374 * Enable it so that the received sni is available to functions
1375 * that use a custom callback when SNI is received */
1376 cacheOnly = 1;
1377 WOLFSSL_MSG("Forcing SSL object to store SNI parameter");
1378#else
1379 return isRequest ? 0 /* not using SNI. */
1380 : BUFFER_ERROR; /* unexpected SNI response. */
1381#endif
1382 }
1383
1384 if (!isRequest)
1385 return length ? BUFFER_ERROR /* SNI response MUST be empty. */
1386 : 0; /* nothing else to do. */
1387
1388#ifndef NO_WOLFSSL_SERVER
1389
1390 if (OPAQUE16_LEN > length)
1391 return BUFFER_ERROR;
1392
1393 ato16(input, &size);
1394 offset += OPAQUE16_LEN;
1395
1396 /* validating sni list length */
1397 if (length != OPAQUE16_LEN + size)
1398 return BUFFER_ERROR;
1399
1400 for (size = 0; offset < length; offset += size) {
1401 SNI *sni = NULL;
1402 byte type = input[offset++];
1403
1404 if (offset + OPAQUE16_LEN > length)
1405 return BUFFER_ERROR;
1406
1407 ato16(input + offset, &size);
1408 offset += OPAQUE16_LEN;
1409
1410 if (offset + size > length)
1411 return BUFFER_ERROR;
1412
1413 if (!cacheOnly && !(sni = TLSX_SNI_Find((SNI*)extension->data, type)))
1414 continue; /* not using this type of SNI. */
1415
1416 switch(type) {
1417 case WOLFSSL_SNI_HOST_NAME: {
1418 int matchStat;
1419 byte matched = cacheOnly ||
1420 ((XSTRLEN(sni->data.host_name) == size)
1421 && (XSTRNCMP(sni->data.host_name,
1422 (const char*)input + offset, size) == 0));
1423
1424 if (matched || sni->options & WOLFSSL_SNI_ANSWER_ON_MISMATCH) {
1425 int r = TLSX_UseSNI(&ssl->extensions,
1426 type, input + offset, size);
1427
1428 if (r != SSL_SUCCESS)
1429 return r; /* throws error. */
1430
1431 if(cacheOnly) {
1432 WOLFSSL_MSG("Forcing storage of SNI, Fake match");
1433 matchStat = WOLFSSL_SNI_FORCE_KEEP;
1434 } else if(matched) {
1435 WOLFSSL_MSG("SNI did match!");
1436 matchStat = WOLFSSL_SNI_REAL_MATCH;
1437 } else {
1438 WOLFSSL_MSG("fake SNI match from ANSWER_ON_MISMATCH");
1439 matchStat = WOLFSSL_SNI_FAKE_MATCH;
1440 }
1441
1442 TLSX_SNI_SetStatus(ssl->extensions, type, matchStat);
1443
1444 if(!cacheOnly)
1445 TLSX_SetResponse(ssl, SERVER_NAME_INDICATION);
1446
1447 } else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {
1448 SendAlert(ssl, alert_fatal, unrecognized_name);
1449
1450 return UNKNOWN_SNI_HOST_NAME_E;
1451 }
1452 break;
1453 }
1454 }
1455 }
1456
1457#endif
1458
1459 return 0;
1460}
1461
1462static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest)
1463{
1464 (void)ssl;
1465
1466 if (isRequest) {
1467 #ifndef NO_WOLFSSL_SERVER
1468 TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
1469 TLSX* ssl_ext = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
1470 SNI* ctx_sni = ctx_ext ? ctx_ext->data : NULL;
1471 SNI* ssl_sni = ssl_ext ? ssl_ext->data : NULL;
1472 SNI* sni = NULL;
1473
1474 for (; ctx_sni; ctx_sni = ctx_sni->next) {
1475 if (ctx_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
1476 sni = TLSX_SNI_Find(ssl_sni, ctx_sni->type);
1477
1478 if (sni) {
1479 if (sni->status != WOLFSSL_SNI_NO_MATCH)
1480 continue;
1481
1482 /* if ssl level overrides ctx level, it is ok. */
1483 if ((sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) == 0)
1484 continue;
1485 }
1486
1487 SendAlert(ssl, alert_fatal, handshake_failure);
1488 return SNI_ABSENT_ERROR;
1489 }
1490 }
1491
1492 for (; ssl_sni; ssl_sni = ssl_sni->next) {
1493 if (ssl_sni->options & WOLFSSL_SNI_ABORT_ON_ABSENCE) {
1494 if (ssl_sni->status != WOLFSSL_SNI_NO_MATCH)
1495 continue;
1496
1497 SendAlert(ssl, alert_fatal, handshake_failure);
1498 return SNI_ABSENT_ERROR;
1499 }
1500 }
1501 #endif /* NO_WOLFSSL_SERVER */
1502 }
1503
1504 return 0;
1505}
1506
1507int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
1508{
1509 TLSX* extension = TLSX_Find(*extensions, SERVER_NAME_INDICATION);
1510 SNI* sni = NULL;
1511
1512 if (extensions == NULL || data == NULL)
1513 return BAD_FUNC_ARG;
1514
1515 if ((sni = TLSX_SNI_New(type, data, size)) == NULL)
1516 return MEMORY_E;
1517
1518 if (!extension) {
1519 int ret = TLSX_Push(extensions, SERVER_NAME_INDICATION, (void*)sni);
1520 if (ret != 0) {
1521 TLSX_SNI_Free(sni);
1522 return ret;
1523 }
1524 }
1525 else {
1526 /* push new SNI object to extension data. */
1527 sni->next = (SNI*)extension->data;
1528 extension->data = (void*)sni;
1529
1530 /* remove duplicate SNI, there should be only one of each type. */
1531 do {
1532 if (sni->next && sni->next->type == type) {
1533 SNI *next = sni->next;
1534
1535 sni->next = next->next;
1536 TLSX_SNI_Free(next);
1537
1538 /* there is no way to occur more than */
1539 /* two SNIs of the same type. */
1540 break;
1541 }
1542 } while ((sni = sni->next));
1543 }
1544
1545 return SSL_SUCCESS;
1546}
1547
1548#ifndef NO_WOLFSSL_SERVER
1549
1550/** Tells the SNI requested by the client. */
1551word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
1552{
1553 TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
1554 SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
1555
1556 if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) {
1557 switch (sni->type) {
1558 case WOLFSSL_SNI_HOST_NAME:
1559 *data = sni->data.host_name;
1560 return XSTRLEN(*data);
1561 }
1562 }
1563
1564 return 0;
1565}
1566
1567/** Sets the options for a SNI object. */
1568void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
1569{
1570 TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
1571 SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
1572
1573 if (sni)
1574 sni->options = options;
1575}
1576
1577/** Retrieves a SNI request from a client hello buffer. */
1578int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
1579 byte type, byte* sni, word32* inOutSz)
1580{
1581 word32 offset = 0;
1582 word32 len32 = 0;
1583 word16 len16 = 0;
1584
1585 if (helloSz < RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + CLIENT_HELLO_FIRST)
1586 return INCOMPLETE_DATA;
1587
1588 /* TLS record header */
1589 if ((enum ContentType) clientHello[offset++] != handshake) {
1590
1591 /* checking for SSLv2.0 client hello according to: */
1592 /* http://tools.ietf.org/html/rfc4346#appendix-E.1 */
1593 if ((enum HandShakeType) clientHello[++offset] == client_hello) {
1594 offset += ENUM_LEN + VERSION_SZ; /* skip version */
1595
1596 ato16(clientHello + offset, &len16);
1597 offset += OPAQUE16_LEN;
1598
1599 if (len16 % 3) /* cipher_spec_length must be multiple of 3 */
1600 return BUFFER_ERROR;
1601
