[337] | 1 | /* tls13.c
|
---|
| 2 | *
|
---|
| 3 | * Copyright (C) 2006-2017 wolfSSL Inc.
|
---|
| 4 | *
|
---|
| 5 | * This file is part of wolfSSL.
|
---|
| 6 | *
|
---|
| 7 | * wolfSSL is free software; you can redistribute it and/or modify
|
---|
| 8 | * it under the terms of the GNU General Public License as published by
|
---|
| 9 | * the Free Software Foundation; either version 2 of the License, or
|
---|
| 10 | * (at your option) any later version.
|
---|
| 11 | *
|
---|
| 12 | * wolfSSL is distributed in the hope that it will be useful,
|
---|
| 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
| 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
---|
| 15 | * GNU General Public License for more details.
|
---|
| 16 | *
|
---|
| 17 | * You should have received a copy of the GNU General Public License
|
---|
| 18 | * along with this program; if not, write to the Free Software
|
---|
| 19 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
|
---|
| 20 | */
|
---|
| 21 |
|
---|
| 22 |
|
---|
| 23 | /*
|
---|
| 24 | * WOLFSSL_TLS13_DRAFT_18
|
---|
| 25 | * Conform with Draft 18 of the TLS v1.3 specification.
|
---|
| 26 | * WOLFSSL_EARLY_DATA
|
---|
| 27 | * Allow 0-RTT Handshake using Early Data extensions and handshake message
|
---|
| 28 | * WOLFSSL_POST_HANDSHAKE_AUTH
|
---|
| 29 | * Allow TLS v1.3 code to perform post-handshake authentication of the
|
---|
| 30 | * client.
|
---|
| 31 | * WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
|
---|
| 32 | * Allow a NewSessionTicket message to be sent by server before Client's
|
---|
| 33 | * Finished message.
|
---|
| 34 | * See TLS v.13 specification, Section 4.6.1, Paragraph 4 (Note).
|
---|
| 35 | * TLS13_SUPPORTS_EXPORTERS
|
---|
| 36 | * Gaurd to compile out any code for exporter keys.
|
---|
| 37 | * Feature not supported yet.
|
---|
| 38 | */
|
---|
| 39 |
|
---|
| 40 | #ifdef HAVE_CONFIG_H
|
---|
| 41 | #include <config.h>
|
---|
| 42 | #endif
|
---|
| 43 |
|
---|
| 44 | #include <wolfssl/wolfcrypt/settings.h>
|
---|
| 45 |
|
---|
| 46 | #ifdef WOLFSSL_TLS13
|
---|
| 47 | #ifdef HAVE_SESSION_TICKET
|
---|
| 48 | #include <sys/time.h>
|
---|
| 49 | #endif
|
---|
| 50 |
|
---|
| 51 | #ifndef WOLFCRYPT_ONLY
|
---|
| 52 |
|
---|
| 53 | #ifdef HAVE_ERRNO_H
|
---|
| 54 | #include <errno.h>
|
---|
| 55 | #endif
|
---|
| 56 |
|
---|
| 57 | #include <wolfssl/internal.h>
|
---|
| 58 | #include <wolfssl/error-ssl.h>
|
---|
| 59 | #include <wolfssl/wolfcrypt/asn.h>
|
---|
| 60 | #include <wolfssl/wolfcrypt/dh.h>
|
---|
| 61 | #ifdef NO_INLINE
|
---|
| 62 | #include <wolfssl/wolfcrypt/misc.h>
|
---|
| 63 | #else
|
---|
| 64 | #define WOLFSSL_MISC_INCLUDED
|
---|
| 65 | #include <wolfcrypt/src/misc.c>
|
---|
| 66 | #endif
|
---|
| 67 |
|
---|
| 68 | #ifdef HAVE_NTRU
|
---|
| 69 | #include "libntruencrypt/ntru_crypto.h"
|
---|
| 70 | #endif
|
---|
| 71 |
|
---|
| 72 | #if defined(DEBUG_WOLFSSL) || defined(WOLFSSL_DEBUG) || \
|
---|
| 73 | defined(CHACHA_AEAD_TEST) || defined(WOLFSSL_SESSION_EXPORT_DEBUG)
|
---|
| 74 | #if defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
|
---|
| 75 | #if MQX_USE_IO_OLD
|
---|
| 76 | #include <fio.h>
|
---|
| 77 | #else
|
---|
| 78 | #include <nio.h>
|
---|
| 79 | #endif
|
---|
| 80 | #else
|
---|
| 81 | #include <stdio.h>
|
---|
| 82 | #endif
|
---|
| 83 | #endif
|
---|
| 84 |
|
---|
| 85 | #ifdef __sun
|
---|
| 86 | #include <sys/filio.h>
|
---|
| 87 | #endif
|
---|
| 88 |
|
---|
| 89 | #ifndef TRUE
|
---|
| 90 | #define TRUE 1
|
---|
| 91 | #endif
|
---|
| 92 | #ifndef FALSE
|
---|
| 93 | #define FALSE 0
|
---|
| 94 | #endif
|
---|
| 95 |
|
---|
| 96 | /* Set ret to error value and jump to label.
|
---|
| 97 | *
|
---|
| 98 | * err The error value to set.
|
---|
| 99 | * eLabel The label to jump to.
|
---|
| 100 | */
|
---|
| 101 | #define ERROR_OUT(err, eLabel) { ret = (err); goto eLabel; }
|
---|
| 102 |
|
---|
| 103 |
|
---|
| 104 | /* Extract data using HMAC, salt and input.
|
---|
| 105 | * RFC 5869 - HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
|
---|
| 106 | *
|
---|
| 107 | * prk The generated pseudorandom key.
|
---|
| 108 | * salt The salt.
|
---|
| 109 | * saltLen The length of the salt.
|
---|
| 110 | * ikm The input keying material.
|
---|
| 111 | * ikmLen The length of the input keying material.
|
---|
| 112 | * mac The type of digest to use.
|
---|
| 113 | * returns 0 on success, otherwise failure.
|
---|
| 114 | */
|
---|
| 115 | static int Tls13_HKDF_Extract(byte* prk, const byte* salt, int saltLen,
|
---|
| 116 | byte* ikm, int ikmLen, int mac)
|
---|
| 117 | {
|
---|
| 118 | int ret;
|
---|
| 119 | int hash = 0;
|
---|
| 120 | int len = 0;
|
---|
| 121 |
|
---|
| 122 | switch (mac) {
|
---|
| 123 | #ifndef NO_SHA256
|
---|
| 124 | case sha256_mac:
|
---|
| 125 | hash = WC_SHA256;
|
---|
| 126 | len = WC_SHA256_DIGEST_SIZE;
|
---|
| 127 | break;
|
---|
| 128 | #endif
|
---|
| 129 |
|
---|
| 130 | #ifdef WOLFSSL_SHA384
|
---|
| 131 | case sha384_mac:
|
---|
| 132 | hash = WC_SHA384;
|
---|
| 133 | len = WC_SHA384_DIGEST_SIZE;
|
---|
| 134 | break;
|
---|
| 135 | #endif
|
---|
| 136 |
|
---|
| 137 | #ifdef WOLFSSL_TLS13_TLS13_SHA512
|
---|
| 138 | case sha512_mac:
|
---|
| 139 | hash = WC_SHA512;
|
---|
| 140 | len = WC_SHA512_DIGEST_SIZE;
|
---|
| 141 | break;
|
---|
| 142 | #endif
|
---|
| 143 | }
|
---|
| 144 |
|
---|
| 145 | /* When length is 0 then use zeroed data of digest length. */
|
---|
| 146 | if (ikmLen == 0) {
|
---|
| 147 | ikmLen = len;
|
---|
| 148 | XMEMSET(ikm, 0, len);
|
---|
| 149 | }
|
---|
| 150 |
|
---|
| 151 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 152 | WOLFSSL_MSG(" Salt");
|
---|
| 153 | WOLFSSL_BUFFER(salt, saltLen);
|
---|
| 154 | WOLFSSL_MSG(" IKM");
|
---|
| 155 | WOLFSSL_BUFFER(ikm, ikmLen);
|
---|
| 156 | #endif
|
---|
| 157 |
|
---|
| 158 | ret = wc_HKDF_Extract(hash, salt, saltLen, ikm, ikmLen, prk);
|
---|
| 159 |
|
---|
| 160 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 161 | WOLFSSL_MSG(" PRK");
|
---|
| 162 | WOLFSSL_BUFFER(prk, len);
|
---|
| 163 | #endif
|
---|
| 164 |
|
---|
| 165 | return ret;
|
---|
| 166 | }
|
---|
| 167 |
|
---|
| 168 | /* Expand data using HMAC, salt and label and info.
|
---|
| 169 | * TLS v1.3 defines this function.
|
---|
| 170 | *
|
---|
| 171 | * okm The generated pseudorandom key - output key material.
|
---|
| 172 | * prk The salt - pseudo-random key.
|
---|
| 173 | * prkLen The length of the salt - pseudo-random key.
|
---|
| 174 | * protocol The TLS protocol label.
|
---|
| 175 | * protocolLen The length of the TLS protocol label.
|
---|
| 176 | * info The information to expand.
|
---|
| 177 | * infoLen The length of the information.
|
---|
| 178 | * digest The type of digest to use.
|
---|
| 179 | * returns 0 on success, otherwise failure.
|
---|
| 180 | */
|
---|
| 181 | static int HKDF_Expand_Label(byte* okm, word32 okmLen,
|
---|
| 182 | const byte* prk, word32 prkLen,
|
---|
| 183 | const byte* protocol, word32 protocolLen,
|
---|
| 184 | const byte* label, word32 labelLen,
|
---|
| 185 | const byte* info, word32 infoLen,
|
---|
| 186 | int digest)
|
---|
| 187 | {
|
---|
| 188 | int ret = 0;
|
---|
| 189 | int idx = 0;
|
---|
| 190 | byte data[MAX_HKDF_LABEL_SZ];
|
---|
| 191 |
|
---|
| 192 | /* Output length. */
|
---|
| 193 | data[idx++] = okmLen >> 8;
|
---|
| 194 | data[idx++] = okmLen;
|
---|
| 195 | /* Length of protocol | label. */
|
---|
| 196 | data[idx++] = protocolLen + labelLen;
|
---|
| 197 | /* Protocol */
|
---|
| 198 | XMEMCPY(&data[idx], protocol, protocolLen);
|
---|
| 199 | idx += protocolLen;
|
---|
| 200 | /* Label */
|
---|
| 201 | XMEMCPY(&data[idx], label, labelLen);
|
---|
| 202 | idx += labelLen;
|
---|
| 203 | /* Length of hash of messages */
|
---|
| 204 | data[idx++] = infoLen;
|
---|
| 205 | /* Hash of messages */
|
---|
| 206 | XMEMCPY(&data[idx], info, infoLen);
|
---|
| 207 | idx += infoLen;
|
---|
| 208 |
|
---|
| 209 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 210 | WOLFSSL_MSG(" PRK");
|
---|
| 211 | WOLFSSL_BUFFER(prk, prkLen);
|
---|
| 212 | WOLFSSL_MSG(" Info");
|
---|
| 213 | WOLFSSL_BUFFER(data, idx);
|
---|
| 214 | #endif
|
---|
| 215 |
|
---|
| 216 | ret = wc_HKDF_Expand(digest, prk, prkLen, data, idx, okm, okmLen);
|
---|
| 217 |
|
---|
| 218 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 219 | WOLFSSL_MSG(" OKM");
|
---|
| 220 | WOLFSSL_BUFFER(okm, okmLen);
|
---|
| 221 | #endif
|
---|
| 222 |
|
---|
| 223 | ForceZero(data, idx);
|
---|
| 224 |
|
---|
| 225 | return ret;
|
---|
| 226 | }
|
---|
| 227 |
|
---|
| 228 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 229 | /* Size of the TLS v1.3 label use when deriving keys. */
|
---|
| 230 | #define TLS13_PROTOCOL_LABEL_SZ 9
|
---|
| 231 | /* The protocol label for TLS v1.3. */
|
---|
| 232 | static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "TLS 1.3, ";
|
---|
| 233 | #else
|
---|
| 234 | /* Size of the TLS v1.3 label use when deriving keys. */
|
---|
| 235 | #define TLS13_PROTOCOL_LABEL_SZ 6
|
---|
| 236 | /* The protocol label for TLS v1.3. */
|
---|
| 237 | static const byte tls13ProtocolLabel[TLS13_PROTOCOL_LABEL_SZ + 1] = "tls13 ";
|
---|
| 238 | #endif
|
---|
| 239 |
|
---|
| 240 | #if !defined(WOLFSSL_TLS13_DRAFT_18) || defined(HAVE_SESSION_TICKET) || \
|
---|
| 241 | !defined(NO_PSK)
|
---|
| 242 | /* Derive a key from a message.
|
---|
| 243 | *
|
---|
| 244 | * ssl The SSL/TLS object.
|
---|
| 245 | * output The buffer to hold the derived key.
|
---|
| 246 | * outputLen The length of the derived key.
|
---|
| 247 | * secret The secret used to derive the key (HMAC secret).
|
---|
| 248 | * label The label used to distinguish the context.
|
---|
| 249 | * labelLen The length of the label.
|
---|
| 250 | * msg The message data to derive key from.
|
---|
| 251 | * msgLen The length of the message data to derive key from.
|
---|
| 252 | * hashAlgo The hash algorithm to use in the HMAC.
|
---|
| 253 | * returns 0 on success, otherwise failure.
|
---|
| 254 | */
|
---|
| 255 | static int DeriveKeyMsg(WOLFSSL* ssl, byte* output, int outputLen,
|
---|
| 256 | const byte* secret, const byte* label, word32 labelLen,
|
---|
| 257 | byte* msg, int msgLen, int hashAlgo)
|
---|
| 258 | {
|
---|
| 259 | byte hash[MAX_DIGEST_SIZE];
|
---|
| 260 | Digest digest;
|
---|
| 261 | word32 hashSz = 0;
|
---|
| 262 | const byte* protocol;
|
---|
| 263 | word32 protocolLen;
|
---|
| 264 | int digestAlg;
|
---|
| 265 | int ret = BAD_FUNC_ARG;
|
---|
| 266 |
|
---|
| 267 | switch (hashAlgo) {
|
---|
| 268 | #ifndef NO_WOLFSSL_SHA256
|
---|
| 269 | case sha256_mac:
|
---|
| 270 | ret = wc_InitSha256_ex(&digest.sha256, ssl->heap, INVALID_DEVID);
|
---|
| 271 | if (ret == 0) {
|
---|
| 272 | ret = wc_Sha256Update(&digest.sha256, msg, msgLen);
|
---|
| 273 | if (ret == 0)
|
---|
| 274 | ret = wc_Sha256Final(&digest.sha256, hash);
|
---|
| 275 | wc_Sha256Free(&digest.sha256);
|
---|
| 276 | }
|
---|
| 277 | hashSz = WC_SHA256_DIGEST_SIZE;
|
---|
| 278 | digestAlg = WC_SHA256;
|
---|
| 279 | break;
|
---|
| 280 | #endif
|
---|
| 281 | #ifdef WOLFSSL_SHA384
|
---|
| 282 | case sha384_mac:
|
---|
| 283 | ret = wc_InitSha384_ex(&digest.sha384, ssl->heap, INVALID_DEVID);
|
---|
| 284 | if (ret == 0) {
|
---|
| 285 | ret = wc_Sha384Update(&digest.sha384, msg, msgLen);
|
---|
| 286 | if (ret == 0)
|
---|
| 287 | ret = wc_Sha384Final(&digest.sha384, hash);
|
---|
| 288 | wc_Sha384Free(&digest.sha384);
|
---|
| 289 | }
|
---|
| 290 | hashSz = WC_SHA384_DIGEST_SIZE;
|
---|
| 291 | digestAlg = WC_SHA384;
|
---|
| 292 | break;
|
---|
| 293 | #endif
|
---|
| 294 | #ifdef WOLFSSL_TLS13_SHA512
|
---|
| 295 | case sha512_mac:
|
---|
| 296 | ret = wc_InitSha512_ex(&digest.sha512, ssl->heap, INVALID_DEVID);
|
---|
| 297 | if (ret == 0) {
|
---|
| 298 | ret = wc_Sha512Update(&digest.sha512, msg, msgLen);
|
---|
| 299 | if (ret == 0)
|
---|
| 300 | ret = wc_Sha512Final(&digest.sha512, hash);
|
---|
| 301 | wc_Sha512Free(&digest.sha512);
|
---|
| 302 | }
|
---|
| 303 | hashSz = WC_SHA512_DIGEST_SIZE;
|
---|
| 304 | digestAlg = WC_SHA512;
|
---|
| 305 | break;
|
---|
| 306 | #endif
|
---|
| 307 | }
|
---|
| 308 |
|
---|
| 309 | if (ret != 0)
|
---|
| 310 | return ret;
|
---|
| 311 |
|
---|
| 312 | switch (ssl->version.minor) {
|
---|
| 313 | case TLSv1_3_MINOR:
|
---|
| 314 | protocol = tls13ProtocolLabel;
|
---|
| 315 | protocolLen = TLS13_PROTOCOL_LABEL_SZ;
|
---|
| 316 | break;
|
---|
| 317 |
|
---|
| 318 | default:
|
---|
| 319 | return VERSION_ERROR;
|
---|
| 320 | }
|
---|
| 321 | if (outputLen == -1)
|
---|
| 322 | outputLen = hashSz;
|
---|
| 323 |
|
---|
| 324 | return HKDF_Expand_Label(output, outputLen, secret, hashSz,
|
---|
| 325 | protocol, protocolLen, label, labelLen,
|
---|
| 326 | hash, hashSz, digestAlg);
|
---|
| 327 | }
|
---|
| 328 | #endif
|
---|
| 329 |
|
---|
| 330 | /* Derive a key.
|
---|
| 331 | *
|
---|
| 332 | * ssl The SSL/TLS object.
|
---|
| 333 | * output The buffer to hold the derived key.
|
---|
| 334 | * outputLen The length of the derived key.
|
---|
| 335 | * secret The secret used to derive the key (HMAC secret).
|
---|
| 336 | * label The label used to distinguish the context.
|
---|
| 337 | * labelLen The length of the label.
|
---|
| 338 | * hashAlgo The hash algorithm to use in the HMAC.
|
---|
| 339 | * includeMsgs Whether to include a hash of the handshake messages so far.
|
---|
| 340 | * returns 0 on success, otherwise failure.
|
---|
| 341 | */
|
---|
| 342 | static int DeriveKey(WOLFSSL* ssl, byte* output, int outputLen,
|
---|
| 343 | const byte* secret, const byte* label, word32 labelLen,
|
---|
| 344 | int hashAlgo, int includeMsgs)
|
---|
| 345 | {
|
---|
| 346 | int ret = 0;
|
---|
| 347 | byte hash[MAX_DIGEST_SIZE];
|
---|
| 348 | word32 hashSz = 0;
|
---|
| 349 | word32 hashOutSz = 0;
|
---|
| 350 | const byte* protocol;
|
---|
| 351 | word32 protocolLen;
|
---|
| 352 | int digestAlg = 0;
|
---|
| 353 |
|
---|
| 354 | switch (hashAlgo) {
|
---|
| 355 | #ifndef NO_SHA256
|
---|
| 356 | case sha256_mac:
|
---|
| 357 | hashSz = WC_SHA256_DIGEST_SIZE;
|
---|
| 358 | digestAlg = WC_SHA256;
|
---|
| 359 | if (includeMsgs)
|
---|
| 360 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
|
---|
| 361 | break;
|
---|
| 362 | #endif
|
---|
| 363 |
|
---|
| 364 | #ifdef WOLFSSL_SHA384
|
---|
| 365 | case sha384_mac:
|
---|
| 366 | hashSz = WC_SHA384_DIGEST_SIZE;
|
---|
| 367 | digestAlg = WC_SHA384;
|
---|
| 368 | if (includeMsgs)
|
---|
| 369 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
|
---|
| 370 | break;
|
---|
| 371 | #endif
|
---|
| 372 |
|
---|
| 373 | #ifdef WOLFSSL_TLS13_SHA512
|
---|
| 374 | case sha512_mac:
|
---|
| 375 | hashSz = WC_SHA512_DIGEST_SIZE;
|
---|
| 376 | digestAlg = WC_SHA512;
|
---|
| 377 | if (includeMsgs)
|
---|
| 378 | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
|
---|
| 379 | break;
|
---|
| 380 | #endif
|
---|
| 381 | }
|
---|
| 382 | if (ret != 0)
|
---|
| 383 | return ret;
|
---|
| 384 |
|
---|
| 385 | /* Only one protocol version defined at this time. */
|
---|
| 386 | protocol = tls13ProtocolLabel;
|
---|
| 387 | protocolLen = TLS13_PROTOCOL_LABEL_SZ;
|
---|
| 388 |
|
---|
| 389 | if (outputLen == -1)
|
---|
| 390 | outputLen = hashSz;
|
---|
| 391 | if (includeMsgs)
|
---|
| 392 | hashOutSz = hashSz;
|
---|
| 393 |
|
---|
| 394 | return HKDF_Expand_Label(output, outputLen, secret, hashSz,
|
---|
| 395 | protocol, protocolLen, label, labelLen,
|
---|
| 396 | hash, hashOutSz, digestAlg);
|
---|
| 397 | }
|
---|
| 398 |
|
---|
| 399 |
|
---|
| 400 | #ifndef NO_PSK
|
---|
| 401 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 402 | /* The length of the binder key label. */
|
---|
| 403 | #define BINDER_KEY_LABEL_SZ 23
|
---|
| 404 | /* The binder key label. */
|
---|
| 405 | static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
|
---|
| 406 | "external psk binder key";
|
---|
| 407 | #else
|
---|
| 408 | /* The length of the binder key label. */
|
---|
| 409 | #define BINDER_KEY_LABEL_SZ 10
|
---|
| 410 | /* The binder key label. */
|
---|
| 411 | static const byte binderKeyLabel[BINDER_KEY_LABEL_SZ + 1] =
|
---|
| 412 | "ext binder";
|
---|
| 413 | #endif
|
---|
| 414 | /* Derive the binder key.
|
---|
| 415 | *
|
---|
| 416 | * ssl The SSL/TLS object.
|
---|
| 417 | * key The derived key.
|
---|
| 418 | * returns 0 on success, otherwise failure.
|
---|
| 419 | */
|
---|
| 420 | static int DeriveBinderKey(WOLFSSL* ssl, byte* key)
|
---|
| 421 | {
|
---|
| 422 | WOLFSSL_MSG("Derive Binder Key");
|
---|
| 423 | return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
|
---|
| 424 | binderKeyLabel, BINDER_KEY_LABEL_SZ,
|
---|
| 425 | NULL, 0, ssl->specs.mac_algorithm);
|
---|
| 426 | }
|
---|
| 427 | #endif /* !NO_PSK */
|
---|
| 428 |
|
---|
| 429 | #ifdef HAVE_SESSION_TICKET
|
---|
| 430 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 431 | /* The length of the binder key resume label. */
|
---|
| 432 | #define BINDER_KEY_RESUME_LABEL_SZ 25
|
---|
| 433 | /* The binder key resume label. */
|
---|
| 434 | static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
|
---|
| 435 | "resumption psk binder key";
|
---|
| 436 | #else
|
---|
| 437 | /* The length of the binder key resume label. */
|
---|
| 438 | #define BINDER_KEY_RESUME_LABEL_SZ 10
|
---|
| 439 | /* The binder key resume label. */
|
---|
| 440 | static const byte binderKeyResumeLabel[BINDER_KEY_RESUME_LABEL_SZ + 1] =
|
---|
| 441 | "res binder";
|
---|
| 442 | #endif
|
---|
| 443 | /* Derive the binder resumption key.
|
---|
| 444 | *
|
---|
| 445 | * ssl The SSL/TLS object.
|
---|
| 446 | * key The derived key.
|
---|
| 447 | * returns 0 on success, otherwise failure.
|
---|
| 448 | */
|
---|
| 449 | static int DeriveBinderKeyResume(WOLFSSL* ssl, byte* key)
|
---|
| 450 | {
|
---|
| 451 | WOLFSSL_MSG("Derive Binder Key - Resumption");
|
---|
| 452 | return DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
|
---|
| 453 | binderKeyResumeLabel, BINDER_KEY_RESUME_LABEL_SZ,
|
---|
| 454 | NULL, 0, ssl->specs.mac_algorithm);
|
---|
| 455 | }
|
---|
| 456 | #endif /* HAVE_SESSION_TICKET */
|
---|
| 457 |
|
---|
| 458 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 459 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 460 | /* The length of the early traffic label. */
|
---|
| 461 | #define EARLY_TRAFFIC_LABEL_SZ 27
|
---|
| 462 | /* The early traffic label. */
|
---|
| 463 | static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
|
---|
| 464 | "client early traffic secret";
|
---|
| 465 | #else
|
---|
| 466 | /* The length of the early traffic label. */
|
---|
| 467 | #define EARLY_TRAFFIC_LABEL_SZ 11
|
---|
| 468 | /* The early traffic label. */
|
---|
| 469 | static const byte earlyTrafficLabel[EARLY_TRAFFIC_LABEL_SZ + 1] =
|
---|
| 470 | "c e traffic";
|
---|
| 471 | #endif
|
---|
| 472 | /* Derive the early traffic key.
|
---|
| 473 | *
|
---|
| 474 | * ssl The SSL/TLS object.
|
---|
| 475 | * key The derived key.
|
---|
| 476 | * returns 0 on success, otherwise failure.
|
---|
| 477 | */
|
---|
| 478 | static int DeriveEarlyTrafficSecret(WOLFSSL* ssl, byte* key)
|
---|
| 479 | {
|
---|
| 480 | WOLFSSL_MSG("Derive Early Traffic Secret");
|
---|
| 481 | return DeriveKey(ssl, key, -1, ssl->arrays->secret,
|
---|
| 482 | earlyTrafficLabel, EARLY_TRAFFIC_LABEL_SZ,
|
---|
| 483 | ssl->specs.mac_algorithm, 1);
|
---|
| 484 | }
|
---|
| 485 |
|
---|
| 486 | #ifdef TLS13_SUPPORTS_EXPORTERS
|
---|
| 487 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 488 | /* The length of the early exporter label. */
|
---|
| 489 | #define EARLY_EXPORTER_LABEL_SZ 28
|
---|
| 490 | /* The early exporter label. */
|
---|
| 491 | static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
|
---|
| 492 | "early exporter master secret";
|
---|
| 493 | #else
|
---|
| 494 | /* The length of the early exporter label. */
|
---|
| 495 | #define EARLY_EXPORTER_LABEL_SZ 12
|
---|
| 496 | /* The early exporter label. */
|
---|
| 497 | static const byte earlyExporterLabel[EARLY_EXPORTER_LABEL_SZ + 1] =
|
---|
| 498 | "e exp master";
|
---|
| 499 | #endif
|
---|
| 500 | /* Derive the early exporter key.
|
---|
| 501 | *
|
---|
| 502 | * ssl The SSL/TLS object.
|
---|
| 503 | * key The derived key.
|
---|
| 504 | * returns 0 on success, otherwise failure.
|
---|
| 505 | */
|
---|
| 506 | static int DeriveEarlyExporterSecret(WOLFSSL* ssl, byte* key)
|
---|
| 507 | {
|
---|
| 508 | WOLFSSL_MSG("Derive Early Exporter Secret");
|
---|
| 509 | return DeriveKey(ssl, key, -1, ssl->arrays->secret,
|
---|
| 510 | earlyExporterLabel, EARLY_EXPORTER_LABEL_SZ,
|
---|
| 511 | ssl->specs.mac_algorithm, 1);
|
---|
| 512 | }
|
---|
| 513 | #endif
|
---|
| 514 | #endif
|
---|
| 515 |
|
---|
| 516 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 517 | /* The length of the client hanshake label. */
|
---|
| 518 | #define CLIENT_HANDSHAKE_LABEL_SZ 31
|
---|
| 519 | /* The client hanshake label. */
|
---|
| 520 | static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
|
---|
| 521 | "client handshake traffic secret";
|
---|
| 522 | #else
|
---|
| 523 | /* The length of the client hanshake label. */
|
---|
| 524 | #define CLIENT_HANDSHAKE_LABEL_SZ 12
|
---|
| 525 | /* The client hanshake label. */
|
---|
| 526 | static const byte clientHandshakeLabel[CLIENT_HANDSHAKE_LABEL_SZ + 1] =
|
---|
| 527 | "c hs traffic";
|
---|
| 528 | #endif
|
---|
| 529 | /* Derive the client handshake key.
|
---|
| 530 | *
|
---|
| 531 | * ssl The SSL/TLS object.
|
---|
| 532 | * key The derived key.
|
---|
| 533 | * returns 0 on success, otherwise failure.
|
---|
| 534 | */
|
---|
| 535 | static int DeriveClientHandshakeSecret(WOLFSSL* ssl, byte* key)
|
---|
| 536 | {
|
---|
| 537 | WOLFSSL_MSG("Derive Client Handshake Secret");
|
---|
| 538 | return DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
|
---|
| 539 | clientHandshakeLabel, CLIENT_HANDSHAKE_LABEL_SZ,
|
---|
| 540 | ssl->specs.mac_algorithm, 1);
|
---|
| 541 | }
|
---|
| 542 |
|
---|
| 543 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 544 | /* The length of the server handshake label. */
|
---|
| 545 | #define SERVER_HANDSHAKE_LABEL_SZ 31
|
---|
| 546 | /* The server handshake label. */
|
---|
| 547 | static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
|
---|
| 548 | "server handshake traffic secret";
|
---|
| 549 | #else
|
---|
| 550 | /* The length of the server handshake label. */
|
---|
| 551 | #define SERVER_HANDSHAKE_LABEL_SZ 12
|
---|
| 552 | /* The server handshake label. */
|
---|
| 553 | static const byte serverHandshakeLabel[SERVER_HANDSHAKE_LABEL_SZ + 1] =
|
---|
| 554 | "s hs traffic";
|
---|
| 555 | #endif
|
---|
| 556 | /* Derive the server handshake key.
|
---|
| 557 | *
|
---|
| 558 | * ssl The SSL/TLS object.
|
---|
| 559 | * key The derived key.
|
---|
| 560 | * returns 0 on success, otherwise failure.
|
---|
| 561 | */
|
---|
| 562 | static int DeriveServerHandshakeSecret(WOLFSSL* ssl, byte* key)
|
---|
| 563 | {
|
---|
| 564 | WOLFSSL_MSG("Derive Server Handshake Secret");
|
---|
| 565 | return DeriveKey(ssl, key, -1, ssl->arrays->preMasterSecret,
|
---|
| 566 | serverHandshakeLabel, SERVER_HANDSHAKE_LABEL_SZ,
|
---|
| 567 | ssl->specs.mac_algorithm, 1);
|
---|
| 568 | }
|
---|
| 569 |
|
---|
| 570 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 571 | /* The length of the client application traffic label. */
|
---|
| 572 | #define CLIENT_APP_LABEL_SZ 33
|
---|
| 573 | /* The client application traffic label. */
|
---|
| 574 | static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
|
---|
| 575 | "client application traffic secret";
|
---|
| 576 | #else
|
---|
| 577 | /* The length of the client application traffic label. */
|
---|
| 578 | #define CLIENT_APP_LABEL_SZ 12
|
---|
| 579 | /* The client application traffic label. */
|
---|
| 580 | static const byte clientAppLabel[CLIENT_APP_LABEL_SZ + 1] =
|
---|
| 581 | "c ap traffic";
|
---|
| 582 | #endif
|
---|
| 583 | /* Derive the client application traffic key.
|
---|
| 584 | *
|
---|
| 585 | * ssl The SSL/TLS object.
|
---|
| 586 | * key The derived key.
|
---|
| 587 | * returns 0 on success, otherwise failure.
|
---|
| 588 | */
|
---|
| 589 | static int DeriveClientTrafficSecret(WOLFSSL* ssl, byte* key)
|
---|
| 590 | {
|
---|
| 591 | WOLFSSL_MSG("Derive Client Traffic Secret");
|
---|
| 592 | return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
|
---|
| 593 | clientAppLabel, CLIENT_APP_LABEL_SZ,
|
---|
| 594 | ssl->specs.mac_algorithm, 1);
|
---|
| 595 | }
|
---|
| 596 |
|
---|
| 597 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 598 | /* The length of the server application traffic label. */
|
---|
| 599 | #define SERVER_APP_LABEL_SZ 33
|
---|
| 600 | /* The server application traffic label. */
|
---|
| 601 | static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
|
---|
| 602 | "server application traffic secret";
|
---|
| 603 | #else
|
---|
| 604 | /* The length of the server application traffic label. */
|
---|
| 605 | #define SERVER_APP_LABEL_SZ 12
|
---|
| 606 | /* The server application traffic label. */
|
---|
| 607 | static const byte serverAppLabel[SERVER_APP_LABEL_SZ + 1] =
|
---|
| 608 | "s ap traffic";
|
---|
| 609 | #endif
|
---|
| 610 | /* Derive the server application traffic key.
|
---|
| 611 | *
|
---|
| 612 | * ssl The SSL/TLS object.
|
---|
| 613 | * key The derived key.
|
---|
| 614 | * returns 0 on success, otherwise failure.
|
---|
| 615 | */
|
---|
| 616 | static int DeriveServerTrafficSecret(WOLFSSL* ssl, byte* key)
|
---|
| 617 | {
|
---|
| 618 | WOLFSSL_MSG("Derive Server Traffic Secret");
|
---|
| 619 | return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
|
---|
| 620 | serverAppLabel, SERVER_APP_LABEL_SZ,
|
---|
| 621 | ssl->specs.mac_algorithm, 1);
|
---|
| 622 | }
|
---|
| 623 |
|
---|
| 624 | #ifdef TLS13_SUPPORTS_EXPORTERS
|
---|
| 625 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 626 | /* The length of the exporter master secret label. */
|
---|
| 627 | #define EXPORTER_MASTER_LABEL_SZ 22
|
---|
| 628 | /* The exporter master secret label. */
|
---|
| 629 | static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
|
---|
| 630 | "exporter master secret";
|
---|
| 631 | #else
|
---|
| 632 | /* The length of the exporter master secret label. */
|
---|
| 633 | #define EXPORTER_MASTER_LABEL_SZ 10
|
---|
| 634 | /* The exporter master secret label. */
|
---|
| 635 | static const byte exporterMasterLabel[EXPORTER_MASTER_LABEL_SZ + 1] =
|
---|
| 636 | "exp master";
|
---|
| 637 | #endif
|
---|
| 638 | /* Derive the exporter secret.
|
---|
| 639 | *
|
---|
| 640 | * ssl The SSL/TLS object.
|
---|
| 641 | * key The derived key.
|
---|
| 642 | * returns 0 on success, otherwise failure.
|
---|
| 643 | */
|
---|
| 644 | static int DeriveExporterSecret(WOLFSSL* ssl, byte* key)
|
---|
| 645 | {
|
---|
| 646 | WOLFSSL_MSG("Derive Exporter Secret");
|
---|
| 647 | return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
|
---|
| 648 | exporterMasterLabel, EXPORTER_MASTER_LABEL_SZ,
|
---|
| 649 | ssl->specs.mac_algorithm, 1);
|
---|
| 650 | }
|
---|
| 651 | #endif
|
---|
| 652 |
|
---|
| 653 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 654 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 655 | /* The length of the resumption master secret label. */
|
---|
| 656 | #define RESUME_MASTER_LABEL_SZ 24
|
---|
| 657 | /* The resumption master secret label. */
|
---|
| 658 | static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
|
---|
| 659 | "resumption master secret";
|
---|
| 660 | #else
|
---|
| 661 | /* The length of the resumption master secret label. */
|
---|
| 662 | #define RESUME_MASTER_LABEL_SZ 10
|
---|
| 663 | /* The resumption master secret label. */
|
---|
| 664 | static const byte resumeMasterLabel[RESUME_MASTER_LABEL_SZ + 1] =
|
---|
| 665 | "res master";
|
---|
| 666 | #endif
|
---|
| 667 | /* Derive the resumption secret.
|
---|
| 668 | *
|
---|
| 669 | * ssl The SSL/TLS object.
|
---|
| 670 | * key The derived key.
|
---|
| 671 | * returns 0 on success, otherwise failure.
|
---|
| 672 | */
|
---|
| 673 | static int DeriveResumptionSecret(WOLFSSL* ssl, byte* key)
|
---|
| 674 | {
|
---|
| 675 | WOLFSSL_MSG("Derive Resumption Secret");
|
---|
| 676 | return DeriveKey(ssl, key, -1, ssl->arrays->masterSecret,
|
---|
| 677 | resumeMasterLabel, RESUME_MASTER_LABEL_SZ,
|
---|
| 678 | ssl->specs.mac_algorithm, 1);
|
---|
| 679 | }
|
---|
| 680 | #endif
|
---|
| 681 |
|
---|
| 682 | /* Length of the finished label. */
|
---|
| 683 | #define FINISHED_LABEL_SZ 8
|
---|
| 684 | /* Finished label for generating finished key. */
|
---|
| 685 | static const byte finishedLabel[FINISHED_LABEL_SZ+1] = "finished";
|
---|
| 686 | /* Derive the finished secret.
|
---|
| 687 | *
|
---|
| 688 | * ssl The SSL/TLS object.
|
---|
| 689 | * key The key to use with the HMAC.
|
---|
| 690 | * secret The derived secret.
|
---|
| 691 | * returns 0 on success, otherwise failure.
|
---|
| 692 | */
|
---|
| 693 | static int DeriveFinishedSecret(WOLFSSL* ssl, byte* key, byte* secret)
|
---|
| 694 | {
|
---|
| 695 | WOLFSSL_MSG("Derive Finished Secret");
|
---|
| 696 | return DeriveKey(ssl, secret, -1, key, finishedLabel, FINISHED_LABEL_SZ,
|
---|
| 697 | ssl->specs.mac_algorithm, 0);
|
---|
| 698 | }
|
---|
| 699 |
|
---|
| 700 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 701 | /* The length of the application traffic label. */
|
---|
| 702 | #define APP_TRAFFIC_LABEL_SZ 26
|
---|
| 703 | /* The application traffic label. */
|
---|
| 704 | static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
|
---|
| 705 | "application traffic secret";
|
---|
| 706 | #else
|
---|
| 707 | /* The length of the application traffic label. */
|
---|
| 708 | #define APP_TRAFFIC_LABEL_SZ 11
|
---|
| 709 | /* The application traffic label. */
|
---|
| 710 | static const byte appTrafficLabel[APP_TRAFFIC_LABEL_SZ + 1] =
|
---|
| 711 | "traffic upd";
|
---|
| 712 | #endif
|
---|
| 713 | /* Update the traffic secret.
|
---|
| 714 | *
|
---|
| 715 | * ssl The SSL/TLS object.
|
---|
| 716 | * secret The previous secret and derived secret.
|
---|
| 717 | * returns 0 on success, otherwise failure.
|
---|
| 718 | */
|
---|
| 719 | static int DeriveTrafficSecret(WOLFSSL* ssl, byte* secret)
|
---|
| 720 | {
|
---|
| 721 | WOLFSSL_MSG("Derive New Application Traffic Secret");
|
---|
| 722 | return DeriveKey(ssl, secret, -1, secret,
|
---|
| 723 | appTrafficLabel, APP_TRAFFIC_LABEL_SZ,
|
---|
| 724 | ssl->specs.mac_algorithm, 0);
|
---|
| 725 | }
|
---|
| 726 |
|
---|
| 727 | /* Derive the early secret using HKDF Extract.
|
---|
| 728 | *
|
---|
| 729 | * ssl The SSL/TLS object.
|
---|
| 730 | */
|
---|
| 731 | static int DeriveEarlySecret(WOLFSSL* ssl)
|
---|
| 732 | {
|
---|
| 733 | WOLFSSL_MSG("Derive Early Secret");
|
---|
| 734 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 735 | return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
|
---|
| 736 | ssl->arrays->psk_key, ssl->arrays->psk_keySz,
|
---|
| 737 | ssl->specs.mac_algorithm);
|
---|
| 738 | #else
|
---|
| 739 | return Tls13_HKDF_Extract(ssl->arrays->secret, NULL, 0,
|
---|
| 740 | ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
|
---|
| 741 | #endif
|
---|
| 742 | }
|
---|
| 743 |
|
---|
| 744 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
| 745 | /* The length of the derived label. */
|
---|
| 746 | #define DERIVED_LABEL_SZ 7
|
---|
| 747 | /* The derived label. */
|
---|
| 748 | static const byte derivedLabel[DERIVED_LABEL_SZ + 1] =
|
---|
| 749 | "derived";
|
---|
| 750 | #endif
|
---|
| 751 | /* Derive the handshake secret using HKDF Extract.
|
---|
| 752 | *
|
---|
| 753 | * ssl The SSL/TLS object.
|
---|
| 754 | */
|
---|
| 755 | static int DeriveHandshakeSecret(WOLFSSL* ssl)
|
---|
| 756 | {
|
---|
| 757 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 758 | WOLFSSL_MSG("Derive Handshake Secret");
|
---|
| 759 | return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
|
---|
| 760 | ssl->arrays->secret, ssl->specs.hash_size,
|
---|
| 761 | ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
|
---|
| 762 | ssl->specs.mac_algorithm);
|
---|
| 763 | #else
|
---|
| 764 | byte key[WC_MAX_DIGEST_SIZE];
|
---|
| 765 | int ret;
|
---|
| 766 |
|
---|
| 767 | WOLFSSL_MSG("Derive Handshake Secret");
|
---|
| 768 |
|
---|
| 769 | ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->secret,
|
---|
| 770 | derivedLabel, DERIVED_LABEL_SZ,
|
---|
| 771 | NULL, 0, ssl->specs.mac_algorithm);
|
---|
| 772 | if (ret != 0)
|
---|
| 773 | return ret;
|
---|
| 774 |
|
---|
| 775 | return Tls13_HKDF_Extract(ssl->arrays->preMasterSecret,
|
---|
| 776 | key, ssl->specs.hash_size,
|
---|
| 777 | ssl->arrays->preMasterSecret, ssl->arrays->preMasterSz,
|
---|
| 778 | ssl->specs.mac_algorithm);
|
---|
| 779 | #endif
|
---|
| 780 | }
|
---|
| 781 |
|
---|
| 782 | /* Derive the master secret using HKDF Extract.
|
---|
| 783 | *
|
---|
| 784 | * ssl The SSL/TLS object.
|
---|
| 785 | */
|
---|
| 786 | static int DeriveMasterSecret(WOLFSSL* ssl)
|
---|
| 787 | {
|
---|
| 788 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 789 | WOLFSSL_MSG("Derive Master Secret");
|
---|
| 790 | return Tls13_HKDF_Extract(ssl->arrays->masterSecret,
|
---|
| 791 | ssl->arrays->preMasterSecret, ssl->specs.hash_size,
|
---|
| 792 | ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
|
---|
| 793 | #else
|
---|
| 794 | byte key[WC_MAX_DIGEST_SIZE];
|
---|
| 795 | int ret;
|
---|
| 796 |
|
---|
| 797 | WOLFSSL_MSG("Derive Master Secret");
|
---|
| 798 |
|
---|
| 799 | ret = DeriveKeyMsg(ssl, key, -1, ssl->arrays->preMasterSecret,
|
---|
| 800 | derivedLabel, DERIVED_LABEL_SZ,
|
---|
| 801 | NULL, 0, ssl->specs.mac_algorithm);
|
---|
| 802 | if (ret != 0)
|
---|
| 803 | return ret;
|
---|
| 804 |
|
---|
| 805 | return Tls13_HKDF_Extract(ssl->arrays->masterSecret,
|
---|
| 806 | key, ssl->specs.hash_size,
|
---|
| 807 | ssl->arrays->masterSecret, 0, ssl->specs.mac_algorithm);
|
---|
| 808 | #endif
|
---|
| 809 | }
|
---|
| 810 |
|
---|
| 811 | /* Calculate the HMAC of message data to this point.
|
---|
| 812 | *
|
---|
| 813 | * ssl The SSL/TLS object.
|
---|
| 814 | * key The HMAC key.
|
---|
| 815 | * hash The hash result - verify data.
|
---|
| 816 | * returns length of verify data generated.
|
---|
| 817 | */
|
---|
| 818 | static int BuildTls13HandshakeHmac(WOLFSSL* ssl, byte* key, byte* hash,
|
---|
| 819 | word32* pHashSz)
|
---|
| 820 | {
|
---|
| 821 | Hmac verifyHmac;
|
---|
| 822 | int hashType = WC_SHA256;
|
---|
| 823 | int hashSz = WC_SHA256_DIGEST_SIZE;
|
---|
| 824 | int ret = BAD_FUNC_ARG;
|
---|
| 825 |
|
---|
| 826 | /* Get the hash of the previous handshake messages. */
|
---|
| 827 | switch (ssl->specs.mac_algorithm) {
|
---|
| 828 | #ifndef NO_SHA256
|
---|
| 829 | case sha256_mac:
|
---|
| 830 | hashType = WC_SHA256;
|
---|
| 831 | hashSz = WC_SHA256_DIGEST_SIZE;
|
---|
| 832 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
|
---|
| 833 | break;
|
---|
| 834 | #endif /* !NO_SHA256 */
|
---|
| 835 | #ifdef WOLFSSL_SHA384
|
---|
| 836 | case sha384_mac:
|
---|
| 837 | hashType = WC_SHA384;
|
---|
| 838 | hashSz = WC_SHA384_DIGEST_SIZE;
|
---|
| 839 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
|
---|
| 840 | break;
|
---|
| 841 | #endif /* WOLFSSL_SHA384 */
|
---|
| 842 | #ifdef WOLFSSL_TLS13_SHA512
|
---|
| 843 | case sha512_mac:
|
---|
| 844 | hashType = WC_SHA512;
|
---|
| 845 | hashSz = WC_SHA512_DIGEST_SIZE;
|
---|
| 846 | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
|
---|
| 847 | break;
|
---|
| 848 | #endif /* WOLFSSL_TLS13_SHA512 */
|
---|
| 849 | }
|
---|
| 850 | if (ret != 0)
|
---|
| 851 | return ret;
|
---|
| 852 |
|
---|
| 853 | /* Calculate the verify data. */
|
---|
| 854 | ret = wc_HmacInit(&verifyHmac, ssl->heap, ssl->devId);
|
---|
| 855 | if (ret == 0) {
|
---|
| 856 | ret = wc_HmacSetKey(&verifyHmac, hashType, key, ssl->specs.hash_size);
|
---|
| 857 | if (ret == 0)
|
---|
| 858 | ret = wc_HmacUpdate(&verifyHmac, hash, hashSz);
|
---|
| 859 | if (ret == 0)
|
---|
| 860 | ret = wc_HmacFinal(&verifyHmac, hash);
|
---|
| 861 | wc_HmacFree(&verifyHmac);
|
---|
| 862 | }
|
---|
| 863 |
|
---|
| 864 | if (pHashSz)
|
---|
| 865 | *pHashSz = hashSz;
|
---|
| 866 |
|
---|
| 867 | return ret;
|
---|
| 868 | }
|
---|
| 869 |
|
---|
| 870 | /* The length of the label to use when deriving keys. */
|
---|
| 871 | #define WRITE_KEY_LABEL_SZ 3
|
---|
| 872 | /* The length of the label to use when deriving IVs. */
|
---|
| 873 | #define WRITE_IV_LABEL_SZ 2
|
---|
| 874 | /* The label to use when deriving keys. */
|
---|
| 875 | static const byte writeKeyLabel[WRITE_KEY_LABEL_SZ+1] = "key";
|
---|
| 876 | /* The label to use when deriving IVs. */
|
---|
| 877 | static const byte writeIVLabel[WRITE_IV_LABEL_SZ+1] = "iv";
|
---|
| 878 |
|
---|
| 879 | /* Derive the keys and IVs for TLS v1.3.
|
---|
| 880 | *
|
---|
| 881 | * ssl The SSL/TLS object.
|
---|
| 882 | * sercret early_data_key when deriving the key and IV for encrypting early
|
---|
| 883 | * data application data and end_of_early_data messages.
|
---|
| 884 | * handshake_key when deriving keys and IVs for encrypting handshake
|
---|
| 885 | * messages.
|
---|
| 886 | * traffic_key when deriving first keys and IVs for encrypting
|
---|
| 887 | * traffic messages.
|
---|
| 888 | * update_traffic_key when deriving next keys and IVs for encrypting
|
---|
| 889 | * traffic messages.
|
---|
| 890 | * side ENCRYPT_SIDE_ONLY when only encryption secret needs to be derived.
|
---|
| 891 | * DECRYPT_SIDE_ONLY when only decryption secret needs to be derived.
|
---|
| 892 | * ENCRYPT_AND_DECRYPT_SIDE when both secret needs to be derived.
|
---|
| 893 | * store 1 indicates to derive the keys and IVs from derived secret and
|
---|
| 894 | * store ready for provisioning.
|
---|
| 895 | * returns 0 on success, otherwise failure.
|
---|
| 896 | */
|
---|
| 897 | static int DeriveTls13Keys(WOLFSSL* ssl, int secret, int side, int store)
|
---|
| 898 | {
|
---|
| 899 | int ret;
|
---|
| 900 | int i = 0;
|
---|
| 901 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 902 | byte* key_dig;
|
---|
| 903 | #else
|
---|
| 904 | byte key_dig[MAX_PRF_DIG];
|
---|
| 905 | #endif
|
---|
| 906 | int provision;
|
---|
| 907 |
|
---|
| 908 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 909 | key_dig = (byte*)XMALLOC(MAX_PRF_DIG, ssl->heap, DYNAMIC_TYPE_DIGEST);
|
---|
| 910 | if (key_dig == NULL)
|
---|
| 911 | return MEMORY_E;
|
---|
| 912 | #endif
|
---|
| 913 |
|
---|
| 914 | if (side == ENCRYPT_AND_DECRYPT_SIDE) {
|
---|
| 915 | provision = PROVISION_CLIENT_SERVER;
|
---|
| 916 | }
|
---|
| 917 | else {
|
---|
| 918 | provision = ((ssl->options.side != WOLFSSL_CLIENT_END) ^
|
---|
| 919 | (side == ENCRYPT_SIDE_ONLY)) ? PROVISION_CLIENT :
|
---|
| 920 | PROVISION_SERVER;
|
---|
| 921 | }
|
---|
| 922 |
|
---|
| 923 | /* Derive the appropriate secret to use in the HKDF. */
|
---|
| 924 | switch (secret) {
|
---|
| 925 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 926 | case early_data_key:
|
---|
| 927 | ret = DeriveEarlyTrafficSecret(ssl, ssl->arrays->clientSecret);
|
---|
| 928 | if (ret != 0)
|
---|
| 929 | goto end;
|
---|
| 930 | break;
|
---|
| 931 | #endif
|
---|
| 932 |
|
---|
| 933 | case handshake_key:
|
---|
| 934 | if (provision & PROVISION_CLIENT) {
|
---|
| 935 | ret = DeriveClientHandshakeSecret(ssl,
|
---|
| 936 | ssl->arrays->clientSecret);
|
---|
| 937 | if (ret != 0)
|
---|
| 938 | goto end;
|
---|
| 939 | }
|
---|
| 940 | if (provision & PROVISION_SERVER) {
|
---|
| 941 | ret = DeriveServerHandshakeSecret(ssl,
|
---|
| 942 | ssl->arrays->serverSecret);
|
---|
| 943 | if (ret != 0)
|
---|
| 944 | goto end;
|
---|
| 945 | }
|
---|
| 946 | break;
|
---|
| 947 |
|
---|
| 948 | case traffic_key:
|
---|
| 949 | if (provision & PROVISION_CLIENT) {
|
---|
| 950 | ret = DeriveClientTrafficSecret(ssl, ssl->arrays->clientSecret);
|
---|
| 951 | if (ret != 0)
|
---|
| 952 | goto end;
|
---|
| 953 | }
|
---|
| 954 | if (provision & PROVISION_SERVER) {
|
---|
| 955 | ret = DeriveServerTrafficSecret(ssl, ssl->arrays->serverSecret);
|
---|
| 956 | if (ret != 0)
|
---|
| 957 | goto end;
|
---|
| 958 | }
|
---|
| 959 | break;
|
---|
| 960 |
|
---|
| 961 | case update_traffic_key:
|
---|
| 962 | if (provision & PROVISION_CLIENT) {
|
---|
| 963 | ret = DeriveTrafficSecret(ssl, ssl->arrays->clientSecret);
|
---|
| 964 | if (ret != 0)
|
---|
| 965 | goto end;
|
---|
| 966 | }
|
---|
| 967 | if (provision & PROVISION_SERVER) {
|
---|
| 968 | ret = DeriveTrafficSecret(ssl, ssl->arrays->serverSecret);
|
---|
| 969 | if (ret != 0)
|
---|
| 970 | goto end;
|
---|
| 971 | }
|
---|
| 972 | break;
|
---|
| 973 | }
|
---|
| 974 |
|
---|
| 975 | if (!store)
|
---|
| 976 | goto end;
|
---|
| 977 |
|
---|
| 978 | /* Key data = client key | server key | client IV | server IV */
|
---|
| 979 |
|
---|
| 980 | if (provision & PROVISION_CLIENT) {
|
---|
| 981 | /* Derive the client key. */
|
---|
| 982 | WOLFSSL_MSG("Derive Client Key");
|
---|
| 983 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
|
---|
| 984 | ssl->arrays->clientSecret, writeKeyLabel,
|
---|
| 985 | WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
|
---|
| 986 | if (ret != 0)
|
---|
| 987 | goto end;
|
---|
| 988 | i += ssl->specs.key_size;
|
---|
| 989 | }
|
---|
| 990 |
|
---|
| 991 | if (provision & PROVISION_SERVER) {
|
---|
| 992 | /* Derive the server key. */
|
---|
| 993 | WOLFSSL_MSG("Derive Server Key");
|
---|
| 994 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.key_size,
|
---|
| 995 | ssl->arrays->serverSecret, writeKeyLabel,
|
---|
| 996 | WRITE_KEY_LABEL_SZ, ssl->specs.mac_algorithm, 0);
|
---|
| 997 | if (ret != 0)
|
---|
| 998 | goto end;
|
---|
| 999 | i += ssl->specs.key_size;
|
---|
| 1000 | }
|
---|
| 1001 |
|
---|
| 1002 | if (provision & PROVISION_CLIENT) {
|
---|
| 1003 | /* Derive the client IV. */
|
---|
| 1004 | WOLFSSL_MSG("Derive Client IV");
|
---|
| 1005 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
|
---|
| 1006 | ssl->arrays->clientSecret, writeIVLabel,
|
---|
| 1007 | WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
|
---|
| 1008 | if (ret != 0)
|
---|
| 1009 | goto end;
|
---|
| 1010 | i += ssl->specs.iv_size;
|
---|
| 1011 | }
|
---|
| 1012 |
|
---|
| 1013 | if (provision & PROVISION_SERVER) {
|
---|
| 1014 | /* Derive the server IV. */
|
---|
| 1015 | WOLFSSL_MSG("Derive Server IV");
|
---|
| 1016 | ret = DeriveKey(ssl, &key_dig[i], ssl->specs.iv_size,
|
---|
| 1017 | ssl->arrays->serverSecret, writeIVLabel,
|
---|
| 1018 | WRITE_IV_LABEL_SZ, ssl->specs.mac_algorithm, 0);
|
---|
| 1019 | if (ret != 0)
|
---|
| 1020 | goto end;
|
---|
| 1021 | }
|
---|
| 1022 |
|
---|
| 1023 | /* Store keys and IVs but don't activate them. */
|
---|
| 1024 | ret = StoreKeys(ssl, key_dig, provision);
|
---|
| 1025 |
|
---|
| 1026 | end:
|
---|
| 1027 | #ifdef WOLFSSL_SMALL_STACK
|
---|
| 1028 | XFREE(key_dig, ssl->heap, DYNAMIC_TYPE_DIGEST);
|
---|
| 1029 | #endif
|
---|
| 1030 |
|
---|
| 1031 | return ret;
|
---|
| 1032 | }
|
---|
| 1033 |
|
---|
| 1034 | #ifdef HAVE_SESSION_TICKET
|
---|
| 1035 | #if defined(USER_TICKS)
|
---|
| 1036 | #if 0
|
---|
| 1037 | word32 TimeNowInMilliseconds(void)
|
---|
| 1038 | {
|
---|
| 1039 | /*
|
---|
| 1040 | write your own clock tick function if don't want gettimeofday()
|
---|
| 1041 | needs millisecond accuracy but doesn't have to correlated to EPOCH
|
---|
| 1042 | */
|
---|
| 1043 | }
|
---|
| 1044 | #endif
|
---|
| 1045 |
|
---|
| 1046 | #elif defined(TIME_OVERRIDES)
|
---|
| 1047 | #ifndef HAVE_TIME_T_TYPE
|
---|
| 1048 | typedef long time_t;
|
---|
| 1049 | #endif
|
---|
| 1050 | extern time_t XTIME(time_t * timer);
|
---|
| 1051 |
|
---|
| 1052 | /* The time in milliseconds.
|
---|
| 1053 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1054 | * sending.
|
---|
| 1055 | *
|
---|
| 1056 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1057 | */
|
---|
| 1058 | word32 TimeNowInMilliseconds(void)
|
---|
| 1059 | {
|
---|
| 1060 | return (word32) XTIME(0) * 1000;
|
---|
| 1061 | }
|
---|
| 1062 | #elif defined(USE_WINDOWS_API)
|
---|
| 1063 | /* The time in milliseconds.
|
---|
| 1064 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1065 | * sending.
|
---|
| 1066 | *
|
---|
| 1067 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1068 | */
|
---|
| 1069 | word32 TimeNowInMilliseconds(void)
|
---|
| 1070 | {
|
---|
| 1071 | static int init = 0;
|
---|
| 1072 | static LARGE_INTEGER freq;
|
---|
| 1073 | LARGE_INTEGER count;
|
---|
| 1074 |
|
---|
| 1075 | if (!init) {
|
---|
| 1076 | QueryPerformanceFrequency(&freq);
|
---|
| 1077 | init = 1;
|
---|
| 1078 | }
|
---|
| 1079 |
|
---|
| 1080 | QueryPerformanceCounter(&count);
|
---|
| 1081 |
|
---|
| 1082 | return (word32)(count.QuadPart / (freq.QuadPart / 1000));
|
---|
| 1083 | }
|
---|
| 1084 |
|
---|
| 1085 | #elif defined(HAVE_RTP_SYS)
|
---|
| 1086 | #include "rtptime.h"
|
---|
| 1087 |
|
---|
| 1088 | /* The time in milliseconds.
|
---|
| 1089 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1090 | * sending.
|
---|
| 1091 | *
|
---|
| 1092 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1093 | */
|
---|
| 1094 | word32 TimeNowInMilliseconds(void)
|
---|
| 1095 | {
|
---|
| 1096 | return (word32)rtp_get_system_sec() * 1000;
|
---|
| 1097 | }
|
---|
| 1098 | #elif defined(MICRIUM)
|
---|
| 1099 | /* The time in milliseconds.
|
---|
| 1100 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1101 | * sending.
|
---|
| 1102 | *
|
---|
| 1103 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1104 | */
|
---|
| 1105 | word32 TimeNowInMilliseconds(void)
|
---|
| 1106 | {
|
---|
| 1107 | OS_TICK ticks = 0;
|
---|
| 1108 | OS_ERR err;
|
---|
| 1109 |
|
---|
| 1110 | ticks = OSTimeGet(&err);
|
---|
| 1111 |
|
---|
| 1112 | return (word32) (ticks / OSCfg_TickRate_Hz) * 1000;
|
---|
| 1113 | }
|
---|
| 1114 | #elif defined(MICROCHIP_TCPIP_V5)
|
---|
| 1115 | /* The time in milliseconds.
|
---|
| 1116 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1117 | * sending.
|
---|
| 1118 | *
|
---|
| 1119 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1120 | */
|
---|
| 1121 | word32 TimeNowInMilliseconds(void)
|
---|
| 1122 | {
|
---|
| 1123 | return (word32) (TickGet() / (TICKS_PER_SECOND / 1000));
|
---|
| 1124 | }
|
---|
| 1125 | #elif defined(MICROCHIP_TCPIP)
|
---|
| 1126 | #if defined(MICROCHIP_MPLAB_HARMONY)
|
---|
| 1127 | #include <system/tmr/sys_tmr.h>
|
---|
| 1128 |
|
---|
| 1129 | /* The time in milliseconds.
|
---|
| 1130 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1131 | * sending.
|
---|
| 1132 | *
|
---|
| 1133 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1134 | */
|
---|
| 1135 | word32 TimeNowInMilliseconds(void)
|
---|
| 1136 | {
|
---|
| 1137 | return (word32)(SYS_TMR_TickCountGet() /
|
---|
| 1138 | (SYS_TMR_TickCounterFrequencyGet() / 1000));
|
---|
| 1139 | }
|
---|
| 1140 | #else
|
---|
| 1141 | /* The time in milliseconds.
|
---|
| 1142 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1143 | * sending.
|
---|
| 1144 | *
|
---|
| 1145 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1146 | */
|
---|
| 1147 | word32 TimeNowInMilliseconds(void)
|
---|
| 1148 | {
|
---|
| 1149 | return (word32)(SYS_TICK_Get() / (SYS_TICK_TicksPerSecondGet() / 1000));
|
---|
| 1150 | }
|
---|
| 1151 |
|
---|
| 1152 | #endif
|
---|
| 1153 |
|
---|
| 1154 | #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX)
|
---|
| 1155 | /* The time in milliseconds.
|
---|
| 1156 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1157 | * sending.
|
---|
| 1158 | *
|
---|
| 1159 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1160 | */
|
---|
| 1161 | word32 TimeNowInMilliseconds(void)
|
---|
| 1162 | {
|
---|
| 1163 | TIME_STRUCT mqxTime;
|
---|
| 1164 |
|
---|
| 1165 | _time_get_elapsed(&mqxTime);
|
---|
| 1166 |
|
---|
| 1167 | return (word32) mqxTime.SECONDS * 1000;
|
---|
| 1168 | }
|
---|
| 1169 | #elif defined(FREESCALE_FREE_RTOS) || defined(FREESCALE_KSDK_FREERTOS)
|
---|
| 1170 | #include "include/task.h"
|
---|
| 1171 |
|
---|
| 1172 | /* The time in milliseconds.
|
---|
| 1173 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1174 | * sending.
|
---|
| 1175 | *
|
---|
| 1176 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1177 | */
|
---|
| 1178 | word32 TimeNowInMilliseconds(void)
|
---|
| 1179 | {
|
---|
| 1180 | return (unsigned int)(((float)xTaskGetTickCount()) /
|
---|
| 1181 | (configTICK_RATE_HZ / 1000));
|
---|
| 1182 | }
|
---|
| 1183 | #elif defined(FREESCALE_KSDK_BM)
|
---|
| 1184 | #include "lwip/sys.h" /* lwIP */
|
---|
| 1185 |
|
---|
| 1186 | /* The time in milliseconds.
|
---|
| 1187 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1188 | * sending.
|
---|
| 1189 | *
|
---|
| 1190 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1191 | */
|
---|
| 1192 | word32 TimeNowInMilliseconds(void)
|
---|
| 1193 | {
|
---|
| 1194 | return sys_now();
|
---|
| 1195 | }
|
---|
| 1196 | #elif defined(WOLFSSL_TIRTOS)
|
---|
| 1197 | /* The time in milliseconds.
|
---|
| 1198 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1199 | * sending.
|
---|
| 1200 | *
|
---|
| 1201 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1202 | */
|
---|
| 1203 | word32 TimeNowInMilliseconds(void)
|
---|
| 1204 | {
|
---|
| 1205 | return (word32) Seconds_get() * 1000;
|
---|
| 1206 | }
|
---|
| 1207 | #elif defined(WOLFSSL_UTASKER)
|
---|
| 1208 | /* The time in milliseconds.
|
---|
| 1209 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1210 | * sending.
|
---|
| 1211 | *
|
---|
| 1212 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1213 | */
|
---|
| 1214 | word32 TimeNowInMilliseconds(void)
|
---|
| 1215 | {
|
---|
| 1216 | return (word32)(uTaskerSystemTick / (TICK_RESOLUTION / 1000));
|
---|
| 1217 | }
|
---|
| 1218 | #else
|
---|
| 1219 | /* The time in milliseconds.
|
---|
| 1220 | * Used for tickets to represent difference between when first seen and when
|
---|
| 1221 | * sending.
|
---|
| 1222 | *
|
---|
| 1223 | * returns the time in milliseconds as a 32-bit value.
|
---|
| 1224 | */
|
---|
| 1225 | word32 TimeNowInMilliseconds(void)
|
---|
| 1226 | {
|
---|
| 1227 | struct timeval now;
|
---|
| 1228 |
|
---|
| 1229 | if (gettimeofday(&now, 0) < 0)
|
---|
| 1230 | return GETTIME_ERROR;
|
---|
| 1231 | /* Convert to milliseconds number. */
|
---|
| 1232 | return (word32)(now.tv_sec * 1000 + now.tv_usec / 1000);
|
---|
| 1233 | }
|
---|
| 1234 | #endif
|
---|
| 1235 | #endif /* HAVE_SESSION_TICKET || !NO_PSK */
|
---|
| 1236 |
|
---|
| 1237 |
|
---|
| 1238 | #if !defined(NO_WOLFSSL_SERVER) && (defined(HAVE_SESSION_TICKET) || \
|
---|
| 1239 | !defined(NO_PSK))
|
---|
| 1240 | /* Add input to all handshake hashes.
|
---|
| 1241 | *
|
---|
| 1242 | * ssl The SSL/TLS object.
|
---|
| 1243 | * input The data to hash.
|
---|
| 1244 | * sz The size of the data to hash.
|
---|
| 1245 | * returns 0 on success, otherwise failure.
|
---|
| 1246 | */
|
---|
| 1247 | static int HashInputRaw(WOLFSSL* ssl, const byte* input, int sz)
|
---|
| 1248 | {
|
---|
| 1249 | int ret = BAD_FUNC_ARG;
|
---|
| 1250 |
|
---|
| 1251 | #ifndef NO_SHA256
|
---|
| 1252 | ret = wc_Sha256Update(&ssl->hsHashes->hashSha256, input, sz);
|
---|
| 1253 | if (ret != 0)
|
---|
| 1254 | return ret;
|
---|
| 1255 | #endif
|
---|
| 1256 | #ifdef WOLFSSL_SHA384
|
---|
| 1257 | ret = wc_Sha384Update(&ssl->hsHashes->hashSha384, input, sz);
|
---|
| 1258 | if (ret != 0)
|
---|
| 1259 | return ret;
|
---|
| 1260 | #endif
|
---|
| 1261 | #ifdef WOLFSSL_TLS13_SHA512
|
---|
| 1262 | ret = wc_Sha512Update(&ssl->hsHashes->hashSha512, input, sz);
|
---|
| 1263 | if (ret != 0)
|
---|
| 1264 | return ret;
|
---|
| 1265 | #endif
|
---|
| 1266 |
|
---|
| 1267 | return ret;
|
---|
| 1268 | }
|
---|
| 1269 | #endif
|
---|
| 1270 |
|
---|
| 1271 | /* Extract the handshake header information.
|
---|
| 1272 | *
|
---|
| 1273 | * ssl The SSL/TLS object.
|
---|
| 1274 | * input The buffer holding the message data.
|
---|
| 1275 | * inOutIdx On entry, the index into the buffer of the handshake data.
|
---|
| 1276 | * On exit, the start of the hanshake data.
|
---|
| 1277 | * type Type of handshake message.
|
---|
| 1278 | * size The length of the handshake message data.
|
---|
| 1279 | * totalSz The total size of data in the buffer.
|
---|
| 1280 | * returns BUFFER_E if there is not enough input data and 0 on success.
|
---|
| 1281 | */
|
---|
| 1282 | static int GetHandshakeHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
---|
| 1283 | byte* type, word32* size, word32 totalSz)
|
---|
| 1284 | {
|
---|
| 1285 | const byte* ptr = input + *inOutIdx;
|
---|
| 1286 | (void)ssl;
|
---|
| 1287 |
|
---|
| 1288 | *inOutIdx += HANDSHAKE_HEADER_SZ;
|
---|
| 1289 | if (*inOutIdx > totalSz)
|
---|
| 1290 | return BUFFER_E;
|
---|
| 1291 |
|
---|
| 1292 | *type = ptr[0];
|
---|
| 1293 | c24to32(&ptr[1], size);
|
---|
| 1294 |
|
---|
| 1295 | return 0;
|
---|
| 1296 | }
|
---|
| 1297 |
|
---|
| 1298 | /* Add record layer header to message.
|
---|
| 1299 | *
|
---|
| 1300 | * output The buffer to write the record layer header into.
|
---|
| 1301 | * length The length of the record data.
|
---|
| 1302 | * type The type of record message.
|
---|
| 1303 | * ssl The SSL/TLS object.
|
---|
| 1304 | */
|
---|
| 1305 | static void AddTls13RecordHeader(byte* output, word32 length, byte type,
|
---|
| 1306 | WOLFSSL* ssl)
|
---|
| 1307 | {
|
---|
| 1308 | RecordLayerHeader* rl;
|
---|
| 1309 |
|
---|
| 1310 | rl = (RecordLayerHeader*)output;
|
---|
| 1311 | rl->type = type;
|
---|
| 1312 | rl->pvMajor = ssl->version.major;
|
---|
| 1313 | rl->pvMinor = TLSv1_MINOR;
|
---|
| 1314 | c16toa((word16)length, rl->length);
|
---|
| 1315 | }
|
---|
| 1316 |
|
---|
| 1317 | /* Add handshake header to message.
|
---|
| 1318 | *
|
---|
| 1319 | * output The buffer to write the hanshake header into.
|
---|
| 1320 | * length The length of the handshake data.
|
---|
| 1321 | * fragOffset The offset of the fragment data. (DTLS)
|
---|
| 1322 | * fragLength The length of the fragment data. (DTLS)
|
---|
| 1323 | * type The type of handshake message.
|
---|
| 1324 | * ssl The SSL/TLS object. (DTLS)
|
---|
| 1325 | */
|
---|
| 1326 | static void AddTls13HandShakeHeader(byte* output, word32 length,
|
---|
| 1327 | word32 fragOffset, word32 fragLength,
|
---|
| 1328 | byte type, WOLFSSL* ssl)
|
---|
| 1329 | {
|
---|
| 1330 | HandShakeHeader* hs;
|
---|
| 1331 | (void)fragOffset;
|
---|
| 1332 | (void)fragLength;
|
---|
| 1333 | (void)ssl;
|
---|
| 1334 |
|
---|
| 1335 | /* handshake header */
|
---|
| 1336 | hs = (HandShakeHeader*)output;
|
---|
| 1337 | hs->type = type;
|
---|
| 1338 | c32to24(length, hs->length);
|
---|
| 1339 | }
|
---|
| 1340 |
|
---|
| 1341 |
|
---|
| 1342 | /* Add both record layer and handshake header to message.
|
---|
| 1343 | *
|
---|
| 1344 | * output The buffer to write the headers into.
|
---|
| 1345 | * length The length of the handshake data.
|
---|
| 1346 | * type The type of record layer message.
|
---|
| 1347 | * ssl The SSL/TLS object. (DTLS)
|
---|
| 1348 | */
|
---|
| 1349 | static void AddTls13Headers(byte* output, word32 length, byte type,
|
---|
| 1350 | WOLFSSL* ssl)
|
---|
| 1351 | {
|
---|
| 1352 | word32 lengthAdj = HANDSHAKE_HEADER_SZ;
|
---|
| 1353 | word32 outputAdj = RECORD_HEADER_SZ;
|
---|
| 1354 |
|
---|
| 1355 | AddTls13RecordHeader(output, length + lengthAdj, handshake, ssl);
|
---|
| 1356 | AddTls13HandShakeHeader(output + outputAdj, length, 0, length, type, ssl);
|
---|
| 1357 | }
|
---|
| 1358 |
|
---|
| 1359 |
|
---|
| 1360 | #ifndef NO_CERTS
|
---|
| 1361 | /* Add both record layer and fragement handshake header to message.
|
---|
| 1362 | *
|
---|
| 1363 | * output The buffer to write the headers into.
|
---|
| 1364 | * fragOffset The offset of the fragment data. (DTLS)
|
---|
| 1365 | * fragLength The length of the fragment data. (DTLS)
|
---|
| 1366 | * length The length of the handshake data.
|
---|
| 1367 | * type The type of record layer message.
|
---|
| 1368 | * ssl The SSL/TLS object. (DTLS)
|
---|
| 1369 | */
|
---|
| 1370 | static void AddTls13FragHeaders(byte* output, word32 fragSz, word32 fragOffset,
|
---|
| 1371 | word32 length, byte type, WOLFSSL* ssl)
|
---|
| 1372 | {
|
---|
| 1373 | word32 lengthAdj = HANDSHAKE_HEADER_SZ;
|
---|
| 1374 | word32 outputAdj = RECORD_HEADER_SZ;
|
---|
| 1375 | (void)fragSz;
|
---|
| 1376 |
|
---|
| 1377 | AddTls13RecordHeader(output, fragSz + lengthAdj, handshake, ssl);
|
---|
| 1378 | AddTls13HandShakeHeader(output + outputAdj, length, fragOffset, fragSz,
|
---|
| 1379 | type, ssl);
|
---|
| 1380 | }
|
---|
| 1381 | #endif /* NO_CERTS */
|
---|
| 1382 |
|
---|
| 1383 | /* Write the sequence number into the buffer.
|
---|
| 1384 | * No DTLS v1.3 support.
|
---|
| 1385 | *
|
---|
| 1386 | * ssl The SSL/TLS object.
|
---|
| 1387 | * verifyOrder Which set of sequence numbers to use.
|
---|
| 1388 | * out The buffer to write into.
|
---|
| 1389 | */
|
---|
| 1390 | static INLINE void WriteSEQ(WOLFSSL* ssl, int verifyOrder, byte* out)
|
---|
| 1391 | {
|
---|
| 1392 | word32 seq[2] = {0, 0};
|
---|
| 1393 |
|
---|
| 1394 | if (verifyOrder) {
|
---|
| 1395 | seq[0] = ssl->keys.peer_sequence_number_hi;
|
---|
| 1396 | seq[1] = ssl->keys.peer_sequence_number_lo++;
|
---|
| 1397 | /* handle rollover */
|
---|
| 1398 | if (seq[1] > ssl->keys.peer_sequence_number_lo)
|
---|
| 1399 | ssl->keys.peer_sequence_number_hi++;
|
---|
| 1400 | }
|
---|
| 1401 | else {
|
---|
| 1402 | seq[0] = ssl->keys.sequence_number_hi;
|
---|
| 1403 | seq[1] = ssl->keys.sequence_number_lo++;
|
---|
| 1404 | /* handle rollover */
|
---|
| 1405 | if (seq[1] > ssl->keys.sequence_number_lo)
|
---|
| 1406 | ssl->keys.sequence_number_hi++;
|
---|
| 1407 | }
|
---|
| 1408 |
|
---|
| 1409 | c32toa(seq[0], out);
|
---|
| 1410 | c32toa(seq[1], out + OPAQUE32_LEN);
|
---|
| 1411 | }
|
---|
| 1412 |
|
---|
| 1413 | /* Build the nonce for TLS v1.3 encryption and decryption.
|
---|
| 1414 | *
|
---|
| 1415 | * ssl The SSL/TLS object.
|
---|
| 1416 | * nonce The nonce data to use when encrypting or decrypting.
|
---|
| 1417 | * iv The derived IV.
|
---|
| 1418 | * order The side on which the message is to be or was sent.
|
---|
| 1419 | */
|
---|
| 1420 | static INLINE void BuildTls13Nonce(WOLFSSL* ssl, byte* nonce, const byte* iv,
|
---|
| 1421 | int order)
|
---|
| 1422 | {
|
---|
| 1423 | int i;
|
---|
| 1424 |
|
---|
| 1425 | /* The nonce is the IV with the sequence XORed into the last bytes. */
|
---|
| 1426 | WriteSEQ(ssl, order, nonce + AEAD_NONCE_SZ - SEQ_SZ);
|
---|
| 1427 | for (i = 0; i < AEAD_NONCE_SZ - SEQ_SZ; i++)
|
---|
| 1428 | nonce[i] = iv[i];
|
---|
| 1429 | for (; i < AEAD_NONCE_SZ; i++)
|
---|
| 1430 | nonce[i] ^= iv[i];
|
---|
| 1431 | }
|
---|
| 1432 |
|
---|
| 1433 | #ifdef HAVE_CHACHA
|
---|
| 1434 | /* Encrypt with ChaCha20 and create authenication tag with Poly1305.
|
---|
| 1435 | *
|
---|
| 1436 | * ssl The SSL/TLS object.
|
---|
| 1437 | * output The buffer to write encrypted data and authentication tag into.
|
---|
| 1438 | * May be the same pointer as input.
|
---|
| 1439 | * input The data to encrypt.
|
---|
| 1440 | * sz The number of bytes to encrypt.
|
---|
| 1441 | * nonce The nonce to use with ChaCha20.
|
---|
| 1442 | * tag The authentication tag buffer.
|
---|
| 1443 | * returns 0 on success, otherwise failure.
|
---|
| 1444 | */
|
---|
| 1445 | static int ChaCha20Poly1305_Encrypt(WOLFSSL* ssl, byte* output,
|
---|
| 1446 | const byte* input, word16 sz, byte* nonce,
|
---|
| 1447 | byte* tag)
|
---|
| 1448 | {
|
---|
| 1449 | int ret = 0;
|
---|
| 1450 | byte poly[CHACHA20_256_KEY_SIZE];
|
---|
| 1451 |
|
---|
| 1452 | /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
|
---|
| 1453 | XMEMSET(poly, 0, sizeof(poly));
|
---|
| 1454 |
|
---|
| 1455 | /* Set the nonce for ChaCha and get Poly1305 key. */
|
---|
| 1456 | ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0);
|
---|
| 1457 | if (ret != 0)
|
---|
| 1458 | return ret;
|
---|
| 1459 | /* Create Poly1305 key using ChaCha20 keystream. */
|
---|
| 1460 | ret = wc_Chacha_Process(ssl->encrypt.chacha, poly, poly, sizeof(poly));
|
---|
| 1461 | if (ret != 0)
|
---|
| 1462 | return ret;
|
---|
| 1463 | /* Encrypt the plain text. */
|
---|
| 1464 | ret = wc_Chacha_Process(ssl->encrypt.chacha, output, input, sz);
|
---|
| 1465 | if (ret != 0) {
|
---|
| 1466 | ForceZero(poly, sizeof(poly));
|
---|
| 1467 | return ret;
|
---|
| 1468 | }
|
---|
| 1469 |
|
---|
| 1470 | /* Set key for Poly1305. */
|
---|
| 1471 | ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
|
---|
| 1472 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
|
---|
| 1473 | if (ret != 0)
|
---|
| 1474 | return ret;
|
---|
| 1475 | /* Add authentication code of encrypted data to end. */
|
---|
| 1476 | ret = wc_Poly1305_MAC(ssl->auth.poly1305, NULL, 0, output, sz, tag,
|
---|
| 1477 | POLY1305_AUTH_SZ);
|
---|
| 1478 |
|
---|
| 1479 | return ret;
|
---|
| 1480 | }
|
---|
| 1481 | #endif
|
---|
| 1482 |
|
---|
| 1483 | /* Encrypt data for TLS v1.3.
|
---|
| 1484 | *
|
---|
| 1485 | * ssl The SSL/TLS object.
|
---|
| 1486 | * output The buffer to write encrypted data and authentication tag into.
|
---|
| 1487 | * May be the same pointer as input.
|
---|
| 1488 | * input The data to encrypt.
|
---|
| 1489 | * sz The number of bytes to encrypt.
|
---|
| 1490 | * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto
|
---|
| 1491 | * returns 0 on success, otherwise failure.
|
---|
| 1492 | */
|
---|
| 1493 | static int EncryptTls13(WOLFSSL* ssl, byte* output, const byte* input,
|
---|
| 1494 | word16 sz, int asyncOkay)
|
---|
| 1495 | {
|
---|
| 1496 | int ret = 0;
|
---|
| 1497 | word16 dataSz = sz - ssl->specs.aead_mac_size;
|
---|
| 1498 | word16 macSz = ssl->specs.aead_mac_size;
|
---|
| 1499 | word32 nonceSz = 0;
|
---|
| 1500 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1501 | WC_ASYNC_DEV* asyncDev = NULL;
|
---|
| 1502 | word32 event_flags = WC_ASYNC_FLAG_CALL_AGAIN;
|
---|
| 1503 | #endif
|
---|
| 1504 |
|
---|
| 1505 | WOLFSSL_ENTER("EncryptTls13");
|
---|
| 1506 |
|
---|
| 1507 | (void)output;
|
---|
| 1508 | (void)input;
|
---|
| 1509 | (void)sz;
|
---|
| 1510 | (void)dataSz;
|
---|
| 1511 | (void)macSz;
|
---|
| 1512 | (void)asyncOkay;
|
---|
| 1513 | (void)nonceSz;
|
---|
| 1514 |
|
---|
| 1515 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1516 | if (ssl->error == WC_PENDING_E) {
|
---|
| 1517 | ssl->error = 0; /* clear async */
|
---|
| 1518 | }
|
---|
| 1519 | #endif
|
---|
| 1520 |
|
---|
| 1521 | switch (ssl->encrypt.state) {
|
---|
| 1522 | case CIPHER_STATE_BEGIN:
|
---|
| 1523 | {
|
---|
| 1524 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 1525 | WOLFSSL_MSG("Data to encrypt");
|
---|
| 1526 | WOLFSSL_BUFFER(input, dataSz);
|
---|
| 1527 | #endif
|
---|
| 1528 |
|
---|
| 1529 | if (ssl->encrypt.nonce == NULL)
|
---|
| 1530 | ssl->encrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
|
---|
| 1531 | ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
|
---|
| 1532 | if (ssl->encrypt.nonce == NULL)
|
---|
| 1533 | return MEMORY_E;
|
---|
| 1534 |
|
---|
| 1535 | BuildTls13Nonce(ssl, ssl->encrypt.nonce, ssl->keys.aead_enc_imp_IV,
|
---|
| 1536 | CUR_ORDER);
|
---|
| 1537 |
|
---|
| 1538 | /* Advance state and proceed */
|
---|
| 1539 | ssl->encrypt.state = CIPHER_STATE_DO;
|
---|
| 1540 | }
|
---|
| 1541 | FALL_THROUGH;
|
---|
| 1542 |
|
---|
| 1543 | case CIPHER_STATE_DO:
|
---|
| 1544 | {
|
---|
| 1545 | switch (ssl->specs.bulk_cipher_algorithm) {
|
---|
| 1546 | #ifdef BUILD_AESGCM
|
---|
| 1547 | case wolfssl_aes_gcm:
|
---|
| 1548 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1549 | /* intialize event */
|
---|
| 1550 | asyncDev = &ssl->encrypt.aes->asyncDev;
|
---|
| 1551 | ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
|
---|
| 1552 | if (ret != 0)
|
---|
| 1553 | break;
|
---|
| 1554 | #endif
|
---|
| 1555 |
|
---|
| 1556 | nonceSz = AESGCM_NONCE_SZ;
|
---|
| 1557 | ret = wc_AesGcmEncrypt(ssl->encrypt.aes, output, input,
|
---|
| 1558 | dataSz, ssl->encrypt.nonce, nonceSz,
|
---|
| 1559 | output + dataSz, macSz, NULL, 0);
|
---|
| 1560 | break;
|
---|
| 1561 | #endif
|
---|
| 1562 |
|
---|
| 1563 | #ifdef HAVE_AESCCM
|
---|
| 1564 | case wolfssl_aes_ccm:
|
---|
| 1565 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1566 | /* intialize event */
|
---|
| 1567 | asyncDev = &ssl->encrypt.aes->asyncDev;
|
---|
| 1568 | ret = wolfSSL_AsyncInit(ssl, asyncDev, event_flags);
|
---|
| 1569 | if (ret != 0)
|
---|
| 1570 | break;
|
---|
| 1571 | #endif
|
---|
| 1572 |
|
---|
| 1573 | nonceSz = AESCCM_NONCE_SZ;
|
---|
| 1574 | ret = wc_AesCcmEncrypt(ssl->encrypt.aes, output, input,
|
---|
| 1575 | dataSz, ssl->encrypt.nonce, nonceSz,
|
---|
| 1576 | output + dataSz, macSz, NULL, 0);
|
---|
| 1577 | break;
|
---|
| 1578 | #endif
|
---|
| 1579 |
|
---|
| 1580 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
|
---|
| 1581 | case wolfssl_chacha:
|
---|
| 1582 | ret = ChaCha20Poly1305_Encrypt(ssl, output, input, dataSz,
|
---|
| 1583 | ssl->encrypt.nonce, output + dataSz);
|
---|
| 1584 | break;
|
---|
| 1585 | #endif
|
---|
| 1586 |
|
---|
| 1587 | default:
|
---|
| 1588 | WOLFSSL_MSG("wolfSSL Encrypt programming error");
|
---|
| 1589 | return ENCRYPT_ERROR;
|
---|
| 1590 | }
|
---|
| 1591 |
|
---|
| 1592 | /* Advance state */
|
---|
| 1593 | ssl->encrypt.state = CIPHER_STATE_END;
|
---|
| 1594 |
|
---|
| 1595 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1596 | if (ret == WC_PENDING_E) {
|
---|
| 1597 | /* if async is not okay, then block */
|
---|
| 1598 | if (!asyncOkay) {
|
---|
| 1599 | ret = wc_AsyncWait(ret, asyncDev, event_flags);
|
---|
| 1600 | }
|
---|
| 1601 | else {
|
---|
| 1602 | /* If pending, then leave and return will resume below */
|
---|
| 1603 | return wolfSSL_AsyncPush(ssl, asyncDev);
|
---|
| 1604 | }
|
---|
| 1605 | }
|
---|
| 1606 | #endif
|
---|
| 1607 | }
|
---|
| 1608 | FALL_THROUGH;
|
---|
| 1609 |
|
---|
| 1610 | case CIPHER_STATE_END:
|
---|
| 1611 | {
|
---|
| 1612 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 1613 | WOLFSSL_MSG("Nonce");
|
---|
| 1614 | WOLFSSL_BUFFER(ssl->encrypt.nonce, ssl->specs.iv_size);
|
---|
| 1615 | WOLFSSL_MSG("Encrypted data");
|
---|
| 1616 | WOLFSSL_BUFFER(output, dataSz);
|
---|
| 1617 | WOLFSSL_MSG("Authentication Tag");
|
---|
| 1618 | WOLFSSL_BUFFER(output + dataSz, macSz);
|
---|
| 1619 | #endif
|
---|
| 1620 |
|
---|
| 1621 | ForceZero(ssl->encrypt.nonce, AEAD_NONCE_SZ);
|
---|
| 1622 |
|
---|
| 1623 | break;
|
---|
| 1624 | }
|
---|
| 1625 | }
|
---|
| 1626 |
|
---|
| 1627 | /* Reset state */
|
---|
| 1628 | ssl->encrypt.state = CIPHER_STATE_BEGIN;
|
---|
| 1629 |
|
---|
| 1630 | return ret;
|
---|
| 1631 | }
|
---|
| 1632 |
|
---|
| 1633 | #ifdef HAVE_CHACHA
|
---|
| 1634 | /* Decrypt with ChaCha20 and check authenication tag with Poly1305.
|
---|
| 1635 | *
|
---|
| 1636 | * ssl The SSL/TLS object.
|
---|
| 1637 | * output The buffer to write decrypted data into.
|
---|
| 1638 | * May be the same pointer as input.
|
---|
| 1639 | * input The data to decrypt.
|
---|
| 1640 | * sz The number of bytes to decrypt.
|
---|
| 1641 | * nonce The nonce to use with ChaCha20.
|
---|
| 1642 | * tagIn The authentication tag data from packet.
|
---|
| 1643 | * returns 0 on success, otherwise failure.
|
---|
| 1644 | */
|
---|
| 1645 | static int ChaCha20Poly1305_Decrypt(WOLFSSL* ssl, byte* output,
|
---|
| 1646 | const byte* input, word16 sz, byte* nonce,
|
---|
| 1647 | const byte* tagIn)
|
---|
| 1648 | {
|
---|
| 1649 | int ret;
|
---|
| 1650 | byte tag[POLY1305_AUTH_SZ];
|
---|
| 1651 | byte poly[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
|
---|
| 1652 |
|
---|
| 1653 | /* Poly1305 key is 256 bits of zero encrypted with ChaCha20. */
|
---|
| 1654 | XMEMSET(poly, 0, sizeof(poly));
|
---|
| 1655 |
|
---|
| 1656 | /* Set nonce and get Poly1305 key. */
|
---|
| 1657 | ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0);
|
---|
| 1658 | if (ret != 0)
|
---|
| 1659 | return ret;
|
---|
| 1660 | /* Use ChaCha20 keystream to get Poly1305 key for tag. */
|
---|
| 1661 | ret = wc_Chacha_Process(ssl->decrypt.chacha, poly, poly, sizeof(poly));
|
---|
| 1662 | if (ret != 0)
|
---|
| 1663 | return ret;
|
---|
| 1664 |
|
---|
| 1665 | /* Set key for Poly1305. */
|
---|
| 1666 | ret = wc_Poly1305SetKey(ssl->auth.poly1305, poly, sizeof(poly));
|
---|
| 1667 | ForceZero(poly, sizeof(poly)); /* done with poly1305 key, clear it */
|
---|
| 1668 | if (ret != 0)
|
---|
| 1669 | return ret;
|
---|
| 1670 | /* Generate authentication tag for encrypted data. */
|
---|
| 1671 | if ((ret = wc_Poly1305_MAC(ssl->auth.poly1305, NULL, 0, (byte*)input, sz,
|
---|
| 1672 | tag, sizeof(tag))) != 0) {
|
---|
| 1673 | return ret;
|
---|
| 1674 | }
|
---|
| 1675 |
|
---|
| 1676 | /* Check tag sent along with packet. */
|
---|
| 1677 | if (ConstantCompare(tagIn, tag, POLY1305_AUTH_SZ) != 0) {
|
---|
| 1678 | WOLFSSL_MSG("MAC did not match");
|
---|
| 1679 | return VERIFY_MAC_ERROR;
|
---|
| 1680 | }
|
---|
| 1681 |
|
---|
| 1682 | /* If the tag was good decrypt message. */
|
---|
| 1683 | ret = wc_Chacha_Process(ssl->decrypt.chacha, output, input, sz);
|
---|
| 1684 |
|
---|
| 1685 | return ret;
|
---|
| 1686 | }
|
---|
| 1687 | #endif
|
---|
| 1688 |
|
---|
| 1689 | /* Decrypt data for TLS v1.3.
|
---|
| 1690 | *
|
---|
| 1691 | * ssl The SSL/TLS object.
|
---|
| 1692 | * output The buffer to write decrypted data into.
|
---|
| 1693 | * May be the same pointer as input.
|
---|
| 1694 | * input The data to encrypt and authentication tag.
|
---|
| 1695 | * sz The length of the encrypted data plus authentication tag.
|
---|
| 1696 | * returns 0 on success, otherwise failure.
|
---|
| 1697 | */
|
---|
| 1698 | int DecryptTls13(WOLFSSL* ssl, byte* output, const byte* input, word16 sz)
|
---|
| 1699 | {
|
---|
| 1700 | int ret = 0;
|
---|
| 1701 | word16 dataSz = sz - ssl->specs.aead_mac_size;
|
---|
| 1702 | word16 macSz = ssl->specs.aead_mac_size;
|
---|
| 1703 | word32 nonceSz = 0;
|
---|
| 1704 |
|
---|
| 1705 | WOLFSSL_ENTER("DecryptTls13");
|
---|
| 1706 |
|
---|
| 1707 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1708 | ret = wolfSSL_AsyncPop(ssl, &ssl->decrypt.state);
|
---|
| 1709 | if (ret != WC_NOT_PENDING_E) {
|
---|
| 1710 | /* check for still pending */
|
---|
| 1711 | if (ret == WC_PENDING_E)
|
---|
| 1712 | return ret;
|
---|
| 1713 |
|
---|
| 1714 | ssl->error = 0; /* clear async */
|
---|
| 1715 |
|
---|
| 1716 | /* let failures through so CIPHER_STATE_END logic is run */
|
---|
| 1717 | }
|
---|
| 1718 | else
|
---|
| 1719 | #endif
|
---|
| 1720 | {
|
---|
| 1721 | /* Reset state */
|
---|
| 1722 | ret = 0;
|
---|
| 1723 | ssl->decrypt.state = CIPHER_STATE_BEGIN;
|
---|
| 1724 | }
|
---|
| 1725 |
|
---|
| 1726 | (void)output;
|
---|
| 1727 | (void)input;
|
---|
| 1728 | (void)sz;
|
---|
| 1729 | (void)dataSz;
|
---|
| 1730 | (void)macSz;
|
---|
| 1731 | (void)nonceSz;
|
---|
| 1732 |
|
---|
| 1733 | switch (ssl->decrypt.state) {
|
---|
| 1734 | case CIPHER_STATE_BEGIN:
|
---|
| 1735 | {
|
---|
| 1736 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 1737 | WOLFSSL_MSG("Data to decrypt");
|
---|
| 1738 | WOLFSSL_BUFFER(input, dataSz);
|
---|
| 1739 | WOLFSSL_MSG("Authentication tag");
|
---|
| 1740 | WOLFSSL_BUFFER(input + dataSz, macSz);
|
---|
| 1741 | #endif
|
---|
| 1742 |
|
---|
| 1743 | if (ssl->decrypt.nonce == NULL)
|
---|
| 1744 | ssl->decrypt.nonce = (byte*)XMALLOC(AEAD_NONCE_SZ,
|
---|
| 1745 | ssl->heap, DYNAMIC_TYPE_AES_BUFFER);
|
---|
| 1746 | if (ssl->decrypt.nonce == NULL)
|
---|
| 1747 | return MEMORY_E;
|
---|
| 1748 |
|
---|
| 1749 | BuildTls13Nonce(ssl, ssl->decrypt.nonce, ssl->keys.aead_dec_imp_IV,
|
---|
| 1750 | PEER_ORDER);
|
---|
| 1751 |
|
---|
| 1752 | /* Advance state and proceed */
|
---|
| 1753 | ssl->decrypt.state = CIPHER_STATE_DO;
|
---|
| 1754 | }
|
---|
| 1755 | FALL_THROUGH;
|
---|
| 1756 |
|
---|
| 1757 | case CIPHER_STATE_DO:
|
---|
| 1758 | {
|
---|
| 1759 | switch (ssl->specs.bulk_cipher_algorithm) {
|
---|
| 1760 | #ifdef BUILD_AESGCM
|
---|
| 1761 | case wolfssl_aes_gcm:
|
---|
| 1762 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1763 | /* intialize event */
|
---|
| 1764 | ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
|
---|
| 1765 | WC_ASYNC_FLAG_CALL_AGAIN);
|
---|
| 1766 | if (ret != 0)
|
---|
| 1767 | break;
|
---|
| 1768 | #endif
|
---|
| 1769 |
|
---|
| 1770 | nonceSz = AESGCM_NONCE_SZ;
|
---|
| 1771 | ret = wc_AesGcmDecrypt(ssl->decrypt.aes, output, input,
|
---|
| 1772 | dataSz, ssl->decrypt.nonce, nonceSz,
|
---|
| 1773 | input + dataSz, macSz, NULL, 0);
|
---|
| 1774 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1775 | if (ret == WC_PENDING_E) {
|
---|
| 1776 | ret = wolfSSL_AsyncPush(ssl,
|
---|
| 1777 | &ssl->decrypt.aes->asyncDev);
|
---|
| 1778 | }
|
---|
| 1779 | #endif
|
---|
| 1780 | break;
|
---|
| 1781 | #endif
|
---|
| 1782 |
|
---|
| 1783 | #ifdef HAVE_AESCCM
|
---|
| 1784 | case wolfssl_aes_ccm:
|
---|
| 1785 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1786 | /* intialize event */
|
---|
| 1787 | ret = wolfSSL_AsyncInit(ssl, &ssl->decrypt.aes->asyncDev,
|
---|
| 1788 | WC_ASYNC_FLAG_CALL_AGAIN);
|
---|
| 1789 | if (ret != 0)
|
---|
| 1790 | break;
|
---|
| 1791 | #endif
|
---|
| 1792 |
|
---|
| 1793 | nonceSz = AESCCM_NONCE_SZ;
|
---|
| 1794 | ret = wc_AesCcmDecrypt(ssl->decrypt.aes, output, input,
|
---|
| 1795 | dataSz, ssl->decrypt.nonce, nonceSz,
|
---|
| 1796 | input + dataSz, macSz, NULL, 0);
|
---|
| 1797 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1798 | if (ret == WC_PENDING_E) {
|
---|
| 1799 | ret = wolfSSL_AsyncPush(ssl,
|
---|
| 1800 | &ssl->decrypt.aes->asyncDev);
|
---|
| 1801 | }
|
---|
| 1802 | #endif
|
---|
| 1803 | break;
|
---|
| 1804 | #endif
|
---|
| 1805 |
|
---|
| 1806 | #if defined(HAVE_CHACHA) && defined(HAVE_POLY1305)
|
---|
| 1807 | case wolfssl_chacha:
|
---|
| 1808 | ret = ChaCha20Poly1305_Decrypt(ssl, output, input, dataSz,
|
---|
| 1809 | ssl->decrypt.nonce, input + dataSz);
|
---|
| 1810 | break;
|
---|
| 1811 | #endif
|
---|
| 1812 |
|
---|
| 1813 | default:
|
---|
| 1814 | WOLFSSL_MSG("wolfSSL Decrypt programming error");
|
---|
| 1815 | return DECRYPT_ERROR;
|
---|
| 1816 | }
|
---|
| 1817 |
|
---|
| 1818 | /* Advance state */
|
---|
| 1819 | ssl->decrypt.state = CIPHER_STATE_END;
|
---|
| 1820 |
|
---|
| 1821 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1822 | /* If pending, leave now */
|
---|
| 1823 | if (ret == WC_PENDING_E) {
|
---|
| 1824 | return ret;
|
---|
| 1825 | }
|
---|
| 1826 | #endif
|
---|
| 1827 | }
|
---|
| 1828 | FALL_THROUGH;
|
---|
| 1829 |
|
---|
| 1830 | case CIPHER_STATE_END:
|
---|
| 1831 | {
|
---|
| 1832 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 1833 | WOLFSSL_MSG("Nonce");
|
---|
| 1834 | WOLFSSL_BUFFER(ssl->decrypt.nonce, ssl->specs.iv_size);
|
---|
| 1835 | WOLFSSL_MSG("Decrypted data");
|
---|
| 1836 | WOLFSSL_BUFFER(output, dataSz);
|
---|
| 1837 | #endif
|
---|
| 1838 |
|
---|
| 1839 | ForceZero(ssl->decrypt.nonce, AEAD_NONCE_SZ);
|
---|
| 1840 |
|
---|
| 1841 | break;
|
---|
| 1842 | }
|
---|
| 1843 | }
|
---|
| 1844 |
|
---|
| 1845 | #ifndef WOLFSSL_EARLY_DATA
|
---|
| 1846 | if (ret < 0) {
|
---|
| 1847 | SendAlert(ssl, alert_fatal, bad_record_mac);
|
---|
| 1848 | ret = VERIFY_MAC_ERROR;
|
---|
| 1849 | }
|
---|
| 1850 | #endif
|
---|
| 1851 |
|
---|
| 1852 | return ret;
|
---|
| 1853 | }
|
---|
| 1854 |
|
---|
| 1855 | /* Persistable BuildTls13Message arguments */
|
---|
| 1856 | typedef struct BuildMsg13Args {
|
---|
| 1857 | word32 sz;
|
---|
| 1858 | word32 idx;
|
---|
| 1859 | word32 headerSz;
|
---|
| 1860 | word16 size;
|
---|
| 1861 | } BuildMsg13Args;
|
---|
| 1862 |
|
---|
| 1863 | static void FreeBuildMsg13Args(WOLFSSL* ssl, void* pArgs)
|
---|
| 1864 | {
|
---|
| 1865 | BuildMsg13Args* args = (BuildMsg13Args*)pArgs;
|
---|
| 1866 |
|
---|
| 1867 | (void)ssl;
|
---|
| 1868 | (void)args;
|
---|
| 1869 |
|
---|
| 1870 | /* no allocations in BuildTls13Message */
|
---|
| 1871 | }
|
---|
| 1872 |
|
---|
| 1873 | /* Build SSL Message, encrypted.