1602 ato16(clientHello + offset, &len16);
1603 offset += OPAQUE16_LEN;
1604
1605 if (len16 != 0) /* session_id_length must be 0 */
1606 return BUFFER_ERROR;
1607
1608 return SNI_UNSUPPORTED;
1609 }
1610
1611 return BUFFER_ERROR;
1612 }
1613
1614 if (clientHello[offset++] != SSLv3_MAJOR)
1615 return BUFFER_ERROR;
1616
1617 if (clientHello[offset++] < TLSv1_MINOR)
1618 return SNI_UNSUPPORTED;
1619
1620 ato16(clientHello + offset, &len16);
1621 offset += OPAQUE16_LEN;
1622
1623 if (offset + len16 > helloSz)
1624 return INCOMPLETE_DATA;
1625
1626 /* Handshake header */
1627 if ((enum HandShakeType) clientHello[offset] != client_hello)
1628 return BUFFER_ERROR;
1629
1630 c24to32(clientHello + offset + 1, &len32);
1631 offset += HANDSHAKE_HEADER_SZ;
1632
1633 if (offset + len32 > helloSz)
1634 return BUFFER_ERROR;
1635
1636 /* client hello */
1637 offset += VERSION_SZ + RAN_LEN; /* version, random */
1638
1639 if (helloSz < offset + clientHello[offset])
1640 return BUFFER_ERROR;
1641
1642 offset += ENUM_LEN + clientHello[offset]; /* skip session id */
1643
1644 /* cypher suites */
1645 if (helloSz < offset + OPAQUE16_LEN)
1646 return BUFFER_ERROR;
1647
1648 ato16(clientHello + offset, &len16);
1649 offset += OPAQUE16_LEN;
1650
1651 if (helloSz < offset + len16)
1652 return BUFFER_ERROR;
1653
1654 offset += len16; /* skip cypher suites */
1655
1656 /* compression methods */
1657 if (helloSz < offset + 1)
1658 return BUFFER_ERROR;
1659
1660 if (helloSz < offset + clientHello[offset])
1661 return BUFFER_ERROR;
1662
1663 offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */
1664
1665 /* extensions */
1666 if (helloSz < offset + OPAQUE16_LEN)
1667 return 0; /* no extensions in client hello. */
1668
1669 ato16(clientHello + offset, &len16);
1670 offset += OPAQUE16_LEN;
1671
1672 if (helloSz < offset + len16)
1673 return BUFFER_ERROR;
1674
1675 while (len16 >= OPAQUE16_LEN + OPAQUE16_LEN) {
1676 word16 extType;
1677 word16 extLen;
1678
1679 ato16(clientHello + offset, &extType);
1680 offset += OPAQUE16_LEN;
1681
1682 ato16(clientHello + offset, &extLen);
1683 offset += OPAQUE16_LEN;
1684
1685 if (helloSz < offset + extLen)
1686 return BUFFER_ERROR;
1687
1688 if (extType != SERVER_NAME_INDICATION) {
1689 offset += extLen; /* skip extension */
1690 } else {
1691 word16 listLen;
1692
1693 ato16(clientHello + offset, &listLen);
1694 offset += OPAQUE16_LEN;
1695
1696 if (helloSz < offset + listLen)
1697 return BUFFER_ERROR;
1698
1699 while (listLen > ENUM_LEN + OPAQUE16_LEN) {
1700 byte sniType = clientHello[offset++];
1701 word16 sniLen;
1702
1703 ato16(clientHello + offset, &sniLen);
1704 offset += OPAQUE16_LEN;
1705
1706 if (helloSz < offset + sniLen)
1707 return BUFFER_ERROR;
1708
1709 if (sniType != type) {
1710 offset += sniLen;
1711 listLen -= min(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen);
1712 continue;
1713 }
1714
1715 *inOutSz = min(sniLen, *inOutSz);
1716 XMEMCPY(sni, clientHello + offset, *inOutSz);
1717
1718 return SSL_SUCCESS;
1719 }
1720 }
1721
1722 len16 -= min(2 * OPAQUE16_LEN + extLen, len16);
1723 }
1724
1725 return len16 ? BUFFER_ERROR : 0;
1726}
1727
1728#endif
1729
1730#define SNI_FREE_ALL TLSX_SNI_FreeAll
1731#define SNI_GET_SIZE TLSX_SNI_GetSize
1732#define SNI_WRITE TLSX_SNI_Write
1733#define SNI_PARSE TLSX_SNI_Parse
1734#define SNI_VERIFY_PARSE TLSX_SNI_VerifyParse
1735
1736#else
1737
1738#define SNI_FREE_ALL(list)
1739#define SNI_GET_SIZE(list) 0
1740#define SNI_WRITE(a, b) 0
1741#define SNI_PARSE(a, b, c, d) 0
1742#define SNI_VERIFY_PARSE(a, b) 0
1743
1744#endif /* HAVE_SNI */
1745
1746#ifdef HAVE_MAX_FRAGMENT
1747
1748static word16 TLSX_MFL_Write(byte* data, byte* output)
1749{
1750 output[0] = data[0];
1751
1752 return ENUM_LEN;
1753}
1754
1755static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length,
1756 byte isRequest)
1757{
1758 (void)isRequest;
1759
1760 if (length != ENUM_LEN)
1761 return BUFFER_ERROR;
1762
1763 switch (*input) {
1764 case WOLFSSL_MFL_2_9 : ssl->max_fragment = 512; break;
1765 case WOLFSSL_MFL_2_10: ssl->max_fragment = 1024; break;
1766 case WOLFSSL_MFL_2_11: ssl->max_fragment = 2048; break;
1767 case WOLFSSL_MFL_2_12: ssl->max_fragment = 4096; break;
1768 case WOLFSSL_MFL_2_13: ssl->max_fragment = 8192; break;
1769
1770 default:
1771 SendAlert(ssl, alert_fatal, illegal_parameter);
1772
1773 return UNKNOWN_MAX_FRAG_LEN_E;
1774 }
1775
1776#ifndef NO_WOLFSSL_SERVER
1777 if (isRequest) {
1778 int r = TLSX_UseMaxFragment(&ssl->extensions, *input);
1779
1780 if (r != SSL_SUCCESS) return r; /* throw error */
1781
1782 TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH);
1783 }
1784#endif
1785
1786 return 0;
1787}
1788
1789int TLSX_UseMaxFragment(TLSX** extensions, byte mfl)
1790{
1791 byte* data = NULL;
1792 int ret = 0;
1793
1794 if (extensions == NULL)
1795 return BAD_FUNC_ARG;
1796
1797 if (mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl)
1798 return BAD_FUNC_ARG;
1799
1800 if ((data = XMALLOC(ENUM_LEN, 0, DYNAMIC_TYPE_TLSX)) == NULL)
1801 return MEMORY_E;
1802
1803 data[0] = mfl;
1804
1805 /* push new MFL extension. */
1806 if ((ret = TLSX_Push(extensions, MAX_FRAGMENT_LENGTH, data)) != 0) {
1807 XFREE(data, 0, DYNAMIC_TYPE_TLSX);
1808 return ret;
1809 }
1810
1811 return SSL_SUCCESS;
1812}
1813
1814
1815#define MFL_FREE_ALL(data) XFREE(data, 0, DYNAMIC_TYPE_TLSX)
1816#define MFL_GET_SIZE(data) ENUM_LEN
1817#define MFL_WRITE TLSX_MFL_Write
1818#define MFL_PARSE TLSX_MFL_Parse
1819
1820#else
1821
1822#define MFL_FREE_ALL(a)
1823#define MFL_GET_SIZE(a) 0
1824#define MFL_WRITE(a, b) 0
1825#define MFL_PARSE(a, b, c, d) 0
1826
1827#endif /* HAVE_MAX_FRAGMENT */
1828
1829#ifdef HAVE_TRUNCATED_HMAC
1830
1831static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length,
1832 byte isRequest)
1833{
1834 (void)isRequest;
1835
1836 if (length != 0 || input == NULL)
1837 return BUFFER_ERROR;
1838
1839#ifndef NO_WOLFSSL_SERVER
1840 if (isRequest) {
1841 int r = TLSX_UseTruncatedHMAC(&ssl->extensions);
1842
1843 if (r != SSL_SUCCESS) return r; /* throw error */
1844
1845 TLSX_SetResponse(ssl, TRUNCATED_HMAC);
1846 }
1847#endif
1848
1849 ssl->truncated_hmac = 1;
1850
1851 return 0;
1852}
1853
1854int TLSX_UseTruncatedHMAC(TLSX** extensions)
1855{
1856 int ret = 0;
1857
1858 if (extensions == NULL)
1859 return BAD_FUNC_ARG;
1860
1861 if ((ret = TLSX_Push(extensions, TRUNCATED_HMAC, NULL)) != 0)
1862 return ret;
1863
1864 return SSL_SUCCESS;