|
---|
| 1874 | * TLS v1.3 encryption is AEAD only.
|
---|
| 1875 | *
|
---|
| 1876 | * ssl The SSL/TLS object.
|
---|
| 1877 | * output The buffer to write record message to.
|
---|
| 1878 | * outSz Size of the buffer being written into.
|
---|
| 1879 | * input The record data to encrypt (excluding record header).
|
---|
| 1880 | * inSz The size of the record data.
|
---|
| 1881 | * type The recorder header content type.
|
---|
| 1882 | * hashOutput Whether to hash the unencrypted record data.
|
---|
| 1883 | * sizeOnly Only want the size of the record message.
|
---|
| 1884 | * asyncOkay If non-zero can return WC_PENDING_E, otherwise blocks on crypto
|
---|
| 1885 | * returns the size of the encrypted record message or negative value on error.
|
---|
| 1886 | */
|
---|
| 1887 | int BuildTls13Message(WOLFSSL* ssl, byte* output, int outSz, const byte* input,
|
---|
| 1888 | int inSz, int type, int hashOutput, int sizeOnly, int asyncOkay)
|
---|
| 1889 | {
|
---|
| 1890 | int ret = 0;
|
---|
| 1891 | BuildMsg13Args* args;
|
---|
| 1892 | BuildMsg13Args lcl_args;
|
---|
| 1893 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1894 | args = (BuildMsg13Args*)ssl->async.args;
|
---|
| 1895 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
|
---|
| 1896 | (void)sizeof(args_test);
|
---|
| 1897 | #endif
|
---|
| 1898 |
|
---|
| 1899 | WOLFSSL_ENTER("BuildTls13Message");
|
---|
| 1900 |
|
---|
| 1901 | ret = WC_NOT_PENDING_E;
|
---|
| 1902 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1903 | if (asyncOkay) {
|
---|
| 1904 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.buildMsgState);
|
---|
| 1905 | if (ret != WC_NOT_PENDING_E) {
|
---|
| 1906 | /* Check for error */
|
---|
| 1907 | if (ret < 0)
|
---|
| 1908 | goto exit_buildmsg;
|
---|
| 1909 | }
|
---|
| 1910 | }
|
---|
| 1911 | else
|
---|
| 1912 | #endif
|
---|
| 1913 | {
|
---|
| 1914 | args = &lcl_args;
|
---|
| 1915 | }
|
---|
| 1916 |
|
---|
| 1917 | /* Reset state */
|
---|
| 1918 | if (ret == WC_NOT_PENDING_E) {
|
---|
| 1919 | ret = 0;
|
---|
| 1920 | ssl->options.buildMsgState = BUILD_MSG_BEGIN;
|
---|
| 1921 | XMEMSET(args, 0, sizeof(BuildMsg13Args));
|
---|
| 1922 |
|
---|
| 1923 | args->sz = RECORD_HEADER_SZ + inSz;
|
---|
| 1924 | args->idx = RECORD_HEADER_SZ;
|
---|
| 1925 | args->headerSz = RECORD_HEADER_SZ;
|
---|
| 1926 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 1927 | ssl->async.freeArgs = FreeBuildMsg13Args;
|
---|
| 1928 | #endif
|
---|
| 1929 | }
|
---|
| 1930 |
|
---|
| 1931 | switch (ssl->options.buildMsgState) {
|
---|
| 1932 | case BUILD_MSG_BEGIN:
|
---|
| 1933 | {
|
---|
| 1934 | if (output == NULL || input == NULL)
|
---|
| 1935 | return BAD_FUNC_ARG;
|
---|
| 1936 | /* catch mistaken sizeOnly parameter */
|
---|
| 1937 | if (sizeOnly && (output || input)) {
|
---|
| 1938 | WOLFSSL_MSG("BuildTls13Message with sizeOnly doesn't need "
|
---|
| 1939 | "input or output");
|
---|
| 1940 | return BAD_FUNC_ARG;
|
---|
| 1941 | }
|
---|
| 1942 |
|
---|
| 1943 | /* Record layer content type at the end of record data. */
|
---|
| 1944 | args->sz++;
|
---|
| 1945 | /* Authentication data at the end. */
|
---|
| 1946 | args->sz += ssl->specs.aead_mac_size;
|
---|
| 1947 |
|
---|
| 1948 | if (sizeOnly)
|
---|
| 1949 | return args->sz;
|
---|
| 1950 |
|
---|
| 1951 | if (args->sz > (word32)outSz) {
|
---|
| 1952 | WOLFSSL_MSG("Oops, want to write past output buffer size");
|
---|
| 1953 | return BUFFER_E;
|
---|
| 1954 | }
|
---|
| 1955 |
|
---|
| 1956 | /* Record data length. */
|
---|
| 1957 | args->size = (word16)(args->sz - args->headerSz);
|
---|
| 1958 | /* Write/update the record header with the new size.
|
---|
| 1959 | * Always have the content type as application data for encrypted
|
---|
| 1960 | * messages in TLS v1.3.
|
---|
| 1961 | */
|
---|
| 1962 | AddTls13RecordHeader(output, args->size, application_data, ssl);
|
---|
| 1963 |
|
---|
| 1964 | /* TLS v1.3 can do in place encryption. */
|
---|
| 1965 | if (input != output + args->idx)
|
---|
| 1966 | XMEMCPY(output + args->idx, input, inSz);
|
---|
| 1967 | args->idx += inSz;
|
---|
| 1968 |
|
---|
| 1969 | ssl->options.buildMsgState = BUILD_MSG_HASH;
|
---|
| 1970 | }
|
---|
| 1971 | FALL_THROUGH;
|
---|
| 1972 |
|
---|
| 1973 | case BUILD_MSG_HASH:
|
---|
| 1974 | {
|
---|
| 1975 | if (hashOutput) {
|
---|
| 1976 | ret = HashOutput(ssl, output, args->headerSz + inSz, 0);
|
---|
| 1977 | if (ret != 0)
|
---|
| 1978 | goto exit_buildmsg;
|
---|
| 1979 | }
|
---|
| 1980 |
|
---|
| 1981 | ssl->options.buildMsgState = BUILD_MSG_ENCRYPT;
|
---|
| 1982 | }
|
---|
| 1983 | FALL_THROUGH;
|
---|
| 1984 |
|
---|
| 1985 | case BUILD_MSG_ENCRYPT:
|
---|
| 1986 | {
|
---|
| 1987 | /* The real record content type goes at the end of the data. */
|
---|
| 1988 | output[args->idx++] = type;
|
---|
| 1989 |
|
---|
| 1990 | #ifdef ATOMIC_USER
|
---|
| 1991 | if (ssl->ctx->MacEncryptCb) {
|
---|
| 1992 | /* User Record Layer Callback handling */
|
---|
| 1993 | byte* mac = output + args->idx;
|
---|
| 1994 | output += args->headerSz;
|
---|
| 1995 |
|
---|
| 1996 | ret = ssl->ctx->MacEncryptCb(ssl, mac, output, inSz, type, 0,
|
---|
| 1997 | output, output, args->size, ssl->MacEncryptCtx);
|
---|
| 1998 | }
|
---|
| 1999 | else
|
---|
| 2000 | #endif
|
---|
| 2001 | {
|
---|
| 2002 | output += args->headerSz;
|
---|
| 2003 | ret = EncryptTls13(ssl, output, output, args->size, asyncOkay);
|
---|
| 2004 | }
|
---|
| 2005 | break;
|
---|
| 2006 | }
|
---|
| 2007 | }
|
---|
| 2008 |
|
---|
| 2009 | exit_buildmsg:
|
---|
| 2010 |
|
---|
| 2011 | WOLFSSL_LEAVE("BuildTls13Message", ret);
|
---|
| 2012 |
|
---|
| 2013 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 2014 | if (ret == WC_PENDING_E) {
|
---|
| 2015 | return ret;
|
---|
| 2016 | }
|
---|
| 2017 | #endif
|
---|
| 2018 |
|
---|
| 2019 | /* make sure build message state is reset */
|
---|
| 2020 | ssl->options.buildMsgState = BUILD_MSG_BEGIN;
|
---|
| 2021 |
|
---|
| 2022 | /* return sz on success */
|
---|
| 2023 | if (ret == 0)
|
---|
| 2024 | ret = args->sz;
|
---|
| 2025 |
|
---|
| 2026 | /* Final cleanup */
|
---|
| 2027 | FreeBuildMsg13Args(ssl, args);
|
---|
| 2028 |
|
---|
| 2029 | return ret;
|
---|
| 2030 | }
|
---|
| 2031 |
|
---|
| 2032 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 2033 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 2034 | /* Setup pre-shared key based on the details in the extension data.
|
---|
| 2035 | *
|
---|
| 2036 | * ssl SSL/TLS object.
|
---|
| 2037 | * psk Pre-shared key extension data.
|
---|
| 2038 | * returns 0 on success, PSK_KEY_ERROR when the client PSK callback fails and
|
---|
| 2039 | * other negative value on failure.
|
---|
| 2040 | */
|
---|
| 2041 | static int SetupPskKey(WOLFSSL* ssl, PreSharedKey* psk)
|
---|
| 2042 | {
|
---|
| 2043 | int ret;
|
---|
| 2044 |
|
---|
| 2045 | ssl->options.cipherSuite0 = psk->cipherSuite0;
|
---|
| 2046 | ssl->options.cipherSuite = psk->cipherSuite;
|
---|
| 2047 | if ((ret = SetCipherSpecs(ssl)) != 0)
|
---|
| 2048 | return ret;
|
---|
| 2049 |
|
---|
| 2050 | #ifdef HAVE_SESSION_TICKET
|
---|
| 2051 | if (psk->resumption) {
|
---|
| 2052 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 2053 | if (ssl->session.maxEarlyDataSz == 0)
|
---|
| 2054 | ssl->earlyData = 0;
|
---|
| 2055 | #endif
|
---|
| 2056 | /* Resumption PSK is master secret. */
|
---|
| 2057 | ssl->arrays->psk_keySz = ssl->specs.hash_size;
|
---|
| 2058 | XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
|
---|
| 2059 | ssl->arrays->psk_keySz);
|
---|
| 2060 | }
|
---|
| 2061 | #endif
|
---|
| 2062 | #ifndef NO_PSK
|
---|
| 2063 | if (!psk->resumption) {
|
---|
| 2064 | /* Get the pre-shared key. */
|
---|
| 2065 | ssl->arrays->psk_keySz = ssl->options.client_psk_cb(ssl,
|
---|
| 2066 | (char *)psk->identity, ssl->arrays->client_identity,
|
---|
| 2067 | MAX_PSK_ID_LEN, ssl->arrays->psk_key, MAX_PSK_KEY_LEN);
|
---|
| 2068 | if (ssl->arrays->psk_keySz == 0 ||
|
---|
| 2069 | ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
|
---|
| 2070 | return PSK_KEY_ERROR;
|
---|
| 2071 | }
|
---|
| 2072 | }
|
---|
| 2073 | #endif
|
---|
| 2074 |
|
---|
| 2075 | /* Derive the early secret using the PSK. */
|
---|
| 2076 | return DeriveEarlySecret(ssl);
|
---|
| 2077 | }
|
---|
| 2078 |
|
---|
| 2079 | /* Derive and write the binders into the ClientHello in space left when
|
---|
| 2080 | * writing the Pre-Shared Key extension.
|
---|
| 2081 | *
|
---|
| 2082 | * ssl The SSL/TLS object.
|
---|
| 2083 | * output The buffer containing the ClientHello.
|
---|
| 2084 | * idx The index at the end of the completed ClientHello.
|
---|
| 2085 | * returns 0 on success and otherwise failure.
|
---|
| 2086 | */
|
---|
| 2087 | static int WritePSKBinders(WOLFSSL* ssl, byte* output, word32 idx)
|
---|
| 2088 | {
|
---|
| 2089 | int ret;
|
---|
| 2090 | TLSX* ext;
|
---|
| 2091 | PreSharedKey* current;
|
---|
| 2092 | byte binderKey[MAX_DIGEST_SIZE];
|
---|
| 2093 | word16 len;
|
---|
| 2094 |
|
---|
| 2095 | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
|
---|
| 2096 | if (ext == NULL)
|
---|
| 2097 | return SANITY_MSG_E;
|
---|
| 2098 |
|
---|
| 2099 | /* Get the size of the binders to determine where to write binders. */
|
---|
| 2100 | idx -= TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
|
---|
| 2101 | client_hello);
|
---|
| 2102 |
|
---|
| 2103 | /* Hash truncated ClientHello - up to binders. */
|
---|
| 2104 | ret = HashOutput(ssl, output, idx, 0);
|
---|
| 2105 | if (ret != 0)
|
---|
| 2106 | return ret;
|
---|
| 2107 |
|
---|
| 2108 | current = (PreSharedKey*)ext->data;
|
---|
| 2109 | /* Calculate the binder for each identity based on previous handshake data.
|
---|
| 2110 | */
|
---|
| 2111 | while (current != NULL) {
|
---|
| 2112 | if ((ret = SetupPskKey(ssl, current)) != 0)
|
---|
| 2113 | return ret;
|
---|
| 2114 |
|
---|
| 2115 | #ifdef HAVE_SESSION_TICKET
|
---|
| 2116 | if (current->resumption)
|
---|
| 2117 | ret = DeriveBinderKeyResume(ssl, binderKey);
|
---|
| 2118 | #endif
|
---|
| 2119 | #ifndef NO_PSK
|
---|
| 2120 | if (!current->resumption)
|
---|
| 2121 | ret = DeriveBinderKey(ssl, binderKey);
|
---|
| 2122 | #endif
|
---|
| 2123 | if (ret != 0)
|
---|
| 2124 | return ret;
|
---|
| 2125 |
|
---|
| 2126 | /* Derive the Finished message secret. */
|
---|
| 2127 | ret = DeriveFinishedSecret(ssl, binderKey,
|
---|
| 2128 | ssl->keys.client_write_MAC_secret);
|
---|
| 2129 | if (ret != 0)
|
---|
| 2130 | return ret;
|
---|
| 2131 |
|
---|
| 2132 | /* Build the HMAC of the handshake message data = binder. */
|
---|
| 2133 | ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret,
|
---|
| 2134 | current->binder, ¤t->binderLen);
|
---|
| 2135 | if (ret != 0)
|
---|
| 2136 | return ret;
|
---|
| 2137 |
|
---|
| 2138 | current = current->next;
|
---|
| 2139 | }
|
---|
| 2140 |
|
---|
| 2141 | /* Data entered into extension, now write to message. */
|
---|
| 2142 | len = TLSX_PreSharedKey_WriteBinders((PreSharedKey*)ext->data, output + idx,
|
---|
| 2143 | client_hello);
|
---|
| 2144 |
|
---|
| 2145 | /* Hash binders to complete the hash of the ClientHello. */
|
---|
| 2146 | ret = HashOutputRaw(ssl, output + idx, len);
|
---|
| 2147 | if (ret < 0)
|
---|
| 2148 | return ret;
|
---|
| 2149 |
|
---|
| 2150 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 2151 | if (ssl->earlyData) {
|
---|
| 2152 | if ((ret = SetupPskKey(ssl, (PreSharedKey*)ext->data)) != 0)
|
---|
| 2153 | return ret;
|
---|
| 2154 |
|
---|
| 2155 | /* Derive early data encryption key. */
|
---|
| 2156 | ret = DeriveTls13Keys(ssl, early_data_key, ENCRYPT_SIDE_ONLY, 1);
|
---|
| 2157 | if (ret != 0)
|
---|
| 2158 | return ret;
|
---|
| 2159 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
|
---|
| 2160 | return ret;
|
---|
| 2161 | }
|
---|
| 2162 | #endif
|
---|
| 2163 | return ret;
|
---|
| 2164 | }
|
---|
| 2165 | #endif
|
---|
| 2166 |
|
---|
| 2167 | /* Send a ClientHello message to the server.
|
---|
| 2168 | * Include the information required to start a handshake with servers using
|
---|
| 2169 | * protocol versions less than TLS v1.3.
|
---|
| 2170 | * Only a client will send this message.
|
---|
| 2171 | *
|
---|
| 2172 | * ssl The SSL/TLS object.
|
---|
| 2173 | * returns 0 on success and otherwise failure.
|
---|
| 2174 | */
|
---|
| 2175 | int SendTls13ClientHello(WOLFSSL* ssl)
|
---|
| 2176 | {
|
---|
| 2177 | byte* output;
|
---|
| 2178 | word32 length;
|
---|
| 2179 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 2180 | int sendSz;
|
---|
| 2181 | int ret;
|
---|
| 2182 |
|
---|
| 2183 | WOLFSSL_ENTER("SendTls13ClientHello");
|
---|
| 2184 |
|
---|
| 2185 | #ifdef HAVE_SESSION_TICKET
|
---|
| 2186 | if (ssl->options.resuming &&
|
---|
| 2187 | (ssl->session.version.major != ssl->version.major ||
|
---|
| 2188 | ssl->session.version.minor != ssl->version.minor)) {
|
---|
| 2189 | /* Cannot resume with a different protocol version - new handshake. */
|
---|
| 2190 | ssl->options.resuming = 0;
|
---|
| 2191 | ssl->version.major = ssl->session.version.major;
|
---|
| 2192 | ssl->version.minor = ssl->session.version.minor;
|
---|
| 2193 | return SendClientHello(ssl);
|
---|
| 2194 | }
|
---|
| 2195 | #endif
|
---|
| 2196 |
|
---|
| 2197 | if (ssl->suites == NULL) {
|
---|
| 2198 | WOLFSSL_MSG("Bad suites pointer in SendTls13ClientHello");
|
---|
| 2199 | return SUITES_ERROR;
|
---|
| 2200 | }
|
---|
| 2201 |
|
---|
| 2202 | /* Version | Random | Session Id | Cipher Suites | Compression | Ext */
|
---|
| 2203 | length = VERSION_SZ + RAN_LEN + ENUM_LEN + ssl->suites->suiteSz +
|
---|
| 2204 | SUITE_LEN + COMP_LEN + ENUM_LEN;
|
---|
| 2205 |
|
---|
| 2206 | /* Auto populate extensions supported unless user defined. */
|
---|
| 2207 | if ((ret = TLSX_PopulateExtensions(ssl, 0)) != 0)
|
---|
| 2208 | return ret;
|
---|
| 2209 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 2210 | #ifndef NO_PSK
|
---|
| 2211 | if (!ssl->options.resuming && ssl->options.client_psk_cb == NULL)
|
---|
| 2212 | #else
|
---|
| 2213 | if (!ssl->options.resuming)
|
---|
| 2214 | #endif
|
---|
| 2215 | ssl->earlyData = 0;
|
---|
| 2216 | if (ssl->earlyData && (ret = TLSX_EarlyData_Use(ssl, 0)) < 0)
|
---|
| 2217 | return ret;
|
---|
| 2218 | #endif
|
---|
| 2219 | #ifdef HAVE_QSH
|
---|
| 2220 | if (QSH_Init(ssl) != 0)
|
---|
| 2221 | return MEMORY_E;
|
---|
| 2222 | #endif
|
---|
| 2223 | /* Include length of TLS extensions. */
|
---|
| 2224 | length += TLSX_GetRequestSize(ssl, client_hello);
|
---|
| 2225 |
|
---|
| 2226 | /* Total message size. */
|
---|
| 2227 | sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
|
---|
| 2228 |
|
---|
| 2229 | /* Check buffers are big enough and grow if needed. */
|
---|
| 2230 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
|
---|
| 2231 | return ret;
|
---|
| 2232 |
|
---|
| 2233 | /* Get position in output buffer to write new message to. */
|
---|
| 2234 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 2235 | ssl->buffers.outputBuffer.length;
|
---|
| 2236 |
|
---|
| 2237 | /* Put the record and handshake headers on. */
|
---|
| 2238 | AddTls13Headers(output, length, client_hello, ssl);
|
---|
| 2239 |
|
---|
| 2240 | /* Protocol version. */
|
---|
| 2241 | output[idx++] = SSLv3_MAJOR;
|
---|
| 2242 | output[idx++] = TLSv1_2_MINOR;
|
---|
| 2243 | ssl->chVersion = ssl->version;
|
---|
| 2244 |
|
---|
| 2245 | /* Client Random */
|
---|
| 2246 | if (ssl->options.connectState == CONNECT_BEGIN) {
|
---|
| 2247 | ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN);
|
---|
| 2248 | if (ret != 0)
|
---|
| 2249 | return ret;
|
---|
| 2250 |
|
---|
| 2251 | /* Store random for possible second ClientHello. */
|
---|
| 2252 | XMEMCPY(ssl->arrays->clientRandom, output + idx, RAN_LEN);
|
---|
| 2253 | }
|
---|
| 2254 | else
|
---|
| 2255 | XMEMCPY(output + idx, ssl->arrays->clientRandom, RAN_LEN);
|
---|
| 2256 | idx += RAN_LEN;
|
---|
| 2257 |
|
---|
| 2258 | /* TLS v1.3 does not use session id - 0 length. */
|
---|
| 2259 | output[idx++] = 0;
|
---|
| 2260 |
|
---|
| 2261 | /* Cipher suites */
|
---|
| 2262 | c16toa(ssl->suites->suiteSz, output + idx);
|
---|
| 2263 | idx += OPAQUE16_LEN;
|
---|
| 2264 | XMEMCPY(output + idx, &ssl->suites->suites, ssl->suites->suiteSz);
|
---|
| 2265 | idx += ssl->suites->suiteSz;
|
---|
| 2266 |
|
---|
| 2267 | /* Compression not supported in TLS v1.3. */
|
---|
| 2268 | output[idx++] = COMP_LEN;
|
---|
| 2269 | output[idx++] = NO_COMPRESSION;
|
---|
| 2270 |
|
---|
| 2271 | /* Write out extensions for a request. */
|
---|
| 2272 | idx += TLSX_WriteRequest(ssl, output + idx, client_hello);
|
---|
| 2273 |
|
---|
| 2274 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 2275 | /* Resumption has a specific set of extensions and binder is calculated
|
---|
| 2276 | * for each identity.
|
---|
| 2277 | */
|
---|
| 2278 | if (TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY))
|
---|
| 2279 | ret = WritePSKBinders(ssl, output, idx);
|
---|
| 2280 | else
|
---|
| 2281 | #endif
|
---|
| 2282 | ret = HashOutput(ssl, output, idx, 0);
|
---|
| 2283 | if (ret != 0)
|
---|
| 2284 | return ret;
|
---|
| 2285 |
|
---|
| 2286 | ssl->options.clientState = CLIENT_HELLO_COMPLETE;
|
---|
| 2287 |
|
---|
| 2288 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 2289 | if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
|
---|
| 2290 | if (ssl->toInfoOn) {
|
---|
| 2291 | AddPacketInfo("ClientHello", &ssl->timeoutInfo, output, sendSz,
|
---|
| 2292 | ssl->heap);
|
---|
| 2293 | }
|
---|
| 2294 | #endif
|
---|
| 2295 |
|
---|
| 2296 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 2297 |
|
---|
| 2298 | ret = SendBuffered(ssl);
|
---|
| 2299 |
|
---|
| 2300 | WOLFSSL_LEAVE("SendTls13ClientHello", ret);
|
---|
| 2301 |
|
---|
| 2302 | return ret;
|
---|
| 2303 | }
|
---|
| 2304 |
|
---|
| 2305 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
| 2306 | #ifdef WOLFSSL_SEND_HRR_COOKIE
|
---|
| 2307 | /* Create Cookie extension using the hash of the first ClientHello.
|
---|
| 2308 | *
|
---|
| 2309 | * ssl SSL/TLS object.
|
---|
| 2310 | * hash The hash data.
|
---|
| 2311 | * hashSz The size of the hash data in bytes.
|
---|
| 2312 | * returns 0 on success, otherwise failure.
|
---|
| 2313 | */
|
---|
| 2314 | static int CreateCookie(WOLFSSL* ssl, byte* hash, byte hashSz)
|
---|
| 2315 | {
|
---|
| 2316 | int ret;
|
---|
| 2317 | byte mac[MAX_DIGEST_SIZE];
|
---|
| 2318 | Hmac cookieHmac;
|
---|
| 2319 | byte cookieType;
|
---|
| 2320 | byte macSz;
|
---|
| 2321 |
|
---|
| 2322 | #if !defined(NO_SHA) && defined(NO_SHA256)
|
---|
| 2323 | cookieType = SHA;
|
---|
| 2324 | macSz = WC_SHA_DIGEST_SIZE;
|
---|
| 2325 | #endif /* NO_SHA */
|
---|
| 2326 | #ifndef NO_SHA256
|
---|
| 2327 | cookieType = WC_SHA256;
|
---|
| 2328 | macSz = WC_SHA256_DIGEST_SIZE;
|
---|
| 2329 | #endif /* NO_SHA256 */
|
---|
| 2330 |
|
---|
| 2331 | ret = wc_HmacSetKey(&cookieHmac, cookieType,
|
---|
| 2332 | ssl->buffers.tls13CookieSecret.buffer,
|
---|
| 2333 | ssl->buffers.tls13CookieSecret.length);
|
---|
| 2334 | if (ret != 0)
|
---|
| 2335 | return ret;
|
---|
| 2336 | if ((ret = wc_HmacUpdate(&cookieHmac, hash, hashSz)) != 0)
|
---|
| 2337 | return ret;
|
---|
| 2338 | if ((ret = wc_HmacFinal(&cookieHmac, mac)) != 0)
|
---|
| 2339 | return ret;
|
---|
| 2340 |
|
---|
| 2341 | /* The cookie data is the hash and the integrity check. */
|
---|
| 2342 | return TLSX_Cookie_Use(ssl, hash, hashSz, mac, macSz, 1);
|
---|
| 2343 | }
|
---|
| 2344 | #endif
|
---|
| 2345 |
|
---|
| 2346 | /* Restart the Hanshake hash with a hash of the previous messages.
|
---|
| 2347 | *
|
---|
| 2348 | * ssl The SSL/TLS object.
|
---|
| 2349 | * returns 0 on success, otherwise failure.
|
---|
| 2350 | */
|
---|
| 2351 | static int RestartHandshakeHash(WOLFSSL* ssl)
|
---|
| 2352 | {
|
---|
| 2353 | int ret;
|
---|
| 2354 | Hashes hashes;
|
---|
| 2355 | byte header[HANDSHAKE_HEADER_SZ];
|
---|
| 2356 | byte* hash = NULL;
|
---|
| 2357 | byte hashSz = 0;
|
---|
| 2358 |
|
---|
| 2359 | ret = BuildCertHashes(ssl, &hashes);
|
---|
| 2360 | if (ret != 0)
|
---|
| 2361 | return ret;
|
---|
| 2362 | switch (ssl->specs.mac_algorithm) {
|
---|
| 2363 | #ifndef NO_SHA256
|
---|
| 2364 | case sha256_mac:
|
---|
| 2365 | hash = hashes.sha256;
|
---|
| 2366 | break;
|
---|
| 2367 | #endif
|
---|
| 2368 | #ifdef WOLFSSL_SHA384
|
---|
| 2369 | case sha384_mac:
|
---|
| 2370 | hash = hashes.sha384;
|
---|
| 2371 | break;
|
---|
| 2372 | #endif
|
---|
| 2373 | #ifdef WOLFSSL_TLS13_SHA512
|
---|
| 2374 | case sha512_mac:
|
---|
| 2375 | hash = hashes.sha512;
|
---|
| 2376 | break;
|
---|
| 2377 | #endif
|
---|
| 2378 | }
|
---|
| 2379 | hashSz = ssl->specs.hash_size;
|
---|
| 2380 | AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
|
---|
| 2381 |
|
---|
| 2382 | WOLFSSL_MSG("Restart Hash");
|
---|
| 2383 | WOLFSSL_BUFFER(hash, hashSz);
|
---|
| 2384 |
|
---|
| 2385 | #ifdef WOLFSSL_SEND_HRR_COOKIE
|
---|
| 2386 | if (ssl->options.sendCookie) {
|
---|
| 2387 | byte cookie[OPAQUE8_LEN + MAX_DIGEST_SIZE + OPAQUE16_LEN * 2];
|
---|
| 2388 | TLSX* ext;
|
---|
| 2389 | word32 idx = 0;
|
---|
| 2390 |
|
---|
| 2391 | /* Cookie Data = Hash Len | Hash | CS | KeyShare Group */
|
---|
| 2392 | cookie[idx++] = hashSz;
|
---|
| 2393 | XMEMCPY(cookie + idx, hash, hashSz);
|
---|
| 2394 | idx += hashSz;
|
---|
| 2395 | cookie[idx++] = ssl->options.cipherSuite0;
|
---|
| 2396 | cookie[idx++] = ssl->options.cipherSuite;
|
---|
| 2397 | if ((ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE)) != NULL) {
|
---|
| 2398 | KeyShareEntry* kse = (KeyShareEntry*)ext->data;
|
---|
| 2399 | c16toa(kse->group, cookie + idx);
|
---|
| 2400 | idx += OPAQUE16_LEN;
|
---|
| 2401 | }
|
---|
| 2402 | return CreateCookie(ssl, cookie, idx);
|
---|
| 2403 | }
|
---|
| 2404 | #endif
|
---|
| 2405 |
|
---|
| 2406 | ret = InitHandshakeHashes(ssl);
|
---|
| 2407 | if (ret != 0)
|
---|
| 2408 | return ret;
|
---|
| 2409 | ret = HashOutputRaw(ssl, header, sizeof(header));
|
---|
| 2410 | if (ret != 0)
|
---|
| 2411 | return ret;
|
---|
| 2412 | return HashOutputRaw(ssl, hash, hashSz);
|
---|
| 2413 | }
|
---|
| 2414 | #endif
|
---|
| 2415 |
|
---|
| 2416 | /* Parse and handle a HelloRetryRequest message.
|
---|
| 2417 | * Only a client will receive this message.
|
---|
| 2418 | *
|
---|
| 2419 | * ssl The SSL/TLS object.
|
---|
| 2420 | * input The message buffer.
|
---|
| 2421 | * inOutIdx On entry, the index into the message buffer of
|
---|
| 2422 | * HelloRetryRequest.
|
---|
| 2423 | * On exit, the index of byte after the HelloRetryRequest message.
|
---|
| 2424 | * totalSz The length of the current handshake message.
|
---|
| 2425 | * returns 0 on success and otherwise failure.
|
---|
| 2426 | */
|
---|
| 2427 | static int DoTls13HelloRetryRequest(WOLFSSL* ssl, const byte* input,
|
---|
| 2428 | word32* inOutIdx, word32 totalSz)
|
---|
| 2429 | {
|
---|
| 2430 | int ret;
|
---|
| 2431 | word32 begin = *inOutIdx;
|
---|
| 2432 | word32 i = begin;
|
---|
| 2433 | word16 totalExtSz;
|
---|
| 2434 | ProtocolVersion pv;
|
---|
| 2435 |
|
---|
| 2436 | WOLFSSL_ENTER("DoTls13HelloRetryRequest");
|
---|
| 2437 |
|
---|
| 2438 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 2439 | if (ssl->hsInfoOn) AddPacketName("HelloRetryRequest", &ssl->handShakeInfo);
|
---|
| 2440 | if (ssl->toInfoOn) AddLateName("HelloRetryRequest", &ssl->timeoutInfo);
|
---|
| 2441 | #endif
|
---|
| 2442 |
|
---|
| 2443 | /* Version info and length field of extension data. */
|
---|
| 2444 | if (totalSz < i - begin + OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
|
---|
| 2445 | return BUFFER_ERROR;
|
---|
| 2446 |
|
---|
| 2447 | /* Protocol version. */
|
---|
| 2448 | XMEMCPY(&pv, input + i, OPAQUE16_LEN);
|
---|
| 2449 | i += OPAQUE16_LEN;
|
---|
| 2450 | ret = CheckVersion(ssl, pv);
|
---|
| 2451 | if (ret != 0)
|
---|
| 2452 | return ret;
|
---|
| 2453 |
|
---|
| 2454 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
| 2455 | /* Set the cipher suite from the message. */
|
---|
| 2456 | ssl->options.cipherSuite0 = input[i++];
|
---|
| 2457 | ssl->options.cipherSuite = input[i++];
|
---|
| 2458 |
|
---|
| 2459 | ret = SetCipherSpecs(ssl);
|
---|
| 2460 | if (ret != 0)
|
---|
| 2461 | return ret;
|
---|
| 2462 | #endif
|
---|
| 2463 |
|
---|
| 2464 | /* Length of extension data. */
|
---|
| 2465 | ato16(&input[i], &totalExtSz);
|
---|
| 2466 | i += OPAQUE16_LEN;
|
---|
| 2467 | if (totalExtSz == 0) {
|
---|
| 2468 | WOLFSSL_MSG("HelloRetryRequest must contain extensions");
|
---|
| 2469 | return MISSING_HANDSHAKE_DATA;
|
---|
| 2470 | }
|
---|
| 2471 |
|
---|
| 2472 | /* Extension data. */
|
---|
| 2473 | if (i - begin + totalExtSz > totalSz)
|
---|
| 2474 | return BUFFER_ERROR;
|
---|
| 2475 | if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz,
|
---|
| 2476 | hello_retry_request, NULL)) != 0)
|
---|
| 2477 | return ret;
|
---|
| 2478 | /* The KeyShare extension parsing fails when not valid. */
|
---|
| 2479 |
|
---|
| 2480 | /* Move index to byte after message. */
|
---|
| 2481 | *inOutIdx = i + totalExtSz;
|
---|
| 2482 |
|
---|
| 2483 | ssl->options.tls1_3 = 1;
|
---|
| 2484 | ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST;
|
---|
| 2485 |
|
---|
| 2486 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
| 2487 | ret = RestartHandshakeHash(ssl);
|
---|
| 2488 | #endif
|
---|
| 2489 |
|
---|
| 2490 | WOLFSSL_LEAVE("DoTls13HelloRetryRequest", ret);
|
---|
| 2491 |
|
---|
| 2492 | return ret;
|
---|
| 2493 | }
|
---|
| 2494 |
|
---|
| 2495 | /* Handle the ServerHello message from the server.
|
---|
| 2496 | * Only a client will receive this message.
|
---|
| 2497 | *
|
---|
| 2498 | * ssl The SSL/TLS object.
|
---|
| 2499 | * input The message buffer.
|
---|
| 2500 | * inOutIdx On entry, the index into the message buffer of ServerHello.
|
---|
| 2501 | * On exit, the index of byte after the ServerHello message.
|
---|
| 2502 | * helloSz The length of the current handshake message.
|
---|
| 2503 | * returns 0 on success and otherwise failure.
|
---|
| 2504 | */
|
---|
| 2505 | int DoTls13ServerHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
---|
| 2506 | word32 helloSz)
|
---|
| 2507 | {
|
---|
| 2508 | ProtocolVersion pv;
|
---|
| 2509 | word32 i = *inOutIdx;
|
---|
| 2510 | word32 begin = i;
|
---|
| 2511 | int ret;
|
---|
| 2512 | word16 totalExtSz;
|
---|
| 2513 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 2514 | TLSX* ext;
|
---|
| 2515 | PreSharedKey* psk = NULL;
|
---|
| 2516 | #endif
|
---|
| 2517 |
|
---|
| 2518 | WOLFSSL_ENTER("DoTls13ServerHello");
|
---|
| 2519 |
|
---|
| 2520 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 2521 | if (ssl->hsInfoOn) AddPacketName("ServerHello", &ssl->handShakeInfo);
|
---|
| 2522 | if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo);
|
---|
| 2523 | #endif
|
---|
| 2524 |
|
---|
| 2525 | /* Protocol version length check. */
|
---|
| 2526 | if (OPAQUE16_LEN > helloSz)
|
---|
| 2527 | return BUFFER_ERROR;
|
---|
| 2528 |
|
---|
| 2529 | /* Protocol version */
|
---|
| 2530 | XMEMCPY(&pv, input + i, OPAQUE16_LEN);
|
---|
| 2531 | i += OPAQUE16_LEN;
|
---|
| 2532 | ret = CheckVersion(ssl, pv);
|
---|
| 2533 | if (ret != 0)
|
---|
| 2534 | return ret;
|
---|
| 2535 | if (!IsAtLeastTLSv1_3(pv) && pv.major != TLS_DRAFT_MAJOR) {
|
---|
| 2536 | if (ssl->options.downgrade) {
|
---|
| 2537 | ssl->version = pv;
|
---|
| 2538 | return DoServerHello(ssl, input, inOutIdx, helloSz);
|
---|
| 2539 | }
|
---|
| 2540 |
|
---|
| 2541 | WOLFSSL_MSG("CLient using higher version, fatal error");
|
---|
| 2542 | return VERSION_ERROR;
|
---|
| 2543 | }
|
---|
| 2544 |
|
---|
| 2545 | /* Random, cipher suite and extensions length check. */
|
---|
| 2546 | if ((i - begin) + RAN_LEN + OPAQUE16_LEN + OPAQUE16_LEN > helloSz)
|
---|
| 2547 | return BUFFER_ERROR;
|
---|
| 2548 |
|
---|
| 2549 | /* Server random - keep for debugging. */
|
---|
| 2550 | XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN);
|
---|
| 2551 | i += RAN_LEN;
|
---|
| 2552 |
|
---|
| 2553 | /* Set the cipher suite from the message. */
|
---|
| 2554 | ssl->options.cipherSuite0 = input[i++];
|
---|
| 2555 | ssl->options.cipherSuite = input[i++];
|
---|
| 2556 |
|
---|
| 2557 | /* Get extension length and length check. */
|
---|
| 2558 | ato16(&input[i], &totalExtSz);
|
---|
| 2559 | i += OPAQUE16_LEN;
|
---|
| 2560 | if ((i - begin) + totalExtSz > helloSz)
|
---|
| 2561 | return BUFFER_ERROR;
|
---|
| 2562 |
|
---|
| 2563 | /* Parse and handle extensions. */
|
---|
| 2564 | ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, server_hello, NULL);
|
---|
| 2565 | if (ret != 0)
|
---|
| 2566 | return ret;
|
---|
| 2567 |
|
---|
| 2568 | i += totalExtSz;
|
---|
| 2569 | *inOutIdx = i;
|
---|
| 2570 |
|
---|
| 2571 | ssl->options.serverState = SERVER_HELLO_COMPLETE;
|
---|
| 2572 |
|
---|
| 2573 | #ifdef HAVE_SECRET_CALLBACK
|
---|
| 2574 | if (ssl->sessionSecretCb != NULL) {
|
---|
| 2575 | int secretSz = SECRET_LEN;
|
---|
| 2576 | ret = ssl->sessionSecretCb(ssl, ssl->session.masterSecret,
|
---|
| 2577 | &secretSz, ssl->sessionSecretCtx);
|
---|
| 2578 | if (ret != 0 || secretSz != SECRET_LEN)
|
---|
| 2579 | return SESSION_SECRET_CB_E;
|
---|
| 2580 | }
|
---|
| 2581 | #endif /* HAVE_SECRET_CALLBACK */
|
---|
| 2582 |
|
---|
| 2583 | ret = SetCipherSpecs(ssl);
|
---|
| 2584 | if (ret != 0)
|
---|
| 2585 | return ret;
|
---|
| 2586 |
|
---|
| 2587 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 2588 | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
|
---|
| 2589 | if (ext != NULL)
|
---|
| 2590 | psk = (PreSharedKey*)ext->data;
|
---|
| 2591 | while (psk != NULL && !psk->chosen)
|
---|
| 2592 | psk = psk->next;
|
---|
| 2593 | if (psk == NULL) {
|
---|
| 2594 | ssl->options.resuming = 0;
|
---|
| 2595 | ssl->arrays->psk_keySz = 0;
|
---|
| 2596 | XMEMSET(ssl->arrays->psk_key, 0, MAX_PSK_KEY_LEN);
|
---|
| 2597 | }
|
---|
| 2598 | else if ((ret = SetupPskKey(ssl, psk)) != 0)
|
---|
| 2599 | return ret;
|
---|
| 2600 | #endif
|
---|
| 2601 |
|
---|
| 2602 | ssl->keys.encryptionOn = 1;
|
---|
| 2603 |
|
---|
| 2604 | WOLFSSL_LEAVE("DoTls13ServerHello", ret);
|
---|
| 2605 |
|
---|
| 2606 | return ret;
|
---|
| 2607 | }
|
---|
| 2608 |
|
---|
| 2609 | /* Parse and handle an EncryptedExtensions message.
|
---|
| 2610 | * Only a client will receive this message.
|
---|
| 2611 | *
|
---|
| 2612 | * ssl The SSL/TLS object.
|
---|
| 2613 | * input The message buffer.
|
---|
| 2614 | * inOutIdx On entry, the index into the message buffer of
|
---|
| 2615 | * EncryptedExtensions.
|
---|
| 2616 | * On exit, the index of byte after the EncryptedExtensions
|
---|
| 2617 | * message.
|
---|
| 2618 | * totalSz The length of the current handshake message.
|
---|
| 2619 | * returns 0 on success and otherwise failure.
|
---|
| 2620 | */
|
---|
| 2621 | static int DoTls13EncryptedExtensions(WOLFSSL* ssl, const byte* input,
|
---|
| 2622 | word32* inOutIdx, word32 totalSz)
|
---|
| 2623 | {
|
---|
| 2624 | int ret;
|
---|
| 2625 | word32 begin = *inOutIdx;
|
---|
| 2626 | word32 i = begin;
|
---|
| 2627 | word16 totalExtSz;
|
---|
| 2628 |
|
---|
| 2629 | WOLFSSL_ENTER("DoTls13EncryptedExtensions");
|
---|
| 2630 |
|
---|
| 2631 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 2632 | if (ssl->hsInfoOn) AddPacketName("EncryptedExtensions",
|
---|
| 2633 | &ssl->handShakeInfo);
|
---|
| 2634 | if (ssl->toInfoOn) AddLateName("EncryptedExtensions", &ssl->timeoutInfo);
|
---|
| 2635 | #endif
|
---|
| 2636 |
|
---|
| 2637 | /* Length field of extension data. */
|
---|
| 2638 | if (totalSz < i - begin + OPAQUE16_LEN)
|
---|
| 2639 | return BUFFER_ERROR;
|
---|
| 2640 | ato16(&input[i], &totalExtSz);
|
---|
| 2641 | i += OPAQUE16_LEN;
|
---|
| 2642 |
|
---|
| 2643 | /* Extension data. */
|
---|
| 2644 | if (i - begin + totalExtSz > totalSz)
|
---|
| 2645 | return BUFFER_ERROR;
|
---|
| 2646 | if ((ret = TLSX_Parse(ssl, (byte *)(input + i), totalExtSz,
|
---|
| 2647 | encrypted_extensions, NULL)))
|
---|
| 2648 | return ret;
|
---|
| 2649 |
|
---|
| 2650 | /* Move index to byte after message. */
|
---|
| 2651 | *inOutIdx = i + totalExtSz;
|
---|
| 2652 |
|
---|
| 2653 | /* Always encrypted. */
|
---|
| 2654 | *inOutIdx += ssl->keys.padSz;
|
---|
| 2655 |
|
---|
| 2656 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 2657 | if (ssl->earlyData) {
|
---|
| 2658 | TLSX* ext = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
|
---|
| 2659 | if (ext == NULL || !ext->val)
|
---|
| 2660 | ssl->earlyData = 0;
|
---|
| 2661 | }
|
---|
| 2662 | #endif
|
---|
| 2663 |
|
---|
| 2664 | WOLFSSL_LEAVE("DoTls13EncryptedExtensions", ret);
|
---|
| 2665 |
|
---|
| 2666 | return ret;
|
---|
| 2667 | }
|
---|
| 2668 |
|
---|
| 2669 | /* Handle a TLS v1.3 CertificateRequest message.
|
---|
| 2670 | * This message is always encrypted.
|
---|
| 2671 | * Only a client will receive this message.
|
---|
| 2672 | *
|
---|
| 2673 | * ssl The SSL/TLS object.
|
---|
| 2674 | * input The message buffer.
|
---|
| 2675 | * inOutIdx On entry, the index into the message buffer of CertificateRequest.
|
---|
| 2676 | * On exit, the index of byte after the CertificateRequest message.
|
---|
| 2677 | * size The length of the current handshake message.
|
---|
| 2678 | * returns 0 on success and otherwise failure.
|
---|
| 2679 | */
|
---|
| 2680 | static int DoTls13CertificateRequest(WOLFSSL* ssl, const byte* input,
|
---|
| 2681 | word32* inOutIdx, word32 size)
|
---|
| 2682 | {
|
---|
| 2683 | word16 len;
|
---|
| 2684 | word32 begin = *inOutIdx;
|
---|
| 2685 | int ret = 0;
|
---|
| 2686 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
| 2687 | Suites peerSuites;
|
---|
| 2688 | #endif
|
---|
| 2689 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
|
---|
| 2690 | CertReqCtx* certReqCtx;
|
---|
| 2691 | #endif
|
---|
| 2692 |
|
---|
| 2693 | WOLFSSL_ENTER("DoTls13CertificateRequest");
|
---|
| 2694 |
|
---|
| 2695 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 2696 | if (ssl->hsInfoOn) AddPacketName("CertificateRequest", &ssl->handShakeInfo);
|
---|
| 2697 | if (ssl->toInfoOn) AddLateName("CertificateRequest", &ssl->timeoutInfo);
|
---|
| 2698 | #endif
|
---|
| 2699 |
|
---|
| 2700 | if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
|
---|
| 2701 | return BUFFER_ERROR;
|
---|
| 2702 |
|
---|
| 2703 | /* Length of the request context. */
|
---|
| 2704 | len = input[(*inOutIdx)++];
|
---|
| 2705 | if ((*inOutIdx - begin) + len > size)
|
---|
| 2706 | return BUFFER_ERROR;
|
---|
| 2707 | if (ssl->options.connectState < FINISHED_DONE && len > 0)
|
---|
| 2708 | return BUFFER_ERROR;
|
---|
| 2709 |
|
---|
| 2710 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
|
---|
| 2711 | /* CertReqCtx has one byte at end for context value.
|
---|
| 2712 | * Increase size to handle other implementations sending more than one byte.
|
---|
| 2713 | * That is, allocate extra space, over one byte, to hold the context value.
|
---|
| 2714 | */
|
---|
| 2715 | certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx) + len - 1, ssl->heap,
|
---|
| 2716 | DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 2717 | if (certReqCtx == NULL)
|
---|
| 2718 | return MEMORY_E;
|
---|
| 2719 | certReqCtx->next = ssl->certReqCtx;
|
---|
| 2720 | certReqCtx->len = len;
|
---|
| 2721 | XMEMCPY(&certReqCtx->ctx, input + *inOutIdx, len);
|
---|
| 2722 | ssl->certReqCtx = certReqCtx;
|
---|
| 2723 | #endif
|
---|
| 2724 | *inOutIdx += len;
|
---|
| 2725 |
|
---|
| 2726 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 2727 | /* Signature and hash algorithms. */
|
---|
| 2728 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
|
---|
| 2729 | return BUFFER_ERROR;
|
---|
| 2730 | ato16(input + *inOutIdx, &len);
|
---|
| 2731 | *inOutIdx += OPAQUE16_LEN;
|
---|
| 2732 | if ((*inOutIdx - begin) + len > size)
|
---|
| 2733 | return BUFFER_ERROR;
|
---|
| 2734 | PickHashSigAlgo(ssl, input + *inOutIdx, len);
|
---|
| 2735 | *inOutIdx += len;
|
---|
| 2736 |
|
---|
| 2737 | /* Length of certificate authority data. */
|
---|
| 2738 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
|
---|
| 2739 | return BUFFER_ERROR;
|
---|
| 2740 | ato16(input + *inOutIdx, &len);
|
---|
| 2741 | *inOutIdx += OPAQUE16_LEN;
|
---|
| 2742 | if ((*inOutIdx - begin) + len > size)
|
---|
| 2743 | return BUFFER_ERROR;
|
---|
| 2744 |
|
---|
| 2745 | /* Certificate authorities. */
|
---|
| 2746 | while (len) {
|
---|
| 2747 | word16 dnSz;
|
---|
| 2748 |
|
---|
| 2749 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
|
---|
| 2750 | return BUFFER_ERROR;
|
---|
| 2751 |
|
---|
| 2752 | ato16(input + *inOutIdx, &dnSz);
|
---|
| 2753 | *inOutIdx += OPAQUE16_LEN;
|
---|
| 2754 |
|
---|
| 2755 | if ((*inOutIdx - begin) + dnSz > size)
|
---|
| 2756 | return BUFFER_ERROR;
|
---|
| 2757 |
|
---|
| 2758 | *inOutIdx += dnSz;
|
---|
| 2759 | len -= OPAQUE16_LEN + dnSz;
|
---|
| 2760 | }
|
---|
| 2761 |
|
---|
| 2762 | /* Certificate extensions */
|
---|
| 2763 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
|
---|
| 2764 | return BUFFER_ERROR;
|
---|
| 2765 | ato16(input + *inOutIdx, &len);
|
---|
| 2766 | *inOutIdx += OPAQUE16_LEN;
|
---|
| 2767 | if ((*inOutIdx - begin) + len > size)
|
---|
| 2768 | return BUFFER_ERROR;
|
---|
| 2769 | *inOutIdx += len;
|
---|
| 2770 | #else
|
---|
| 2771 | /* TODO: Add support for more extensions:
|
---|
| 2772 | * signed_certificate_timestamp, certificate_authorities, oid_filters.