1865}
1866
1867#define THM_PARSE TLSX_THM_Parse
1868
1869#else
1870
1871#define THM_PARSE(a, b, c, d) 0
1872
1873#endif /* HAVE_TRUNCATED_HMAC */
1874
1875#ifdef HAVE_SUPPORTED_CURVES
1876
1877#ifndef HAVE_ECC
1878#error Elliptic Curves Extension requires Elliptic Curve Cryptography. \
1879 Use --enable-ecc in the configure script or define HAVE_ECC.
1880#endif
1881
1882static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list)
1883{
1884 EllipticCurve* curve;
1885
1886 while ((curve = list)) {
1887 list = curve->next;
1888 XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
1889 }
1890}
1891
1892static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name)
1893{
1894 EllipticCurve* curve;
1895
1896 if (list == NULL)
1897 return BAD_FUNC_ARG;
1898
1899 if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL)
1900 return MEMORY_E;
1901
1902 curve->name = name;
1903 curve->next = *list;
1904
1905 *list = curve;
1906
1907 return 0;
1908}
1909
1910#ifndef NO_WOLFSSL_CLIENT
1911
1912static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
1913{
1914 int i;
1915
1916 for (i = 0; i < ssl->suites->suiteSz; i+= 2)
1917 if (ssl->suites->suites[i] == ECC_BYTE)
1918 return;
1919
1920 /* turns semaphore on to avoid sending this extension. */
1921 TURN_ON(semaphore, TLSX_ToSemaphore(ELLIPTIC_CURVES));
1922}
1923
1924static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list)
1925{
1926 EllipticCurve* curve;
1927 word16 length = OPAQUE16_LEN; /* list length */
1928
1929 while ((curve = list)) {
1930 list = curve->next;
1931 length += OPAQUE16_LEN; /* curve length */
1932 }
1933
1934 return length;
1935}
1936
1937static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output);
1938static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output)
1939{
1940 word16 offset = 0;
1941
1942 if (!curve)
1943 return offset;
1944
1945 offset = TLSX_EllipticCurve_WriteR(curve->next, output);
1946 c16toa(curve->name, output + offset);
1947
1948 return OPAQUE16_LEN + offset;
1949}
1950
1951static word16 TLSX_EllipticCurve_Write(EllipticCurve* list, byte* output)
1952{
1953 word16 length = TLSX_EllipticCurve_WriteR(list, output + OPAQUE16_LEN);
1954
1955 c16toa(length, output); /* writing list length */
1956
1957 return OPAQUE16_LEN + length;
1958}
1959
1960#endif /* NO_WOLFSSL_CLIENT */
1961#ifndef NO_WOLFSSL_SERVER
1962
1963static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
1964 byte isRequest)
1965{
1966 word16 offset;
1967 word16 name;
1968 int r;
1969
1970 (void) isRequest; /* shut up compiler! */
1971
1972 if (OPAQUE16_LEN > length || length % OPAQUE16_LEN)
1973 return BUFFER_ERROR;
1974
1975 ato16(input, &offset);
1976
1977 /* validating curve list length */
1978 if (length != OPAQUE16_LEN + offset)
1979 return BUFFER_ERROR;
1980
1981 while (offset) {
1982 ato16(input + offset, &name);
1983 offset -= OPAQUE16_LEN;
1984
1985 r = TLSX_UseSupportedCurve(&ssl->extensions, name);
1986
1987 if (r != SSL_SUCCESS) return r; /* throw error */
1988 }
1989
1990 return 0;
1991}
1992
1993int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
1994 TLSX* extension = (first == ECC_BYTE)
1995 ? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES)
1996 : NULL;
1997 EllipticCurve* curve = NULL;
1998 word32 oid = 0;
1999 word16 octets = 0; /* acording to 'ecc_set_type ecc_sets[];' */
2000 int sig = 0; /* valitade signature */
2001 int key = 0; /* validate key */
2002
2003 (void)oid;
2004 (void)octets;
2005
2006 if (!extension)
2007 return 1; /* no suite restriction */
2008
2009 for (curve = extension->data; curve && !(sig && key); curve = curve->next) {
2010
2011 switch (curve->name) {
2012#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
2013 case WOLFSSL_ECC_SECP160R1: oid = ECC_160R1; octets = 20; break;
2014#endif
2015#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
2016 case WOLFSSL_ECC_SECP192R1: oid = ECC_192R1; octets = 24; break;
2017#endif
2018#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
2019 case WOLFSSL_ECC_SECP224R1: oid = ECC_224R1; octets = 28; break;
2020#endif
2021#if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
2022 case WOLFSSL_ECC_SECP256R1: oid = ECC_256R1; octets = 32; break;
2023#endif
2024#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
2025 case WOLFSSL_ECC_SECP384R1: oid = ECC_384R1; octets = 48; break;
2026#endif
2027#if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
2028 case WOLFSSL_ECC_SECP521R1: oid = ECC_521R1; octets = 66; break;
2029#endif
2030 default: continue; /* unsupported curve */
2031 }
2032
2033 switch (second) {
2034#ifndef NO_DSA
2035 /* ECDHE_ECDSA */
2036 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
2037 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
2038 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
2039 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
2040 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
2041 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
2042 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
2043 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
2044 case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
2045 case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
2046 sig |= ssl->pkCurveOID == oid;
2047 key |= ssl->eccTempKeySz == octets;
2048 break;
2049
2050 /* ECDH_ECDSA */
2051 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
2052 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
2053 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
2054 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
2055 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
2056 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
2057 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
2058 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
2059 sig |= ssl->pkCurveOID == oid;
2060 key |= ssl->pkCurveOID == oid;
2061 break;
2062#endif
2063#ifndef NO_RSA
2064 /* ECDHE_RSA */
2065 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
2066 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
2067 case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
2068 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
2069 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
2070 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
2071 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
2072 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
2073 sig = 1;
2074 key |= ssl->eccTempKeySz == octets;
2075 break;
2076
2077 /* ECDH_RSA */
2078 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
2079 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
2080 case TLS_ECDH_RSA_WITH_RC4_128_SHA:
2081 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
2082 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
2083 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
2084 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
2085 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
2086 sig = 1;
2087 key |= ssl->pkCurveOID == oid;
2088 break;
2089#endif
2090 default:
2091 sig = 1;
2092 key = 1;
2093 break;
2094 }
2095 }
2096
2097 return sig && key;
2098}
2099
2100#endif /* NO_WOLFSSL_SERVER */
2101
2102int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
2103{
2104 TLSX* extension = TLSX_Find(*extensions, ELLIPTIC_CURVES);
2105 EllipticCurve* curve = NULL;
2106 int ret = 0;
2107
2108 if (extensions == NULL)
2109 return BAD_FUNC_ARG;
2110
2111 if ((ret = TLSX_EllipticCurve_Append(&curve, name)) != 0)
2112 return ret;
2113
2114 if (!extension) {
2115 if ((ret = TLSX_Push(extensions, ELLIPTIC_CURVES, curve)) != 0) {
2116 XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
2117 return ret;
2118 }
2119 }
2120 else {
2121 /* push new EllipticCurve object to extension data. */
2122 curve->next = (EllipticCurve*)extension->data;
2123 extension->data = (void*)curve;
2124
2125 /* look for another curve of the same name to remove (replacement) */
2126 do {
2127 if (curve->next && curve->next->name == name) {
2128 EllipticCurve *next = curve->next;
2129
2130 curve->next = next->next;
2131 XFREE(next, 0, DYNAMIC_TYPE_TLSX);
2132
2133 break;
2134 }
2135 } while ((curve = curve->next));
2136 }
2137
2138 return SSL_SUCCESS;
2139}
2140
2141#define EC_FREE_ALL TLSX_EllipticCurve_FreeAll
2142#define EC_VALIDATE_REQUEST TLSX_EllipticCurve_ValidateRequest
2143
2144#ifndef NO_WOLFSSL_CLIENT
2145#define EC_GET_SIZE TLSX_EllipticCurve_GetSize
2146#define EC_WRITE TLSX_EllipticCurve_Write
2147#else
2148#define EC_GET_SIZE(list) 0
2149#define EC_WRITE(a, b) 0
2150#endif
2151
2152#ifndef NO_WOLFSSL_SERVER
2153#define EC_PARSE TLSX_EllipticCurve_Parse
2154#else
2155#define EC_PARSE(a, b, c, d) 0
2156#endif
2157
2158#else
2159
2160#define EC_FREE_ALL(list)
2161#define EC_GET_SIZE(list) 0
2162#define EC_WRITE(a, b) 0
2163#define EC_PARSE(a, b, c, d) 0
2164#define EC_VALIDATE_REQUEST(a, b)
2165
2166#endif /* HAVE_SUPPORTED_CURVES */
2167
2168#ifdef HAVE_SECURE_RENEGOTIATION
2169
2170static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data,
2171 int isRequest)
2172{
2173 byte length = OPAQUE8_LEN; /* empty info length */
2174
2175 if (data->enabled) {
2176 /* client sends client_verify_data only */
2177 length += TLS_FINISHED_SZ;
2178
2179 /* server also sends server_verify_data */
2180 if (!isRequest)
2181 length += TLS_FINISHED_SZ;
2182 }
2183
2184 return length;
2185}
2186
2187static word16 TLSX_SecureRenegotiation_Write(SecureRenegotiation* data,
2188 byte* output, int isRequest)
2189{
2190 word16 offset = OPAQUE8_LEN; /* RenegotiationInfo length */
2191
2192 if (data->enabled) {
2193 /* client sends client_verify_data only */
2194 XMEMCPY(output + offset, data->client_verify_data, TLS_FINISHED_SZ);
2195 offset += TLS_FINISHED_SZ;
2196
2197 /* server also sends server_verify_data */
2198 if (!isRequest) {
2199 XMEMCPY(output + offset, data->server_verify_data, TLS_FINISHED_SZ);
2200 offset += TLS_FINISHED_SZ;
2201 }
2202 }
2203
2204 output[0] = offset - 1; /* info length - self */
2205
2206 return offset;
2207}
2208
2209static int TLSX_SecureRenegotiation_Parse(WOLFSSL* ssl, byte* input,
2210 word16 length, byte isRequest)
2211{
2212 int ret = SECURE_RENEGOTIATION_E;
2213
2214 if (length >= OPAQUE8_LEN) {
2215 if (ssl->secure_renegotiation == NULL) {
2216 #ifndef NO_WOLFSSL_SERVER
2217 if (isRequest && *input == 0) {
2218 ret = 0; /* don't reply, user didn't enable */
2219 }
2220 #endif
2221 }
2222 else if (isRequest) {
2223 #ifndef NO_WOLFSSL_SERVER
2224 if (*input == TLS_FINISHED_SZ) {
2225 /* TODO compare client_verify_data */
2226 ret = 0;
2227 }
2228 #endif
2229 }
2230 else {
2231 #ifndef NO_WOLFSSL_CLIENT
2232 if (!ssl->secure_renegotiation->enabled) {
2233 if (*input == 0) {
2234 ssl->secure_renegotiation->enabled = 1;
2235 ret = 0;
2236 }
2237 }
2238 else if (*input == 2 * TLS_FINISHED_SZ) {
2239 /* TODO compare client_verify_data and server_verify_data */
2240 ret = 0;
2241 }
2242 #endif
2243 }
2244 }
2245
2246 if (ret != 0) {
2247 /* TODO: turn on fatal error at ssl level too */
2248 SendAlert(ssl, alert_fatal, handshake_failure);
2249 }
2250
2251 return ret;
2252}
2253
2254int TLSX_UseSecureRenegotiation(TLSX** extensions)
2255{
2256 int ret = 0;
2257 SecureRenegotiation* data = NULL;
2258
2259 data = (SecureRenegotiation*)XMALLOC(sizeof(SecureRenegotiation), NULL,
2260 DYNAMIC_TYPE_TLSX);
2261 if (data == NULL)
2262 return MEMORY_E;
2263
2264 XMEMSET(data, 0, sizeof(SecureRenegotiation));
2265
2266 ret = TLSX_Push(extensions, SECURE_RENEGOTIATION, data);
2267 if (ret != 0) {
2268 XFREE(data, 0, DYNAMIC_TYPE_TLSX);
2269 return ret;
2270 }
2271
2272 return SSL_SUCCESS;
2273}
2274
2275
2276#define SCR_FREE_ALL(data) XFREE(data, NULL, DYNAMIC_TYPE_TLSX)
2277#define SCR_GET_SIZE TLSX_SecureRenegotiation_GetSize
2278#define SCR_WRITE TLSX_SecureRenegotiation_Write
2279#define SCR_PARSE TLSX_SecureRenegotiation_Parse
2280
2281#else
2282
2283#define SCR_FREE_ALL(a)
2284#define SCR_GET_SIZE(a, b) 0
2285#define SCR_WRITE(a, b, c) 0
2286#define SCR_PARSE(a, b, c, d) 0
2287
2288#endif /* HAVE_SECURE_RENEGOTIATION */
2289
2290#ifdef HAVE_SESSION_TICKET
2291
2292static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl)
2293{
2294 TLSX* extension = TLSX_Find(ssl->extensions, SESSION_TICKET);
2295 SessionTicket* ticket = extension ? extension->data : NULL;
2296
2297 if (ticket) {
2298 /* TODO validate ticket timeout here! */
2299 if (ticket->lifetime == 0xfffffff) {
2300 /* send empty ticket on timeout */
2301 TLSX_UseSessionTicket(&ssl->extensions, NULL);
2302 }
2303 }
2304}
2305
2306
2307static word16 TLSX_SessionTicket_GetSize(SessionTicket* ticket, int isRequest)
2308{
2309 (void)isRequest;
2310 return ticket ? ticket->size : 0;
2311}
2312
2313static word16 TLSX_SessionTicket_Write(SessionTicket* ticket, byte* output,
2314 int isRequest)
2315{
2316 word16 offset = 0; /* empty ticket */
2317
2318 if (isRequest && ticket) {
2319 XMEMCPY(output + offset, ticket->data, ticket->size);
2320 offset += ticket->size;
2321 }
2322
2323 return offset;
2324}
2325
2326
2327static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
2328 byte isRequest)
2329{
2330 int ret = 0;
2331
2332 if (!isRequest) {
2333 /* client side */
2334 if (length != 0)
2335 return BUFFER_ERROR;
2336
2337 ssl->expect_session_ticket = 1;
2338 }
2339#ifndef NO_WOLFSSL_SERVER
2340 else {
2341 /* server side */
2342 if (ssl->ctx->ticketEncCb == NULL) {
2343 WOLFSSL_MSG("Client sent session ticket, server has no callback");
2344 return 0;
2345 }
2346
2347 if (length == 0) {
2348 /* blank ticket */
2349 ret = TLSX_UseSessionTicket(&ssl->extensions, NULL);
2350 if (ret == SSL_SUCCESS) {
2351 ret = 0;
2352 TLSX_SetResponse(ssl, SESSION_TICKET); /* send blank ticket */
2353 ssl->options.createTicket = 1; /* will send ticket msg */
2354 ssl->options.useTicket = 1;
2355 }
2356 } else {
2357 /* got actual ticket from client */
2358 ret = DoClientTicket(ssl, input, length);
2359 if (ret == WOLFSSL_TICKET_RET_OK) { /* use ticket to resume */
2360 WOLFSSL_MSG("Using exisitng client ticket");
2361 ssl->options.useTicket = 1;
2362 ssl->options.resuming = 1;
2363 } else if (ret == WOLFSSL_TICKET_RET_CREATE) {
2364 WOLFSSL_MSG("Using existing client ticket, creating new one");
2365 ret = TLSX_UseSessionTicket(&ssl->extensions, NULL);
2366 if (ret == SSL_SUCCESS) {
2367 ret = 0;
2368 TLSX_SetResponse(ssl, SESSION_TICKET);
2369 /* send blank ticket */
2370 ssl->options.createTicket = 1; /* will send ticket msg */
2371 ssl->options.useTicket = 1;
2372 ssl->options.resuming = 1;
2373 }
2374 } else if (ret == WOLFSSL_TICKET_RET_REJECT) {
2375 WOLFSSL_MSG("Process client ticket rejected, not using");
2376 ret = 0; /* not fatal */
2377 } else if (ret == WOLFSSL_TICKET_RET_FATAL || ret < 0) {
2378 WOLFSSL_MSG("Process client ticket fatal error, not using");
2379 }
2380 }
2381 }
2382#endif /* NO_WOLFSSL_SERVER */
2383
2384 return ret;
2385}
2386
2387WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime,
2388 byte* data, word16 size)
2389{
2390 SessionTicket* ticket = (SessionTicket*)XMALLOC(sizeof(SessionTicket),
2391 NULL, DYNAMIC_TYPE_TLSX);
2392 if (ticket) {
2393 ticket->data = (byte*)XMALLOC(size, NULL, DYNAMIC_TYPE_TLSX);
2394 if (ticket->data == NULL) {
2395 XFREE(ticket, NULL, DYNAMIC_TYPE_TLSX);
2396 return NULL;
2397 }
2398
2399 XMEMCPY(ticket->data, data, size);
2400 ticket->size = size;
2401 ticket->lifetime = lifetime;
2402 }
2403
2404 return ticket;
2405}
2406WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket)
2407{
2408 if (ticket) {
2409 XFREE(ticket->data, NULL, DYNAMIC_TYPE_TLSX);
2410 XFREE(ticket, NULL, DYNAMIC_TYPE_TLSX);
2411 }
2412}
2413
2414int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket)
2415{
2416 int ret = 0;
2417
2418 if (extensions == NULL)
2419 return BAD_FUNC_ARG;
2420
2421 /* If the ticket is NULL, the client will request a new ticket from the
2422 server. Otherwise, the client will use it in the next client hello. */
2423 if ((ret = TLSX_Push(extensions, SESSION_TICKET, (void*)ticket)) != 0)
2424 return ret;
2425
2426 return SSL_SUCCESS;
2427}
2428
2429#define STK_VALIDATE_REQUEST TLSX_SessionTicket_ValidateRequest
2430#define STK_GET_SIZE TLSX_SessionTicket_GetSize
2431#define STK_WRITE TLSX_SessionTicket_Write
2432#define STK_PARSE TLSX_SessionTicket_Parse
2433
2434#else
2435
2436#define STK_VALIDATE_REQUEST(a)
2437#define STK_GET_SIZE(a, b) 0
2438#define STK_WRITE(a, b, c) 0
2439#define STK_PARSE(a, b, c, d) 0
2440
2441#endif /* HAVE_SESSION_TICKET */
2442
2443
2444#ifdef HAVE_QSH
2445static WC_RNG* rng;
2446static wolfSSL_Mutex* rngMutex;
2447
2448static void TLSX_QSH_FreeAll(QSHScheme* list)
2449{
2450 QSHScheme* current;
2451
2452 while ((current = list)) {
2453 list = current->next;
2454 XFREE(current, 0, DYNAMIC_TYPE_TLSX);
2455 }
2456}
2457
2458static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub,
2459 word16 pubLen)
2460{
2461 QSHScheme* temp;
2462
2463 if (list == NULL)
2464 return BAD_FUNC_ARG;
2465
2466 if ((temp = XMALLOC(sizeof(QSHScheme), 0, DYNAMIC_TYPE_TLSX)) == NULL)
2467 return MEMORY_E;
2468
2469 temp->name = name;
2470 temp->PK = pub;
2471 temp->PKLen = pubLen;
2472 temp->next = *list;
2473
2474 *list = temp;
2475
2476 return 0;
2477}
2478
2479