|
---|
| 2773 | */
|
---|
| 2774 | /* Certificate extensions */
|
---|
| 2775 | if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
|
---|
| 2776 | return BUFFER_ERROR;
|
---|
| 2777 | ato16(input + *inOutIdx, &len);
|
---|
| 2778 | *inOutIdx += OPAQUE16_LEN;
|
---|
| 2779 | if ((*inOutIdx - begin) + len > size)
|
---|
| 2780 | return BUFFER_ERROR;
|
---|
| 2781 | if (len == 0)
|
---|
| 2782 | return INVALID_PARAMETER;
|
---|
| 2783 | if ((ret = TLSX_Parse(ssl, (byte *)(input + *inOutIdx), len,
|
---|
| 2784 | certificate_request, &peerSuites))) {
|
---|
| 2785 | return ret;
|
---|
| 2786 | }
|
---|
| 2787 | *inOutIdx += len;
|
---|
| 2788 |
|
---|
| 2789 | PickHashSigAlgo(ssl, peerSuites.hashSigAlgo, peerSuites.hashSigAlgoSz);
|
---|
| 2790 | #endif
|
---|
| 2791 |
|
---|
| 2792 | if (ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
|
---|
| 2793 | ssl->buffers.key && ssl->buffers.key->buffer)
|
---|
| 2794 | ssl->options.sendVerify = SEND_CERT;
|
---|
| 2795 | else
|
---|
| 2796 | ssl->options.sendVerify = SEND_BLANK_CERT;
|
---|
| 2797 |
|
---|
| 2798 | /* This message is always encrypted so add encryption padding. */
|
---|
| 2799 | *inOutIdx += ssl->keys.padSz;
|
---|
| 2800 |
|
---|
| 2801 | #if !defined(NO_WOLFSSL_CLIENT) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
|
---|
| 2802 | if (ssl->options.side == WOLFSSL_CLIENT_END &&
|
---|
| 2803 | ssl->options.handShakeState == HANDSHAKE_DONE) {
|
---|
| 2804 | /* reset handshake states */
|
---|
| 2805 | ssl->options.clientState = CLIENT_HELLO_COMPLETE;
|
---|
| 2806 | ssl->options.connectState = FIRST_REPLY_DONE;
|
---|
| 2807 | ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
|
---|
| 2808 | }
|
---|
| 2809 | #endif
|
---|
| 2810 |
|
---|
| 2811 | WOLFSSL_LEAVE("DoTls13CertificateRequest", ret);
|
---|
| 2812 |
|
---|
| 2813 | return ret;
|
---|
| 2814 | }
|
---|
| 2815 |
|
---|
| 2816 | #endif /* !NO_WOLFSSL_CLIENT */
|
---|
| 2817 |
|
---|
| 2818 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 2819 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 2820 | /* Handle any Pre-Shared Key (PSK) extension.
|
---|
| 2821 | * Must do this in ClientHello as it requires a hash of the truncated message.
|
---|
| 2822 | * Don't know size of binders until Pre-Shared Key extension has been parsed.
|
---|
| 2823 | *
|
---|
| 2824 | * ssl The SSL/TLS object.
|
---|
| 2825 | * input The ClientHello message.
|
---|
| 2826 | * helloSz The size of the ClientHello message (including binders if present).
|
---|
| 2827 | * usingPSK Indicates handshake is using Pre-Shared Keys.
|
---|
| 2828 | * returns 0 on success and otherwise failure.
|
---|
| 2829 | */
|
---|
| 2830 | static int DoPreSharedKeys(WOLFSSL* ssl, const byte* input, word32 helloSz,
|
---|
| 2831 | int* usingPSK)
|
---|
| 2832 | {
|
---|
| 2833 | int ret;
|
---|
| 2834 | TLSX* ext;
|
---|
| 2835 | word16 bindersLen;
|
---|
| 2836 | PreSharedKey* current;
|
---|
| 2837 | byte binderKey[MAX_DIGEST_SIZE];
|
---|
| 2838 | byte binder[MAX_DIGEST_SIZE];
|
---|
| 2839 | word32 binderLen;
|
---|
| 2840 | word16 modes;
|
---|
| 2841 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 2842 | int pskCnt = 0;
|
---|
| 2843 | TLSX* extEarlyData;
|
---|
| 2844 | #endif
|
---|
| 2845 |
|
---|
| 2846 | ext = TLSX_Find(ssl->extensions, TLSX_PRE_SHARED_KEY);
|
---|
| 2847 | if (ext == NULL) {
|
---|
| 2848 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 2849 | ssl->earlyData = 0;
|
---|
| 2850 | #endif
|
---|
| 2851 | return 0;
|
---|
| 2852 | }
|
---|
| 2853 |
|
---|
| 2854 | /* Extensions pushed on stack/list and PSK must be last. */
|
---|
| 2855 | if (ssl->extensions != ext)
|
---|
| 2856 | return PSK_KEY_ERROR;
|
---|
| 2857 |
|
---|
| 2858 | /* Assume we are going to resume with a pre-shared key. */
|
---|
| 2859 | ssl->options.resuming = 1;
|
---|
| 2860 |
|
---|
| 2861 | /* Find the pre-shared key extension and calculate hash of truncated
|
---|
| 2862 | * ClientHello for binders.
|
---|
| 2863 | */
|
---|
| 2864 | bindersLen = TLSX_PreSharedKey_GetSizeBinders((PreSharedKey*)ext->data,
|
---|
| 2865 | client_hello);
|
---|
| 2866 |
|
---|
| 2867 | /* Hash data up to binders for deriving binders in PSK extension. */
|
---|
| 2868 | ret = HashInput(ssl, input, helloSz - bindersLen);
|
---|
| 2869 | if (ret != 0)
|
---|
| 2870 | return ret;
|
---|
| 2871 |
|
---|
| 2872 | /* Look through all client's pre-shared keys for a match. */
|
---|
| 2873 | current = (PreSharedKey*)ext->data;
|
---|
| 2874 | while (current != NULL) {
|
---|
| 2875 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 2876 | pskCnt++;
|
---|
| 2877 | #endif
|
---|
| 2878 |
|
---|
| 2879 | #ifndef NO_PSK
|
---|
| 2880 | XMEMCPY(ssl->arrays->client_identity, current->identity,
|
---|
| 2881 | current->identityLen);
|
---|
| 2882 | ssl->arrays->client_identity[current->identityLen] = '\0';
|
---|
| 2883 | #endif
|
---|
| 2884 |
|
---|
| 2885 | #ifdef HAVE_SESSION_TICKET
|
---|
| 2886 | /* Decode the identity. */
|
---|
| 2887 | if ((ret = DoClientTicket(ssl, current->identity, current->identityLen))
|
---|
| 2888 | == WOLFSSL_TICKET_RET_OK) {
|
---|
| 2889 | word32 now;
|
---|
| 2890 | int diff;
|
---|
| 2891 |
|
---|
| 2892 | now = TimeNowInMilliseconds();
|
---|
| 2893 | if (now == (word32)GETTIME_ERROR)
|
---|
| 2894 | return now;
|
---|
| 2895 | diff = now - ssl->session.ticketSeen;
|
---|
| 2896 | diff -= current->ticketAge - ssl->session.ticketAdd;
|
---|
| 2897 | /* Check session and ticket age timeout.
|
---|
| 2898 | * Allow +/- 1000 milliseconds on ticket age.
|
---|
| 2899 | */
|
---|
| 2900 | if (diff > (int)ssl->timeout * 1000 || diff < -1000 ||
|
---|
| 2901 | diff - MAX_TICKET_AGE_SECS * 1000 > 1000) {
|
---|
| 2902 | /* Invalid difference, fallback to full handshake. */
|
---|
| 2903 | ssl->options.resuming = 0;
|
---|
| 2904 | break;
|
---|
| 2905 | }
|
---|
| 2906 |
|
---|
| 2907 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 2908 | ssl->options.maxEarlyDataSz = ssl->session.maxEarlyDataSz;
|
---|
| 2909 | #endif
|
---|
| 2910 | /* Use the same cipher suite as before and set up for use. */
|
---|
| 2911 | ssl->options.cipherSuite0 = ssl->session.cipherSuite0;
|
---|
| 2912 | ssl->options.cipherSuite = ssl->session.cipherSuite;
|
---|
| 2913 | ret = SetCipherSpecs(ssl);
|
---|
| 2914 | if (ret != 0)
|
---|
| 2915 | return ret;
|
---|
| 2916 |
|
---|
| 2917 | /* Resumption PSK is resumption master secret. */
|
---|
| 2918 | ssl->arrays->psk_keySz = ssl->specs.hash_size;
|
---|
| 2919 | XMEMCPY(ssl->arrays->psk_key, ssl->session.masterSecret,
|
---|
| 2920 | ssl->specs.hash_size);
|
---|
| 2921 |
|
---|
| 2922 | /* Derive the early secret using the PSK. */
|
---|
| 2923 | ret = DeriveEarlySecret(ssl);
|
---|
| 2924 | if (ret != 0)
|
---|
| 2925 | return ret;
|
---|
| 2926 | /* Derive the binder key to use to with HMAC. */
|
---|
| 2927 | ret = DeriveBinderKeyResume(ssl, binderKey);
|
---|
| 2928 | if (ret != 0)
|
---|
| 2929 | return ret;
|
---|
| 2930 | }
|
---|
| 2931 | else
|
---|
| 2932 | #endif
|
---|
| 2933 | #ifndef NO_PSK
|
---|
| 2934 | if (ssl->options.server_psk_cb != NULL &&
|
---|
| 2935 | (ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl,
|
---|
| 2936 | ssl->arrays->client_identity, ssl->arrays->psk_key,
|
---|
| 2937 | MAX_PSK_KEY_LEN)) != 0) {
|
---|
| 2938 | if (ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
|
---|
| 2939 | return PSK_KEY_ERROR;
|
---|
| 2940 |
|
---|
| 2941 | ssl->options.resuming = 0;
|
---|
| 2942 |
|
---|
| 2943 | /* PSK age is always zero. */
|
---|
| 2944 | if (current->ticketAge != ssl->session.ticketAdd)
|
---|
| 2945 | return PSK_KEY_ERROR;
|
---|
| 2946 |
|
---|
| 2947 | /* TODO: Callback should be able to change ciphersuite. */
|
---|
| 2948 | /* Default to ciphersuite if cb doesn't specify. */
|
---|
| 2949 | ssl->options.cipherSuite0 = TLS13_BYTE;
|
---|
| 2950 | ssl->options.cipherSuite = WOLFSSL_DEF_PSK_CIPHER;
|
---|
| 2951 | ret = SetCipherSpecs(ssl);
|
---|
| 2952 | if (ret != 0)
|
---|
| 2953 | return ret;
|
---|
| 2954 |
|
---|
| 2955 | /* Derive the early secret using the PSK. */
|
---|
| 2956 | ret = DeriveEarlySecret(ssl);
|
---|
| 2957 | if (ret != 0)
|
---|
| 2958 | return ret;
|
---|
| 2959 | /* Derive the binder key to use to with HMAC. */
|
---|
| 2960 | ret = DeriveBinderKey(ssl, binderKey);
|
---|
| 2961 | if (ret != 0)
|
---|
| 2962 | return ret;
|
---|
| 2963 | }
|
---|
| 2964 | else
|
---|
| 2965 | #endif
|
---|
| 2966 | {
|
---|
| 2967 | current = current->next;
|
---|
| 2968 | continue;
|
---|
| 2969 | }
|
---|
| 2970 |
|
---|
| 2971 | ssl->options.sendVerify = 0;
|
---|
| 2972 |
|
---|
| 2973 | /* Derive the Finished message secret. */
|
---|
| 2974 | ret = DeriveFinishedSecret(ssl, binderKey,
|
---|
| 2975 | ssl->keys.client_write_MAC_secret);
|
---|
| 2976 | if (ret != 0)
|
---|
| 2977 | return ret;
|
---|
| 2978 |
|
---|
| 2979 | /* Derive the binder and compare with the one in the extension. */
|
---|
| 2980 | ret = BuildTls13HandshakeHmac(ssl,
|
---|
| 2981 | ssl->keys.client_write_MAC_secret, binder, &binderLen);
|
---|
| 2982 | if (ret != 0)
|
---|
| 2983 | return ret;
|
---|
| 2984 | if (binderLen != current->binderLen ||
|
---|
| 2985 | XMEMCMP(binder, current->binder, binderLen) != 0) {
|
---|
| 2986 | return BAD_BINDER;
|
---|
| 2987 | }
|
---|
| 2988 |
|
---|
| 2989 | /* This PSK works, no need to try any more. */
|
---|
| 2990 | current->chosen = 1;
|
---|
| 2991 | ext->resp = 1;
|
---|
| 2992 | break;
|
---|
| 2993 | }
|
---|
| 2994 |
|
---|
| 2995 | /* Hash the rest of the ClientHello. */
|
---|
| 2996 | ret = HashInputRaw(ssl, input + helloSz - bindersLen, bindersLen);
|
---|
| 2997 | if (ret != 0)
|
---|
| 2998 | return ret;
|
---|
| 2999 |
|
---|
| 3000 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 3001 | extEarlyData = TLSX_Find(ssl->extensions, TLSX_EARLY_DATA);
|
---|
| 3002 | if (extEarlyData != NULL) {
|
---|
| 3003 | if (ssl->earlyData && current == ext->data) {
|
---|
| 3004 | extEarlyData->resp = 1;
|
---|
| 3005 |
|
---|
| 3006 | /* Derive early data decryption key. */
|
---|
| 3007 | ret = DeriveTls13Keys(ssl, early_data_key, DECRYPT_SIDE_ONLY, 1);
|
---|
| 3008 | if (ret != 0)
|
---|
| 3009 | return ret;
|
---|
| 3010 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
|
---|
| 3011 | return ret;
|
---|
| 3012 |
|
---|
| 3013 | ssl->earlyData = 2;
|
---|
| 3014 | }
|
---|
| 3015 | else
|
---|
| 3016 | extEarlyData->resp = 0;
|
---|
| 3017 | }
|
---|
| 3018 | #endif
|
---|
| 3019 |
|
---|
| 3020 | /* Get the PSK key exchange modes the client wants to negotiate. */
|
---|
| 3021 | ext = TLSX_Find(ssl->extensions, TLSX_PSK_KEY_EXCHANGE_MODES);
|
---|
| 3022 | if (ext == NULL)
|
---|
| 3023 | return MISSING_HANDSHAKE_DATA;
|
---|
| 3024 | modes = ext->val;
|
---|
| 3025 |
|
---|
| 3026 | ext = TLSX_Find(ssl->extensions, TLSX_KEY_SHARE);
|
---|
| 3027 | /* Use (EC)DHE for forward-security if possible. */
|
---|
| 3028 | if ((modes & (1 << PSK_DHE_KE)) != 0 && !ssl->options.noPskDheKe &&
|
---|
| 3029 | ext != NULL) {
|
---|
| 3030 | /* Only use named group used in last session. */
|
---|
| 3031 | ssl->namedGroup = ssl->session.namedGroup;
|
---|
| 3032 |
|
---|
| 3033 | /* Try to establish a new secret. */
|
---|
| 3034 | ret = TLSX_KeyShare_Establish(ssl);
|
---|
| 3035 | if (ret == KEY_SHARE_ERROR)
|
---|
| 3036 | return PSK_KEY_ERROR;
|
---|
| 3037 | else if (ret < 0)
|
---|
| 3038 | return ret;
|
---|
| 3039 |
|
---|
| 3040 | /* Send new public key to client. */
|
---|
| 3041 | ext->resp = 1;
|
---|
| 3042 | }
|
---|
| 3043 | else if ((modes & (1 << PSK_KE)) == 0)
|
---|
| 3044 | return PSK_KEY_ERROR;
|
---|
| 3045 |
|
---|
| 3046 | *usingPSK = 1;
|
---|
| 3047 |
|
---|
| 3048 | return ret;
|
---|
| 3049 | }
|
---|
| 3050 | #endif
|
---|
| 3051 |
|
---|
| 3052 | #if !defined(WOLFSSL_TLS13_DRAFT_18) && defined(WOLFSSL_SEND_HRR_COOKIE)
|
---|
| 3053 | /* Check that the Cookie data's integrity.
|
---|
| 3054 | *
|
---|
| 3055 | * ssl SSL/TLS object.
|
---|
| 3056 | * cookie The cookie data - hash and MAC.
|
---|
| 3057 | * cookieSz The length of the cookie data in bytes.
|
---|
| 3058 | * returns Length of the hash on success, otherwise failure.
|
---|
| 3059 | */
|
---|
| 3060 | static int CheckCookie(WOLFSSL* ssl, byte* cookie, byte cookieSz)
|
---|
| 3061 | {
|
---|
| 3062 | int ret;
|
---|
| 3063 | byte mac[MAX_DIGEST_SIZE];
|
---|
| 3064 | Hmac cookieHmac;
|
---|
| 3065 | byte cookieType;
|
---|
| 3066 | byte macSz;
|
---|
| 3067 |
|
---|
| 3068 | #if !defined(NO_SHA) && defined(NO_SHA256)
|
---|
| 3069 | cookieType = SHA;
|
---|
| 3070 | macSz = WC_SHA_DIGEST_SIZE;
|
---|
| 3071 | #endif /* NO_SHA */
|
---|
| 3072 | #ifndef NO_SHA256
|
---|
| 3073 | cookieType = WC_SHA256;
|
---|
| 3074 | macSz = WC_SHA256_DIGEST_SIZE;
|
---|
| 3075 | #endif /* NO_SHA256 */
|
---|
| 3076 |
|
---|
| 3077 | if (cookieSz < ssl->specs.hash_size + macSz)
|
---|
| 3078 | return HRR_COOKIE_ERROR;
|
---|
| 3079 | cookieSz -= macSz;
|
---|
| 3080 |
|
---|
| 3081 | ret = wc_HmacSetKey(&cookieHmac, cookieType,
|
---|
| 3082 | ssl->buffers.tls13CookieSecret.buffer,
|
---|
| 3083 | ssl->buffers.tls13CookieSecret.length);
|
---|
| 3084 | if (ret != 0)
|
---|
| 3085 | return ret;
|
---|
| 3086 | if ((ret = wc_HmacUpdate(&cookieHmac, cookie, cookieSz)) != 0)
|
---|
| 3087 | return ret;
|
---|
| 3088 | if ((ret = wc_HmacFinal(&cookieHmac, mac)) != 0)
|
---|
| 3089 | return ret;
|
---|
| 3090 |
|
---|
| 3091 | if (ConstantCompare(cookie + cookieSz, mac, macSz) != 0)
|
---|
| 3092 | return HRR_COOKIE_ERROR;
|
---|
| 3093 | return cookieSz;
|
---|
| 3094 | }
|
---|
| 3095 |
|
---|
| 3096 | /* Length of the KeyShare Extension */
|
---|
| 3097 | #define HRR_KEY_SHARE_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
|
---|
| 3098 | /* Length of the Cookie Extension excluding cookie data */
|
---|
| 3099 | #define HRR_COOKIE_HDR_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
|
---|
| 3100 | /* PV | CipherSuite | Ext Len */
|
---|
| 3101 | #define HRR_BODY_SZ (OPAQUE16_LEN + OPAQUE16_LEN + OPAQUE16_LEN)
|
---|
| 3102 | /* HH | PV | CipherSuite | Ext Len | Key Share | Cookie */
|
---|
| 3103 | #define MAX_HRR_SZ (HANDSHAKE_HEADER_SZ + \
|
---|
| 3104 | HRR_BODY_SZ + \
|
---|
| 3105 | HRR_KEY_SHARE_SZ + \
|
---|
| 3106 | HRR_COOKIE_HDR_SZ)
|
---|
| 3107 | /* Restart the Hanshake hash from the cookie value.
|
---|
| 3108 | *
|
---|
| 3109 | * ssl SSL/TLS object.
|
---|
| 3110 | * cookie Cookie data from client.
|
---|
| 3111 | * returns 0 on success, otherwise failure.
|
---|
| 3112 | */
|
---|
| 3113 | static int RestartHandshakeHashWithCookie(WOLFSSL* ssl, Cookie* cookie)
|
---|
| 3114 | {
|
---|
| 3115 | byte header[HANDSHAKE_HEADER_SZ];
|
---|
| 3116 | byte hrr[MAX_HRR_SZ];
|
---|
| 3117 | int hrrIdx;
|
---|
| 3118 | word32 idx;
|
---|
| 3119 | byte hashSz;
|
---|
| 3120 | byte* cookieData;
|
---|
| 3121 | byte cookieDataSz;
|
---|
| 3122 | word16 length;
|
---|
| 3123 | int keyShareExt = 0;
|
---|
| 3124 | int ret;
|
---|
| 3125 |
|
---|
| 3126 | cookieDataSz = ret = CheckCookie(ssl, &cookie->data, cookie->len);
|
---|
| 3127 | if (ret < 0)
|
---|
| 3128 | return ret;
|
---|
| 3129 | hashSz = cookie->data;
|
---|
| 3130 | cookieData = &cookie->data;
|
---|
| 3131 | idx = OPAQUE8_LEN;
|
---|
| 3132 |
|
---|
| 3133 | /* Restart handshake hash with synthetic message hash. */
|
---|
| 3134 | AddTls13HandShakeHeader(header, hashSz, 0, 0, message_hash, ssl);
|
---|
| 3135 | if ((ret = InitHandshakeHashes(ssl)) != 0)
|
---|
| 3136 | return ret;
|
---|
| 3137 | if ((ret = HashOutputRaw(ssl, header, sizeof(header))) != 0)
|
---|
| 3138 | return ret;
|
---|
| 3139 | if ((ret = HashOutputRaw(ssl, cookieData + idx, hashSz)) != 0)
|
---|
| 3140 | return ret;
|
---|
| 3141 |
|
---|
| 3142 | /* Reconstruct the HelloRetryMessage for handshake hash. */
|
---|
| 3143 | length = HRR_BODY_SZ + HRR_COOKIE_HDR_SZ + cookie->len;
|
---|
| 3144 | if (cookieDataSz > hashSz + OPAQUE16_LEN) {
|
---|
| 3145 | keyShareExt = 1;
|
---|
| 3146 | length += HRR_KEY_SHARE_SZ;
|
---|
| 3147 | }
|
---|
| 3148 | AddTls13HandShakeHeader(hrr, length, 0, 0, hello_retry_request, ssl);
|
---|
| 3149 |
|
---|
| 3150 | idx += hashSz;
|
---|
| 3151 | hrrIdx = HANDSHAKE_HEADER_SZ;
|
---|
| 3152 | /* TODO: [TLS13] Replace existing code with code in comment.
|
---|
| 3153 | * Use the TLS v1.3 draft version for now.
|
---|
| 3154 | *
|
---|
| 3155 | * Change to:
|
---|
| 3156 | * hrr[hrrIdx++] = ssl->version.major;
|
---|
| 3157 | * hrr[hrrIdx++] = ssl->version.minor;
|
---|
| 3158 | */
|
---|
| 3159 | /* The negotiated protocol version. */
|
---|
| 3160 | hrr[hrrIdx++] = TLS_DRAFT_MAJOR;
|
---|
| 3161 | hrr[hrrIdx++] = TLS_DRAFT_MINOR;
|
---|
| 3162 | /* Cipher Suite */
|
---|
| 3163 | hrr[hrrIdx++] = cookieData[idx++];
|
---|
| 3164 | hrr[hrrIdx++] = cookieData[idx++];
|
---|
| 3165 |
|
---|
| 3166 | /* Extensions' length */
|
---|
| 3167 | length -= HRR_BODY_SZ;
|
---|
| 3168 | c16toa(length, hrr + hrrIdx);
|
---|
| 3169 | hrrIdx += 2;
|
---|
| 3170 | /* Optional KeyShare Extension */
|
---|
| 3171 | if (keyShareExt) {
|
---|
| 3172 | c16toa(TLSX_KEY_SHARE, hrr + hrrIdx);
|
---|
| 3173 | hrrIdx += 2;
|
---|
| 3174 | c16toa(OPAQUE16_LEN, hrr + hrrIdx);
|
---|
| 3175 | hrrIdx += 2;
|
---|
| 3176 | hrr[hrrIdx++] = cookieData[idx++];
|
---|
| 3177 | hrr[hrrIdx++] = cookieData[idx++];
|
---|
| 3178 | }
|
---|
| 3179 | /* Mandatory Cookie Extension */
|
---|
| 3180 | c16toa(TLSX_COOKIE, hrr + hrrIdx);
|
---|
| 3181 | hrrIdx += 2;
|
---|
| 3182 | c16toa(cookie->len + OPAQUE16_LEN, hrr + hrrIdx);
|
---|
| 3183 | hrrIdx += 2;
|
---|
| 3184 | c16toa(cookie->len, hrr + hrrIdx);
|
---|
| 3185 | hrrIdx += 2;
|
---|
| 3186 |
|
---|
| 3187 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 3188 | WOLFSSL_MSG("Reconstucted HelloRetryRequest");
|
---|
| 3189 | WOLFSSL_BUFFER(hrr, hrrIdx);
|
---|
| 3190 | WOLFSSL_MSG("Cookie");
|
---|
| 3191 | WOLFSSL_BUFFER(cookieData, cookie->len);
|
---|
| 3192 | #endif
|
---|
| 3193 |
|
---|
| 3194 | if ((ret = HashOutputRaw(ssl, hrr, hrrIdx)) != 0)
|
---|
| 3195 | return ret;
|
---|
| 3196 | return HashOutputRaw(ssl, cookieData, cookie->len);
|
---|
| 3197 | }
|
---|
| 3198 | #endif
|
---|
| 3199 |
|
---|
| 3200 | /* Handle a ClientHello handshake message.
|
---|
| 3201 | * If the protocol version in the message is not TLS v1.3 or higher, use
|
---|
| 3202 | * DoClientHello()
|
---|
| 3203 | * Only a server will receive this message.
|
---|
| 3204 | *
|
---|
| 3205 | * ssl The SSL/TLS object.
|
---|
| 3206 | * input The message buffer.
|
---|
| 3207 | * inOutIdx On entry, the index into the message buffer of ClientHello.
|
---|
| 3208 | * On exit, the index of byte after the ClientHello message and
|
---|
| 3209 | * padding.
|
---|
| 3210 | * helloSz The length of the current handshake message.
|
---|
| 3211 | * returns 0 on success and otherwise failure.
|
---|
| 3212 | */
|
---|
| 3213 | int DoTls13ClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
---|
| 3214 | word32 helloSz)
|
---|
| 3215 | {
|
---|
| 3216 | int ret;
|
---|
| 3217 | byte b;
|
---|
| 3218 | ProtocolVersion pv;
|
---|
| 3219 | Suites clSuites;
|
---|
| 3220 | word32 i = *inOutIdx;
|
---|
| 3221 | word32 begin = i;
|
---|
| 3222 | word16 totalExtSz;
|
---|
| 3223 | int usingPSK = 0;
|
---|
| 3224 | byte sessIdSz;
|
---|
| 3225 |
|
---|
| 3226 | WOLFSSL_ENTER("DoTls13ClientHello");
|
---|
| 3227 |
|
---|
| 3228 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 3229 | if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo);
|
---|
| 3230 | if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo);
|
---|
| 3231 | #endif
|
---|
| 3232 |
|
---|
| 3233 | /* protocol version, random and session id length check */
|
---|
| 3234 | if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz)
|
---|
| 3235 | return BUFFER_ERROR;
|
---|
| 3236 |
|
---|
| 3237 | /* Protocol version */
|
---|
| 3238 | XMEMCPY(&pv, input + i, OPAQUE16_LEN);
|
---|
| 3239 | ssl->chVersion = pv; /* store */
|
---|
| 3240 | i += OPAQUE16_LEN;
|
---|
| 3241 |
|
---|
| 3242 | if (ssl->version.major == SSLv3_MAJOR && ssl->version.minor < TLSv1_3_MINOR)
|
---|
| 3243 | return DoClientHello(ssl, input, inOutIdx, helloSz);
|
---|
| 3244 |
|
---|
| 3245 | /* Client random */
|
---|
| 3246 | XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN);
|
---|
| 3247 | i += RAN_LEN;
|
---|
| 3248 |
|
---|
| 3249 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 3250 | WOLFSSL_MSG("client random");
|
---|
| 3251 | WOLFSSL_BUFFER(ssl->arrays->clientRandom, RAN_LEN);
|
---|
| 3252 | #endif
|
---|
| 3253 |
|
---|
| 3254 | /* Session id - empty in TLS v1.3 */
|
---|
| 3255 | sessIdSz = input[i++];
|
---|
| 3256 | if (sessIdSz > 0) {
|
---|
| 3257 | WOLFSSL_MSG("Client sent session id - not supported");
|
---|
| 3258 | return BUFFER_ERROR;
|
---|
| 3259 | }
|
---|
| 3260 |
|
---|
| 3261 | /* Cipher suites */
|
---|
| 3262 | if ((i - begin) + OPAQUE16_LEN > helloSz)
|
---|
| 3263 | return BUFFER_ERROR;
|
---|
| 3264 | ato16(&input[i], &clSuites.suiteSz);
|
---|
| 3265 | i += OPAQUE16_LEN;
|
---|
| 3266 | /* suites and compression length check */
|
---|
| 3267 | if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz)
|
---|
| 3268 | return BUFFER_ERROR;
|
---|
| 3269 | if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
|
---|
| 3270 | return BUFFER_ERROR;
|
---|
| 3271 | XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
|
---|
| 3272 | i += clSuites.suiteSz;
|
---|
| 3273 | clSuites.hashSigAlgoSz = 0;
|
---|
| 3274 |
|
---|
| 3275 | /* Compression */
|
---|
| 3276 | b = input[i++];
|
---|
| 3277 | if ((i - begin) + b > helloSz)
|
---|
| 3278 | return BUFFER_ERROR;
|
---|
| 3279 | if (b != COMP_LEN) {
|
---|
| 3280 | WOLFSSL_MSG("Must be one compression type in list");
|
---|
| 3281 | return INVALID_PARAMETER;
|
---|
| 3282 | }
|
---|
| 3283 | b = input[i++];
|
---|
| 3284 | if (b != NO_COMPRESSION) {
|
---|
| 3285 | WOLFSSL_MSG("Must be no compression type in list");
|
---|
| 3286 | return INVALID_PARAMETER;
|
---|
| 3287 | }
|
---|
| 3288 |
|
---|
| 3289 | /* TLS v1.3 ClientHello messages will have extensions. */
|
---|
| 3290 | if ((i - begin) >= helloSz) {
|
---|
| 3291 | WOLFSSL_MSG("ClientHello must have extensions in TLS v1.3");
|
---|
| 3292 | return BUFFER_ERROR;
|
---|
| 3293 | }
|
---|
| 3294 | if ((i - begin) + OPAQUE16_LEN > helloSz)
|
---|
| 3295 | return BUFFER_ERROR;
|
---|
| 3296 | ato16(&input[i], &totalExtSz);
|
---|
| 3297 | i += OPAQUE16_LEN;
|
---|
| 3298 | if ((i - begin) + totalExtSz > helloSz)
|
---|
| 3299 | return BUFFER_ERROR;
|
---|
| 3300 |
|
---|
| 3301 | #ifdef HAVE_QSH
|
---|
| 3302 | QSH_Init(ssl);
|
---|
| 3303 | #endif
|
---|
| 3304 |
|
---|
| 3305 | /* Auto populate extensions supported unless user defined. */
|
---|
| 3306 | if ((ret = TLSX_PopulateExtensions(ssl, 1)) != 0)
|
---|
| 3307 | return ret;
|
---|
| 3308 |
|
---|
| 3309 | /* Parse extensions */
|
---|
| 3310 | if ((ret = TLSX_Parse(ssl, (byte*)input + i, totalExtSz, client_hello,
|
---|
| 3311 | &clSuites))) {
|
---|
| 3312 | return ret;
|
---|
| 3313 | }
|
---|
| 3314 |
|
---|
| 3315 | #ifdef HAVE_STUNNEL
|
---|
| 3316 | if ((ret = SNI_Callback(ssl)) != 0)
|
---|
| 3317 | return ret;
|
---|
| 3318 | #endif /*HAVE_STUNNEL*/
|
---|
| 3319 |
|
---|
| 3320 | if (TLSX_Find(ssl->extensions, TLSX_SUPPORTED_VERSIONS) == NULL) {
|
---|
| 3321 | if (!ssl->options.downgrade) {
|
---|
| 3322 | WOLFSSL_MSG("Client trying to connect with lesser version");
|
---|
| 3323 | return VERSION_ERROR;
|
---|
| 3324 | }
|
---|
| 3325 | ssl->version.minor = pv.minor;
|
---|
| 3326 | }
|
---|
| 3327 |
|
---|
| 3328 | #ifdef WOLFSSL_SEND_HRR_COOKIE
|
---|
| 3329 | if (ssl->options.sendCookie &&
|
---|
| 3330 | ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
|
---|
| 3331 | TLSX* ext;
|
---|
| 3332 |
|
---|
| 3333 | if ((ext = TLSX_Find(ssl->extensions, TLSX_COOKIE)) == NULL)
|
---|
| 3334 | return HRR_COOKIE_ERROR;
|
---|
| 3335 | /* Ensure the cookie came from client and isn't the one in the response
|
---|
| 3336 | * - HelloRetryRequest.
|
---|
| 3337 | */
|
---|
| 3338 | if (ext->resp == 1)
|
---|
| 3339 | return HRR_COOKIE_ERROR;
|
---|
| 3340 | ret = RestartHandshakeHashWithCookie(ssl, (Cookie*)ext->data);
|
---|
| 3341 | if (ret != 0)
|
---|
| 3342 | return ret;
|
---|
| 3343 | }
|
---|
| 3344 | #endif
|
---|
| 3345 |
|
---|
| 3346 | ssl->options.sendVerify = SEND_CERT;
|
---|
| 3347 |
|
---|
| 3348 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 3349 | /* Process the Pre-Shared Key extension if present. */
|
---|
| 3350 | ret = DoPreSharedKeys(ssl, input + begin, helloSz, &usingPSK);
|
---|
| 3351 | if (ret != 0)
|
---|
| 3352 | return ret;
|
---|
| 3353 | #endif
|
---|
| 3354 |
|
---|
| 3355 | if (!usingPSK) {
|
---|
| 3356 | if ((ret = MatchSuite(ssl, &clSuites)) < 0) {
|
---|
| 3357 | WOLFSSL_MSG("Unsupported cipher suite, ClientHello");
|
---|
| 3358 | return ret;
|
---|
| 3359 | }
|
---|
| 3360 |
|
---|
| 3361 | #ifdef HAVE_SESSION_TICKET
|
---|
| 3362 | if (ssl->options.resuming) {
|
---|
| 3363 | ssl->options.resuming = 0;
|
---|
| 3364 | XMEMSET(ssl->arrays->psk_key, 0, ssl->specs.hash_size);
|
---|
| 3365 | /* May or may not have done any hashing. */
|
---|
| 3366 | if ((ret = InitHandshakeHashes(ssl)) != 0)
|
---|
| 3367 | return ret;
|
---|
| 3368 | }
|
---|
| 3369 | #endif
|
---|
| 3370 |
|
---|
| 3371 | if ((ret = HashInput(ssl, input + begin, helloSz)) != 0)
|
---|
| 3372 | return ret;
|
---|
| 3373 |
|
---|
| 3374 | /* Derive early secret for handshake secret. */
|
---|
| 3375 | if ((ret = DeriveEarlySecret(ssl)) != 0)
|
---|
| 3376 | return ret;
|
---|
| 3377 | }
|
---|
| 3378 |
|
---|
| 3379 | i += totalExtSz;
|
---|
| 3380 | *inOutIdx = i;
|
---|
| 3381 |
|
---|
| 3382 | ssl->options.clientState = CLIENT_HELLO_COMPLETE;
|
---|
| 3383 |
|
---|
| 3384 | WOLFSSL_LEAVE("DoTls13ClientHello", ret);
|
---|
| 3385 |
|
---|
| 3386 | return ret;
|
---|
| 3387 | }
|
---|
| 3388 |
|
---|
| 3389 | /* Send the HelloRetryRequest message to indicate the negotiated protocol
|
---|
| 3390 | * version and security parameters the server is willing to use.
|
---|
| 3391 | * Only a server will send this message.
|
---|
| 3392 | *
|
---|
| 3393 | * ssl The SSL/TLS object.
|
---|
| 3394 | * returns 0 on success, otherwise failure.
|
---|
| 3395 | */
|
---|
| 3396 | int SendTls13HelloRetryRequest(WOLFSSL* ssl)
|
---|
| 3397 | {
|
---|
| 3398 | int ret;
|
---|
| 3399 | byte* output;
|
---|
| 3400 | word32 length;
|
---|
| 3401 | word32 len;
|
---|
| 3402 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 3403 | int sendSz;
|
---|
| 3404 |
|
---|
| 3405 | WOLFSSL_ENTER("SendTls13HelloRetryRequest");
|
---|
| 3406 |
|
---|
| 3407 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
| 3408 | if ((ret = RestartHandshakeHash(ssl)) < 0)
|
---|
| 3409 | return ret;
|
---|
| 3410 | #endif
|
---|
| 3411 |
|
---|
| 3412 | /* Get the length of the extensions that will be written. */
|
---|
| 3413 | len = TLSX_GetResponseSize(ssl, hello_retry_request);
|
---|
| 3414 | /* There must be extensions sent to indicate what client needs to do. */
|
---|
| 3415 | if (len == 0)
|
---|
| 3416 | return MISSING_HANDSHAKE_DATA;
|
---|
| 3417 |
|
---|
| 3418 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
| 3419 | /* Protocol version + CipherSuite + Extensions */
|
---|
| 3420 | length = OPAQUE16_LEN + OPAQUE16_LEN + len;
|
---|
| 3421 | #else
|
---|
| 3422 | /* Protocol version + Extensions */
|
---|
| 3423 | length = OPAQUE16_LEN + len;
|
---|
| 3424 | #endif
|
---|
| 3425 | sendSz = idx + length;
|
---|
| 3426 |
|
---|
| 3427 | /* Check buffers are big enough and grow if needed. */
|
---|
| 3428 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
|
---|
| 3429 | return ret;
|
---|
| 3430 |
|
---|
| 3431 | /* Get position in output buffer to write new message to. */
|
---|
| 3432 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 3433 | ssl->buffers.outputBuffer.length;
|
---|
| 3434 | /* Add record and hanshake headers. */
|
---|
| 3435 | AddTls13Headers(output, length, hello_retry_request, ssl);
|
---|
| 3436 |
|
---|
| 3437 | /* TODO: [TLS13] Replace existing code with code in comment.
|
---|
| 3438 | * Use the TLS v1.3 draft version for now.
|
---|
| 3439 | *
|
---|
| 3440 | * Change to:
|
---|
| 3441 | * output[idx++] = ssl->version.major;
|
---|
| 3442 | * output[idx++] = ssl->version.minor;
|
---|
| 3443 | */
|
---|
| 3444 | /* The negotiated protocol version. */
|
---|
| 3445 | output[idx++] = TLS_DRAFT_MAJOR;
|
---|
| 3446 | output[idx++] = TLS_DRAFT_MINOR;
|
---|
| 3447 |
|
---|
| 3448 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
| 3449 | /* Chosen cipher suite */
|
---|
| 3450 | output[idx++] = ssl->options.cipherSuite0;
|
---|
| 3451 | output[idx++] = ssl->options.cipherSuite;
|
---|
| 3452 | #endif
|
---|
| 3453 |
|
---|
| 3454 | /* Add TLS extensions. */
|
---|
| 3455 | TLSX_WriteResponse(ssl, output + idx, hello_retry_request);
|
---|
| 3456 | idx += len;
|
---|
| 3457 |
|
---|
| 3458 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 3459 | if (ssl->hsInfoOn)
|
---|
| 3460 | AddPacketName("HelloRetryRequest", &ssl->handShakeInfo);
|
---|
| 3461 | if (ssl->toInfoOn) {
|
---|
| 3462 | AddPacketInfo("HelloRetryRequest", &ssl->timeoutInfo, output, sendSz,
|
---|
| 3463 | ssl->heap);
|
---|
| 3464 | }
|
---|
| 3465 | #endif
|
---|
| 3466 |
|
---|
| 3467 | if ((ret = HashOutput(ssl, output, idx, 0)) != 0)
|
---|
| 3468 | return ret;
|
---|
| 3469 |
|
---|
| 3470 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 3471 |
|
---|
| 3472 | if (!ssl->options.groupMessages)
|
---|
| 3473 | ret = SendBuffered(ssl);
|
---|
| 3474 |
|
---|
| 3475 | WOLFSSL_LEAVE("SendTls13HelloRetryRequest", ret);
|
---|
| 3476 |
|
---|
| 3477 | return ret;
|
---|
| 3478 | }
|
---|
| 3479 |
|
---|
| 3480 | /* Send TLS v1.3 ServerHello message to client.
|
---|
| 3481 | * Only a server will send this message.
|
---|
| 3482 | *
|
---|
| 3483 | * ssl The SSL/TLS object.
|
---|
| 3484 | * returns 0 on success, otherwise failure.
|
---|
| 3485 | */
|
---|
| 3486 | static int SendTls13ServerHello(WOLFSSL* ssl)
|
---|
| 3487 | {
|
---|
| 3488 | byte* output;
|
---|
| 3489 | word32 length;
|
---|
| 3490 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 3491 | int sendSz;
|
---|
| 3492 | int ret;
|
---|
| 3493 |
|
---|
| 3494 | WOLFSSL_ENTER("SendTls13ServerHello");
|
---|
| 3495 |
|
---|
| 3496 | /* Protocol version, server random, cipher suite and extensions. */
|
---|
| 3497 | length = VERSION_SZ + RAN_LEN + SUITE_LEN +
|
---|
| 3498 | TLSX_GetResponseSize(ssl, server_hello);
|
---|
| 3499 | sendSz = idx + length;
|
---|
| 3500 |
|
---|
| 3501 | /* Check buffers are big enough and grow if needed. */
|
---|
| 3502 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
|
---|
| 3503 | return ret;
|
---|
| 3504 |
|
---|
| 3505 | /* Get position in output buffer to write new message to. */
|
---|
| 3506 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 3507 | ssl->buffers.outputBuffer.length;
|
---|
| 3508 |
|
---|
| 3509 | /* Put the record and handshake headers on. */
|
---|
| 3510 | AddTls13Headers(output, length, server_hello, ssl);
|
---|
| 3511 |
|
---|
| 3512 | /* TODO: [TLS13] Replace existing code with code in comment.
|
---|
| 3513 | * Use the TLS v1.3 draft version for now.
|
---|
| 3514 | *
|
---|
| 3515 | * Change to:
|
---|
| 3516 | * output[idx++] = ssl->version.major;
|
---|
| 3517 | * output[idx++] = ssl->version.minor;
|
---|
| 3518 | */
|
---|
| 3519 | /* The negotiated protocol version. */
|
---|
| 3520 | output[idx++] = TLS_DRAFT_MAJOR;
|
---|
| 3521 | output[idx++] = TLS_DRAFT_MINOR;
|
---|
| 3522 |
|
---|
| 3523 | /* Generate server random. */
|
---|
| 3524 | if ((ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, RAN_LEN)) != 0)
|
---|
| 3525 | return ret;
|
---|
| 3526 | /* Store in SSL for debugging. */
|
---|
| 3527 | XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN);
|
---|
| 3528 | idx += RAN_LEN;
|
---|
| 3529 |
|
---|
| 3530 | #ifdef WOLFSSL_DEBUG_TLS
|
---|
| 3531 | WOLFSSL_MSG("Server random");
|
---|
| 3532 | WOLFSSL_BUFFER(ssl->arrays->serverRandom, RAN_LEN);
|
---|
| 3533 | #endif
|
---|
| 3534 |
|
---|
| 3535 | /* Chosen cipher suite */
|
---|
| 3536 | output[idx++] = ssl->options.cipherSuite0;
|
---|
| 3537 | output[idx++] = ssl->options.cipherSuite;
|
---|
| 3538 |
|
---|
| 3539 | /* Extensions */
|
---|
| 3540 | TLSX_WriteResponse(ssl, output + idx, server_hello);
|
---|
| 3541 |
|
---|
| 3542 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 3543 |
|
---|
| 3544 | if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0)
|
---|
| 3545 | return ret;
|
---|
| 3546 |
|
---|
| 3547 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 3548 | if (ssl->hsInfoOn)
|
---|
| 3549 | AddPacketName("ServerHello", &ssl->handShakeInfo);
|
---|
| 3550 | if (ssl->toInfoOn) {
|
---|
| 3551 | AddPacketInfo("ServerHello", &ssl->timeoutInfo, output, sendSz,
|
---|
| 3552 | ssl->heap);
|
---|
| 3553 | }
|
---|
| 3554 | #endif
|
---|
| 3555 |
|
---|
| 3556 | ssl->options.serverState = SERVER_HELLO_COMPLETE;
|
---|
| 3557 |
|
---|
| 3558 | if (!ssl->options.groupMessages)
|
---|
| 3559 | ret = SendBuffered(ssl);
|
---|
| 3560 |
|
---|
| 3561 | WOLFSSL_LEAVE("SendTls13ServerHello", ret);
|
---|
| 3562 |
|
---|
| 3563 | return ret;
|
---|
| 3564 | }
|
---|
| 3565 |
|
---|
| 3566 | /* Send the rest of the extensions encrypted under the handshake key.
|
---|
| 3567 | * This message is always encrypted in TLS v1.3.
|
---|
| 3568 | * Only a server will send this message.
|
---|
| 3569 | *
|
---|
| 3570 | * ssl The SSL/TLS object.
|
---|
| 3571 | * returns 0 on success, otherwise failure.
|
---|
| 3572 | */
|
---|
| 3573 | static int SendTls13EncryptedExtensions(WOLFSSL* ssl)
|
---|
| 3574 | {
|
---|
| 3575 | int ret;
|
---|
| 3576 | byte* output;
|
---|
| 3577 | word32 length;
|
---|
| 3578 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 3579 | int sendSz;
|
---|
| 3580 |
|
---|
| 3581 | WOLFSSL_ENTER("SendTls13EncryptedExtensions");
|
---|
| 3582 |
|
---|
| 3583 | ssl->keys.encryptionOn = 1;
|
---|
| 3584 |
|
---|
| 3585 | /* Derive the handshake secret now that we are at first message to be
|
---|
| 3586 | * encrypted under the keys.
|
---|
| 3587 | */
|
---|
| 3588 | if ((ret = DeriveHandshakeSecret(ssl)) != 0)
|
---|
| 3589 | return ret;
|
---|
| 3590 | if ((ret = DeriveTls13Keys(ssl, handshake_key,
|
---|
| 3591 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0)
|
---|
| 3592 | return ret;
|
---|
| 3593 |
|
---|
| 3594 | /* Setup encrypt/decrypt keys for following messages. */
|
---|
| 3595 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 3596 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
|
---|
| 3597 | return ret;
|
---|
| 3598 | if (ssl->earlyData != 2) {
|
---|
| 3599 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
|
---|
| 3600 | return ret;
|
---|
| 3601 | }
|
---|
| 3602 | #else
|
---|
| 3603 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
|
---|
| 3604 | return ret;
|
---|
| 3605 | #endif
|
---|
| 3606 |
|
---|
| 3607 | length = TLSX_GetResponseSize(ssl, encrypted_extensions);
|
---|
| 3608 | sendSz = idx + length;
|
---|
| 3609 | /* Encryption always on. */
|
---|
| 3610 | sendSz += MAX_MSG_EXTRA;
|
---|
| 3611 |
|
---|
| 3612 | /* Check buffers are big enough and grow if needed. */
|
---|
| 3613 | ret = CheckAvailableSize(ssl, sendSz);
|
---|
| 3614 | if (ret != 0)
|
---|
| 3615 | return ret;
|
---|
| 3616 |
|
---|
| 3617 | /* Get position in output buffer to write new message to. */
|
---|
| 3618 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 3619 | ssl->buffers.outputBuffer.length;
|
---|
| 3620 |
|
---|
| 3621 | /* Put the record and handshake headers on. */
|
---|
| 3622 | AddTls13Headers(output, length, encrypted_extensions, ssl);
|
---|
| 3623 |
|
---|
| 3624 | TLSX_WriteResponse(ssl, output + idx, encrypted_extensions);
|
---|
| 3625 | idx += length;
|
---|
| 3626 |
|
---|
| 3627 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 3628 | if (ssl->hsInfoOn)
|
---|
| 3629 | AddPacketName("EncryptedExtensions", &ssl->handShakeInfo);
|
---|
| 3630 | if (ssl->toInfoOn) {
|
---|
| 3631 | AddPacketInfo("EncryptedExtensions", &ssl->timeoutInfo, output,
|
---|
| 3632 | sendSz, ssl->heap);
|
---|
| 3633 | }
|
---|
| 3634 | #endif
|
---|
| 3635 |
|
---|
| 3636 | /* This handshake message is always encrypted. */
|
---|
| 3637 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
|
---|
| 3638 | idx - RECORD_HEADER_SZ, handshake, 1, 0, 0);
|
---|
| 3639 | if (sendSz < 0)
|
---|
| 3640 | return sendSz;
|
---|
| 3641 |
|
---|
| 3642 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 3643 |
|
---|
| 3644 | ssl->options.serverState = SERVER_ENCRYPTED_EXTENSIONS_COMPLETE;
|
---|
| 3645 |
|
---|
| 3646 | if (!ssl->options.groupMessages)
|
---|
| 3647 | ret = SendBuffered(ssl);
|
---|
| 3648 |
|
---|
| 3649 | WOLFSSL_LEAVE("SendTls13EncryptedExtensions", ret);
|
---|
| 3650 |
|
---|
| 3651 | return ret;
|
---|
| 3652 | }
|
---|
| 3653 |
|
---|
| 3654 | #ifndef NO_CERTS
|
---|
| 3655 | /* Send the TLS v1.3 CertificateRequest message.