2480/* request for server's public key : 02 indicates 0-2 requested */
2481static byte TLSX_QSH_SerPKReq(byte* output, byte isRequest)
2482{
2483 if (isRequest) {
2484 /* only request one public key from the server */
2485 output[0] = 0x01;
2486
2487 return OPAQUE8_LEN;
2488 }
2489 else {
2490 return 0;
2491 }
2492}
2493
2494#ifndef NO_WOLFSSL_CLIENT
2495
2496/* check for TLS_QSH suite */
2497static void TLSX_QSH_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
2498{
2499 int i;
2500
2501 for (i = 0; i < ssl->suites->suiteSz; i+= 2)
2502 if (ssl->suites->suites[i] == QSH_BYTE)
2503 return;
2504
2505 /* No QSH suite found */
2506 TURN_ON(semaphore, TLSX_ToSemaphore(WOLFSSL_QSH));
2507}
2508
2509
2510/* return the size of the QSH hello extension
2511 list the list of QSHScheme structs containing id and key
2512 isRequest if 1 then is being sent to the server
2513 */
2514word16 TLSX_QSH_GetSize(QSHScheme* list, byte isRequest)
2515{
2516 QSHScheme* temp = list;
2517 word16 length = 0;
2518
2519 /* account for size of scheme list and public key list */
2520 if (isRequest)
2521 length = OPAQUE16_LEN;
2522 length += OPAQUE24_LEN;
2523
2524 /* for each non null element in list add size */
2525 while ((temp)) {
2526 /* add public key info Scheme | Key Length | Key */
2527 length += OPAQUE16_LEN;
2528 length += OPAQUE16_LEN;
2529 length += temp->PKLen;
2530
2531 /* if client add name size for scheme list
2532 advance to next QSHScheme struct in list */
2533 if (isRequest)
2534 length += OPAQUE16_LEN;
2535 temp = temp->next;
2536 }
2537
2538 /* add length for request server public keys */
2539 if (isRequest)
2540 length += OPAQUE8_LEN;
2541
2542 return length;
2543}
2544
2545
2546/* write out a list of QSHScheme IDs */
2547static word16 TLSX_QSH_Write(QSHScheme* list, byte* output)
2548{
2549 QSHScheme* current = list;
2550 word16 length = 0;
2551
2552 length += OPAQUE16_LEN;
2553
2554 while (current) {
2555 c16toa(current->name, output + length);
2556 length += OPAQUE16_LEN;
2557 current = (QSHScheme*)current->next;
2558 }
2559
2560 c16toa(length - OPAQUE16_LEN, output); /* writing list length */
2561
2562 return length;
2563}
2564
2565
2566/* write public key list in extension */
2567static word16 TLSX_QSHPK_WriteR(QSHScheme* format, byte* output);
2568static word16 TLSX_QSHPK_WriteR(QSHScheme* format, byte* output)
2569{
2570 word32 offset = 0;
2571 word16 public_len = 0;
2572
2573 if (!format)
2574 return offset;
2575
2576 /* write scheme ID */
2577 c16toa(format->name, output + offset);
2578 offset += OPAQUE16_LEN;
2579
2580 /* write public key matching scheme */
2581 public_len = format->PKLen;
2582 c16toa(public_len, output + offset);
2583 offset += OPAQUE16_LEN;
2584 if (format->PK) {
2585 XMEMCPY(output+offset, format->PK, public_len);
2586 }
2587
2588 return public_len + offset;
2589}
2590
2591word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output)
2592{
2593 QSHScheme* current = list;
2594 word32 length = 0;
2595 word24 toWire;
2596
2597 length += OPAQUE24_LEN;
2598
2599 while (current) {
2600 length += TLSX_QSHPK_WriteR(current, output + length);
2601 current = (QSHScheme*)current->next;
2602 }
2603 /* length of public keys sent */
2604 c32to24(length - OPAQUE24_LEN, toWire);
2605 output[0] = toWire[0];
2606 output[1] = toWire[1];
2607 output[2] = toWire[2];
2608
2609 return length;
2610}
2611
2612#endif /* NO_WOLFSSL_CLIENT */
2613#ifndef NO_WOLFSSL_SERVER
2614
2615static void TLSX_QSHAgreement(TLSX** extensions)
2616{
2617 TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH);
2618 QSHScheme* format = NULL;
2619 QSHScheme* delete = NULL;
2620 QSHScheme* prev = NULL;
2621
2622 if (extension == NULL)
2623 return;
2624
2625 format = extension->data;
2626 while (format) {
2627 if (format->PKLen == 0) {
2628 /* case of head */
2629 if (format == extension->data) {
2630 extension->data = format->next;
2631 }
2632 if (prev)
2633 prev->next = format->next;
2634 delete = format;
2635 format = format->next;
2636 XFREE(delete, 0, DYNAMIC_TYPE_TMP_ARRAY);
2637 delete = NULL;
2638 } else {
2639 prev = format;
2640 format = format->next;
2641 }
2642 }
2643}
2644
2645
2646/* Parse in hello extension
2647 input the byte stream to process
2648 length length of total extension found
2649 isRequest set to 1 if being sent to the server
2650 */
2651static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length,
2652 byte isRequest)
2653{
2654 byte numKeys = 0;
2655 word16 offset = 0;
2656 word16 schemSz = 0;
2657 word16 offset_len = 0;
2658 word32 offset_pk = 0;
2659 word16 name = 0;
2660 word16 PKLen = 0;
2661 byte* PK = NULL;
2662 int r;
2663
2664
2665 if (OPAQUE16_LEN > length)
2666 return BUFFER_ERROR;
2667
2668 if (isRequest) {
2669 ato16(input, &schemSz);
2670
2671 /* list of public keys avialable for QSH schemes */
2672 offset_len = schemSz + OPAQUE16_LEN;
2673 }
2674
2675 offset_pk = ((input[offset_len] << 16) & 0xFF00000) |
2676 (((input[offset_len + 1]) << 8) & 0xFF00) |
2677 (input[offset_len + 2] & 0xFF);
2678 offset_len += OPAQUE24_LEN;
2679
2680 /* check buffer size */
2681 if (offset_pk > length)
2682 return BUFFER_ERROR;
2683
2684 /* set maximum number of keys the client will accept */
2685 if (!isRequest)
2686 numKeys = (ssl->maxRequest < 1)? 1 : ssl->maxRequest;
2687
2688 /* hello extension read list of scheme ids */
2689 if (isRequest) {
2690
2691 /* read in request for public keys */
2692 ssl->minRequest = (input[length -1] >> 4) & 0xFF;
2693 ssl->maxRequest = input[length -1] & 0x0F;
2694
2695 /* choose the min between min requested by client and 1 */
2696 numKeys = (ssl->minRequest > 1) ? ssl->minRequest : 1;
2697
2698 if (ssl->minRequest > ssl->maxRequest)
2699 return BAD_FUNC_ARG;
2700
2701 offset += OPAQUE16_LEN;
2702 schemSz += offset;
2703
2704 /* check buffer size */
2705 if (schemSz > length)
2706 return BUFFER_ERROR;
2707
2708 while ((offset < schemSz) && numKeys) {
2709 /* Scheme ID list */
2710 ato16(input + offset, &name);
2711 offset += OPAQUE16_LEN;
2712
2713 /* validate we have scheme id */
2714 if (ssl->user_set_QSHSchemes &&
2715 !TLSX_ValidateQSHScheme(&ssl->extensions, name)) {
2716 continue;
2717 }
2718
2719 /* server create keys on demand */
2720 if ((r = TLSX_CreateNtruKey(ssl, name)) != 0) {
2721 WOLFSSL_MSG("Error creating ntru keys");
2722 return r;
2723 }
2724
2725 /* peer sent an agreed upon scheme */
2726 r = TLSX_UseQSHScheme(&ssl->extensions, name, NULL, 0);
2727
2728 if (r != SSL_SUCCESS) return r; /* throw error */
2729
2730 numKeys--;
2731 }
2732
2733 /* choose the min between min requested by client and 1 */
2734 numKeys = (ssl->minRequest > 1) ? ssl->minRequest : 1;
2735 }
2736
2737 /* QSHPK struct */
2738 offset_pk += offset_len;
2739 while ((offset_len < offset_pk) && numKeys) {
2740 QSHKey * temp;
2741
2742 if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL)
2743 return MEMORY_E;
2744
2745 /* initialize */
2746 temp->next = NULL;
2747 temp->pub.buffer = NULL;
2748 temp->pub.length = 0;
2749 temp->pri.buffer = NULL;
2750 temp->pri.length = 0;
2751
2752 /* scheme id */
2753 ato16(input + offset_len, &(temp->name));
2754 offset_len += OPAQUE16_LEN;
2755
2756 /* public key length */
2757 ato16(input + offset_len, &PKLen);
2758 temp->pub.length = PKLen;
2759 offset_len += OPAQUE16_LEN;
2760
2761
2762 if (isRequest) {
2763 /* validate we have scheme id */
2764 if (ssl->user_set_QSHSchemes &&
2765 (!TLSX_ValidateQSHScheme(&ssl->extensions, temp->name))) {
2766 offset_len += PKLen;
2767 XFREE(temp, 0, DYNAMIC_TYPE_TLSX);
2768 continue;
2769 }
2770 }
2771
2772 /* read in public key */
2773 if (PKLen > 0) {
2774 temp->pub.buffer = (byte*)XMALLOC(temp->pub.length,
2775 0, DYNAMIC_TYPE_PUBLIC_KEY);
2776 XMEMCPY(temp->pub.buffer, input + offset_len, temp->pub.length);
2777 offset_len += PKLen;
2778 }
2779 else {
2780 PK = NULL;
2781 }
2782
2783 /* use own key when adding to extensions list for sending reply */
2784 PKLen = 0;
2785 PK = TLSX_QSHKeyFind_Pub(ssl->QSH_Key, &PKLen, temp->name);
2786 r = TLSX_UseQSHScheme(&ssl->extensions, temp->name, PK, PKLen);
2787
2788 /* store peers key */
2789 ssl->peerQSHKeyPresent = 1;
2790 if (TLSX_AddQSHKey(&ssl->peerQSHKey, temp) != 0)
2791 return MEMORY_E;
2792
2793 if (temp->pub.length == 0) {
2794 XFREE(temp, 0, DYNAMIC_TYPE_TLSX);
2795 }
2796
2797 if (r != SSL_SUCCESS) {return r;} /* throw error */
2798
2799 numKeys--;
2800 }
2801
2802 /* reply to a QSH extension sent from client */
2803 if (isRequest) {
2804 TLSX_SetResponse(ssl, WOLFSSL_QSH);
2805 /* only use schemes we have key generated for -- free the rest */
2806 TLSX_QSHAgreement(&ssl->extensions);
2807 }
2808
2809 return 0;
2810}
2811
2812
2813/* Used for parsing in QSHCipher structs on Key Exchange */
2814int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, word16 length,
2815 byte isServer)
2816{
2817 QSHKey* key;
2818 word16 Max_Secret_Len = 48;
2819 word16 offset = 0;
2820 word16 offset_len = 0;
2821 word32 offset_pk = 0;
2822 word16 name = 0;
2823 word16 secretLen = 0;
2824 byte* secret = NULL;
2825 word16 buffLen = 0;
2826 byte buff[145]; /* size enough for 3 secrets */
2827 buffer* buf;
2828
2829 /* pointer to location where secret should be stored */
2830 if (isServer) {
2831 buf = ssl->QSH_secret->CliSi;
2832 }
2833 else {
2834 buf = ssl->QSH_secret->SerSi;
2835 }
2836
2837 offset_pk = ((input[offset_len] << 16) & 0xFF0000) |
2838 (((input[offset_len + 1]) << 8) & 0xFF00) |
2839 (input[offset_len + 2] & 0xFF);
2840 offset_len += OPAQUE24_LEN;
2841
2842 /* validating extension list length -- check if trying to read over edge
2843 of buffer */
2844 if (length < (offset_pk + OPAQUE24_LEN)) {
2845 return BUFFER_ERROR;
2846 }
2847
2848 /* QSHCipherList struct */
2849 offset_pk += offset_len;
2850 while (offset_len < offset_pk) {
2851
2852 /* scheme id */
2853 ato16(input + offset_len, &name);
2854 offset_len += OPAQUE16_LEN;
2855
2856 /* public key length */
2857 ato16(input + offset_len, &secretLen);
2858 offset_len += OPAQUE16_LEN;
2859
2860 /* read in public key */
2861 if (secretLen > 0) {
2862 secret = (byte*)(input + offset_len);
2863 offset_len += secretLen;
2864 }
2865 else {
2866 secret = NULL;
2867 }
2868
2869 /* no secret sent */
2870 if (secret == NULL)
2871 continue;
2872
2873 /* find coresponding key */
2874 key = ssl->QSH_Key;
2875 while (key) {
2876 if (key->name == name)
2877 break;
2878 else
2879 key = (QSHKey*)key->next;
2880 }
2881
2882 /* if we do not have the key than there was a big issue negotiation */
2883 if (key == NULL) {
2884 WOLFSSL_MSG("key was null for decryption!!!\n");
2885 return MEMORY_E;
2886 }
2887
2888 /* Decrypt sent secret */
2889 buffLen = Max_Secret_Len;
2890 QSH_Decrypt(key, secret, secretLen, buff + offset, &buffLen);
2891 offset += buffLen;
2892 }
2893
2894 /* allocate memory for buffer */
2895 buf->length = offset;
2896 buf->buffer = (byte*)XMALLOC(offset, NULL, DYNAMIC_TYPE_TMP_BUFFER);
2897 if (buf->buffer == NULL)
2898 return MEMORY_E;
2899
2900 /* store secrets */
2901 XMEMCPY(buf->buffer, buff, offset);
2902 ForceZero(buff, offset);
2903
2904 return offset_len;
2905}
2906
2907
2908/* return 1 on success */
2909int TLSX_ValidateQSHScheme(TLSX** extensions, word16 theirs) {
2910 TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH);
2911 QSHScheme* format = NULL;
2912
2913 /* if no extension is sent then do not use QSH */
2914 if (!extension) {
2915 WOLFSSL_MSG("No QSH Extension");
2916 return 0;
2917 }
2918
2919 for (format = (QSHScheme*)extension->data; format; format = format->next) {
2920 if (format->name == theirs) {
2921 WOLFSSL_MSG("Found Matching QSH Scheme");
2922 return 1; /* have QSH */
2923 }
2924 }
2925
2926 return 0;
2927}
2928#endif /* NO_WOLFSSL_SERVER */
2929
2930/* test if the QSH Scheme is implemented
2931 return 1 if yes 0 if no */
2932static int TLSX_HaveQSHScheme(word16 name)
2933{
2934 switch(name) {
2935 #ifdef HAVE_NTRU
2936 case WOLFSSL_NTRU_EESS439:
2937 case WOLFSSL_NTRU_EESS593:
2938 case WOLFSSL_NTRU_EESS743:
2939 return 1;
2940 #endif
2941 case WOLFSSL_LWE_XXX:
2942 case WOLFSSL_HFE_XXX:
2943 return 0; /* not supported yet */
2944
2945 default:
2946 return 0;
2947 }
2948}
2949
2950
2951/* Add a QSHScheme struct to list of usable ones */
2952int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz)
2953{
2954 TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH);
2955 QSHScheme* format = NULL;
2956 int ret = 0;
2957
2958 /* sanity check */
2959 if (extensions == NULL || (pKey == NULL && pkeySz != 0))
2960 return BAD_FUNC_ARG;
2961
2962 /* if scheme is implemented than add */
2963 if (TLSX_HaveQSHScheme(name)) {
2964 if ((ret = TLSX_QSH_Append(&format, name, pKey, pkeySz)) != 0)
2965 return ret;
2966
2967 if (!extension) {
2968 if ((ret = TLSX_Push(extensions, WOLFSSL_QSH, format)) != 0) {
2969 XFREE(format, 0, DYNAMIC_TYPE_TLSX);
2970 return ret;
2971 }
2972 }
2973 else {
2974 /* push new QSH object to extension data. */
2975 format->next = (QSHScheme*)extension->data;
2976 extension->data = (void*)format;
2977
2978 /* look for another format of the same name to remove (replacement) */
2979 do {
2980 if (format->next && (format->next->name == name)) {
2981 QSHScheme* next = format->next;
2982
2983 format->next = next->next;
2984 XFREE(next, 0, DYNAMIC_TYPE_TLSX);
2985
2986 break;
2987 }
2988 } while ((format = format->next));
2989 }
2990 }
2991 return SSL_SUCCESS;
2992}
2993
2994#define QSH_FREE_ALL TLSX_QSH_FreeAll
2995#define QSH_VALIDATE_REQUEST TLSX_QSH_ValidateRequest
2996
2997#ifndef NO_WOLFSSL_CLIENT
2998#define QSH_GET_SIZE TLSX_QSH_GetSize
2999#define QSH_WRITE TLSX_QSH_Write
3000#else
3001#define QSH_GET_SIZE(list) 0
3002#define QSH_WRITE(a, b) 0
3003#endif
3004
3005#ifndef NO_WOLFSSL_SERVER
3006#define QSH_PARSE TLSX_QSH_Parse
3007#else
3008#define QSH_PARSE(a, b, c, d) 0
3009#endif
3010
3011#define QSHPK_WRITE TLSX_QSHPK_Write
3012#define QSH_SERREQ TLSX_QSH_SerPKReq
3013#else
3014
3015#define QSH_FREE_ALL(list)
3016#define QSH_GET_SIZE(list, a) 0
3017#define QSH_WRITE(a, b) 0
3018#define QSH_PARSE(a, b, c, d) 0
3019#define QSHPK_WRITE(a, b) 0
3020#define QSH_SERREQ(a, b) 0
3021#define QSH_VALIDATE_REQUEST(a, b)
3022
3023#endif /* HAVE_QSH */
3024
3025
3026/** Finds an extension in the provided list. */
3027TLSX* TLSX_Find(TLSX* list, TLSX_Type type)
3028{
3029 TLSX* extension = list;
3030
3031 while (extension && extension->type != type)
3032 extension = extension->next;
3033
3034 return extension;
3035}
3036
3037/** Releases all extensions in the provided list. */
3038void TLSX_FreeAll(TLSX* list)
3039{
3040 TLSX* extension;
3041
3042 while ((extension = list)) {
3043 list = extension->next;
3044
3045 switch (extension->type) {
3046
3047 case SERVER_NAME_INDICATION:
3048 SNI_FREE_ALL((SNI*)extension->data);
3049 break;
3050
3051 case MAX_FRAGMENT_LENGTH:
3052 MFL_FREE_ALL(extension->data);
3053 break;
3054
3055 case TRUNCATED_HMAC:
3056 /* Nothing to do. */
3057 break;
3058
3059 case ELLIPTIC_CURVES:
3060 EC_FREE_ALL(extension->data);
3061 break;
3062
3063 case SECURE_RENEGOTIATION:
3064 SCR_FREE_ALL(extension->data);
3065 break;
3066
3067 case SESSION_TICKET:
3068 /* Nothing to do. */
3069 break;
3070
3071 case WOLFSSL_QSH:
3072 QSH_FREE_ALL(extension->data);
3073 break;
3074
3075 case WOLFSSL_ALPN:
3076 ALPN_FREE_ALL((ALPN*)extension->data);
3077 break;
3078 }
3079
3080 XFREE(extension, 0, DYNAMIC_TYPE_TLSX);
3081 }
3082}
3083
3084/** Checks if the tls extensions are supported based on the protocol version. */
3085int TLSX_SupportExtensions(WOLFSSL* ssl) {
3086 return ssl && (IsTLS(ssl) || ssl->version.major == DTLS_MAJOR);
3087}
3088
3089/** Tells the buffered size of the extensions in a list. */
3090static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
3091{
3092 TLSX* extension;
3093 word16 length = 0;
3094
3095 while ((extension = list)) {
3096 list = extension->next;
3097
3098 /* only extensions marked as response are sent back to the client. */
3099 if (!isRequest && !extension->resp)
3100 continue; /* skip! */
3101
3102 /* ssl level extensions are expected to override ctx level ones. */
3103 if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type)))
3104 continue; /* skip! */
3105
3106 /* extension type + extension data length. */
3107 length += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
3108
3109
3110 switch (extension->type) {
3111
3112 case SERVER_NAME_INDICATION:
3113 /* SNI only sends the name on the request. */
3114 if (isRequest)
3115 length += SNI_GET_SIZE(extension->data);
3116 break;
3117
3118 case MAX_FRAGMENT_LENGTH:
3119 length += MFL_GET_SIZE(extension->data);
3120 break;
3121
3122 case TRUNCATED_HMAC:
3123 /* always empty. */
3124 break;
3125
3126 case ELLIPTIC_CURVES:
3127 length += EC_GET_SIZE(extension->data);
3128 break;
3129
3130 case SECURE_RENEGOTIATION:
3131 length += SCR_GET_SIZE(extension->data, isRequest);
3132 break;
3133
3134 case SESSION_TICKET:
3135 length += STK_GET_SIZE(extension->data, isRequest);
3136 break;
3137
3138 case WOLFSSL_QSH:
3139 length += QSH_GET_SIZE(extension->data, isRequest);
3140 break;
3141
3142 case WOLFSSL_ALPN:
3143 length += ALPN_GET_SIZE(extension->data);
3144 break;
3145
3146 }
3147
3148 /* marks the extension as processed so ctx level */