|
---|
| 3656 | * This message is always encrypted in TLS v1.3.
|
---|
| 3657 | * Only a server will send this message.
|
---|
| 3658 | *
|
---|
| 3659 | * ssl SSL/TLS object.
|
---|
| 3660 | * reqCtx Request context.
|
---|
| 3661 | * reqCtxLen Length of context. 0 when sending as part of handshake.
|
---|
| 3662 | * returns 0 on success, otherwise failure.
|
---|
| 3663 | */
|
---|
| 3664 | static int SendTls13CertificateRequest(WOLFSSL* ssl, byte* reqCtx,
|
---|
| 3665 | int reqCtxLen)
|
---|
| 3666 | {
|
---|
| 3667 | byte* output;
|
---|
| 3668 | int ret;
|
---|
| 3669 | int sendSz;
|
---|
| 3670 | word32 i;
|
---|
| 3671 | int reqSz;
|
---|
| 3672 | #ifndef WOLFSSL_TLS13_DRAFT_18
|
---|
| 3673 | TLSX* ext;
|
---|
| 3674 | #endif
|
---|
| 3675 |
|
---|
| 3676 | WOLFSSL_ENTER("SendTls13CertificateRequest");
|
---|
| 3677 |
|
---|
| 3678 | if (ssl->options.side == WOLFSSL_SERVER_END)
|
---|
| 3679 | InitSuitesHashSigAlgo(ssl->suites, 1, 1, 0, 1, ssl->buffers.keySz);
|
---|
| 3680 |
|
---|
| 3681 | #ifdef WOLFSSL_TLS13_DRAFT_18
|
---|
| 3682 | i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 3683 | reqSz = OPAQUE8_LEN + reqCtxLen + REQ_HEADER_SZ + REQ_HEADER_SZ;
|
---|
| 3684 | reqSz += LENGTH_SZ + ssl->suites->hashSigAlgoSz;
|
---|
| 3685 |
|
---|
| 3686 | sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
|
---|
| 3687 | /* Always encrypted and make room for padding. */
|
---|
| 3688 | sendSz += MAX_MSG_EXTRA;
|
---|
| 3689 |
|
---|
| 3690 | /* Check buffers are big enough and grow if needed. */
|
---|
| 3691 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
|
---|
| 3692 | return ret;
|
---|
| 3693 |
|
---|
| 3694 | /* Get position in output buffer to write new message to. */
|
---|
| 3695 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 3696 | ssl->buffers.outputBuffer.length;
|
---|
| 3697 |
|
---|
| 3698 | /* Put the record and handshake headers on. */
|
---|
| 3699 | AddTls13Headers(output, reqSz, certificate_request, ssl);
|
---|
| 3700 |
|
---|
| 3701 | /* Certificate request context. */
|
---|
| 3702 | output[i++] = reqCtxLen;
|
---|
| 3703 | if (reqCtxLen != 0) {
|
---|
| 3704 | XMEMCPY(output + i, reqCtx, reqCtxLen);
|
---|
| 3705 | i += reqCtxLen;
|
---|
| 3706 | }
|
---|
| 3707 |
|
---|
| 3708 | /* supported hash/sig */
|
---|
| 3709 | c16toa(ssl->suites->hashSigAlgoSz, &output[i]);
|
---|
| 3710 | i += LENGTH_SZ;
|
---|
| 3711 |
|
---|
| 3712 | XMEMCPY(&output[i], ssl->suites->hashSigAlgo, ssl->suites->hashSigAlgoSz);
|
---|
| 3713 | i += ssl->suites->hashSigAlgoSz;
|
---|
| 3714 |
|
---|
| 3715 | /* Certificate authorities not supported yet - empty buffer. */
|
---|
| 3716 | c16toa(0, &output[i]);
|
---|
| 3717 | i += REQ_HEADER_SZ;
|
---|
| 3718 |
|
---|
| 3719 | /* Certificate extensions. */
|
---|
| 3720 | c16toa(0, &output[i]); /* auth's */
|
---|
| 3721 | i += REQ_HEADER_SZ;
|
---|
| 3722 | #else
|
---|
| 3723 | ext = TLSX_Find(ssl->extensions, TLSX_SIGNATURE_ALGORITHMS);
|
---|
| 3724 | if (ext == NULL)
|
---|
| 3725 | return EXT_MISSING;
|
---|
| 3726 | ext->resp = 0;
|
---|
| 3727 |
|
---|
| 3728 | i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 3729 | reqSz = OPAQUE8_LEN + reqCtxLen +
|
---|
| 3730 | TLSX_GetRequestSize(ssl, certificate_request);
|
---|
| 3731 |
|
---|
| 3732 | sendSz = i + reqSz;
|
---|
| 3733 | /* Always encrypted and make room for padding. */
|
---|
| 3734 | sendSz += MAX_MSG_EXTRA;
|
---|
| 3735 |
|
---|
| 3736 | /* Check buffers are big enough and grow if needed. */
|
---|
| 3737 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
|
---|
| 3738 | return ret;
|
---|
| 3739 |
|
---|
| 3740 | /* Get position in output buffer to write new message to. */
|
---|
| 3741 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 3742 | ssl->buffers.outputBuffer.length;
|
---|
| 3743 |
|
---|
| 3744 | /* Put the record and handshake headers on. */
|
---|
| 3745 | AddTls13Headers(output, reqSz, certificate_request, ssl);
|
---|
| 3746 |
|
---|
| 3747 | /* Certificate request context. */
|
---|
| 3748 | output[i++] = reqCtxLen;
|
---|
| 3749 | if (reqCtxLen != 0) {
|
---|
| 3750 | XMEMCPY(output + i, reqCtx, reqCtxLen);
|
---|
| 3751 | i += reqCtxLen;
|
---|
| 3752 | }
|
---|
| 3753 |
|
---|
| 3754 | /* Certificate extensions. */
|
---|
| 3755 | i += TLSX_WriteRequest(ssl, output + i, certificate_request);
|
---|
| 3756 | #endif
|
---|
| 3757 |
|
---|
| 3758 | /* Always encrypted. */
|
---|
| 3759 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
|
---|
| 3760 | i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
|
---|
| 3761 | if (sendSz < 0)
|
---|
| 3762 | return sendSz;
|
---|
| 3763 |
|
---|
| 3764 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 3765 | if (ssl->hsInfoOn)
|
---|
| 3766 | AddPacketName("CertificateRequest", &ssl->handShakeInfo);
|
---|
| 3767 | if (ssl->toInfoOn) {
|
---|
| 3768 | AddPacketInfo("CertificateRequest", &ssl->timeoutInfo, output,
|
---|
| 3769 | sendSz, ssl->heap);
|
---|
| 3770 | }
|
---|
| 3771 | #endif
|
---|
| 3772 |
|
---|
| 3773 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 3774 | if (!ssl->options.groupMessages)
|
---|
| 3775 | ret = SendBuffered(ssl);
|
---|
| 3776 |
|
---|
| 3777 | WOLFSSL_LEAVE("SendTls13CertificateRequest", ret);
|
---|
| 3778 |
|
---|
| 3779 | return ret;
|
---|
| 3780 | }
|
---|
| 3781 | #endif /* NO_CERTS */
|
---|
| 3782 | #endif /* NO_WOLFSSL_SERVER */
|
---|
| 3783 |
|
---|
| 3784 | #ifndef NO_CERTS
|
---|
| 3785 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519)
|
---|
| 3786 | /* Encode the signature algorithm into buffer.
|
---|
| 3787 | *
|
---|
| 3788 | * hashalgo The hash algorithm.
|
---|
| 3789 | * hsType The signature type.
|
---|
| 3790 | * output The buffer to encode into.
|
---|
| 3791 | */
|
---|
| 3792 | static INLINE void EncodeSigAlg(byte hashAlgo, byte hsType, byte* output)
|
---|
| 3793 | {
|
---|
| 3794 | switch (hsType) {
|
---|
| 3795 | #ifdef HAVE_ECC
|
---|
| 3796 | case ecc_dsa_sa_algo:
|
---|
| 3797 | output[0] = hashAlgo;
|
---|
| 3798 | output[1] = ecc_dsa_sa_algo;
|
---|
| 3799 | break;
|
---|
| 3800 | #endif
|
---|
| 3801 | #ifdef HAVE_ED25519
|
---|
| 3802 | /* ED25519: 0x0807 */
|
---|
| 3803 | case ed25519_sa_algo:
|
---|
| 3804 | output[0] = ED25519_SA_MAJOR;
|
---|
| 3805 | output[1] = ED25519_SA_MINOR;
|
---|
| 3806 | (void)hashAlgo;
|
---|
| 3807 | break;
|
---|
| 3808 | #endif
|
---|
| 3809 | #ifndef NO_RSA
|
---|
| 3810 | /* PSS signatures: 0x080[4-6] */
|
---|
| 3811 | case rsa_pss_sa_algo:
|
---|
| 3812 | output[0] = rsa_pss_sa_algo;
|
---|
| 3813 | output[1] = hashAlgo;
|
---|
| 3814 | break;
|
---|
| 3815 | #endif
|
---|
| 3816 | /* ED448: 0x0808 */
|
---|
| 3817 | }
|
---|
| 3818 | }
|
---|
| 3819 |
|
---|
| 3820 | /* Decode the signature algorithm.
|
---|
| 3821 | *
|
---|
| 3822 | * input The encoded signature algorithm.
|
---|
| 3823 | * hashalgo The hash algorithm.
|
---|
| 3824 | * hsType The signature type.
|
---|
| 3825 | */
|
---|
| 3826 | static INLINE void DecodeSigAlg(byte* input, byte* hashAlgo, byte* hsType)
|
---|
| 3827 | {
|
---|
| 3828 | switch (input[0]) {
|
---|
| 3829 | case NEW_SA_MAJOR:
|
---|
| 3830 | /* PSS signatures: 0x080[4-6] */
|
---|
| 3831 | if (input[1] <= sha512_mac) {
|
---|
| 3832 | *hsType = input[0];
|
---|
| 3833 | *hashAlgo = input[1];
|
---|
| 3834 | }
|
---|
| 3835 | #ifdef HAVE_ED25519
|
---|
| 3836 | /* ED25519: 0x0807 */
|
---|
| 3837 | if (input[1] == ED25519_SA_MINOR) {
|
---|
| 3838 | *hsType = ed25519_sa_algo;
|
---|
| 3839 | /* Hash performed as part of sign/verify operation. */
|
---|
| 3840 | *hashAlgo = sha512_mac;
|
---|
| 3841 | }
|
---|
| 3842 | #endif
|
---|
| 3843 | /* ED448: 0x0808 */
|
---|
| 3844 | break;
|
---|
| 3845 | default:
|
---|
| 3846 | *hashAlgo = input[0];
|
---|
| 3847 | *hsType = input[1];
|
---|
| 3848 | break;
|
---|
| 3849 | }
|
---|
| 3850 | }
|
---|
| 3851 |
|
---|
| 3852 | /* Get the hash of the messages so far.
|
---|
| 3853 | *
|
---|
| 3854 | * ssl The SSL/TLS object.
|
---|
| 3855 | * hash The buffer to write the hash to.
|
---|
| 3856 | * returns the length of the hash.
|
---|
| 3857 | */
|
---|
| 3858 | static INLINE int GetMsgHash(WOLFSSL* ssl, byte* hash)
|
---|
| 3859 | {
|
---|
| 3860 | int ret = 0;
|
---|
| 3861 | switch (ssl->specs.mac_algorithm) {
|
---|
| 3862 | #ifndef NO_SHA256
|
---|
| 3863 | case sha256_mac:
|
---|
| 3864 | ret = wc_Sha256GetHash(&ssl->hsHashes->hashSha256, hash);
|
---|
| 3865 | if (ret == 0)
|
---|
| 3866 | ret = WC_SHA256_DIGEST_SIZE;
|
---|
| 3867 | break;
|
---|
| 3868 | #endif /* !NO_SHA256 */
|
---|
| 3869 | #ifdef WOLFSSL_SHA384
|
---|
| 3870 | case sha384_mac:
|
---|
| 3871 | ret = wc_Sha384GetHash(&ssl->hsHashes->hashSha384, hash);
|
---|
| 3872 | if (ret == 0)
|
---|
| 3873 | ret = WC_SHA384_DIGEST_SIZE;
|
---|
| 3874 | break;
|
---|
| 3875 | #endif /* WOLFSSL_SHA384 */
|
---|
| 3876 | #ifdef WOLFSSL_TLS13_SHA512
|
---|
| 3877 | case sha512_mac:
|
---|
| 3878 | ret = wc_Sha512GetHash(&ssl->hsHashes->hashSha512, hash);
|
---|
| 3879 | if (ret == 0)
|
---|
| 3880 | ret = WC_SHA512_DIGEST_SIZE;
|
---|
| 3881 | break;
|
---|
| 3882 | #endif /* WOLFSSL_TLS13_SHA512 */
|
---|
| 3883 | }
|
---|
| 3884 | return ret;
|
---|
| 3885 | }
|
---|
| 3886 |
|
---|
| 3887 | /* The length of the certificate verification label - client and server. */
|
---|
| 3888 | #define CERT_VFY_LABEL_SZ 34
|
---|
| 3889 | /* The server certificate verification label. */
|
---|
| 3890 | static const byte serverCertVfyLabel[CERT_VFY_LABEL_SZ] =
|
---|
| 3891 | "TLS 1.3, server CertificateVerify";
|
---|
| 3892 | /* The client certificate verification label. */
|
---|
| 3893 | static const byte clientCertVfyLabel[CERT_VFY_LABEL_SZ] =
|
---|
| 3894 | "TLS 1.3, client CertificateVerify";
|
---|
| 3895 |
|
---|
| 3896 | /* The number of prefix bytes for signature data. */
|
---|
| 3897 | #define SIGNING_DATA_PREFIX_SZ 64
|
---|
| 3898 | /* The prefix byte in the signature data. */
|
---|
| 3899 | #define SIGNING_DATA_PREFIX_BYTE 0x20
|
---|
| 3900 | /* Maximum length of the signature data. */
|
---|
| 3901 | #define MAX_SIG_DATA_SZ (SIGNING_DATA_PREFIX_SZ + \
|
---|
| 3902 | CERT_VFY_LABEL_SZ + \
|
---|
| 3903 | MAX_DIGEST_SIZE)
|
---|
| 3904 |
|
---|
| 3905 | /* Create the signature data for TLS v1.3 certificate verification.
|
---|
| 3906 | *
|
---|
| 3907 | * ssl The SSL/TLS object.
|
---|
| 3908 | * sigData The signature data.
|
---|
| 3909 | * sigDataSz The length of the signature data.
|
---|
| 3910 | * check Indicates this is a check not create.
|
---|
| 3911 | */
|
---|
| 3912 | static int CreateSigData(WOLFSSL* ssl, byte* sigData, word16* sigDataSz,
|
---|
| 3913 | int check)
|
---|
| 3914 | {
|
---|
| 3915 | word16 idx;
|
---|
| 3916 | int side = ssl->options.side;
|
---|
| 3917 | int ret;
|
---|
| 3918 |
|
---|
| 3919 | /* Signature Data = Prefix | Label | Handshake Hash */
|
---|
| 3920 | XMEMSET(sigData, SIGNING_DATA_PREFIX_BYTE, SIGNING_DATA_PREFIX_SZ);
|
---|
| 3921 | idx = SIGNING_DATA_PREFIX_SZ;
|
---|
| 3922 |
|
---|
| 3923 | if ((side == WOLFSSL_SERVER_END && check) ||
|
---|
| 3924 | (side == WOLFSSL_CLIENT_END && !check)) {
|
---|
| 3925 | XMEMCPY(&sigData[idx], clientCertVfyLabel, CERT_VFY_LABEL_SZ);
|
---|
| 3926 | }
|
---|
| 3927 | if ((side == WOLFSSL_CLIENT_END && check) ||
|
---|
| 3928 | (side == WOLFSSL_SERVER_END && !check)) {
|
---|
| 3929 | XMEMCPY(&sigData[idx], serverCertVfyLabel, CERT_VFY_LABEL_SZ);
|
---|
| 3930 | }
|
---|
| 3931 | idx += CERT_VFY_LABEL_SZ;
|
---|
| 3932 |
|
---|
| 3933 | ret = GetMsgHash(ssl, &sigData[idx]);
|
---|
| 3934 | if (ret < 0)
|
---|
| 3935 | return ret;
|
---|
| 3936 |
|
---|
| 3937 | *sigDataSz = idx + ret;
|
---|
| 3938 | ret = 0;
|
---|
| 3939 |
|
---|
| 3940 | return ret;
|
---|
| 3941 | }
|
---|
| 3942 |
|
---|
| 3943 | #ifndef NO_RSA
|
---|
| 3944 | /* Encode the PKCS #1.5 RSA signature.
|
---|
| 3945 | *
|
---|
| 3946 | * sig The buffer to place the encoded signature into.
|
---|
| 3947 | * sigData The data to be signed.
|
---|
| 3948 | * sigDataSz The size of the data to be signed.
|
---|
| 3949 | * hashAlgo The hash algorithm to use when signing.
|
---|
| 3950 | * returns the length of the encoded signature or negative on error.
|
---|
| 3951 | */
|
---|
| 3952 | static int CreateRSAEncodedSig(byte* sig, byte* sigData, int sigDataSz,
|
---|
| 3953 | int sigAlgo, int hashAlgo)
|
---|
| 3954 | {
|
---|
| 3955 | Digest digest;
|
---|
| 3956 | int hashSz = 0;
|
---|
| 3957 | int ret = BAD_FUNC_ARG;
|
---|
| 3958 | byte* hash;
|
---|
| 3959 |
|
---|
| 3960 | (void)sigAlgo;
|
---|
| 3961 |
|
---|
| 3962 | hash = sig;
|
---|
| 3963 |
|
---|
| 3964 | /* Digest the signature data. */
|
---|
| 3965 | switch (hashAlgo) {
|
---|
| 3966 | #ifndef NO_WOLFSSL_SHA256
|
---|
| 3967 | case sha256_mac:
|
---|
| 3968 | ret = wc_InitSha256(&digest.sha256);
|
---|
| 3969 | if (ret == 0) {
|
---|
| 3970 | ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
|
---|
| 3971 | if (ret == 0)
|
---|
| 3972 | ret = wc_Sha256Final(&digest.sha256, hash);
|
---|
| 3973 | wc_Sha256Free(&digest.sha256);
|
---|
| 3974 | }
|
---|
| 3975 | hashSz = WC_SHA256_DIGEST_SIZE;
|
---|
| 3976 | break;
|
---|
| 3977 | #endif
|
---|
| 3978 | #ifdef WOLFSSL_SHA384
|
---|
| 3979 | case sha384_mac:
|
---|
| 3980 | ret = wc_InitSha384(&digest.sha384);
|
---|
| 3981 | if (ret == 0) {
|
---|
| 3982 | ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
|
---|
| 3983 | if (ret == 0)
|
---|
| 3984 | ret = wc_Sha384Final(&digest.sha384, hash);
|
---|
| 3985 | wc_Sha384Free(&digest.sha384);
|
---|
| 3986 | }
|
---|
| 3987 | hashSz = WC_SHA384_DIGEST_SIZE;
|
---|
| 3988 | break;
|
---|
| 3989 | #endif
|
---|
| 3990 | #ifdef WOLFSSL_SHA512
|
---|
| 3991 | case sha512_mac:
|
---|
| 3992 | ret = wc_InitSha512(&digest.sha512);
|
---|
| 3993 | if (ret == 0) {
|
---|
| 3994 | ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
|
---|
| 3995 | if (ret == 0)
|
---|
| 3996 | ret = wc_Sha512Final(&digest.sha512, hash);
|
---|
| 3997 | wc_Sha512Free(&digest.sha512);
|
---|
| 3998 | }
|
---|
| 3999 | hashSz = WC_SHA512_DIGEST_SIZE;
|
---|
| 4000 | break;
|
---|
| 4001 | #endif
|
---|
| 4002 | }
|
---|
| 4003 |
|
---|
| 4004 | if (ret != 0)
|
---|
| 4005 | return ret;
|
---|
| 4006 |
|
---|
| 4007 | return hashSz;
|
---|
| 4008 | }
|
---|
| 4009 | #endif /* !NO_RSA */
|
---|
| 4010 |
|
---|
| 4011 | #ifdef HAVE_ECC
|
---|
| 4012 | /* Encode the ECC signature.
|
---|
| 4013 | *
|
---|
| 4014 | * sigData The data to be signed.
|
---|
| 4015 | * sigDataSz The size of the data to be signed.
|
---|
| 4016 | * hashAlgo The hash algorithm to use when signing.
|
---|
| 4017 | * returns the length of the encoded signature or negative on error.
|
---|
| 4018 | */
|
---|
| 4019 | static int CreateECCEncodedSig(byte* sigData, int sigDataSz, int hashAlgo)
|
---|
| 4020 | {
|
---|
| 4021 | Digest digest;
|
---|
| 4022 | int hashSz = 0;
|
---|
| 4023 | int ret = BAD_FUNC_ARG;
|
---|
| 4024 |
|
---|
| 4025 | /* Digest the signature data. */
|
---|
| 4026 | switch (hashAlgo) {
|
---|
| 4027 | #ifndef NO_WOLFSSL_SHA256
|
---|
| 4028 | case sha256_mac:
|
---|
| 4029 | ret = wc_InitSha256(&digest.sha256);
|
---|
| 4030 | if (ret == 0) {
|
---|
| 4031 | ret = wc_Sha256Update(&digest.sha256, sigData, sigDataSz);
|
---|
| 4032 | if (ret == 0)
|
---|
| 4033 | ret = wc_Sha256Final(&digest.sha256, sigData);
|
---|
| 4034 | wc_Sha256Free(&digest.sha256);
|
---|
| 4035 | }
|
---|
| 4036 | hashSz = WC_SHA256_DIGEST_SIZE;
|
---|
| 4037 | break;
|
---|
| 4038 | #endif
|
---|
| 4039 | #ifdef WOLFSSL_SHA384
|
---|
| 4040 | case sha384_mac:
|
---|
| 4041 | ret = wc_InitSha384(&digest.sha384);
|
---|
| 4042 | if (ret == 0) {
|
---|
| 4043 | ret = wc_Sha384Update(&digest.sha384, sigData, sigDataSz);
|
---|
| 4044 | if (ret == 0)
|
---|
| 4045 | ret = wc_Sha384Final(&digest.sha384, sigData);
|
---|
| 4046 | wc_Sha384Free(&digest.sha384);
|
---|
| 4047 | }
|
---|
| 4048 | hashSz = WC_SHA384_DIGEST_SIZE;
|
---|
| 4049 | break;
|
---|
| 4050 | #endif
|
---|
| 4051 | #ifdef WOLFSSL_SHA512
|
---|
| 4052 | case sha512_mac:
|
---|
| 4053 | ret = wc_InitSha512(&digest.sha512);
|
---|
| 4054 | if (ret == 0) {
|
---|
| 4055 | ret = wc_Sha512Update(&digest.sha512, sigData, sigDataSz);
|
---|
| 4056 | if (ret == 0)
|
---|
| 4057 | ret = wc_Sha512Final(&digest.sha512, sigData);
|
---|
| 4058 | wc_Sha512Free(&digest.sha512);
|
---|
| 4059 | }
|
---|
| 4060 | hashSz = WC_SHA512_DIGEST_SIZE;
|
---|
| 4061 | break;
|
---|
| 4062 | #endif
|
---|
| 4063 | }
|
---|
| 4064 |
|
---|
| 4065 | if (ret != 0)
|
---|
| 4066 | return ret;
|
---|
| 4067 |
|
---|
| 4068 | return hashSz;
|
---|
| 4069 | }
|
---|
| 4070 | #endif /* HAVE_ECC */
|
---|
| 4071 |
|
---|
| 4072 | #ifndef NO_RSA
|
---|
| 4073 | /* Check that the decrypted signature matches the encoded signature
|
---|
| 4074 | * based on the digest of the signature data.
|
---|
| 4075 | *
|
---|
| 4076 | * ssl The SSL/TLS object.
|
---|
| 4077 | * hashAlgo The signature algorithm used to generate signature.
|
---|
| 4078 | * hashAlgo The hash algorithm used to generate signature.
|
---|
| 4079 | * decSig The decrypted signature.
|
---|
| 4080 | * decSigSz The size of the decrypted signature.
|
---|
| 4081 | * returns 0 on success, otherwise failure.
|
---|
| 4082 | */
|
---|
| 4083 | static int CheckRSASignature(WOLFSSL* ssl, int sigAlgo, int hashAlgo,
|
---|
| 4084 | byte* decSig, word32 decSigSz)
|
---|
| 4085 | {
|
---|
| 4086 | int ret = 0;
|
---|
| 4087 | byte sigData[MAX_SIG_DATA_SZ];
|
---|
| 4088 | word16 sigDataSz;
|
---|
| 4089 | word32 sigSz;
|
---|
| 4090 |
|
---|
| 4091 | ret = CreateSigData(ssl, sigData, &sigDataSz, 1);
|
---|
| 4092 | if (ret != 0)
|
---|
| 4093 | return ret;
|
---|
| 4094 |
|
---|
| 4095 | if (sigAlgo == rsa_pss_sa_algo) {
|
---|
| 4096 | enum wc_HashType hashType = WC_HASH_TYPE_NONE;
|
---|
| 4097 |
|
---|
| 4098 | ret = ConvertHashPss(hashAlgo, &hashType, NULL);
|
---|
| 4099 | if (ret < 0)
|
---|
| 4100 | return ret;
|
---|
| 4101 |
|
---|
| 4102 | /* PSS signature can be done in-pace */
|
---|
| 4103 | ret = CreateRSAEncodedSig(sigData, sigData, sigDataSz,
|
---|
| 4104 | sigAlgo, hashAlgo);
|
---|
| 4105 | if (ret < 0)
|
---|
| 4106 | return ret;
|
---|
| 4107 | sigSz = ret;
|
---|
| 4108 |
|
---|
| 4109 | ret = wc_RsaPSS_CheckPadding(sigData, sigSz, decSig, decSigSz,
|
---|
| 4110 | hashType);
|
---|
| 4111 | }
|
---|
| 4112 |
|
---|
| 4113 | return ret;
|
---|
| 4114 | }
|
---|
| 4115 | #endif /* !NO_RSA */
|
---|
| 4116 | #endif /* !NO_RSA || HAVE_ECC */
|
---|
| 4117 |
|
---|
| 4118 | /* Get the next certificate from the list for writing into the TLS v1.3
|
---|
| 4119 | * Certificate message.
|
---|
| 4120 | *
|
---|
| 4121 | * data The certificate list.
|
---|
| 4122 | * length The length of the certificate data in the list.
|
---|
| 4123 | * idx The index of the next certificate.
|
---|
| 4124 | * returns the length of the certificate data. 0 indicates no more certificates
|
---|
| 4125 | * in the list.
|
---|
| 4126 | */
|
---|
| 4127 | static word32 NextCert(byte* data, word32 length, word32* idx)
|
---|
| 4128 | {
|
---|
| 4129 | word32 len;
|
---|
| 4130 |
|
---|
| 4131 | /* Is index at end of list. */
|
---|
| 4132 | if (*idx == length)
|
---|
| 4133 | return 0;
|
---|
| 4134 |
|
---|
| 4135 | /* Length of the current ASN.1 encoded certificate. */
|
---|
| 4136 | c24to32(data + *idx, &len);
|
---|
| 4137 | /* Include the length field. */
|
---|
| 4138 | len += 3;
|
---|
| 4139 |
|
---|
| 4140 | /* Move index to next certificate and return the current certificate's
|
---|
| 4141 | * length.
|
---|
| 4142 | */
|
---|
| 4143 | *idx += len;
|
---|
| 4144 | return len;
|
---|
| 4145 | }
|
---|
| 4146 |
|
---|
| 4147 | /* Add certificate data and empty extension to output up to the fragment size.
|
---|
| 4148 | *
|
---|
| 4149 | * cert The certificate data to write out.
|
---|
| 4150 | * len The length of the certificate data.
|
---|
| 4151 | * idx The start of the certificate data to write out.
|
---|
| 4152 | * fragSz The maximum size of this fragment.
|
---|
| 4153 | * output The buffer to write to.
|
---|
| 4154 | * returns the number of bytes written.
|
---|
| 4155 | */
|
---|
| 4156 | static word32 AddCertExt(byte* cert, word32 len, word32 idx, word32 fragSz,
|
---|
| 4157 | byte* output)
|
---|
| 4158 | {
|
---|
| 4159 | word32 i = 0;
|
---|
| 4160 | word32 copySz = min(len - idx, fragSz);
|
---|
| 4161 |
|
---|
| 4162 | if (idx < len) {
|
---|
| 4163 | XMEMCPY(output, cert + idx, copySz);
|
---|
| 4164 | i = copySz;
|
---|
| 4165 | }
|
---|
| 4166 |
|
---|
| 4167 | if (copySz + OPAQUE16_LEN <= fragSz) {
|
---|
| 4168 | /* Empty extension */
|
---|
| 4169 | output[i++] = 0;
|
---|
| 4170 | output[i++] = 0;
|
---|
| 4171 | }
|
---|
| 4172 |
|
---|
| 4173 | return i;
|
---|
| 4174 | }
|
---|
| 4175 |
|
---|
| 4176 | /* Send the certificate for this end and any CAs that help with validation.
|
---|
| 4177 | * This message is always encrypted in TLS v1.3.
|
---|
| 4178 | *
|
---|
| 4179 | * ssl The SSL/TLS object.
|
---|
| 4180 | * returns 0 on success, otherwise failure.
|
---|
| 4181 | */
|
---|
| 4182 | static int SendTls13Certificate(WOLFSSL* ssl)
|
---|
| 4183 | {
|
---|
| 4184 | int ret = 0;
|
---|
| 4185 | word32 certSz, certChainSz, headerSz, listSz, payloadSz;
|
---|
| 4186 | word32 length, maxFragment;
|
---|
| 4187 | word32 len = 0;
|
---|
| 4188 | word32 idx = 0;
|
---|
| 4189 | word32 offset = OPAQUE16_LEN;
|
---|
| 4190 | byte* p = NULL;
|
---|
| 4191 | byte certReqCtxLen = 0;
|
---|
| 4192 | byte* certReqCtx = NULL;
|
---|
| 4193 |
|
---|
| 4194 | WOLFSSL_ENTER("SendTls13Certificate");
|
---|
| 4195 |
|
---|
| 4196 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
|
---|
| 4197 | if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
|
---|
| 4198 | certReqCtxLen = ssl->certReqCtx->len;
|
---|
| 4199 | certReqCtx = &ssl->certReqCtx->ctx;
|
---|
| 4200 | }
|
---|
| 4201 | #endif
|
---|
| 4202 |
|
---|
| 4203 | if (ssl->options.sendVerify == SEND_BLANK_CERT) {
|
---|
| 4204 | certSz = 0;
|
---|
| 4205 | certChainSz = 0;
|
---|
| 4206 | headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ;
|
---|
| 4207 | length = headerSz;
|
---|
| 4208 | listSz = 0;
|
---|
| 4209 | }
|
---|
| 4210 | else {
|
---|
| 4211 | if (!ssl->buffers.certificate) {
|
---|
| 4212 | WOLFSSL_MSG("Send Cert missing certificate buffer");
|
---|
| 4213 | return BUFFER_ERROR;
|
---|
| 4214 | }
|
---|
| 4215 | /* Certificate Data */
|
---|
| 4216 | certSz = ssl->buffers.certificate->length;
|
---|
| 4217 | /* Cert Req Ctx Len | Cert Req Ctx | Cert List Len | Cert Data Len */
|
---|
| 4218 | headerSz = OPAQUE8_LEN + certReqCtxLen + CERT_HEADER_SZ +
|
---|
| 4219 | CERT_HEADER_SZ;
|
---|
| 4220 | /* Length of message data with one certificate and empty extensions. */
|
---|
| 4221 | length = headerSz + certSz + OPAQUE16_LEN;
|
---|
| 4222 | /* Length of list data with one certificate and empty extensions. */
|
---|
| 4223 | listSz = CERT_HEADER_SZ + certSz + OPAQUE16_LEN;
|
---|
| 4224 |
|
---|
| 4225 | /* Send rest of chain if sending cert (chain has leading size/s). */
|
---|
| 4226 | if (certSz > 0 && ssl->buffers.certChainCnt > 0) {
|
---|
| 4227 | /* The pointer to the current spot in the cert chain buffer. */
|
---|
| 4228 | p = ssl->buffers.certChain->buffer;
|
---|
| 4229 | /* Chain length including extensions. */
|
---|
| 4230 | certChainSz = ssl->buffers.certChain->length +
|
---|
| 4231 | OPAQUE16_LEN * ssl->buffers.certChainCnt;
|
---|
| 4232 | length += certChainSz;
|
---|
| 4233 | listSz += certChainSz;
|
---|
| 4234 | }
|
---|
| 4235 | else
|
---|
| 4236 | certChainSz = 0;
|
---|
| 4237 | }
|
---|
| 4238 |
|
---|
| 4239 | payloadSz = length;
|
---|
| 4240 |
|
---|
| 4241 | if (ssl->fragOffset != 0)
|
---|
| 4242 | length -= (ssl->fragOffset + headerSz);
|
---|
| 4243 |
|
---|
| 4244 | maxFragment = MAX_RECORD_SIZE;
|
---|
| 4245 |
|
---|
| 4246 | #ifdef HAVE_MAX_FRAGMENT
|
---|
| 4247 | if (ssl->max_fragment != 0 && maxFragment >= ssl->max_fragment)
|
---|
| 4248 | maxFragment = ssl->max_fragment;
|
---|
| 4249 | #endif /* HAVE_MAX_FRAGMENT */
|
---|
| 4250 |
|
---|
| 4251 | while (length > 0 && ret == 0) {
|
---|
| 4252 | byte* output = NULL;
|
---|
| 4253 | word32 fragSz = 0;
|
---|
| 4254 | word32 i = RECORD_HEADER_SZ;
|
---|
| 4255 | int sendSz = RECORD_HEADER_SZ;
|
---|
| 4256 |
|
---|
| 4257 | if (ssl->fragOffset == 0) {
|
---|
| 4258 | if (headerSz + certSz + OPAQUE16_LEN + certChainSz <=
|
---|
| 4259 | maxFragment - HANDSHAKE_HEADER_SZ) {
|
---|
| 4260 |
|
---|
| 4261 | fragSz = headerSz + certSz + OPAQUE16_LEN + certChainSz;
|
---|
| 4262 | }
|
---|
| 4263 | else {
|
---|
| 4264 | fragSz = maxFragment - HANDSHAKE_HEADER_SZ;
|
---|
| 4265 | }
|
---|
| 4266 | sendSz += fragSz + HANDSHAKE_HEADER_SZ;
|
---|
| 4267 | i += HANDSHAKE_HEADER_SZ;
|
---|
| 4268 | }
|
---|
| 4269 | else {
|
---|
| 4270 | fragSz = min(length, maxFragment);
|
---|
| 4271 | sendSz += fragSz;
|
---|
| 4272 | }
|
---|
| 4273 |
|
---|
| 4274 | sendSz += MAX_MSG_EXTRA;
|
---|
| 4275 |
|
---|
| 4276 | /* Check buffers are big enough and grow if needed. */
|
---|
| 4277 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
|
---|
| 4278 | return ret;
|
---|
| 4279 |
|
---|
| 4280 | /* Get position in output buffer to write new message to. */
|
---|
| 4281 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 4282 | ssl->buffers.outputBuffer.length;
|
---|
| 4283 |
|
---|
| 4284 | if (ssl->fragOffset == 0) {
|
---|
| 4285 | AddTls13FragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
|
---|
| 4286 |
|
---|
| 4287 | /* Request context. */
|
---|
| 4288 | output[i++] = certReqCtxLen;
|
---|
| 4289 | if (certReqCtxLen > 0) {
|
---|
| 4290 | XMEMCPY(output + i, certReqCtx, certReqCtxLen);
|
---|
| 4291 | i += certReqCtxLen;
|
---|
| 4292 | }
|
---|
| 4293 | length -= OPAQUE8_LEN + certReqCtxLen;
|
---|
| 4294 | fragSz -= OPAQUE8_LEN + certReqCtxLen;
|
---|
| 4295 | /* Certificate list length. */
|
---|
| 4296 | c32to24(listSz, output + i);
|
---|
| 4297 | i += CERT_HEADER_SZ;
|
---|
| 4298 | length -= CERT_HEADER_SZ;
|
---|
| 4299 | fragSz -= CERT_HEADER_SZ;
|
---|
| 4300 | /* Leaf certificate data length. */
|
---|
| 4301 | if (certSz > 0) {
|
---|
| 4302 | c32to24(certSz, output + i);
|
---|
| 4303 | i += CERT_HEADER_SZ;
|
---|
| 4304 | length -= CERT_HEADER_SZ;
|
---|
| 4305 | fragSz -= CERT_HEADER_SZ;
|
---|
| 4306 | }
|
---|
| 4307 | }
|
---|
| 4308 | else
|
---|
| 4309 | AddTls13RecordHeader(output, fragSz, handshake, ssl);
|
---|
| 4310 |
|
---|
| 4311 | if (certSz > 0 && ssl->fragOffset < certSz + OPAQUE16_LEN) {
|
---|
| 4312 | /* Put in the leaf certificate and empty extension. */
|
---|
| 4313 | word32 copySz = AddCertExt(ssl->buffers.certificate->buffer, certSz,
|
---|
| 4314 | ssl->fragOffset, fragSz, output + i);
|
---|
| 4315 |
|
---|
| 4316 | i += copySz;
|
---|
| 4317 | ssl->fragOffset += copySz;
|
---|
| 4318 | length -= copySz;
|
---|
| 4319 | fragSz -= copySz;
|
---|
| 4320 | }
|
---|
| 4321 | if (certChainSz > 0 && fragSz > 0) {
|
---|
| 4322 | /* Put in the CA certificates with empty extensions. */
|
---|
| 4323 | while (fragSz > 0) {
|
---|
| 4324 | word32 l;
|
---|
| 4325 |
|
---|
| 4326 | if (offset == len + OPAQUE16_LEN) {
|
---|
| 4327 | /* Find next CA certificate to write out. */
|
---|
| 4328 | offset = 0;
|
---|
| 4329 | len = NextCert(ssl->buffers.certChain->buffer,
|
---|
| 4330 | ssl->buffers.certChain->length, &idx);
|
---|
| 4331 | if (len == 0)
|
---|
| 4332 | break;
|
---|
| 4333 | }
|
---|
| 4334 |
|
---|
| 4335 | /* Write out certificate and empty extension. */
|
---|
| 4336 | l = AddCertExt(p, len, offset, fragSz, output + i);
|
---|
| 4337 | i += l;
|
---|
| 4338 | ssl->fragOffset += l;
|
---|
| 4339 | length -= l;
|
---|
| 4340 | fragSz -= l;
|
---|
| 4341 | offset += l;
|
---|
| 4342 | }
|
---|
| 4343 | }
|
---|
| 4344 |
|
---|
| 4345 | if ((int)i - RECORD_HEADER_SZ < 0) {
|
---|
| 4346 | WOLFSSL_MSG("Send Cert bad inputSz");
|
---|
| 4347 | return BUFFER_E;
|
---|
| 4348 | }
|
---|
| 4349 |
|
---|
| 4350 | /* This message is always encrypted. */
|
---|
| 4351 | sendSz = BuildTls13Message(ssl, output, sendSz,
|
---|
| 4352 | output + RECORD_HEADER_SZ,
|
---|
| 4353 | i - RECORD_HEADER_SZ, handshake, 1, 0, 0);
|
---|
| 4354 | if (sendSz < 0)
|
---|
| 4355 | return sendSz;
|
---|
| 4356 |
|
---|
| 4357 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 4358 | if (ssl->hsInfoOn)
|
---|
| 4359 | AddPacketName("Certificate", &ssl->handShakeInfo);
|
---|
| 4360 | if (ssl->toInfoOn) {
|
---|
| 4361 | AddPacketInfo("Certificate", &ssl->timeoutInfo, output, sendSz,
|
---|
| 4362 | ssl->heap);
|
---|
| 4363 | }
|
---|
| 4364 | #endif
|
---|
| 4365 |
|
---|
| 4366 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 4367 | if (!ssl->options.groupMessages)
|
---|
| 4368 | ret = SendBuffered(ssl);
|
---|
| 4369 | }
|
---|
| 4370 |
|
---|
| 4371 | if (ret != WANT_WRITE) {
|
---|
| 4372 | /* Clean up the fragment offset. */
|
---|
| 4373 | ssl->fragOffset = 0;
|
---|
| 4374 | if (ssl->options.side == WOLFSSL_SERVER_END)
|
---|
| 4375 | ssl->options.serverState = SERVER_CERT_COMPLETE;
|
---|
| 4376 | }
|
---|
| 4377 |
|
---|
| 4378 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
|
---|
| 4379 | if (ssl->options.side == WOLFSSL_CLIENT_END && ssl->certReqCtx != NULL) {
|
---|
| 4380 | CertReqCtx* ctx = ssl->certReqCtx;
|
---|
| 4381 | ssl->certReqCtx = ssl->certReqCtx->next;
|
---|
| 4382 | XFREE(ctx, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 4383 | }
|
---|
| 4384 | #endif
|
---|
| 4385 |
|
---|
| 4386 | WOLFSSL_LEAVE("SendTls13Certificate", ret);
|
---|
| 4387 |
|
---|
| 4388 | return ret;
|
---|
| 4389 | }
|
---|
| 4390 |
|
---|
| 4391 | typedef struct Scv13Args {
|
---|
| 4392 | byte* output; /* not allocated */
|
---|
| 4393 | #ifndef NO_RSA
|
---|
| 4394 | byte* verifySig;
|
---|
| 4395 | #endif
|
---|
| 4396 | byte* verify; /* not allocated */
|
---|
| 4397 | word32 idx;
|
---|
| 4398 | word32 sigLen;
|
---|
| 4399 | int sendSz;
|
---|
| 4400 | word16 length;
|
---|
| 4401 |
|
---|
| 4402 | byte sigAlgo;
|
---|
| 4403 | byte* sigData;
|
---|
| 4404 | word16 sigDataSz;
|
---|
| 4405 | } Scv13Args;
|
---|
| 4406 |
|
---|
| 4407 | static void FreeScv13Args(WOLFSSL* ssl, void* pArgs)
|
---|
| 4408 | {
|
---|
| 4409 | Scv13Args* args = (Scv13Args*)pArgs;
|
---|
| 4410 |
|
---|
| 4411 | (void)ssl;
|
---|
| 4412 |
|
---|
| 4413 | #ifndef NO_RSA
|
---|
| 4414 | if (args->verifySig) {
|
---|
| 4415 | XFREE(args->verifySig, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
|
---|
| 4416 | args->verifySig = NULL;
|
---|
| 4417 | }
|
---|
| 4418 | #endif
|
---|
| 4419 | if (args->sigData) {
|
---|
| 4420 | XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
|
---|
| 4421 | args->sigData = NULL;
|
---|
| 4422 | }
|
---|
| 4423 | }
|
---|
| 4424 |
|
---|
| 4425 | /* Send the TLS v1.3 CertificateVerify message.
|
---|
| 4426 | * A hash of all the message so far is used.
|
---|
| 4427 | * The signed data is:
|
---|
| 4428 | * 0x20 * 64 | context string | 0x00 | hash of messages
|
---|
| 4429 | * This message is always encrypted in TLS v1.3.
|
---|
| 4430 | *
|
---|
| 4431 | * ssl The SSL/TLS object.
|
---|
| 4432 | * returns 0 on success, otherwise failure.
|
---|
| 4433 | */
|
---|
| 4434 | static int SendTls13CertificateVerify(WOLFSSL* ssl)
|
---|
| 4435 | {
|
---|
| 4436 | int ret = 0;
|
---|
| 4437 | buffer* sig = &ssl->buffers.sig;
|
---|
| 4438 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 4439 | Scv13Args* args = (Scv13Args*)ssl->async.args;
|
---|
| 4440 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
|
---|
| 4441 | (void)sizeof(args_test);
|
---|
| 4442 | #else
|
---|
| 4443 | Scv13Args args[1];
|
---|
| 4444 | #endif
|
---|
| 4445 |
|
---|
| 4446 | WOLFSSL_ENTER("SendTls13CertificateVerify");
|
---|
| 4447 |
|
---|
| 4448 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 4449 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
|
---|
| 4450 | if (ret != WC_NOT_PENDING_E) {
|
---|
| 4451 | /* Check for error */
|
---|
| 4452 | if (ret < 0)
|
---|
| 4453 | goto exit_scv;
|
---|
| 4454 | }
|
---|
| 4455 | else
|
---|
| 4456 | #endif
|
---|
| 4457 | {
|
---|
| 4458 | /* Reset state */
|
---|
| 4459 | ret = 0;
|
---|
| 4460 | ssl->options.asyncState = TLS_ASYNC_BEGIN;
|
---|
| 4461 | XMEMSET(args, 0, sizeof(Scv13Args));
|
---|
| 4462 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 4463 | ssl->async.freeArgs = FreeScv13Args;
|
---|
| 4464 | #endif
|
---|
| 4465 | }
|
---|
| 4466 |
|
---|
| 4467 | switch(ssl->options.asyncState)
|
---|
| 4468 | {
|
---|
| 4469 | case TLS_ASYNC_BEGIN:
|
---|
| 4470 | {
|
---|
| 4471 | if (ssl->options.sendVerify == SEND_BLANK_CERT) {
|
---|
| 4472 | return 0; /* sent blank cert, can't verify */
|
---|
| 4473 | }
|
---|
| 4474 |
|
---|
| 4475 | args->sendSz = MAX_CERT_VERIFY_SZ;
|
---|
| 4476 | /* Always encrypted. */
|
---|
| 4477 | args->sendSz += MAX_MSG_EXTRA;
|
---|
| 4478 |
|
---|
| 4479 | /* check for available size */
|
---|
| 4480 | if ((ret = CheckAvailableSize(ssl, args->sendSz)) != 0) {
|
---|
| 4481 | goto exit_scv;
|
---|
| 4482 | }
|
---|
| 4483 |
|
---|
| 4484 | /* get output buffer */
|
---|
| 4485 | args->output = ssl->buffers.outputBuffer.buffer +
|
---|
| 4486 | ssl->buffers.outputBuffer.length;
|
---|
| 4487 |
|
---|
| 4488 | /* Advance state and proceed */
|
---|
| 4489 | ssl->options.asyncState = TLS_ASYNC_BUILD;
|
---|
| 4490 | } /* case TLS_ASYNC_BEGIN */
|
---|
| 4491 | FALL_THROUGH;
|
---|
| 4492 |
|
---|
| 4493 | case TLS_ASYNC_BUILD:
|
---|
| 4494 | {
|
---|
| 4495 | /* idx is used to track verify pointer offset to output */
|
---|
| 4496 | args->idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 4497 | args->verify =
|
---|
| 4498 | &args->output[RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ];
|
---|
| 4499 |
|
---|
| 4500 | ret = DecodePrivateKey(ssl, &args->length);
|
---|
| 4501 | if (ret != 0)
|
---|
| 4502 | goto exit_scv;
|
---|
| 4503 |
|
---|
| 4504 | /* Add signature algorithm. */
|
---|
| 4505 | if (ssl->hsType == DYNAMIC_TYPE_RSA)
|
---|
| 4506 | args->sigAlgo = rsa_pss_sa_algo;
|
---|
| 4507 | else if (ssl->hsType == DYNAMIC_TYPE_ECC)
|
---|
| 4508 | args->sigAlgo = ecc_dsa_sa_algo;
|
---|
| 4509 | #ifdef HAVE_ED25519
|
---|
| 4510 | else if (ssl->hsType == DYNAMIC_TYPE_ED25519)
|
---|
| 4511 | args->sigAlgo = ed25519_sa_algo;
|
---|
| 4512 | #endif
|
---|
| 4513 | EncodeSigAlg(ssl->suites->hashAlgo, args->sigAlgo, args->verify);
|
---|
| 4514 |
|
---|
| 4515 | /* Create the data to be signed. */
|
---|
| 4516 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
|
---|
| 4517 | DYNAMIC_TYPE_SIGNATURE);
|
---|
| 4518 | if (args->sigData == NULL) {
|
---|
| 4519 | ERROR_OUT(MEMORY_E, exit_scv);
|
---|
| 4520 | }
|
---|
| 4521 |
|
---|
| 4522 | ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 0);
|
---|
| 4523 | if (ret != 0)
|
---|
| 4524 | goto exit_scv;
|
---|
| 4525 |
|
---|
| 4526 | #ifndef NO_RSA
|
---|
| 4527 | if (ssl->hsType == DYNAMIC_TYPE_RSA) {
|
---|
| 4528 | /* build encoded signature buffer */
|
---|
| 4529 | sig->length = MAX_ENCODED_SIG_SZ;
|
---|
| 4530 | sig->buffer = (byte*)XMALLOC(sig->length, ssl->heap,
|
---|
| 4531 | DYNAMIC_TYPE_SIGNATURE);
|
---|
| 4532 | if (sig->buffer == NULL) {
|
---|
| 4533 | ERROR_OUT(MEMORY_E, exit_scv);
|
---|
| 4534 | }
|
---|
| 4535 |
|
---|
| 4536 | ret = CreateRSAEncodedSig(sig->buffer, args->sigData,
|
---|
| 4537 | args->sigDataSz, args->sigAlgo, ssl->suites->hashAlgo);
|
---|
| 4538 | if (ret < 0)
|
---|
| 4539 | goto exit_scv;
|
---|
| 4540 | sig->length = ret;
|
---|
| 4541 | ret = 0;
|
---|
| 4542 |
|
---|
| 4543 | /* Maximum size of RSA Signature. */
|
---|
| 4544 | args->sigLen = args->length;
|
---|
| 4545 | }
|
---|
| 4546 | #endif /* !NO_RSA */
|
---|
| 4547 | #ifdef HAVE_ECC
|
---|
| 4548 | if (ssl->hsType == DYNAMIC_TYPE_ECC) {
|
---|
| 4549 | sig->length = args->sendSz - args->idx - HASH_SIG_SIZE -
|
---|
| 4550 | VERIFY_HEADER;
|
---|
| 4551 | ret = CreateECCEncodedSig(args->sigData,
|
---|
| 4552 | args->sigDataSz, ssl->suites->hashAlgo);
|
---|
| 4553 | if (ret < 0)
|
---|
| 4554 | goto exit_scv;
|
---|
| 4555 | args->sigDataSz = ret;
|
---|
| 4556 | ret = 0;
|
---|
| 4557 | }
|
---|
| 4558 | #endif /* HAVE_ECC */
|
---|
| 4559 | #ifdef HAVE_ED25519
|
---|
| 4560 | if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
|
---|
| 4561 | /* Nothing to do */
|
---|
| 4562 | sig->length = ED25519_SIG_SIZE;
|
---|
| 4563 | }
|
---|
| 4564 | #endif /* HAVE_ECC */
|
---|
| 4565 |
|
---|
| 4566 | /* Advance state and proceed */
|
---|
| 4567 | ssl->options.asyncState = TLS_ASYNC_DO;
|
---|
| 4568 | } /* case TLS_ASYNC_BUILD */
|
---|
| 4569 | FALL_THROUGH;
|
---|
| 4570 |
|
---|
| 4571 | case TLS_ASYNC_DO:
|
---|
| 4572 | {
|
---|
| 4573 | #ifdef HAVE_ECC
|
---|
| 4574 | if (ssl->hsType == DYNAMIC_TYPE_ECC) {
|
---|
| 4575 | ret = EccSign(ssl, args->sigData, args->sigDataSz,
|
---|
| 4576 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
|
---|
| 4577 | &sig->length, (ecc_key*)ssl->hsKey,
|
---|
| 4578 | #if defined(HAVE_PK_CALLBACKS)
|
---|
| 4579 | ssl->buffers.key->buffer, ssl->buffers.key->length,
|
---|
| 4580 | ssl->EccSignCtx
|
---|
| 4581 | #else
|
---|
| 4582 | NULL, 0, NULL
|
---|
| 4583 | #endif
|
---|
| 4584 | );
|
---|
| 4585 | args->length = sig->length;
|
---|
| 4586 | }
|
---|
| 4587 | #endif /* HAVE_ECC */
|
---|
| 4588 | #ifdef HAVE_ED25519
|
---|
| 4589 | if (ssl->hsType == DYNAMIC_TYPE_ED25519) {
|
---|
| 4590 | ret = Ed25519Sign(ssl, args->sigData, args->sigDataSz,
|
---|
| 4591 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
|
---|
| 4592 | &sig->length, (ed25519_key*)ssl->hsKey,
|
---|
| 4593 | #if defined(HAVE_PK_CALLBACKS)
|
---|
| 4594 | ssl->buffers.key->buffer, ssl->buffers.key->length,
|
---|
| 4595 | ssl->Ed25519SignCtx
|
---|
| 4596 | #else
|
---|
| 4597 | NULL, 0, NULL
|
---|
| 4598 | #endif
|
---|
| 4599 | );
|
---|
| 4600 | args->length = sig->length;
|
---|
| 4601 | }
|
---|
| 4602 | #endif
|
---|
| 4603 | #ifndef NO_RSA
|
---|
| 4604 | if (ssl->hsType == DYNAMIC_TYPE_RSA) {
|
---|
| 4605 |
|
---|
| 4606 | ret = RsaSign(ssl, sig->buffer, sig->length,
|
---|
| 4607 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER, &args->sigLen,
|
---|
| 4608 | args->sigAlgo, ssl->suites->hashAlgo,
|
---|
| 4609 | (RsaKey*)ssl->hsKey,
|
---|
| 4610 | ssl->buffers.key->buffer, ssl->buffers.key->length,
|
---|
| 4611 | #ifdef HAVE_PK_CALLBACKS
|
---|
| 4612 | ssl->RsaSignCtx
|
---|
| 4613 | #else
|
---|
| 4614 | NULL
|
---|
| 4615 | #endif
|
---|
| 4616 | );
|
---|
| 4617 | args->length = args->sigLen;
|
---|
| 4618 | }
|
---|
| 4619 | #endif /* !NO_RSA */
|
---|
| 4620 |
|
---|
| 4621 | /* Check for error */
|
---|
| 4622 | if (ret != 0) {
|
---|
| 4623 | goto exit_scv;
|
---|
| 4624 | }
|
---|
| 4625 |
|
---|
| 4626 | /* Add signature length. */
|
---|
| 4627 | c16toa(args->length, args->verify + HASH_SIG_SIZE);
|
---|
| 4628 |
|
---|
| 4629 | /* Advance state and proceed */
|
---|
| 4630 | ssl->options.asyncState = TLS_ASYNC_VERIFY;
|
---|
| 4631 | } /* case TLS_ASYNC_DO */
|
---|
| 4632 | FALL_THROUGH;
|
---|
| 4633 |
|
---|
| 4634 | case TLS_ASYNC_VERIFY:
|
---|
| 4635 | {
|
---|
| 4636 | #ifndef NO_RSA
|
---|
| 4637 | if (ssl->hsType == DYNAMIC_TYPE_RSA) {
|
---|
| 4638 | if (args->verifySig == NULL) {
|
---|
| 4639 | args->verifySig = (byte*)XMALLOC(args->sigLen, ssl->heap,
|
---|
| 4640 | DYNAMIC_TYPE_SIGNATURE);
|
---|
| 4641 | if (args->verifySig == NULL) {
|
---|
| 4642 | ERROR_OUT(MEMORY_E, exit_scv);
|
---|
| 4643 | }
|
---|
| 4644 | XMEMCPY(args->verifySig,
|
---|
| 4645 | args->verify + HASH_SIG_SIZE + VERIFY_HEADER,
|
---|
| 4646 | args->sigLen);
|
---|
| 4647 | }
|
---|
| 4648 |
|
---|
| 4649 | /* check for signature faults */
|
---|
| 4650 | ret = VerifyRsaSign(ssl, args->verifySig, args->sigLen,
|
---|
| 4651 | sig->buffer, sig->length, args->sigAlgo,
|
---|
| 4652 | ssl->suites->hashAlgo, (RsaKey*)ssl->hsKey);
|
---|
| 4653 | }
|
---|
| 4654 | #endif /* !NO_RSA */
|
---|
| 4655 |
|
---|
| 4656 | /* Check for error */
|
---|
| 4657 | if (ret != 0) {
|
---|
| 4658 | goto exit_scv;
|
---|
| 4659 | }
|
---|
| 4660 |
|
---|
| 4661 | /* Advance state and proceed */
|
---|
| 4662 | ssl->options.asyncState = TLS_ASYNC_FINALIZE;
|
---|
| 4663 | } /* case TLS_ASYNC_VERIFY */
|
---|
| 4664 | FALL_THROUGH;
|
---|
| 4665 |
|
---|
| 4666 | case TLS_ASYNC_FINALIZE:
|
---|
| 4667 | {
|
---|
| 4668 | /* Put the record and handshake headers on. */
|
---|
| 4669 | AddTls13Headers(args->output, args->length + HASH_SIG_SIZE +
|
---|
| 4670 | VERIFY_HEADER, certificate_verify, ssl);
|
---|
| 4671 |
|
---|
| 4672 | args->sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ +
|
---|
| 4673 | args->length + HASH_SIG_SIZE + VERIFY_HEADER;
|
---|
| 4674 |
|
---|
| 4675 | /* Advance state and proceed */
|
---|
| 4676 | ssl->options.asyncState = TLS_ASYNC_END;
|
---|
| 4677 | } /* case TLS_ASYNC_FINALIZE */
|
---|
| 4678 | FALL_THROUGH;
|
---|
| 4679 |
|
---|
| 4680 | case TLS_ASYNC_END:
|
---|
| 4681 | {
|
---|
| 4682 | /* This message is always encrypted. */
|
---|
| 4683 | ret = BuildTls13Message(ssl, args->output,
|
---|
| 4684 | MAX_CERT_VERIFY_SZ + MAX_MSG_EXTRA,
|
---|
| 4685 | args->output + RECORD_HEADER_SZ,
|
---|
| 4686 | args->sendSz - RECORD_HEADER_SZ, handshake,
|
---|
| 4687 | 1, 0, 0);
|
---|
| 4688 |
|
---|
| 4689 | if (ret < 0) {
|
---|
| 4690 | goto exit_scv;
|
---|
| 4691 | }
|
---|
| 4692 | else {
|
---|
| 4693 | args->sendSz = ret;
|
---|
| 4694 | ret = 0;
|
---|
| 4695 | }
|
---|
| 4696 |
|
---|
| 4697 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 4698 | if (ssl->hsInfoOn)
|
---|
| 4699 | AddPacketName("CertificateVerify", &ssl->handShakeInfo);
|
---|
| 4700 | if (ssl->toInfoOn) {
|
---|
| 4701 | AddPacketInfo("CertificateVerify", &ssl->timeoutInfo,
|
---|
| 4702 | args->output, args->sendSz, ssl->heap);
|
---|
| 4703 | }
|
---|
| 4704 | #endif
|
---|
| 4705 |
|
---|
| 4706 | ssl->buffers.outputBuffer.length += args->sendSz;
|
---|
| 4707 |
|
---|
| 4708 | if (!ssl->options.groupMessages)
|
---|
| 4709 | ret = SendBuffered(ssl);
|
---|
| 4710 | break;
|
---|
| 4711 | }
|
---|
| 4712 | default:
|
---|
| 4713 | ret = INPUT_CASE_ERROR;
|
---|
| 4714 | } /* switch(ssl->options.asyncState) */
|
---|
| 4715 |
|
---|
| 4716 | exit_scv:
|
---|
| 4717 |
|
---|
| 4718 | WOLFSSL_LEAVE("SendTls13CertificateVerify", ret);
|
---|
| 4719 |
|
---|
| 4720 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 4721 | /* Handle async operation */
|
---|
| 4722 | if (ret == WC_PENDING_E) {
|
---|
| 4723 | return ret;
|
---|
| 4724 | }
|
---|
| 4725 | #endif /* WOLFSSL_ASYNC_CRYPT */
|
---|
| 4726 |
|
---|
| 4727 | /* Final cleanup */
|
---|
| 4728 | FreeScv13Args(ssl, args);
|
---|
| 4729 | FreeKeyExchange(ssl);
|
---|
| 4730 |
|
---|
| 4731 | return ret;
|
---|
| 4732 | }
|
---|
| 4733 |
|
---|
| 4734 |
|
---|
| 4735 | /* Parse and handle a TLS v1.3 Certificate message.
|
---|
| 4736 | *
|
---|
| 4737 | * ssl The SSL/TLS object.
|
---|
| 4738 | * input The message buffer.
|
---|
| 4739 | * inOutIdx On entry, the index into the message buffer of Certificate.
|
---|
| 4740 | * On exit, the index of byte after the Certificate message.
|
---|
| 4741 | * totalSz The length of the current handshake message.
|
---|
| 4742 | * returns 0 on success and otherwise failure.
|
---|
| 4743 | */
|
---|
| 4744 | static int DoTls13Certificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
---|
| 4745 | word32 totalSz)
|
---|
| 4746 | {
|
---|
| 4747 | int ret;
|
---|
| 4748 |
|
---|
| 4749 | WOLFSSL_ENTER("DoTls13Certificate");
|
---|
| 4750 |
|
---|
| 4751 | ret = ProcessPeerCerts(ssl, input, inOutIdx, totalSz);
|
---|
| 4752 |
|
---|
| 4753 | #if !defined(NO_WOLFSSL_SERVER) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
|
---|
| 4754 | if (ret == 0 && ssl->options.side == WOLFSSL_SERVER_END &&
|
---|
| 4755 | ssl->options.handShakeState == HANDSHAKE_DONE) {
|
---|
| 4756 | /* reset handshake states */
|
---|
| 4757 | ssl->options.serverState = SERVER_FINISHED_COMPLETE;
|
---|
| 4758 | ssl->options.acceptState = TICKET_SENT;
|
---|
| 4759 | ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
|
---|
| 4760 | }
|
---|
| 4761 | #endif
|
---|
| 4762 |
|
---|
| 4763 | WOLFSSL_LEAVE("DoTls13Certificate", ret);
|
---|
| 4764 |
|
---|
| 4765 | return ret;
|
---|
| 4766 | }
|
---|
| 4767 |
|
---|
| 4768 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519)
|
---|
| 4769 |
|
---|
| 4770 | typedef struct Dcv13Args {
|
---|
| 4771 | byte* output; /* not allocated */
|
---|
| 4772 | word32 sendSz;
|
---|
| 4773 | word16 sz;
|
---|
| 4774 | word32 sigSz;
|
---|
| 4775 | word32 idx;
|
---|
| 4776 | word32 begin;
|
---|
| 4777 | byte hashAlgo;
|
---|
| 4778 | byte sigAlgo;
|
---|
| 4779 |
|
---|
| 4780 | byte* sigData;
|
---|
| 4781 | word16 sigDataSz;
|
---|
| 4782 | } Dcv13Args;
|
---|
| 4783 |
|
---|
| 4784 | static void FreeDcv13Args(WOLFSSL* ssl, void* pArgs)
|
---|
| 4785 | {
|
---|
| 4786 | Dcv13Args* args = (Dcv13Args*)pArgs;
|
---|
| 4787 |
|
---|
| 4788 | if (args->sigData != NULL) {
|
---|
| 4789 | XFREE(args->sigData, ssl->heap, DYNAMIC_TYPE_SIGNATURE);
|
---|
| 4790 | args->sigData = NULL;
|
---|
| 4791 | }
|
---|
| 4792 |
|
---|
| 4793 | (void)ssl;
|
---|
| 4794 | }
|
---|
| 4795 |
|
---|
| 4796 | /* Parse and handle a TLS v1.3 CertificateVerify message.
|
---|
| 4797 | *
|
---|
| 4798 | * ssl The SSL/TLS object.
|
---|
| 4799 | * input The message buffer.
|
---|
| 4800 | * inOutIdx On entry, the index into the message buffer of
|
---|
| 4801 | * CertificateVerify.
|
---|
| 4802 | * On exit, the index of byte after the CertificateVerify message.
|
---|
| 4803 | * totalSz The length of the current handshake message.
|
---|
| 4804 | * returns 0 on success and otherwise failure.
|
---|
| 4805 | */
|
---|
| 4806 | static int DoTls13CertificateVerify(WOLFSSL* ssl, byte* input,
|
---|
| 4807 | word32* inOutIdx, word32 totalSz)
|
---|
| 4808 | {
|
---|
| 4809 | int ret = 0;
|
---|
| 4810 | buffer* sig = &ssl->buffers.sig;
|
---|
| 4811 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 4812 | Dcv13Args* args = (Dcv13Args*)ssl->async.args;
|
---|
| 4813 | typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
|
---|
| 4814 | (void)sizeof(args_test);
|
---|
| 4815 | #else
|
---|
| 4816 | Dcv13Args args[1];
|
---|
| 4817 | #endif
|
---|
| 4818 |
|
---|
| 4819 | WOLFSSL_ENTER("DoTls13CertificateVerify");
|
---|
| 4820 |
|
---|
| 4821 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 4822 | ret = wolfSSL_AsyncPop(ssl, &ssl->options.asyncState);
|
---|
| 4823 | if (ret != WC_NOT_PENDING_E) {
|
---|
| 4824 | /* Check for error */
|
---|
| 4825 | if (ret < 0)
|
---|
| 4826 | goto exit_dcv;
|
---|
| 4827 | }
|
---|
| 4828 | else
|
---|
| 4829 | #endif
|
---|
| 4830 | {
|
---|
| 4831 | /* Reset state */
|
---|
| 4832 | ret = 0;
|
---|
| 4833 | ssl->options.asyncState = TLS_ASYNC_BEGIN;
|
---|
| 4834 | XMEMSET(args, 0, sizeof(Dcv13Args));
|
---|
| 4835 | args->hashAlgo = sha_mac;
|
---|
| 4836 | args->sigAlgo = anonymous_sa_algo;
|
---|
| 4837 | args->idx = *inOutIdx;
|
---|
| 4838 | args->begin = *inOutIdx;
|
---|
| 4839 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 4840 | ssl->async.freeArgs = FreeDcv13Args;
|
---|
| 4841 | #endif
|
---|
| 4842 | }
|
---|
| 4843 |
|
---|
| 4844 | switch(ssl->options.asyncState)
|
---|
| 4845 | {
|
---|
| 4846 | case TLS_ASYNC_BEGIN:
|
---|
| 4847 | {
|
---|
| 4848 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 4849 | if (ssl->hsInfoOn) AddPacketName("CertificateVerify",
|
---|
| 4850 | &ssl->handShakeInfo);
|
---|
| 4851 | if (ssl->toInfoOn) AddLateName("CertificateVerify",
|
---|
| 4852 | &ssl->timeoutInfo);
|
---|
| 4853 | #endif
|
---|
| 4854 |
|
---|
| 4855 | /* Advance state and proceed */
|
---|
| 4856 | ssl->options.asyncState = TLS_ASYNC_BUILD;
|
---|
| 4857 | } /* case TLS_ASYNC_BEGIN */
|
---|
| 4858 | FALL_THROUGH;
|
---|
| 4859 |
|
---|
| 4860 | case TLS_ASYNC_BUILD:
|
---|
| 4861 | {
|
---|
| 4862 | /* Signature algorithm. */
|
---|
| 4863 | if ((args->idx - args->begin) + ENUM_LEN + ENUM_LEN > totalSz) {
|
---|
| 4864 | ERROR_OUT(BUFFER_ERROR, exit_dcv);
|
---|
| 4865 | }
|
---|
| 4866 | DecodeSigAlg(input + args->idx, &args->hashAlgo, &args->sigAlgo);
|
---|
| 4867 | args->idx += OPAQUE16_LEN;
|
---|
| 4868 |
|
---|
| 4869 | /* Signature length. */
|
---|
| 4870 | if ((args->idx - args->begin) + OPAQUE16_LEN > totalSz) {
|
---|
| 4871 | ERROR_OUT(BUFFER_ERROR, exit_dcv);
|
---|
| 4872 | }
|
---|
| 4873 | ato16(input + args->idx, &args->sz);
|
---|
| 4874 | args->idx += OPAQUE16_LEN;
|
---|
| 4875 |
|
---|
| 4876 | /* Signature data. */
|
---|
| 4877 | if ((args->idx - args->begin) + args->sz > totalSz ||
|
---|
| 4878 | args->sz > ENCRYPT_LEN) {
|
---|
| 4879 | ERROR_OUT(BUFFER_ERROR, exit_dcv);
|
---|
| 4880 | }
|
---|
| 4881 |
|
---|
| 4882 | /* Check for public key of required type. */
|
---|
| 4883 | #ifdef HAVE_ED25519
|
---|
| 4884 | if (args->sigAlgo == ed25519_sa_algo &&
|
---|
| 4885 | !ssl->peerEd25519KeyPresent) {
|
---|
| 4886 | WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
|
---|
| 4887 | }
|
---|
| 4888 | #endif
|
---|
| 4889 | #ifdef HAVE_ECC
|
---|
| 4890 | if (args->sigAlgo == ecc_dsa_sa_algo &&
|
---|
| 4891 | !ssl->peerEccDsaKeyPresent) {
|
---|
| 4892 | WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
|
---|
| 4893 | }
|
---|
| 4894 | #endif
|
---|
| 4895 | #ifndef NO_RSA
|
---|
| 4896 | if ((args->sigAlgo == rsa_sa_algo ||
|
---|
| 4897 | args->sigAlgo == rsa_pss_sa_algo) &&
|
---|
| 4898 | (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
|
---|
| 4899 | WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
|
---|
| 4900 | }
|
---|
| 4901 | #endif
|
---|
| 4902 |
|
---|
| 4903 | sig->buffer = (byte*)XMALLOC(args->sz, ssl->heap,
|
---|
| 4904 | DYNAMIC_TYPE_SIGNATURE);
|
---|
| 4905 | if (sig->buffer == NULL) {
|
---|
| 4906 | ERROR_OUT(MEMORY_E, exit_dcv);
|
---|
| 4907 | }
|
---|
| 4908 | sig->length = args->sz;
|
---|
| 4909 | XMEMCPY(sig->buffer, input + args->idx, args->sz);
|
---|
| 4910 |
|
---|
| 4911 | #ifdef HAVE_ECC
|
---|
| 4912 | if (ssl->peerEccDsaKeyPresent) {
|
---|
| 4913 | WOLFSSL_MSG("Doing ECC peer cert verify");
|
---|
| 4914 |
|
---|
| 4915 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
|
---|
| 4916 | DYNAMIC_TYPE_SIGNATURE);
|
---|
| 4917 | if (args->sigData == NULL) {
|
---|
| 4918 | ERROR_OUT(MEMORY_E, exit_dcv);
|
---|
| 4919 | }
|
---|
| 4920 |
|
---|
| 4921 | ret = CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
|
---|
| 4922 | if (ret != 0)
|
---|
| 4923 | goto exit_dcv;
|
---|
| 4924 | ret = CreateECCEncodedSig(args->sigData,
|
---|
| 4925 | args->sigDataSz, args->hashAlgo);
|
---|
| 4926 | if (ret < 0)
|
---|
| 4927 | goto exit_dcv;
|
---|
| 4928 | args->sigDataSz = ret;
|
---|
| 4929 | ret = 0;
|
---|
| 4930 | }
|
---|
| 4931 | #endif
|
---|
| 4932 | #ifdef HAVE_ED25519
|
---|
| 4933 | if (ssl->peerEd25519KeyPresent) {
|
---|
| 4934 | WOLFSSL_MSG("Doing ED25519 peer cert verify");
|
---|
| 4935 |
|
---|
| 4936 | args->sigData = (byte*)XMALLOC(MAX_SIG_DATA_SZ, ssl->heap,
|
---|
| 4937 | DYNAMIC_TYPE_SIGNATURE);
|
---|
| 4938 | if (args->sigData == NULL) {
|
---|
| 4939 | ERROR_OUT(MEMORY_E, exit_dcv);
|
---|
| 4940 | }
|
---|
| 4941 |
|
---|
| 4942 | CreateSigData(ssl, args->sigData, &args->sigDataSz, 1);
|
---|
| 4943 | ret = 0;
|
---|
| 4944 | }
|
---|
| 4945 | #endif
|
---|
| 4946 |
|
---|
| 4947 | /* Advance state and proceed */
|
---|
| 4948 | ssl->options.asyncState = TLS_ASYNC_DO;
|
---|
| 4949 | } /* case TLS_ASYNC_BUILD */
|
---|
| 4950 | FALL_THROUGH;
|
---|
| 4951 |
|
---|
| 4952 | case TLS_ASYNC_DO:
|
---|
| 4953 | {
|
---|
| 4954 | #ifndef NO_RSA
|
---|
| 4955 | if (args->sigAlgo == rsa_sa_algo ||
|
---|
| 4956 | args->sigAlgo == rsa_pss_sa_algo) {
|
---|
| 4957 | WOLFSSL_MSG("Doing RSA peer cert verify");
|
---|
| 4958 |
|
---|
| 4959 | ret = RsaVerify(ssl, sig->buffer, sig->length, &args->output,
|
---|
| 4960 | args->sigAlgo, args->hashAlgo, ssl->peerRsaKey,
|
---|
| 4961 | #ifdef HAVE_PK_CALLBACKS
|
---|
| 4962 | ssl->buffers.peerRsaKey.buffer,
|
---|
| 4963 | ssl->buffers.peerRsaKey.length,
|
---|
| 4964 | ssl->RsaVerifyCtx
|
---|
| 4965 | #else
|
---|
| 4966 | NULL, 0, NULL
|
---|
| 4967 | #endif
|
---|
| 4968 | );
|
---|
| 4969 | if (ret >= 0) {
|
---|
| 4970 | args->sendSz = ret;
|
---|
| 4971 | ret = 0;
|
---|
| 4972 | }
|
---|
| 4973 | }
|
---|
| 4974 | #endif /* !NO_RSA */
|
---|
| 4975 | #ifdef HAVE_ECC
|
---|
| 4976 | if (ssl->peerEccDsaKeyPresent) {
|
---|
| 4977 | WOLFSSL_MSG("Doing ECC peer cert verify");
|
---|
| 4978 |
|
---|
| 4979 | ret = EccVerify(ssl, input + args->idx, args->sz,
|
---|
| 4980 | args->sigData, args->sigDataSz,
|
---|
| 4981 | ssl->peerEccDsaKey,
|
---|
| 4982 | #ifdef HAVE_PK_CALLBACKS
|
---|
| 4983 | ssl->buffers.peerEccDsaKey.buffer,
|
---|
| 4984 | ssl->buffers.peerEccDsaKey.length,
|
---|
| 4985 | ssl->EccVerifyCtx
|
---|
| 4986 | #else
|
---|
| 4987 | NULL, 0, NULL
|
---|
| 4988 | #endif
|
---|
| 4989 | );
|
---|
| 4990 | }
|
---|
| 4991 | #endif /* HAVE_ECC */
|
---|
| 4992 | #ifdef HAVE_ED25519
|
---|
| 4993 | if (ssl->peerEd25519KeyPresent) {
|
---|
| 4994 | WOLFSSL_MSG("Doing ED25519 peer cert verify");
|
---|
| 4995 |
|
---|
| 4996 | ret = Ed25519Verify(ssl, input + args->idx, args->sz,
|
---|
| 4997 | args->sigData, args->sigDataSz,
|
---|
| 4998 | ssl->peerEd25519Key,
|
---|
| 4999 | #ifdef HAVE_PK_CALLBACKS
|
---|
| 5000 | ssl->buffers.peerEd25519Key.buffer,
|
---|
| 5001 | ssl->buffers.peerEd25519Key.length,
|
---|
| 5002 | ssl->Ed25519VerifyCtx
|
---|
| 5003 | #else
|
---|
| 5004 | NULL, 0, NULL
|
---|
| 5005 | #endif
|
---|
| 5006 | );
|
---|
| 5007 | }
|
---|
| 5008 | #endif
|
---|
| 5009 |
|
---|
| 5010 | /* Check for error */
|
---|
| 5011 | if (ret != 0) {
|
---|
| 5012 | goto exit_dcv;
|
---|
| 5013 | }
|
---|
| 5014 |
|
---|
| 5015 | /* Advance state and proceed */
|
---|
| 5016 | ssl->options.asyncState = TLS_ASYNC_VERIFY;
|
---|
| 5017 | } /* case TLS_ASYNC_DO */
|
---|
| 5018 | FALL_THROUGH;
|
---|
| 5019 |
|
---|
| 5020 | case TLS_ASYNC_VERIFY:
|
---|
| 5021 | {
|
---|
| 5022 | #ifndef NO_RSA
|
---|
| 5023 | if (ssl->peerRsaKey != NULL && ssl->peerRsaKeyPresent != 0) {
|
---|
| 5024 | ret = CheckRSASignature(ssl, args->sigAlgo, args->hashAlgo,
|
---|
| 5025 | args->output, args->sendSz);
|
---|
| 5026 | if (ret != 0)
|
---|
| 5027 | goto exit_dcv;
|
---|
| 5028 | }
|
---|
| 5029 | #endif /* !NO_RSA */
|
---|
| 5030 |
|
---|
| 5031 | /* Advance state and proceed */
|
---|
| 5032 | ssl->options.asyncState = TLS_ASYNC_FINALIZE;
|
---|
| 5033 | } /* case TLS_ASYNC_VERIFY */
|
---|
| 5034 | FALL_THROUGH;
|
---|
| 5035 |
|
---|
| 5036 | case TLS_ASYNC_FINALIZE:
|
---|
| 5037 | {
|
---|
| 5038 | ssl->options.havePeerVerify = 1;
|
---|
| 5039 |
|
---|
| 5040 | /* Set final index */
|
---|
| 5041 | args->idx += args->sz;
|
---|
| 5042 | *inOutIdx = args->idx;
|
---|
| 5043 |
|
---|
| 5044 | /* Encryption is always on: add padding */
|
---|
| 5045 | *inOutIdx += ssl->keys.padSz;
|
---|
| 5046 |
|
---|
| 5047 | /* Advance state and proceed */
|
---|
| 5048 | ssl->options.asyncState = TLS_ASYNC_END;
|
---|
| 5049 | } /* case TLS_ASYNC_FINALIZE */
|
---|
| 5050 |
|
---|
| 5051 | case TLS_ASYNC_END:
|
---|
| 5052 | {
|
---|
| 5053 | break;
|
---|
| 5054 | }
|
---|
| 5055 | default:
|
---|
| 5056 | ret = INPUT_CASE_ERROR;
|
---|
| 5057 | } /* switch(ssl->options.asyncState) */
|
---|
| 5058 |
|
---|
| 5059 | exit_dcv:
|
---|
| 5060 |
|
---|
| 5061 | WOLFSSL_LEAVE("DoTls13CertificateVerify", ret);
|
---|
| 5062 |
|
---|
| 5063 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 5064 | /* Handle async operation */
|
---|
| 5065 | if (ret == WC_PENDING_E) {
|
---|
| 5066 | /* Mark message as not recevied so it can process again */
|
---|
| 5067 | ssl->msgsReceived.got_certificate_verify = 0;
|
---|
| 5068 |
|
---|
| 5069 | return ret;
|
---|
| 5070 | }
|
---|
| 5071 | #endif /* WOLFSSL_ASYNC_CRYPT */
|
---|
| 5072 |
|
---|
| 5073 | /* Final cleanup */
|
---|
| 5074 | FreeDcv13Args(ssl, args);
|
---|
| 5075 | FreeKeyExchange(ssl);
|
---|
| 5076 |
|
---|
| 5077 | return ret;
|
---|
| 5078 | }
|
---|
| 5079 | #endif /* !NO_RSA || HAVE_ECC */
|
---|
| 5080 |
|
---|
| 5081 | /* Parse and handle a TLS v1.3 Finished message.
|
---|
| 5082 | *
|
---|
| 5083 | * ssl The SSL/TLS object.
|
---|
| 5084 | * input The message buffer.
|
---|
| 5085 | * inOutIdx On entry, the index into the message buffer of Finished.
|
---|
| 5086 | * On exit, the index of byte after the Finished message and padding.
|
---|
| 5087 | * size Length of message data.
|
---|
| 5088 | * totalSz Length of remaining data in the message buffer.
|
---|
| 5089 | * sniff Indicates whether we are sniffing packets.
|
---|
| 5090 | * returns 0 on success and otherwise failure.
|
---|
| 5091 | */
|
---|
| 5092 | static int DoTls13Finished(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
---|
| 5093 | word32 size, word32 totalSz, int sniff)
|
---|
| 5094 | {
|
---|
| 5095 | int ret;
|
---|
| 5096 | word32 finishedSz = 0;
|
---|
| 5097 | byte* secret;
|
---|
| 5098 | byte mac[MAX_DIGEST_SIZE];
|
---|
| 5099 |
|
---|
| 5100 | WOLFSSL_ENTER("DoTls13Finished");
|
---|
| 5101 |
|
---|
| 5102 | /* check against totalSz */
|
---|
| 5103 | if (*inOutIdx + size + ssl->keys.padSz > totalSz)
|
---|
| 5104 | return BUFFER_E;
|
---|
| 5105 |
|
---|
| 5106 | if (ssl->options.side == WOLFSSL_CLIENT_END) {
|
---|
| 5107 | /* All the handshake messages have been received to calculate
|
---|
| 5108 | * client and server finished keys.
|
---|
| 5109 | */
|
---|
| 5110 | ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
|
---|
| 5111 | ssl->keys.client_write_MAC_secret);
|
---|
| 5112 | if (ret != 0)
|
---|
| 5113 | return ret;
|
---|
| 5114 |
|
---|
| 5115 | ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
|
---|
| 5116 | ssl->keys.server_write_MAC_secret);
|
---|
| 5117 | if (ret != 0)
|
---|
| 5118 | return ret;
|
---|
| 5119 |
|
---|
| 5120 | secret = ssl->keys.server_write_MAC_secret;
|
---|
| 5121 | }
|
---|
| 5122 | else
|
---|
| 5123 | secret = ssl->keys.client_write_MAC_secret;
|
---|
| 5124 |
|
---|
| 5125 | ret = BuildTls13HandshakeHmac(ssl, secret, mac, &finishedSz);
|
---|
| 5126 | if (ret != 0)
|
---|
| 5127 | return ret;
|
---|
| 5128 | if (size != finishedSz)
|
---|
| 5129 | return BUFFER_ERROR;
|
---|
| 5130 |
|
---|
| 5131 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 5132 | if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
|
---|
| 5133 | if (ssl->toInfoOn) AddLateName("Finished", &ssl->timeoutInfo);
|
---|
| 5134 | #endif
|
---|
| 5135 |
|
---|
| 5136 | if (sniff == NO_SNIFF) {
|
---|
| 5137 | /* Actually check verify data. */
|
---|
| 5138 | if (XMEMCMP(input + *inOutIdx, mac, size) != 0){
|
---|
| 5139 | WOLFSSL_MSG("Verify finished error on hashes");
|
---|
| 5140 | return VERIFY_FINISHED_ERROR;
|
---|
| 5141 | }
|
---|
| 5142 | }
|
---|
| 5143 |
|
---|
| 5144 | /* Force input exhaustion at ProcessReply by consuming padSz. */
|
---|
| 5145 | *inOutIdx += size + ssl->keys.padSz;
|
---|
| 5146 |
|
---|
| 5147 | if (ssl->options.side == WOLFSSL_SERVER_END &&
|
---|
| 5148 | !ssl->options.handShakeDone) {
|
---|
| 5149 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5150 | if (ssl->earlyData) {
|
---|
| 5151 | if ((ret = DeriveTls13Keys(ssl, no_key, DECRYPT_SIDE_ONLY, 1)) != 0)
|
---|
| 5152 | return ret;
|
---|
| 5153 | }
|
---|
| 5154 | #endif
|
---|
| 5155 | /* Setup keys for application data messages from client. */
|
---|
| 5156 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
|
---|
| 5157 | return ret;
|
---|
| 5158 | }
|
---|
| 5159 |
|
---|
| 5160 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5161 | if (ssl->options.side == WOLFSSL_CLIENT_END)
|
---|
| 5162 | ssl->options.serverState = SERVER_FINISHED_COMPLETE;
|
---|
| 5163 | #endif
|
---|
| 5164 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 5165 | if (ssl->options.side == WOLFSSL_SERVER_END) {
|
---|
| 5166 | ssl->options.clientState = CLIENT_FINISHED_COMPLETE;
|
---|
| 5167 | ssl->options.handShakeState = HANDSHAKE_DONE;
|
---|
| 5168 | ssl->options.handShakeDone = 1;
|
---|
| 5169 | }
|
---|
| 5170 | #endif
|
---|
| 5171 |
|
---|
| 5172 | WOLFSSL_LEAVE("DoTls13Finished", 0);
|
---|
| 5173 |
|
---|
| 5174 | return 0;
|
---|
| 5175 | }
|
---|
| 5176 | #endif /* NO_CERTS */
|
---|
| 5177 |
|
---|
| 5178 | /* Send the TLS v1.3 Finished message.
|
---|
| 5179 | *
|
---|
| 5180 | * ssl The SSL/TLS object.
|
---|
| 5181 | * returns 0 on success, otherwise failure.
|
---|
| 5182 | */
|
---|
| 5183 | static int SendTls13Finished(WOLFSSL* ssl)
|
---|
| 5184 | {
|
---|
| 5185 | int sendSz;
|
---|
| 5186 | int finishedSz = ssl->specs.hash_size;
|
---|
| 5187 | byte* input;
|
---|
| 5188 | byte* output;
|
---|
| 5189 | int ret;
|
---|
| 5190 | int headerSz = HANDSHAKE_HEADER_SZ;
|
---|
| 5191 | int outputSz;
|
---|
| 5192 | byte* secret;
|
---|
| 5193 |
|
---|
| 5194 | WOLFSSL_ENTER("SendTls13Finished");
|
---|
| 5195 |
|
---|
| 5196 | outputSz = MAX_DIGEST_SIZE + DTLS_HANDSHAKE_HEADER_SZ + MAX_MSG_EXTRA;
|
---|
| 5197 | /* Check buffers are big enough and grow if needed. */
|
---|
| 5198 | if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
|
---|
| 5199 | return ret;
|
---|
| 5200 |
|
---|
| 5201 | /* get output buffer */
|
---|
| 5202 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 5203 | ssl->buffers.outputBuffer.length;
|
---|
| 5204 | input = output + RECORD_HEADER_SZ;
|
---|
| 5205 |
|
---|
| 5206 | AddTls13HandShakeHeader(input, finishedSz, 0, finishedSz, finished, ssl);
|
---|
| 5207 |
|
---|
| 5208 | /* make finished hashes */
|
---|
| 5209 | if (ssl->options.side == WOLFSSL_CLIENT_END)
|
---|
| 5210 | secret = ssl->keys.client_write_MAC_secret;
|
---|
| 5211 | else {
|
---|
| 5212 | /* All the handshake messages have been done to calculate client and
|
---|
| 5213 | * server finished keys.
|
---|
| 5214 | */
|
---|
| 5215 | ret = DeriveFinishedSecret(ssl, ssl->arrays->clientSecret,
|
---|
| 5216 | ssl->keys.client_write_MAC_secret);
|
---|
| 5217 | if (ret != 0)
|
---|
| 5218 | return ret;
|
---|
| 5219 |
|
---|
| 5220 | ret = DeriveFinishedSecret(ssl, ssl->arrays->serverSecret,
|
---|
| 5221 | ssl->keys.server_write_MAC_secret);
|
---|
| 5222 | if (ret != 0)
|
---|
| 5223 | return ret;
|
---|
| 5224 |
|
---|
| 5225 | secret = ssl->keys.server_write_MAC_secret;
|
---|
| 5226 | }
|
---|
| 5227 | ret = BuildTls13HandshakeHmac(ssl, secret, &input[headerSz], NULL);
|
---|
| 5228 | if (ret != 0)
|
---|
| 5229 | return ret;
|
---|
| 5230 |
|
---|
| 5231 | /* This message is always encrypted. */
|
---|
| 5232 | sendSz = BuildTls13Message(ssl, output, outputSz, input,
|
---|
| 5233 | headerSz + finishedSz, handshake, 1, 0, 0);
|
---|
| 5234 | if (sendSz < 0)
|
---|
| 5235 | return BUILD_MSG_ERROR;
|
---|
| 5236 |
|
---|
| 5237 | if (!ssl->options.resuming) {
|
---|
| 5238 | #ifndef NO_SESSION_CACHE
|
---|
| 5239 | AddSession(ssl); /* just try */
|
---|
| 5240 | #endif
|
---|
| 5241 | }
|
---|
| 5242 |
|
---|
| 5243 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 5244 | if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
|
---|
| 5245 | if (ssl->toInfoOn) {
|
---|
| 5246 | AddPacketInfo("Finished", &ssl->timeoutInfo, output, sendSz,
|
---|
| 5247 | ssl->heap);
|
---|
| 5248 | }
|
---|
| 5249 | #endif
|
---|
| 5250 |
|
---|
| 5251 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 5252 |
|
---|
| 5253 | if ((ret = SendBuffered(ssl)) != 0)
|
---|
| 5254 | return ret;
|
---|
| 5255 |
|
---|
| 5256 | if (ssl->options.side == WOLFSSL_SERVER_END) {
|
---|
| 5257 | /* Can send application data now. */
|
---|
| 5258 | if ((ret = DeriveMasterSecret(ssl)) != 0)
|
---|
| 5259 | return ret;
|
---|
| 5260 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5261 | if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_SIDE_ONLY, 1))
|
---|
| 5262 | != 0) {
|
---|
| 5263 | return ret;
|
---|
| 5264 | }
|
---|
| 5265 | if ((ret = DeriveTls13Keys(ssl, traffic_key, DECRYPT_SIDE_ONLY,
|
---|
| 5266 | !ssl->earlyData)) != 0) {
|
---|
| 5267 | return ret;
|
---|
| 5268 | }
|
---|
| 5269 | #else
|
---|
| 5270 | if ((ret = DeriveTls13Keys(ssl, traffic_key, ENCRYPT_AND_DECRYPT_SIDE,
|
---|
| 5271 | 1)) != 0) {
|
---|
| 5272 | return ret;
|
---|
| 5273 | }
|
---|
| 5274 | #endif
|
---|
| 5275 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
|
---|
| 5276 | return ret;
|
---|
| 5277 | }
|
---|
| 5278 |
|
---|
| 5279 | if (ssl->options.side == WOLFSSL_CLIENT_END &&
|
---|
| 5280 | !ssl->options.handShakeDone) {
|
---|
| 5281 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5282 | if (ssl->earlyData) {
|
---|
| 5283 | if ((ret = DeriveTls13Keys(ssl, no_key, ENCRYPT_AND_DECRYPT_SIDE,
|
---|
| 5284 | 1)) != 0) {
|
---|
| 5285 | return ret;
|
---|
| 5286 | }
|
---|
| 5287 | }
|
---|
| 5288 | #endif
|
---|
| 5289 | /* Setup keys for application data messages. */
|
---|
| 5290 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
|
---|
| 5291 | return ret;
|
---|
| 5292 |
|
---|
| 5293 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 5294 | ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
|
---|
| 5295 | #endif
|
---|
| 5296 | }
|
---|
| 5297 |
|
---|
| 5298 | if (ssl->options.resuming) {
|
---|
| 5299 | if (ssl->options.side == WOLFSSL_CLIENT_END) {
|
---|
| 5300 | ssl->options.handShakeState = HANDSHAKE_DONE;
|
---|
| 5301 | ssl->options.handShakeDone = 1;
|
---|
| 5302 | }
|
---|
| 5303 | }
|
---|
| 5304 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5305 | if (ssl->options.side == WOLFSSL_CLIENT_END) {
|
---|
| 5306 | if (!ssl->options.resuming) {
|
---|
| 5307 | ssl->options.handShakeState = HANDSHAKE_DONE;
|
---|
| 5308 | ssl->options.handShakeDone = 1;
|
---|
| 5309 | }
|
---|
| 5310 | }
|
---|
| 5311 | #endif
|
---|
| 5312 |
|
---|
| 5313 | WOLFSSL_LEAVE("SendTls13Finished", ret);
|
---|
| 5314 |
|
---|
| 5315 | return ret;
|
---|
| 5316 | }
|
---|
| 5317 |
|
---|
| 5318 | /* Send the TLS v1.3 KeyUpdate message.
|
---|
| 5319 | *
|
---|
| 5320 | * ssl The SSL/TLS object.
|
---|
| 5321 | * returns 0 on success, otherwise failure.
|
---|
| 5322 | */
|
---|
| 5323 | static int SendTls13KeyUpdate(WOLFSSL* ssl)
|
---|
| 5324 | {
|
---|
| 5325 | int sendSz;
|
---|
| 5326 | byte* input;
|
---|
| 5327 | byte* output;
|
---|
| 5328 | int ret;
|
---|
| 5329 | int headerSz = HANDSHAKE_HEADER_SZ;
|
---|
| 5330 | int outputSz;
|
---|
| 5331 | word32 i = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 5332 |
|
---|
| 5333 | WOLFSSL_ENTER("SendTls13KeyUpdate");
|
---|
| 5334 |
|
---|
| 5335 | outputSz = OPAQUE8_LEN + MAX_MSG_EXTRA;
|
---|
| 5336 | /* Check buffers are big enough and grow if needed. */
|
---|
| 5337 | if ((ret = CheckAvailableSize(ssl, outputSz)) != 0)
|
---|
| 5338 | return ret;
|
---|
| 5339 |
|
---|
| 5340 | /* get output buffer */
|
---|
| 5341 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 5342 | ssl->buffers.outputBuffer.length;
|
---|
| 5343 | input = output + RECORD_HEADER_SZ;
|
---|
| 5344 |
|
---|
| 5345 | AddTls13Headers(output, OPAQUE8_LEN, key_update, ssl);
|
---|
| 5346 |
|
---|
| 5347 | /* If:
|
---|
| 5348 | * 1. I haven't sent a KeyUpdate requesting a response and
|
---|
| 5349 | * 2. This isn't responding to peer KeyUpdate requiring a response then,
|
---|
| 5350 | * I want a response.
|
---|
| 5351 | */
|
---|
| 5352 | ssl->keys.updateResponseReq = output[i++] =
|
---|
| 5353 | !ssl->keys.updateResponseReq && !ssl->keys.keyUpdateRespond;
|
---|
| 5354 | /* Sent response, no longer need to respond. */
|
---|
| 5355 | ssl->keys.keyUpdateRespond = 0;
|
---|
| 5356 |
|
---|
| 5357 | /* This message is always encrypted. */
|
---|
| 5358 | sendSz = BuildTls13Message(ssl, output, outputSz, input,
|
---|
| 5359 | headerSz + OPAQUE8_LEN, handshake, 0, 0, 0);
|
---|
| 5360 | if (sendSz < 0)
|
---|
| 5361 | return BUILD_MSG_ERROR;
|
---|
| 5362 |
|
---|
| 5363 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 5364 | if (ssl->hsInfoOn) AddPacketName("KeyUpdate", &ssl->handShakeInfo);
|
---|
| 5365 | if (ssl->toInfoOn) {
|
---|
| 5366 | AddPacketInfo("KeyUpdate", &ssl->timeoutInfo, output, sendSz,
|
---|
| 5367 | ssl->heap);
|
---|
| 5368 | }
|
---|
| 5369 | #endif
|
---|
| 5370 |
|
---|
| 5371 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 5372 |
|
---|
| 5373 | ret = SendBuffered(ssl);
|
---|
| 5374 | if (ret != 0 && ret != WANT_WRITE)
|
---|
| 5375 | return ret;
|
---|
| 5376 |
|
---|
| 5377 | /* Future traffic uses new encryption keys. */
|
---|
| 5378 | if ((ret = DeriveTls13Keys(ssl, update_traffic_key, ENCRYPT_SIDE_ONLY, 1))
|
---|
| 5379 | != 0)
|
---|
| 5380 | return ret;
|
---|
| 5381 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
|
---|
| 5382 | return ret;
|
---|
| 5383 |
|
---|
| 5384 | WOLFSSL_LEAVE("SendTls13KeyUpdate", ret);
|
---|
| 5385 |
|
---|
| 5386 | return ret;
|
---|
| 5387 | }
|
---|
| 5388 |
|
---|
| 5389 | /* Parse and handle a TLS v1.3 KeyUpdate message.
|
---|
| 5390 | *
|
---|
| 5391 | * ssl The SSL/TLS object.
|
---|
| 5392 | * input The message buffer.
|
---|
| 5393 | * inOutIdx On entry, the index into the message buffer of Finished.
|
---|
| 5394 | * On exit, the index of byte after the Finished message and padding.
|
---|
| 5395 | * totalSz The length of the current handshake message.
|
---|
| 5396 | * returns 0 on success and otherwise failure.
|
---|
| 5397 | */
|
---|
| 5398 | static int DoTls13KeyUpdate(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
|
---|
| 5399 | word32 totalSz)
|
---|
| 5400 | {
|
---|
| 5401 | int ret;
|
---|
| 5402 | word32 i = *inOutIdx;
|
---|
| 5403 |
|
---|
| 5404 | WOLFSSL_ENTER("DoTls13KeyUpdate");
|
---|
| 5405 |
|
---|
| 5406 | /* check against totalSz */
|
---|
| 5407 | if (OPAQUE8_LEN != totalSz)
|
---|
| 5408 | return BUFFER_E;
|
---|
| 5409 |
|
---|
| 5410 | switch (input[i]) {
|
---|
| 5411 | case update_not_requested:
|
---|
| 5412 | /* This message in response to any oustanding request. */
|
---|
| 5413 | ssl->keys.keyUpdateRespond = 0;
|
---|
| 5414 | ssl->keys.updateResponseReq = 0;
|
---|
| 5415 | break;
|
---|
| 5416 | case update_requested:
|
---|
| 5417 | /* New key update requiring a response. */
|
---|
| 5418 | ssl->keys.keyUpdateRespond = 1;
|
---|
| 5419 | break;
|
---|
| 5420 | default:
|
---|
| 5421 | return INVALID_PARAMETER;
|
---|
| 5422 | break;
|
---|
| 5423 | }
|
---|
| 5424 |
|
---|
| 5425 | /* Move index to byte after message. */
|
---|
| 5426 | *inOutIdx += totalSz;
|
---|
| 5427 | /* Always encrypted. */
|
---|
| 5428 | *inOutIdx += ssl->keys.padSz;
|
---|
| 5429 |
|
---|
| 5430 | /* Future traffic uses new decryption keys. */
|
---|
| 5431 | if ((ret = DeriveTls13Keys(ssl, update_traffic_key, DECRYPT_SIDE_ONLY, 1))
|
---|
| 5432 | != 0) {
|
---|
| 5433 | return ret;
|
---|
| 5434 | }
|
---|
| 5435 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
|
---|
| 5436 | return ret;
|
---|
| 5437 |
|
---|
| 5438 | if (ssl->keys.keyUpdateRespond)
|
---|
| 5439 | return SendTls13KeyUpdate(ssl);
|
---|
| 5440 |
|
---|
| 5441 | WOLFSSL_LEAVE("DoTls13KeyUpdate", ret);
|
---|
| 5442 |
|
---|
| 5443 | return 0;
|
---|
| 5444 | }
|
---|
| 5445 |
|
---|
| 5446 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5447 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5448 | /* Send the TLS v1.3 EndOfEarlyData message to indicate that there will be no
|
---|
| 5449 | * more early application data.