3149 /* extensions don't overlap with ssl level ones. */
3150 TURN_ON(semaphore, TLSX_ToSemaphore(extension->type));
3151 }
3152
3153 return length;
3154}
3155
3156/** Writes the extensions of a list in a buffer. */
3157static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
3158 byte isRequest)
3159{
3160 TLSX* extension;
3161 word16 offset = 0;
3162 word16 length_offset = 0;
3163
3164 while ((extension = list)) {
3165 list = extension->next;
3166
3167 /* only extensions marked as response are written in a response. */
3168 if (!isRequest && !extension->resp)
3169 continue; /* skip! */
3170
3171 /* ssl level extensions are expected to override ctx level ones. */
3172 if (!IS_OFF(semaphore, TLSX_ToSemaphore(extension->type)))
3173 continue; /* skip! */
3174
3175 /* writes extension type. */
3176 c16toa(extension->type, output + offset);
3177 offset += HELLO_EXT_TYPE_SZ + OPAQUE16_LEN;
3178 length_offset = offset;
3179
3180 /* extension data should be written internally. */
3181 switch (extension->type) {
3182 case SERVER_NAME_INDICATION:
3183 if (isRequest)
3184 offset += SNI_WRITE(extension->data, output + offset);
3185 break;
3186
3187 case MAX_FRAGMENT_LENGTH:
3188 offset += MFL_WRITE(extension->data, output + offset);
3189 break;
3190
3191 case TRUNCATED_HMAC:
3192 /* always empty. */
3193 break;
3194
3195 case ELLIPTIC_CURVES:
3196 offset += EC_WRITE(extension->data, output + offset);
3197 break;
3198
3199 case SECURE_RENEGOTIATION:
3200 offset += SCR_WRITE(extension->data, output + offset,
3201 isRequest);
3202 break;
3203
3204 case SESSION_TICKET:
3205 offset += STK_WRITE(extension->data, output + offset,
3206 isRequest);
3207 break;
3208
3209 case WOLFSSL_QSH:
3210 if (isRequest) {
3211 offset += QSH_WRITE(extension->data, output + offset);
3212 }
3213 offset += QSHPK_WRITE(extension->data, output + offset);
3214 offset += QSH_SERREQ(output + offset, isRequest);
3215 break;
3216
3217 case WOLFSSL_ALPN:
3218 offset += ALPN_WRITE(extension->data, output + offset);
3219 break;
3220 }
3221
3222 /* writes extension data length. */
3223 c16toa(offset - length_offset, output + length_offset - OPAQUE16_LEN);
3224
3225 /* marks the extension as processed so ctx level */
3226 /* extensions don't overlap with ssl level ones. */
3227 TURN_ON(semaphore, TLSX_ToSemaphore(extension->type));
3228 }
3229
3230 return offset;
3231}
3232
3233
3234#ifdef HAVE_NTRU
3235
3236static word32 GetEntropy(unsigned char* out, word32 num_bytes)
3237{
3238 int ret = 0;
3239
3240 if (rng == NULL) {
3241 if ((rng = XMALLOC(sizeof(WC_RNG), 0, DYNAMIC_TYPE_TLSX)) == NULL)
3242 return DRBG_OUT_OF_MEMORY;
3243 wc_InitRng(rng);
3244 }
3245
3246 if (rngMutex == NULL) {
3247 if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), 0,
3248 DYNAMIC_TYPE_TLSX)) == NULL)
3249 return DRBG_OUT_OF_MEMORY;
3250 InitMutex(rngMutex);
3251 }
3252
3253 ret |= LockMutex(rngMutex);
3254 ret |= wc_RNG_GenerateBlock(rng, out, num_bytes);
3255 ret |= UnLockMutex(rngMutex);
3256
3257 if (ret != 0)
3258 return DRBG_ENTROPY_FAIL;
3259
3260 return DRBG_OK;
3261}
3262#endif
3263
3264
3265#ifdef HAVE_QSH
3266static int TLSX_CreateQSHKey(WOLFSSL* ssl, int type)
3267{
3268 int ret;
3269
3270 switch (type) {
3271#ifdef HAVE_NTRU
3272 case WOLFSSL_NTRU_EESS439:
3273 case WOLFSSL_NTRU_EESS593:
3274 case WOLFSSL_NTRU_EESS743:
3275 ret = TLSX_CreateNtruKey(ssl, type);
3276 break;
3277#endif
3278 default:
3279 WOLFSSL_MSG("Unknown type for creating NTRU key");
3280 return -1;
3281 }
3282
3283 return ret;
3284}
3285
3286
3287static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key)
3288{
3289 if (key == NULL)
3290 return BAD_FUNC_ARG;
3291
3292 /* if no public key stored in key then do not add */
3293 if (key->pub.length == 0 || key->pub.buffer == NULL)
3294 return 0;
3295
3296 /* first element to be added to the list */
3297 QSHKey* current = *list;
3298 if (current == NULL) {
3299 *list = key;
3300 return 0;
3301 }
3302
3303 while (current->next) {
3304 /* can only have one of the key in the list */
3305 if (current->name == key->name)
3306 return -1;
3307 current = (QSHKey*)current->next;
3308 }
3309
3310 current->next = (struct QSHKey*)key;
3311
3312 return 0;
3313}
3314
3315
3316#ifdef HAVE_NTRU
3317int TLSX_CreateNtruKey(WOLFSSL* ssl, int type)
3318{
3319 int ret;
3320 int ntruType;
3321
3322 /* variable declarations for NTRU*/
3323 QSHKey* temp = NULL;
3324 byte public_key[1027];
3325 word16 public_key_len = sizeof(public_key);
3326 byte private_key[1120];
3327 word16 private_key_len = sizeof(private_key);
3328 DRBG_HANDLE drbg;
3329
3330 if (ssl == NULL)
3331 return BAD_FUNC_ARG;
3332
3333 switch (type) {
3334 case WOLFSSL_NTRU_EESS439:
3335 ntruType = NTRU_EES439EP1;
3336 break;
3337 case WOLFSSL_NTRU_EESS593:
3338 ntruType = NTRU_EES593EP1;
3339 break;
3340 case WOLFSSL_NTRU_EESS743:
3341 ntruType = NTRU_EES743EP1;
3342 break;
3343 default:
3344 WOLFSSL_MSG("Unknown type for creating NTRU key");
3345 return -1;
3346 }
3347 ret = ntru_crypto_drbg_external_instantiate(GetEntropy, &drbg);
3348 if (ret != DRBG_OK) {
3349 WOLFSSL_MSG("NTRU drbg instantiate failed\n");
3350 return ret;
3351 }
3352
3353 if ((ret = ntru_crypto_ntru_encrypt_keygen(drbg, ntruType,
3354 &public_key_len, NULL, &private_key_len, NULL)) != NTRU_OK)
3355 return ret;
3356
3357 if ((ret = ntru_crypto_ntru_encrypt_keygen(drbg, ntruType,
3358 &public_key_len, public_key, &private_key_len, private_key)) != NTRU_OK)
3359 return ret;
3360
3361 ret = ntru_crypto_drbg_uninstantiate(drbg);
3362 if (ret != NTRU_OK) {
3363 WOLFSSL_MSG("NTRU drbg uninstantiate failed\n");
3364 return ret;
3365 }
3366
3367 if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL)
3368 return MEMORY_E;
3369 temp->name = type;
3370 temp->pub.length = public_key_len;
3371 temp->pub.buffer = XMALLOC(public_key_len, public_key,
3372 DYNAMIC_TYPE_PUBLIC_KEY);
3373 XMEMCPY(temp->pub.buffer, public_key, public_key_len);
3374 temp->pri.length = private_key_len;
3375 temp->pri.buffer = XMALLOC(private_key_len, private_key,
3376 DYNAMIC_TYPE_ARRAYS);
3377 XMEMCPY(temp->pri.buffer, private_key, private_key_len);
3378 temp->next = NULL;
3379
3380 TLSX_AddQSHKey(&ssl->QSH_Key, temp);
3381
3382 return ret;
3383}
3384#endif
3385
3386
3387/*
3388 Used to find a public key from the list of keys
3389 pubLen length of array
3390 name input the name of the scheme looking for ie WOLFSSL_NTRU_ESSXXX
3391
3392 returns a pointer to public key byte* or NULL if not found
3393 */
3394static byte* TLSX_QSHKeyFind_Pub(QSHKey* qsh, word16* pubLen, word16 name)
3395{
3396 QSHKey* current = qsh;
3397
3398 if (qsh == NULL || pubLen == NULL)
3399 return NULL;
3400
3401 *pubLen = 0;
3402
3403 while(current) {
3404 if (current->name == name) {
3405 *pubLen = current->pub.length;
3406 return current->pub.buffer;
3407 }
3408 current = (QSHKey*)current->next;
3409 }
3410
3411 return NULL;
3412}
3413#endif /* HAVE_QSH */
3414
3415
3416int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
3417{
3418 byte* public_key = NULL;
3419 word16 public_key_len = 0;
3420 #ifdef HAVE_QSH
3421 TLSX* extension;
3422 QSHScheme* qsh;
3423 QSHScheme* next;
3424 #endif
3425 int ret = 0;
3426
3427 #ifdef HAVE_QSH
3428 /* add supported QSHSchemes */
3429 WOLFSSL_MSG("Adding supported QSH Schemes");
3430
3431 /* server will add extension depending on whats parsed from client */
3432 if (!isServer) {
3433
3434 /* test if user has set a specific scheme already */
3435 if (!ssl->user_set_QSHSchemes) {
3436 if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
3437 if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS743)) != 0) {
3438 WOLFSSL_MSG("Error creating ntru keys");
3439 return ret;
3440 }
3441 if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS593)) != 0) {
3442 WOLFSSL_MSG("Error creating ntru keys");
3443 return ret;
3444 }
3445 if ((ret = TLSX_CreateQSHKey(ssl, WOLFSSL_NTRU_EESS439)) != 0) {
3446 WOLFSSL_MSG("Error creating ntru keys");
3447 return ret;
3448 }
3449
3450 /* add NTRU 256 */
3451 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
3452 &public_key_len, WOLFSSL_NTRU_EESS743);
3453 }
3454 if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS743,
3455 public_key, public_key_len) != SSL_SUCCESS)
3456 ret = -1;
3457
3458 /* add NTRU 196 */
3459 if (ssl->sendQSHKeys) {
3460 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
3461 &public_key_len, WOLFSSL_NTRU_EESS593);
3462 }
3463 if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS593,
3464 public_key, public_key_len) != SSL_SUCCESS)
3465 ret = -1;
3466
3467 /* add NTRU 128 */
3468 if (ssl->sendQSHKeys) {
3469 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