|
---|
| 5450 | * The encryption key now changes to the pre-calculated handshake key.
|
---|
| 5451 | *
|
---|
| 5452 | * ssl The SSL/TLS object.
|
---|
| 5453 | * returns 0 on success and otherwise failure.
|
---|
| 5454 | */
|
---|
| 5455 | static int SendTls13EndOfEarlyData(WOLFSSL* ssl)
|
---|
| 5456 | {
|
---|
| 5457 | byte* output;
|
---|
| 5458 | int ret;
|
---|
| 5459 | int sendSz;
|
---|
| 5460 | word32 length;
|
---|
| 5461 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 5462 |
|
---|
| 5463 | WOLFSSL_ENTER("SendTls13EndOfEarlyData");
|
---|
| 5464 |
|
---|
| 5465 | length = 0;
|
---|
| 5466 | sendSz = idx + length + MAX_MSG_EXTRA;
|
---|
| 5467 |
|
---|
| 5468 | /* Check buffers are big enough and grow if needed. */
|
---|
| 5469 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
|
---|
| 5470 | return ret;
|
---|
| 5471 |
|
---|
| 5472 | /* Get position in output buffer to write new message to. */
|
---|
| 5473 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 5474 | ssl->buffers.outputBuffer.length;
|
---|
| 5475 |
|
---|
| 5476 | /* Put the record and handshake headers on. */
|
---|
| 5477 | AddTls13Headers(output, length, end_of_early_data, ssl);
|
---|
| 5478 |
|
---|
| 5479 | /* This message is always encrypted. */
|
---|
| 5480 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
|
---|
| 5481 | idx - RECORD_HEADER_SZ, handshake, 1, 0, 0);
|
---|
| 5482 | if (sendSz < 0)
|
---|
| 5483 | return sendSz;
|
---|
| 5484 |
|
---|
| 5485 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 5486 |
|
---|
| 5487 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
|
---|
| 5488 | return ret;
|
---|
| 5489 |
|
---|
| 5490 | if (!ssl->options.groupMessages)
|
---|
| 5491 | ret = SendBuffered(ssl);
|
---|
| 5492 |
|
---|
| 5493 | WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret);
|
---|
| 5494 |
|
---|
| 5495 | return ret;
|
---|
| 5496 | }
|
---|
| 5497 | #endif /* !NO_WOLFSSL_CLIENT */
|
---|
| 5498 |
|
---|
| 5499 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 5500 | /* Parse the TLS v1.3 EndOfEarlyData message that indicates that there will be
|
---|
| 5501 | * no more early application data.
|
---|
| 5502 | * The decryption key now changes to the pre-calculated handshake key.
|
---|
| 5503 | *
|
---|
| 5504 | * ssl The SSL/TLS object.
|
---|
| 5505 | * returns 0 on success and otherwise failure.
|
---|
| 5506 | */
|
---|
| 5507 | static int DoTls13EndOfEarlyData(WOLFSSL* ssl, const byte* input,
|
---|
| 5508 | word32* inOutIdx, word32 size)
|
---|
| 5509 | {
|
---|
| 5510 | int ret;
|
---|
| 5511 | word32 begin = *inOutIdx;
|
---|
| 5512 |
|
---|
| 5513 | (void)input;
|
---|
| 5514 |
|
---|
| 5515 | WOLFSSL_ENTER("DoTls13EndOfEarlyData");
|
---|
| 5516 |
|
---|
| 5517 | if ((*inOutIdx - begin) != size)
|
---|
| 5518 | return BUFFER_ERROR;
|
---|
| 5519 |
|
---|
| 5520 | /* Always encrypted. */
|
---|
| 5521 | *inOutIdx += ssl->keys.padSz;
|
---|
| 5522 |
|
---|
| 5523 | ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY);
|
---|
| 5524 |
|
---|
| 5525 | WOLFSSL_LEAVE("SendTls13EndOfEarlyData", ret);
|
---|
| 5526 |
|
---|
| 5527 | return ret;
|
---|
| 5528 | }
|
---|
| 5529 | #endif /* !NO_WOLFSSL_SERVER */
|
---|
| 5530 | #endif /* WOLFSSL_EARLY_DATA */
|
---|
| 5531 |
|
---|
| 5532 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5533 | /* Handle a New Session Ticket handshake message.
|
---|
| 5534 | * Message contains the information required to perform resumption.
|
---|
| 5535 | *
|
---|
| 5536 | * ssl The SSL/TLS object.
|
---|
| 5537 | * input The message buffer.
|
---|
| 5538 | * inOutIdx On entry, the index into the message buffer of Finished.
|
---|
| 5539 | * On exit, the index of byte after the Finished message and padding.
|
---|
| 5540 | * size The length of the current handshake message.
|
---|
| 5541 | * retuns 0 on success, otherwise failure.
|
---|
| 5542 | */
|
---|
| 5543 | static int DoTls13NewSessionTicket(WOLFSSL* ssl, const byte* input,
|
---|
| 5544 | word32* inOutIdx, word32 size)
|
---|
| 5545 | {
|
---|
| 5546 | #ifdef HAVE_SESSION_TICKET
|
---|
| 5547 | int ret;
|
---|
| 5548 | word32 begin = *inOutIdx;
|
---|
| 5549 | word32 lifetime;
|
---|
| 5550 | word32 ageAdd;
|
---|
| 5551 | word16 length;
|
---|
| 5552 | word32 now;
|
---|
| 5553 |
|
---|
| 5554 | WOLFSSL_ENTER("DoTls13NewSessionTicket");
|
---|
| 5555 |
|
---|
| 5556 | /* Lifetime hint. */
|
---|
| 5557 | if ((*inOutIdx - begin) + SESSION_HINT_SZ > size)
|
---|
| 5558 | return BUFFER_ERROR;
|
---|
| 5559 | ato32(input + *inOutIdx, &lifetime);
|
---|
| 5560 | *inOutIdx += SESSION_HINT_SZ;
|
---|
| 5561 | if (lifetime > MAX_LIFETIME)
|
---|
| 5562 | return SERVER_HINT_ERROR;
|
---|
| 5563 |
|
---|
| 5564 | /* Age add. */
|
---|
| 5565 | if ((*inOutIdx - begin) + SESSION_ADD_SZ > size)
|
---|
| 5566 | return BUFFER_ERROR;
|
---|
| 5567 | ato32(input + *inOutIdx, &ageAdd);
|
---|
| 5568 | *inOutIdx += SESSION_ADD_SZ;
|
---|
| 5569 |
|
---|
| 5570 | /* Ticket length. */
|
---|
| 5571 | if ((*inOutIdx - begin) + LENGTH_SZ > size)
|
---|
| 5572 | return BUFFER_ERROR;
|
---|
| 5573 | ato16(input + *inOutIdx, &length);
|
---|
| 5574 | *inOutIdx += LENGTH_SZ;
|
---|
| 5575 | if ((*inOutIdx - begin) + length > size)
|
---|
| 5576 | return BUFFER_ERROR;
|
---|
| 5577 |
|
---|
| 5578 | if ((ret = SetTicket(ssl, input + *inOutIdx, length)) != 0)
|
---|
| 5579 | return ret;
|
---|
| 5580 | *inOutIdx += length;
|
---|
| 5581 |
|
---|
| 5582 | now = TimeNowInMilliseconds();
|
---|
| 5583 | if (now == (word32)GETTIME_ERROR)
|
---|
| 5584 | return now;
|
---|
| 5585 | /* Copy in ticket data (server identity). */
|
---|
| 5586 | ssl->timeout = lifetime;
|
---|
| 5587 | ssl->session.timeout = lifetime;
|
---|
| 5588 | ssl->session.cipherSuite0 = ssl->options.cipherSuite0;
|
---|
| 5589 | ssl->session.cipherSuite = ssl->options.cipherSuite;
|
---|
| 5590 | ssl->session.ticketSeen = now;
|
---|
| 5591 | ssl->session.ticketAdd = ageAdd;
|
---|
| 5592 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5593 | ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
|
---|
| 5594 | #endif
|
---|
| 5595 |
|
---|
| 5596 | if ((*inOutIdx - begin) + EXTS_SZ > size)
|
---|
| 5597 | return BUFFER_ERROR;
|
---|
| 5598 | ato16(input + *inOutIdx, &length);
|
---|
| 5599 | *inOutIdx += EXTS_SZ;
|
---|
| 5600 | if ((*inOutIdx - begin) + length != size)
|
---|
| 5601 | return BUFFER_ERROR;
|
---|
| 5602 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5603 | ret = TLSX_Parse(ssl, (byte *)input + (*inOutIdx), length, session_ticket,
|
---|
| 5604 | NULL);
|
---|
| 5605 | if (ret != 0)
|
---|
| 5606 | return ret;
|
---|
| 5607 | #endif
|
---|
| 5608 | *inOutIdx += length;
|
---|
| 5609 |
|
---|
| 5610 | #ifndef NO_SESSION_CACHE
|
---|
| 5611 | AddSession(ssl);
|
---|
| 5612 | #endif
|
---|
| 5613 |
|
---|
| 5614 | /* Always encrypted. */
|
---|
| 5615 | *inOutIdx += ssl->keys.padSz;
|
---|
| 5616 |
|
---|
| 5617 | ssl->expect_session_ticket = 0;
|
---|
| 5618 | #else
|
---|
| 5619 | (void)ssl;
|
---|
| 5620 | (void)input;
|
---|
| 5621 |
|
---|
| 5622 | WOLFSSL_ENTER("DoTls13NewSessionTicket");
|
---|
| 5623 |
|
---|
| 5624 | *inOutIdx += size + ssl->keys.padSz;
|
---|
| 5625 | #endif /* HAVE_SESSION_TICKET */
|
---|
| 5626 |
|
---|
| 5627 | WOLFSSL_LEAVE("DoTls13NewSessionTicket", 0);
|
---|
| 5628 |
|
---|
| 5629 | return 0;
|
---|
| 5630 | }
|
---|
| 5631 | #endif /* NO_WOLFSSL_CLIENT */
|
---|
| 5632 |
|
---|
| 5633 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 5634 | #ifdef HAVE_SESSION_TICKET
|
---|
| 5635 |
|
---|
| 5636 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
|
---|
| 5637 | /* Offset of the MAC size in the finished message. */
|
---|
| 5638 | #define FINISHED_MSG_SIZE_OFFSET 3
|
---|
| 5639 |
|
---|
| 5640 | /* Calculate the resumption secret which includes the unseen client finished
|
---|
| 5641 | * message.
|
---|
| 5642 | *
|
---|
| 5643 | * ssl The SSL/TLS object.
|
---|
| 5644 | * retuns 0 on success, otherwise failure.
|
---|
| 5645 | */
|
---|
| 5646 | static int ExpectedResumptionSecret(WOLFSSL* ssl)
|
---|
| 5647 | {
|
---|
| 5648 | int ret;
|
---|
| 5649 | word32 finishedSz = 0;
|
---|
| 5650 | byte mac[MAX_DIGEST_SIZE];
|
---|
| 5651 | Digest digest;
|
---|
| 5652 | static byte header[] = { 0x14, 0x00, 0x00, 0x00 };
|
---|
| 5653 |
|
---|
| 5654 | /* Copy the running hash so we cna restore it after. */
|
---|
| 5655 | switch (ssl->specs.mac_algorithm) {
|
---|
| 5656 | #ifndef NO_SHA256
|
---|
| 5657 | case sha256_mac:
|
---|
| 5658 | ret = wc_Sha256Copy(&ssl->hsHashes->hashSha256, &digest.sha256);
|
---|
| 5659 | if (ret != 0)
|
---|
| 5660 | return ret;
|
---|
| 5661 | break;
|
---|
| 5662 | #endif
|
---|
| 5663 | #ifdef WOLFSSL_SHA384
|
---|
| 5664 | case sha384_mac:
|
---|
| 5665 | ret = wc_Sha384Copy(&ssl->hsHashes->hashSha384, &digest.sha384);
|
---|
| 5666 | if (ret != 0)
|
---|
| 5667 | return ret;
|
---|
| 5668 | break;
|
---|
| 5669 | #endif
|
---|
| 5670 | #ifdef WOLFSSL_TLS13_SHA512
|
---|
| 5671 | case sha512_mac:
|
---|
| 5672 | ret = wc_Sha512Copy(&ssl->hsHashes->hashSha512, &digest.sha512);
|
---|
| 5673 | if (ret != 0)
|
---|
| 5674 | return ret;
|
---|
| 5675 | break;
|
---|
| 5676 | #endif
|
---|
| 5677 | }
|
---|
| 5678 |
|
---|
| 5679 | /* Generate the Client's Finished message and hash it. */
|
---|
| 5680 | ret = BuildTls13HandshakeHmac(ssl, ssl->keys.client_write_MAC_secret, mac,
|
---|
| 5681 | &finishedSz);
|
---|
| 5682 | if (ret != 0)
|
---|
| 5683 | return ret;
|
---|
| 5684 | header[FINISHED_MSG_SIZE_OFFSET] = finishedSz;
|
---|
| 5685 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5686 | if (ssl->earlyData) {
|
---|
| 5687 | static byte endOfEarlyData[] = { 0x05, 0x00, 0x00, 0x00 };
|
---|
| 5688 | ret = HashInputRaw(ssl, endOfEarlyData, sizeof(endOfEarlyData));
|
---|
| 5689 | if (ret != 0)
|
---|
| 5690 | return ret;
|
---|
| 5691 | }
|
---|
| 5692 | #endif
|
---|
| 5693 | if ((ret = HashInputRaw(ssl, header, sizeof(header))) != 0)
|
---|
| 5694 | return ret;
|
---|
| 5695 | if ((ret = HashInputRaw(ssl, mac, finishedSz)) != 0)
|
---|
| 5696 | return ret;
|
---|
| 5697 |
|
---|
| 5698 | if ((ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret)) != 0)
|
---|
| 5699 | return ret;
|
---|
| 5700 |
|
---|
| 5701 | /* Restore the hash inline with currently seen messages. */
|
---|
| 5702 | switch (ssl->specs.mac_algorithm) {
|
---|
| 5703 | #ifndef NO_SHA256
|
---|
| 5704 | case sha256_mac:
|
---|
| 5705 | ret = wc_Sha256Copy(&digest.sha256, &ssl->hsHashes->hashSha256);
|
---|
| 5706 | if (ret != 0)
|
---|
| 5707 | return ret;
|
---|
| 5708 | break;
|
---|
| 5709 | #endif
|
---|
| 5710 | #ifdef WOLFSSL_SHA384
|
---|
| 5711 | case sha384_mac:
|
---|
| 5712 | ret = wc_Sha384Copy(&digest.sha384, &ssl->hsHashes->hashSha384);
|
---|
| 5713 | if (ret != 0)
|
---|
| 5714 | return ret;
|
---|
| 5715 | break;
|
---|
| 5716 | #endif
|
---|
| 5717 | #ifdef WOLFSSL_TLS13_SHA512
|
---|
| 5718 | case sha512_mac:
|
---|
| 5719 | ret = wc_Sha512Copy(&digest.sha512, &ssl->hsHashes->hashSha384);
|
---|
| 5720 | if (ret != 0)
|
---|
| 5721 | return ret;
|
---|
| 5722 | break;
|
---|
| 5723 | #endif
|
---|
| 5724 | }
|
---|
| 5725 |
|
---|
| 5726 | return ret;
|
---|
| 5727 | }
|
---|
| 5728 | #endif
|
---|
| 5729 |
|
---|
| 5730 | /* Send New Session Ticket handshake message.
|
---|
| 5731 | * Message contains the information required to perform resumption.
|
---|
| 5732 | *
|
---|
| 5733 | * ssl The SSL/TLS object.
|
---|
| 5734 | * retuns 0 on success, otherwise failure.
|
---|
| 5735 | */
|
---|
| 5736 | static int SendTls13NewSessionTicket(WOLFSSL* ssl)
|
---|
| 5737 | {
|
---|
| 5738 | byte* output;
|
---|
| 5739 | int ret;
|
---|
| 5740 | int sendSz;
|
---|
| 5741 | word32 extSz;
|
---|
| 5742 | word32 length;
|
---|
| 5743 | word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 5744 |
|
---|
| 5745 | WOLFSSL_ENTER("SendTls13NewSessionTicket");
|
---|
| 5746 |
|
---|
| 5747 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
|
---|
| 5748 | if (!ssl->msgsReceived.got_finished) {
|
---|
| 5749 | if ((ret = ExpectedResumptionSecret(ssl)) != 0)
|
---|
| 5750 | return ret;
|
---|
| 5751 | }
|
---|
| 5752 | #endif
|
---|
| 5753 |
|
---|
| 5754 | if (!ssl->options.noTicketTls13) {
|
---|
| 5755 | if ((ret = CreateTicket(ssl)) != 0)
|
---|
| 5756 | return ret;
|
---|
| 5757 | }
|
---|
| 5758 |
|
---|
| 5759 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5760 | ssl->session.maxEarlyDataSz = ssl->options.maxEarlyDataSz;
|
---|
| 5761 | if (ssl->session.maxEarlyDataSz > 0)
|
---|
| 5762 | TLSX_EarlyData_Use(ssl, ssl->session.maxEarlyDataSz);
|
---|
| 5763 | extSz = TLSX_GetResponseSize(ssl, session_ticket);
|
---|
| 5764 | #else
|
---|
| 5765 | extSz = EXTS_SZ;
|
---|
| 5766 | #endif
|
---|
| 5767 |
|
---|
| 5768 | /* Lifetime | Age Add | Ticket | Extensions */
|
---|
| 5769 | length = SESSION_HINT_SZ + SESSION_ADD_SZ + LENGTH_SZ +
|
---|
| 5770 | ssl->session.ticketLen + extSz;
|
---|
| 5771 | sendSz = idx + length + MAX_MSG_EXTRA;
|
---|
| 5772 |
|
---|
| 5773 | /* Check buffers are big enough and grow if needed. */
|
---|
| 5774 | if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
|
---|
| 5775 | return ret;
|
---|
| 5776 |
|
---|
| 5777 | /* Get position in output buffer to write new message to. */
|
---|
| 5778 | output = ssl->buffers.outputBuffer.buffer +
|
---|
| 5779 | ssl->buffers.outputBuffer.length;
|
---|
| 5780 |
|
---|
| 5781 | /* Put the record and handshake headers on. */
|
---|
| 5782 | AddTls13Headers(output, length, session_ticket, ssl);
|
---|
| 5783 |
|
---|
| 5784 | /* Lifetime hint */
|
---|
| 5785 | c32toa(ssl->ctx->ticketHint, output + idx);
|
---|
| 5786 | idx += SESSION_HINT_SZ;
|
---|
| 5787 | /* Age add - obfuscator */
|
---|
| 5788 | c32toa(ssl->session.ticketAdd, output + idx);
|
---|
| 5789 | idx += SESSION_ADD_SZ;
|
---|
| 5790 |
|
---|
| 5791 | /* length */
|
---|
| 5792 | c16toa(ssl->session.ticketLen, output + idx);
|
---|
| 5793 | idx += LENGTH_SZ;
|
---|
| 5794 | /* ticket */
|
---|
| 5795 | XMEMCPY(output + idx, ssl->session.ticket, ssl->session.ticketLen);
|
---|
| 5796 | idx += ssl->session.ticketLen;
|
---|
| 5797 |
|
---|
| 5798 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5799 | idx += TLSX_WriteResponse(ssl, output + idx, session_ticket);
|
---|
| 5800 | #else
|
---|
| 5801 | /* No extension support - empty extensions. */
|
---|
| 5802 | c16toa(0, output + idx);
|
---|
| 5803 | idx += EXTS_SZ;
|
---|
| 5804 | #endif
|
---|
| 5805 |
|
---|
| 5806 | ssl->options.haveSessionId = 1;
|
---|
| 5807 |
|
---|
| 5808 | #ifndef NO_SESSION_CACHE
|
---|
| 5809 | AddSession(ssl);
|
---|
| 5810 | #endif
|
---|
| 5811 |
|
---|
| 5812 | /* This message is always encrypted. */
|
---|
| 5813 | sendSz = BuildTls13Message(ssl, output, sendSz, output + RECORD_HEADER_SZ,
|
---|
| 5814 | idx - RECORD_HEADER_SZ, handshake, 0, 0, 0);
|
---|
| 5815 | if (sendSz < 0)
|
---|
| 5816 | return sendSz;
|
---|
| 5817 |
|
---|
| 5818 | ssl->buffers.outputBuffer.length += sendSz;
|
---|
| 5819 |
|
---|
| 5820 | if (!ssl->options.groupMessages)
|
---|
| 5821 | ret = SendBuffered(ssl);
|
---|
| 5822 |
|
---|
| 5823 | WOLFSSL_LEAVE("SendTls13NewSessionTicket", 0);
|
---|
| 5824 |
|
---|
| 5825 | return ret;
|
---|
| 5826 | }
|
---|
| 5827 | #endif /* HAVE_SESSION_TICKET */
|
---|
| 5828 | #endif /* NO_WOLFSSL_SERVER */
|
---|
| 5829 |
|
---|
| 5830 | /* Make sure no duplicates, no fast forward, or other problems
|
---|
| 5831 | *
|
---|
| 5832 | * ssl The SSL/TLS object.
|
---|
| 5833 | * type Type of handshake message received.
|
---|
| 5834 | * returns 0 on success, otherwise failure.
|
---|
| 5835 | */
|
---|
| 5836 | static int SanityCheckTls13MsgReceived(WOLFSSL* ssl, byte type)
|
---|
| 5837 | {
|
---|
| 5838 | /* verify not a duplicate, mark received, check state */
|
---|
| 5839 | switch (type) {
|
---|
| 5840 |
|
---|
| 5841 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 5842 | case client_hello:
|
---|
| 5843 | if (ssl->msgsReceived.got_client_hello == 2) {
|
---|
| 5844 | WOLFSSL_MSG("Too many ClientHello received");
|
---|
| 5845 | return DUPLICATE_MSG_E;
|
---|
| 5846 | }
|
---|
| 5847 | ssl->msgsReceived.got_client_hello++;
|
---|
| 5848 |
|
---|
| 5849 | break;
|
---|
| 5850 | #endif
|
---|
| 5851 |
|
---|
| 5852 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5853 | case server_hello:
|
---|
| 5854 | if (ssl->msgsReceived.got_server_hello) {
|
---|
| 5855 | WOLFSSL_MSG("Duplicate ServerHello received");
|
---|
| 5856 | return DUPLICATE_MSG_E;
|
---|
| 5857 | }
|
---|
| 5858 | ssl->msgsReceived.got_server_hello = 1;
|
---|
| 5859 |
|
---|
| 5860 | break;
|
---|
| 5861 | #endif
|
---|
| 5862 |
|
---|
| 5863 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5864 | case session_ticket:
|
---|
| 5865 | if (ssl->msgsReceived.got_session_ticket) {
|
---|
| 5866 | WOLFSSL_MSG("Duplicate SessionTicket received");
|
---|
| 5867 | return DUPLICATE_MSG_E;
|
---|
| 5868 | }
|
---|
| 5869 | ssl->msgsReceived.got_session_ticket = 1;
|
---|
| 5870 |
|
---|
| 5871 | break;
|
---|
| 5872 | #endif
|
---|
| 5873 |
|
---|
| 5874 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 5875 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 5876 | case end_of_early_data:
|
---|
| 5877 | if (ssl->msgsReceived.got_end_of_early_data == 1) {
|
---|
| 5878 | WOLFSSL_MSG("Too many EndOfEarlyData received");
|
---|
| 5879 | return DUPLICATE_MSG_E;
|
---|
| 5880 | }
|
---|
| 5881 | ssl->msgsReceived.got_end_of_early_data++;
|
---|
| 5882 |
|
---|
| 5883 | break;
|
---|
| 5884 | #endif
|
---|
| 5885 | #endif
|
---|
| 5886 |
|
---|
| 5887 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5888 | case hello_retry_request:
|
---|
| 5889 | if (ssl->msgsReceived.got_hello_retry_request) {
|
---|
| 5890 | WOLFSSL_MSG("Duplicate HelloRetryRequest received");
|
---|
| 5891 | return DUPLICATE_MSG_E;
|
---|
| 5892 | }
|
---|
| 5893 | ssl->msgsReceived.got_hello_retry_request = 1;
|
---|
| 5894 |
|
---|
| 5895 | break;
|
---|
| 5896 | #endif
|
---|
| 5897 |
|
---|
| 5898 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5899 | case encrypted_extensions:
|
---|
| 5900 | if (ssl->msgsReceived.got_encrypted_extensions) {
|
---|
| 5901 | WOLFSSL_MSG("Duplicate EncryptedExtensions received");
|
---|
| 5902 | return DUPLICATE_MSG_E;
|
---|
| 5903 | }
|
---|
| 5904 | ssl->msgsReceived.got_encrypted_extensions = 1;
|
---|
| 5905 |
|
---|
| 5906 | break;
|
---|
| 5907 | #endif
|
---|
| 5908 |
|
---|
| 5909 | case certificate:
|
---|
| 5910 | if (ssl->msgsReceived.got_certificate) {
|
---|
| 5911 | WOLFSSL_MSG("Duplicate Certificate received");
|
---|
| 5912 | return DUPLICATE_MSG_E;
|
---|
| 5913 | }
|
---|
| 5914 | ssl->msgsReceived.got_certificate = 1;
|
---|
| 5915 |
|
---|
| 5916 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5917 | if (ssl->options.side == WOLFSSL_CLIENT_END) {
|
---|
| 5918 | if ( ssl->msgsReceived.got_server_hello == 0) {
|
---|
| 5919 | WOLFSSL_MSG("No ServerHello before Cert");
|
---|
| 5920 | return OUT_OF_ORDER_E;
|
---|
| 5921 | }
|
---|
| 5922 | }
|
---|
| 5923 | #endif
|
---|
| 5924 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 5925 | if (ssl->options.side == WOLFSSL_SERVER_END) {
|
---|
| 5926 | if ( ssl->msgsReceived.got_client_hello == 0) {
|
---|
| 5927 | WOLFSSL_MSG("No ClientHello before Cert");
|
---|
| 5928 | return OUT_OF_ORDER_E;
|
---|
| 5929 | }
|
---|
| 5930 | }
|
---|
| 5931 | #endif
|
---|
| 5932 | break;
|
---|
| 5933 |
|
---|
| 5934 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 5935 | case certificate_request:
|
---|
| 5936 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
|
---|
| 5937 | if (ssl->msgsReceived.got_finished)
|
---|
| 5938 | ;
|
---|
| 5939 | else
|
---|
| 5940 | #endif
|
---|
| 5941 | if (ssl->msgsReceived.got_certificate_request) {
|
---|
| 5942 | WOLFSSL_MSG("Duplicate CertificateRequest received");
|
---|
| 5943 | return DUPLICATE_MSG_E;
|
---|
| 5944 | }
|
---|
| 5945 | ssl->msgsReceived.got_certificate_request = 1;
|
---|
| 5946 |
|
---|
| 5947 | break;
|
---|
| 5948 | #endif
|
---|
| 5949 |
|
---|
| 5950 | case certificate_verify:
|
---|
| 5951 | if (ssl->msgsReceived.got_certificate_verify) {
|
---|
| 5952 | WOLFSSL_MSG("Duplicate CertificateVerify received");
|
---|
| 5953 | return DUPLICATE_MSG_E;
|
---|
| 5954 | }
|
---|
| 5955 | ssl->msgsReceived.got_certificate_verify = 1;
|
---|
| 5956 |
|
---|
| 5957 | if (ssl->msgsReceived.got_certificate == 0) {
|
---|
| 5958 | WOLFSSL_MSG("No Cert before CertVerify");
|
---|
| 5959 | return OUT_OF_ORDER_E;
|
---|
| 5960 | }
|
---|
| 5961 | break;
|
---|
| 5962 |
|
---|
| 5963 | case finished:
|
---|
| 5964 | #ifdef WOLFSSL_POST_HANDSHAKE_AUTH
|
---|
| 5965 | if (1) {
|
---|
| 5966 | }
|
---|
| 5967 | else
|
---|
| 5968 | #endif
|
---|
| 5969 | if (ssl->msgsReceived.got_finished) {
|
---|
| 5970 | WOLFSSL_MSG("Duplicate Finished received");
|
---|
| 5971 | return DUPLICATE_MSG_E;
|
---|
| 5972 | }
|
---|
| 5973 | ssl->msgsReceived.got_finished = 1;
|
---|
| 5974 |
|
---|
| 5975 | break;
|
---|
| 5976 |
|
---|
| 5977 | case key_update:
|
---|
| 5978 | if (!ssl->msgsReceived.got_finished) {
|
---|
| 5979 | WOLFSSL_MSG("No KeyUpdate before Finished");
|
---|
| 5980 | return OUT_OF_ORDER_E;
|
---|
| 5981 | }
|
---|
| 5982 | break;
|
---|
| 5983 |
|
---|
| 5984 | default:
|
---|
| 5985 | WOLFSSL_MSG("Unknown message type");
|
---|
| 5986 | return SANITY_MSG_E;
|
---|
| 5987 | }
|
---|
| 5988 |
|
---|
| 5989 | return 0;
|
---|
| 5990 | }
|
---|
| 5991 |
|
---|
| 5992 | /* Handle a type of handshake message that has been received.
|
---|
| 5993 | *
|
---|
| 5994 | * ssl The SSL/TLS object.
|
---|
| 5995 | * input The message buffer.
|
---|
| 5996 | * inOutIdx On entry, the index into the buffer of the current message.
|
---|
| 5997 | * On exit, the index into the buffer of the next message.
|
---|
| 5998 | * size The length of the current handshake message.
|
---|
| 5999 | * totalSz Length of remaining data in the message buffer.
|
---|
| 6000 | * returns 0 on success and otherwise failure.
|
---|
| 6001 | */
|
---|
| 6002 | int DoTls13HandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
---|
| 6003 | byte type, word32 size, word32 totalSz)
|
---|
| 6004 | {
|
---|
| 6005 | int ret = 0;
|
---|
| 6006 | (void)totalSz;
|
---|
| 6007 | word32 inIdx = *inOutIdx;
|
---|
| 6008 |
|
---|
| 6009 | WOLFSSL_ENTER("DoTls13HandShakeMsgType");
|
---|
| 6010 |
|
---|
| 6011 | /* make sure can read the message */
|
---|
| 6012 | if (*inOutIdx + size > totalSz)
|
---|
| 6013 | return INCOMPLETE_DATA;
|
---|
| 6014 |
|
---|
| 6015 | /* sanity check msg received */
|
---|
| 6016 | if ( (ret = SanityCheckTls13MsgReceived(ssl, type)) != 0) {
|
---|
| 6017 | WOLFSSL_MSG("Sanity Check on handshake message type received failed");
|
---|
| 6018 | return ret;
|
---|
| 6019 | }
|
---|
| 6020 |
|
---|
| 6021 | #ifdef WOLFSSL_CALLBACKS
|
---|
| 6022 | /* add name later, add on record and handshake header part back on */
|
---|
| 6023 | if (ssl->toInfoOn) {
|
---|
| 6024 | int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
|
---|
| 6025 | AddPacketInfo(0, &ssl->timeoutInfo, input + *inOutIdx - add,
|
---|
| 6026 | size + add, ssl->heap);
|
---|
| 6027 | AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);
|
---|
| 6028 | }
|
---|
| 6029 | #endif
|
---|
| 6030 |
|
---|
| 6031 | if (ssl->options.handShakeState == HANDSHAKE_DONE &&
|
---|
| 6032 | type != session_ticket && type != certificate_request &&
|
---|
| 6033 | type != certificate && type != key_update) {
|
---|
| 6034 | WOLFSSL_MSG("HandShake message after handshake complete");
|
---|
| 6035 | SendAlert(ssl, alert_fatal, unexpected_message);
|
---|
| 6036 | return OUT_OF_ORDER_E;
|
---|
| 6037 | }
|
---|
| 6038 |
|
---|
| 6039 | if (ssl->options.side == WOLFSSL_CLIENT_END &&
|
---|
| 6040 | ssl->options.serverState == NULL_STATE &&
|
---|
| 6041 | type != server_hello && type != hello_retry_request) {
|
---|
| 6042 | WOLFSSL_MSG("First server message not server hello");
|
---|
| 6043 | SendAlert(ssl, alert_fatal, unexpected_message);
|
---|
| 6044 | return OUT_OF_ORDER_E;
|
---|
| 6045 | }
|
---|
| 6046 |
|
---|
| 6047 | if (ssl->options.side == WOLFSSL_SERVER_END &&
|
---|
| 6048 | ssl->options.clientState == NULL_STATE && type != client_hello) {
|
---|
| 6049 | WOLFSSL_MSG("First client message not client hello");
|
---|
| 6050 | SendAlert(ssl, alert_fatal, unexpected_message);
|
---|
| 6051 | return OUT_OF_ORDER_E;
|
---|
| 6052 | }
|
---|
| 6053 |
|
---|
| 6054 | /* above checks handshake state */
|
---|
| 6055 | switch (type) {
|
---|
| 6056 |
|
---|
| 6057 | #ifndef NO_WOLFSSL_CLIENT
|
---|
| 6058 | case hello_retry_request:
|
---|
| 6059 | WOLFSSL_MSG("processing hello rety request");
|
---|
| 6060 | ret = DoTls13HelloRetryRequest(ssl, input, inOutIdx, size);
|
---|
| 6061 | break;
|
---|
| 6062 |
|
---|
| 6063 | case server_hello:
|
---|
| 6064 | WOLFSSL_MSG("processing server hello");
|
---|
| 6065 | ret = DoTls13ServerHello(ssl, input, inOutIdx, size);
|
---|
| 6066 | break;
|
---|
| 6067 |
|
---|
| 6068 | #ifndef NO_CERTS
|
---|
| 6069 | case certificate_request:
|
---|
| 6070 | WOLFSSL_MSG("processing certificate request");
|
---|
| 6071 | ret = DoTls13CertificateRequest(ssl, input, inOutIdx, size);
|
---|
| 6072 | break;
|
---|
| 6073 | #endif
|
---|
| 6074 |
|
---|
| 6075 | case session_ticket:
|
---|
| 6076 | WOLFSSL_MSG("processing new session ticket");
|
---|
| 6077 | ret = DoTls13NewSessionTicket(ssl, input, inOutIdx, size);
|
---|
| 6078 | break;
|
---|
| 6079 |
|
---|
| 6080 | case encrypted_extensions:
|
---|
| 6081 | WOLFSSL_MSG("processing encrypted extensions");
|
---|
| 6082 | ret = DoTls13EncryptedExtensions(ssl, input, inOutIdx, size);
|
---|
| 6083 | break;
|
---|
| 6084 | #endif /* !NO_WOLFSSL_CLIENT */
|
---|
| 6085 |
|
---|
| 6086 | #ifndef NO_CERTS
|
---|
| 6087 | case certificate:
|
---|
| 6088 | WOLFSSL_MSG("processing certificate");
|
---|
| 6089 | ret = DoTls13Certificate(ssl, input, inOutIdx, size);
|
---|
| 6090 | break;
|
---|
| 6091 | #endif
|
---|
| 6092 |
|
---|
| 6093 | #if !defined(NO_RSA) || defined(HAVE_ECC) || defined(HAVE_ED25519)
|
---|
| 6094 | case certificate_verify:
|
---|
| 6095 | WOLFSSL_MSG("processing certificate verify");
|
---|
| 6096 | ret = DoTls13CertificateVerify(ssl, input, inOutIdx, size);
|
---|
| 6097 | break;
|
---|
| 6098 | #endif /* !NO_RSA || HAVE_ECC */
|
---|
| 6099 |
|
---|
| 6100 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 6101 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 6102 | case end_of_early_data:
|
---|
| 6103 | WOLFSSL_MSG("processing end of early data");
|
---|
| 6104 | ret = DoTls13EndOfEarlyData(ssl, input, inOutIdx, size);
|
---|
| 6105 | break;
|
---|
| 6106 | #endif
|
---|
| 6107 | #endif
|
---|
| 6108 |
|
---|
| 6109 | case finished:
|
---|
| 6110 | WOLFSSL_MSG("processing finished");
|
---|
| 6111 | ret = DoTls13Finished(ssl, input, inOutIdx, size, totalSz, NO_SNIFF);
|
---|
| 6112 | break;
|
---|
| 6113 |
|
---|
| 6114 | case key_update:
|
---|
| 6115 | WOLFSSL_MSG("processing finished");
|
---|
| 6116 | ret = DoTls13KeyUpdate(ssl, input, inOutIdx, size);
|
---|
| 6117 | break;
|
---|
| 6118 |
|
---|
| 6119 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 6120 | case client_hello:
|
---|
| 6121 | WOLFSSL_MSG("processing client hello");
|
---|
| 6122 | ret = DoTls13ClientHello(ssl, input, inOutIdx, size);
|
---|
| 6123 | break;
|
---|
| 6124 | #endif /* !NO_WOLFSSL_SERVER */
|
---|
| 6125 |
|
---|
| 6126 | default:
|
---|
| 6127 | WOLFSSL_MSG("Unknown handshake message type");
|
---|
| 6128 | ret = UNKNOWN_HANDSHAKE_TYPE;
|
---|
| 6129 | break;
|
---|
| 6130 | }
|
---|
| 6131 |
|
---|
| 6132 | /* reset error */
|
---|
| 6133 | if (ret == 0 && ssl->error == WC_PENDING_E)
|
---|
| 6134 | ssl->error = 0;
|
---|
| 6135 |
|
---|
| 6136 |
|
---|
| 6137 | if (ret == 0 && type != client_hello && type != session_ticket &&
|
---|
| 6138 | type != key_update && ssl->error != WC_PENDING_E) {
|
---|
| 6139 | ret = HashInput(ssl, input + inIdx, size);
|
---|
| 6140 | }
|
---|
| 6141 |
|
---|
| 6142 | if (ret == BUFFER_ERROR || ret == MISSING_HANDSHAKE_DATA)
|
---|
| 6143 | SendAlert(ssl, alert_fatal, decode_error);
|
---|
| 6144 |
|
---|
| 6145 | if (ret == EXT_NOT_ALLOWED || ret == PEER_KEY_ERROR ||
|
---|
| 6146 | ret == ECC_PEERKEY_ERROR || ret == BAD_KEY_SHARE_DATA ||
|
---|
| 6147 | ret == PSK_KEY_ERROR || ret == INVALID_PARAMETER) {
|
---|
| 6148 | SendAlert(ssl, alert_fatal, illegal_parameter);
|
---|
| 6149 | }
|
---|
| 6150 |
|
---|
| 6151 | if (ssl->options.tls1_3) {
|
---|
| 6152 | if (type == server_hello && ssl->options.side == WOLFSSL_CLIENT_END) {
|
---|
| 6153 | if ((ret = DeriveEarlySecret(ssl)) != 0)
|
---|
| 6154 | return ret;
|
---|
| 6155 | if ((ret = DeriveHandshakeSecret(ssl)) != 0)
|
---|
| 6156 | return ret;
|
---|
| 6157 |
|
---|
| 6158 | if ((ret = DeriveTls13Keys(ssl, handshake_key,
|
---|
| 6159 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
|
---|
| 6160 | return ret;
|
---|
| 6161 | }
|
---|
| 6162 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 6163 | if ((ret = SetKeysSide(ssl, DECRYPT_SIDE_ONLY)) != 0)
|
---|
| 6164 | return ret;
|
---|
| 6165 | #else
|
---|
| 6166 | if ((ret = SetKeysSide(ssl, ENCRYPT_AND_DECRYPT_SIDE)) != 0)
|
---|
| 6167 | return ret;
|
---|
| 6168 | #endif
|
---|
| 6169 | }
|
---|
| 6170 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 6171 | if (type == encrypted_extensions &&
|
---|
| 6172 | ssl->options.side == WOLFSSL_CLIENT_END) {
|
---|
| 6173 | if (!ssl->earlyData)
|
---|
| 6174 | {
|
---|
| 6175 | if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
|
---|
| 6176 | return ret;
|
---|
| 6177 | }
|
---|
| 6178 | }
|
---|
| 6179 | #endif
|
---|
| 6180 |
|
---|
| 6181 | if (type == finished && ssl->options.side == WOLFSSL_CLIENT_END) {
|
---|
| 6182 | if ((ret = DeriveMasterSecret(ssl)) != 0)
|
---|
| 6183 | return ret;
|
---|
| 6184 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 6185 | if ((ret = DeriveTls13Keys(ssl, traffic_key,
|
---|
| 6186 | ENCRYPT_AND_DECRYPT_SIDE, !ssl->earlyData)) != 0) {
|
---|
| 6187 | return ret;
|
---|
| 6188 | }
|
---|
| 6189 | #else
|
---|
| 6190 | if ((ret = DeriveTls13Keys(ssl, traffic_key,
|
---|
| 6191 | ENCRYPT_AND_DECRYPT_SIDE, 1)) != 0) {
|
---|
| 6192 | return ret;
|
---|
| 6193 | }
|
---|
| 6194 | #endif
|
---|
| 6195 | }
|
---|
| 6196 |
|
---|
| 6197 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 6198 | if (type == finished && ssl->options.side == WOLFSSL_SERVER_END) {
|
---|
| 6199 | ret = DeriveResumptionSecret(ssl, ssl->session.masterSecret);
|
---|
| 6200 | if (ret != 0)
|
---|
| 6201 | return ret;
|
---|
| 6202 | }
|
---|
| 6203 | #endif
|
---|
| 6204 | }
|
---|
| 6205 |
|
---|
| 6206 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 6207 | /* if async, offset index so this msg will be processed again */
|
---|
| 6208 | if (ret == WC_PENDING_E && *inOutIdx > 0) {
|
---|
| 6209 | *inOutIdx -= HANDSHAKE_HEADER_SZ;
|
---|
| 6210 | }
|
---|
| 6211 | #endif
|
---|
| 6212 |
|
---|
| 6213 | WOLFSSL_LEAVE("DoTls13HandShakeMsgType()", ret);
|
---|
| 6214 | return ret;
|
---|
| 6215 | }
|
---|
| 6216 |
|
---|
| 6217 |
|
---|
| 6218 | /* Handle a handshake message that has been received.
|
---|
| 6219 | *
|
---|
| 6220 | * ssl The SSL/TLS object.
|
---|
| 6221 | * input The message buffer.
|
---|
| 6222 | * inOutIdx On entry, the index into the buffer of the current message.
|
---|
| 6223 | * On exit, the index into the buffer of the next message.
|
---|
| 6224 | * totalSz Length of remaining data in the message buffer.
|
---|
| 6225 | * returns 0 on success and otherwise failure.
|
---|
| 6226 | */
|
---|
| 6227 | int DoTls13HandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
---|
| 6228 | word32 totalSz)
|
---|
| 6229 | {
|
---|
| 6230 | int ret = 0;
|
---|
| 6231 | word32 inputLength;
|
---|
| 6232 |
|
---|
| 6233 | WOLFSSL_ENTER("DoTls13HandShakeMsg()");
|
---|
| 6234 |
|
---|
| 6235 | if (ssl->arrays == NULL) {
|
---|
| 6236 | byte type;
|
---|
| 6237 | word32 size;
|
---|
| 6238 |
|
---|
| 6239 | if (GetHandshakeHeader(ssl,input,inOutIdx,&type, &size, totalSz) != 0)
|
---|
| 6240 | return PARSE_ERROR;
|
---|
| 6241 |
|
---|
| 6242 | return DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
|
---|
| 6243 | totalSz);
|
---|
| 6244 | }
|
---|
| 6245 |
|
---|
| 6246 | inputLength = ssl->buffers.inputBuffer.length - *inOutIdx - ssl->keys.padSz;
|
---|
| 6247 |
|
---|
| 6248 | /* If there is a pending fragmented handshake message,
|
---|
| 6249 | * pending message size will be non-zero. */
|
---|
| 6250 | if (ssl->arrays->pendingMsgSz == 0) {
|
---|
| 6251 | byte type;
|
---|
| 6252 | word32 size;
|
---|
| 6253 |
|
---|
| 6254 | if (GetHandshakeHeader(ssl,input, inOutIdx, &type, &size, totalSz) != 0)
|
---|
| 6255 | return PARSE_ERROR;
|
---|
| 6256 |
|
---|
| 6257 | /* Cap the maximum size of a handshake message to something reasonable.
|
---|
| 6258 | * By default is the maximum size of a certificate message assuming
|
---|
| 6259 | * nine 2048-bit RSA certificates in the chain. */
|
---|
| 6260 | if (size > MAX_HANDSHAKE_SZ) {
|
---|
| 6261 | WOLFSSL_MSG("Handshake message too large");
|
---|
| 6262 | return HANDSHAKE_SIZE_ERROR;
|
---|
| 6263 | }
|
---|
| 6264 |
|
---|
| 6265 | /* size is the size of the certificate message payload */
|
---|
| 6266 | if (inputLength - HANDSHAKE_HEADER_SZ < size) {
|
---|
| 6267 | ssl->arrays->pendingMsgType = type;
|
---|
| 6268 | ssl->arrays->pendingMsgSz = size + HANDSHAKE_HEADER_SZ;
|
---|
| 6269 | ssl->arrays->pendingMsg = (byte*)XMALLOC(size + HANDSHAKE_HEADER_SZ,
|
---|
| 6270 | ssl->heap,
|
---|
| 6271 | DYNAMIC_TYPE_ARRAYS);
|
---|
| 6272 | if (ssl->arrays->pendingMsg == NULL)
|
---|
| 6273 | return MEMORY_E;
|
---|
| 6274 | XMEMCPY(ssl->arrays->pendingMsg,
|
---|
| 6275 | input + *inOutIdx - HANDSHAKE_HEADER_SZ,
|
---|
| 6276 | inputLength);
|
---|
| 6277 | ssl->arrays->pendingMsgOffset = inputLength;
|
---|
| 6278 | *inOutIdx += inputLength + ssl->keys.padSz - HANDSHAKE_HEADER_SZ;
|
---|
| 6279 | return 0;
|
---|
| 6280 | }
|
---|
| 6281 |
|
---|
| 6282 | ret = DoTls13HandShakeMsgType(ssl, input, inOutIdx, type, size,
|
---|
| 6283 | totalSz);
|
---|
| 6284 | }
|
---|
| 6285 | else {
|
---|
| 6286 | if (inputLength + ssl->arrays->pendingMsgOffset >
|
---|
| 6287 | ssl->arrays->pendingMsgSz) {
|
---|
| 6288 | return BUFFER_ERROR;
|
---|
| 6289 | }
|
---|
| 6290 |
|
---|
| 6291 | XMEMCPY(ssl->arrays->pendingMsg + ssl->arrays->pendingMsgOffset,
|
---|
| 6292 | input + *inOutIdx, inputLength);
|
---|
| 6293 | ssl->arrays->pendingMsgOffset += inputLength;
|
---|
| 6294 | *inOutIdx += inputLength + ssl->keys.padSz;
|
---|
| 6295 |
|
---|
| 6296 | if (ssl->arrays->pendingMsgOffset == ssl->arrays->pendingMsgSz)
|
---|
| 6297 | {
|
---|
| 6298 | word32 idx = 0;
|
---|
| 6299 | ret = DoTls13HandShakeMsgType(ssl,
|
---|
| 6300 | ssl->arrays->pendingMsg + HANDSHAKE_HEADER_SZ,
|
---|
| 6301 | &idx, ssl->arrays->pendingMsgType,
|
---|
| 6302 | ssl->arrays->pendingMsgSz - HANDSHAKE_HEADER_SZ,
|
---|
| 6303 | ssl->arrays->pendingMsgSz);
|
---|
| 6304 | #ifdef WOLFSSL_ASYNC_CRYPT
|
---|
| 6305 | if (ret == WC_PENDING_E) {
|
---|
| 6306 | /* setup to process fragment again */
|
---|
| 6307 | ssl->arrays->pendingMsgOffset -= inputLength;
|
---|
| 6308 | *inOutIdx -= inputLength + ssl->keys.padSz;
|
---|
| 6309 | }
|
---|
| 6310 | else
|
---|
| 6311 | #endif
|
---|
| 6312 | {
|
---|
| 6313 | XFREE(ssl->arrays->pendingMsg, ssl->heap, DYNAMIC_TYPE_ARRAYS);
|
---|
| 6314 | ssl->arrays->pendingMsg = NULL;
|
---|
| 6315 | ssl->arrays->pendingMsgSz = 0;
|
---|
| 6316 | }
|
---|
| 6317 | }
|
---|
| 6318 | }
|
---|
| 6319 |
|
---|
| 6320 | WOLFSSL_LEAVE("DoTls13HandShakeMsg()", ret);
|
---|
| 6321 | return ret;
|
---|
| 6322 | }
|
---|
| 6323 |
|
---|
| 6324 |
|
---|
| 6325 | /* The client connecting to the server.
|
---|
| 6326 | * The protocol version is expecting to be TLS v1.3.
|
---|
| 6327 | * If the server downgrades, and older versions of the protocol are compiled
|
---|
| 6328 | * in, the client will fallback to wolfSSL_connect().
|
---|
| 6329 | * Please see note at top of README if you get an error from connect.
|
---|
| 6330 | *
|
---|
| 6331 | * ssl The SSL/TLS object.
|
---|
| 6332 | * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
|
---|
| 6333 | * unrecoverable error occurs and 0 otherwise.
|
---|
| 6334 | * For more error information use wolfSSL_get_error().