3470 &public_key_len, WOLFSSL_NTRU_EESS439);
3471 }
3472 if (TLSX_UseQSHScheme(&ssl->extensions, WOLFSSL_NTRU_EESS439,
3473 public_key, public_key_len) != SSL_SUCCESS)
3474 ret = -1;
3475 }
3476 else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
3477 /* for each scheme make a client key */
3478 extension = TLSX_Find(ssl->extensions, WOLFSSL_QSH);
3479 if (extension) {
3480 qsh = (QSHScheme*)extension->data;
3481
3482 while (qsh) {
3483 if ((ret = TLSX_CreateQSHKey(ssl, qsh->name)) != 0)
3484 return ret;
3485
3486 /* get next now because qsh could be freed */
3487 next = qsh->next;
3488
3489 /* find the public key created and add to extension*/
3490 public_key = TLSX_QSHKeyFind_Pub(ssl->QSH_Key,
3491 &public_key_len, qsh->name);
3492 if (TLSX_UseQSHScheme(&ssl->extensions, qsh->name,
3493 public_key, public_key_len) != SSL_SUCCESS)
3494 ret = -1;
3495 qsh = next;
3496 }
3497 }
3498 }
3499 } /* is not server */
3500 #endif
3501
3502 (void)isServer;
3503 (void)public_key;
3504 (void)public_key_len;
3505 (void)ssl;
3506
3507 return ret;
3508}
3509
3510
3511#ifndef NO_WOLFSSL_CLIENT
3512
3513/** Tells the buffered size of extensions to be sent into the client hello. */
3514word16 TLSX_GetRequestSize(WOLFSSL* ssl)
3515{
3516 word16 length = 0;
3517
3518 if (TLSX_SupportExtensions(ssl)) {
3519 byte semaphore[SEMAPHORE_SIZE] = {0};
3520
3521 EC_VALIDATE_REQUEST(ssl, semaphore);
3522 QSH_VALIDATE_REQUEST(ssl, semaphore);
3523 STK_VALIDATE_REQUEST(ssl);
3524
3525 if (ssl->extensions)
3526 length += TLSX_GetSize(ssl->extensions, semaphore, 1);
3527
3528 if (ssl->ctx && ssl->ctx->extensions)
3529 length += TLSX_GetSize(ssl->ctx->extensions, semaphore, 1);
3530
3531 if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz)
3532 length += ssl->suites->hashSigAlgoSz + HELLO_EXT_LEN;
3533 }
3534
3535 if (length)
3536 length += OPAQUE16_LEN; /* for total length storage. */
3537
3538 return length;
3539}
3540
3541/** Writes the extensions to be sent into the client hello. */
3542word16 TLSX_WriteRequest(WOLFSSL* ssl, byte* output)
3543{
3544 word16 offset = 0;
3545
3546 if (TLSX_SupportExtensions(ssl) && output) {
3547 byte semaphore[SEMAPHORE_SIZE] = {0};
3548
3549 offset += OPAQUE16_LEN; /* extensions length */
3550
3551 EC_VALIDATE_REQUEST(ssl, semaphore);
3552 STK_VALIDATE_REQUEST(ssl);
3553 QSH_VALIDATE_REQUEST(ssl, semaphore);
3554
3555 if (ssl->extensions)
3556 offset += TLSX_Write(ssl->extensions, output + offset,
3557 semaphore, 1);
3558
3559 if (ssl->ctx && ssl->ctx->extensions)
3560 offset += TLSX_Write(ssl->ctx->extensions, output + offset,
3561 semaphore, 1);
3562
3563 if (IsAtLeastTLSv1_2(ssl) && ssl->suites->hashSigAlgoSz)
3564 {
3565 int i;
3566 /* extension type */
3567 c16toa(HELLO_EXT_SIG_ALGO, output + offset);
3568 offset += HELLO_EXT_TYPE_SZ;
3569
3570 /* extension data length */
3571 c16toa(OPAQUE16_LEN + ssl->suites->hashSigAlgoSz, output + offset);
3572 offset += OPAQUE16_LEN;
3573
3574 /* sig algos length */
3575 c16toa(ssl->suites->hashSigAlgoSz, output + offset);
3576 offset += OPAQUE16_LEN;
3577
3578 /* sig algos */
3579 for (i = 0; i < ssl->suites->hashSigAlgoSz; i++, offset++)
3580 output[offset] = ssl->suites->hashSigAlgo[i];
3581 }
3582
3583 if (offset > OPAQUE16_LEN)
3584 c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
3585 }
3586
3587 return offset;
3588}
3589
3590#endif /* NO_WOLFSSL_CLIENT */
3591
3592#ifndef NO_WOLFSSL_SERVER
3593
3594/** Tells the buffered size of extensions to be sent into the server hello. */
3595word16 TLSX_GetResponseSize(WOLFSSL* ssl)
3596{
3597 word16 length = 0;
3598 byte semaphore[SEMAPHORE_SIZE] = {0};
3599
3600 #ifdef HAVE_QSH
3601 /* change response if not using TLS_QSH */
3602 if (!ssl->options.haveQSH) {
3603 TLSX* ext = TLSX_Find(ssl->extensions, WOLFSSL_QSH);
3604 if (ext)
3605 ext->resp = 0;
3606 }
3607 #endif
3608
3609 if (TLSX_SupportExtensions(ssl))
3610 length += TLSX_GetSize(ssl->extensions, semaphore, 0);
3611
3612 /* All the response data is set at the ssl object only, so no ctx here. */
3613
3614 if (length)
3615 length += OPAQUE16_LEN; /* for total length storage */
3616
3617 return length;
3618}
3619
3620/** Writes the server hello extensions into a buffer. */
3621word16 TLSX_WriteResponse(WOLFSSL *ssl, byte* output)
3622{
3623 word16 offset = 0;
3624
3625 if (TLSX_SupportExtensions(ssl) && output) {
3626 byte semaphore[SEMAPHORE_SIZE] = {0};
3627
3628 offset += OPAQUE16_LEN; /* extensions length */
3629
3630 offset += TLSX_Write(ssl->extensions, output + offset, semaphore, 0);
3631
3632 if (offset > OPAQUE16_LEN)
3633 c16toa(offset - OPAQUE16_LEN, output); /* extensions length */
3634 }
3635
3636 return offset;
3637}
3638
3639#endif /* NO_WOLFSSL_SERVER */
3640
3641/** Parses a buffer of TLS extensions. */
3642int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest,
3643 Suites *suites)
3644{
3645 int ret = 0;
3646 word16 offset = 0;
3647
3648 if (!ssl || !input || (isRequest && !suites))
3649 return BAD_FUNC_ARG;
3650
3651 while (ret == 0 && offset < length) {
3652 word16 type;
3653 word16 size;
3654
3655 if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN)
3656 return BUFFER_ERROR;
3657
3658 ato16(input + offset, &type);
3659 offset += HELLO_EXT_TYPE_SZ;
3660
3661 ato16(input + offset, &size);
3662 offset += OPAQUE16_LEN;
3663
3664 if (offset + size > length)
3665 return BUFFER_ERROR;
3666
3667 switch (type) {
3668 case SERVER_NAME_INDICATION:
3669 WOLFSSL_MSG("SNI extension received");
3670
3671 ret = SNI_PARSE(ssl, input + offset, size, isRequest);
3672 break;
3673
3674 case MAX_FRAGMENT_LENGTH:
3675 WOLFSSL_MSG("Max Fragment Length extension received");
3676
3677 ret = MFL_PARSE(ssl, input + offset, size, isRequest);
3678 break;
3679
3680 case TRUNCATED_HMAC:
3681 WOLFSSL_MSG("Truncated HMAC extension received");
3682
3683 ret = THM_PARSE(ssl, input + offset, size, isRequest);
3684 break;
3685
3686 case ELLIPTIC_CURVES:
3687 WOLFSSL_MSG("Elliptic Curves extension received");
3688
3689 ret = EC_PARSE(ssl, input + offset, size, isRequest);
3690 break;
3691
3692 case SECURE_RENEGOTIATION:
3693 WOLFSSL_MSG("Secure Renegotiation extension received");
3694
3695 ret = SCR_PARSE(ssl, input + offset, size, isRequest);
3696 break;
3697
3698 case SESSION_TICKET:
3699 WOLFSSL_MSG("Session Ticket extension received");
3700
3701 ret = STK_PARSE(ssl, input + offset, size, isRequest);
3702 break;
3703
3704 case WOLFSSL_QSH:
3705 WOLFSSL_MSG("Quantum-Safe-Hybrid extension received");
3706
3707 ret = QSH_PARSE(ssl, input + offset, size, isRequest);
3708 break;
3709
3710 case WOLFSSL_ALPN:
3711 WOLFSSL_MSG("ALPN extension received");
3712
3713 ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
3714 break;
3715
3716 case HELLO_EXT_SIG_ALGO:
3717 if (isRequest) {
3718 /* do not mess with offset inside the switch! */
3719 if (IsAtLeastTLSv1_2(ssl)) {
3720 ato16(input + offset, &suites->hashSigAlgoSz);
3721
3722 if (suites->hashSigAlgoSz > size - OPAQUE16_LEN)
3723 return BUFFER_ERROR;
3724
3725 XMEMCPY(suites->hashSigAlgo,
3726 input + offset + OPAQUE16_LEN,
3727 min(suites->hashSigAlgoSz,
3728 HELLO_EXT_SIGALGO_MAX));
3729 }
3730 } else {
3731 WOLFSSL_MSG("Servers MUST NOT send SIG ALGO extension.");
3732 }
3733
3734 break;
3735 }
3736
3737 /* offset should be updated here! */
3738 offset += size;
3739 }
3740
3741 if (ret == 0)
3742 ret = SNI_VERIFY_PARSE(ssl, isRequest);
3743
3744 return ret;
3745}
3746
3747/* undefining semaphore macros */
3748#undef IS_OFF
3749#undef TURN_ON
3750#undef SEMAPHORE_SIZE
3751
3752#endif /* HAVE_TLS_EXTENSIONS */
3753
3754#ifndef NO_WOLFSSL_CLIENT
3755
3756#ifndef NO_OLD_TLS
3757
3758 WOLFSSL_METHOD* wolfTLSv1_client_method(void)
3759 {
3760 WOLFSSL_METHOD* method =
3761 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
3762 DYNAMIC_TYPE_METHOD);
3763 if (method)
3764 InitSSL_Method(method, MakeTLSv1());
3765 return method;
3766 }
3767
3768
3769 WOLFSSL_METHOD* wolfTLSv1_1_client_method(void)
3770 {
3771 WOLFSSL_METHOD* method =
3772 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
3773 DYNAMIC_TYPE_METHOD);
3774 if (method)
3775 InitSSL_Method(method, MakeTLSv1_1());
3776 return method;
3777 }
3778
3779#endif /* !NO_OLD_TLS */
3780
3781#ifndef NO_SHA256 /* can't use without SHA256 */
3782
3783 WOLFSSL_METHOD* wolfTLSv1_2_client_method(void)
3784 {
3785 WOLFSSL_METHOD* method =
3786 (WOLFSSL_METHOD*) XMALLOC(sizeof(WOLFSSL_METHOD), 0,
3787 DYNAMIC_TYPE_METHOD);
3788 if (method)
3789 InitSSL_Method(method, MakeTLSv1_2());
3790 return method;
3791 }
3792
3793#endif
3794
3795
3796 WOLFSSL_METHOD* wolfSSLv23_client_method(void) </