|
---|
| 6335 | */
|
---|
| 6336 | int wolfSSL_connect_TLSv13(WOLFSSL* ssl)
|
---|
| 6337 | {
|
---|
| 6338 | int neededState;
|
---|
| 6339 |
|
---|
| 6340 | WOLFSSL_ENTER("wolfSSL_connect_TLSv13()");
|
---|
| 6341 |
|
---|
| 6342 | #ifdef HAVE_ERRNO_H
|
---|
| 6343 | errno = 0;
|
---|
| 6344 | #endif
|
---|
| 6345 |
|
---|
| 6346 | if (ssl->options.side != WOLFSSL_CLIENT_END) {
|
---|
| 6347 | WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
|
---|
| 6348 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6349 | }
|
---|
| 6350 |
|
---|
| 6351 | if (ssl->buffers.outputBuffer.length > 0) {
|
---|
| 6352 | if ((ssl->error = SendBuffered(ssl)) == 0) {
|
---|
| 6353 | /* fragOffset is non-zero when sending fragments. On the last
|
---|
| 6354 | * fragment, fragOffset is zero again, and the state can be
|
---|
| 6355 | * advanced. */
|
---|
| 6356 | if (ssl->fragOffset == 0) {
|
---|
| 6357 | ssl->options.connectState++;
|
---|
| 6358 | WOLFSSL_MSG("connect state: "
|
---|
| 6359 | "Advanced from last buffered fragment send");
|
---|
| 6360 | }
|
---|
| 6361 | else {
|
---|
| 6362 | WOLFSSL_MSG("connect state: "
|
---|
| 6363 | "Not advanced, more fragments to send");
|
---|
| 6364 | }
|
---|
| 6365 | }
|
---|
| 6366 | else {
|
---|
| 6367 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6368 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6369 | }
|
---|
| 6370 | }
|
---|
| 6371 |
|
---|
| 6372 | switch (ssl->options.connectState) {
|
---|
| 6373 |
|
---|
| 6374 | case CONNECT_BEGIN:
|
---|
| 6375 | /* Always send client hello first. */
|
---|
| 6376 | if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
|
---|
| 6377 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6378 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6379 | }
|
---|
| 6380 |
|
---|
| 6381 | ssl->options.connectState = CLIENT_HELLO_SENT;
|
---|
| 6382 | WOLFSSL_MSG("connect state: CLIENT_HELLO_SENT");
|
---|
| 6383 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 6384 | if (ssl->earlyData) {
|
---|
| 6385 | ssl->options.handShakeState = CLIENT_HELLO_COMPLETE;
|
---|
| 6386 | return WOLFSSL_SUCCESS;
|
---|
| 6387 | }
|
---|
| 6388 | #endif
|
---|
| 6389 | FALL_THROUGH;
|
---|
| 6390 |
|
---|
| 6391 | case CLIENT_HELLO_SENT:
|
---|
| 6392 | neededState = ssl->options.resuming ? SERVER_FINISHED_COMPLETE :
|
---|
| 6393 | SERVER_HELLODONE_COMPLETE;
|
---|
| 6394 | /* Get the response/s from the server. */
|
---|
| 6395 | while (ssl->options.serverState < neededState) {
|
---|
| 6396 | if ((ssl->error = ProcessReply(ssl)) < 0) {
|
---|
| 6397 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6398 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6399 | }
|
---|
| 6400 | /* if resumption failed, reset needed state. */
|
---|
| 6401 | if (neededState == SERVER_FINISHED_COMPLETE &&
|
---|
| 6402 | !ssl->options.resuming) {
|
---|
| 6403 | neededState = SERVER_HELLODONE_COMPLETE;
|
---|
| 6404 | }
|
---|
| 6405 | }
|
---|
| 6406 |
|
---|
| 6407 | ssl->options.connectState = HELLO_AGAIN;
|
---|
| 6408 | WOLFSSL_MSG("connect state: HELLO_AGAIN");
|
---|
| 6409 | FALL_THROUGH;
|
---|
| 6410 |
|
---|
| 6411 | case HELLO_AGAIN:
|
---|
| 6412 | if (ssl->options.certOnly)
|
---|
| 6413 | return WOLFSSL_SUCCESS;
|
---|
| 6414 |
|
---|
| 6415 | if (!ssl->options.tls1_3) {
|
---|
| 6416 | if (ssl->options.downgrade)
|
---|
| 6417 | return wolfSSL_connect(ssl);
|
---|
| 6418 |
|
---|
| 6419 | WOLFSSL_MSG("Client using higher version, fatal error");
|
---|
| 6420 | return VERSION_ERROR;
|
---|
| 6421 | }
|
---|
| 6422 |
|
---|
| 6423 | if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
|
---|
| 6424 | ssl->options.serverState = NULL_STATE;
|
---|
| 6425 | /* Try again with different security parameters. */
|
---|
| 6426 | if ((ssl->error = SendTls13ClientHello(ssl)) != 0) {
|
---|
| 6427 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6428 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6429 | }
|
---|
| 6430 | }
|
---|
| 6431 |
|
---|
| 6432 | ssl->options.connectState = HELLO_AGAIN_REPLY;
|
---|
| 6433 | WOLFSSL_MSG("connect state: HELLO_AGAIN_REPLY");
|
---|
| 6434 | FALL_THROUGH;
|
---|
| 6435 |
|
---|
| 6436 | case HELLO_AGAIN_REPLY:
|
---|
| 6437 | if (ssl->options.serverState == NULL_STATE ||
|
---|
| 6438 | ssl->error == WC_PENDING_E) {
|
---|
| 6439 | neededState = ssl->options.resuming ? SERVER_FINISHED_COMPLETE :
|
---|
| 6440 | SERVER_HELLODONE_COMPLETE;
|
---|
| 6441 |
|
---|
| 6442 | /* Get the response/s from the server. */
|
---|
| 6443 | while (ssl->options.serverState < neededState) {
|
---|
| 6444 | if ((ssl->error = ProcessReply(ssl)) < 0) {
|
---|
| 6445 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6446 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6447 | }
|
---|
| 6448 | /* if resumption failed, reset needed state */
|
---|
| 6449 | else if (neededState == SERVER_FINISHED_COMPLETE) {
|
---|
| 6450 | if (!ssl->options.resuming)
|
---|
| 6451 | neededState = SERVER_HELLODONE_COMPLETE;
|
---|
| 6452 | }
|
---|
| 6453 | }
|
---|
| 6454 | }
|
---|
| 6455 |
|
---|
| 6456 | ssl->options.connectState = FIRST_REPLY_DONE;
|
---|
| 6457 | WOLFSSL_MSG("connect state: FIRST_REPLY_DONE");
|
---|
| 6458 | FALL_THROUGH;
|
---|
| 6459 |
|
---|
| 6460 | case FIRST_REPLY_DONE:
|
---|
| 6461 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 6462 | if (ssl->earlyData) {
|
---|
| 6463 | if ((ssl->error = SendTls13EndOfEarlyData(ssl)) != 0) {
|
---|
| 6464 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6465 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6466 | }
|
---|
| 6467 | WOLFSSL_MSG("sent: end_of_early_data");
|
---|
| 6468 | }
|
---|
| 6469 | #endif
|
---|
| 6470 |
|
---|
| 6471 | ssl->options.connectState = FIRST_REPLY_FIRST;
|
---|
| 6472 | WOLFSSL_MSG("connect state: FIRST_REPLY_FIRST");
|
---|
| 6473 | FALL_THROUGH;
|
---|
| 6474 |
|
---|
| 6475 | case FIRST_REPLY_FIRST:
|
---|
| 6476 | #ifndef NO_CERTS
|
---|
| 6477 | if (!ssl->options.resuming && ssl->options.sendVerify) {
|
---|
| 6478 | ssl->error = SendTls13Certificate(ssl);
|
---|
| 6479 | if (ssl->error != 0) {
|
---|
| 6480 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6481 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6482 | }
|
---|
| 6483 | WOLFSSL_MSG("sent: certificate");
|
---|
| 6484 | }
|
---|
| 6485 | #endif
|
---|
| 6486 |
|
---|
| 6487 | ssl->options.connectState = FIRST_REPLY_SECOND;
|
---|
| 6488 | WOLFSSL_MSG("connect state: FIRST_REPLY_SECOND");
|
---|
| 6489 | FALL_THROUGH;
|
---|
| 6490 |
|
---|
| 6491 | case FIRST_REPLY_SECOND:
|
---|
| 6492 |
|
---|
| 6493 | #ifndef NO_CERTS
|
---|
| 6494 | if (!ssl->options.resuming && ssl->options.sendVerify) {
|
---|
| 6495 | ssl->error = SendTls13CertificateVerify(ssl);
|
---|
| 6496 | if (ssl->error != 0) {
|
---|
| 6497 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6498 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6499 | }
|
---|
| 6500 | WOLFSSL_MSG("sent: certificate verify");
|
---|
| 6501 | }
|
---|
| 6502 | #endif
|
---|
| 6503 |
|
---|
| 6504 | ssl->options.connectState = FIRST_REPLY_THIRD;
|
---|
| 6505 | WOLFSSL_MSG("connect state: FIRST_REPLY_THIRD");
|
---|
| 6506 | FALL_THROUGH;
|
---|
| 6507 |
|
---|
| 6508 | case FIRST_REPLY_THIRD:
|
---|
| 6509 | if ((ssl->error = SendTls13Finished(ssl)) != 0) {
|
---|
| 6510 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6511 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6512 | }
|
---|
| 6513 | WOLFSSL_MSG("sent: finished");
|
---|
| 6514 |
|
---|
| 6515 | ssl->options.connectState = FINISHED_DONE;
|
---|
| 6516 | WOLFSSL_MSG("connect state: FINISHED_DONE");
|
---|
| 6517 | FALL_THROUGH;
|
---|
| 6518 |
|
---|
| 6519 | case FINISHED_DONE:
|
---|
| 6520 | #ifndef NO_HANDSHAKE_DONE_CB
|
---|
| 6521 | if (ssl->hsDoneCb != NULL) {
|
---|
| 6522 | int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
|
---|
| 6523 | if (cbret < 0) {
|
---|
| 6524 | ssl->error = cbret;
|
---|
| 6525 | WOLFSSL_MSG("HandShake Done Cb don't continue error");
|
---|
| 6526 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6527 | }
|
---|
| 6528 | }
|
---|
| 6529 | #endif /* NO_HANDSHAKE_DONE_CB */
|
---|
| 6530 |
|
---|
| 6531 | WOLFSSL_LEAVE("wolfSSL_connect_TLSv13()", WOLFSSL_SUCCESS);
|
---|
| 6532 | return WOLFSSL_SUCCESS;
|
---|
| 6533 |
|
---|
| 6534 | default:
|
---|
| 6535 | WOLFSSL_MSG("Unknown connect state ERROR");
|
---|
| 6536 | return WOLFSSL_FATAL_ERROR; /* unknown connect state */
|
---|
| 6537 | }
|
---|
| 6538 | }
|
---|
| 6539 |
|
---|
| 6540 | #if defined(WOLFSSL_SEND_HRR_COOKIE) && !defined(NO_WOLFSSL_SERVER)
|
---|
| 6541 | /* Send a cookie with the HelloRetryRequest to avoid storing state.
|
---|
| 6542 | *
|
---|
| 6543 | * ssl SSL/TLS object.
|
---|
| 6544 | * secret Secret to use when generating integrity check for cookie.
|
---|
| 6545 | * A value of NULL indicates to generate a new random secret.
|
---|
| 6546 | * secretSz Size of secret data in bytes.
|
---|
| 6547 | * Use a value of 0 to indicate use of default size.
|
---|
| 6548 | * returns BAD_FUNC_ARG when ssl is NULL or not using TLS v1.3, SIDE_ERROR when
|
---|
| 6549 | * called on a client; WOLFSSL_SUCCESS on success and otherwise failure.
|
---|
| 6550 | */
|
---|
| 6551 | int wolfSSL_send_hrr_cookie(WOLFSSL* ssl, const unsigned char* secret,
|
---|
| 6552 | unsigned int secretSz)
|
---|
| 6553 | {
|
---|
| 6554 | int ret;
|
---|
| 6555 |
|
---|
| 6556 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
|
---|
| 6557 | return BAD_FUNC_ARG;
|
---|
| 6558 | if (ssl->options.side == WOLFSSL_CLIENT_END)
|
---|
| 6559 | return SIDE_ERROR;
|
---|
| 6560 |
|
---|
| 6561 | if (secretSz == 0) {
|
---|
| 6562 | #if !defined(NO_SHA) && defined(NO_SHA256)
|
---|
| 6563 | secretSz = WC_SHA_DIGEST_SIZE;
|
---|
| 6564 | #endif /* NO_SHA */
|
---|
| 6565 | #ifndef NO_SHA256
|
---|
| 6566 | secretSz = WC_SHA256_DIGEST_SIZE;
|
---|
| 6567 | #endif /* NO_SHA256 */
|
---|
| 6568 | }
|
---|
| 6569 |
|
---|
| 6570 | if (secretSz != ssl->buffers.tls13CookieSecret.length) {
|
---|
| 6571 | byte* newSecret;
|
---|
| 6572 |
|
---|
| 6573 | if (ssl->buffers.tls13CookieSecret.buffer != NULL) {
|
---|
| 6574 | ForceZero(ssl->buffers.tls13CookieSecret.buffer,
|
---|
| 6575 | ssl->buffers.tls13CookieSecret.length);
|
---|
| 6576 | XFREE(ssl->buffers.tls13CookieSecret.buffer,
|
---|
| 6577 | ssl->heap, DYNAMIC_TYPE_COOKIE_PWD);
|
---|
| 6578 | }
|
---|
| 6579 |
|
---|
| 6580 | newSecret = (byte*)XMALLOC(secretSz, ssl->heap,
|
---|
| 6581 | DYNAMIC_TYPE_COOKIE_PWD);
|
---|
| 6582 | if (newSecret == NULL) {
|
---|
| 6583 | ssl->buffers.tls13CookieSecret.buffer = NULL;
|
---|
| 6584 | ssl->buffers.tls13CookieSecret.length = 0;
|
---|
| 6585 | WOLFSSL_MSG("couldn't allocate new cookie secret");
|
---|
| 6586 | return MEMORY_ERROR;
|
---|
| 6587 | }
|
---|
| 6588 | ssl->buffers.tls13CookieSecret.buffer = newSecret;
|
---|
| 6589 | ssl->buffers.tls13CookieSecret.length = secretSz;
|
---|
| 6590 | }
|
---|
| 6591 |
|
---|
| 6592 | /* If the supplied secret is NULL, randomly generate a new secret. */
|
---|
| 6593 | if (secret == NULL) {
|
---|
| 6594 | ret = wc_RNG_GenerateBlock(ssl->rng,
|
---|
| 6595 | ssl->buffers.tls13CookieSecret.buffer, secretSz);
|
---|
| 6596 | if (ret < 0)
|
---|
| 6597 | return ret;
|
---|
| 6598 | }
|
---|
| 6599 | else
|
---|
| 6600 | XMEMCPY(ssl->buffers.tls13CookieSecret.buffer, secret, secretSz);
|
---|
| 6601 |
|
---|
| 6602 | ssl->options.sendCookie = 1;
|
---|
| 6603 |
|
---|
| 6604 | return WOLFSSL_SUCCESS;
|
---|
| 6605 | }
|
---|
| 6606 | #endif
|
---|
| 6607 |
|
---|
| 6608 | /* Create a key share entry from group.
|
---|
| 6609 | * Generates a key pair.
|
---|
| 6610 | *
|
---|
| 6611 | * ssl The SSL/TLS object.
|
---|
| 6612 | * group The named group.
|
---|
| 6613 | * returns 0 on success, otherwise failure.
|
---|
| 6614 | */
|
---|
| 6615 | int wolfSSL_UseKeyShare(WOLFSSL* ssl, word16 group)
|
---|
| 6616 | {
|
---|
| 6617 | int ret;
|
---|
| 6618 |
|
---|
| 6619 | if (ssl == NULL)
|
---|
| 6620 | return BAD_FUNC_ARG;
|
---|
| 6621 | if (ssl->options.side == WOLFSSL_SERVER_END)
|
---|
| 6622 | return SIDE_ERROR;
|
---|
| 6623 |
|
---|
| 6624 | ret = TLSX_KeyShare_Use(ssl, group, 0, NULL, NULL);
|
---|
| 6625 | if (ret != 0)
|
---|
| 6626 | return ret;
|
---|
| 6627 |
|
---|
| 6628 | return WOLFSSL_SUCCESS;
|
---|
| 6629 | }
|
---|
| 6630 |
|
---|
| 6631 | /* Send no key share entries - use HelloRetryRequest to negotiate shared group.
|
---|
| 6632 | *
|
---|
| 6633 | * ssl The SSL/TLS object.
|
---|
| 6634 | * returns 0 on success, otherwise failure.
|
---|
| 6635 | */
|
---|
| 6636 | int wolfSSL_NoKeyShares(WOLFSSL* ssl)
|
---|
| 6637 | {
|
---|
| 6638 | int ret;
|
---|
| 6639 |
|
---|
| 6640 | if (ssl == NULL)
|
---|
| 6641 | return BAD_FUNC_ARG;
|
---|
| 6642 | if (ssl->options.side == WOLFSSL_SERVER_END)
|
---|
| 6643 | return SIDE_ERROR;
|
---|
| 6644 |
|
---|
| 6645 | ret = TLSX_KeyShare_Empty(ssl);
|
---|
| 6646 | if (ret != 0)
|
---|
| 6647 | return ret;
|
---|
| 6648 |
|
---|
| 6649 | return WOLFSSL_SUCCESS;
|
---|
| 6650 | }
|
---|
| 6651 |
|
---|
| 6652 | /* Do not send a ticket after TLS v1.3 handshake for resumption.
|
---|
| 6653 | *
|
---|
| 6654 | * ctx The SSL/TLS CTX object.
|
---|
| 6655 | * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
|
---|
| 6656 | */
|
---|
| 6657 | int wolfSSL_CTX_no_ticket_TLSv13(WOLFSSL_CTX* ctx)
|
---|
| 6658 | {
|
---|
| 6659 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
|
---|
| 6660 | return BAD_FUNC_ARG;
|
---|
| 6661 | if (ctx->method->side == WOLFSSL_CLIENT_END)
|
---|
| 6662 | return SIDE_ERROR;
|
---|
| 6663 |
|
---|
| 6664 | #ifdef HAVE_SESSION_TICKET
|
---|
| 6665 | ctx->noTicketTls13 = 1;
|
---|
| 6666 | #endif
|
---|
| 6667 |
|
---|
| 6668 | return 0;
|
---|
| 6669 | }
|
---|
| 6670 |
|
---|
| 6671 | /* Do not send a ticket after TLS v1.3 handshake for resumption.
|
---|
| 6672 | *
|
---|
| 6673 | * ssl The SSL/TLS object.
|
---|
| 6674 | * returns BAD_FUNC_ARG when ssl is NULL, not using TLS v1.3, or called on
|
---|
| 6675 | * a client and 0 on success.
|
---|
| 6676 | */
|
---|
| 6677 | int wolfSSL_no_ticket_TLSv13(WOLFSSL* ssl)
|
---|
| 6678 | {
|
---|
| 6679 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
|
---|
| 6680 | return BAD_FUNC_ARG;
|
---|
| 6681 | if (ssl->options.side == WOLFSSL_CLIENT_END)
|
---|
| 6682 | return SIDE_ERROR;
|
---|
| 6683 |
|
---|
| 6684 | #ifdef HAVE_SESSION_TICKET
|
---|
| 6685 | ssl->options.noTicketTls13 = 1;
|
---|
| 6686 | #endif
|
---|
| 6687 |
|
---|
| 6688 | return 0;
|
---|
| 6689 | }
|
---|
| 6690 |
|
---|
| 6691 | /* Disallow (EC)DHE key exchange when using pre-shared keys.
|
---|
| 6692 | *
|
---|
| 6693 | * ctx The SSL/TLS CTX object.
|
---|
| 6694 | * returns BAD_FUNC_ARG when ctx is NULL and 0 on success.
|
---|
| 6695 | */
|
---|
| 6696 | int wolfSSL_CTX_no_dhe_psk(WOLFSSL_CTX* ctx)
|
---|
| 6697 | {
|
---|
| 6698 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
|
---|
| 6699 | return BAD_FUNC_ARG;
|
---|
| 6700 |
|
---|
| 6701 | ctx->noPskDheKe = 1;
|
---|
| 6702 |
|
---|
| 6703 | return 0;
|
---|
| 6704 | }
|
---|
| 6705 |
|
---|
| 6706 | /* Disallow (EC)DHE key exchange when using pre-shared keys.
|
---|
| 6707 | *
|
---|
| 6708 | * ssl The SSL/TLS object.
|
---|
| 6709 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3 and 0 on
|
---|
| 6710 | * success.
|
---|
| 6711 | */
|
---|
| 6712 | int wolfSSL_no_dhe_psk(WOLFSSL* ssl)
|
---|
| 6713 | {
|
---|
| 6714 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
|
---|
| 6715 | return BAD_FUNC_ARG;
|
---|
| 6716 |
|
---|
| 6717 | ssl->options.noPskDheKe = 1;
|
---|
| 6718 |
|
---|
| 6719 | return 0;
|
---|
| 6720 | }
|
---|
| 6721 |
|
---|
| 6722 | /* Update the keys for encryption and decryption.
|
---|
| 6723 | * If using non-blocking I/O and WOLFSSL_ERROR_WANT_WRITE is returned then
|
---|
| 6724 | * calling wolfSSL_write() will have the message sent when ready.
|
---|
| 6725 | *
|
---|
| 6726 | * ssl The SSL/TLS object.
|
---|
| 6727 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
|
---|
| 6728 | * WOLFSSL_ERROR_WANT_WRITE when non-blocking I/O is not ready to write,
|
---|
| 6729 | * WOLFSSL_SUCCESS on success and otherwise failure.
|
---|
| 6730 | */
|
---|
| 6731 | int wolfSSL_update_keys(WOLFSSL* ssl)
|
---|
| 6732 | {
|
---|
| 6733 | int ret;
|
---|
| 6734 |
|
---|
| 6735 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
|
---|
| 6736 | return BAD_FUNC_ARG;
|
---|
| 6737 |
|
---|
| 6738 | ret = SendTls13KeyUpdate(ssl);
|
---|
| 6739 | if (ret == WANT_WRITE)
|
---|
| 6740 | ret = WOLFSSL_ERROR_WANT_WRITE;
|
---|
| 6741 | else if (ret == 0)
|
---|
| 6742 | ret = WOLFSSL_SUCCESS;
|
---|
| 6743 | return ret;
|
---|
| 6744 | }
|
---|
| 6745 |
|
---|
| 6746 | #if !defined(NO_CERTS) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
|
---|
| 6747 | /* Allow post-handshake authentication in TLS v1.3 connections.
|
---|
| 6748 | *
|
---|
| 6749 | * ctx The SSL/TLS CTX object.
|
---|
| 6750 | * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
|
---|
| 6751 | * 0 on success.
|
---|
| 6752 | */
|
---|
| 6753 | int wolfSSL_CTX_allow_post_handshake_auth(WOLFSSL_CTX* ctx)
|
---|
| 6754 | {
|
---|
| 6755 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
|
---|
| 6756 | return BAD_FUNC_ARG;
|
---|
| 6757 | if (ctx->method->side == WOLFSSL_SERVER_END)
|
---|
| 6758 | return SIDE_ERROR;
|
---|
| 6759 |
|
---|
| 6760 | ctx->postHandshakeAuth = 1;
|
---|
| 6761 |
|
---|
| 6762 | return 0;
|
---|
| 6763 | }
|
---|
| 6764 |
|
---|
| 6765 | /* Allow post-handshake authentication in TLS v1.3 connection.
|
---|
| 6766 | *
|
---|
| 6767 | * ssl The SSL/TLS object.
|
---|
| 6768 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
|
---|
| 6769 | * SIDE_ERROR when not a server and 0 on success.
|
---|
| 6770 | */
|
---|
| 6771 | int wolfSSL_allow_post_handshake_auth(WOLFSSL* ssl)
|
---|
| 6772 | {
|
---|
| 6773 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
|
---|
| 6774 | return BAD_FUNC_ARG;
|
---|
| 6775 | if (ssl->options.side == WOLFSSL_SERVER_END)
|
---|
| 6776 | return SIDE_ERROR;
|
---|
| 6777 |
|
---|
| 6778 | ssl->options.postHandshakeAuth = 1;
|
---|
| 6779 |
|
---|
| 6780 | return 0;
|
---|
| 6781 | }
|
---|
| 6782 |
|
---|
| 6783 | /* Request a certificate of the client.
|
---|
| 6784 | * Can be called any time after handshake completion.
|
---|
| 6785 | * A maximum of 256 requests can be sent on a connection.
|
---|
| 6786 | *
|
---|
| 6787 | * ssl SSL/TLS object.
|
---|
| 6788 | */
|
---|
| 6789 | int wolfSSL_request_certificate(WOLFSSL* ssl)
|
---|
| 6790 | {
|
---|
| 6791 | int ret;
|
---|
| 6792 | CertReqCtx* certReqCtx;
|
---|
| 6793 |
|
---|
| 6794 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
|
---|
| 6795 | return BAD_FUNC_ARG;
|
---|
| 6796 | if (ssl->options.side == WOLFSSL_CLIENT_END)
|
---|
| 6797 | return SIDE_ERROR;
|
---|
| 6798 | if (ssl->options.handShakeState != HANDSHAKE_DONE)
|
---|
| 6799 | return NOT_READY_ERROR;
|
---|
| 6800 | if (!ssl->options.postHandshakeAuth)
|
---|
| 6801 | return POST_HAND_AUTH_ERROR;
|
---|
| 6802 |
|
---|
| 6803 | certReqCtx = (CertReqCtx*)XMALLOC(sizeof(CertReqCtx), ssl->heap,
|
---|
| 6804 | DYNAMIC_TYPE_TMP_BUFFER);
|
---|
| 6805 | if (certReqCtx == NULL)
|
---|
| 6806 | return MEMORY_E;
|
---|
| 6807 | XMEMSET(certReqCtx, 0, sizeof(CertReqCtx));
|
---|
| 6808 | certReqCtx->next = ssl->certReqCtx;
|
---|
| 6809 | certReqCtx->len = 1;
|
---|
| 6810 | if (certReqCtx->next != NULL)
|
---|
| 6811 | certReqCtx->ctx = certReqCtx->next->ctx + 1;
|
---|
| 6812 | ssl->certReqCtx = certReqCtx;
|
---|
| 6813 |
|
---|
| 6814 | ret = SendTls13CertificateRequest(ssl, &certReqCtx->ctx, certReqCtx->len);
|
---|
| 6815 | if (ret == WANT_WRITE)
|
---|
| 6816 | ret = WOLFSSL_ERROR_WANT_WRITE;
|
---|
| 6817 | else if (ret == 0)
|
---|
| 6818 | ret = WOLFSSL_SUCCESS;
|
---|
| 6819 | return ret;
|
---|
| 6820 | }
|
---|
| 6821 | #endif /* !NO_CERTS && WOLFSSL_POST_HANDSHAKE_AUTH */
|
---|
| 6822 |
|
---|
| 6823 | #ifndef NO_WOLFSSL_SERVER
|
---|
| 6824 | /* The server accepting a connection from a client.
|
---|
| 6825 | * The protocol version is expecting to be TLS v1.3.
|
---|
| 6826 | * If the client downgrades, and older versions of the protocol are compiled
|
---|
| 6827 | * in, the server will fallback to wolfSSL_accept().
|
---|
| 6828 | * Please see note at top of README if you get an error from accept.
|
---|
| 6829 | *
|
---|
| 6830 | * ssl The SSL/TLS object.
|
---|
| 6831 | * returns WOLFSSL_SUCCESS on successful handshake, WOLFSSL_FATAL_ERROR when
|
---|
| 6832 | * unrecoverable error occurs and 0 otherwise.
|
---|
| 6833 | * For more error information use wolfSSL_get_error().
|
---|
| 6834 | */
|
---|
| 6835 | int wolfSSL_accept_TLSv13(WOLFSSL* ssl)
|
---|
| 6836 | {
|
---|
| 6837 | word16 havePSK = 0;
|
---|
| 6838 | word16 haveAnon = 0;
|
---|
| 6839 | WOLFSSL_ENTER("SSL_accept_TLSv13()");
|
---|
| 6840 |
|
---|
| 6841 | #ifdef HAVE_ERRNO_H
|
---|
| 6842 | errno = 0;
|
---|
| 6843 | #endif
|
---|
| 6844 |
|
---|
| 6845 | #if defined(HAVE_SESSION_TICKET) || !defined(NO_PSK)
|
---|
| 6846 | havePSK = ssl->options.havePSK;
|
---|
| 6847 | #endif
|
---|
| 6848 | (void)havePSK;
|
---|
| 6849 |
|
---|
| 6850 | #ifdef HAVE_ANON
|
---|
| 6851 | haveAnon = ssl->options.haveAnon;
|
---|
| 6852 | #endif
|
---|
| 6853 | (void)haveAnon;
|
---|
| 6854 |
|
---|
| 6855 | if (ssl->options.side != WOLFSSL_SERVER_END) {
|
---|
| 6856 | WOLFSSL_ERROR(ssl->error = SIDE_ERROR);
|
---|
| 6857 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6858 | }
|
---|
| 6859 |
|
---|
| 6860 | #ifndef NO_CERTS
|
---|
| 6861 | /* in case used set_accept_state after init */
|
---|
| 6862 | if (!havePSK && !haveAnon &&
|
---|
| 6863 | (!ssl->buffers.certificate ||
|
---|
| 6864 | !ssl->buffers.certificate->buffer ||
|
---|
| 6865 | !ssl->buffers.key ||
|
---|
| 6866 | !ssl->buffers.key->buffer)) {
|
---|
| 6867 | WOLFSSL_MSG("accept error: don't have server cert and key");
|
---|
| 6868 | ssl->error = NO_PRIVATE_KEY;
|
---|
| 6869 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6870 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6871 | }
|
---|
| 6872 | #endif
|
---|
| 6873 |
|
---|
| 6874 | if (ssl->buffers.outputBuffer.length > 0) {
|
---|
| 6875 | if ((ssl->error = SendBuffered(ssl)) == 0) {
|
---|
| 6876 | /* fragOffset is non-zero when sending fragments. On the last
|
---|
| 6877 | * fragment, fragOffset is zero again, and the state can be
|
---|
| 6878 | * advanced. */
|
---|
| 6879 | if (ssl->fragOffset == 0) {
|
---|
| 6880 | ssl->options.acceptState++;
|
---|
| 6881 | WOLFSSL_MSG("accept state: "
|
---|
| 6882 | "Advanced from last buffered fragment send");
|
---|
| 6883 | }
|
---|
| 6884 | else {
|
---|
| 6885 | WOLFSSL_MSG("accept state: "
|
---|
| 6886 | "Not advanced, more fragments to send");
|
---|
| 6887 | }
|
---|
| 6888 | }
|
---|
| 6889 | else {
|
---|
| 6890 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6891 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6892 | }
|
---|
| 6893 | }
|
---|
| 6894 |
|
---|
| 6895 | switch (ssl->options.acceptState) {
|
---|
| 6896 |
|
---|
| 6897 | case ACCEPT_BEGIN :
|
---|
| 6898 | /* get response */
|
---|
| 6899 | while (ssl->options.clientState < CLIENT_HELLO_COMPLETE)
|
---|
| 6900 | if ((ssl->error = ProcessReply(ssl)) < 0) {
|
---|
| 6901 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6902 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6903 | }
|
---|
| 6904 |
|
---|
| 6905 | ssl->options.acceptState = ACCEPT_CLIENT_HELLO_DONE;
|
---|
| 6906 | WOLFSSL_MSG("accept state ACCEPT_CLIENT_HELLO_DONE");
|
---|
| 6907 | FALL_THROUGH;
|
---|
| 6908 |
|
---|
| 6909 | case ACCEPT_CLIENT_HELLO_DONE :
|
---|
| 6910 | if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
|
---|
| 6911 | if ((ssl->error = SendTls13HelloRetryRequest(ssl)) != 0) {
|
---|
| 6912 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6913 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6914 | }
|
---|
| 6915 | }
|
---|
| 6916 | ssl->options.acceptState = ACCEPT_HELLO_RETRY_REQUEST_DONE;
|
---|
| 6917 | WOLFSSL_MSG("accept state ACCEPT_HELLO_RETRY_REQUEST_DONE");
|
---|
| 6918 | FALL_THROUGH;
|
---|
| 6919 |
|
---|
| 6920 | case ACCEPT_HELLO_RETRY_REQUEST_DONE :
|
---|
| 6921 | if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST) {
|
---|
| 6922 | if ( (ssl->error = ProcessReply(ssl)) < 0) {
|
---|
| 6923 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6924 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6925 | }
|
---|
| 6926 | }
|
---|
| 6927 | ssl->options.acceptState = ACCEPT_FIRST_REPLY_DONE;
|
---|
| 6928 | WOLFSSL_MSG("accept state ACCEPT_FIRST_REPLY_DONE");
|
---|
| 6929 | FALL_THROUGH;
|
---|
| 6930 |
|
---|
| 6931 | case ACCEPT_FIRST_REPLY_DONE :
|
---|
| 6932 | if ((ssl->error = SendTls13ServerHello(ssl)) != 0) {
|
---|
| 6933 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6934 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6935 | }
|
---|
| 6936 | ssl->options.acceptState = SERVER_HELLO_SENT;
|
---|
| 6937 | WOLFSSL_MSG("accept state SERVER_HELLO_SENT");
|
---|
| 6938 | FALL_THROUGH;
|
---|
| 6939 |
|
---|
| 6940 | case SERVER_HELLO_SENT :
|
---|
| 6941 | if ((ssl->error = SendTls13EncryptedExtensions(ssl)) != 0) {
|
---|
| 6942 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6943 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6944 | }
|
---|
| 6945 | ssl->options.acceptState = SERVER_EXTENSIONS_SENT;
|
---|
| 6946 | WOLFSSL_MSG("accept state SERVER_EXTENSIONS_SENT");
|
---|
| 6947 | FALL_THROUGH;
|
---|
| 6948 |
|
---|
| 6949 | case SERVER_EXTENSIONS_SENT :
|
---|
| 6950 | #ifndef NO_CERTS
|
---|
| 6951 | if (!ssl->options.resuming) {
|
---|
| 6952 | if (ssl->options.verifyPeer) {
|
---|
| 6953 | ssl->error = SendTls13CertificateRequest(ssl, NULL, 0);
|
---|
| 6954 | if (ssl->error != 0) {
|
---|
| 6955 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6956 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6957 | }
|
---|
| 6958 | }
|
---|
| 6959 | }
|
---|
| 6960 | #endif
|
---|
| 6961 | ssl->options.acceptState = CERT_REQ_SENT;
|
---|
| 6962 | WOLFSSL_MSG("accept state CERT_REQ_SENT");
|
---|
| 6963 | FALL_THROUGH;
|
---|
| 6964 |
|
---|
| 6965 | case CERT_REQ_SENT :
|
---|
| 6966 | ssl->options.acceptState = KEY_EXCHANGE_SENT;
|
---|
| 6967 | #ifndef NO_CERTS
|
---|
| 6968 | if (!ssl->options.resuming && ssl->options.sendVerify) {
|
---|
| 6969 | if ((ssl->error = SendTls13Certificate(ssl)) != 0) {
|
---|
| 6970 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6971 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6972 | }
|
---|
| 6973 | }
|
---|
| 6974 | #endif
|
---|
| 6975 | ssl->options.acceptState = CERT_SENT;
|
---|
| 6976 | WOLFSSL_MSG("accept state CERT_SENT");
|
---|
| 6977 | FALL_THROUGH;
|
---|
| 6978 |
|
---|
| 6979 | case CERT_SENT :
|
---|
| 6980 | #ifndef NO_CERTS
|
---|
| 6981 | if (!ssl->options.resuming && ssl->options.sendVerify) {
|
---|
| 6982 | if ((ssl->error = SendTls13CertificateVerify(ssl)) != 0) {
|
---|
| 6983 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6984 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6985 | }
|
---|
| 6986 | }
|
---|
| 6987 | #endif
|
---|
| 6988 | ssl->options.acceptState = CERT_STATUS_SENT;
|
---|
| 6989 | WOLFSSL_MSG("accept state CERT_STATUS_SENT");
|
---|
| 6990 | FALL_THROUGH;
|
---|
| 6991 |
|
---|
| 6992 | case CERT_VERIFY_SENT :
|
---|
| 6993 | if ((ssl->error = SendTls13Finished(ssl)) != 0) {
|
---|
| 6994 | WOLFSSL_ERROR(ssl->error);
|
---|
| 6995 | return WOLFSSL_FATAL_ERROR;
|
---|
| 6996 | }
|
---|
| 6997 |
|
---|
| 6998 | ssl->options.acceptState = ACCEPT_FINISHED_DONE;
|
---|
| 6999 | WOLFSSL_MSG("accept state ACCEPT_FINISHED_DONE");
|
---|
| 7000 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 7001 | if (ssl->earlyData) {
|
---|
| 7002 | ssl->options.handShakeState = SERVER_FINISHED_COMPLETE;
|
---|
| 7003 | return WOLFSSL_SUCCESS;
|
---|
| 7004 | }
|
---|
| 7005 | #endif
|
---|
| 7006 | FALL_THROUGH;
|
---|
| 7007 |
|
---|
| 7008 | case ACCEPT_FINISHED_DONE :
|
---|
| 7009 | #ifdef HAVE_SESSION_TICKET
|
---|
| 7010 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
|
---|
| 7011 | if (!ssl->options.resuming && !ssl->options.verifyPeer &&
|
---|
| 7012 | !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
|
---|
| 7013 | if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
|
---|
| 7014 | WOLFSSL_ERROR(ssl->error);
|
---|
| 7015 | return WOLFSSL_FATAL_ERROR;
|
---|
| 7016 | }
|
---|
| 7017 | }
|
---|
| 7018 | #endif
|
---|
| 7019 | #endif /* HAVE_SESSION_TICKET */
|
---|
| 7020 | ssl->options.acceptState = TICKET_SENT;
|
---|
| 7021 | WOLFSSL_MSG("accept state TICKET_SENT");
|
---|
| 7022 | FALL_THROUGH;
|
---|
| 7023 |
|
---|
| 7024 | case TICKET_SENT:
|
---|
| 7025 | while (ssl->options.clientState < CLIENT_FINISHED_COMPLETE)
|
---|
| 7026 | if ( (ssl->error = ProcessReply(ssl)) < 0) {
|
---|
| 7027 | WOLFSSL_ERROR(ssl->error);
|
---|
| 7028 | return WOLFSSL_FATAL_ERROR;
|
---|
| 7029 | }
|
---|
| 7030 |
|
---|
| 7031 | ssl->options.acceptState = ACCEPT_SECOND_REPLY_DONE;
|
---|
| 7032 | WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE");
|
---|
| 7033 | FALL_THROUGH;
|
---|
| 7034 |
|
---|
| 7035 | case ACCEPT_SECOND_REPLY_DONE :
|
---|
| 7036 | #ifdef HAVE_SESSION_TICKET
|
---|
| 7037 | #ifdef WOLFSSL_TLS13_TICKET_BEFORE_FINISHED
|
---|
| 7038 | if (!ssl->options.verifyPeer) {
|
---|
| 7039 | }
|
---|
| 7040 | else
|
---|
| 7041 | #endif
|
---|
| 7042 | if (!ssl->options.resuming &&
|
---|
| 7043 | !ssl->options.noTicketTls13 && ssl->ctx->ticketEncCb != NULL) {
|
---|
| 7044 | if ((ssl->error = SendTls13NewSessionTicket(ssl)) != 0) {
|
---|
| 7045 | WOLFSSL_ERROR(ssl->error);
|
---|
| 7046 | return WOLFSSL_FATAL_ERROR;
|
---|
| 7047 | }
|
---|
| 7048 | }
|
---|
| 7049 | #endif /* HAVE_SESSION_TICKET */
|
---|
| 7050 | ssl->options.acceptState = ACCEPT_THIRD_REPLY_DONE;
|
---|
| 7051 | WOLFSSL_MSG("accept state ACCEPT_THIRD_REPLY_DONE");
|
---|
| 7052 | FALL_THROUGH;
|
---|
| 7053 |
|
---|
| 7054 | case ACCEPT_THIRD_REPLY_DONE:
|
---|
| 7055 | #ifndef NO_HANDSHAKE_DONE_CB
|
---|
| 7056 | if (ssl->hsDoneCb) {
|
---|
| 7057 | int cbret = ssl->hsDoneCb(ssl, ssl->hsDoneCtx);
|
---|
| 7058 | if (cbret < 0) {
|
---|
| 7059 | ssl->error = cbret;
|
---|
| 7060 | WOLFSSL_MSG("HandShake Done Cb don't continue error");
|
---|
| 7061 | return WOLFSSL_FATAL_ERROR;
|
---|
| 7062 | }
|
---|
| 7063 | }
|
---|
| 7064 | #endif /* NO_HANDSHAKE_DONE_CB */
|
---|
| 7065 |
|
---|
| 7066 | WOLFSSL_LEAVE("SSL_accept()", WOLFSSL_SUCCESS);
|
---|
| 7067 | return WOLFSSL_SUCCESS;
|
---|
| 7068 |
|
---|
| 7069 | default :
|
---|
| 7070 | WOLFSSL_MSG("Unknown accept state ERROR");
|
---|
| 7071 | return WOLFSSL_FATAL_ERROR;
|
---|
| 7072 | }
|
---|
| 7073 | }
|
---|
| 7074 | #endif
|
---|
| 7075 |
|
---|
| 7076 | #ifdef WOLFSSL_EARLY_DATA
|
---|
| 7077 | /* Sets the maximum amount of early data that can be seen by server when using
|
---|
| 7078 | * session tickets for resumption.
|
---|
| 7079 | * A value of zero indicates no early data is to be sent by client using session
|
---|
| 7080 | * tickets.
|
---|
| 7081 | *
|
---|
| 7082 | * ctx The SSL/TLS CTX object.
|
---|
| 7083 | * sz Maximum size of the early data.
|
---|
| 7084 | * returns BAD_FUNC_ARG when ctx is NULL, SIDE_ERROR when not a server and
|
---|
| 7085 | * 0 on success.
|
---|
| 7086 | */
|
---|
| 7087 | int wolfSSL_CTX_set_max_early_data(WOLFSSL_CTX* ctx, unsigned int sz)
|
---|
| 7088 | {
|
---|
| 7089 | if (ctx == NULL || !IsAtLeastTLSv1_3(ctx->method->version))
|
---|
| 7090 | return BAD_FUNC_ARG;
|
---|
| 7091 | if (ctx->method->side == WOLFSSL_CLIENT_END)
|
---|
| 7092 | return SIDE_ERROR;
|
---|
| 7093 |
|
---|
| 7094 | ctx->maxEarlyDataSz = sz;
|
---|
| 7095 |
|
---|
| 7096 | return 0;
|
---|
| 7097 | }
|
---|
| 7098 |
|
---|
| 7099 | /* Sets the maximum amount of early data that can be seen by server when using
|
---|
| 7100 | * session tickets for resumption.
|
---|
| 7101 | * A value of zero indicates no early data is to be sent by client using session
|
---|
| 7102 | * tickets.
|
---|
| 7103 | *
|
---|
| 7104 | * ssl The SSL/TLS object.
|
---|
| 7105 | * sz Maximum size of the early data.
|
---|
| 7106 | * returns BAD_FUNC_ARG when ssl is NULL, or not using TLS v1.3,
|
---|
| 7107 | * SIDE_ERROR when not a server and 0 on success.
|
---|
| 7108 | */
|
---|
| 7109 | int wolfSSL_set_max_early_data(WOLFSSL* ssl, unsigned int sz)
|
---|
| 7110 | {
|
---|
| 7111 | if (ssl == NULL || !IsAtLeastTLSv1_3(ssl->version))
|
---|
| 7112 | return BAD_FUNC_ARG;
|
---|
| 7113 | if (ssl->options.side == WOLFSSL_CLIENT_END)
|
---|
| 7114 | return SIDE_ERROR;
|
---|
| 7115 |
|
---|
| 7116 | ssl->options.maxEarlyDataSz = sz;
|
---|
| 7117 |
|
---|
| 7118 | return 0;
|
---|
| 7119 | }
|
---|
| 7120 |
|
---|
| 7121 | /* Write early data to the server.
|
---|
| 7122 | *
|
---|
| 7123 | * ssl The SSL/TLS object.
|
---|
| 7124 | * data Early data to write
|
---|
| 7125 | * sz The size of the eary data in bytes.
|
---|
| 7126 | * outSz The number of early data bytes written.
|
---|
| 7127 | * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
|
---|
| 7128 | * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of
|
---|
| 7129 | * early data bytes written.
|
---|
| 7130 | */
|
---|
| 7131 | int wolfSSL_write_early_data(WOLFSSL* ssl, const void* data, int sz, int* outSz)
|
---|
| 7132 | {
|
---|
| 7133 | int ret = 0;
|
---|
| 7134 |
|
---|
| 7135 | WOLFSSL_ENTER("SSL_write_early_data()");
|
---|
| 7136 |
|
---|
| 7137 | if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
|
---|
| 7138 | return BAD_FUNC_ARG;
|
---|
| 7139 | if (!IsAtLeastTLSv1_3(ssl->version))
|
---|
| 7140 | return BAD_FUNC_ARG;
|
---|
| 7141 |
|
---|
| 7142 | if (ssl->options.side == WOLFSSL_SERVER_END)
|
---|
| 7143 | return SIDE_ERROR;
|
---|
| 7144 |
|
---|
| 7145 | if (ssl->options.handShakeState == NULL_STATE) {
|
---|
| 7146 | ssl->earlyData = 1;
|
---|
| 7147 | ret = wolfSSL_connect_TLSv13(ssl);
|
---|
| 7148 | if (ret <= 0)
|
---|
| 7149 | return WOLFSSL_FATAL_ERROR;
|
---|
| 7150 | }
|
---|
| 7151 | if (ssl->options.handShakeState == CLIENT_HELLO_COMPLETE) {
|
---|
| 7152 | ret = SendData(ssl, data, sz);
|
---|
| 7153 | if (ret > 0)
|
---|
| 7154 | *outSz = ret;
|
---|
| 7155 | }
|
---|
| 7156 |
|
---|
| 7157 | WOLFSSL_LEAVE("SSL_write_early_data()", ret);
|
---|
| 7158 |
|
---|
| 7159 | if (ret < 0)
|
---|
| 7160 | ret = WOLFSSL_FATAL_ERROR;
|
---|
| 7161 | return ret;
|
---|
| 7162 | }
|
---|
| 7163 |
|
---|
| 7164 | /* Read the any early data from the client.
|
---|
| 7165 | *
|
---|
| 7166 | * ssl The SSL/TLS object.
|
---|
| 7167 | * data Buffer to put the early data into.
|
---|
| 7168 | * sz The size of the buffer in bytes.
|
---|
| 7169 | * outSz The number of early data bytes read.
|
---|
| 7170 | * returns BAD_FUNC_ARG when: ssl, data or outSz is NULL; sz is negative;
|
---|
| 7171 | * or not using TLS v1.3. SIDE ERROR when not a server. Otherwise the number of
|
---|
| 7172 | * early data bytes read.
|
---|
| 7173 | */
|
---|
| 7174 | int wolfSSL_read_early_data(WOLFSSL* ssl, void* data, int sz, int* outSz)
|
---|
| 7175 | {
|
---|
| 7176 | int ret;
|
---|
| 7177 |
|
---|
| 7178 | WOLFSSL_ENTER("wolfSSL_read_early_data()");
|
---|
| 7179 |
|
---|
| 7180 |
|
---|
| 7181 | if (ssl == NULL || data == NULL || sz < 0 || outSz == NULL)
|
---|
| 7182 | return BAD_FUNC_ARG;
|
---|
| 7183 | if (!IsAtLeastTLSv1_3(ssl->version))
|
---|
| 7184 | return BAD_FUNC_ARG;
|
---|
| 7185 |
|
---|
| 7186 | if (ssl->options.side == WOLFSSL_CLIENT_END)
|
---|
| 7187 | return SIDE_ERROR;
|
---|
| 7188 |
|
---|
| 7189 | if (ssl->options.handShakeState == NULL_STATE) {
|
---|
| 7190 | ssl->earlyData = 1;
|
---|
| 7191 | ret = wolfSSL_accept_TLSv13(ssl);
|
---|
| 7192 | if (ret <= 0)
|
---|
| 7193 | return WOLFSSL_FATAL_ERROR;
|
---|
| 7194 | }
|
---|
| 7195 | if (ssl->options.handShakeState == SERVER_FINISHED_COMPLETE) {
|
---|
| 7196 | ret = ReceiveData(ssl, (byte*)data, sz, FALSE);
|
---|
| 7197 | if (ret > 0)
|
---|
| 7198 | *outSz = ret;
|
---|
| 7199 | if (ssl->error == ZERO_RETURN)
|
---|
| 7200 | ssl->error = WOLFSSL_ERROR_NONE;
|
---|
| 7201 | }
|
---|
| 7202 | else
|
---|
| 7203 | ret = 0;
|
---|
| 7204 |
|
---|
| 7205 | WOLFSSL_LEAVE("wolfSSL_read_early_data()", ret);
|
---|
| 7206 |
|
---|
| 7207 | if (ret < 0)
|
---|
| 7208 | ret = WOLFSSL_FATAL_ERROR;
|
---|
| 7209 | return ret;
|
---|
| 7210 | }
|
---|
| 7211 | #endif
|
---|
| 7212 |
|
---|
| 7213 | #undef ERROR_OUT
|
---|
| 7214 |
|
---|
| 7215 | #endif /* !WOLFCRYPT_ONLY */
|
---|
| 7216 |
|
---|
| 7217 | #endif /* WOLFSSL_TLS13 */
|
---|